Domain - Local security Database

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by beaumontdvd, Mar 3, 2010.

  1. beaumontdvd
    Hi all, am I right in saying that in a workgroup each computer has its own local security database, and in a domain the local security database isn't held on the DC for security? If not, where is it held?

    Also, am I right that you cannot log on to a domain locally? So when you log in you will be logging in using domain credentials based on the Active Directory entries?

    Also, what happens if the domain's down and AD is not installed? Would you be able to log in to the DC?


    Hope someone can explain in the simplest terms as I'm new to this domain environment.

    Thanks,
    Dave
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  2. Boycie
    In a workgroup environment each workstation is responsible for its own security. The database is held by itself, yes. On a domain controller, the local security database is modified when dcpromo is run.

    If you are talking about the domain controller, then yes. If you are talking about a client, there is a gpo to prevent a user logging on the workstation.

    If AD is not installed, you have no domain. If you mean what happens if the DC is down, a message would be presented to the user explaining the domain controller cannot be contacted, or if the cached credentials are configured, it may log the user on although not provide access to resources which require authentication.
     
    Last edited: Mar 3, 2010
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  3. beaumontdvd
    Thanks mate, that makes sense. Where is the security database held on a domain controller then? This is the bit that puzzles me. Also, say we pulled the Ethernet out on the DC but it had Active Directory: would it still be able to log you on if there was a user account set up for Dave in AD? Would it cache Dave's credentials on the DC and then look in AD for the username/password to authenticate it, then provide the access token to the user Dave?

    Thanks,
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  4. derkit
    My understanding is that you'll still be able to log on to a workstation if it has a local profile already created on it. It may have issues trying to access other resources if they need authentication.

    The security database: something to do with SAM, off the top of my head?

    (derkit is in learning mode also!)
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  5. Boycie
    On the controller, mate. When dcpromo is run, the existing database is modified for the directory services.

    You could still log on, yes. There is nothing to cache if you were at the box. It would be checking against credentials already present.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  6. Boycie
    There is a GPO to allow a client a logon without domain controller authentication. I think the default is 10. This is handy for, say, a laptop user who may wish to use their machine outside the domain.

    SAM is the local Security Account Manager, as opposed to the Active Directory held on the domain controller.
     
    Last edited: Mar 3, 2010
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  7. SimonD
    There are two distinct differences.

    Workgroups are machine specific: if you don't have a machine created on the machine locally you can't 'generally' log on.

    In AD, if you have the DC go down, the only way you could log onto a workstation is if you had previously logged onto it and the machine has it stored in the cache (and yes, by default the machine retains 10 cached profiles).

    As far as where the user\password information is kept, that's stored within Active Directory itself. Each DC and GC will hold that information, allowing you to log in (this is done via Kerberos tickets). The thing to always remember is that Kerberos relies on the time being correct to within a defined skew (defaults to 5 minutes); if the clock on the machine is out of sync by more than 5 minutes you will have issues.
    Another thing worth mentioning is that, depending on the type of change, AD will only sync at regular intervals. However, if you make a change to an account (for instance changing the password) then AD will sync between all DCs to ensure that they all have the correct and up-to-date information.

    SAM is pretty old school. It was from the old NT4 days (and was actually something you could export to disk and apply programs such as L0phtCrack against).
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
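    Added example (not code from the thread or from any of its posters): a defender-side check of the two client settings the replies in posts 6 and 7 discuss, the cached-logon count (default 10) and the clock offset against the logon DC (Kerberos default tolerance 5 minutes). It assumes a domain-joined Windows client, an elevated PowerShell session, and that $env:LOGONSERVER names a reachable DC; the 300-second threshold is the default the post quotes, not a value read from the domain's Kerberos policy.

    ```powershell
    # Added example, not from the thread. Audit a domain-joined client for offline-logon
    # exposure and Kerberos clock skew. Run elevated on the workstation being checked.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # 1. "Interactive logon: Number of previous logons to cache" lives in CachedLogonsCount
    #    (REG_SZ). Absent or "10" is the default; "0" disables cached domain logons entirely.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) {
        Write-Output 'CachedLogonsCount not set: Windows default of 10 cached logons applies.'
    } else {
        Write-Output "CachedLogonsCount = $cached"
        if ([int]$cached -eq 0) {
            Write-Output '  -> no offline domain logons possible; users need a DC or a local account.'
        }
    }

    # 2. Clock offset against the logon DC. 300 s is the default Kerberos tolerance
    #    ("Maximum tolerance for computer clock synchronization"); assumed, not queried.
    $maxSkewSeconds = 300
    $dc = $env:LOGONSERVER.TrimStart('\')   # assumption: set to the DC that logged us on
    if ($dc) {
        # In /dataonly mode w32tm prints one "hh:mm:ss, +00.0123456s" line per sample.
        $samples = w32tm /stripchart /computer:$dc /samples:3 /dataonly 2>$null
        $offsets = foreach ($line in $samples) {
            if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
        }
        if ($offsets) {
            $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
            Write-Output ("Worst clock offset vs {0}: {1:N3} s (limit {2} s)" -f $dc, $worst, $maxSkewSeconds)
            if ($worst -gt $maxSkewSeconds) {
                Write-Output '  -> outside Kerberos tolerance; expect ticket failures until time is resynced.'
            }
        } else {
            Write-Output "Could not sample time from $dc (DC unreachable, as in the scenario above)."
        }
    }
    ```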
  8. derkit

    Thanks for the info Boycie :)
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  9. derkit
    Ah... the old school days, and that program I remember working on our network back in '97.
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  10. Sparky
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  11. beaumontdvd
    Thanks everyone for all the help.
    I'm slowly getting through this 270.
    Just making sure I understand every little bit and going through it gradually.
    So if the Ethernet was pulled out of the DC, it would only be possible to log on using credentials I have used previously?
    What if I have never logged on before? Would that make the domain inaccessible?
    Thanks for the link Sparky.

    Dave
     
    Last edited: Mar 4, 2010
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  12. SimonD
    It depends on whether you have a GC located on your network. If you do (and it's not your DC) then you can still log on; however, if you don't then your machine would need to have something to authenticate you against, that's either a cached profile or a local user account. If it has neither, you won't be able to log on to the machine (which makes sense, otherwise you could pretty much just log onto any machine and not worry about security).
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA