Tuesday, January 10, 2012

what happens when you install a domain controller part 2

So now we need to talk a little bit about authentication, because that is what it is really all about: providing a secure way to let users access the resources. The main thing here is what happens when the user logs on to the domain and what is happening in the background.


Before a client joins a domain, the standard authentication protocol that is used is NTLMv2. This has been the standard authentication mechanism since Windows 2000 SP4. Before I go into the logon process I would like to say a few things about the process of how the PC joins the domain.

When the domain controller's name is given in the "Computer Name Changes" window, the first thing that happens is that the client computer checks its DNS configuration to see what DNS server is configured. The client will contact the domain controller using LDAP with a TCP destination port of 389. After the server is contacted, the client sends a series of LDAP requests to make sure that it has contacted the right domain controller. During the process of installing the domain controller, an additional zone was added to the DNS namespace; this zone holds a variety of SRV (service) records that are used to, among other things, help the client establish which server is the DC and how it should be contacted. The name of this zone is called msds.xxxx.
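To make the SRV step concrete, here is an added example (not from the original post) that turns a set of SRV answers into the ordered list of LDAP endpoints a client would try, using the RFC 2782 priority/weight rules; the sample answers, the domain "corp.example" and the record name under the _msdcs zone are my assumptions, not something the post spells out.

```python
"""Order DNS SRV answers the way a domain-joining client does (RFC 2782)."""
import random
from dataclasses import dataclass

# Constructed sample answers for a hypothetical domain "corp.example".
# The record name is the standard one under the _msdcs zone (assumption).
SAMPLE_SRV = [
    "_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.",
    "_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.",
    "_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 0 389 dc3.corp.example.",
]

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(line):
    """Parse one zone-file style SRV line: name ttl class SRV prio weight port target."""
    f = line.split()
    if len(f) != 8 or f[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip("."))

def order_targets(records, rng=None):
    """Return (host, port) pairs: lowest priority first, weighted random within a priority."""
    rng = rng or random.Random()
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    result = []
    for prio in sorted(by_priority):
        # RFC 2782: weight-0 records go to the front, then pick by running sum.
        group = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    result.append((r.target, r.port))
                    group.remove(r)
                    break
    return result

def locate_dc(lines, rng=None):
    """Candidate LDAP endpoints (TCP 389, as in the post) in the order a client would try them."""
    return order_targets([parse_srv(l) for l in lines], rng)
```

Because the client trusts whatever these answers say, the follow-up LDAP checks the post mentions (and Kerberos later) are what confirm the host reached really is a DC of the right domain.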

After the client has established which domain controller it should connect with, it must authenticate itself. This is where Kerberos comes into the game. Using Kerberos, the password or "challenge" is never sent across the network, nor is the client at any time in direct contact with the service that grants access to the network. I will discuss Kerberos and the rest of the domain join process in PART 3.

