Active Directory

The document discusses Active Directory (AD), a directory service created by Microsoft to help manage resources on a Windows network. It defines what a directory service is and explains that AD addresses issues like single sign-on, centralized user management, and simplified resource location. The key components of AD are domain controllers, which hold the user database and authenticate users, as well as global catalog servers, which speed up searches. AD provides services like authentication, authorization, and replication of user data across domain controllers.


2/19/2019

System Administration

What is a directory service?

What is AD?

Active Directory Domain Services overview

Why AD?

AD components

M. Rebwar Raees


A directory service is a container that provides a hierarchical structure and stores objects for quick, easy access and manipulation. A directory service is like an electronic phone directory: you search for a name and retrieve the phone number, address, or other information without knowing where that person lives.

Before directory services, if you needed a file you had to know the name of the file, the name of the server on which it was stored, and its folder path. This works well on a small network, but as the network grows it becomes challenging.
A directory service is the means by which users and administrators can locate resources regardless of where those resources are located.
Earlier, a typical user could also have more than one user account and password, and as the network grew the number of usernames and passwords grew with it: one for the file server, one for the email server, and so on.


Is there an answer from Microsoft for directory services?


Active Directory is Microsoft's answer to directory services, and it does a lot more than just locate resources.
Active Directory solves the many-accounts, many-passwords problem with Kerberos authentication and Single Sign-On (SSO).
 SSO means that Kerberos gives a user one set of credentials and grants access to a range of resources and services with that same set. The user proves the credentials once to a domain controller (the Key Distribution Center, KDC), which issues a ticket-granting ticket (TGT); the TGT is then exchanged for a service ticket for each resource or service that supports Kerberos, and the password is never sent to those services. Active Directory still accepts NTLM for clients and applications that cannot use Kerberos.


Active Directory also makes user management easier, because it acts as a single repository for all user and computer related information.
AD uses LDAP as its access protocol.
The port number for LDAP is 389 (TCP and UDP). LDAP over TLS (LDAPS) uses 636, and global catalog queries use 3268 (3269 over TLS). A simple bind on plain port 389 sends the password in cleartext, so production clients should use LDAPS or StartTLS, or a Kerberos (SASL) bind with signing.


 Active Directory is based on a standardized directory access protocol, the Lightweight Directory Access Protocol (LDAP).
 LDAP evolved from the X.500 standards and their Directory Access Protocol (DAP). LDAP is the revised, lighter version of DAP; the name is used both for the protocol and for the directory service that speaks it.
 Based on TCP/IP, rather than the full OSI stack that DAP required.
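What an application actually sends over that LDAP connection is a search filter (RFC 4515). The following is an added example, not from the slides: a hypothetical application builds a filter to look up a user by sAMAccountName, once by pasting the input in raw and once with proper escaping, and a small filter parser/evaluator runs both against constructed directory entries so the injection is visible offline. The entries, attribute values and the application code are all assumptions made for the example.

```python
"""How an application talks to AD over LDAP: it sends a search filter (RFC 4515).
Shows the filter a hypothetical app builds to look up a user, why pasting raw
input into it is an injection bug, and the escaping that fixes it. A tiny filter
parser/evaluator runs the filters against constructed directory entries so the
effect is visible offline. Added example, not from the slides."""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: *, (, ), \\ and NUL (and every non-ASCII UTF-8 byte)
    become \\XX hex escapes, so user input can only ever be a literal value."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode())
        else:
            out.append(ch)
    return "".join(out)


def user_filter_unsafe(username: str) -> str:  # hypothetical app code, vulnerable
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def user_filter(username: str) -> str:  # hardened form of the same lookup
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def _unescape(v: str) -> str:
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\":
            out.append(int(v[i + 1:i + 3], 16)); i += 3
        else:
            out += v[i].encode(); i += 1
    return out.decode()


def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for the subset (&, |, !, attr=value with *
    wildcards) an app typically uses; returns (node, index after the filter)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        node = (op, kids)
    elif s[i] == "!":
        sub, i = parse_filter(s, i + 1)
        node = ("!", sub)
    else:
        eq = s.index("=", i)
        end = s.index(")", eq)  # a literal ')' inside a value must be escaped as \29
        pattern = ".*".join(re.escape(_unescape(p)) for p in s[eq + 1:end].split("*"))
        node, i = ("=", s[i:eq].lower(), pattern), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("unbalanced filter")
    return node, i + 1


def matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    val = entry.get(node[1])  # attribute names are case-insensitive; entry keys are lowercase
    return val is not None and re.fullmatch(node[2], str(val), re.IGNORECASE) is not None


def search(filter_str: str, entries) -> list:
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["samaccountname"] for e in entries if matches(node, e)]


# Constructed entries standing in for a domain partition.
ENTRIES = [
    {"objectclass": "user", "samaccountname": "alice", "memberof": "CN=Domain Admins"},
    {"objectclass": "user", "samaccountname": "bob"},
    {"objectclass": "computer", "samaccountname": "WS01$"},
]
```

With the unsafe builder, the input `*` matches every user and the input `*)(memberOf=*Domain Admins` turns the lookup into a group-membership oracle; with `escape_filter_value` both inputs are searched for as literal account names and match nothing.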


 What is AD DS?
 AD DS stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches.
 What is the AD DS server role?
 AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications.
 Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure.
 The database is a single file, NTDS.dit (by default %SystemRoot%\NTDS\ntds.dit). It holds the password hashes of every account in the domain, so backups, virtual disks and snapshots of a domain controller must be protected as carefully as the domain controller itself.
 An Active Directory domain controller (DC) is a server that is running AD DS.
 Active Directory is a multimaster database: information is automatically replicated between multiple domain controllers.


AD DS provides a centralized system for managing users, computers, and other resources on a network.
 Centralized resource and security administration.
 Active Directory provides a single point from which administrators can manage network resources and their associated security objects.
 Single logon for access to global resources.
 Fault tolerance and redundancy.
 Active Directory uses a multimaster domain controller design.
 Changes made on one domain controller are replicated to all other domain controllers in the environment.
 It is recommended to have two or more domain controllers for each domain.
 Simplified resource location.

Authentication: the process of verifying a user's identity on a network. Authentication has two components:
 Interactive logon: grants access to the local computer
 Network authentication: grants access to network resources

Authorization: the process of verifying that an authenticated user has permission to perform an action.
 Authorization happens frequently and unobtrusively whenever users request services, such as opening their home folder, reading or writing files, or requesting access to an AD DS aware application.
 The user only sees the result of the authorization: they are granted or denied access.



AD DS is composed of both physical and logical components:

Physical components
• Data store: stores the AD DS information. This is a file (NTDS.dit) on each domain controller.
• Domain controllers: each contains a writable copy of the AD DS database.
• Global catalog server: hosts the global catalog, which is a partial, read-only copy of all the domain naming contexts in the forest. A global catalog speeds up searches for objects that are stored on domain controllers of other domains in the forest.
• Read-Only Domain Controller (RODC): contains a read-only copy of the AD DS database.
• Sites: collections of IP subnets that describe the physical network locations of domain controllers and clients. Useful in planning administrative tasks such as replication of AD DS.

Logical components
• Partitions: the domain, configuration and schema directory partitions, application directory partitions, and the global catalog's partial replica of every domain partition.
• Schema: defines the classes of object that can exist in AD DS and the attributes each class can have.
• Domains: the logical, administrative boundary for users and computers.
• Domain trees: collections of domains that share a contiguous DNS namespace below a common root domain.
• Forests: collections of one or more domain trees that share a common schema, configuration and global catalog. The forest, not the domain, is the security boundary.
• Organizational units (OUs): organize the objects found in a domain for the purpose of securing and administering them more selectively.

 DC: a server with the AD DS server role installed that has been promoted to a domain controller. Domain controllers:
 Allow administrative access to manage user accounts and network resources
 Replicate updates to other domain controllers in the domain and forest
 Provide authentication and authorization services
 Host a copy of the AD DS directory store
 Global catalog servers are domain controllers that also store a copy of the global catalog
 The Global Catalog (GC):
 Is required for users to log on to a domain (in a multi-domain forest it resolves universal group membership at logon; without a reachable GC, logon fails unless the domain controller caches universal group membership)
 Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers in other domains
 Contains a copy of every object in the forest, but only a subset of the attributes of each object (the partial attribute set)


Read-Only Domain Controller (RODC)

 Introduced with Windows Server 2008.

 A domain controller that holds a read-only copy of the ntds.dit database. No change can originate on an RODC and replication is inbound only, so a compromised RODC in a branch office cannot push changes back into the rest of Active Directory.

 By default an RODC stores no account passwords; only the credentials of accounts allowed by its Password Replication Policy are cached on it, which limits what an attacker with physical access to the RODC can recover.


 An AD DS site represents a network segment in which all domain controllers are connected by a fast and reliable network connection.
So sites are:
 Associated with IP subnets
 Used to manage replication traffic
 Used to manage client logon traffic
 Used by site-aware applications such as Distributed File System (DFS) or Exchange Server
 Used to assign group policy objects to all users and computers in a company location
 The primary reasons for creating sites are:
 Control network traffic across wide area network (WAN) links.
 Minimize replication traffic across the WAN link, because inter-site replication can be scheduled and compressed.
 Control client logon traffic and provide a better client logon experience, because client computers locate a domain controller in their own site (or, if their site has no domain controller, in the nearest site that covers it).
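The site-to-subnet mapping that makes the last point work, as an added example not taken from the slides: a client's IP address is matched against the subnet table (the most specific subnet wins, as in AD), the client gets the domain controllers of that site, and a site without a domain controller is served by the cheapest neighbouring site by site-link cost. The site, subnet, DC names and link costs are constructed, and the transitive cost search is a simplification of the real automatic site coverage algorithm.

```python
"""What the DC locator does with the Sites and Services data: map the client's IP
to a site through the subnet table (longest matching prefix wins), hand back the
DCs of that site, and fall back to the nearest site by site-link cost when the
client's site has no DC (automatic site coverage). Site, subnet, DC names and
link costs are constructed for this example; the transitive cost search is a
simplification of the real coverage algorithm."""
import heapq
import ipaddress

SUBNETS = {  # CN=Subnets,CN=Sites,CN=Configuration,... : subnet -> siteObject
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Erbil",
    "10.20.5.0/24": "Erbil-DataCenter",
    "192.168.100.0/24": "Sulaymaniyah",
    "2001:db8:20::/48": "Erbil",
}
DCS_BY_SITE = {  # CN=Servers under each site object
    "Default-First-Site-Name": ["DC01"],
    "Erbil": [],  # branch office without its own DC
    "Erbil-DataCenter": ["DC02", "DC03"],
    "Sulaymaniyah": [],
}
SITE_LINKS = {  # CN=IP,CN=Inter-Site Transports,...: pair of sites -> cost
    frozenset({"Default-First-Site-Name", "Erbil"}): 100,
    frozenset({"Erbil", "Erbil-DataCenter"}): 50,
    frozenset({"Erbil", "Sulaymaniyah"}): 200,
}


def site_for_ip(ip: str, subnets=SUBNETS):
    """Longest-prefix match, as AD does when 10.20.0.0/16 and 10.20.5.0/24 both contain the address."""
    addr, best = ipaddress.ip_address(ip), None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def nearest_site_with_dc(site, dcs_by_site=DCS_BY_SITE, site_links=SITE_LINKS):
    """Dijkstra over site links; the first site popped that has a DC is the cheapest."""
    heap, seen = [(0, site)], set()
    while heap:
        cost, s = heapq.heappop(heap)
        if s in seen:
            continue
        seen.add(s)
        if dcs_by_site.get(s):
            return s
        for link, c in site_links.items():
            if s in link:
                heapq.heappush(heap, (cost + c, next(iter(link - {s}))))
    return None


def locate_dcs(ip: str):
    """Returns (client site, serving site, DCs) the way a client's DC lookup resolves."""
    site = site_for_ip(ip)
    if site is None:
        # Unmapped subnet: any DC in the domain may answer, often across the WAN;
        # the DC records such clients in NETLOGON event 5807. Add the subnet to a site.
        return None, None, sorted(dc for dcs in DCS_BY_SITE.values() for dc in dcs)
    serving = site if DCS_BY_SITE.get(site) else nearest_site_with_dc(site)
    return site, serving, list(DCS_BY_SITE.get(serving, []))
```

The unmapped-subnet branch is the one that causes slow logons and unexpected WAN traffic in practice, which is why subnet coverage is worth auditing whenever a new network range is deployed.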



Schema: the schema acts as the building blocks of Active Directory. It holds all of the information needed to create users, groups, computers, and so on within Active Directory. There is only one schema for the entire forest.
 Individual resources are called objects
 Objects belong to classes
 Each class has its own attributes, defined in the schema
 Default classes: Domain, Shared folder, User account, Computer, Group, Printer, Shared drive

Object type       | Function                                        | Examples
Class object      | What objects can be created in the directory    | User, Computer
Attribute object  | Information that can be attached to an object   | Display name


 Domain: the domain is the core unit of logical structure in Active Directory. All objects that share a common directory database, trust relationships with other domains, and security policies form a domain (for example, domain.local). A domain is:
 An administrative boundary for applying policies to groups of objects
 A replication boundary for replicating data between domain controllers
 An authentication and authorization boundary that provides a way to limit the scope of access to resources (but not a security boundary: that is the forest)

 Tree: trees are groups of domains that share a contiguous namespace (for example, contoso.msft and its child sales.contoso.msft).
 All domains in a tree share:
 Schema
 Configuration
 Global catalog



 Forest: contains one or more trees, and therefore one or more namespaces. Unlike a tree, a forest can contain several disjoint namespaces.
 All domains in a forest share:
 Schema
 Configuration
 Global catalog
 Example forest from the slide: the forest root domain contoso.msft heads one tree (contoso.msft with its child domain sales.contoso.msft), and nwtraders.msft heads a second tree in the same forest, with the child domains marketing.nwtraders.msft and sales.nwtraders.msft.
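The tree and forest structure above, as an added example that is not part of the slides: LDAP distinguished names (RFC 4514) are parsed into their RDNs, a domain's naming-context DN such as DC=sales,DC=contoso,DC=msft is turned into its DNS name, and the domains of the slide's forest are grouped into trees by contiguous namespace. The DNs are constructed to match the slide's contoso.msft and nwtraders.msft forest.

```python
"""Parse LDAP distinguished names (RFC 4514), turn a domain's naming-context DN
(DC=sales,DC=contoso,DC=msft) into its DNS name, and group a forest's domains
into trees by contiguous namespace as the Tree and Forest slides describe.
Added example; the DNs are constructed to match the slide's forest."""


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs. Handles backslash escapes such as
    \\, and \\= and \\XX hex escapes, so a comma inside a CN does not split the RDN."""
    rdns, attr, buf, in_value, i = [], "", bytearray(), False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and in_value:
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in '\\,+="<>;# ':
                buf += nxt.encode(); i += 2
            else:
                buf.append(int(dn[i + 1:i + 3], 16)); i += 3
            continue
        if ch == "=" and not in_value:
            attr, in_value = buf.decode().strip(), True
            buf = bytearray()
        elif ch == "," and in_value:
            rdns.append((attr, buf.decode()))
            buf, in_value = bytearray(), False
        else:
            buf += ch.encode()
        i += 1
    if not in_value:
        raise ValueError("malformed DN: " + dn)
    rdns.append((attr, buf.decode()))
    return rdns


def dns_name(dn: str) -> str:
    """The DC components, read left to right, are the DNS labels of the domain."""
    labels = [v for a, v in parse_dn(dn) if a.upper() == "DC"]
    if not labels:
        raise ValueError("not a domain naming context: " + dn)
    return ".".join(labels).lower()


def group_into_trees(domain_dns) -> dict:
    """A tree is a contiguous namespace: each child's name ends in '.' + a parent's name.
    Returns {tree root: [domains in that tree]}; several roots means several trees."""
    names = sorted({dns_name(d) for d in domain_dns}, key=lambda n: (n.count("."), n))
    trees = {}
    for n in names:  # parents sort before children, so every root is seen first
        root = next((r for r in trees if n == r or n.endswith("." + r)), None)
        if root is None:
            trees[n] = [n]
        else:
            trees[root].append(n)
    return trees


# Constructed naming contexts matching the slide's forest.
FOREST = [
    "DC=contoso,DC=msft",
    "DC=sales,DC=contoso,DC=msft",
    "DC=nwtraders,DC=msft",
    "DC=marketing,DC=nwtraders,DC=msft",
    "DC=sales,DC=nwtraders,DC=msft",
]
```

Escape handling matters beyond tidiness: a display name such as "Raees, Rebwar" is stored as `CN=Raees\, Rebwar`, and code that splits DNs on commas will misplace such objects or, when building DNs from user input, let a crafted name land in a different container.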

Organizational Units (OUs): Active Directory containers that can contain users, groups, computers, and other OUs.
 The default containers, including Users, Computers and Builtin, are plain containers rather than OUs: Group Policy cannot be linked to them, so new accounts should be moved (or redirected) into OUs.

OUs are used to:
 Represent your organization hierarchically and logically.
 Delegate permissions to administer groups of objects.
 Manage a collection of objects in a consistent way.
 Apply policies.

