Introduction to Active Directory
Basic Active Directory Components
At its core, Active Directory needs structure to work properly. It provides the basic building blocks for people to build their own directory. These basic building blocks of Active Directory include domains, domain controllers, trusts, forests, organizational units, groups, sites, replication, and the global catalog.
Understanding Forests
At the top of the Active Directory structure is a forest. A forest holds all of the objects, organizational units, domains, and attributes in its hierarchy. Under a forest are one or more trees which hold domains, OUs, objects, and attributes.
As illustrated in this image, there are two trees in the forest. You might use a structure like this for organizations with more than one operating company.
You could also design a structure with multiple forests, but these are for very specific reasons and not common.
Domains
At the heart of the Active Directory structure is the domain. The domain is typically of the Internet naming variety (e.g. Learnthat.com), but you are not forced to stick with this structure – you could technically name your domain whatever you wish.
Microsoft recommends using as few domains as possible when building your Active Directory structure, and relying on Organizational Units for structure instead. Domains can contain multiple nested OUs, allowing you to build a pretty robust and specific structure.
Domain Controllers
In Windows NT, domains used a Primary Domain Controller (PDC) and Backup Domain Controller (BDC) model. This had one server, the PDC, which was “in charge” while the other DCs were subservient. If the PDC failed, you had to promote a BDC to become the PDC and be the server in charge.
In Active Directory, you have multiple Domain Controllers which are equal peers. Each DC in the Active Directory domain contains a copy of the AD database and synchronizes changes with all other DCs by multi-master replication. Replication occurs frequently and on a pull basis instead of a push one: a server requests updates from a fellow domain controller. If information on one DC changes (e.g. a user changes their password), it sends a signal to the other domain controllers to begin a pull replication of the data, ensuring they are all up to date.
Servers not serving as DCs, but in the Active Directory domain, are called ‘member servers.’
Active Directory requires at least one Domain Controller, but you can install as many as you want (and it’s recommended you install at least two domain controllers in case one fails).
Trust Relationships
Trust Relationships are important in an Active Directory environment so forests and domains can communicate with one another and pass credentials. Within a single forest, trusts are created when a domain is created. By default, domains have an implicit two-way transitive trust created. This means each domain trusts each other for security access and credentials. A user in domain A can access resources permitted to him in domain B while a user in domain B can access resources permitted to her in domain A.
AD allows several different types of trusts to be created, but understanding the two-way transitive trust is the most important to understanding AD.
Organizational Units
An Organizational Unit (OU) is a container which gives a domain hierarchy and structure. It is used for ease of administration and to create an AD structure in the company’s geographic or organizational terms.
An OU can contain OUs, allowing for the creation of a multi-level structure, as shown in the image above. There are three primary reasons for creating OUs:
Organizational Structure: First, creating OUs allows a company to build a structure in Active Directory which matches the firm’s geographic or organizational structure. This permits ease of administration and a clean structure.
Security Rights: The second reason to create an OU structure is to assign security rights to certain OUs. This, for example, would allow you to apply Active Directory policies to one OU which differ from those applied to another. You could set up policies which install an accounting software application on computers in the Accounting OU.
Delegated Administration: The third reason to create OUs is to delegate administrative responsibility. AD architects can design the structure to give local administrators certain administrative responsibility for their own OU and no other. This allows for delegated administration, which was not available in Windows NT networks.
Groups
Groups serve two functions in Active Directory: security and distribution.
A security group contains accounts which can be used for security access. For example, a security group could be assigned rights to a particular directory on a file server.
A distribution group is used for sending information to users. It cannot be used for security access.
There are three group scopes:
Global: Global scope security groups contain users only from the domain in which the group is created. Global security groups can be members of both Universal and Domain Local groups.
Universal: Universal scope security groups can contain users, global groups, and universal groups from any domain. These groups are typically used in a multi-domain environment if access is required across domains.
Domain Local: Domain Local scope groups are often created in domains to assign security access to a particular local domain resource. Domain Local scope groups can contain user accounts, universal groups, and global groups from any domain. Domain Local scope groups can contain domain local groups in the same domain.
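The three scope rules above are easy to state but easy to get wrong when reviewing a real membership export, so here is an added example (written for this page, not code from the tutorial or from Learnthat.com) that encodes them as a small checker and runs it over a constructed set of memberships. Domain names, group names and user names are all made up. It goes one step beyond the text in one place: a global group is also allowed to nest global groups from its own domain, which AD permits at Windows 2000 native functional level and later.

```python
# Added example (not from the tutorial): check group nesting against the
# scope rules described above, using a constructed set of memberships.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "universal" or "domainlocal"


def can_contain(group: Principal, member: Principal) -> bool:
    """True if `member` may be a direct member of `group`.

    Rules follow the tutorial's description of the three scopes, plus one
    generalisation: a global group may also nest global groups from its own
    domain (allowed at Windows 2000 native functional level and later).
    """
    same_domain = group.domain == member.domain
    if group.kind == "global":
        return same_domain and member.kind in ("user", "global")
    if group.kind == "universal":
        # Any domain in the forest, but never domain local groups.
        return member.kind in ("user", "global", "universal")
    if group.kind == "domainlocal":
        if member.kind in ("user", "global", "universal"):
            return True
        # Domain local groups nest only within their own domain.
        return member.kind == "domainlocal" and same_domain
    return False


def audit(memberships: List[Tuple[Principal, Principal]]) -> List[str]:
    """Return one message per (group, member) pair that violates the scope rules."""
    return [
        f"{m.kind} '{m.name}'@{m.domain} cannot be a member of "
        f"{g.kind} '{g.name}'@{g.domain}"
        for g, m in memberships
        if not can_contain(g, m)
    ]


# Constructed two-domain forest: corp.example and sales.example (placeholders)
acct_users = Principal("Accounting-Users", "corp.example", "global")
all_finance = Principal("All-Finance", "corp.example", "universal")
share_rw = Principal("FinanceShare-RW", "corp.example", "domainlocal")
sales_local = Principal("SalesShare-RW", "sales.example", "domainlocal")
sales_global = Principal("Sales-Users", "sales.example", "global")
alice = Principal("alice", "corp.example", "user")
bob = Principal("bob", "sales.example", "user")

SAMPLE_MEMBERSHIPS = [
    (acct_users, alice),         # ok: user from the group's own domain
    (acct_users, bob),           # violation: global group, user from another domain
    (all_finance, sales_global), # ok: universal group takes global groups from any domain
    (all_finance, share_rw),     # violation: domain local group inside a universal group
    (share_rw, all_finance),     # ok: domain local group contains a universal group
    (share_rw, sales_local),     # violation: domain local group from another domain
]

if __name__ == "__main__":
    for problem in audit(SAMPLE_MEMBERSHIPS):
        print(problem)
```

Running it prints the three violations in the sample. The same `audit` function can be fed a real export of (group, member) pairs once the scope of each group is known.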
Sites
An Active Directory site object represents a collection of IP subnets, usually constituting a physical Local Area Network (LAN). Multiple sites are connected for replication by site links. Typically, sites are used for:
Physical Location Determination: Enables clients to find local resources such as printers, shares, or domain controllers.
Replication: You can optimize replication between domain controllers by creating links.
By default, Active Directory uses automatic site coverage, though you can purposefully set up sites and resources yourself.
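To make the two uses of sites concrete, here is an added example (not part of the tutorial) that models how a client is mapped to a site by its IP address and then to the domain controllers it should prefer. Subnets, site names, DC names and site-link costs are all constructed. The real DC locator uses DNS SRV records and DCs register themselves for uncovered sites; this model approximates that outcome by picking the lowest-cost site that has a DC.

```python
# Added example (not from the tutorial): a simplified model of how a client is
# mapped to a site by its IP subnet and then to domain controllers, with
# site-link costs standing in for automatic site coverage. All names constructed.
import heapq
import ipaddress
from typing import Dict, List, Optional, Tuple

SUBNETS: Dict[str, str] = {            # subnet -> site
    "10.1.0.0/16": "NYC",
    "10.1.5.0/24": "NYC-Lab",           # more specific than 10.1.0.0/16
    "10.2.0.0/16": "LON",
    "10.3.0.0/24": "Branch-A",
}
DCS_BY_SITE: Dict[str, List[str]] = {  # sites without a DC must be covered
    "NYC": ["DC01", "DC02"], "LON": ["DC03"], "NYC-Lab": [], "Branch-A": [],
}
SITE_LINKS: List[Tuple[str, str, int]] = [   # (site, site, cost)
    ("NYC", "LON", 100), ("NYC", "NYC-Lab", 10), ("LON", "Branch-A", 50),
]


def site_for_ip(ip: str) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def covering_site(site: str) -> Optional[str]:
    """Lowest site-link-cost site that actually has a DC (Dijkstra over site links)."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in SITE_LINKS:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {site: 0}
    heap = [(0, site)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > dist.get(s, float("inf")):
            continue                      # stale heap entry
        if DCS_BY_SITE.get(s):
            return s                      # first site popped with a DC is the cheapest
        for nxt, cost in adj.get(s, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return None


def locate_dcs(ip: str) -> Tuple[Optional[str], List[str]]:
    """Return (client site, DCs the client should prefer)."""
    site = site_for_ip(ip)
    if site is None:
        # No subnet matches: no site affinity, so any DC in the domain will do.
        return None, sorted(dc for dcs in DCS_BY_SITE.values() for dc in dcs)
    covered_by = covering_site(site)
    return site, list(DCS_BY_SITE[covered_by]) if covered_by else []


if __name__ == "__main__":
    for client in ("10.1.5.7", "10.3.0.9", "192.168.1.1"):
        print(client, locate_dcs(client))
```

A client in 10.1.5.0/24 lands in NYC-Lab (the more specific subnet) and is served by the NYC DCs over the cheap link; a client in Branch-A is served from LON, not NYC, because the link cost is lower. An address matching no subnet is the case to watch for in a real deployment: such clients authenticate against any DC, often across a slow WAN link.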
Replication
Since most Active Directory networks contain multiple domain controllers, and a user could theoretically attach to any DC for authentication or information, each of the servers needs to be kept up to date. Domain controllers stay up to date by replicating the database between each other. They do this using a pull method: a server frequently requests new information from another DC. After a change, the DC initiates a replication after waiting 15 seconds (in Windows 2003) or 5 minutes (in Windows 2000). Windows Server 2003 replicates only the changed information and compresses replication traffic over WAN links.
Windows Server sets up a replication topology to determine where each server pulls updates from. In a large network, this keeps replication time down, as servers replicate in a form of ring network.
Active Directory uses multi-master replication. Multi-master replication does not rely on a single primary domain controller, but instead treats each DC as an authority. When a change is made on any DC, it is replicated to all other DCs. Although every DC replicates in the same way, not all DCs are equal: there are several flexible single-master operation roles which are assigned to one domain controller at a time.
AD uses Remote Procedure Calls (RPC) for replication and can use SMTP for changes to schema or configuration.
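Multi-master replication raises an obvious question the text does not answer: what happens when the same attribute is changed on two DCs before either has replicated? Here is an added example (not code from the tutorial) that models pull replication over a ring of DCs and resolves conflicts the way AD does, by comparing each attribute's version number first and its originating write time second. Real AD breaks a remaining tie on the originating DSA's invocation ID; this model uses the DC name as a stand-in, and the clock values and attribute names are constructed.

```python
# Added example (not from the tutorial): a small model of multi-master pull
# replication with AD-style conflict resolution. Real AD stamps each attribute
# with a version, an originating time and the originating DSA's invocation ID;
# here the DC name stands in for the invocation ID. Clock values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Stamp:
    version: int   # incremented on every originating write of the attribute
    time: int      # originating write time (constructed integer clock)
    origin: str    # originating DC (stand-in for the DSA invocation ID)

    def beats(self, other: "Stamp") -> bool:
        # Higher version wins; ties go to the later write, then the higher origin id.
        return (self.version, self.time, self.origin) > (other.version, other.time, other.origin)


class DC:
    def __init__(self, name: str) -> None:
        self.name = name
        self.db: Dict[str, Tuple[str, Stamp]] = {}   # attribute -> (value, stamp)

    def write(self, attr: str, value: str, time: int) -> None:
        """An originating write on this DC: bump the attribute's version."""
        old = self.db.get(attr)
        version = old[1].version + 1 if old else 1
        self.db[attr] = (value, Stamp(version, time, self.name))

    def pull_from(self, source: "DC") -> int:
        """Pull replication: ask `source` for its data and keep whichever stamp wins."""
        changed = 0
        for attr, (value, stamp) in source.db.items():
            local = self.db.get(attr)
            if local is None or stamp.beats(local[1]):
                self.db[attr] = (value, stamp)
                changed += 1
        return changed

    def value(self, attr: str) -> Optional[str]:
        entry = self.db.get(attr)
        return entry[0] if entry else None


def converge(dcs: List[DC], max_rounds: int = 10) -> int:
    """Ring topology: each DC pulls from its predecessor until nothing changes.
    Returns the number of rounds needed (the last round is the one with no changes)."""
    for rounds in range(1, max_rounds + 1):
        if sum(dc.pull_from(dcs[i - 1]) for i, dc in enumerate(dcs)) == 0:
            return rounds
    return max_rounds


def demo() -> Dict[str, Optional[str]]:
    dcs = [DC("DC1"), DC("DC2"), DC("DC3")]
    dcs[0].write("alice.password", "pw-initial", time=1)
    converge(dcs)
    # Conflict: two DCs change the same attribute before either has replicated.
    dcs[0].write("alice.password", "pw-A", time=10)
    dcs[2].write("alice.password", "pw-B", time=11)
    converge(dcs)
    return {dc.name: dc.value("alice.password") for dc in dcs}


if __name__ == "__main__":
    print(demo())
```

Both conflicting writes carry version 2, so the later write (pw-B on DC3) wins everywhere and pw-A is silently discarded. That "last writer wins" behaviour is why a password reset performed on one DC can appear to be undone when a competing change reaches it from elsewhere, and why the PDC emulator receives password changes preferentially in real deployments.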
FSMO Roles
All domain controllers are not equal. We know, it’s hard to hear. You’ve spent this whole time reading this tutorial thinking that all DCs are created equal and now we have to burst your bubble. Some DCs have more responsibility than others. It’s just part of life!
There are five roles which are called operations masters, or flexible single-master operations (FSMOs). Two are forestwide roles and three are domainwide roles. The forestwide roles are:
Schema master: Controls updates to the Active Directory schema.
Domain naming master: Controls the addition and removal of domains from the forest.
The three domainwide roles are:
RID master: Allocates pools of unique identifiers to domain controllers for use when creating objects (RID is short for relative identifier).
Infrastructure master: Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server, unless all of the DCs are global catalog servers.
PDC Emulator: Provides backward compatibility for NT 4 clients for PDC operations, such as a password change. The PDC emulator also serves as the master time server.
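The placement rules above (two roles once per forest, three roles once per domain, and the infrastructure master kept off global catalog servers unless every DC is one) are the kind of thing worth checking after a DC is promoted or demoted. Here is an added example (not code from the tutorial) that runs those checks over a constructed description of a forest; the domain names, DC names and role assignments are made up, and in practice the inventory would come from the AD tooling.

```python
# Added example (not from the tutorial): sanity checks on FSMO role placement for
# a constructed forest description. A real inventory would come from the AD
# tooling; the data here is made up.
from collections import Counter
from typing import Dict, List

FOREST_ROLES = ("schema", "domain_naming")
DOMAIN_ROLES = ("rid", "infrastructure", "pdc_emulator")

# domain -> DCs; "gc" marks global catalog servers (constructed)
FOREST: Dict[str, List[dict]] = {
    "learnthat.com": [
        {"name": "DC01", "gc": True,  "roles": ["schema", "domain_naming", "rid", "pdc_emulator"]},
        {"name": "DC02", "gc": True,  "roles": ["infrastructure"]},
    ],
    "corp.learnthat.com": [
        {"name": "DC03", "gc": True,  "roles": ["infrastructure", "pdc_emulator"]},
        {"name": "DC04", "gc": False, "roles": ["rid", "pdc_emulator"]},
    ],
}


def check_fsmo(forest: Dict[str, List[dict]]) -> List[str]:
    problems: List[str] = []
    # Forestwide roles: exactly one holder in the whole forest.
    forest_holders = Counter(
        role for dcs in forest.values() for dc in dcs for role in dc["roles"]
        if role in FOREST_ROLES
    )
    for role in FOREST_ROLES:
        if forest_holders[role] != 1:
            problems.append(f"forest: {role} master has {forest_holders[role]} holders, expected 1")
    for domain, dcs in forest.items():
        # Domainwide roles: exactly one holder per domain.
        holders = Counter(role for dc in dcs for role in dc["roles"] if role in DOMAIN_ROLES)
        for role in DOMAIN_ROLES:
            if holders[role] != 1:
                problems.append(f"{domain}: {role} has {holders[role]} holders, expected 1")
        # Infrastructure master must not be a GC unless every DC in the domain is one.
        all_gc = all(dc["gc"] for dc in dcs)
        for dc in dcs:
            if "infrastructure" in dc["roles"] and dc["gc"] and not all_gc:
                problems.append(f"{domain}: infrastructure master {dc['name']} is a GC "
                                "while other DCs in the domain are not")
    return problems


if __name__ == "__main__":
    for problem in check_fsmo(FOREST):
        print(problem)
```

For the constructed forest the check reports two problems, both in corp.learnthat.com: the PDC emulator role is recorded on two DCs, and the infrastructure master sits on a global catalog server while DC04 is not one. The root domain passes because every DC there is a GC.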
Global Catalog
As a network gets larger, it can contain multiple domains and many domain controllers. Each DC’s AD database only contains records from its own domain, which keeps the database small and replication manageable. To find objects elsewhere in the forest, Active Directory relies on a global catalog database which contains a global listing of all objects in the forest. The Global Catalog is held on DCs configured as global catalog servers.
The global catalog contains a subset of information – such as a user’s first name and last name – and the distinguished name of the object so your client can contact the proper domain controller if you need more information. The distinguished name is the full address of an object in the directory. For example, a printer in the OU Accounting in the Learnthat.com domain might have a distinguished name of:
CN=AcctLaser1,OU=Accounting,DC=Learnthat,DC=com
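Distinguished names look simple in examples like the one above, but values can contain commas and other reserved characters, which LDAP escapes with a backslash. Here is an added example (not code from the tutorial) that parses a DN into its components, rebuilds it, walks up to the parent container and recovers the DNS domain name from the DC components. It follows the RFC 4514 escaping rules for single-byte escapes; multi-valued RDNs joined with “+” are not handled. The sample DNs beyond the printer above are constructed.

```python
# Added example (not from the tutorial): parse and rebuild distinguished names,
# honouring the backslash escapes LDAP uses for special characters (RFC 4514).
# Multi-valued RDNs joined with '+' and multi-byte hex escapes are not handled.
# Sample DNs are constructed.
from typing import List, Optional, Tuple

RDN = Tuple[str, str]
SPECIAL = ',+"\\<>;='      # characters that must be escaped inside a value
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, leftmost (the object itself) first."""
    rdns: List[RDN] = []
    attr: Optional[str] = None
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in SPECIAL + " #":
                buf.append(nxt)                              # \, \+ \\ and friends
                i += 2
            elif i + 2 < len(dn) and nxt in HEX and dn[i + 2] in HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))   # \2C style hex escape
                i += 3
            else:
                buf.append(nxt)                              # tolerate unknown escape
                i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()                      # first '=' ends the attribute
            buf = []
        elif ch == ",":
            rdns.append((attr or "", "".join(buf)))          # unescaped ',' ends the RDN
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is not None:
        rdns.append((attr, "".join(buf)))
    return rdns


def escape_value(value: str) -> str:
    out = "".join("\\" + c if c in SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out                          # leading space or '#' must be escaped
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "                    # trailing space must be escaped
    return out


def to_string(rdns: List[RDN]) -> str:
    return ",".join(f"{a}={escape_value(v)}" for a, v in rdns)


def parent_dn(dn: str) -> str:
    """The container holding the object: drop the leftmost RDN."""
    return to_string(parse_dn(dn)[1:])


def domain_from_dn(dn: str) -> str:
    """Rebuild the DNS domain name from the DC components."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")


if __name__ == "__main__":
    printer = "CN=AcctLaser1,OU=Accounting,DC=Learnthat,DC=com"
    print(parse_dn(printer))
    print(parent_dn(printer), domain_from_dn(printer))
    print(parse_dn("CN=Smith\\, John,OU=Users,DC=Learnthat,DC=com")[0])
```

Splitting on commas with `str.split` would break the “Smith, John” case into two bogus RDNs, which is the usual bug in home-grown DN handling and the reason the parser tracks escapes character by character.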
The GC database is only a subset of the entire database, called the Partial Attribute Set (PAS), containing 151 of the 1,070 properties available in Windows Server 2003. You can define additional properties for replication to the GC by modifying the schema.
Wonderful tutorial. Thank you very much
Very good tutorial, it may help me land a job. I needed a brief overview before a job interview. Thanks a bunch!
I am really glad to be on this site. Thank you very much and God bless
I hit a jackpot….Yahooo..
Excellent tutorial. Really helpful to cover the basics and build the knowledge. Thanks very much.
I am a student of MCITP. Can I download free material on AD, ADDS, ADFS, LDAP, ADLSet?
a stepping stone i just needed. tx a lot
I found it interesting and informative…Thank you so much..
beautiful tutorial , this is just great it really sets the stage for higher learning.
Thank you so much… this really really helped for my interview… God bless… : )
Was a great tutorial, learnt a lot, and indeed it’s a step forward to get more… Thanks a lot
I really got lots of knowledge from this site. Great. God bless you.
very good
very interesting and helpful.
very nice tutorial
Wonderful! This will help me at my hopefully new job! My only request is that you expand the section on the actual interaction with AD. THANK YOU!
Very nice! This will help me in a job interview tomorrow. Cheers!
Good job! It’s really helpful.
Wonderful tutorial. Very helpful, thanks 🙂
Easy and to the point, good for beginner to get clear picture of AD. Cheers
This really helps a lot. Thanks.
Thanks, it’s great, it helped
I thank you a bunch. It gave me a very clear idea about AD. God Bless.
thank u very much for the kind information
Excellent Job Done.
Thanks a lot for providing such useful information.
thank you !!!! very good tutorial
Wow, this is a wonderful tutorial,
Thank you soooo much. !
I am interested in learning Active Directory. So kindly help me out.
It is very helpful to understand the basics. Thanks a lot.
Is there any way to get this downloaded? Please let me know.. 🙂
nice article
Thank you, This was very informative. Just what I needed to better understand AD
I went through this in an hour! – Stupendous job! – Thanks much.
Superb tutorial… 🙂
A well structured, sequential tutorial on networking and AD services. Bravo Zulu!
Hey,
Is this downloadable in any way? Could really use it in my studies 🙂
Best Regards
awesome!!!!!!!!!!!! Thanks for the detailed information
Thanks a lot. Explained in a very simple and lucid way.
good tutorial.
Really, the teaching material is very helpful, thanks
Thank you very much for a brilliant tutorial and such a resourceful site. Hats off
It’s helpful but i recommend you add a tutorial on Microsoft Exchange Server 2003 and Designing AD and Network Infrastructure to make it more complete for MCSE.
Thanks a lot, was really helpful in understanding AD a bit more…
Wonderful tutorial. Thank you very much
It’s a wonderful doc, especially on Windows. I suggest everyone go through it.
It was such a wonderful tutorial… gave me a whole brief picture of AD… in such a good summary… thank you so much… hope I do get my 1st level help desk role now… cheers
Good Tutorial. Thanks a lot.
I am a beginner to AD, cause I’m trying to teach myself Windows server 2003 to prepare for Exam 70-290.
So far I am really pleased with what I’m reading because it’s making me understand the concept of AD.
Could you please tell me if a CD-ROM or a DVD exists for this tutorial and how I can get it, or is it possible to download or print this tutorial?
Thanks
It really helped, thanks a lot
Very informative and easy to read. Thank-You! x
Good one. Thanks a ton!!!
Excellent work done on this website tutorial.
It’s brief, concise and hits the point. I have gone through a couple of tutorials but this tutorial has wiped away all the misconceptions I had before.
Many thanks to all who have worked exceptionally hard on this tutorial.
Thanks. this is a well prepared tutorial. easy to understand.
Great, I found it very informative and it has expanded my knowledge of AD.
Really nice. You did a great job. Congrats!
And thank you very much!!!
have some question here? what is the future of active directory in windows server 2003?
Fantabulous!!! Thanks to the mentor. Great Job!
Thanks, it’s a complete tutorial for Active Directory
Thanks a lot! Really great and easy to understand article!
Fantastic!
really good tutorial for beginners for active directory, thanks
Very exhaustive tutorial. A wonderful learning tool. Great job.
I’m trying to understand Active Directory for an upcoming job interview. While Active Directory is not part of the job requirements, knowing a little more is a positive.
Thanks for this tutorial !
Brilliant tutorial, Thanks
Very good tutorial. Helped me a lot to understand AD.
Great tutorial, needed to update myself with Server 2003 features.. good work!