
Active Directory is the Windows Directory Service

A directory is a feature that stores information about various objects present on the network.
Active Directory is a directory service that offers methods to store information and data and makes it available to the users.
AD is a form of directory.

Active Directory is a directory service that runs on Microsoft Windows Server. It is used
for identity and access management.

 A directory service is a container that provides a hierarchical structure and
allows objects to be stored for quick and easy access and manipulation. A directory
service is like an electronic phone directory that lets you search for a name and
retrieve the phone number, address, or other information without knowing where
that person lives.

 Before directory services, if you needed a file, you needed to know the
name of the file, the name of the server on which it was stored and its
folder path. This works well on a small network, but as the network grows it
becomes challenging.

 A directory service is the means by which users and administrators can locate
resources regardless of where those resources are physically located.

It stores a large database of information about the various AD objects that belong to the same network, for instance printers,
computers, shared folders, applications, etc. However, the information stored for each type of AD object varies widely.
For example, for users the AD server records their username, password, IP address, and SID (security identifier).
It is a centralized database that contains network information.
In short, the directory structure that Microsoft networks use to house their user and computer accounts is called Active
Directory (AD), and the directory information is controlled and managed by Domain Controller (DC) servers.
Active Directory is the replacement for the Security Accounts Manager (SAM) directory database found in Windows NT 4.0
and allows Windows 2000 and later to scale to millions of objects, breaking the 40,000 security object barrier found in
Windows NT 4.0.
Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple
on-premises infrastructure components and systems using a single identity per user.

AD is a database. By default, each domain controller (DC) stores a copy of this database
as ntds.dit in its \winnt\ntds folder. The database is logically divided into three
directory partitions, or naming contexts (NCs)—the Schema NC, the Configuration NC,
and the Domain NC. All DCs in the forest contain the same Schema NC and
Configuration NC because this information is defined forestwide. Each DC in an AD
domain holds the same copy of the domain's Domain NC. If the DC is designated as a
Global Catalog (GC) server, then that DC also holds a partial copy of every other
domain's Domain NC. This partial copy includes all the objects from the respective
domains, but only a subset of the attributes.
Active Directory defines the structure for the organization with objects and organizational units
(OUs). Administrators can group objects, such as computers or individuals, together in OUs
based on certain criteria, such as location or business function. Admins can also apply
permissions and tasks based on the level of the OU.
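The naming contexts and Global Catalog behaviour described above can be inspected directly from PowerShell. The following is an added example, not part of the original notes; it assumes the ActiveDirectory RSAT module is installed and that the session runs as a domain user with read access to the forest. The names and paths printed are whatever your own forest returns.

```powershell
# Added example (not from the original notes): list the naming contexts (partitions)
# held by the DC you are connected to and show which DCs in the forest are GC servers.
# Assumes the ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

# RootDSE exposes the partitions held by the DC answering the query: the forest-wide
# Schema NC and Configuration NC, plus this domain's Domain NC (defaultNamingContext).
$rootDse = Get-ADRootDSE
[PSCustomObject]@{
    SchemaNC        = $rootDse.schemaNamingContext
    ConfigurationNC = $rootDse.configurationNamingContext
    DomainNC        = $rootDse.defaultNamingContext
    AllNCs          = ($rootDse.namingContexts -join '; ')
} | Format-List

# A GC server additionally holds a partial, read-only copy of every other domain's
# Domain NC. Walk every domain in the forest and flag the GCs.
Get-ADForest | Select-Object -ExpandProperty Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ |
        Select-Object Name, Domain, Site, IsGlobalCatalog, OperatingSystem
} | Sort-Object Domain, Name | Format-Table -AutoSize

# Where the ntds.dit database lives on this DC. The notes give the Windows 2000-era
# \winnt\ntds path; on current versions the default is %SystemRoot%\NTDS, and the
# registry value below is authoritative either way. Run this on the DC itself.
$ntdsParams = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsParams.'DSA Database file'
```

The first block is what a practitioner checks when a replication or schema problem is suspected: every DC in the forest must report the same schemaNamingContext and configurationNamingContext, while defaultNamingContext differs per domain.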

Administrators have two Active Directory options to choose from -- on-premises Active
Directory, which runs on Windows Server, or the Azure Active Directory, which operates in
Microsoft's cloud. They can also use a combination of both. The Azure AD identity
management service has a similar name, but it has a few differences from on-premises Active
Directory.

Windows Server AD uses the Domain Name System (DNS) and the Lightweight Directory Access
Protocol (LDAP) to work with directories both on premises and on the internet, and it uses Kerberos
for authentication. Azure AD uses the Security Assertion Markup Language (SAML) and Open
Authorization (OAuth). Azure AD does not use OUs, domains or Group Policy Objects for organization.
Beyond these structural differences, Azure AD has fewer features.

AD DS runs on a server or server cluster called the domain controller. Each time a user logs
in, accesses a network resource or runs an application, the AD domain controller
authenticates the request. Corruption in the AD database or the failure of the domain
controller server can devastate an enterprise, so administrators often set up AD DS on a
server cluster for automatic replication and synchronization for resiliency and added
performance.
Active Directory also works across a series of levels. The domain is the lowest level and
generally includes objects organized into a single database.

Trees are collections of one or more domains connected by a trust relationship. The forest is
the highest level, which collects trees into a global structure and represents the
ultimate boundary for accessibility in Active Directory. Objects are typically not accessible
outside of the AD forest.

GP troubleshooting

Group Policy files are stored in the SYSVOL share on all DCs in the domain - specifically, in subfolders of the
SYSVOL\domain\Policies folder. If the SYSVOL share is not present on a DC, this typically indicates a problem
with either the File Replication Service (FRS) or Distributed File System Replication (DFS-R), depending on
which one is being used to replicate SYSVOL.

SYSVOL troubleshooting

SYSVOL is a folder that exists on all domain controllers. It is the repository for all of the active
directory files. It stores all the important elements of the Active Directory group policy.

SYSVOL is a shared folder which contains files that are common to the whole domain. This share is
created automatically when the DC is set up. The default location is 'C:\Windows\SYSVOL', but it can be
changed during the DC setup.

What is SYSVOL and why is it important?

The File Replication Service (FRS) allows the replication of the SYSVOL folder among domain controllers.

One of the best ways to check the health of SYSVOL replication using DFSR is to install the Distributed
File System management tools on a machine. You can do this through Server Manager.

On a Windows Server 2012 machine, they are found under Features, Remote Server Administration Tools,
Role Administration Tools, File Services Tools, DFS Management Tools. After installation, launch the DFS
Management tool, which will show the Domain System Volume group that contains the SYSVOL Share
replicated folder.

DFRS troubleshooting

 Active Directory (AD) uses Distributed File System Replication (DFSR) to replicate the
disk-based portion of AD (SYSVOL) in domains at the Windows Server 2008 or later functional level,
replacing the old File Replication Service (FRS).

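The GP, SYSVOL and DFSR checks described in the last three sections can be combined into one script. The following is an added example, not part of the original notes; it assumes Windows PowerShell 5.1 with the ActiveDirectory, GroupPolicy and DFSR RSAT modules installed, an account with read access to every DC's SYSVOL share, and that the replication group and folder are still the defaults created at promotion ("Domain System Volume" / "SYSVOL Share").

```powershell
# Added example (not from the original notes): for every DC in the domain, confirm the
# SYSVOL share is reachable, report the state of the DFSR and FRS (NtFrs) services,
# verify that every GPO has its {GUID}\gpt.ini under SYSVOL\<domain>\Policies, and
# report the DFSR backlog for SYSVOL between each pair of DCs.
# Assumes Windows PowerShell 5.1 and the ActiveDirectory, GroupPolicy and DFSR modules.
Import-Module ActiveDirectory, GroupPolicy, DFSR

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$gpos   = Get-GPO -All

foreach ($dc in $dcs) {
    $policiesRoot = "\\$dc\SYSVOL\$domain\Policies"

    # 1. No SYSVOL share usually means SYSVOL replication (FRS or DFSR) never completed
    #    on this DC, so Group Policy cannot be served from it.
    if (-not (Test-Path "\\$dc\SYSVOL")) {
        Write-Warning "$dc : SYSVOL share is not present or not reachable"
        continue
    }

    # 2. Which replication engine is running: DFSR on 2008+ mode domains, NtFrs if the
    #    domain has not been migrated yet (Get-Service -ComputerName is Windows PowerShell 5.1 only).
    $dfsr = Get-Service -ComputerName $dc -Name DFSR  -ErrorAction SilentlyContinue
    $frs  = Get-Service -ComputerName $dc -Name NtFrs -ErrorAction SilentlyContinue
    "{0} : DFSR={1} NtFrs={2}" -f $dc, $dfsr.Status, $frs.Status

    # 3. Each GPO defined in AD must have a matching folder in SYSVOL\<domain>\Policies on
    #    every DC. A missing folder on one DC points at a replication problem; missing
    #    everywhere, the GPO is orphaned in AD.
    foreach ($gpo in $gpos) {
        $gptIni = Join-Path $policiesRoot "{$($gpo.Id)}\gpt.ini"
        if (-not (Test-Path $gptIni)) {
            Write-Warning ("{0} : GPO '{1}' ({2}) has no gpt.ini in SYSVOL" -f $dc, $gpo.DisplayName, $gpo.Id)
        }
    }
}

# 4. DFSR backlog for the SYSVOL replicated folder in both directions between every pair
#    of DCs. A backlog that never drains means those two partners are not replicating.
foreach ($src in $dcs) {
    foreach ($dst in ($dcs | Where-Object { $_ -ne $src })) {
        $backlog = Get-DfsrBacklog -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
                       -SourceComputerName $src -DestinationComputerName $dst -ErrorAction SilentlyContinue
        "{0} -> {1}: {2} file(s) in backlog" -f $src, $dst, @($backlog).Count
    }
}
```

Run this from a management workstation rather than a DC so that the share checks exercise the same SMB path clients use. A DC that fails check 1 while its partners show a growing backlog in check 4 is the classic "SYSVOL not shared" symptom the section above describes.
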
AD Sites

Sites are managed and administered through the Active Directory Sites and Services management
console snap-in. This utility is used to create and manage site links and their properties within the
Windows 2000 domain. To use it, select Start | Programs | Administrative Tools | Active Directory Sites
and Services.

Alternatively, navigate to Server Manager > Tools > Active Directory Sites and Services; in the Active Directory
Sites and Services window, right-click Sites and select New Site.

To manage AD sites and subnets, use the Active Directory Sites and Services snap-in
(dssite.msc)

Two topologies are found in a well-designed network: the Physical Topology and the Logical Topology. The Physical Topology
represents the structure of the network, which includes network layout, hardware placement and IP address allocation.
The Logical Topology represents the security boundaries of that network, network services, etc. In an Active Directory
infrastructure, the Domain represents the logical topology while Sites and Subnets represent the physical
topology.

The AD components—sites, subnets, and site links—are referred to as the AD physical topology.

Site: A site is a collection of machines connected at LAN speed. This usually translates to a
building (or group of buildings). Sites are used for a number of purposes: to control
replication between domain controllers, to determine the domain controller a user will
authenticate against, to select the instance of a site-aware application (such as DFS) that will be
accessed, and also to apply group policy.

Subnet: A subnet is equivalent to a networking subnet. It defines a set of IP addresses. Subnets are
linked to a site and define the IP addresses available in that site. This aids machines in finding
a domain controller. The subnet information is stored in Active Directory for reference
purposes. It is not used to control the network or the IP addresses assigned to client machines.

Site Link (a.k.a. intersite transports): A site link is a logical link in Active Directory between two sites.
Replication between intersite domain controllers follows the site link topology. The replication traffic
follows the site links as defined in AD, but the real, physical network links control the actual routing
of that traffic. If a domain controller isn't available in the user's site, the site links are used to
find an available DC.

Site Link Bridge: A site link bridge consists of a set of site links that are transitive—all of the sites in the bridge
can communicate directly with each other. By default, all site links are bridged. This should
only be changed if there are underlying network routing issues that prevent all sites from
communicating directly with each other.
The AD physical topology has a low volatility. You'll rarely need to make changes to your sites and subnets, but you need to
understand how they work because they can have a big impact on replication, authentication, and general AD health.
A site can simply be defined as a physical location or network. It can be a separate building, a separate city or even a
separate country. This step-by-step provides an example by detailing the setup and configuration of sites
and subnets. Two sites, Site A and Site B, will be created and then assigned to the relevant servers along with their subnets.
The environment to be created is as follows:

Server Name        Roles                           Operating System                  Site                     Subnets
DC1.contoso.com    Primary Domain Controller       Windows Server 2012 R2 Standard   Site A (HQ)              192.168.148.0/24
SRV1.contoso.com   Additional Domain Controller    Windows Server 2012 R2 Standard   Site B (Branch Office)   10.10.10.0/24

Step 1: Creating a new site

The Active Directory Sites and Services console is used to create and manage sites, and to control how the
directory is replicated within a site and between sites. Using this tool, you can specify connections between
sites and how they are to be used for replication.
The AD Sites and Services console can be accessed via Server Manager or
the Administrative Tools folder from the Start Menu.
1. Navigate to Server Manager > Tools > Active Directory Sites and Services
2. In the Active Directory Sites and Services window, right-click Sites and select New Site
3. Enter SiteA in the Name: box
4. Select the DEFAULTIPSITELINK and click OK
5. Click OK to complete the site creation
6. Repeat steps 1 to 4 and create SiteB. Once completed, both SiteA and SiteB are listed under Sites.

Step 2: Creating subnets
1. Repeat steps 1 to 3 and use prefix 10.10.10.0/24 assigned to SiteB
Step 3: Creating Site Links
1. In the Active Directory Sites and Services MMC, right-click Inter-Site Transports > IP and then click New Site Link
2. In the New Object – subnet window, enter a desired name for the link, select both SiteA and SiteB, and click Add
3. Click OK to continue
4. The link is created with the default values, but it can be tuned. Right-click the link
and select Properties
5. In the SiteA-SiteB Dedicated Link Properties window, the cost defines the link's assigned bandwidth.
6. The replication schedule between the sites can also be defined. To do this, click Change Schedule
7. Define a custom schedule and click OK
8. Click OK to apply the changes
 
Step 4: Moving the Domain controllers to the newly created sites
1. In the Active Directory Sites and Services MMC, navigate to Default-First-Site-Name > Servers
2. Right-click the domain controller you want to move and select Move…
3. In the Move Server window, select SiteA as the site the domain controller will move to and click OK
4. Repeat steps 1 to 3 to move SRV1 to SiteB


Suppose your organization has a head office and two branches in different cities. Your task is to
create the correct AD site and subnet architecture.

To manage AD sites and subnets, use the Active Directory Sites and Services snap-in
(dssite.msc). By default, there is only one Default-First-Site-Name site in the console. Rename it
to HQ.

Hint. You can rename the site using PowerShell:

Get-ADReplicationSite Default-First-Site-Name | Rename-ADObject -NewName NewSiteName

Now create 2 new sites:

 Toronto
 Vancouver

Click on Sites > New Site.

Specify the site name, select the link name (the default is DEFAULTIPSITELINK with IP transport) and
click OK. Create the other site the same way.
Now you need to create IP subnets and add them to the appropriate AD site. The list of IP
subnets is located in the Subnets section and is empty by default.

Create a new subnet: Subnets -> New Subnet.

Specify the IPv4 subnet and subnet mask in the format 192.168.1.0/24 and bind it to the desired
AD site.

Similarly, create all other IP subnets in your organization and map them to Active Directory sites.
You can create a subnet and add it to an AD site using PowerShell:

New-ADReplicationSubnet -Name "192.168.100.0/24" -Site "HQ"

To display all IP subnets, run the command:

Get-ADReplicationSubnet -Filter *

After creating sites and subnets, you can install additional domain controllers in the new sites. When
you install an additional DC, it is automatically placed in the site to which the IP subnet of the
domain controller is bound. If no site is assigned to the domain controller's subnet, by default it
will be placed in the site that authorized the promotion of the server to a domain controller.
Site links are used for communication between sites. A site link connects 2 or more AD sites and
matches the physical connection topology between the sites. For example, if all three of your sites
can be directly connected to each other, just create a single site link that includes all 3 sites.

You can manage site links in the same console in the section Inter-Site Transports > IP.
By default, there is only one link, named DEFAULTIPSITELINK, containing all three sites with a replication
schedule of every 3 hours.
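The head-office/two-branch topology of this scenario (and the Step 1 to Step 4 procedure above) can be built from the ActiveDirectory module instead of the console. The following is an added example, not part of the original notes. The site names HQ, Toronto and Vancouver and the 192.168.100.0/24 subnet come from the notes; the two branch subnets and the DC name SRV1 used in the move are assumptions to be replaced with your own values. It assumes an account with rights to modify the Configuration NC (by default Enterprise Admins).

```powershell
# Added example (not from the original notes): create the HQ/Toronto/Vancouver site
# topology, bind subnets to sites, put all three sites on one IP site link, and move a DC.
# Assumes the ActiveDirectory module and Enterprise Admin-level rights.
# Branch subnets and the DC name 'SRV1' are assumed placeholders.
Import-Module ActiveDirectory

# 1. Rename the default site to HQ (the same operation as the Hint above).
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) { $default | Rename-ADObject -NewName 'HQ' }

# 2. Create the branch sites; skip any that already exist so the script can be re-run.
foreach ($site in 'Toronto', 'Vancouver') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 3. Subnets decide which site a DC (and every client) is considered to be in, so a DC
#    promoted with an address in 10.20.0.0/24 lands in Toronto automatically.
$subnets = @{
    '192.168.100.0/24' = 'HQ'         # from the notes
    '10.20.0.0/24'     = 'Toronto'    # assumed
    '10.30.0.0/24'     = 'Vancouver'  # assumed
}
foreach ($prefix in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix]
    }
}

# 4. All three sites reach each other directly, so one IP site link containing all of
#    them is enough. Cost 100 and 180 minutes are the defaults the notes mention; lower
#    the interval on a well-connected link if you need faster convergence.
$link = Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'"
Set-ADReplicationSiteLink -Identity $link -SitesIncluded @{ Add = 'HQ', 'Toronto', 'Vancouver' } `
    -Cost 100 -ReplicationFrequencyInMinutes 180

# 5. Moving a DC into a site is the same as the "Move..." action in the console
#    (Step 4 above). Uncomment with your own DC name.
# Move-ADDirectoryServer -Identity 'SRV1' -Site 'Toronto'

# 6. Verify the result: every subnet maps to the intended site and the link lists all sites.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

The existence checks in steps 2 and 3 matter because New-ADReplicationSite and New-ADReplicationSubnet fail on a duplicate name, and a half-applied topology leaves DCs in the wrong site until the next run. Step 6 is the check to repeat after any change: a DC whose address falls in no listed subnet is the usual cause of clients authenticating against a DC across the WAN.
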

AZURE AD
Azure Active Directory is a secure online authentication store, which can contain users and groups.
Users have a username and a password which are used when you sign in to an application that uses Azure AD for
authentication.
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your
employees sign in and access resources in:
a) External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
b) Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your
own organization.
Technically, Azure Active Directory is Microsoft’s multi-tenant, cloud-based directory and identity management service.

Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple
on-premises infrastructure components and systems using a single identity per user.
Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution
for all their apps across cloud and on-premises.

Windows Active Directory (AD) was the previous version of Azure AD.
