2/19/2019
System Administration
What is a directory service?
What is AD?
Active Directory Domain Services overview
Why AD?
AD components
M. Rebwar Raees
A directory service is a container that provides a hierarchical structure and allows objects to be stored for quick and easy access and manipulation. A directory service is like an electronic phone directory that lets you search for a name and retrieve the phone number, address, or other information without knowing where that person lives.
Before directory services, if you needed a file, you needed to know the name of the file, the name of the server on which it was stored and its folder path. This works well on a small network, but as the network grows it becomes challenging.
A directory service is the means by which users and administrators can locate resources regardless of where those resources are located.
Also, a typical user used to have more than one user account or password, and as the network grew the number of usernames and passwords grew with it: one for the file server, one for the email server, etc.
Is there an answer from Microsoft regarding directory services?
Active Directory is Microsoft's answer to directory services, and it does a lot more than just locate resources.
Active Directory takes care of the multiple-password problem by using Kerberos authentication and Single Sign-On (SSO).
SSO means the ability of Kerberos to provide a user with one set of credentials and grant them access across a range of resources and services with that same set of credentials.
Kerberos authenticates the credentials and issues the user a ticket with which the user gains access to the resources and services that support Kerberos.
Active Directory also makes user management easier, as it acts as a single repository for all user- and computer-related information.
AD uses LDAP as its access protocol.
The port number for LDAP is 389.
Active Directory is based on a standardized directory service called Lightweight Directory Access Protocol (LDAP).
LDAP evolved from the X.500 standards and a protocol called Directory Access Protocol (DAP). With the revised, lighter version of DAP came LDAP, which serves as both the service and the protocol, and runs over TCP/IP.
What is AD DS?
AD DS stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches.
What is the AD DS server role?
AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications.
Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure.
The directory is held in a database file: NTDS.dit.
An Active Directory domain controller (DC) is a server that is running AD DS.
Active Directory is a multimaster database: information is automatically replicated between multiple domain controllers.
AD DS provides a centralized system for managing users, computers, and other resources on a network.
Centralized resource and security administration.
Active Directory provides a single point from which administrators can manage network resources and their associated security objects.
Single logon for access to global resources.
Fault tolerance and redundancy.
Active Directory uses a multimaster domain controller design.
Changes made on one domain controller are replicated to all other domain controllers in the environment.
It is recommended to have two or more domain controllers for each domain.
Simplified resource location.
Authentication is the process of verifying a user's identity on a network. Authentication includes two components:
Interactive logon: grants access to the local computer.
Network authentication: grants access to network resources.
Authorization is the process of verifying that an authenticated user has permission to perform an action.
Authorization happens frequently and unobtrusively whenever users request services, such as opening their home folder, reading or writing files, or requesting access to an AD DS-aware application.
The user only sees the result of the authorization; they are granted or denied access.
AD DS is composed of both physical and logical components:
Physical components
• Data store: Stores the AD DS information. This is a file on each domain controller.
• Domain controllers: Contain a copy of the AD DS database.
• Global catalog server: Hosts the global catalog, which is a partial, read-only copy of all the domain naming contexts in the forest. A global catalog speeds up searches for objects that might be attached to other domain controllers in the forest.
• Read-Only Domain Controller (RODC): Contains a read-only copy of the AD DS database.
• Sites: Collections of users, groups, and computers as defined by their physical locations. Useful in planning administrative tasks such as replication of AD DS.
Logical components
• Partitions: domain directory, configuration directory, schema directory, global catalog, application directory.
• Schema: Defines the list of attributes which all objects in AD DS can have.
• Domains: A logical, administrative boundary for users and computers.
• Domain trees: A collection of domain controllers that share a common root domain.
• Forests: Collections of domains that share a common AD DS.
• Organizational units (OUs): Organize the elements found at a given site or domain for the purpose of securing them more selectively.
DC: a server with the AD DS server role installed that has specifically been promoted to a domain controller. Domain controllers:
Allow administrative access to manage user accounts and network resources.
Replicate updates to other domain controllers in the domain and forest.
Provide authentication and authorization services.
Host a copy of the AD DS directory store.
Global catalog servers are domain controllers that also store a copy of the global catalog.
The global catalog (GC):
Is required for users to log on to a domain.
Improves the efficiency of object searches by avoiding unnecessary referrals to domain controllers.
Contains a copy of all AD DS objects in the forest that includes only some of the attributes of each object in the forest.
Read-Only Domain Controller (RODC)
Introduced with Windows Server 2008.
A domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers in Active Directory.
An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection.
Sites are:
Associated with IP subnets.
Used to manage replication traffic.
Used to manage client logon traffic.
Used by site-aware applications such as Distributed File System (DFS) or Exchange Server.
Used to assign Group Policy objects to all users and computers in a company location.
The primary reasons for creating sites are:
Control network traffic across wide area network (WAN) links.
Minimize replication traffic across the WAN link, because you can schedule the replication.
Control client logon traffic and provide a better client logon experience, because client computers will always connect to a domain controller in their own site.
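The site/subnet association described above, shown as an added example that is not part of the original slides: a small model in which client addresses are matched against the subnets defined for each site (most specific subnet wins) so that a client is directed to the domain controllers of its own site. The site names, subnets and DC names are constructed sample data, and a client whose address matches no defined subnet is reported, since such clients are the ones that end up authenticating across the WAN.

```python
import ipaddress

# Constructed sample site topology (not a real forest): site -> subnets and the DCs in it.
# The default site deliberately has no subnets attached, as is common in practice.
SITES = {
    "Default-First-Site-Name": {"subnets": [], "dcs": ["DC01"]},
    "Erbil": {"subnets": ["10.10.0.0/16"], "dcs": ["DC02"]},
    "Erbil-Lab": {"subnets": ["10.10.5.0/24"], "dcs": ["DC04"]},
    "Sulaymaniyah": {"subnets": ["10.20.0.0/16"], "dcs": ["DC03"]},
}


def build_subnet_table(sites):
    """Flatten the site definitions into (network, site) pairs, most specific first."""
    table = []
    for site, cfg in sites.items():
        for cidr in cfg["subnets"]:
            table.append((ipaddress.ip_network(cidr), site))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def resolve_site(client_ip, sites=SITES):
    """Return the site whose subnet most specifically contains client_ip.

    Returns None when no subnet matches, i.e. the client's subnet is missing
    from the site topology and the client cannot be placed in a site."""
    addr = ipaddress.ip_address(client_ip)
    for network, site in build_subnet_table(sites):
        if addr in network:
            return site
    return None


def dcs_for_client(client_ip, sites=SITES):
    """DCs the client should prefer: those in its own site; with no site
    match, any DC in the forest may answer (simplified model of DC locator)."""
    site = resolve_site(client_ip, sites)
    if site is None:
        return sorted(dc for cfg in sites.values() for dc in cfg["dcs"])
    return list(sites[site]["dcs"])


def unmapped_clients(client_ips, sites=SITES):
    """Audit helper: client addresses that match no defined subnet."""
    return [ip for ip in client_ips if resolve_site(ip, sites) is None]
```

Running `unmapped_clients` over the addresses seen in logon logs is a quick way to find subnets that were never added to the site topology.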
Schema: the schema acts as the building blocks of Active Directory. It holds all of the information needed to create users, groups, computers, and so on within Active Directory. There is only one schema for the entire forest.
Individual resources are called objects.
Objects belong to classes.
Each class has its own attributes, defined in the schema.
Object types:
• Class object: defines what objects can be created in the directory. Examples: User, Computer.
• Attribute object: information that can be attached to an object. Example: Display name.
Default classes: Domain, Shared folder, User Account, Computer, Group, Printer, Shared Drive.
Domain: the domain is the core unit of logical structure in Active Directory. All objects which share a common directory database, trust relationships with other domains, and security policies are known as a domain.
(Figure: a domain, domain.local)
A domain is:
An administrative boundary for applying policies to groups of objects.
A replication boundary for replicating data between domain controllers.
An authentication and authorization boundary that provides a way to limit the scope of access to resources.
Tree: trees are groups of domains that share a contiguous namespace.
All domains in a tree share:
Schema
Configuration
Global catalog
Forest: contains one or more trees and one or more namespaces. Unlike a tree, a forest can contain several disjointed namespaces.
All domains in a forest share:
Schema
Configuration
Global catalog
(Figure: a forest with two trees: contoso.msft with the child domain sales.contoso.msft, and nwtraders.msft with the child domains marketing.nwtraders.msft and sales.nwtraders.msft.)
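The tree and forest rules above (a tree is a contiguous namespace; a forest may hold several disjoint ones), shown as an added example that is not part of the original slides: a model that groups the domains from the forest figure into trees by walking each domain's DNS parent chain, and derives each domain's LDAP naming context (the DC= distinguished name used over port 389). The grouping logic is an illustration of the rule as stated, not Microsoft's implementation, and it also covers a lone domain whose DNS parent is not in the forest, which becomes its own tree root.

```python
def domain_to_dn(dns_name):
    """Map a DNS domain name to its LDAP domain naming context, e.g.
    sales.contoso.msft -> DC=sales,DC=contoso,DC=msft.
    The two 'sales' domains in the figure get distinct DNs this way."""
    return ",".join("DC=" + label for label in dns_name.lower().split("."))


def parent_domain(dns_name):
    """DNS parent of a domain (sales.contoso.msft -> contoso.msft); '' at the top."""
    labels = dns_name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def tree_root(dns_name, domains):
    """Walk up the namespace while the parent is also a domain in the forest;
    the last domain reached is the root of the tree (contiguous namespace)."""
    root = dns_name.lower()
    while parent_domain(root) in domains:
        root = parent_domain(root)
    return root


def build_forest(domains):
    """Group domains into trees keyed by their tree root.
    Disjoint namespaces become separate trees within the same forest."""
    domain_set = {d.lower() for d in domains}
    forest = {}
    for d in sorted(domain_set):
        forest.setdefault(tree_root(d, domain_set), []).append(d)
    return forest


# Domain names taken from the forest figure on the slide.
FOREST_DOMAINS = [
    "contoso.msft", "sales.contoso.msft",
    "nwtraders.msft", "marketing.nwtraders.msft", "sales.nwtraders.msft",
]
```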
Organizational Units (OUs): Active Directory containers that can contain users, groups, computers, and other OUs.
Default containers include Users, Computers, and Builtin,…
OUs are used to:
Represent your organization hierarchically and logically.
Delegate permissions to administer groups of objects.
Manage a collection of objects in a consistent way.
Apply policies.