Active Directory is a centralized database that contains user account and security information. In a workgroup, security and management takes place on each computer, with each computer holding information about users and resources. With Active Directory, all computers share the same central database.
The Active Directory structure is a hierarchical framework made up of the following components:
Component | Description |
Domain | A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure.
Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains. |
Objects | Within Active Directory, each resource is identified as an object. Common objects include:
You should know the following about objects:
|
Organizational Unit (OU) | An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit:
You should know the following about OUs:
|
Generic Containers | Like OUs, generic containers are used to organize Active Directory objects. Generic container objects:
|
Trees and Forests | Multiple domains are grouped together in the following relationship:
Trees and forests have the following characteristics:
|
Domain Controller | A domain controller is a server that holds a copy of the Active Directory database that can be written to. Replication is the process of copying changes to Active Directory between the domain controllers. |
Sites and Subnets | Active Directory uses the following two objects to represent the physical structure of the network.
You should know the following about sites and subnets:
|
The Active Directory database is stored in a file called NTDS.dit, the physical database file in which all directory data is kept. This file consists of three internal tables:
• The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.
• The link table contains data that represents linked attributes, which contain values that refer to other objects in Active Directory.
• The security descriptor (SD) table contains data that represents inherited security descriptors for each object.
Global Catalog | The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because a query can be answered locally instead of being referred to domain controllers in other domains. |
Operations Master Roles | Operations master roles, also referred to as Flexible Single-Master Operation (FSMO) roles, are specialized domain controller tasks assigned to a domain controller in the domain or forest. Operations master roles are useful because certain domain and enterprise-wide operations are not well suited for the multi-master replication performed by Active Directory to replicate objects and attributes. A domain controller that performs an operations master role is known as an operations master or operations master role owner.
The following roles are forest roles, meaning that one domain controller within the entire forest holds the role:
The following roles are domain roles, meaning that one domain controller in each domain holds the role:
As you install or remove domain controllers, you will need to be aware of which domain controllers hold these roles. |
Functional Level | A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest. A functional level defines:
Windows Server 2008 supports the following domain functional levels:
Windows Server 2008 supports the following forest functional levels:
Note: You cannot have Windows NT domain controllers and Windows Server 2008 domain controllers in the same forest. |
Group Policy | A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.
Group Policy is an important component of Active Directory because through Group Policy you can centrally manage and enforce desktop and other settings for users and computers within your organization. For example, with Group Policy you can:
|
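The table above describes the pieces of the Active Directory structure (domains, OUs, generic containers, domain controllers, the Global Catalog, operations master roles, functional levels, and sites and subnets) but does not show how to see them on a live forest. The following PowerShell script is an added example, not part of the original notes; it uses the .NET System.DirectoryServices classes that ship with Windows Server 2008 and assumes it is run on a domain-joined computer by a user who is allowed to read the directory. It prints the forest and domain functional levels, every domain in the forest, the owner of each operations master role, the domain controllers in the current domain with a marker for those that are also global catalog servers, the sites and their subnets, and finally every OU and generic container in the domain. Keeping such an inventory is how an administrator knows which domain controllers must not be removed without first transferring a role.

```powershell
# Added example (not from the original notes): inventory the logical and physical
# Active Directory structure using System.DirectoryServices, available on
# Windows Server 2008. Run from PowerShell on a domain-joined machine.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Functional levels constrain which directory features are available
"Forest : {0}  (forest functional level: {1})" -f $forest.Name, $forest.ForestMode
"Domain : {0}  (domain functional level: {1})" -f $domain.Name, $domain.DomainMode

# Trees and forests: every domain in the forest and whether it is a tree root
"`nDomains in the forest:"
foreach ($d in $forest.Domains) {
    $tree = if ($d.Parent) { "child of " + $d.Parent.Name } else { "tree root" }
    "  {0,-30} {1}" -f $d.Name, $tree
}

# Operations master (FSMO) roles: two held per forest, three held per domain
"`nOperations master role owners:"
"  Schema master         : " + $forest.SchemaRoleOwner.Name
"  Domain naming master  : " + $forest.NamingRoleOwner.Name
"  PDC emulator          : " + $domain.PdcRoleOwner.Name
"  RID master            : " + $domain.RidRoleOwner.Name
"  Infrastructure master : " + $domain.InfrastructureRoleOwner.Name

# Domain controllers in this domain, and which of them also hold a Global Catalog replica
"`nDomain controllers in {0}:" -f $domain.Name
$gcNames = $forest.GlobalCatalogs | ForEach-Object { $_.Name }
foreach ($dc in $domain.DomainControllers) {
    $isGc = if ($gcNames -contains $dc.Name) { "GC" } else { "--" }
    "  {0,-30} site={1,-15} {2}" -f $dc.Name, $dc.SiteName, $isGc
}

# Sites and subnets: the physical topology that replication follows
"`nSites and subnets:"
foreach ($site in $forest.Sites) {
    "  {0}" -f $site.Name
    foreach ($subnet in $site.Subnets) { "    subnet {0}" -f $subnet.Name }
}

# Organizational units versus generic containers in the current domain.
# Both hold objects, but only OUs (not generic containers) can have a GPO linked to them.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $domain.Name)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.PageSize = 1000   # page results so large domains are returned completely
$searcher.Filter = "(|(objectClass=organizationalUnit)(objectClass=container))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("objectClass")

"`nOUs and generic containers in {0}:" -f $domain.Name
foreach ($result in $searcher.FindAll()) {
    $classes = $result.Properties["objectclass"]
    $kind = if ($classes -contains "organizationalUnit") { "OU       " } else { "container" }
    "  {0} {1}" -f $kind, $result.Properties["distinguishedname"][0]
}
```

The script only reads the directory; transferring or seizing a role is a separate administrative action. Because the role owners, global catalog servers and site membership all come from the same forest object, running it before and after a domain controller is added or removed gives a quick check that no operations master role was left on a server that is about to go away.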
Active Directory Server Roles
An Active Directory server role is a logical grouping of features and services that are required to perform a specific function in the Active Directory environment. Prior to Windows Server 2008, some Active Directory server roles were not incorporated into Active Directory; instead, they were available as Microsoft downloads. Functionality and services are added to your server by adding the following:
- A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server.
- Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role.
- A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support.
The Active Directory server roles are described in the following table:
Role | Description |
Active Directory Domain Services (AD DS) | AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:
|
Active Directory Lightweight Directory Service (AD LDS) | Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database. |
Active Directory Federation Services (AD FS) | AD FS is a feature which enables secure access to web applications outside of a user’s home domain or forest. The AD FS role:
|
Active Directory Rights Management Service (AD RMS) | AD RMS is a feature which safeguards digital information from unauthorized use. The AD RMS role:
|
Active Directory Certificate Services (AD CS) | AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. The AD CS role:
AD CS supports:
|
Note: All roles except for AD FS are supported on the Standard, Enterprise, and Datacenter editions of Windows Server 2008. AD FS requires the Enterprise or Datacenter edition for deployment.
Server core is a minimal server installation option which provides a low-maintenance version of Windows Server 2008. Be aware of the following when using server core:
- The server core interface has limited GUI support, with most tasks being performed only from a command prompt.
- You can only perform a clean installation of server core; you cannot upgrade to or from server core.
- Server core can only run a limited set of server roles:
  - Active Directory
  - Active Directory Lightweight Directory Services (AD LDS)
  - Dynamic Host Configuration Protocol (DHCP) Server
  - DNS Server
  - File Server
  - Print Server
  - Media Services
  - Web Server (IIS)
- Server core has the following limitations:
  - There is no Windows Shell.
  - There is no managed code support (no .NET Framework); all code has to be native Windows API code.
  - There is only MSI support for unattended mode installs.
- To manage a server core system:
  - Log on and use the command prompt.
  - Log on using Remote Desktop to gain access to the command prompt.
  - Use Windows Remote Shell (winrm).
  - Run Server Manager or another tool on another computer and connect to the server core system. This method allows you to use a GUI for managing the server core system.
- Run oclist to see a list of roles, role services, and features that can be installed on server core.
- Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive.