Active Directory 1

Active Directory is a centralized database that contains user account and security information. In a workgroup, security and management takes place on each computer, with each computer holding information about users and resources. With Active Directory, all computers share the same central database.

The Active Directory structure is hierarchical framework the following components:

Component	Description
Domain	A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure. Database information is replicated (shared or copied) within a domain. Security settings are not shared between domains. Each domain maintains its own set of relationships with other domains. Domains are identified using DNS names. The common name is the domain name itself. The distinguished name includes the DNS context or additional portions of the name. Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains.
Objects	Within Active Directory, each resource is identified as an object. Common objects include: Users Groups Computers Shared folders You should know the following about objects: Each object contains attributes (i.e. information about the object such as a user’s name, phone number, and email address) which is used for locating and securing resources. The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the object. Active Directory uses DNS for locating and naming objects. Container objects hold or group other objects, either other containers or leaf objects.
Organizational Unit (OU)	An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit: Is a container object. Can be used to logically organize network resources. Simplifies security administration. You should know the following about OUs: First-level OUs can be called parents. Second-level OUs can be called children. OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).
Generic Containers	Like OUs, generic containers are used to organize Active Directory objects. Generic container objects: Are created by default Cannot be created, moved, renamed, or deleted Have very few editable properties
Trees and Forests	Multiple domains are grouped together in the following relationship: A tree is a group of related domains that share the same contiguous DNS name space. A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces. Trees and forests have the following characteristics: The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest. The tree root domain is the highest level domain in a tree. Each domain in the tree that is connected to the tree root domain is called a child domain. A domain tree is a group of domains based on the same name space. Domains in a tree: Are connected with a two-way transitive trust. Share a common schema. Have common global catalogs.
Domain Controller	A domain controller is a server that holds a copy of the Active Directory database that can be written to. Replication is the process of copying changes to Active Directory between the domain controllers.
Sites and Subnets	Active Directory uses the following two objects to represent the physical structure of the network. A subnet represents a physical network segment. Each subnet possesses its own unique network address space. A site represents a group of well-connected networks (networks that are connected with high-speed links). You should know the following about sites and subnets: Sites and subnets are used to manage Active Directory replication between locations. All Active Directory sites contain servers and site links (the connection between two sites that allows replication to occur). Site links are used by Active Directory to build the most efficient replication topology. A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization. Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask. Domain controllers are assigned to sites according to the location of their associated server object in Active Directory.

The Active Directory database has a file called NTDS.dit. It is the physical database file in which all directory data is stored. This file consists of three internal tables:
• The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.
• The link table contains data that represents linked attributes, which contain values that refer to other objects in Active Directory.
• The security descriptor (SD) table contains data that represents inherited security descriptors for each object.

Global Catalog	The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced.
Operations Master Roles	Operations master roles, also referred to as Flexible Single-Master Operation (FSMO) roles, are specialized domain controller tasks assigned to a domain controller in the domain or forest. Operations master roles are useful because certain domain and enterprise-wide operations are not well suited for the multi-master replication performed by Active Directory to replicate objects and attributes. A domain controller that performs an operations master role is known as an operations master or operations master role owner. The following roles are forest roles, meaning that one domain controller within the entire forest holds the role: The schema master maintains the Active Directory schema for the forest. The domain naming master adds new domains to and removes existing domains from the forest. The following roles are domain roles, meaning that one domain controller in each domain holds the role: The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controller when creating new security principles (such as user, group, or computer accounts). The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers. The infrastructure master is responsible for updating changes made to objects. As you install or remove domain controllers, you will need to be aware of which domain controllers hold these roles.
Functional Level	A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest. A functional level defines: Which Active Directory Domain Services (AD DS) features are available to the domain or forest. Which Windows Server operating systems can be run on domain controllers in the domain or forest. Functional levels do not affect which operating systems you can run on workstations and servers that are joined to the domain or forest. Windows Server 2008 supports the following domain functional levels: Windows 2000 Native Windows Server 2003 Windows Server 2008 Windows Server 2008 supports the following forest functional levels: Windows 2000 Windows Server 2003 Windows Server 2008 Note: You cannot have Windows NT domain controllers and Windows Server 2008 domain controllers in the same forest.
Group Policy	A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values. Group Policy is an important component of Active Directory because through Group Policy you can centrally manage and enforce desktop and other settings for users and computers within your organization. For example, with Group Policy you can: Enforce a common desktop for users Remove desktop components, such as preventing access to the Control Panel Restricting what actions users can perform, such as preventing users from shutting down the system Automatically installing software Dynamically set registry settings required by applications

Active Directory Server Roles

An Active Directory server role is a logical grouping of features and services that are required to perform a specific function in the Active Directory environment. Prior to Windows Server 2008, some Active Directory server roles were not incorporated into the Active Directory, rather they were available as Microsoft downloads. Functionality and services are added to your server by adding the following:

• A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server.
• Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role.
• A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support.

The Active Directory server roles are described in the following table:

Role	Description
Active Directory Domain Services (AD DS)	AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role: Helps administrators securely manage information. Facilitates resource sharing and collaboration between users. Is required to be installed on the network to install directory-enabled applications such as Microsoft Exchange Server and for applying other Windows Server technologies, such as Group Policy.
Active Directory Lightweight Directory Service (AD LDS)	Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database.
Active Directory Federation Services (AD FS)	AD FS is a feature which enables secure access to web applications outside of a user’s home domain or forest. The AD FS role: Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account. Securely federates (shares) user identities and access rights in the form of digital claims between partner organizations.
Active Directory Rights Management Service (AD RMS)	AD RMS is a feature which safeguards digital information from unauthorized use. The AD RMS role: Can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions. Allows organizations to create custom usage rights templates (such as “Confidential – Read Only”) that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data.
Active Directory Certificate Services (AD CS)	AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. The AD CS role: Provides customizable services for creating and managing public key certificates. Enhances security by binding the identity of a person, device, or service to a corresponding private key. Includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments. AD CS supports: Digital signatures Encrypting File System (EFS) Internet Protocol security (IPsec) Secure/Multipurpose Internet Mail Extensions (S/MIME) Secure Socket Layer/Transport Layer Security (SSL/TLS) Secure wireless networks Smart card logon Virtual Private Networks (VPN)

Note: All roles except for AD FS are supported on the Standard, DataCenter, and Enterprise editions of 2008. AD FS requires the DataCenter or Enterprise editions for deployment.

 

Server core is a minimal server installation option which provides a low-maintenance version of Windows Server 2008. Be aware of the following when using server core:

• The server core interface has limited GUI support, with most tasks being performed only from a command prompt.
• You can only perform a clean installation of server core; you cannot upgrade to or from server core.
• Server core can only run a limited set of server roles:
  • Active Directory
  • Active Directory Lightweight Directory Services (AD LDS)
  • Dynamic Host Configuration Protocol (DHCP) Server
  • DNS Server
  • File Server
  • Print Server
  • Media Services
  • Web Server (IIS)
• Server core has the following limitations:
  • There is no Windows Shell.
  • There is no managed code support (no .NET framework). All code has to be native Windows API code.
  • There is only MSI support for unattended mode installs.
• To manage a server core system:
  • Log on and use the command prompt.
  • Log on using Remote Desktop to gain access to the command prompt.
  • Use Windows Remote Shell (winrm).
  • Run Server Manager or another tool on another computer and connect to the server core system. This method allows you to use a GUI interface for managing the server core system.
• Run oclist to see a list of roles, role services, and features that can be installed on server core.
• Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive.