Active Directory offers a set of services for administrators to manage their IT networks. These services are deployed on a Windows server called a domain controller. Active Directory Domain Services (AD DS) is the most widely used Active Directory service. It authenticates Active Directory objects and authorizes access to network resources. AD DS also stores and organizes data in a logical, hierarchical structure and can be managed from anywhere in the network. Other important AD services include Active Directory Federation Services (AD FS), Active Directory Certification Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), and Active Directory Rights Management Services (AD RMS).
Read on to learn more about Active Directory and its services.
Active Directory offers the following services to secure and maintain your organization's network.
Active Directory Domain Services (AD DS) is one among the many services offered by Active Directory. AD DS provides the flexibility to organize and manage your network resources from a single console.
Domain controllers (DCs) are the Active Directory servers that host AD DS. DCs authenticate Active Directory objects and enforce their security, which makes them the key components of an Active Directory environment; they have to be up and running at all times and are therefore designed to be resilient and fault tolerant. Applications and clients interact with DCs over the Lightweight Directory Access Protocol (LDAP), and an LDAP query is how information is fetched from the Active Directory database. Active Directory objects are stored on the DCs, and in an organization with multiple DCs the data and every change made to it are replicated systematically between them.
The Global Catalog (GC) is a data storage catalog that is equivalent to a book index. The GC server is a DC that makes it easier to search for and locate Active Directory objects from any domain in a forest. The GC server holds a copy of all the objects in its domain and a partial copy of objects from other domains in the forest. This is managed by the AD DS replication system.
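The difference between a domain-scoped LDAP query against a DC and a forest-wide query against the GC, shown as an added PowerShell example (not code from the original page). It assumes the RSAT ActiveDirectory module is installed; the account name jdoe is a constructed sample value.

```powershell
# Added example: same LDAP filter, queried first against a DC (one domain)
# and then against the Global Catalog port 3268 (every domain in the forest).
Import-Module ActiveDirectory

# Pick any DC that also holds the GC role in the current forest.
$gcServer = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
            Select-Object -First 1

# Constructed sample: look up one user by its sAMAccountName.
$filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))'

# 1) Domain scope: LDAP on port 389, only the objects of this DC's domain.
Write-Output "Domain-scoped search on $gcServer"
Get-ADObject -LDAPFilter $filter -Server $gcServer `
             -Properties sAMAccountName, userPrincipalName, description

# 2) Forest scope: same server, port 3268, empty SearchBase = all partitions
#    the GC holds. Only attributes in the partial attribute set come back;
#    'description' is not in it by default, so it is empty here even if set.
Write-Output "Forest-wide search on ${gcServer}:3268"
Get-ADObject -LDAPFilter $filter -Server "${gcServer}:3268" -SearchBase '' `
             -Properties sAMAccountName, userPrincipalName, description
```

If the GC result is missing an attribute you need, query the object's home domain on port 389 instead; the GC's partial copy is for locating objects, not for reading every attribute.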
The entire Active Directory database is stored in the ntds.dit file, and the information on it is segregated into directory partitions (naming contexts). The data stored in a partition depends on the partition type, and each partition has an independent replication scope.
By default, there are three partitions in Active Directory, and AD DS also lets you configure application directory partitions as and when needed.
DCs also hold specific roles that keep replication consistent: most Active Directory changes are multi-master and resolved by "last writer wins", which is unsafe for some operations, so those operations are handled by a single master. There are five Flexible Single Master Operation (FSMO) roles, each held by exactly one DC. They are:
1. Schema master: the DC with this role handles updates to the Active Directory schema. This role is unique in a forest.
2. Domain naming master: the DC with this role adds domains to, or removes domains from, your Active Directory. Like the schema master role, there is only one per forest.
3. PDC emulator: there is only one domain controller with the primary domain controller (PDC) emulator role in a domain. This DC handles password change requests, time synchronization, and bad password attempts.
4. RID master: this role is unique to a domain. The DC with this role allocates identifiers to the other DCs in the domain, so that every new security principal's SID (the domain SID plus a unique relative ID, or RID) stays unique.
5. Infrastructure master: the DC with this role takes care of cross-domain updates and references. The infrastructure master role should be on a DC that is not a GC server.
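A check for the FSMO placement rule above, as an added PowerShell example (not code from the original page). It assumes the RSAT ActiveDirectory module and a reader account; the exception it allows for (a GC-hosted infrastructure master is harmless only when every DC in the domain is a GC) is Microsoft's documented guidance, not something the page states.

```powershell
# Added example: list the five FSMO role holders, then verify that the
# infrastructure master is not also a Global Catalog server.
Import-Module ActiveDirectory

$forest = Get-ADForest              # forest-wide roles live here
$domain = Get-ADDomain              # domain-wide roles for the current domain

$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($name in $roles.Keys) {
    '{0,-22} {1}' -f $name, $roles[$name]
}

# Placement rule: the infrastructure master updates cross-domain references
# by comparing its own copy with a GC. On a GC it never sees a difference,
# so stale references are never fixed, unless every DC is itself a GC.
$imDc   = Get-ADDomainController -Identity $domain.InfrastructureMaster
$allDcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$nonGc  = @($allDcs | Where-Object { -not $_.IsGlobalCatalog })

if ($imDc.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning ("Infrastructure master {0} is a GC while {1} DC(s) are not; " +
                   "move the role to one of: {2}") -f $imDc.HostName, $nonGc.Count,
                   (($nonGc | ForEach-Object HostName) -join ', ')
} else {
    Write-Output "Infrastructure master placement is fine ($($imDc.HostName))."
}
```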
DCs respond to authentication requests and authorize access to resources based on the set permissions. AD DS logs all these requests, their status, user activity, and the changes made to Active Directory objects.
Active Directory stores information in a logical, hierarchical framework to streamline Active Directory management. An object is the smallest unit in this hierarchy, and a forest is the largest.
A schema in Active Directory lets you define which objects can be stored in your Active Directory. Every object has a set of attributes based on its classSchema. The schema is extensible and can be structured based on an organization's needs. However, changes made to the schema are irreversible, so it should only be updated or modified when it is essential.
Active Directory stores network resources and related information as objects. User accounts, computer accounts, contacts, groups, organizational units, and shared folders are all the different objects that can be found in Active Directory.
Objects that can be authenticated (user accounts, computer accounts, and groups) are called security principals; other objects, such as printers, are called resources. Attributes like sAMAccountName or userPrincipalName identify a single object and cannot be duplicated. Every Active Directory object in a domain has a globally unique identifier (GUID) and a SID that is relative to that domain. SIDs are built from the identifier pools allocated by the DC holding the RID master FSMO role.
Objects can be grouped into organizational units (OUs) or groups based on administrative need. OUs in Active Directory are container objects and can contain objects like user accounts, computers, or other OUs in the domain, which are referred to as nested OUs. Configuring OUs enables you to depict an organization's structure, apply Group Policies, and delegate administrative rights.
Active Directory groups allow you to organize the security principals in your Active Directory for ease of administration. There are two different groups in Active Directory: security and distribution groups.
Security groups are used to assign permissions and user rights. They can also be mail-enabled, so they can be used to send messages to all their members at once. Every security group has a group scope, which determines how far the assigned permissions and user rights reach in Active Directory. There are three group scopes: universal, global, and domain local.
Distribution groups are mail-enabled only and cannot be used to assign permissions; they exist to send out emails and are extremely handy in an Exchange environment.
Objects in the same network and with similar security constraints can be logically grouped into a domain. Domains can have subdomains within them called child domains. Changes made to domains are constantly updated in the domain naming context.
Domains in Active Directory that share a common root and trust relationships form a tree. As a whole, all these components make up a forest. A forest in Active Directory contains domains that share a common structure, GC, and schema. It acts as a security constraint and can be accessed by other Active Directory forests only when a trust relationship is configured between them.
Active Directory acts as a centralized management tool and is highly scalable. It lets you oversee your IT network from a single console and allows you to customize objects to meet your organization's requirements. It comes with a built-in replication feature that distributes data across the DCs in your network, and with backup and recovery, so that once backups are configured, information can be restored whenever it is needed.
Overall, Active Directory helps in managing your IT network, but make sure to structure it carefully, because it can make or break your business.
Administrative tasks like object creation, modification, and deletion; password resets; and access control can be performed using the Active Directory Users and Computers console (ADUC). Active Directory objects can also be managed using PowerShell scripts. The GC server, Active Directory replication, sites, subnets, and other related settings can be configured in the Active Directory Sites and Services snap-in.
A Group Policy in Active Directory allows you to configure the Windows environment of users and computers. Policy settings and preferences are grouped and contained in a Group Policy Object (GPO). GPOs can be applied at the OU, domain, or site level. They can be modified using the Local Group Policy Editor or the Group Policy Management Console.
Apart from the snap-ins provided by Microsoft, Active Directory can also be managed using ADManager Plus, an Active Directory management and reporting solution.