Active Directory is the name given to a collection of services created by Microsoft that together deliver a network infrastructure that has:
- Centralized Storage of information about all network objects (users, computers, etc.).
- Authentication (primarily via the Kerberos protocol; NTLM is still accepted for older clients and for cases Kerberos cannot serve, such as access by IP address, so it remains a weaker fallback that has to be monitored).
- Access control, providing permission levels that say who can do what.
- Provision of an audit trail to allow for monitoring of network activity.
Active Directory uses a number of standardized protocols to help provide for this infrastructure creation\management including:
- Lightweight Directory Access Protocol (LDAP), the industry standard directory access protocol, compatible with many management and query applications.
- Kerberos-based authentication
- DNS-based naming and other network information.
These protocols help implement a variety of network services.
Active Directory stores all information and settings for a network infrastructure in a central database.
Active Directory allows administrators to assign policies, deploy and update software.
Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different networks and large server farms spanning many geographical locations.
- Define the boundary or boundaries of your LAN (i.e. Create a domain – a logical boundary).
- Assign a unique name to the boundary\boundaries of your LAN (Give the domain a domain name, a FQDN).
- Within the boundary\boundaries of the LAN organize the network objects within the domain logically (i.e. by department, by job function, by location, etc)
The Domain is the key structure of a Microsoft Active Directory network. Build outwards from a domain and you can construct a collection of domains that share a contiguous namespace (a Tree). Extend this further to a collection of trees and you have a Forest.
Focus in on the domain itself and you can develop the detail within it using containers called Organizational Units (OUs) that allow you to logically organize network objects (users, computers, groups, printers, etc.) by geography, job function, department and so on.
To create a domain, name it and organize it for your Windows based network you need to install the server role called Active Directory (Active Directory Domain Services, AD DS, from Windows Server 2008 onwards) onto a suitable Windows 2000, 2003, 2008\2008 R2, or 2012 Server and promote that server to a domain controller. This role provides the logical structure within which your network objects can be defined and organized. You will also need the support of DNS: clients locate domain controllers and the services Active Directory provides through DNS SRV records published under _msdcs.<domain name>, so the domain's DNS zone must exist and be reachable before any client can find a DC and authenticate.
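The three steps above (create the domain, name it, organize it with OUs) as one worked PowerShell session. This is an added example, not code from the original article: it assumes Windows Server 2012 or later (older versions use dcpromo), a server that is not yet domain-joined, an elevated local Administrator session, and illustrative names (the DNS name abc.com, the NetBIOS name ABC, the OU names London, Research, Finance and IT).

```powershell
# Added example (not from the original article). Assumed names: abc.com / ABC and the OUs below.

# 1. Install the AD DS role (the "Active Directory" server role the text refers to).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Dry-run the promotion first: it reports DNS, naming and forest/domain mode problems
#    without changing anything.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Test-ADDSForestInstallation -DomainName 'abc.com' -DomainNetbiosName 'ABC' `
    -InstallDns -SafeModeAdministratorPassword $dsrm

# 3. Create the forest root domain. -InstallDns gives the DC the DNS role and the
#    _msdcs SRV records clients use to locate it, which is the DNS support the text mentions.
Install-ADDSForest -DomainName 'abc.com' -DomainNetbiosName 'ABC' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -NoRebootOnCompletion -Force
Restart-Computer -Force

# --- after the reboot, logged on as ABC\Administrator ---

# 4. Organize the domain with OUs (by location, then department), as the text describes.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName            # DC=abc,DC=com
New-ADOrganizationalUnit -Name 'London' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($dept in 'Research', 'Finance', 'IT') {
    New-ADOrganizationalUnit -Name $dept -Path "OU=London,$domainDN" -ProtectedFromAccidentalDeletion $true
}

# 5. Verify the structure, and verify that DNS can locate the DC: this is the SRV record
#    every Kerberos client queries before it can authenticate.
Get-ADOrganizationalUnit -Filter * -SearchBase "OU=London,$domainDN" | Select-Object DistinguishedName
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.abc.com' -Type SRV
```

The DSRM password set in step 2 is a local administrator password for the DC when booted into Directory Services Restore Mode; treat it like any other DC credential and do not reuse the domain Administrator password for it.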
Active Directory provides a directory database that centrally stores the logically organized network object information for the domain.
The Active Directory structure allows creation of a hierarchical arrangement for our network objects. The objects fall into two broad categories: resources (e.g. printers) and security principals (user or computer accounts and groups). Security principals are assigned unique Security IDentifiers (SIDs).
Each object represents a single entity and its attributes. An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by the Schema, which determines the types of objects that can be stored within Active Directory and which attributes each type may carry.
At the center of AD is the Data Store, the database held by every server running the AD service. The data store is a file called NTDS.DIT (by default %SystemRoot%\NTDS\ntds.dit). This file stores every network object and its attribute values, including the password hashes of all domain accounts; a copy of NTDS.DIT together with the SYSTEM registry hive (which holds the key the hashes are encrypted with) lets an attacker recover every credential in the domain, so access to a DC's disks, snapshots and backups must be restricted as tightly as access to the DC itself. The object types and their attributes are called the AD Schema. Any server that holds a copy of the Data Store is a Domain Controller (DC).
The NTDS.DIT database is divided into partitions (also known as naming contexts). A partition is the unit of replication: each partition is replicated to a particular set of DCs, which is how one database carries data with forest-wide, domain-wide and application-specific scope. Think of the AD partitions as a series of tables that make up the database and the AD Schema as the defined fields and their data types.
The NTDS.DIT partitions\naming contexts (Tables) are called:
- Domain partition – The Domain partition stores AD data about the user, group, computer, OU and GPO objects for the domain the DC server is acting as a server for. It is replicated only to the DCs of that domain.
- Configuration partition – The Configuration partition stores AD data about the structure of the forest (the domains that make up the forest), the sites in the forest, the subnets and site links, and the replication topology. It is replicated to every DC in the forest.
- Schema partition – The Schema partition stores AD data defining all possible object types and attributes allowed throughout the forest. It is replicated to every DC in the forest but is writable only on the DC holding the Schema Master role.
There can also be application partitions for applications\services that are AD aware, such as the DomainDnsZones and ForestDnsZones partitions that hold AD-integrated DNS zone data; an application partition replicates only to the DCs configured to host it.
The Global Catalog (GC) is not a separate partition in the file. A DC that is a global catalog server additionally holds a read-only partial replica (the partial attribute set) of every domain partition in the forest and serves it on LDAP port 3268 (3269 over TLS), so it acts as an index for the whole AD Forest and is needed for UPN logons and universal group lookups. The forest must contain at least one GC; at least one per site is the usual recommendation.
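The partitions and the global catalog described above can be inspected from any domain-joined machine. The following is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module and a session running as an ordinary domain user, and the commented-out distinguished names are illustrative (abc.com).

```powershell
# Added example (not from the original article). Lists a DC's naming contexts, finds the
# global catalogs, and runs one forest-wide GC query.
Import-Module ActiveDirectory

# RootDSE is a virtual entry every DC serves; it publishes the DC's naming contexts.
$root = Get-ADRootDSE
$wellKnown = @{
    Domain        = $root.defaultNamingContext         # e.g. DC=abc,DC=com
    Configuration = $root.configurationNamingContext   # e.g. CN=Configuration,DC=abc,DC=com
    Schema        = $root.schemaNamingContext          # e.g. CN=Schema,CN=Configuration,DC=abc,DC=com
}
$wellKnown.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Everything else in namingContexts is an application partition (ForestDnsZones and
# DomainDnsZones when AD-integrated DNS is in use).
$appPartitions = $root.namingContexts | Where-Object { $_ -notin $wellKnown.Values }
"Application partitions: $($appPartitions -join '; ')"

# The DIT file itself is local to each DC; its path is recorded in the NTDS service
# parameters (the key only exists when this script runs on a DC).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    "Data store: $((Get-ItemProperty $ntds).'DSA Database file')"   # e.g. C:\Windows\NTDS\ntds.dit
}

# Which DCs are GCs? The GC role is a per-DC flag; the forest needs at least one.
Get-ADDomainController -Filter * |
    Format-Table HostName, Site, IsGlobalCatalog, IsReadOnly -AutoSize

# A GC query (LDAP port 3268) spans every domain in the forest but returns only the
# partial attribute set; an empty SearchBase means "the whole catalog". Group the
# results by the DC= tail of the DN to see how many users each domain contributes.
$gc = Get-ADDomainController -Discover -Service GlobalCatalog
Get-ADObject -Server "$($gc.HostName):3268" -SearchBase '' `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user))' |
    Group-Object -Property { $_.DistinguishedName -replace '^.*?(?<!\\),(DC=.*)$', '$1' } |
    Select-Object Name, Count
```

The IsReadOnly column flags read-only domain controllers (RODCs); an RODC holds the same partitions but caches only the secrets it has been allowed to, which matters when you assess what an attacker gains from compromising one.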
Editing the Active Directory Database:
The NTDS.DIT AD database file cannot be edited directly. AD objects and their properties are normally edited over LDAP using user friendly GUI tools such as Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts or the Active Directory Administrative Center console, or with the ActiveDirectory PowerShell module.
However you can also use the console tool ADSIEdit.msc (started from the Run dialog or a command prompt) to edit any object in any partition attribute by attribute. ADSI Edit still works over LDAP against a DC rather than on the NTDS.DIT file, but it bypasses the validation the GUI consoles perform, so a mistyped value or a deleted system object is applied exactly as entered and replicated to every DC. Try such changes in a test forest first and take a system state backup before applying them in production.
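Two scripted ways to make the same kind of low-level attribute change that ADSI Edit makes, shown as an added example rather than anything from the original article. It assumes the RSAT ActiveDirectory module and an account with write access to the target object; the account name jsmith, the attribute chosen (employeeID, which the ADUC console does not expose) and its value are illustrative.

```powershell
# Added example (not from the original article). Assumed: user 'jsmith', attribute employeeID.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'jsmith' -Properties employeeID, whenChanged, uSNChanged

# (a) Through the AD cmdlets: -Replace/-Add/-Remove/-Clear operate on raw attribute names.
#     Run with -WhatIf first; low-level edits have none of the GUI's validation.
Set-ADObject -Identity $user.DistinguishedName -Replace @{ employeeID = '4711' } -WhatIf
Set-ADObject -Identity $user.DistinguishedName -Replace @{ employeeID = '4711' }

# (b) Through ADSI directly (the API ADSI Edit itself uses): Put stages the value,
#     SetInfo commits it to the DC over LDAP.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.Put('employeeID', '4711')
$entry.SetInfo()

# Either way the write is an LDAP modify on a DC, not a change to NTDS.DIT on disk.
# The DC stamps whenChanged and uSNChanged and replicates the change to its partners,
# so these two attributes are the quickest way to confirm a write actually landed.
$after = Get-ADUser -Identity 'jsmith' -Properties employeeID, whenChanged, uSNChanged
[pscustomobject]@{
    Value             = $after.employeeID
    WhenChangedBefore = $user.whenChanged
    WhenChangedAfter  = $after.whenChanged
    USNBefore         = $user.uSNChanged
    USNAfter          = $after.uSNChanged
}

# Undo: clear the attribute again (no -WhatIf this time, it was already tested above).
Set-ADObject -Identity $user.DistinguishedName -Clear employeeID
```

Both paths are audited the same way: with "Audit Directory Service Changes" enabled on the DCs, each write produces event 5136 in the Security log, which is what a detection team should monitor for edits to sensitive attributes rather than relying on which tool made the change.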
Active Directory Terms:
- Class – A schema definition of a type of object (user, computer, group, organizationalUnit, domainDNS) that lists which attributes an object of that type must and may carry.
- Distinguished Name (DN) – Uniquely identifies an object within the entire AD forest by giving its full path from the object up through its containers to the root of its domain, e.g. CN=John Smith,OU=Research,DC=abc,DC=com. The DN changes if the object is moved or renamed.
- Domain – Holds all network objects and information only about those objects it contains. A domain is an administrative and replication boundary, not a security boundary: the domains in a forest trust each other automatically and share the configuration and schema partitions, so an administrator of any one domain can affect the whole forest. The forest is the security boundary.
- Forest – The top of the hierarchy: one or more Windows domain trees with different namespaces (i.e. ABC.COM joined with XYZ.COM) that share a single schema, configuration partition and global catalog and are connected by two-way transitive trusts.
- Global Catalog – A central repository for key information about all objects in a forest.
- Globally Unique Identifier (GUID) – A 128-bit value (the objectGUID attribute) assigned to an object when it is created. It never changes, even when the object is renamed or moved, so it is the right key for scripts and audit records.
- Object – A distinct named set of attributes that represents a network resource (a user, a printer, a computer).
- Relative Distinguished Name (RDN) – The leftmost component of an object's DN (e.g. CN=John Smith). It has to be unique only among the objects in the same parent container, not across the whole domain.
- Tree – A hierarchical grouping, like a pyramid structure, of one or more Windows Domains that share a contiguous namespace, i.e. Research.ABC.COM as a child domain of ABC.COM.
- Site – A set of one or more IP subnets connected by fast, reliable links, normally one physical location. Sites control replication scheduling and which DC a client prefers to authenticate against.
- Schema – A formal definition of the contents and structure of an Active Directory Forest: the classes, the attributes each class may or must have, and the syntax of each attribute, i.e. class user, attribute givenName, value John.
- User Principal Name (UPN) – The user friendly logon name given to a user account, in the form username@UPN-suffix, which looks like an e-mail address. The suffix is usually the DNS name of the domain (ABC.COM in the examples above), but any UPN suffix registered in the forest can be used, and the UPN need not match the user's real e-mail address.
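The identifiers defined above (DN, RDN, GUID, SID, UPN) pulled off one user object and each used to look the object up again. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, and the account name jsmith and the commented DN values are illustrative.

```powershell
# Added example (not from the original article). Assumed: a user with sAMAccountName 'jsmith'.
Import-Module ActiveDirectory

$u = Get-ADUser -Identity 'jsmith' -Properties canonicalName, objectGUID, objectSid, userPrincipalName

$dn       = $u.DistinguishedName                            # e.g. CN=John Smith,OU=Research,DC=abc,DC=com
$rdn      = ($dn -split '(?<!\\),', 2)[0]                   # leftmost component, e.g. CN=John Smith
$domainDn = $dn -replace '^.*?(?<!\\),(DC=.*)$', '$1'       # the DC= tail, e.g. DC=abc,DC=com
# Both patterns skip commas escaped with a backslash, which are legal inside an RDN value.

[pscustomobject]@{
    DistinguishedName         = $dn
    RelativeDistinguishedName = $rdn
    DomainDN                  = $domainDn
    CanonicalName             = $u.canonicalName            # e.g. abc.com/Research/John Smith
    GUID                      = $u.objectGUID               # fixed for the object's lifetime
    SID                       = $u.objectSid.Value          # what ACLs and access tokens carry
    UPN                       = $u.userPrincipalName        # what the user types at logon
    sAMAccountName            = $u.sAMAccountName           # the pre-Windows 2000 logon name
}

# Each identifier resolves back to the same object.
$byDn   = Get-ADUser -Identity $dn
$byGuid = Get-ADUser -Identity $u.objectGUID
$bySid  = Get-ADUser -Identity $u.objectSid
$byUpn  = Get-ADUser -Filter "userPrincipalName -eq '$($u.userPrincipalName)'"
@($byDn, $byGuid, $bySid, $byUpn) | ForEach-Object { $_.DistinguishedName -eq $dn }   # True x4

# Moving the object changes its DN and renaming it changes its RDN; neither touches the
# GUID or the SID. Only a move to another domain assigns a new SID (the old one is kept in
# sIDHistory), which is why audit trails and scripts should key on objectGUID, not on the DN.
# Move-ADObject -Identity $u.objectGUID -TargetPath "OU=Finance,$domainDn"
```

Because ACLs store the SID rather than the name, an account that is deleted and re-created with the same name gets a new SID and loses every permission the old one had; conversely, a stale SID left in an ACL is exactly what sIDHistory injection abuses, so both are worth checking for when reviewing access.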