Some of the topics covered in this article have more recently been described in Kerberos Part 1 - Active Directory Components and Kerberos Part 2 - AD User Accounts and Service Principal Name.
Active Directory
At the very beginning, I'll attempt a brief (and incomplete) description of Active Directory. The term Active Directory (hereafter AD) is very broad and encompasses Microsoft's entire solution for managing a computer network (computers running Microsoft Windows) in a corporate environment. At its core, Active Directory is Microsoft's distributed directory service, shipped with Windows 2000 Server and Windows Server 2003.
Note: I wrote more about directory services in the article Directory Services and LDAP.
The directory stores information about objects and the relationships between them. A computer network contains a large number of objects, such as servers, workstations, applications, databases and users. Users must be able to find and use this information, and administrators must be able to control how these objects are used. The directory therefore needs to be centralized, but also sufficiently powerful and scalable.
AD includes a number of services. Its primary role is to provide central authentication and authorization services, i.e., user management (more precisely, account management, because an account can also belong to a computer, for instance). Other parts provide many additional functions; for example, Group Policy allows managing the policies of individual computers (what is allowed on them) and installing applications in bulk (and remotely).
AD is strongly linked with DNS; some parts are built on DNS and do not function without it (domain controllers and services are located through SRV records). AD uses the same hierarchical naming structure as DNS.
Note: I wrote about DNS, including its relation to AD, in the article DNS (Domain Name System) focused on Microsoft.
Note: For AD management, there is a package of tools that you can install from the Windows Server installation CD using the file adminpack.msi. If you want to expand the user information shown by the Active Directory Users and Computers (ADUC) tool, install the Windows Server 2003 Resource Kit and then run regsvr32 acctinfo.dll.
AD Objects and Schema
Data stored in AD (information about users, groups, etc.) are organized as objects. An object is a named group of attributes that represent a network resource. Some objects can contain other objects; these are containers.
The Active Directory schema defines the objects that can be stored in AD. The schema is a list of definitions that determine the types of objects and the types of information they can hold. The schema contains two kinds of objects: schema classes (which define the possible object types, each as a set of attributes) and schema attributes (which define each individual attribute that an object can carry). Together, these schema objects are called metadata.
Note: For schema management, the Active Directory Schema tool is used. It is not among the standard Administrative Tools; you need to register the library with regsvr32 schmmgmt.dll and then add the snap-in in an mmc console (best to save the console afterwards).

AD Components
Components are used to build the directory structure so that it corresponds to the structure of the organization and meets its needs. Some components represent the logical structure and others the physical structure. These components also help meet the requirements mentioned above (such as scalability).
The logical structure of Active Directory (the organization of resources) is formed using forests, trees, domains and OUs. At the top of the structure is the forest. It contains one or more trees. A tree is formed by one or more domains. Inside domains we have individual organizational units (OUs), and inside OUs the individual objects (computers, users, printers, etc.).
Note: Logical grouping of resources allows these objects to be found by name instead of requiring knowledge of their physical location.

The physical structure of Active Directory is created using domain controllers and sites. A site corresponds to one or more IP subnets; usually a site equals one LAN. The second physical component is the domain controller (DC), a specific server that holds part (or all) of AD.
Domain
A domain is the basic element of the logical structure of AD. Objects (there can be millions of them) that belong to a domain are stored in that domain's partition. AD is formed by one or more domains. A domain is not limited to a physical location and can span all branches. A domain is an administrative and policy boundary: access to domain objects is controlled by ACLs with assigned permissions, and domain-wide settings (such as the password policy) apply only within it. It is not, however, a security boundary in the sense of isolation; that boundary is the forest (see Forest below), because forest-level administrators such as Enterprise Admins have authority in every domain of the forest.

Organizational Unit OU
An OU (Organizational Unit) is a container used within a domain to group and organize objects into logical administrative groups. The OU is the smallest unit to which administrative rights can be delegated. OUs can be nested inside each other to form any hierarchical structure. The OU hierarchy is local to the domain and does not affect other domains. OUs are usually created to reflect the structure of the organization (i.e., by divisions and departments). As needed, user and computer accounts can be placed in the same OUs or in a separate structure.

Note: For OU management, the Active Directory Users and Computers tool is used.
Tree
A tree is a grouping or hierarchical organization of one or more domains. It is created by adding a subordinate domain (child domain) to a parent domain; the first domain of the tree is called the tree root domain. Domains in a tree share a contiguous namespace, a common schema, and a hierarchical arrangement of domain names. DNS naming is used, so the DNS name of a child domain is its relative name followed by a dot and the parent domain's name (for example, a child named sales under example.com becomes sales.example.com; the names are illustrative).

Forest
A forest is a grouping of one or more separate, independent trees. All domains in the forest share the same schema and global catalog and are connected by implicit two-way transitive trust relationships. Each tree in the forest has its own DNS namespace. Domains in the forest operate independently, but the forest enables communication and authorization across the entire organization. The forest root domain is important because it holds the two forest-wide operations master roles by default and contains the forest-wide administrative groups (Enterprise Admins, Schema Admins).
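The tree and forest relationships described above can be mapped from any domain-joined machine. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory module (RSAT for Windows Server 2012 or later, which is newer than the Server 2003 tooling this article uses) and read access to the forest. It derives tree membership from the DNS naming rule given in the Tree section and lists trusts, separating the implicit intra-forest trusts from those that cross the forest boundary.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT, Windows Server 2012 or later) and a domain-joined session with
# read access to the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains | ForEach-Object { $_.ToString().ToLower() })

Write-Host "Forest root domain: $($forest.RootDomain)"

# Tree membership follows from the contiguous-namespace rule: a child domain's
# DNS name is its relative name plus the parent's name. If the name left after
# stripping the first label is not itself a domain of this forest, the domain
# starts a new tree (its own namespace).
$domains | ForEach-Object {
    $parent     = ($_ -split '\.', 2)[1]
    $isTreeRoot = -not ($domains -contains $parent)
    [pscustomobject]@{
        Domain   = $_
        TreeRoot = $isTreeRoot
        Parent   = $(if ($isTreeRoot) { '(separate namespace)' } else { $parent })
    }
} | Format-Table -AutoSize

# Trusts: domains inside the forest are linked by implicit two-way transitive
# trusts (IntraForest = True). Trusts with IntraForest = False cross the forest
# boundary, which is the real security boundary, so review their direction,
# transitivity and whether SID filtering is active. Get-ADTrust reads the
# trust objects of the domain this session is joined to; run it against each
# domain (-Server <domain>) to cover the whole forest.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize
```

The first table answers the question "which domains form a tree" purely from names, which is exactly how AD itself decides it; the second table is the list a reviewer wants before trusting any claim that two environments are "separate".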
Site
A site is a combination of one or more IP subnets connected by reliable and fast links. A site contains domain controllers. If we have multiple local networks (locations, branches) connected over a WAN, a site is usually created for each LAN. Sites do not appear anywhere in the logical structure of AD; a site's definition involves only DCs (server objects), subnets and the links between sites. Sites matter mainly for replication (intra-site replication is frequent and uncompressed, inter-site replication is scheduled) and for directing clients to a nearby DC.
Note: For site management, the Active Directory Sites and Services tool is used.
Domain Controller DC
A domain controller (often abbreviated DC) is a server running Windows Server 2003 (or 2000) that holds a replica of the domain's directory partition (the local domain database). A domain can have multiple domain controllers, each holding a complete replica of that domain's directory. A given DC belongs to exactly one domain. Domain controllers also authenticate users and computers.
If we have multiple DCs and make a change in AD, we make it on one of them. Replication then propagates the change (on a schedule, or immediately for important data such as password changes and account lockouts) so that the other DCs reach the same state. Ordinary replication is multimaster: all DCs are equal and hold a writable copy of the directory. Some values cannot be handled this way, so a single-master model is used for them, in which one DC owns the value and changes are made only there. These roles are called Operations master roles (also FSMO roles, flexible single master operations). When the same attribute is changed in several places, the conflict is resolved using the attribute's version number (and the timestamp if the versions are equal).
Two roles are unique for the entire forest and are therefore called forest-wide roles. The Schema Master maintains and manages the entire AD schema. The Domain Naming Master controls adding domains to, and removing them from, the forest.
Three other roles are unique within a domain, hence domain-wide roles. The Relative Identifier (RID) Master hands out blocks of RIDs to the domain's controllers; a RID combined with the domain SID forms the SID (security identifier), the unique identifier of each security principal (user, group, computer). The Primary Domain Controller (PDC) Emulator emulates a Windows NT 4.0 PDC for old clients; it also receives urgent replication of password changes and is the authoritative time source for the domain. The Infrastructure Master updates references to objects in other domains (for example, members of a local group that live in another domain) by comparing them with the global catalog; this is why it should not itself be a GC unless every DC in the domain is a GC.
The Domain Naming Master role is transferred using Active Directory Domains and Trusts, and the Schema Master role using Active Directory Schema: in either console, right-click the root node to connect to the DC that should receive the role, then choose Operations Master. The RID Master, PDC Emulator and Infrastructure Master roles are transferred using Active Directory Users and Computers: connect to the target DC, right-click the domain and choose Operations Master.
To find out which DC holds which role, use the graphical tools above or the command line: dsquery server -hasfsmo schema (or name, infr, pdc, rid). On Windows Server 2003 with the Support Tools installed, netdom query fsmo lists all five holders at once.

Global Catalog GC
The Global Catalog (GC) does not define either the logical or the physical structure of AD, but it plays a very important role, so it is described here as well.
If we are looking for an object in AD and that object is in our own domain, we ask a DC. If we are looking for an object from another domain (within the same forest), we need a service that can help. In AD, this service is the Global Catalog: a central repository that contains a partial, read-only copy (a selected subset of attributes) of every object in the entire forest.
A DC that holds a copy of the global catalog is called a Global Catalog Server (in other words, a GC can only run on a DC). We can have multiple global catalog servers, and multimaster replication takes place between them. GCs are often placed in different sites, but we must keep in mind the replication traffic this causes (which can be significant).
The GC thus makes it possible to find information in the directory regardless of which domain in the forest holds it. Its second function is to provide universal group membership, which is needed during the logon process to build the user's access token.
Note: To enable the global catalog on a DC, use the Active Directory Sites and Services tool, navigate through the corresponding site to the desired DC, right-click NTDS Settings, select Properties and tick Global Catalog.

If no global catalog is reachable during logon, the DC cannot determine the user's universal group membership and rejects the domain logon; the user can only log on with cached credentials, effectively locally to the computer. One way to avoid this problem without running a GC in the site is to enable universal group membership caching (UGMC) for the site. The DC then stores the information locally: on the user's first logon it queries a global catalog and stores the returned values in its cache, which it keeps and refreshes periodically; later logons use the cached values.
Note: UGMC is enabled using Active Directory Sites and Services: select the desired site, right-click NTDS Site Settings, select Properties and tick the caching option.
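Both of the GUI settings above (the Global Catalog checkbox on a DC's NTDS Settings and the UGMC checkbox on a site's NTDS Site Settings) are bits in the options attribute of the respective object in the Configuration partition. The PowerShell below is an added example, not code from the original article; it assumes the ActiveDirectory module and an account allowed to read (and, for the Set function, modify) the Configuration partition. The bit values (0x01 for GC on nTDSDSA, 0x20 for UGMC on nTDSSiteSettings) are the documented flags; the site name 'Branch-Office' is a placeholder.

```powershell
# Added example, not from the original article. Reads the GC flag of every DC
# and the UGMC flag of every site directly from the "options" bitmask, and can
# toggle UGMC for a site. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$GC_FLAG   = 0x01   # nTDSDSA.options: this DC hosts the global catalog
$UGMC_FLAG = 0x20   # nTDSSiteSettings.options: universal group caching enabled

function Get-GcState {
    # One row per DC in the forest: host name and whether it is a GC.
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' -Properties options |
        ForEach-Object {
            # The NTDS Settings object sits directly under the server object.
            $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
            $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
            [pscustomobject]@{
                DC = $server.dNSHostName
                GC = ([int]$_.options -band $GC_FLAG) -ne 0
            }
        }
}

function Get-UgmcState {
    # One row per site: UGMC flag and the site a cache is refreshed from (if set).
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                 -Properties options, 'msDS-Preferred-GC-Site' |
        ForEach-Object {
            [pscustomobject]@{
                Site        = (($_.DistinguishedName -split ',')[1] -replace '^CN=')
                UGMC        = ([int]$_.options -band $UGMC_FLAG) -ne 0
                RefreshFrom = $_.'msDS-Preferred-GC-Site'
            }
        }
}

function Set-UgmcState {
    # Equivalent of the checkbox on NTDS Site Settings > Properties.
    param(
        [Parameter(Mandatory)][string]$Site,
        [bool]$Enabled = $true
    )
    $dn  = "CN=NTDS Site Settings,CN=$Site,CN=Sites,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties options
    $cur = [int]$obj.options          # $null becomes 0 when the attribute is unset
    $new = if ($Enabled) { $cur -bor $UGMC_FLAG } else { $cur -band (-bnot $UGMC_FLAG) }
    Set-ADObject -Identity $dn -Replace @{ options = $new }
}

Get-GcState   | Format-Table -AutoSize
Get-UgmcState | Format-Table -AutoSize
# Enable caching for a (placeholder) branch site that has no GC of its own:
# Set-UgmcState -Site 'Branch-Office' -Enabled $true
```

Reading the flag is also a quick way to verify, after a GC promotion, that the change has actually replicated to the Configuration partition on the DC you are querying, rather than trusting the checkbox in the console you clicked it in.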
Deployment in Practice
In this section, I will give a few tips and recommendations on practical AD deployment.
Division of Domains, Trees, and Forests
For many organizations, one domain is sufficient. When the first DC is installed, a tree and a forest are created along with it. More domains may be needed, for example, if a different password policy is required, because on Windows Server 2003 the password policy applies to the entire domain.
A more common reason for dividing the structure is the division of administrative permissions. User and computer management can be delegated at the OU level, but for a number of higher-level tasks, separate domains may be used.
Note: DC installation is done with a wizard invoked by the dcpromo command. Any Windows Server 2003 machine can be promoted to a domain controller. In the wizard, we specify whether we are creating a new domain or adding a DC to an existing one, and which forest it belongs to.
Note: If we install the first DC, its domain automatically becomes the forest root domain and it acquires all five operations master roles.
We use more trees if we need to operate different (separate) namespaces. This can happen, for example, when acquiring another company, where we need to share permissions but want to keep the existing names.
We need more forests only in special cases: when we need absolute separation in terms of permissions and autonomy (isolation). For example, a production environment and a test environment that must have no relationship at all. Because Enterprise Admins have access everywhere within the forest, complete separation of permissions can only be achieved with separate forests. In other words, we use more forests if we need isolation or full autonomy of a unit within the company, if we are merging distant companies, if we need separate schemas and global catalogs, or if we want to manage trust relationships manually.
Division of Sites
Division into sites is common and useful. If we have more than one location or branch, it is usually advantageous to operate each as a separate site.
Placement of the Global Catalog
There are two fundamental questions regarding the placement of the global catalog. The first concerns branches. Generally, it is good to have a GC in each branch because it speeds up logon and avoids sending data across the WAN every time. Also, in the event of a WAN link failure, the GC ensures that users can still log on. On the other hand, replication transfers a larger volume of data, much of which is unnecessary for the branch. Therefore, for small branches with slow links, universal group membership caching is the more appropriate choice.
If the forest has only one domain, it is recommended to make all DCs GCs as well, because the GC then contains the same data as the DC. The other recommendation is that, if not all DCs are GCs, the Infrastructure Master role should be placed on a DC that is not a GC; an Infrastructure Master that is also a GC never sees stale cross-domain references and therefore stops updating them.
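The following PowerShell is an added example, not code from the original article. It is the scripted counterpart of the dsquery server -hasfsmo lookup from the Domain Controller section and of the placement rule just given: it lists all five operations master holders and then checks, per domain, whether the Infrastructure Master sits on a GC while some DCs in that domain are not GCs. It assumes the ActiveDirectory module and read access to every domain in the forest.

```powershell
# Added example, not from the original article. Enumerates FSMO holders and
# checks the Infrastructure Master / GC placement rule. Requires the
# ActiveDirectory module and read access to all domains of the forest.
Import-Module ActiveDirectory

function Get-FsmoReport {
    # Two forest-wide roles come from the forest object, three domain-wide
    # roles from each domain object.
    $forest = Get-ADForest
    $roles = @(
        [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';       Domain = $forest.RootDomain; Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Domain = $forest.RootDomain; Holder = $forest.DomainNamingMaster }
    )
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $roles += [pscustomobject]@{ Scope = 'Domain'; Role = 'PDCEmulator';          Domain = $name; Holder = $d.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Role = 'RIDMaster';            Domain = $name; Holder = $d.RIDMaster }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Role = 'InfrastructureMaster'; Domain = $name; Holder = $d.InfrastructureMaster }
    }
    $roles
}

function Test-InfrastructureMasterPlacement {
    # One row per domain. OK is true when the IM is not a GC, or when every
    # DC in the domain is a GC (then there are no stale references to fix).
    foreach ($name in (Get-ADForest).Domains) {
        $dcs    = @(Get-ADDomainController -Filter * -Server $name)
        $im     = (Get-ADDomain -Identity $name).InfrastructureMaster
        $imIsGc = [bool](($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog)
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        [pscustomobject]@{
            Domain  = $name
            IM      = $im
            ImIsGC  = $imIsGc
            AllDcGC = $allGc
            OK      = (-not $imIsGc) -or $allGc
        }
    }
}

Get-FsmoReport                     | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

Running this after any role transfer or DC promotion catches the two mistakes that the console does not warn about: a role left on a DC that is about to be decommissioned, and an Infrastructure Master quietly turned into a GC.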
Finally, one link to Microsoft's materials: Domains and Forests Technical Reference. This topic is, of course, described in many places, but a good article is not easy to find.
For this topic, an interesting program from Microsoft may also be useful: Microsoft Active Directory Topology Diagrammer (www.microsoft.com/downloads/details.aspx?FamilyID=CB42FC06-50C7-47ED-A65C-862661742764). It generates Visio diagrams of AD (domains, sites, OUs, trusts) and of the Exchange topology.
Hi, could I ask for some advice?
My problem is that AD manages DNS and I need to change these records from Linux. On Linux I have two servers, one production and one backup. In DNS I have a record that always points to one of the machines, and I need to change this directly from Linux.
Thanks, and have a nice day.
Reply to [2] Ondra: I'm not sure I fully understand, but if Dynamic updates on the DNS server are set to Nonsecure and secure, then Linux can create (change) its own record using the standard DNS protocol.
Otherwise, some kind of remote invocation of dnscmd could be used. And maybe SNMP could work as well (I don't know).
Hi, I got a bit lost in all of this. What is the difference between a domain and a tree, do they have some functions? Thanks
domain - a single domain with lots of users, computers and other objects in it; tree - several domains in a relationship (e.g., subordination, like the top of a tree with branches below it), each with lots of computers; their function is that they hold those objects (GPO, management of users and workstations, remote installation, etc.) :-) but all of that is well described in the article
Thanks for a quality article. Well and quite understandably explained. Thanks :-)
Nicely and thoroughly described. Thanks for the article. :-)
Hello, I have a question.
When I need to rename a global group in AD that is already populated with members, what happens to the members who have that group assigned? (Do they lose it?)
Thank you
Thanks for the OS homework ;-)