Principles of building Active Directory domains. Introduction to the basic concepts of Active Directory
Any novice user, faced with the abbreviation AD, wonders what is Active Directory? Active Directory is a directory service developed by Microsoft for domain Windows networks. Included in most operating systems Windows Server, as a set of processes and services. Initially, the service dealt only with domains. However, since Windows Server 2008, AD has become the name for a wide variety of directory-based identity services. This makes Active Directory for beginners more optimal for learning.
Basic Definition
The server that runs Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in a Windows network domain, assigning and applying a security policy to all PCs, and installing or updating software. For example, when a user logs on to a Windows domain-joined computer, Active Directory verifies the provided password and determines whether the object is a system administrator or regular user. It also allows you to manage and store information, provides authentication and authorization mechanisms, and provides a framework for deploying other related services: certificate services, federated and lightweight directory services, and rights management.
Active Directory uses LDAP version 2 and 3, Microsoft's version of Kerberos, and DNS.
Active Directory - what is it? In simple words about complex
Tracking network data is a time-consuming task. Even in small networks users tend to have difficulty finding network files and printers. Without some kind of directory, medium to large networks cannot be managed and often have difficulty finding resources.
Previous Microsoft versions Windows included services to help users and administrators find data. Network Neighborhood is useful in many environments, but the obvious disadvantage is the inconvenient interface and its unpredictability. WINS Manager and Server Manager can be used to view a list of systems, but were not available to end users. Administrators used the User Manager to add and remove data of a completely different type of network object. These applications proved to be ineffective for large networks and begged the question, why in the company Active Directory?
catalogue, in general sense, represents full list objects. Phone book is a type of directory that stores information about people, businesses, and government organizations, andthey usually contain names, addresses, and telephone numbers. wondering Active Directory - what is it, in simple words we can say that this technology is similar to the reference book, but is much more flexible. AD stores information about organizations, sites, systems, users, common resources and any other network object.
Introduction to the basic concepts of Active Directory
Why does an organization need Active Directory? As mentioned in the introduction to Active Directory, the service stores information about network components. The "Active Directory for Beginners" guide says that this is allows clients to find objects in their namespace. This t term (also called console tree) refers to the area in which a network component can be located. For example, the table of contents of a book creates a namespace in which chapters can be mapped to page numbers.
DNS is a console tree that resolves hostnames to IP addresses, such asphonebooks provide a namespace for name resolution for phone numbers. And how does this happen in Active Directory? AD provides a console tree for resolving the names of network objects to the objects themselves andcan resolve a wide variety of objects, including users, systems, and services on the network.
Objects and Attributes
Anything that Active Directory keeps track of is considered an object. You can say in simple words that this in Active Directory is any user, system, resource, or service. The common terms object is used because AD is able to keep track of many elements, and many objects can share common attributes. What does it mean?
Attributes describe objects in Active Directory, for example, all user objects share attributes to store the user's name. This also applies to their descriptions. Systems are also objects, but they have a separate set of attributes that includes hostname, IP address, and location.
The set of attributes available for any particular object type is called a schema. It makes object classes distinct from each other. Schema information is actually stored in Active Directory. That this behavior of the security protocol is very important is the fact that the schema allows administrators to add attributes to object classes and distribute them over the network to all corners of the domain without restarting any domain controllers.
LDAP container and name
A container is a special type of object that is used to organize the operation of a service. It does not represent a physical entity like a user or a system. Instead, it is used to group other elements. Container objects can be nested within other containers.
Every element in AD has a name. These are not the ones you are used to, for example, Ivan or Olga. These are LDAP distinguished names. LDAP distinguished names are tricky, but they allow you to uniquely identify any object within a directory, regardless of its type.
Term tree and website
A term tree is used to describe a set of objects in Active Directory. What is this? In simple terms, this can be explained using a tree association. When containers and objects are combined hierarchically, they tend to form branches - hence the name. A related term is a contiguous subtree, which refers to the unbroken main trunk of a tree.
Continuing the metaphor, the term "forest" describes a collection that is not part of the same namespace, but has general scheme, configuration, and global catalog. Objects in these structures are available to all users if security allows. Organizations that are divided into multiple domains should group trees into a single forest.
The site is geographic location, defined in Active Directory. Sites correspond to logical IP subnets and as such can be used by applications to find the nearest server on the network. Using site information from Active Directory can significantly reduce WAN traffic.
Active Directory Management
Active Directory snap-in component - Users. This is the most convenient tool for administering Active Directory. It is directly accessible from the Administrative Tools program group in the Start menu. It replaces and enhances the Server Manager and User Manager from Windows NT 4.0.
Safety
Active Directory is playing important role in the future of Windows networking. Administrators must be able to protect their directory from intruders and users while delegating tasks to other administrators. All of this is possible using the Active Directory security model, which associates an access control list (ACL) with every container and object attribute in the directory.
A high level of control allows the administrator to provide individual users and groups different levels of permissions for objects and their properties. They can even add attributes to objects and hide those attributes from certain user groups. For example, you can set an ACL so that only managers can view other users' home phones.
Delegated Administration
A concept new to Windows 2000 Server is delegated administration. This allows you to assign tasks to other users without granting additional access rights. Delegated administration can be assigned through specific objects or contiguous directory subtrees. It's much more effective method granting authority over networks.
IN destination for someone with all global domain administrator rights, the user can only be granted permissions within a specific subtree. Active Directory supports inheritance, so any new objects inherit their container's ACLs. 
The term "trust"
The term " trusting relationship' are still used, but have different functionality. There is no distinction between unilateral and bilateral trusts. After all, all Active Directory trusts are bidirectional. Moreover, they are all transitive. So, if domain A trusts domain B, and B trusts C, then there is an automatic implicit trust relationship between domain A and domain C.
Audit in Active Directory - what is it in simple words? This is a security feature that allows you to determine who is trying to access objects, as well as how successful this attempt is.
Using DNS (Domain Name System)
The system, otherwise known as DNS, is essential for any organization connected to the Internet. DNS provides name resolution between common names such as mspress.microsoft.com and the raw IP addresses that components use network layer for communication.
Active Directory makes extensive use of DNS technology for object lookup. This is a significant change from previous operating Windows systems, which require NetBIOS names to be resolved by IP addresses, and rely on WINS or other NetBIOS name resolution techniques.
Active Directory works best when used with DNS servers running Windows 2000. Microsoft has made it easy for administrators to migrate to Windows 2000 DNS servers by providing migration wizards that guide the administrator through the process.
Other DNS servers may be used. However, in this case, administrators will have to spend more time managing DNS databases. What are the nuances? If you choose not to use Windows 2000 DNS servers, you must ensure that your DNS servers comply with the new DNS Dynamic Update Protocol. Servers rely on dynamically updating their records to find domain controllers. It is not comfortable. After all, eIf dynamic updating is not supported, databases must be updated manually. 
Windows domains and internet domains are now fully compatible. For example, a name such as mspress.microsoft.com will identify the Active Directory domain controllers responsible for the domain, so any client with DNS access can find the domain controller.Clients can use DNS resolution to look up any number of services because Active Directory servers publish a list of addresses to DNS using the new dynamic update features. This data is defined as a domain and published through service resource records. SRV RR follow the format service.protocol.domain.
Active Directory servers provide an LDAP service to host an object, and LDAP uses TCP as the underlying transport layer protocol. Therefore, a client that looks up an Active Directory server in the mspress.microsoft.com domain will look up a DNS entry for ldap.tcp.mspress.microsoft.com.
Global Directory
Active Directory provides a global catalog (GC) andprovides a single source to search for any object in the organization's network.
The global catalog is a service in Windows 2000 Server that allows users to find any object that has been granted access. This functionality is far superior to the Find Computer application included with previous versions Windows. After all, users can search for any object in Active Directory: servers, printers, users, and applications.
Basic concepts of Active Directory
Service Active Directory
Extensible and scalable directory service Active Directory (Active Directory) allows you to effectively manage network resources.
Active Directory is a hierarchically organized repository of data about network objects, providing a convenient means for finding and using this data. Computer running Active Directory, called domain controller . WITH Active Directoryalmost all administrative tasks are involved.
Active Directory technology is based on standard Internet protocols and helps to clearly define the structure of the network.
Active Directory and DNS
IN Active Directorythe domain name system is used.
DomainName System , (DNS) is a standard Internet service that organizes groups of computers into domains.DNS domains have a hierarchical structure that forms the basis of the Internet. The different levels of this hierarchy identify computers, organizational domains, and top-level domains. DNS also serves to resolve hostnames, for example z eta.webwork.com to numerical IP addresses, such as 192.168.19.2. By means of DNS, the Active Directory domain hierarchy can be inscribed in the Internet space or left independent and isolated from external access.
To access resources in domain applies full name host, such as zeta.webatwork.com. Herezetais the name of the individual computer, webwork is the domain of the organization, and com is the top-level domain. Top-level domains form the foundation of the DNS hierarchy and are therefore called root domains (root domains ). They are organized geographically, with names based on two-letter country codes (enfor Russia), by type of organization (cell for commercial organizations) and by appointment ( mil for military organizations).
Regular domains like microsoft.com, called parental (parent domain ) because they form the basis of the organizational structure. Parent domains can be divided into subdomains of different departments or remote affiliates. For example, complete computer name V Microsoft office Seattle might have jacob.seattle.microsoft.com , Where jacob- computer name, seAltle - subdomain and microsoft.com is the parent domain. Another subdomain name - child domain (child domain).
Components Active Directory
Active Directory unifies the physical and logical structure for network components. Active Directory logical structures help organize directory objects and manage network accounts and shares. The logical structure includes the following elements:
organizational unit (organizational unit) - a subgroup of computers, usually reflecting the structure of the company;
domain ( domain ) - a group of computers sharing a common catalog database;
domain tree (domain tree) - one or more domains sharing a contiguous namespace;
domain forest - one or more trees that share directory information.
The physical elements help plan the actual network structure. Based on physical structures, network links and physical boundaries of network resources are formed. The physical structure includes the following elements:
subnet ( subnet) - scoped network group IP addresses and netmask;
website ( site) one or more subnets. The site is used to set up directory access and replication.
Organizational units
Organizational units (OUs) are subgroups within domains that often reflect the functional structure of an organization. PUs are a kind of logical containers that host accounts, shares, and other PUs. For example, you can create in the domain microsoftt. com divisions resources, IT, Marketing. This schema can then be expanded to include child departments.
It is allowed to place objects in the OP only from the parent domain. For example, ROs from the Seattle.microsoft.com domain only contain objects from that domain. Add objects frommy. microsoft.com can't. OP is very convenient in the formation of a functional or business structures organizations. But this is not the only reason for their use.
OPs allow group policy to be defined for a small set of resources in a domain without applying it to the entire domain. OP creates compact and more manageable representations of directory objects in a domain, which helps manage resources more efficiently.
OPs allow you to delegate authority and control administrative access to domain resources, which helps to set limits on the authority of administrators in a domain. Can be given to user A administrative powers only for one OU and at the same time give user B administrative authority for all OUs in the domain.
Domains
Domain Active Directory is a group of computers that share a common directory database. Active Directory domain names must be unique. For example, there cannot be two domains microsoft.com, but there can be a parent domain microsoft.com with child domains seattle.microsoft.com and my.microsoft.com. If the domain is part of a closed network, the name given to the new domain must not conflict with any of the existing domain names on that network. If the domain is part of the global Internet, then its name should not conflict with any of the existing domain names on the Internet. To ensure that names are unique on the Internet, the parent domain name must be registered through any authorized registrar.
Each domain has its own security policies and trust relationships with other domains. Often, domains are distributed over multiple physical locations, that is, they consist of multiple sites, and sites span multiple subnets. The domain directory database stores objects that define accounts for users, groups, and computers, as well as shared resources such as printers and folders.
Domain functions are limited and regulated by the mode of its operation. There are four functional modes of domains:
mixed mode Windows 2000 (mixed mode) - supports domain controllers running Windows NT 4.0, Wi ndows 2000 and Windows server 2003;
Windows 2000 native mode ( native mode ) - supports domain controllers running Windows 2000 and Windows server 2003;
intermediate mode Windows server 2003 ( interim mode) - supports domain controllers running Windows NT 4.0 and Windows server 2003;
mode Windows Server 2003 - Supports domain controllers running Windows Server 2003.
Forests and trees
Each domain Active Directory has DNS-type name microsoft.com. Domains that share directory data form a forest. Forest domain names in the DNS name hierarchy are non-contiguous(discontinuous) or related(continuous).
Domains that have a contiguous name structure are called a domain tree. If forest domains have non-contiguous DNS names, they form separate domain trees in the forest. You can include one or more trees in a forest. The console is intended for access to domain structures.Active Directory- domains and trust (ActiveDirectory Domainsand trusts).
The functions of forests are limited and regulated by the functional regime of the forest. There are three such modes:
Windows 2000 - Supports domain controllers running Windows NT 4.0, Windows 2000 and Windows server 2003;
intermediate ( interim) Windows server 2003 - supports domain controllers running Windows NT 4.0 and Windows Server 2003;
Windows Server 2003 - Supports domain controllers running Windows Server 2003.
The most up-to-date Active Directory features are available in Windows mode Server 2003. If all domains in the forest are in this mode, you can enjoy improved global catalog replication and more efficient Active Directory data replication. You can also disable schema classes and attributes, use dynamic helper classes, rename domains, and create one-way, two-way, and transitive trusts in the forest.
Sites and Subnets
Website is a group of computers on one or more IP subnets used to plan the physical structure of a network. Site planning occurs independently of the logical structure of the domain. Active Directory allows you to create multiple sites within a single domain, or a single site spanning multiple domains.
Unlike sites that can span multiple IP address areas, subnets have a set IP address area and netmask. Subnet names are specified in the format net/bitmask, for example 192.168.19.0/24 where network address 192.168.19.0 and netmask 255.255.255.0 are combined into the subnet name 192.168.19.0/24.
Computers are assigned to sites based on their location on a subnet or set of subnets. If computers on subnets are able to communicate at sufficiently high speeds, they are called well connected (well connected).
Ideally, sites consist of well-connected subnets and computers. If the traffic between subnets and computers is low, you may need to create multiple sites. Good communication gives sites some advantages.
When a client joins a domain, the authentication process first looks up the local domain controller in the client's site, i.e. local controllers are queried first if possible, which limits network traffic and speeds up authentication.
Directory information is replicated more frequently inside sites than between sites. This reduces network traffic caused by replication and ensures that local domain controllers receive updated information quickly.
You can customize the order in which directory data is replicated using site links (site links). For example, define bridgehead server (bridgehead ) for replication between sites.
The bulk of the cross-site replication load will fall on this dedicated server, and not on any available site server. Sites and subnets are configured in the console Active Directory- sites and services(Active Directory Sites and Services).
Working with domains Active Directory
Online Windows server 2003 service ActiveDirectoryconfigured at the same timeDNS. However, Active Directory domains and DNS domains have different purposes. Active Directory domains help manage accounts, resources, and security.
The DNS domain hierarchy is primarily for name resolution.
Computers running Windows XP Professional and Windows 2000 can take full advantage of Active Directory. They operate as Active Directory clients on the network and have access to transitive trusts that exist in a domain tree or forest. These relationships allow authorized users to access resources in any domain in the forest.
System Windows Server 2003 functions as a domain controller or as a member server. Member servers become controllers after Active Directory is installed; controllers are demoted to member servers after Active Directory is removed.
Both processes are performed Active Directory Installation Wizard. A domain can have multiple controllers. They replicate directory data among themselves using a multi-master replication model that allows each controller to process directory changes and then propagate them to other controllers. Due to the multi-master structure, all controllers have equal responsibility by default. However, you can give some domain controllers priority over others in certain tasks, such as creating a bridgehead server that has priority when replicating directory data to other sites.
In addition, some tasks are best performed on a dedicated server. A server that handles a specific type of task is called master of operations (operations master ).
All Windows 2000, Windows XP Professional, and Windows Server 2003 computers that are joined to a domain have accounts created and stored, like other resources, as Active Directory objects. Computer accounts are used to control access to the network and its resources. Before a computer gains access to a domain using its account, it must go through an authentication procedure.
Directory structure
Directory data is provided to users and computers through data store (data stores) and global directories (globalcatalogs). Although most of the featuresActiveDirectoryaffect the data warehouse, global catalogs (GCs) are just as important because they are used for logging in and searching for information. If the GC is not available, normal users will not be able to log on to the domain. The only way to get around this condition is to cache memberships locally. universal groups.
Access and distribution of Active Directory data are provided by means directory access protocols (directory accessprotocols) And replication (replication).
Replication is needed to distribute updated data to controllers. The main update distribution method is multi-master replication, but some changes are handled only by specialized controllers - operations masters (operations masters ).
The way multimaster replication is performed in Windows Server 2003 has also changed with the introduction of directory sections applications (applicationdirectorypartitions). Through them, system administrators can create replication partitions in the domain forest, which are logical structures used to manage replication within the domain forest. For example, you can create a partition that will handle the replication of DNS information within a domain. Other systems in the domain are not allowed to replicate DNS information.
Application directory partitions can be a child of a domain, a child of another application partition, or a new tree in the domain forest. Partition replicas can be hosted on any Active Directory domain controller, including global catalogs. Although application catalog partitions are useful in large domains and forests, they increase planning, administration, and maintenance overhead.
Data store
The store contains information about the most important objects of the Active Directory directory service - accounts, shares, user interfaces, and group policies. Sometimes the data warehouse is simply called catalog (directory ). On the domain controller, the directory is stored in the NTDS.DIT file, the location of which is determined during the installation of Active Directory (it must be an NTFS drive). Some directory data can also be stored separately from the main storage, such as group policies, scripts, and other information recorded in the SYSVOL system share.
Provide directory information to sharing called publication (publish). For example, when a printer is opened for use on the network, it is published; shared folder information is published, and so on. Domain controllers replicate most changes to storage in a multi-master fashion. The administrator of a small or medium-sized organization rarely manages storage replication because it is automatic, but it can be configured according to the specifics of the network architecture.
Not all directory data is replicated, but only:
Domain data - information about objects in the domain, including objects of accounts, shares, OP and group policies;
Configuration data - information about the topology of the directory: a list of all domains, trees and forests, as well as the location of controllers and servers of the ledger;
Schema data - information about all objects and data types that can be stored in the directory; standard windows scheme Server 2003 describes account objects, share objects, and more, and can be extended by defining new objects and attributes, or by adding attributes to existing objects.
Global Directory
If local caching of membership in universal groups is not performed, network entry is based on membership information universal group provided by the GC.
It also provides directory search across all domains in the forest. Controller, acting GC server, stores a full replica of all directory objects in its domain and a partial replica of objects in the rest of the forest domains.
Only some object properties are needed for login and search, so partial replicas can be used. To form a partial replica, replication needs to transfer less data, which reduces network traffic.
By default, the first domain controller becomes the GC server. Therefore, if there is only one controller in the domain, then the GC server and the domain controller are the same server. You can place the GC on a different controller to reduce the login response time and speed up searches. It is recommended that you create one GC in each domain site.
There are several ways to solve this problem. Of course, you can create a ledger server on one of the domain controllers in the remote office. The disadvantage of this method is an increase in the load on the GC server, which may require additional resources and careful planning of the server's uptime.
Another way to solve the problem is to cache universal group memberships locally. However, any domain controller can service logon requests locally without contacting the ledger server. This speeds up the login procedure and makes things easier in the event of a G/L server failure. It also reduces replication traffic.
Instead of periodically refreshing the entire GC throughout the network, it is enough to update the information in the cache about membership in the universal group. By default, refresh occurs every eight hours on every domain controller that uses local caching of universal group membership.
Membership in universal group individually for each site. Recall that a site is a physical structure consisting of one or more subnets that have an individual set of IP addresses and a netmask. Domain controllers Windows Server 2003 and the GC they refer to must be in the same site. If there are several sites, you will have to set up local caching on each of them. In addition, the users logging on to the site must be part of a Windows Server 2003 domain running in Windows Server 2003 forest mode.
Replication in Active Directory
The directory stores three types of information: domain data, schema data, and configuration data. Domain data is replicated to all domain controllers. All domain controllers are equal, i.e. all changes made from any domain controller will be replicated to all other domain controllers Schema and configuration data is replicated to all domains in the tree or forest. In addition, all individual domain objects and some properties of forest objects are replicated to the GC. This means that the domain controller stores and replicates the schema for the tree or forest, the configuration information for all domains in the tree or forest, and all directory objects and properties for its own domain.
The domain controller that hosts the ledger contains and replicates the schema information for the forest, the configuration information for all domains in the forest, and a limited set of properties for all directory objects in the forest (it only replicates between ledger servers), and all directory objects and properties for its domain.
To understand the essence of replication, consider the following scenario for setting up a new network.
1. In the domain And the first controller is installed. This server is the only domain controller. It is also the GC server. Replication does not occur in such a network, since there are no other controllers.
2. In the domain A second controller is installed, and replication begins. You can designate one controller as the infrastructure master and the other as the GC server. The infrastructure master monitors and requests GL updates for changed objects. Both of these controllers also replicate schema and configuration data.
3. In the domain And a third controller is installed, on which there is no GC. The infrastructure master watches for GC updates, requests them for changed objects, and then replicates the changes to a third domain controller. All three controllers also replicate schema and configuration data.
4. A new domain B is created, controllers are added to it. The GC servers in Domain A and Domain B replicate all schema and configuration data, as well as a subset of domain data from each domain. Replication in domain A continues as described above, plus replication begins within domain B.
ActiveDirectory And LDAP
Lightweight Directory Access Protocol (LDAP) is a standard protocol for Internet connections over TCP/IP networks. LDAP is designed specifically for accessing directory services with minimal overhead. LDAP also defines the operations used to query and modify directory information.
Clients Active Directory uses LDAP to communicate with computers running Active Directory every time they log on to the network or search for shares. LDAP simplifies directory association and migration to Active Directory from other directory services. To improve compatibility, you can use the Active Directory Service Interfaces (ActiveDirectory Service- Interfaces, ADSI).
Operations master roles
The operations master performs tasks that are inconvenient to perform in a multi-master replication model. There are five operations master roles that can be assigned to one or more domain controllers. Some roles must be unique at the forest level, for others the domain level is sufficient. The following roles must exist in each Active Directory forest:
Schema master) - manages updates and changes to the directory schema. Updating the catalog schema requires access to the schema master. To determine which server given time is the master of the schema in the domain, just open the window command line and enter: dsquery server -hasfsmo schema .
Domain naming master - manages the addition and removal of domains in the forest. To add or remove a domain, access to the domain naming master is required. To determine which server is currently the domain naming master, simply type in a command prompt window: dsquery server -hasfsmo name .
These roles, which are common to the forest as a whole, must be unique within it.
The following roles are mandatory in every Active Directory domain.
Relative ID master (relative ID master ) - allocates relative identifiers to domain controllers. Every time you create a user object, group or computer, controllers assign a unique SID to an object, consisting of a domain SID and a unique identifier that has been allocated by the relative identifier master. To determine which server is currently the master of relative identifiers in the domain, it is enough to enter in the command line window: dsqueryserver-hasfsmorid.
PDC emulator (PDC emulator) - In mixed or staging domain mode, acts as a Windows NT primary domain controller. It authenticates Windows NT logins, handles password changes, and replicates updates to P DCs. In order to determine which server is currently the PDC emulator in the domain, it is enough to enter in the command line window dsquery server - hasfsmo pdc.
Infrastructure host (infrastructure master ) - updates links of objects, comparing the data of its catalog with the data of the general ledger. If the data is out of date, it queries the GC for updates and replicates them to the rest of the domain controllers. To determine which server is currently the infrastructure master in the domain, it is enough in the command line window and enter dsqueryserver -hasfsmo infr .
These roles, which are common to the entire domain, must be unique within it. In other words, you can only configure one relative ID master, one PDC emulator, and one infrastructure master per domain.
Operations master roles are usually assigned automatically, but they can be reassigned. When a new network is installed, all operations master roles are assigned to the first domain controller in the first domain. If a new child domain or root domain is later created in a new tree, the operations master roles are also automatically assigned to the first domain controller. In the new domain forest, the domain controller is assigned all of the operations master roles. If new domain is created in the same forest, its controller is assigned the roles of the master of relative identifiers, the P emulatorDC and infrastructure master. The schema master and domain naming master roles remain with the first domain in the forest.
If there is only one controller in the domain, it performs all the roles of operations masters. If there is only one site on the network, the default location of operations masters is optimal. However, as domain controllers and domains are added, it is sometimes necessary to move operations master roles to other domain controllers.
If there are two or more domain controllers in a domain, we recommend that you configure two domain controllers to serve as operations masters. For example, designate one domain controller as the primary operations master, and another as a backup, which will be needed when the primary fails.
Administration Active Directory
CUsing the Active Directory service, computer accounts are created, they are connected to the domain, and computers, domain controllers, and organizational units (OUs) are managed.
Administration and support tools are provided to manage Active Directory. The tools listed below are implemented as MMC console snap-ins (Microsoft managementConsole):
Active Directory Users and Computers (Active Directory Users and computers) allows you to manage users, groups, computers and organizational units (OU);
Active Directory- domains and trust ( Active Directory Domainsand Trusts ) serves to work with domains, domain trees and domain forests;
Active Directory- sites Andservices (Active Directory Sites and Services) allows you to manage sites and subnets;
Resultant policy (Resultant Set of Policy used to view the current user or system policy and to schedule policy changes.
IN Microsoft Windows 2003 Server can access these snap-ins directly from the Administrative Tools menu.
Another administration tool is a snap Scheme ActiveDirectory (Active Directory schema) - allows you to manage and modify the directory schema.
Command line utilities Active Directory
To manage objects Active Directory there are command-line tools that allow you to perform a wide range of administrative tasks:
DSADD - adds to Active Directory computers, contacts, groups, OPs and users.
DSGET - displays properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.
DSMOD - changes the properties of computers, contacts, groups, POs, users and servers registered in Active Directory.
DSMOVE - Moves a single object to a new location within a domain, or renames an object without moving it.
DSQXJERY - searches for computers, contacts, groups, POs, users, sites, subnets and servers in Active Directory according to the given criteria.
DSRM - removes an object from Active Directory.
NTDSUTIL - allows you to view information about the site, domain or server, manage operations masters (operations masters) and serve the databaseActive Directory.
Active Directory - An extensible and scalable directory service Active Directory (Active Directory) allows you to efficiently manage network resources.
Active Directory is a hierarchically organized repository of data about network objects, providing convenient means for finding and using this data. The computer that runs Active Directory is called a domain controller. Almost all administrative tasks are related to Active Directory.
Active Directory technology is based on standard Internet protocols and helps to clearly define the network structure, in more detail how to deploy an Active Directory domain from scratch, read here ..
Active Directory and DNS
Active Directory uses the domain name system.
Using the Active Directory service, computer accounts are created, they are connected to the domain, and computers, domain controllers, and organizational units (OU) are managed.
Administration and support tools are provided to manage Active Directory. The tools listed below are implemented as MMC (Microsoft Management Console) snap-ins:
Active Directory - users and computers (Active Directory Users and Computers) allows you to manage users, groups, computers and organizational units (OD);
Active Directory - domains and trust (Active Directory Domains and Trusts) is used to work with domains, domain trees and domain forests;
Active Directory - sites and services (Active Directory Sites and Services) allows you to manage sites and subnets;
The Resultant Set of Policy is used to view the current user or system policy and to schedule policy changes.
In Microsoft Windows 2003 Server, you can access these snap-ins directly from the Administrative Tools menu.
Another administrative tool - the Active Directory Schema snap-in - allows you to manage and modify the directory schema.
To manage Active Directory objects, there are command-line tools that allow you to perform a wide range of administrative tasks:
DSADD - adds computers, contacts, groups, OPs and users to Active Directory.
DSGET - Displays the properties of computers, contacts, groups, POs, users, sites, subnets and servers registered in Active Directory.
DSMOD - changes the properties of computers, contacts, groups, POs, users and servers registered in Active Directory.
DSMOVE - Moves a single object to a new location within a domain, or renames an object without moving it.
DSQXJERY - searches for computers, contacts, groups, OPs, users, sites, subnets and servers in Active Directory according to specified criteria.
DSRM - Removes an object from Active Directory.
NTDSUTIL - allows you to view site, domain, or server information, manage operations masters, and maintain the Active Directory database.
Windows network administrators cannot escape familiarity with . This overview article will be devoted to what is Active Directory and what they are eaten with.
So, Active Directory is Microsoft's implementation of a directory service. Directory service in this case means a software package that helps system administrator work with such network resources as shared folders, servers, workstations, printers, users and groups.
Active Directory has a hierarchical structure made up of objects. All objects are divided into three main categories.
- User and computer accounts;
- Resources (for example, printers);
- Services (eg. Email).
Each object has a unique name and has a number of characteristics. Objects can be grouped.
User properties Active Directory has a forest structure. The forest has several trees that contain domains. Domains, in turn, contain the above objects.
Active Directory structure Typically, objects in a domain are grouped into OUs. Subdivisions serve to build a hierarchy within a domain (organizations, territorial subdivisions, departments, etc.). This is especially important for organizations that are geographically dispersed. When building a structure, it is recommended to create as few domains as possible, creating, if necessary, separate divisions. It is on them that it makes sense to apply group policies.
Workstation Properties Another way to structure Active Directory are sites. Sites are a way of physical rather than logical grouping based on network segments.
As already mentioned, each object in Active Directory has a unique name. For example, a printer HPLaserJet4350dtn, which is located in the division Lawyers and in the domain primer.ru will have a name CN=HPLaserJet4350dtn,OU=Lawyers,DC=primer,DC=ru. CN is a common name ou- subdivision DC— domain object class. An object name can have many more parts than in this example.
Another form of the object name looks like this: primer.ru/Lawyers/HPLaserJet4350dtn. Each object also has a globally unique identifier ( GUID) is a unique and immutable 128-bit string used by Active Directory for search and replication. Some objects also have a user principal name ( UPN) in the format object@domain.
Here general information about what is Active Directory and why they are needed in local networks on Windows base. Finally, it makes sense to say that the administrator has the ability to work with Active Directory remotely through funds remote administration Server for Windows 7 (KB958830)(Download) And Remote Server Administration Tools for Windows 8.1 (KB2693643) (Download).
Active Directory
Active Directory(“Active Directories”, AD) - LDAP-compatible implementation of a corporation's directory service Microsoft for operating systems of the family Windows NT. Active Directory allows administrators to use group policies to ensure a consistent user experience setting, deploy software to multiple computers through group policies or through System Center Configuration Manager(previously Microsoft Systems Management Server), install operating system, application and server software updates on all computers in the network using the Update Service Windows Server . Active Directory stores environment data and settings in a centralized database. networks Active Directory can be of various sizes: from several tens to several million objects.
Performance Active Directory took place in 1999, the product was first released with Windows 2000 Server, and then was modified and improved upon release Windows Server 2003. Subsequently Active Directory has been improved in Windows Server 2003 R2, Windows Server 2008 And Windows Server 2008 R2 and renamed to Active Directory Domain Services. The directory service was formerly called NT Directory Service (NTDS), this name can still be found in some executable files.
Unlike the versions Windows before Windows 2000 who used mainly the protocol NetBIOS for networking, service Active Directory integrated with DNS And TCP/IP. The default authentication protocol is Kerberos. If the client or application does not support authentication Kerberos, the protocol is used NTLM .
Device
Objects
Active Directory has a hierarchical structure consisting of objects. Objects fall into three main categories: resources (such as printers), services (such as email), and Accounts users and computers. Active Directory provides information about objects, allows you to organize objects, control access to them, and establishes security rules.
Objects can be containers for other objects (security and distribution groups). An object is uniquely identified by its name and has a set of attributes - characteristics and data that it can contain; the latter, in turn, depend on the type of object. Attributes are the constituent base of an object's structure and are defined in the schema. The schema defines what types of objects can exist.
The schema itself consists of two types of objects: schema class objects and schema attribute objects. One schema class object defines one object type Active Directory(for example, a User object), and one schema attribute object defines an attribute that an object can have.
Each attribute object can be used in several different schema class objects. These objects are called schema objects (or metadata) and allow you to modify and add to the schema as needed. However, each schema object is part of the object definitions Active Directory, so disabling or changing these objects can have serious consequences, since as a result of these actions the structure will be changed Active Directory. The change to the schema object is automatically propagated to Active Directory. Once created, a schema object cannot be deleted, it can only be disabled. Usually, all schema changes are carefully planned.
Container similar object in the sense that it also has attributes and belongs to the namespace , but unlike an object, a container does not stand for anything specific: it can contain a group of objects or other containers.
Structure
The top level of the structure is the forest - the collection of all objects, attributes and rules (attribute syntax) in Active Directory. The forest contains one or more trees connected by transitive relationships of trust . The tree contains one or more domains, also connected in a hierarchy by transitive trust relationships. Domains are identified by their DNS name structures - namespaces.
Objects in a domain can be grouped into containers - OUs. Organizational units allow you to create a hierarchy within a domain, simplify its administration, and allow you to model the organizational and/or geographic structure of a company in Active Directory. Divisions can contain other divisions. Corporation Microsoft recommends using as few domains as possible in Active Directory, and use divisions for structuring and policies. Group policies are often applied specifically to organizational units. Group policies are themselves objects. The division is the most low level, on which administrative powers can be delegated.
Another way to divide Active Directory are sites , which are a way of physical (rather than logical) grouping based on network segments. Sites are divided into those with connections via low-speed channels (for example, via global networks, using virtual private networks) and via high-speed channels (for example, via a local area network). A site may contain one or more domains, and a domain may contain one or more sites. When designing Active Directory it is important to consider the network traffic generated when data is synchronized between sites.
Key design decision Active Directory is the decision to divide the information infrastructure into hierarchical domains and top-level divisions. Typical models used for such divisions are divisions by functional divisions of the company, by geographical location and by roles in information infrastructure companies. Combinations of these models are often used.
Physical structure and replication
Physically, information is stored on one or more equivalent domain controllers that have replaced those used in Windows NT primary and backup domain controllers, although a so-called "single-master operations" server, which can emulate a primary domain controller, is retained for some operations. Each domain controller keeps a read/write copy of the data. Changes made on one controller are synchronized to all domain controllers during replication. Servers where the service itself Active Directory not installed, but which are included in the domain Active Directory, are called member servers.
replication Active Directory performed upon request. Service Knowledge Consistency Checker creates a replication topology that uses the sites defined in the system to manage traffic. Intrasite replication is performed frequently and automatically by a consistency checker (by notifying replication partners of changes). Replication between sites can be configured for each channel of a site (depending on the quality of the channel) - a different "rate" (or "cost") can be assigned to each channel (for example DS3, , ISDN etc.) and replication traffic will be limited, scheduled, and routed according to the assigned link estimate. Replication data can transitively travel across multiple sites via site link bridges if the "score" is low, although AD automatically assigns a lower score for site-to-site links than for transitive links. Site-to-site replication is performed by bridgehead servers in each site, which then replicate the changes to each domain controller in their site. Intradomain replication takes place according to the protocol RPC protocol IP, cross-domain - can also use the protocol SMTP.
If the structure Active Directory contains several domains, to solve the problem of finding objects, it is used global catalog: A domain controller that contains all the objects in the forest, but with a limited set of attributes (a partial replica). The catalog is stored on specified global catalog servers and serves cross-domain requests.
The single host capability allows requests to be handled when multi-host replication is not allowed. There are five types of such operations: Primary Domain Controller (PDC) emulation, main computer Relative Identifier (Relative Identifier or RID Master), Infrastructure Host (Infrastructure Master), Schema Host (Schema Master), and Domain Naming Host (Domain Naming Master). The first three roles are unique within the domain, the last two are unique within the entire forest.
base Active Directory can be divided into three logical stores or "partitions". The schema is a template for Active Directory and defines all object types, their classes and attributes, attribute syntax (all trees are in the same forest because they have the same schema). The configuration is the structure of the forest and trees Active Directory. A domain stores all information about objects created in that domain. The first two stores are replicated to all domain controllers in the forest, the third partition is fully replicated between replica controllers within each domain and partially replicated to global catalog servers.
naming
Active Directory supports the following object naming formats: generic type names UNC, URL And LDAP URL. Version LDAP X.500 naming format is used internally Active Directory.
Each object has distinguished name (English) distinguished name, DN) . For example, a printer object named HPLaser3 in the Marketing OU and in the foo.org domain will have the following DN: CN=HPLaser3,OU=Marketing,DC=foo,DC=org , where CN is the common name, OU is the section, and DC is the domain object class. Distinguished names can have many more parts than the four parts in this example. Objects also have canonical names. These are the distinguished names written in reverse order, without identifiers and using forward slashes as separators: foo.org/Marketing/HPLaser3 . To define an object within its container, use relative distinguished name : CN=HPLaser3 . Each object also has a globally unique identifier ( GUID) is a unique and immutable 128-bit string that is used in Active Directory for search and replication. Certain objects also have a user principal name ( UPN, in accordance with RFC 822) in the format object@domain.
Integration with UNIX
Various levels of interaction with Active Directory can be implemented in most UNIX-like operating systems through standard-compliant LDAP clients, but such systems typically do not understand most of the attributes associated with components Windows such as group policies and support for one-way trusts.
Third party vendors offer integration Active Directory on platforms UNIX, including UNIX, linux, MacOS X and a number of applications based Java, with product package:
Schematic add-ons supplied with Windows Server 2003 R2 include attributes that are closely enough related to RFC 2307 to be of general use. RFC 2307 base implementations, nss_ldap and pam_ldap , proposed PADL.com, directly support these attributes. The standard scheme for group membership follows RFC 2307bis (proposed). Windows Server 2003 R2 includes the Microsoft Management Console for creating and editing attributes.
An alternative is to use another directory service like 389 Directory Server(previously Fedora Directory Server, FDS), eB2Bcom ViewDS v7.1 XML Enabled Directory or Sun Java System Directory Server from Sun Microsystems, which performs two-way synchronization with Active Directory, thus implementing "reflected" integration when clients UNIX And linux are authenticated FDS, and clients Windows are authenticated Active Directory. Another option is to use OpenLDAP with the possibility of translucent overlay, expanding the elements of the remote server LDAP additional attributes stored in the local database.
Active Directory automated using Powershell .
Literature
- Rand Morimoto, Kenton Gardiner, Michael Noel, Joe Koka Microsoft Exchange Server 2003. Complete Guide = Microsoft Exchange Server 2003 Unleashed. - M .: "Williams", 2006. - S. 1024. - ISBN 0-672-32581-0
see also
Links
Notes
| Microsoft Windows Components | |
|---|---|
| Main | |
| Services management |
|
| Applications |
Contact DVD Maker Fax and Scan Internet Explorer Magazine Magnifier media center Windows Media Player Program joint work Center Windows devices Mobile Mobility Center Narrator Paint Personal character editor Remote Assistance Speech recognition word pad Notebook Side panel sound recording Calendar Calculator Scissors Mail symbol table historical: Movie Maker NetMeeting Outlook Express Program Manager File Manager Photo album |
| Games | |
| OS kernel | |
| Services | |
| File systems |
|
| Server |
Active Directory Deployment Services File Replication Service DNS Domains Folder redirection Hyper-V IIS Media Services MSMQ Network Access Protection (NAP) Print Services for UNIX Remote Differential Compression Remote Installation Services Rights Management Service Roaming user profiles SharePoint Dispatcher system resources Remote Desktop WSUS Group Policy Distributed transaction coordinator |
| Architecture | |
| Safety | |
| Compatibility | |
| Microsoft | ||
|---|---|---|
| BY | ||
| Server software | ||
| Technologies | ||
| Internet | ||
| Games | ||
| Hardware security |
||
| Education | ||
| Licensing | ||
| Subdivisions | ||