• Why does an organization need Active Directory? What is Active Directory and how to install and configure the database

    Active Directory (AD) is a directory service created by Microsoft. A directory service holds data in an organized form and provides structured access to it. Active Directory is not a Microsoft invention as such, but an implementation of an existing industry model (X.500), a communication protocol (LDAP, the Lightweight Directory Access Protocol) and an existing lookup technology (DNS).

    You should start learning about Active Directory by understanding the purpose of this technology. In general terms, a directory is a container for storing data.

    A telephone directory is a good example of a directory service: it contains a set of data and provides a way to obtain the information you need from it. The directory contains various entries, each with its own meaning, for example the subscribers' names and surnames, their home addresses and, of course, their phone numbers. In a larger directory, entries are grouped by geographic location, by type, or both, so a hierarchy of record types can be formed for each location. A telephone operator also fits the definition of a directory service, because the operator has access to the data: if you submit a request for some directory data, the operator returns the required answer.

    The Active Directory directory service is designed to store information about all network resources. Clients have the ability to query Active Directory to obtain information about any network object. Active Directory features include the following:

    • Secure data storage. Each object in Active Directory has its own access control list (ACL), which records who has been granted access to the object and at what level.
    • A feature-rich query engine based on the Active Directory-created global catalog (GC). All clients that support Active Directory can access this directory.
    • Replicating directory data to all domain controllers simplifies access to information, improves availability, and improves reliability of the entire service.
    • A modular extension concept that allows you to add new object types or extend existing objects. For example, you can add the “salary” attribute to the “user” object.
    • Network communication using multiple protocols. Active Directory is based on the X.500 model, which supports a variety of network protocols, such as LDAP v2, LDAP v3 and HTTP.
    • DNS, rather than NetBIOS, is used for naming domain controllers and locating their network addresses.

    Directory information is distributed across the entire domain, thereby avoiding excessive duplication of data.

    Although Active Directory distributes directory information across different stores, users can still query Active Directory for information about other domains. The global catalog contains information about all objects in the enterprise forest, which lets you search for data across the entire forest.

    When you run the DCPROMO utility (the program that promotes an ordinary Windows server to a domain controller) to create a new domain, it also registers the domain on the DNS server. A client then contacts the DNS server to obtain information about its domain. The DNS server provides information not only about the domain but also about the nearest domain controller. The client, in turn, connects to the Active Directory database on that nearest domain controller to find the objects it needs (printers, file servers, users, groups, organizational units) that belong to the domain. Because each domain controller stores references to the other domains in the tree, the client can search the entire domain tree.

    A variant of the directory that lists all objects in the forest is available when you need to find data outside the client's own domain tree. This variant is called the global catalog. The global catalog can be hosted on any domain controller in the AD forest.

    The global catalog provides quick access to each object that is located in the domain forest, but at the same time contains only some object parameters. To obtain all attributes, you must contact the Active Directory service of the target domain (the controller of the domain of interest). The global catalog can be configured to provide the required object properties.

    To simplify the creation of Active Directory objects, each domain controller maintains a copy of the class hierarchy for the entire forest. Active Directory keeps its class structures in an extensible schema to which new classes can be added.

    The schema is part of the Windows configuration namespace, which is supported by all domain controllers in the forest. The Windows configuration namespace is made up of several structural elements, such as physical locations, Windows sites and subnets.

    A site is contained within a forest and can unite computers from any domain; all computers in a site must have fast and reliable network connections so that domain controller data can be kept in sync.

    A subnet is a group of IP addresses assigned to a site. Subnets let you speed up the replication of Active Directory data between domain controllers.

    • Tutorial

    In my work I have often had to deal with networks that seem to be working, but in which any minor incident can turn into hours of downtime out of the blue. A DC died? No problem, we have a second one. Why won't the shares open? Why doesn't the gateway respond? Oh, and that DC hosted the only DHCP server, and now everyone has dropped off the network.

    In this article I will try to describe the correct, from my point of view, solutions for creating a small business network infrastructure. And of course, this article reflects the author’s personal good practice and may differ from the reader’s ideals.

    So. We have up to 100 clients. Everything is standard: users browse the web, send mail, use the file storage, work in 1C, want a fancier computer and manage to catch viruses. And yes, we are not doing cloud yet.

    First, a couple of pillars of almost any infrastructure; then we will go over the obvious and not so obvious nuances. I repeat: this is a small to medium business, so don't over-engineer it.
    Data security. “A landmine hit the server room.”
    If a landmine hits your server room, then most likely the safety of your data will be the last thing you care about. It is much more likely that on December 31 the pipe above burst, causing a fire there and causing the floor to collapse.
    - Data is our everything. One of the backup servers must be located outside the server room. This is a lifeline. Even if it holds only the most important things, in a day or two you can buy or rent servers again and deploy a working infrastructure. An irrecoverably lost 1C database you will never get back. By the way, an old box, something like a P4 2400 with 1 GB of RAM, usually copes fine with properly organized backups.
    Monitoring. “01/01/2013 02:24 | From: Zabbix | Subject: Nuclear launch detected!”
    You're having a great time celebrating New Year with friends. And it's not just you: the caretaker of the building where you rent premises isn't wasting time either. So by morning the burnt-out room has been flooded with water as well, a nice bonus to your aching head. Happy New Year.
    - If something goes wrong, you simply have to be the first to know about it. SMS notifications about critical events are the norm. By the way, if 5 minutes after the alarm clock rang in the morning the monitoring server has not reported in, it's time to sound the alarm. After all, the server that monitors the monitoring server hasn't written anything either. Actually, it's fine: you have a backup server outside the server room, and it did write to you that it has lost everyone but is still operational.
    Recovery plan. “Calm down, Kazladoev, let’s sit down!”
    This is the most terrible New Year in your experience. Yes, having received the SMS and assessed the situation, the firefighters were called immediately, and they arrived in almost 5 minutes and put out the fire quickly. But anyway, one part of the server room was burned, the second was filled with foam, and the third eventually fell under the floor.
    - A lie, of course. This is not the most pleasant New Year, but not the worst either. Yes, you're in for a busy week, but with a clear plan you know where to start and what to do. I recommend describing everything in the disaster recovery plan in great detail, including console commands. If you need to restore some MySQL server that was configured three years ago, it's unlikely you will remember some minor nuance, and that will cost you half a day. By the way, everything will go somewhat differently than you planned, perhaps completely differently; be prepared for that.
    Now to the basics of networking on AD.
    I'm not going to describe the benefits of clustering, Live Migration and the like. We are a small business and have no money for vMotion. In fact, it isn't necessary; most services are perfectly redundant out of the box. There will be no step-by-step how-to below, but I will try to point you in the right direction for self-study.
    • Active Directory. There must be two domain controllers, physically on different pieces of hardware. By the way, Microsoft does not recommend (or did not recommend) running all DCs in virtual machines, i.e. at least one DC should be bare metal. In general this is nonsense; you can place different DCs on different physical hosts, just follow Microsoft's general recommendations for running DCs in a virtual environment. And don't forget to make both domain controllers global catalog servers.
    • DNS is simply the foundation. If your Domain Name Service works crookedly, you will constantly be raking in problems out of the blue. There must be at least two DNS servers, and the DCs suit us fine for this purpose. And contrary to the recommendations of the Best Practices Analyzer, on the DCs themselves I advise you to specify the DC's own address as its primary DNS server. One more thing: forget the practice of pointing clients at servers by IP address. If it is an NTP server, clients should know it as ntp.company.xyz; if it is a proxy, then something like gate.company.xyz, and so on. It can be the same server, named srv0.domain.xyz, with different CNAMEs. This helps a lot when expanding or moving services.
    • An NTP server, right after DNS. Your DCs should always give the exact time.
      Thanks foxmuldercp for the advice
    • There should also be two DHCP servers. On the same DCs; that's a perfectly workable scheme. Just configure them so that the ranges they issue do not overlap, but so that each DHCP server can cover the entire fleet of machines. And yes, let each DHCP server hand itself out as the first DNS server. I think it's clear why.
    • File server. Everything is easy here too. We set up DFS with replication, on the same DCs. Actually replication is beside the point; just always publish links to shares through DFS, and try to stick to this practice for all file resources. When you need to move a share somewhere new, simply move it and change the link in DFS. The client may not notice anything at all.
    • MSSQL server for 1C. This one is no longer easy. And it's expensive. You have a fairly large database, and keeping a standby SQL server is prohibitively expensive. This cannot simply be made redundant; in any case you need a new instance, which costs money. Backups are our everything, no big deal. Think about where you could quickly deploy a temporary DBMS server. By the way, there is the free MSSQL Express with a limit on database size; maybe it will be enough for you.
    • Gateway. Linux, FreeBSD and the like. Unpleasant as it may be, there is no money for TMG or Kerio. You will still have to understand iptables. Here I can give unambiguous advice: if you are on good terms with the OSI model, there will be no problems; if you are not, there will be problems even with Kerio. And if you consider yourself an admin and don't know the difference between a frame and a packet, it will be hard for you.
    • Security. This is a very broad topic, so the following paragraphs are about this delicate matter.
      Users must work as Domain Users. Any, I emphasize, any application can be configured to run with limited rights. Sometimes it is enough to grant write permission on the program's installation directory while denying writes to the executable files. Sometimes, to find out the specifics, you will need to monitor the registry and file system. Sometimes you want to give up and hand out admin rights. Sometimes it makes sense. The choice is yours, but never disable UAC. And you, sitting at your own workstation, should at most have local administrator rights over the workstations, and in no case work as a domain administrator. If necessary, manage servers through a terminal session.
    • Accounts. I won't say anything about users; I think it's clear that there is one account per user. But not everyone understands that each service should also have its own account. For example, MSSQL running in an AD environment does not need domain administrator rights. Create a regular user account and specify it when installing the DBMS. The installer will grant it the necessary rights itself and everything will work fine. And so with almost any service. If some Openfire asks for an admin account to connect to AD, that's just a name: it only needs to read the directory.
    • Software updates. Deploy WSUS and don't forget to log in at least on the second Wednesday of each month and check for new updates. Select 10-15 machines from your fleet and put them in a test group. Roll new updates out to this group first, and when you find no problems, deploy them to everyone. By the way, here
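    An added example, not code from the original article, of the redundancy points above as commands on a pair of domain controllers: service names published as CNAMEs instead of IPs, a split DHCP scope where both servers can cover the whole fleet but never lease the same address and each hands itself out as the first DNS server, the PDC emulator as the time source, and a per-service account that is checked against Domain Admins. All names and addresses (company.xyz, 192.168.10.0/24, srv0, svc-mssql, the pool.ntp.org peers) are assumptions for the example.

```powershell
# Added example (not from the original article): configuring the redundancy
# described above on two domain controllers. Assumed names/addresses:
# domain company.xyz, DC1 = 192.168.10.10, DC2 = 192.168.10.11, router 192.168.10.1,
# a service host srv0.company.xyz that currently hosts NTP and the proxy.
# Run in an elevated PowerShell on a DC with the DnsServer, DhcpServer and
# ActiveDirectory modules (RSAT) installed.
$Domain   = 'company.xyz'
$Dc1      = '192.168.10.10'
$Dc2      = '192.168.10.11'
$Router   = '192.168.10.1'
$ScopeNet = '192.168.10.0'
$Mask     = '255.255.255.0'

# --- DNS: clients know services by name, never by IP ---------------------
# One host, several CNAMEs; when a service moves, only the alias changes.
Add-DnsServerResourceRecordA     -ZoneName $Domain -Name 'srv0' -IPv4Address '192.168.10.20'
Add-DnsServerResourceRecordCName -ZoneName $Domain -Name 'ntp'  -HostNameAlias "srv0.$Domain"
Add-DnsServerResourceRecordCName -ZoneName $Domain -Name 'gate' -HostNameAlias "srv0.$Domain"

# --- DHCP: one scope on both DCs, complementary exclusions -----------------
# Both servers define the whole range, so either one alone can serve every
# client; the exclusions guarantee the two never hand out the same address.
# ExcludeStart/ExcludeEnd is the half this DC must NOT lease (on DC1 exclude
# the upper half, on DC2 the lower half).
function New-SplitScope {
    param(
        [Parameter(Mandatory)][string]$ExcludeStart,
        [Parameter(Mandatory)][string]$ExcludeEnd,
        [Parameter(Mandatory)][string[]]$DnsOrder   # this DC first, partner second
    )
    Add-DhcpServerv4Scope -Name 'Office LAN' -StartRange '192.168.10.100' `
        -EndRange '192.168.10.199' -SubnetMask $Mask -State Active -LeaseDuration (New-TimeSpan -Days 1)
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeNet -StartRange $ExcludeStart -EndRange $ExcludeEnd
    Set-DhcpServerv4OptionValue -ScopeId $ScopeNet -Router $Router -DnsServer $DnsOrder -DnsDomain $Domain
}
# On DC1:
New-SplitScope -ExcludeStart '192.168.10.150' -ExcludeEnd '192.168.10.199' -DnsOrder @($Dc1, $Dc2)
# On DC2, the mirror image:
# New-SplitScope -ExcludeStart '192.168.10.100' -ExcludeEnd '192.168.10.149' -DnsOrder @($Dc2, $Dc1)

# --- NTP: the PDC emulator is the time source for the whole domain ---------
$Pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
if ($env:COMPUTERNAME -ieq $Pdc.Split('.')[0]) {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
    w32tm /resync
}

# --- Service accounts: one per service, never a domain admin ---------------
$Svc = 'svc-mssql'
New-ADUser -Name $Svc -SamAccountName $Svc -UserPrincipalName "$Svc@$Domain" `
    -Path "OU=Service Accounts,DC=company,DC=xyz" `
    -AccountPassword (Read-Host -AsSecureString "Password for $Svc") `
    -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
# Sanity check: nothing that runs as a service should be in Domain Admins.
$admins = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($admins -contains $Svc) { Write-Warning "$Svc is a domain admin - remove it" }
```

    The DHCP half is deliberately the same function run twice with mirrored exclusions: if one DC dies, the survivor already knows the full scope and keeps answering, which is exactly the "single DHCP server disappeared" failure the introduction complains about.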

    Active Directory is a Microsoft directory service for the Windows NT family of operating systems.

    This service allows administrators to use group policies to ensure uniformity of settings for the user's work environment, software installation, updates, etc.

    What is the essence of Active Directory and what problems does it solve? Read on.

    Principles of organizing peer-to-peer and multi-peer networks

    But another problem arises: what if user2 on PC2 decides to change his password? Then, if the account's password is changed on one PC only, user2 will no longer be able to access the resource on PC1.

    Another example: we have 20 workstations with 20 accounts to which we want to give access to a certain resource on a file server. For this we must create 20 accounts on the file server and grant them access to the required resource.

    What if there are not 20 but 200 of them?

    As you understand, network administration with this approach turns into absolute hell.

    Therefore, the workgroup approach is suitable only for small office networks with no more than 10 PCs.

    If there are more than 10 workstations in the network, the approach in which one network node is delegated the rights to perform authentication and authorization becomes rationally justified.

    This node is the domain controller, which runs Active Directory.

    Domain Controller

    The controller stores a database of accounts, i.e. it stores accounts for both PC1 and PC2.

    Now all accounts are registered once on the controller, and the need for local accounts becomes meaningless.

    Now, when a user logs in to a PC by entering his username and password, this data is transmitted in protected form to the domain controller, which performs the authentication and authorization procedures.

    Afterwards, the controller issues the logged-in user something like a passport, with which he subsequently works on the network and which he presents on request to the other computers and servers whose resources he wants to use.

    Important! A domain controller is a computer running Active Directory that controls user access to network resources. It stores resources (e.g. printers, shared folders), services (e.g. email), people (user and group accounts) and computers (computer accounts).

    The number of such stored resources can reach millions of objects.

    The following versions of MS Windows can act as a domain controller: Windows Server 2000/2003/2008/2012, except the Web Edition.

    The domain controller, in addition to being the authentication center for the network, is also the control center for all computers.

    Immediately after turning on, the computer begins to contact the domain controller, long before the authentication window appears.

    Thus, not only the user entering the login and password is authenticated, but also the client computer is authenticated.

    Installing Active Directory

    Let's look at an example of installing Active Directory on Windows Server 2008 R2. So, to install the Active Directory role, go to “Server Manager”:

    Add the role “Add Roles”:

    Select the Active Directory Domain Services role:

    And let's start the installation:

    After which we receive a notification window about the installed role:

    After installing the domain controller role, let's proceed to installing the controller itself.

    Click “Start”, type the name of the DCPromo wizard in the program search field, launch it and check the box for advanced mode installation:

    Click “Next” and choose to create a new domain and forest from the options offered.

    Enter the domain name, for example, example.net.

    Enter the NetBIOS domain name, without the zone suffix:

    Select the functional level of our domain:

    Because of how a domain controller works, we also install a DNS server.

    Active Directory (AD) is a set of utilities designed for the Microsoft Windows Server operating systems. It was originally created as a lightweight way of accessing user directories. Starting with Windows Server 2008, integration with authorization services was introduced.

    It lets you apply group policy, which pushes the same settings and software to all managed PCs, together with System Center Configuration Manager.

    In simple words for beginners: it is a server role that lets you manage all access and permissions on your local network from one place.

    Functions and purposes

    Microsoft Active Directory is a package of tools (the so-called directory) that lets you manage users and network data. Its main goal is to make the work of system administrators in large networks easier.

    Directories contain various information about users, groups, network devices and file resources, in a word, objects. For example, the user attributes stored in the directory should include address, login, password, mobile phone number, etc. The directory serves as the authentication point from which the necessary information about the user can be obtained.

    Basic concepts encountered during work

    There are a number of specialized concepts that are used when working with AD:

    1. Server is a computer that contains all the data.
    2. The controller is a server with the AD role that processes requests from people using the domain.
    3. An AD domain is a collection of devices united under one unique name, simultaneously using a common directory database.
    4. The data store is the part of the directory responsible for storing and retrieving data from any domain controller.

    How Active Directory works

    The main operating principles are:

    • Authorization, which makes it possible to use any PC on the network simply by entering a personal password. In this case, all the information from the account is carried over.
    • Security. Active Directory contains user recognition functions. For any network object, you can remotely, from one device, set the necessary rights, which will depend on the categories and specific users.
    • Network administration from one point. When working with the Active Directory, the system administrator does not need to reconfigure all PCs if it is necessary to change access rights, for example, to a printer. Changes are carried out remotely and globally.
    • Full DNS integration. Thanks to it there is no naming confusion in AD; all devices are named exactly as they are on the Internet.
    • Large scale. A set of servers can be controlled by one Active Directory.
    • Search performed according to various parameters, for example, computer name, login.

    Objects and Attributes

    An object is a set of attributes, united under its own name, representing a network resource.

    An attribute is a characteristic of an object in the directory. For a user these include the full name and login, while the attributes of a computer account can be the computer's name and its description.

    “Employee” is an object that has the attributes “Name”, “Position” and “TabN”.

    LDAP container and name

    Container is a type of object that can consist of other objects. A domain, for example, may include account objects.

    Their main purpose is to organize objects by the type of their attributes. Most often, containers are used to group objects with the same attributes.

    Almost all containers represent a collection of objects, and each resource maps to a unique Active Directory object. One of the main types of AD container is the organizational unit (OU). Objects placed in this container belong only to the domain in which they were created.

    The Lightweight Directory Access Protocol (LDAP) is the basic protocol for accessing the directory over TCP/IP connections. It is designed to reduce the overhead of accessing directory services. LDAP also defines the operations used to query and edit directory data.

    Tree and site

    A domain tree is a structure: a collection of domains that share a common schema and configuration, form a contiguous namespace and are bound by trust relationships.

    A domain forest is a collection of trees connected to each other.

    A site is a collection of devices in IP subnets that represents the physical model of the network, planned independently of the logical representation of its structure. Active Directory can create any number of sites or combine any number of domains under one site.

    Installing and configuring Active Directory

    Now let's move directly to setting up Active Directory using Windows Server 2008 as an example (the procedure is identical on other versions):

    Click the “OK” button. Note that these particular values are not mandatory; you can use the IP address and DNS server of your own network.

    • Next, go to the “Start” menu and select “Administration” and “”.
    • Go to the “Roles” item and select “Add Roles”.
    • Select “Active Directory Domain Services”, click “Next” twice, then “Install”.
    • Wait for the installation to complete.
    • Open “Start” > “Run” and enter dcpromo.exe in the field.
    • Click “Next”.
    • Select “Create a new domain in a new forest” and click “Next” again.
    • In the next window, enter the domain name and click “Next”.
    • Choose the compatibility (functional) level: Windows Server 2008.
    • In the next window, leave everything at the defaults.
    • The DNS configuration window opens. Since DNS had not been used on this server before, no delegation is created.
    • Select the installation directory.
    • After this step you need to set the administrator password.
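    An added example, not code from the original article, covering both walkthroughs of the DCPROMO wizard on this page and the DNS locator mechanism described in the first section: the unattended equivalent of “Add Roles”, “create a new domain in a new forest”, functional level, DNS installation and the restore-mode password, followed by a check that the new DC registered the SRV records clients use to find it. It uses the AD DS deployment cmdlets that replaced dcpromo.exe from Windows Server 2012 onward; the domain name example.net is the one in the text, the NetBIOS name EXAMPLE and the paths are assumptions.

```powershell
# Added example (not from the original article): the unattended equivalent of
# the "Add Roles" / DCPROMO steps above, using the AD DS deployment cmdlets that
# replaced dcpromo.exe from Windows Server 2012 onward. Assumptions: domain
# example.net (as in the text), NetBIOS name EXAMPLE, default database/SYSVOL paths.
# Run in an elevated PowerShell on the server being promoted.
$Domain  = 'example.net'
$NetBios = 'EXAMPLE'

# 1. Install the role (the "Server Manager -> Add Roles" step).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The restore-mode (DSRM) password asked for at the end of the wizard. Read it
#    interactively rather than hard-coding it in a script that may end up on a share.
$DsrmPassword = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# 3. Dry run: reports the same prerequisite checks the wizard performs.
Test-ADDSForestInstallation -DomainName $Domain -DomainNetbiosName $NetBios `
    -SafeModeAdministratorPassword $DsrmPassword -InstallDns

# 4. Promote: "create a new domain in a new forest", functional level 2008 R2,
#    DNS installed alongside (a DC needs DNS, as the text notes). Reboots when done.
Install-ADDSForest -DomainName $Domain -DomainNetbiosName $NetBios `
    -ForestMode Win2008R2 -DomainMode Win2008R2 `
    -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $DsrmPassword -Force

# 5. After the reboot: confirm the DC registered the SRV records that clients
#    query to locate the nearest domain controller.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV
nltest /dsgetdc:$Domain          # which DC the locator picks, and its site
dcdiag /test:DNS /test:Advertising
```

    Step 5 is the part worth keeping in your runbook: a DC that installed fine but failed to register its SRV records is invisible to clients, and that is the kind of fault that shows up as "the domain is down" when the service is actually running.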

    To be secure, the password must meet the following requirements:


    After AD completes the component configuration process, you must reboot the server.



    The setup is complete; the snap-in and the role are installed on the system. AD can only be installed on the Windows Server family; regular editions such as Windows 7 or 10 only allow installing the management console.

    Administration in Active Directory

    By default, in Windows Server, the Active Directory Users and Computers console works with the domain to which the computer belongs. You can access computer and user objects in this domain through the console tree or connect to another controller.

    The tools in the same console let you view additional object properties and search for objects; you can create new users and groups and change permissions.

    By the way, there are two types of groups in Active Directory: security and distribution. Security groups are responsible for delimiting access rights to objects; they can also be used as distribution groups.

    Distribution groups cannot differentiate rights and are used primarily for distributing messages on the network.

    What is AD delegation

    Delegation is the transfer of part of the permissions and control from the parent to another responsible party.

    Every organization of any size has several system administrators at its headquarters, and different tasks should rest on different shoulders. To apply changes you must have rights and permissions, which are divided into standard and special. Special permissions apply to a specific object, while standard permissions are a set of existing permissions that make specific features available or unavailable.
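    An added example, not code from the original article, that ties the two preceding sections together: a security group and a distribution group created side by side, and then a delegated permission granted to the security group (reset passwords in one OU) without giving the helpdesk any broader rights. The domain company.xyz, the OUs “Staff” and “Groups” and the group names are assumptions.

```powershell
# Added example (not from the original article): the two group categories and a
# delegated permission. Assumed: domain company.xyz with an OU "Staff" holding
# user accounts and an OU "Groups"; a helpdesk team that should be able to reset
# passwords in "Staff" without being Domain Admins.
Import-Module ActiveDirectory
$Base = 'DC=company,DC=xyz'

# Security group: carries a SID, can appear in ACLs (and can also be mailed).
New-ADGroup -Name 'Helpdesk' -SamAccountName 'Helpdesk' -GroupScope Global `
    -GroupCategory Security -Path "OU=Groups,$Base"
# Distribution group: no SID, usable only as a mail list, cannot grant rights.
New-ADGroup -Name 'All-Staff-Mail' -SamAccountName 'All-Staff-Mail' -GroupScope Universal `
    -GroupCategory Distribution -Path "OU=Groups,$Base"

# Delegation: grant Helpdesk the "Reset Password" extended right on user objects
# under OU=Staff only (/I:S = inherit to sub-objects, not the OU itself).
dsacls "OU=Staff,$Base" /I:S /G "COMPANY\Helpdesk:CA;Reset Password;user"

# Verify from the PowerShell side: list the ACEs on the OU that name Helpdesk.
function Get-OuAcesFor {
    param([string]$OuDn, [string]$Account)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$Account" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
}
Get-OuAcesFor -OuDn "OU=Staff,$Base" -Account 'Helpdesk'
```

    Running the same Get-OuAcesFor against the distribution group returns nothing even if you try to add it to an ACL, which is the practical meaning of "distribution groups cannot differentiate rights".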

    Establishing trust

    There are two types of trust relationships in AD: one-way and two-way. In the first case one domain trusts the other but not vice versa; accordingly, the first has access to the resources of the second, and the second does not have access to the first. In the second type the trust is mutual. There are also outgoing and incoming trusts. In an outgoing trust, the first domain trusts the second, thereby allowing users of the second to use the resources of the first.

    When establishing a trust, follow this procedure:

    • Check the network connections between the controllers.
    • Check the settings.
    • Set up name resolution for the external domain.
    • Create the trust from the trusting domain's side.
    • Create the corresponding trust on the controller of the domain being trusted.
    • Verify the created one-way relationship.
    • If a two-way relationship is needed, establish it.
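    The checklist above as commands, added here as an example and not taken from the original article. It assumes our domain company.xyz establishes a one-way outgoing trust to a partner domain partner.local whose DC is at 10.20.0.10, with administrator credentials available for both sides; all of these names are assumptions.

```powershell
# Added example (not from the original article): the trust checklist above, as
# commands. Assumed: our domain company.xyz trusts partner.local (one-way,
# outgoing), partner DC at 10.20.0.10, credentials for an admin in each domain.
Import-Module ActiveDirectory
$Ours    = 'company.xyz'
$Theirs  = 'partner.local'
$TheirDc = '10.20.0.10'

# 1-2. Network and settings: LDAP, Kerberos and the RPC endpoint mapper must be reachable.
foreach ($port in 389, 88, 135) {
    Test-NetConnection -ComputerName $TheirDc -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 3. Name resolution for the external domain: a conditional forwarder on our DNS,
#    replicated to every DC in the forest (the partner does the same for us).
Add-DnsServerConditionalForwarderZone -Name $Theirs -MasterServers $TheirDc -ReplicationScope Forest
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Theirs" -Type SRV

# 4-5. Create the trust. netdom creates the trusting side with /UserO and the
#      trusted side with /UserD; with both credentials one call does both halves.
#      Omit /TwoWay for the one-way case; add it for a bidirectional trust (step 7).
#      The "*" makes netdom prompt for each password instead of taking it from the command line.
netdom trust $Ours /d:$Theirs /Add /UserD:"PARTNER\Administrator" /PasswordD:* /UserO:"COMPANY\Administrator" /PasswordO:*

# 6. Verify the one-way relationship and read back its direction.
netdom trust $Ours /d:$Theirs /Verify /UserD:"PARTNER\Administrator" /PasswordD:*
Get-ADTrust -Identity $Theirs | Select-Object Name, Direction, TrustType, ForestTransitive
```

    If step 3 fails, nothing after it will work: the trust is created against the partner's DC by name, so the conditional forwarder (or a stub zone) has to be in place on every DC that may handle the request, which is why it is replicated forest-wide here.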

    Global catalog

    This is a domain controller that stores copies of all objects in the forest. It gives users and programs the ability to search for objects in any domain of the current forest using the attributes included in the global catalog.

    The global catalog (GC) includes a limited set of attributes for every object in every domain of the forest. It receives its data from all the domain directory partitions in the forest; they are copied using the standard Active Directory replication process.

    The schema determines whether an attribute is replicated to the global catalog. Additional attributes can be configured to be replicated there using the “Active Directory Schema” snap-in: select the attribute and enable the option to replicate it to the global catalog. The attribute's isMemberOfPartialAttributeSet parameter then becomes true.

    To find out which servers host the global catalog, enter at the command line:

    dsquery server -isgc
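    An added example, not code from the original article, of the same operations from PowerShell: list the GC servers, read and set isMemberOfPartialAttributeSet on a schema attribute, and then prove the change by querying a GC on port 3268. The domain company.xyz and the user jdoe are assumptions; employeeNumber is a standard schema attribute, chosen here as the equivalent of the “TabN” attribute from the Objects and Attributes section.

```powershell
# Added example (not from the original article): finding the global catalog
# servers and publishing an extra attribute to the partial attribute set. Assumed
# domain company.xyz and user jdoe; "employeeNumber" is a standard schema
# attribute (used here as the "TabN"-style attribute from the Objects section).
# Editing the PAS needs Schema Admins rights and is a forest-wide change.
Import-Module ActiveDirectory

# Which DCs hold a GC (PowerShell counterpart of "dsquery server -isgc")
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, IsGlobalCatalog

# Locate the schema object for the attribute and read its current PAS flag
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq 'employeeNumber' } `
    -Properties isMemberOfPartialAttributeSet
"{0}: isMemberOfPartialAttributeSet = {1}" -f $attr.Name, $attr.isMemberOfPartialAttributeSet

# Flip the flag: equivalent to the "replicate to global catalog" option in the snap-in
Set-ADObject -Identity $attr.DistinguishedName -Replace @{ isMemberOfPartialAttributeSet = $true }

# Prove it: query a GC (port 3268) for a user's employeeNumber. The PAS is
# replicated on the normal schedule, so other GCs may lag behind for a while.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName
Get-ADUser -Filter { SamAccountName -eq 'jdoe' } -Server "$($gc):3268" -Properties employeeNumber |
    Select-Object SamAccountName, employeeNumber
```

    Treat the Set-ADObject line as a change-controlled operation: every GC in the forest will start replicating the attribute, so the cost is paid on every link, not just in the domain where the attribute is populated.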

    Data replication in Active Directory

    Replication is the copying procedure that keeps the information held on every controller equally up to date.

    It takes place without operator involvement. There are the following types of replica content:

    • Domain data. Replicas are created for every existing domain.
    • Schema data. Since the schema is the same for all objects in the Active Directory forest, replicas of it are maintained across all domains.
    • Configuration data. Describes the replication topology among the controllers. This information is distributed to all domains in the forest.

    The main kinds of replication are intra-site and inter-site.

    In the first case, after a change the system waits briefly and then notifies its partner to replicate the change. Even if there are no changes, replication occurs automatically after a certain period of time. After urgent changes are applied to the directory, replication occurs immediately.

    Replication between sites takes place at times of minimal network load, which avoids information loss.
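    An added example, not code from the original article, of checking that the replication described above is actually happening: it maps a subnet to a site (which decides whether a pair of DCs replicate intra- or inter-site), pulls the forest-wide summary with repadmin, reads per-partner metadata for one DC, and flags failures older than the intra-site notification window. The domain company.xyz, the DC names and the 192.168.10.0/24 subnet are assumptions.

```powershell
# Added example (not from the original article): checking replication health and
# the subnet-to-site mapping that drives intra- vs inter-site replication.
# Assumed: two DCs dc1/dc2 in company.xyz, office subnet 192.168.10.0/24.
Import-Module ActiveDirectory

# 1. Each subnet must be tied to a site, otherwise clients and DCs fall into
#    Default-First-Site-Name and inter-site scheduling is not applied.
if (-not (Get-ADReplicationSubnet -Filter { Name -eq '192.168.10.0/24' })) {
    New-ADReplicationSubnet -Name '192.168.10.0/24' -Site 'Default-First-Site-Name'
}

# 2. Forest-wide summary: per-DC failure counts and the largest replication delta.
repadmin /replsummary

# 3. Per-partner detail: last successful/failed attempt for every partition.
function Get-ReplicationStatus {
    param([string]$Dc)
    Get-ADReplicationPartnerMetadata -Target $Dc -Scope Server -PartnerType Both |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}
Get-ReplicationStatus -Dc 'dc1.company.xyz'

# 4. Alert on any failure older than the intra-site "wait, then notify" window
#    (a few minutes by default); inter-site links may legitimately lag for hours,
#    so tune the threshold per site link rather than using one number everywhere.
Get-ADReplicationFailure -Target 'company.xyz' -Scope Domain |
    Where-Object { $_.FirstFailureTime -lt (Get-Date).AddMinutes(-15) } |
    Select-Object Server, Partner, FailureType, FailureCount, LastError
```

    Step 4 is the piece to wire into the monitoring the earlier section insists on: a silent replication failure means the second DC you are counting on may be serving stale passwords and group memberships by the time you need it.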

    Windows network administrators cannot avoid getting acquainted with Active Directory. This overview article is about what Active Directory is and what it is used for.

    So, Active Directory is Microsoft's implementation of a directory service. A directory service in this case means a software package that helps the system administrator work with network resources such as shared folders, servers, workstations, printers, users and groups.

    Active Directory has a hierarchical structure consisting of objects. All objects are divided into three main categories.

    • User and computer accounts;
    • Resources (for example, printers);
    • Services (eg e-mail).

    Each object has a unique name and has a number of characteristics. Objects can be grouped.

    User Properties

    Active Directory has a forest structure. The forest has several trees that contain domains. Domains, in turn, contain the above-mentioned objects.


    Active Directory structure

    Typically, objects in a domain are grouped into organizational units. OUs serve to build a hierarchy within a domain (organizations, territorial divisions, departments, etc.). This is especially important for organizations that are geographically dispersed. When building the structure, it is recommended to create as few domains as possible, creating separate OUs where necessary. It is to OUs that it makes sense to apply group policies.

    Workstation Properties

    Another way to structure Active Directory is sites. Sites are a method of physical, rather than logical, grouping based on network segments.

    As already mentioned, each object in Active Directory has a unique name. For example, a printer HPLaserJet4350dtn located in the Lawyers OU of the domain primer.ru will have the name CN=HPLaserJet4350dtn,OU=Lawyers,DC=primer,DC=ru. CN is the common name, OU the organizational unit, DC the domain component. An object name can have many more parts than in this example.

    Another way of writing an object name is the canonical form: primer.ru/Lawyers/HPLaserJet4350dtn. Each object also has a globally unique identifier (GUID), a unique and immutable 128-bit value that Active Directory uses for lookup and replication. Some objects also have a user principal name (UPN) in the format object@domain.
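    An added example, not code from the original article, that converts the distinguished name above into the canonical form the text gives, then reads the same object's GUID and UPN from the directory for comparison. The function goes slightly beyond the single case in the text: it handles any number of OU and DC components and commas escaped inside a value. The assumption is that the example printer object exists in a reachable domain primer.ru.

```powershell
# Added example (not from the original article): converting between the two
# name forms shown above and reading the GUID/UPN of the same object. Assumed:
# the example printer CN=HPLaserJet4350dtn,OU=Lawyers,DC=primer,DC=ru exists.
function ConvertTo-CanonicalName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not escaped with a backslash (values may contain "\,")
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    $dcParts = @(); $pathParts = @()
    foreach ($rdn in $rdns) {
        $type, $value = $rdn.Trim() -split '=', 2
        if ($type -ieq 'DC') { $dcParts += $value } else { $pathParts += $value }
    }
    # DC components keep their order (primer, ru -> primer.ru); the remaining
    # RDNs run leaf-first in a DN and root-first in a canonical name, so reverse.
    [array]::Reverse($pathParts)
    return (($dcParts -join '.') + '/' + ($pathParts -join '/'))
}

$dn = 'CN=HPLaserJet4350dtn,OU=Lawyers,DC=primer,DC=ru'
ConvertTo-CanonicalName $dn          # primer.ru/Lawyers/HPLaserJet4350dtn

# Cross-check against the directory's own constructed canonicalName, and show
# the GUID (immutable) next to the DN and UPN (which change when an object is
# moved or renamed). A printer has no UPN; for a user object the column is filled.
Import-Module ActiveDirectory
Get-ADObject -Identity $dn -Properties canonicalName, objectGUID, userPrincipalName |
    Select-Object DistinguishedName, canonicalName, ObjectGUID, userPrincipalName
```

    The practical point of the comparison is the last column set: scripts and audit logs that key on a DN break when an object is moved between OUs, while the GUID survives moves, renames and even a domain migration, which is why replication uses it.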

    That is the general information about what Active Directory is and why it is needed in Windows-based local networks. Finally, it is worth saying that an administrator can work with Active Directory remotely using the Remote Server Administration Tools for Windows 7 (KB958830) and the Remote Server Administration Tools for Windows 8.1 (KB2693643).