Active Directory Domain Services: Basic Info


Before proceeding with AD, let us first look at what a domain and a workgroup are.

What is a domain?

A domain is a logical group of computers that share a common directory database.

What is a workgroup?

A workgroup is made up of standalone computers that each use their own local database, for example a home PC.

Coming to Active Directory,

Active Directory is a directory database that stores information about Active Directory objects such as users, computers, groups, organizational units and group policies.

There are two types of structure in Active Directory, as below.

Logical structure and physical structure.

The logical structure consists of:

  • domains,
  • trees,
  • organizational units and
  • forests.

Domain: 

As mentioned above, a domain is a logical group of computers that share a common directory database.

Tree: 

A hierarchy of domains with a contiguous namespace, as below.

https://4.bp.blogspot.com/-jsunK3MlzHo/VZEsHI0DYYI/AAAAAAAAE-I/vSgKaJF_fvE/s200/Tree.PNG
Domain Tree

Forest: 

A group of one or more trees; the trees do not share a contiguous namespace, as below.

https://1.bp.blogspot.com/-QYdd3_YFxMk/VZEoyC1KKFI/AAAAAAAAE98/2qLi7ZVepBM/s400/Domain%2Bforest.PNG
Domain Forest

Note: The first domain in the forest is called the root domain.

Organizational unit:

An organizational unit (OU) is a container that we can use to organize Active Directory objects (users, groups and other organizational units).

We can create sub-OUs inside an OU if required. For example, if we want to manage departments such as sales, marketing and IT, we can create a separate OU for each department, add all the related users to that OU, and manage them by applying group policy and delegation.

Suppose your company hires contract employees to handle part of the IT-related work and wants to call them the IT helpdesk. You can create an OU named ITHelpdesk, add all the contract employees to that OU, and apply the policy and delegation you want to give them.

Organizational units make it easy to manage Active Directory objects.

One more example: suppose you want to apply a GPO to a group of users but not to the remaining domain users. Simply create an OU, add the users the GPO should apply to, then create the GPO and link it to that OU.
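The OU-plus-GPO scenario from the two examples above, as an added PowerShell example (not part of the original post). It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain-joined admin session, and placeholder names: an existing group Contractors holding the contract staff, the OU ITHelpdesk and a GPO named ITHelpdesk Policy.

```powershell
# Added example (not from the original post): build the ITHelpdesk OU scenario
# with the ActiveDirectory and GroupPolicy RSAT modules.
# Assumed placeholders: group "Contractors" holding the contract staff,
# OU "ITHelpdesk", GPO "ITHelpdesk Policy". Delegation is left out.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=com
$ouName   = 'ITHelpdesk'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'ITHelpdesk Policy'

# 1. Create the OU only if it does not already exist (safe to re-run).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the contract employees into the OU so the policy applies only to them.
$contractors = Get-ADGroupMember -Identity 'Contractors' | Where-Object objectClass -eq 'user'
foreach ($member in $contractors) {
    $user = Get-ADUser -Identity $member.DistinguishedName
    if ($user.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $ouDN
    }
}

# 3. Create the GPO and link it to the OU. The remaining domain users are
#    untouched because the link sits on the OU, not on the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Scoped to contract IT helpdesk staff'
}
$alreadyLinked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced No | Out-Null
}

# 4. Verify: who now sits in the OU, and which GPOs are linked to it.
Get-ADUser -SearchBase $ouDN -Filter * | Select-Object SamAccountName, DistinguishedName
(Get-GPInheritance -Target $ouDN).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```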

This is all about the organizational unit.

Physical Structure of Active Directory:

The physical structure of AD consists of domain controllers and sites.

Domain Controllers:

A domain controller is a server that runs Active Directory Domain Services and responds to authentication requests such as logon requests.

Sites:

Sites are defined as groups of well-connected, highly reliable and fast TCP/IP subnets. A site allows an administrator to configure Active Directory access and replication topology to take advantage of the physical network.

This is all about the physical and logical structure of AD.

Active Directory has three different types of partitions, as below.

  1. Domain partition: It contains replicas of all the objects in that domain; this partition replicates only to other domain controllers in the same domain.
  2. Schema partition: It contains the forest-wide schema. Each forest has one schema, so that the definition of each object class is consistent.
  3. Configuration partition: It contains the forest topology, a record of all domain controllers and the connections between them in a forest.

Note: Changes made to the schema are replicated to all the domains in the forest; this replication is called multimaster replication.

Flexible Single Master Operations:

In total there are two types of FSMO roles:

  1. Forest-wide roles
  2. Domain-wide roles

The forest-wide roles are the following two:

  1. Schema Master role
  2. Domain Naming Master role

The domain-wide roles are the following three:

  1. PDC Emulator (Primary Domain Controller)
  2. RID Master role (Relative Identifier)
  3. Infrastructure Master role

Schema Master:

  • It keeps the schema up to date in the forest.
  • Any modifications or updates to the existing schema are made through this role.
  • Only one Schema Master is present in the entire forest.

If the Schema Master is down, domain controllers are not affected; however, any attempt to modify or update the schema will fail. Hence we need to make sure the Schema Master is up before making any changes to the schema in the forest.

Domain Naming Master:

It manages the addition or removal of domains in the forest.

If the Domain Naming Master is down the domain is not affected; however, it is not possible to add or remove domains from the forest.

PDC Emulator:

  • Responsible for updating any password changes in a domain.
  • Responsible for time synchronization in the domain.
  • Responsible for updating Group Policy.

If the PDC Emulator is down we will face the issues below.

  • Users are unable to change their passwords.
  • Unsynchronized time can lead to logon failures for users.
  • GPO issues.

RID Master:

  • It allocates RID pools within the domain, which domain controllers need when creating users.
  • Initially each DC has a pool of 500 RIDs; once it is drained, the DC contacts the RID Master for a new pool of RIDs in order to create user accounts.

If the RID Master is down nothing happens as long as each DC still has RIDs in its pool; once the pool is drained it is not possible to create new users, as there are no RIDs left on the DC.

Infrastructure Master:

  • Responsible for updating cross-domain references.
  • Do not place the Infrastructure Master role on a DC holding the Global Catalog, unless all the DCs in the environment are Global Catalog servers.
  • If the Infrastructure Master role is down, DCs are not affected, but if there are multiple domains, any change to an object that is referenced by an object in another domain will not be reflected.

Global Catalog:

It contains full information about its own domain and partial information about all the domains in a forest, which helps users find the information they are querying for.

Transfer and Seize FSMO roles:

Transfer FSMO roles via NTDSUTIL:

  • Go to the command prompt
  • Type NTDSUTIL
  • Type roles
  • Type connections
  • Type connect to server Servername
  • Type q (this brings you back to fsmo maintenance)
  • Type transfer schema master
  • Type transfer RID master
  • Type transfer PDC
  • Type transfer naming master
  • Type transfer infrastructure master

Once done, we can check the status by typing netdom query fsmo in the command prompt.

Seize FSMO roles:

  • Go to the command prompt
  • Type NTDSUTIL
  • Type roles
  • Type connections
  • Type connect to server Servername
  • Type q (this brings us back to fsmo maintenance)
  • Type seize schema master
  • Type seize RID master
  • Type seize PDC
  • Type seize naming master
  • Type seize infrastructure master

Once done, we can check the status by typing netdom query fsmo in the command prompt.
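As an added example (not part of the original post), a PowerShell equivalent of the netdom query fsmo check above, extended with the Infrastructure Master / Global Catalog placement rule from the Infrastructure Master section and a reachability check of each role holder. It assumes the RSAT ActiveDirectory module and a domain-joined admin session; TARGET-DC in the commented transfer and seize lines is a placeholder.

```powershell
# Added example (not from the original post): report the five FSMO role holders,
# check each one is reachable, and flag an Infrastructure Master that sits on a
# Global Catalog while not every DC is a GC. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
    }
}

function Test-InfrastructureMasterPlacement {
    $domain   = Get-ADDomain
    $allDCs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
    $imHolder = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $allAreGC = -not ($allDCs | Where-Object { -not $_.IsGlobalCatalog })
    # Rule from the post: IM on a GC is only acceptable when every DC is a GC.
    if ($imHolder.IsGlobalCatalog -and -not $allAreGC) {
        Write-Warning "Infrastructure Master $($imHolder.HostName) is a GC but not all DCs are GCs; cross-domain references may go stale."
        return $false
    }
    return $true
}

$roles = Get-FsmoRoleHolders
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# An unreachable holder is the "role is down" case described above and a
# candidate for transfer (or seizure, if it will never come back).
foreach ($holder in ($roles.Values | Sort-Object -Unique)) {
    $reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
    '{0,-40} reachable={1}' -f $holder, $reachable
}

Test-InfrastructureMasterPlacement | Out-Null

# Graceful transfer of all five roles to TARGET-DC (placeholder) while the holder is online:
# Move-ADDirectoryServerOperationMasterRole -Identity 'TARGET-DC' -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
# Seizure (holder permanently gone) is the same cmdlet with -Force; the old holder must not rejoin the domain afterwards:
# Move-ADDirectoryServerOperationMasterRole -Identity 'TARGET-DC' -OperationMasterRole PDCEmulator,RIDMaster -Force
```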

Note:

You can find the RID, PDC and Infrastructure Master roles in the "Active Directory Users and Computers" console and the Domain Naming Master role in the "Active Directory Domains and Trusts" console.

To find the Schema Master we have to follow the steps below.

  • In the Run box type regsvr32 schmmgmt.dll (this command registers schmmgmt.dll on our computer)
  • Go to Start
  • Type mmc /a
  • Click on the File menu -> Add or Remove Snap-in and then click Add
  • Under the available snap-ins double-click Active Directory Schema, click Close and then click OK.
  • Save this by clicking on the File menu and saving it as schmmgmt.msc
  • Now we can open the Schema snap-in to transfer this role via the GUI.

Installing and Configuring Active Directory:

  • First we need to install the Active Directory Domain Services role using Server Manager.
  • Then restart the system.
  • Type dcpromo in the Run box and proceed with the installation of Active Directory.

After completing the configuration of AD DS we get the options below in Administrative Tools.

  • Active Directory Users and Computers
  • Active Directory Sites and Services
  • Active Directory Domains and Trusts
  • ADSI Edit
  • Active Directory Administrative Center

Below are the default folders created after installing Active Directory.

C:\windows\NTDS\ntds.dit

C:\Windows\SYSVOL

NTDS.dit is the Active Directory database file; its default size is between 14 MB and 16 MB.

The SYSVOL folder contains all the security-related information such as group policies and authentication-related information.