Active Directory Functionality and Structure

Directory Service Functionality

Active Directory provides directory service functionality to organize, manage, and centrally control access to network resources.

It abstracts away the physical network topology and transport protocols: clients address resources by name, not by location.

It is organized into partitions (naming contexts) that can hold a very large number of objects.

Active Directory can be extended as an organization grows.

It provides centralized access control with single sign-on: a user authenticates once to the domain and is then authorized against each resource's access control list.

Directory Service Objects

Objects represent network resources.

An administrator can control resources held in a distributed database from a single point of administration.

Object properties or attributes are stored in the directory.

Users and applications find objects by searching on specific attributes (for example sAMAccountName or mail).

Some objects, such as containers and OUs, contain other objects; leaf objects such as users do not.

Directory Service Schema

The schema defines every object class and attribute the directory can store.

A Windows 2000 forest has exactly one schema, shared by all of its domains and held by every domain controller.

Schema definitions include attributes and object classes.

Object classes describe creatable directory objects.

Each class is defined by the set of attributes its instances must and may carry (mustContain and mayContain), plus the class it inherits from (subClassOf).

Attributes are defined once, independently of classes, and the same attribute can be used in many classes.

The Active Directory schema is stored in the directory database itself, in the schema naming context.

Storing it in the database means the schema is:

  • Dynamically available to applications, which discover classes and attributes by querying the directory.
  • Dynamically extensible: new classes and attributes can be added. Extensions are forest-wide and cannot be deleted afterwards (only deactivated), so they are restricted to the Schema Admins group.
  • Protected using discretionary access control lists (DACLs), like every other directory object.
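Worked example (added here, not part of the original page): a simplified model of how schema classes and attributes fit together. Attributes are defined once and referenced by name from several classes, classes inherit through subClassOf, and an object is valid only if it carries every mandatory attribute of its class chain and nothing outside the mandatory and optional sets. The class and attribute table is a constructed, heavily trimmed subset of the real schema, not a dump of it.

```python
# Added example, not part of the original page: a simplified model of schema
# classes and attributes. The table below is a constructed, trimmed subset of
# the real Active Directory schema.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class AttributeSchema:
    ldap_name: str
    syntax: str
    single_valued: bool

@dataclass(frozen=True)
class ClassSchema:
    ldap_name: str
    sub_class_of: Optional[str]
    must: FrozenSet[str] = frozenset()   # mustContain
    may: FrozenSet[str] = frozenset()    # mayContain

# Attributes are defined once, independently of any class.
ATTRIBUTES = {a.ldap_name: a for a in [
    AttributeSchema("objectClass", "OID", False),
    AttributeSchema("cn", "Unicode", True),
    AttributeSchema("sAMAccountName", "Unicode", True),
    AttributeSchema("userPrincipalName", "Unicode", True),
    AttributeSchema("description", "Unicode", False),
    AttributeSchema("member", "DN", False),
    AttributeSchema("ou", "Unicode", False),
]}

# cn is defined once above and reused by person, group and organizationalUnit.
CLASSES = {c.ldap_name: c for c in [
    ClassSchema("top", None, must=frozenset({"objectClass"}), may=frozenset({"description"})),
    ClassSchema("person", "top", must=frozenset({"cn"})),
    ClassSchema("organizationalPerson", "person"),
    ClassSchema("user", "organizationalPerson", must=frozenset({"sAMAccountName"}),
                may=frozenset({"userPrincipalName"})),
    ClassSchema("group", "top", must=frozenset({"cn", "sAMAccountName"}),
                may=frozenset({"member"})),
    ClassSchema("organizationalUnit", "top", must=frozenset({"ou"})),
]}

def class_chain(name):
    """The class and all its ancestors, most derived first (user -> ... -> top)."""
    chain = []
    while name is not None:
        cls = CLASSES[name]
        chain.append(cls)
        name = cls.sub_class_of
    return chain

def effective_attributes(class_name):
    """(mandatory, optional) attribute names accumulated over the inheritance chain."""
    must, may = set(), set()
    for cls in class_chain(class_name):
        must |= cls.must
        may |= cls.may
    return frozenset(must), frozenset(may - must)

def validate(obj):
    """Problems with an object given as {attribute: [values]}; the last objectClass
    value is the structural class, as in a real AD object."""
    classes = obj.get("objectClass") or []
    class_name = classes[-1] if classes else None
    if class_name not in CLASSES:
        return [f"unknown objectClass {class_name!r}"]
    must, may = effective_attributes(class_name)
    keys = set(obj)
    problems = [f"missing mandatory attribute {a}" for a in sorted(must - keys)]
    problems += [f"attribute {a} not allowed on class {class_name}"
                 for a in sorted(keys - must - may)]
    for attr, vals in obj.items():
        schema = ATTRIBUTES.get(attr)
        if schema and schema.single_valued and len(vals) > 1:
            problems.append(f"attribute {attr} is single-valued but has {len(vals)} values")
    return problems
```

A real domain controller performs this check on every write, which is why an application that needs a new attribute must extend the schema first rather than simply writing the attribute.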

Active Directory

Active Directory’s logical and physical structures are defined separately.

The logical structure (domains, OUs, trees, forests) organizes resources; the physical structure (sites, domain controllers) controls where replication and logon traffic flow.

The logical structure is flexible, so the directory hierarchy can be designed around the organization rather than around the network.

Logical components include:

  • Domains
  • OUs
  • Trees
  • Forests

Domain

The central unit of Active Directory’s logical structure.

A set of computers sharing a common directory database (the domain naming context) and common security policies.

Domains have unique DNS names and hold their own user, group, and computer accounts.

Domains serve as administrative and policy boundaries: a domain administrator has rights only within that domain by default.

The security boundary, however, is the forest: every domain in a forest trusts every other, and a Domain Admin in any domain can gain control of the whole forest (for example through the shared configuration partition or SID history). Treat all domains in a forest as equally trusted.

Domains have security policies and relationships with other domains.

Domains are replication units.

Domain controllers replicate changes within the domain.

New Windows 2000 domains operate in mixed mode by default.

Mixed mode lets Windows NT 4.0 backup domain controllers coexist with Windows 2000 domain controllers.

Native mode can be enabled once every domain controller in the domain runs Windows 2000.

Some features require native mode, such as universal security groups, nesting of security groups, and SID history.

The switch from mixed to native mode is one-way; it cannot be reversed.

Later Windows versions replace these two modes with domain and forest functional levels.

Trees and Forests

The first domain created is the forest root domain.

The forest root domain is crucial because:

  • The forest is referenced by the root domain’s DNS name.
  • Additional domains are added as children of it (forming a tree) or as roots of new trees in the same forest.
  • The forest-wide administrative groups Enterprise Admins and Schema Admins exist only in the root domain.
  • The schema master and domain naming master roles reside in the root domain by default.

A tree is a hierarchical arrangement of domains sharing a contiguous DNS namespace (for example corp.example.com with child domain emea.corp.example.com).

New domains added to a tree are child domains of an existing domain and take the parent’s name as a suffix.

Each child domain has an automatic two-way transitive trust with its parent domain.

A forest is one or more trees.

Trees in the same forest do not share a contiguous namespace; each tree root has its own DNS name.

Trees in a forest share a schema, configuration, and global catalog.

A single tree is simply a forest of one tree.

Each tree root domain has an automatic two-way transitive trust with the forest root domain, so every domain in the forest trusts every other domain.

The forest root domain name identifies the forest.

Trust Relationship

A trust is an authenticated link between domains that lets users in one domain be authenticated for resources in the other.

In a one-way trust, only the trusting domain accepts users from the trusted domain; a two-way trust is two one-way trusts, so authentication can flow in both directions.

A transitive trust also extends to every domain that the trusted domain in turn trusts through transitive trusts; a non-transitive trust covers only the two domains that share it.

Within a forest, parent-child and tree-root trusts are two-way and transitive by default; trusts to domains outside the forest (external trusts) are non-transitive.
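Worked example (added here, not part of the original page): a small model of trust direction and transitivity that answers "can domain A authenticate a user from domain B, and over which chain of trusts?". The forest (corp.example.com with two child domains and a second tree fabrikam.net) and the one-way external trust to partner.local are constructed for the example.

```python
# Added example, not part of the original page: a model of trust direction and
# transitivity. The forest layout and the external trust below are constructed.
from collections import deque

class Trust:
    """trusting -> trusted: the trusting domain accepts users from the trusted domain."""
    def __init__(self, trusting, trusted, transitive, two_way):
        self.trusting = trusting
        self.trusted = trusted
        self.transitive = transitive
        self.two_way = two_way

def edges(trusts):
    """Directed (trusting, trusted, transitive) edges; a two-way trust yields both directions."""
    out = []
    for t in trusts:
        out.append((t.trusting, t.trusted, t.transitive))
        if t.two_way:
            out.append((t.trusted, t.trusting, t.transitive))
    return out

def trust_path(trusts, resource_domain, account_domain):
    """Shortest chain of domains through which resource_domain can authenticate
    a user from account_domain, or None if no trust path exists.
    A non-transitive trust can only be used as a direct, single hop; every hop
    of a longer chain must be transitive."""
    if resource_domain == account_domain:
        return [resource_domain]
    adj = edges(trusts)
    for a, b, _ in adj:                      # direct trust, transitive or not
        if a == resource_domain and b == account_domain:
            return [a, b]
    queue = deque([[resource_domain]])       # breadth-first over transitive links only
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for a, b, transitive in adj:
            if a == path[-1] and transitive and b not in seen:
                seen.add(b)
                if b == account_domain:
                    return path + [b]
                queue.append(path + [b])
    return None

# Constructed forest: parent-child and tree-root trusts are two-way and transitive.
FOREST_TRUSTS = [
    Trust("corp.example.com", "emea.corp.example.com", transitive=True, two_way=True),
    Trust("corp.example.com", "apac.corp.example.com", transitive=True, two_way=True),
    Trust("corp.example.com", "fabrikam.net", transitive=True, two_way=True),
    # External trust: emea trusts partner.local, one-way and non-transitive.
    Trust("emea.corp.example.com", "partner.local", transitive=False, two_way=False),
]

if __name__ == "__main__":
    for res, acct in [("apac.corp.example.com", "emea.corp.example.com"),
                      ("fabrikam.net", "emea.corp.example.com"),
                      ("emea.corp.example.com", "partner.local"),
                      ("partner.local", "emea.corp.example.com"),
                      ("corp.example.com", "partner.local")]:
        print(f"{res} authenticating {acct}: {trust_path(FOREST_TRUSTS, res, acct)}")
```

Two results are worth noting: partner.local cannot authenticate emea users because the external trust is one-way, and corp.example.com cannot authenticate partner.local users because the external trust is non-transitive and cannot be chained through emea.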

OU

An Organizational Unit organizes domain objects.

OUs can contain objects or other OUs.

OUs group objects logically (by department, location, or role) and are the smallest scope to which Group Policy can be linked.

Each domain has its own OU hierarchy.

Administrative control can be delegated over an OU and the objects it contains.

Delegation grants specific permissions on the OU (for example, resetting passwords or creating user objects) to a user or group, so routine administration does not require membership in Domain Admins.
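Worked example (added here, not part of the original page): reading the logical structure described in the tree and OU sections (holding domain, parent domain, tree root, OU path) out of distinguished names. The DNs and the list of forest members are constructed for a hypothetical forest rooted at corp.example.com with a second tree fabrikam.net.

```python
# Added example, not part of the original page: recovering domain, parent domain,
# tree root and OU hierarchy from distinguished names. The DNs and the forest
# member list are constructed.
import re

def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific RDN first.
    Commas escaped with a backslash (CN=Doe\\, John) do not split."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        typ, _, val = part.partition('=')
        rdns.append((typ.strip().upper(), val.strip().replace('\\,', ',')))
    return rdns

def domain_of(dn):
    """DNS name of the domain holding the object: the DC components joined by dots."""
    return '.'.join(v for t, v in parse_dn(dn) if t == 'DC')

def ou_path(dn):
    """The object's OU hierarchy, outermost OU first (a DN lists the innermost first)."""
    return '/'.join(reversed([v for t, v in parse_dn(dn) if t == 'OU']))

def parent_domain(dns_name, forest_domains):
    """Parent in the same tree, or None if the domain is a tree root. Because a tree
    is a contiguous namespace, the parent is the longest suffix of the name that is
    itself a domain of the forest."""
    labels = dns_name.lower().split('.')
    for i in range(1, len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in forest_domains:
            return candidate
    return None

def tree_root(dns_name, forest_domains):
    """Walk up the parent chain until no parent exists in the forest."""
    while True:
        parent = parent_domain(dns_name, forest_domains)
        if parent is None:
            return dns_name
        dns_name = parent

# Constructed forest: one tree under corp.example.com and a second tree fabrikam.net.
FOREST = {"corp.example.com", "emea.corp.example.com", "apac.corp.example.com",
          "de.emea.corp.example.com", "fabrikam.net"}

if __name__ == "__main__":
    dn = "CN=jdoe,OU=Sales,OU=EMEA Staff,DC=emea,DC=corp,DC=example,DC=com"
    print(domain_of(dn), ou_path(dn), tree_root(domain_of(dn), FOREST))
```

Note that example.com is not a forest member, so corp.example.com has no parent here even though its DNS name has a suffix: tree membership is decided by the forest's domain list, not by DNS alone.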

Global Catalog

The global catalog stores a partial replica of every object in the forest: all objects, but only a subset of their attributes.

That subset, the partial attribute set, contains the attributes most often used in searches, such as name, User Principal Name, and group memberships.

It helps locate objects in the directory.

It enables:

  • Forest-wide searches without knowing which domain holds an object.
  • Logon: it supplies a user’s universal group memberships for the access token.
  • Logon using a User Principal Name (user@suffix), by resolving which domain holds the account.

A global catalog server is a domain controller that also holds the global catalog and answers queries against it on TCP port 3268 (3269 over TLS).

The first domain controller in the forest is automatically a global catalog server.

Additional domain controllers can be enabled as global catalog servers for redundancy and load balancing; because native-mode logon needs a global catalog, at least one per site is recommended.

The global catalog:

  • Makes the forest structure transparent for searches.
  • Carries the access permissions of every object and attribute it replicates, so global catalog queries are subject to the same ACLs as the source domain.
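Worked example (added here, not part of the original page): why a global catalog query differs from a query against one domain. The global catalog built below holds every object of every domain but only the partial attribute set, which is what makes UPN logon resolvable forest-wide and also why a non-replicated attribute cannot be found through it. The directory contents and the partial attribute set are constructed for a hypothetical forest.

```python
# Added example, not part of the original page: the global catalog as a partial
# replica. Directory contents and the partial attribute set are constructed.

# Attributes flagged isMemberOfPartialAttributeSet in the schema are copied to the GC.
PARTIAL_ATTRIBUTE_SET = {"objectClass", "cn", "sAMAccountName", "userPrincipalName", "objectSid"}

DIRECTORY = {   # domain -> objects with their full attribute sets
    "corp.example.com": [
        {"objectClass": "user", "cn": "Alice", "sAMAccountName": "alice",
         "userPrincipalName": "alice@corp.example.com",
         "objectSid": "S-1-5-21-1000-2000-3000-1104", "department": "Finance"},
    ],
    "emea.corp.example.com": [
        # Alternative UPN suffix: the suffix says nothing about which domain holds the account.
        {"objectClass": "user", "cn": "Bob", "sAMAccountName": "bob",
         "userPrincipalName": "bob@example.com",
         "objectSid": "S-1-5-21-4000-5000-6000-1105", "department": "Sales"},
    ],
}

def build_global_catalog(directory):
    """The GC is a partial replica: every object of every domain, PAS attributes only."""
    gc = []
    for domain, objects in directory.items():
        for obj in objects:
            gc.append({"_domain": domain,
                       **{k: v for k, v in obj.items() if k in PARTIAL_ATTRIBUTE_SET}})
    return gc

def _matches(obj, criteria):
    return all(obj.get(k) == v for k, v in criteria.items())

def domain_search(directory, domain, **criteria):
    """Query one domain (LDAP port 389): full attributes, but only that domain's objects."""
    return [o for o in directory[domain] if _matches(o, criteria)]

def gc_search(gc, **criteria):
    """Query the GC (LDAP port 3268): all domains, but only partial-attribute-set values."""
    return [o for o in gc if _matches(o, criteria)]

def logon_domain_for_upn(gc, upn):
    """UPN logon: the authenticating DC asks the GC which domain holds the account."""
    hits = gc_search(gc, userPrincipalName=upn)
    return hits[0]["_domain"] if hits else None

GC = build_global_catalog(DIRECTORY)

if __name__ == "__main__":
    print(logon_domain_for_upn(GC, "bob@example.com"))      # resolved via the GC
    print(gc_search(GC, department="Sales"))                 # [] : not in the PAS
    print(domain_search(DIRECTORY, "emea.corp.example.com", department="Sales"))
```

The practical consequence: a search on port 3268 that filters on an attribute outside the partial attribute set silently returns nothing, and adding an attribute to the partial attribute set is a schema change that triggers a forest-wide replication of that attribute.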

Physical Structure

Defines where replication and logon traffic flow on the network.

Understanding physical components optimizes network traffic.

Domain controllers and sites make up the physical structure.

Domain Controller

A server that stores a replica of the directory: its own domain naming context plus the forest-wide configuration and schema.

Manages directory changes and replicates them to other domain controllers.

Handles logon, authentication, and directory lookups for clients.

A domain can have multiple domain controllers.

The Active Directory database on a domain controller holds three naming contexts (partitions):

  • Domain naming context: the domain’s own objects and attributes (users, groups, computers, OUs); replicated only to domain controllers of that domain.
  • Configuration naming context: forest-wide configuration such as sites, subnets, site links, replication topology, and trust information; replicated to every domain controller in the forest.
  • Schema naming context: the definitions of all object classes and attributes; replicated to every domain controller in the forest.

Later versions add application partitions, for example for Active Directory-integrated DNS zones.

Domain controllers replicate domain changes.

Domain controllers replicate schema and configuration changes.

Replication ensures data availability across the network.

Active Directory uses multi-master replication.

Each domain controller has a writable database copy.

Updates are replicated to all domain controllers.

Because replication takes time, temporary inconsistencies between domain controllers occur until a change has converged (loose consistency). When two domain controllers change the same attribute before replicating, the write with the higher version number wins, then the later originating timestamp, then the higher GUID of the originating domain controller.

A few operations that cannot tolerate conflicting updates are single-master: one designated domain controller per role performs them (the operations master roles: schema master, domain naming master, RID master, PDC emulator, and infrastructure master).
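Worked example (added here, not part of the original page): multi-master replication with the per-attribute stamp Active Directory uses to resolve conflicting writes (version number, then originating timestamp, then originating domain controller GUID). It shows the temporary inconsistency after two domain controllers accept different values for the same attribute, and the convergence once they replicate. The two domain controllers and their writes are constructed.

```python
# Added example, not part of the original page: attribute-level conflict
# resolution in multi-master replication. The DCs and writes are constructed.
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Stamp:
    version: int            # incremented on every originating write
    originating_time: int   # when the originating write happened
    originating_dsa: str    # invocation ID (GUID) of the DC that made the write

class DomainController:
    def __init__(self, invocation_id):
        self.invocation_id = invocation_id
        self.attrs = {}     # attribute -> (value, Stamp)

    def write(self, attr, value, now):
        """Originating write: any DC may write (multi-master); bump the version it holds."""
        current = self.attrs.get(attr)
        version = current[1].version + 1 if current else 1
        self.attrs[attr] = (value, Stamp(version, now, self.invocation_id))

    def apply_replicated(self, attr, value, stamp):
        """Inbound replication: the higher stamp wins. Tuple ordering compares
        version, then time, then DSA GUID, which is AD's tie-break order."""
        current = self.attrs.get(attr)
        if current is None or stamp > current[1]:
            self.attrs[attr] = (value, stamp)
            return True
        return False

def replicate(src, dst):
    """Push every attribute of src to dst; returns how many attributes dst changed."""
    return sum(dst.apply_replicated(a, v, s) for a, (v, s) in src.attrs.items())

def values(dcs, attr):
    return [dc.attrs[attr][0] if attr in dc.attrs else None for dc in dcs]

def conflict_scenario():
    """Returns (values before convergence, values after) for a concurrent edit."""
    dc1, dc2 = DomainController("aaaa-guid"), DomainController("bbbb-guid")
    dc1.write("telephoneNumber", "111", now=10)
    replicate(dc1, dc2)                               # both now hold version 1
    dc1.write("telephoneNumber", "112", now=20)       # concurrent edits on two DCs:
    dc2.write("telephoneNumber", "221", now=21)       # both become version 2
    before = values([dc1, dc2], "telephoneNumber")    # temporarily inconsistent
    replicate(dc1, dc2)
    replicate(dc2, dc1)
    after = values([dc1, dc2], "telephoneNumber")     # same version, later time wins
    return before, after

if __name__ == "__main__":
    print(conflict_scenario())
```

This is also why the single-master roles exist: a conflicting schema extension or a duplicate RID pool allocation cannot be resolved by "last writer wins" without corrupting the directory, so those operations are funnelled through one domain controller.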

Sites

A site is a set of one or more well-connected IP subnets (typically joined by LAN-speed links), defined by subnet objects in the configuration naming context.

Sites optimize Active Directory access and replication: clients look for a domain controller in their own site, and replication between sites is scheduled and compressed.

Sites are created to:

  • Optimize replication traffic.
  • Ensure reliable connections for authentication and logon.

Sites describe the physical network structure.

Domains belong to the logical structure.

Logical and physical structures are independent:

  • No direct correlation between physical and domain structures.
  • Multiple domains per site and multiple sites per domain are possible.
  • No correlation between site and domain namespaces.
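Worked example (added here, not part of the original page): how a client IP address is mapped to a site through subnet objects, and how the domain controller locator then prefers a domain controller of the right domain in that site. The output also makes the independence of sites and domains concrete: one site holds domain controllers of two domains, and one domain has domain controllers in two sites. Subnets, sites and domain controllers are constructed; site-link costs, which the real locator also weighs when no local domain controller exists, are ignored here.

```python
# Added example, not part of the original page: subnet-to-site mapping and DC
# location. Subnets, sites and DCs are constructed; site-link costs are ignored.
import ipaddress

SUBNETS = {   # subnet object -> siteObject, as under CN=Subnets,CN=Sites,CN=Configuration,...
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "London",
    "10.20.5.0/24": "London-DC-Room",
    "192.168.100.0/24": "Singapore",
}

DOMAIN_CONTROLLERS = [   # (hostname, domain, site, is_global_catalog)
    ("dc1.corp.example.com", "corp.example.com", "Default-First-Site-Name", True),
    ("ldn-dc1.corp.example.com", "corp.example.com", "London", True),
    ("ldn-dc2.emea.corp.example.com", "emea.corp.example.com", "London", False),
    ("sgp-dc1.apac.corp.example.com", "apac.corp.example.com", "Singapore", True),
]

def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against the subnet objects;
    None when no subnet covers it (such clients get a DC from any site)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def locate_dc(ip, domain, dcs=DOMAIN_CONTROLLERS):
    """Prefer a DC of the requested domain in the client's site, else any DC of that domain."""
    site = site_for_ip(ip)
    candidates = [d for d in dcs if d[1] == domain]
    local = [d for d in candidates if d[2] == site]
    chosen = local or candidates
    return chosen[0][0] if chosen else None

def locate_gc(ip, dcs=DOMAIN_CONTROLLERS):
    """A GC serves the whole forest, so a GC of any domain in the client's site will do."""
    site = site_for_ip(ip)
    gcs = [d for d in dcs if d[3]]
    local = [d for d in gcs if d[2] == site]
    chosen = local or gcs
    return chosen[0][0] if chosen else None

def domains_in_site(site, dcs=DOMAIN_CONTROLLERS):
    return sorted({d[1] for d in dcs if d[2] == site})

def sites_of_domain(domain, dcs=DOMAIN_CONTROLLERS):
    return sorted({d[2] for d in dcs if d[1] == domain})

if __name__ == "__main__":
    print(site_for_ip("10.20.5.7"), locate_dc("10.20.9.1", "corp.example.com"))
    print(domains_in_site("London"), sites_of_domain("corp.example.com"))
```

A client in Singapore that belongs to emea.corp.example.com falls back to the London domain controller because no emea domain controller exists in its site; that cross-site logon traffic is exactly what placing a domain controller (and a global catalog) per site avoids.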

Domain Features

A logical group of computers that share a common security database (accounts and policies).

Provides centralized network resource management.

Users access resources with appropriate permissions.

Domains offer features beyond workgroups:

  • Single Sign-On: Access multiple resources with one login.
  • Single User Account: One account for multiple computers.
  • Centralized Management: Manage accounts and resources from one location.
  • Scalability: a domain grows to very large networks by adding domain controllers.

Advantages of a domain:

  • Organizing Objects: Arrange objects in OUs.
  • Easy Information Location: Publish resources for easy access.
  • Streamlined Access: Manage access and security with group policies.
  • Delegated Authority: Assign management privileges for objects or OUs.