{"id":911,"date":"2017-12-05T19:11:12","date_gmt":"2017-12-05T19:11:12","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=911"},"modified":"2018-01-30T18:02:19","modified_gmt":"2018-01-30T18:02:19","slug":"active-directory-domain-services","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=911","title":{"rendered":"Active Directory Domain Services"},"content":{"rendered":"<p>Lesson 2 of 6<\/p>\n<p><a href=\"https:\/\/mva.microsoft.com\/en-us\/training-courses\/understanding-active-directory-8233?l=mD2wPRJy_8204984382\" target=\"_blank\" rel=\"noopener\">https:\/\/mva.microsoft.com\/en-us\/training-courses\/understanding-active-directory-8233?l=mD2wPRJy_8204984382<\/a><\/p>\n<p><a href=\"http:\/\/wiki.thomasandsofia.com\/2017\/12\/04\/understanding-active-directory\/\">&lt; Lesson 1<\/a> | <a href=\"http:\/\/wiki.thomasandsofia.com\/2018\/01\/30\/active-directory-certificate-services\/\">Lesson 3 &gt;<\/a><\/p>\n<h2>Main Menu<\/h2>\n<ul>\n<li><a href=\"#over\">Overview of AD DS<\/a><\/li>\n<li><a href=\"#phy\">AD DS Physical Components<\/a><\/li>\n<li><a href=\"#log\">AD DS Logical Components<\/a><\/li>\n<\/ul>\n<p><a name=\"over\"><\/a><\/p>\n<h2>Overview of AD DS<\/h2>\n<ul>\n<li><strong>Protocol<\/strong>\n<ul>\n<li>Lightweight Directory Access Protocol (LDAP)\n<ul>\n<li>X.500 Standard<\/li>\n<li>Based on TCP\/IP<\/li>\n<li>A method for accessing, searching and modifying a directory service<\/li>\n<li>A client-server model<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Authentication<\/strong> (Who you are)\n<ul>\n<li>Authentication is the process of verifying a user&#8217;s identity on a network<\/li>\n<li>Authentication includes 2 components\n<ul>\n<li>Interactive Logon: Grants access to the local computer<\/li>\n<li>Network Authentication: Grants access to network resources<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Authorization<\/strong> (What you can do)\n<ul>\n<li>Authorization is a process of verifying that 
an authenticated user has permissions to perform an action\n<ul>\n<li>Security principals are issued Security Identifiers (SIDs)\u00a0 when the account is created<\/li>\n<li>User accounts are issued security tokens during authentication that include the user&#8217;s SID and all related group SIDs\n<ul>\n<li>Security Token=This is who I am, these are the groups I belong to.<\/li>\n<\/ul>\n<\/li>\n<li>Shared resources on a network include access control lists (ACL) that define who can access the resource.<\/li>\n<li>The Security Token is compared against the Discretionary Access Control List (DACL) on the resource and access is granted or denied.\n<ul>\n<li>Write, Read, Change<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Deploy AD DS<\/strong>\n<ul>\n<li>AD DS?\n<ul>\n<li>AD DS provides a centralized system for managing users, computers and other resources on a network.<\/li>\n<li>These features include:<\/li>\n<li>Centralized Directory\n<ul>\n<li>Instead of granting access on 5 computers to 5 users, AD lets you create all of those accounts in 1 place.<\/li>\n<li>Those users can now log into any one of those computers at any time with the same username\/password<\/li>\n<li>Integrated Security<\/li>\n<li>Scalability\n<ul>\n<li>It is only limited by the abilities of your Domain Controllers<\/li>\n<\/ul>\n<\/li>\n<li>Common Management interface.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Centralized Network Management<\/strong>\n<ul>\n<li>AD DS centralizes network management by providing\n<ul>\n<li>Single location and set of tools for managing user and group accounts.<\/li>\n<li>Single location for assigning access to shared network resources<\/li>\n<li>Directory service for AD DS enabled applications\n<ul>\n<li>Example: Exchange can get information about users it would not normally have.<\/li>\n<\/ul>\n<\/li>\n<li>Options for configuring security policies that apply to all users and computers\n<ul>\n<li>aka Group Policy 
&#8211; not going to deep dive in this course.<\/li>\n<\/ul>\n<\/li>\n<li>Group policies to manage user desktops and security settings<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Requirements for Installing AD DS<\/strong>\n<ul>\n<li>TCP\/IP\n<ul>\n<li>Configure appropriate TCP\/IP and DNS server addresses.<\/li>\n<\/ul>\n<\/li>\n<li>Credentials\n<ul>\n<li>To install a new AD DS forest, you need local Administrator access on the server.<\/li>\n<li>To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.<\/li>\n<\/ul>\n<\/li>\n<li>Domain Name System (DNS) Infrastructure\n<ul>\n<li>Verify that a DNS infrastructure is in place.\u00a0 When you install AD DS, you can include DNS server installation if it is needed.<\/li>\n<li>When you create a new domain, a DNS delegation is created automatically during the installation process.\u00a0 Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Overview of AD DS and DNS<\/strong>\n<ul>\n<li>AD DS requires a DNS infrastructure<\/li>\n<li>AD DS domain names must be DNS domain names (FQDN)<\/li>\n<li>AD DS domain controller records (SRV records) must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers.\n<ul>\n<li>Happens automatically<\/li>\n<\/ul>\n<\/li>\n<li>DNS zones can be stored in AD DS as Active Directory integrated zones.\n<ul>\n<li>Advanced feature\n<ul>\n<li>Can use AD as replication mechanism for DNS<\/li>\n<li>As a security boundary for DNS<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Overview of AD DS Components<\/strong>\n<ul>\n<li>AD DS is both physical and logical components<\/li>\n<li>Physical\n<ul>\n<li>Data Store<\/li>\n<li>Domain Controllers<\/li>\n<li>Global catalog server<\/li>\n<li>Read-Only Domain Controller (RODC) (Optional)\n<ul>\n<li>Supported by 
Windows Server 2008 and later<\/li>\n<li>Allows a copy of your domain to be placed in a branch office.<\/li>\n<li>Can read from and use the information, but no risk of being compromised.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Logical Components\n<ul>\n<li>Partitions<\/li>\n<li>Schema<\/li>\n<li>Domains<\/li>\n<li>Domain Trees<\/li>\n<li>Forests<\/li>\n<li>Sites<\/li>\n<li>Organizational Units (OUs)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a name=\"phy\"><\/a><\/p>\n<h2>AD DS Physical Components<\/h2>\n<ul>\n<li><strong>Domain Controllers<\/strong>\n<ul>\n<li>A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller<\/li>\n<li>Host a copy of the AD DS directory store<\/li>\n<li>Provide authentication and authorization services<\/li>\n<li>Replicate updates to other domain controllers in the domain and forest<\/li>\n<li>Allow administrative access to manage user accounts and network resources in a central location<\/li>\n<\/ul>\n<\/li>\n<li><strong>Global Catalog Servers<\/strong>\n<ul>\n<li>Global catalog servers are domain controllers that also store a copy of the global catalog<\/li>\n<li>Contains a copy of all AD DS objects in a forest that includes only some of the attributes of each object in the forest<\/li>\n<li>Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers<\/li>\n<li>Required for users to log on to a domain<\/li>\n<\/ul>\n<\/li>\n<li><strong>Data Store<\/strong>\n<ul>\n<li>The AD DS data store is where all this information is physically kept on a server.\u00a0 The data store contains the database files and processes that store and manage directory information for users, services and applications.<\/li>\n<li>Contains the Ntds.dit file\n<ul>\n<li>Everything is in this file????<\/li>\n<\/ul>\n<\/li>\n<li>Is stored by default in the %SystemRoot%\\NTDS folder on all domain controllers<\/li>\n<li>Is accessible only through the domain 
controller processes and protocols.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Replication<\/strong>\n<ul>\n<li>Replicates copies of all updates of the AD DS database to all other domain controllers in a domain or forest\n<ul>\n<li>If a user is added\/deleted, or a password is changed, etc. these changes are replicated across DCs.<\/li>\n<li>The AD DS replication topology is created automatically as new Domain Controllers are added to the domain.\n<ul>\n<li>This can be modified using sites.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Ensures that all domain controllers have the same information<\/li>\n<li>Uses a multi-master replication model\n<ul>\n<li>No single point of failure or single source for information.<\/li>\n<li>All changes and change locations are recorded for audit purposes.<\/li>\n<\/ul>\n<\/li>\n<li>Can be managed by creating AD DS sites.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Sites<\/strong>\n<ul>\n<li>An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection.<\/li>\n<li>Associated with IP subnets<\/li>\n<li>Used to manage replication traffic<\/li>\n<li>Used to manage client logon traffic<\/li>\n<li>Used by site aware applications such as Distributed File Systems (DFS) or Exchange Server<\/li>\n<li>Used to assign group policy objects to all users and computers in a company location<\/li>\n<li><strong>Sites are defined based on network bandwidth<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a name=\"log\"><\/a><\/p>\n<h2>AD DS Logical Components<\/h2>\n<ul>\n<li>AD DS Schema\n<ul>\n<li>Defines every type of object that can be stored in the directory<\/li>\n<li>Enforces rules regarding object creation and configuration<\/li>\n<li>Object Types\n<ul>\n<li>Class Object: What objects can be created in the directory\n<ul>\n<li>Users<\/li>\n<li>Computers<\/li>\n<\/ul>\n<\/li>\n<li>Attribute Objects: Information that can be attached to an Object (Metadata?)\n<ul>\n<li>Display 
Name<\/li>\n<li>User Name<\/li>\n<li>Computer Name<\/li>\n<li>Phone number<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>The Basics\n<ul>\n<li>Domains are used to group and manage objects in an organization\n<ul>\n<li>An administrative boundary for applying policies to groups of objects<\/li>\n<li>A replication boundary for replicating data between domain controllers<\/li>\n<li>An authentication and authorization boundary that provides a way to limit the scope of access to resources.<\/li>\n<\/ul>\n<\/li>\n<li>Trees\n<ul>\n<li>A domain tree is a hierarchy of domains in AD DS<\/li>\n<li><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/active-directory-training-9-728.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-916\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/active-directory-training-9-728.jpg\" alt=\"\" width=\"476\" height=\"275\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/active-directory-training-9-728.jpg 476w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/active-directory-training-9-728-300x173.jpg 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/active-directory-training-9-728-150x87.jpg 150w\" sizes=\"auto, (max-width: 476px) 100vw, 476px\" \/><\/a><\/li>\n<li>All domains in the tree:\n<ul>\n<li>Share a contiguous name space with the parent domain<\/li>\n<li>Can have additional child domains<\/li>\n<li>By default create a two-way transitive trust with other domains.\n<ul>\n<li>Any resources in any of these domains can be accessed by accounts in those domains.\n<ul>\n<li>No special rules for users in sls.uk.microsoft.com to access resources in us.microsoft.com<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Forests\n<ul>\n<li>A forest is a collection of one or more Domain Trees.<\/li>\n<li><a 
href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/11.gif\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-917\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/11.gif\" alt=\"\" width=\"438\" height=\"338\" \/><\/a><\/li>\n<li>Share a common schema\n<ul>\n<li>Definition of Objects and Attributes is the same.<\/li>\n<\/ul>\n<\/li>\n<li>Share a common configuration partition<\/li>\n<li>Share a common global catalog to enable searching\n<ul>\n<li>These start to matter with Forests<\/li>\n<li>Any user in any tree in a given Forest can find any object by querying the Global Catalog.<\/li>\n<\/ul>\n<\/li>\n<li>Enable trusts between all domains in the forest\n<ul>\n<li>Automatic &#8211; trusts exist between all domains in all trees in a forest.<\/li>\n<\/ul>\n<\/li>\n<li>Share the Enterprise Admins and Schema Admins group.\n<ul>\n<li>These people can change anything in any domain or tree in the forest<\/li>\n<li>Domain admins are only admins for that domain.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Organizational Units (OUs)\n<ul>\n<li>Subdivision of a Domain?<\/li>\n<li>OUs are Active Directory containers that can contain users, groups, computers and other OUs<\/li>\n<li>OUs represent your organization hierarchically and\/or logically<\/li>\n<li>Manage a collection of objects in a consistent way\n<ul>\n<li>Manage objects that are consistent with each other, but not consistent with other objects<\/li>\n<\/ul>\n<\/li>\n<li>Delegate permissions to administer groups of objects<\/li>\n<li>Apply policies (Group Policies)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Trusts\n<ul>\n<li>Trusts provide a mechanism for users to gain access to resources in another domain.<\/li>\n<li>All domains in a forest trust all other domains in the forest<\/li>\n<li>Trusts can extend outside of the forest (Manual process)<\/li>\n<li>Types of Trust\n<ul>\n<li>Directional: The trust direction flows from the trusting 
domain to the trusted domain.\n<ul>\n<li>The Trusting Domain has the resources.<\/li>\n<li>The Trusted Domain wants access to those resources<\/li>\n<li><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-directional.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-918\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-directional.png\" alt=\"\" width=\"402\" height=\"119\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-directional.png 402w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-directional-300x89.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-directional-150x44.png 150w\" sizes=\"auto, (max-width: 402px) 100vw, 402px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<li>Transitive: The trust relationship is extended beyond a two-domain trust to include other trusted domains. (Default Behavior)\n<ul>\n<li><a href=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-transitive.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-919\" src=\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-transitive.png\" alt=\"\" width=\"447\" height=\"167\" srcset=\"https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-transitive.png 447w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-transitive-300x112.png 300w, https:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2017\/12\/trust-transitive-150x56.png 150w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>AD DS Objects\n<ul>\n<li>Every THING is an object\n<ul>\n<li>Any additional data that belongs to that Object is an Attribute (Metadata)<\/li>\n<\/ul>\n<\/li>\n<li>Examples:\n<ul>\n<li>Users: Enables network resource access for a user<\/li>\n<li>InetOrgPerson: Similar 
to a user, but used for compatibility with other directory services (X.500 Standard)<\/li>\n<li>Contacts: Used to assign Email address and other Attributes to external users that do not by default have network access.<\/li>\n<li>Groups: Used to simplify the administration of access control<\/li>\n<li>Computers: Enables authentication and auditing of computer access to resources<\/li>\n<li>Printers: Used to simplify the process of locating and connecting to printers<\/li>\n<li>Shared Folders: Enables users to search for shared folders based on properties.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Demo: Installation and Management<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Lesson 2 of 6 https:\/\/mva.microsoft.com\/en-us\/training-courses\/understanding-active-directory-8233?l=mD2wPRJy_8204984382 &lt; Lesson 1 | Lesson 3 &gt; Main Menu Overview of AD DS AD DS Physical Components AD DS Logical Components Overview of AD DS Protocol Lightweight Directory Access Protocol (LDAP) X.500 Standard Based on TCP\/IP A method for accessing, searching and modifying a directory service A client-server model Authentication ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=911\" title=\"read more...\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-911","post","type-post","status-publish","format-standard","hentry","category-active-directory"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=911"}],"version-history":[{"count":7,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/911\/revisions"}],"predecessor-version":[{"id":1013,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/911\/revisions\/1013"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}