02-Active Directory Domain Services

Microsoft
Virtual
Academy
Active Directory Domain Services

(AD DS)
Module Overview
• Overview of AD DS
• AD DS Physical Components
• AD DS Logical Components
Module 1: Overview of AD DS
• Protocol
• What is Authentication?
• What is Authorization?
• Why Deploy AD DS?
• Requirements for Installing AD DS
• Overview of AD DS and DNS
• Overview of AD DS Components
Protocol
• Kerberos
• Lightweight Directory Access Protocol (LDAP)
– Based on TCP/IP
– A method for accessing, searching, and modifying a
directory service
What is Authentication?
Authentication is the process of verifying a user’s identity on a network
Authentication includes two components:

• Interactive logon: grants access to • Network authentication: grants
the local computer access to network resources
What is Authorization?
Authorization is a process of verifying that an authenticated user has permission to
perform an action
Security principals are issued User accounts are issued security

security identifiers (SIDs) when the tokens during authentication that
account is created include the user’s SID and all
related group SIDs
Shared resources on a network The security token is compared

include access control lists (ACL) against the Discretionary Access
that define who can access the Control List (DACL) on the
resource resource and access is granted or
denied
Why Deploy AD DS?
AD DS provides a centralized system for managing users, computers, and other
resources on a network
AD DS features include:
• Centralized directory
• Single sign-on access
• Integrated security
Requirements for Installing AD DS
Object Description
TCP/IP • Configure appropriate TCP/IP and DNS server addresses.
• To install a new AD DS forest, you need to be local

Administrator on the server. To install an additional domain
Credentials
controller in an existing domain, you need to be a member of
the Domain Admins group.
• Verify that a DNS infrastructure is in place. When you install AD
DS, you can include DNS server installation, if it is needed.
Domain Name
System )DNS) • When you create a new domain, a DNS delegation is created
Infrastructure automatically during the installation process. Creating a DNS
delegation requires credentials that have permissions to update
the parent DNS zones.
Overview of AD DS and DNS
AD DS requires a DNS AD DS domain names must be
infrastructure DNS domain names
DNS Domain
Name
DNS
AD DS domain controller records DNS zones can be stored in AD

must be registered in DNS to DS as Active Directory integrated
enable other domain controllers zones
and client computers to locate
the domain controllers
DNS
Zone
Component Overview
AD DS is composed of both physical and logical components
Physical Components Logical Components

• Data store • Schema
• Domain controllers • Domains
• Global catalog server • Domain trees
• Replication • Forests
• Trust
• Organizational units (OUs)
• AD DS Objects
Module 2: Overview of AD DS Physical Components
• Domain Controllers
• Global Catalog Servers
• Data Store
• Replication
Domain Controllers
A domain controller is a server with the AD DS server role installed that has
specifically been promoted to a domain controller
Domain controllers:
• Host a copy of the AD DS directory store
• Provide authentication and authorization services
• Replicate updates to other domain controllers in the domain and forest

Global Catalog Servers
Global catalog servers are domain controllers that also store a copy of the global
catalog
The global catalog:

• Contains a copy of all AD DS objects in a forest that includes only some of the
attributes for each object in the forest
• Improves efficiency of object searches by avoiding unnecessary referrals to

domain controllers
• Required for users to log on to a domain

What is the AD DS Data Store?
The AD DS data store contains the database files and processes that store and
manage directory information for users, services, and applications
The AD DS data store:

• Consists of the Ntds.dit file
• Is stored by default in the %SystemRoot%\NTDS folder on all domain

controllers
• Is accessible only through the domain controller processes and protocols

What is AD DS Replication?
AD DS replication copies all updates of the AD DS database to all other domain
controllers in a domain or forest
AD DS replication:
• Ensures that all domain controllers have the same information
• Uses a multimaster replication model
• Can be managed by creating AD DS sites
The AD DS replication topology is created automatically as new domain controllers

are added to the domain
Lesson 3: Overview of AD DS Logical Components
• AD DS Schema
• The Basics: Domains
• The Basics: Trees
• The Basics: Forests
• The Basics: Organizational Units (OUs)
• Trusts
• AD DS Objects
What is the AD DS Schema?
The AD DS Schema:
• Defines every type of object that can be stored in the directory
• Enforces rules regarding object creation and configuration
Object Types Function Examples
What objects can be created in the • User

Class Object
directory • Computer
Information that can be attached to an

Attribute Object • Display name
object
The Basics: Domains
Domains are used to group and manage objects in an
organization
Contoso.com
Domains:
• An administrative boundary for applying policies to groups of objects
• A replication boundary for replicating data between domain controllers
• An authentication and authorization boundary that provides a way to limit the

scope of access to resources
The Basics: Trees
contoso.com
A domain tree is a hierarchy of domains in AD DS
emea.contoso.com na.contoso.com
All domains in the tree:
• Share a contiguous namespace with the parent domain
• Can have additional child domains
• By default create a two-way transitive trust with other domains

The Basics: Forests
A forest is a collection of
one or more domain trees
Trusts
Trusts provide a mechanism for users to gain access to resources in another domain
Types of Trusts Description Diagram
The trust direction flows from Access

Directional trusting domain to the trusted
domain
TRUST
The trust relationship is extended Trust &

Transitive beyond a two-domain trust to Access
include other trusted domains
• All domains in a forest trust all other domains in the forest

• Trusts can extend outside the forest
The Basics: Organizational Units (OUs)
OUs are Active Directory containers that can contain users, groups, computers, and
other OUs
OUs are used to:

• Represent your organization hierarchically and logically
• Manage a collection of objects in a consistent way
• Delegate permissions to administer groups of objects
• Apply policies
AD DS Objects
Object Description
User • Enables network resource access for a user
• Similar to a user account

InetOrgPerson
• Used for compatibility with other directory services
• Used primarily to assign e-mail addresses to external users

Contacts
• Does not enable network access
Groups • Used to simplify the administration of access control
• Enables authentication and auditing of computer access to

Computers
resources
• Used to simplify the process of locating and connecting to
Printers
printers
Shared folders • Enables users to search for shared folders based on properties
Thanks for Watching!

02-Active Directory Domain Services

Uploaded by

Copyright:

Available Formats

02-Active Directory Domain Services

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

02-Active Directory Domain Services

Uploaded by

Copyright:

Available Formats

What are the main components of Active Directory Domain Services?

What are the main components of Active Directory Domain Services?

What are the different types of trusts that can be established in Active Directory?

What are the different types of trusts that can be established in Active Directory?

Microsoft

Active Directory Domain Services

Authentication includes two components:

Security principals are issued User accounts are issued security

Shared resources on a network The security token is compared

• Single sign-on access

• To install a new AD DS forest, you need to be local

AD DS domain controller records DNS zones can be stored in AD

Physical Components Logical Components

• Domain controllers • Domains

• Global catalog server • Domain trees

• Organizational units (OUs)

• Provide authentication and authorization services

• Replicate updates to other domain controllers in the domain and forest

The global catalog:

• Improves efficiency of object searches by avoiding unnecessary referrals to

• Required for users to log on to a domain

The AD DS data store:

• Is stored by default in the %SystemRoot%\NTDS folder on all domain

• Is accessible only through the domain controller processes and protocols

• Uses a multimaster replication model

• Can be managed by creating AD DS sites

The AD DS replication topology is created automatically as new domain controllers

Object Types Function Examples

What objects can be created in the • User

Information that can be attached to an

• A replication boundary for replicating data between domain controllers

• An authentication and authorization boundary that provides a way to limit the

A domain tree is a hierarchy of domains in AD DS

All domains in the tree:

• Share a contiguous namespace with the parent domain

• Can have additional child domains

• By default create a two-way transitive trust with other domains

Types of Trusts Description Diagram

The trust direction flows from Access

The trust relationship is extended Trust &

• All domains in a forest trust all other domains in the forest

OUs are used to:

• Manage a collection of objects in a consistent way

• Delegate permissions to administer groups of objects

• Similar to a user account

• Used primarily to assign e-mail addresses to external users

Groups • Used to simplify the administration of access control

• Enables authentication and auditing of computer access to

You might also like