This document provides an overview of Active Directory (AD) in Windows Server 2019. It describes what AD is, when and why it is used, and how to configure and manage it. Key components of AD are discussed, such as domains, organizational units, Group Policy and backups. AD services such as Certificate Services, Domain Services and Federation Services are also summarized. The document closes with best practices for using Group Policy and designing the AD structure.
2. TABLE OF CONTENTS
What is Active Directory?
When do we use Active Directory?
Why use Active Directory?
Configure and manage Active Directory
3. What is Active Directory?
Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources.
Active Directory stores data as objects. An object is a single element, such as a user, group, application or device such as a printer. Objects are normally classified as either resources, such as printers or computers, or security principals, such as users or groups.
4. When do we use Active Directory?
– When there are a lot of users
– When centralized management is needed
– When policies must be enforced across the whole organization
– To control network usage
– When assets need to be controlled
– When the organization needs to collaborate
5. Why use Active Directory?
Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators get centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature.
6. Active Directory licensing
User CAL
If you choose per-user licensing, you need to buy as many CALs as you have users in your domain. This option is better when you have more computers/devices than users in your environment.
Device CAL
The second option, per-device licensing, is better if you have more users than computers/devices. In that case each device must have a CAL bought for it.
9. Active Directory Certificate Services
Active Directory Certificate Services (AD CS) is one of the
server roles introduced in Windows Server 2008 that provides
users with customizable services for creating and managing
Public Key Infrastructure (PKI) certificates, which can be used
for encrypting and digitally signing electronic documents,
emails, and messages.
The applications supported by AD CS are secure wireless
networks, Virtual Private Networks (VPN), Internet Protocol
Security (IPSec), Network Access Protection (NAP), Encrypting
File Systems (EFS), smart card logon, and more.
10. Active Directory Domain Services
Active Directory Domain Services (AD DS) is the core Active Directory server role. It allows admins to manage and store information about network resources, as well as application data, in a distributed database.
11. Active Directory Federation Services
Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system (OS) that extends end users' single sign-on (SSO) access to applications and systems outside the corporate firewall.
12. AD Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) is a standalone LDAP directory service for Windows Server. It stores directory data for applications without the domain and forest infrastructure of AD DS, and several independent instances can run on one server.
Use case:
You need to provide authentication services for a web application such as Microsoft SharePoint Portal Server in a perimeter network or extranet. AD LDS can query the internal AD DS structure through a firewall to obtain user account information and store it securely in the perimeter network. This avoids the need to deploy AD DS in the perimeter.
13. Differences between AD DS and AD LDS
Compared with AD DS, AD LDS:
– Supports multiple instances on one server (one schema per instance)
– Does not require DNS
– Has no Group Policy support
– Has no global catalog support
– Cannot manage workstations/servers
– Supports replication between sites, but not trusts
14. AD Rights Management Services
AD RMS has its own set of tools to help organizations work with security technologies and manage the rights on an organization's intellectual property (which includes email messages, Microsoft Office documents, project information, contacts, etc.).
AD RMS integrates with existing Microsoft products and operating systems, including Windows Server, Exchange Server, SharePoint Server, the Microsoft Office suite and Microsoft Azure.
17. Domain Name System
Active Directory Domain Services (AD DS) uses Domain Name System (DNS) name resolution services to make it possible for clients to locate domain controllers and for the domain controllers that host the directory service to communicate with each other.
19. LDAP
LDAP (Lightweight Directory Access Protocol) is a software protocol that enables anyone to locate data about organizations, individuals and other resources, such as files and devices, in a network, whether on the public Internet or on a corporate intranet.
20. Active Directory Schema
A schema is the definition of the attributes and classes that are part of a distributed directory; it is similar to the fields and tables of a database. Schemas include a set of rules that determine the type and format of data that can be added to the database.
21. Active Directory partitions
– Schema partition: forest-wide definitions and rules for creating and manipulating objects and attributes
– Configuration partition: forest-wide information about the Active Directory structure
– Domain partition: information about the domain-specific objects created in Active Directory
– Application partitions: application data, for example the ForestDnsZones and DomainDnsZones partitions that hold AD-integrated DNS zones
24. FSMO roles
– Schema master: manages the read-write copy of your Active Directory schema.
– Domain naming master: makes sure that you don't create a second domain in the same forest with the same name as another.
– RID master: assigns blocks of Security Identifiers (SIDs) to the different DCs, which they use for newly created objects.
– PDC Emulator: responds to authentication requests, changes passwords, and manages Group Policy Objects.
– Infrastructure master: translates Globally Unique Identifiers (GUIDs), SIDs and Distinguished Names (DNs) between domains.
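The partitions and FSMO roles on the two slides above can be inspected from PowerShell. This is an added example, not code from the original deck; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain and forest.

```powershell
# Added example (not from the original deck): list directory partitions and
# FSMO role holders, and flag any role holder that does not answer on LDAP.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-DirectoryPartitionSummary {
    $rootDse = Get-ADRootDSE
    # namingContexts lists every partition this DC holds: schema, configuration,
    # the domain partition and application partitions (e.g. ForestDnsZones).
    $core = @($rootDse.schemaNamingContext, $rootDse.configurationNamingContext, $rootDse.defaultNamingContext)
    [pscustomobject]@{
        Schema        = $rootDse.schemaNamingContext
        Configuration = $rootDse.configurationNamingContext
        Domain        = $rootDse.defaultNamingContext
        Application   = @($rootDse.namingContexts | Where-Object { $_ -notin $core })
    }
}

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Two roles are forest-wide, three exist once per domain.
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoRoleHolders {
    foreach ($entry in (Get-FsmoRoleHolders).GetEnumerator()) {
        $holder = $entry.Value
        # An unreachable holder blocks schema changes, RID issuance or password
        # processing, so each holder should at least answer LDAP on TCP 389.
        $online = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $entry.Key; Holder = $holder; Reachable = $online }
    }
}

Get-DirectoryPartitionSummary
Test-FsmoRoleHolders | Format-Table -AutoSize
```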
28. Physical component - RODC
Read-only domain controller
An RODC is a type of domain controller that hosts read-only partitions of the Active Directory database. All changes must be made on a writable domain controller and are then replicated to the RODC.
An RODC is designed primarily to be deployed in remote or branch office environments, which typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and personnel with limited knowledge of information technology (IT).
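Because an RODC sits where physical security is poor, a practitioner wants to know which account secrets it has actually cached. This added check (not code from the original deck) lists cached accounts that belong to privileged groups; it assumes the RSAT ActiveDirectory module, and the RODC name is a placeholder.

```powershell
# Added example (not from the original deck): find privileged accounts whose
# passwords are cached on an RODC. Assumes the RSAT ActiveDirectory module;
# 'BRANCH-RODC01' is a placeholder name.
Import-Module ActiveDirectory

function Get-PrivilegedAccountsCachedOnRodc {
    param(
        [Parameter(Mandatory)][string]$RodcName,
        # Groups whose members should never have a password cached on an RODC
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    # Resolve privileged principals once, nested group membership included.
    $privileged = foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty DistinguishedName
    }
    $privileged = @($privileged | Sort-Object -Unique)

    # Accounts whose secrets are physically stored on this RODC.
    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts

    foreach ($account in $cached) {
        if ($privileged -contains $account.DistinguishedName) {
            [pscustomobject]@{
                Rodc    = $RodcName
                Account = $account.SamAccountName
                Finding = 'Privileged password cached on RODC; reset it and review the Denied RODC Password Replication Group'
            }
        }
    }
}

Get-PrivilegedAccountsCachedOnRodc -RodcName 'BRANCH-RODC01' | Format-Table -AutoSize
```

An empty result is the expected state; any row means a credential that should be reset because the RODC's physical compromise would expose it.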
29. Group Policy
Group Policy is an integral feature built into Microsoft Active Directory. Its core purpose is to enable IT administrators to centrally manage users and computers across an AD domain. This includes both business users and privileged users such as IT admins, as well as workstations, servers, domain controllers (DCs) and other machines.
30. Group Policy best practices
Do not modify the Default Domain Policy and Default Domain Controllers Policy
– Use the Default Domain Policy for account, account lockout, password and Kerberos policy settings only.
Create a well-designed organizational unit (OU) structure in Active Directory
– Having a good OU structure makes it easier to apply and troubleshoot Group Policy.
Give GPOs descriptive names
– Policies for user accounts: U_<name of the policy>
– Policies for computer accounts: C_<name of the policy>
– Policies for computer and user accounts: CU_<name of the policy>
31. Group Policy best practices
Do not set GPOs at the domain level
– Each Group Policy Object that is linked at the domain level is applied to all user and computer objects.
– The only GPO that should be linked at the domain level is the Default Domain Policy.
Apply GPOs at the OU root level
– Applying GPOs at the OU level allows sub-OUs to inherit these policies; you don't need to link the policy to each sub-OU.
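The two best-practice slides above can be turned into an audit. This added script (not code from the original deck) reports GPOs linked at the domain root other than the Default Domain Policy, GPOs that ignore the U_/C_/CU_ naming scheme, and GPOs whose prefix does not match the half (user or computer) that has actually been edited; it assumes the RSAT GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the original deck): audit GPO links and names against
# the best practices on the slides. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules and read access to the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$defaultGpos = @('Default Domain Policy', 'Default Domain Controllers Policy')

function Test-GpoNamingConvention {
    param([Parameter(Mandatory)][string]$Name)
    # U_ = user settings, C_ = computer settings, CU_ = both (scheme from the slides)
    return $Name -match '^(U|C|CU)_.+$'
}

function Get-GpoBestPracticeFindings {
    $domain = Get-ADDomain

    # 1. Only the Default Domain Policy should be linked at the domain root.
    foreach ($link in (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks) {
        if ($link.DisplayName -ne 'Default Domain Policy') {
            [pscustomobject]@{ Gpo = $link.DisplayName; Finding = 'Linked at the domain level; link it at an OU root instead' }
        }
    }

    # 2. Custom GPOs follow the naming scheme, and the prefix matches the edited half.
    foreach ($gpo in Get-GPO -All) {
        if ($gpo.DisplayName -in $defaultGpos) { continue }
        if (-not (Test-GpoNamingConvention $gpo.DisplayName)) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Finding = 'Name does not start with U_, C_ or CU_' }
            continue
        }
        $prefix = ($gpo.DisplayName -split '_', 2)[0]
        # DSVersion counts edits to that half of the GPO; 0 means never touched.
        $hasUser     = $gpo.User.DSVersion -gt 0
        $hasComputer = $gpo.Computer.DSVersion -gt 0
        if ($prefix -eq 'U' -and $hasComputer) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Finding = 'U_ prefix but computer settings were edited' }
        } elseif ($prefix -eq 'C' -and $hasUser) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Finding = 'C_ prefix but user settings were edited' }
        }
    }
}

Get-GpoBestPracticeFindings | Format-Table -AutoSize
```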
32. Active Directory backup
Systems run 24x7, so plan backups of:
‒ Users and computers
‒ Groups and permissions
‒ Group Policy Objects
‒ The entire computer (bare metal)
Editor's Notes
For example, your Finance Manager copies a spreadsheet containing the compensation packages of the organization's executives from a protected folder on a file server to the Manager's personal USB drive. During the commute home, the Manager leaves the USB drive on the train, where someone with no connection to the organization finds it. Without AD RMS, whoever finds the USB drive can open the file. With AD RMS, it is possible to ensure that the file cannot be opened by unauthorized users.
For example, you can configure standard templates that grant view-only rights, block the ability to edit, save and print, or, if used with Exchange Server, block the ability to forward or reply to messages.
LDAP provides the communication language that applications use to communicate with other directory services servers. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network.
Active Directory is a database-based system that provides authentication, directory, policy and other services in a Windows environment.
LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.
Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.
The schema is stored in its own partition in the directory. It is replicated among all the domain controllers in the forest, and any change made to the schema is replicated to every domain controller in the forest.
Because the schema dictates how information is stored, and because any change made to the schema affects every domain controller, changes to the schema should be made only when necessary, and carefully.
A child domain shares the same domain naming master and schema master roles and inherits the namespace of the parent domain. A child domain has no Enterprise Admins group of its own; that group exists only in the forest root domain, which handles most forest-wide configuration. The trust between parent and child is a two-way transitive parent-child trust. For example, if the parent is ABC.com, the child domain will be XYZ.ABC.com.
If you don't want to inherit the parent domain name, you create a new tree in the forest: with a parent of ABC.com you can have a new tree such as XYZ.com. Tree root domains are still managed by the forest's Enterprise Admins group from the forest root domain.