Windows Active Directory

Chapter 6 provides an overview of Windows Active Directory, detailing its introduction, structure, and installation process. It explains the physical and logical structures, including components like organizational units, domains, trees, and forests, as well as the installation requirements and configuration options for domain controllers. The chapter also covers Active Directory management tools, object types, recovery options, and the replication process to maintain consistency across domain controllers.

Uploaded by yxellep

Chapter 6 – Active Directory

Windows Active Directory - introduced with Windows 2000 Server


 Directory Service - as the name suggests, stores information about a computer network and offers
features for retrieving and managing that information.
 X.500 - a suite of protocols developed by the International Telecommunication Union (ITU); it is the basis
for Active Directory's hierarchical structure and for how Active Directory objects are named and stored.
 Lightweight Directory Access Protocol (LDAP) - created by the Internet Engineering Task Force (IETF), is
based on the X.500 Directory Access Protocol (DAP). DAP required the seldom-used, high-overhead
Open Systems Interconnection (OSI) protocol stack for accessing directory objects. LDAP became a
streamlined version of DAP running over the more efficient and widely used TCP/IP, hence the term
"lightweight" in the protocol's name. On a domain controller LDAP listens on TCP 389 (LDAPS on 636) and
the global catalog on 3268 (3269 with TLS). A plain LDAP simple bind sends the password in cleartext, so
LDAP signing or LDAPS should be required on domain controllers.
 There are two aspects of Active Directory’s structure:
Physical Structure
 The physical structure consists of sites and servers configured as domain controllers.
 An Active Directory site is nothing more than a physical location in which domain controllers
communicate and replicate information regularly. Specifically, Microsoft defines a site as one or
more IP subnets connected by high-speed LAN technology.
 Typically, each physical location with a domain controller operating in a common domain connected
by a WAN constitutes a site. The main reasons for defining multiple sites are to control the
frequency of Active Directory replication and to assign policies based on physical location.
 Another component of the physical structure is a server configured as a domain controller, which is
a computer running Windows Server 2012/R2 with the Active Directory Domain Services role
installed. Although an Active Directory domain can consist of many domain controllers, each
domain controller can service only one domain. Each domain controller contains a full replica of the
objects that make up the domain and is responsible for the following functions:
 Storing a copy of the domain data and replicating changes to that data to all other domain
controllers throughout the domain
 Providing data search and retrieval functions for users attempting to locate objects in the
directory
 Providing authentication and authorization services for users who log on to the domain and
attempt to access network resources
Logical Structure
 There are four organizing components of Active Directory: Organizational units, Domains, Trees,
Forests
 Organizational Unit (OU) - is an Active Directory container used to organize a network’s users and
resources into logical administrative units. An OU contains Active Directory objects, such as user
accounts, groups, computer accounts, printers, shared folders, applications, servers, and domain
controllers. OUs can represent policy boundaries, in which different sets of policies can be applied
to objects in different OUs.
 Domain - is Active Directory’s core structural unit. It contains OUs and represents administrative,
security, and policy boundaries
 Tree - is less a container than a grouping of domains that share a common naming structure. A
tree consists of a parent domain and possibly one or more child domains (also called
“subdomains”) that have the same second-level and top-level domain names as the parent
domain.
 Forest - is a collection of one or more trees. A forest can consist of a single tree with a single
domain, or it can contain several trees, each with a hierarchy of parent and child domains. Each
tree in a forest has a different naming structure. A forest's main purpose is to provide a common
Active Directory environment, in which all domains in all trees can communicate with one
another and share information yet allow independent operation and administration of each
domain. Because every domain in a forest trusts every other and they all share one schema and
configuration, the forest, not the domain, is the real security boundary: an administrator of any
domain in the forest can, with enough effort, gain control of the others.

Installing Active Directory


 You must install the DNS Server role if DNS isn't already installed on the network.
 You have the option to export the Active Directory deployment configuration settings, which creates an
XML file with the installation settings you selected. This file can be used to automate Active Directory
installations on other servers.
 After the installation is finished, you must configure Active Directory. To get started, click the
notifications flag in Server Manager and click “Promote this server to a domain controller,” which starts
the Active Directory Domain Services Configuration Wizard.
 In the Deployment Configuration window, you select from these options: Add a domain controller to an
existing domain, Add a new domain to an existing forest, and Add a new forest
 FQDN - is a domain name that includes all parts of the name, including the top-level domain.
 For the most advanced features and security, you should choose the most current functional level,
which is Windows Server 2012 R2. For the most backward compatibility with older DCs on the network,
you should choose Windows Server 2008 for the forest functional level. The Windows Server 2012 R2
wizard doesn't let you choose a forest functional level earlier than Windows Server 2008. If you choose
the Windows Server 2012 R2 forest functional level, you can't run DCs that run an OS version earlier
than Windows Server 2012 R2. You can, however, still run older servers as member servers.
 You then have three options to specify capabilities for the DC:
 Domain Name System (DNS) server—For the first DC in a new domain, DNS should be installed
unless you will be using an existing DNS server for the domain.
 Global Catalog (GC)—For the first DC in a forest, this check box is selected and disabled because
the first DC in a new forest must also be a global catalog server.
 Read only domain controller (RODC)—This check box isn’t selected by default. This option is
disabled for the first DC in the domain because it can’t be an RODC.
 Directory Services Restore Mode (DSRM) - This boot mode is used to perform restore operations on
Active Directory if it becomes corrupted or parts of it are deleted accidentally.
 SYSVOL Folder - is a shared folder containing file-based information that’s replicated to other domain
controllers. Storing the database and log files on separate disks, if possible, is best for optimal
performance.
 Microsoft recommends at least two domain controllers in every domain for fault tolerance and load
balancing.

 When a new DC is added to an existing domain:


 Should you install DNS? Installing DNS is recommended when you're installing the second DC in a
domain: a second DC exists for fault tolerance, and the DNS zones Active Directory depends on
should be fault tolerant as well.
 Should the DC be a global catalog (GC) server? The first DC is always configured as a GC server,
but when you're installing additional DCs in a domain, this setting is optional. In most cases, it
makes sense to make all your DCs global catalog servers as well, particularly in a single-domain
forest.
 Should this be a read only domain controller (RODC)? An RODC is most often used in branch
office situations, where ensuring the server's physical security is more difficult. By default an
RODC doesn't store account password hashes, so if an RODC is stolen or compromised, no
passwords can be retrieved from it. The exception is accounts explicitly allowed by the RODC's
Password Replication Policy; keep privileged accounts (Domain Admins and the like) on its deny list.
 In which site should the DC be located? If you have more than one site defined for your
network, you can choose where you want the DC to be located.
 The preferred method of installing Active Directory in a Windows Server 2012/R2 Server Core
installation is to use the PowerShell cmdlets
 If you want to see what a PowerShell cmdlet does without actually performing the operation, use the
-WhatIf parameter. PowerShell displays the steps needed to perform the command, showing you the
default settings and prompting you for other information the command requires.
 Install from media (IFM) - This option copies the contents of an existing DC's Active Directory database
(and optionally the SYSVOL folder) to disk so that a new DC can be built from the copy instead of
pulling the whole database across the WAN.
 If you're creating IFM data for a standard DC (a writeable DC, not an RODC), you must use a standard
DC to create this data. If you're creating IFM data for an RODC, you can use an RODC or a standard DC.
 On the selected DC, run the ntdsutil command-line program at an elevated command prompt. Ntdsutil
is an interactive program in which you enter commands. IFM media created from a writeable DC
contains every password hash in the domain, so treat it as secret and delete it once the new DC is up.

Inside Active Directory


 Active Directory Administrative Center (ADAC) - The ADAC is a central console for performing many
Active Directory tasks, including creating and managing user, group, and computer accounts; managing
OUs; and connecting to other domain controllers in the same or a different domain. You can also
change the domain’s functional level and enable the Active Directory Recycle Bin. ADAC is built on
PowerShell, so each command you use in ADAC issues a PowerShell command to perform the task. You
can take advantage of this new feature in Windows Server 2012 by using the Windows PowerShell
History pane in ADAC
 Active Directory Users and Computers - has two panes. In the left pane, the top node shows the server
and domain being managed. The Saved Queries folder contains a list of Active Directory queries you
can save to repeat Active Directory searches easily. The third node represents the domain and contains
all the objects that make up the domain.

Active Directory Schema


 Object - is a grouping of information that describes a network resource, such as a shared printer; an
organizing structure, such as a domain or OU; or an account, such as a user or group.
 Schema - defines the type, organization, and structure of data stored in the Active Directory database
and is shared by all domains in an Active Directory forest. The information the schema defines is
divided into two categories: schema classes and schema attributes.
 Schema Classes - define the types of objects that can be stored in Active Directory, such as user or
computer accounts.
 Schema Attributes - define what type of information is stored in each object, such as first name, last
name, and password for a user account object. The data actually stored in an attribute for a particular
object is called an attribute value.

Active Directory Container Objects


 Organizational Units - An OU is the primary container object for organizing and managing resources in
a domain. You can delegate administrative authority for an OU to a user, thereby allowing the user to
manage objects in the OU without giving the user wider authority. When a new DC is installed in the
domain, a new computer object representing it is placed in the Domain Controllers OU by default. A
GPO is linked to the Domain Controllers OU and used to set security and administrative policies that
apply to all DCs in the domain.
 Folder Objects - When Active Directory is installed, five folder objects are created:
 Builtin – Houses default groups created by Windows and is mainly used to assign permissions to
users who have administrative responsibilities in the domain.
 Computers – The default location for computer accounts created when a new computer or
server becomes a domain member.
 ForeignSecurityPrincipals - Initially empty but later contains user accounts from other domains
added as members of the local domain’s groups.
 Managed Service Accounts - Added to the schema in Windows Server 2008 R2; created
specifically for services to access domain resources. In this account, the password is managed
by the system, alleviating the administrator of this task. This folder is empty initially.
 Users - Stores two default users (Administrator and Guest) and several default groups.
 Domain Objects - The domain is the core logical structure container in Active Directory. Domains
contain OU and folder container objects but can also contain leaf objects, such as users, groups, and so
forth. A domain typically reflects the organization of the company in which Active Directory is being
used, but in large or geographically dispersed organizations, you can create multiple domains, each
representing a business unit or location. The main reasons for using multiple domains are to allow
separate administration, define security boundaries, and define policy boundaries.

Active Directory Leaf Objects


 A leaf object doesn’t contain other objects and usually represents a security account, network resource, or GPO.
Security account objects include users, groups, and computers.
 Network resource objects include servers, domain controllers, file shares, printers, and so forth.
 User Account - object contains information about a network user. Typically, when a user account is created, the
administrator enters at least the user’s name, logon name, and password.
 local user account - defined on a local computer, is authorized to access resources only on that
computer. Local user accounts are mainly used on stand-alone computers or in a workgroup network
with computers that aren’t part of an Active Directory domain.
 domain user account - created in Active Directory, provides a single logon for users to access all
resources in the domain they’re authorized for.
 built in user accounts - automatically: Administrator and Guest. They can be local user accounts or
domain user accounts, depending on the computer where they’re created. On a workgroup or stand-
alone Windows computer, these two accounts are created when Windows is installed, and they’re local
accounts that have access to resources only on the local computer. When Active Directory is installed on
a Windows Server 2012/R2 computer, these two accounts are converted from local user accounts to
domain user accounts.
 Group object - represents a collection of users with common permissions or rights requirements on a computer
or domain.
 Permissions define which resources users can access and what level of access they have.
 right specifies what types of actions a user can perform on a computer or network.
 Computer account - object represents a computer that’s a domain controller or domain member and is used to
identify, authenticate, and manage computers in the domain.
 Computer accounts are created automatically when Active Directory is installed on a server or when a
server or workstation becomes a domain member.
 By default, domain controller computer accounts are placed in the Domain Controllers OU, and domain
member computer accounts are placed in the Computers folder.
 Like user accounts, computer accounts have a logon name and password, but a computer account
password is managed by Active Directory instead of an administrator.
 Other Leaf Objects:
 Contact – person who is associated with the company but is not a network user.
 Printer – a shared printer in the domain. Printers shared on Windows 2000 or later computers
that are domain members can be added to Active Directory automatically.
 Shared Folder - represents a shared folder on a computer in the network. Shared folder
objects can be added to Active Directory manually or by using the publish option when creating
a shared folder.
 Both printer and shared folder objects enable users to access shared printers and folders on any
computer in the domain without knowing exactly which computer the resource was created on.
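Creating the container and leaf objects described in the two sections above with the ActiveDirectory module. This is an added example and not code from the chapter; the OU names Workstations, Servers and Staff, the user jdoe, the group Finance-Users and the domain corp.example.com are assumptions.

```powershell
# Added example (not from the chapter): OUs, a domain user, a group, and the
# default computer container. Assumed names: OUs Workstations/Servers/Staff,
# user jdoe, group Finance-Users, domain corp.example.com.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com

# OUs are policy and delegation boundaries; protect them from accidental deletion.
foreach ($name in 'Workstations', 'Servers', 'Staff') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# A domain user account. The initial password is read interactively; the account
# can be created enabled only because a password is supplied at the same time.
$initial = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName 'jdoe@corp.example.com' -Path "OU=Staff,$domainDN" `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

# A global security group, with the user as a member.
New-ADGroup -Name 'Finance-Users' -GroupScope Global -GroupCategory Security -Path "OU=Staff,$domainDN"
Add-ADGroupMember -Identity 'Finance-Users' -Members 'jdoe'

# Computer accounts are created automatically in CN=Computers. That is a folder
# object, not an OU, so no OU-linked GPO reaches a machine sitting there. Redirect
# the default location so new domain members land in an OU that has policy.
redircmp.exe "OU=Workstations,$domainDN"

# Check for machines still in the default container. PasswordLastSet is the
# automatically managed computer password; a very old value means an abandoned
# account that should be disabled or removed.
function Get-StrayComputer {
    Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" `
        -Properties PasswordLastSet, OperatingSystem |
        Select-Object Name, OperatingSystem, PasswordLastSet, DistinguishedName
}
Get-StrayComputer
```

redircmp.exe ships with Windows Server and needs the domain functional level to be Windows Server 2003 or later; run it once per domain.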

Recovering Objects with the Active Directory Recycle Bin


 Active Directory Recycle Bin is disabled by default; it can be enabled in Active Directory Administrative
Center (ADAC).
 After it’s enabled, the Recycle Bin can’t be disabled without reinstalling all domain controllers in the
forest.
 To use the Recycle Bin, all DCs in the forest must be running Windows Server 2008 R2 or later, and the
forest functional level must be at least Windows Server 2008 R2.
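Enabling the Recycle Bin and restoring a deleted object from PowerShell rather than ADAC. This is an added example, not code from the chapter; the forest corp.example.com and the deleted user jdoe are assumptions.

```powershell
# Added example (not from the chapter): Recycle Bin prerequisite check, enabling,
# and restore. Assumed names: forest corp.example.com, deleted user jdoe.
Import-Module ActiveDirectory
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# Prerequisite: the forest functional level must meet the feature's requirement
# (Windows2008R2Forest). Both values are ADForestMode enums, so -lt compares them.
if ($forest.ForestMode -lt $feature.RequiredForestMode) {
    throw "Forest mode $($forest.ForestMode) is below the required $($feature.RequiredForestMode)"
}

# EnabledScopes is empty until the feature is enabled. Enabling is a one-way change.
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# With the Recycle Bin on, deleted objects keep their attributes (including
# sAMAccountName and lastKnownParent) for the deleted-object lifetime, which is
# what makes a full restore possible. The $true inside the filter string is
# interpreted by the AD filter parser, not by PowerShell.
function Get-DeletedObject {
    Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

# Restore a user. If its OU was deleted in the same operation, lastKnownParent
# points at a deleted container, which must be restored first or the restore fails.
function Restore-DeletedUser {
    param([string]$SamAccountName)
    $obj = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $obj) { throw "No deleted object with sAMAccountName $SamAccountName" }
    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects
    if ($parent.Deleted) { Restore-ADObject -Identity $parent.ObjectGUID }
    Restore-ADObject -Identity $obj.ObjectGUID
}

Get-DeletedObject
Restore-DeletedUser -SamAccountName 'jdoe'
```

Restore-ADObject puts the object back under its last known parent with its SID, group memberships and password intact, which is why it is preferable to recreating the account (a recreated account gets a new SID and loses every ACL entry that referenced the old one).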

Locating Active Directory Objects


 you can search for users, contacts, groups, computers, printers, shared folders,
 you can search in a single domain or in the entire directory (all domains).
 However, not all objects are available to all users, depending on the object’s security settings and its
container.
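Searching a single domain versus the entire directory, as an added example (not from the chapter). The user jdoe and the domain corp.example.com are assumptions.

```powershell
# Added example (not from the chapter): domain-wide versus forest-wide search.
# Assumed names: user jdoe, domain corp.example.com.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Single-domain search over LDAP (TCP 389): users, groups, computers, printers
# (printQueue) and shared folders (volume) anywhere under the domain root.
Get-ADObject -SearchBase $domainDN -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=printQueue)(objectClass=volume))' |
    Select-Object Name, ObjectClass, DistinguishedName

# Forest-wide search: ask a global catalog on port 3268 with the forest root as the
# base. Only attributes in the partial attribute set come back from a GC, so ask
# for a full replica (a DC of the object's own domain) if you need the rest.
function Find-AccountInForest {
    param([string]$SamAccountName)
    $forest = Get-ADForest
    $rootDN = 'DC=' + (($forest.RootDomain -split '\.') -join ',DC=')
    $gcHost = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    Get-ADObject -Server "${gcHost}:3268" -SearchBase $rootDN -SearchScope Subtree `
        -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties userPrincipalName |
        Select-Object Name, ObjectClass, userPrincipalName, DistinguishedName
}
Find-AccountInForest -SamAccountName 'jdoe'
```

Results are filtered by each object's ACL: a caller without read access to a container or attribute simply does not see it, which is the "not all objects are available to all users" point above.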

Working with Forests, Trees, and Domains

Active Directory Replication


 Replication is the process of maintaining a consistent database of information when the database is
distributed among several locations.
 Active Directory contains several databases called partitions that are replicated between domain
controllers by using intrasite replication or intersite replication.
 Intrasite replication takes place between domain controllers in the same site. It occurs 15 seconds
after a change is made on a domain controller, with a 3-second delay between notifications to each
replication partner, and the data is sent uncompressed.
 Intersite replication occurs between two or more sites. It runs on the schedule defined on the site
link (every 180 minutes by default) rather than on change notification, and the data is compressed
to save WAN bandwidth.
 Active Directory uses multimaster replication for objects such as user and computer accounts,
which means changes to these objects can occur on any writeable DC and are propagated (replicated)
to all other domain controllers.
 The Knowledge Consistency Checker (KCC) runs on every DC to determine the replication topology, which
defines the domain controller path through which Active Directory changes flow. This path is
configured as a ring (or multiple rings, if there are enough domain controllers), with each DC in the
path constituting a hop. The KCC is designed to ensure there are no more than three hops between any
two domain controllers, which can result in multiple rings.
 A replication partner is a pair of domain controllers configured to replicate with one another.
 Replication is also an attack surface: any principal holding the "Replicating Directory Changes All"
permission on the domain can ask a DC for every object, password hashes included, exactly as a
replication partner would. Audit who holds that permission; by default it is only DCs and the
domain's administrative groups.

Directory Partitions
 Each section of an Active Directory database is referred to as a directory partition. There are five
directory partition types in the Active Directory database:
 Domain directory partition Contains all objects in a domain, including users, groups,
computers, OUs, and so forth. There’s one domain directory partition for each domain in the
forest. Changes made to objects in domain directory partitions are replicated to each DC in the
domain. Some object attributes are also replicated to global catalog servers (described later in
“The Importance of the Global Catalog Server”) in all domains. Changes to the domain directory
partition can occur on any DC in the domain except read-only domain controllers.
 Schema directory partition Contains information needed to define Active Directory objects and
object attributes for all domains in the forest. The schema directory partition is replicated to all
domain controllers in the forest. One domain controller in the forest is designated as the
schema master domain controller (discussed in the next section) and holds the only writeable
copy of the schema.
 Global catalog partition - The global catalog partition holds the global catalog, which is a partial
replica of all objects in the forest. It stores the most commonly accessed object attributes to
facilitate object searches and user logons across domains. The global catalog is built
automatically by domain replication of object attributes flagged for inclusion (the partial
attribute set). Administrators can't make changes to this partition: strictly speaking it is a
read-only partial copy of every other domain's domain partition, held only on GC servers, rather
than a separately administered partition of its own.
 Application directory partition - Used by applications and services to hold information that
benefits from automatic Active Directory replication and security. DNS is the most common
service to use an application directory partition for the DNS database. The information in this
partition can be configured to replicate to specific domain controllers rather than all domain
controllers, thereby controlling replication traffic. There can be more than one application
directory partition.
 Configuration partition—By default, the configuration partition holds configuration information
that can affect the entire forest, such as details on how domain controllers should replicate with
one another. Applications can also store configuration information in this partition. This
partition is replicated to all domain controllers in the forest, and changes can be made to
information stored in this partition on all domain controllers.
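Listing the partitions a DC holds and checking replication per partition and per partner ties the two sections above together. This is an added example, not code from the chapter; it runs on a DC or an RSAT-equipped member as a user with read access, and the 60-minute threshold is an assumption.

```powershell
# Added example (not from the chapter): partitions and replication status.
# Assumption: run on a DC (or with RSAT); 60-minute staleness threshold.
Import-Module ActiveDirectory

# The partitions (naming contexts) this DC hosts. Besides the domain, configuration
# and schema partitions you normally see DomainDnsZones and ForestDnsZones, the
# application partitions AD-integrated DNS uses.
$root = Get-ADRootDSE
[string[]]$partitions = $root.namingContexts
$partitions
(Get-ADForest).ApplicationPartitions          # application partitions only

# Inbound replication status for one DC, for every partition it holds.
# (repadmin /showrepl and repadmin /replsummary give the same view from cmd.exe.)
function Get-ReplicationStatus {
    param([string]$Target = $env:COMPUTERNAME)
    Get-ADReplicationPartnerMetadata -Target $Target -Scope Server -Partition $partitions |
        Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
                      ConsecutiveReplicationFailures
}

# A check worth scheduling: a partner that has not succeeded within the threshold,
# or whose last attempt returned a non-zero result, needs attention. Inside a site
# replication should converge in seconds; across sites allow for the site-link schedule.
function Get-StaleReplication {
    param([string]$Target = $env:COMPUTERNAME, [int]$Minutes = 60)
    Get-ReplicationStatus -Target $Target | Where-Object {
        $_.LastReplicationSuccess -lt (Get-Date).AddMinutes(-$Minutes) -or $_.LastReplicationResult -ne 0
    }
}

# Forest-wide: recorded failures, and the KCC-generated connection objects (the topology).
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated

Get-ReplicationStatus
Get-StaleReplication
```

A connection object with AutoGenerated set to False was created by hand and will not be maintained by the KCC, which is a common cause of a DC quietly falling behind after a topology change.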

Operations Master Roles


A number of operations in a forest require having a single domain controller, called the operations master, with
sole responsibility for the function. In most cases, the first DC in the forest takes on the role of operations
master for these functions. However, you can transfer the responsibility to other domain controllers when
necessary. There are five operations master roles, referred to as Flexible Single Master Operation (FSMO)
roles, in an Active Directory forest:
 Schema master—As mentioned, the schema partition can be changed on only one DC, the schema
master. This DC is responsible for replicating the schema directory partition to all other domain
controllers in the forest when changes occur.
 Infrastructure master—This DC is responsible for ensuring that changes made to object names in one
domain are updated in references to these objects in other domains. By default, the first DC in each
domain is the infrastructure master for that domain.
 Domain naming master—This DC manages adding, removing, and renaming domains in the forest.
There’s only one domain naming master per forest, and the DC with this role must be available when
domains are added, deleted, or renamed.
 RID master—All objects in a domain are identified internally by a security identifier (SID). An object’s
SID is composed of a domain identifier, which is the same for all objects in the domain, and a relative
identifier (RID), The RID master is responsible for issuing unique pools of RIDs to each DC, thereby
guaranteeing unique SIDs throughout the domain. The RID master must be available when adding a DC
to an existing domain. There’s one RID master per domain.
 PDC emulator master - This role provides backward compatibility with Windows NT servers configured
as Windows NT backup domain controllers or member servers. In addition, the PDC emulator master
manages password changes to help make sure user authentication occurs without lengthy delays:
password changes are replicated immediately to the PDC emulator master, and if authentication fails
at one DC, the attempt is retried on the PDC emulator master. The PDC emulator is also the
authoritative time source for the domain (Kerberos tolerates only a few minutes of clock skew) and
the DC that Group Policy editing tools connect to by default. There's one PDC emulator per domain.
 Because domain controllers that manage FSMO role data are, by definition, single masters, special
attention must be paid to them. When removing domain controllers from a forest, make sure these
roles aren't removed from the network accidentally: transfer them while the old holder is still
online, and seize a role only when its holder is permanently gone, never returning that DC to the
network afterwards.
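The decommissioning check the last bullet asks for, as an added example (not code from the chapter). DC01 (the DC being removed), DC02 (the DC taking over) and the domain corp.example.com are assumptions.

```powershell
# Added example (not from the chapter): locate FSMO holders and transfer roles
# off a DC before it is removed. Assumed names: DC01 leaving, DC02 taking over,
# domain corp.example.com.
Import-Module ActiveDirectory

# Forest-wide roles live on the forest object, domain-wide roles on the domain
# object. (netdom query fsmo prints the same five from cmd.exe.)
function Get-FsmoHolder {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Which roles does a given DC hold? Returns the role names (empty if none).
function Get-FsmoRolesHeldBy {
    param([string]$DcHostName)
    (Get-FsmoHolder).PSObject.Properties |
        Where-Object { $_.Value -ieq $DcHostName } |
        Select-Object -ExpandProperty Name
}

# Decommission check: transfer roles while the old holder is still online.
$leaving = 'dc01.corp.example.com'
$roles   = @(Get-FsmoRolesHeldBy -DcHostName $leaving)
if ($roles.Count -gt 0) {
    "$leaving still holds: $($roles -join ', ')"
    # Role names match the ADOperationMasterRole enum, so they can be passed directly.
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole $roles -WhatIf
    # Drop -WhatIf to perform the transfer; add -Confirm:$false to skip the prompt.
}

# Seizing (-Force) is only for a holder that is permanently gone. The seized-from
# DC must never come back online, or two DCs will claim the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole RIDMaster -Force

# The RID master must be reachable when DCs or large numbers of accounts are created;
# dcdiag checks the RID pool state.
dcdiag /test:ridmanager /v
Get-FsmoHolder
```

Run Get-FsmoHolder again after the transfer and confirm every value points at a DC that will still exist once DC01 is demoted.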

Trust Relationships
 A trust relationship defines whether and how security principals from one domain can access network
resources in another domain.
 Trust relationships are established automatically between all domains in a forest: two-way,
transitive trusts between each child domain and its parent and between each tree root and the
forest root domain.
 Trusts must be configured manually only when your Active Directory environment includes two or more
forests or when you want to integrate with other OSs. An inbound trust extends who can authenticate to
your resources, so review it like any other grant of access: forest trusts apply SID filtering by
default (keep it on), and selective authentication limits which servers users from the trusted
forest can reach.

The Role of Forests


 The Active Directory forest is the broadest logical component of the Active Directory structure. Forests
contain domains that can be organized into one or more trees. All domains in a forest share some
common characteristics:
 A single schema—The schema defines Active Directory objects and their attributes and can be
changed by an administrator or an application to best suit the organization’s needs. All domains
in a forest share the same schema, so a change to the schema affects objects in all domains.
This shared schema is one reason that large organizations or conglomerates with diverse
business units might want to operate as separate forests. With this structure, domains in
different forests can still share information through trust relationships, but changes to the
schema—perhaps from installing an Active Directory– integrated application, such as Microsoft
Exchange—don’t affect the schema of domains in a different forest.
 Forest-wide administrative accounts - Each forest has two groups defined with unique rights to
perform operations that can affect the entire forest: Schema Admins and Enterprise Admins.
Members of Schema Admins are the only users who can make changes to the schema.
Members of Enterprise Admins can add or remove domains from the forest and have
administrative access to every domain in the forest. By default, only the Administrator account
for the first domain created in the forest (the forest root domain) is a member of these two
groups. Both groups should stay empty except while a forest-wide change is actually being made;
a standing member is a standing path to control of every domain.
 Operations masters—As discussed, certain forest-wide operations can be performed only by a
DC designated as the operations master. Both the schema master and the domain naming
master are forest-wide operations masters, meaning only one DC in the forest can perform
these roles.
 Global catalog—There’s only one global catalog per forest, but unlike operations masters,
multiple domain controllers can be designated as global catalog servers. Because the global
catalog contains information about all objects in the forest, it’s used to speed searching for
objects across domains in the forest and to allow users to log on to any domain in the forest.
 Trusts between domains—These trusts allow users to log on to their home domains (where
their accounts are created) and access resources in domains throughout the forest without
having to authenticate to each domain.
 Replication between domains - The forest structure facilitates replicating important
information between all domain controllers throughout the forest. Forest-wide replication
includes information stored in the global catalog, schema directory, and configuration partitions.

The Importance of the Global Catalog Server


 The first DC installed in a forest is always designated as a global catalog server, but you can use Active
Directory Sites and Services to configure additional domain controllers as global catalog servers for
redundancy. The following are some vital functions the global catalog server performs:
 Facilitates domain and forest-wide searches - As discussed, the global catalog is contacted to
speed searches for resources across domains.
 Facilitates logon across domains - Users can log on to computers in any domain by using their
user principal name (UPN). A UPN follows the format username@domain. Because the global
catalog contains information about all objects in all domains, a global catalog server is contacted
to resolve the UPN. Without a global catalog server, users could log on only to computers that
were members of the same domain as their user accounts.
 Holds universal group membership information - When a user logs on to the network, all the
user's group memberships must be resolved to determine rights and permissions. Global
catalog servers are the only domain controllers that hold universal group membership
information, so one must be contacted when a user logs on. If a site has no GC, you can enable
universal group membership caching on that site (in Active Directory Sites and Services) so its
DCs cache memberships learned from a GC instead of refusing logons when the WAN link is down.
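Checking which DCs advertise as global catalog servers, finding sites that have none, and adding a GC without the Sites and Services console. This is an added example, not code from the chapter; DC02 and the domain corp.example.com are assumptions.

```powershell
# Added example (not from the chapter): global catalog inventory and enablement.
# Assumed names: DC02 in corp.example.com.
Import-Module ActiveDirectory

# Which DCs are GCs, and where are they?
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly
(Get-ADForest).GlobalCatalogs

# Sites with no GC: logons there depend on a WAN link unless universal group
# membership caching is enabled on the site.
function Get-SiteWithoutGC {
    $gcSites = (Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true').Site | Sort-Object -Unique
    Get-ADReplicationSite -Filter * |
        Where-Object { $gcSites -notcontains $_.Name } |
        Select-Object -ExpandProperty Name
}

# Making a DC a GC means setting bit 1 (NTDSDSA_OPT_IS_GC) in the options attribute
# of its NTDS Settings object; the checkbox in Sites and Services does exactly this.
# The bitwise OR keeps any other option bits that are already set.
function Enable-GlobalCatalog {
    param([string]$DcName)
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = ([int]$ntds.options) -bor 1
    Set-ADObject -Identity $ntds -Replace @{ options = $opts }
}
Enable-GlobalCatalog -DcName 'DC02'

# Verify: a GC answers on TCP 3268 (3269 with TLS) and registers _gc._tcp SRV
# records for the forest once it has finished building its partial replicas.
Test-NetConnection -ComputerName 'dc02.corp.example.com' -Port 3268 |
    Select-Object ComputerName, TcpTestSucceeded
Resolve-DnsName -Name "_gc._tcp.$((Get-ADForest).Name)" -Type SRV | Select-Object NameTarget, Port

Get-SiteWithoutGC
```

The new GC does not advertise immediately: it first replicates in the partial attribute set of every other domain, and only then starts answering on 3268 and registering its SRV records, so the verification step may need to be repeated later.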

Forest Root Domain


 When the first domain is created in a Windows network, the forest root is also created. In fact, the first
domain is the forest root and is referred to as the forest root domain.
 It has a number of important responsibilities and serves as an anchor for other trees and domains
added to the forest.
 Certain functions that affect all domains in the forest are conducted only through the forest root
domain, and if this domain becomes inoperable, forest-wide operations (adding or renaming
domains, changing the schema, and the trust path between different trees, which runs through the
root) stop working.
 Some functions the forest root domain usually handles include the following:
 DNS server
 Global catalog server
 Forest-wide administrative accounts
 Operations masters
 The DNS server and global catalog server functions can be installed on other servers in other domains
for fault tolerance. The forest-wide administrative groups, Enterprise Admins and Schema Admins, exist
only in the forest root domain. The two forest-wide operations master roles are placed on the first DC
of the forest root domain by default; they can be transferred to a DC in another domain of the forest,
but are normally kept in the forest root.

Understanding Domains and Trees


 an Active Directory tree is a group of domains sharing a common naming structure.
 A tree can consist of a single domain or a parent domain and one or more child domains, which can
have child domains of their own.
 An Active Directory tree is said to have a contiguous namespace because all domains in the tree share
at least the last two domain name components: the second-level domain name and the top-level
domain name.
 Organizations operating under a single name internally and to the public are probably best served by an
Active Directory forest with only one tree.
 However, when two companies merge or a large company splits into separate business units that would
benefit from having their own identities, a multiple tree structure makes sense.
 there’s no major functional difference between domains in the same tree or domains in different trees,
as long as they’re part of the same forest.
 The only operational difference is the necessity of maintaining multiple DNS zones
 Most small and medium businesses choose a single domain for reasons that include the following:
 Simplicity
 Lower cost
 Easier Management
 Easier access to resources
 Using more than one domain makes sense or is even a necessity in the following circumstances:
 Need for differing account policies
 Need for different name identities
 Replication control
 Need for internal versus external domains
 Need for tight security

Introducing Group Policies


 Group Policy Object (GPO) is a list of settings administrators use to configure user and computer
operating environments remotely.
 They can be configured to affect an entire domain, a site, and, most commonly, users or computers in
an OU.
 You can link GPOs to sites, domains, and OUs, and GPOs linked to these containers affect only user or
computer accounts in the containers.
 When Active Directory is installed, two GPOs are created and linked to two containers:
 Default Domain Policy—This GPO is linked to the domain object and specifies default settings
that affect all users and computers in the domain. The settings in this policy are related mainly
to account policies, such as password and logon requirements, and some network security
policies.
 Default Domain Controllers Policy - This GPO is linked to the Domain Controllers OU and
specifies default policy settings for all domain controllers in the domain (provided the computer
objects representing domain controllers aren't moved from the Domain Controllers OU). The
settings in this policy pertain mainly to user rights assignments, which specify the types of
actions users can perform on a DC.
 These default policies don’t define any user-specific policies; instead, they’re designed to provide
default security settings for all computers, including domain controllers, in the domain.
 In GPMC, you see only folders containing configured settings. By default, there are no configured
settings in the User Configuration node in the Default Domain Policy, which is why you don’t see a
Policies folder under User Configuration in Figure 6-31. Likewise, you don’t see the Preferences folder in
this figure because no preferences have been configured.
 Computer Configuration—Used to set policies that apply to computers within the GPO’s scope. These
policies are applied to a computer when the computer starts.
 User Configuration—Used to set policies that apply to all users within the GPO’s scope. User policies
are applied when a user logs on to any computer in the domain.
 Computer Configuration: the three folders under the Policies folder contain the following information:
 Software Settings—This folder contains an item (extension) called Software installation, which
enables administrators to install and manage applications remotely. Application installation
packages can be configured so that the next time a computer in the GPO’s scope starts, the
application is installed automatically. This feature is called “assigning” the application to the
computer.
 Windows Settings - This folder contains the Name Resolution Policy node, Scripts extension,
Security Settings node, and Policy-based QoS node. The Name Resolution Policy stores
configuration settings for DNS security and DirectAccess. Administrators can use the Scripts
extension to create scripts that run at computer startup or shutdown. The Security Settings node
contains the lion's share of policies that affect computer security, including account policies,
user rights, wireless network policies, Registry and file system permissions, and network
communication policies, among others. The Policy-based QoS node can be used to prioritize and
control outgoing network traffic from a computer.
 Administrative Templates—This folder contains Control Panel, Network, Printers, System, and
Windows Components folders. The settings in these folders affect computer settings that apply
to all logged-on users. For example, the Network folder contains settings for configuring
Windows Firewall, and Windows Components contains settings for configuring Windows
Update. You can control hundreds of computer settings with the Administrative Templates
folder.
 User Configuration: In the User Configuration node, the Policies folder contains the same three folders
as in the Computer Configuration node. However, the policies defined here affect domain users within
the GPO’s scope, regardless of which computer the user logs on to.
 Software Settings—This folder also contains the Software installation extension. However,
application packages configured here can be assigned or published. An assigned application is
made available as an icon in the Start screen the next time a user affected by the policy logs on
to a computer in the domain. The first time the user tries to run the application or open a
document associated with it, the application is installed. A published application is made
available via Group Policy for a user to install by using Programs and Features in Control Panel.
 Windows Settings—This folder contains four items: the Scripts extension, the Security Settings
node, the Folder Redirection node, and the Policy-based QoS node.
 Administrative Templates—This folder contains a host of settings that enable administrators to
tightly control users’ computer and network environments.

How Group Policies Are Applied


 GPOs can be applied in four places: local computer, site, domain, and OU. Policies are applied in this
order (often abbreviated LSDOU), too. Policies that aren't defined or configured are not applied at all,
and the last policy to be applied is the one that takes precedence. For example, a GPO linked to a
domain affects all computers and users in the domain, but a GPO linked to an OU overrides the domain
policies if there are conflicting settings. Two settings change this order: a link marked Enforced wins
over conflicting settings in the containers below it, and an OU with Block Inheritance ignores every
non-enforced link above it. Account policies (password, lockout, and Kerberos settings) for domain
accounts are a special case: they are taken only from GPOs linked at the domain level, however they
are set on an OU.
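Creating and linking a GPO, then inspecting the order in which policies reach an OU. This is an added example and not code from the chapter; the OU Workstations, the GPO name 'Workstation Baseline' and the domain corp.example.com are assumptions.

```powershell
# Added example (not from the chapter): link a GPO and inspect precedence.
# Assumed names: OU Workstations, GPO 'Workstation Baseline', corp.example.com.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$ou       = "OU=Workstations,$domainDN"

# A GPO with one computer-side security setting (stop storing LM hashes), linked to the OU.
$gpo = New-GPO -Name 'Workstation Baseline' -Comment 'Added example'
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes | Out-Null

# Everything that applies to computers in this OU, from site and domain links down
# to the OU itself. Order 1 is the highest precedence, i.e. the link applied last.
function Get-EffectiveGpoOrder {
    param([string]$Container)
    (Get-GPInheritance -Target $Container).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}
Get-EffectiveGpoOrder -Container $ou

# Two settings override the local, site, domain, OU order. Both lines are left
# commented out because they change domain-wide behaviour:
#   Enforced on a link higher up wins over conflicting settings in containers below it.
#   Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes
#   Block Inheritance on an OU drops every non-enforced link from above.
#   Set-GPInheritance -Target $ou -IsBlocked Yes

# On a member computer: refresh, then see which GPOs applied and which were filtered out.
gpupdate /target:computer /force
gpresult /r /scope computer
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```

Re-run Get-EffectiveGpoOrder after enforcing or blocking to see the order change; the Enforced column in its output is the quickest way to spot a domain-level link that will silently beat the OU policy you just wrote.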
