What is an Active Directory?
Active Directory (AD) is a directory service that runs on Microsoft Windows Server. The main function of Active Directory is to enable administrators to manage permissions and control access to network resources. In Active Directory, data is stored as objects, which include users, groups, applications, and devices, and these objects are categorized according to their name and attributes.
What are the benefits of using Active Directory?
Active Directory (AD) offers a range of benefits for organizations, enhancing both efficiency and security. It centralizes the management of user data, security, and distributed resources, and streamlines user and resource management. Moreover, AD’s Group Policy allows for comprehensive control over user and computer settings, enforcing security policies and automating routine tasks. The single sign-on feature simplifies user access to various resources, reducing password fatigue and improving productivity. Overall, AD is a robust framework that supports and secures the IT infrastructure of an organization.
How does Active Directory work?
Active Directory Domain Services (AD DS) is a critical component of the Windows Server operating system, transforming a server into a domain controller that holds the AD database. This database encompasses all domain objects and their interrelationships. Multiple domain controllers within an organization ensure redundancy and synchronization, keeping the directory consistent across changes, such as password updates or data modifications. While Windows-based devices can join an AD environment, they do not host AD DS. In contrast, Azure Active Directory is designed for cloud environments, offering identity management for various services, including Microsoft 365. Although AD and Azure AD are distinct, they can be integrated in hybrid setups, combining on-premises and cloud resources.
Hierarchical Structure of Active Directory
The Active Directory consists of the following hierarchical structure:
Forest: The top-level container in Active Directory. It is a collection of one or more domains that share a common schema, configuration, and global catalog. All domains within a forest are interconnected and share trust relationships.
Domain: A domain is a logical grouping of objects (such as users, computers, and printers) that share a common directory database. Domains are the basic unit of replication and security in AD. Each domain has its own security policies and trust relationships.
Organizational Units (OUs): OUs are containers within a domain used to organize objects into a hierarchical structure. They allow for delegation of administrative control and the application of Group Policies. OUs can be nested within each other to create a more granular structure.
Objects: These are individual items within Active Directory, such as user accounts, groups, computers, and printers. Each object is a distinct entry in the directory and is identified by a unique Distinguished Name (DN).
Attributes: Each object has attributes that store information about it, such as a user’s name, email address, and phone number. Attributes are part of the schema and can be used to search for and manage objects.
Global Catalog: This is a distributed data repository that contains a partial replica of every object in the forest. It is used to speed up searches and provide information about objects across the entire forest.
Schema: The schema defines the types of objects and attributes that can be stored in Active Directory. It acts as a blueprint for the types of data that AD can handle.
Sites: Sites are used to manage network traffic and replication between domain controllers. They are typically used to represent physical locations in your network infrastructure.
Basic Active Directory Components
What is an Active Directory Forest?
In Active Directory (AD), a forest represents the top-level entity that contains one or more domain trees, which may include multiple domains and subdomains. The forest acts as the security boundary within an AD installation, encompassing all the domains, users, devices, and policies within it. This structure allows for centralized management while also providing the flexibility to enforce specific access controls and security measures at the domain level, catering to the needs of large and complex enterprise networks.
Forest Design Models
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/forest-design-models
What is an Active Directory Domain?
An Active Directory Domain is a key concept in Microsoft’s network services which essentially serves as a central hub for organizing and managing a company’s IT infrastructure. It is a logical group of network objects, such as users, computers, and other devices, that share the same Active Directory database. These objects are managed by the same administrative team and are typically located on the same physical network. Active Directory Domains are used to authenticate and authorize users and computers in a Windows domain type network, and they enforce security policies for securing data access and resources. The domain itself is identified by a DNS name and managed by a domain controller, which is a server running the Active Directory Domain Services (AD DS).
What is an Active Directory Domain Controller?
A domain controller is a server that responds to authentication requests and verifies users on computer networks. Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.
Trust Relationships
- Parent-Child Trusts:
- Description: These are automatically established when you create a new domain in a domain tree within the same forest. The parent domain and child domain trust each other by default.
- Purpose: Allows users in the child domain to access resources in the parent domain and vice versa.
- Sibling Trusts:
- Description: These are established between domains within the same tree in a forest. These trusts are also automatically created.
- Purpose: Facilitates resource access between sibling domains.
- Forest Trusts:
- Description: These are created between two separate AD forests. Forest trusts can be one-way or two-way.
- Direction: One-way or Two-way
- Purpose: Allows users in one forest to access resources in another forest. This is useful for organizations that have multiple forests and need to share resources across them.
- External Trusts:
- Description: These are used to establish a trust relationship between domains in different forests or between a domain and a non-AD domain (such as a third-party directory service).
- Direction: One-way or Two-way
- Purpose: Provides resource access between domains outside of the AD forest.
- Realm Trusts:
- Description: These are used to establish trusts between AD domains and Kerberos realms. Kerberos realms are typically used in UNIX or non-Windows environments.
- Direction: One-way or Two-way
- Purpose: Facilitates access between AD and non-Windows environments that use Kerberos for authentication.
Trust Relationship Properties
- Transitivity: Trusts can be transitive or non-transitive.
- Transitive Trusts: A trust relationship extends through the entire forest. For example, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C.
- Non-Transitive Trusts: A trust relationship is limited to the specific domains involved and does not extend further. External trusts and realm trusts are typically non-transitive.
- Directionality:
- One-Way Trust: One domain (the trusting domain) allows access to resources for users from another domain (the trusted domain), but not the other way around.
- Two-Way Trust: Both domains trust each other, allowing users from each domain to access resources in the other domain.
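The directionality and transitivity rules above can be checked mechanically. The following is an added example, not code from the original page: a small trust graph where edges run from the trusting (resource) domain to the trusted (account) domain, with a reachability check that lets only chains of transitive trusts extend access. The domain names and topology are constructed, and every trust is modelled as simply transitive or not (forest-trust subtleties are not modelled).

```python
from collections import deque


class TrustMap:
    """Edges run from the TRUSTING domain (resource side) to the TRUSTED
    domain (account side); a two-way trust is stored as two edges."""

    def __init__(self):
        self._edges = {}  # trusting -> {trusted: is_transitive}

    def add_trust(self, trusting, trusted, two_way=False, transitive=True):
        self._edges.setdefault(trusting, {})[trusted] = transitive
        self._edges.setdefault(trusted, {})
        if two_way:
            self._edges[trusted][trusting] = transitive

    def can_access(self, source, target):
        """Can accounts from `source` be authorised for resources in `target`?
        A direct trust of either kind suffices; beyond one hop only chains made
        entirely of transitive trusts extend access (A trusts B and B trusts C,
        so A implicitly trusts C). A non-transitive trust stops the walk."""
        if source == target or source in self._edges.get(target, {}):
            return True
        seen, queue = {target}, deque([target])
        while queue:
            cur = queue.popleft()
            for nxt, transitive in self._edges.get(cur, {}).items():
                if not transitive or nxt in seen:
                    continue
                if nxt == source:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False

    def account_domains_reaching(self, target):
        """Every domain whose accounts could be authorised in `target`: the
        question to answer when reviewing who can reach a domain."""
        return {d for d in self._edges if d != target and self.can_access(d, target)}


def build_example_forest():
    """Constructed topology: forest root corp.example with two child domains,
    an external trust to a partner domain and a realm trust to a Kerberos realm."""
    t = TrustMap()
    # Parent-child trusts: created automatically, two-way and transitive.
    t.add_trust("corp.example", "emea.corp.example", two_way=True)
    t.add_trust("corp.example", "apac.corp.example", two_way=True)
    # External trust: corp resources accept partner accounts; one-way, non-transitive.
    t.add_trust("corp.example", "partner.example", transitive=False)
    # Realm trust: emea resources accept principals from a UNIX Kerberos realm.
    t.add_trust("emea.corp.example", "UNIX.EXAMPLE", transitive=False)
    return t


if __name__ == "__main__":
    forest = build_example_forest()
    for src, dst in [("emea.corp.example", "apac.corp.example"),
                     ("partner.example", "emea.corp.example"),
                     ("corp.example", "partner.example")]:
        print(f"{src} -> {dst}: {forest.can_access(src, dst)}")
    print("can reach corp.example:", sorted(forest.account_domains_reaching("corp.example")))
```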
Trust Relationship Management
- Creation: Trust relationships are usually created using Active Directory Domains and Trusts or PowerShell commands.
- Validation: After creating a trust, it’s important to validate it to ensure that it is functioning correctly.
- Monitoring: Regularly monitor trust relationships to ensure they are operating as expected and to address any issues that may arise.
Organizational Units
Organizational Units (OUs) in Active Directory (AD) are containers used to organize and manage objects within a domain. They provide a way to structure and segment directory objects such as user accounts, computers, groups, and printers in a logical manner. Here’s a comprehensive look at OUs and their role in Active Directory:
Parent OU and Sub-OU Structure
Domain: Techhub.com
├── OU=Sales
│   ├── OU=NorthAmerica
│   └── OU=Europe
├── OU=IT
│   ├── OU=HelpDesk
│   └── OU=NetworkAdmins
└── OU=HR
    ├── OU=Recruitment
    └── OU=Payroll
What is an Active Directory group?
A security group contains accounts which can be used for security access. For example, a security group could be assigned rights to a particular directory on a file server.
A distribution group is used for sending information to users. It cannot be used for security access.
Global: Global scope security groups contain users only from the domain in which the group is created. Global security groups can be members of both Universal and Domain Local groups.
Universal: Universal scope security groups can contain users, global groups, and universal groups from any domain. These groups are typically used in a multi-domain environment if access is required across domains.
FSMO Roles in Active Directory
FSMO roles, or Flexible Single Master Operations, are a set of specialized roles in Active Directory (AD) that are critical for the proper functioning of the AD environment. There are five FSMO roles:
Schema Master FSMO Role
The Schema Master role manages the read-write copy of your Active Directory schema. The AD Schema defines all the attributes – things like employee ID, phone number, email address, and login name – that you can apply to an object in your AD database.
Domain Naming Master FSMO Role
The Domain Naming Master makes sure that you don’t create a second domain in the same forest with the same name as another. It is the master of your domain names. Creating new domains isn’t something that happens often, so of all the roles, this one is most likely to live on the same DC with another role.
RID Master FSMO Role
The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects. Each object in AD has an SID, and the last few digits of the SID are the Relative portion. In order to keep multiple objects from having the same SID, the RID Master grants each DC the privilege of assigning certain SIDs.
PDC Emulator FSMO Role
The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s good to be the PDC.
Infrastructure Master FSMO Role
The Infrastructure Master role translates Globally Unique Identifiers (GUID), SIDs, and Distinguished Names (DN) between domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If the Infrastructure Master doesn’t do its job correctly you will see SIDs in place of resolved names in your Access Control Lists (ACL).
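The RID Master and Infrastructure Master sections both come down to the structure of a SID. As an added example (not code from the original page), the block below converts a SID between its text form and the binary form stored in the objectSid attribute, splits a domain account SID into the domain part and the RID, and names the RID when it is one of the well-known values; the sample SID is a constructed value, not from any real domain.

```python
import struct

# Well-known RIDs every domain shares; RIDs from 1000 upwards come from the
# pools the RID Master allocates to individual DCs.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def parse_sid(text):
    """'S-1-5-21-a-b-c-rid' -> (revision, identifier_authority, [sub_authorities])."""
    parts = text.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision = int(parts[1])
    auth = int(parts[2], 16) if parts[2].startswith("0X") else int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or any(s >= 2 ** 32 for s in subs):
        raise ValueError("unsupported revision or bad sub-authority: %r" % text)
    return revision, auth, subs


def sid_to_bytes(text):
    """Binary objectSid layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then each sub-authority as a
    32-bit little-endian integer."""
    rev, auth, subs = parse_sid(text)
    header = struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data):
    """Inverse of sid_to_bytes; rejects blobs whose length disagrees with the count."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("truncated or oversized SID blob")
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % data[1], data[8:])
    return "-".join(["S", str(data[0]), str(auth)] + [str(s) for s in subs])


def split_domain_rid(text):
    """Domain account SIDs are S-1-5-21-<three values>-<RID>: the first part is
    the domain SID shared by every object in the domain, the final sub-authority
    is the RID drawn from the pool allocated to the DC that created the object."""
    rev, auth, subs = parse_sid(text)
    if auth != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % text)
    domain_sid = "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs[:4]])
    return domain_sid, subs[4]


def describe_unresolved_sid(text):
    """What can still be learned from a SID left unresolved in an ACL: which
    domain it belongs to and whether the RID is a well-known account."""
    domain_sid, rid = split_domain_rid(text)
    return domain_sid, rid, WELL_KNOWN_RIDS.get(rid, "pool-allocated RID")


if __name__ == "__main__":
    sample = "S-1-5-21-1004336348-1177238915-682003330-1105"  # constructed
    print(sid_to_bytes(sample).hex())
    print(describe_unresolved_sid(sample))
```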
Directory Services
Schema
The schema defines the structure of objects stored in Active Directory, such as User objects or Computer objects. It specifies what attributes an object can have along with their data types, which helps maintain consistency across all objects stored in Active Directory.
| Windows Server AD Version | Schema objectVersion Value |
|---|---|
| Windows Server 2025 | 90 |
| Windows Server 2022 | 88 |
| Windows Server 2019 | 88 |
| Windows Server 2016 | 87 |
| Windows Server 2012 R2 | 69 |
| Windows Server 2012 | 56 |
| Windows Server 2008 R2 | 47 |
| Windows Server 2008 | 44 |
| Windows Server 2003 R2 | 31 |
| Windows Server 2003 | 30 |
| Windows Server 2000 | 13 |
- Object Classes: The schema defines the various types of objects that can exist in AD. Each object class specifies a set of attributes that are associated with that type of object. For example, the `user` object class defines attributes like `username`, `password`, `email address`, and so on.
- Attributes: Each object class has a defined set of attributes that store information about the object. For instance, a `user` object might have attributes like `givenName`, `surname`, `telephoneNumber`, etc. The schema specifies the type, format, and constraints of these attributes.
- Schema Object: The schema itself is an object in AD and is stored in the Schema Naming Context. This is a special partition of the AD database that contains the definitions of all classes and attributes.
How the Schema Works
- Schema Definitions: When AD is first installed, it uses a predefined schema that comes with the software. This schema includes a standard set of object classes and attributes that support common AD functionalities.
- Schema Updates: The schema can be extended or modified to support additional requirements or applications. For example, installing certain applications or services might add new classes or attributes to the schema. This is done using schema modification tools like the Active Directory Schema MMC snap-in or the `ldifde` command-line tool.
- Schema Master Role: In a multi-domain AD forest, one Domain Controller (DC) holds the Schema Master role. This DC is responsible for making and replicating changes to the schema across the entire forest.
- Replication: Changes to the schema are replicated across all DCs in the forest. This ensures consistency and that all DCs have the same schema definitions.
- Schema Constraints: Once modified, the schema is immutable in the sense that you can’t remove or alter the existing classes or attributes without additional steps. However, you can add new ones or extend existing ones.
Global Catalog
The Global Catalog contains information about all objects from every domain within a forest making it easier to locate objects from any part of the forest without needing specific knowledge about where they reside.
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is used by applications such as email clients or web browsers to search for information stored in Active Directory through queries sent over the network.
Key Features of LDAP
- Directory Access:
- Purpose: LDAP allows for the retrieval and management of directory information, which can include user details, group memberships, organizational structures, and more.
- Function: Enables applications and systems to query directory databases to find and retrieve information based on criteria such as usernames, email addresses, or other attributes.
- Hierarchical Structure:
- Purpose: LDAP directories are organized in a hierarchical structure, reflecting the organizational layout or data model.
- Function: Uses a tree-like structure where data is organized in entries, each with a unique Distinguished Name (DN) that represents its position in the hierarchy.
- Standard Protocol:
- Purpose: LDAP provides a standardized protocol for directory services, ensuring compatibility across different systems and applications.
- Function: Defines how to interact with directory servers using standard operations such as search, bind, add, delete, and modify.
- Authentication and Security:
- Purpose: LDAP supports various authentication mechanisms to secure access to directory information.
- Function: Includes simple authentication, SASL (Simple Authentication and Security Layer), and TLS (Transport Layer Security) to ensure data integrity and confidentiality.
LDAP Operations
- Bind:
- Purpose: Establishes a connection to the LDAP server and authenticates the user.
- Function: Involves sending credentials to the LDAP server to gain access to directory information.
LDAP and Active Directory
- Integration: Active Directory uses LDAP as its primary protocol for accessing and managing directory information. LDAP queries can be used to interact with AD to retrieve user details, manage group memberships, and perform other directory-related operations.
- Port: By default, LDAP operates over port 389. For secure connections, LDAP over SSL (LDAPS) uses port 636.
LDAP Directory Structure
- Distinguished Name (DN): A unique identifier for each entry in the LDAP directory, representing its position within the hierarchical structure.
- Format: Composed of various components, such as the Common Name (CN), Organizational Unit (OU), and Domain Component (DC).
- Example:
CN=John Doe,OU=Users,DC=example,DC=com
- Entry: A single record in the LDAP directory, composed of attributes and their associated values.
- Attributes: Key-value pairs that describe properties of the entry, such as `mail`, `telephoneNumber`, or `title`.
Example LDAP Query
An example of an LDAP search query to find all users in the “Users” organizational unit might look like:
ldapsearch -x -b "OU=Users,DC=example,DC=com" "(objectClass=user)"
In this query:
- `-x`: Specifies simple authentication.
- `-b "OU=Users,DC=example,DC=com"`: Defines the base DN for the search.
- `"(objectClass=user)"`: The search filter to find objects of class “user”.
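The DN format described above and the base DN passed to ldapsearch can both be handled by a small parser. The following is an added example, not code from the original page: it splits a DN into its RDN components following the RFC 4514 escaping rules (backslash escapes and \XX hex pairs), then derives the domain DNS name, the OU chain as the OU tree earlier on the page shows it, and the container DN that serves as a search base. The DNs it is run on are constructed, and multi-valued RDNs (a=1+b=2) are kept as one value rather than split.

```python
# Hex digits accepted inside a \XX escape pair.
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Return [(attribute_type, value), ...], most specific RDN first."""
    rdns, attr, buf, i = [], None, bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                       # escape sequence
            esc = dn[i + 1:i + 3]
            if len(esc) == 2 and esc[0] in HEX and esc[1] in HEX:
                buf.append(int(esc, 16))     # \XX: one raw UTF-8 byte
                i += 3
            elif i + 1 < len(dn):
                buf += dn[i + 1].encode()    # \, \= \+ \" \\ and friends
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if ch == "=" and attr is None:       # end of the attribute type
            attr = buf.decode().strip()
            buf = bytearray()
        elif ch == ",":                      # end of this RDN
            if attr is None:
                raise ValueError("RDN without '=' in DN")
            rdns.append((attr, buf.decode()))
            attr, buf = None, bytearray()
        else:
            buf += ch.encode()
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in DN")
    rdns.append((attr, buf.decode()))
    return rdns


def escape_value(value):
    """Re-escape a value for the characters RFC 4514 reserves."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def domain_dns_name(dn):
    """Join the DC components: DC=example,DC=com -> example.com."""
    return ".".join(v for t, v in parse_dn(dn) if t.upper() == "DC")


def ou_path(dn):
    """OU chain from the domain root downwards, as in the OU tree above."""
    return [v for t, v in reversed(parse_dn(dn)) if t.upper() == "OU"]


def parent_dn(dn):
    """The container holding the object, i.e. the base DN ldapsearch -b takes."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in parse_dn(dn)[1:])
```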
Active Directory Database
Active Directory (AD) utilizes the Extensible Storage Engine (ESE), a database engine that differs from traditional relational databases like SQL. ESE is designed for high-speed record access, supporting a database file up to 16 terabytes and over 2 billion records. The AD database typically resides in C:\Windows\NTDS, but for enhanced performance and safety, it’s recommended to store it on a separate partition from the operating system.
The key Active Directory database files and their functions are:
- `ntds.dit`: The primary database file for Active Directory, containing the directory information such as user accounts, groups, and computer accounts. It supports the various data structures necessary for AD operations.
- `edb.log`: The transaction log files that record changes made to the AD database. They are used to maintain consistency and to recover the database to a consistent state in case of a failure.
- `edb.chk`: This checkpoint file keeps track of which transactions in the log files have been applied to the database. It helps in recovery processes by indicating the last checkpoint.
- `temp.edb`: Used temporarily during database maintenance and typically removed after the maintenance is completed. It helps manage large transactions that cannot be handled directly in the `ntds.dit` file.
- `res1.log` and `res2.log`: Reserved log files that are used when the `edb.log` files are full. They ensure that there is always a place for new log entries.
SYSVOL
This is a shared directory on each domain controller (DC) in the domain. It contains the public files that need to be accessible to all domain controllers in the domain. This includes:
- Group Policy Objects (GPOs): Settings that define user and computer configurations.
- Scripts: Logon, logoff, startup, and shutdown scripts.
- Domain-specific data: Such as configuration information and folder redirection settings.
Default Location: By default, SYSVOL is located at C:\Windows\SYSVOL. During the domain controller setup, this location can be changed, but it’s important to ensure that the new location is properly configured and replicated.
Replication: SYSVOL data is replicated between domain controllers using either the File Replication Service (FRS) or Distributed File System Replication (DFSR), depending on the version of Windows Server. FRS was used in earlier versions, but newer installations use DFSR by default for its improved performance and reliability.
Windows Backup System State
Backing up the System State is a critical aspect of Windows server management, especially for domain controllers. Here’s a concise breakdown of what’s included in a System State backup:
- Active Directory DC Database File (`ntds.dit`): The core Active Directory database containing all directory objects and settings.
- SYSVOL Folder and Its Files: Essential for domain-wide policy and script distribution; includes Group Policy Objects (GPOs) and logon scripts.
- Certificate Store: Stores certificates used for various security functions, including SSL/TLS and code signing.
- User Profiles: Contains individual user settings, desktop configurations, and personal files.
- IIS Metabase: Holds configuration settings for Internet Information Services (IIS) if the server is running web services.
- Boot Files: Includes files necessary for the system startup process.
- DLL Cache Folder: Contains cached copies of system files to assist in quicker system repairs.
- Registry Info: The Windows Registry stores critical configuration and setting information for the operating system and installed applications.
- COM+ and WMI Info: Information related to Component Object Model (COM) and Windows Management Instrumentation (WMI) for system management and automation.
- Cluster Service Info: Configuration and state information for failover clustering services, if applicable.
- Windows Resource Protection System Files: Includes system files protected to ensure the integrity of the operating system.