This document provides an overview of Active Directory and covers several key topics:
- It discusses the logical structure of Active Directory, including the data store, schema, global catalog, and replication.
- It describes different Active Directory objects like users, computers, groups and organizational units.
- It introduces Windows Server 2008 server roles and the benefits of using Active Directory for identity and access management.
- It also gives an overview of Active Directory domains, forests and trees and how objects are organized within this hierarchical structure.
In summary, the document provides a comprehensive introduction to the components, objects and benefits of Microsoft's Active Directory directory service.
4. Suleyman Demirel University, 2012
MCTS Course Overview
• Chapter 1 - Overview of Active Directory
• Chapter 2 - Domain Name System (DNS)
• Chapter 3 - Planning and Installation of Active Directory
• Chapter 4 - Installing and Managing Trees and Forests
• Chapter 5 - Configuring Sites and Replication
• Chapter 6 - Configuring Active Directory Server Roles
• Chapter 7 - Administering Active Directory
• Chapter 8 - Configuring Group Policy Objects
• Chapter 9 - Planning Security for Active Directory
• Chapter 10 - Active Directory Optimization and Reliability
5. Suleyman Demirel University, 2012
Chapter 1 - Overview of Active Directory
• The Industry before Active Directory
• The Benefits of Active Directory
• Understanding Active Directory’s Logical Structure
• Understanding Active Directory Objects
• Introducing Windows Server 2008 Server Roles
• Introducing Identity and Access (IDA) in Windows Server
2008
8. Suleyman Demirel University, 2012
The Benefits of Active Directory
• Hierarchical organization
• Extensible schema
• Centralized data storage
• Replication
• Ease of administration
• Network security
• Client configuration management
• Scalability
• Search functionality
9. Suleyman Demirel University, 2012
Hierarchical organization
• Active Directory is based on a hierarchical layout.
Through the use of various organizational components (or
objects), a company can create a network management
infrastructure and directory structure that mirrors the
business organization.
11. Suleyman Demirel University, 2012
Hierarchical organization
• Active Directory also integrates with the network naming
service, the Domain Name System (DNS).
• DNS provides for the hierarchical naming and location of
resources throughout the company and on the public
Internet.
• Example:
stellacon.com
• sales.stellacon.com
• hr.stellacon.com
sales.stellacon.com hr.stellacon.com
12. Suleyman Demirel University, 2012
Extensible schema
• It is very difficult to store all type of information in one
storage repository.
• That’s why Active Directory has been designed with
extensibility in mind.
13. Suleyman Demirel University, 2012
Extensible schema
• The schema is the actual structure of the database—
what data types it contains and the location of their
attributes.
• The schema is important because it allows applications to
know where particular pieces of information reside.
14. Suleyman Demirel University, 2012
Centralized data storage
• All of the information within Active Directory resides within
a single, distributed, data repository.
• Users and systems administrators must be able to easily
• access the information they need wherever they may be
within the company.
15. Suleyman Demirel University, 2012
Benefits of centralized data storage
• The benefits of centralized data storage include reduced
administrative requirements, less duplication, higher
availability, and increased visibility and organization of
data.
16. Suleyman Demirel University, 2012
Replication
• If server performance and reliability were not concerns, it
might make sense to store the entire Active Directory on a
single server.
• Active Directory provides for this functionality.
18. Suleyman Demirel University, 2012
Replication
• What kind of problems can be occurred in replication?
• Your idea…
19. Suleyman Demirel University, 2012
Ease of administration
• In order to accommodate various business models, Active
Directory can be configured for centralized or
decentralized administration.
• This gives network and systems administrators the ability
to delegate authority and responsibilities throughout the
organization while still maintaining security.
20. Suleyman Demirel University, 2012
Ease of administration
• Furthermore, the tools and utilities used to add, remove,
and modify Active Directory objects are available with all
Windows Server 2008 domain controllers (except read-
only domain controllers).
21. Suleyman Demirel University, 2012
Network security
• Through the use of a single logon and various
authentication and encryption mechanisms, Active
Directory can facilitate security throughout an entire
enterprise.
• Through the process of delegation, higher-level security
authorities can grant permissions to other administrators.
For ease of administration, objects in the Active Directory
tree inherit permissions from their parent objects.
22. Suleyman Demirel University, 2012
Network Security
• Application developers can take advantage of many of
these features to ensure that users are identified uniquely
and securely.
• Network administrators can create and update
permissions as needed from within a single repository,
thereby reducing chances of inaccurate or outdated
configuration.
23. Suleyman Demirel University, 2012
Client configuration management
• One of the biggest struggles for systems administrators
comes with maintaining a network of heterogeneous
systems and applications.
• A fairly simple failure—such as a hard disk crash—can
cause hours of work in reconfiguring and restoring a
workstation, especially an enterprise-class server.
• The overall benefit is decreased downtime, a better end-
user experience, and reduced administration.
24. Suleyman Demirel University, 2012
Scalability
• Large organizations often have many users and large
quantities of information to manage.
• Active Directory was designed with scalability in mind.
Not only does it allow for storing millions of objects within
a single domain, it also provides methods for distributing
the necessary information between servers and locations.
25. Suleyman Demirel University, 2012
Search functionality
• For example, if we need to find a printer, we should not
need to know the name of the domain or print server for
that object.
• Using Active Directory, users can quickly find information
about other users or resources, such as printers and
servers, through an intuitive querying interface.
27. Suleyman Demirel University, 2012
Components and Mechanisms of Active
Directory
• Data Store
• Schema
• Global Catalog
• Searching Mechanisms
• Replication
28. Suleyman Demirel University, 2012
Data Store
• The term data store is used to refer to the actual
structure that contains the information stored within Active
Directory.
• The data store is implemented as a set of files that
resides within the file system of a domain controller. This
is the fundamental structure of Active Directory.
29. Suleyman Demirel University, 2012
Schema
• The Active Directory schema consists of rules on the
types of information that can be stored within the
directory.
• The schema is made up of two types of objects: attributes
and classes.
31. Suleyman Demirel University, 2012
Attribute
• An attribute is a single granular piece of information
stored within Active Directory. First Name and Last Name,
for example, are considered attributes, which may contain
the values of Bob and Smith respectively.
32. Suleyman Demirel University, 2012
Class
• A class is an object defined as a collection of attributes.
For example, a class called Employee could include the
First Name and Last Name attributes.
33. Suleyman Demirel University, 2012
Comparison of Attribute and Class
Class Employee
Att.Name Att.Surname
Berik Serikov
34. Suleyman Demirel University, 2012
Attributes and Classes
Att.Name
Class Employee Berik
Any number of classes can use
the same attributes.
Att.Surname
Class AwardWinners Serikov
35. Suleyman Demirel University, 2012
Global Catalog
• The Global Catalog is a database that contains all of the
information belongs to objects within all domains in the
Active Directory environment.
• You can think of the Global Catalog as something like a
universal phone book.
36. Suleyman Demirel University, 2012
An Overview of Active Directory Domains
• An Active Directory domain contains a logical partition of
users, groups, and other objects within the environment.
Domain
37. Suleyman Demirel University, 2012
Objects in Domain shares
Objects in
Domain
Shares
Group Policy Hierarchical
Hierarchical Trust
and Security Object
inheritance relationships
Permission Naming
38. Suleyman Demirel University, 2012
Group Policy and security permissions
• Security for all of the objects within a domain can be
administered based on policies.
• These policies can apply to all of the users, computers,
and objects within the domain. For more granular security
settings, however, permissions can be granted on specific
objects, thereby distributing administration responsibilities
and increasing security.
39. Suleyman Demirel University, 2012
Hierarchical object naming
• All of the objects within an Active Directory container
share a common namespace.
• Example:
• zhamanov@sdu.edu.kz
• shalkar.ardak@sdu.edu.kz
• Common part of addresses is sdu.edu.kz
40. Suleyman Demirel University, 2012
Hierarchical object naming
• Example with different departments:
• zhamanov@engineering.sdu.edu.kz
• baribayev@philology.sdu.edu.kz
• Common part of addresses sdu.edu.kz
• Zhamanov – is on engineering faculty
• Baribayev – is on philology faculty
41. Suleyman Demirel University, 2012
Hierarchical inheritance
• Containers called organizational units (OUs) can be
created within a domain.
• These units are used for creating a logical grouping of
objects within Active Directory.
• The specific settings and permissions assigned to an OU
can be inherited by lower-level objects.
42. Suleyman Demirel University, 2012
Hierarchical inheritance
If we will make configuration to OU EN
Lower-layer objects will inherit that configurations
OU EN
5B070400 5B070300 5B010900
43. Suleyman Demirel University, 2012
Trust relationships
Domain A Domain B Domain C
Implicit trust between Domains A and C
= Transitive
two-way trust
44. Suleyman Demirel University, 2012
Overview of an Active Directory Forest
• Domain trees are hierarchical collections of one or more
domains that are designed to meet the organizational
needs of a business
46. Suleyman Demirel University, 2012
Root Domain
• First installed domain gets status of Root Domain
• By default, trust relationships are automatically
established between parent and child domains within a
tree.
47. Suleyman Demirel University, 2012
Active Directory Forest
• Active Directory Forest - noncontiguous group of
domains.
50. Suleyman Demirel University, 2012
Objects
• The Active Directory database is made up of units called
objects.
• Each object represents a single unique database entry.
52. Suleyman Demirel University, 2012
GUID/SID
• GUID - globally unique identifier
• Is used in Replication.
• SID - security identifier
• All rights and permissions of object placed into the SID not to
account name.
53. Suleyman Demirel University, 2012
Example of SID
Farida is Sales Manager and she is going to maternity leave. HR hire for
temporary work Manshuk and Manshuk needs the same permissions like
Farida had. System administrator changes Account name, but SID is the
same.
Farida Manshuk
57. Suleyman Demirel University, 2012
Answer
• Full DN consist in this components:
• O – Organization
• DC – Domain Components - > en.sdu.kz, ph.sdu.kz
• CN – Common Name
• /O=Internet/DC=kz/DC=sdu/DC=en/CN=instructor/CN=Berik Serikov
• /O=Internet/DC=kz/DC=sdu/DC=ph/CN=instructor/CN=Berik Serikov
58. Suleyman Demirel University, 2012
Comparison of SID and DN
• If you change structure of domain, DN will be changed,
SID will not be changed.
59. Suleyman Demirel University, 2012
Organizational Unit
• OUs are container objects that can be hierarchically
arranged within a domain.
60. Suleyman Demirel University, 2012
Using Organizational Units (OUs) in
Active Directory
= OU
Engineering faculty
•Administration
•Teachers
•Stuff
Philology faculty
•Administration
•Teachers
•Stuff
65. Suleyman Demirel University, 2012
User Accounts
• User accounts define the login information and
passwords that individuals using your network need to
enter to receive permissions to use network objects.
66. Suleyman Demirel University, 2012
Computer Objects
• Computer objects allow systems administrators to
configure the functions that can be performed on client
machines throughout the environment.
67. Suleyman Demirel University, 2012
Group Objects Security
Database
Engineer
Files
Place Permissions
Philology
in to
Economists
Printers
Users Groups Resource
69. Suleyman Demirel University, 2012
Security Groups
• Security groups are used to administer permissions. All
members of a security group receive the same security
settings and are able to send email and other messages
to several different users at once.
• For security permissions.
70. Suleyman Demirel University, 2012
Distribution Groups
• Distribution groups are used only to send email and
other messages to several different users at once. You
don’t have to maintain security permissions when using
distribution groups, but they can help you handle multiple
users.
• For mail distribution.
71. Suleyman Demirel University, 2012
Delegation of Administrative Control
• An OU is the smallest component within a domain to
which administrative permissions and group policies can
be assigned.
• Delegation occurs when a higher security authority
assigns permissions to a lower security authority.
73. Suleyman Demirel University, 2012
Server Manager
• Server Manager - Server Manager is a Microsoft
Management Console (MMC) snap-in that allows an
administrator to view information about server
configuration, the status of roles that are installed, and
links for adding and removing features and roles
75. Suleyman Demirel University, 2012
Roles in Windows Server 2008 AD
• Active Directory Certificate Services
• Active Directory Domain Services
• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Active Directory Rights Management Services
76. Suleyman Demirel University, 2012
Active Directory Certificate Services
• AD CS - allows administrators to configure services for
issuing and managing public key certificates.
• Companies can benefit from AD CS security by combining
a private key with an object (such as users and
computers), devices (such as routers), or services.
77. Suleyman Demirel University, 2012
AD CS
To Customer
I can not use
Support:
I need to get
private
I am your subscriber
Certificate now I
Thank you,
resources certificate
andhave rights for
I need
to get resources
resources
To Customer:
I know you, here is
your Certificate
Customer
Customer
Support
78. Suleyman Demirel University, 2012
AD CS Components
AD CS
Components
Network
Certification Online
Web Device
authorities Responder
enrollment Enrollment
(CAs) Service
Service
79. Suleyman Demirel University, 2012
Web Enrollment
• This feature allows users to request certificates and
retrieve certificate revocation lists (CRLs) through the use
of a web browser.
80. Suleyman Demirel University, 2012
Certification Authorities (CAs)
AD CS
Components
Enterprise Stand Alone
Root CAs CAs
81. Suleyman Demirel University, 2012
Enterprise Root CAs
• Enterprise Root CAs (automatically integrated with Active
Directory) are the topmost trusted CAs of the hierarchy.
They hold the certificates that you issue to the users
within your organization.
82. Suleyman Demirel University, 2012
Stand Alone CAs
• The Stand Alone Root CAs hold the CAs that you issue to
Internet users.
83. Suleyman Demirel University, 2012
Certification Authorities (CAs)
• The Enterprise or Stand Alone Root CAs give certificates
to the Subordinate CAs, which in turn issue certificates to
objects and services
84. Suleyman Demirel University, 2012
Network Device Enrollment Service
• The Network Device Enrollment Service allows network
devices (such as routers) to obtain a certificate even
though they do not have an account in the Active
Directory domain.
85. Suleyman Demirel University, 2012
Online Responder Service
• Some applications such as Secure/Multipurpose Internet
Mail Extensions (S/MIME), Secure Sockets Layer (SSL),
Encrypting File System (EFS), and smart cards may need
to validate the status of a certificate.
• The Online Responder service responds to certificate
status requests, evaluates the status of the certificate that
was requested, and answers the request with a signed
response containing the certificate’s status information.
86. Suleyman Demirel University, 2012
Active Directory Domain Services
AD DS
Restartable Active
Read-Only Domain Fine-Grained
Auditing Directory Domain
Controllers(RODCs) Password Policies
Services
87. Suleyman Demirel University, 2012
Read-Only Domain Controllers (RODCs)
• Read-Only Domain Controllers are placed in small offices
without security data centers.
• Users or someone else don’t have permission to change
Active Directory database.
88. Suleyman Demirel University, 2012
Read-Only Domain Controllers (RODCs)
Writable Windows Server
In Secure Data Center
RODC RODC RODC
90. Suleyman Demirel University, 2012
Auditing in Windows Server 2008
• In previous versions of Microsoft Windows Server, you
had the ability to audit Active Directory by watching for
successes or failures.
• The problem with this was that, although you could view
the Security Log and notice that someone accessed an
object, you could not view what they might have changed
in that object’s attributes.
• In Microsoft Windows Server 2008, you can view the
new and old values of the object and its attributes.
91. Suleyman Demirel University, 2012
Fine-Grained Password Policies
• Different passwords for different purposes, for same
account.
92. Suleyman Demirel University, 2012
Fine-Grained Password Policies
Resources
Read only Email distribution Full access
User
93. Suleyman Demirel University, 2012
Restartable Active Directory Domain
Services
• In Windows Server 2008 Active Directory we have new
ability to turn off window Domain Service wile other
services will still work.
94. Suleyman Demirel University, 2012
Restartable Active Directory Domain
Services
Physical Server
Includes logical services
Logical Logical Logical
DNS Service DHCP Service Active Directory
Service
95. Suleyman Demirel University, 2012
Active Directory Federation Services
• AD FS gives users the ability to do a single sign-on (SSO)
and access applications on other networks without
needing a secondary password.
96. Suleyman Demirel University, 2012
Active Directory Federation Services
To ADFS A:
ADFS A
Yes To ADFS B: ADFS B
I believe him!
AD
To Web Server:
I need resources
ADFS thinking:
ToTo ADFS A:
Web Server:
To AD: Berik can access
Can you prove that
Give him what he
Is it really Berik? this is really but I
resources, Berik?
want.
have to prove Berik.
Web Server
97. Suleyman Demirel University, 2012
Active Directory Lightweight Directory
Services
• Active Directory Lightweight Directory Services (AD LDS) is a
Lightweight Directory Access
• Protocol (LDAP) directory service. This type of service allows
directory-enabled applications
• to store and retrieve data without needing the dependencies AD DS
requires.
• To fully understand AD LDS, you must first understand the LDAP.
LDAP is an application
• protocol used for querying and modifying directory services.
• Think of directory services as an address book. An address book is a
set of names (your
• objects) that you organize in a logical and hierarchical manner
(names organized alphabetically).
• Each name in the address book has an address and phone number
(the attributes of your
• objects) associated with it. LDAP allows you to query or modify this
address book.
98. Suleyman Demirel University, 2012
Active Directory Rights Management
Services
• Active Directory Rights Management Services (AD RMS),
included with Microsoft Windows Server 2008, allows
administrators or users to determine what access (open,
read, modify, etc.) they give to other users in an
organization.
• This access can be used to secure email messages,
• internal websites, and documents.
104. Suleyman Demirel University, 2012
Strong Authentication
• Another easy way to help with strong authentication is to
enforce a strong password policy (minimum password
lengths, unique characters, a combination numbers and
letters, and mixed capitalization).
105. Suleyman Demirel University, 2012
Federated Identities
• AD FS gives users the ability to do a single sign-on (SSO)
and access applications on other networks without a
secondary password.
• Federated Identities enables new models for cross-over
SSO systems between organizations. SSO can be used
for Windows and non-Windows environments.
106. Suleyman Demirel University, 2012
Information Protection
• Active Directory Rights Management Service (AD RMS) is
what information protection is all about.
• This service allows administrators or users to determine
• what access (open, read, modify, etc.) they give to other
users in an organization. This access can be used to
secure email messages, internal websites, and
documents.
107. Suleyman Demirel University, 2012
Identity Lifecycle Management
• Allow user to reset their own passwords. By using
instruments like secret question.
• Example of new service of www.homebank.kz
• Helpdesk support technicians reportedly spend an
average of one-third of their workdays resetting
passwords.