Monday, December 9, 2013

Basics: Active Directory

Directory Service
Active Directory (AD) is Microsoft's official Directory Service. It was introduced with Windows 2000 and is the successor of NTDS 4.0 (Windows NT 4.0 Directory Services).  Microsoft made some good decisions when designing AD, because it included a Kerberos implementation with their existing capabilities.
AD not only stores users, computers, printers, etc; but since version 31 (Windows Server 2003 R2) it contains the RFC 2307 schema (more on that later).

In Summary, Active Directory provides:
  • An LDAP Directory that supports Discretionary Access Control Lists (securable objects)
  • A Kerberos authentication infrastructure
  • Group Policy, for policy enforcement and computer and configuration management 
  • A Certificate Authority that leverages Group Policy for digital certificate life-cycle management
  • Highly-available and highly scalable:  this is a key capability, especially for big enterprises

Basic AD Concepts

For an official explanation, go here.  I think that understanding these basic concepts will help understand the rest of this blog.
 
Component Description
Organizational UnitsOUs are like folders.  They can store objects.  Use them to organize your domain in a way that makes sense to you or your organization.
DomainsDomains are containers that share a common database and security policy.  Think about them as a major management unit.  They can span multiple locations and can contain millions of objects.
Domain TreesDomain trees are hierarchical structures.  They are named like DNS.  E.g.  contoso.com is a parent domain.  sub1.contoso.com and sub2.contoso.com are part of the contoso tree.
ForestsA forest is a full instance of AD.  It can contain multiple domains that share the same global structure, schema and directory configuration.  Forests serve as security boundaries.
Sites and 
Services
Sites are typically collections of subnets connected to a fast network link.
Services are scoped to sites, so that services that rely on Active Directory can find the best connected server



Name Resolution
Active Directory depends on DNS to provide name resolution and also has the ability to store the DNS database in Active Directory, this makes DNS fully replicated and scalable; however it's possible to host AD DNS zones in BIND servers. SRV records provide the information required by hosts to find the nearest services.

Domain Controllers
Domain Controllers (DCs) contain a copy of the Active Directory database.  DCs process and return results of LDAP queries, process authentication requests (over Kerberos), and present Group Policy objects that are processed by clients.  Communications between DCs and clients are encrypted.  
There are special domain controllers:
RODCs - DCs that only contain read-only data
Global Catalogs - Contain a subset of attributes for all the objects in an AD forest
Flexible Single Master Operations (FSMO) - these are DCs that hold special roles in an AD given that there are DCs that have an authoritative copy of a particular role.  Read more here.

Connection Points
According to Technet:   "A Connection Point object represents one or more instances of a service that is available in a network." Centrify uses service connection points to instantiate multiple UNIX identities for AD principals.
 
For now, these are enough concepts.  We will cover more concepts throughout the process.



No comments:

Post a Comment