Active Directory Concepts (1)

Overview of AD DS

AD DS is composed of both logical and physical components

Logical Components

Physical Components

AD DS Domains

  • AD DS requires one or more domain controllers
  • Every writable domain controller holds a full copy of the domain database, kept consistent by multi-master replication; a read-only domain controller (RODC) holds a read-only copy that omits account secrets unless its password replication policy allows them
  • The domain is the context within which user accounts, computer accounts, and groups are created
  • The domain is a replication boundary for the domain partition (the schema and configuration partitions replicate to every domain controller in the forest)
  • The domain is an administrative center for configuring and managing objects
  • Any domain controller can authenticate any sign-in anywhere in the domain (an RODC forwards requests for accounts whose secrets it does not cache to a writable domain controller)

What Are OUs?

  • Containers used to group objects within a domain; unlike the built-in containers (Users, Computers), OUs can be nested and can have Group Policy linked to them
  • Create OUs to:
  1. Configure the objects in them by linking GPOs to the OU (GPOs link to sites, domains and OUs, not to the built-in containers)
  2. Delegate administrative permissions over just those objects, through an ACL on the OU that inherits to its children
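
Both reasons in one script, as an added example that is not code from the original post: it creates an OU, links an existing GPO to it, and delegates only the password-reset right on user objects under it to a helpdesk group. The names corp.example, Helpdesk-Managed, Workstation Baseline and Helpdesk Operators are assumptions; the two GUIDs are the well-known Reset Password control access right and the user object class from the AD schema.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules, a GPO named 'Workstation Baseline' that already exists, and
# a group 'Helpdesk Operators'. OU and group names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example
$ouName     = 'Helpdesk-Managed'                  # assumed OU name
$gpoName    = 'Workstation Baseline'              # assumed, must already exist
$delegateTo = 'Helpdesk Operators'                # assumed group name

# 1. Create the OU. Protect it so a stray Remove-ADObject cannot take the subtree with it.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true -PassThru

# 2. Configure the objects in it by linking the GPO to the OU.
New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null

# 3. Delegate: allow the helpdesk group to reset passwords on user objects under this
#    OU and nothing else. ExtendedRight + the Reset Password GUID, applied only to
#    descendant objects of class user.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$userClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class user
$sid = (Get-ADGroup $delegateTo).SID

$aclPath = "AD:\$($ou.DistinguishedName)"
$acl  = Get-Acl -Path $aclPath
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $resetPasswordRight,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $aclPath -AclObject $acl

# Verify: the ACE for the group should carry the reset-password GUID as ObjectType
# and the user class GUID as InheritedObjectType, nothing broader.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$delegateTo" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The point of the narrow ACE is that the delegated group never receives GenericAll or WriteDacl on the OU, which is how "helpdesk can reset passwords" delegations usually turn into a path to Domain Admins: the verification at the end is the check to run after using the Delegation of Control wizard, which builds the same ACE but makes it easy to tick too many boxes.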

 

AD DS Forest

A forest is the logical construct that Active Directory Domain Services (AD DS) uses to group one or more domains that share a single schema and configuration partition. The domains store objects such as users and groups and provide authentication services. All domains in a forest trust each other through transitive trusts, which is why the forest, not the domain, is the security boundary: an administrator of any domain in the forest can reach the others. In an Azure AD DS managed domain, the forest contains only one domain.


AD DS Schema

Domain Controller

  • Servers that host the AD DS database (Ntds.dit) and the SYSVOL share (Group Policy templates and logon scripts)
  • The Kerberos Key Distribution Center (KDC) service on each domain controller, with its Authentication Service and Ticket-Granting Service, performs authentication
  • Best practices:
  1. Availability: at least two writable domain controllers in every domain
  2. Security: use read-only domain controllers (RODCs) where physical security is weak, and encrypt domain controller volumes with BitLocker so that Ntds.dit cannot be copied and read offline
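
A check for the two best practices above against the current domain, as an added example that is not code from the original post. It assumes the RSAT ActiveDirectory module, an account that can read domain controller objects and RODC password replication usage, and WinRM access to the domain controllers for the BitLocker part.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)
$dcs | Select-Object HostName, Site, IPv4Address, IsReadOnly, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# Availability: only writable DCs count. An RODC cannot originate changes, so it does
# not keep the domain writable if the last full DC is lost.
$writable = @($dcs | Where-Object { -not $_.IsReadOnly })
if ($writable.Count -lt 2) {
    Write-Warning "Only $($writable.Count) writable domain controller(s); at least two are recommended."
}

# Security, RODC: an RODC caches only the secrets its password replication policy
# allows. List what each RODC has actually cached and flag Domain Admins members,
# whose secrets should never sit on a box chosen because its physical security is weak.
$privileged = @(Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName)
foreach ($rodc in ($dcs | Where-Object { $_.IsReadOnly })) {
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
    '{0}: {1} account(s) with secrets cached' -f $rodc.HostName, $revealed.Count
    foreach ($acct in $revealed) {
        if ($privileged -contains $acct.SamAccountName) {
            Write-Warning "Privileged account cached on $($rodc.HostName): $($acct.SamAccountName)"
        }
    }
}

# Security, BitLocker: the volume holding Ntds.dit and SYSVOL should be encrypted,
# otherwise anyone who walks off with the disk can extract every hash in the domain.
# Adjust the mount point if the database lives on a volume other than the system drive.
foreach ($dc in $dcs) {
    try {
        $vol = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Get-BitLockerVolume -MountPoint $env:SystemDrive   # needs the BitLocker feature on the DC
        }
        '{0}: system volume protection is {1}' -f $dc.HostName, $vol.ProtectionStatus
    } catch {
        Write-Warning "$($dc.HostName): could not read BitLocker status ($($_.Exception.Message))"
    }
}
```

ProtectionStatus of Off on a domain controller, or a privileged account in an RODC's revealed list, are the two findings this script exists to surface; the RODC policy itself can be inspected with Get-ADDomainControllerPasswordReplicationPolicy if an unexpected account shows up.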

Global Catalog

The global catalog (GC) lets users and applications find objects anywhere in an Active Directory forest, given one or more attributes of the target object. A GC holds a full, writable replica of its own domain partition plus a partial, read-only replica of every other domain partition in the forest, containing only the attributes in the partial attribute set, together with the schema and configuration naming contexts. GC queries go to LDAP port 3268 (3269 over TLS) instead of 389, and a GC is also needed at sign-in to resolve universal group membership.
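
The same search sent to a global catalog (port 3268) and to one domain's own partition (port 389), as an added example that is not code from the original post. The layout it assumes is a root domain corp.example, a child domain eu.corp.example, and a user jdoe who lives in the child; the attribute names are ordinary schema attributes and which of them are in the partial attribute set is read from the schema rather than assumed.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and the forest layout described in the lead-in (names are placeholders).
Import-Module ActiveDirectory

# Locate any GC in the forest with the DC locator, then talk to its GC port.
$gc = Get-ADDomainController -Discover -Service GlobalCatalog
$gcServer = '{0}:3268' -f $gc.HostName

# Forest-wide: an empty search base on the GC port means the whole catalog, so jdoe
# is found even though the object lives in a different domain than the GC.
$fromGc = @(Get-ADObject -LDAPFilter '(sAMAccountName=jdoe)' -SearchBase '' -Server $gcServer `
               -Properties sAMAccountName, mail, department, employeeID)

# Same filter against the root domain on 389: the child domain is a separate partition
# served by its own DCs, so this search returns nothing.
$fromRoot = @(Get-ADObject -LDAPFilter '(sAMAccountName=jdoe)' -Server 'corp.example')

'Found via GC:   {0}' -f ($fromGc.DistinguishedName -join '; ')
'Found via root: {0} object(s)' -f $fromRoot.Count

# The GC only returns attributes in the partial attribute set (PAS); anything else reads
# back empty and must be fetched from a DC of the object's own domain. Read the schema to
# see which of the requested attributes are in the PAS instead of guessing.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in 'sAMAccountName', 'mail', 'department', 'employeeID') {
    $def = Get-ADObject -SearchBase $schemaNC -Properties isMemberOfPartialAttributeSet `
               -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    '{0,-16} in PAS: {1}' -f $attr, [bool]$def.isMemberOfPartialAttributeSet
}
$fromGc | Select-Object sAMAccountName, mail, department, employeeID
```

An attribute that reads back empty from 3268 but populated from 389 is not a replication problem; it is simply not in the PAS, and the fix is either to query the object's home domain or, for attributes applications genuinely need forest-wide, to add them to the PAS in the schema, which triggers a GC replication of that attribute across the forest.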


The AD DS Sign-in Process

  1. The user signs in; the workstation sends the user's credentials to a domain controller as a Kerberos AS-REQ, with pre-authentication data encrypted under the key derived from the user's password.
  2. The domain controller's KDC validates the pre-authentication and returns a ticket-granting ticket (TGT) to the client.
  3. The client presents the TGT to the domain controller and requests a service ticket for the workstation itself (its host/ service principal name).
  4. The domain controller returns that service ticket; the workstation accepts it and completes the logon.
  5. To reach a server, the client presents the TGT to the domain controller again and requests a service ticket for that server's service principal name.
  6. The domain controller returns the service ticket, and the client presents it to the server, which grants access.

The domain controller issues tickets; the access decision in steps 4 and 6 is made by the workstation or server that receives the ticket, and the user's password is never sent over the network after step 1.
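
Steps 2, 5 and 6 can be watched in the local Kerberos ticket cache with klist; the script below is an added example, not code from the original post. It is meant to run on a domain-joined workstation as the user whose sign-in is being traced, and assumes a realm CORP.EXAMPLE and a file server fs01.corp.example.

```powershell
# Added example, not from the original post. Run as the signed-in domain user.
# fs01.corp.example is a placeholder server name.

function Get-CachedTicketServers {
    # klist prints one "Server:" line per cached ticket, e.g.
    #   Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE      (the TGT from step 2)
    #   Server: cifs/fs01.corp.example @ CORP.EXAMPLE   (a service ticket from step 6)
    klist | Select-String -Pattern '^\s*Server:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

$before = @(Get-CachedTicketServers)

# Step 5: hand the TGT to the KDC and ask for a service ticket for the server's SPN.
# "klist get" does exactly that without touching the server itself.
klist get cifs/fs01.corp.example | Out-Null

$after = @(Get-CachedTicketServers)

foreach ($spn in $after) {
    if ($spn -like 'krbtgt/*') {
        $kind = 'TGT (step 2)'
    }
    elseif ($before -notcontains $spn) {
        $kind = 'new service ticket (step 6)'
    }
    else {
        $kind = 'service ticket (cached earlier)'
    }
    '{0,-32} {1}' -f $kind, $spn
}

# No TGT in the cache means this session did not authenticate with Kerberos (a local
# account, or an NTLM fallback), so the steps above did not happen for it.
if (-not ($after | Where-Object { $_ -like 'krbtgt/*' })) {
    Write-Warning 'No TGT cached: this session is not using Kerberos'
}
```

If the cifs/ ticket never appears and the server is reachable, the usual cause is a missing or duplicated SPN, which makes the client fall back to NTLM; that fallback is invisible in the application but visible here.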

Operations Masters

In the multi-master replication model any writable domain controller accepts changes, but a few operations would produce conflicting results if two domain controllers performed them at once, so each of those is assigned to a single master.
Many terms are used for single-master operations in AD DS, including:

  • Operations master (or operations master roles)
  • Single master roles
  • Flexible single master operations (FSMOs)

Five FSMO roles

Forest (one holder per forest):

  • Domain naming master (the only domain controller that can add or remove domains and application partitions in the forest)
  • Schema master (the only domain controller that accepts schema changes)

Domain (one holder per domain):

  • RID master (allocates blocks of relative IDs that the other domain controllers use to build new security identifiers)
  • Infrastructure master (keeps cross-domain references such as group members from other domains current; should not run on a global catalog unless every domain controller in the domain is one)
  • PDC Emulator master (authoritative time source for the domain, receives password changes and account lockouts urgently, and is consulted before an authentication is rejected for a bad password in case the password was just changed)
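
An added example, not code from the original post, that finds the holder of each of the five roles and runs the checks a practitioner wants before trusting the list. It assumes the RSAT ActiveDirectory module and read access to the forest and domain objects.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain    # the current user's domain; pass -Identity for another one

$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster          # forest-wide
    'Domain naming master'  = $forest.DomainNamingMaster    # forest-wide
    'RID master'            = $domain.RIDMaster             # per domain
    'Infrastructure master' = $domain.InfrastructureMaster  # per domain
    'PDC emulator'          = $domain.PDCEmulator           # per domain
}
foreach ($r in $roles.GetEnumerator()) { '{0,-22} {1}' -f $r.Key, $r.Value }

# Cross-check with what each DC reports about itself.
Get-ADDomainController -Filter * |
    Where-Object { $_.OperationMasterRoles.Count -gt 0 } |
    Select-Object HostName, @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } }

# A role holder that is an RODC or is offline is a problem: RODCs cannot hold roles,
# and a role on a dead DC has to be seized on another one.
foreach ($holder in ($roles.Values | Sort-Object -Unique)) {
    $dc = Get-ADDomainController -Identity $holder
    if ($dc.IsReadOnly) {
        Write-Warning "$holder is an RODC and cannot hold an operations master role"
    }
    if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
        Write-Warning "$holder is unreachable; its roles may need to be seized on another DC"
    }
}

# Infrastructure master on a GC is only harmless when every DC in the domain is a GC.
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$allGc = -not (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning 'Infrastructure master is a global catalog while other DCs are not; move the role'
}
```

Roles move with Move-ADDirectoryServerOperationMasterRole (for example -OperationMasterRole PDCEmulator -Identity of the new holder); add -Force only to seize a role from a holder that is permanently gone, since the old holder must never come back online afterwards. netdom query fsmo gives the same five answers from the command line.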

Disclaimer

This blog is not intended to be advice on how to manage your environment. These accounts are based on experiences in my own lab. Always approach information you find outside official documentation with skepticism and follow the golden rule: never test in production.