Active Directory Domain Services are the core piece of software that power enterprise networks running the Windows operating system. An Active Directory Domain Services database is the means by which all domain objects, user accounts, computer accounts, and groups are stored. This provides a searchable directory while providing a method to apply configuration and security settings for any object in the network. Other components of Active Directory Domain Services include forest, domain, and organizational units (OUs).
High level view of Active Directory Domain Services
The Active Directory Domain Services database contains information on resources such as user identity, computers, groups, and services. It is the job of domain controllers to provide the service that authenticates user and computer accounts when they attempt to log on to the domain. Active Directory Domain Services give you the power to configure and manage user and computer accounts on the network.
Active Directory Domain Services has both physical and logical components to make up the overall network. These services work together so that you can efficiently manage and control the resources users have access to. Furthermore, it is possible to install and configure software updates, manage security, enable Remote Access and configure certificate handling.
Group Policy is a key feature of ADDS, which offers the ability to configure centralized policies to manage most objects in Active Directory Domain Services. Having a good understanding of Active Directory Domain Services is very important to successfully use Group Policy in your network.
Active Directory Domain Services information is stored on the domain controller’s hard disk and is replicated to any additional domain controllers. Let’s get familiar with some of the key components.
- Require one or more domain controllers.
- All domain controllers contain a copy of the domain database and replicate between each other.
- The replication boundary is formed by the domain.
- Provides an umbrella of organization for configuring and managing objects within the domain.
- Users and computers can logon to any domain controller within the domain.
- An OU is a container object within a domain used to consolidate users, groups, computers, and other objects.
- Used to delegate administrative permissions to other users.
- Used to link and apply Group Policy.
Every Active Directory Domain Services domain contains a preinstalled set of containers and OUs such as Domain, Builtin, Users, Computers, and Domain Controllers OU. These provide a baseline of organization but note that no default containers in the Active Directory Domain Services domain can have Group Policy Objects linked to them, except for the default Domain Controllers OU and the domain itself. The remaining containers are just folders. In order to link GPOs to apply configurations and restrictions, you must first create a hierarchy of OUs to which you can link said Group Policy Objects.
A forest can be thought of as one or more domain trees while a tree is a collection of one or more domains. The forest root domain is the first domain to be created in the forest. The forest root domain contains the schema master as well as the domain naming master. The Enterprise Admins group, which has full control over every domain within the forest, and the Schema Admins group exist only in the forest root domain.
By default, no users from outside the forest can access resources inside the forest since the forest creates a security boundary. The Active Directory Domain Services forest is the replication boundary for the configuration and schema partitions in the Active Directory Domain Services database. Therefore, all domain controllers in the forest share the same schema. The Global Catalog also respects the forest as a replication boundary. This helps users in different domains communicate easily as long as they are in the same forest.
Typically, all domains in the forest will automatically trust other domains in the forest. This enables access to resources for all users in the forest, regardless of the domain to which they belong.
The schema defines all object types and attributes that Active Directory Domain Services uses to store data and as such can be thought of as the blueprint for Active Directory Domain Services.
Objects are the basis of what Active Directory Domain Services uses as units of storage. Any time the directory handles data, the schema is queried for the appropriate object definition and type. The directory creates the object and stores the data based on the definition of the object in the schema.
In Active Directory Domain Services, the schema defines:
- Objects used to store data in the directory.
- Rules that define the types of objects you can create, what attributes must be defined when you create the object, and what attributes are optional.
- The Structure and content of the directory itself.
User, computer, group, and site are examples of objects that are defined in the schema. Attributes include things like location, accountExpires, buildingName, company, manager, and displayName.
You can only make changes to the schema by targeting the domain controller that holds the schema master operations role. It is then replicated to all domain controllers in the forest. Because of this, changes to the schema should be mostly avoided, except for carefully planned and tested scenarios where a modified schema is mandatory for additional features in the network. Unpleasant side effects can result in the forest due to a poorly modified schema.
Thank you for reading What is Active Directory – If you found this post helpful, Please do share using the buttons below!