What is windows server active directory

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.^[1][2] Initially, Active Directory was used only for centralized domain management. However, Active Directory eventually became an umbrella title for a broad range of directory-based identity-related services.^[3]

A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers, and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted username and password and determines whether the user is a system administrator or normal user.^[4] Also, it allows management and storage of information, provides authentication and authorization mechanisms and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and Rights Management Services.^[5]

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft’s version of Kerberos,^[6] and DNS.^[7]

Robert R. King defined it in the following way:^[8]

«A domain represents a database. That database holds records about network services-things like computers, users, groups and other things that use, support, or exist on a network. The domain database is, in effect, Active Directory.»

History[edit]

Like many information-technology efforts, Active Directory originated out of a democratization of design using Request for Comments (RFCs). The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. For example, LDAP underpins Active Directory. Also, X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),^[9] RFC 2307, RFC 3062, and RFC 4533.^[10][11][12]

Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Active Directory support was also added to Windows 95, Windows 98 and Windows NT 4.0 via patch, with some features being unsupported.^[13][14] Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services.^[15] The part of the directory in charge of the management of domains, which was previously a core part of the operating system,^[15] was renamed Active Directory Domain Services (ADDS) and became a server role like others.^[3] «Active Directory» became the umbrella title of a broader range of directory-based services.^[16] According to Byron Hynes, everything related to identity was brought under Active Directory’s banner.^[3]

Active Directory Services[edit]

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.

Domain Services[edit]

Active Directory Domain Services (AD DS) is the foundation of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server running this service is called a domain controller. A domain controller is contacted when a user logs into a device, accesses another device across the network or runs a line-of-business Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, as described below) as well as most of Microsoft server technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

The self-managed Active Directory DS must not be confused with managed Azure AD DS, which is a cloud product.^[17]

Lightweight Directory Services[edit]

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM),^[18] is an implementation of the LDAP protocol for AD DS.^[19] AD LDS runs as a service on Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for the storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

Certificate Services[edit]

Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate, revoke and perform other similar actions, public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), and network traffic (when used by virtual private networks, Transport Layer Security protocol or IPSec protocol).

AD CS predates Windows Server 2008, but its name was simply Certificate Services.^[20]

AD CS requires an AD DS infrastructure.^[21]

Federation Services[edit]

Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS uses many popular open standards to pass token credentials such as SAML, OAuth or OpenID Connect.^[22] AD FS supports encryption and signing of SAML assertions.^[23] AD FS’s purpose is an extension of that of AD DS: The latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials. The former enables them to use the same set of credentials in a different network.

As the name suggests, AD FS works based on the concept of federated identity.

AD FS requires an AD DS infrastructure, although its federation partner may not.^[24]

Rights Management Services[edit]

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is a server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them. These operations can include viewing, editing, copying, saving as or printing for example. IT administrators can create pre-set templates for the convenience of the end user if required. However, end users can still define who can access the content in question and set what they can do. ^[25]

Logical structure[edit]

As a directory service, an Active Directory instance consists of a database and corresponding executable code responsible for servicing requests and maintaining the database. The executable part, known as Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.^[1] Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and Security Accounts Manager services.^[2]

Objects[edit]

Active Directory structures are arrangements of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents— defined by a schema, which also determines the kinds of objects that can be stored in the Active Directory.

The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.^[26]

Forests, trees, and domains[edit]

The Active Directory framework that holds objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace and is linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

Organizational units[edit]

The objects held within a domain can be grouped into organizational units (OUs).^[27] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization’s structure in managerial or geographical terms. OUs can contain other OUs—domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and simplifying the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named group policy objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well.

Organizational units do not each have a separate namespace. As a consequence, for compatibility with Legacy NetBios implementations, user accounts with an identical sAMAccountName are not allowed within the same domain even if the accounts objects are in separate OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain.^[28] However, two users in different OUs can have the same common name (CN), the name under which they are stored in the directory itself such as «fred.staff-ou.domain» and «fred.student-ou.domain», where «staff-ou» and «student-ou» are the OUs.

In general, the reason for this lack of allowance for duplicate names through hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-namespace method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.

As the number of users in a domain increases, conventions such as «first initial, middle initial, last name» (Western order) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student ID numbers to use as account names in place of actual users’ names and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.

Shadow groups[edit]

In Microsoft’s Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS can assign access privileges through object placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU’s account membership but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as shadow groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.^[29]

The division of an organization’s information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.^[30]

Partitions[edit]

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as ‘naming contexts’.^[31] The ‘Schema’ partition contains the definition of object classes and attributes within the Forest. The ‘Configuration’ partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the Forest. The ‘Domain’ partition holds all objects created in that domain and replicates only within its domain.

Physical structure[edit]

Sites are physical (rather than logical) groupings defined by one or more IP subnets.^[32] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that is not domain controllers are called Member Servers.^[33] A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest.^[34][35]
Global Catalog servers replicate to themselves all objects from all domains and, hence, provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC’s database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.^[36] Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.

Replication[edit]

Active Directory synchronizes changes using multi-master replication.^[37] Replication by default is ‘pull’ rather than ‘push’, meaning that replicas pull changes from the server where the change was effected.^[38] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intra-site replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Inter-site replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intra-site replication.

Each link can have a ‘cost’ (e.g., DS3, T1, ISDN, etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain-based by the site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between Sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) GCs. SMTP cannot be used for replicating the default Domain partition.^[39]

Implementation[edit]

In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller,^[40] but Microsoft recommends more than one domain controller to provide automatic failover protection of the directory.^[41] Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role.^[42]

Certain Microsoft products such as SQL Server^[43][44] and Exchange^[45] can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult.^[46] A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server,^[47] and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.^[48]

Database[edit]

The Active-Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller’s database. Microsoft has created NTDS databases with more than 2 billion objects.^[49] (NT4’s Security Account Manager could support no more than 40,000 objects). Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security descriptor single instancing.^[49]

Programs may access the features of Active Directory^[50] via the COM interfaces provided by Active Directory Service Interfaces.^[51]

Trusting[edit]

To allow users in one domain to access resources in another, Active Directory uses trusts.^[52]

Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology[edit]

One-way trust

One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

Two-way trust

Two domains allow access to users on both domains.

Trusted domain

The domain that is trusted; whose users have access to the trusting domain.

Transitive trust

A trust that can extend beyond two domains to other trusted domains in the forest.

Intransitive trust

A one way trust that does not extend beyond two domains.

Explicit trust

A trust that an admin creates. It is not transitive and is one way only.

Cross-link trust

An explicit trust between domains in different trees or the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Shortcut

Joins two domains in different trees, transitive, one- or two-way.

Forest trust

Applies to the entire forest. Transitive, one- or two-way.

Realm

Can be transitive or nontransitive (intransitive), one- or two-way.

External

Connect to other forests or non-Active Directory domains. Nontransitive, one- or two-way.^[53]

PAM trust

A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a (Windows Server 2016 functionality level) ‘bastion’ forest, which issues time-limited group memberships.^[54][55]

Management tools[edit]

Microsoft Active Directory management tools include:

• Active Directory Administrative Center (Introduced with Windows Server 2012 and above),
• Active Directory Users and Computers,
• Active Directory Domains and Trusts,
• Active Directory Sites and Services,
• ADSI Edit,
• Local Users and Groups,
• Active Directory Schema snap-ins for Microsoft Management Console (MMC),
• SysInternals ADExplorer

These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party tools extend the administration and management capabilities. They provide essential features for a more convenient administration process, such as automation, reports, integration with other services, etc.

Unix integration[edit]

Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Third parties offer Active Directory integration for Unix-like platforms, including:

• PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory^[56]
• ADmitMac (Thursby Software Systems)^[56]
• Samba (free software under GPLv3) – Can act as a domain controller^[57][58]

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, support these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).^[59] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.

An alternative option is to use another directory service as non-Windows clients authenticate to this while Windows Clients authenticate to Active Directory. Non-Windows clients include 389 Directory Server (formerly Fedora Directory Server, FDS), ViewDS v7.2 XML Enabled Directory, and Sun Microsystems Sun Java System Directory Server. The latter two are both able to perform two-way synchronization with Active Directory and thus provide a «deflected» integration.

Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.^{[citation needed]}

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.^{[60][61][62][63]} Free and non-free Active Directory administration tools can help to simplify and possibly automate Active Directory management tasks.

Since October 2017 Amazon AWS offers integration with Microsoft Active Directory.^[64]

See also[edit]

• AGDLP (implementing role based access controls using nested groups)
• Apple Open Directory
• Flexible single master operation

• FreeIPA
• List of LDAP software
• System Security Services Daemon (SSSD)
• Univention Corporate Server

References[edit]

External links[edit]

• Microsoft Technet: White paper: Active Directory Architecture (Single technical document that gives an overview about Active Directory.)
• Microsoft Technet: Detailed description of Active Directory on Windows Server 2003
• Microsoft MSDN Library: [MS-ADTS]: Active Directory Technical Specification (part of the Microsoft Open Specification Promise)
• Active Directory Application Mode (ADAM)
• Microsoft MSDN: [AD-LDS]: Active Directory Lightweight Directory Services
• Microsoft TechNet: [AD-LDS]: Active Directory Lightweight Directory Services
• Microsoft MSDN: Active Directory Schema
• Microsoft TechNet: Understanding Schema
• Microsoft TechNet Magazine: Extending the Active Directory Schema
• Microsoft MSDN: Active Directory Certificate Services
• Microsoft TechNet: Active Directory Certificate Services

Organizations of all sizes all over the world use Active Directory to help manage permissions and control access to critical network resources. But what exactly is it, and how can it potentially help your business?

By using the Active Directory® Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and you can provide support for directory-enabled applications, such as Microsoft® Exchange Server.

In the following sections, learn more about AD DS, features in AD DS, and software and hardware considerations. For more information about planning, deploying, and operating the AD DS server role, see Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=48547).

What is a Directory?

A directory, in the most generic sense, is a comprehensive listing of objects. A phone book is a type of directory that stores information about people, businesses, and government organizations. Phone books typically record names, addresses, and phone numbers.
AD DS is similar to a phone book in several ways, and it is far more flexible. AD DS will store information about organizations, sites, computers, users, shares, and just about any other network object that you can imagine. Not all objects are as similar to
each other as those stored in the phone book, so AD DS includes the ability to record different types of information about different objects.  

Lightweight Directory Access Protocol (LDAP)

AD DS reflects Microsoft’s trend toward relying on standard protocols. The Lightweight Directory Access Protocol (LDAP) is a product of the
IETF (Internet Engineering Task Force). It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used in AD DS .

Distinguished Names

It is very important to understand the structure of
distinguished names, as you will be referring to them often in the course of your job. My distinguished name is /O=Internet/DC=COM/DC=Microsoft/ DC=MSPress/CN=Users/CN=Tony Northrup. Consider the following figure, which shows how I fit into a sample AD DS 
tree. The distinguished name I gave starts to make some sense—it identifies each container from the very top down to my specific object. Each container is separated by a slash and an identifier. For example, COM, Microsoft, and MSPress are each preceded by
/DC=. The DC stands for Domain Component, which identifies a DNS domain.

Distinguished names describe the location of an object in a tree.

To simplify distinguished names, relative distinguished names can also be used. The relative distinguished name of the
previous example is CN=Tony Northrup, identifying the user name but not the context in which it resides. The context must be known already for the relative distinguished name to be an effective identifier.

User Principal Name

Distinguished names are great for computers but too cumbersome for people to remember. People have grown accustomed to e-mail addresses, so AD DS  provides these addresses as a shortcut to the full object name. In Figure 11-9, Tony Northrup is a user of
the mspress.microsoft.com domain. An administrator could create a user principal name within the microsoft.com domain to allow simpler access to my user account and hold a place for my e-mail address, like northrup@microsoft.com.

Users will rely on their user principal name to log onto their computers. In other words, user principal names will replace the user names used in older Windows networks. Obviously, this helps the users by saving them the trouble of typing their distinguished
names. However, it also benefits users because the user principal name will stay the same even if administrators move or rename the underlying user account. 

What is the AD DS server role?

Features in AD DS

Installing the AD DS server role

Managing the AD DS server role

You can manage server roles with Microsoft Management Console (MMC) snap-ins. To manage a domain controller (that is, a server
that is running AD DS), click Start, click Control Panel, click
Administrative Tools, and then double-click the appropriate snap-in:

As an alternative, you can double-click the appropriate snap-in on the
Active Directory Domain Services page in Server Manager.

Security

AD DS plays an important role in the future of Windows networking. Administrators must be able to protect their directory from attackers and users, while delegating tasks to other administrators where necessary. This is all possible using the AD DS security
model, which associates an access control list (ACL) with each container, object, and object attribute within the directory. The following figure shows
a step from the Delegation Of Control wizard, a helpful utility for assigning permissions to AD DS objects.

The Delegation Of Control wizard makes it simple to assign permissions to objects.

This high level of control allows an administrator to grant individual users and groups varying levels of permissions for objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users.
For example, the administrator could set the ACLs such that only managers can view the home phone numbers of other users. Nonmanagers would not even know that the attribute existed.

A concept new to Windows Server is delegated administration. This allows administrators to assign administrative tasks to other users, while not granting those users more power than necessary. Delegated administration can be assigned over specific
objects or contiguous subtrees of a directory. This is a much more effective method of giving authority over the networks; rather than granting someone the all powerful Domain Administrator permissions, he or she can be given permissions for just those computers
and users within a specific subtree. AD DS supports inheritance, so any new objects inherit the ACL of their container.

Try to forget what you’ve learned about Windows NT domain trusts. The term
trusts is still used, but trusts have very different functionality. There is no distinction between one-way and two-way trusts because all AD DS trusts are bidirectional. Further, all trusts are transitive. So, if Domain A trusts Domain B, and Domain B
trusts Domain C, then there is an automatic implicit trust between Domain A and Domain C. This new functionality is shown in the following figure.

Windows Server trusts are bidirectional and transitive.

Another AD DS security feature is auditing. Just as you can audit NTFS partitions, objects and containers within AD DS can be audited. This is a useful way to determine who is attempting to access objects, and whether or not they succeed.

Use of DNS (Domain Name System)

Domain Name System, or DNS, is necessary to any Internet-connected organization. DNS provides name resolution between common names, such as mspress.microsoft.com, and the raw IP addresses that network layer components use to communicate. AD DS makes extensive
use of DNS technology and relies on DNS to locate objects within AD DS. This is a substantial change from previous Windows operating systems that require NetBIOS
names to be resolved to IP addresses, and to rely on WINS
or another NetBIOS name resolution technique.

AD DS works best when used with Windows Server–based DNS servers. Microsoft has made it easy for administrators to transition to Windows Server–based DNS servers by providing migration wizards that walk the administrator through the process. Other DNS servers
can be used, but administrators will need to spend more time managing the DNS databases. If you decide not to use Windows Server–based DNS servers, you should make sure your DNS servers comply with the new DNS dynamic update protocol. AD DS servers rely on
dynamic update to update their pointer records, and clients rely on these records to locate domain controllers. If dynamic update is not supported, you will have to update the databases manually.

Note: DNS dynamic update protocol is defined in RFC 2136.

Windows domains and Internet domains are now completely compatible. A domain name such as mspress.microsoft.com will identify AD DS domain controllers responsible for the domain, so any client with DNS access can locate a domain controller. AD DS clients
can use DNS resolution to locate any number of services because AD DS servers publish a list of addresses to DNS using the new features of dynamic update. These addresses identify both the domain and the service being provided and are published via Service
Resource Records (SRV RRs). SRV RRs follow this format:

service.protocol.domain

AD DS servers provide the LDAP service for object location, and LDAP relies on TCP as the underlying transport-layer protocol. Therefore,
a client searching for an AD DS server within the mspress.microsoft.com domain would look up the DNS record for ldap.tcp.mspress.microsoft.com. 

Global Catalog

AD DS provides a global catalog (GC). No, this does not mean that you can find any piece of information on the planet—but it is still
very significant. AD DS provides a single source to locate any object within an organization’s network.

The global catalog is a service within Windows Server that allows users to find any objects to which they have been granted access. This functionality far surpasses that of the Find Computer application included in previous versions of Windows, because users
can search for any object within AD DS: servers, printers, users, and applications. For example, the following figure shows how a user can search for all color printers in his or her building that have the capability to print double-sided documents.

The global catalog helps users find network resources.

This feature is especially important because of the complexity of LDAP names. Older versions of Windows relied on 15-character NetBIOS computer names, which users could often remember. Few people would be able to recall LDAP names, such as the following:

/O=Internet/DC=COM/DC=Microsoft
/DC=MSPress/CN=Computers/CN=Server1.

Because users can easily search for objects, remembering names is much less important.

The GC is an index stored on AD DS servers. It contains the names of all objects in the AD DS server, regardless of how the server has been partitioned. The GC also contains a handful of searchable attributes for each object. For example, the GC would store
the distinguished names, first names, and last names of all users—allowing someone to search for anyone named Tony and find the distinguished name of the user. The global catalog is a subset of AD DS, and stores only those attributes that users tend to search
on. Useful defaults are provided by Microsoft, and administrators can specify other attributes to be searchable by using the AD DS Schema, described later in this chapter.

Not All Indexes Are Created Equal!

If you have done any database administration, you already know that some types of information are more useful to index than other types. Naturally, you should index attributes that will be searched for often, but there are other factors involved. Indexes
take up space, so it is not efficient to index everything. Indexes also slow down updates and inserts—if an indexed attribute is modified, the index must be modified as well. Indexing works better when the data being stored varies from user to user. Therefore,
never index true or false attributes or any attribute with less than five possible values. Names are an excellent attribute to index since they are almost unique for each user. Finally, don’t index attributes that aren’t usually filled in. If few users enter
a value for their middle name, the indexing of that attribute is a waste.

As new objects are created in AD DS, they are assigned a unique number called a GUID (globally unique identifier). The GUID is useful because
it stays the same for any given object, regardless of where the object is moved. The GUID is a 128-bit identifier, which isn’t particularly meaningful to users, but applications that reference objects in AD DS can record the GUIDs for objects and use the global
catalog to find them even after they’ve moved.

Replication

Administrators who implement AD DS will quickly discover that their network relies heavily on its services. This reliance means that AD DS  must be available on multiple servers—so that if a single server fails, clients can contact a server with duplicate
services and information. Unlike the Windows NT domain databases used with previous versions of Windows NT, updates to the database can be sent to
any of the AD DS servers. While this complicates the replication process, it eliminates the possibility that the failure of a single domain controller would stop updates to the databases. It also reduces the high load placed on Windows NT 4.0 primary
domain controllers.

AD DS includes a replication component that makes this a simple task for administrators. Simply adding domain controllers to an AD DS is sufficient to begin the replication process.

One of the most complex parts of making redundant servers work properly is replicating the information and ensuring that all servers have the most up-to-date content. AD DS uses
multimaster replication, which is another way of stating that updates can occur on any AD DS server. Each server keeps track of which updates it has received from which servers, and can intelligently request only necessary updates in case of a failure.

How AD DS Replication Works

Each update is assigned its own 64-bit unique sequence number (USN) from a counter that is incremented whenever a change is made. These updates
are system-specific, so every AD DS server maintains a separate counter.

When a server replicates an update to other AD DS domain controllers, it sends the USN along with the change. Each server maintains an internal list of replication partners and the highest USN received from them. The server receiving the update requests
only those changes with USNs higher than previously received. This method has the added benefit of stopping updates from propagating endlessly between multiple AD DS domain controllers.

One problem inherent in any multimaster replication scheme is that updates to a single object can occur in multiple places at the same time. For example, if an administrator in Boston changes a user’s name from «Curt» to ‘»Kurt» and an administrator in Chicago
simultaneously changes that same user’s name from «Curt» to «Kirk,» a replication collision will occur. There are two problems to deal with when a collision occurs: detecting the collision and resolving the collision.

AD DS stores property version numbers to allow replication collision detection. These numbers are specific to each property of every object within AD DS and are updated every time the property is modified. These numbers are propagated through AD DS
along with the change, so a server that receives two different updates to the same property with the same property version number can conclude that a replication collision has occurred.

AD DS domain controllers resolve collisions by applying the update with the later timestamp. The timestamp is created by the server that initiated the change, so it is very important to keep system time synchronized between servers.

Note: Use the built-in distributed time synchronization service to keep all servers working together!

Partitioning

Large networks can contain hundreds of thousands of objects. Windows NT required multiple domains to allow that many objects to be manageable. Administrators often divided users and resources into separate domains and created a trust between the domains.
The structure of the databases simply did not allow them to grow to hundreds of thousands of objects. These size limitations are less a factor in AD DS domains, thankfully. However, supporting a very large AD DS could be an incredible burden to any single
domain controller.

Active Directories can be partitioned to lessen this load. Partitioning allows different domain controllers to manage different sections of the database, reducing the load on any individual server. The clients can use resources located within different AD DS
partitions transparently. Therefore, administrators can manage massive AD DS domains without requiring domain controllers to handle the entire database.

Objects

Many people are initially confused by the relationship between object
classes,
attributes, and the objects themselves. Objects are created based on an object class. Attributes describe an object class. When an object
is created, it inherits all the attributes of its object class. Here’s where it gets tricky:
object classes and attributes are also objects in AD DS. Fortunately, most user interfaces hide this fact.

An object can be either a reference to something concrete or the actual useful information itself. For example, every bit of information about a user account is stored within AD DS. However, only a reference to a disk volume is stored in AD CS. While the
reference is not useful by itself, it is used to locate the volume on the file server. When creating new object classes, carefully consider whether the object will store a reference to something external or whether all necessary information will be contained
in the object’s attributes. While AD DS is extremely convenient, it should not be used to store large amounts of information, constantly changing information, or rarely used information.

Anytime you add a user or a computer to AD DS, you are creating an object. Creating an object is often referred to as
publishing, because it kicks off a process of replicating the new information across all AD DS domain controllers in the domain.

Schema: Attributes and Object Classes

A schema is a set of attributes used to describe a particular object class in AD DS. Different types of information need to be tracked for
different object classes, and that’s why the schema is so important. For example, the Users object class needs attributes for a first name, last name, phone number, e-mail address, and mailing address. The Printer object class must have many different attributes—users
will want to know how fast a printer is and whether it can duplex or print in color. These attributes can be viewed and edited using the AD DS Schema MMC snap-in, as shown in the following figure.

Experienced programmers and system administrators can manage the AD DS schema, but the AD DS Schema snap-in is not installed by default. In addition, the Schmmgmt.dll file (regsvr32 schmmgmt.dll) must be registered from an

elevated command prompt before the snap-in can be installed. The AD DS Schema does not have an icon within the Start menu; you must launch the MMC interface and add the snap-in named AD DS Schema.

The AD DS Schema allows classes and attributes to be modified.

By default, object classes come with a logical set of attributes that will fit most organization’s needs. However, many organizations will need to track additional information about particular object classes. For example, if employees are assigned a badge
number, it is useful to track that information in the object class. The first step is to create an attribute called BadgeID, as shown in the following figure. The second step is to make the new attribute optional for the Users class.

Attributes can be added with the AD DS Schema snap-in.

The schema is stored within AD DS just like other objects. Therefore, the schema inherits the ability to be automatically replicated throughout a domain. It also benefits from the security features of AD DS, and allows administrators to delegate authority
over the schema to different users and groups. By changing the ACLs on a schema object, an administrator can allow any user to add or modify attributes for an object class. The example in the following figure shows that the group East Coast Administrators
has been granted full control over the schema.

Modifying the schema can be delegated to groups and users.

New attributes have several properties that must be set. The user creating a new attribute must define a name for the attribute (such as Badge ID #), the type of data to be stored (such as a string or a number), and the range limits (such as string length).
A unique Object Identifier (OID) must also be provided. New attributes can be indexed, which adds the attributes to the global catalog. Indexes should be created for attributes that users will search with. In this example, if security needs to look up user
accounts by the Badge ID number, this attribute should be indexed. For a search to occur on a nonindexed attribute, a slow and processor-intensive walk of the directory tree must be done.

Where Do Object Identifiers Come From?

The only way to ensure Object Identifiers are globally unique is to have a central agency that assigns

OIDs. This is already common practice on the Internet; the InterNIC assigns domain names and the Internet Assigned Numbers Authority (IANA) assigns IP subnets. Object Identifiers are assigned by a National Registration Authority, or NRA. NRAs vary from
country to country. In the United States, the American National Standards Institute (ANSI) provides NRA services. For a modest fee,
ANSI can supply your organization with a root OID. Any objects created by your organization will have this root OID as the prefix, ensuring that Object Identifiers are globally unique.

A list of NRAs can be found at the International Standards Organization’s Web site, at
http://www.iso.ch.

The schema is cached by AD DS domain controllers for performance reasons. It will take up to five minutes for the cache to be updated after you change the schema. So, wait a few minutes before you try to create objects based on your new object classes and
attributes. If you must reload the cache immediately, add the attribute schemaUpdateNow to the root object (the object without a distinguished name), and set the value to 1.

Extending the schema of AD DS is a powerful capability. However, most administrators will never need to use anything but the classes and attributes .Microsoft has provided by default.

ADSI (Active Directory Service Interface)

ADSI (Active Directory Service Interface) allows applications to interact with any directory service without being forced to know the internal
details of the underlying protocols. Administrators can write programs and scripts that make use of ADSI to read or write to legacy Windows NT 4.0 directories, NetWare NDS directories, NetWare 3 binderies, and LDAP directories such as AD DS. Developers can
even create applications that make use of directories at the customer’s site, without previous knowledge of the type of directory being used.

For example, the following Microsoft Visual Basic code uses ADSI to display a list of users in the debug window:

Set ou = GetObject(«ldap://dcserver/OU=Sales,DC=ArcadiaBay,DC=COM»)
For Each obj In ou
    Debug.Print obj.Name
Next

As you can see, gathering a list of users is much simpler than in previous Windows operating systems. ADSI makes use of the Component Object Model (COM),
so almost any Windows development environment can immediately make use of the interface. Developers will be interested to know that they can access Active Directory through the LDAP C API
and through
MAPI, though ADSI is the preferred interface.

Note: The LDAP C API is defined in RFC 1823.

Active Directory Wiki Pages

• Active Directory Replication over Firewalls
• Design Considerations for Delegation of Administration in Active Directory

Directory services are becoming a key part in managing IT infrastructure. Microsoft’s service, Active Directory, is one of the most well-known directory services in the world. In this article, we will cover the basics and explain exactly what Active Directory is and how to use it.

As the complexity of networking resources has grown, directory services have become ever more important for managing IT infrastructure. There is no directory service with a bigger name than Active Directory. Microsoft’s directory service has been established as a staple tool amongst network administrators. In this Active Directory tutorial we’re going to look at what Active Directory is, how to use it, and Active Directory tools like SolarWinds Access Rights Manager and ManageEngine AD360. Topics to learn include:

• What is Active Directory?
• What does Active Directory do?
• How to Set Up Active Directory
• How to Use Active Directory: Setting Up a Domain Controller, Creating Directory Users
• Active Directory Events to Monitor
• Trust Relationships (and Trust Types)
• An Overview of Active Directory Forests and Trees
• Active Directory Reporting (with SolarWinds Access Rights Manager)
• How to Find the Source of Account Lockouts in Active Directory

What is Active Directory? 

Active Directory is a directory service or container which stores data objects on your local network environment. The service records data on users, devices, applications, groups, and devices in a hierarchical structure.

The structure of the data makes it possible to find the details of resources connected to the network from one location. In essence, Active Directory acts like a phonebook for your network so you can look up and manage devices easily.

What does Active Directory do? 

There are many reasons why enterprises use directory services like Active Directory. The main reason is convenience. Active Directory enables users to log on to and manage a variety of resources from one location. Login credentials are unified so that it is easier to manage multiple devices without having to enter account details to access each individual machine.

How to Setup Active Directory (with RSAT) 

To begin you will need to first make sure that you have Windows Professional or Windows Enterprise installed otherwise you won’t be able to install Remote Server Administration Tools. Then do the following:

For Windows 10 Version 1809 and Windows 11:

1. Right-click on the Start button and go to Settings > Apps > Manage optional features > Add feature.
2. Now select RSAT: Active Directory Domain Services and Lightweight Directory Tools.
3. Finally, select Install then go to Start > Windows Administrative Tools to access Active Directory once the installation is complete.

For Windows 8 (And Windows 10 Version 1803) 

1. Download and install the correct version of Server Administrator Tools for your device: Windows 8, Windows 10.
2. Next, right-click the Start button and select Control Panel > Programs > Programs and Features > Turn Windows features on or off.
3. Slide down and click on the Remote Server Administration Tools option.
4. Now click on Role Administration Tools.
5. Click on AD DS and AD LDS Tools and verify AD DS Tools has been checked.
6. Press Ok.
7. Go to Start > Administrative Tools on the Start menu to access Active Directory.

How to use Active Directory: How to Setup a Domain Controller, Creating Directory Users 

How to Setup A Domain Controller

One of the first things you need to do when using Active Directory is to set up a domain controller. A domain controller is a central computer that will respond to authentication requests and authenticate other computers throughout the network. The domain controller stores the login credentials of all other computers and printers.

All other computers connect to the domain controller so that the user can authenticate every device from one location. The advantage of this is that the administrator won’t have to manage dozens of login credentials.

The process of setting up a domain controller is relatively simple. Assign a static IP address to your Domain Controller and install Active Directory Domain Services or ADDS. Now follow these instructions:

1. Open Server Manager and click Roles Summary > Add roles and features.
2. Click Next.
3. Select Remote Desktop Services installation if you’re deploying a domain controller in a virtual machine or select role-based or feature-based installation.
4. Select a server from the server pool.
5. Select Active Directory Domain Services from the list and click Next.
6. Leave the Features checked by default and press Next.
7. Click Restart the destination server automatically if required and click Install. Close the window once the installation is complete.
8. Once the ADDS role has been installed a notification will display next to the Manage menu. Press Promote this server into a domain controller.
9. Now click Add a new forest and enter a Root domain name. Press Next.
10. Select the Domain functional level you desire and enter a password into the Type the Directory Services Restore Mode (DSRM password) section. Click Next.
11. When the DNS Options page displays click Next again.
12. Enter a domain in the NetBios Domain name box (preferably the same as the root domain name). Press Next.
13. Select a folder to store your database and log files. Click Next.
14. Press Install to finish. Your system will now reboot.

Add a Domain Controller to an Existing Domain in Windows Server 2016

The procedures for adding a domain controller to an existing domain in Active Directory are the same, no matter which operating system you have. However, these instructions were organized during an exercise on Windows Server 2016. It is always a good idea to have at least two domain controllers in your AD domain just in case one goes down.

The second Domain Controller is a separate computer from the one identified for your first Domain Controller. That second computer needs to be set up with Windows Server 2016. Get it fully patched and assign it an IP address before starting the AD setup on that machine. Then follow these steps:

1. Open Server Manager, click on the Manage option on the menu ribbon and select Add Roles and Features.
2. In the opening screen of the wizard, click on Next.
3. In the Installation Type screen select the Role-based or feature-based installation radio button and click on Next.
4. In Server Selection leave the only server in the list highlighted and press Next.
5. In the Server Roles screen, Check the Active Directory Domain Services box. A dialogue box appears. Click on the Add Features button.
6. Back in the main feature selection screen, click the Next button.
7. This cycles through to the Features screen. Just click on the Next button. In the AD DS screen, click on the Next button.
8. Finally, click the Install button. Once the installation process finishes, you will see a notice telling you that additional steps are required. Click on the link that says Promote this server to a domain controller. This brings up the Deployment Configuration screen.
9. Leave the Add a domain controller to an existing domain radio button active. At the bottom of the list of options, you will see <no credentials provided>. Click on the Change button next to that.
10. Enter the username and password of the Administrator account on the AD instance that you first set up. This username should be in the format <domain>Administrator. Click OK.
11. On return from the login popup, you will see that the Domain field has been populated with the domain that you entered for the user account. Click on the Next button.
12. Decide whether to make this a read-only domain controller (RODC). If so, check that box in the Options screen, if not, check both the DNS server and Global Catalogue boxes.
13. Enter a DSRM password and confirm it. Click on the Next button. You will see a warning but just click on the Next button again.
14. In Additional Options choose your original domain controller for the Replicate from: field. Click on Next.
15. Leave all of the paths in their default settings and click on Next. In the Review Options screen, click Next.
16. The system will perform a prerequisites check. If that completes satisfactorily, the Install button will become active. Click it.
17. Wait for the installation to complete. The computer will reboot. Log in to the machine.

Go back to your original domain controller computer and open Active Directory Users and Computers and you will see that your new DC is listed there in the Domain Controllers folder.

Creating Active Directory Users

Users and computers are the two most basic objects that you will need to manage when using Active Directory. In this section, we’re going to look at how to create new user accounts. The process is relatively simple, and the easiest way to manage users is through the Active Directory Users and Computer or ADUC tool that comes with the Remote Server Administration Tools or RSAT pack. You can install ADUC by following the instructions listed below:

Install ADUC on Windows 10 Version 1809 and Higher or Windows 11:

1. Right-click on the Start button and click Settings > Apps, then click Manage optional features > Add feature.
2. Select RSAT: Active Directory Domain Services and Lightweight Directory Tools.
3. Select Install and wait for the installation to complete.
4. Go to Start > Windows Administrative Tools to access the feature.

Install ADUC on Windows 8 and Windows 10 Version 1803 or Lower: 

1. Download and install Remote Server Administrator Tools for your version of Windows. You can do so from one of these links here:
   Remote Server Administrator Tools for Windows 10, Remote Server Administrator Tools for Windows 8, or Remote Server Administrator Tools for Windows 8.1.

1. Right-click on Start > Control Panel > Programs > Programs and Features > Turn Windows features on or off.
2. Scroll down and select Remote Server Administration Tools.
3. Expand Role Administrator Tools > AD DS and AD LDS Tools.
4. Check AD DS Tools and press Ok.
5. Go to Start > Administrative Tools and select Active Directory Users and Computers.

How to Create New Users with ADUC 

1. Open the Server Manager, go to the Tools menu and select Active Directory Users and Computers.
2. Expand the domain and click Users.
3. Right-click on the right pane and press New > User.
4. When the New Object-User box displays enter a First name, Last name, User logon name, and click Next.
5. Enter a password and press Next.
6. Click Finish.
7. The new user account can be found in the Users section of ADUC.

Active Directory Events to Monitor 

Like all forms of infrastructure, Active Directory needs to be monitored to stay protected. Monitoring the directory service is essential for preventing cyber-attacks and delivering the best end-user experience to your users.

Below we’re going to list some of the most important network events that you should look out for. If you see any of these events then you should investigate further ASAP to make sure that your service hasn’t been compromised.

An Overview of Active Directory Forests and Trees 

Forest and trees are two terms you will hear a lot when delving into Active Directory. These terms refer to the logical structure of Active Directory. Briefly, a tree is an entity with a single domain or group of objects that is followed by child domains. A forest is a group of domains put together. When multiple trees are grouped together they become a forest.

Trees in the forest connect to each other through a trust relationship, which enables different domains to share information. All domains will trust each other automatically so you can access them with the same account info you used on the root domain.

Each forest uses one unified database. Logically, the forest sits at the highest level of the hierarchy and the tree is located at the bottom. One of the challenges that network administrators have when working with Active Directory is managing forests and keeping the directory secure.

For example, a network administrator will be tasked with choosing between a single forest design or multi-forest design. The single-forest design is simple, low-cost and easy to manage with only one forest comprising the entire network. In contrast, a multi-forest design divides the network into different forests which is good for security but makes administration more complicated.

Trust Relationships (and Trust Types) 

As mentioned above, trusts are used to facilitate communication between domains. Trusts enable authentication and access to resources between two entities. Trusts can be one-way or two-way in nature. Within a trust, the two domains are divided into a trusting domain and a trusted domain.

In a one-way trust, the trusting domain accesses the authentication details of the trusted domain so that the user can access resources from the other domain. In a two-way trust, both domains will accept the other’s authentication details. All domains within a forest trust each other automatically, but you can also set up trusts between domains in different forests to transfer information.

You can create trusts through the New Trusts Wizard. The New Trust Wizard is a configuration wizard that allows you to create new trust relationships. Here you can view the Domain Name, Trust Type, and Transitive status of existing trusts and select the type of trust you want to create.

Trust Types 

There is a range of trust types in Active Directory. We’ve listed these in the table below:

Active Directory Reporting with SolarWinds Access Rights Manager (FREE TRIAL)

Generating reports on Active Directory is essential for optimizing performance and staying in accordance with regulatory compliance. One of the best Active Directory reporting tools is SolarWinds Access Rights Manager (ARM). The tool has been created to increase visibility into how directory credentials are used and managed. For example, you can view accounts with insecure configurations and credential abuse that could indicate a cyber attack.

Using a third-party tool like SolarWinds Access Rights Manager is beneficial because it provides you with information and features that would be much more difficult or impossible to access through Active Directory directly.

As well as generating reports you can automatically delete inactive or expired accounts that cybercriminals target. SolarWinds Access Rights Manager starts at $3,444 (£2,829). There is also a 30-day free trial version that you can download.

SolarWinds Access Rights Manager
Download 30- day FREE Trial

See also: Access Rights Management

How to Find the Source of Account Lockouts in Active Directory

The easiest way to find account lockouts in Active Directory is to use the Event Viewer, which is built into Windows. Active Directory generates Windows Events messages for each of its actions, so your first task is to track down the right event log.

1. Open a PowerShell window by pressing the Windows key and R together. In the Run popup, type powershell and hit ENTER.
2. At the command line type (get-addomain).pdcemulator
3. Note down the address of the PCD Emulator domain controller, which will be shown on the next line.
4. Type exit to close the PowerShell window.
5. The standard event log viewer that is built into the Windows operating system will help you find the account lockouts.
6. Go to the DC named as the PDC Emulator.
7. Open the Event Viewer by expanding Windows Administrative Tools in the Start menu and clicking on the Event Viewer entry in that submenu.
8. In the Event Viewer, expand the Windows Logs node in the left-hand menu tree. Click on Security. The Security events list will appear in the central panel of the Event Viewer.
9. In the right panel of the Event Viewer, click on Filter Current Log, which will open a popup window.
10. In the Event IDs field replace <All Event IDs> with 4740.
11. Select a time horizon in the Logged drop-down list at the top of the form.
12. Optionally, enter a username or a hostname if you are specifically looking for a lockout on a specific user or resource.
13. Press OK.
14. Double click on the log entry that relates to the user or resource that interests you and that has a timestamp that matches the moment you think the lockout occurred. This will open the Event Report.

The Event Report will show you the user that was locked out, the computer that the event occurred on, and the source, or reason for the lockout.

Active Directory Management with ManageEngine AD360 (FREE TRIAL)

ManageEngine AD360 is a compendium of ManageEngine Active Directory management systems plus a backup and recovery service. This package represents a good example of the tools that are available to automate the management tasks surrounding Active Directory usage. It is able to interface to AD implementations for SharePoint, Microsoft 365, Azure, and AWS, as well as the Active Directory system that you have in your Windows Server operating system.

ManageEngine AD360 is available on a 30-day free trial.

ManageEngine AD360
Start 30-day FREE Trial

Active Directory Tutorial: The Basics 

Active Directory is one of the best tools for managing resources in your network. In this article, we’ve just scratched the surface of the potential of this tool. If you’re using Active Directory remember that it is a potential entry point for cyber attackers. Making a note of key directory events and use a directory monitor will go a long way towards minimizing the risk of a malicious attack and protecting the availability of your service.

Active Directory FAQs

What should you look for in Active Directory tools?

We reviewed the market for Active Directory monitoring software and analyzed the options based on the following criteria:

• An interface that offers an easier way to organize Active Directory
• Reporting functions for auditing
• The ability to monitor many AD instances
• Tracking for replication, synchronization, backup, and migration
• Fast account status identification
• A free trial that provides a no-cost assessment period
• Value for money from a tool that pays for itself in efficiency improvements

In this post, we’ll learn about the Structure and components of the Active Directory domain controller with examples. Before you actually install a domain controller, you need to understand what it does and the environment to which it works.

Enterprise networks that run Windows operating systems depend on Active Directory Domain Services (ADDS) and its related services for many functions. The ADDS database contains all the domain objects, such as user accounts, computer accounts, and groups for your network.

Installing and configuring an ADDS domain controller enables you to create and store the ADDS database.

ADDS is a distributed database that stores and manage information about network resources and application-specific data from directory-enable applications. It helps administrators to organize network objects such as user accounts, computer accounts, and devices into a hierarchical collection of containers or folders – This is known as the logical structure of Active Directory.

Active Directory consists of Both physical and logical structures. The Physical structure is made up of the domain tree and the corresponding domain controller, it contains objects such as user accounts, computer accounts, group accounts, organizational units, and printers.

Structure of Active Directory

Active Directory Logical structure consists of the logical objects you create or  (Windows server 2012 R2 creates automatically) for organizational and administrative purposes.

For example, when you install the first windows domain controller, Windows Server 2012 R2 creates the logical forest, domain tree, and the domain at the top level of the domain tree.

When you install additional domain controllers, you can add them to the forest root domain or create a child domain below the forest root domain.

For example, look at the figure below. You will see the forest root domain named serverroompro.com, with two child domains named Boston.serverroompro.com and Texas.serverroompro.com. 

Please know that both the Serverrroompro.com domain (The Head Quarters)  and the Texas domain are located in Texas being housed in a single office.

Microsoft recommends that you create a site that contains both (Serverrroompro.com and Texas.serverroompro.com) because they are connected by high-speed networks. A second site should also be created for Boston because the networks in Texas connect to Boston’s networks through a wide area network (WAN) connections.

This is done by Microsoft to reduce the amount of time it takes to manage domain objects. You can delegate administrative rights or permissions at any level with Active Directory.

For example, you can create a new user account and grant it an administrative privilege at the child domain level of  Texas.serverroompro.com domain. These permission enable the user to administer the contents of the domain.

Another example, You can create a user account to which you assign administrative permissions at the forest root domain level  Serverrroompro.com. 

This user could then manage all the objects within the forest root domain and also both child domains. Additionally, you can also assign a user administrative permissions at the organizational unit (OU) level, this will enable the user to administer only the contents of the OU.

Leaf Objects

These are objects in Active Directory that have no child objects. They are the most basic components in the ADDS logical structure. Examples are Computer accounts, user accounts, group accounts, printers.

Active Directory Components

There are two components of Active Directory namely, Physical Components and Logical Components.

Physical components include the following:

1. Domain controller: These is the server that holds the server role Active Directory Domain Services (ADDS) and store the content if the AD Database. The file contained in the AD Database can be called the data store
2. Global Catalog Server: This server contains a partial read-only copy of the objects in the forest. This was implemented by Microsoft to make it possible for faster searches of objects in a different domain in the forest.
3. Read-Only Domain Controller (RODC): These are domain controllers that host a read-only copy of the AD database. RODCs are configured in office locations with low security or in-experienced administrators. In case someone hacks into the server at this location, the hacker won’t be able to change anything in the AD database.

Logical components include the following:

1. Domain: A domain is a collection of an administrative defined object that shares a common directory database, security policy and trust relationships with other domains. Domains exist within a forest and share common logical structure, global catalog, directory schema, and directory configurations.
2. Tree: A tree is a collection of domains that are arranged in hierarchical structures. When you add a domain to a tree, it becomes a child of the tree root domain, and also know that a domain to which a child is joined to is called its parent domain. The name of a child domain is combined with the name of its parent domain to form its own unique DNS name such as boston.serverroompro.com so that each tree has a similar namespace.
3. Forest: A forest is a complete instance of Active Directory. Each forest acts as a top-level container for all the domain containers for a particular Active Directory instance. A forest can contain one or more domain controller objects, as well as an automatic two-way transitive trust relationship. The name of that domain refers to the forest, such as serverroompro.com. By default, information in the Active Directory is only shared within the forest. So the forest is known as the security boundary for information that is contained in that instance of Active Directory. Simply put, a forest is a collection of domain trees that share ADDS
4. Site: Sites helps to organize users, groups, and computers based on their geographic location and the speed of their connection. At their most basic, sites are just groups of well-connected IP subnets
5. OU: These are container objects, that you can use to arrange other objects to support your administrative works. It helps in arranging objects. OU makes it easier to locate and manage your AD objects
6. Partition: You can create partitions to create logical sections within the Active Directory database. Using partitions enables you to optimize tasks such as replications.
7. Schema: Lastly, Microsoft uses the schema to define all attributes for each type of object you can create and store in Active Directory. For example, the schema contains attributes of user objects such as the user’s first name, last name, address, group membership, date of birth, etc. The schema is extensible which mean it can be modified or you can insert additional attributes for an object.

What is Active Directory?

Active Directory is a Microsoft product that operates on Windows Server. It is a database and set of services developed to help you with access, management, and permissions for your network resources. The organizational data is stored as an object in the Active Directory, and it can be in the form of devices, files, users, applications, groups, or shared folders. In addition, these objects can be categorized by their name or attribute.

The directory or database stores critical information related to your IT environment, including essential details about users, user permissions, and computers. In short, it helps you control various activities going on in your IT environment. Most importantly, AD also ensures user authentication, generally via user ID and passwords, and allows them to access data they’re authorized to use.

How does Active Directory work?

In the AD, the domain is the primary unit in a logical structure. The objects named under the same directory database, trust relationships, and security policies with other domains are called Domains. Each domain will store data about objects belonging to that domain only.

Settings and security policies, for example, Access Control Lists (ACLs), admin rights, etc., do not pass from one domain to another. In short, the admin can set policies only for the domain they belong to. Domains allow admins to set boundaries for objects and handle security policies for shared network resources.

One of the primary Active Directory services is the AD DS (Active Directory Domain Services), a crucial part of the Windows Server OS. The AD DS runs on servers known as Domain Controllers (DCs). An enterprise usually has multiple DCs, and each of these controllers has a copy of the main directory for the domain. Any changes made to the directory on one DC- for example, deleting a user account or changing a password are all applied to the other DCs in a domain to keep them up-to-date.

Another DC called Global Catalog server stores a copy of all objects within a directory of its domain along with a partial copy of all objects of other domains within a forest. This allows applications and users to find objects in any domain of its forest quickly.

Other laptops, desktops, and devices that run Windows (instead of Windows Server) do not run AD DS, but they can be a part of an Active Directory environment.

AD DS depends upon standards and protocols, such as DNS, Kerberos, and LDAP (Lightweight Directory Access Protocol). An important thing to know is that AD is exclusive to On-prem Microsoft environments. To run it in cloud Microsoft environments, you need to use Azure Active Directory, which works similar to the On-prem variant. Azure AD and AD are different but can run together if an organization has a hybrid deployment (cloud and on-prem).

Why is Active Directory So Important?

To simplify and understand the concept of AD better, consider Active Directory as the “Contacts” application on your mobile phone. The Contacts app itself acts as an Active Directory, while individual contacts in the app would be its “objects”. The values stored in each object, such as phone number, address, email, etc., would be your Active Directory. The only difference is that objects like in the mobile app aren’t just limited to people, but AD may also contain group objects such as printers, computers, devices, etc.

Active Directory is vital for organizations as it helps you efficiently manage company users, computers, devices, and applications. For example, IT managers can leverage Active Directory to systematically organize company data in a hierarchy structure, which states which users or computers belong to which network, or which users have access to which network resources, and so forth.

How to Setup Active Directory Domain Controller?

A domain controller contains many computers on the network and allows the system administrators to manage them from the central place. It is a server or computer used to authenticate other computers throughout the network. It stores the login credentials of all other computers and printers in the network.

This section will show you how to install Active Directory Domain Services and set up a domain controller on Windows server 2019.

Follow the below steps to install Active Directory Domain Services:

Step 1 – Login to Windows server 2019 as an administrator and open the Server Manager as shown below:

Step 2 – Click on the Add Roles and Features. This will open the Add Roles and Features Wizard as shown below:

Step 3 – Click on the Next button. You will be asked to select the installation type as shown below:

Step 4 – Select Add Roles and Features Wizard and click on the Next button. Next, you will be asked to select a destination server as shown below:

Step 5 – Select “Select a server from the server pool” and click on the Next button. Next, you will be asked to select server roles as shown below:

Step 6 – Select Active Directory Domain Services and click on the Next button. You will be asked to select features as shown below:

Step 7 – Leave all default settings and click on the Next button. Next, you should see the confirm installations selections page.

Step 8 – Click on the Install button to start the installation. Once the installation has been finished. You should see the following page.

Step 9 – Click on the Close button. You should see the following page.

Step 10– Click on the yellow notification icon. You should see the following page:

Step 11 – Click on Promote this server to a domain controller. You should see the deployment configuration page:

Step 12 – Select add a new forest, define your domain name and click on the Next button. You should see the domain controller options page:

Step 13 – Define your directory service restore mode password and click on the Next button. You should see the DNS options page:

Step 14 – Leave the default configuration and click on the Next button. You will be asked to set a NetBIOS name as shown below:

Step 15 – Set your NetBIOS name and click on the Next button. You will be asked to define AD DS database path location:

Step 16 – Leave the default path as it is and click on the Next button. You should see the review all options page:

Step 17 – Review all the configurations and click on the Next button. You should see the prerequisites check page:

Step 18 – Make sure all prerequisite checks are successfully then click on the Install button. Once the installation has been finished, your system will be restarted automatically.

Verify Domain Controller

Next, you will need to verify whether the Domain Controller is adequately set up or not. Again, you can prove it from PowerShell.

To confirm the successful installation of the services, run the following command on Windows PowerShell.

Get-Service adws,kdc,netlogon,dns

You should see the status of all services on the following screen:

To display all the configuration details of the domain controller, run the following command:

Get-ADDomainController

You should see all the information on the following screen:

To get detailed information about your domain, run the following command:

Get-ADDomain mydomain.com

You should see the next screen:

To display your Active Directory Forest details, run the following command:

Get-ADForest mydomain.com

You should see the next screen:

Create Active Directory Users

After setting up the Active Directory Domain controller, you must create users for the network computers. So that all users are login to the Active Directory Domain Controller from the network computer. You can create a user, group, and computer using the Active Directory Users and Computer tool.

Follow the below steps to create a new user on Active Directory:

Step 1 – Open the Server Manager, go to the Tools menu and select Active Directory Users and Computers as shown below:

Step 2 – Right-click on the Users. You should see the following page:

Step 3 – Click on the New => User. You should see the following page:

Step 4 – Provide your First name, Last name, Logon name, and click on the Next button. You should see the following page:

Step 5 – Set your password and click on the Next button. You should see the following page:

Step 6 – Verify your user information and click on the Finish button.

Install Active Directory Remote Server Administration Tools

Active Directory Remote Server Administration Tools (RSAT) is a handy tool that allows the system administrators to manage Active Directory Domain Controller on a windows server from a computer running Windows 10 or other servers.

RSAT tools set can manage the following service running on the Windows server:

• Server Manager
• Consoles
• Microsoft Management Console (MMC) snap-ins
• Windows PowerShell cmdlets and providers
• Command-line tools to run features on Windows Server
• IP Address Management (IPAM) Tools
• DHCP Tools
• Routing and Remote Access Tools
• Network Policy Server Tools

Follow the below steps to install the RSAT tool on Windows Server 2019:

Step 1 – Open the Server Manager as shown below:

Step 2 – Click on the Add roles and features. You should see the following page:

Step 3 – Select Role-based or feature-based installation and click on the Next button. You should see the following page:

Step 4 – Select “Select a server from the server pool” and click on the Next button. You should see the following page:

Step 5 – Select “Remote Server Administration Tools” and click on the Next button. You should see the following page:

Step 6 – Click on the Add Features. You should see the following page:

Step 7 – Click on the Next button. You should see the following page:

Step 8 – Leave the default settings and click on the Next button. You should see the following page:

Step 9 – Confirm all settings and click on the Install button. Once the installation has been completed, click on the Close button to exit the window.

Step 10 – Now click on the Server Manager => Tools to access the RSAT as shown below:

What Are Active Directory Domain Services?

Active Directory Domain Services (AD DS) is one of the core directory services offered by AD. The main objective of AD DS is to employ authentication and authorization for easier management of access controls for network resources. It is the foundation of your Windows domain network. AD DS will store information about domain members, such as users/devices, verify their credentials and define their rights to access. Domain controller runs this service. Whenever a user logs into a device or tries to access another device in a network, the domain controller is alerted.

Multiple unique services fall under the category of AD DS to manage permissions, identities, and access rights to network resources. These services are as follows:

• Active Directory Certificate Services (AD CS) AD CS is a server role with which you can create a PKI (Public Key Infrastructure) and provide digital certificates for your company. These certificates can be used to authenticate computers and users and encrypt network traffic and application traffic. For example, if you see a browser address with “https”, the “s” stands for security certificate that it uses to encrypt the established communication between server and client.

• Active Directory Federation Services (AD FS) With AD Federation Services, you can employ single sign-on to external systems such as applications and websites. One typical example of the use of AD FS is Office 365. When a user signs in to Office 365, the user ID and password are redirected via the federation server to check whether the entered credentials are authentic against your On-prem AD. This is how it provides authentication to external systems through the local Active Directory.

• Active Directory Lightweight Directory Services (AD LDS) AD LDS offers directory services with the help of LDAP protocol without having to deploy any DCs. The service is used to provide directory service functionally to directory-enabled applications. But, it does not replace AD DS.

• Active Directory Rights Management Services (AD RMS) The service allows you to protect information within digital content. It secures the documents by defining which users can modify, open, view, print, forward, or take similar documents. For enhanced security, you can use local certificates to encrypt documents.

The Hierarchical Structure of Active Directory Domain Services

AD DS systematically organizes company data in a hierarchy that contains domains, trees, and forests. Here’s what the hierarchical structure of AD DS comprises of:

• Domains: A domain contains objects such as devices, groups, and users that fall under the same AD database. Think of a domain as a branch of a tree. A domain will have a structure the same as that of standard domains and subdomains.
• Trees: A tree is formed by grouping one or more domains in a logical hierarchy. All domains within a tree are logically linked; hence they “trust” each other.
• Forest: A forest is a topmost level in the Active Directory of your organization. It contains one or more trees grouped. Trees within a forest are also said to “trust” each other and share catalogs, directory schemas, domain configurations, and application data.
• Organizational units: Organizations Units or OU are used to organize groups, users, computers, and other entities.
• Containers: A container is almost similar to an OU; the only difference is that you cannot link a GPO (Group Policy Object) to a generic container within AD.

Introduction to Active Directory Forests and Trees

An object is a physical element present within a network, and an AD can have multiple objects. Two such objects are Forest and Tree.

Forests

A Forest comprises multiple grouped trees that share a standard global catalog, directory schema, logical structure, and configuration. It features two ways transitive trust relationships by default. The first and foremost domain created within a forest is known as the forest root domain.

In the case of different naming schemas, Forests allows organizations to group their divisions which may need to operate individually. But a company seeks to communicate with their various departments through transitive trusts and share the same schema and configuration container.

Tree

A tree features a group of one or more domains that allow the user to share resources globally. Single or multiple domains exist here in the contiguous namespaces. If you add a domain in the tree, it will become the child of the tree root domain, while the domain it is linked to becomes the parent domain. The child domain utilizes the parent domain’s name and attains the unique DNS (Domain Name System).

For example, if sbs.com is a root domain, you can create one or more child domains to this parent domain, such as sales.sbs.com or transfer.sbs.com. These child domains can also further have sub-child domains such as xyz.sales.sbs.com.

The domains within a tree have a two-way relationship, also known as Kerberos transitive trust relationship. For example, a Kerberos transitive trust implies that if Domain 1 trusts Domain 2, and Domain 2 trusts Domain 3, then Domain 1 trusts Domain 3 as well. In short, it means that a domain added to a tree will immediately establish trust relationships with every other domain inside that tree.

Difference between the Forest and the Tree

The Forest in an Active Directory sits at the highest level and contains multiple trees, while the Tree in an AD includes one or more domains.

Active Directory Trust Relationships and Types

A trust relationship is the formation of a logical link between two domains. One of them is known as the trusting domain, and the other is called the trusted domain. With a trust relationship, the trusting domain will honor the login authentication of the trusted domain.

Usually, the trusted domain stores the users, while the trusting domain comprises network resources. Thus, the users in the trusted domain are trusted and are allowed to access resources stored in the trusting domain.

Trusts can be created manually or automatically. These trusts are further classified into two categories viz—transitive and non-transitive trust. Transitive trust simply implies that if Domain 1 trusts Domain 2 and Domain 2 trusts Domain 3, then Domain 1 trusts Domain 3 as well. Non-transitive trust means that if Domain 1 trusts Domain 2, and Domain 2 trusts Domain 3, then Domain 1 DOES NOT trust Domain 3.

Trusts can further be one-way or two-way. Following are the types of trust relationships that are either one-way or two-way by default:

1. Tree-root trust A tree-root trust implicitly forms when a user adds a new tree root domain within a forest. Only the domains at the topmost part of each tree can take part in the tree-root trust. Tree-root trust is a type of two-way transitive trust that is formed automatically.
2. Parent-Child trust When a user adds a child domain in a tree, a parent-child trust relationship is implicitly formed. The DCPROMO process will automatically create a parent-child trust relationship in a DNS namespace hierarchy between the new domain and the preceding domain. This type of trust is a two-way transitive trust formed automatically.
3. Shortcut trust A system admin manually needs to create a shortcut trust between two domains within a forest. This type of trust is often made in extensive forests to enhance user logon time, specifically for users who logon into computers of other domains within the forest. It is a transitive type of trust, and you can configure it as one-way or two-way.
4. External trust A system admin creates an external trust between two domains belonging to different forests or between a domain in an AD forest and a domain in Windows NT 4.0 or earlier version. This type of trust is commonly created when users migrate resources from a Windows NT 4.0 domain to another domain in an AD. It is a non-transitive type of trust, which can be either one-way or two-way.
5. Forest Trust A system admin creates a forest trust explicitly between two forest root domains (functional for Windows Server 2003 and later domains). Such a type of trust allows all domains in one forest to trust all domains in another forest. Though it is a transitive trust, it will not be transitive against three or more forests. And it can either be one-way or two-way.
6. Realm Trust A system admin may create a realm trust explicitly between a Windows 2003 or later domain and a non-Windows Kerberos realm. This type of trust can be one-way or two-way and transitive or non-transitive.

Those were the core types of trust relationships in an Active Directory. Organizations need to have precise planning in place for trust relationships to ensure users get timely access to network resources they need.

What is Active Directory basics?

Active Directory is a Windows Server utility that controls access rights to system resources. There are two elements to the connection between a user and a resource. The first is credentials management of each user account and the second is a link from each account to a specific resource and the level of access permission granted. Each user will have access rights to many resources. The concept of user groups makes the allocation of access rights a lot easier. Rather than mapping each user account to each resource, the user is allocated to a group and then the permissions of the group to access a list of resources is mapped. Inheritance within the access rights system means that a group member gains all the access rights that are allocated to the group.

What is Active Directory structure?

Active Directory is structured in a hierarchy of three levels. Each collection of access rights definitions is called a Domain. The identity of this package is called a Domain Controller. The Domain Controller is based on a single database instance. Domains can be grouped together in a tree. The tree is like a circle of trust. All of the domains that belong to the same tree share a catalog, so a domain can be thought of a subdivision of the global catalog. For example, each department in a business could be a domain, which contains some of the users that are members of the business. A forest is a collection of trees that use a common catalog be guard different systems. For example, one tree might control on-premises access and the other, a SaaS platform’s accounts that give employees on the site access to the cloud platform’s services.

What are the 4 most important benefits of Active Directory?

Active Directory provides management of four resources:

• Security certificates
• Single Sign-On (SSO)
• Lightweight Directory Access Protocol (LDAP)
• Access rights management (ARM)