
Active Directory basics. Explaining Active Directory to IT professionals
2015 Enterprise Daddy

Contents

Introduction
Active Directory and its components
  Domain Controllers
  Grouping of Domain Controllers
  Inside the Active Directory database
    Objects
    Containers and objects
    Attributes
  Replication and High Availability
    Intrasite and intersite replication
    Global Catalog servers
    Flexible single-master operations
  Functional levels
Active Directory and its networking services
  DNS
    DNS Domain Names
    DNS Zones
    DNS Records
    DNS Servers
  DHCP
    DHCP Authorization
    DHCP and Dynamic DNS
Active Directory in the networking infrastructure
  Device-independent productivity
  Single Sign-On
  Centralized systems management
  Consistent user experience
  Distributed File System for optimized access to files
Best practices when deploying Active Directory
Thank You So Much

Introduction

Microsoft's Active Directory offers a central way for IT systems administrators to manage user accounts and devices within an IT infrastructure network. Changes in Active Directory can be made by these administrators centrally for consistency across the environment. Through Active Directory, people enjoy benefits such as being able to log onto devices and into applications with the same combination of username and password (and optionally other methods of authentication) and use their settings and files across all devices that are members of Active Directory. Optionally, when a device is lost, defective or stolen, people can remain productive on another Active Directory-managed device.

Active Directory and its Components

Domain Controllers

On Microsoft Servers, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. These are Windows Server installations equipped with the Active Directory Domain Services (AD DS) Server Role. Domain Controllers can be physical hosts or virtual machines.

The two most important elements of Domain Controllers are:

1. The Active Directory Database

The Active Directory database (ntds.dit) and its supporting files contain the definition of objects and the configuration of objects. Examples of objects are Containers, Organizational Units, user accounts and computer accounts.

The screenshot below shows you the Active Directory database (ntds.dit) and its supporting files on the file system of a Domain Controller:

2. The Active Directory System Volume

The Active Directory System Volume (SYSVOL) is an SMB-based network share, used to share files with Active Directory members.

There are two different types of domain controllers:

1. Read/write Domain Controllers

These Domain Controllers allow changes to their Active Directory databases and System Volumes from Active Directory members and can be used to bring changes to other Domain Controllers.

2. Read-only Domain Controllers

Read-only Domain Controllers are Domain Controllers that only allow read access to their Active Directory databases and System Volumes. Changes are brought in by Read/write Domain Controllers.

Grouping of Domain Controllers

Domain Controllers are grouped into sites, domains and forests. An Active Directory site typically represents a geographical site of high-speed connectivity. You may think of an Active Directory site as a building. Active Directory sites govern replication between Domain Controllers configured in Active Directory sites. By default, authentication traffic from within an Active Directory site is directed to a Domain Controller in that site. A Domain Controller can only be part of one Active Directory site at a time.

Active Directory domains are containers of replication. By default, all Domain Controllers in a domain can receive changes and replicate those changes to all other Domain Controllers in it. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name.

An Active Directory forest is a collection of one or more Active Directory domains that share a common Active Directory schema.

Most Active Directory environments consist of one Active Directory domain in its own Active Directory forest.

Inside the Active Directory database

The Active Directory database consists of two types of data:

The Active Directory schema: Objects are defined in the schema. This way, their behavior and relationships are shaped. For instance, the fact that a user account object can have a last name where a computer object cannot is defined in the Active Directory schema.

The Active Directory configuration: The objects themselves and the information in their properties (called attributes) are stored in the configuration part of the Active Directory database.

Objects

Each object within the Active Directory configuration is identified with a security identifier, the SID. The security identifier consists of two parts: the domain identification part and the relative identifier (RID), relative to the domain.

In the screenshot below you can see the properties for the Ronnie user object (after the Advanced Features were enabled in the View menu of the Active Directory Users and Computers management tool).

The Security Identifier for the user object used by Ronnie is S-1-5-21-2225613072-2737155430-3758491199-1128. Its relative identifier is 1128.

Containers and objects

Although, strictly speaking, every object is a container in the world of Active Directory, only true container objects have objects under them. Organizational Units (OUs) and Containers (CNs) in the configuration part of the Active Directory database are represented in the Active Directory management tools as folders.

The difference between OUs and CNs is that the first can be used to deploy settings (through Group Policy Objects). The special thing about CNs is that you cannot delete them using standard tooling. Containers that are available in a default Active Directory environment are Builtin, Users and Computers.
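The two-part structure of a SID described above, as an added example that is not part of the original paper: the script splits a SID into its domain part and RID with the .NET SecurityIdentifier class, and flags RIDs below 1000, which Windows reserves for well-known accounts and groups (the `Split-Sid` function name and the second, Administrator-style SID are constructed for the example).

```powershell
# Added example (not from the Enterprise Daddy paper): split a SID into its
# domain part and relative identifier (RID), and flag RIDs that belong to
# well-known principals. Uses only the .NET SecurityIdentifier class, so it
# runs on any Windows host without the ActiveDirectory module.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)

    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    # AccountDomainSid is $null for SIDs that are not domain-relative
    # (for example the well-known SID S-1-1-0, "Everyone").
    $domainSid = $sidObj.AccountDomainSid
    $rid = [int]$Sid.Substring($Sid.LastIndexOf('-') + 1)

    # Well-known domain RIDs reserved by Windows; the RID master never
    # hands out values below 1000 for ordinary new objects.
    $wellKnown = @{
        500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
        512 = 'Domain Admins'; 513 = 'Domain Users'
        516 = 'Domain Controllers'; 518 = 'Schema Admins'
        519 = 'Enterprise Admins'
    }

    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = if ($domainSid) { $domainSid.Value } else { $null }
        Rid       = $rid
        IsBuiltIn = $rid -lt 1000
        WellKnown = $wellKnown[$rid]
    }
}

# Ronnie's SID from the paper (RID 1128, an ordinary object) and a
# constructed SID in the same domain for the built-in Administrator (RID 500).
Split-Sid 'S-1-5-21-2225613072-2737155430-3758491199-1128'
Split-Sid 'S-1-5-21-2225613072-2737155430-3758491199-500'
```

The same domain part with a different RID is how you recognise, for instance, a renamed built-in Administrator account in a log: the name changes, the RID does not.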

In the screenshot of Active Directory Users and Computers below, you can see the Organizational Units and Containers for an Active Directory domain based on Windows Server 2012 R2 Domain Controllers. The Exchange Users, New Users, Security and Distribution Groups and Domain Controllers Organizational Units (OUs) are clearly distinguishable from the containers by their icons.

Attributes

Objects have properties based on the Active Directory schema. These properties are called attributes. Some attributes contain a single value, such as the password last set attribute for a user object. Other attributes may contain multiple values, such as the members attribute of a group object.

Replication and High Availability

Active Directory High Availability is not based on Failover Clustering (like Hyper-V) or log shipping (like Exchange and SQL Server). Instead, Domain Controllers all offer the Active Directory database and System Volume (SYSVOL) to whoever needs the information in it.

When you deploy at least two Domain Controllers for an Active Directory domain, you'll gain redundancy and High Availability for that Active Directory domain. This requires a mechanism to keep the contents of the database in sync between Domain Controllers. Active Directory uses replication between Domain Controllers to keep things in sync.

Replication synchronizes changes that are made on one Domain Controller with all other Domain Controllers in scope of replication. Data integrity is maintained by tracking changes on each Domain Controller and updating other Domain Controllers systematically. Active Directory replication uses a connection topology that is created automatically by the Knowledge Consistency Checker (KCC) to reduce administrative effort, but it can alternatively be modified manually.

Intrasite and intersite replication

Referring back to the previously mentioned Active Directory sites, two types of replication exist:

Intrasite replication

Within an Active Directory site, replication is based on pull replication. After being notified of changes, a Domain Controller will ask the Domain Controller with the change what changes it has seen. To reduce network chatter, intrasite replication is set up by default as a two-way ring topology. This avoids Domain Controllers within a site having to communicate with each of the other Domain Controllers. Instead, the ring topology lets each of them communicate with two of its site siblings.

Intersite replication

Between Active Directory sites, replication is schedule-based and takes place between bridgehead servers. After the default schedule time-out expires (15 minutes by default), the bridgehead Domain Controller for a site asks the bridgehead Domain Controller in the other site for the changes it has seen. Bridgehead Domain Controllers then replicate the changes to the Domain Controllers in their site using intrasite replication.

Replication is also where the schema and configuration parts of the Active Directory database come into play. The schema is replicated and used throughout an Active Directory forest, whereas larger parts of the configuration are only replicated among Domain Controllers of a domain.

Global Catalog servers

The Active Directory databases of Domain Controllers configured as Global Catalog servers maintain all objects within a forest. These Domain Controllers store all attributes for all objects in the domain they are a Domain Controller for, but only the most important attributes for objects in the other domains in the forest. This allows for authorization within the Active Directory forest, for instance the ability to add a group from another domain in the forest to the access control list of a file share in your domain.
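Because both intrasite and intersite replication are pull-based and partner-to-partner, a stalled partner link is the usual way a change fails to reach a site. The following added example (not from the paper) uses the ActiveDirectory module's `Get-ADReplicationPartnerMetadata` cmdlet to list every inbound replication partner of every Domain Controller in the current domain, with the transport type that tells you whether the link is intrasite (RPC) or intersite, and reports links whose last success is older than a threshold; the `Get-ReplicationSummary` function name and the 24-hour default are assumptions of the example.

```powershell
# Added example (not from the Enterprise Daddy paper): summarise inbound
# replication partner status for every Domain Controller in the current
# domain. Requires the ActiveDirectory module (RSAT or a Domain Controller).
Import-Module ActiveDirectory

function Get-ReplicationSummary {
    # Links whose last successful replication is older than this are reported as stale.
    param([int]$StaleHours = 24)

    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        # One row per inbound partner and naming context (domain, schema,
        # configuration, application partitions) of this Domain Controller.
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
        foreach ($p in $partners) {
            $age = (Get-Date) - $p.LastReplicationSuccess
            [pscustomobject]@{
                DC                 = $dc.HostName
                Site               = $dc.Site
                Partner            = $p.Partner
                Partition          = $p.Partition
                IntersiteTransport = $p.IntersiteTransportType   # empty for intrasite (RPC) links
                LastSuccess        = $p.LastReplicationSuccess
                LastResult         = $p.LastReplicationResult    # 0 means the last attempt succeeded
                Failures           = $p.ConsecutiveReplicationFailures
                Stale              = $age.TotalHours -gt $StaleHours
            }
        }
    }
}

# Show only links that need attention: stale, or whose last attempt failed.
Get-ReplicationSummary |
    Where-Object { $_.Stale -or $_.LastResult -ne 0 } |
    Format-Table -AutoSize
```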

Flexible single-master operations

When it comes to replication, a couple of bottlenecks can be identified. Since all Domain Controllers are able to commit to the database simultaneously, replication collisions may occur. Therefore, Active Directory replication works with five Flexible Single Master Operations (FSMO) roles:

The Primary Domain Controller emulator

The Domain Controller in the domain with the Primary Domain Controller emulator (PDCe) FSMO role is authoritative for the replication of password changes, group policy changes and Distributed File Services (DFS) changes. A Domain Controller will replicate these changes to the PDCe first, which in turn will replicate them to the other Domain Controllers. This way, when a colleague changes the password for a user object in a site across the globe, and I use the new password in my site, the PDCe will be able to tell me that the new password is correct even though the Domain Controller in my site has not received the change yet. The Domain Controller with the PDCe FSMO role also serves as the default time server for all other Domain Controllers in the domain.

The RID pool master

SIDs, and thus RIDs, are used to create new objects. The Domain Controller with the RID pool master FSMO role is responsible for avoiding RID-based object creation collisions. To this purpose, it hands out 500-object RID pools to Domain Controllers within the Active Directory domain. When a Domain Controller depletes its 500-object RID pool, all it has to do is ask for a new pool.

The infrastructure master

The Domain Controller with the Infrastructure Master FSMO role is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of the previously mentioned Global Catalog servers. Domain Controllers configured as Global Catalog servers receive regular updates for objects in all domains through replication, so the Global Catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a Global Catalog. The infrastructure master then replicates that updated data to the other Domain Controllers in the domain.

The schema master

The Domain Controller with the Schema Master FSMO role is responsible for the integrity of the Active Directory schema. Since schema changes impact all objects on all Domain Controllers within an Active Directory forest, changes to the Active Directory schema occur on the Domain Controller with the Schema Master FSMO role and are replicated from there.
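The five FSMO roles (the four above and the domain naming master described next), as an added example that is not part of the original paper: the ActiveDirectory module exposes the domain-wide holders through `Get-ADDomain` and the forest-wide holders through `Get-ADForest`, which gives the same answer as the `netdom query fsmo` command the paper mentions, and the script adds a reachability test on the LDAP port and prints the domain and forest functional levels; the `Get-FsmoReport` function name is an assumption of the example.

```powershell
# Added example (not from the Enterprise Daddy paper): report the holders of
# the five FSMO roles, test that each holder answers on TCP 389 (LDAP), and
# show the domain and forest functional levels. Requires the ActiveDirectory
# module; Test-NetConnection is built into Windows 8 / Server 2012 and later.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Domain-wide roles live on the domain object, forest-wide roles on the forest object.
    $roles = [ordered]@{
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # An unreachable holder means password changes, RID pool requests or
        # schema changes will queue or fail until the role is back online.
        $ldapOpen = Test-NetConnection -ComputerName $holder -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role; Holder = $holder; LdapOpen = $ldapOpen }
    }

    # Functional levels govern the minimum OS version of Domain Controllers.
    [pscustomobject]@{
        Role     = 'Functional levels'
        Holder   = "Domain: $($domain.DomainMode); Forest: $($forest.ForestMode)"
        LdapOpen = $null
    }
}

Get-FsmoReport | Format-Table -AutoSize
```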

The domain naming master

The second forest-wide FSMO role is the Domain Naming Master role. The Domain Controller holding this role is authoritative for the Active Directory domains within an Active Directory forest. When you add or remove a domain to a forest, the change originates from the Domain Controller holding the Schema Master FSMO role and replicates from there.

Using the netdom query fsmo command, you can quickly find out which Domain Controllers hold the FSMO roles in an Active Directory environment:

Functional levels

Active Directory domains and forests are configured with a functional level. These levels govern the minimum Windows Server Operating System (OS) version for Domain Controllers. Raising these levels unlocks new functionality.

When you raise the Active Directory Domain Functional Level (DFL), you remove the ability to run and promote Windows Servers below that version in the Active Directory domain. You can only upgrade when all Domain Controllers with earlier Windows Server versions are removed from the domain or upgraded.

After all Active Directory domains in an Active Directory forest have their Domain Functional Level (DFL) raised to a certain version, you can raise the Active Directory Forest Functional Level (FFL) for the forest.

Active Directory and its networking services

DNS

Active Directory relies heavily on the Domain Name System (DNS). First of all, each Active Directory domain is represented by a DNS domain name. Within an Active Directory forest, multiple domains may share a common DNS name tree or have separate DNS domain names. Secondly, Active Directory-joined devices use DNS to locate Active Directory services like Domain Controllers.

You might already know a lot about DNS since it is commonly used on the internet. It is used to find the IPv4 and IPv6 addresses of websites you want to visit. In relation to Active Directory, there's a little more to it:

DNS Domain Names

The Domain Name System (DNS) is a hierarchical naming system. Its highest level is the root. Beneath the root you'll find top level domains (TLDs), like .com, .net and .org. Then, there's the domain name portion, which can be registered: EnterpriseDaddy.com is a registered domain name for the company named Enterprise Daddy.

When an Active Directory domain is created, a DNS domain name must be specified. Microsoft's best practice is to register a domain name on the internet and use that, or an internal sub-domain beneath it, as the Active Directory DNS domain name. This provides the best interoperability and connectivity to the outside world.

DNS Zones

For each of the hierarchical layers in the Domain Name System (DNS), two corresponding DNS zone types exist:

Forward Lookup Zones

DNS Forward Lookup Zones contain DNS records that allow you to convert a DNS name to IPv4 and IPv6 addresses.

Reverse Lookup Zones

DNS Reverse Lookup Zones perform the reverse job of Forward Lookup Zones. They allow DNS clients to get a DNS name for a specific IPv4 or IPv6 address.

DNS Records

DNS Zones contain DNS Records. In DNS Forward Lookup Zones, A and AAAA records contain information on the IPv4 and IPv6 addresses associated with certain hostnames, like www. DNS Forward Lookup Zones used by Active Directory typically contain a lot of SRV records to point to IPv4 and IPv6 addresses for Active Directory functionality like Domain Control
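The SRV records that let joined devices locate Domain Controllers, as an added example that is not part of the original paper and that goes a little beyond it by also querying the PDC emulator and Global Catalog locator names: the script resolves the `_msdcs` locator records for a DNS domain with the built-in `Resolve-DnsName` cmdlet and checks that every advertised target still has an A record, since a stale SRV entry pointing at a decommissioned server is a common cause of slow or failed logons; the `Get-DcSrvRecords` function name is an assumption of the example, and the domain defaults to the one the current computer is joined to.

```powershell
# Added example (not from the Enterprise Daddy paper): resolve the DNS SRV
# records that Active Directory-joined clients use to find Domain Controllers,
# and verify that each advertised target still resolves to an IPv4 address.
function Get-DcSrvRecords {
    param([string]$DnsDomain = $env:USERDNSDOMAIN)

    # Locator names that Domain Controllers register under _msdcs.<domain>.
    $services = @(
        "_ldap._tcp.dc._msdcs.$DnsDomain",       # any Domain Controller (LDAP)
        "_kerberos._tcp.dc._msdcs.$DnsDomain",   # Kerberos KDC
        "_ldap._tcp.pdc._msdcs.$DnsDomain",      # the PDC emulator
        "_ldap._tcp.gc._msdcs.$DnsDomain"        # Global Catalog servers
    )

    foreach ($name in $services) {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            # No record at all: clients cannot locate this service via DNS.
            [pscustomobject]@{ Service = $name; Target = $null; Port = $null
                               Priority = $null; Weight = $null; Resolves = $false }
            continue
        }
        foreach ($r in $srv) {
            # A target without an A record is a stale registration.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service  = $name
                Target   = $r.NameTarget
                Port     = $r.Port
                Priority = $r.Priority
                Weight   = $r.Weight
                Resolves = [bool]$a
            }
        }
    }
}

Get-DcSrvRecords | Format-Table -AutoSize
```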