Basic concepts of Active Directory

The Active Directory service

Active Directory is an extensible and scalable directory service that lets you manage network resources efficiently.

Active Directory is a hierarchically organized store of data about network objects, with convenient means for finding and using that data. A computer running Active Directory is called a domain controller. Almost every administrative task touches Active Directory in some way.

Active Directory is built on standard Internet protocols and helps to define the structure of the network clearly.

Active Directory and DNS

Active Directory uses the Domain Name System.

The Domain Name System (DNS) is a standard Internet service that organizes groups of computers into domains. DNS domains are arranged in a hierarchy that forms the basis of the Internet: different levels of this hierarchy identify individual computers, organizational domains, and top-level domains. DNS also resolves host names, such as zeta.webatwork.com, to numeric IP addresses, such as 192.168.19.2. Through DNS, the Active Directory domain hierarchy can either be placed inside the Internet namespace or kept private and isolated from external access.

Resources in a domain are accessed by their fully qualified host name, such as zeta.webatwork.com. Here zeta is the name of the individual computer, webatwork is the organization's domain, and com is the top-level domain. Top-level domains form the foundation of the DNS hierarchy and are therefore sometimes called root domains (strictly speaking, the root is the unnamed "." zone above them). They are organized geographically, with names based on two-letter country codes (ru for Russia), by type of organization (com for commercial organizations), and by purpose (mil for military organizations).

Ordinary domains such as microsoft.com are called parent domains because they form the basis of the organizational structure. A parent domain can be divided into subdomains for departments or remote branches. For example, the full name of a computer in the Microsoft office in Seattle might be jacob.seattle.microsoft.com, where jacob is the computer name, seattle is the subdomain, and microsoft.com is the parent domain. Another name for a subdomain is child domain.

Components of Active Directory

Active Directory combines physical and logical structures for network components. The logical structures help organize directory objects and manage network accounts and shared resources. The logical structure consists of the following elements:

organizational unit (OU) - a subgroup of computers and other objects, usually reflecting the structure of the company;

domain - a group of computers sharing a common directory database;

domain tree - one or more domains sharing a contiguous namespace;

domain forest - one or more domain trees that share directory information.

The physical elements help plan the actual layout of the network. Physical structures determine network links and the physical boundaries of network resources. The physical structure consists of the following elements:

subnet - a group of computers with a given range of IP addresses and a network mask;

site - one or more subnets. Sites are used to configure directory access and replication.

Organizational units

Organizational units (OUs) are subgroups within a domain that often reflect the functional structure of the organization. OUs are logical containers that hold accounts, shared resources, and other OUs. For example, in the domain microsoft.com you could create the OUs Resources, IT, and Marketing, and later extend this scheme with child OUs.

An OU can hold only objects from its own domain. For example, OUs in the seattle.microsoft.com domain contain only objects from that domain; objects from my.microsoft.com cannot be added to them. OUs are very convenient for modelling the functional or business structure of an organization, but that is not the only reason to use them.

OUs allow Group Policy to be applied to a small set of resources in the domain without applying it to the whole domain. An OU creates a compact, more manageable view of the directory objects in a domain, which helps manage resources more efficiently.

OUs also allow administrative authority to be delegated and administrative access to domain resources to be controlled, so limits can be placed on what administrators in the domain may do. It is possible to give user A administrative rights over only one OU, while giving user B administrative rights over all OUs in the domain. Note that an OU is not a security principal: the delegated rights live in the ACL of the OU and of the objects beneath it, and delegation at an OU never restricts accounts that already hold domain-wide rights.

Domains

An Active Directory domain is a group of computers that share a common directory database. Active Directory domain names must be unique. For example, there cannot be two domains named microsoft.com, but there can be a parent domain microsoft.com with child domains seattle.microsoft.com and my.microsoft.com. If the domain is part of a private network, its name must not conflict with any other domain name on that network. If the domain is part of the global Internet, its name must not conflict with any existing Internet domain name. To guarantee uniqueness on the Internet, the parent domain name must be registered through an accredited registrar.

Each domain has its own security policies and trust relationships with other domains. Domains are often spread across several physical locations, that is, they consist of several sites, and sites span several subnets. The domain directory database stores objects defining user, group, and computer accounts, as well as shared resources such as printers and folders.

A domain's functions are limited and governed by its functional level (called "mode" in some documentation). There are four domain functional levels:

Windows 2000 mixed mode - supports domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003;

Windows 2000 native mode - supports domain controllers running Windows 2000 and Windows Server 2003;

Windows Server 2003 interim mode - supports domain controllers running Windows NT 4.0 and Windows Server 2003;

Windows Server 2003 mode - supports only domain controllers running Windows Server 2003.

Raising a functional level is a one-way operation: once raised, older domain controllers can no longer be added, so plan it around the controllers you intend to keep.

Forests and trees

Every Active Directory domain has a DNS-style name such as microsoft.com. Domains that share directory data form a forest. Within the DNS name hierarchy the domain names of a forest are either contiguous or non-contiguous. Note that the forest, not the domain, is the security boundary: every domain in a forest trusts every other domain transitively, and the schema and configuration partitions are shared by all of them, so a compromise of any domain controller in the forest can affect the whole forest.

Domains with a contiguous name structure form a domain tree. If domains in a forest have non-contiguous DNS names, they form separate domain trees within the forest. A forest can contain one or more trees. Domain structures are managed with the Active Directory Domains and Trusts console.
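The naming rules above (host/domain/top-level split, parent and child domains, contiguous names forming a tree, non-contiguous names forming separate trees in one forest) are mechanical enough to check in code. The following is an added example written for this page, not code from the original text or from Microsoft; the sample forest and host names are constructed. It groups a list of domain DNS names into trees by comparing DNS labels from the right, which is also why evilmicrosoft.com is correctly not treated as a child of microsoft.com.

```python
"""Group the DNS names of the domains in a forest into domain trees.

Added example for the DNS naming and "Forests and trees" passages above; it
is not part of the original text. It applies the rule stated there: domains
whose names form a contiguous DNS namespace (parent and child, such as
microsoft.com and seattle.microsoft.com) belong to one tree, and a domain whose
name is not under any other domain of the forest is the root of its own tree.
The sample forest below is constructed for illustration.
"""
from typing import Dict, List, Optional


def labels(fqdn: str) -> List[str]:
    """DNS labels of a name, lowest level first, lower-cased (DNS is case-insensitive)."""
    return [part.lower() for part in fqdn.strip(".").split(".") if part]


def is_child(child: str, parent: str) -> bool:
    """True if `child` lies directly or indirectly below `parent` in DNS.

    The check is label by label, so evilmicrosoft.com is not a child of
    microsoft.com even though the string ends with "microsoft.com".
    """
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[len(c) - len(p):] == p


def nearest_parent(domain: str, forest: List[str]) -> Optional[str]:
    """The forest domain that is the closest ancestor of `domain`, if any."""
    parents = [d for d in forest if is_child(domain, d)]
    return max(parents, key=lambda d: len(labels(d))) if parents else None


def group_into_trees(forest: List[str]) -> Dict[str, List[str]]:
    """Map each tree root to that tree's domains, root first, then by depth."""
    roots = [d for d in forest if nearest_parent(d, forest) is None]
    trees: Dict[str, List[str]] = {}
    for root in sorted(roots):
        members = [d for d in forest if d == root or is_child(d, root)]
        trees[root] = sorted(members, key=lambda d: (len(labels(d)), d))
    return trees


def split_fqdn(fqdn: str) -> Dict[str, str]:
    """Split a fully qualified host name into host, domain and top-level domain."""
    parts = fqdn.strip(".").split(".")
    if len(parts) < 3:
        raise ValueError(f"not a fully qualified host name: {fqdn}")
    return {"host": parts[0], "domain": ".".join(parts[1:]), "tld": parts[-1]}


# Constructed sample: a tree rooted at microsoft.com and a second tree rooted
# at msn.com, a non-contiguous name that still belongs to the same forest.
SAMPLE_FOREST = [
    "microsoft.com", "seattle.microsoft.com", "my.microsoft.com",
    "dev.seattle.microsoft.com", "msn.com", "labs.msn.com",
]

if __name__ == "__main__":
    for root, members in group_into_trees(SAMPLE_FOREST).items():
        print(root, "->", members)
    print(split_fqdn("jacob.seattle.microsoft.com"))
```

Running the block prints two trees (microsoft.com with its three descendants, msn.com with labs.msn.com) and the host/domain/TLD split of jacob.seattle.microsoft.com. The same suffix logic is what you want whenever a trust or policy decision is keyed on a DNS name: compare labels, never raw string suffixes.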

A forest's functions are limited and governed by the forest functional level. There are three such levels:

Windows 2000 - supports domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003;

Windows Server 2003 interim - supports domain controllers running Windows NT 4.0 and Windows Server 2003;

Windows Server 2003 - supports only domain controllers running Windows Server 2003.

The most advanced Active Directory features are available at the Windows Server 2003 forest functional level. If all domains in the forest run at this level, you get improved global catalog replication and more efficient replication of Active Directory data in general. You can also deactivate schema classes and attributes, use dynamic auxiliary classes, rename domains, and create one-way, two-way, and transitive forest trusts between forests.

Sites and subnets

A site is a group of computers on one or more IP subnets, used to plan the physical structure of a network. Sites are planned independently of the logical domain structure. Active Directory allows several sites within a single domain, or a single site spanning several domains.

Unlike a site, which can span several IP address ranges, a subnet has a fixed IP address range and network mask. Subnet names are written in the form network/bitmask, for example 192.168.19.0/24, where the network address 192.168.19.0 and the mask 255.255.255.0 combine to form the subnet name 192.168.19.0/24.

Computers are assigned to sites according to the subnet, or set of subnets, their address belongs to. If computers on a set of subnets can communicate with each other at sufficiently high speed, they are said to be well connected.
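The subnet-to-site assignment just described is a longest-prefix match: a domain controller looks for the most specific subnet object that contains the client's address. The following is an added example for this page, not code from the original text or from Windows itself; the subnet table and client addresses are constructed. It also flags clients that no subnet object covers, which is the usual cause of slow logons and of the NO_CLIENT_SITE entries that appear in a domain controller's Netlogon log.

```python
"""Assign a client to an Active Directory site the way a domain controller
does: by the most specific subnet object that contains the client's address.

Added example for the "Sites and subnets" passage above; it is not part of
the original text. The subnet-to-site table and the client addresses are
constructed for illustration.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed subnet objects, written as network/bitmask -> site name.
SUBNET_TO_SITE: Dict[str, str] = {
    "192.168.19.0/24": "Seattle",
    "192.168.19.128/25": "Seattle-Lab",   # more specific than the /24 above
    "10.0.0.0/8": "HQ",
    "10.50.0.0/16": "Denver",
}


def site_for(ip: str, table: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Return the site of the longest-prefix subnet object containing `ip`.

    Active Directory uses the most specific matching subnet, so a /25 carved
    out of a /24 wins for addresses inside it. None means no subnet object
    covers the address; such clients get no site, are served by whatever
    domain controller answers, and show up in the Netlogon log (netlogon.log)
    on the domain controller as NO_CLIENT_SITE entries.
    """
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in table.items():
        net = ipaddress.ip_network(cidr, strict=True)  # rejects e.g. 192.168.19.5/24
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, site)
    return best[1] if best is not None else None


def well_connected(ip_a: str, ip_b: str, table: Dict[str, str] = SUBNET_TO_SITE) -> bool:
    """Two clients are treated as well connected when they map to the same site."""
    site_a, site_b = site_for(ip_a, table), site_for(ip_b, table)
    return site_a is not None and site_a == site_b


def unmapped(clients: Dict[str, str], table: Dict[str, str] = SUBNET_TO_SITE) -> Dict[str, str]:
    """Hosts (name -> ip) that no subnet object covers: the list to fix in
    Active Directory Sites and Services before they cause slow logons."""
    return {name: ip for name, ip in clients.items() if site_for(ip, table) is None}


if __name__ == "__main__":
    for ip in ("192.168.19.2", "192.168.19.200", "10.50.1.1", "172.16.0.1"):
        print(ip, "->", site_for(ip))
```

The `strict=True` argument matters: Active Directory rejects subnet objects whose host bits are not zero, and a table built from a misread configuration export should fail loudly here rather than silently mapping the wrong range.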

Ideally a site consists of well-connected subnets and computers. If links between subnets and computers are slow, it may be necessary to create several sites. Good connectivity within a site gives the following advantages.

When a client logs on to the domain, the authentication process first looks for a domain controller in the client's own site, so local controllers are queried first whenever possible; this limits network traffic and speeds up authentication.

Directory information is replicated more often within a site than between sites. This reduces the network traffic caused by replication and ensures that local domain controllers receive updated information quickly.

The order in which directory data is replicated can be tuned with site links; for example, a bridgehead server can be designated for replication between sites.

The bulk of the inter-site replication load then falls on that dedicated server rather than on any available server in the site. Sites and subnets are configured in the Active Directory Sites and Services console.

Working with Active Directory domains

In Windows Server 2003, Active Directory is configured together with DNS. However, Active Directory domains and DNS domains have different purposes. Active Directory domains help manage accounts, resources, and security.

The DNS domain hierarchy serves primarily for name resolution.

Computers running Windows XP Professional and Windows 2000 can take full advantage of Active Directory. They operate as Active Directory clients on the network and have access to the transitive trusts that exist within a domain tree or forest. These trusts let authorized users access resources in any domain in the forest.

A Windows Server 2003 system functions either as a domain controller or as a member server. A member server becomes a domain controller when Active Directory is installed on it; a domain controller is demoted to a member server when Active Directory is removed.

Both processes are performed with the Active Directory Installation Wizard (dcpromo). A domain can have several domain controllers. They replicate directory data among themselves using a multi-master replication model, in which any controller can process directory changes and then propagate them to the other controllers. Because of this multi-master design, all controllers have equal responsibility by default. You can, however, give some domain controllers precedence over others for particular tasks, for example by creating a bridgehead server that takes priority when replicating directory data to other sites.

In addition, some tasks are best performed on a dedicated server. A server that handles a specific type of task is called an operations master.

All Windows 2000, Windows XP Professional, and Windows Server 2003 computers that are joined to a domain have accounts, stored like other resources as Active Directory objects. Computer accounts are used to control access to the network and its resources. Before a computer can access the domain using its account, it must pass authentication.

Directory structure

Directory data is made available to users and computers through the data store and the global catalogs. Although most Active Directory functions work on the data store, global catalogs (GCs) are just as important, since they are used during logon and for directory searches. If no GC is available, ordinary users cannot log on to the domain (members of Domain Admins can still log on). The only way around this is to cache universal group memberships locally.

Access to and distribution of Active Directory data are provided by directory access protocols and by replication.

Replication is needed to distribute updated data to the domain controllers. The main method is multi-master replication, but some changes are handled only by specialized controllers, the operations masters.

The way multi-master replication works in Windows Server 2003 has also changed with the introduction of application directory partitions. Through them, administrators can create replication partitions in the forest: logical structures used to control replication within the forest. For example, you can create a partition that carries DNS data and is replicated only to the domain controllers that host a replica of it; the other domain controllers in the domain then do not replicate that DNS data at all.

Application directory partitions can be a child of a domain, a child of another application partition, or a new tree in the forest. Partition replicas can be hosted on any Active Directory domain controller, including global catalog servers. Although application directory partitions are useful in large domains and forests, they increase planning, administration, and maintenance overhead.

Data store

The data store contains information about the most important Active Directory objects: accounts, shared resources, OUs, and Group Policy objects. The data store is sometimes simply called the directory. On a domain controller the directory is held in the file NTDS.DIT, whose location is chosen during Active Directory installation (it must be on an NTFS volume). NTDS.DIT contains the password hashes of every account in the domain, so any copy of it, including backups, shadow copies, and virtual disk images, must be protected as strictly as the domain controller itself. Some directory data is stored separately from the main store; for example, Group Policy templates, scripts, and similar information are kept in the SYSVOL system share.

Making directory information available is called publishing. For example, when a printer is shared on the network it is published; information about shared folders is published in the same way. Domain controllers replicate most changes to the data store in multi-master fashion. An administrator of a small or medium-sized organization rarely has to manage data store replication, because it is automatic, but it can be tuned to the particulars of the network architecture.

Replicated directory data falls into three categories:

domain data - information about objects in the domain, including accounts, shared resources, OUs, and Group Policy objects;

configuration data - information about the directory topology: the list of all domains, trees, and forests and the location of domain controllers and GC servers;

schema data - information about all object classes and data types that can be stored in the directory. The default Windows Server 2003 schema describes account objects, shared resource objects, and more, and can be extended by defining new classes and attributes or by adding attributes to existing classes.

Global catalog

If universal group membership caching is not in use, logon relies on the universal group membership information provided by the GC.

The GC also provides directory searches across all domains in the forest. A domain controller acting as a GC server stores a full replica of all directory objects in its own domain and a partial replica of the objects in every other domain in the forest.

Only some object attributes are needed for logon and searching, so partial replicas suffice. Building a partial replica requires replicating less data, which reduces network traffic.

By default, the first domain controller in the forest becomes a GC server. So if there is only one controller in the domain, the GC server and the domain controller are the same machine. The GC can be placed on another controller to reduce logon response time and speed up searches. It is recommended to have at least one GC in every site of the domain.

A remote office without a GC server is a common problem, and there are several ways to solve it. You can, of course, make one of the domain controllers in the remote office a GC server. The drawback is the extra load on that server, which may require additional resources and careful planning of its availability.

Another way to solve the problem is to cache universal group memberships locally. With caching enabled, any domain controller can service logon requests locally without contacting a GC server. This speeds up logon, eases the situation when a GC server fails, and reduces replication traffic.

Instead of periodically refreshing the entire GC across the network, it is enough to refresh the cached universal group membership information. By default the refresh occurs every eight hours on every domain controller that uses local caching of universal group membership.

Universal group membership caching is enabled per site. Recall that a site is a physical structure consisting of one or more subnets, each with its own range of IP addresses and a network mask. The domain controllers in the site must run Windows Server 2003, and the site setting names the site whose GC is used to refresh the cache. If there are several sites, caching has to be enabled on each of them. In addition, the users logging on in the site must belong to a Windows Server 2003 domain running at the Windows Server 2003 forest functional level.

Replication in Active Directory

The directory stores three kinds of information: domain data, schema data, and configuration data. Domain data is replicated to all domain controllers in the domain. All domain controllers are peers: any change made on any domain controller is replicated to all the others. Schema and configuration data are replicated to every domain controller in the tree or forest. In addition, all objects of the local domain and a subset of the attributes of every object in the forest are replicated to the GC. So an ordinary domain controller stores and replicates the schema for the forest, the configuration information for all domains in the forest, and all directory objects and attributes of its own domain.

A domain controller that hosts the GC stores and replicates the schema information for the forest, the configuration information for all domains in the forest, a limited set of attributes for every directory object in the forest (this partial set replicates only between GC servers), and all directory objects and attributes of its own domain.

To understand how replication works, consider the following scenario for setting up a new network.

1. The first domain controller is installed in domain A. This server is the only domain controller, and it is also the GC server. No replication takes place, because there are no other controllers.

2. A second domain controller is installed in domain A, and replication begins. One controller can be designated the infrastructure master and the other the GC server. The infrastructure master tracks and requests GC updates for objects that have changed. (The infrastructure master should not itself be a GC server unless every domain controller in the domain is a GC: a GC never holds stale cross-domain references to correct, so the role would silently stop doing its job.) Both controllers also replicate schema and configuration data.

3. A third domain controller, without a GC, is installed in domain A. The infrastructure master watches for GC updates, requests them for changed objects, and replicates the changes to the third domain controller. All three controllers also replicate schema and configuration data.

4. A new domain B is created and domain controllers are added to it. The GC servers in domain A and domain B replicate all schema and configuration data and a subset of the domain data of each domain. Replication in domain A continues as described above, and replication begins within domain B.

Active Directory and LDAP

The Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol that runs over TCP/IP. LDAP was designed specifically for accessing directory services with minimal overhead, and it also defines the operations used to query and modify directory information.

Active Directory clients use LDAP to communicate with computers running Active Directory whenever they log on to the network or search for shared resources. LDAP simplifies integrating directories and migrating to Active Directory from other directory services. For broader compatibility, the Active Directory Service Interfaces (ADSI) can be used. Plain LDAP on TCP port 389 carries queries and simple binds in cleartext; in practice, require LDAP signing or use LDAP over TLS (LDAPS, port 636) so that credentials and directory data cannot be read or altered on the wire.

Operations master roles

An operations master performs tasks that are impractical in a multi-master replication model. There are five operations master roles (also known as FSMO roles), which can be assigned to one or more domain controllers. Some roles must be unique at the forest level; for others, uniqueness at the domain level is sufficient. The following roles must exist in every Active Directory forest:

schema master - manages updates and changes to the directory schema. Updating the schema requires access to the schema master. To find out which server currently holds the schema master role, open a command prompt and enter: dsquery server -hasfsmo schema

domain naming master - manages the addition and removal of domains in the forest. Adding or removing a domain requires access to the domain naming master. To find out which server currently holds this role, enter: dsquery server -hasfsmo name

These two forest-wide roles must be unique within the forest.

The following roles are mandatory in every Active Directory domain:

relative ID master (RID master) - allocates blocks of relative identifiers to domain controllers. Every time a user, group, or computer object is created, the controller assigns it a unique SID consisting of the domain SID plus a relative identifier taken from the block the RID master allocated to that controller. To find out which server currently holds the RID master role, enter: dsquery server -hasfsmo rid

PDC emulator - in mixed or interim domain mode acts as the Windows NT primary domain controller: it authenticates Windows NT logons, processes password changes, and replicates updates to the NT backup domain controllers (BDCs). It remains important in native mode as well, for example as the domain's authoritative time source and as the controller to which password changes are forwarded immediately, so that a logon with a freshly changed password is not rejected by a controller that has not yet received it through replication. To find out which server currently holds the role, enter: dsquery server -hasfsmo pdc

infrastructure master - updates cross-domain object references by comparing its directory data with the global catalog. If its data is out of date, it requests updates from the GC and replicates them to the other domain controllers in the domain. To find out which server currently holds the role, enter: dsquery server -hasfsmo infr

These domain-wide roles must be unique within the domain. In other words, there can be only one RID master, one PDC emulator, and one infrastructure master per domain.
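The RID master's job is easiest to see by taking a SID apart. The following is an added example for this page, not code from the original text or from Windows; the domain SID and RID block below are constructed, while the S-1-5-21 prefix and the well-known RIDs (500 Administrator, 502 krbtgt, 512 Domain Admins, 513 Domain Users, 518 Schema Admins, 519 Enterprise Admins) are standard Windows values. The `RidPool` class models one domain controller's slice of the RID space, which is why object creation on any controller still yields forest-unique SIDs.

```python
"""Take a security identifier apart into the domain SID and the relative
identifier (RID) that the RID master hands out to domain controllers in blocks.

Added example for the RID master passage above; it is not part of the original
text. SID strings in this module are constructed; the S-1-5-21 prefix and the
well-known RIDs are standard Windows values.
"""
from typing import Dict, Tuple

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_RIDS = {500, 512, 518, 519}


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID).

    Raises ValueError for anything that is not a domain account SID: those
    always carry the S-1-5-21 prefix, three 32-bit sub-authorities that
    identify the domain, and a trailing RID. Built-in SIDs such as
    S-1-5-32-544 (BUILTIN\\Administrators) are local, not domain, SIDs.
    """
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid}")
    subs = [int(p) for p in parts[4:]]
    if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range: {sid}")
    return "-".join(parts[:7]), subs[3]


def describe(sid: str) -> Dict[str, object]:
    """Domain SID, RID, well-known name (if any) and whether the RID is privileged."""
    domain, rid = parse_sid(sid)
    return {"domain_sid": domain, "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid),
            "privileged": rid in PRIVILEGED_RIDS}


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two accounts belong to the same domain iff their domain SIDs match."""
    return parse_sid(sid_a)[0] == parse_sid(sid_b)[0]


class RidPool:
    """One domain controller's block of RIDs, as allocated by the RID master.

    Each controller creates objects only from its own block and asks the RID
    master for a new one when the block runs low. Two controllers never hold
    overlapping blocks, which is what keeps SIDs unique even though any
    controller may create accounts. If the RID master is unreachable and the
    block is exhausted, object creation fails rather than reusing a RID.
    """

    def __init__(self, domain_sid: str, first: int, last: int) -> None:
        self.domain_sid, self.next_rid, self.last = domain_sid, first, last

    def remaining(self) -> int:
        return self.last - self.next_rid + 1

    def new_sid(self) -> str:
        if self.next_rid > self.last:
            raise RuntimeError("RID pool exhausted; request a new block from the RID master")
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        return sid


if __name__ == "__main__":
    dom = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
    print(describe(dom + "-512"))
    pool = RidPool(dom, 1100, 1599)                     # constructed block of 500 RIDs
    print(pool.new_sid(), pool.remaining(), "left")
```

A practical use of `describe` is triage: when a log or a token lists a SID you do not recognise, checking the RID against the well-known set tells you immediately whether it is a built-in privileged principal or an ordinary account, without a directory lookup.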

Operations master roles are normally assigned automatically, but they can be reassigned. When a new network is set up, all operations master roles go to the first domain controller of the first domain. If a new child domain or a new tree root domain is created later, the operations master roles are again assigned automatically to its first domain controller. In a new forest, that domain controller receives all five roles. If a new domain is created in an existing forest, its first controller receives the RID master, PDC emulator, and infrastructure master roles; the schema master and domain naming master roles remain with the forest root domain.

If there is only one domain controller in a domain, it holds all operations master roles. If the network consists of a single site, the default placement of the operations masters is optimal. As domain controllers and domains are added, however, it sometimes becomes necessary to move operations master roles to other domain controllers.

If a domain has two or more domain controllers, it is advisable to plan for two of them to host the operations master roles: one as the active operations master and another as a standby to which the roles can be transferred when needed (or seized, if the original holder has failed permanently; a seized role holder must never be brought back online afterwards).

Administering Active Directory

Using Active Directory, computer accounts are created and joined to the domain, and computers, domain controllers, and organizational units (OUs) are managed.

Administration and support tools are provided to manage Active Directory. The tools listed below are implemented as snap-ins for the Microsoft Management Console (MMC):

Active Directory Users and Computers - manages users, groups, computers, and organizational units (OUs);

Active Directory Domains and Trusts - works with domains, domain trees, and domain forests;

Active Directory Sites and Services - manages sites and subnets;

Resultant Set of Policy - shows the policy currently in effect for a user or computer and lets you model planned policy changes.

In Microsoft Windows Server 2003 these snap-ins are available directly from the Administrative Tools menu.

Another administration tool is the Active Directory Schema snap-in, which lets you view and modify the directory schema. It is not listed by default: it must first be registered with regsvr32 schmmgmt.dll and then added to a custom MMC console.

Active Directory command-line utilities

Command-line tools are available for managing Active Directory objects and cover a wide range of administrative tasks:

DSADD - adds computers, contacts, groups, OUs, and users to Active Directory.

DSGET - displays the properties of computers, contacts, groups, OUs, users, sites, subnets, and servers registered in Active Directory.

DSMOD - modifies the properties of computers, contacts, groups, OUs, users, and servers registered in Active Directory.

DSMOVE - moves a single object to a new location within a domain, or renames an object without moving it.

DSQUERY - searches Active Directory for computers, contacts, groups, OUs, users, sites, subnets, and servers that match given criteria.

DSRM - removes an object from Active Directory.

NTDSUTIL - displays information about a site, domain, or server, manages operations masters, and maintains the Active Directory database. Because it can also write out a complete copy of that database (its install-from-media option), its use should be restricted to domain administrators and its execution monitored.

Any novice user who encounters the abbreviation AD wonders what Active Directory is. Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Originally the service dealt only with domains; since Windows Server 2008, however, Active Directory has become the umbrella name for a range of directory-based identity services. This makes Active Directory a good topic for beginners to learn.

Basic definition

A server that runs Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policy on all computers, and installs or updates software. For example, when a user logs on to a domain-joined Windows computer, Active Directory verifies the supplied password and determines whether the account is a system administrator or an ordinary user. It also lets you manage and store information, provides authentication and authorization mechanisms, and provides a framework for deploying related services: certificate services, federation services, lightweight directory services, and rights management services.

Active Directory uses LDAP versions 2 and 3, Microsoft's implementation of Kerberos, and DNS.

Active Directory: what is it? The complex explained in simple words

Keeping track of network data is a laborious task. Even on small networks, users tend to have difficulty finding network files and printers. Without a directory of some kind, medium and large networks cannot be managed and resources are hard to find.

Earlier versions of Microsoft Windows included services to help users and administrators find data. Network Neighborhood was useful in many environments, but its obvious drawbacks were an awkward interface and unpredictability. WINS Manager and Server Manager could be used to list systems, but were not available to end users. Administrators used User Manager to add and remove a completely different kind of network object. These applications proved inadequate for large networks and raised the question: why does a company need Active Directory?

A directory, in the most general sense, is a complete list of objects. A phone book is a kind of directory that stores information about people, businesses, and government organizations, usually containing names, addresses, and telephone numbers. If you ask what Active Directory is, in simple terms it is a technology similar to a reference book, but far more flexible. AD stores information about organizations, sites, systems, users, shares, and any other network object.

Introduction to the basic concepts of Active Directory

Why does an organization need Active Directory? As mentioned in the introduction, the service stores information about network components. The "Active Directory for Beginners" guide says this allows clients to find objects in its namespace. The term namespace refers to the region within which a network component can be located. For example, the table of contents of a book creates a namespace in which chapters can be mapped to page numbers.

DNS is a namespace that resolves host names to IP addresses, just as a phone book provides a namespace for resolving names to telephone numbers. How does this work in Active Directory? AD provides a namespace for resolving the names of network objects to the objects themselves, and it can resolve a wide variety of objects, including users, systems, and services on the network.

Objects and attributes

Anything Active Directory keeps track of is considered an object. Put simply, an object in Active Directory is any user, system, resource, or service. The generic term object is used because AD can track many kinds of element, and many objects can share common attributes. What does that mean?

Attributes describe objects in Active Directory. For example, all user objects share an attribute that stores the user's name; the same goes for their descriptions. Systems are also objects, but they have a different set of attributes that includes host name, IP address, and location.

The set of attributes available for a given object type is defined by the schema. The schema is what makes object classes distinct from one another. Schema information is itself stored in Active Directory. An important property of this design is that the schema allows administrators to add attributes to object classes and distribute them to every corner of the domain without restarting any domain controllers. Schema changes are forest-wide and cannot be undone (classes and attributes can only be deactivated, never deleted), so membership of the Schema Admins group should be kept empty except while a change is actually being made.

Containers and LDAP names

A container is a special type of object used to organize the directory. It does not represent a physical entity such as a user or a system; instead it is used to group other elements. Container objects can be nested inside other containers.

Every element in AD has a name, but not the kind of name you are used to, such as Ivan or Olga. These are LDAP distinguished names. LDAP distinguished names are unwieldy, but they uniquely identify any object within the directory, regardless of its type.

Trees and sites

The term tree describes a set of objects in Active Directory. What does that mean? In simple terms it can be explained by analogy with a tree: when containers and objects are combined hierarchically they tend to form branches, hence the name. A related term is contiguous subtree, which refers to an unbroken branch of the tree.
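A distinguished name is exactly the path from an object up through its containers to the domain, so "is this object inside that contiguous subtree" (the question behind OU-scoped delegation) is a suffix comparison on the name's components. The following is an added example for the distinguished-name and tree passages above, not code from the original text or from any Microsoft library; all distinguished names in it are constructed. It parses DNs with RFC 4514 backslash escapes, recovers the domain's DNS name from the DC= components, and tests containment component by component and case-insensitively rather than on the raw string.

```python
"""Parse LDAP distinguished names and test subtree containment.

Added example for the distinguished-name and tree passages above; it is not
part of the original text. All distinguished names here are constructed.
"""
from typing import List, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("OU", "Marketing")
SPECIAL = ',+"\\<>;=#'  # characters that must be backslash-escaped in a value


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, honouring RFC 4514 backslash escapes.

    Only single-valued RDNs (no '+') are handled, which is all that Active
    Directory itself produces. Hex-pair escapes (backslash plus two hex
    digits) are decoded as well.
    """
    rdns: List[RDN] = []
    attr, buf, i, in_value = "", "", 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in SPECIAL + " ":
                buf += nxt
                i += 2
            else:
                buf += chr(int(dn[i + 1:i + 3], 16))
                i += 3
            continue
        if ch == "=" and not in_value:
            attr, buf, in_value = buf.strip(), "", True
        elif ch == "," and in_value:
            rdns.append((attr.upper(), buf.strip()))
            buf, in_value = "", False
        else:
            buf += ch
        i += 1
    if not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr.upper(), buf.strip()))
    return rdns


def _escape(value: str) -> str:
    """Re-escape a value so it can be written back into a DN string."""
    out = "".join("\\" + ch if ch in SPECIAL else ch for ch in value)
    return "\\" + out if out[:1] == " " else out


def format_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{a}={_escape(v)}" for a, v in rdns)


def dns_name(dn: str) -> str:
    """The domain's DNS name is the DC= components joined in order."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def in_subtree(obj_dn: str, container_dn: str) -> bool:
    """True if obj_dn lies under container_dn (or is that container).

    Compared RDN by RDN, case-insensitively, which is how the directory
    itself matches names; a raw string suffix test would be fooled by
    escaped commas inside values.
    """
    obj = [(a, v.lower()) for a, v in parse_dn(obj_dn)]
    cont = [(a, v.lower()) for a, v in parse_dn(container_dn)]
    return len(obj) >= len(cont) and obj[len(obj) - len(cont):] == cont


def parent_dn(dn: str) -> str:
    """The container that holds the object: the DN minus its leading RDN."""
    return format_dn(parse_dn(dn)[1:])


if __name__ == "__main__":
    user = "CN=Smith\\, John,OU=Sales,OU=Seattle,DC=microsoft,DC=com"   # constructed
    print(parse_dn(user))
    print(dns_name(user), in_subtree(user, "OU=Seattle,DC=microsoft,DC=com"))
```

When you audit a delegation, `in_subtree` is the check to run for every object a delegated administrator is expected (or not expected) to reach; note that it says nothing about inheritance flags on the ACL, only about where the object sits in the tree.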

Continuing the metaphor, the term "forest" describes a collection that is not part of the same namespace, but shares a common schema, configuration, and global catalog. Objects in these structures are available to all users if security allows. Organizations that are divided into multiple domains should group trees into a single forest.

A site is a geographic location defined in Active Directory. Sites correspond to logical IP subnets and as such can be used by applications to find the nearest server on the network. Using site information from Active Directory can significantly reduce WAN traffic.

Active Directory Management

The Active Directory Users and Computers snap-in is the most convenient tool for administering Active Directory. It is directly accessible from the Administrative Tools program group in the Start menu. It replaces and enhances Server Manager and User Manager from Windows NT 4.0.


Security

Active Directory plays an important role in the future of Windows networking. Administrators must be able to protect their directory from intruders and users while delegating tasks to other administrators. All of this is possible using the Active Directory security model, which associates an access control list (ACL) with every container and object attribute in the directory.

This fine-grained control allows an administrator to grant individual users and groups different levels of permissions on objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users. For example, you can set an ACL so that only managers can view other users' home phone numbers.

Delegated Administration

Delegated administration is a concept new to Windows 2000 Server. It allows you to assign tasks to other users without granting them additional access rights. Delegated administration can be assigned over specific objects or over contiguous subtrees of the directory. This is a much more efficient way of granting permissions across a network.

Instead of giving someone full domain administrator rights, the user can be granted permissions only within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACLs of their container.

The term "trust"

The term "trust" is still used, but with different functionality. There is no longer a distinction between one-way and two-way trusts, since all Active Directory trusts are bidirectional. Moreover, they are all transitive: if domain A trusts domain B, and B trusts C, then there is an automatic implicit trust relationship between domain A and domain C.

What is auditing in Active Directory, in simple terms? It is a security feature that lets you determine who is trying to access objects and whether the attempt succeeded.

Using DNS (Domain Name System)

DNS is essential for any organization connected to the Internet. It provides name resolution between common names such as mspress.microsoft.com and the raw IP addresses that network-layer components use to communicate.

Active Directory makes extensive use of DNS for object lookup. This is a significant change from previous Windows operating systems, which required NetBIOS names to be resolved to IP addresses and relied on WINS or other NetBIOS name resolution techniques.

Active Directory works best when used with DNS servers running Windows 2000. Microsoft has made it easy for administrators to migrate to Windows 2000 DNS servers by providing migration wizards that guide the administrator through the process.

Other DNS servers may be used. However, administrators will then have to spend more time managing the DNS databases. What are the nuances? If you decide not to use Windows 2000 DNS servers, you must ensure that your DNS servers support the new DNS Dynamic Update protocol. Servers rely on dynamic updates of their records in order for domain controllers to be found. This is inconvenient: if dynamic update is not supported, the databases must be updated manually.

Windows domains and Internet domains are now fully compatible. For example, a name such as mspress.microsoft.com identifies the Active Directory domain controllers responsible for that domain, so any client with DNS access can find a domain controller. Clients can use DNS resolution to look up any number of services, because Active Directory servers publish a list of addresses to DNS using the new dynamic update features. This data is defined per domain and published through service resource records (SRV RRs). SRV RRs follow the format _service._protocol.domain.

Active Directory servers provide an LDAP service for accessing objects, and LDAP uses TCP as the underlying transport-layer protocol. Therefore, a client that looks up an Active Directory server in the mspress.microsoft.com domain looks up the DNS entry _ldap._tcp.mspress.microsoft.com.
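As an added example (not code from the original article), the Python script below shows what a client does with the lookup just described: it builds the _ldap._tcp.<domain> name, parses SRV records, and orders the returned domain controllers by priority and weight as RFC 2782 specifies. The zone lines are constructed sample data; mspress.microsoft.com is the domain name the article uses.

```python
"""Locate domain controllers through DNS SRV records the way a client does.

Added example, not code from the original article. The zone lines are
constructed sample data; mspress.microsoft.com is the article's domain name.
Ordering follows RFC 2782: lowest priority first, weighted choice within it.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_name(service, protocol, domain):
    """Build the owner name a client queries: _service._protocol.domain."""
    return f"_{service.lstrip('_')}._{protocol.lstrip('_')}.{domain.rstrip('.')}".lower()


def parse_srv_record(line):
    """Parse a zone-file style line: owner TTL IN SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or [f.upper() for f in fields[2:4]] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    priority, weight, port = (int(x) for x in fields[4:7])
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port in: {line!r}")
    owner = fields[0].rstrip(".").lower()
    return owner, SrvRecord(priority, weight, port, fields[7].rstrip(".").lower())


def load_zone(lines):
    """Group SRV records by owner name; lines starting with ';' are comments."""
    zone = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, rec = parse_srv_record(line)
        zone.setdefault(owner, []).append(rec)
    return zone


def order_targets(records, rng=None):
    """Order SRV records per RFC 2782: lower priority first; within a priority,
    pick at random in proportion to weight (weight-0 hosts go first and are
    rarely chosen while weighted hosts remain). rng is injectable for tests."""
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        pool.sort(key=lambda r: r.weight != 0)  # weight 0 records first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # inclusive on both ends
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def find_domain_controllers(zone, domain, rng=None):
    """(host, port) pairs for the LDAP service of domain, in the order to try."""
    records = zone.get(srv_name("ldap", "tcp", domain), [])
    return [(r.target, r.port) for r in order_targets(records, rng)]


# Constructed sample zone: two equal-weight DCs at the head office and a
# priority-10 backup that clients use only if both of them are unreachable.
ZONE_LINES = [
    "; constructed sample records, not a real zone",
    "_ldap._tcp.mspress.microsoft.com. 600 IN SRV 0 100 389 dc1.mspress.microsoft.com.",
    "_ldap._tcp.mspress.microsoft.com. 600 IN SRV 0 100 389 dc2.mspress.microsoft.com.",
    "_ldap._tcp.mspress.microsoft.com. 600 IN SRV 10 0 389 dcbackup.mspress.microsoft.com.",
    "_kerberos._tcp.mspress.microsoft.com. 600 IN SRV 0 100 88 dc1.mspress.microsoft.com.",
]

if __name__ == "__main__":
    for host, port in find_domain_controllers(load_zone(ZONE_LINES), "mspress.microsoft.com"):
        print(f"{host}:{port}")
```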

Global Directory

Active Directory provides a global catalog (GC), which offers a single source for searching for any object in the organization's network.

The global catalog is a service in Windows 2000 Server that allows users to find any object to which they have been granted access. This functionality goes far beyond the Find Computer application included in previous versions of Windows: users can search for any object in Active Directory, including servers, printers, users, and applications.

Active Directory Administration

With the help of Active Directory, computer accounts are created and joined to the domain, and computers, domain controllers, and organizational units (OUs) are managed.

Administration and support tools are provided to manage Active Directory. The tools listed below are implemented as MMC (Microsoft Management Console) snap-ins:

  • Active Directory Users and Computers allows you to manage users, groups, computers and organizational units (OUs);
  • Active Directory Domains and Trusts is used to work with domains, domain trees and domain forests;
  • Active Directory Sites and Services allows you to manage sites and subnets;
  • Resultant Set of Policy is used to view the current user or system policy and to plan policy changes.

In Microsoft Windows Server 2003, you can access these snap-ins directly from the Administrative Tools menu.

Another administrative tool - the Active Directory Schema snap-in - allows you to manage and modify the directory schema.

Active Directory Command Line Utilities

To manage Active Directory objects, there are command-line tools that allow you to perform a wide range of administrative tasks:

  • DSADD - adds computers, contacts, groups, OUs and users to Active Directory.
  • DSGET - displays the properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.
  • DSMOD - changes the properties of computers, contacts, groups, OUs, users and servers registered in Active Directory.
  • DSMOVE - moves a single object to a new location within a domain, or renames an object without moving it.
  • DSQUERY - searches for computers, contacts, groups, OUs, users, sites, subnets and servers in Active Directory according to specified criteria.
  • DSRM - removes an object from Active Directory.
  • NTDSUTIL - allows you to view site, domain, or server information, manage operations masters, and maintain the Active Directory database.

Being well acquainted with small business from the inside, I have always been interested in the following questions. Why should an employee use the browser that the system administrator likes on their work computer? Or take any other software, for example an archiver, a mail client, an instant messaging client... With this I am gently hinting at standardization, not on the basis of the system administrator's personal preferences, but on the basis of sufficient functionality and the cost of maintaining and supporting these software products. Let's start to treat IT as an exact science rather than a craft where everyone does what they can. Again, small businesses have a lot of problems with this too. Imagine that a company changes several such administrators during a difficult time of crisis; what should the poor users do in such a situation? Constantly relearn?

Let's look at it from the other side. Any leader should understand what is happening in the company (including in IT) right now. This is necessary to monitor the current situation and to respond quickly to problems of various kinds. But this understanding is even more important for strategic planning. Indeed, having a strong and reliable foundation, we can build a house of 3 or 5 floors, make a roof of various shapes, add balconies or a winter garden. Similarly, in IT, if we have a solid foundation, we can go on to use more complex products and technologies to solve business problems.

In this first article, we will talk about such a foundation: Active Directory services. They are designed to be a strong foundation for the IT infrastructure of a company of any size and any line of business. What are they? Let's talk about that here...

And let's start the conversation with simple concepts - domain and Active Directory services.

A domain is the main administrative unit in an enterprise's network infrastructure; it includes all network objects, such as users, computers, printers, shares, and so on. A collection of such domains is called a forest.

Active Directory Services (Active Directory Services) is a distributed database that contains all domain objects. The Active Directory domain environment is a single point of authentication and authorization for users and applications across the enterprise. It is with the organization of the domain and the deployment of Active Directory services that the construction of the IT infrastructure of the enterprise begins.

The Active Directory database is stored on dedicated servers, the domain controllers. Active Directory Services is a server role of the Microsoft Windows Server operating systems. Active Directory Services is highly scalable: more than 2 billion objects can be created in an Active Directory forest, which makes it possible to implement a directory service in companies with hundreds of thousands of computers and users. The hierarchical structure of domains lets you flexibly scale your IT infrastructure to all branches and regional divisions of a company. A separate domain can be created for each branch or division, with its own policies, its own users and groups. Administrative authority over each child domain can be delegated to local system administrators. At the same time, child domains remain subordinate to the parent ones.

In addition, Active Directory services allow you to set up trust relationships between domain forests. Each company has its own forest of domains, each with its own resources. But sometimes it may be necessary to provide access to your corporate resources to employees of another company - work with shared documents and applications as part of a joint project. To do this, trust relationships can be set up between the forests of organizations, which will allow employees of one organization to log in to the domain of another.

To provide fault tolerance for Active Directory services, you must deploy two or more domain controllers in each domain. All changes are automatically replicated between domain controllers. In the event of a failure of one of the domain controllers, the network is not affected, because the rest continue to work. An additional layer of resiliency is provided by hosting DNS servers on domain controllers in Active Directory, which allows each domain to have multiple DNS servers serving the primary domain zone. And if one of the DNS servers fails, the rest will continue to work. We will talk about the role and importance of DNS servers in the IT infrastructure in one of the articles in the series.

But these are all technical aspects of implementing and maintaining Active Directory services. Let's talk about the benefits a company gets by moving away from peer-to-peer networking using workgroups.

1. Single point of authentication

In a workgroup, on each computer or server you have to manually add a complete list of the users who need network access. If one of the employees wants to change his password, it will have to be changed on all computers and servers. That is fine if the network consists of 10 computers, but what if there are more? With an Active Directory domain, all user accounts are stored in one database, and all computers consult it for authorization. All domain users are placed in the appropriate groups, for example "Accounting" or "Financial Department". It is enough to set permissions for a group once, and all its users receive the corresponding access to documents and applications. If a new employee joins the company, an account is created for him and placed in the corresponding group, and the employee gets access to all the network resources he should be allowed to use. If an employee quits, it is enough to disable his account, and he immediately loses access to all resources (computers, documents, applications).

2. Single point of policy management

In a workgroup, all computers are equal: none of them can control another, and it is impossible to enforce uniform policies and security rules. With a single Active Directory directory, all users and computers are distributed hierarchically into organizational units, each of which is subject to uniform group policies. Policies let you define uniform configuration and security settings for a group of computers and users. When a new computer or user is added to the domain, it automatically receives settings that comply with the accepted corporate standards. With the help of policies, you can centrally assign network printers to users, install required applications, set browser security settings, and configure Microsoft Office applications.

3. Increased level of information security

Using Active Directory services greatly improves network security. Firstly, it provides a single, secure store for accounts. In a domain environment, all passwords of domain users are stored on dedicated servers, the domain controllers, which are usually protected from external access. Secondly, in a domain environment the Kerberos protocol is used for authentication, which is much more secure than the NTLM used in workgroups.

4. Integration with corporate applications and equipment

A big advantage of Active Directory services is compliance with the LDAP standard, which is supported by other systems such as mail servers (Exchange Server) and proxy servers (ISA Server, TMG), and not necessarily only Microsoft products. The advantage of this integration is that the user does not need to remember a large number of logins and passwords to access particular applications; in all applications the user has the same credentials, and authentication takes place in the single Active Directory. Windows Server also provides Active Directory integration with the RADIUS protocol, which is supported by a wide variety of network equipment. This makes it possible, for example, to authenticate domain users when they connect via VPN from outside or through the company's Wi-Fi access points.

5. Unified Application Configuration Store

Some applications, such as Exchange Server, store their configuration in Active Directory. Deploying the Active Directory directory service is a prerequisite for these applications to work. Storing application configuration in a directory service is beneficial in terms of flexibility and reliability. For example, in the event of a complete failure of the Exchange server, its entire configuration remains intact; to restore corporate mail, it is enough to reinstall Exchange Server in recovery mode.

Summing up, I would like to emphasize once again that Active Directory services are the heart of an enterprise's IT infrastructure. In the event of a failure, the entire network, all servers and the work of all users will be paralyzed: no one will be able to log into a computer or access their documents and applications. Therefore, the directory service must be carefully designed and deployed, taking into account every possible nuance, for example the bandwidth of the links between the company's branches or offices (the speed of user logon, as well as data exchange between domain controllers, depends directly on it).

In our previous articles, we discussed general issues related to directory services and Active Directory. Now it is time to move on to practice. But do not rush to the server: before deploying a domain structure in your network, you need to plan it and have a clear idea of the purpose of individual servers and the interactions between them.

Before you create your first domain controller, you need to decide on its operating mode. The mode of operation determines the available features and depends on the version of the operating system being used. We will not consider all possible modes, only those that are relevant at the moment. There are three such modes: Windows Server 2003, 2008 and 2008 R2.

Windows Server 2003 mode should be selected only when servers with this OS are already deployed in your infrastructure and you plan to use one or more of them as domain controllers. In other cases, select the Windows Server 2008 or 2008 R2 mode, depending on the licenses you have purchased. Remember that the domain operation mode can always be raised but cannot be lowered (except by restoring from a backup), so approach this question carefully, taking into account possible expansion, licenses in branches, etc.

We will not consider the process of creating a domain controller in detail now; we will return to it later. For now, we want to draw your attention to the fact that a full Active Directory structure should have at least two domain controllers. Otherwise, you expose yourself to unnecessary risk, because if a single domain controller fails, your AD structure will be completely destroyed. It is good if there is an up-to-date backup you can recover from, but in any case your network will be completely paralyzed all that time.

Therefore, immediately after creating the first domain controller, you need to deploy a second one, regardless of network size and budget. The second controller should be planned for from the start, and without it the deployment of AD is not even worth undertaking. Also, do not combine the domain controller role with any other server roles: to ensure the reliability of operations on the AD database, disk write caching is disabled, which leads to a sharp drop in the performance of the disk subsystem (this also explains the long boot time of domain controllers).

As a result, our network should take the following form:

Contrary to popular belief, all controllers in a domain are equal: each controller contains complete information about all domain objects and can serve any client request. But this does not mean the controllers are interchangeable, and misunderstanding this point often leads to AD failures and downtime of the enterprise network. Why does this happen? It is time to recall the FSMO roles.

When we create the first controller, it holds all the available roles and is also a global catalog; with the arrival of the second controller, the infrastructure master, RID master and PDC emulator roles are transferred to it. What happens if the administrator decides to temporarily shut down the DC1 server, for example to clean the dust out of it? At first glance nothing terrible: the domain switches to "read-only" mode, but it keeps working. But we forgot about the global catalog, and if applications that require it, such as Exchange, are deployed on your network, you will hear about it from dissatisfied users before you even remove the cover from the server, and management is unlikely to be delighted.

From this the conclusion follows: there should be at least two global catalogs in the forest, and ideally one in each domain. Since we have one domain in the forest, both servers must be global catalogs. This allows you to take either server down for maintenance without any problems: the temporary absence of any FSMO roles does not lead to an AD failure, it only makes it impossible to create new objects.

As a domain administrator, you must clearly understand how the FSMO roles are distributed among your servers, and when decommissioning a server for an extended period, transfer these roles to other servers. And what happens if the server holding the FSMO roles fails irreversibly? Nothing terrible: as we already wrote, any domain controller contains all the necessary information, and if such a nuisance does occur, you will need to seize the necessary roles on one of the remaining controllers, which restores full operation of the directory service.

Time passes, your organization grows, it acquires a branch on the other side of the city, and it becomes necessary to include the branch network in the overall enterprise infrastructure. At first glance nothing complicated: you set up a communication channel between the offices and place an additional controller in the branch. Everything would be fine, but there is one thing: you cannot control this server, so unauthorized access to it is possible, and the local admin's qualifications are doubtful. What to do in such a situation? For exactly this purpose there is a special type of controller: the read-only domain controller (RODC). This feature is available in domain functional modes starting with Windows Server 2008.

A read-only domain controller contains a complete copy of all domain objects and can be a global catalog, but it does not allow any changes to be made to the AD structure. It also allows you to appoint any user as its local administrator, which lets that user fully service the server, but again without access to AD services. In our case, this is just what the doctor ordered.

We have set up an RODC in the branch, everything works, you are calm, but then users begin to complain about slow logons, and the traffic bills at the end of the month show an overrun. What is happening? It is time to recall once more the equality of domain controllers: a client can send its request to any domain controller, even one located in another branch. Add to this the slow and most likely busy link, and that is the reason for the logon delays.

The next factor that poisons our life in this situation is replication. As you know, all changes made on one domain controller are automatically propagated to the others; this process is called replication, and it keeps an up-to-date and consistent copy of the data on each controller. The replication service knows nothing about our branch and its slow link, so every change in the office is immediately replicated to the branch, loading the channel and increasing traffic consumption.

Here we come to the concept of AD sites, which should not be confused with Internet sites. Active Directory sites are a way of physically dividing the structure of the directory service into areas separated from one another by slow and/or unstable links. Sites are created on the basis of subnets, and all client requests are sent first of all to the controllers of the client's own site; it is also highly desirable to have a global catalog in each site. In our case, we need to create two sites: AD Site 1 for the central office and AD Site 2 for the branch. More precisely, one, since by default the AD structure already contains a site that includes all previously created objects. Now let's look at how replication occurs in a network with several sites.
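To make the site mechanism concrete, the following Python script (an added example, not code from the original article) maps a client address to its site by longest-prefix subnet match and then orders the domain controllers so that same-site ones come first, dropping the read-only controller from the preceding paragraphs when a client needs to write to the directory. The subnet table and controller names are constructed; AD Site 1 and AD Site 2 are the site names used in the article.

```python
"""Choose the domain controllers a client should try first, based on AD sites.

Added example, not code from the original article. The subnet table and DC
names are constructed; "AD Site 1" and "AD Site 2" are the site names the
article uses, and the rodc flag models the read-only branch controller.
"""
import ipaddress

# Constructed subnet-to-site table, as an administrator would enter it in
# Active Directory Sites and Services. 10.10.99.0/24 is a branch VLAN carved
# out of the head-office range, to show that the most specific prefix wins.
SUBNETS = {
    "10.10.0.0/16": "AD Site 1",   # central office
    "10.10.99.0/24": "AD Site 2",  # branch VLAN inside the office range
    "10.20.0.0/16": "AD Site 2",   # branch office
}

# Constructed controller inventory: site membership, global catalog, read-only.
DOMAIN_CONTROLLERS = {
    "dc1.webatwork.com": {"site": "AD Site 1", "gc": True, "rodc": False},
    "dc2.webatwork.com": {"site": "AD Site 1", "gc": True, "rodc": False},
    "rodc1.webatwork.com": {"site": "AD Site 2", "gc": True, "rodc": True},
}


def site_for_address(ip, subnets=SUBNETS):
    """Longest-prefix match of ip against the site subnets.

    Returns None when no subnet covers the address; such a client has no
    site and may end up talking to a controller across the WAN.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr not in net:  # also False when IP versions differ
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def preferred_controllers(ip, need_gc=False, need_writable=False,
                          dcs=DOMAIN_CONTROLLERS, subnets=SUBNETS):
    """Controllers in the order a client should try them.

    Same-site controllers come first so logons stay off the slow link;
    need_gc drops controllers that are not global catalogs, and
    need_writable drops RODCs, which cannot accept directory changes.
    """
    site = site_for_address(ip, subnets)

    def usable(info):
        return (info["gc"] or not need_gc) and (not info["rodc"] or not need_writable)

    local = [name for name, info in dcs.items() if usable(info) and info["site"] == site]
    remote = [name for name, info in dcs.items() if usable(info) and info["site"] != site]
    return local + remote


if __name__ == "__main__":
    for client in ("10.10.5.7", "10.10.99.4", "10.20.1.1", "192.168.1.1"):
        print(client, site_for_address(client), preferred_controllers(client))
```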

Let us assume that our organization has grown a little and the main office now has as many as four domain controllers. Replication between controllers of one site is called intrasite replication and happens instantly. The replication topology is built as a ring, with the condition that there are no more than three replication hops between any two domain controllers. The ring scheme holds for up to 7 controllers inclusive, with each controller establishing a connection with its two nearest neighbours; with a larger number of controllers additional connections appear, and the single ring, as it were, turns into a group of rings superimposed on one another.

Intersite replication works differently: in each domain, one of the servers (the bridgehead server) is selected automatically and establishes a connection with the corresponding server of the other site. By default, replication occurs once every 3 hours (180 minutes), but we can set our own replication schedule, and to save traffic all data is transferred in compressed form. If a site contains only an RODC, replication is one-way.

Of course, the topics we have touched on are very deep, and in this material we have only skimmed them, but this is the minimum knowledge you need before practical implementation of Active Directory in an enterprise infrastructure. It will help you avoid silly mistakes during deployment and emergencies during maintenance and expansion of the structure; each of the topics raised will be discussed in more detail.