Slide 05 5 MS-Server 2019 ADDS

Active Directory (AD) is a directory service that provides centralized authentication and authorization. It allows administrators to manage users, computers, and other resources from a single interface. Key components of AD include domain controllers, which authenticate users and manage resources, and the global catalog, which improves search efficiency. AD uses a logical structure of domains, trees, forests and organizational units to organize objects on the network.

Uploaded by

girmayou
Network & System Administrator

Chapter-03:
System Administrations (MS-Server 2019)
Managing Active Directory Domain Services

Understanding Active Directory

➢ Overview of AD DS

➢ AD DS Physical Components

➢ AD DS Logical Components

Overview of AD DS

• What is Authentication?

• What is Authorization?

• Why Deploy AD DS?

• Centralized Network Management

• Requirements for Installing AD DS

• Overview of AD DS Components
✓ Active Directory (AD) is a directory service developed by Microsoft.

✓ It is used to manage and organize resources, such as users, computers, and groups, within a network environment.

✓ AD provides centralized authentication and authorization services, making it easier to manage user accounts, assign permissions, and control access to network resources.
✓ A Domain Controller (DC) is a server that runs the Active Directory Domain Services (AD DS) role in a Windows Server environment.

✓ It is responsible for authenticating users, enforcing security policies, and managing network resources within a specific domain.

✓ A domain is a logical grouping of computers and users that share a common security database.
✓ The Active Directory Domain Controller Service (NTDS) is a Windows service that runs on a domain controller.

✓ It is responsible for maintaining and replicating the Active Directory database, handling authentication requests, and providing directory services to clients within the domain.

✓ The NTDS service ensures that changes made to the directory are synchronized across all domain controllers in the domain, ensuring consistency and fault tolerance.
What is Authentication?

Authentication is the process of verifying a user's identity on a network

Authentication includes two components:

• Interactive logon: grants access to the local computer

• Network authentication: grants access to network resources
What is Authorization?

Authorization is a process of verifying that an authenticated user has permission to perform an action

• Security principals are issued security identifiers (SIDs) when the account is created

• User accounts are issued security tokens during authentication that include the user's SID and all related group SIDs

• Shared resources on a network include access control lists (ACL) that define who can access the resource

• The security token is compared against the Discretionary Access Control List (DACL) on the resource and access is granted or denied
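The token-versus-DACL comparison described above, as an added PowerShell example that is not part of the original slides. It assumes a domain-joined Windows host and a hypothetical shared folder C:\Shares\Finance; it reads the real token and the real DACL, then applies the slide's simplified rule to one requested right.

```powershell
# Added example (not from the slides). Shows the two inputs of the authorization
# decision: the SIDs carried in the caller's security token and the DACL on a
# resource, then applies the slide's rule (token compared against the DACL,
# access granted or denied). C:\Shares\Finance is a hypothetical folder.
$ResourcePath = 'C:\Shares\Finance'

# The security token: the user's own SID plus every group SID issued at logon.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# The DACL: the access control entries (ACEs) attached to the resource.
$dacl = (Get-Acl -Path $ResourcePath).Access

# Simplified access check: an ACE applies only if its SID is in the token; a
# matching Deny ACE wins, otherwise a matching Allow ACE grants the requested
# right. Windows evaluates ACEs in canonical order (explicit Deny before explicit
# Allow); the sort below reproduces that ordering for this illustration only.
# Generic rights on some ACEs are not mapped to specific rights here.
function Test-TokenAccess {
    param(
        [System.Security.AccessControl.AuthorizationRuleCollection]$Dacl,
        [string[]]$TokenSids,
        [System.Security.AccessControl.FileSystemRights]$Requested
    )
    $allowed = $false
    foreach ($ace in ($Dacl | Sort-Object { $_.AccessControlType -ne 'Deny' })) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($TokenSids -notcontains $aceSid) { continue }                        # ACE is not about this token
        if (($ace.FileSystemRights -band $Requested) -ne $Requested) { continue } # ACE does not cover this right
        if ($ace.AccessControlType -eq 'Deny') { return "Denied by Deny ACE for $($ace.IdentityReference)" }
        $allowed = $true
    }
    if ($allowed) { 'Granted by Allow ACE' } else { 'Denied: no Allow ACE matches the token' }
}

"Token SIDs for $($identity.Name):"
$tokenSids
"DACL on ${ResourcePath}:"
$dacl | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
"Read access: " + (Test-TokenAccess -Dacl $dacl -TokenSids $tokenSids -Requested ReadData)
```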
Why Deploy AD DS?

AD DS provides a centralized system for managing users, computers, and other resources on a network

AD DS features include:
• Centralized directory

• Single sign-on access

• Integrated security

• Scalability

• Common management interface


Requirements for Installing AD DS

TCP/IP
• Configure appropriate TCP/IP and DNS server addresses.

Credentials
• To install a new AD DS forest, you need to be local Administrator on the server. To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.

Domain Name System (DNS) Infrastructure
• Verify that a DNS infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed.
• When you create a new domain, a DNS delegation is created automatically during the installation process. Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.
AD DS Component Overview

AD DS is composed of both physical and logical components

Physical Components:
• Data store
• Domain controllers
• Global catalog server
• Read-Only Domain Controller (RODC)

Logical Components:
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• Organizational units (OUs)

Overview of AD DS Physical Components

Overview of AD DS Logical Components

Domain Controllers

A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller

Domain controllers:
• Host a copy of the AD DS directory store
• Provide authentication and authorization services
• Replicate updates to other domain controllers in the domain and forest
• Allow administrative access to manage user accounts and network resources

Windows Server 2008 and later support RODCs


Global Catalog Servers

Global catalog servers are domain controllers that also store a copy of the global catalog

The global catalog:
• Contains a copy of all AD DS objects in a forest that includes only some of the attributes for each object in the forest
• Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers
• Required for users to log on to a domain


What is the AD DS Data Store?

The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications

The AD DS data store:
• Consists of the Ntds.dit file
• Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers

• Is accessible only through the domain controller processes and protocols
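An added PowerShell check (not from the slides) that inventories the physical components just listed: domain controllers with their global catalog and RODC roles, the NTDS service, and where Ntds.dit actually lives. The first part assumes a domain-joined host with the RSAT ActiveDirectory module; the second part must run on a domain controller.

```powershell
# Added example (not from the slides): inventory the physical components the
# slides list. Requires the RSAT ActiveDirectory module; the second half reads
# local service and registry state and so must run on a domain controller.
Import-Module ActiveDirectory

# Domain controllers, showing which hold a global catalog and which are RODCs.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# Global catalog servers as recorded for the whole forest.
(Get-ADForest).GlobalCatalogs

# On the DC itself: the NTDS service and where the data store lives. The value
# 'DSA Database file' under the NTDS Parameters key is the path to Ntds.dit,
# which defaults to %SystemRoot%\NTDS as the slide states.
Get-Service -Name NTDS | Select-Object Name, DisplayName, Status
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds.'DSA Database file'
$ntds.'DSA Working Directory'

# The data store should be reachable only through DC processes: review the
# file's own ACL and treat any entry beyond SYSTEM and Administrators as a finding.
(Get-Acl -Path $ntds.'DSA Database file').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```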


What is AD DS Replication?

AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest

AD DS replication:
• Ensures that all domain controllers have the same information
• Uses a multimaster replication model
• Can be managed by creating AD DS sites

The AD DS replication topology is created automatically as new domain controllers are added to the domain

What are Sites?

An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection

Sites are:
• Associated with IP subnets
• Used to manage replication traffic
• Used to manage client logon traffic
• Used by site aware applications such as Distributed File Systems (DFS) or Exchange Server
• Used to assign group policy objects to all users and computers in a company location
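Defining sites, subnets and a site link as described above, as an added PowerShell example that is not part of the original slides. The site names, subnets and link settings are hypothetical values; the script assumes the RSAT ActiveDirectory module and Enterprise Admins rights, since site objects live in the forest-wide configuration partition.

```powershell
# Added example (not from the slides): model two locations as AD DS sites so
# that replication and client logon traffic stay local to each location.
# Site names, subnets and link settings below are hypothetical values.
Import-Module ActiveDirectory

$sites = @{
    'HQ-Site'     = @('10.10.0.0/16')
    'Branch-Site' = @('10.20.0.0/16', '10.21.0.0/24')
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    # Subnets map client and DC addresses to the site (client logon locality).
    foreach ($subnet in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
            New-ADReplicationSubnet -Name $subnet -Site $site
        }
    }
}

# Site link: inter-site replication between the two sites every 60 minutes.
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ-Site', 'Branch-Site' `
    -Cost 30 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Verify which site each DC sits in, and list subnets not mapped to any site:
# clients on an unmapped subnet may authenticate against a DC in the wrong site.
Get-ADDomainController -Filter * | Select-Object Name, Site
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name
```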

What is the AD DS Schema?

The AD DS Schema:
● Defines every type of object that can be stored in the directory
● Enforces rules regarding object creation and configuration

Object Types:
• Class Object: defines what objects can be created in the directory (examples: User, Computer)
• Attribute Object: defines information that can be attached to an object (example: Display name)
The Basics: Domains

Domains are used to group and manage objects in an organization (diagram: Contoso.com)

Domains:
• An administrative boundary for applying policies to groups of objects
• A replication boundary for replicating data between domain controllers
• An authentication and authorization boundary that provides a way to limit the scope of access to resources
The Basics: Trees

A domain tree is a hierarchy of domains in AD DS (diagram: contoso.com with child domains emea.contoso.com and na.contoso.com)

All domains in the tree:
• Share a contiguous namespace with the parent domain
• Can have additional child domains
• By default create a two-way transitive trust with other domains

The Basics: Forests

A forest is a collection of one or more domain trees

Forests:
• Share a common schema

• Share a common configuration partition

• Share a common global catalog to enable searching

• Enable trusts between all domains in the forest

• Share the Enterprise Admins and Schema Admins groups


The Basics: Organizational Units (OUs)

OUs are Active Directory containers that can contain users, groups, computers, and
other OUs

OUs are used to:


• Represent your organization hierarchically and logically

• Manage a collection of objects in a consistent way

• Delegate permissions to administer groups of objects

• Apply policies

Trusts

Trusts provide a mechanism for users to gain access to resources in another domain

Types of Trusts:
• Directional: the trust direction flows from the trusting domain to the trusted domain (diagram: TRUST flows one way, Access flows the other)
• Transitive: the trust relationship is extended beyond a two-domain trust to include other trusted domains (diagram: Trust & Access)

• All domains in a forest trust all other domains in the forest
• Trusts can extend outside the forest
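An added PowerShell example (not from the slides) that reads back the logical structure described in the Domains, Trees, Forests, OUs and Trusts slides from the directory itself. It assumes a domain-joined host with the RSAT ActiveDirectory module and discovers all names from the forest, so nothing is hard-coded.

```powershell
# Added example (not from the slides): read the forest, its domain trees, the
# current domain's OUs and its trusts. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Forest: common schema and configuration, plus every domain in every tree.
$forest = Get-ADForest
$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, DomainNamingMaster
$forest.Domains

# Trees: parent/child links show the contiguous namespace of each tree.
foreach ($dns in $forest.Domains) {
    Get-ADDomain -Identity $dns | Select-Object DNSRoot, ParentDomain, ChildDomains, DomainMode
}

# OUs of the current domain: the containers that policies and delegation apply to.
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName

# Trusts held by the current domain: direction, transitivity and whether the
# trust stays inside the forest. SIDFilteringQuarantined shows whether SID
# filtering is enabled; it is normally expected to be on for external trusts.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SIDFilteringQuarantined |
    Format-Table -AutoSize
```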

AD DS Objects

User
• Enables network resource access for a user

InetOrgPerson
• Similar to a user account
• Used for compatibility with other directory services

Contacts
• Used primarily to assign e-mail addresses to external users
• Does not enable network access

Groups
• Used to simplify the administration of access control

Computers
• Enables authentication and auditing of computer access to resources

Printers
• Used to simplify the process of locating and connecting to printers

Shared folders
• Enables users to search for shared folders based on properties
Installation and Management of AD DS

Observe the installation of AD DS
– Installation occurs without promotion to a domain controller

Domain Controller Promotion

Management tools:
• Active Directory Users and Computers
• Active Directory Administrative Center
• Active Directory Sites and Services
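The two-step installation above (role installation first, promotion as a separate step) as an added PowerShell example that is not part of the original slides; it also walks through the three requirements from the Requirements slide (TCP/IP, credentials, DNS). contoso.com, CONTOSO, the IP addresses, the interface alias and the site name are hypothetical values.

```powershell
# Added example (not from the slides): install the AD DS role, then promote the
# server in a second, separate step. All names and addresses are hypothetical.

# Requirement: TCP/IP. Static addressing; the server's DNS client must point at a
# DNS server that can host or delegate the new zone (itself, for a new forest).
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.10.0.10 -PrefixLength 16 -DefaultGateway 10.10.0.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1

# Step 1: install the role binaries only. The server is NOT a domain controller yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
(Get-WindowsFeature -Name AD-Domain-Services).InstallState   # Installed, but not promoted

# Step 2a: new forest (requirement: local Administrator). Run the Test-* cmdlet
# first; it performs the prerequisite checks without changing anything.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$forestArgs = @{
    DomainName                    = 'contoso.com'
    DomainNetbiosName             = 'CONTOSO'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 level, the highest available on 2019
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true            # requirement: DNS; lets the wizard install the DNS role
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $true
}
Test-ADDSForestInstallation @forestArgs
# Install-ADDSForest @forestArgs -Force          # promotion proper; reboot afterwards

# Step 2b (alternative): additional DC in an existing domain (requirement: Domain Admins).
# Add -ReadOnlyReplica to Install-ADDSDomainController for an RODC.
# $cred = Get-Credential 'CONTOSO\Administrator'
# Test-ADDSDomainControllerInstallation -DomainName 'contoso.com' -Credential $cred -InstallDns -SiteName 'HQ-Site'
# Install-ADDSDomainController -DomainName 'contoso.com' -Credential $cred -InstallDns -SiteName 'HQ-Site' `
#     -SafeModeAdministratorPassword $dsrm -Force
```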



Thanx !!!
