Active Directory Domain - What is it in Simple Words, Description and Reviews

Any novice user who runs into the acronym AD wonders: what is Active Directory? Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, the service dealt only with centralized domain management. However, starting with Windows Server 2008, AD has become the name for a wide range of directory-based authentication services, which is why a beginner's introduction to Active Directory has to start from the basics.

Basic definition

A server running Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in the Windows network domain, assigns and applies security policy to all PCs, and installs or updates software. For example, when a user logs on to a computer that belongs to a Windows domain, Active Directory checks the supplied password and determines whether the account is a system administrator or a regular user. It also lets you manage and store information, provides authentication and authorization mechanisms, and establishes a framework for deploying other related services: certificate services, federation and lightweight directory services, and rights management.


Active Directory uses LDAP versions 2 and 3, Microsoft's implementation of Kerberos, and DNS.

Active Directory - what is it? Complex things in simple words

Keeping track of network data is a time-consuming task. Even on small networks, users tend to have trouble finding network files and printers. Without a directory, medium and large networks cannot be managed at all, and locating resources on them is often difficult.

Previous versions of Microsoft Windows included services to help users and administrators find data. Network Neighborhood is useful in many environments, but its obvious disadvantages are an inconvenient interface and unpredictable behaviour. WINS Manager and Server Manager could be used to view a list of systems, but they were not available to end users. Administrators used User Manager to add and remove users, a completely different kind of network object. These applications turned out to be ineffective on large networks and raised the question of why a company needs Active Directory.

A directory, in the most general sense, is a complete list of objects. A phone book is one kind of directory: it stores information about people, businesses, and government organizations, usually recording names, addresses, and phone numbers. So when asked what Active Directory is, in simple words we can say that the technology is similar to a directory, but is far more flexible. AD stores information about organizations, sites, systems, users, shared resources, and any other network object.


Introduction to Active Directory Key Concepts

Why does an organization need Active Directory? As mentioned in the introduction, the service stores information about network components. This allows clients to find objects in its namespace. The term namespace refers to the area in which a network component can reside. For example, the table of contents of a book creates a namespace in which chapters are mapped to page numbers.

DNS is a namespace that resolves host names to IP addresses, just as a phone book provides a namespace for resolving names to phone numbers. How does this work in Active Directory? AD provides a namespace for resolving the names of network objects to the objects themselves, and it can resolve a wide range of objects, including users, systems, and services on the network.

Objects and Attributes

Everything that Active Directory tracks is considered an object. In simple words, an object in Active Directory is any user, system, resource or service. The generic term object is used because AD is able to track many kinds of elements, and many objects share common attributes. What does that mean?

Attributes describe objects in Active Directory. For example, all user objects share attributes for storing the username, and the same applies to their description. Systems are also objects, but they have a separate set of attributes that includes the host name, IP address, and location.


The set of attributes available for any particular type of object is called the schema. It is what makes object classes distinct from each other. Schema information is itself stored in Active Directory. An important point for security is that the schema lets administrators add attributes to object classes and propagate them to every corner of the domain without restarting any domain controllers.

Container and LDAP Name

A container is a special type of object used to organize the directory. It does not represent a physical thing, like a user or a system. Instead, it is used to group other elements. Container objects can be nested inside other containers.

Each item in AD has a name. These are not the kind of names you are used to, such as Ivan or Olga. They are LDAP distinguished names. Distinguished names are complex, but they uniquely identify any object within the directory, regardless of its type.
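To make the structure of a distinguished name concrete, here is an added example (not code from the original article) that splits a DN into its relative components, recovers the container it lives in and the domain it belongs to, and handles a comma inside a value. It covers the common attribute=value subset of the DN grammar only, not the full RFC 4514 rules, and the sample DNs are constructed.

```python
"""Added example: parse an LDAP distinguished name into its relative DNs.

The DN grammar handled here is the common subset (attribute=value pairs
separated by commas, backslash escapes inside values); it is not the full
RFC 4514 grammar. Sample DNs are constructed for illustration.
"""
from typing import List, Optional, Tuple

Rdn = Tuple[str, str]


def parse_dn(dn: str) -> List[Rdn]:
    """Split 'CN=Ivan,OU=Sales,DC=example,DC=com' into (attribute, value)
    pairs, most specific first. A backslash escapes the next character, so
    'CN=Petrov\\, Ivan' keeps its comma instead of starting a new RDN."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Rdn] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _escape(value: str) -> str:
    """Re-escape backslashes and commas when turning RDNs back into a DN."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def format_dn(rdns: List[Rdn]) -> str:
    return ",".join(f"{attr}={_escape(value)}" for attr, value in rdns)


def parent_dn(dn: str) -> Optional[str]:
    """The container that holds the object, or None for a top-level entry."""
    rdns = parse_dn(dn)
    return format_dn(rdns[1:]) if len(rdns) > 1 else None


def domain_of(dn: str) -> str:
    """Join the DC components into the DNS-style domain name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def containers_of(dn: str) -> List[str]:
    """The OU/CN containers between the object and the domain root,
    innermost first."""
    return [value for attr, value in parse_dn(dn)[1:] if attr in ("OU", "CN")]


if __name__ == "__main__":
    sample = "CN=Ivan Petrov,OU=Sales,OU=Moscow,DC=example,DC=com"
    print(parse_dn(sample))
    print("container:", parent_dn(sample))
    print("domain:", domain_of(sample))
```

Reading the DN right to left gives the path from the domain root down to the object, which is exactly the nesting of containers described above; the escape handling matters because a display name such as "Petrov, Ivan" is a legitimate value and must not be mistaken for an extra component.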


Terms tree and site

The term tree is used to describe a set of objects in Active Directory. What does that mean? In simple words, it can be explained by analogy with a real tree. When containers and objects are combined hierarchically, they tend to form branches, hence the name. A related term is contiguous subtree, which refers to an unbroken section of the main trunk.

Continuing the metaphor, the term "forest" describes a collection of trees that do not share a namespace but have a common schema, configuration, and global catalog. Objects in these structures are accessible to all users, if security permits. Organizations divided into several domains should group their trees into a single forest.

A site is a geographic location defined in Active Directory. Sites correspond to logical IP subnets and, as such, can be used by applications to find the nearest server on the network. Using site information from Active Directory can significantly reduce traffic on wide area networks.

Active Directory Management

The Active Directory Users and Computers snap-in is the most convenient tool for administering Active Directory. It is directly accessible from the Administrative Tools program group in the Start menu. It replaces, and improves on, Server Manager and User Manager from Windows NT 4.0.


Security

Active Directory plays an important role in the future of Windows networks. Administrators must be able to protect the directory from intruders and from ordinary users while delegating tasks to other administrators. All of this is possible thanks to the Active Directory security model, which associates an access control list (ACL) with every container, object, and attribute in the directory.

This fine-grained control lets the administrator give individual users and groups different permission levels on objects and their properties. Administrators can even add attributes to objects and hide those attributes from specific user groups. For example, you can set an ACL so that only managers can view the home phone numbers of other users.

Delegated administration

A concept new to Windows 2000 Server is delegated administration. It allows you to assign tasks to other users without granting them additional access rights elsewhere. Delegated administration can be assigned on specific objects or on contiguous subtrees of the directory. This is a much more efficient way of granting authority over a network.

Instead of giving someone all the global rights of a domain administrator, the user can be given permissions only within a specific subtree. Active Directory supports inheritance, so any new object inherits the ACLs of its container.
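The three ideas from the Security and Delegated administration sections (per-attribute permissions, inheritance from the container chain, and delegation scoped to a subtree) are easier to see in a small model. The following is an added example, not code from the article, and it deliberately simplifies real AD DACL evaluation: there are only allow entries, every entry is inheritable, and an entry with attribute=None covers all attributes of the object. The domain, OUs, accounts and group names are constructed.

```python
"""Added example: a simplified model of per-attribute ACLs, inheritance and
delegated administration in a directory tree.

Simplifications (assumptions, not AD's actual DACL evaluation rules): there
are only allow entries, every entry is inheritable by everything below it,
and an entry with attribute=None covers all attributes of the object.
Names and principals are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Ace:
    trustee: str              # user or group the entry applies to
    right: str                # "read" or "write"
    attribute: Optional[str]  # None: the whole object, every attribute


class Directory:
    def __init__(self) -> None:
        self._parent: Dict[str, Optional[str]] = {}
        self._acl: Dict[str, List[Ace]] = {}

    def add(self, dn: str, parent: Optional[str] = None) -> None:
        """Create an object under `parent`; it inherits the container's ACL."""
        if parent is not None:
            if parent not in self._parent:
                raise KeyError(f"container does not exist: {parent}")
            if not dn.endswith("," + parent):
                raise ValueError(f"{dn} is not inside {parent}")
        self._parent[dn] = parent
        self._acl[dn] = []

    def grant(self, dn: str, trustee: str, right: str,
              attribute: Optional[str] = None) -> None:
        """Add an allow entry on dn; it applies to dn and everything beneath it."""
        self._acl[dn].append(Ace(trustee, right, attribute))

    def effective_acl(self, dn: str) -> List[Ace]:
        """Own entries first, then those inherited up the container chain."""
        aces: List[Ace] = []
        cur: Optional[str] = dn
        while cur is not None:
            aces.extend(self._acl[cur])
            cur = self._parent[cur]
        return aces

    def allowed(self, dn: str, principals: Set[str], right: str,
                attribute: Optional[str] = None) -> bool:
        """True if any effective entry grants `right` on `attribute` (or on the
        whole object when attribute is None) to one of `principals`."""
        for ace in self.effective_acl(dn):
            if ace.trustee not in principals or ace.right != right:
                continue
            if ace.attribute is None or ace.attribute == attribute:
                return True
        return False


def build_demo() -> Directory:
    """Constructed directory: everyone may read display names, only Managers
    may read home phone numbers, and SalesAdmins are delegated write access
    to the Sales subtree only."""
    d = Directory()
    root = "DC=example,DC=com"
    sales = "OU=Sales," + root
    finance = "OU=Finance," + root
    d.add(root)
    d.add(sales, root)
    d.add(finance, root)
    d.add("CN=Ivan," + sales, sales)
    d.add("CN=Olga," + finance, finance)
    d.grant(root, "Everyone", "read", "displayName")   # visible to all
    d.grant(root, "Managers", "read", "homePhone")     # hidden from non-managers
    d.grant(sales, "SalesAdmins", "write")             # delegated: Sales subtree only
    return d


if __name__ == "__main__":
    d = build_demo()
    ivan = "CN=Ivan,OU=Sales,DC=example,DC=com"
    print("Everyone reads Ivan's homePhone:", d.allowed(ivan, {"Everyone"}, "read", "homePhone"))
    print("Managers read Ivan's homePhone:", d.allowed(ivan, {"Managers"}, "read", "homePhone"))
    print("SalesAdmins write Olga:", d.allowed("CN=Olga,OU=Finance,DC=example,DC=com", {"SalesAdmins"}, "write"))
```

Because entries are evaluated up the container chain, an object created later under OU=Sales is covered by the SalesAdmins grant without any per-object work, while an object under OU=Finance is not: the delegation never leaves the subtree it was placed on.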


The term "trust"

The term "trust" is still used, but a trust now works differently. There is no longer a distinction between one-way and two-way trusts, because all Active Directory trusts are bidirectional. In addition, they are all transitive. So if domain A trusts domain B and B trusts C, there is an automatic, implicit trust relationship between domain A and domain C.
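The chain of implicit trusts described above is a reachability question, which is how a defender reviews it: every domain reachable through the trust graph is a domain whose accounts will be accepted. The following added example (not from the article) models trusts as two-way, transitive links between constructed domain names and computes the implicit relationships that follow from the explicit ones.

```python
"""Added example: how transitive, bidirectional trusts chain together.

Trusts are modelled as undirected edges between domain names; every
relationship is assumed to be two-way and transitive, as the text above
states. The domain names are constructed for illustration.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

Trust = Tuple[str, str]


def _adjacency(trusts: Iterable[Trust]) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for a, b in trusts:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)  # bidirectional: record both directions
    return adj


def trust_path(trusts: Iterable[Trust], src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of trusts from src to dst, or None if they are unrelated."""
    if src == dst:
        return [src]
    adj = _adjacency(trusts)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj.get(cur, ())):  # sorted for deterministic paths
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def trusted_domains(trusts: Iterable[Trust], start: str) -> Set[str]:
    """Every domain whose accounts `start` accepts, explicitly or implicitly."""
    adj = _adjacency(trusts)
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def implicit_trusts(trusts: Iterable[Trust]) -> Set[Trust]:
    """Pairs that trust each other only because of transitivity."""
    trusts = list(trusts)
    explicit = {frozenset(t) for t in trusts}
    out: Set[Trust] = set()
    for domain in _adjacency(trusts):
        for other in trusted_domains(trusts, domain):
            pair = frozenset((domain, other))
            if pair not in explicit:
                out.add(tuple(sorted(pair)))
    return out


if __name__ == "__main__":
    links = [("A", "B"), ("B", "C"), ("D", "E")]
    print("A trusts:", sorted(trusted_domains(links, "A")))
    print("A to C via:", trust_path(links, "A", "C"))
    print("implicit:", sorted(implicit_trusts(links)))
```

The implicit A to C relationship never appears in the list of configured trusts, which is why reviewing the transitive closure, not just the explicit entries, is the useful audit: each extra domain in the closure widens the set of accounts the domain accepts.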

What is auditing in Active Directory, in simple words? It is a security feature that lets you determine who is trying to access objects and whether the attempt succeeded.

Using DNS (Domain Name System)

The Domain Name System, or DNS, is necessary for any organization connected to the Internet. DNS provides name resolution between readable names, such as mspress.microsoft.com, and the raw IP addresses that network-layer components use to communicate.

Active Directory makes extensive use of DNS to locate objects. This is a significant change from previous Windows operating systems, which required NetBIOS names to be resolved to IP addresses and relied on WINS or other NetBIOS name resolution techniques.

Active Directory works best when used with DNS servers running Windows 2000. Microsoft has made it easy for administrators to switch to DNS servers running Windows 2000 by providing migration wizards that guide the administrator through the process.

Other DNS servers may be used. However, in that case administrators will have to spend more time managing DNS databases. What are the nuances? If you decide not to use DNS servers running Windows 2000, you must make sure your DNS servers support the new Dynamic DNS Update protocol. Servers rely on dynamically updating their records so that clients can find domain controllers. Without it, things get inconvenient: if dynamic updates are not supported, the databases have to be updated manually.


Windows domains and Internet domains are now fully compatible. For example, a name such as mspress.microsoft.com identifies the Active Directory domain controllers responsible for that domain, so any client with DNS access can find a domain controller. Clients can use DNS resolution to look up any number of services, because Active Directory servers publish a list of addresses in DNS using the new dynamic update features. This data is defined per domain and published through service (SRV) resource records. SRV RRs follow the format _service._protocol.domain.

Active Directory servers expose their objects over LDAP, and LDAP uses TCP as its underlying transport protocol. Therefore, a client looking for an Active Directory server in the mspress.microsoft.com domain will look up the DNS record for _ldap._tcp.mspress.microsoft.com.
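The lookup just described can be shown end to end: build the _service._protocol.domain query name, parse the SRV records that come back, and pick a target by the RFC 2782 rules (lowest priority first, then weight-proportional choice within that priority). This is an added example, not code from the article; the zone data is constructed, and only the mspress.microsoft.com domain name comes from the text, the dc1/dc2 host names do not.

```python
"""Added example: build the SRV query name a client uses to locate a domain
controller and choose a target from the returned records (RFC 2782 rules:
lowest priority first, weight-proportional choice within that priority).

The zone data below is constructed; only the mspress.microsoft.com domain
name comes from the text, the dc1/dc2 host names do not.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(service: str, protocol: str, domain: str) -> str:
    """_service._protocol.domain, e.g. _ldap._tcp.mspress.microsoft.com."""
    return f"_{service}._{protocol}.{domain}"


def parse_srv_zone(zone_text: str) -> Dict[str, List[SrvRecord]]:
    """Parse zone-file style SRV lines into records grouped by owner name."""
    records: Dict[str, List[SrvRecord]] = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        name = parts[0].rstrip(".").lower()
        rec = SrvRecord(int(parts[4]), int(parts[5]), int(parts[6]),
                        parts[7].rstrip(".").lower())
        records.setdefault(name, []).append(rec)
    return records


def select_target(records: List[SrvRecord], rng=random) -> Optional[SrvRecord]:
    """Lowest priority group wins; inside it, weight decides the odds."""
    if not records:
        return None
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    weights = [r.weight for r in group]
    if sum(weights) == 0:
        return rng.choice(group)  # all weights zero: any member will do
    return rng.choices(group, weights=weights, k=1)[0]


def find_domain_controller(zone: Dict[str, List[SrvRecord]], domain: str,
                           rng=random) -> Optional[SrvRecord]:
    """What an LDAP client does: query _ldap._tcp.<domain> and pick a server."""
    return select_target(zone.get(srv_query_name("ldap", "tcp", domain), []), rng)


# Constructed sample zone data (not real DNS records).
ZONE = """
; constructed sample data
_ldap._tcp.mspress.microsoft.com.     600 IN SRV 0  100 389 dc1.mspress.microsoft.com.
_ldap._tcp.mspress.microsoft.com.     600 IN SRV 10 100 389 dc2.mspress.microsoft.com.
_kerberos._tcp.mspress.microsoft.com. 600 IN SRV 0  100 88  dc1.mspress.microsoft.com.
"""


if __name__ == "__main__":
    zone = parse_srv_zone(ZONE)
    dc = find_domain_controller(zone, "mspress.microsoft.com")
    print(srv_query_name("ldap", "tcp", "mspress.microsoft.com"), "->", dc)
```

In the constructed zone dc2 carries priority 10, so clients only fall back to it when dc1 is gone from the record set; that is exactly why the dynamic update requirement in the previous section matters, since a controller that cannot register or refresh its SRV record is invisible to this lookup.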

Global catalog

Active Directory provides a global catalog (GC), a single source for searching for any object on the organization's network.

The global catalog is a service in Windows 2000 Server that allows users to find any object they have been granted access to. This functionality goes far beyond Find Computer, which was included in previous versions of Windows: users can search for any object in Active Directory, including servers, printers, users and applications.

Source: https://habr.com/ru/post/K3789/
