Windows - What Is Active Directory Domain Services and How Does It Work - Server Fault

07/01/2019 windows - What is Active Directory Domain Services and how does it work?
- Server Fault
Server Fault is a question and answer site for system and
network administrators. Join them; it only takes a minute:
Sign up
Here's how it works:
Anybody can ask a question
Anybody can answer
The best answers are voted up and rise to the top
What is Active Directory Domain Ask Question
Services and how does it work?
This is a
Canonical
138 Question about
Active Directory
Domain
Services (AD
DS).
125
What is Active
Directory? What
does it do and how
does it work?
How is Active
Directory
organized: Forest,
Child Domain,
Tree, Site, or OU
I find myself
By using our site, you acknowledge that you have read and understand our
explaining some of Cookie Policy, Privacy Policy, and
our Terms of Service. what I assume is
https://serverfault.com/questions/402580/what-is-active-directory-domain-services-and-how-does-it-work 1/28
07/01/2019 windows - What is Active Directory Domain Services and how does it work? - Server Fault
common
knowledge about it
almost daily. This
question will,
hopefully, serve as
a canonical
question and
answer for most
basic Active
Directory
questions. If you
feel that you can
improve the answer
to this question,
please edit away.
windows
activedirectory
edited Apr 13 '17 at 12:14
Community ♦
1
asked Jun 27 '12 at 3:47
MDMarra
92.6k 27 173 314
We're looking for
long answers that
provide some
explanation and
context. Don't just
give a oneline
answer; explain
why your answer is
right, ideally with
citations. Answers
that don't include
explanations may
be removed.
7
I don't want to
look like I'm rep
whoring, but I
think it's worth
linking to a non
technical
description of
AD, too, if you
run into a
situation where
you need to
describe it in less
By using our site, you acknowledge that you have read and understand our Cookie Policy, Privacy Policy, and
technical detail:
our Terms of Service. serverfault.com/q
/18339/7200 –
Evan Anderson
Nov 15 '12 at
21:22
Possible links for
this question:
serverfault.com/q
uestions/568606/
…
serverfault.com/q
uestions/472562/
…
serverfault.com/q
uestions/21780/
…
serverfault.com/q
uestions/72878/
… just to name a
few. Maybe a
canonical is in
order @MDMarra
– TheCleaner
Jan 28 '14 at
16:57
2 Answers
What is
Active
148
Directory?
Active Directory
Domain Services
is Microsoft's
Directory Server. It
provides
authentication and
authorization
mechanisms as
well as a
framework within
which other related
services can be
deployed (AD
Certificate
Services, AD
Federated
Services, etc). It is
an LDAP
compliant
database that
contains objects.
The most Cookie Policy, Privacy Policy, and
our Terms of Service. commonly used
objects are users,
computers, and
groups. These
objects can be
organized into
organizational
units (OUs) by any
number of logical
or business needs.
Group Policy
Objects (GPOs)
can then be linked
to OUs to
centralize the
settings for various
users or
computers across
an organization.
When people say
"Active Directory"
they typically are
referring to "Active
Directory Domain
Services." It is
important to note
that there are other
Active Directory
roles/products
such as Certificate
Services,
Federation
Services,
Lightweight
Directory Services,
Rights
Management
Services, etc. This
answer refers
specifically to
Active Directory
Domain Services.
What is a
domain and
what is a
forest?
A forest is a
security boundary.
Objects in
separate forests
are not able to
our Terms of Service.
interact with each
other, unless the
administrators of
each separate
forest create a
trust between
them. For
example, an
Enterprise
Administrator
account for
domain1.com ,
which is normally
the most privileged
account of a forest,
will have, no
permissions at all
in a second forest
named
domain2.com ,
even if those
forests exist within
the same LAN,
unless there is a
trust in place.
If you have
multiple disjoint
business units or
have the need for
separate security
boundaries, you
need multiple
forests.
A domain is a
management
boundary.
Domains are part
of a forest. The
first domain in a
forest is known as
the forest root
domain. In many
small and medium
organizations (and
even some large
ones), you will only
find a single
domain in a single
forest. The forest
root domain
defines the default
namespace for the
forest. For
example, if the first
domain in a new
forest is named
domain1.com , then
that is the forest
root domain. If you
have a business
need for a child
domain, for
example a
branch office in
Chicago, you
might name the
child domain chi .
The FQDN of the
child domain would
be
chi.domain1.com .
You can see that
the child domain's
name was
prepended forest
root domain's
name. This is
typically how it
works. You can
have disjoint
namespaces in the
same forest, but
that's a whole
separate can of
worms for a
different time.
In most cases,
you'll want to try
and do everything
possible to have a
single AD domain.
It simplifies
management, and
modern versions of
AD make it very
easy to delegate
control based on
OU, which lessens
the need for child
domains.
I can name
my domain
whatever I
want, right?
Not really.
dcpromo.exe , the
tool that handles
the promotion of a
server to a DC isn't
idiotproof. It does
let you make bad
decisions with your
naming, so pay
attention to this
section if you are
unsure. (Edit:
dcpromo is
deprecated in
Server 2012. Use
the Install-
ADDSForest
PowerShell cmdlet
or install AD DS
from Server
Manager.)
First of all, don't
use made up TLDs
like .local, .lan,
.corp, or any of
that other crap.
Those TLDs are
not reserved.
ICANN is selling
TLDs now, so your
mycompany.corp
that you're using
today could
actually belong to
someone
tomorrow. If you
own
mycompany.com ,
then the smart
thing to do is use
something like
internal.mycompan
y.com or
ad.mycompany.com
for your internal
AD name. If you
use
mycompany.com as
an externally
resolvable website,
you should avoid
using that as your
internal AD name
as well, since you'll
end up with a split
brain DNS.
Domain
Controllers
and Global
Catalogs
A server that
responds to
authentication or
authorization
requests is a
Domain Controller
(DC). In most
cases, a Domain
Controller will hold
a copy of the
Global Catalog. A
Global Catalog
(GC) is a partial
set of objects in all
domains in a
forest. It is directly
searchable, which
means that cross
domain queries
can usually be
performed on a
GC without
needing a referral
to a DC in the
target domain. If a
DC is queried on
port 3268 (3269 if
using SSL), then
the GC is being
queried. If port 389
(636 if using SSL)
is queried, then a
standard LDAP
query is being
used and objects
existing in other
domains may
require a referral.
When a user tries
to log in to a
computer that is
joined to AD using
their AD
credentials, the
salted and hashed
username and
password
combination are
sent to the DC for
both the user
account and the
computer account
that are logging in.
Yes, the computer
logs in too. This is
important, because
if something
happens to the
computer account
in AD, like
someone resets
the account or
deletes it, you may
get an error that
say that a trust
relationship
doesn't exist
between the
computer and the
domain. Even
though your
network
credentials are
fine, the computer
is no longer trusted
to log into the
domain.
Domain
Controller
Availability
Concerns
I hear "I have a
Primary Domain
Controller (PDC)
and want to install
a Backup Domain
Controller (BDC)"
much more
frequently that I
would like to
believe. The
concept of PDCs
and BDCs died
with Windows
NT4. The last
bastion for PDCs
was in a Windows
2000 transitional
mixed mode AD
when you still had
NT4 DCs around.
Basically, unless
you're supporting a
15+ year old install
that has never
been upgraded,
you really don't
have a PDC or a
BDC, you just
have two domain
controllers.
Multiple DCs are
capable of
answering
authentication
requests from
different users and
computers
simultaneously. If
one fails, then the
others will continue
to offer
authentication
services without
having to make
one "primary" like
you would have
had to do in the
NT4 days. It is
best practice to
have at least two
DCs per domain.
These DCs should
both hold a copy of
the GC and should
both be DNS
servers that hold a
copy of the Active
Directory
Integrated DNS
zones for your
domain as well.
FSMO Roles
"So, if there are
no PDCs, why
is there a PDC
role that only a Cookie Policy, Privacy Policy, and
single DC can
have?"
I hear this a lot.
There is a PDC
Emulator role. It's
different than
being a PDC. In
fact, there are 5
Flexible Single
Master Operations
roles (FSMO).
These are also
called Operations
Master roles as
well. The two
terms are
interchangeable.
What are they and
what do they do?
Good question!
The 5 roles and
their function are:
Domain Naming
Master There is
only one Domain
Naming Master per
forest. The Domain
Naming Master
makes sure that
when a new
domain is added to
a forest that it is
unique. If the
server holding this
role is offline, you
won't be able to
make changes to
the AD
namespace, which
includes things like
adding new child
domains.
Schema Master
There is only one
Schema
Operations Master
in a forest. It is
responsible for
updating the Active
Directory Schema.
Tasks that require
this, such as
preparing AD for a
new version of
Windows Server
functioning as a
DC or the
installation of
Exchange, require
Schema
modifications.
These
modifications must
be done from the
Schema Master.
Infrastructure
Master There is
one Infrastructure
Master per
domain. If you only
have a single
domain in your
forest, you don't
really need to
worry about it. If
you have multiple
forests, then you
should make sure
that this role is not
held by a server
that is also a GC
holder unless
every DC in the
forest is a GC.
The infrastructure
master is
responsible for
making sure that
crossdomain
references are
handled properly. If
a user in one
domain is added to
a group in another
domain, the
infrastructure
master for the
domains in
question make
sure that it is
handled properly.
This role will not
function correctly if
it is on a global
catalog.
RID Master The
Relative ID Master
(RID Master) is
responsible for
issuing RID pools
to DCs. There is
one RID master
per domain. Any
object in an AD
domain has a
unique Security
Identifier (SID).
This is made up of
a combination of
the domain
identifier and a
relative identifier.
Every object in a
given domain has
the same domain
identifier, so the
relative identifier is
what makes
objects unique.
Each DC has a
pool of relative IDs
to use, so when
that DC creates a
new object, it
appends a RID
that it hasn't used
yet. Since DCs are
issued non
overlapping pools,
each RID should
remain unique for
the duration of the
life of the domain.
When a DC gets to
~100 RIDs left in
its pool, it requests
a new pool from
the RID master. If
the RID master is
offline for an
extended period of
time, object
creation may fail.
PDC Emulator
Finally, we get to
the most widely
misunderstood role
of them all, the
PDC Emulator
role. There is one
PDC Emulator per
domain. If there is
a failed
authentication
attempt, it is
forwarded to the
PDC Emulator.
The PDC Emulator
functions as the
"tiebreaker" if a
password was
updated on one
DC and hasn't yet
replicated to the
others. The PDC
Emulator is also
the server that
controls time sync
across the domain.
All other DCs sync
their time from the
PDC Emulator. All
clients sync their
time from the DC
that they logged in
to. It's important
that everything
remain within 5
minutes of each
other, otherwise
Kerberos breaks
and when that
happens, everyone
cries.
The important
thing to remember
is that the servers
that these roles
run on is not set in
stone. It's usually
trivial to move
these roles
around, so while
some DCs do
slightly more than
others, if they go
down for short
periods of time,
everything will
usually function
normally. If they're
down for a long
time, it's easy to
transparently
transfer the roles.
It's much nicer
than the NT4
PDC/BDC days, so
please stop calling
your DCs by those
old names. :)
So, um...how
do the DCs
share
information if
they can
function
independentl
y of each
other?
Replication, of
course. By default,
DCs belonging to
the same domain
in the same site
will replicate their
data to each other
at 15 second
intervals. This
makes sure that
everything is
relatively up to
date.
There are some
"urgent" events
that trigger
immediate
replication. These
events are: An
account is locked
out for too many
failed logins, a
change is made to
the domain
password or
lockout policies,
the LSA secret is
changed, the
password is
changed on a DC's
computer account,
our Terms of Service. or the RID Master
role is transferred
to a new DC. Any
of these events will
trigger an
immediate
replication event.
Password changes
fall somewhere
between urgent
and nonurgent
and are handled
uniquely. If a user's
password is
changed on DC01
and a user tries to
log into a computer
that is
authenticating
against DC02
before replication
occurs, you'd
expect this to fail,
right? Fortunately
that doesn't
happen. Assume
that there is also a
third DC here
called DC03 that
holds the PDC
Emulator role.
When DC01 is
updated with the
user's new
password, that
change is
immediately
replicated to DC03
also. When thee
authentication
attempt on DC02
fails, DC02 then
forwards that
authentication
attempt to DC03 ,
which verifies that
it is, indeed, good,
and the logon is
allowed.
Let's talk
about DNS
DNS is critical to a
our Terms of Service. properly
functioning AD.
The official
Microsoft party line
is that any DNS
server can be used
if it is set up
properly. If you try
and use BIND to
host your AD
zones, you're high.
Seriously. Stick
with using AD
Integrated DNS
zones and use
conditional or
global forwarders
for other zones if
you must. Your
clients should all
be configured to
use your AD DNS
servers, so it's
important to have
redundancy here.
If you have two
DCs, have them
both run DNS and
configure your
clients to use both
of them for name
resolution.
Also, you're going
to want to make
sure that if you
have more than
one DC, that they
don't list
themselves first for
DNS resolution.
This can lead to a
situation where
they are on a
"replication island"
where they are
disconnected from
the rest of the AD
replication
topology and
cannot recover. If
you have two
servers DC01 -
10.1.1.1 and
DC02 - 10.1.1.2 ,
then their DNS
server list should
be configured like
this:
Server: DC01
(10.1.1.1)
Primary DNS
10.1.1.2
Secondary
DNS
127.0.0.1
Server: DC02
(10.1.1.2)
Primary DNS
10.1.1.1
Secondary
DNS
127.0.0.1
OK, this
seems
complicated.
Why do I want
to use AD at
all?
Because once you
know what you're
doing, you life
becomes infinitely
better. AD allows
for the
centralization of
user and computer
management, as
well as the
centralization of
resource access
and usage.
Imagine a situation
where you have 50
users in an office.
If you wanted each
user to have their
own login to each
computer, you'd
have to configure
50 local user
accounts on each
PC. With AD, you
only have to made
the user account
once and it can log
into any PC on the
domain by default.
If you wanted to
harden security,
you'd have to do it
50 times. Sort of a
nightmare, right?
Also imagine that
you have a file
share that you only
want half of those
people to get to. If
you're not using
AD, you'd either
need to replicate
their username
and passwords by
hand on the server
to give seemless
access, or you'd
have to make a
shared account
and give each user
the username and
password. One
way means that
you know (and
have to constantly
update) users'
passwords. The
other way means
that you have no
audit trail. Not
good, right?
You also get the
ability to use
Group Policy when
you have AD set
up. Group Policy is
a set of objects
that are linked to
OUs that define
settings for users
and/or computers
in those OUs. For
example, if you
want to make it so
that "Shutdown"
isn't on the start
menu for 500 lab
PCs, you can do
that in one setting
in Group Policy.
Instead of
spending hours or
days configuring
the proper registry
entries by hand,
you create a
Group Policy
Object once, link it
to the correct OU
or OUs, and never
have to think about
it again. There are
hundreds of GPOs
that can be
configured, and
the flexibility of
Group Policy is
one of the major
reasons that
Microsoft is so
dominant in the
enterprise market.
dited Apr 13 '17 at 12:14
Community ♦
1
nswered Jun 27 '12 at 3:47
MDMarra
92.6k 27 173 314
19 Well done,
Mark. Awesome
QA. – EEAA
Jun 27 '12 at
4:00
12 @TheCleaner
Agreed, but part
of the mission of
Stack Exchange
is to be the
central
repository for all
useful
information on a
specific topic.
So, while the
info on
Wikipedia is
typically very
correct and
relevant, it's not
driving people
here and "here"
should be the
onestopshop
for everything Cookie Policy, Privacy Policy, and
our Terms of Service. systems
administration
related. –
MDMarra Jun
27 '12 at 4:12
6 @RyanBolger
This is all true,
but this Q&A is
geared towards
a newbie.
Supportability is
a big concern,
and Microsoft
will absolutely
not help you
sort out an AD
issue that could
be DNS related
if you're running
BIND (or
anything else).
It's an advanced
config that isn't
recommended
for someone
that needs to
ask the question
"What is AD and
how does it
work." On top of
it all, DNS is a
lowload role. If
you already
have DCs, it's
really hard to
make a case not
to run DNS on
them and have
a global
forwarder to the
rest of your
DNS
infrastructure. –
MDMarra Jun
27 '12 at 19:07
8
@RyanBolger
agreed with
MDMarra. If
Fred already
has a well
functioning and
complex internal
DNS
infrastructure,
then Fred would
not be posting
on SF asking
"So, I'm about to
install this
Active Directory
thing tell me all Cookie Policy, Privacy Policy, and
our Terms of Service. about it
please?" –
mfinni Jun 28
'12 at 1:15
1 Your answer
just reminded
me to check the
DNS server
search order on
the domain
controllers of a
network I
inherited... Yeah
they were
referring to
themselves! –
myronsemack
Jan 31 '14 at
20:36
Note: This answer
was merged into
17 this question from a
different question
that asked about
the differences
between forests,
child domains,
trees, sites, and
OUs. This was not
originally written as
an answer to this
specific question.
Forest
You want to create
a new forest when
you need a security
boundary. For
example, you may
have a perimeter
network (DMZ) that
you wish to
manage with AD,
but you don't want
your internal AD
available in the
our Terms of Service. perimeter network
for security
reasons. In this
case, you would
want to create a
new forest for that
security zone. You
may also want this
separation if you
have multiple
entities that do not
trust each other
for example a shell
corporation that
encompasses
individual
businesses that
operate
independently. In
this case, you'd
want each entity to
have its own forest.
Child Domain
Really, you don't
need these any
more. There are
few good examples
of when you would
want a child
domain. A legacy
reason is because
of different
password policy
requirements, but
this is no longer
valid, as there are
FineGrained
Password Policies
available since
Server 2008. You
really only need a
child domain if you
have areas with
incredible poor
network
connectivity and
you want to
drastically reduce
replication traffic a
cruise ship with
satellite WAN
connectivity is a
our Terms of Service. good example. In
this case, each
cruise ship may be
its own child
domain, so as to be
relatively self
contained while still
being able to
leverage the
benefits of being in
the same forest as
other domains from
the same company.
Tree
This is an oddball.
New trees are used
when you want to
maintain the
management
benefits of a single
forest but have a
domain in a new
DNS namespace.
For example
corp.example.com
may be the forest
root, but you could
have
ad.mdmarra.com in
the same forest
using a new tree.
The same rules
and
recommendations
for child domains
apply here use
them sparingly.
They're usually not
needed in modern
ADs.
Site
A site should
represent physical
or logical boundary
in your network.
For example,
branch offices.
Sites are used to
intelligently select Cookie Policy, Privacy Policy, and
our Terms of Service. replication partners
for domain
controllers in
different areas.
Without defining
sites, all DCs will
be treated as if they
were in the same
physical location
and replicate in a
mesh topology. In
practice, most
organizations are
configured in a
hubandspoke
logically, so sites
and services
should be
configured to reflect
this.
Other applications
also use Sites and
Services. DFS uses
it for namespace
referrals and
replication partner
selection.
Exchange and
Outlook use it to
find the "nearest"
global catalog to
query. Your
domainjoined
computers use it to
locate the "nearest"
DC(s) to
authenticate
against. Without
this, your
replication and
authentication
traffic are like the
Wild West.
Organizational
Unit
These should be
created in a way
that reflects your
organization's need
for delegation of Cookie Policy, Privacy Policy, and
our Terms of Service. permission and
group policy
application. Many
organizations have
one OU per site,
because they apply
GPO that way this
is silly, because
you can apply GPO
to a site from Sites
and Services as
well. Other
organizations
separate OUs by
department or
function. This
makes sense for
many people, but
really OU design
should meet your
needs and is rather
flexible. There's no
"one way" to do it.
A multinational
company may have
toplevel OUs of
North America ,
Europe , Asia ,
South America ,
Africa so that
they can delegate
administrative
privileges based on
continent. Other
organizations may
have toplevel OUs
of Human
Resources ,
Accounting ,
Sales , etc if that
makes more sense
for them. Other
organizations have
minimal policy
needs and use a
"flat" layout with
just Employee
Users and
Employee
. There's
Computers
really no right
answer here, it's
whatever meets
your company's
needs.
dited Jan 28 '14 at 20:08
nswered Jan 28 '14 at 17:06
MDMarra
92.6k 27 173 314
1 Someone knows
his AD pretty
thoroughly.. +1 –
NickW Jan 28
'14 at 17:09
3 @NickW AD
questions are
where 72k of my
72.9k rep have
probably come
from :D –
MDMarra Jan
28 '14 at 17:11
2 And still a great
Technet article to
read after all this
time:
technet.microsoft
.com/en
us/library/bb7270
30.aspx some
parts have been
superseded but
definitely worth
the read. –
TheCleaner Jan
28 '14 at 17:20
protected by
voretaq7 Oct 2
'13 at 22:23
Thank you for your
interest in this
question. Because
it has attracted low
quality or spam
answers that had
to be removed,
posting an answer
now requires 10
reputation on this
site (the
association bonus
does not count).

Would you like to
answer one of
these unanswered
questions instead?

Windows - What Is Active Directory Domain Services and How Does It Work - Server Fault

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Windows - What Is Active Directory Domain Services and How Does It Work - Server Fault

Transféré par

Droits d'auteur :

Formats disponibles

07/01/2019 windows - What is Active Directory Domain Services and how does it work?

Vous aimerez peut-être aussi