During the Active Directory Domain Services (AD DS) installation, the Windows server is set up as a Domain Controller (DC).
The Domain Controller is a database of all objects for the network/domain.
This database will allow only authorized objects such as users, computers, or printers to connect and access resources.
The administration is eased as users are managed centrally instead of managing logins on individual computers.
The top level of an Active Directory network is called a Forest.
This forest can consist of multiple sub-domains that, while separate, can interact with each other should the administrator choose.
Active Directory Domain Services (AD DS)
Microsoft’s Active Directory Domain Services (AD DS) is a sub-feature of Active Directory that allows administrators to build a centralized and scalable Windows network. These networks are based on logical and hierarchical structures.
Active Directory Domain Services (AD DS) manages critical network functions such as:
- User logins
- Security permissions
- Organizational units
Let’s discuss some basic features and terminologies.
Active Directory Objects
There are two main object categories within Active Directory.
Container: These can group other objects inside them, for example, an organizational unit that groups user accounts together.
Leaf: These cannot contain other objects, for example, a user account.
Active Directory Terminology
Schema: This is a set of instructions that govern attributes and objects in the AD DS.
Global Catalog: This is a repository of objects contained in the AD. In the Global Catalog, you’ll find users’ details, such as names and contacts.
Sites: These represent the network topology of a Windows network.
Query and Index Mechanism: This feature ensures users can locate each other in the Active Directory. A perfect example is when you start typing a user’s email address in the client’s recipient field, and the possible matches are displayed.
Lightweight Directory Access Protocol: Commonly abbreviated as LDAP, this protocol enables the Active Directory to communicate with LDAP-enabled directory services in the network.
Replication Service: As the name suggests, replication ensures the Domain Controller is replicated onto another Domain Controller, thereby having the same schema and catalog.
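To make the container/leaf distinction and the Schema entry above concrete, here is an added PowerShell example (not from the original article) that reads the schema partition through the RSAT ActiveDirectory module. It assumes a domain-joined session with read access to the schema; the function name Get-AdClassContainment is my own.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory
# module and a domain-authenticated session. Whether a class is a container is
# defined in the schema: a class is a container if some other class names it in
# possSuperiors or systemPossSuperiors; a class nobody names is a leaf.
Import-Module ActiveDirectory

function Get-AdClassContainment {
    param([Parameter(Mandatory)][string]$ClassName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # The class definition itself, with the attributes naming its allowed parents.
    $class = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
        -Properties lDAPDisplayName, possSuperiors, systemPossSuperiors
    if (-not $class) { throw "No classSchema object named '$ClassName'" }

    # Classes that list $ClassName as a possible superior are the ones it may contain.
    $children = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(|(possSuperiors=$ClassName)(systemPossSuperiors=$ClassName)))" `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

    [pscustomobject]@{
        Class        = $class.lDAPDisplayName
        Category     = $(if ($children) { 'Container' } else { 'Leaf' })
        MayLiveUnder = @($class.possSuperiors) + @($class.systemPossSuperiors) | Sort-Object -Unique
        MayContain   = @($children)
    }
}

# Compare a typical container class with a typical leaf class.
'organizationalUnit', 'user' | ForEach-Object { Get-AdClassContainment -ClassName $_ } |
    Format-List
```

Schema extensions (Exchange, third-party products) can add classes, so the MayContain list on a given forest may be longer than the default schema suggests.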
Active Directory Services
Active Directory offers a long list of services. Some of the most used features are:
Domain Services: The AD DS offers core services such as centralization of data and management of communication between users in the domain, search functionality, and login authentication.
Lightweight Directory Services: This feature supports applications that are directory enabled using the LDAP protocol.
Rights Management: Rights management handles information rights. It encrypts and limits access to personal content such as emails, documents, and other confidential data.
Directory Federation Services: This service provides single sign-on (SSO) functionality that enables secure user authentication, especially when a user interacts with multiple web applications during a single session.
Certificate Services: These features allow for the generation, management, and distribution of security certificates. The certificates encrypt data sent over the Internet and protect its privacy and confidentiality, averting attempts by attackers to steal the information.
Active Directory Domain Controller Functions
Domain Controllers, or DCs for short, are the servers that host the Active Directory database.
Their primary role is to authenticate user requests based on their username and password and the appropriate permissions they have been assigned.
The Domain Controller (DC) also hosts a variety of services that complement the authentication, such as:
NetLogon: This service runs silently in the background. Its primary purpose is to validate users’ login credentials in the domain network. If stopped, many server functions would be adversely affected, and domain users could not access their accounts.
Kerberos Key Distribution Center (KDC): The KDC is the service that issues, validates, and encrypts Kerberos tickets. It consists of an Authentication Server (AS) and a Ticket-Granting Server (TGS), and it authenticates users whenever the Kerberos protocol is used. Kerberos is a protocol designed for security and authentication: it provides a mechanism for authenticating users to the services on a Windows network, for example a file server, while encrypting the connections between clients and servers.
W32time service: Also referred to as Windows Time, W32time is a service that uses the Network Time Protocol (NTP) to synchronize the date and time of all computers joined to the Active Directory domain. Kerberos requires that the date and time on all computers in the network are synchronized, so it depends on this service working correctly.
Intersite Messaging (IsmServ): This service allows the exchange of information between Windows servers in a networked environment. It provides replication between sites by employing SMTP over a TCP/IP network.
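As an added example (not part of the original article), the following PowerShell health check inspects the four Domain Controller services just described and measures clock offset against a peer DC, since Kerberos logons fail when clocks drift. It assumes an elevated session on a Domain Controller; the peer name in $PeerDc and the function name Test-DcCoreServices are constructed placeholders of my own.

```powershell
# Added example, not from the original article. Run as an administrator on a DC.
# $PeerDc is a constructed placeholder; replace it with another DC in the domain.
$PeerDc = 'dc02.example.com'

function Test-DcCoreServices {
    param([string]$PeerDc)

    # Windows service names for the roles the article describes.
    $expected = @{
        Netlogon = 'NetLogon (logon validation / secure channel)'
        Kdc      = 'Kerberos Key Distribution Center'
        W32Time  = 'Windows Time (NTP)'
        IsmServ  = 'Intersite Messaging'
    }
    $findings = @(foreach ($name in $expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = $expected[$name]
            Status = $(if ($svc) { $svc.Status } else { 'NotInstalled' })
            Ok     = [bool]($svc -and $svc.Status -eq 'Running')
        }
    })

    # Clock offset against a peer DC. Kerberos rejects tickets outside the domain's
    # allowed clock skew (5 minutes by default), so a large offset breaks logons.
    # w32tm /stripchart prints lines such as "14:23:05, +00.0123456s".
    $line = w32tm /stripchart /computer:$PeerDc /samples:1 /dataonly 2>&1 | Select-Object -Last 1
    $offset = $(if ("$line" -match ',\s*([+-]?\d+\.\d+)s') { [double]$matches[1] } else { $null })
    $findings += [pscustomobject]@{
        Check  = "Clock offset vs $PeerDc (seconds)"
        Status = $(if ($null -ne $offset) { $offset } else { 'Unavailable' })
        Ok     = [bool]($null -ne $offset -and [math]::Abs($offset) -lt 300)
    }
    return $findings
}

Test-DcCoreServices -PeerDc $PeerDc | Format-Table -AutoSize
```

Any row with Ok set to False is worth investigating before users report logon failures; a stopped Kdc or a large clock offset shows up here before it shows up in the event log.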
Active Directory is a key component for wide-scale Windows networks.
Understanding how it works can assist in maintaining an optimal network.