What is Active Directory?
Active Directory Domain Services is Microsoft's Directory Server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed (AD Certificate Services, AD Federated Services, etc). It is an LDAP compliant database that contains objects. The most commonly used objects are users, computers, and groups. These objects can be organized into organizational units (OUs) by any number of logical or business needs. Group Policy Objects (GPOs) can then be linked to OUs to centralize the settings for various users or computers across an organization.
When people say "Active Directory" they typically are referring to "Active Directory Domain Services." It is important to note that there are other Active Directory roles/products such as Certificate Services, Federation Services, Lightweight Directory Services, Rights Management Services, etc. This answer refers specifically to Active Directory Domain Services.
What is a domain et what is a forest?
A forest is a security boundary. Objects in separate forests are not able to interact with each other, unless the administrators of each separate forest create a trust between them. For example, an Enterprise Administrator account for domain1.com, which is normally the most privileged account of a forest, will have no permissions at all in a second forest named domain2.com, even if those forests exist within the same LAN, unless there is a trust in place.
If you have multiple disjoint business units or have the need for separate security boundaries, you need multiple forests.
A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones), you will only find a single domain in a single forest. The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.com, then that is the forest root domain. If you have a business need for a child domain, for example a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.domain1.com. You can see that the child domain's name was prepended to the forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that's a whole separate can of worms for a different time.
In most cases, you'll want to try and do everything possible to have a single AD domain. It simplifies management, and modern versions of AD make it very easy to delegate control based on OU, which lessens the need for child domains.
I can name my domain whatever I want, right?
Not really. dcpromo.exe, the tool that handles the promotion of a server to a DC, is not idiot-proof. It does let you make bad decisions with your naming, so pay attention to this section if you are unsure. (Edit: dcpromo is deprecated in Server 2012. Use the Install-ADDSForest PowerShell cmdlet or install AD DS from Server Manager.)
First of all, don't use made up TLDs like .local, .lan, .corp, or any of that other crap. Those TLDs are not reserved. ICANN is selling TLDs now, so your mycompany.corp that you're using today could actually belong to someone tomorrow. If you own mycompany.com, then the smart thing to do is use something like internal.mycompany.com or ad.mycompany.com for your internal AD name. If you use mycompany.com as an externally resolvable website, you should avoid using that as your internal AD name as well, since you'll end up with a split-brain DNS.
Domain Controllers et Global Catalogs
A server that responds to authentication or authorization requests is a Domain Controller (DC). In most cases, a Domain Controller will hold a copy of the Global Catalog. A Global Catalog (GC) is a partial set of objects in all domains in a forest. It is directly searchable, which means that cross-domain queries can usually be performed on a GC without needing a referral to a DC in the target domain. If a DC is queried on port 3268 (3269 if using SSL), then the GC is being queried. If port 389 (636 if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral.
When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination are sent to the DC for both the user account and the computer account that are logging in. Yes, the computer logs in too. This is important, because if something happens to the computer account in AD, like someone resets the account or deletes it, you may get an error that says that a trust relationship doesn't exist between the computer and the domain. Even though your network credentials are fine, the computer is no longer trusted to log into the domain.
Domain Controller Availability Concerns
I hear "I have a Primary Domain Controller (PDC) and want to install a Backup Domain Controller (BDC)" much more frequently than I would like to believe. The concept of PDCs and BDCs died with Windows NT4. The last bastion for PDCs was in a Windows 2000 transitional mixed mode AD when you still had NT4 DCs around. Basically, unless you're supporting a 15+ year old install that has never been upgraded, you really don't have a PDC or a BDC, you just have two domain controllers.
Multiple DCs are capable of answering authentication requests from different users and computers simultaneously. If one fails, then the others will continue to offer authentication services without having to make one "primary" like you would have had to do in the NT4 days. It is best practice to have at least two DCs per domain. These DCs should both hold a copy of the GC and should both be DNS servers that hold a copy of the Active Directory Integrated DNS zones for your domain as well.
FSMO Roles
"So, if there are no PDCs, why is there a PDC role that only a single DC can have?"
I hear this a lot. There is a PDC Emulator role. It is different than being a PDC. In fact, there are 5 Flexible Single Master Operations (FSMO) roles. These are also called Operations Master roles. The two terms are interchangeable. What are they and what do they do? Good question! The 5 roles and their function are:
Domain Naming Master - There is only one Domain Naming Master per forest. The Domain Naming Master makes sure that when a new domain is added to a forest it is unique. If the server holding this role is offline, you will not be able to make changes to the AD namespace, which includes things like adding new child domains.
Schema Master - There is only one Schema Operations Master in a forest. It is responsible for updating the Active Directory Schema. Tasks that require this, such as preparing AD for a new version of Windows Server functioning as a DC or the installation of Exchange, require Schema modifications. These modifications must be done from the Schema Master.
Infrastructure Master - There is one Infrastructure Master per domain. If you only have a single domain in your forest, you don't really need to worry about it. If you have multiple forests, then you should make sure that this role is not held by a server that is also a GC holder unless each DC in the forest is a GC. The infrastructure master is responsible for making sure that cross-domain references are handled properly. If a user in one domain is added to a group in another domain, the infrastructure master for the domains in question makes sure that it is handled properly. This role will not function correctly if it is on a global catalog.
RID Master - The Relative ID Master (RID Master) is responsible for issuing RID pools to DCs. There is one RID master per domain. Any object in an AD domain has a unique Security Identifier (SID). This is made up of a combination of the domain identifier and a relative identifier. Every object in a given domain has the same domain identifier, so the relative identifier is what makes objects unique. Each DC has a pool of relative IDs to use, so when that DC creates a new object, it appends a RID that it has not used yet. Since DCs are issued non-overlapping pools, each RID should remain unique for the duration of the life of the domain. When a DC gets to 100 RIDs left in its pool, it requests a new pool from the RID master. If the RID master is offline for an extended period of time, object creation may fail.
PDC Emulator - Finally, we get to the most widely misunderstood role of them all, the PDC Emulator role. There is one PDC Emulator per domain. If there is a failed authentication attempt, it is forwarded to the PDC Emulator. The PDC Emulator functions as the "tie-breaker" if a password was updated on one DC and has not yet replicated to the others. The PDC Emulator is also the server that controls time sync across the domain. All other DCs sync their time from the PDC Emulator. All clients sync their time from the DC that they logged in to. It is important that everything remain within 5 minutes of each other, otherwise Kerberos breaks and when that happens, everyone cries.
The important thing to remember is that the servers that these roles run on are not set in stone. It is usually trivial to move these roles around, so while some DCs do slightly more than others, if they go down for short periods of time, everything will usually function normally. If they're down for a long time, it's easy to transparently transfer the roles. It's much nicer than the NT4 PDC/BDC days, so please stop calling your DCs by those old names. 🙂
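An added example (not code from the original answer) that lists the five FSMO role holders with the ActiveDirectory module and flags the Infrastructure Master/Global Catalog conflict described above; it assumes RSAT on a domain-joined machine and a single-forest, possibly multi-domain, environment.

```powershell
# Added example, not part of the original answer. Requires the ActiveDirectory
# RSAT module and a domain-joined session with rights to read forest/domain data.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Every DC in the forest, so the "each DC in the forest is a GC" rule can be tested.
    $dcs = @($forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ })

    # Forest-wide roles (one holder per forest) and domain-wide roles (one per domain).
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    foreach ($entry in $roles.GetEnumerator()) {
        [pscustomobject]@{ Role = $entry.Key; Holder = $entry.Value }
    }

    # With a single domain the Infrastructure Master has nothing to do. With more
    # than one, it must not sit on a GC unless every DC in the forest is a GC.
    if ($forest.Domains.Count -gt 1) {
        $infraDc     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $everyDcIsGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($infraDc.IsGlobalCatalog -and -not $everyDcIsGc) {
            $msg = 'Infrastructure Master {0} is a GC while other DCs are not; cross-domain references may not be updated.' -f $domain.InfrastructureMaster
            Write-Warning $msg
        }
    }
}

Get-FsmoReport | Format-Table -AutoSize

# Moving a role is a single cmdlet, e.g. (target DC name is a placeholder):
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator
```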
So, um...how do le DCs share information si they can function independently of chaque other?
Replication, of course. By default, DCs belonging to the same domain in the same site will replicate their data to each other at 15 second intervals. This makes sure that everything is relatively up to date.
There are some "urgent" events that trigger immediate replication. These events are: An account is locked out for too many failed logins, a change is made to the domain password or lockout policies, the LSA secret is changed, the password is changed on a DC's computer account, or the RID Master role is transferred to a new DC. Any of these events will trigger an immediate replication event.
Password changes fall somewhere between urgent and non-urgent and are handled uniquely. If a user's password is changed on DC01 and a user tries to log into a computer that is authenticating against DC02 before replication occurs, you'd expect this to fail, right? Fortunately that doesn't happen. Assume that there is also a third DC here called DC03 that holds the PDC Emulator role. When DC01 is updated with the user's new password, that change is immediately replicated to DC03 also. When the authentication attempt on DC02 fails, DC02 then forwards that authentication attempt to DC03, which verifies that it is, indeed, good, and the logon is allowed.
Let's talk about DNS
DNS is critical to a properly functioning AD. The official Microsoft party line is that any DNS server can be used if it is set up properly. If you try and use BIND to host your AD zones, you're high. Seriously. Stick with using AD Integrated DNS zones and use conditional or global forwarders for other zones if you must. Your clients should all be configured to use your AD DNS servers, so it's important to have redundancy here. If you have two DCs, have them both run DNS and configure your clients to use both of them for name resolution.
Also, you're going to want to make sure that if you have more than one DC, they don't list themselves first for DNS resolution. This can lead to a situation where they are on a "replication island" where they are disconnected from the rest of the AD replication topology and cannot recover. If you have two servers DC01 - 10.1.1.1 and DC02 - 10.1.1.2, then their DNS server list should be configured like this:
Server: DC01 (10.1.1.1)
Primary DNS - 10.1.1.2
Secondary DNS - 127.0.0.1
Server: DC02 (10.1.1.2)
Primary DNS - 10.1.1.1
Secondary DNS - 127.0.0.1
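An added check (not code from the original answer) that reads each DC's DNS client list and reports whether it lists itself first, the "replication island" misconfiguration above; it assumes the ActiveDirectory and DnsClient modules, PowerShell remoting to every DC, and one IPv4 address per DC in the directory.

```powershell
# Added example, not part of the original answer. Requires the ActiveDirectory
# module locally, WinRM access to each DC, and the DnsClient module on the DCs.
Import-Module ActiveDirectory

function Test-DcDnsClientOrder {
    $dcs   = @(Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address)
    $dcIps = @($dcs.IPv4Address)

    foreach ($dc in $dcs) {
        # IPv4 DNS servers configured on the DC's adapters, in the order they are tried.
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                Select-Object -ExpandProperty ServerAddresses
        })
        $first      = $servers | Select-Object -First 1
        $peers      = @($dcIps | Where-Object { $_ -ne $dc.IPv4Address })
        # Self-first is the misconfiguration: own address or loopback in position one.
        $selfFirst  = $first -in @($dc.IPv4Address, '127.0.0.1')
        # At least one partner DC should appear so replication can bootstrap.
        $peerListed = @($servers | Where-Object { $_ -in $peers }).Count -gt 0

        [pscustomobject]@{
            DC         = $dc.HostName
            DnsServers = ($servers -join ', ')
            SelfFirst  = $selfFirst    # expected: False
            PeerListed = $peerListed   # expected: True
        }
    }
}

Test-DcDnsClientOrder | Format-Table -AutoSize

# Applying the layout above on DC01 (the adapter name is an assumption):
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.1.1.2, 127.0.0.1
```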
OK, this seems complicated. Why do I want to use AD at all?
Because once you know what you're doing, your life becomes infinitely better. AD allows for the centralization of user and computer management, as well as the centralization of resource access and usage. Imagine a situation where you have 50 users in an office. If you wanted each user to have their own login to each computer, you'd have to configure 50 local user accounts on each PC. With AD, you only have to make the user account once and it can log into any PC on the domain by default. If you wanted to harden security, you'd have to do it 50 times. Sort of a nightmare, right? Also imagine that you have a file share that you only want half of those people to get to. If you're not using AD, you'd either need to replicate their usernames and passwords by hand on the server to give seamless access, or you'd have to make a shared account and give each user the username and password. One way means that you know (and have to constantly update) users' passwords. The other way means that you have no audit trail. Not good, right?
You also get the ability to use Group Policy when you have AD set up. Group Policy is a set of objects that are linked to OUs that define settings for users and/or computers in those OUs. For example, if you want to make it so that "Shutdown" is not on the start menu for 500 lab PCs, you can do that in one setting in Group Policy. Instead of spending hours or days configuring the proper registry entries by hand, you create a Group Policy Object once, link it to the correct OU or OUs, and never have to think about it again. There are hundreds of GPOs that can be configured, and the flexibility of Group Policy is one of the major reasons that Microsoft is so dominant in the enterprise market.