Active Directory Concepts & Administration


Introduction

Active Directory (AD) is Microsoft's directory service. It stores information about the objects in a network and makes that information available to authorized users and applications.

Examples of Active Directory objects are users, computers, groups, printers and other resources in a network.

Before a user is allowed to log on to an AD domain, the user has to be authenticated. Authentication means proving identity, usually by verifying the user's username and password; by default an AD domain does this with Kerberos, falling back to NTLM where Kerberos cannot be used.

After the user logs on, AD uses the information it stores about that user (group memberships, etc.) to decide whether each request for a resource should be allowed. The process of granting or denying access to a resource is called authorization. Authentication answers "who are you?"; authorization answers "what are you allowed to do?".

This tutorial will cover the main concepts of AD, including its physical and logical structure. It will also cover Domain Controllers, AD Schema, Forest and Domain. Some other concepts you will learn include Replication, Domain Controller Roles (Operations Master Roles), Global Catalog servers, Universal Group Membership Caching and Read-Only Domain Controllers.

By the time you complete this tutorial you can confidently discuss how Active Directory works and understand its major concepts. Finally, you will learn some tasks you can perform with Active Directory Users and Computers, Sites and Services, Domains and Trusts and more.

Some Important Active Directory Concepts

Active Directory has some very important concepts that you need to understand to effectively deploy and manage it. Here are some of the essential concepts:

AD Domain Controller

An AD Domain Controller (DC) is a Windows Server running Active Directory Domain Services (AD DS). For a Windows Server to run AD DS it has to be promoted to a Domain Controller, either with Server Manager or with the ADDSDeployment PowerShell cmdlets. Promoting a server is covered in Active Directory Domain Services: Installation & Configuration, listed under Other Helpful Tutorials at the end of this tutorial.

Active Directory Schema

The next important concept is the AD Schema. The schema defines the object classes that can exist in the directory and the attributes each class may (or must) carry. For example, user is an object class, and a user object has attributes such as the user's name, manager, and so on.

The schema ships with standard classes such as user, computer, group and printer. If you need additional classes or attributes, you extend the schema. Products such as Microsoft Exchange and SCCM (Configuration Manager) require a schema extension before they can be installed. Schema changes are forest-wide, replicate to every DC and cannot be rolled back (a class or attribute can only be deactivated, never deleted), so test them in a lab first and perform them with an account that is a member of Schema Admins.

To see how you can extend the AD schema, see How to Extend the Schema in the Additional Resources and References at the end of this tutorial.
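As an added example (this is not code from the original tutorial), the PowerShell below walks the schema to list every attribute a given object class can carry, including attributes inherited from its superclasses and auxiliary classes, and reads the schema version that adprep raises with each forest upgrade. It assumes only the ActiveDirectory module (present on a DC or with RSAT) and read access to the schema partition; the msExch filter at the end is an illustration of how to spot a product's schema extension.

```powershell
Import-Module ActiveDirectory

# The schema partition, e.g. CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClassAttributes {
    # Returns the lDAPDisplayNames of all attributes a class may carry. The schema stores
    # attributes per class, so we follow subClassOf and the auxiliary-class links to
    # collect what 'user' inherits from organizationalPerson, person, top, securityPrincipal, etc.
    param([Parameter(Mandatory)][string]$ClassName)

    $attrs   = New-Object 'System.Collections.Generic.List[string]'
    $visited = @{}
    $queue   = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($ClassName)

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($visited.ContainsKey($name)) { continue }   # 'top' is its own superclass, so guard against loops
        $visited[$name] = $true

        $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))" -Properties subClassOf, auxiliaryClass, systemAuxiliaryClass, mustContain, systemMustContain, mayContain, systemMayContain
        if (-not $cls) { continue }

        foreach ($p in 'mustContain', 'systemMustContain', 'mayContain', 'systemMayContain') {
            foreach ($a in @($cls.$p)) {
                if ($a -and -not $attrs.Contains($a)) { $attrs.Add($a) }
            }
        }
        foreach ($parent in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($parent) { $queue.Enqueue($parent) }
        }
    }
    return $attrs
}

function Get-SchemaVersion {
    # objectVersion on the schema head rises with each adprep /forestprep
    # (69 = Windows Server 2012 R2, 87 = Windows Server 2016, 88 = Windows Server 2019/2022).
    (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
}

$userAttrs = Get-SchemaClassAttributes -ClassName 'user'
"user class can carry {0} attributes (schema version {1})" -f $userAttrs.Count, (Get-SchemaVersion)

# Attributes added by a schema extension are easy to spot by their prefix;
# this list stays empty unless Exchange has extended the schema.
$userAttrs | Where-Object { $_ -like 'msExch*' } | Sort-Object
```

Run it before and after a schema extension and diff the two attribute lists; that is the quickest way to see exactly what a product's forestprep added, and the schema version is what you check when a colleague asks whether adprep has already been run.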

Active Directory Forest

In the AD hierarchy, the Forest is at the top of the logical structure. A forest holds one or more domain trees; each tree is a set of domains that share a contiguous DNS namespace (for example corp.example.com and sales.corp.example.com). Within domains you have Organizational Units (OUs), and within OUs you have users, computers and groups.

An AD Forest is therefore a collection of AD Domains that share one schema and one configuration partition and are joined by trust relationships. The forest, not the domain, is the security boundary: an attacker who takes over any domain in the forest (for example its Domain Admins) can escalate to the whole forest. Below is a simple illustration of an AD Forest hierarchy. To read more about AD Forests, visit What is an Active Directory Forest?

Pro Tip
Domains in the same forest are joined by two-way transitive trusts (parent-child and tree-root trusts) that AD creates automatically; you do not create them yourself. Through these trusts, users in one domain can be authenticated by DCs of another domain and can be granted access to resources there. You only create trusts manually when you want to connect to a domain or forest outside your own forest.

(Figure: Active Directory Forest hierarchy)

Types of AD Trusts

You can create four types of trust relationship manually: external trusts (to a single domain in another forest, or an NT 4.0 domain), forest trusts (between the root domains of two forests, transitive across both forests), shortcut trusts (between two domains in the same forest, to shorten the Kerberos referral path), and realm trusts (to a non-Windows Kerberos realm such as MIT Kerberos). Every trust also has a direction: a one-way trust lets users of the trusted domain access resources in the trusting domain, but not the reverse. Because a trust extends who can authenticate to your domain, keep SID filtering enabled and consider selective authentication on trusts to organisations you do not control. To read more about AD Trusts, open Advanced Active Directory Infrastructure for Windows Server 2012 R2 Services.
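As an added example (not code from the original tutorial), the script below reads the trustedDomain objects of the current domain and classifies each trust from its trustAttributes bits, flagging the settings a reviewer cares about: SID filtering, selective authentication, TGT delegation across the trust and RC4-only trusts. It assumes the ActiveDirectory module and read access to the domain; the bit values are the ones documented in MS-ADTS for the trustAttributes attribute.

```powershell
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS, trustAttributes attribute)
$TrustAttr = @{
    NonTransitive       = 0x1
    UplevelOnly         = 0x2
    QuarantinedDomain   = 0x4     # SID filtering on an external trust
    ForestTransitive    = 0x8
    CrossOrganization   = 0x10    # selective authentication
    WithinForest        = 0x20    # automatic parent-child / tree-root trust
    TreatAsExternal     = 0x40    # forest trust with SID filtering relaxed (partner SID history honoured)
    UsesRC4Encryption   = 0x80
    EnableTgtDelegation = 0x800   # unconstrained delegation allowed across the trust
}

function Test-TrustFlag { param([int]$Attributes, [int]$Flag) ($Attributes -band $Flag) -ne 0 }

function Get-TrustReport {
    # One row per trust, with the warnings a security review would raise.
    param([string]$Server)   # optional DC or domain name to query
    $p = @{
        LDAPFilter = '(objectClass=trustedDomain)'
        Properties = 'trustPartner', 'trustDirection', 'trustAttributes', 'trustType', 'securityIdentifier'
    }
    if ($Server) { $p.Server = $Server }

    foreach ($t in Get-ADObject @p) {
        $a = [int]$t.trustAttributes
        $kind = if (Test-TrustFlag $a $TrustAttr.WithinForest) { 'IntraForest (automatic)' }
                elseif (Test-TrustFlag $a $TrustAttr.ForestTransitive) { 'Forest' }
                elseif ([int]$t.trustType -eq 3) { 'Realm (MIT Kerberos)' }
                else { 'External' }
        # Outbound = this domain trusts the partner, so partner accounts can authenticate here.
        $dir = switch ([int]$t.trustDirection) { 1 { 'Inbound' } 2 { 'Outbound' } 3 { 'Bidirectional' } default { 'Disabled' } }
        $partnerAuthenticatesHere = $dir -in 'Outbound', 'Bidirectional'

        $warnings = @()
        if ($kind -eq 'Forest' -and (Test-TrustFlag $a $TrustAttr.TreatAsExternal)) {
            $warnings += 'SID filtering relaxed: SID history from the partner forest is honoured'
        }
        if ($kind -eq 'External' -and -not (Test-TrustFlag $a $TrustAttr.QuarantinedDomain)) {
            $warnings += 'SID filtering disabled on external trust'
        }
        if (Test-TrustFlag $a $TrustAttr.EnableTgtDelegation) {
            $warnings += 'unconstrained delegation allowed across the trust'
        }
        if ($kind -ne 'IntraForest (automatic)' -and $partnerAuthenticatesHere -and -not (Test-TrustFlag $a $TrustAttr.CrossOrganization)) {
            $warnings += 'no selective authentication: every partner account is Authenticated Users here'
        }
        if (Test-TrustFlag $a $TrustAttr.UsesRC4Encryption) {
            $warnings += 'RC4 only: enable AES on the trust'
        }

        [pscustomobject]@{
            Partner    = $t.trustPartner
            Kind       = $kind
            Direction  = $dir
            Transitive = -not (Test-TrustFlag $a $TrustAttr.NonTransitive)
            PartnerSid = $t.securityIdentifier
            Warnings   = $warnings -join '; '
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
```

Run it in every domain of the forest (pass -Server for the others), because each domain holds its own trustedDomain objects. The Warnings column is a starting point, not a verdict: an intentionally relaxed forest trust used for a migration is fine as long as someone owns the decision and removes it afterwards.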

AD Domain

The Domain is the next level below the Forest in the hierarchy. A domain is a collection of objects (users, computers, groups, and so on) that share one directory partition, one set of domain controllers and one account policy (password and lockout settings, for example). Domains are identified by DNS names, for example domain1.com and domain2.com.

Pro Tip
The DNS name of an AD domain does not have to end in .com; older deployments often end in .local. Microsoft now advises against .local and other made-up suffixes, because such names cannot be registered (so no public CA will issue certificates for them) and .local collides with multicast DNS on Apple and Linux clients. The usual recommendation is a subdomain of a public DNS name you own, such as corp.example.com.

Active Directory Sites

AD sites describe the physical layout of your network. A site is a set of well-connected IP subnets, usually one physical location; you define sites and map subnets to them in Active Directory Sites and Services. Replication within a site is configured differently from replication between sites.

For example, if you have two Domain Controllers in the same subnet (and therefore the same site), replication between them uses change notification: a DC tells its partners about a change within seconds and sends the update uncompressed, so intra-site replication is optimised for speed. Between sites, replication follows the schedule and interval of the site link (every 180 minutes by default), is compressed, and flows through bridgehead servers, so it is optimised for bandwidth. Sites also decide which DC a client uses at logon, so a subnet that is not mapped to any site may send its clients to a DC across a slow WAN link.

AD Replication

If you deploy Active Directory in a production environment, have at least two Domain Controllers (DCs) in each AD Domain. The reason is obvious: redundancy. With a single DC, a disk failure or a ransomware incident takes the whole domain with it.

Before I proceed, let me mention that AD operates what is called a multi-master model. Every writable Domain Controller in the domain holds a writable copy of the directory, and a change made on any of them is accepted there. As you will see later, there are some exceptions to this rule.

Because objects can be created or modified on any DC, the DCs must exchange their changes. The process by which a change made on one DC is propagated to the other DCs is known as replication. If the same attribute is changed on two DCs before they replicate, AD resolves the conflict by attribute version number and then by timestamp, so the later write wins.

Read more about AD replication by clicking the Active Directory Replication In Depth link on the Additional Resources and References section.
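As an added example covering both the sites section and the replication section above (this is not code from the original tutorial), the script below prints the site topology (sites, their subnets and DCs, and the site links) and then the inbound replication status of every DC, classifying each partner as intra- or inter-site and flagging stale or failing links. It assumes the ActiveDirectory module and that you run it as a domain user that can read the configuration partition; the three-hour staleness window is an arbitrary default.

```powershell
Import-Module ActiveDirectory

function Get-SiteTopology {
    # Sites with the subnets mapped to them and the DCs placed in them, then the site links.
    $subnets = @(Get-ADReplicationSubnet -Filter *)
    foreach ($site in Get-ADReplicationSite -Filter *) {
        [pscustomobject]@{
            Site    = $site.Name
            # the Site property of a subnet holds the site object's DN
            Subnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName } | ForEach-Object Name) -join ', '
            DCs     = @(Get-ADDomainController -Filter "Site -eq '$($site.Name)'" | ForEach-Object Name) -join ', '
        }
    }
    Get-ADReplicationSiteLink -Filter * |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' } }
}

function Get-ReplicationHealth {
    # Inbound replication status for every DC in the current domain: one row per partner and partition.
    param([int]$StaleHours = 3)   # flag links with no successful replication inside this window
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            # Partner is the DN of the partner's NTDS Settings object:
            # CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
            $parts       = $m.Partner -split ','
            $partner     = $parts[1] -replace '^CN='
            $partnerSite = $parts[3] -replace '^CN='
            [pscustomobject]@{
                DC          = $dc.Name
                Site        = $dc.Site
                Partner     = $partner
                Scope       = if ($partnerSite -eq $dc.Site) { 'intra-site' } else { 'inter-site' }
                Partition   = $m.Partition
                LastSuccess = $m.LastReplicationSuccess
                Failures    = $m.ConsecutiveReplicationFailures
                Stale       = ($m.LastReplicationSuccess -lt $cutoff) -or ($m.ConsecutiveReplicationFailures -gt 0)
            }
        }
    }
}

Get-SiteTopology | Format-Table -AutoSize
Get-ReplicationHealth | Sort-Object Stale -Descending | Format-Table -AutoSize

# Replication errors with their Win32 codes (8606 = lingering objects, 1722 = RPC server unavailable, 1256 = remote system unavailable)
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, LastError, FirstFailureTime
```

This is the PowerShell counterpart of repadmin /replsummary and repadmin /showrepl. An inter-site link that shows as stale for less than one replication interval is normal; an intra-site link that is stale for more than a few minutes is not.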

Active Directory Operations Masters

In the previous section, I mentioned that though Active Directory operates a multi-master model, there are exceptions to this rule.

Certain tasks within an AD domain or forest have to be completed using a single-master model: one Domain Controller is designated to handle the task, and only that DC may perform it.

The primary reason for the single-master model is to avoid conflicts. If more than one DC performed these tasks at the same time, the result could be duplicated or inconsistent data that replication cannot reconcile. You will understand this better when you read through the five Operations Master roles below.

Below are the five Active Directory Flexible Single Master Operations (FSMO) roles. Two of them (Schema Master and Domain Naming Master) exist once per forest; the other three exist once in every domain.

Schema Master

Earlier in this tutorial I discussed the AD Schema, which defines object classes and their attributes, and noted that you may sometimes extend the schema with additional classes and attributes.

The only DC that accepts writes to the schema is the Schema Master. When the Schema Master updates the schema, it replicates the update to every other DC in the forest. There is exactly one Schema Master per forest; by default it is the first DC installed in the forest root domain.

Domain Naming Master

The DC holding the Domain Naming Master FSMO role is the only DC that can add domains to, or remove domains from, the forest. There is one Domain Naming Master per forest.

The Domain Naming Master is also responsible for adding or removing the cross-reference objects that point to domains in external directories.

RID Master

Whenever a Domain Controller creates a security principal (for example a user, computer or group), it assigns the object a unique Security Identifier (SID). A SID is made up of the Domain SID and a Relative ID (RID): the Domain SID is the same for every object created in the domain, while the RID is unique to each security principal. For example, in S-1-5-21-3623811015-3361044348-30300820-1104 the Domain SID is S-1-5-21-3623811015-3361044348-30300820 and the RID is 1104. RIDs below 1000 are reserved for well-known principals (Administrator is always RID 500 and krbtgt RID 502), which is why renaming the Administrator account does not hide it.

Every DC is given a pool of RIDs (500 at a time by default) from which it allocates SIDs to the principals it creates. The DC responsible for handing out RID pools to the other DCs is the RID Master; there is one per domain. If the RID Master is unavailable, a DC that exhausts its pool can no longer create users, computers or groups.
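As an added example (not code from the original tutorial), the script below splits a SID into its domain part and RID, and then reads the RID pool state: the domain-wide pool on the RID Manager$ object and each DC's own allocation. It assumes the ActiveDirectory module and read access to the domain; the SID passed to Split-Sid first is a constructed example value, and the low/high 32-bit layout of the pool attributes is the documented encoding of rIDAvailablePool and rIDAllocationPool.

```powershell
Import-Module ActiveDirectory

function Split-Sid {
    # Breaks a SID into its domain part and RID; accepts a SID string or a SecurityIdentifier object.
    param([Parameter(Mandatory)]$Sid)
    $s   = [System.Security.Principal.SecurityIdentifier]$Sid
    $rid = [int]($s.Value -split '-')[-1]
    [pscustomobject]@{
        Sid       = $s.Value
        # AccountDomainSid is $null for non-domain SIDs such as S-1-5-18 (LOCAL SYSTEM)
        DomainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
        Rid       = $rid
        WellKnown = $rid -lt 1000   # 500 Administrator, 502 krbtgt, 512 Domain Admins, 519 Enterprise Admins
    }
}

function ConvertFrom-RidPool {
    # rIDAvailablePool / rIDAllocationPool are 64-bit values: low 32 bits = start, high 32 bits = end.
    param([Parameter(Mandatory)][uint64]$Pool)
    [pscustomobject]@{
        Start = [uint32]($Pool % 4294967296)
        End   = [uint32][math]::Floor($Pool / 4294967296)
    }
}

function Get-RidStatus {
    $domain = Get-ADDomain
    $mgr    = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
    $global = ConvertFrom-RidPool ([uint64]$mgr.rIDAvailablePool)
    [pscustomobject]@{
        Scope    = 'Domain (RID Master ' + $domain.RIDMaster + ')'
        NextRid  = $global.Start          # next RID the RID Master will hand out
        MaxRid   = $global.End            # 1,073,741,823 by default (2^30 - 1)
        PctUsed  = [math]::Round(100 * $global.Start / $global.End, 4)
    }

    foreach ($dc in Get-ADDomainController -Filter *) {
        $ridSetDn = (Get-ADComputer -Identity $dc.Name -Properties rIDSetReferences).rIDSetReferences
        if (-not $ridSetDn) { continue }   # RODCs have no RID set: they never create principals
        $set     = Get-ADObject -Identity $ridSetDn -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $current = ConvertFrom-RidPool ([uint64]$set.rIDPreviousAllocationPool)   # the pool in use
        $standby = ConvertFrom-RidPool ([uint64]$set.rIDAllocationPool)           # the pool requested ahead
        [pscustomobject]@{
            Scope    = $dc.Name
            NextRid  = $set.rIDNextRID
            MaxRid   = $current.End
            PctUsed  = if ($current.End -gt $current.Start) { [math]::Round(100 * ($set.rIDNextRID - $current.Start) / ($current.End - $current.Start + 1), 1) } else { $null }
        }
    }
}

Split-Sid -Sid 'S-1-5-21-3623811015-3361044348-30300820-1104'   # constructed example: RID 1104 in that domain
Split-Sid -Sid (Get-ADUser -Identity 'Administrator').SID         # RID 500, whatever the account has been renamed to
Get-RidStatus | Format-Table -AutoSize
```

Two things are worth watching here. A DC whose pool is almost exhausted while the RID Master is unreachable will soon fail to create accounts, and an unexpectedly high domain NextRid (for example after a script that created and deleted principals in a loop) is a sign that RIDs are being burned, because a RID is never reused once issued.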

The PDC Emulator Master

Every DC authenticates users; what the PDC Emulator adds is a set of domain-wide duties that need one authoritative DC. Password changes are sent to the PDC Emulator first by urgent replication, and when a logon fails on another DC because of a bad password, that DC retries the password against the PDC Emulator before rejecting the logon, so a password that was just changed works everywhere immediately.

The PDC Emulator is also the authoritative time source for the domain (the PDC Emulator of the forest root domain should synchronise with an external time source, because Kerberos tolerates only five minutes of clock skew by default), it tracks account lockouts (failed-password counts are forwarded to it by the other DCs), it is the DC on which Group Policy edits are made by default, and it acts as the domain master browser. Because of these duties, it is the FSMO holder whose outage users notice first.

Infrastructure Master (IM)

In a multi-domain AD forest, the DC holding the Infrastructure Master FSMO role (one per domain) is responsible for keeping cross-domain object references up to date.

As an example, a group in Domain 1 may contain a user from Domain 2. The DCs of Domain 1 store only a reference to that user (a phantom record holding the user's GUID, SID and distinguished name). When the user is renamed or moved in Domain 2, the Infrastructure Master of Domain 1 updates the reference so that the group membership still resolves correctly.

To sum up: before discussing the five FSMO roles I said that AD operates a multi-master model, that is, every writable DC holds a writable copy of the AD database.

I also said that, despite the multi-master model, some tasks in a domain or forest can only be performed safely by a single master. Those tasks are the five FSMO roles.

Now that you know the five single-master roles, I hope it is easy to see why, for example, RID pools can be handed out by only one DC. If two DCs allocated RID pools independently, the pools could overlap and two different security principals could end up with the same SID, which would make every access control decision involving them ambiguous.

The same argument applies to the other four FSMO roles discussed above.

Global Catalog Servers (GC)

To understand the role of the Global Catalog server, recall what I said earlier about Active Directory Forests: an AD Forest contains a number of AD Domains interconnected by trust relationships.

With that in mind, every DC stores a full, writable copy of every object in its own domain, but nothing about the objects of the other domains. Within a forest, however, there is often a need to refer to objects across domains: searching for a user who lives in another domain, resolving the members of a universal group, or logging on with a user principal name. For this to work, some DCs are also designated Global Catalog (GC) servers. A GC holds a full copy of its own domain plus a read-only, partial copy of every object in every other domain of the forest; only the attributes in the partial attribute set (the ones most often searched, such as name, SID and group memberships) are replicated. A GC answers forest-wide queries on port 3268 (3269 for LDAP over TLS) instead of the normal LDAP port 389.

If you relate this to the Infrastructure Master FSMO role discussed earlier, it becomes easy to see why an Infrastructure Master must constantly communicate with a GC server: it compares its cross-domain references against the GC to learn whether the referenced objects have been renamed or moved.

A GC, however, already holds a copy of every object in the forest, so a DC that is both a GC and the Infrastructure Master never sees a reference that is out of date, and it will never update the phantom records held by the other DCs in its domain. Therefore, it is NOT recommended to place the Infrastructure Master role on a GC server, except when:

  • There is only one domain in the forest, so there are no cross-domain references to maintain and the same DC can hold all roles.
  • Every DC in the domain is a global catalog server, so there are no phantom records to update.
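As an added example (not code from the original tutorial), the script below lists the holders of all five FSMO roles across the forest and then checks the Infrastructure Master placement rule from the text for each domain. It assumes the ActiveDirectory module and read access to every domain in the forest. It also treats an enabled AD Recycle Bin as a third exception, because once the Recycle Bin is enabled every DC maintains its own phantom records and the Infrastructure Master role is no longer needed for that job. The DC name in the Move-ADDirectoryServerOperationMasterRole call is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = $d; Role = $role; Holder = $dom.$role }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # The IM must not be a GC unless every DC is a GC, the forest has one domain,
    # or the AD Recycle Bin is enabled (then every DC keeps its own phantoms current).
    param([Parameter(Mandatory)][string]$Domain)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $im     = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $recycleBin = [bool](Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $Domain).EnabledScopes
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $single = @($forest.Domains).Count -eq 1
    [pscustomobject]@{
        Domain               = $Domain
        InfrastructureMaster = $dom.InfrastructureMaster
        ImIsGc               = [bool]$im.IsGlobalCatalog
        AllDcsAreGc          = $allGc
        SingleDomainForest   = $single
        RecycleBinEnabled    = $recycleBin
        PlacementOk          = (-not $im.IsGlobalCatalog) -or $allGc -or $single -or $recycleBin
    }
}

Get-FsmoHolders | Format-Table -AutoSize
(Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } | Format-Table -AutoSize

# Moving a role: a graceful transfer while both DCs are online (remove -WhatIf to do it)...
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole InfrastructureMaster -WhatIf
# ...or a seizure with -Force when the current holder is gone for good. A DC whose roles were seized
# must never be brought back online; clean its metadata and rebuild it instead.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force
```

The same information is available interactively with netdom query fsmo and the Operations Masters dialogs of AD Users and Computers, Domains and Trusts, and the Schema snap-in, but the script is what you want in a health check that runs every morning.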

Universal Groups Membership Caching

By default, universal group membership information is stored only on Global Catalog servers (a universal group's member list, unlike that of a global or domain local group, is part of the partial attribute set). For this reason, in a multi-domain forest a DC must contact a GC during logon to build the user's complete access token. If no GC can be reached, a normal user's logon is rejected unless the client has cached credentials from a previous logon.

For small AD sites without a GC server, the other DCs can be allowed to cache universal group memberships locally. This is achieved by enabling Universal Group Membership Caching (UGMC) on the AD site. The DCs in that site then refresh the cached memberships from a GC in another site (every eight hours by default).

Pro Tip
UGMC is enabled per site. When it is enabled on an AD site, all DCs in the site participate. It is an alternative to making a site's DC a GC, not a substitute for having a GC somewhere in the forest.
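As an added example (not code from the original tutorial), the script below reports, per site, how many DCs and GCs it has and whether UGMC is on, and then enables UGMC on every site that has DCs but no GC. It assumes the ActiveDirectory module and rights to modify site objects; the refresh site name 'HQ' is a placeholder for a site that does have a GC, and -WhatIf keeps the run read-only until you remove it.

```powershell
Import-Module ActiveDirectory

function Get-SiteGcCoverage {
    # Which sites have DCs but no Global Catalog, and whether UGMC is already enabled there.
    $dcs = @((Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ })
    $sites = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite
    foreach ($site in $sites) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site.Name })
        [pscustomobject]@{
            Site        = $site.Name
            DCs         = $inSite.Count
            GCs         = @($inSite | Where-Object { $_.IsGlobalCatalog }).Count
            Ugmc        = [bool]$site.UniversalGroupCachingEnabled
            # the refresh site may be returned as a DN or a name; keep only the name either way
            RefreshSite = if ($site.UniversalGroupCachingRefreshSite) { ($site.UniversalGroupCachingRefreshSite -split ',')[0] -replace '^CN=' } else { '(nearest GC site)' }
        }
    }
}

function Enable-UgmcWhereNeeded {
    # Enable UGMC on sites that have DCs but no GC. $RefreshSite must be a site that has a GC.
    param([Parameter(Mandatory)][string]$RefreshSite, [switch]$WhatIf)
    Get-SiteGcCoverage |
        Where-Object { $_.DCs -gt 0 -and $_.GCs -eq 0 -and -not $_.Ugmc } |
        ForEach-Object {
            Set-ADReplicationSite -Identity $_.Site -UniversalGroupCachingEnabled $true -UniversalGroupCachingRefreshSite $RefreshSite -WhatIf:$WhatIf
        }
}

Get-SiteGcCoverage | Format-Table -AutoSize
Enable-UgmcWhereNeeded -RefreshSite 'HQ' -WhatIf   # drop -WhatIf to apply
```

In a single-domain forest the GCs column is informational only; UGMC solves a multi-domain problem, so in one domain the simpler fix is to make the branch DC a GC.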

Read-Only Domain Controllers (RoDCs)

Earlier in this tutorial I said that all DCs in an AD Domain are writable. There are, however, situations where you may want to install a Read-Only Domain Controller (RODC) instead.

A typical situation is a branch office with limited physical security for the servers there. Under those circumstances you can install a DC that holds a read-only copy of the directory: clients can authenticate against it and read from it, but no change originates on it, and any write is referred to a writable DC. Just as important, an RODC stores no account passwords by default. A Password Replication Policy on the RODC's computer object decides whose secrets may be cached on it, and Domain Admins and the other privileged groups are denied by default. If an RODC is stolen, only the cached accounts are exposed, and when you delete its computer object in Active Directory Users and Computers you are offered to reset those accounts' passwords in one step.

Pro Tip
RODCs are available from Windows Server 2008 onwards. They require a forest functional level of at least Windows Server 2003 and at least one writable Windows Server 2008 or later DC in the domain for the RODC to replicate from.
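As an added example (not code from the original tutorial), the script below lists every RODC in the domain with its allowed and denied Password Replication Policy, the accounts whose secrets are actually cached on it, and which of those are members of privileged groups, which is exactly what you would lose if the box walked out of the branch office. It assumes the ActiveDirectory module and read access to the domain; the list of privileged groups is an assumption you should adjust to your environment, and the RODC name in the commented reset is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-RodcExposure {
    # For each RODC: its Password Replication Policy and the accounts whose secrets are cached,
    # cross-checked against the privileged groups passed in.
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'))

    # DN -> group name for every (nested) member of a privileged group
    $privileged = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.distinguishedName] = $g }
    }

    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.HostName -Allowed)
        $denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.HostName -Denied)
        # RevealedAccounts = secrets really present on the RODC, not just permitted by policy
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.HostName -RevealedAccounts)
        [pscustomobject]@{
            Rodc             = $rodc.HostName
            Site             = $rodc.Site
            AllowedPolicy    = @($allowed | ForEach-Object Name) -join ', '
            DeniedPolicy     = @($denied  | ForEach-Object Name) -join ', '
            CachedSecrets    = $revealed.Count
            PrivilegedCached = @($revealed | Where-Object { $privileged.ContainsKey($_.DistinguishedName) } | ForEach-Object Name) -join ', '
        }
    }
}

Get-RodcExposure | Format-List

# If a branch RODC is lost, the scripted equivalent of the "reset cached passwords" option in
# AD Users and Computers is to reset every revealed user account, for example:
# Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'BRANCH-RODC1' -RevealedAccounts |
#     Where-Object { $_.ObjectClass -eq 'user' } |
#     ForEach-Object { Set-ADAccountPassword -Identity $_ -Reset -NewPassword (Read-Host -AsSecureString "New password for $($_.Name)") }
```

PrivilegedCached should always be empty. If it is not, either someone added a privileged account to the allowed list, or a privileged account lives outside the groups the default denied policy covers; both are findings.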

Physical and Logical Structure of Active Directory

So far I have covered a number of important Active Directory concepts. In this section I will be discussing two other important concepts in AD – physical and logical structures of Active Directory.

Physical Structure of AD

The "physical structure" covers the things you can touch. For AD, the physical structure consists of the Domain Controllers and the Sites (the network locations, identified by their IP subnets, in which the DCs are placed).

The tool you use to manage the physical structure of Active Directory is Active Directory Sites and Services. Later in this tutorial I will discuss the tasks you can perform with AD Sites and Services.

Logical Structure of Active Directory

Compared to the physical structure of AD, the logical structure is “virtual”. The components that make up the logical structure of AD are: forests, trees, domains, OUs and global catalogs. To get detailed definitions of forests, trees, domains, OUs and global catalog, click Questions About Active Directory Infrastructure.

Active Directory Administration

So far we have covered some important concepts of AD. This section is about administering Active Directory. I will be discussing the following AD tools:

  • Active Directory Users and Computers
  • AD Sites and Services
  • Active Directory Domains and Trusts
  • AD PowerShell Module
  • Group Policy Management Console (GPMC)

Active Directory Users and Computers


This is one of the most used AD tools. With AD Users and Computers, you can:

  • Create Organizational Units
  • Create containers (users, groups, computers, contacts)
  • Delegate control over an OU to a user or group (the Delegation of Control Wizard)
  • Create, disable, unlock and reset users
  • Transfer the RID Master, PDC Emulator and Infrastructure Master FSMO roles
  • Run saved queries (for example, all disabled or locked-out accounts)
  • Raise the domain functional level

AD Sites and Services


As you get more comfortable with Active Directory administration, you will start working with Sites and Services.

You can perform the following tasks with AD Sites and Services tool:

  • Enable Universal Group Membership Caching (UGMC) on a site
  • Configure inter-site transports (IP or SMTP) and site links
  • Create new sites and connection objects between DCs
  • Delegate control over existing sites
  • Create subnets and map them to sites

Active Directory Domains and Trusts

This tool is used to perform some of the most advanced admin functions in AD. Below are some of the tasks you can complete with Active Directory Domains and Trusts:

  • Raise Forest Functional level
  • Transfer Domain Naming Master FSMO Role
  • Create Forest Trust
Important
Note that you can raise the Domain functional level using AD Users and Computers while you use AD Domains and Trusts to raise Forest functional level.

AD Module for Windows PowerShell

The Active Directory module for Windows PowerShell is required to manage AD with PowerShell. It is installed automatically on a DC and comes with the RSAT tools on a management workstation. You can perform a large number of tasks with it; a few are listed below:

  • Create new users – New-ADUser
  • Modify existing users – Set-ADUser
  • Get information about existing users – Get-ADUser
  • Delete existing users – Remove-ADUser

To list all the AD cmdlets, run Get-Command -Module ActiveDirectory. For more on PowerShell, read the following tutorials:

18 Powershell Commands Every Windows Admin Should Kn
Get-Command in PowerShell: Applications and Use
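As an added example (not code from the original tutorial), the script below runs the four cmdlets listed above through a user's life cycle: create with AES-only Kerberos and a forced password change, update, query, find stale enabled accounts, then disable and delete. It assumes the ActiveDirectory module and rights on the target OU; the OU, domain name and account details are placeholders, and -WhatIf is left on the destructive steps.

```powershell
Import-Module ActiveDirectory
(Get-Command -Module ActiveDirectory).Count   # number of cmdlets the module exposes

# Placeholders for this example
$ou  = 'OU=Staff,DC=corp,DC=example,DC=com'
$upn = 'jdoe@corp.example.com'

function New-StaffUser {
    # Creates an enabled user that must change the initial password at first logon
    # and never negotiates RC4 Kerberos keys.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$Path
    )
    $initial = Read-Host -AsSecureString -Prompt "Initial password for $SamAccountName"
    New-ADUser -Name "$GivenName $Surname" -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName `
        -GivenName $GivenName -Surname $Surname -Path $Path `
        -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true `
        -KerberosEncryptionType AES128, AES256 -PassThru
}

function Get-StaleEnabledUsers {
    # Enabled accounts with no logon in $Days. LastLogonDate is derived from lastLogonTimestamp,
    # which replicates only every 9 to 14 days, so the result is "at least this stale".
    param([int]$Days = 90, [string]$SearchBase)
    $cutoff = (Get-Date).AddDays(-$Days)
    $p = @{
        Filter     = "Enabled -eq 'True' -and LastLogonDate -lt '$cutoff'"
        Properties = 'LastLogonDate', 'PasswordNeverExpires'
    }
    if ($SearchBase) { $p.SearchBase = $SearchBase }
    Get-ADUser @p | Select-Object SamAccountName, LastLogonDate, PasswordNeverExpires | Sort-Object LastLogonDate
}

# Create
$user = New-StaffUser -SamAccountName 'jdoe' -GivenName 'Jane' -Surname 'Doe' -UserPrincipalName $upn -Path $ou

# Modify
Set-ADUser -Identity $user -Department 'Security' -Description 'Created by onboarding script'

# Query
Get-ADUser -Identity 'jdoe' -Properties Department, PasswordLastSet, MemberOf, KerberosEncryptionType |
    Select-Object Name, Enabled, Department, PasswordLastSet, KerberosEncryptionType, @{ n = 'Groups'; e = { @($_.MemberOf).Count } }

Get-StaleEnabledUsers -Days 90 -SearchBase $ou

# Deprovision: disable first, delete after the retention period. Remove -WhatIf to act.
Disable-ADAccount -Identity 'jdoe' -WhatIf
Remove-ADUser -Identity 'jdoe' -Confirm:$false -WhatIf
```

Every AD cmdlet that changes something supports -WhatIf and -Confirm, so a script can be rehearsed against production before it is trusted; make that a habit for anything that runs under an account with write access to the directory.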

Group Policy Management Console (GPMC)

GPMC is used to manage Group Policy across sites, domains and organizational units within one or more forests. Older versions of AD Users and Computers exposed a Group Policy tab, but GPMC is the tool to use: it shows where each GPO is linked, who can edit it, and what it will do.

With GPMC, you can perform the following tasks:

  • Create new Group Policy Objects (GPOs) and link them to sites, domains or OUs
  • Modify existing GPOs (GPMC opens the Group Policy Management Editor for you)
  • Manage all GPOs of a domain under one container, Group Policy Objects
  • Create WMI filters and apply them to GPOs
  • Run Group Policy Modeling (what would apply) and Group Policy Results (what did apply) reports
  • Back up, restore and delegate GPOs
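As an added example (not code from the original tutorial), the script below does with the GroupPolicy PowerShell module what the GPMC tasks above do by hand: it creates a GPO that sets one security-relevant registry policy, links it to an OU without creating duplicate links, exports its report, and then audits all GPOs for ones that are linked nowhere and for who can edit them. It assumes the GroupPolicy module (installed with GPMC) and rights to create and link GPOs; the OU and GPO names are placeholders, and the registry value is the "Do not store LAN Manager hash value on next password change" security option.

```powershell
Import-Module GroupPolicy

# Placeholders for this example
$targetOu = 'OU=Workstations,DC=corp,DC=example,DC=com'
$gpoName  = 'Baseline - No LM hash storage'

function New-BaselineGpo {
    # Creates (or reuses) the GPO, sets the NoLMHash policy and links it to the target once.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$LinkTarget)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Created by baseline script' }
    Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null
    $alreadyLinked = (Get-GPInheritance -Target $LinkTarget).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $alreadyLinked) { New-GPLink -Guid $gpo.Id -Target $LinkTarget -LinkEnabled Yes -Enforced No | Out-Null }
    $gpo
}

function Get-GpoAudit {
    # Unlinked GPOs (forgotten or never-reviewed policy) and the trustees that can edit each GPO.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links   = @($report.GPO.LinksTo | Where-Object { $_ })
        $editors = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            Name     = $gpo.DisplayName
            Links    = $links.Count
            Editors  = @($editors | Sort-Object -Unique) -join ', '
            Modified = $gpo.ModificationTime
        }
    }
}

$gpo = New-BaselineGpo -Name $gpoName -LinkTarget $targetOu
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$($gpo.DisplayName).html"
Get-GpoAudit | Sort-Object Links, Modified | Format-Table -AutoSize

# Group Policy Results (what actually applied) for one computer and user; Modeling has no cmdlet, use the GPMC wizard.
# Get-GPResultantSetOfPolicy -Computer 'WKS01' -User 'corp\jdoe' -ReportType Html -Path "$env:TEMP\rsop.html"
```

The Editors column deserves a regular look: anyone who can edit a GPO linked to the Domain Controllers OU or to an OU of privileged workstations can run code on those machines, so GPO edit rights are effectively administrative rights over everything the GPO touches.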

Other Helpful Tutorials

  1. Active Directory Domain Services: Installation & Configuration
  2. 35 Active Directory Interview Questions and Answers (Grouped By Category)
  3. Outlook 365: Subscription, Installation and Set Up
  4. How to Install Windows 10: Step-By-Step with Images

Additional Resources and References

  1. Step-By-Step: Setting up Active Directory in Windows Server 2016
  2. How to Extend the Schema
  3. What is an Active Directory Forest?
  4. Advanced Active Directory Infrastructure for Windows Server 2012 R2 Services
  5. Active Directory Replication In Depth
  6. Active Directory FSMO roles in Windows
  7. Windows Server: Should the Infrastructure Master FSMO Role be Placed on a Global Catalog Server?
  8. Windows Server: The Functions of the Global Catalog in Active Directory
