Active Directory: forests and domains. Active Directory in simple words. What is an Active Directory forest


In our previous materials, we discussed general issues related to directory services and Active Directory. Now it's time to move on to practice. But don’t rush to the server; before deploying a domain structure in your network, you need to plan it and have a clear understanding of the purpose of individual servers and the processes of interaction between them.

Before creating your first domain controller, you need to decide on its operating mode. The operating mode determines the available capabilities and depends on the version of the operating system used. We will not consider all possible modes, only those that are relevant at the moment. There are three such modes: Windows Server 2003, 2008 and 2008 R2.

Windows Server 2003 mode should be selected only when servers running this OS are already deployed in your infrastructure and you plan to use one or more of them as domain controllers. In other cases, select Windows Server 2008 or 2008 R2 mode, depending on the purchased licenses. Remember that the operating mode of a domain can always be raised, but it cannot be lowered (other than by restoring from a backup), so approach this question carefully, taking into account possible expansion, licenses in branch offices, and so on.

We will not consider the process of creating a domain controller in detail now; we will return to it later. For now we want to draw your attention to the fact that a full-fledged Active Directory structure should have at least two domain controllers. Otherwise you expose yourself to unnecessary risk: if your only domain controller fails, your AD structure is completely destroyed. It is good if you have an up-to-date backup and can recover from it, but in any case your network will be completely paralyzed for all that time.

Therefore, immediately after creating the first domain controller, you need to deploy a second one, regardless of the network size and budget. The second controller should be provided at the planning stage, and without it, AD deployment should not even be undertaken. Also, you should not combine the role of a domain controller with any other server roles; in order to ensure the reliability of operations with the AD database on the disk, write caching is disabled, which leads to a sharp drop in the performance of the disk subsystem (this also explains the long loading time of domain controllers).

As a result, our network should take the following form:

Contrary to popular belief, all controllers in a domain are equal, i.e. each controller contains complete information about all domain objects and can serve a client request. But this does not mean that the controllers are interchangeable; failure to understand this point often leads to AD failures and downtime of the enterprise network. Why is this happening? It's time to remember the FSMO roles.

When we create the first controller, it holds all the available roles and is also a global catalog; with the arrival of the second controller, the infrastructure master, RID master and PDC emulator roles are transferred to it. What happens if the administrator decides to temporarily shut down the DC1 server, for example to clean the dust out of it? At first glance nothing bad: the domain will switch to read-only mode, but it will work. But we forgot about the global catalog, and if your network has applications that require it, such as Exchange, you will find out before you even get the lid off the server. You will hear about it from dissatisfied users, and management is unlikely to be delighted.

The conclusion is: there must be at least two global catalogs in the forest, and preferably one in each domain. Since we have one domain in the forest, both servers must be global catalogs; this lets you take either server down for maintenance without problems, because the temporary absence of any FSMO role does not cause AD to fail, it only makes it impossible to create new objects.

As a domain administrator, you must clearly understand how the FSMO roles are distributed among your servers, and when decommissioning a server for a long time, transfer these roles to other servers. What happens if the server holding the FSMO roles fails irreversibly? Nothing terrible: as we already wrote, any domain controller contains all the necessary information, and if such a problem occurs, you will need to seize the necessary roles on one of the remaining controllers, which restores full operation of the directory service.
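The checks and role moves described above, as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory module (RSAT) and Domain Admins or Enterprise Admins rights; the server name DC2 is a placeholder.

```powershell
# Added example, not code from the original article: inventory the FSMO role holders
# and global catalogs of the current forest, warn when the forest has fewer than two
# GCs, and show the transfer/seize commands the text refers to.
# Assumes the ActiveDirectory module (RSAT) and Domain Admins / Enterprise Admins
# rights; 'DC2' is a placeholder server name.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest          # forest-wide roles live here
    $domain = Get-ADDomain          # domain-wide roles live here
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        GlobalCatalogs       = @($forest.GlobalCatalogs)
    }
}

$inv = Get-FsmoInventory
$inv | Format-List

# The article's point: a single GC is a single point of failure for GC-dependent
# applications, so every DC in a single-domain forest should be a GC.
if ($inv.GlobalCatalogs.Count -lt 2) {
    Write-Warning ("Only {0} global catalog(s) in the forest; enable the GC on a second DC." -f $inv.GlobalCatalogs.Count)
}

# Promote DC2 to global catalog: bit 1 of the 'options' attribute on its NTDS Settings
# object (this overwrites other option bits, which are normally 0 on a plain DC).
# Set-ADObject -Identity (Get-ADDomainController -Identity 'DC2').NTDSSettingsObjectDN -Replace @{options = 1}

# Planned maintenance of the current holder: *transfer* the domain-wide roles to DC2.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Irreversible failure of the holder: *seize* the same roles with -Force, and never
# put the dead server back on the network without rebuilding it.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force

# Classic equivalent for a quick check from any DC:  netdom query fsmo
```

Transfer and seize are the same cmdlet; the difference is `-Force`, which writes the role to the new holder without contacting the old one, so it is only appropriate once the old holder is permanently gone.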

Time passes, your organization grows, a branch opens on the other side of the city, and the need arises to include its network in the enterprise infrastructure. At first glance nothing complicated: you set up a communication channel between the offices and place an additional controller in the branch. All would be well, but there is one catch. You do not control that server, so unauthorized access to it cannot be ruled out, and the qualifications of the local admin are in doubt. What to do in such a situation? For exactly this purpose there is a special type of controller: the read-only domain controller (RODC), available in domain operating modes from Windows Server 2008 and higher.

The read-only domain controller contains a full copy of all domain objects and can be a global catalog, but it does not allow any changes to be made to the AD structure; it also lets you assign any user as a local administrator, which allows that person to fully service the server, but again without access to AD services. In our case this is just what the doctor ordered.

We set up the RODC in the branch, everything works, you are calm, but users begin to complain about long logins and the traffic bills at the end of the month show an overage. What is happening? It is time to remember once more the equivalence of controllers in a domain: a client can send its request to any domain controller, even one located in another branch. Add the slow and most likely congested communication channel, and you have the reason for the login delays.

The next factor that poisons our lives in this situation is replication. As you know, all changes made on one domain controller are automatically propagated to others and this process is called replication; it allows you to have an up-to-date and consistent copy of the data on each controller. The replication service does not know about our branch and the slow communication channel, and therefore all changes in the office will be immediately replicated to the branch, loading the channel and increasing traffic consumption.

This brings us to the concept of AD sites, which should not be confused with Internet sites. Active Directory sites are a way of physically dividing the directory service structure into areas separated from other areas by slow and/or unstable communication links. Sites are created on the basis of subnets, and all client requests are sent primarily to the controllers of the client's own site; it is also highly desirable to have a global catalog in each site. In our case we need to create two sites, AD Site 1 for the central office and AD Site 2 for the branch, or rather one, since by default the AD structure already contains a site that includes all previously created objects. Now let's look at how replication occurs in a network with multiple sites.

Let's assume that our organization has grown a little and the main office contains as many as four domain controllers; replication between controllers of one site is called intrasite and it happens instantly. The replication topology is built as a ring, with the condition that there are no more than three replication hops between any two domain controllers. The ring scheme is kept up to 7 controllers inclusive, each controller establishing a connection with its two nearest neighbors; when there are more controllers, additional connections appear and the single ring turns into a group of rings superimposed on each other.

Intersite replication occurs differently: in each domain one of the servers (the bridgehead server) is selected automatically and establishes a connection with the corresponding server in the other site. By default replication occurs once every 3 hours (180 minutes), but we can set our own replication schedule, and to save traffic all data is transmitted in compressed form. If a site contains only an RODC, replication is one-way.
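The site layout just described (central office plus a branch with an RODC), as an added PowerShell example that is not part of the original article. It uses the ActiveDirectory module cmdlets of Windows Server 2012 and later; the site names, subnets, link cost, interval and the server name RODC1 are placeholders.

```powershell
# Added example, not code from the original article: the site layout described above
# (central office and a branch with an RODC) built with the ActiveDirectory module
# cmdlets of Windows Server 2012 and later. Site names, subnets, the cost and the
# interval are placeholders; 'RODC1' is a placeholder server name.
Import-Module ActiveDirectory

# The forest starts with one site holding everything; rename it for the central office.
$defaultSite = Get-ADReplicationSite -Identity 'Default-First-Site-Name'
Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName 'AD-Site-1'

New-ADReplicationSite -Name 'AD-Site-2' -Description 'Branch office'

# Subnets are what map a client to a site: a client in 192.168.20.0/24 looks for
# DCs of AD-Site-2 first instead of crossing the WAN to the office.
New-ADReplicationSubnet -Name '192.168.10.0/24' -Site 'AD-Site-1'
New-ADReplicationSubnet -Name '192.168.20.0/24' -Site 'AD-Site-2'

# Put the branch RODC into its site (a DC promoted before the subnet existed
# lands in the default site).
Move-ADDirectoryServer -Identity 'RODC1' -Site 'AD-Site-2'

# Intersite replication is governed by site links: cost chooses the route, the
# interval replaces the 180-minute default (data is compressed over the link).
New-ADReplicationSiteLink -Name 'Office-Branch' -SitesIncluded 'AD-Site-1', 'AD-Site-2' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 60

# The default link now duplicates the new one; remove it so the topology is explicit.
# Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK'

# Verify: every DC in the right site, a GC in each site, the RODC flagged read-only.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, IsReadOnly
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

The last two commands are the check worth keeping in a maintenance runbook: a DC sitting in the wrong site, or a site without a GC, reproduces exactly the slow-login symptom the text describes.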

Of course, the topics we touched on are very deep and in this material we only touched on them lightly, however, this is the necessary minimum knowledge that you need to have before the practical implementation of Active Directory in the enterprise infrastructure. This will allow you to avoid stupid mistakes during deployment and emergency situations during maintenance and expansion of the structure, and each of the topics raised will be discussed in more detail.

Active Directory (AD) is a set of tools designed for Microsoft Windows Server. It was originally created as a lightweight method of accessing user directories. Starting with Windows Server 2008, integration with authorization services was introduced.

It makes it possible to apply Group Policy, which pushes the same settings and software to all managed PCs, using System Center Configuration Manager.

In simple words for beginners, this is a server role that lets you manage all access and permissions on your local network from one place.

Functions and purposes

Microsoft Active Directory (the so-called directory) is a package of tools that lets you manage users and network data. Its primary purpose is to make the work of system administrators in large networks easier.

Directories contain various information about users, groups, network devices, file resources, in a word, objects. For example, the user attributes stored in the directory include address, login, password, mobile phone number, etc. The directory serves as an authentication point where the necessary information about a user can be looked up.

Basic concepts encountered during work

There are a number of specialized concepts that are used when working with AD:

  1. A server is a computer that contains all the data.
  2. A controller is a server with the AD role that processes requests from people using the domain.
  3. An AD domain is a collection of devices united under one unique name, simultaneously using a common directory database.
  4. The data store is the part of the directory responsible for storing and retrieving data from any domain controller.

How active directories work

The main operating principles are:

  • Authorization, with which you can use your PC on the network simply by entering your personal password. At the same time, all account information is carried over.
  • Security. Active Directory contains user recognition functions. For any network object, you can remotely, from one device, set the necessary rights, which will depend on the categories and specific users.
  • Network administration from one point. When working with the Active Directory, the system administrator does not need to reconfigure all PCs if it is necessary to change access rights, for example, to a printer. Changes are carried out remotely and globally.
  • Full DNS integration. With its help, there is no confusion in AD; all devices are designated exactly the same as on the World Wide Web.
  • Large scale. A set of servers can be controlled by one Active Directory.
  • Search by various parameters, for example computer name or login.

Objects and Attributes

An object is a set of attributes, united under its own name, representing a network resource.

An attribute is a characteristic of an object in the directory. For example, these include the user's full name and login, while the attributes of a computer account can be the computer's name and its description.

“Employee” is an object that has the attributes “Name”, “Position” and “TabN”.

LDAP container and name

Container is a type of object that can consist of other objects. A domain, for example, may include account objects.

Their main purpose is organizing objects by type of attribute. Most often, containers are used to group objects that share the same attributes.

Almost all containers map to a collection of objects, and resources map to a unique Active Directory object. One of the main types of AD container is the organizational unit (OU). Objects placed in this container belong only to the domain in which they are created.

Lightweight Directory Access Protocol (LDAP) is the basic protocol used over TCP/IP connections. It is designed to simplify access to directory services. LDAP also defines the operations used to query and edit directory data.
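An added PowerShell example (not code from the original article) that walks a domain with LDAP queries to make the container/OU/attribute distinctions above concrete. It assumes the ActiveDirectory module; the OU name Branch and the user jdoe are placeholders.

```powershell
# Added example, not code from the original article: LDAP queries that show
# containers, OUs and object attributes in the local domain. Assumes the
# ActiveDirectory module; 'OU=Branch' and the user 'jdoe' are placeholders.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName      # e.g. DC=example,DC=local

# Top-level containers and OUs directly under the domain root. Both hold objects,
# but only OUs (objectClass organizationalUnit) can have Group Policy linked to
# them; built-in containers such as CN=Users and CN=Computers cannot.
Get-ADObject -SearchBase $domainDn -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
    Select-Object Name, ObjectClass, DistinguishedName |
    Sort-Object ObjectClass, Name

# An object is the set of its attributes: fetch one user with a chosen attribute set.
# Attributes not listed in -Properties are not returned, so ask for what you need.
Get-ADUser -LDAPFilter '(sAMAccountName=jdoe)' -Properties displayName, title, employeeID, mail |
    Select-Object DistinguishedName, displayName, title, employeeID, mail

# Containers nest: everything below an OU at any depth (Subtree is the default scope).
# The DN of each result encodes its place in the container hierarchy.
Get-ADObject -SearchBase "OU=Branch,$domainDn" -LDAPFilter '(objectClass=*)' |
    Select-Object ObjectClass, DistinguishedName
```

The LDAP filter strings are the same ones any LDAP client (ldp.exe, ldapsearch, an application) would send; the cmdlets only wrap the protocol.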

Tree and site

A domain tree is a structure, a collection of domains that share a common schema and configuration, form a common namespace and are bound by trust relationships.

A domain forest is a collection of trees connected to each other.

A site is a collection of devices in IP subnets, representing a physical model of the network, the planning of which is carried out regardless of the logical representation of its construction. Active Directory has the ability to create an n-number of sites or combine an n-number of domains under one site.

Installing and configuring Active Directory

Now let's move directly to setting up Active Directory, using Windows Server 2008 as the example (the procedure is identical on other versions):

Click on the “OK” button. It is worth noting that such values are not required. You can use the IP address and DNS from your network.

  • Next, you need to go to the “Start” menu, select “Administration” and “”.
  • Go to the “Roles” item and select “Add Roles”.
  • Select “Active Directory Domain Services”, click “Next” twice, and then “Install”.
  • Wait for the installation to complete.
  • Open the “Start” menu, select “Run”, and enter dcpromo.exe in the field.
  • Click “Next”.
  • Select “Create a new domain in a new forest” and click “Next” again.
  • In the next window, enter a name and click “Next”.
  • Choose the compatibility mode (Windows Server 2008).
  • In the next window, leave everything as default.
  • The DNS configuration window will open. Since DNS had not been used on this server before, no delegation was created.
  • Select the installation directory.
  • After this step you need to set the administrator password.

To be secure, the password must meet the following requirements:


After AD completes the component configuration process, you must reboot the server.

The setup is complete; the snap-in and the role are installed on the system. AD can only be installed on the Windows Server family; regular versions such as Windows 7 or 10 only allow installation of the management console.
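The same procedure as the dcpromo wizard steps above, as an added PowerShell example that is not part of the original article. It uses the ADDSDeployment module of Windows Server 2012 and later, where dcpromo.exe is no longer used; the domain name, NetBIOS name and paths are placeholders.

```powershell
# Added example, not code from the original article: the wizard steps above as a
# script, using the ADDSDeployment module of Windows Server 2012 and later (where
# dcpromo.exe is no longer used). Domain name, NetBIOS name and paths are placeholders.
# Run as local Administrator on a server with a static IP and a DNS pointer to itself.

# "Add Roles" -> Active Directory Domain Services (plus the management console).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The password the wizard asks for is the Directory Services Restore Mode password;
# keep it separate from the domain Administrator password and store it offline.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# Dry run: reports the same warnings the wizard shows (for example, that no DNS
# delegation can be created because the parent zone does not exist on this server).
Test-ADDSForestInstallation -DomainName 'example.local' -InstallDns `
    -SafeModeAdministratorPassword $dsrm

# "Create a new domain in a new forest". Functional levels can be raised later but
# never lowered, so start with the level dictated by the oldest DC you must support.
Install-ADDSForest `
    -DomainName 'example.local' `
    -DomainNetbiosName 'EXAMPLE' `
    -ForestMode Win2008R2 `
    -DomainMode Win2008R2 `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force                                 # reboots automatically when done

# After the reboot, confirm the DC, its GC flag and the DNS role.
# Get-ADDomainController | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
# Get-WindowsFeature DNS, AD-Domain-Services | Select-Object Name, InstallState

# The first rule from the start of this page: a second DC right away. Run this on
# the second server with domain Administrator credentials; it becomes a GC by default.
# Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# Install-ADDSDomainController -DomainName 'example.local' -InstallDns `
#     -Credential (Get-Credential 'EXAMPLE\Administrator') `
#     -SafeModeAdministratorPassword $dsrm -Force
```

`Test-ADDSForestInstallation` is the step most people skip in the GUI: it surfaces the DNS and functional-level warnings before anything is changed on the server.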

Administration in Active Directory

By default, in Windows Server, the Active Directory Users and Computers console works with the domain to which the computer belongs. You can access computer and user objects in this domain through the console tree or connect to another controller.

The tools in the same console let you view additional properties of objects and search for them; you can create new users and groups and change permissions.

By the way, there are two types of groups in Active Directory: security and distribution. Security groups are responsible for delimiting access rights to objects; they can also be used as distribution groups.

Distribution groups cannot differentiate rights and are used primarily for distributing messages on the network.

What is AD delegation

Delegation itself is the transfer of part of the permissions and control from the parent to another responsible party.

Every organization has several system administrators at its headquarters, and different tasks should rest on different shoulders. To apply changes you must have rights and permissions, which are divided into standard and special. Special permissions apply to a specific object, while standard permissions are a set of existing permissions that make individual features available or unavailable.

Establishing trust

There are two types of trust relationships in AD: one-way and two-way. In the first case one domain trusts the other but not vice versa; accordingly, the first has access to the resources of the second, but the second has no access to the first. In the second type the trust is mutual. There are also outgoing and incoming relationships. In an outgoing trust, the first domain trusts the second, thereby allowing users of the second to use the resources of the first.

During installation, the following procedures should be followed:

  • Check network connections between controllers.
  • Check settings.
  • Configure name resolution for the external domains.
  • Create a connection from the trusting domain.
  • Create a connection from the side of the controller to which the trust is addressed.
  • Check the created one-way relationships.
  • If a two-way relationship is required, set it up as well.
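The checklist above as commands, in an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory and DnsClient modules, and two placeholder domains: corp.example (trusting) and partner.example (trusted).

```powershell
# Added example, not code from the original article: the trust checklist above as
# commands. Assumes the ActiveDirectory and DnsClient modules, and two placeholder
# domains: corp.example (trusting) and partner.example (trusted).
Import-Module ActiveDirectory

$trusting = 'corp.example'
$trusted  = 'partner.example'

# Steps 1-3. Network path and name resolution: a trust needs LDAP/Kerberos reachability
# and the SRV records of the other domain's DCs. A conditional forwarder or stub
# zone for $trusted is the usual fix when the SRV lookup fails.
Test-NetConnection -ComputerName $trusted -Port 389 | Select-Object ComputerName, TcpTestSucceeded
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$trusted" -Type SRV -ErrorAction Stop |
    Select-Object Name, NameTarget, Port

# Steps 4-5. Create the one-way trust: $trusting trusts $trusted (outgoing from
# $trusting), so $trusted's users can be granted access to $trusting's resources.
# Credentials are prompted for (/pd:* and /po:*) rather than typed on the command line.
# netdom trust $trusting /d:$trusted /add /ud:$trusted\Administrator /pd:* /uo:$trusting\Administrator /po:*

# Step 6. Verify the relationship and review its hardening attributes: SID filtering
# (quarantine) should stay on for an external trust, and selective authentication
# limits which users of the trusted domain may authenticate at all.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
# netdom trust $trusting /d:$trusted /verify

# Step 7. Only if a two-way relationship is really required:
# netdom trust $trusting /d:$trusted /add /twoway /ud:$trusted\Administrator /pd:* /uo:$trusting\Administrator /po:*
```

`Get-ADTrust` reports the direction from the point of view of the domain you query: the one-way trust created above shows as Outbound in corp.example and Inbound in partner.example.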

Global catalog

This is a domain controller that stores copies of all objects in the forest. It gives users and programs the ability to search for objects in any domain of the current forest using attribute discovery tools included in the global catalog.

The global catalog (GC) includes a limited set of attributes for each forest object in each domain. It receives data from all domain directory partitions in the forest, and it is copied using the standard Active Directory replication process.

The schema determines whether an attribute is copied to the global catalog. Additional attributes can be configured to be replicated to the global catalog using the “Active Directory Schema” snap-in. To add an attribute to the global catalog, select the attribute and use the “Copy” option; this creates replication of the attribute to the global catalog, and the attribute's isMemberOfPartialAttributeSet value becomes true.

To find the global catalog servers, enter at the command line:

dsquery server -isgc
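An added PowerShell example (not code from the original article) that lists the global catalogs and checks, or sets, whether an attribute belongs to the partial attribute set the GC replicates. It assumes the ActiveDirectory module; changing the flag needs Schema Admins and targets the schema master; employeeID is a sample attribute.

```powershell
# Added example, not code from the original article: find the global catalogs and
# check (or set) whether an attribute is part of the partial attribute set that the
# GC replicates. Assumes the ActiveDirectory module; setting the flag needs Schema
# Admins and targets the schema master. 'employeeID' is a sample attribute.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Same information as "dsquery server -isgc", plus the site of each GC.
$forest.GlobalCatalogs
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | Select-Object Name, Site

function Get-SchemaAttribute([string]$LdapDisplayName) {
    $attr = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet, attributeID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' is not in the schema" }
    $attr
}

function Test-InPartialAttributeSet([string]$LdapDisplayName) {
    [bool](Get-SchemaAttribute $LdapDisplayName).isMemberOfPartialAttributeSet
}

Test-InPartialAttributeSet 'employeeID'

# Equivalent of the "Copy"/replicate-to-GC option in the Active Directory Schema
# snap-in: set isMemberOfPartialAttributeSet on the schema master. The change is
# forest-wide and replicates to every GC, so do it deliberately in a change window.
function Add-ToPartialAttributeSet([string]$LdapDisplayName) {
    $attr = Get-SchemaAttribute $LdapDisplayName
    Set-ADObject -Identity $attr.DistinguishedName -Server $forest.SchemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
}
# Add-ToPartialAttributeSet 'employeeID'
```

The read side is safe to run from any workstation with RSAT; only `Add-ToPartialAttributeSet` writes to the schema, which is why it is left commented out.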

Data replication in Active Directory

Replication is the copying procedure that keeps the information held on every controller equally up to date.

It runs without operator involvement. There are the following types of replica content:

  • Data replicas are created from all existing domains.
  • Replicas of data schemas. Since the data schema is the same for all objects in the Active Directory forest, replicas of it are maintained across all domains.
  • Configuration data. It describes how replicas are arranged among controllers. The information is distributed to all domains in the forest.

The main types of replication are intrasite and intersite.

In the first case, after a change the system waits, then notifies a partner to replicate the change. Even in the absence of changes, replication runs automatically after a certain period of time. After critical changes are applied to the directory, replication occurs immediately.

Replication between sites is scheduled for periods of minimal network load; this avoids information loss.
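An added PowerShell example (not code from the original article) that checks replication health for every DC and partition, and pushes an urgent change without waiting for the intersite schedule. It assumes the ActiveDirectory module and reachable DCs; DC1, DC2 and the object DN are placeholders.

```powershell
# Added example, not code from the original article: check replication health for
# every DC and partition, and force an urgent sync of one object. Assumes the
# ActiveDirectory module and that all DCs are reachable; 'DC1'/'DC2' and the
# object DN are placeholders.
Import-Module ActiveDirectory

function Get-ReplicationStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per (partner, partition): domain, configuration, schema and any
        # application partition this DC holds - the replica types listed above.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * |
            Select-Object Server, Partner, Partition, IntersiteTransportType,
                          LastReplicationSuccess, LastReplicationResult,
                          ConsecutiveReplicationFailures
    }
}

$status = Get-ReplicationStatus
$status | Sort-Object Server, Partition | Format-Table -AutoSize

# Anything with failures, or a last success older than the longest intersite interval
# (3 hours by default), deserves attention long before it reaches the tombstone lifetime.
$stale = $status | Where-Object {
    $_.ConsecutiveReplicationFailures -gt 0 -or
    $_.LastReplicationSuccess -lt (Get-Date).AddHours(-3)
}
$stale | Format-Table Server, Partner, Partition, LastReplicationResult, LastReplicationSuccess

# Error text for the whole domain, aggregated per partner.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# An urgent change (for example a disabled account) that must not wait for the
# intersite schedule: push one object from DC1 to DC2 now.
# Sync-ADObject -Object 'CN=jdoe,OU=Staff,DC=example,DC=local' -Source 'DC1' -Destination 'DC2'

# Classic tools for the same view:  repadmin /replsummary   and   repadmin /showrepl DC1 /verbose
```

Treat `ConsecutiveReplicationFailures` greater than zero on any partition as an incident: a DC that cannot replicate silently diverges, and the branch RODC scenario on this page is exactly where a broken site link goes unnoticed.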

Once you have installed Active Directory in your network environment and have begun implementing a service design that suits your business goals, you will work with the Active Directory logical structure. It is a directory service model that defines each security principal in an enterprise, as well as the organization of those principals. The Active Directory database contains the following structural objects:

  • partitions;
  • domains;
  • domain trees;
  • forests;
  • sites;
  • organizational units.

The following provides an introduction to these components and the concepts of trust relationships that are used to grant security principal access permissions to resources stored in different domains. In Chapter 5, you'll learn how these building blocks are used to achieve specific goals (such as protecting access to resources) and optimize network performance. The security principals themselves (users, groups, and computers) are not discussed in this chapter.
Active Directory Partitions

As you already know, the Active Directory database is stored in a file on the hard drive of each domain controller. It is divided into several logical partitions, each of which stores a different type of information. Active Directory partitions are called naming contexts (NC). You can view them using the Ldp.exe or ADSI Edit tool (Figure 2-4).

Figure 2-4. Viewing Active Directory partitions using the ADSI Edit tool


Domain directory partition

The domain partition is where most of the action happens. It contains all the domain's information about users, groups, computers and contacts: everything that can be viewed with the Active Directory Users And Computers administration tool.

The domain partition is automatically replicated to all controllers in the domain. Each domain controller needs the information it contains in order to authenticate users.


Configuration directory partition

The configuration partition contains forest configuration information, such as information about sites, site links and replication connections. Many applications store information in it. Applications such as Exchange Server 2000 and Microsoft Internet Security and Acceleration (ISA) Server place their configuration information in the Active Directory configuration partition rather than in a directory service of their own. When you install the first ISA firewall in your organization, you can configure an array that stores all ISA configuration information in Active Directory. Additional ISA firewalls are then easily installed with the same configuration, which is read from Active Directory.

The configuration partition is replicated throughout the forest. Each domain controller holds a writable copy of the configuration partition, and changes to this partition can be made from any domain controller in the organization. This means that configuration information is replicated to all domain controllers. When replication is fully synchronized, every domain controller in the forest has the same configuration information.


Schema directory partition

The schema partition contains the schema for the entire forest. As you already know, the schema is the set of rules about what types of objects can be created in Active Directory, as well as the rules for each type of object. The schema partition is replicated to all domain controllers in the forest. However, only one domain controller, the schema master, maintains a writable copy of the schema partition. All changes to the schema are made on the schema master and then replicated to the other domain controllers.


Global catalog partition

The global catalog (GC) partition is not a partition in the true sense. It is stored in the database like any other partition, but administrators cannot enter information into it directly. The GC partition is read-only on all GC servers and is built from the contents of the domain databases. Each attribute in the schema has a boolean value named isMemberOfPartialAttributeSet. If it is set to true, the attribute is copied to the GC.


Application directory partitions

The last type of partition in Windows Server 2003 Active Directory is the application directory partition. Only one kind of application directory partition is created in Active Directory by default, the one dedicated to the Domain Name System (DNS) server service: when you install the first Active Directory-integrated zone, the application directory partitions ForestDnsZones and DomainDnsZones are created. An application directory partition can store any type of Active Directory object except security principals. Application directory partitions are also created to manage the data replication process, and none of the objects in an application directory partition can be replicated to the GC partition.

Application directory partitions are used to store application-specific information. The benefit of using them is that the replication of information in the partition can be controlled. For information that is too dynamic, replicas must be managed to limit the amount of network traffic. When you create an application directory partition, you specify which domain controllers receive a replica of the partition. The domain controllers that receive a replica of an application partition can be in any domain or site in the forest.

The naming scheme for application directory partitions is identical to that of the other Active Directory partitions. For example, the DNS name for the configuration partition in the Contoso.com forest is dc=Configuration, dc=Contoso, dc=com. If you create an application directory partition named AppPartition1 in the Contoso.com domain, its DNS name is dc=AppPartition1, dc=Contoso, dc=com. Application directory partitions are quite flexible with respect to where they are created, or more precisely, their naming context. For example, you can create another application directory partition under AppPartition1. This partition is then named dc=AppPartition2, dc=AppPartition1, dc=Contoso, dc=com. It is also possible to create an application directory partition with a DNS name that is not adjacent to any domain in the forest: you can create an application partition in the Contoso.com domain that has the DNS name dc=AppPartition, thus creating a new tree in the forest.

Note. The choice of DNS name for the application namespace has no effect on the functionality of the application partition. The only difference is the configuration of the LDAP client that accesses the partition. Application directory partitions are intended for LDAP access, so the client must be configured to look up the server in the correct namespace.

Creating an application directory partition is complicated by the need to maintain permissions on the partition's objects. The default Active Directory partitions have permissions assigned automatically. When you create an object in a domain partition, the Domain Admins group is automatically granted full permissions on the object. When you create an object in the configuration partition or the schema partition, permissions are assigned to user accounts and groups that belong to the forest root domain. Because an application directory partition can be created inside any domain partition or as a separate tree in the forest, the default permission assignment path does not apply. It is easy to give the Domain Admins group full control over the objects in a partition, but it is not clear which domain is the default. Therefore, application directory partitions are always created with a reference to the domain that holds the security descriptors. This domain becomes the default and is used to assign permissions to objects in the application directory partition. If an application directory partition is created inside a domain partition, the parent domain is used as the domain holding the security descriptors and permission inheritance is established. If the application directory partition creates a new tree in the forest, the forest root domain is used as the domain holding the security descriptors.

Tip. Typically, application directory partitions are created during the installation of an application that requires its own directory partition. The application's installation procedure must allow the creation of additional replicas on other domain controllers. You can create an application directory partition with the Ntdsutil utility, but this is not typically done in an enterprise environment. For procedures for managing application directory partitions, see the Windows Server 2003 Help And Support Center. For detailed information about application directory partitions and how to access them programmatically, search for "Using application directory partitions" on msdn.microsoft.com.

Once an application directory partition with multiple replicas is created, replication of the partition is managed in the same way as for other partitions. For more information about Active Directory replication, see Chapter 4.
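An added PowerShell example (not code from the original chapter) that enumerates every partition in the forest from the crossRef objects in CN=Partitions, classifies them by their systemFlags bits, and shows the Ntdsutil commands for the application partition from the naming example above. It assumes the ActiveDirectory module; dc=AppPartition1,dc=Contoso,dc=com and the DC names follow the chapter's example and are placeholders.

```powershell
# Added example, not code from the original chapter: enumerate the partitions of
# the forest from the crossRef objects in CN=Partitions, classify them with the
# systemFlags bits, and show the Ntdsutil commands for an application partition.
# Assumes the ActiveDirectory module; 'dc=AppPartition1,dc=Contoso,dc=com' and
# 'DC1.Contoso.com'/'DC2.Contoso.com' follow the chapter's naming example and are placeholders.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"

# What this particular DC holds (naming contexts); compare with the forest-wide list below.
$rootDse.namingContexts

function Get-ForestPartitions {
    Get-ADObject -SearchBase $partitionsDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        $flags = [int]($_.systemFlags)
        # FLAG_CR_NTDS_NC (0x1): a real naming context held by DCs
        # FLAG_CR_NTDS_DOMAIN (0x2): a domain partition
        # FLAG_CR_NTDS_NOT_GC_REPLICATED (0x4): never copied into the GC (application partitions)
        $kind = if (-not ($flags -band 0x1)) { 'ExternalReference' }
                elseif ($flags -band 0x2)   { 'Domain' }
                elseif ($flags -band 0x4)   { 'Application' }
                elseif ($_.nCName -like 'CN=Schema,*') { 'Schema' }
                else { 'Configuration' }
        [pscustomobject]@{
            Partition   = $_.nCName
            Kind        = $kind
            SystemFlags = $flags
            # Explicit replica DCs; populated for application partitions only.
            Replicas    = @($_.'msDS-NC-Replica-Locations')
        }
    }
}

Get-ForestPartitions | Sort-Object Kind | Format-Table -AutoSize -Wrap

# Creating an application partition and adding a second replica with Ntdsutil
# (one command line each; run on a DC as Enterprise Admin). This is the chapter's
# alternative to letting the application's installer create the partition.
# ntdsutil "partition management" connections "connect to server DC1.Contoso.com" quit "create nc dc=AppPartition1,dc=Contoso,dc=com DC1.Contoso.com" quit quit
# ntdsutil "partition management" connections "connect to server DC1.Contoso.com" quit "add nc replica dc=AppPartition1,dc=Contoso,dc=com DC2.Contoso.com" quit quit
```

The `Replicas` column is the answer to "which DCs receive this partition", which is the property the chapter singles out as the advantage of application partitions; for the DNS partitions it lists every DNS-role DC in the domain or forest.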


Domains

The domain is the basic building block of the Active Directory service model. By installing Active Directory on a computer running Windows Server 2003, you create a domain. The domain serves as an administrative boundary; it also defines the boundaries of the security policy. Every domain has at least one domain controller (it is best to have two or more).

Active Directory domains are organized hierarchically. The first domain in the enterprise becomes the forest root domain; it is usually called the root domain or forest domain. The root domain is the starting point for the Active Directory namespace. For example, the first domain in the Contoso organization is Contoso.com. The first domain can be a dedicated or a non-dedicated root domain. A dedicated root domain, called an empty root, is an empty placeholder domain designed to run Active Directory. This domain will not contain any real user (group) accounts and will be used to assign access to resources. The only accounts contained in the dedicated root domain are the default user and group accounts, such as the Administrator account and the Domain Admins global group. A non-dedicated root domain is a domain in which actual user and group accounts are created. The reasons for choosing a dedicated or non-dedicated forest root domain are discussed in Chapter 5.
The remaining domains in the enterprise exist either as peers in relation to the root domain, or as child domains. Peer domains are at the same hierarchical level as the root domain. Figure 2-5 shows the peer domain model.


Figure 2-5. Active Directory domains organized as peers

It is generally accepted that domains installed after the root domain become child domains. Child domains share the Active Directory namespace of the parent domain. For example, if the first domain in the Contoso organization is named Contoso.com, a child domain in that structure might be called NAmerica.Contoso.com and be used to manage all security principals of the Contoso organization located in North America. If the organization is large or complex enough, additional subdomains may be required, such as Sales.NAmerica.Contoso.com. Figure 2-6 shows the parent-child domain hierarchy for the Contoso organization.


Figure 2-6. Parent-child domain model for Contoso Corporation


Domain trees

Domains created in the Active Directory infrastructure after the root domain can share the existing Active Directory namespace or have a separate namespace. To allocate a separate namespace to a new domain, you create a new domain tree. Regardless of whether one namespace or several is used, additional domains in the same forest function exactly the same. Creating additional domain trees is purely an organizational and naming matter and does not affect functionality in any way. A domain tree contains at least one domain, so even an organization with a single domain has a domain tree. Using multiple trees instead of child domains does affect DNS configuration, as you will learn in Chapter 3.

A new domain tree is created when an organization creates a domain after the forest root domain but does not want to use the existing namespace. In the case of Contoso, if the existing domain tree uses the Contoso.com namespace, a new domain can be created that uses a completely different namespace, such as Fabrikam.com. If domains are needed later to suit the needs of the Fabrikam unit, they can be created as children in the Fabrikam domain tree. Figure 2-7 shows a Contoso organization with multiple domain trees.


Figure 2-7. Contoso Corporation with multiple domain trees


Forests

The forest is the outermost replication boundary and the security boundary for the enterprise. All domains and domain trees exist within one or more Active Directory forests. Several components are shared by all domain controllers in a forest:

  • Common schema. All domain controllers in a forest have the same schema. The only way to deploy two different schemas in one organization is to deploy two separate forests.
  • Common configuration directory partition. All domain controllers in a forest have the same configuration container, which is replicated throughout the forest. The configuration partition is used heavily by Active Directory-aware applications (such as Exchange 2000 Server and ISA Server).
  • Common global catalog (GC). It contains information about all objects in the forest, which makes searching for any object more efficient and allows users to log on to any domain in the forest using their user principal name (UPN).
  • A common set of forest-wide administrators. In the forest root domain, two security groups are created for the forest. They are granted permissions that no other user has: the Schema Admins group is the only group that has permission to modify the schema, and the Enterprise Admins group is the only group that has permission to perform forest-level actions, such as adding or removing domains from the forest. The Enterprise Admins group is automatically added to the local Administrators group on the domain controllers of each domain in the forest.
  • Common trust configuration. All domains in the forest are automatically configured to trust all other domains in the forest. Trust relationships are discussed in more detail in the next section.

Figure 2-8 shows the Contoso forest.


Trust relationships

By default, a domain is the boundary of access to resources in an organization. With the appropriate permissions, any security principal (such as a user or group account) can access any shared resource in the same domain. Active Directory trusts are used to gain access to resources outside the domain. A trust relationship is an authentication relationship between two domains through which security principals can be granted access to resources located in the other domain. There are several types of trust relationships, including:

  • transitive trust relationships;
  • one-way trust relationships;
  • forest trust relationships;
  • realm trusts.

Transitive trusts

All domains in a tree maintain transitive two-way trust relationships with the other domains in the tree. In the example above, when the domain NAmerica.Contoso.com is created as a child of the root domain Contoso.com, a two-way trust is automatically created between the domains NAmerica.Contoso.com and Contoso.com. Through this trust, any user in the NAmerica.Contoso.com domain can access any resource in the Contoso.com domain that they have permission to access. Likewise, if there are any security principals in the Contoso.com domain (as in an empty root domain), they can be given access to resources in the NAmerica.Contoso.com domain.

Within a forest, trusts are established as either parent-child trusts or tree-root trusts. An example of a parent-child trust is the relationship between the domains NAmerica.Contoso.com and Contoso.com. A tree-root trust is a relationship between two trees in a forest, for example between Contoso.com and Fabrikam.com.
All trusts between the domains of a forest are transitive. This means that all domains in the forest trust each other. If the domain Contoso.com trusts the domain NAmerica.Contoso.com and the domain Europe.Contoso.com trusts the domain Contoso.com, then by transitivity the domain Europe.Contoso.com also trusts the domain NAmerica.Contoso.com. Therefore, users in the NAmerica.Contoso.com domain can access resources in the Europe.Contoso.com domain, and vice versa. Transitivity also applies to tree-root trusts: the domain NAmerica.Contoso.com trusts the domain Contoso.com, and the domain Contoso.com trusts the domain Fabrikam.com, so the domains NAmerica.Contoso.com and Fabrikam.com also have a transitive trust relationship with each other.


One-way trust relationships

In addition to the two-way transitive trusts that are established when a new child domain is created, one-way trusts can be created between the domains of a forest. This is done to allow access to resources between domains that do not have a direct trust relationship. One-way trusts are also created to optimize performance between domains that are already connected by transitive trusts. Such one-way trusts are called shortcut trusts. Shortcut trusts are useful when frequent access to resources is required between domains that are only distantly connected through the domain tree or forest. An example of this is the Contoso forest shown in Figure 2-9.


Figure 2-9. Trust relationships in the Contoso forest

If a security group in the Sales.Europe.Contoso.com domain frequently accesses a share in the Research.NAmerica.Contoso.com domain, and only transitive trusts exist between the domains, users in the Sales.Europe.Contoso.com domain must be authenticated by each domain in the tree that lies between them and the domain containing the resource. This is inefficient if the resources are accessed frequently. Shortcut trusts are direct, one-way trusts that let users in the Sales.Europe.Contoso.com domain authenticate to the Research.NAmerica.Contoso.com domain efficiently, without traversing the entire directory tree to get there. Figure 2-10 illustrates these direct trusts. If the same trust is needed in the other direction, you can create a second direct trust between the two domains with their roles reversed. (Such a pair of direct trusts looks like a two-way transitive trust, but shortcut trusts do not extend beyond those two domains.)


Forest trust relationships

Forest trusts are a new feature in Windows Server 2003. A forest trust is a two-way transitive trust relationship between two separate forests. Using forest trusts, a security principal belonging to one forest can be given access to resources in any domain of an entirely different forest. In addition, users can log on to any domain in either forest using the same UPN.

  • Forest trusts are not transitive to other forests. For example, if Forest1 has a forest trust with Forest2, and Forest2 has a forest trust with Forest3, Forest1 does not automatically have a forest trust with Forest3.
  • Forest trusts only enable cross-forest authentication; they provide no other functionality. For example, each forest still has its own global catalog, schema and configuration partition. Directory information is not replicated between the two forests; a forest trust simply makes it possible to grant access to resources across forests.
  • In some cases, you will not need a trust between all domains in one forest and all domains in another forest. In that case, you can establish one-way, non-transitive trusts between individual domains of the two forests.

Figure 2-11 shows the Contoso forest trust.


Figure 2-11. The Contoso forest trust connects the domains Contoso.com and NWTraders.com, which are located in different forests
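The rules described in the preceding sections (transitive parent-child and tree-root trusts, one-way shortcut trusts limited to two domains, forest trusts that do not chain into a third forest, and one-way non-transitive trusts between individual domains) can be checked mechanically. The Python model below is an added example, not code from the book: it reproduces the Contoso forest of the figures, adds a constructed third forest (forest3.example, a placeholder name) and an external trust from Fabrikam.com to that forest, and works out which domains an authentication request has to pass through for a user of one domain to reach a resource in another. A result of None means that no trust allows the access.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str    # domain whose resources are accessed
    trusted: str     # domain whose security principals are granted access
    transitive: bool
    kind: str


class TrustGraph:
    """Domains are nodes; each trust is an edge trusting -> trusted.
    A two-way trust is two edges."""

    def __init__(self):
        self.forest_of = {}               # domain -> forest name
        self.edges = defaultdict(list)    # trusting domain -> [Trust]

    def add_domain(self, domain, forest):
        self.forest_of[domain] = forest

    def _add(self, trusting, trusted, transitive, kind):
        self.edges[trusting].append(Trust(trusting, trusted, transitive, kind))

    def add_parent_child(self, parent, child):
        # created automatically with the child domain: two-way, transitive
        self._add(parent, child, True, "parent-child")
        self._add(child, parent, True, "parent-child")

    def add_tree_root(self, root_a, root_b):
        # between two trees of one forest: two-way, transitive
        self._add(root_a, root_b, True, "tree-root")
        self._add(root_b, root_a, True, "tree-root")

    def add_shortcut(self, trusting, trusted):
        # one-way; as the text describes, it links only these two domains
        self._add(trusting, trusted, False, "shortcut")

    def add_forest_trust(self, root_a, root_b):
        # two-way, transitive across the two forests but never to a third
        self._add(root_a, root_b, True, "forest")
        self._add(root_b, root_a, True, "forest")

    def add_external(self, trusting, trusted):
        # one-way, non-transitive trust between domains of different forests
        self._add(trusting, trusted, False, "external")

    def trust_path(self, resource_domain, account_domain):
        """Domains an authentication request walks from the resource domain to
        the account domain, or None when no trust allows the access."""
        if resource_domain == account_domain:
            return [resource_domain]
        start = (resource_domain, False)    # (domain, forest boundary crossed?)
        queue, seen = deque([(start, [resource_domain])]), {start}
        while queue:
            (cur, crossed), path = queue.popleft()
            for t in self.edges[cur]:
                single_hop = cur == resource_domain and t.trusted == account_domain
                if not t.transitive and not single_hop:
                    continue    # non-transitive: never extends past its two domains
                crossing = self.forest_of[cur] != self.forest_of[t.trusted]
                if crossing and crossed:
                    continue    # a forest trust does not chain into a third forest
                state = (t.trusted, crossed or crossing)
                if state in seen:
                    continue
                seen.add(state)
                if t.trusted == account_domain:
                    return path + [t.trusted]
                queue.append((state, path + [t.trusted]))
        return None


def build_contoso(shortcut=False):
    """The Contoso forest of the figures plus two constructed neighbour forests."""
    g = TrustGraph()
    for d in ("Contoso.com", "NAmerica.Contoso.com", "Europe.Contoso.com",
              "Research.NAmerica.Contoso.com", "Sales.Europe.Contoso.com",
              "Fabrikam.com"):
        g.add_domain(d, "Contoso forest")
    g.add_domain("NWTraders.com", "NWTraders forest")
    g.add_domain("forest3.example", "Forest3")      # placeholder third forest
    g.add_parent_child("Contoso.com", "NAmerica.Contoso.com")
    g.add_parent_child("Contoso.com", "Europe.Contoso.com")
    g.add_parent_child("NAmerica.Contoso.com", "Research.NAmerica.Contoso.com")
    g.add_parent_child("Europe.Contoso.com", "Sales.Europe.Contoso.com")
    g.add_tree_root("Contoso.com", "Fabrikam.com")
    g.add_forest_trust("Contoso.com", "NWTraders.com")
    g.add_forest_trust("NWTraders.com", "forest3.example")
    g.add_external("Fabrikam.com", "forest3.example")
    if shortcut:   # Research.NAmerica trusts Sales.Europe so its users get there directly
        g.add_shortcut("Research.NAmerica.Contoso.com", "Sales.Europe.Contoso.com")
    return g
```

Calling `build_contoso().trust_path("Research.NAmerica.Contoso.com", "Sales.Europe.Contoso.com")` walks all four hops up one branch of the tree and down the other; with `shortcut=True` the same call returns a single hop, while the reverse direction still walks the tree because the shortcut is one-way. Shortcut trusts are modelled exactly as the text describes them, as links limited to their two domains.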


Realm trusts

The last type of trust is the realm trust. Realm trusts are established between a Windows Server 2003 domain or forest and a non-Windows implementation of a Kerberos v5 realm. Kerberos security is based on an open standard, and there are other network security systems based on the Kerberos protocol. Realm trusts can be created between any Kerberos realms that support the Kerberos v5 standard. Realm trusts can be one-way or two-way, and can be configured as transitive or non-transitive.

Sites

All of the logical components of Active Directory discussed so far are largely independent of the physical network infrastructure. For example, when designing a domain structure for a corporation, where users are located is not the most important question. All users in a domain can be located in a single office building or in offices throughout the world. This independence of the logical components from the network infrastructure is achieved through the use of sites in Active Directory.

Sites provide the connection between the logical Active Directory components and the physical network infrastructure. A site represents an area of the network in which all domain controllers are connected by a fast, inexpensive and reliable network connection. In most cases, a site contains one or more Internet Protocol (IP) subnets connected by a local area network (LAN) or a fast wide area network (WAN), and is connected to the rest of the network by slower WAN links.
The main reason for creating sites is to be able to manage any network traffic that needs to cross slow network connections. Sites are used to control network traffic in a Windows Server 2003 network in three different ways.

  • Replication. One of the most important ways in which sites optimize network traffic is by managing replication traffic between domain controllers and GC servers. Within a site, any change made to the directory is replicated within approximately five minutes. The replication schedule between sites can be controlled so that replication occurs outside business hours. By default, replication traffic between sites is compressed to conserve network bandwidth; replication traffic within a site is not compressed. (Chapter 4 provides more details on the differences between intrasite and intersite replication.)
  • Authentication. When a user logs on to a Windows Server 2003 domain from a client running Windows 2000 or Microsoft Windows XP Professional, the client computer tries to connect to a domain controller located in the same site as the client. Chapter 3 discusses how each domain controller registers site-specific service (SRV) locator records. When a client computer tries to find a domain controller, it always queries the DNS servers for the site-specific records. This means that client logon traffic stays within the site. If the domain is running at the Windows 2000 native or Windows Server 2003 functional level, the client also tries to find a global catalog server during logon. If the site has a GC server, the client connects to that server. (The role of sites in locating domain controllers is discussed in detail in Chapter 3.)

Note. Client computers running Windows NT 4 SP6a can log on to Active Directory domain controllers if the Directory Services Client is installed; it is available for download at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp. For Windows 95 and Windows 98 clients that have not been upgraded, the Directory Services Client software is available on the Windows 2000 Server CD.

  • Site-aware network services. The third way in which sites help maintain high throughput is by limiting client connections to their own site, for those applications and services that are site-aware. For example, using the Distributed File System (DFS), you can create multiple replicas of a folder in different sites on the network. Because DFS is site-aware, client computers always try to access the DFS replica in their own site before using WAN links to access the information in another site.

Each computer on a Windows Server 2003 network is assigned to a site. When Active Directory is installed in a Windows Server 2003 environment, a default site called Default-First-Site-Name is created, and all computers in the forest are assigned to that site unless additional sites are created. When additional sites are created, they are associated with IP subnets. When a server running Windows Server 2003 becomes a domain controller, it is automatically assigned to the site associated with the computer's IP address. If necessary, you can move domain controllers between sites using the Active Directory Sites And Services administrative tool.
Client computers discover their site the first time they start and join the domain. Since the client computer does not yet know which site it belongs to, it connects to any domain controller in the domain. During the logon process the domain controller tells the client which site it belongs to, and the client caches this information for the next logon.
Note. If a domain controller or client computer has an IP address that is not associated with a specific site, that computer is assigned to the Default-First-Site-Name site. Each computer that is part of a Windows Server 2003 domain must belong to a site.
As stated above, there is no direct connection between sites and the other logical concepts in Active Directory. One site can contain more than one domain, and one domain can span multiple sites. Figure 2-12 shows that the Seattle site contains two domains, Contoso.com and NAmerica.Contoso.com, while the NWTraders.com domain is spread across several sites.

Note. Sites are discussed in detail in other chapters. Chapter 3 details the role of DNS and sites in client logon. Chapter 4 discusses the role of sites in replication and how to create and configure sites. Chapter 5 gives detailed information on designing the optimal site configuration for an Active Directory forest.
Organizational units
By implementing multiple domains in a forest as one or more trees, Windows Server 2003 Active Directory can scale to provide directory services to a network of any size. Many components of Active Directory, such as the global catalog and automatic transitive trusts, are designed to make using and managing an enterprise directory efficient, no matter how large the directory becomes.
Organizational Units (OU) are designed to make Active Directory easier to manage. OUs are used to make it more efficient to manage a single domain, rather than having to deal with managing multiple Active Directory domains. OUs serve to create a hierarchical structure within a domain. A domain can contain hundreds of thousands of objects. Managing so many objects without using some means of organizing objects into logical groups is difficult. Organizational units perform precisely these functions. Figure 2-13 shows an example of an OU structure in Contoso Corporation.


Figure 2-13. Example of an organizational unit structure

OUs are object containers containing several types of directory service objects:

  • computers;
  • contacts;
  • groups;
  • inetOrgPerson;
  • printers;
  • users;
  • public folders;
  • organizational units.

Organizational units are used to group objects for administrative purposes. They make it possible to delegate administrative rights and to manage a group of objects as a single unit.
Using organizational units to delegate administrative rights
Organizational units can be used to delegate administrative rights. For example, a user may be given rights to perform administrative tasks in a specific OU. These can be high-level rights, where the user has full control over the organizational unit, or very limited and specific ones (for example, only the ability to reset user passwords in that organizational unit). A user who has administrative rights to an organizational unit does not, by default, have any administrative rights outside the OU.
Organizational units have a flexible structure for assigning access rights to the objects within the OU. In many Windows dialog boxes and on Properties tabs these rights are called permissions. The OU itself has an access control list (ACL), in which you can assign access rights to the OU. Every object in an OU, and every attribute of an object, also has an ACL. This means that you can control very precisely the administrative rights given to anyone in that OU. For example, you can give the Help Desk group the right to change user passwords in an OU without changing any other user account properties. You can give Human Resources the right to change personal information in any user account in any OU, without giving them any rights to other objects.
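To make the Help Desk and Human Resources examples concrete, here is an added Python model of OU ACLs and the delegated-rights check. It is an illustration written for this section, not code from the book and not how Windows stores ACLs internally. It keeps the order in which Windows evaluates a DACL (explicit entries on the object before inherited ones, denies before allows at each level, first match wins, and nothing matching means no access) and refuses to use an OU as a trustee, because an OU is not a security principal. The OU names, group names, user names and right names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    trustee: str          # a user or group; an OU can never be a trustee
    right: str            # e.g. "ResetPassword" or "WriteProperty:personal"
    allow: bool           # False is an explicit deny
    inherit: bool = True  # also applies to the objects inside the OU


class OU:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.acl = name, parent, []

    def dn(self):
        node, parts = self, []
        while node is not None:
            parts.append(f"OU={node.name}")
            node = node.parent
        return ",".join(parts)


class Directory:
    def __init__(self):
        self.ous = {}       # OU name -> OU (names kept unique for brevity)
        self.groups = {}    # user -> set of group names

    def add_ou(self, name, parent=None):
        self.ous[name] = OU(name, self.ous[parent] if parent else None)
        return self.ous[name]

    def add_user(self, user, *groups):
        self.groups[user] = set(groups)

    def grant(self, ou_name, trustee, right, allow=True, inherit=True):
        """Add an ACE to the OU's ACL. Only security principals may be trustees."""
        if trustee in self.ous:
            raise ValueError(f"{trustee!r} is an OU, not a security principal")
        self.ous[ou_name].acl.append(ACE(trustee, right, allow, inherit))

    def ordered_aces(self, ou):
        """ACEs in evaluation order: explicit ACEs on the OU itself, then those
        inherited from each ancestor, nearest first; denies before allows at
        each level (the canonical DACL order used by Windows)."""
        ordered, node, explicit = [], ou, True
        while node is not None:
            level = [a for a in node.acl if explicit or a.inherit]
            ordered.extend(sorted(level, key=lambda a: a.allow))  # False (deny) first
            node, explicit = node.parent, False
        return ordered

    def has_right(self, user, right, ou_name):
        """First matching ACE decides; nothing matching means access is denied."""
        tokens = {user} | self.groups.get(user, set())
        for ace in self.ordered_aces(self.ous[ou_name]):
            if ace.trustee in tokens and ace.right == right:
                return ace.allow
        return False


def build_contoso_ous():
    """Constructed OU tree with the delegations described in the text."""
    d = Directory()
    d.add_ou("Contoso")                          # stands in for the domain root
    d.add_ou("Sales", parent="Contoso")
    d.add_ou("Sales Executives", parent="Sales")
    d.add_ou("Finance", parent="Contoso")
    d.add_user("alice", "Help Desk")
    d.add_user("bob", "Human Resources")
    # Help Desk may reset passwords in Sales and everything under it...
    d.grant("Sales", "Help Desk", "ResetPassword")
    # ...except for executives, where an explicit deny sits on the sub-OU
    d.grant("Sales Executives", "Help Desk", "ResetPassword", allow=False)
    # Human Resources may edit personal attributes of users in every OU
    d.grant("Contoso", "Human Resources", "WriteProperty:personal")
    return d


if __name__ == "__main__":
    d = build_contoso_ous()
    for user, right, ou in [("alice", "ResetPassword", "Sales"),
                            ("alice", "ResetPassword", "Sales Executives"),
                            ("alice", "ResetPassword", "Finance"),
                            ("bob", "WriteProperty:personal", "Finance")]:
        print(user, right, d.ous[ou].dn(), d.has_right(user, right, ou))
```

Running the block shows alice (Help Desk) able to reset passwords in Sales but not in Sales Executives (the explicit deny on the child OU wins over the allow inherited from Sales) and not in Finance (no ACE at all), while bob (Human Resources) can edit personal attributes everywhere but reset no passwords.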
Using organizational units to manage groups of objects
One of the functions of an OU is to organize objects into groups so that these objects can be managed in the same way. If you want to manage all the computers in a department in the same way (for example, by restricting which users have the right to log on to the operating system), you can group the computers into an OU and set the Log On Locally permission at the OU level. This setting then applies to all computers in the OU. Another example of grouping objects for administrative purposes is a set of users who require the same standard desktop configuration and the same set of applications. In this case the users are placed in one OU, and Group Policy is used to configure the desktop and manage application installation.
In many cases, objects in an OU are managed through Group Policy. The Group Policy Object Editor is the tool used to manage each user's work environment. Group Policy can be used to lock down user desktops to a standard configuration, to assign logon and logoff scripts, and to redirect folders. Table 2-3 gives a short list of the types of settings available in the Group Policy Object Editor.
Table 2-3. Types of Group Policy settings

  • Administrative templates. Used to manage registry-based settings that configure applications and the user desktop, including access to operating system components, Control Panel and offline file configuration.
  • Security. Used to manage local computer, domain and network security settings, including user access to the network, account policies and user rights.
  • Software installation. Used to centrally manage software installation.
  • Scripts. Used to define scripts that run when a computer starts or shuts down, or when a user logs on or off.
  • Folder redirection. Used to store some user profile folders on a network server. My Documents folders appear to be stored locally, but are actually kept on a server, where they can be accessed from any computer on the network.

Group policies are most often assigned at the OU level. This makes the task of user management easier because you can assign one Group Policy Object (GPO), such as a software installation policy, to an organizational unit, which is then distributed to all users or computers in the OU.
Warning. Organizational units are not security principals. They cannot be used to assign permissions to a resource so that users throughout the OU automatically inherit those permissions. OUs are used for administrative purposes. You must use groups to grant access to resources.

Active Directory Basics

The Active Directory service

The extensible and scalable Active Directory directory service allows you to manage network resources effectively.

Active Directory is a hierarchically organized repository of data about network objects, providing convenient means for searching and using this data. A computer running Active Directory is called a domain controller. Almost all administrative tasks are related to Active Directory.

Active Directory technology is based on standard Internet protocols and helps to clearly define the network structure.

Active Directory and DNS

Active Directory uses the Domain Name System (DNS).

The Domain Name System (DNS) is a standard Internet service that organizes groups of computers into domains. DNS domains have a hierarchical structure that forms the basis of the Internet. The different levels of this hierarchy identify computers, organizational domains and top-level domains. DNS also serves to resolve host names, such as zeta.webatwork.com, to numeric IP addresses, such as 192.168.19.2. Using DNS, the Active Directory domain hierarchy can be integrated into the Internet namespace or kept independent and isolated from external access.

Resources in a domain are accessed by fully qualified host name, for example zeta.webatwork.com. Here zeta is the name of the individual computer, webatwork is the organization's domain, and com is the top-level domain. Top-level domains form the foundation of the DNS hierarchy and are therefore called root domains. They are organized geographically, with names based on two-letter country codes (ru for Russia), by type of organization (com for commercial organizations) and by purpose (mil for military organizations).

Regular domains, such as microsoft.com, are called parent domains because they form the basis of the organizational structure. Parent domains can be divided into subdomains for different branches or remote offices. For example, the full name of a computer in the Microsoft office in Seattle might be jacob.seattle.microsoft.com, where jacob is the computer name, seattle is the subdomain, and microsoft.com is the parent domain. Another name for a subdomain is child domain.

Active Directory components

Active Directory combines a physical and a logical structure for network components. The logical structures of Active Directory help organize directory objects and manage network accounts and shares. The logical structure includes the following elements:

organizational unit: a subgroup of computers, usually reflecting the structure of the company;

domain: a group of computers sharing a common directory database;

domain tree: one or more domains sharing a contiguous namespace;

domain forest: one or more trees sharing directory information.

Physical elements help plan the actual network structure. Physical structures define network connections and the physical boundaries of network resources. The physical structure includes the following elements:

subnet: a group of computers with a specified range of IP addresses and a network mask;

site: one or more subnets. Sites are used to configure directory access and replication.

Organizational units

Organizational units (OUs) are subgroups within domains that often reflect the functional structure of an organization. OUs are logical containers that hold accounts, shares and other OUs. For example, in the microsoft.com domain you can create the OUs Resources, IT and Marketing. This structure can then be expanded to contain child OUs.

An OU can contain only objects from its own domain. For example, OUs in the domain seattle.microsoft.com contain objects from that domain only; objects from my.microsoft.com cannot be added to them. OUs are very convenient for reflecting the functional or business structure of an organization, but this is not the only reason for using them.

OUs allow you to define Group Policy for a small set of resources in a domain without having to apply it to the entire domain. OUs create compact and more manageable views of the directory objects in a domain, which helps you manage resources more efficiently.

OUs allow you to delegate authority and control administrative access to domain resources, which helps set the limits of administrators' authority in the domain. For example, user A can be granted administrative rights for only one OU while user B is granted administrative rights for all OUs in the domain.

Domains

An Active Directory domain is a group of computers that share a common directory database. Active Directory domain names must be unique. For example, there cannot be two microsoft.com domains, but there can be a parent domain microsoft.com with child domains seattle.microsoft.com and my.microsoft.com. If the domain is part of a private network, the name assigned to the new domain must not conflict with any existing domain name on that network. If the domain is part of the Internet, its name must not conflict with any existing Internet domain name. To ensure that names are unique on the Internet, the parent domain name must be registered through an authorized registrar.

Each domain has its own security policies and trust relationships with other domains. Often, domains are distributed over several physical locations, that is, they consist of several sites, and sites combine several subnets. The domain directory database stores objects that define accounts for users, groups, and computers, as well as shared resources such as printers and folders.

The functions of a domain are limited and regulated by the mode of its operation. There are four domain functional modes:

Windows 2000 mixed mode: supports domain controllers running Windows NT 4.0, Windows 2000 and Windows Server 2003;

Windows 2000 native mode: supports domain controllers running Windows 2000 and Windows Server 2003;

Windows Server 2003 interim mode: supports domain controllers running Windows NT 4.0 and Windows Server 2003;

Windows Server 2003 mode: supports domain controllers running Windows Server 2003.

Forests and trees

Every Active Directory domain has a DNS-style name, such as microsoft.com. Domains that share directory data form a forest. The domain names of a forest can be non-contiguous (discontiguous) or contiguous in the DNS name hierarchy.

Domains with a contiguous naming structure are called a domain tree. If the domains of a forest have non-contiguous DNS names, they form separate domain trees in the forest. A forest can include one or more trees. Domain structures are accessed through the Active Directory Domains and Trusts console.

The functions of a forest are limited and regulated by the forest functional mode. There are three such modes:

Windows 2000: supports domain controllers running Windows NT 4.0, Windows 2000 and Windows Server 2003;

Windows Server 2003 interim: supports domain controllers running Windows NT 4.0 and Windows Server 2003;

Windows Server 2003: supports domain controllers running Windows Server 2003.

The latest Active Directory features are available in Windows Server 2003 mode: if all domains in the forest are running in this mode, you benefit from improved global catalog replication and more efficient replication of Active Directory data. You can also disable schema classes and attributes, use dynamic auxiliary classes, rename domains, and create one-way, two-way and transitive trusts in the forest.

Sites and subnets

A site is a group of computers on one or more IP subnets, used to plan the physical structure of a network. Sites are planned independently of the logical domain structure. Active Directory allows you to create multiple sites in one domain, or one site spanning multiple domains.

Unlike sites, which can span multiple IP address ranges, a subnet has a specific IP address range and network mask. Subnet names are specified in network/bit-mask format, for example 192.168.19.0/24, where the network address 192.168.19.0 and the netmask 255.255.255.0 are combined into the subnet name 192.168.19.0/24.

Computers are assigned to sites based on their location on a subnet or set of subnets. If the computers on the subnets can communicate with each other at high enough speed, they are said to be well connected.
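Both passages on sites, the earlier one describing how sites and the site-specific DNS records steer client logon and this one on assigning computers to sites by subnet, describe the same two steps: find the site from the IP address, then find a domain controller in that site. The Python code below is an added example, not part of the original text. The subnets, site names, hosts and SRV records are constructed; the record names `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` and `_ldap._tcp.dc._msdcs.<domain>` (and their `gc` counterparts under the forest root name) are the ones domain controllers register in DNS. When no subnet object matches, the computer lands in Default-First-Site-Name; when no site-specific record exists, the locator falls back to the domain-wide record.

```python
import ipaddress

DEFAULT_SITE = "Default-First-Site-Name"   # the site created with the forest


class SiteTopology:
    """Subnet objects mapped to sites, as in Active Directory Sites and Services."""

    def __init__(self):
        self.subnets = []                 # [(ip_network, site name)]

    def add_subnet(self, cidr, site):
        self.subnets.append((ipaddress.ip_network(cidr), site))

    def site_for(self, ip):
        """Site of a computer: the most specific subnet containing its address,
        or the default site when no subnet object matches."""
        addr = ipaddress.ip_address(ip)
        matches = [(net, site) for net, site in self.subnets if addr in net]
        if not matches:
            return DEFAULT_SITE
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def locator_queries(domain, site, role="dc"):
    """DNS names the DC locator asks for: the site-specific record first, then
    the domain-wide one. role 'dc' finds a domain controller; 'gc' finds a
    global catalog server, in which case domain is the forest root name."""
    return [f"_ldap._tcp.{site}._sites.{role}._msdcs.{domain}",
            f"_ldap._tcp.{role}._msdcs.{domain}"]


def locate(srv_records, domain, site, role="dc"):
    """Choose a server from SRV data (lowest priority, then highest weight).
    Returns (host, found_via_site_record) or None."""
    for index, name in enumerate(locator_queries(domain, site, role)):
        records = srv_records.get(name)
        if records:
            _prio, _weight, host = min(records, key=lambda r: (r[0], -r[1], r[2]))
            return host, index == 0
    return None


def sample_topology():
    """Constructed subnet-to-site mapping."""
    t = SiteTopology()
    t.add_subnet("192.168.19.0/24", "Seattle")
    t.add_subnet("10.0.0.0/8", "Corp")
    t.add_subnet("10.1.0.0/16", "London")   # more specific than 10.0.0.0/8
    return t


# Constructed SRV records in the form (priority, weight, target host).
SAMPLE_SRV = {
    "_ldap._tcp.Seattle._sites.dc._msdcs.contoso.com": [(0, 100, "dc1.contoso.com")],
    "_ldap._tcp.dc._msdcs.contoso.com": [(0, 100, "dc1.contoso.com"),
                                         (0, 200, "dc2.contoso.com")],
}


def logon_lookup(ip, domain="contoso.com", topology=None, srv=SAMPLE_SRV):
    """What a client at ip does at logon: work out its site, then locate a DC."""
    site = (topology or sample_topology()).site_for(ip)
    return site, locate(srv, domain, site)


if __name__ == "__main__":
    for ip in ("192.168.19.2", "10.1.2.3", "172.16.0.1"):
        print(ip, logon_lookup(ip))
```

A client at 192.168.19.2 is placed in Seattle and finds dc1 through the site-specific record; a client at 10.1.2.3 is placed in London (the /16 beats the /8) and, since no London controller is registered, falls back to the domain-wide record; a client on an unlisted subnet lands in the default site.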

Ideally, sites are made up of well-connected subnets and computers. If traffic between subnets and computers is slow, you may need to create multiple sites. Good connectivity gives sites some advantages.

When a client logs on to a domain, the authentication process first looks for a domain controller in the client's site, so that local controllers are queried first whenever possible, which limits network traffic and speeds up authentication.

Directory information is replicated more frequently inside sites than between sites. This reduces cross-network traffic caused by replication and ensures that local domain controllers quickly receive updated information.

You can configure the order in which directory data is replicated using site links. For example, you can designate a bridgehead server for replication between sites.

The bulk of the cross-site replication load then falls on this dedicated server rather than on any available server in the site. Sites and subnets are configured in the Active Directory Sites and Services console.

Working with Active Directory domains

In a Windows Server 2003 network, Active Directory is configured together with DNS. However, Active Directory domains and DNS domains have different purposes. Active Directory domains help manage accounts, resources and security.

The DNS domain hierarchy is designed primarily for name resolution.

Computers running Windows XP Professional and Windows 2000 can take full advantage of Active Directory. They operate on the network as Active Directory clients and have access to the transitive trust relationships that exist in a domain tree or forest. These relationships allow authorized users to access resources in any domain in the forest.

A Windows Server 2003 system functions either as a domain controller or as a member server. Member servers become controllers after Active Directory is installed; controllers are demoted to member servers after Active Directory is removed.

Both operations are performed with the Active Directory Installation Wizard. There can be multiple controllers in a domain. They replicate directory data among themselves using a multi-master replication model, which allows each controller to process directory changes and then propagate them to the other controllers. In a multi-master structure, all controllers have equal responsibility by default. However, you can give some domain controllers priority over others for certain tasks, such as designating a bridgehead server that has priority when replicating directory data to other sites.

In addition, some tasks are better performed on a dedicated server. A server that handles a specific type of task is called an operations master.

Accounts are created for all Windows 2000, Windows XP Professional, and Windows Server 2003 computers that are joined to a domain and, like other resources, they are stored as Active Directory objects. Computer accounts are used to control access to the network and its resources. Before a computer can access a domain using its account, it must undergo an authentication procedure.

Directory structure

Directory data is made available to users and computers through the data store and global catalogs. Although most Active Directory features affect the data store, global catalogs (GCs) are no less important, because they are used for logon and for searching for information. If no GC is available, regular users cannot log on to the domain. The only way around this is to cache universal group membership locally.

Access to and distribution of Active Directory data is provided by directory access protocols and by replication.

Replication is needed to distribute updated data to the controllers. The main method for distributing updates is multi-master replication, but some changes are processed only by specialized controllers, the operations masters.

The way multi-master replication is performed in Windows Server 2003 has also changed with the introduction of application directory partitions. Through them, system administrators can create replication partitions in a domain forest: logical structures used to manage replication within the forest. For example, you can create a partition that handles the replication of DNS information within a domain; other systems in the domain are then not allowed to replicate that DNS information.

Application directory partitions can be a child of a domain, a child of another application partition, or a new tree in the forest. Replicas of partitions can be hosted on any Active Directory domain controller, including global catalog servers. Although application directory partitions are useful in large domains and forests, they increase planning, administration and maintenance costs.

Data store

The data store contains information about the most important objects of the Active Directory directory service: accounts, shared resources, OUs and group policies. Sometimes the data store is simply called the directory. On a domain controller the directory is stored in the NTDS.DIT file, whose location is chosen when Active Directory is installed (it must be on an NTFS volume). Some directory data can be stored separately from the main store, for example group policies, scripts and other information recorded in the SYSVOL system share.

Making directory information available is called publishing. For example, when a printer is shared on the network it is published; shared folder information is published, and so on. Domain controllers replicate most changes to the data store in a multi-master fashion. An administrator in a small or medium-sized organization rarely manages replication of the data store because it is automatic, but it can be configured to suit the specifics of the network architecture.

Not all directory data is replicated, only:

Domain data - information about objects in the domain, including account objects, shared resources, OUs and group policies;

Configuration data - information about the directory topology: a list of all domains, trees and forests, as well as the location of controllers and GC servers;

Schema data - information about all objects and data types that can be stored in the directory; the standard Windows Server 2003 schema describes account objects, shared resource objects, etc., and can be extended by defining new objects and attributes or by adding attributes to existing objects.

Global catalog

If universal group membership is not cached locally, network logon relies on the universal group membership information provided by the GC.

The GC also provides directory searches across all domains in the forest. A domain controller acting as a GC server stores a full replica of all directory objects in its own domain and a partial replica of the objects in the other domains of the forest.

Only a few object properties are needed for logon and search, so partial replicas are sufficient. Forming a partial replica requires transferring less data during replication, which reduces network traffic.

By default, the first domain controller becomes the GC server. Therefore, if there is only one controller in a domain, the GC server and the domain controller are the same server. You can place the GC on another controller to reduce the wait for a logon response and to speed up searching. It is recommended to create one GC in each site of the domain.

There are several ways to handle logons from a remote office that has no GC. Of course, you can create a GC server on one of the domain controllers in the remote office. The disadvantage of this method is that it increases the load on the GC server, which may require additional resources and careful planning of the server's operating time.

Another option is to cache universal group membership locally. In this case any domain controller can service logon requests locally, without contacting a GC server. This speeds up the logon procedure and eases the situation if a GC server fails. In addition, it reduces replication traffic.

Instead of periodically replicating the entire universal group across the whole network, it is enough to refresh the cached universal group membership information. By default, the refresh occurs every eight hours on each domain controller that uses local universal group membership caching.

Universal group membership caching is configured individually for each site. Recall that a site is a physical structure consisting of one or more subnets, each with its own set of IP addresses and a network mask. Windows Server 2003 domain controllers and the GC they contact must be in the same site. If there are several sites, you will have to configure local caching on each of them. Additionally, users logging on at the site must belong to a Windows Server 2003 domain running in Windows Server 2003 forest mode.
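The recommendation above (one GC per site, or universal group membership caching where there is none) can be checked across the whole forest. The following script is an added example, not code from the article; it assumes the RSAT ActiveDirectory module (Windows Server 2012 or later) and read access to the Configuration partition. Caching is a per-site setting held on the site's NTDS Site Settings object, where bit 0x20 of the options attribute marks group caching as enabled.

```powershell
# Added example, not from the article: report global catalog coverage per site
# and whether universal group membership caching (UGMC) is enabled where no GC
# exists. Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-SiteGcCoverage {
    # Collect domain controllers from every domain in the forest, since the GC
    # serving a site may belong to any domain.
    $dcs = foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $d
    }

    foreach ($site in Get-ADReplicationSite -Filter *) {
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $siteGcs = @($siteDcs | Where-Object { $_.IsGlobalCatalog })

        # UGMC is stored on the site's NTDS Site Settings object; bit 0x20 of
        # its 'options' attribute means group membership caching is enabled.
        $settings  = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                                  -Properties options
        $cachingOn = ([int]$settings.options -band 0x20) -ne 0

        $assessment = if ($siteGcs.Count -gt 0) {
            'OK: local GC'
        } elseif ($cachingOn) {
            'Caching only: logons survive a GC outage; cache refreshed every 8 h by default'
        } else {
            'No GC and no caching: logons depend on a GC in another site'
        }

        [pscustomobject]@{
            Site        = $site.Name
            DCs         = $siteDcs.Count
            GCs         = $siteGcs.Count
            UGMCEnabled = $cachingOn
            Assessment  = $assessment
        }
    }
}

Get-SiteGcCoverage | Format-Table -AutoSize
```

Sites reported as "No GC and no caching" are the ones where a WAN outage between the site and the nearest GC will stop regular users from logging on, which is exactly the failure mode the text describes.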

Replication in Active Directory

The directory stores three types of information: domain data, schema data and configuration data. Domain data is replicated to all domain controllers in the domain. All domain controllers have equal rights, i.e. changes made on any domain controller are replicated to all other domain controllers. Schema and configuration data are replicated to all domains in the tree or forest. In addition, all objects of an individual domain and some properties of forest objects are replicated to the GC. This means that a domain controller stores and replicates the schema for the tree or forest, configuration information for all domains in the tree or forest, and all directory objects and properties for its own domain.

A domain controller that hosts the GC stores and replicates schema information for the forest, configuration information for all domains in the forest, a limited set of properties for all directory objects in the forest (replicated only between GC servers), and all directory objects and properties for its own domain.

To understand the essence of replication, consider this scenario for setting up a new network.

1. The first controller is installed in domain A. This server is the only domain controller; it is also the GC server. Replication does not occur in such a network, since there are no other controllers.

2. A second controller is installed in domain A, and replication begins. You can designate one controller as the infrastructure master and the other as the GC server. The infrastructure master monitors the GC and requests updates for changed objects. Both controllers also replicate schema and configuration data.

3. A third controller is installed in domain A; it is not a GC server. The infrastructure master monitors the GC for updates, requests them for changed objects, and then replicates the changes to the third domain controller. All three controllers also replicate schema and configuration data.

4. A new domain B is created and controllers are added to it. The GC servers in Domain A and Domain B replicate all schema and configuration data, as well as a subset of the domain data from each domain. Replication in domain A continues as described above, plus replication within domain B begins.
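The scenario above is easiest to verify on a real forest by looking at each controller's inbound replication partners per partition. The following is an added example, not the article's code; it assumes the RSAT ActiveDirectory module, and the 24-hour staleness threshold is an assumed value to adjust to your replication topology.

```powershell
# Added example, not from the article: forest-wide replication health.
# For every DC it lists inbound partners per naming context (schema,
# configuration, domain and application partitions) and flags partners whose
# last successful replication is older than $StaleHours, then summarises any
# failures the DCs have recorded. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$StaleHours = 24)   # assumed threshold; tune to your topology

    $forest = Get-ADForest
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    $dcs    = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

    foreach ($dc in $dcs) {
        # -Partition * covers every naming context the DC holds. The output
        # shows what the text describes: schema and configuration partitions
        # replicate everywhere, domain partitions only among that domain's DCs.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * `
                                                 -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            [pscustomobject]@{
                Server      = $dc.HostName
                # Partner is the DN of the partner's NTDS Settings object; keep its server name.
                Partner     = $m.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
                Partition   = $m.Partition
                LastSuccess = $m.LastReplicationSuccess
                Failures    = $m.ConsecutiveReplicationFailures
                Stale       = ($m.LastReplicationSuccess -lt $cutoff)
            }
        }
    }
}

function Get-ReplicationFailureSummary {
    # Failures recorded on every DC in the forest (for example, a partner that
    # could not be contacted), as an incident-response starting point.
    Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# Show only the links that need attention.
Get-ReplicationHealth | Where-Object { $_.Stale -or $_.Failures -gt 0 } | Format-Table -AutoSize
Get-ReplicationFailureSummary | Format-Table -AutoSize
```

A partner that is stale on the domain partition but current on schema and configuration usually points at a problem specific to that domain's replication links rather than at the whole DC, which narrows the search considerably.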

Active Directory and LDAP

Lightweight Directory Access Protocol (LDAP) is a standard protocol for Internet connections in TCP/IP networks. LDAP is designed specifically for accessing directory services with minimal overhead. LDAP also defines the operations used to query and change directory information.

Active Directory clients use LDAP to communicate with computers running Active Directory whenever they log on to the network or search for shared resources. LDAP simplifies directory interconnection and migration to Active Directory from other directory services. To improve compatibility, you can use the Active Directory Service Interfaces (ADSI).

Operations Master Roles

The operations master handles tasks that are inconvenient to perform in a multi-master replication model. There are five operations master roles, which can be assigned to one or more domain controllers. Some roles must be unique at the forest level, others at the domain level. The following roles must exist in every Active Directory forest:

Schema master - manages updates and changes to the directory schema. To update the directory schema you must have access to the schema master. To determine which server currently holds the schema master role, open a command prompt and enter: dsquery server -hasfsmo schema.

Domain naming master - manages the addition and removal of domains in the forest. To add or remove a domain, you need access to the domain naming master. To determine which server is currently the domain naming master, just enter in the command line window: dsquery server -hasfsmo name.

These roles, common to the forest as a whole, must be unique to it.

The following roles are required in every Active Directory domain.

Relative ID master - allocates relative identifiers (RIDs) to domain controllers. Every time a user, group or computer object is created, the controller assigns the object a unique security identifier consisting of the domain security identifier and a unique relative identifier allocated by the relative ID master. To determine which server currently holds the relative ID master role in the domain, enter at the command prompt: dsquery server -hasfsmo rid.

PDC emulator - in mixed or interim domain mode, acts as the Windows NT primary domain controller. It authenticates Windows NT logons, handles password changes and replicates updates to the BDCs. To determine which server is currently the PDC emulator in the domain, enter at the command prompt: dsquery server -hasfsmo pdc.

Infrastructure master - updates object references by comparing its directory data with the GC data. If the data is out of date, it requests updates from the GC and replicates them to the remaining controllers in the domain. To determine which server currently holds the infrastructure master role in the domain, enter at the command prompt: dsquery server -hasfsmo infr.

These roles, which are common to the entire domain, must be unique within the domain. In other words, you can configure only one relative ID master, one PDC emulator and one infrastructure master per domain.

Operations master roles are assigned automatically, but they can be reassigned. When a new network is installed, the first domain controller of the first domain assumes all operations master roles. If a new child domain or the root domain of a new tree is later created, the operations master roles are likewise automatically assigned to its first domain controller. In a new domain forest, the first domain controller is assigned all operations master roles. If a new domain is created in the same forest, its first controller is assigned the relative ID master, PDC emulator and infrastructure master roles; the schema master and domain naming master roles remain in the first domain of the forest.

If there is only one controller in a domain, it performs all operations master roles. If there is only one site on the network, the standard location of operations masters is optimal. But as you add domain controllers and domains, sometimes you need to move the operations master roles to other domain controllers.

If there are two or more domain controllers in a domain, it is recommended to prepare two domain controllers to hold the operations master roles. For example, designate one domain controller as the primary operations master and the other as a standby, which will be needed if the primary fails.
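The five dsquery commands above answer the question one role at a time. The following script is an added example, not code from the article; it assumes the RSAT ActiveDirectory module and a domain-joined session. It lists all five holders from the forest and domain objects, confirms that each holder actually answers LDAP (a listed holder that is down blocks schema changes, domain creation and RID allocation), and flags the placement issue where the infrastructure master sits on a GC in a multi-domain forest while other DCs are not GCs, in which case it stops updating cross-domain references.

```powershell
# Added example, not from the article: inventory the five operations master
# (FSMO) role holders, check that each one is reachable over LDAP, and warn
# about an infrastructure master hosted on a GC in a multi-domain forest.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles are read from the forest object, domain-wide roles
    # from the domain object (same data dsquery -hasfsmo reports).
    $roles = [ordered]@{
        SchemaMaster         = @{ Scope = 'Forest'; Holder = $forest.SchemaMaster }
        DomainNamingMaster   = @{ Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
        RIDMaster            = @{ Scope = 'Domain'; Holder = $dom.RIDMaster }
        PDCEmulator          = @{ Scope = 'Domain'; Holder = $dom.PDCEmulator }
        InfrastructureMaster = @{ Scope = 'Domain'; Holder = $dom.InfrastructureMaster }
    }

    foreach ($name in $roles.Keys) {
        $holder    = $roles[$name].Holder
        $note      = ''
        $reachable = $false
        try {
            # Query the holder itself, so a DC that is still listed as holder
            # but no longer answering LDAP shows up as unreachable.
            $dc = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
            $reachable = $true

            # Known placement issue: in a multi-domain forest the infrastructure
            # master never updates cross-domain references if it is a GC while
            # other DCs in the domain are not.
            if ($name -eq 'InfrastructureMaster' -and $dc.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
                $nonGc = @(Get-ADDomainController -Filter * -Server $dom.DNSRoot |
                           Where-Object { -not $_.IsGlobalCatalog }).Count
                if ($nonGc -gt 0) { $note = 'Infrastructure master is a GC while other DCs are not' }
            }
        } catch {
            $note = $_.Exception.Message
        }

        [pscustomobject]@{
            Role      = $name
            Scope     = $roles[$name].Scope
            Holder    = $holder
            Reachable = $reachable
            Note      = $note
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```

Running this from a scheduled task and alerting on any Reachable = False row gives early warning of the failure the text warns about: a single holder that is down is not noticed by multi-master replication, only by the next administrator who needs that role.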

Active Directory Administration

Using the Active Directory service, computer accounts are created and joined to the domain, and computers, domain controllers and organizational units (OUs) are managed.

Administration and support tools are provided to manage Active Directory. The tools listed below are also implemented as snap-ins for the Microsoft Management Console (MMC):

Active Directory Users and Computers allows you to manage users, groups, computers and organizational units (OUs);

Active Directory Domains and Trusts serves to work with domains, domain trees and domain forests;

Active Directory Sites and Services allows you to manage sites and subnets;

Resultant Set of Policy is used to view the current policy of a user or computer and to plan changes to the policy.

In Microsoft Windows Server 2003 you can access these snap-ins directly from the Administrative Tools menu.

Another administrative tool is the Active Directory Schema snap-in, which allows you to manage and modify the directory schema.

Active Directory Command Line Utilities

To manage Active Directory objects there are command line tools that allow you to perform a wide range of administrative tasks:

DSADD - adds computers, contacts, groups, OUs and users to Active Directory.

DSGET - displays the properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.

DSMOD - changes the properties of computers, contacts, groups, OUs, users and servers registered in Active Directory.

DSMOVE - moves a single object to a new location within a domain or renames an object without moving it.

DSQUERY - searches for computers, contacts, groups, OUs, users, sites, subnets and servers in Active Directory according to specified criteria.

DSRM - removes an object from Active Directory.

NTDSUTIL - allows you to view information about a site, domain or server, manage operations masters and maintain the Active Directory database.

The domain or forest functional level determines the functionality available for use. A higher domain or forest functional level allows you to use additional features that appeared in recent versions of Active Directory. However, even if you use the latest versions of domain controllers but have not raised your domain's functional level, the new AD domain functionality will not be available.
For example, if you have Windows Server 2012 or Windows Server 2016 domain controllers installed but the domain functional level is Windows Server 2003, a feature such as the Active Directory Recycle Bin will not be available, since the ability to enable it appears only at the Windows Server 2008 R2 domain functional level and above.

Determine the current domain and forest functional level through the GUI
To determine the current domain and forest functional level using the GUI, you must launch the Active Directory Domains and Trusts snap-in and the General tab will display the current domain and forest functional level.


Determine current functional level via PowerShell

To determine the current functional level of a domain using PowerShell, start Windows PowerShell and run the command:
Get-ADDomain | fl Name, DomainMode
To determine the current forest functional level using PowerShell, start Windows PowerShell and run the command:
Get-ADForest | fl Name, ForestMode
The result of executing the commands is shown in the figure below:

How to increase the functional level of a domain through the GUI

Before you can promote a domain functional level, all domain controllers must be running the same version of Windows Server or later. For example, before you can promote a domain functional level to Windows Server 2012 R2, all domain controllers in the domain must be running Windows Server 2012 R2 or higher. When setting up a new AD domain, it is recommended to set the domain functional level to the highest possible level, provided that you do not plan to use older versions of servers as domain controllers. Raising the domain functional level will allow you to gain access to features that are exclusive to a particular domain functional level. To raise the functional level of a domain, you must be a member of the Domain Admins group.
To raise the domain functional level using the GUI, open the Active Directory Domains and Trusts snap-in. Right-click the domain whose functional level you want to raise and select Raise Domain Functional Level:

In the window that opens, select the desired functional level of the domain and click the Raise button


How to increase the functional level of the forest through the GUI

Before you can raise the forest functional level, all domains in the forest must be configured to the same functional level or to a higher domain functional level. To increase the forest functional level, you must be a member of the Enterprise Admins group.
To raise the forest functional level using the GUI, open the Active Directory Domains and Trusts snap-in. Right-click the root item of the tree in the Active Directory Domains and Trusts snap-in and select Raise Forest Functional Level:


In the window that opens, select the desired forest functional level and click the Raise button

Important: Domain and forest functional level elevations cannot be reversed or downgraded. Exception: Domain functional level can only be downgraded from Windows Server 2008 R2 to Windows Server 2008; in all other cases this operation cannot be reversed.

How to Raise a Domain Functional Level Using PowerShell

To raise the functional level of a domain using PowerShell, run the command:
Set-ADDomainMode -Identity lab.lan -DomainMode Windows2012R2Domain
where:
Identity - DNS domain name (in the example, the domain name is lab.lan)
DomainMode - target functional level of the domain. This parameter can take the following values:
  • Windows Server 2000: 0 or Windows2000Domain
  • Windows Server 2003 Interim Domain: 1 or Windows2003InterimDomain
  • Windows Server 2003: 2 or Windows2003Domain
  • Windows Server 2008: 3 or Windows2008Domain
  • Windows Server 2008 R2: 4 or Windows2008R2Domain
  • Windows Server 2012: 5 or Windows2012Domain
  • Windows Server 2012 R2: 6 or Windows2012R2Domain
  • Windows Server 2016: 7 or Windows2016Domain
How to raise the forest functional level using PowerShell
To raise the functional level of the forest using PowerShell, run the command:
Set-ADForestMode -Identity lab.lan -ForestMode Windows2012Forest
where:
Identity - DNS forest name (in the example, the forest name is lab.lan)
ForestMode - target functional level of the forest. This parameter can take the following values:
  • Windows Server 2000: Windows2000Forest or 0
  • Windows Server 2003 Interim: Windows2003InterimForest or 1
  • Windows Server 2003: Windows2003Forest or 2
  • Windows Server 2008: Windows2008Forest or 3
  • Windows Server 2008 R2: Windows2008R2Forest or 4
  • Windows Server 2012: Windows2012Forest or 5
  • Windows Server 2012 R2: Windows2012R2Forest or 6
  • Windows Server 2016: Windows2016Forest or 7
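Because a raise cannot be undone, the two prerequisites stated above (every DC runs at least the OS that introduced the target domain level; every domain is already at or above the target forest level) are worth checking by script before Set-ADDomainMode or Set-ADForestMode is run. The following is an added example, not the article's code; it assumes the RSAT ActiveDirectory module, uses the article's example name lab.lan, and maps each level to the Windows version number that introduced it (Windows Server 2008 = 6.0, 2008 R2 = 6.1, 2012 = 6.2, 2012 R2 = 6.3, 2016 = 10.0). The cmdlets are only invoked with -WhatIf unless -Apply is passed.

```powershell
# Added example, not from the article: pre-flight checks before raising a domain
# or forest functional level. Raising is irreversible, so the functions refuse to
# proceed if any DC (or any domain, for the forest) does not meet the target.
# Assumes the RSAT ActiveDirectory module; lab.lan is the article's example name.
Import-Module ActiveDirectory

# Minimum Windows version (major.minor) a DC must run for each target domain level.
$MinOsVersion = @{
    Windows2008Domain   = [version]'6.0'
    Windows2008R2Domain = [version]'6.1'
    Windows2012Domain   = [version]'6.2'
    Windows2012R2Domain = [version]'6.3'
    Windows2016Domain   = [version]'10.0'
}

function Invoke-DomainLevelRaise {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)]
        [ValidateSet('Windows2008Domain','Windows2008R2Domain','Windows2012Domain','Windows2012R2Domain','Windows2016Domain')]
        [string]$TargetMode,
        [switch]$Apply
    )
    $dom      = Get-ADDomain -Identity $Domain
    $required = $MinOsVersion[$TargetMode]
    Write-Host "Domain $($dom.DNSRoot): current level $($dom.DomainMode), target $TargetMode"

    # Every DC in the domain must run at least the OS that introduced the target level.
    $blocking = Get-ADDomainController -Filter * -Server $dom.DNSRoot | ForEach-Object {
        # OperatingSystemVersion looks like "10.0 (14393)"; keep the major.minor part.
        $ver = [version](($_.OperatingSystemVersion -split ' ')[0])
        if ($ver -lt $required) { $_ }
    }
    if ($blocking) {
        $blocking | Select-Object HostName, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize
        Write-Warning "Not raising $($dom.DNSRoot): the DCs above run an OS older than $required."
        return $false
    }

    # Nothing to do if the domain is already at or above the target (enum values 0..7 as listed above).
    $targetValue = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]$TargetMode
    if ([int]$dom.DomainMode -ge $targetValue) {
        Write-Host "Domain is already at $($dom.DomainMode); nothing to do."
        return $true
    }

    if ($Apply) { Set-ADDomainMode -Identity $dom.DNSRoot -DomainMode $TargetMode }
    else        { Set-ADDomainMode -Identity $dom.DNSRoot -DomainMode $TargetMode -WhatIf }
    return $true
}

function Invoke-ForestLevelRaise {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Windows2008Forest','Windows2008R2Forest','Windows2012Forest','Windows2012R2Forest','Windows2016Forest')]
        [string]$TargetMode,
        [switch]$Apply
    )
    $forest      = Get-ADForest
    $targetValue = [int][Microsoft.ActiveDirectory.Management.ADForestMode]$TargetMode
    Write-Host "Forest $($forest.Name): current level $($forest.ForestMode), target $TargetMode"

    # Every domain must already be at the corresponding domain level or higher
    # (domain and forest level enumerations share the same numeric values).
    $behind = foreach ($d in $forest.Domains) {
        $dm = Get-ADDomain -Identity $d
        if ([int]$dm.DomainMode -lt $targetValue) { $dm }
    }
    if ($behind) {
        $behind | Select-Object DNSRoot, DomainMode | Format-Table -AutoSize
        Write-Warning "Not raising the forest: the domains above are below $TargetMode."
        return $false
    }

    if ($Apply) { Set-ADForestMode -Identity $forest.Name -ForestMode $TargetMode }
    else        { Set-ADForestMode -Identity $forest.Name -ForestMode $TargetMode -WhatIf }
    return $true
}

# Dry run with the article's example values; add -Apply to perform the raise.
Invoke-DomainLevelRaise -Domain 'lab.lan' -TargetMode Windows2012R2Domain
Invoke-ForestLevelRaise -TargetMode Windows2012Forest
```

The order matters: the domain raise must succeed in every domain before the forest raise is attempted, which is why the forest function re-reads each domain's current level rather than trusting an earlier run.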
