Active Directory Domain Services (ADDS) | Windows Server

Active Directory Domain Services (ADDS) is a directory service that stores information about all objects in the domain, including devices and users, verifies their credentials, and defines their access rights. ADDS provides secure, structured, searchable, hierarchical storage for those objects, so an administrator can manage all of them from one place. An Active Directory domain controller is a server that runs Active Directory Domain Services; the domain controller verifies credentials and access rights when a user logs on to a device and accesses another device across the network. ADDS is composed of both logical and physical components. The logical components are the structures you use to implement an Active Directory design that is appropriate for an organization.

Active Directory Logical Components

  • Partition
    The Active Directory database is organized into partitions. Different partitions contain different data and follow a specific replication pattern.
  • Schema
    The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object.
  • ADDS forest
    A forest is a collection of one or more Active Directory domain trees that share a common directory schema and global catalog.
  • Domain tree
    A domain tree is a collection of one or more domains that share a common root name and a contiguous Domain Name System namespace.
  • Domain
    An ADDS domain is a logical administrative container for objects such as users, computers, groups, and other objects.
  • Organizational unit and container
    An organizational unit (OU) is a group of objects within a domain, used to consolidate users, computers, groups, and other objects. The primary difference between OUs and containers is their management capabilities: containers have limited management capabilities, and a GPO cannot be linked directly to a container.

Active Directory Physical Components

  • Global catalog
    The global catalog is a partial, read-only, searchable copy of all objects in the forest. It speeds up searches for objects that might be stored on any domain controller in the forest.
  • Data store
    ADDS information is stored within the directory database. The AD DS database uses Microsoft Jet database technology and stores the directory information in the Ntds.dit file and associated log files.
  • Site
    A site is a container for AD DS objects, such as computers and services, that are specific to a physical location.
  • Subnet
    A subnet is a portion of the network IP addresses assigned to computers in a site. A site can have one or more subnets.
  • RODC (read-only domain controller)
    A read-only domain controller (RODC) is a server that contains a read-only copy of the Active Directory database and responds to security authentication requests.
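The sites, subnets and domain controllers described above are ordinary directory objects and can be inventoried with the ActiveDirectory PowerShell module. The script below is an added example, not code from the original article: it maps every site to its subnets and domain controllers (RODCs listed separately), and reports two topology gaps that matter operationally, subnets assigned to no site (clients on them cannot be matched to a nearby DC) and sites that own subnets but have no DC or RODC. It assumes the ActiveDirectory RSAT module is installed and that the caller has read access to the forest configuration partition.

```powershell
# Added example (not from the original article): report the AD physical topology.
# Assumes the ActiveDirectory module (RSAT) and read rights to the forest (assumption).
Import-Module ActiveDirectory

function Get-SiteTopologyReport {
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    # Get-ADDomainController without -Server enumerates DCs of the current domain only.
    $dcs     = Get-ADDomainController -Filter *

    foreach ($site in $sites) {
        # A subnet's Site attribute is the distinguished name of the site it is assigned to;
        # a DC's Site property is the site name.
        $siteSubnets = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName }
        $siteDcs     = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $siteRodcs   = @($siteDcs | Where-Object { $_.IsReadOnly })

        [pscustomobject]@{
            Site    = $site.Name
            Subnets = ($siteSubnets.Name -join ', ')
            DCs     = ($siteDcs.HostName -join ', ')
            RODCs   = ($siteRodcs.HostName -join ', ')
            HasDc   = ($siteDcs.Count -gt 0)
        }
    }

    # Subnets with no site at all are reported under a pseudo-site so they are not lost.
    $orphans = @($subnets | Where-Object { -not $_.Site })
    if ($orphans.Count -gt 0) {
        [pscustomobject]@{
            Site    = '<unassigned>'
            Subnets = ($orphans.Name -join ', ')
            DCs     = ''
            RODCs   = ''
            HasDc   = $false
        }
    }
}

# Usage: full site/subnet/DC map, then only the sites that own subnets but have no DC
# (clients there will authenticate against a DC in another site, across a WAN link).
$report = Get-SiteTopologyReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.HasDc -and $_.Subnets }
```

For a multi-domain forest, run the domain-controller query once per domain with `-Server` so that DCs of every domain are included in the per-site totals.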

Active Directory FSMO Roles

Flexible Single Master Operation (FSMO) roles can be assigned to different or the same domain controllers to prevent multiple domain controllers from simultaneously making changes to the same Active Directory objects. By default, the first domain controller installed in a forest hosts all five roles, and the roles can be transferred after additional domain controllers are deployed. Each forest has one schema master and one domain naming master, and each AD DS domain has one relative ID master, one infrastructure master, and one primary domain controller emulator.

  • Schema master
    The schema master FSMO role holder is the DC responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it’s replicated from the schema master to all other DCs in the directory.
  • Domain naming master
    The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This is the domain controller that you must contact when you add or remove a domain or make domain name changes.
  • Relative ID (RID) master
    The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It’s also responsible for removing an object from its domain and putting it in another domain during an object move.
  • Primary domain controller (PDC) emulator
    The PDC emulator is necessary to synchronize time in an enterprise. Password changes done by other DCs in the domain are replicated preferentially to the PDC emulator. When authentication failures occur at a given DC because of an incorrect password, the failures are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator.
  • Infrastructure master
    The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference.
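Because each of these roles has exactly one holder per forest or per domain, the role holders are worth inventorying and monitoring: a role holder that is offline stalls schema changes, RID allocation or account lockout processing, and a role that has moved to an unexpected server is something an administrator should know about. The following script is an added example, not part of the original article: it reads the forest-wide and per-domain role holders, pings each one, and compares the holders against an approved list. It assumes the ActiveDirectory RSAT module is available, that the caller can read the forest, and that you maintain the list of expected holders yourself (the article does not define one).

```powershell
# Added example (not from the original article): inventory FSMO role holders.
# Assumes the ActiveDirectory module (RSAT) and forest read rights (assumption).
Import-Module ActiveDirectory

function Get-FsmoInventory {
    [CmdletBinding()]
    param(
        # Hostnames of DCs that are allowed to hold roles (assumption: maintained by you).
        # When empty, every holder is treated as expected.
        [string[]]$ExpectedHolders = @()
    )

    $forest = Get-ADForest
    $roles  = @()

    # Forest-wide roles: exactly one schema master and one domain naming master.
    $roles += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $roles += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

    # Per-domain roles: one RID master, PDC emulator and infrastructure master per domain.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        $roles += [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    }

    foreach ($r in $roles) {
        # -Quiet returns $true/$false instead of throwing when the host does not answer.
        $reachable = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        $expected  = ($ExpectedHolders.Count -eq 0) -or ($ExpectedHolders -contains $r.Holder)
        $r | Add-Member -NotePropertyName Reachable -NotePropertyValue $reachable
        $r | Add-Member -NotePropertyName Expected  -NotePropertyValue $expected
    }
    return $roles
}

# Usage: the hostnames below are placeholders; replace them with your own role holders.
$inventory = Get-FsmoInventory -ExpectedHolders @('DC01.example.internal', 'DC02.example.internal')
$inventory | Format-Table Scope, Role, Holder, Reachable, Expected -AutoSize
# Findings worth acting on: a role holder that is down, or one not on the approved list.
$inventory | Where-Object { -not $_.Reachable -or -not $_.Expected }
```

The same holder list can be obtained interactively with `netdom query fsmo`; the scripted form is easier to schedule and to diff against a previous run.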

Group Policy

Group Policy is a feature of the Microsoft Windows operating systems that controls the working environment of user accounts and computer accounts. It provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A Group Policy object (GPO) is an object that contains one or more policy settings that apply to one or more configuration settings for a user or a computer. A GPO can be linked to one or more Active Directory containers, such as a domain or an organizational unit.
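Since a GPO only takes effect through its links, reviewing where GPOs are linked (and whether a container blocks inheritance or a link is disabled) is the quickest way to confirm that a security baseline actually reaches the users and computers it is meant for. The script below is an added example, not code from the original article: it walks the domain root and every organizational unit, lists each linked GPO with its link order, enabled and enforced flags, and marks containers that block inheritance. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the caller can read GPO links in the domain.

```powershell
# Added example (not from the original article): audit GPO links across a domain.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed (assumption).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkAudit {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the domain of the current user.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName

    # GPOs can be linked to the domain and to OUs; plain containers such as CN=Users
    # cannot carry links, so the domain root plus every OU is the complete set of targets.
    $targets = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
                                Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                Container          = $dn
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                Order              = $link.Order
                Gpo                = $link.DisplayName
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
            }
        }
    }
}

# Usage: full report ordered the way Group Policy processes it, then two findings
# a reviewer checks first: OUs that block inheritance (a domain-level baseline does
# not reach them unless the link is Enforced) and links that exist but are disabled.
$audit = Get-GpoLinkAudit
$audit | Sort-Object Container, Order | Format-Table -AutoSize
$audit | Where-Object { $_.InheritanceBlocked } | Select-Object -ExpandProperty Container -Unique
$audit | Where-Object { -not $_.LinkEnabled }
```

An OU with no links produces no rows, so an OU that is absent from the report is one that relies entirely on inherited policy; `Get-GPInheritance` also exposes `InheritedGpoLinks` if you want to show the effective, inherited set per container as well.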
