Windows Server 2022

Active Directory Domain Services (ADDS) | Windows Server

Active Directory Domain Services (ADDS) is a directory service that stores information about all objects in the domain and makes this data available to network users and administrators. It provides secure, structured, hierarchical data storage for objects, and the admin can easily manage all objects. Active Directory is a directory service developed by Microsoft for Windows domain networks. A directory is a hierarchical structure that stores information about objects on the network. It stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights. An Active Directory domain controller is a server running Active Directory Domain Services. ADDS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process.

Active Directory Logical & Physical Components

Active Directory Domain Service is composed of logical and physical components. ADDS logical components are structures that are used to implement an Active Directory design that is appropriate for an organization. Active Directory Logical components are Partitions, Schema, Domain Trees, Domains, Forests, OU, and Container. Active Directory Physical components: Domain controllers, Data stores, Global Catalog servers, Read-only domain controller (RODC), Site, and Subnet.


The Active Directory database is organized in partitions. Different partitions contain different data and follow a specific replication pattern.

  • Configuration: This partition contains information on the physical structure and configuration of the forest. It replicates to all domains in the forest.
  • Schema: This partition contains the definition of object classes and attributes within the forest. It replicates to all domains in the forest.
  • Domain: Partition contains all objects created in that domain and replicates only within its domain.
  • Application: Information about the application


The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object. This section provides the reference for each schema object and provides a brief explanation of the attributes, classes, and other objects that make up the Active Directory schema. It is sometimes referred to as the blueprint for ADDS. Any changes that are made to the schema are replicated to every domain controller in the forest from the schema master holder.

ADDS Forest

A forest is a collection of one or more Active Directory domain trees that share a common directory schema and global catalog. The first domain in the forest is called the forest root domain. The forest root domain contains a few objects that do not exist in other domains in the forest. Domains in the same forest are automatically linked with two-way, transitive trust relationships.

Domain Tree

A domain tree is the collection of one or more domains that share a common root name and contiguous Domain Name System namespace.


An ADDS domain is a logical administrative container for objects such as users, computers, groups, and other objects. All domain objects are stored in the ADDS database, and a copy of all domain objects is stored on each domain controller.

Organizational unit and Container

An organizational unit (OU) is a group of objects within a domain, used to consolidate users, computers, groups, and other objects. The primary difference between OUs and containers is the management capabilities: containers have limited management capabilities, and a GPO cannot be applied directly to a container.

Global catalog

The global catalog is a partial, read-only, searchable copy of all objects in the forest. It speeds up searches for objects that might be stored on all domain controllers in the forest.

Data store

ADDS information is stored within the directory database. The AD DS database uses Microsoft Jet database technology and stores the directory information in the Ntds.dit file and associated log files. ADDS database files are stored in the e:\windows NTDS folder by default.

Different file-level components of the ADDS database

  • ntds.dit: Main ADDS database file; contains all ADDS partitions and objects
  • EDB*.log: Transaction logs
  • EDB.chk: Database checkpoint file
  • Edbres00001.jrs & Edbres00002.jrs: Reserve transaction log files that allow the directory to process transactions if the server runs out of disk space


The site is a container for AD DS objects, such as computers and services that are specific to a physical location.


The subnet is a portion of the network IP addresses assigned to computers in a site. A site can have one or more subnets.

RODC (Read only domain controller)

A read-only domain controller (RODC) is a server that contains a read-only copy of an Active Directory database and responds to security authentication requests.

Active Directory FSMO roles (Flexible Single Master Operations)

Flexible Single Master Operation (FSMO) roles can be assigned to different or the same domain controllers to prevent multiple domain controllers from simultaneously making changes to the same Active Directory objects. By default, the first domain controller installed in a forest hosts all five roles; the roles can be transferred after additional domain controllers are deployed.

  • Forest operations masters: Schema master and Domain naming master
  • Domain operations masters: RID master, PDC emulator and Infrastructure master

Schema master

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it’s replicated from the schema master to all other DCs in the directory.

Domain naming master

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This is the domain controller that you must contact when you add or remove a domain or make domain name changes.

RID master

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It’s also responsible for removing an object from its domain and putting it in another domain during an object move.

When a domain controller creates a security principal object, it attaches a unique security ID (SID) to the object. This SID consists of:

  • A domain SID, which is the same for all SIDs created in a domain.
  • A relative ID (RID), which is unique for each security principal SID created in a domain.
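
The domain SID / RID split described above can be seen by decoding a SID from its binary form, as in this added example (not part of the original article). The domain values in the samples are constructed, and the table of well-known RIDs is a subset of Microsoft's documented values rather than something the article lists.

```python
import struct

# Well-known domain RIDs documented by Microsoft (subset, not from the page).
WELL_KNOWN_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   513: "Domain Users", 518: "Schema Admins",
                   519: "Enterprise Admins", 520: "Group Policy Creator Owners"}

def build_sid(*subs: int) -> bytes:
    """Build a constructed binary SID under the NT authority (5) for the samples."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def parse_sid(raw: bytes) -> str:
    """Convert a binary SID (objectSid layout) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])       # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_domain_sid(sid: str):
    """Return (domain_sid, rid) for a domain principal, else (None, None)."""
    parts = sid.split("-")
    # Domain principals look like S-1-5-21-<three domain values>-<RID>.
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:-1]), int(parts[-1])
    return None, None

def describe(raw: bytes) -> dict:
    """Decode a binary SID and report its domain SID, RID and well-known name."""
    sid = parse_sid(raw)
    domain_sid, rid = split_domain_sid(sid)
    return {"sid": sid, "domain_sid": domain_sid, "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid)}

# Constructed samples: the three domain values below are made up.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
SAMPLES = [build_sid(*DOMAIN, 512), build_sid(*DOMAIN, 1104), build_sid(32, 544)]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(describe(raw))
```

The first two samples share one domain SID and differ only in the RID; the third is a built-in SID (S-1-5-32-544) that carries no domain SID at all.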

PDC emulator

The PDC emulator is necessary to synchronize time in an enterprise. Password changes done by other DCs in the domain are replicated preferentially to the PDC emulator. When authentication failures occur at a given DC because of an incorrect password, the failures are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. The PDC emulator performs all of the functionality that a Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

Infrastructure master

The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference.

Security groups

Security groups are used to assign permissions to shared resources. Default security groups are created automatically when you create an Active Directory domain. These predefined groups are used to control access to shared resources.

Administrators: Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.

Schema Admins: Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains.

Domain Users: The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.

Group Policy Creator Owners: This group is authorized to create, edit, or delete group policy objects in the domain. By default, the only member of the group is the Administrator.

Remote Desktop Users: The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permission to remotely connect to an RD Session Host server.

Backup Operators: Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer.

Active Directory Objects

Active Directory stores data as objects. Objects are either resources or security principals.

  • Resources: printers or computers
  • Security principals: users or groups

Active Directory Object Attributes

Active Directory (AD) object attributes are pieces of information or data that define the properties of the objects. For example, a user object in Active Directory will have attributes such as First Name, Second Name, and Manager Name.

Active Directory Object Classes

An object class is a component of the Active Directory schema that defines the “type” for an object or in other words, it defines the set of mandatory and optional attributes an object can have.

Active Directory SYSVOL

SYSVOL is simply a folder that resides on every domain controller within the domain. It contains the domain’s public files, and these files are accessed by clients and kept synchronized between domain controllers. The location of the SYSVOL folder is C:\Windows\SYSVOL; it can be moved to another location during the promotion of a domain controller.

SYSVOL is made up of folders. The folders are used to store:

  • Group policy templates (GPTs), which are replicated via SYSVOL replication. The group policy container (GPC) is replicated via Active Directory replication.
  • Scripts, such as startup scripts, that are referenced in a GPO.
  • Junction points. Junction points work like a shortcut. One directory can point to a different directory. In File Explorer, a junction point and a directory look and feel the same. You can view junction points by running the dir /AL /S command.

Group Policy

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users’ settings in an Active Directory environment. A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID. A GPO can represent policy settings in the file system and in the Active Directory. A GPO can be linked to one or more Active Directory containers, such as a site, domain, or organizational unit.

Group Policy Storage

  • Group policy container: GPC is an Active Directory container that contains GPO properties, such as version information, GPO status, and other component settings.
  • Group policy template: GPT is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system volume folder (SysVol) in the domain \Policies subfolder.
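
Because the GPC and the GPT replicate by different mechanisms, a useful check is whether both halves of a GPO report the same version. The added example below (not from the original article) compares the two. It relies on details the article does not name: the GPT keeps its version in a gpt.ini file under [General], the GPC keeps it in the versionNumber attribute, and both pack the user version in the upper 16 bits and the computer version in the lower 16 bits. The sample values are constructed.

```python
import configparser

def split_version(version: int) -> tuple[int, int]:
    """Split a GPO version number into (user_version, computer_version)."""
    return version >> 16, version & 0xFFFF

def gpt_version(gpt_ini_text: str) -> int:
    """Read Version= from the [General] section of a GPT's gpt.ini."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")

def compare_gpo(gpc_version_number: int, gpt_ini_text: str) -> list[str]:
    """Return findings where the GPC and GPT disagree on a GPO's version."""
    gpc_user, gpc_comp = split_version(gpc_version_number)
    gpt_user, gpt_comp = split_version(gpt_version(gpt_ini_text))
    findings = []
    if gpc_user != gpt_user:
        findings.append(f"user settings: GPC v{gpc_user}, GPT v{gpt_user}")
    if gpc_comp != gpt_comp:
        findings.append(f"computer settings: GPC v{gpc_comp}, GPT v{gpt_comp}")
    return findings

# Constructed sample: the directory (GPC) says user v2 / computer v3,
# while the SYSVOL copy (GPT) says user v2 / computer v4.
SAMPLE_GPC_VERSION = (2 << 16) | 3          # 131075
SAMPLE_GPT_INI = "[General]\nVersion=131076\ndisplayName=Constructed GPO\n"

if __name__ == "__main__":
    for finding in compare_gpo(SAMPLE_GPC_VERSION, SAMPLE_GPT_INI):
        print("MISMATCH", finding)
```

A mismatch that persists after replication has had time to converge means one half of the GPO was changed without the other, which is worth investigating on the domain controller that holds the differing copy.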
