What is Active Directory and why is it important?
In an organization, security is very important. It does not only cover the physical setup of the company but also the security of their network. The overall security of the organization’s network is a critical responsibility of the Network and System Administrator. Just like people are filtered and screened as they get inside the building, system administrators also need to make sure that only authorized users are able to access the company resources. This is where Active Directory comes in the picture.
Active Directory or AD plays a vital role in an organization. It is a form of database where users, groups and computers are stored. Not only is it a database, but it also defines the security of the organization’s network. This would define who will have access to the company resources including what type of access they will have. As a result, only the defined users will have access according to their defined type of access.
If you are eyeing to be a system administrator, your knowledge about Active Directory is very important. Let’s learn what an active directory is, how it plays a vital role in an organization and its components.
What are the components of AD?
Now let’s get into the details of the components of AD. In a Windows Server Operating System, AD is termed Active Directory Domain Services, or AD DS. According to Microsoft, AD DS provides the methods for storing directory data and making this data available to network users and administrators. A Windows server that runs AD DS is called a domain controller. AD has four major components – domain, tree, forest and objects.
- Domain – or Active Directory Domain is typically a collection of all objects within an AD DS network. This is grouped in a tree structure. AD Domains are identified by a DNS name that is usually the same as the organization’s public domain name, sub-domain or any alternate version.
- Tree – is a collection of domains within AD DS. The main reason why it is called a tree is because each domain has exactly one parent which leads to a hierarchical tree structure. A domain tree typically starts from a single parent or root and then branches out into different child domains.
- Forest – this is considered as the highest level of organization within AD. It also acts as the centralized mechanism for managing as well as controlling authentication and authorization across the organization.
- Object – refers to a single element contained in AD, such as a user, group, application or device. Objects are also referred to as resources or security principals.
What are AD Objects?
As discussed above, Active Directory is composed of four major components and one of which is an Object. Listed below are the different types of objects that you need to be familiar with in order to administer Active Directory successfully:
- User
- Contact
- Computer
- Shared folder
- Group
- Organizational Unit
- Domain
- Domain Controller
- Site
Now that you know the different types of objects in Active Directory, let’s get into the details of each object.
- User – this type of object represents a real user who is an active part of an organization’s AD network. A user object is typically an employee of the organization; some of them, such as IT admins, Human Resources managers, directors and executives, usually have elevated permissions compared to other users.
- Contact – similar to a user object, a contact in AD represents a real person who is not part of the organization. Contacts may still have a significant contribution or role in the organization, such as partners, vendors or agencies that perform specific tasks for it.
- Group – this type of object can contain other AD objects such as other groups, users, computers and printers. A group object serves as a container type of object in Active Directory.
- Organizational Unit (OU) – like group objects, organizational unit objects can also contain other AD objects.
- Domain – this is a structural component of the active directory. Just like group and OU objects, domains can contain other AD objects. Each domain in an AD has its own database, and its own set of defined policies that are applied to all AD objects within it.
- Domain Controller – this object represents the server that maintains the domain’s policies, authenticates all AD users and holds the roles that other domain controllers in the domain depend on.
- Site – this object in AD is in charge of managing and facilitating replication.
- Builtin – this container holds the local groups that are predefined when the Active Directory domain is created.
Apart from understanding the different types of AD objects, as a system administrator, it is also important that you understand the two main categories of AD objects – leaf and container AD objects.
- Container AD Objects – these are objects that can contain other AD objects within them. Good examples of this category are Organizational Units and Groups.
- Leaf AD Objects – these are objects that cannot contain other objects within them, such as Users, Computers and Printers.
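As an added example (not code from the original post), the following PowerShell inventories the objects under one OU and labels each object class as container or leaf, then expands a privileged group recursively, because groups are containers that can nest other groups and the effective membership is only visible when the nesting is resolved. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access; the OU path is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and read access to the domain. The OU below is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Corp,DC=example,DC=com'   # placeholder, replace with a real OU

# Object classes that can hold other objects vs. classes that cannot.
$containerClasses = @('organizationalUnit', 'container', 'group', 'domainDNS')
$leafClasses      = @('user', 'computer', 'contact', 'printQueue', 'volume')

# objectClass on ADObject is the most specific class of the object (e.g. "user").
$objects = Get-ADObject -SearchBase $searchBase -SearchScope Subtree -Filter * `
               -Properties objectClass, distinguishedName

# Tally the objects by class and label the category described in the post.
$objects | Group-Object objectClass | ForEach-Object {
    $category = if ($containerClasses -contains $_.Name) { 'Container' }
                elseif ($leafClasses -contains $_.Name)  { 'Leaf' }
                else                                     { 'Other' }
    [pscustomobject]@{ ObjectClass = $_.Name; Category = $category; Count = $_.Count }
} | Sort-Object Category, ObjectClass | Format-Table -AutoSize

# Groups nest: resolve the full membership of a privileged group so that
# accounts added through a nested group are not overlooked in a review.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object objectClass, SamAccountName, distinguishedName |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT installed; the first table shows which classes under the OU are containers, and the second lists every account that ends up in Domain Admins, directly or through nesting.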
Now that you know the components of an AD, let’s also get into the details of a domain. As discussed above, a domain serves as the structural component of your organization. It serves as the fundamental unit of AD that typically shares common administration, security, and replication requirements. Active directory can have multiple subdomains. This is how a system administrator will design the AD if the organization has several regions of business or branches.
Subdomains, on the other hand, allow a logical partitioning of Active Directory. This fits perfectly if the organization has several regions of business. You can divide Active Directory into smaller directories and delegate rights to the subdomains. With this setup you will be able to keep everything organized from an administrative standpoint.
Your main goal as the system administrator is to build up the structure of your organization to support delegation of permissions. This also lets you take advantage of customized policies without applying them to every single user or object in your Active Directory. Speaking of building up the structure, managing a large-scale organization would require some users to be able to access networks or resources from one location to another without being issued different credentials. For example, a company director should be able to log in to a computer at the headquarters and to another computer located offshore. This is where Domain Trust comes in.
An Active Directory trust (AD trust) is a way of connecting two different or distinct AD domains or forests to allow users in one domain to be authenticated against resources from the other domain. This serves as a communication bridge that establishes the connection of one domain and another domain in your organization’s AD network. With this connection, resources between two different domains can be shared, and therefore provide seamless access to the users.
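Because a trust lets users of another domain or forest authenticate to your resources, a defender wants to see every trust with its direction and the settings that limit what the other side can do. The following PowerShell is an added example (not code from the original post); it assumes the ActiveDirectory RSAT module and read access, and it reports the trust kind and two hardening settings: SID filtering (quarantine) on external trusts and selective authentication on any trust that crosses a forest boundary.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and read access to the current domain.
Import-Module ActiveDirectory

Get-ADTrust -Filter * | ForEach-Object {
    $t = $_
    $findings = @()

    # Trusts inside one forest (parent/child, tree root) are implicit and are
    # not hardened with these settings, so only cross-forest trusts are checked.
    if (-not $t.IntraForest) {
        # External trusts should have SID filtering (quarantine) turned on so the
        # trusted domain cannot present SIDs from your own domain.
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'external trust without SID filtering (quarantine)'
        }
        # Selective authentication restricts the trusted users to resources that
        # explicitly allow them; without it every user is authenticated domain-wide.
        if (-not $t.SelectiveAuthentication) {
            $findings += 'domain-wide authentication (no selective authentication)'
        }
    }

    [pscustomobject]@{
        Source                 = $t.Source
        Target                 = $t.Target
        Direction              = $t.Direction          # Inbound, Outbound or BiDirectional
        Kind                   = if ($t.IntraForest)      { 'Intra-forest' }
                                 elseif ($t.ForestTransitive) { 'Forest' }
                                 else                         { 'External' }
        SIDFilteringForestAware = $t.SIDFilteringForestAware
        Findings               = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
} | Format-Table -AutoSize
```

Review any row whose Findings column is not OK together with the owner of the trust; the raw SIDFilteringForestAware value is printed for forest trusts so it can be compared against your documented configuration.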
Another term you would hear a lot is Domain Controller. It is a Windows server that hosts the Active Directory database and manages the network, identity, security and policies of the domain. It effectively acts as a gatekeeper for the authentication and authorization of users into your organization’s IT resources within the domain. Therefore, it is very important to secure the domain controller; it is the key door to your organization’s IT resources.
As a system administrator, you may also encounter unexpected failures while managing Active Directory. Some users, or even the whole network, may then be unable to access company resources. There are also instances where your network administrator depends on Active Directory to assign IP addresses to all of your company devices via a DHCP server or DNS server, both of which are managed under your domain controller. Because this setup is so critical, it is important to have multiple domain controllers for replication and redundancy.
AD allows every domain controller to maintain a writable copy of its own domain’s partition. To put it simply, whatever changes are made on one domain controller are replicated automatically to your other domain controllers. This process is called multi-master replication. It allows most operations to be processed reliably by multiple domain controllers and so provides high levels of redundancy, availability and accessibility in your Active Directory. With all of these capabilities, you still have to make exceptions for some AD operations that are highly sensitive, and restrict them to a specific domain controller. This is where Flexible Single Master Operations (FSMO) roles come in.
Before we discuss these five roles, let’s give you an overview of how FSMO roles work. In every forest, there is a single Schema Master and a single Domain Naming Master. In each domain, there is one Infrastructure Master, one RID Master and one PDC Emulator. However, at any given time, there can be only one DC performing the functions of each role. Therefore, a single DC could be running all five FSMO roles; however, in a single-domain environment, there can be no more than five servers that run the roles.
An Active Directory has five FSMO roles:
- Schema Master – Schema Master is an enterprise-level FSMO role; there is only one Schema Master in an Active Directory forest. The Schema Master role owner is the only domain controller in an Active Directory forest that contains a writable schema partition. As a result, the DC that owns the Schema Master FSMO role must be available to modify its forest’s schema. Examples of actions that update the schema include raising the functional level of the forest and upgrading the operating system of a DC to a higher version than currently exists in the forest.
- Domain Naming Master – Domain Naming Master is an enterprise-level role; there is only one Domain Naming Master in an Active Directory forest. The Domain Naming Master role owner is the only domain controller in an Active Directory forest that is capable of adding new domains and application partitions to the forest. Its availability is also necessary to remove existing domains and application partitions from the forest. The Domain Naming Master role has little overhead and its loss can be expected to result in little to no operational impact, since the addition and removal of domains and partitions are performed infrequently and are rarely time-critical operations. Consequently, the Domain Naming Master role should need to be seized only when the DC that owns the role cannot be brought back online.
- Infrastructure Master – Infrastructure Master is a domain-level role; there is one Infrastructure Master in each domain in an Active Directory forest. The Infrastructure Master synchronizes objects with the global catalog servers. The Infrastructure Master will compare its data to a global catalog server’s data and receive any data not found in its database from the global catalog server. If all DCs in a domain are also global catalog servers, then all DCs will have up-to-date information (assuming that replication is functional). In such a scenario, the location of the Infrastructure Master role is irrelevant since it doesn’t have any real work to do.
- Relative ID (RID) Master – Relative Identifier Master (RID Master) is a domain-level role; there is one RID Master in each domain in an Active Directory forest. The RID Master role owner is responsible for allocating active and standby Relative Identifier (RID) pools to DCs in its domain. RID pools consist of a unique, contiguous range of RIDs, which are used during object creation to generate the new object’s unique Security Identifier (SID). The RID Master is also responsible for moving objects from one domain to another within a forest.
- PDC Emulator – The Primary Domain Controller Emulator (PDC Emulator or PDCE) is a domain-level role; there is one PDCE in each domain in an Active Directory forest. The PDC Emulator controls authentication within a domain, whether Kerberos v5 or NTLM. When a user changes their password, the change is processed by the PDC Emulator.
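The paragraphs on multi-master replication and the five FSMO roles describe two things an administrator checks regularly: which DC holds each role and whether it is online, and whether replication between DCs is actually succeeding. The PowerShell below is an added example (not code from the original post) that does both for the whole forest and, for the current domain, notes whether every DC is also a global catalog, in which case the Infrastructure Master has no real work to do. It assumes the ActiveDirectory RSAT module and read access to the forest.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-level roles come from the forest object, domain-level roles from each domain.
$roles = [ordered]@{
    'Schema Master'        = $forest.SchemaMaster
    'Domain Naming Master' = $forest.DomainNamingMaster
}
foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName
    $roles["Infrastructure Master ($domainName)"] = $d.InfrastructureMaster
    $roles["RID Master ($domainName)"]            = $d.RIDMaster
    $roles["PDC Emulator ($domainName)"]          = $d.PDCEmulator
}

# A role is only usable while its owner is reachable, so test each holder.
$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Role      = $_.Key
        Holder    = $_.Value
        Reachable = Test-Connection -ComputerName $_.Value -Count 1 -Quiet
    }
} | Format-Table -AutoSize

# If every DC in the domain is a global catalog, the Infrastructure Master
# location does not matter, as the post explains.
$dcs   = Get-ADDomainController -Filter *
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
"All $($dcs.Count) DCs in $((Get-ADDomain).DNSRoot) are global catalogs: $allGc"

# Multi-master replication only gives redundancy while it works: report
# failures and the last successful replication with each partner.
foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc.HostName |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime |
        Format-Table -AutoSize
    Get-ADReplicationPartnerMetadata -Target $dc.HostName |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

An unreachable role holder or a partner with a growing ConsecutiveReplicationFailures count is the condition under which the post’s advice about multiple DCs for redundancy stops holding, so these are the values to alert on.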
What are the duties of an Active Directory Administrator?
An Active Directory administrator plays a critical role, not just in the IT department but also in the whole organization. You’re in charge of one of the most precious resources of any company, data. Some of your primary duties will include:
- Creating and maintaining user accounts, schema, and groups
- Controlling the domain and ensuring overall system security
- Establishing and implementing group policies
- Offering technical assistance to users
- Ensuring compliance with policies and regulations
- Helping with disaster recovery
- Performing security audits
How can Server Academy help you learn Active Directory?
Server Academy provides you with a clear path to becoming a System Administrator. One of the key topics that the vast curriculum covers is Active Directory. In fact, many users join the platform specifically because of the Active Directory course.
It remains one of the biggest motivational factors for students who decide to start their Windows Server journey with Server Academy.
In this post, we wanted to cover the fundamentals of Active Directory and help you better understand the processes that are taking place in an organization. But learning and mastering Active Directory must be done through practice. That’s where Server Academy comes in.
The most popular feature that Server Academy offers is the hands-on labs, which help you practice and gain work-equivalent experience. You no longer have to imagine the problem as you’re reading text and watching the videos; you get to acquire the skill through practice and guided content.
Besides that, a major problem with learning Windows Server is not knowing where to start and in which order to learn the skills. Server Academy provides you with a clear-cut learning path that helps you learn step-by-step, at your own pace.
If you’re interested in mastering Active Directory and becoming a Windows Server expert, make sure to check out our plans and become a member.