

Understanding Active Directory for Beginners - Part 1

 This is the documentation for the online discussion we conducted on Active Directory. 
 The recording of this session is available at
https://www.youtube.com/playlist?list=PLQupF2rE3mCcICksyRHABY1UIIUP4XqyB&feature=view_all
 Here we discussed: 
  1. What is Directory Service?
  2. Active Directory
  3. History of Directory Service
  4. Advantages of LDAP
  5. Back to Active Directory
  6. Naming conventions
  7. Requirement of DNS
  8. AD objects
  9. AD Database
  10. Schema
  11. Domain, Tree and Forest
 What's a directory service? 
  • A directory service is a container that provides a hierarchical structure and stores objects for quick and easy access and manipulation. It is like an electronic phone directory that lets you search for a name and retrieve the phone number, address or other information without knowing where that person lives.
  • Before directory services, if you needed a file, you needed to know the name of the file, the name of the server on which it was stored and its folder path. This works well on a small network, but as the network grows it becomes challenging.
  • A directory service is the means by which users and administrators can locate resources regardless of where those resources are located.
  • Also, before directory services a typical user could have more than one user account and password, one for the file server, one for the email server and so on, and as the network grew the number of usernames and passwords grew with it.
 Active Directory
  • Active Directory is Microsoft's answer to directory services, and it does a lot more than just locating resources.
  • Active Directory takes care of the many-passwords problem by using Kerberos authentication and Single Sign-On (SSO). SSO means that Kerberos gives a user one set of credentials and grants access across a range of resources and services with that same set of credentials. The Kerberos Key Distribution Center (KDC) on a domain controller authenticates the user once and issues a ticket; with that ticket the user obtains access to the resources and services that support Kerberos without entering the password again.
  • Active Directory also makes user management easier, as it acts as a single repository for all of this user- and computer-related information.
 History of Directory Service
  • The forerunner of today's directory services is the X.500 specification that emerged from the International Telecommunication Union (ITU), formerly the CCITT (Comité Consultatif International Téléphonique et Télégraphique).
  • X.500 sits at the Application layer of the OSI model. An X.500 directory contains several component databases that work together as a single entity.
  • The primary database is the Directory Information Base (DIB), which stores information about the objects. The major limitation was its lack of integration with the Internet Protocol (IP): X.500 was designed for the OSI protocol stack.
  • The protocol it used was the Directory Access Protocol (DAP). DAP offered more functionality than is required for implementing directory services, so a scaled-down version called the Lightweight Directory Access Protocol (LDAP) was created and was later standardised by the Internet Engineering Task Force (IETF).
 Advantages of LDAP
  • LDAP runs over the TCP/IP stack rather than the OSI stack.
  • It integrates with IP and enables IP clients to use LDAP to query directory services.
  • LDAP can perform hyper-searches, known as referrals: one directory can refer the client to another directory that holds the requested data.
  • LDAP has a C-based API (RFC 1823).
  • Like X.500, LDAP uses an inverted-tree hierarchical structure.
  • LDAP supports Kerberos authentication (through SASL/GSSAPI), the Simple Authentication and Security Layer (SASL), and SSL/TLS (LDAPS on port 636, or StartTLS on port 389).
  • SASL is a framework for authentication and data security in Internet protocols. Caveat for practitioners: a plain LDAP "simple bind" sends the password in clear text unless the connection is protected by TLS, so against a production domain controller prefer Kerberos/SASL binds or LDAPS, and enable LDAP signing and channel binding on the DCs.
 
Back to Active Directory
  • AD is Microsoft's answer to directory services, and it does a lot more than just locating resources.
  • AD uses LDAP as its access protocol.
  • AD relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries.
  • Let's understand Active Directory in more detail.
 Naming Conventions 
  • AD contains information about the objects in your enterprise.
  • These objects can be computers, users, printers etc.
  • AD is a container with nested containers holding other containers or objects.
  • We name these containers and objects so that they are easy to query or search for.
 AD supports several naming conventions. 
  • User Principal Names (UPN)
  • LDAP names, also known as Distinguished Names (DN)
 User Principal Names, or UPN
  • This is the one you'll probably find most familiar; its format follows the RFC 822 mailbox syntax.
  • It has the same format as an email address, like ashwin@road2master.ms
  • UPNs take the form user@domain; the part after the @ is called the UPN suffix.
  • If you have a user named User01 in the Active Directory domain Domain01.local, the default UPN will be User01@Domain01.local
  • We will discuss AD domains in more detail later.  
  • You can also add alternative UPN suffixes to the forest (in Active Directory Domains and Trusts), so the same user object could instead carry the UPN User01@Domain01.com or User01@xyz.com. The UPN suffix therefore does not have to match the DNS name of the domain the object lives in; the object's distinguished name shows the real domain.
  • More on these later.
 
LDAP names, also known as Distinguished Names 
  • A distinguished name (DN) is built from comma-separated components, listed from the object itself up to the root of the domain:

cn=common name

ou=organizational unit

dc=domain component (one per label of the DNS domain name)

for example: cn=Ashwin,ou=Trainer,dc=Road2Master,dc=ms

  • A query for that object, written as an ADSI path, looks like this:

LDAP://R2MAD01.road2master.ms/cn=Ashwin,ou=Trainer,dc=Road2Master,dc=ms

R2MAD01.road2master.ms is the FQDN of the domain controller being asked; the part after the slash is the DN of the object.
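To make the UPN and DN formats above concrete, here is an added example in Python (not code from the original article): a small parser that splits a DN into its components while honouring RFC 4514 backslash escapes, rebuilds the parent container's DN, converts between the dc= components and the DNS domain name, produces the LDAP://<DC>/<DN> path shown above, and splits a UPN into user and suffix. All DNs and UPNs in it are constructed from the article's road2master.ms and Domain01.local examples.

```python
"""Distinguished names and UPNs as used in Active Directory.

Added example for this article; it is not code from the original page.
It parses an LDAP distinguished name (DN) into its relative distinguished
names honouring RFC 4514 backslash escapes, rebuilds DNs, derives the DNS
domain name from the dc= components, and splits a UPN into user and suffix.
The DNs and UPNs used below are constructed from the article's own
road2master.ms / Domain01.local names.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("cn", "Ashwin")

# Characters that must be backslash-escaped inside a DN value (RFC 4514).
_SPECIAL = ',+"\\<>;'


def split_dn(dn: str) -> List[RDN]:
    """Split 'cn=a,ou=b,dc=c' into [('cn','a'), ('ou','b'), ('dc','c')].

    A naive dn.split(',') breaks on values that contain a comma, such as
    cn=Doe\\, John; this scanner treats '\\X' as the literal character X.
    (RFC 4514 hex escapes such as \\2C are not handled here.)
    """
    rdns: List[RDN] = []
    attr: List[str] = []
    value: List[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        target = value if in_value else attr
        if ch == "\\" and i + 1 < len(dn):
            target.append(dn[i + 1])      # escaped character is literal
            i += 2
            continue
        if ch == "=" and not in_value:
            in_value = True               # switch from type to value
        elif ch == ",":
            rdns.append(("".join(attr).strip().lower(), "".join(value)))
            attr, value, in_value = [], [], False
        else:
            target.append(ch)
        i += 1
    if attr or value:
        rdns.append(("".join(attr).strip().lower(), "".join(value)))
    return rdns


def escape_value(value: str) -> str:
    """Escape a DN attribute value so it can be embedded in a DN."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def join_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (drop the first RDN)."""
    return join_dn(split_dn(dn)[1:])


def dns_domain_from_dn(dn: str) -> str:
    """'cn=Ashwin,ou=Trainer,dc=Road2Master,dc=ms' -> 'Road2Master.ms'"""
    return ".".join(v for a, v in split_dn(dn) if a == "dc")


def dn_from_dns_domain(domain: str) -> str:
    """'road2master.ms' -> 'DC=road2master,DC=ms' (the domain partition DN)."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def adsi_path(dc_fqdn: str, dn: str) -> str:
    """The LDAP://<DC>/<DN> form shown in the article."""
    return f"LDAP://{dc_fqdn}/{dn}"


def split_upn(upn: str) -> Tuple[str, str]:
    """'User01@Domain01.local' -> ('User01', 'Domain01.local').

    The suffix is whatever UPN suffix the object was given; it need not
    equal the DNS name of the domain the object lives in, so do not use it
    to decide which domain an account belongs to."""
    user, sep, suffix = upn.rpartition("@")
    if not sep or not user or not suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return user, suffix
```

The escape handling matters in practice: AD is happy to create cn=Doe\, John, and any script that does dn.split(',') will silently attribute that user to the wrong container. The note on split_upn is the security point from the UPN section: an alternate UPN suffix says nothing about which domain the object lives in; only the dc= components of the DN do.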

 Requirement of DNS
  • The DNS server that hosts the AD domain's zone must support:
  • Service location (SRV) resource records (RFC 2782)
  • The dynamic update protocol specified by RFC 2136 (ideally secure dynamic update, so that only the computer that owns a record can change it)
  • AD relies on DNS as its primary locator service, although it is not the only mechanism for locating domain controllers (DCs); NetBIOS name resolution remains as a fallback.
  • A domain controller is a server that has Active Directory installed.
  • When a domain controller starts (and periodically afterwards), its Netlogon service:
  • registers both its DNS name and its NetBIOS name. More on NetBIOS names later.
  • adds LDAP-specific SRV records to DNS, such as _ldap._tcp.dc._msdcs.<domain>, so that clients can find DCs with a DNS SRV query and then send their LDAP queries to a DC they found.
  • adds Kerberos-specific SRV records, such as _kerberos._tcp.<domain>, so that clients can find servers running the Kerberos Key Distribution Center (KDC) service.
  • also adds an A record for the domain name itself, so that clients that don't support SRV records can still reach a DC through a simple host lookup. You can disable this if required.
  • These records are readable by anyone who can query the DNS server, which is why enumerating them is usually the first step of both a legitimate client and an internal security assessment.
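As an added example (not code from the original article, and making no network requests), the following Python models the client side of what these records are for: it builds the SRV names a DC Locator client asks for, parses constructed answer lines for road2master.ms (R2MAD01 is the DC named above; R2MAD02 and the TTLs are made up), and orders the candidates by the RFC 2782 rules, lowest priority first and weighted random among equal priorities.

```python
"""Finding a domain controller from the SRV records it registers.

Added example for this article; it is not code from the original page and
performs no network I/O. A DC Locator client asks DNS for SRV records such
as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain>, then
picks a target by the RFC 2782 rules: lowest priority first, weighted-random
among records of equal priority. SAMPLE_ANSWERS below is a constructed DNS
answer for the article's road2master.ms domain; R2MAD01 is the DC named in
the article, R2MAD02 is made up.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_srv_name(service: str, domain: str, site: Optional[str] = None) -> str:
    """Name a client queries to find a DC offering `service` (ldap, kerberos, ...).

    _ldap._tcp.dc._msdcs.<domain>                 any DC in the domain
    _ldap._tcp.<site>._sites.dc._msdcs.<domain>   DCs in a given AD site
    """
    prefix = f"_{service}._tcp"
    if site:
        return f"{prefix}.{site}._sites.dc._msdcs.{domain}"
    return f"{prefix}.dc._msdcs.{domain}"


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file style answer: name TTL IN SRV prio weight port target."""
    parts = line.split()
    if len(parts) != 8 or parts[2] != "IN" or parts[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(
        name=parts[0].rstrip(".").lower(),
        priority=int(parts[4]),
        weight=int(parts[5]),
        port=int(parts[6]),
        target=parts[7].rstrip(".").lower(),
    )


def order_srv(records: List[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """Order records as RFC 2782 prescribes: by priority, then weighted random."""
    rng = random.Random(seed)
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            n = rng.random() * total       # a weight-0 record wins only when n == 0
            acc = 0
            chosen = group[-1]
            for r in group:
                acc += r.weight
                if acc >= n:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def locate_dc(service: str, domain: str, answers: List[str],
              seed: Optional[int] = None) -> List[SrvRecord]:
    """Return the DCs offering `service` in `domain`, in the order to try them."""
    wanted = dc_locator_srv_name(service, domain).lower()
    records = [r for r in map(parse_srv, answers) if r.name == wanted]
    return order_srv(records, seed)


# Constructed answers, not the result of a real DNS query.
SAMPLE_ANSWERS = [
    "_ldap._tcp.dc._msdcs.road2master.ms. 600 IN SRV 0 100 389 R2MAD01.road2master.ms.",
    "_ldap._tcp.dc._msdcs.road2master.ms. 600 IN SRV 10 100 389 R2MAD02.road2master.ms.",
    "_kerberos._tcp.dc._msdcs.road2master.ms. 600 IN SRV 0 100 88 R2MAD01.road2master.ms.",
]

if __name__ == "__main__":
    for r in locate_dc("ldap", "road2master.ms", SAMPLE_ANSWERS):
        print(f"try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
```

On a domain-joined Windows host the equivalent real query is Resolve-DnsName -Type SRV _ldap._tcp.dc._msdcs.road2master.ms (or nslookup -type=SRV with the same name); the records it returns have the same shape as SAMPLE_ANSWERS, and a site-aware client asks for the _sites form first so that it prefers a DC in its own site.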
 Active Directory objects
  • Objects in AD can be either containers for other objects or leaf objects, which do not serve as containers.
  • Objects in AD have attributes. Attributes not only define the object but also store its data; together they define the character of that object.
  • Some attributes are optional and some are mandatory.
  • Optional: phone number (telephoneNumber)
  • Mandatory: the object's name (cn) and, for a user, its logon name (sAMAccountName)
  • When an object is created AD assigns it a GUID (objectGUID), a 128-bit number; no two objects in AD have the same GUID.
  • If an object is moved or renamed within the directory its distinguished name changes but its GUID does not, so use the GUID rather than the DN when you need a stable reference to an object.
  • Objects in AD are protected by Access Control Lists (ACLs), which identify trustees by their security identifier (SID) rather than by name.
  • More on security later.
 Active Directory Database

  • The directory is stored in a single database file, NTDS.dit, managed by the Extensible Storage Engine (ESE). ESE stores the directory in tables that define its structure. Because the file also holds every account's password hashes, access to it and to its backups must be restricted.
  • Above ESE, the database layer presents the directory as three partitions (naming contexts) that define the contents of AD, plus optional application partitions.
 Schema Partition
  • This stores the Active Directory schema.
  • The schema defines which types of objects (classes) can be created in the directory,
  • how those objects relate to one another, and which attributes of each object are mandatory and optional,
  • and thus how such objects can be created.
 
Configuration Partition
  • This contains the configuration of the forest: sites, subnets, the replication topology and the list of partitions and services. It is replicated to every DC in the forest.
 Domain Partition 
  • This partition stores the domain's objects: users, computers, groups, OUs. It is replicated only to the DCs of that domain.
 Application Partition
  • This is an optional extra partition that an administrator can create, replicated to a chosen set of DCs; the DNS zones DomainDnsZones and ForestDnsZones are the common examples.
  • More on this later.
  • More about the Active Directory database in the upcoming parts.
 Active Directory Schema
  • As above, the schema defines the object classes that can exist in the directory, how they relate to one another, and the mandatory and optional attributes of each class.
  • The schema must be extended whenever you need to create a new type of object or add anything that requires a new attribute (Exchange, for instance, extends it).
  • Schema changes are forest-wide and effectively permanent: a class or attribute can be deactivated but never deleted. Test extensions in a lab first and keep the Schema Admins group empty until a change is actually needed.
 Domain, Tree and Forest

AD Domain
  • Objects created in AD are grouped into domains.
  • The objects of a single domain are stored in a single database, which is replicated to every domain controller of that domain.
 
AD Domain Tree
  • A tree is a collection of one or more domains that share a contiguous DNS namespace, for example road2master.ms with a child domain eu.road2master.ms.
 
AD Forest
  • A forest is a collection of one or more trees that share a common global catalog, directory schema, logical structure and directory configuration, joined by automatic two-way transitive trusts.
  • The forest, not the domain, is the security boundary: an administrator of any domain in the forest can in practice gain control of the whole forest, so organisations that need real isolation use separate forests.
 Please find the slides attached. 
Thank you all for spending your valuable time. 


Understanding Active Directory - PART 1.pdf

Comments

  • Anonymous
    January 01, 2003
    It is extremely useful; I had forgotten some of it, but it is a good find. Thank you.

  • Anonymous
    January 01, 2003
    Thanks, it's very helpful.

  • Anonymous
    January 01, 2003
    Good one, thanks.

  • Anonymous
    January 01, 2003
    Awesome, thanks.

  • Anonymous
    January 01, 2003
    Helped fill in the gaps where I missed in my education. Thanks!

  • Anonymous
    January 01, 2003
    Good effort. This one is fantastic as far as a beginner is concerned to learn about AD. It was refreshing indeed. Thanks!

  • Anonymous
    January 01, 2003
    @Charles @GreenlightTech Thanks a lot for finding time to read through.

  • Anonymous
    January 01, 2003
    Nice article!

  • Anonymous
    February 27, 2013
    Thanks. Really good for beginners.

  • Anonymous
    October 31, 2013
    Great lesson. Thank you for helping the WWWorld.

  • Anonymous
    November 06, 2013
    Helpful indeed. TechNet must do this for most of the complicated stuff.

  • Anonymous
    November 14, 2013
    Extremely useful, easy to read too.

  • Anonymous
    November 28, 2013
    Very very helpful. The best blog on the net!

  • Anonymous
    February 05, 2014
    Really good free material, thanks!

  • Anonymous
    February 24, 2014
    It helped a lot, ty :)

  • Anonymous
    March 12, 2014
    It helped me a lot.

  • Anonymous
    March 16, 2014
    Great job!

  • Anonymous
    March 28, 2014
    Thanks very much.

  • Anonymous
    April 19, 2014
    useless material

  • Anonymous
    May 18, 2014
    Soooo nice post. Thanks a lot!

  • Anonymous
    June 12, 2014
    Awesome... Thanks

  • Anonymous
    June 18, 2014
    Worthy effort, got to know the basics of it, thanks a ton. :)

  • Anonymous
    June 20, 2014
    Content-full article for a beginner like me. :)

  • Anonymous
    July 21, 2014
    This is just excellent!
    Thanks a lot

  • Anonymous
    August 17, 2014
    Made me ***

  • Anonymous
    August 25, 2014
    Really refreshing stuff for forgetful people like me! :)

  • Anonymous
    November 09, 2014
    Very good.

  • Anonymous
    December 24, 2014
    Thanks. It is actually mind-refreshing.

  • Anonymous
    December 30, 2014
    Awesome contribution. Imagine how helpful it would be if all techies can dedicate some time to help others in need. Amazing public service. Kudos to you buddy.. Thanks.

  • Anonymous
    January 01, 2015
    very helpful

  • Anonymous
    January 01, 2015
    very helpful

  • Anonymous
    January 22, 2015
    thanks sir

  • Anonymous
    January 31, 2015
    Excellent for the beginners! Covers a lot of points

  • Anonymous
    March 16, 2015
    Wow, great lecturer. Helped me a lot.

  • Anonymous
    July 20, 2015
    Nice blog to understand basics about AD.

  • Anonymous
    August 16, 2015
    Thanks for this useful article on AD.
    Can anyone tell me which OSI model layer Active Directory comes under?
    Thanks.

  • Anonymous
    August 25, 2015
    Thank you for helping me.

  • Anonymous
    September 07, 2015
    Very helpful, easy to understand, although flow diagrams can make it easier to understand.
    thank you.

  • Anonymous
    September 25, 2015
    Really, thanks for the basic concepts of AD.

  • Anonymous
    August 14, 2016
    Thank you so much for the information that you have updated. It's helped me very much, which I needed.

  • Anonymous
    August 18, 2016
    thanks a lot, I even saved this to my BOOKMARKS :)

  • Anonymous
    December 06, 2016
    thank you

  • Anonymous
    December 19, 2016
    Very useful, nicely set out, to the point and not weighed down with too much technicality.

  • Anonymous
    January 04, 2017
    I want to know some basics about Active Directory.

  • Anonymous
    January 19, 2017
    Brilliantly explained.. Extremely useful and a wonderful read for beginners..

  • Anonymous
    February 22, 2017
    This was indeed great

  • Anonymous
    February 28, 2017
    Explained in simple terms that are easy to understand and remember, thank you.

  • Anonymous
    March 27, 2017
    It's very useful, I learned more from this, it's really good, thank you.

  • Anonymous
    March 28, 2017
    This was very helpful. Thank you very much.