ITOM - Active Directories
Outline
Active Directory Domain Services
Active Directory Structure
DomainTrees
Forests
Trust Relationships
Active Directory Domain Services
Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and allows administrators to manage permissions and access to network resources.
It is a distributed, hierarchical database that shares infrastructure information for locating, securing, managing and organizing computer and network resources, including files, users, groups, peripherals and network devices.
Active Directory stores data as objects. An object is a single element, such as a user, a group, an application or a device such as a printer.
The main service in Active Directory is Domain Services (AD DS), which stores directory information and handles the interaction of the user with the domain.
AD DS verifies access when a user signs in to a device or attempts to connect to a server over a network, and it controls which users have access to each resource.
It provides authentication and authorization functions, as well as a framework for other such services.
The server that hosts AD DS is the Domain Controller.
Other Active Directory Services
Active Directory Lightweight Directory Services
This light version of Domain Services offers basic directory service functionality without the use of domain controllers, forests or domains. It is typically used in small, single-office network environments.
Active Directory Certificate Services
Certificate Services offers digital certificate services and supports public key infrastructure (PKI).
Active Directory Federation Services
Provides a web-based single sign-on authentication and authorization service, primarily for use across organizations.
Active Directory Rights Management Services
A rights management service that goes beyond an access-granted or access-denied model and limits what a user can do with particular files or documents.
Active Directory Structure
Active Directory Domains and Forests
A domain is the logical container that sits directly below the forest container. A domain houses other containers and objects below it.
The forest is the highest level of the organization hierarchy. A forest is a security boundary within an organization.
Forest information is stored on all domain controllers, in all domains, within the forest.
Active Directory Domains
Domains are structured into trees and forests. A domain tree is a collection of related domains. A domain forest is a collection of related domain trees.
Once your infrastructure grows beyond a single domain, trust relationships come into play. A trust relationship allows one domain to trust objects in another for authentication and for access to resources.
For example, if domain A trusts domain B, a user from domain B can access resources in domain A if granted the necessary access permissions in domain A.
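One way to inventory a domain's trusts and restate each of them in the "A trusts B" terms used above, as an added example that is not part of the original slides; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the local domain name is discovered at run time.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory RSAT
# module on a domain-joined host; $Domain defaults to the domain of this host.
Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $partner = $_.Target
        # Direction is given from $Domain's point of view:
        #   Outbound      -> $Domain trusts $partner  (partner's users can be granted access here)
        #   Inbound       -> $partner trusts $Domain  (our users can be granted access there)
        #   BiDirectional -> both of the above
        $meaning = switch ("$($_.Direction)") {
            'Outbound'      { "$Domain trusts $partner: users from $partner may be granted access in $Domain" }
            'Inbound'       { "$partner trusts $Domain: users from $Domain may be granted access in $partner" }
            'BiDirectional' { "$Domain and $partner trust each other: access may be granted either way" }
            default         { "unknown direction '$_'" }
        }
        [pscustomobject]@{
            LocalDomain   = $Domain
            Partner       = $partner
            Direction     = $_.Direction
            TrustType     = $_.TrustType          # Uplevel = Windows domain/forest, Realm = non-Windows Kerberos realm
            ForestTrust   = $_.ForestTransitive   # a forest trust reaches every domain in the partner forest
            # Two hardening settings to confirm on every trust to another forest or organization:
            # SID filtering (quarantine) discards SIDs from outside the trusted domain, and
            # selective authentication limits which partner users may authenticate here at all.
            SIDFiltering  = $_.SIDFilteringQuarantined
            SelectiveAuth = $_.SelectiveAuthentication
            Meaning       = $meaning
        }
    }
}

# Usage: one row per trust of the current domain
Get-TrustSummary | Format-Table Partner, Direction, TrustType, ForestTrust, SIDFiltering, SelectiveAuth -AutoSize
```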
Active Directory Domains and Forests
Forest illustration (figure): domains and trust relationships.
Domain Controller
Domain controllers are Windows Servers with the Domain Controller role enabled. They contain the Active Directory database and perform Active Directory related functions, including authentication and authorization.
Each domain controller stores a copy of the Active Directory database containing information about all objects within the same domain. In addition, each domain controller stores the schema for the entire forest, as well as all information about the forest.
A domain controller will not store a copy of any schema or forest information from a different forest, even if they are on the same network.
Active Directory Domains
Several components work together in a domain. A domain includes the following components:
Schema
Global catalog
Replication service
Operations master roles
Schema - defines the objects that are used in a domain. These can be both physical and logical objects. For example, a physical computer is represented by a computer account object, while a subnet is represented by a subnet object.
Objects have many attributes. Object attributes define the properties, limits and format of the objects. Attributes can be multi-valued, strings, integers, Boolean (true or false), or many other types.
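The schema definitions described above can be read directly from the schema partition; the following is an added example, not code from the original slides, and assumes the ActiveDirectory RSAT module on a domain-joined host (the attribute and class names passed in are only sample values).

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory RSAT
# module on a domain-joined host; 'telephoneNumber' and 'computer' are sample names.
Import-Module ActiveDirectory

# attributeSyntax OIDs for the types the slide mentions (lookup table constructed here)
$script:SyntaxNames = @{
    '2.5.5.12' = 'Unicode string';     '2.5.5.9'  = 'Integer / enumeration'
    '2.5.5.16' = 'Large integer';      '2.5.5.8'  = 'Boolean'
    '2.5.5.1'  = 'Distinguished name'; '2.5.5.11' = 'Generalized time'
}

function Get-SchemaAttributeInfo {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...
    $attr = Get-ADObject -SearchBase $schemaNC `
        -Filter { objectClass -eq 'attributeSchema' -and lDAPDisplayName -eq $LdapDisplayName } `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, rangeUpper, isMemberOfPartialAttributeSet
    if (-not $attr) { throw "No attribute named '$LdapDisplayName' in the schema" }
    $oid = [string]$attr.attributeSyntax
    [pscustomobject]@{
        Attribute       = $attr.lDAPDisplayName
        Syntax          = $(if ($script:SyntaxNames.ContainsKey($oid)) { $script:SyntaxNames[$oid] } else { $oid })
        MultiValued     = -not $attr.isSingleValued
        MaxLength       = $attr.rangeUpper                          # $null = no upper bound set in the schema
        InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet # replicated to every global catalog server
    }
}

# Classes are schema objects too: list the attributes a class requires on every instance.
function Get-SchemaClassRequiredAttributes {
    param([string]$Class = 'computer')
    $cls = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -Filter { objectClass -eq 'classSchema' -and lDAPDisplayName -eq $Class } `
        -Properties subClassOf, mustContain, systemMustContain
    # Only this class's own requirements; inherited ones come from the subClassOf chain.
    [pscustomobject]@{
        Class    = $Class
        Parent   = $cls.subClassOf
        Required = @($cls.systemMustContain) + @($cls.mustContain)
    }
}

Get-SchemaAttributeInfo -LdapDisplayName 'telephoneNumber'
Get-SchemaClassRequiredAttributes -Class 'computer'
```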
A global catalog server stores information about every object within a domain. Administrators and users query a global catalog server to find information about objects.
For example, if an administrator needs to look up information about a user account, including address, phone number and office location, they would query the global catalog server to retrieve the information.
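The lookup in the example above, sent to a global catalog server, as an added example that is not code from the original slides; it assumes the ActiveDirectory RSAT module on a domain-joined host, and 'jdoe' is a placeholder account name. Because a global catalog holds a partial replica of every object in the forest, the same query also finds accounts that live in another domain of the forest.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory RSAT
# module on a domain-joined host; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Find-UserInGlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Any global catalog in the forest will do; -Discover locates one through the DC locator.
        [string]$GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    )
    # TCP 3268 (3269 over TLS) is the global catalog listener. Queried there, the DC answers
    # from its forest-wide partial replica, so the account may live in any domain of the
    # forest. Port 389 would search only the DC's own domain.
    $server = "${GlobalCatalog}:3268"

    Get-ADUser -Server $server -Filter { SamAccountName -eq $SamAccountName } `
        -Properties streetAddress, telephoneNumber, physicalDeliveryOfficeName, mail |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.Name
                UPN        = $_.UserPrincipalName
                Address    = $_.streetAddress
                Phone      = $_.telephoneNumber
                Office     = $_.physicalDeliveryOfficeName
                Mail       = $_.mail
                # The DN shows which domain actually holds the full object.
                Domain     = (($_.DistinguishedName -split ',DC=' | Select-Object -Skip 1) -join '.')
                AnsweredBy = $server
            }
        }
}

# Attributes outside the partial attribute set (schema flag isMemberOfPartialAttributeSet)
# come back empty from a global catalog even when set on the object; for those, query a
# domain controller of the user's own domain on port 389 instead.
Find-UserInGlobalCatalog -SamAccountName 'jdoe'
```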
References
AD Domains – https://www.paessler.com/it-explained/active-directory
https://blog.netwrix.com/2017/01/31/active-directory-domain/
Domains and Trust Relationships – https://www.techrepublic.com/blog/the-enterprise-cloud/an-overview-of-the-active-directory-domains-and-trusts-console/
AD Forests – https://www.varonis.com/blog/active-directory-forest/
AD Replication Concepts – https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-