A domain is the basic administrative unit in an enterprise's network infrastructure, which includes all network objects such as users, computers, printers, shares, etc. A collection (hierarchy) of domains is called a forest. Each company can have an external and internal domain.
For example, the domain of a company's public web site is an external domain on the Internet, purchased from a name registrar; this domain hosts the web site and the mail server. lankey.local is the internal domain of the Active Directory directory service, which holds the accounts of users, computers, printers, servers and enterprise applications. Sometimes the external and internal domain names are made the same.
Microsoft Active Directory has become the standard for enterprise unified directory systems. A domain based on Active Directory has been implemented in almost all companies in the world, and Microsoft has practically no competitors left in this market: the share of Novell Directory Service (NDS) is negligible, and the remaining companies are gradually migrating to Active Directory.
Active Directory (Directory Service) is a distributed database that contains all objects in a domain. The Active Directory domain environment provides a single point of authentication and authorization for users and applications across the enterprise. The construction of an enterprise IT infrastructure begins with the organization of a domain and the deployment of Active Directory. The Active Directory database is stored on dedicated servers, the domain controllers. Active Directory is a server role of the Microsoft Windows Server operating systems. At the moment, LanKey is implementing Active Directory domains based on Windows Server 2008 R2.
Deploying Active Directory over a Workgroup provides the following benefits:
- Single point of authentication. When computers work in a workgroup, they do not have a single user database; each computer has its own. Therefore, by default, no user has network access to another user's computer or server. And, as you know, the point of the network is precisely so that users can interact. Employees need to share documents or applications. In a workgroup, on each computer or server, you will have to manually add a complete list of users who require network access. If one of the employees wants to change his password, it will need to be changed on all computers and servers. That is manageable if the network consists of 10 computers, but if there are 100 or 1000 of them, using a workgroup becomes unacceptable. When using an Active Directory domain, all user accounts are stored in one database, and all computers authenticate users against it. All domain users are included in the appropriate groups, for example, “Accounting”, “HR”, “Finance Department”, etc. It is enough to set permissions for certain groups once, and all users will have appropriate access to documents and applications. If a new employee joins the company, an account is created for him and included in the appropriate group, and that’s it! After a couple of minutes, the new employee gets access to all network resources to which he should be allowed access, on all servers and computers. If an employee quits, it is enough to block or delete his account, and he immediately loses access to all computers, documents and applications.
- Single point of policy management. In a peer-to-peer network (workgroup), all computers have equal rights. None of the computers can control the others, all computers are configured differently, and it is impossible to monitor compliance with uniform policies or security rules. When using a single Active Directory, all users and computers are hierarchically distributed across organizational units, each of which is subject to the same group policies. Policies allow you to set uniform configuration and security settings for a group of computers and users. When a new computer or user is added to a domain, it automatically receives settings that comply with accepted corporate standards. Using policies, you can also centrally assign network printers to users, install the necessary applications, set Internet browser security settings, configure Microsoft Office applications, etc.
- Integration with corporate applications and equipment. The big advantage of Active Directory is its compliance with the LDAP standard, which is supported by hundreds of applications, such as mail servers (Exchange, Lotus, Mdaemon), ERP systems (Dynamics, CRM), proxy servers (ISA Server, Squid), etc. Moreover, these are not only applications for Microsoft Windows, but also servers based on Linux. The advantage of such integration is that the user does not need to remember a large number of logins and passwords to access particular applications; in all applications the user has the same credentials, because authentication occurs in a single Active Directory. In addition, the employee does not need to enter his username and password several times; it is enough to log in once when starting the computer, and afterwards the user is automatically authenticated in all applications. Windows Server provides the RADIUS protocol for integration with Active Directory, which is supported by a large number of network equipment. This way, you can, for example, provide authentication for domain users when connecting to a Cisco router via VPN.
- Unified application configuration repository. Some applications, such as Exchange Server or Office Communications Server, store their configuration in Active Directory. Deployment of the Active Directory directory service is a prerequisite for these applications to work. You can also store the DNS domain name server configuration in the directory service. Storing application configuration in a directory service offers flexibility and reliability benefits. For example, in the event of a complete failure of the Exchange server, its entire configuration remains intact, because it is stored in Active Directory. To restore corporate mail functionality, it is enough to reinstall the Exchange server in recovery mode.
- Increased level of information security. Using Active Directory significantly increases the level of network security. Firstly, it is a single and secure account storage. In a peer-to-peer network, user credentials are stored in a local account database (SAM), which can theoretically be hacked by taking over the computer. In a domain environment, all domain user passwords are stored on dedicated domain controller servers, which are usually protected from external access. Secondly, when using a domain environment, the Kerberos protocol is used for authentication, which is much more secure than NTLM, which is used in workgroups. You can also use two-factor authentication with smart cards to log users into the system. That is, in order for an employee to gain access to the computer, he will need to enter his username and password, as well as insert his smart card.
Active Directory Scalability and Resiliency
The Microsoft Active Directory directory service is highly scalable. More than 2 billion objects can be created in an Active Directory forest, which allows the directory service to be implemented in companies with hundreds of thousands of computers and users. The hierarchical structure of domains allows you to flexibly scale the IT infrastructure to all branches and regional divisions of companies. For each branch or division of a company, a separate domain can be created, with its own policies, its own users and groups. For each child domain, administrative authority can be delegated to local system administrators. At the same time, child domains are still subordinate to their parents.
In addition, Active Directory allows you to configure trust relationships between domain forests. Each company has its own forest of domains, each with its own resources. But sometimes you need to provide access to your corporate resources to employees from partner companies. For example, when participating in joint projects, employees from partner companies may need to work together on common documents or applications. To do this, trust relationships can be set up between organizational forests, which will allow employees from one organization to log in to the domain of another.
Fault tolerance of the directory service is ensured by deploying 2 or more domain controller servers in each domain. All changes are automatically replicated between domain controllers. If one of the domain controllers fails, the functionality of the network is not affected, because the remaining ones continue to work. An additional level of fault tolerance is provided by placing DNS servers on domain controllers in Active Directory, which allows each domain to have multiple DNS servers serving the main domain zone. If one of the DNS servers fails, the remaining ones continue to work, and they remain accessible both for reading and for writing, which cannot be ensured using, for example, BIND DNS servers based on Linux.
Benefits of upgrading to Windows Server 2008 R2
Even if your company already has an Active Directory directory service running on Windows Server 2003, you can reap a number of benefits by upgrading to Windows Server 2008 R2. Windows Server 2008 R2 provides the following additional features:
Read-only Domain Controller (RODC). Domain controllers store user accounts, certificates, and much other sensitive information. If the servers are located in secure data centers, you can be calm about the safety of this information, but what if the domain controller is located in a branch office in a publicly accessible place? In this case, there is a possibility that the server will be stolen by attackers and hacked, and its data then used to organize an attack on your corporate network in order to steal or destroy information. It is to prevent such cases that branch offices install read-only domain controllers (RODCs). Firstly, RODC controllers do not store user passwords, but only cache them to speed up access, and secondly, they use one-way replication, only from the central servers to the branch, but not back. Even if attackers take over the RODC domain controller, they will not obtain user passwords and will not be able to cause damage to the main network.
Recovering deleted Active Directory objects. Almost every system administrator has faced the need to restore an accidentally deleted user account or an entire group of users. In Windows 2003, this required restoring the directory service from a backup, which often did not exist, but even if there was one, the restoration took quite a long time. Windows Server 2008 R2 introduced the Active Directory Recycle Bin. Now, when you delete a user or computer, it goes to the recycle bin, from which it can be restored in a couple of minutes within 180 days, preserving all the original attributes.
Simplified management. Windows Server 2008 R2 includes a number of changes that significantly reduce the burden on system administrators and make the IT infrastructure easier to manage. For example, the following tools have appeared: auditing of Active Directory changes, showing who changed what and when; password complexity policies that can be configured at the user group level, where previously this was only possible at the domain level; new user and computer management tools; policy templates; management from the PowerShell command line, etc.
Implementing Active Directory
The Active Directory directory service is the heart of an enterprise's IT infrastructure. If it fails, the entire network, all servers, and the work of all users will be paralyzed. No one will be able to log into a computer or access their documents and applications. Therefore, the directory service must be carefully designed and deployed, taking into account all possible nuances. For example, the structure of sites should be built on the basis of the physical topology of the network and the capacity of channels between branches or offices of the company, because this directly affects the speed of user login, as well as replication between domain controllers. In addition, Exchange Server 2007/2010 performs mail routing based on the site topology. You also need to correctly calculate the number and placement of global catalog servers, which store universal group lists and many other commonly used attributes across all domains in the forest. That is why companies assign the task of implementing, reorganizing or migrating the Active Directory directory service to system integrators. However, you should not make a mistake when choosing a system integrator; you should make sure that it is certified to perform this type of work and has the appropriate competencies.
LanKey is a certified system integrator and has Microsoft Gold Certified Partner status. LanKey holds the Datacenter Platform (Advanced Infrastructure Solutions) competency, which confirms our experience and qualifications in matters related to the deployment of Active Directory and the implementation of server solutions from Microsoft.
All work in the projects is performed by Microsoft-certified engineers (MCSE, MCITP) who have extensive experience in large and complex projects to build IT infrastructures and implement Active Directory domains.
LanKey will develop the IT infrastructure, deploy the Active Directory directory service and ensure the consolidation of all existing enterprise resources into a single information space. The implementation of Active Directory will help reduce the total cost of ownership of an information system, as well as increase the efficiency of sharing common resources. LanKey also provides services for domain migration, consolidation and separation of IT infrastructures during mergers and acquisitions, maintenance and support of information systems.
Examples of some Active Directory implementation projects implemented by LanKey:
Customer | Description of the solution |
---|---|
 | In connection with the purchase in December 2011 of 100% of the shares of OJSC SIBUR-Minudobreniya (later renamed OJSC SDS-Azot) by the Siberian Business Union holding company, the need arose to separate the IT infrastructure of OJSC SDS-Azot from the SIBUR Holding network. LanKey migrated the Active Directory directory service of the SIBUR-Minudobreniya division from the SIBUR holding network to a new infrastructure. User accounts, computers, and applications were also migrated. Based on the results of the project, a letter of gratitude was received from the customer. |
 | In connection with business restructuring, the Active Directory directory service was deployed for the central office and 50 Moscow and regional stores. The directory service provided centralized management of all enterprise resources, as well as authentication and authorization of all users. |
 | As part of a comprehensive project to create an enterprise IT infrastructure, LanKey deployed an Active Directory domain for the management company and 3 regional divisions. A separate site was created for each branch; 2 domain controllers were deployed in each site. Certification services were also deployed. All services were deployed on virtual machines running Microsoft Hyper-V. The quality of LanKey's work was noted in the customer's review. |
 | As part of a comprehensive project to create a corporate information system, the Active Directory directory service was deployed based on Windows Server 2008 R2. The system was deployed using server virtualization technology running Microsoft Hyper-V. The directory service provided unified authentication and authorization for all hospital employees, and also ensured the functioning of applications such as Exchange, TMG, SQL, etc. |
 | The Active Directory directory service was deployed on Windows Server 2008 R2. In order to reduce costs, the installation was carried out in a server virtualization system based on Microsoft Hyper-V. |
 | As part of a comprehensive project to create an enterprise IT infrastructure, a directory service based on Windows Server 2008 R2 was deployed. All domain controllers were deployed using the Microsoft Hyper-V server virtualization system. The quality of work is confirmed by the feedback received from the customer. |
 | The functionality of the Active Directory directory service was restored in the shortest possible time in a critical business situation. LanKey specialists restored the functionality of the root domain in just a couple of hours and wrote instructions for restoring replication of 80 branch offices. We received feedback from the customer for the efficiency and quality of the work. |
 | As part of a comprehensive project to create an IT infrastructure, an Active Directory domain was deployed based on Windows Server 2008 R2. The functionality of the directory service was ensured using 5 domain controllers deployed on a cluster of virtual machines. Backup of the directory service was implemented using Microsoft Data Protection Manager 2010. The quality of work was confirmed by feedback. |
 | As part of a comprehensive project to build a corporate information system, the Active Directory unified directory service was deployed based on Windows Server 2008. The IT infrastructure was built using Hyper-V virtualization. After completion of the project, an agreement was concluded for further maintenance of the information system. The quality of the work is confirmed by the review. |
Oil and gas technologies | As part of a comprehensive project to create an IT infrastructure, a single Active Directory directory was deployed based on Windows Server 2008 R2. The project was completed in 1 month. After completion of the project, an agreement was concluded for further maintenance of the system. The quality of work is confirmed by the review. |
 | Active Directory was deployed on Windows Server 2008 as part of the Exchange Server 2007 implementation project. |
 | Reorganized the Active Directory directory service based on Windows Server 2003 before implementing Exchange Server 2007. The quality of work was confirmed by feedback. |
 | The Active Directory directory service was deployed on Windows Server 2003 R2. After completion of the project, a contract was signed for further maintenance of the system. The quality of work is confirmed by the review. |
 | Active Directory was deployed on Windows Server 2003. After completion of the project, an agreement was signed for further support of the system. |
Because Microsoft Windows Server 2003 and Microsoft Exchange Server 2007 depend on Active Directory for directory services, you must determine how to integrate Exchange 2007 into your Active Directory structure. Active Directory includes the following logical elements, the combination of which defines the Active Directory topology:
- One or more domains
- One or more Active Directory sites
Active Directory forests
A forest represents the outermost boundary of the directory service. The forest operates in the context of end-to-end security, so that all resources within the forest explicitly trust each other regardless of their location in the forest. Each forest shares a common directory schema and directory service configuration. A forest can consist of one or more domains. There are two types of forest topologies: single forest and multiple forests.
Single forest topology
In a single-forest topology, Exchange is installed in a single Active Directory forest that spans the entire organization. All user and group accounts, as well as all Exchange configuration data, reside in the same forest.
If your organization uses a single Active Directory forest, Exchange 2007 can be installed in that forest. We recommend using the Exchange single-forest design because it offers the maximum range of email system capabilities and because it provides the simplest administration model. Because all resources are contained in a single forest, one GAL contains all users from the entire forest. This case is shown in the following figure.
The single forest option offers the following advantages:
- The richest set of email system features.
- Simple administration model.
- Take advantage of your existing Active Directory structure.
- GAL synchronization is not required.
The main disadvantage associated with a single forest is that administrators must determine how to consolidate or share responsibility for managing Active Directory and Exchange objects.
Multi-forest topology
Although a single forest topology is recommended because it provides the greatest range of messaging capabilities, there are various reasons why you might want to implement multiple forests. These reasons may include, for example:
- Having multiple departments that require messaging service isolation.
- The presence of several departments with different schema requirements.
- A merger, acquisition or division that has occurred.
In any case, the only way to establish strict boundaries between organizational units is to create a separate Active Directory forest for each organizational unit. When using this Active Directory configuration, the preferred way to implement Exchange is to create an Exchange resource forest. For more information about Exchange resource forests, see the "Resource Forest Topology" section later in this topic.
But there are scenarios in which a resource forest may not be possible (for example, during mergers or acquisitions, or when multiple forests already have their own Exchange instances running). In these cases, a cross-forest topology can be implemented.
Cross forest topology
In a cross-forest topology, a company uses multiple Active Directory forests, each containing an Exchange organization. Unlike a resource forest topology, user accounts are not separated from their mailboxes. Instead, the user account and the corresponding mailbox are in the same forest.
The main benefit of implementing a cross-forest topology is the ability to isolate data and security boundaries between Exchange organizations. But this topology has the following disadvantages:
- The richest set of messaging features is not available.
- When you move mailboxes from one forest to another, delegated permissions are not preserved if there is no contact in the target forest to delegate, or if you move a mailbox delegate at the same time.
- Although you can synchronize free/busy information across forests so you can use it to schedule meetings, you cannot use Open Another User's Folder to view a user's calendar data from another forest.
- Because the group from another forest is represented as a contact, you cannot view the group members. Until a letter is sent to the forest containing the group represented by the contact, the group's membership is not expanded.
- Synchronization of directory objects across forests is required, as is replication of free/busy information. The most commonly used directory synchronization solutions are Microsoft Identity Integration Server (MIIS) 2003 SP2 or Identity Integration Feature Pack for Microsoft Windows Server Active Directory Service Pack 2. For sharing free/busy and calendar information between Exchange organizations in different forests, the Exchange 2007 Availability service can be used.
Resource forest topology
In some cases, you may need to create a separate, dedicated Active Directory forest to run Exchange. For example, there may be a situation where you want to preserve an existing Active Directory forest. Or you may want to separate the administration of Active Directory objects from Exchange objects. In such cases you may need to create a separate Active Directory forest dedicated to running Exchange. This separate dedicated forest is called an Exchange resource forest. In the resource forest model, Exchange is installed in an Active Directory forest that is separate from the Active Directory forest that contains users, computers, and application servers. This option is typically used by companies that require security boundaries between Active Directory administration and Exchange administration.
An Exchange resource forest is dedicated to running Exchange and hosting mailboxes. User accounts are contained in one or more forests called account forests. Account forests are separate from the Exchange resource forest. A one-way trust is created between the account forest and the Exchange resource forest, so that the Exchange forest trusts the account forest and users in the account forest can access mailboxes in the Exchange resource forest. Because an Exchange organization cannot span Active Directory forest boundaries, each mailbox created in the Exchange resource forest must have a corresponding user object in the Exchange resource forest. User objects in the Exchange resource forest are never used for user logon and are disabled to prevent their use. Users usually do not even know about the existence of the duplicate account. Because the account in the Exchange resource forest is disabled and is not used for logon, the real user account in the account forest must be given the logon right to the mailbox. Access is granted by storing the security identifier (SID) of the user object from the account forest in the msExchMasterAccountSID attribute of the disabled user object in the Exchange resource forest.
You may not need directory synchronization if you are using an Exchange resource forest. From an Exchange and Outlook perspective, all objects listed in the directory service come from one place, in this case the directory service that hosts the Exchange forest. However, if you have data associated with GALs in your account forests, synchronization may be required to get the data into the Exchange resource forest for use in GALs. Additionally, you may need to configure the process so that when an account is created in the account forest, a disabled account with a mailbox is created in the Exchange resource forest.
An enabled user in the account forest is associated with a mailbox that is attached to a disabled user in the resource forest. This configuration gives users access to mailboxes located in other forests. This scenario configures a trust relationship between the resource forest and the account forest. You may also want to configure the provisioning process so that each time an administrator creates a user in the account forest, a disabled user with a mailbox is created in the Exchange resource forest.
Because all Exchange resources are in the same forest, one GAL will contain all users in the forest. The main benefit of the Exchange dedicated forest scenario is the security boundary between Active Directory and Exchange administration.
There are a number of disadvantages associated with this topology, including the following:
- Implementing a resource forest provides separation of Exchange and Active Directory administration, but the cost associated with deploying a resource forest may outweigh the need for such separation.
- Microsoft Windows hosts that will run Exchange will require the installation of additional domain controllers and global catalog servers, which will increase the cost.
- An initialization process is required to reflect Active Directory changes in Exchange. When you create an object in one forest, you must be sure that the corresponding object is created in the other forest. For example, if you create a user in one forest, make sure that a placeholder for that user is created in the other forest. The corresponding objects can be created manually, or the process can be automated.
A variant of the resource forest scenario is multiple forests, one of which hosts Exchange. When using multiple Active Directory forests, Exchange deployment depends on the degree of autonomy that you plan to maintain between forests. For companies with departments that require security boundaries (forests) of directory objects but can share Exchange objects, you might consider deploying Exchange in one of the forests and using that forest to host mailboxes from other forests in the company. Because all Exchange resources are in the same forest, one GAL will contain all users from all forests.
This scenario has the following main advantages:
- Using an existing Active Directory structure.
- Using existing domain controllers and global catalog servers.
- Ensuring strict security boundaries between forests.
The disadvantages of this scenario include the following features:
- The need for an initialization process that reflects Active Directory changes in Exchange. For example, you could create a script that, when a new Active Directory user is created in Forest A, creates a disabled object in Forest B with permissions that grant access to a mailbox.
- The need for forest administrators to determine how to consolidate or share responsibility for managing Active Directory and Exchange objects.
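The provisioning step described above for the resource forest (the disabled placeholder user whose msExchMasterAccountSID points at the account-forest user) and the audit a defender wants afterwards, as an added PowerShell example that is not part of the original page and not Microsoft's own script. It assumes the Exchange Management Shell (Exchange 2007/2010 cmdlets) and the ActiveDirectory module are loaded; the forest names, DC hostnames, OU, database and the ACCOUNTS NetBIOS name are placeholders.

```powershell
# Added example, not from the original page. Placeholders below must be replaced.
$ResourceDc  = 'dc01.exchange.example'                # DC in the Exchange resource forest
$AccountDc   = 'dc01.accounts.example'                # DC in the account forest
$LinkedOu    = 'OU=Linked Mailboxes,DC=exchange,DC=example'
$Database    = 'MBX-DB01'                             # mailbox database in the resource forest
$AccountCred = Get-Credential -Message 'Account forest credential (read access is enough)'

# Provisioning ("initialization process" in the text): New-Mailbox with
# -LinkedMasterAccount creates a DISABLED user in the resource forest and writes
# the account-forest user's SID into its msExchMasterAccountSid attribute.
function New-LinkedMailboxForUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # sAMAccountName in the account forest
        [Parameter(Mandatory)][string]$DisplayName
    )
    New-Mailbox -Name $DisplayName `
        -Alias $SamAccountName `
        -UserPrincipalName "$SamAccountName@exchange.example" `
        -OrganizationalUnit $LinkedOu `
        -Database $Database `
        -LinkedMasterAccount "ACCOUNTS\$SamAccountName" `
        -LinkedDomainController $AccountDc `
        -LinkedCredential $AccountCred
}

# Audit: every resource-forest object carrying msExchMasterAccountSid must be
# disabled (it is never meant for logon) and must point at an enabled account in
# the account forest. S-1-5-10 (SELF) marks a shared/resource mailbox, not a linked one.
function Test-LinkedMailboxes {
    $placeholders = Get-ADUser -Server $ResourceDc -SearchBase $LinkedOu `
        -LDAPFilter '(msExchMasterAccountSid=*)' -Properties msExchMasterAccountSid

    foreach ($u in $placeholders) {
        # The AD module normally returns SID-syntax attributes as SecurityIdentifier;
        # handle a raw byte[] too, in case the attribute comes back undecoded.
        $raw = $u.msExchMasterAccountSid
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }

        $problems = @()
        if ($u.Enabled) { $problems += 'resource-forest placeholder is ENABLED' }

        if ($sid.Value -eq 'S-1-5-10') {
            $master = 'SELF (shared mailbox)'
        } else {
            try {
                $acct = Get-ADUser -Server $AccountDc -Credential $AccountCred `
                    -Identity $sid.Value -ErrorAction Stop
                $master = $acct.SamAccountName
                if (-not $acct.Enabled) { $problems += 'master account is disabled' }
            } catch {
                $master = $sid.Value
                $problems += 'master SID does not resolve in the account forest'
            }
        }

        [pscustomobject]@{
            ResourceUser  = $u.SamAccountName
            MasterAccount = $master
            Problems      = ($problems -join '; ')
        }
    }
}

# Report only the placeholders that violate the model.
Test-LinkedMailboxes | Where-Object { $_.Problems } | Format-Table -AutoSize
```

An enabled placeholder or a master SID that no longer resolves (a user deleted in the account forest while the mailbox lingers) are the two conditions worth alerting on after every provisioning run.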
Active Directory Domains
A domain is a collection of security principals and other jointly administered entities. Domains are flexible structures. The choice of what will be included in the domain remains open and is left to the discretion of the administrator. For example, a domain may represent a group of users and computers physically located in one location, or it may represent all users and all computers across many locations in a large geographic region. By consolidating administration and infrastructure, domains tend to be spread over larger geographic regions to reduce support costs. But as directory services grow in size, users of the directory must still be able to reach the relevant resources as efficiently as possible.
Active Directory Sites
Active Directory sites are a logical collection of well-connected computers in Active Directory. Within an Active Directory site, you can direct client computers to use specific sets or groups of directory resources. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and the required replication. These subnets may or may not correspond to the physical topology.
The following figure shows several of the most typical relationships between Active Directory logical definitions and physical locations.
Active Directory Deployment Scenarios
There are four main scenarios for integrating Exchange with Active Directory:
- Single forest
- Resource forest
- Cross forest
- Mergers and acquisitions
The following table summarizes the benefits of each scenario.
Active Directory Scenario | Description | Why is this scenario used? |
---|---|---|
Single forest | Users and their mailboxes are in the same forest. | |
Resource forest | One of the forests is dedicated to running Exchange and hosting Exchange mailboxes. User accounts associated with mailboxes are contained in one or more separate forests. | |
Cross forest | Exchange runs in separate forests, but the email feature is available in other forests. | |
Mergers and acquisitions | Mergers and acquisitions often involve the coexistence of Exchange organizations prior to the merger. Planning issues are similar to the multiple forest scenario with additional migration considerations. | Mergers and acquisitions present a special case of multi-forest deployments that require additional attention to migration issues. |
The domain or forest functional level determines the functionality available for use. A higher functional level of a domain or forest allows you to use additional features that have appeared in recent versions of Active Directory. However, even if you are using the latest versions of domain controllers, but you have not promoted the domain level, the new AD domain functionality will not be available.
For example, if you have Windows Server 2012 or Windows Server 2016 domain controllers installed, but the domain functional level is Windows Server 2003, then an option such as the Active Directory Recycle Bin will not be available, since the ability to enable it appears only at the Windows Server 2008 R2 domain functional level and up.
Determine the current domain and forest functional level through the GUI
To determine the current domain and forest functional levels using the GUI, launch the Active Directory Domains and Trusts snap-in; the General tab of the domain's properties displays the current domain and forest functional levels.
Determine current functional level via PowerShell
To determine the current functional level of a domain using PowerShell, start Windows PowerShell and run the command:
Get-ADDomain | fl Name, DomainMode
To determine the current forest functional level using PowerShell, start Windows PowerShell and run the command:
Get-ADForest | fl Name, ForestMode
The result of executing the commands is shown in the figure below:
How to increase the functional level of a domain through the GUI
Before you can raise a domain functional level, all domain controllers must be running the corresponding version of Windows Server or later. For example, before you can raise a domain functional level to Windows Server 2012 R2, all domain controllers in the domain must be running Windows Server 2012 R2 or higher. When setting up a new AD domain, it is recommended to set the domain functional level to the highest possible level, provided you do not plan to use older server versions as domain controllers. Raising the domain functional level gives access to features that are exclusive to that functional level. To raise the functional level of a domain, you must be a member of the Domain Admins group. To raise a domain functional level using the GUI, run the Active Directory Domains and Trusts snap-in, right-click the domain whose functional level you want to raise and select Raise Domain Functional Level:
In the window that opens, select the desired functional level of the domain and click the Raise button
How to increase the functional level of the forest through the GUI
Before you can raise the forest functional level, all domains in the forest must be at the same or a higher domain functional level. To raise the forest functional level, you must be a member of the Enterprise Admins group. To raise the forest functional level using the GUI, run the Active Directory Domains and Trusts snap-in, right-click the root item of the tree and select Raise Forest Functional Level:
In the window that opens, select the desired forest functional level and click the Raise button
Important: Domain and forest functional level elevations cannot be reversed or downgraded. Exception: Domain functional level can only be downgraded from Windows Server 2008 R2 to Windows Server 2008; in all other cases this operation cannot be reversed.
How to Raise a Domain Functional Level Using PowerShell
To raise the functional level of a domain using PowerShell, run the command:
Set-ADDomainMode -Identity lab.lan -DomainMode Windows2012R2Domain
where:
Identity: the DNS domain name (lab.lan in the example)
DomainMode: the target domain functional level. This parameter can take the following values:
- Windows Server 2000: 0 or Windows2000Domain
- Windows Server 2003 Interim: 1 or Windows2003InterimDomain
- Windows Server 2003: 2 or Windows2003Domain
- Windows Server 2008: 3 or Windows2008Domain
- Windows Server 2008 R2: 4 or Windows2008R2Domain
- Windows Server 2012: 5 or Windows2012Domain
- Windows Server 2012 R2: 6 or Windows2012R2Domain
- Windows Server 2016: 7 or Windows2016Domain
To raise the functional level of the forest using PowerShell, run the command:
Set-ADForestMode -Identity lab.lan -ForestMode Windows2012Forest
where:
Identity: the DNS forest name (lab.lan in the example)
ForestMode: the target forest functional level. This parameter can take the following values:
- Windows Server 2000: Windows2000Forest or 0
- Windows Server 2003 Interim: Windows2003InterimForest or 1
- Windows Server 2003: Windows2003Forest or 2
- Windows Server 2008: Windows2008Forest or 3
- Windows Server 2008 R2: Windows2008R2Forest or 4
- Windows Server 2012: Windows2012Forest or 5
- Windows Server 2012 R2: Windows2012R2Forest or 6
- Windows Server 2016: Windows2016Forest or 7
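The whole procedure (read the current levels, verify the prerequisites stated above, raise the domain level, then the forest level) as one PowerShell script. This is an added example, not part of the original article: it uses the article's lab.lan domain, the target levels and the OS-version-to-level mapping are assumptions made for this example, and the Set-ADDomainMode / Set-ADForestMode calls run with -WhatIf so nothing changes until you remove it.

```powershell
# Added example (not from the original article): check current functional levels, verify the
# prerequisites the text lists, and raise the levels with -WhatIf (remove it to apply).
# Requires the ActiveDirectory RSAT module; Domain Admins for the domain level,
# Enterprise Admins for the forest level. lab.lan is the article's example domain;
# the target levels and the OS-version table are assumptions for this example.
Import-Module ActiveDirectory

$DomainName       = 'lab.lan'
$TargetDomainMode = 'Windows2012R2Domain'
$TargetForestMode = 'Windows2012R2Forest'

# 1. Report the current state (same data as Get-ADDomain / Get-ADForest above).
$domain = Get-ADDomain -Identity $DomainName
$forest = Get-ADForest -Identity $domain.Forest
'Domain {0}: functional level {1}' -f $domain.DNSRoot, $domain.DomainMode
'Forest {0}: functional level {1}' -f $forest.Name, $forest.ForestMode

# 2. Domain prerequisite: every DC must run the target level's Windows Server version or later.
#    Minimum kernel version per domain mode (assumed mapping: 2008 = 6.0, 2008 R2 = 6.1,
#    2012 = 6.2, 2012 R2 = 6.3, 2016 = 10.0).
$MinOsVersion = @{
    'Windows2008Domain'   = [version]'6.0'
    'Windows2008R2Domain' = [version]'6.1'
    'Windows2012Domain'   = [version]'6.2'
    'Windows2012R2Domain' = [version]'6.3'
    'Windows2016Domain'   = [version]'10.0'
}
$required = $MinOsVersion[$TargetDomainMode]
$tooOld = Get-ADDomainController -Filter * -Server $DomainName |
    Where-Object { [version]($_.OperatingSystemVersion -split ' ')[0] -lt $required } |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion
if ($tooOld) {
    Write-Warning "Cannot raise $DomainName to ${TargetDomainMode}: these domain controllers are too old"
    $tooOld | Format-Table -AutoSize
    return
}

# 3. Raise the domain level. This cannot be undone (see the note above), hence -WhatIf first.
Set-ADDomainMode -Identity $DomainName -DomainMode $TargetDomainMode -WhatIf

# 4. Forest prerequisite: every domain in the forest must already be at or above the target level.
#    Domain and forest mode enums share numeric values (0..7 in the tables above), so they compare directly.
$targetLevel = [int][Microsoft.ActiveDirectory.Management.ADForestMode]$TargetForestMode
$lagging = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ } |
    Where-Object { [int]$_.DomainMode -lt $targetLevel } |
    Select-Object DNSRoot, DomainMode
if ($lagging) {
    Write-Warning "Cannot raise forest $($forest.Name) to ${TargetForestMode}: these domains lag behind"
    $lagging | Format-Table -AutoSize
    return
}
Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode -WhatIf

# 5. Show which optional feature the new level unlocks (the Recycle Bin example from the text).
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' |
    Select-Object Name, RequiredForestMode, EnabledScopes
```

Because the raise cannot be undone, the script refuses to continue when any domain controller or any domain fails its prerequisite instead of relying on the cmdlet's own error; run it once with -WhatIf, read the warnings, and only then remove the switch.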
Active Directory
Active Directory (AD) is Microsoft's LDAP-compatible implementation of a directory service for the Windows NT family of operating systems. Active Directory allows administrators to use group policies to ensure a uniform configuration of the user working environment, to deploy software to many computers through group policies or through System Center Configuration Manager (formerly Microsoft Systems Management Server), and to install operating system, application and server software updates on all computers on the network using Windows Server Update Services. Active Directory stores data and environment settings in a centralized database. Active Directory networks can be of different sizes: from a few dozen to several million objects.
Active Directory was first presented in 1999; the product was first released with Windows 2000 Server, and then modified and improved with the release of Windows Server 2003. Subsequently Active Directory was improved in Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2 and renamed Active Directory Domain Services. The directory service was previously called NT Directory Service (NTDS), a name still found in some executable files.
Unlike Windows versions before Windows 2000, which mainly used the NetBIOS protocol for network communication, Active Directory is integrated with DNS and TCP/IP. The default authentication protocol is Kerberos. If a client or application does not support Kerberos authentication, NTLM is used.
Design
Objects
Active Directory has a hierarchical structure consisting of objects. Objects fall into three main categories: resources (such as printers), services (such as email), and user and computer accounts. Active Directory provides information about objects, allows you to organize objects, control access to them, and also establishes security rules.
Objects can be containers for other objects (security and distribution groups). An object is uniquely identified by its name and has a set of attributes—characteristics and data—that it can contain; the latter, in turn, depend on the type of object. Attributes form the basis of the structure of an object and are defined in the schema. The schema defines what types of objects can exist.
The schema itself consists of two types of objects: schema class objects and schema attribute objects. One schema class object defines one Active Directory object type (such as a User object), and one schema attribute object defines an attribute that an object can have.
Each attribute object can be used in several different schema class objects. These objects are called schema objects (or metadata) and allow the schema to be changed and extended as needed. However, every schema object is part of the Active Directory object definitions, so disabling or changing these objects can have serious consequences, since such actions change the structure of Active Directory. Changes to a schema object are automatically propagated through Active Directory. Once created, a schema object cannot be deleted, only disabled. Typically, all schema changes are planned carefully.
A container is similar to an object in that it also has attributes and belongs to a namespace, but, unlike an object, a container does not stand for anything concrete: it can contain a group of objects or other containers.
Structure
The top level of the structure is the forest: the collection of all objects, attributes and rules (attribute syntax) in Active Directory. A forest contains one or more trees linked by transitive trust relationships. A tree contains one or more domains, also linked into a hierarchy by transitive trust relationships. Domains are identified by their DNS name structures, the namespaces.
Objects in a domain can be grouped into containers called organizational units (OUs). OUs allow a hierarchy to be created within a domain, simplify its administration and make it possible to model the organizational and/or geographical structure of a company in Active Directory. OUs may contain other OUs. Microsoft recommends using as few domains as possible in Active Directory and using OUs for structuring and for policies. Group policies are often applied specifically to OUs; group policies are themselves objects. An OU is the lowest level at which administrative authority can be delegated.
Another way of dividing Active Directory is into sites, a method of physical (rather than logical) grouping based on network segments. Sites are divided into those connected via low-speed links (for example, WAN links or virtual private networks) and those connected via high-speed links (for example, a local network). A site can contain one or more domains, and a domain can contain one or more sites. When designing Active Directory it is important to consider the network traffic generated when data is synchronized between sites.
A key Active Directory design decision is how to divide the information infrastructure into hierarchical domains and top-level organizational units. Typical models for such a division are division by the company's functional departments, by geographical location and by role in the company's information infrastructure; combinations of these models are often used.
Physical structure and replication
Physically, the information is stored on one or more equivalent domain controllers, which replace the primary and backup domain controllers used in Windows NT, although a so-called "single master operations" server is retained for some operations and can emulate a primary domain controller. Each domain controller holds a read-write copy of the data. Changes made on one controller are synchronized to all domain controllers through replication. Servers that do not run the Active Directory service itself but are members of an Active Directory domain are called member servers.
Active Directory replication is performed on request. The Knowledge Consistency Checker service builds a replication topology that uses the sites defined in the system to control traffic. Intra-site replication happens frequently and automatically via the consistency checker (replication partners are notified of changes). Inter-site replication can be configured per site link (depending on link quality): each link can be assigned a different "score" (or "cost"), for example DS3, ISDN, etc., and replication traffic is limited, scheduled and routed according to the assigned link cost. Replicated data can flow transitively across several sites via site link bridges if the cost is low, although AD automatically assigns a lower cost to direct site-to-site links than to transitive ones. Site-to-site replication is performed by bridgehead servers in each site, which then replicate the changes to every domain controller in their site. Intra-domain replication uses RPC over IP; inter-domain replication can also use SMTP.
If the Active Directory structure contains several domains, the global catalog is used to solve the object-search problem: a domain controller that holds all objects of the forest but with a limited set of attributes (a partial replica). The catalog is stored on designated global catalog servers and serves cross-domain queries.
Single-master operations (flexible single-master operations, FSMO) allow requests to be processed when multi-master replication is not possible. There are five such operations: PDC emulator, relative identifier master (RID master), infrastructure master, schema master and domain naming master. The first three roles are unique within a domain, the last two within the entire forest.
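An added PowerShell example (not from the original article) that lists the five role holders and applies one placement check a practitioner would want: in a multi-domain forest the infrastructure master should not sit on a global catalog unless every domain controller in that domain is also a global catalog, otherwise cross-domain group-membership references are never updated. The cmdlets are those of Microsoft's ActiveDirectory module; no server or domain names are assumed.

```powershell
# Added example (not from the original article): enumerate the five single-master (FSMO)
# role holders and check infrastructure-master placement. Requires the ActiveDirectory
# RSAT module on a domain-joined host; no server or domain names are hard-coded.
Import-Module ActiveDirectory

function Get-FsmoRoleReport {
    $forest = Get-ADForest
    # Forest-wide roles: exactly one holder in the whole forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = $forest.Name; Role = $role; Holder = $forest.$role }
    }
    # Domain-wide roles: one holder per domain.
    foreach ($domainName in $forest.Domains) {
        $dom = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = $dom.DNSRoot; Role = $role; Holder = $dom.$role }
        }
    }
}

function Test-FsmoPlacement {
    param([Parameter(Mandatory)][object[]]$Report)
    $forest = Get-ADForest
    $allDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    foreach ($entry in $Report) {
        $dc    = $allDcs | Where-Object HostName -eq $entry.Holder
        $issue = $null
        if (-not $dc) {
            $issue = 'holder is not a known domain controller'
        }
        elseif ($entry.Role -eq 'InfrastructureMaster' -and $dc.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
            # A GC already holds the cross-domain references, so an infrastructure master that is
            # a GC never sees stale references to update unless every DC in the domain is also a GC.
            $inDomain = @($allDcs | Where-Object Domain -eq $entry.Scope)
            $gcCount  = @($inDomain | Where-Object IsGlobalCatalog).Count
            if ($gcCount -lt $inDomain.Count) {
                $issue = 'infrastructure master is a GC while some DCs in the domain are not'
            }
        }
        [pscustomobject]@{ Scope = $entry.Scope; Role = $entry.Role; Holder = $entry.Holder; Issue = $issue }
    }
}

$report = @(Get-FsmoRoleReport)
Test-FsmoPlacement -Report $report | Format-Table -AutoSize
```

Any row with a non-empty Issue column deserves attention: a holder that no longer exists as a domain controller means the role was not transferred before that controller was removed, and the role has to be seized.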
The Active Directory database can be divided into three logical stores, or "partitions". The schema is the template for Active Directory and defines all object types, their classes and attributes, and the attribute syntax (all trees are in the same forest because they share the same schema). The configuration partition describes the structure of the Active Directory forest and its trees. The domain partition stores all information about the objects created in that domain. The first two partitions are replicated to all domain controllers in the forest; the third is fully replicated between the domain controllers of each domain and partially replicated to global catalog servers.
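Site link costs and replication health, as an added PowerShell example that is not part of the original article: it lists the site links with their cost and interval, then every replication partnership that has consecutive failures or no successful replication within an assumed 24-hour threshold. Stalled replication is a security problem as much as an availability one, since an account disabled on one controller stays usable wherever the change has not yet arrived. The cmdlets are those of Microsoft's ActiveDirectory module.

```powershell
# Added example (not from the original article): inspect the site topology and replication
# health described above. Requires the ActiveDirectory RSAT module on a domain-joined host;
# the 24-hour threshold is an assumption for this example.
Import-Module ActiveDirectory

function Get-SiteLinkReport {
    # Each site link carries a cost and a replication interval; the KCC prefers low-cost paths.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
        ForEach-Object {
            [pscustomobject]@{
                SiteLink        = $_.Name
                Cost            = $_.Cost
                IntervalMinutes = $_.ReplicationFrequencyInMinutes
                # SitesIncluded holds site DNs; keep only the site name from the first RDN.
                Sites           = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
            }
        }
}

function Get-ReplicationHealth {
    param([int]$MaxHoursSinceSuccess = 24)   # assumed threshold: flag partners silent for a day
    $now = Get-Date
    Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest |
        ForEach-Object {
            $hours = ($now - $_.LastReplicationSuccess).TotalHours
            [pscustomobject]@{
                Server       = ($_.Server -split '\.')[0]
                # Partner is the NTDS Settings DN; the second RDN is the partner DC's name.
                Partner      = ($_.Partner -split ',')[1] -replace '^CN='
                Partition    = $_.Partition
                HoursSinceOk = [math]::Round($hours, 1)
                Failures     = $_.ConsecutiveReplicationFailures
                LastResult   = $_.LastReplicationResult
                Flag         = ($_.ConsecutiveReplicationFailures -gt 0) -or ($hours -gt $MaxHoursSinceSuccess)
            }
        }
}

Get-SiteLinkReport | Format-Table -AutoSize
# Only the partnerships that need attention; drop the Where-Object to see everything.
Get-ReplicationHealth | Where-Object Flag | Format-Table -AutoSize
```

Running Get-ReplicationHealth on a schedule and alerting on any flagged row gives an early warning that a site is falling behind before users notice stale passwords or missing group memberships.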
Naming
Active Directory supports the following object naming formats: UNC, URL and LDAP URL names. Internally, Active Directory uses the LDAP version of the X.500 naming format.
Each object has a distinguished name (DN). For example, a printer object named HPLaser3 in the Marketing OU of the domain foo.org has the distinguished name CN=HPLaser3,OU=Marketing,DC=foo,DC=org, where CN is the common name, OU is the organizational unit and DC is the domain object class. Distinguished names can have many more parts than the four in this example. Objects also have canonical names: distinguished names written in reverse order, without identifiers and with forward slashes as delimiters, for example foo.org/Marketing/HPLaser3. To identify an object inside its container, the relative distinguished name is used: CN=HPLaser3. Each object also has a globally unique identifier (GUID), a unique and immutable 128-bit identifier used in Active Directory for lookup and replication. Certain objects also have a user principal name (UPN, in accordance with RFC 822) in the format object@domain.
UNIX integration
Various levels of interaction with Active Directory can be implemented in most UNIX-like operating systems through standards-compliant LDAP clients, but such systems, as a rule, do not understand most of the attributes associated with Windows components, such as group policies and support for one-way trusts.
Third-party vendors offer Active Directory integration on UNIX platforms, including UNIX, Linux, Mac OS X and a number of Java-based applications, with product packages:
The schema extensions included with Windows Server 2003 R2 contain attributes that are close enough to RFC 2307 to be generally usable. The reference implementations of RFC 2307, nss_ldap and pam_ldap offered by PADL.com, support these attributes directly. The default schema for group membership follows RFC 2307bis (proposed). Windows Server 2003 R2 includes a Microsoft Management Console snap-in for creating and editing the attributes.
An alternative is to use another directory service, such as 389 Directory Server (formerly Fedora Directory Server, FDS), eB2Bcom ViewDS v7.1 XML Enabled Directory or Sun Java System Directory Server from Sun Microsystems, which performs two-way synchronization with Active Directory, thus providing "mirrored" integration in which UNIX and Linux clients authenticate against FDS and Windows clients authenticate against Active Directory. Another option is to use OpenLDAP with the translucent overlay, which extends the entries of a remote LDAP server with additional attributes stored in a local database.
Active Directory can be automated using PowerShell.
Windows network administrators cannot avoid getting acquainted with Active Directory. This review article focuses on what Active Directory is and what it is used for.
So, Active Directory is a directory service implementation from Microsoft. In this case, a directory service means a software package that helps the system administrator work with such network resources as shared folders, servers, workstations, printers, users and groups.
Active Directory has a hierarchical structure consisting of objects. All objects are divided into three main categories.
- User and computer accounts;
- Resources (for example, printers);
- Services (e.g., email).
Each object has a unique name and has a number of characteristics. Objects can be grouped.
Active Directory has a forest structure. A forest contains several trees, which contain domains. Domains, in turn, contain the objects mentioned above.
Active Directory structure
Typically, objects in a domain are grouped into organizational units (OUs). OUs serve to build a hierarchy within a domain (organizations, territorial divisions, departments, etc.). This is especially important for organizations that are geographically dispersed. When building the structure, it is recommended to create as few domains as possible, creating separate OUs where necessary; it is to these that group policies are best applied.
Another way to structure Active Directory is sites. Sites are a method of physical, rather than logical, grouping based on network segments.
As already mentioned, each object in Active Directory has a unique name. For example, a printer HPLaserJet4350dtn located in the Lawyers OU of the domain primer.ru will have the name CN=HPLaserJet4350dtn,OU=Lawyers,DC=primer,DC=ru, where CN is the common name, OU the organizational unit and DC the domain object class. An object name can have many more parts than in this example.
Another form of the object name is the canonical name: primer.ru/Lawyers/HPLaserJet4350dtn. Each object also has a globally unique identifier (GUID), a unique and immutable 128-bit identifier used in Active Directory for lookup and replication. Some objects also have a user principal name (UPN) in the format object@domain.
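The naming rules given here and in the Naming section above (distinguished name, canonical name, relative distinguished name), as an added PowerShell example that is not part of the original article: a small parser that splits a DN on unescaped commas, rebuilds the canonical form and returns the RDN. It runs offline in any PowerShell; the sample DNs are constructed, the HPLaser3 / foo.org values being the article's own example.

```powershell
# Added example (not from the original article): parse an LDAP distinguished name into its
# components and derive the canonical and relative forms the text describes. Runs offline in
# any PowerShell; the sample values are constructed (HPLaser3/foo.org are the article's own).

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    # Split only on commas that are not escaped with a backslash (RFC 4514 writes "\," inside a value).
    # Simplification: a value ending in an escaped backslash ("\\") followed by a comma is not handled.
    foreach ($part in [regex]::Split($DN, '(?<!\\),')) {
        $kv = $part.Split('=', 2)
        if ($kv.Count -lt 2) { throw "Malformed RDN '$part' in '$DN'" }
        [pscustomobject]@{
            Type  = $kv[0].Trim().ToUpperInvariant()                  # CN, OU, DC, ...
            Value = $kv[1].Trim() -replace '\\([,=+<>#;"\\])', '$1'   # remove RFC 4514 escapes
        }
    }
}

function ConvertTo-CanonicalName {
    # DN -> "dns.domain/Container/.../Leaf": DC parts joined with dots, the rest reversed.
    param([Parameter(Mandatory)][string]$DN)
    $rdns   = @(Split-DistinguishedName $DN)
    $domain = @($rdns | Where-Object Type -eq 'DC' | ForEach-Object Value) -join '.'
    $path   = @($rdns | Where-Object Type -ne 'DC' | ForEach-Object Value)
    [array]::Reverse($path)
    if ($path.Count -eq 0) { return $domain }
    return $domain + '/' + ($path -join '/')
}

function Get-RelativeDistinguishedName {
    # The leftmost component names the object inside its immediate container.
    param([Parameter(Mandatory)][string]$DN)
    $first = @(Split-DistinguishedName $DN)[0]
    return ('{0}={1}' -f $first.Type, $first.Value)
}

# Constructed sample input: the article's printer, a user whose CN contains an escaped comma,
# and the domain object itself (no container path at all).
$samples = @(
    'CN=HPLaser3,OU=Marketing,DC=foo,DC=org',
    'CN=Smith\, John,OU=Sales,OU=EMEA,DC=foo,DC=org',
    'DC=foo,DC=org'
)
foreach ($dn in $samples) {
    [pscustomobject]@{
        DN        = $dn
        RDN       = Get-RelativeDistinguishedName $dn
        Canonical = ConvertTo-CanonicalName $dn
    }
}
```

For the article's printer this produces the canonical name the text gives, foo.org/Marketing/HPLaser3; the second sample shows why a naive split on every comma is wrong, since the escaped comma inside the user's common name is part of the value, not a component separator.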
This has been an overview of what Active Directory is and why it is needed in Windows-based local networks. Finally, it is worth mentioning that an administrator can work with Active Directory remotely using Remote Server Administration Tools for Windows 7 (KB958830) and Remote Server Administration Tools for Windows 8.1 (KB2693643).