What is Active Directory (AD)?
Active Directory is abbreviated as AD. It was first released together with Windows Server 2000 and later extended with additional functions in Windows Server 2008. It provides a common interface for organizing and maintaining information about the resources held in various computer network directories. A computer network directory can be a system-based directory (such as the Windows OS), a specific application, or a network resource such as a printer. The role of Windows Active Directory is to give quick access to all user data and to set access permissions for all users according to the computer network security policy; therefore, it is also regarded as a data storage center.
What is the nature of Active Directory?
Active Directory is a hierarchical database. In the AD table, you can query all user accounts, computer names, certificates, security policies, and other information in the computer network. Before Microsoft released Active Directory, computers were independent devices and were not easy to manage. Imagine that, in an era when the Internet was not so developed, you were a system administrator. The company had 300 employees and 300 independent computers. You had to install a new printer for all employees in the office, which meant you would have to manually install the printer driver on each computer. Can you imagine the workload? Today, without AD, many of the things that system administrators take for granted, such as sharing files and printers, network group policies, and so on, would be impossible to achieve. Therefore, the essence of AD is a hierarchical database that makes it easier to manage user accounts, computers, and other network resources through single sign-on.
The working mechanism of Active Directory
Active Directory can be understood like a phone book. The phone book simply matches a name with a phone number, while the AD table matches a user's account with network objects and information. Unlike the phone book, the AD table can store a lot of information, such as organizations, units, systems, users, shared resources, and other information related to user accounts. The AD table is more flexible than the phone book, but the underlying principle of the two is the same.
Active Directory includes
The server on which Active Directory is installed is called a domain controller. Sometimes the terms Active Directory and Domain Controller are used interchangeably.
What is Active Directory Forest:
The AD forest is the highest level of the logical structure hierarchy of Active Directory. An AD forest is an independent, self-contained directory. The AD forest is a security boundary, which means that the forest administrator has absolute control over access to the information stored in the forest and over the domain controllers running the forest.
What is the Active Directory Tree:
The AD Tree is composed of multiple domains with trust relationships. These individual domains are called subdomains/child domains. The subdomains are branches of the root domain. All subdomains in the domain tree share a contiguous namespace.
AD schema (the AD structure definition file):
The AD schema holds the definitions for the information of all objects stored in the directory, and each AD forest has its own schema.
AD operations master roles (Operations Masters), formally Flexible Single Master Operation (FSMO) roles:
There are many FSMO roles in Active Directory, but the most commonly discussed are the Primary Domain Controller (PDC) and the Backup Domain Controller (BDC). The role of the primary domain controller is to maintain the original files of the directory database and to verify the identity of accessing users. The backup domain controller holds a copy of the directory database and also verifies user identities. If the primary domain controller cannot work normally, the backup domain controller can be promoted to primary domain controller, but if the backup domain controller has not copied the files from the primary domain controller in time, data loss will occur. When the backup domain controller is promoted to primary, the former primary domain controller is demoted to backup domain controller.
The global catalog (GC):
The global catalog is a distributed data store. In a multi-domain Active Directory Domain Services (AD DS) forest, every object in every domain can be retrieved through the GC, which holds each object in an abbreviated (partial) form. A domain controller that stores the global catalog is called a global catalog server. The global catalog is replicated between global catalog servers in multi-master mode. Searches directed at the global catalog are faster, because the results do not require contacting other domain controllers.
The dependence of Active Directory on the DNS system:
Active Directory depends heavily on the DNS system, so do not install it until the domain name has been chosen. Unlike a website domain name, the domain name used when installing AD does not need to be unique: if you are already using a public domain name, you can reuse it when installing AD. For example, if your public domain name is wintesting.com, the Active Directory domain name can be ad.wintesting.com or a similar name. Once all AD components are successfully installed on the server, that domain name becomes a domain forest. AD requires a DNS server; if there is no DNS server when installing Active Directory, the server on which AD is installed can itself be configured as the DNS server. If you are setting up AD for a production environment, it is recommended to deploy at least two domain controllers.
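The following PowerShell script is an added example, not code from the original article. It ties together the three points above (the operations master roles, the global catalog, and the dependence on DNS) by resolving the SRV records AD publishes in DNS, listing which domain controller holds each operations master role, and showing which domain controllers are also global catalog servers. It goes slightly beyond the text in listing all five operations master roles that the ActiveDirectory module exposes (the PDC Emulator is the one closest to the article's "primary domain controller"). It assumes the RSAT ActiveDirectory module is installed, the host is joined to the domain, and the domain name defaults to the article's example ad.wintesting.com.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module is installed and the script runs on a domain-joined
# host; the default domain reuses the article's example name ad.wintesting.com.
param([string]$DomainName = "ad.wintesting.com")

Import-Module ActiveDirectory -ErrorAction Stop

$forest = Get-ADForest
$domain = Get-ADDomain -Identity $DomainName

# 1. DNS dependence: clients find domain controllers, Kerberos KDCs and global
#    catalog servers only through these SRV records. The _gc record is published
#    under the forest root name, the others under each domain's own name.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_gc._tcp.$($forest.RootDomain)"
)
foreach ($name in $srvNames) {
    Write-Host "`n== SRV lookup: $name"
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight |
            Format-Table -AutoSize
    } catch {
        # A missing record is the usual symptom of the DNS misconfiguration the
        # article warns about: domain joins and logons then fail.
        Write-Warning "No SRV record for ${name}: $($_.Exception.Message)"
    }
}

# 2. Operations master (FSMO) roles: two are forest-wide, three are per domain.
Write-Host "`n== Operations master role holders"
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 3. Global catalog: which domain controllers also hold the forest-wide partial
#    replica (served on port 3268 instead of the normal LDAP port 389).
Write-Host "`n== Domain controllers and global catalog status"
Get-ADDomainController -Filter * -Server $domain.DNSRoot |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
```

Run it from a domain-joined workstation to confirm that every role holder it prints is a domain controller you expect; an unfamiliar host in the SRV answers or the role list is worth investigating.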
What are the functions of Active Directory?
Above we discussed the Windows Active Directory Domain Service. Like other Windows server versions, Windows Server 2016 Active Directory consists of five major roles:
Federation Services (AD FS)
What is AD FS?
Introduction to AD FS: Active Directory Federation Services, referred to as AD FS (its Chinese name translates as federated identity authentication service), is a single sign-on (SSO) solution created by Microsoft and shipped as a component of the Windows Server operating system. Through Active Directory, AD FS lets users who have authenticated with Integrated Windows Authentication (IWA) obtain authentication for accessing applications.
What scenarios are AD FS roles used in? What is the principle?
When applications or services must be verified across enterprises or across domains, the AD FS role is extremely important. For example, if a company has registered a Facebook company account and needs to verify the user's identity through Active Directory, the AD FS role can establish SSO over the SAML authentication protocol to connect the user to the application requesting access.
Lightweight Directory Services (AD LDS)
AD Lightweight Directory Service (AD LDS):
Lightweight directory services are not unfamiliar to us, because LDAP (Lightweight Directory Access Protocol) is used often; in particular, when Kerberos authentication fails, applications or services can authenticate through the AD LDS lightweight directory service.
Certificate Services (AD CS)
AD Certificate Service (AD CS):
AD CS certificate service is responsible for managing certificates and other cryptographic service components in the network. When we install the certificate in the network, we will use the AD CS certificate service.
Rights Management Services (AD RMS)
AD Rights Management Service (AD RMS):
It protects data in real time by enforcing data access policies. For files to be protected by AD RMS (Active Directory Rights Management Service), the application that handles them must be able to use the RMS service.
Domain Services (AD DS)
AD Domain Services (AD DS):
This is the main role of AD. AD Domain Services stores and manages all network information resources.