Windows Server 2012 – Active Directory Domain Services (AD DS) is the industry-standard directory for managing accounts on Windows networks. These are notes taken while watching ELI the IT Guy’s Introduction to Active Directory Directory Services Structure in Windows Server 2012.
There probably isn’t much more information here than what is in the video or on the Wikipedia page: http://en.wikipedia.org/wiki/Active_Directory
Active Directory is made up of many elements; the domain controller is one of the most important.
- Domain Controller (DC) – the server that runs the directory service, in the same way an Exchange server runs the mail service. A DC is an Active Directory server; a domain normally has more than one, all replicating the same database.
- The DC’s database is structured by a schema, which defines what kinds of objects can exist in the directory and which attributes each kind carries.
- The video focuses on two kinds of objects a DC keeps track of: user accounts and computer accounts. (The schema also defines many other object classes, such as groups and organizational units.)
- Each object class lists its attributes. The user class includes attributes such as the logon name, the password (stored as hashes, never readable back as a plain attribute), email address and office; the computer class includes the computer name, its DNS host name, operating system version, and so on.
- The schema is extensible: products such as Exchange add their own classes and attributes to it. Because the schema is shared by every domain in a forest, a schema change affects the whole forest.
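To make the schema concrete, here is an added example (not from the video or the original notes) that reads the schema partition and lists the attributes declared directly on the user and computer classes, then checks which attributes are marked confidential. It assumes a domain-joined machine with the RSAT ActiveDirectory module; any domain user can read the schema by default.

```powershell
# Added example for these notes, not from the video: inspect the AD DS schema to see
# which attributes the 'user' and 'computer' object classes define.
# Assumes a domain-joined machine with the RSAT ActiveDirectory module, run as any domain
# user (the schema partition is readable by Authenticated Users by default).
Import-Module ActiveDirectory

# The schema is its own partition (naming context),
# e.g. CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com (domain name assumed).
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-ClassAttributes {
    param([string]$ClassName)
    # Every object class is itself an object of class classSchema in the schema partition.
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
        -Properties subClassOf, mustContain, systemMustContain, mayContain, systemMayContain
    [pscustomobject]@{
        Class      = $ClassName
        SubClassOf = $cls.subClassOf
        # Required vs. optional attributes declared directly on this class. Attributes
        # inherited from parent classes (top, person, organizationalPerson, ...) are not
        # listed here; follow SubClassOf upwards to collect the full set.
        Must = @(@($cls.mustContain) + @($cls.systemMustContain) | Sort-Object)
        May  = @(@($cls.mayContain)  + @($cls.systemMayContain)  | Sort-Object)
    }
}

foreach ($name in 'user', 'computer') {
    $info = Get-ClassAttributes -ClassName $name
    "== $($info.Class) (subclass of $($info.SubClassOf)) =="
    "  must: " + ($info.Must -join ', ')
    "  may:  " + (($info.May | Select-Object -First 12) -join ', ') + " ... ($($info.May.Count) total)"
}

# Security check: which attributes are marked confidential? searchFlags bit 0x80 (fCONFIDENTIAL)
# hides an attribute's value from ordinary readers; only principals granted the CONTROL_ACCESS
# right on it can read it. 1.2.840.113556.1.4.803 is the LDAP bit-AND matching rule OID.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
```

Note that the computer class is a subclass of user, which is why a computer account can authenticate and be granted permissions just like a user account.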
A DC is designed to scale security policy: it lets an organization manage security controls centrally for hundreds of thousands of users across hundreds of thousands of machines. But granular access rules become unmanageable if they are written one by one, per resource and per user. The same problem arises when controlling access inside an application, which is why many applications add a layer of indirection called roles.
Groups are the Active Directory equivalent of roles: permissions on a resource are granted to a group, and access is managed by changing group membership. Groups in different domains and OUs (see below) can be granted or delegated different permissions over different resources.
OUs / Organizational Units
Groups represent permission sets. OUs are ‘territorial’ containers: they divide the directory by subdivision of the company or by geography, for example one OU per city or per branch office, while all of them share the same set of groups. Two things attach to an OU that do not attach to a group: Group Policy Objects, which apply settings to the users and computers inside the OU, and delegated administration, which gives a helpdesk or local admin rights over just that OU’s objects. An OU is not a security principal, so it cannot appear in a resource’s ACL; that is the group’s job.
Example: one Sales group, plus OU=City1 and OU=City2. Each city’s branch office may have slightly different security regulations, so users in OU=City1 and OU=City2 receive slightly different policies even though they all belong to the same Sales group.
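The following is an added example, not from the video or the original notes, that builds the layout just described (and the groups-as-roles point above) so the difference is visible: one Sales group shared across two city OUs, a different GPO linked to each OU, and password-reset rights delegated over one OU only. All names (domain corp.example.com, OUs City1 and City2, groups Sales and City1-Helpdesk, users alice and bob) are assumptions for the example; run it as a domain admin on a DC or RSAT machine with the ActiveDirectory and GroupPolicy modules.

```powershell
# Added example for these notes, not from the video: build the Sales / City1 / City2 layout
# and show what attaches to OUs (Group Policy, delegated admin) versus groups (permissions).
# Assumed names: domain corp.example.com, OUs City1/City2, groups Sales and City1-Helpdesk.
# Run as a domain admin with the ActiveDirectory and GroupPolicy modules available.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$netbios  = (Get-ADDomain).NetBIOSName

# 1. OUs are containers: one per branch office.
foreach ($city in 'City1', 'City2') {
    New-ADOrganizationalUnit -Name $city -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. One domain-wide Sales group shared by both offices. A global security group,
#    because it is meant to be placed in ACLs (or nested into domain local groups).
New-ADGroup -Name 'Sales' -GroupScope Global -GroupCategory Security -Path $domainDN

# 3. Users live in the OU of their own office but join the same group.
$pw = Read-Host -AsSecureString 'Initial password for the sample users'
$users = @(
    @{ Sam = 'alice'; Ou = 'City1' },
    @{ Sam = 'bob';   Ou = 'City2' }
)
foreach ($u in $users) {
    New-ADUser -Name $u.Sam -SamAccountName $u.Sam -Path "OU=$($u.Ou),$domainDN" `
        -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity 'Sales' -Members $u.Sam
}

# 4. Policy attaches to OUs, not groups: each city gets its own GPO. City1's stricter rule
#    here is a shorter screen-saver timeout (seconds) for users whose account is in that OU.
$timeouts = @{ City1 = '300'; City2 = '900' }
foreach ($city in $timeouts.Keys) {
    $gpo = New-GPO -Name "Desktop Lockdown - $city"
    Set-GPRegistryValue -Name $gpo.DisplayName `
        -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
        -ValueName 'ScreenSaveTimeOut' -Type String -Value $timeouts[$city] | Out-Null
    New-GPLink -Name $gpo.DisplayName -Target "OU=$city,$domainDN" -LinkEnabled Yes | Out-Null
}

# 5. Delegation also attaches to the OU: let City1's helpdesk reset passwords for user
#    objects under OU=City1 only (/I:S = inherit to child objects), nothing in City2.
New-ADGroup -Name 'City1-Helpdesk' -GroupScope Global -GroupCategory Security -Path "OU=City1,$domainDN"
dsacls "OU=City1,$domainDN" /I:S /G "${netbios}\City1-Helpdesk:CA;Reset Password;user" | Out-Null

# 6. Verify: alice and bob share the Sales group but are governed by different GPOs.
Get-ADGroupMember -Identity 'Sales' | Select-Object SamAccountName, DistinguishedName
foreach ($city in 'City1', 'City2') {
    "GPOs linked to OU=$city : " + ((Get-GPInheritance -Target "OU=$city,$domainDN").GpoLinks.DisplayName -join ', ')
}
```

The GPO applies to alice because her user object sits in OU=City1, not because of any group she is in; moving her object to OU=City2 would change her policy without touching the Sales group or any ACL that references it.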
Domains, Trees, Forest & Trust
Domains are a way of dividing ‘worlds’: each domain is an administrative boundary with its own accounts, its own domain-wide policies, and its own DCs holding its partition of the database. A trust is the mechanism for linking domains, so that one domain can recognize accounts from another.
Notes on domain:
- Domains may contain child domains (subdomains). Example: domain = google.com, child domain = europe.google.com.
A parent domain together with its child domains forms a TREE: a contiguous DNS namespace.
- Why separate domains? Not because they can have different schemas: every domain in a forest shares one schema. Domains are separated to give each one its own administrative boundary, its own domain-wide settings (for example the default password and account-lockout policy), and its own replication partition, so a large company can let a region run its own accounts without making every admin an admin everywhere.
- Why the parent/child setup is useful: a two-way, implicit, transitive trust is created automatically between a child domain and its parent.
- Transitive means that if A trusts B and B trusts C, then A trusts C. So two child domains of the same parent trust each other through the parent, without anyone configuring a trust between them.
- A trust means one domain (the trusting domain) can refer to user accounts from a different domain (the trusted domain) and grant them access to its resources.
- Example: google.com = domain,
motorola.com = domain
- When the Motorola and Google domains are completely separate trees (two entirely different companies), there is no trust between them.
- IF Google buys Motorola, motorola.com could be given an EXPLICIT ONE-WAY TRUST to google.com (motorola.com trusting, google.com trusted). This lets google.com\bob be granted permissions on the Motorola network: bob stays an account in google.com but is added to Motorola’s groups (domain local or universal groups can hold members from a trusted domain; an account cannot be moved into another domain’s OU). Because the trust is one-way, Motorola accounts gain nothing in google.com.
- A FOREST is a set of trees that share one schema, one configuration partition and one global catalog. A new tree joins a forest when its root domain is created as a new tree in that forest, and the tree roots then trust each other transitively. Two existing forests that set up a trust between them (a forest trust) remain separate forests; the trust only lets accounts cross between them.
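As an added example (not from the video or the original notes), the following shows how the tree/forest/trust structure above looks from PowerShell, then carries out the Google/Motorola acquisition example: a one-way trust in which motorola.com trusts google.com, followed by putting google.com\bob into a Motorola group. It assumes the RSAT ActiveDirectory module; the trust step uses the notes’ hypothetical domain names and needs Domain Admin credentials in both domains.

```powershell
# Added example for these notes, not from the video: inspect forest / tree / trust structure,
# then set up the one-way trust from the Google/Motorola example. google.com, motorola.com,
# the group name and the account 'bob' are the notes' hypothetical names, not real systems.
Import-Module ActiveDirectory

# Forest-wide facts: one schema (and one schema master) for every domain in the forest.
$forest = Get-ADForest
"Forest root  : $($forest.RootDomain)"
"Schema master: $($forest.SchemaMaster)"
"Domains      : $($forest.Domains -join ', ')"

# Walk every domain and print its place in its tree (parent / children).
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $parent = if ($dom.ParentDomain) { $dom.ParentDomain } else { '(tree root)' }
    "{0,-28} parent={1,-22} children={2}" -f $dom.DNSRoot, $parent, ($dom.ChildDomains -join ', ')
}

# Trusts as seen from the current domain. Direction is relative to the domain you query:
#   Outbound      = we trust them (their accounts can be granted access here)
#   Inbound       = they trust us
#   BiDirectional = both
# IntraForest trusts are the automatic parent/child and tree-root ones; everything else
# was created explicitly. (DisallowTransivity is Microsoft's own spelling of the property.)
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive, DisallowTransivity,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize

# --- The acquisition example: motorola.com (trusting) <- google.com (trusted), one way. ---
# Run on a motorola.com DC. netdom's first argument is the trusting domain, /Domain: the trusted
# one. /UserD,/PasswordD = credentials in the trusted domain; /UserO,/PasswordO = credentials in
# the trusting domain. '*' prompts for each password instead of putting it on the command line.
netdom trust motorola.com /Domain:google.com /Add `
    /UserD:google\Administrator /PasswordD:* /UserO:motorola\Administrator /PasswordO:*

# Now google.com\bob can be put in a Motorola group. Only domain local (or universal) groups
# accept members from a trusted domain; bob's account itself stays in google.com.
New-ADGroup -Name 'Motorola-FileServer-Readers' -GroupScope DomainLocal -GroupCategory Security
# The trust is one way, so a Motorola admin cannot authenticate to google.com;
# look bob up in his own domain with google.com credentials.
$bob = Get-ADUser -Identity 'bob' -Server 'google.com' -Credential (Get-Credential 'google\Administrator')
Add-ADGroupMember -Identity 'Motorola-FileServer-Readers' -Members $bob

# Caveat: keep SID filtering (quarantine) on the external trust so a compromised google.com
# cannot inject Motorola SIDs via SIDHistory. Check it rather than assuming the default.
$t = Get-ADTrust -Identity 'google.com'
"Direction from motorola.com: $($t.Direction)   SID filtering: $($t.SIDFilteringQuarantined)"
```

Seen from motorola.com the new trust reports Direction Outbound (Motorola trusts Google); seen from google.com the same trust would report Inbound, which is the easiest way to remember which side is trusting and which is trusted.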
Playing with ADDS
- Follow http://sharepointgeorge.com/2012/configuring-active-directory-ad-ds-in-windows-server-2012/
- I find that an Active Directory domain, once set up, is hard to reset. I had to demote the domain (meaning: uninstall the role/feature) to reset it. Maybe there’s a more straightforward way to do this?