
Active Directory

Active Directory Domain Services is an extensible and scalable directory service you can use to efficiently manage network resources.

Active Directory building blocks

Active Directory has a logical and a physical structure for network components. The logical structure helps you organize directory objects and manage network accounts and shared resources. Components of the logical structure are:

Organizational units: A subgroup within a domain.

Domains: A group of computers that share a common directory database.

Domain trees: One or more domains that share a contiguous namespace.

Domain forests: One or more domain trees that share common directory information.

The physical structure is used to facilitate network communication and to set physical boundaries around the network resources. It includes the following:

Subnets: A network group with a specific IP address range and network mask.

Sites: One or more subnets. Sites are used to configure directory access and replication.

The Active Directory Structure

Directory data is made available to users and computers through data stores and global catalogs. Most Active Directory tasks affect the data store, but the global catalogs are also important because they are used during logon and for information searches. If the global catalog is unavailable, standard users cannot log on to the domain. The only way to change this behavior is to cache universal group membership locally.
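As an added example (not code from the original article), the following PowerShell uses the ActiveDirectory module to walk the logical and physical building blocks described above (forest, domains, OUs, sites, subnets) and then runs the global catalog check this section implies: which domain controllers hold the global catalog, and whether a site without one at least has universal group membership caching enabled. It assumes a domain-joined Windows machine with RSAT installed and an account that can read the forest's configuration partition.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and read access to the forest's configuration partition.
Import-Module ActiveDirectory

# --- Logical structure: forest -> domain trees -> domains -> OUs ---
$forest = Get-ADForest
"Forest: $($forest.Name)  root domain: $($forest.RootDomain)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $parent = if ($domain.ParentDomain) { $domain.ParentDomain } else { '(tree root)' }
    "  Domain: $($domain.DNSRoot)  parent: $parent"

    # Top-level OUs only; drop -SearchScope OneLevel to list the whole OU tree
    Get-ADOrganizationalUnit -Filter * -Server $domain.DNSRoot `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel |
        ForEach-Object { "    OU: $($_.Name)" }
}

# --- Physical structure: sites and the subnets assigned to them ---
$subnets = Get-ADReplicationSubnet -Filter *
$sites   = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled

foreach ($site in $sites) {
    "  Site: $($site.Name)  UGMC enabled: $($site.UniversalGroupCachingEnabled)"
    $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
        ForEach-Object { "    Subnet: $($_.Name)" }
}

# A subnet with no site lets clients in it pick any DC, often a distant one
$unassigned = $subnets | Where-Object { -not $_.Site }
if ($unassigned) { "Subnets not assigned to a site: $($unassigned.Name -join ', ')" }

# --- Global catalog: required for logon unless UGMC covers the site ---
# Get-ADDomainController only searches one domain, so ask each domain in turn
$gcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $d
}
"Global catalog servers: $($gcs.HostName -join ', ')"

foreach ($site in $sites) {
    $hasGc = $gcs | Where-Object { $_.Site -eq $site.Name }
    if (-not $hasGc -and -not $site.UniversalGroupCachingEnabled) {
        "WARNING: site $($site.Name) has no GC and no UGMC; logons there depend on a remote GC"
    }
}
```

If a branch site comes up in the warning, the fix is either to make one of its DCs a global catalog or to turn on caching for that site with `Set-ADReplicationSite -Identity <site> -UniversalGroupCachingEnabled $true`, which is the local caching the paragraph refers to.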

Active Directory Replication

Replication is necessary to ensure that updates to data are distributed to domain controllers. Active Directory uses multimaster replication to distribute updates, but some changes to data can be handled only by individual domain controllers called operations masters. A feature introduced in Windows Server 2008 and later called application directory partitions also changes the way multimaster replication works. With application directory partitions, enterprise administrators can create replication partitions in the domain forest. These partitions are logical structures used to control the replication of data within a domain forest.
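To make the replication model concrete, here is an added PowerShell example (not from the original article) that lists the operations master role holders, checks that each is reachable, enumerates the forest's application directory partitions, and reports replication failures and per-partner metadata. It assumes the ActiveDirectory module and, for the last line, a domain controller where repadmin.exe is available.

```powershell
# Added example, not from the original article. Run on a domain controller
# (for repadmin.exe) or a machine with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Operations masters: the only DCs allowed to make certain kinds of change
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster         # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide
    PDCEmulator          = $domain.PDCEmulator          # per domain
    RIDMaster            = $domain.RIDMaster            # per domain
    InfrastructureMaster = $domain.InfrastructureMaster # per domain
}
[pscustomobject]$roles | Format-List

# Each role holder should answer on LDAP; an unreachable holder blocks
# operations such as RID pool allocation or schema changes
foreach ($entry in $roles.GetEnumerator()) {
    $ok = Test-NetConnection -ComputerName $entry.Value -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,-22} {1,-35} reachable: {2}" -f $entry.Key, $entry.Value, $ok
}

# Application directory partitions (DNS zones are the usual built-in ones)
"Application partitions:"
$forest.ApplicationPartitions | ForEach-Object { "  $_" }

# Replication failures across the whole domain
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
if ($failures) {
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime |
        Format-Table -AutoSize
} else {
    "No replication failures reported in $($domain.DNSRoot)"
}

# Per-partner detail from one DC: when did each partition last sync inbound?
Get-ADReplicationPartnerMetadata -Target $domain.PDCEmulator -Partition * |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# The same summary with the classic tool
repadmin /replsummary
```

A LastReplicationSuccess older than the tombstone lifetime on any partner means that DC must not be brought back into replication without cleanup; watching ConsecutiveReplicationFailures climb is the earliest warning of that condition.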

The Data Store

The data store contains information about objects, such as accounts, shared resources, OUs, and group policies. Domain controllers store the directory in a file called Ntds.dit. The location of the file is set when Active Directory is installed, and it should be on an NTFS file system drive formatted for use with Windows Server 2008 or later. Domain controllers replicate most changes to the data store in multimaster fashion, but not all directory data is replicated. Only public information that falls into one of the following categories is replicated:

Domain data: Contains information about objects within a domain.

Configuration data: Describes the directory's topology.

Schema data: Describes all objects and data types that can be stored in the directory.
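The following PowerShell is an added example (not from the original article) that locates Ntds.dit on a domain controller, confirms the hosting volume is NTFS, reviews who can access the file, and maps the three replicated categories above to the naming contexts the DC actually holds. It assumes it runs elevated on the domain controller itself.

```powershell
# Added example, not from the original article. Run locally on a domain
# controller in an elevated PowerShell session.
Import-Module ActiveDirectory

# The data store location chosen at installation is recorded in the NTDS
# service parameters
$params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'
$logPath = $params.'Database log files path'
"Ntds.dit: $dbFile"
"Logs:     $logPath"

# Confirm the hosting volume is NTFS and has room to grow
$driveLetter = (Split-Path -Path $dbFile -Qualifier).TrimEnd(':')
$volume = Get-Volume -DriveLetter $driveLetter
"Volume $driveLetter is $($volume.FileSystem), $([math]::Round($volume.SizeRemaining / 1GB, 1)) GB free"
if ($volume.FileSystem -ne 'NTFS') { "WARNING: data store is not on an NTFS volume" }

# Current database size, the first figure to look at before an offline defrag
"Size: $([math]::Round((Get-Item -Path $dbFile).Length / 1MB, 1)) MB"

# Who can read the file: Ntds.dit holds the domain's account credentials, so
# any principal beyond SYSTEM and Administrators needs a documented reason
(Get-Acl -Path $dbFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# The three replicated categories correspond to naming contexts (partitions)
$rootDse = Get-ADRootDSE
"Domain data:        $($rootDse.defaultNamingContext)"
"Configuration data: $($rootDse.configurationNamingContext)"
"Schema data:        $($rootDse.schemaNamingContext)"
"All partitions held by this DC:"
$rootDse.namingContexts | ForEach-Object { "  $_" }
```

The partition list usually also shows the DomainDnsZones and ForestDnsZones application partitions, which is where the application directory partitions mentioned under replication show up in practice.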

Restartable AD DS

In Active Directory in the Windows 2000 Server and Windows Server 2003 operating systems, offline defragmentation of the database required a restart of the domain controller in Directory Services Restore Mode. In Windows Server 2008, administrators can stop and restart AD DS. This makes it possible to perform offline AD DS operations more quickly. You cannot perform a system state restore of a domain controller while AD DS is stopped; to do this you need to start in DSRM. You can, however, perform an authoritative restore of Active Directory objects while AD DS is stopped by using Ntdsutil.exe.
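As an added example (not from the original article) of the faster offline operation this section describes, the following PowerShell performs an offline defragmentation of Ntds.dit using restartable AD DS rather than a reboot into DSRM. It assumes an elevated session on the domain controller, and the scratch path `C:\NtdsCompact` is a placeholder that must sit on a volume with enough free space for a full copy of the database.

```powershell
# Added example, not from the original article. Offline defragmentation of
# Ntds.dit on Windows Server 2008 or later with restartable AD DS. Run
# elevated on the domain controller itself. $scratch is an assumed path.
$scratch = 'C:\NtdsCompact'
$params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'
$logPath = $params.'Database log files path'

# 1. Stop AD DS. -Force also stops dependent services (KDC, Netlogon, DNS,
#    DFSR ...), so do this on a DC that is not the only one serving its site.
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop' }

# 2. Keep a copy of the original database in case the compaction fails
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Copy-Item -Path $dbFile -Destination (Join-Path $scratch 'ntds.dit.bak')

# 3. Compact into the scratch folder; ntdsutil writes a fresh ntds.dit there
ntdsutil "activate instance ntds" files "compact to $scratch" quit quit
$compacted = Join-Path $scratch 'ntds.dit'
if (-not (Test-Path -Path $compacted)) {
    Start-Service -Name NTDS
    throw 'Compaction produced no file; AD DS restarted with the original database'
}

# 4. Replace the live database with the compacted copy and remove stale logs
Copy-Item -Path $compacted -Destination $dbFile -Force
Remove-Item -Path (Join-Path $logPath '*.log')

# 5. Verify the new file before bringing the directory back online
ntdsutil "activate instance ntds" files integrity quit quit
if ($LASTEXITCODE -ne 0) {
    throw 'Integrity check failed; restore ntds.dit.bak over the live file before starting NTDS'
}

# 6. Restart AD DS and confirm the DC replicates normally again
Start-Service -Name NTDS
dcdiag /test:replications
```

Because AD DS is stopped rather than the server rebooted, the host keeps serving anything unrelated to the directory during the operation, which is the practical gain of restartable AD DS over the DSRM reboot required on Windows 2000 Server and Windows Server 2003.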

New in Windows Server 2012

Microsoft added a number of new features and enhancements to Active Directory in Windows Server 2012. Some of the enhancements include:

Virtualizing domain controllers in previous versions of Windows Server sometimes resulted in problems with the logical clocks used by domain controllers to determine relative levels of convergence. Beginning with Windows Server 2012, virtual domain controllers employ a unique identifier called the virtual machine GenerationID.

Starting with Windows Server 2012, organizations can deploy replica virtual domain controllers by cloning existing virtual domain controllers. The process involves creating a copy of the existing source virtual domain controller, authorizing the source domain controller in Active Directory, and using Windows PowerShell to create a configuration file for performing the domain controller promotion.

The process for deploying domain controllers was also made simpler, faster and more flexible in Windows Server 2012. The Dcpromo.exe wizard of previous versions of Windows Server was replaced with a new Active Directory Domain Services Configuration Wizard built entirely upon Windows PowerShell. You can also install the binaries on multiple servers at the same time. Adprep.exe is also integrated into the Active Directory installation process to make it easier to prepare your existing Active Directory environment for upgrading to Windows Server 2012, and the Active Directory Domain Services Configuration Wizard performs validation to ensure that the necessary prerequisites have been met before promoting a server to a domain controller.
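The following PowerShell is an added example (not from the original article or from Microsoft's documentation) that walks the Windows Server 2012 deployment path just described: installing the AD DS binaries on several servers at once, running the same prerequisite validation the wizard performs, promoting a replica domain controller with the ADDSDeployment module, and then preparing a virtual DC for cloning. The domain name `corp.example.com`, the server names DC02, DC03 and DC04, the site name and the 10.0.0.x addresses are placeholders.

```powershell
# Added example, not from the original article. Windows Server 2012-style
# DC deployment with the ADDSDeployment module, plus the preparation for
# cloning a virtual DC. All names and addresses below are placeholders.
$domainName = 'corp.example.com'
$cred       = Get-Credential -Message 'Domain Admin account for promotion'
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) administrator password'

# --- Install the AD DS binaries on several servers at the same time ---
Invoke-Command -ComputerName 'DC02', 'DC03' -ScriptBlock {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
}

# --- Prerequisite validation (what the configuration wizard does first) ---
# Run on the server being promoted. Adprep runs as part of the promotion
# when the forest or domain has not yet been prepared for this version.
Import-Module ADDSDeployment
$check = Test-ADDSDomainControllerInstallation -DomainName $domainName `
    -Credential $cred -InstallDns -SafeModeAdministratorPassword $dsrmPwd
$check | Format-List Status, Message, Context
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; fix the reported issues first' }

# --- Promote the server as a replica DC (it reboots when finished) ---
Install-ADDSDomainController -DomainName $domainName -Credential $cred `
    -InstallDns -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword $dsrmPwd -Force

# --- Cloning a virtual DC: run on the source DC once it is back online ---
# The hypervisor must expose VM-GenerationID; the DC stores it on its object
$genId = (Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId').'msDS-GenerationId'
if (-not $genId) { throw 'No msDS-GenerationId: the hypervisor does not provide VM-GenerationID, so cloning is unsafe' }

# Authorize the source DC for cloning
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $env:COMPUTERNAME)

# Installed applications not known to be clone-safe must be reviewed; after
# review, -GenerateXml writes CustomDCCloneAllowList.xml so the check passes
Get-ADDCCloningExcludedApplicationList
Get-ADDCCloningExcludedApplicationList -GenerateXml -Force

# Write DCCloneConfig.xml with the clone's identity. Afterwards shut the
# source down, copy the VM, and start the copy: it promotes itself from the file.
New-ADDCCloneConfigFile -CloneComputerName 'DC04' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.14' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'
```

The GenerationID check is the safeguard behind the clock problem the section opens with: when a clone (or a restored snapshot) starts with a GenerationID different from the one stored on its computer object, the DC resets its invocation ID and discards its RID pool instead of replicating stale updates as if they were new.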

New in Active Directory in Windows Server 2012 R2

Workplace Join

One of the key Active Directory enhancements in Windows Server 2012 R2 is called Workplace Join. This means that companies can now provide an SSO experience for all workplace-joined devices, which at present includes Windows and iOS devices. The way it works is that users join their personal devices to their workplace by making their devices known to the company's Active Directory. Workplace Join associates the device with the user and enables a better user experience by providing a seamless second factor of authentication. This provides both the user and the company with some major benefits in the areas of usability and security.