Welcome To My Journey

I have created this blog to record the things I learn as I progress in my studies of the Windows Operating System. My focus will primarily be the latest Operating System offerings by Microsoft, but much of the content below may also apply to earlier versions. I invite you to join me as I explore and learn about Microsoft Windows!

Thursday, July 21, 2011

Terminology for Active Directory

Before I post any videos about how to do things in AD DS, it’s important to establish the basic terminology that we’ll be working with. As we move forward, I’ll try to reference this post for the basic definitions of terms. And, of course, there are far more terms that apply to AD DS than are listed below. But these basic definitions should get you started.

If you want a more full-bodied discussion of AD DS concepts, I’ve listed a few book recommendations at the end of this post.

  • Authentication – the process by which Active Directory verifies that a security principal is who it claims to be.
  • Authorization – the process by which Active Directory determines the level of permissions (i.e. what it is allowed to do and what it is restricted from doing) a security principal has over the resources it wishes to access.
  • Domain – a partition within an Active Directory Forest that allows the setting of administrative boundaries, limits replication of objects, and enables the setting of security parameters via Group Policy.
  • Domain Controller (DC) – a special Windows server that stores the Active Directory database and provides directory functionality.
  • Domain Name System (DNS) – the name resolution system used by Active Directory (may be integrated with Active Directory, or maintained separately).
  • Forest – this represents a single instance of Active Directory. It will contain at least one Domain and possibly many domains. Directory partitions (configuration, schema, domain, and application) combine to define the Active Directory Forest.
  • Global Catalog (GC) – a special type of Domain Controller that contains a writable copy of all directory objects that exist within the same domain as the GC, along with a read-only thumbnail of all objects from every other domain within the Forest.
  • Group Policy – allows for automated management of Active Directory objects (users, computers, and groups). Group Policies can be configured to apply to local machines, sites, domains, or organizational units.
  • Kerberos – the standard authentication protocol used by Active Directory. For a complete discussion of the Kerberos protocol, refer to RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt).
  • LDAP – the Lightweight Directory Access Protocol, used to access information and services available within Active Directory.
  • Organizational Unit (OU) – the standard container within Active Directory that holds objects such as users, groups and computers. Organizational units can be used to apply Group Policy settings to the objects housed within the OU and potentially its child OUs.
  • Operations Masters – specialty roles within Active Directory that ensure the health of the directory throughout the forest. These roles are either unique to a domain (i.e. each domain will have one of them) or to a forest (there will be only one in an entire forest). They are:
    • Schema Master (forest-wide): maintains and updates the AD DS Schema.
    • Domain Naming Master (forest-wide): manages the addition/removal/modification of domains within AD DS.
    • RID Master (domain-wide): hands out relative identifiers (RIDs) used by a domain controller when creating unique objects in AD. When a new object is created in AD DS, the domain controller appends a RID to the domain SID (security identifier) to produce a unique identifier for that object within the domain.
    • PDC Emulator (domain-wide): this DC functions as the primary domain controller for clients that are not Active Directory aware (such as Windows NT 4). It also manages password changes for a domain.
    • Infrastructure Master (domain-wide): keeps track of object changes in other domains and updates object references in its domain that point to the objects which have been changed in other domains.
  • Partial Attribute Set (PAS) – the list of attributes that are replicated to the Global Catalog as part of the thumbnail of each object in the directory.
  • Partition – AD DS has three essential partitions and one optional partition. Objects are grouped into partitions by purpose and in order to minimize replication throughout the forest. The partitions are:
    • Configuration (replicated forest-wide): contains all objects used for the configuration and maintenance of Active Directory.
    • Domain (replicated domain-wide): contains all objects specific to a domain, such as users and computers.
    • Schema (replicated forest-wide): contains the objects and properties allowed within Active Directory.
    • Application (optional): this partition can be replicated to any domain controllers specified and can contain objects determined by the application using this partition. For example, when DNS is integrated with Active Directory, its zone data can be replicated to any domain controllers of your choosing.
  • Replication – the process that allows the information within Active Directory to be housed in multiple locations via the multi-master model of AD. Replication occurs per partition and happens as follows:
    • Configuration: information is replicated forest-wide.
    • Schema: information is replicated forest-wide.
    • Domain: information is replicated domain-wide, with certain information replicated forest-wide via Global Catalogs.
    • Application: information is replicated based on the requirements of the application.
  • Security Principal – an object that can authenticate against Active Directory.
  • Schema – the schema contains the definitions for the various objects (and the properties those objects can have) that exist within the Active Directory structure.
  • Site – a well-connected group of Domain Controllers, servers and clients with high-speed connectivity.
  • Trust – allows users in one domain to authenticate to external environments (other domains, forests, or non-Active Directory environments) in order to gain access to the resources located in those environments.
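The RID Master entry above says a domain controller forms an object's identifier by appending a RID to the domain SID. The following Python, added here as an illustration and not code from this post, shows that structure concretely: it decodes the binary objectSid value that LDAP returns into the familiar S-1-5-21-... string, splits it into the domain SID and the RID, and names a few well-known RIDs that exist in every domain. The three domain sub-authorities and RID 1105 are constructed sample values.

```python
import struct

# Well-known RIDs present in every AD domain (a subset, not an exhaustive table).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode the binary SID stored in objectSid into S-R-I-S... text.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 4-byte little-endian
    sub-authorities.
    """
    if len(blob) < 8 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID blob")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def split_sid(sid: str):
    """Return (domain SID, RID) for a domain account SID, else None.

    Domain SIDs look like S-1-5-21-<a>-<b>-<c>; the trailing sub-authority of
    an account SID is the RID issued from the RID Master's pool.
    """
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return None  # e.g. S-1-5-32-544 (BUILTIN\Administrators) or S-1-5-18
    return "-".join(parts[:-1]), int(parts[-1])


def describe_rid(rid: int) -> str:
    """Name a well-known RID; new objects receive RIDs from 1000 upward."""
    return WELL_KNOWN_RIDS.get(rid, "not a well-known RID")


# Constructed sample: the objectSid a DC would return for a user with RID 1105
# in a domain whose three sub-authorities are the made-up values below.
SAMPLE_DOMAIN_SUBS = (1004336348, 1177238915, 682003330)
SAMPLE_OBJECTSID = (
    struct.pack("<BB", 1, 5)  # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")  # SECURITY_NT_AUTHORITY
    + struct.pack("<5I", 21, *SAMPLE_DOMAIN_SUBS, 1105)
)
```

Running `split_sid(sid_bytes_to_string(SAMPLE_OBJECTSID))` yields the domain SID and 1105; two objects whose split returns the same domain SID were created in the same domain, which is exactly the uniqueness the RID Master protects.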

One caveat…AD DS is big. It’s quite complex, and the list above is in no way a complete list of terms necessary for you to become an AD expert (in fact, the best description of the list above is “woefully inadequate”!). These terms are offered only because they are the absolute minimum information that needs to be understood when working with Active Directory.

As we move forward, I’ll mention other terms as they become relevant.  For now, these should get you started.