Tag Archives: 70-742

Active Directory (AD) Components


AD Components Overview

In this post, we examine the key concepts that make up Windows Server Active Directory (AD). This is a continuing series here at the blog as we get ready for my 70-742 Identity in Windows Server 2016 course to launch at CBT Nuggets.

Domains

The key element of AD is the domain. This is how we organize the structure in an enterprise. A domain consists of:

  • An X.500/LDAP-based hierarchical structure of containers and objects
  • A DNS domain name
  • A security service
  • Policies
  • A Domain Controller (DC) that is authoritative for the domain (you should have more than one DC!)

Note that you can string domains together in your enterprise to create a domain tree. Perhaps we have cbtnuggetlabs.com as our first domain, and then we create eugene.cbtnuggetlabs.com as the next domain beneath it. Note that the domains in a tree trust each other, and that trust is transitive.

Forests

What a perfect name for our next component. A forest is a collection of domain trees! The first domain you create is called the forest root domain. This forest root domain can be renamed later on, but it cannot be removed. Once you have multiple domain trees in a forest, trust relationships permit resource sharing across them.

You can even create forest trust relationships if your forest must access resources in another separate forest.

While it is cool that we can create a forest of multiple domain trees, it is almost always correct to keep things as simple as possible and create a single-domain forest.

Organizational Units

What most of us think of when we envision AD is Organizational Units (OUs). These are containers we create and fill with objects such as users, groups, and printers, and then we assign policy to these units using Group Policy. Do not confuse OUs with another type of container object in AD that is simply called a container. While there are some default containers in Windows Server, we tend to use OUs all the time as we build our hierarchy.

When you install AD, some default containers and OUs get created for you. For example, there is a Domain Controllers OU.

The Global Catalog (GC)

Need to search a forest for something? The Global Catalog (GC) server comes to the rescue. The attributes you can search on are stored in the GC, and this set of attributes is called the partial attribute set (PAS). There are tools you can use to control which attributes make it into the GC.

I hope you found this post informative, and I would like to thank you for reading. Next up, we will examine the Flexible Single Master Operations (FSMO) roles in AD.
Pearson Education (InformIT)

Identifying Objects in Microsoft Active Directory


GUIDs

To be able to uniquely identify objects in Active Directory, Microsoft uses a 128-bit Globally Unique Identifier, or GUID. You should note that if you move an object in your AD tree, or even if you rename the object inside of Active Directory, this GUID remains unchanged. There is one important exception to this: a move from one forest to another forest using something like the Active Directory Migration Tool (ADMT). That situation does not preserve the GUID.

Distinguished Names

We humans are certainly not going to work with GUIDs to identify objects in AD. Fortunately, there is another method of identification called the distinguished name (DN). This approach comes from the LDAP specifications. The DN provides a hierarchical path to the object in addition to its name. For example, we might have a domain of labs.cbtnuggets.com. Its DN would be:

dc=labs,dc=cbtnuggets,dc=com

We also have the relative distinguished name (RDN), which identifies the object within its parent container. For example, consider this DN:

cn=Admin,cn=Users,dc=cbtnuggets,dc=com

The RDN would be:

cn=Admin

Attribute Types

Notice from the examples above that each part of the DN begins with an Attribute Type. Here is a list of these Attribute Types:

  • CN = Common Name
  • L = Locality Name
  • ST = State or Province Name
  • O = Organization Name
  • OU = Organizational Unit Name
  • C = Country Name
  • STREET = Street Address
  • DC = Domain Component
  • UID = User ID

AD uses CN, L, O, OU, C, and DC.
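As an added example, not code from the original post: a small Python parser that splits a DN like the one above into its components, extracts the RDN and the parent container's DN, and rebuilds the DNS domain name from the DC components. The backslash-escaping rule it applies (from RFC 4514, so that a comma inside a value such as "Doe\, John" is not treated as a separator) is an assumption beyond what the post covers.

```python
# Added example (not from the original post): parse an LDAP distinguished name
# into RDN components per RFC 4514 and derive the RDN, parent DN and DNS name.
# Escaped separators such as "cn=Doe\, John" are handled; split(",") is not enough.
# Attribute types listed in the post; AD itself uses CN, L, O, OU, C and DC.
KNOWN_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
SPECIAL = ',+"\\<>;'   # characters that must be backslash-escaped inside a value

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into an ordered list of (type, value) pairs, leftmost first."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(buf))
    out = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr = attr.strip()
        if not sep or attr.upper() not in KNOWN_TYPES:
            raise ValueError(f"malformed or unknown RDN: {part!r}")
        out.append((attr, value.strip()))   # drop unescaped padding around values
    return out

def _escape(value: str) -> str:
    """Re-escape special characters when turning a parsed value back into DN text."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)

def rdn(dn: str) -> str:
    """Relative distinguished name: the leftmost component, e.g. 'cn=Admin'."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={_escape(value)}"

def parent_dn(dn: str) -> str:
    """DN of the container holding the object: everything after the RDN."""
    return ",".join(f"{a}={_escape(v)}" for a, v in parse_dn(dn)[1:])

def dns_name(dn: str) -> str:
    """Rebuild the DNS domain name from the DC components, e.g. 'labs.cbtnuggets.com'."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")
```

The values parse_dn returns are unescaped, which is why rdn and parent_dn re-escape them before emitting DN text.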