What Does Microsoft AD DS Do?


In this article, we’ll explain what Microsoft AD DS does and why it’s important to configure and manage it correctly if you want to ensure that your business network is efficient, reliable and secure.

 

Introduction to AD DS

Microsoft-based business networks can make use of various products and services, from Windows Server and client devices running Windows 10 and 11 (or, in older environments, XP, 7, 8 and 8.1, all of which are now out of support), to application servers like IIS or SQL Server. What most users forget about are the services that keep all these things interconnected, like AD DS.

In fact, Microsoft AD DS (Active Directory Domain Services) is possibly the most important service on a Microsoft-based business network. It is the central service that connects everything together and keeps the whole infrastructure functioning consistently, ensuring that users have access to resources, databases and software.

At the most basic level, Active Directory is just that: a directory service that catalogues all the elements and services that make up an organisation's network. It is essentially a large database that stores information about every object on the business network and provides a way of organising those objects and controlling access to them.

This database is distributed throughout the network on special servers called domain controllers (DCs), and the structure of AD DS makes it possible to manage millions of objects centrally while keeping close control over access, changes, updates and so on.

As well as authorising access to services and devices for users, groups, devices and other services, AD DS is the foundation of network security: it is the source of truth for authentication and authorisation, which also makes domain controllers the highest-value targets on the network and means they must be protected accordingly (what Microsoft calls Tier 0 assets). AD DS is also a globally available service, distributed across the entire IT infrastructure. It therefore needs a certain level of redundancy: the directory is replicated between several domain controllers (multi-master replication, not a failover cluster) so that the information it holds is available at all times, and a single domain controller should never be a production domain's only copy.

Ultimately, AD DS is like your organisation's spinal column, connecting all your services together so that the infrastructure works correctly. It is also tightly coupled to other important services: it cannot work without DNS, which clients use to find domain controllers, and services such as DNS and DHCP are usually AD-integrated.

Image – AD DS Server administration window

 

AD DS structure

When talking about Active Directory, there can be quite a lot of jargon that could be confusing for beginners. So, below we’ve put together a list of important terms.

NOTE: These terms are all very closely linked to each other. We recommend that you read the list in full, as one definition might make reference to another term in the list.

  • Data store: This is the store of all the network elements in a domain and how they relate to each other. It holds information about objects and their attributes, such as their security settings or configuration. Physically it is the NTDS.dit database file on each domain controller (C:\Windows\NTDS by default), which is why that file, and any backup of it, must be protected as carefully as the domain controller itself.
  • Forest: This is the top-level container: one or more trees that share a single schema, a single configuration partition and a single global catalog. The forest, not the domain, is the security boundary in AD DS.
  • Tree: This is a collection of domains grouped together in a logical hierarchy. The domains that make up a tree share a contiguous DNS namespace (for example, a child domain sales.example.com under example.com).
  • Global catalog: This is a domain controller that, in addition to a full copy of its own domain, holds a partial, read-only copy of every object in the forest. Its main function is to let users and applications search for objects across the forest quickly, and it is also needed during logon to resolve universal group membership.
  • Domain controller: This is a server that holds a writable copy of the AD DS database (read-only domain controllers, RODCs, are the exception). Entries in this database can be added, removed or modified, and it is responsible for replicating any changes to the organisation's other domain controllers.
  • Domain: This is essentially a group of objects, such as users, groups and devices, organised in a hierarchy and sharing a common database and security policies. It establishes a set of rules to ensure that each element in the organisation's infrastructure functions correctly.
  • Schema: The schema defines the classes of objects that can exist in the directory and the attributes each class may have. It is defined by Microsoft by default and can be extended by administrators (or by applications such as Exchange); a single copy is shared by the entire forest.
  • Object: A basic unit of domain storage, such as a user, device or group. Objects belong to classes, and each class has its own rules defining which attributes its objects can have.

 

Image – Submitting a query regarding an AD DS forest using PowerShell

 

Database

AD DS consists of a database that contains all the information about objects in Active Directory and the way they are related. Based on the schema, it can store users, devices, groups and services, as well as resources such as applications, printers and shared folders.

Just like any other database, the directory has a set structure that determines which details to store and how objects are related. This design is the schema. Although the schema is replicated to every domain controller, changes to it can only be written on one domain controller in the whole forest: the one holding the schema master role (one of the five FSMO roles). The schema master therefore controls the formal definitions of each class of object that can be registered in the forest.

The schema is set by default according to Microsoft's specifications, but its structure can be extended if the administrator wishes. Membership of the Schema Admins group is required to do so, and that group should normally be kept empty and populated only for the duration of a planned change.

NOTE: As always, before you touch the schema, we recommend planning and testing carefully: schema changes replicate to the whole forest and cannot be rolled back (classes and attributes can only be deactivated, never deleted).

With this database, it's important to remember that some objects (containers such as organisational units) are capable of containing other objects, and child objects may inherit certain settings, such as permissions (ACL inheritance) and Group Policy, from their position in that hierarchy.

Each object has a set of attributes that determine how it behaves on the network and how it can interact with other objects.

Typical object attributes include fields like name, organisation, department, e-mail address, last logon time and group membership, as well as identifiers like the security identifier (SID) and the globally unique identifier (GUID). A user's password is not stored in clear text: AD DS stores the NT hash (and Kerberos keys derived from the password), which is why the data store itself has to be protected as a secret.
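The following is an added example, not code from the original article, showing what the paragraphs above look like in practice: it reads one user object's attributes, breaks its SID into the domain part and the RID, looks up the schema class that defines which attributes a user may carry, and shows that the password attribute is not readable over LDAP. It assumes a domain-joined machine with the RSAT ActiveDirectory module; the account name jdoe is a placeholder.

```powershell
# Added example (not from the original article): inspect an object's attributes and the
# schema class that defines them. Run on a domain-joined machine with the RSAT
# ActiveDirectory module. The account name 'jdoe' is an assumption; replace it with a
# real sAMAccountName from your own domain.
Import-Module ActiveDirectory

$sam = 'jdoe'

# 1. The object: ask for every attribute, not just the default subset Get-ADUser returns
$user = Get-ADUser -Identity $sam -Properties *

# lastLogonTimestamp is a Windows FILETIME and is only replicated roughly every 14 days,
# so treat it as approximate when hunting for stale accounts
$lastLogon = $null
if ($user.lastLogonTimestamp) { $lastLogon = [DateTime]::FromFileTime($user.lastLogonTimestamp) }

# Group DNs are stored in memberOf; keep just the CN for readability
$groups = ($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '

[PSCustomObject]@{
    DistinguishedName = $user.DistinguishedName   # position in the container hierarchy
    SID               = $user.SID.Value           # what ACLs and access tokens actually use
    ObjectGUID        = $user.ObjectGUID          # survives renames and moves between OUs
    Department        = $user.Department
    Mail              = $user.EmailAddress
    LastLogon         = $lastLogon
    PasswordLastSet   = $user.PasswordLastSet
    Enabled           = $user.Enabled
    Groups            = $groups
} | Format-List

# A SID is <domain SID>-<RID>: every principal in the domain shares the domain part
"Domain SID: {0}" -f (Get-ADDomain).DomainSID.Value
"User RID:   {0}" -f ($user.SID.Value -split '-')[-1]

# 2. The schema: the class that defines 'user' objects and the attributes it allows
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties subClassOf, mayContain, systemMayContain
$allowed = @($userClass.mayContain) + @($userClass.systemMayContain)
"Class 'user' inherits from '{0}' and directly allows {1} optional attributes" -f $userClass.subClassOf, $allowed.Count
"First few: {0}" -f (($allowed | Sort-Object | Select-Object -First 8) -join ', ')

# 3. The password is not a readable attribute: unicodePwd (the NT hash) is write-only
# over LDAP, so this returns nothing. Only the NTDS.dit on a domain controller holds it.
$pwdAttr = Get-ADObject -Identity $user.DistinguishedName -Properties unicodePwd -ErrorAction SilentlyContinue
"unicodePwd readable over LDAP: {0}" -f [bool]($pwdAttr -and $pwdAttr.unicodePwd)
```

The schema query is the part most administrators never run: the list of optional attributes it returns is exactly what defines the difference between a user object and, say, a computer object, and it is the list that grows when an application such as Exchange extends the schema.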

 

Logging on or accessing resources

So far, we’ve talked about objects like users and devices and some of the rules that govern them. But you might now be starting to wonder how all this works in practice.

To try and link these concepts together, let’s take a look at the process for a user to access a device or other resource and how this is resolved on the domain.

Image - Process to log on or access a resource on AD DS
Image – Process to log on or access a resource on AD DS

When a user attempts to log on to a device belonging to a domain, the device first has to find a domain controller so that it can send its request. It does this using DNS: domain controllers register SRV records (for example _ldap._tcp.dc._msdcs.<domain>) that identify which servers offer the LDAP and Kerberos services, and the client picks one, preferring a domain controller in its own AD site.

Once a domain controller has been located, the device authenticates the user against it. The password itself is not sent over the network: with Kerberos, the default protocol, the client sends an AS-REQ containing a timestamp encrypted with a key derived from the user's password, and if the domain controller can decrypt it, it returns a ticket-granting ticket (TGT). Where Kerberos cannot be used (for example when a resource is addressed by IP address rather than by name), the older NTLM challenge-response protocol is used instead; it is weaker and worth monitoring and restricting.

If this is successful, the domain controller includes the user's SID and the SIDs of all the groups they belong to in the ticket (in a structure called the PAC, the Privilege Attribute Certificate), and the device uses that information to build an access token for the user's logon session.

The token contains the user's SID (security identifier), a unique string, together with the SIDs of their groups and their privileges; it is what allows the user to access the resources they have been granted access to under the domain's security rules.

NOTE: The SID is a string that uniquely identifies a security principal (user, group or computer) in the domain, and it is never reused, even if the object is deleted and recreated with the same name.

At the end of this process, if the user has been authenticated successfully on the device and then tries to access another resource, such as a shared folder, they do not have to enter their password again: the device uses the TGT to request a service ticket for that resource (for example cifs/fileserver) from the domain controller, and the file server builds its own token for the user from the SIDs in that ticket. Each access decision on the resource is then made by comparing those SIDs with the resource's access control list.
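The following is an added example, not code from the original article, that walks the logon path just described from a domain-joined client using only built-in tools: the DNS SRV lookup that locates a domain controller, the Kerberos tickets that prove authentication happened without sending the password, the SIDs in the resulting access token, and the service ticket obtained when a file share is accessed. The file server name fileserver is an assumption; replace it with a real server in your domain.

```powershell
# Added example (not from the original article): trace the logon path from a domain-joined
# client. Uses only built-in tools (Resolve-DnsName, nltest, klist). The file server name
# 'fileserver' is an assumption; $env:USERDNSDOMAIN is set on any domain logon.
$domain = $env:USERDNSDOMAIN
$server = 'fileserver'

# 1. Locate a domain controller: DCs register SRV records under _msdcs, and the client
#    reads them from DNS. This is why AD DS cannot work without a healthy DNS service.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object QueryType -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# The DC locator adds site awareness on top of DNS; nltest shows which DC was chosen
nltest /dsgetdc:$domain

# 2. Authentication: the krbtgt/<REALM> ticket (the TGT) proves the user authenticated.
#    Its presence shows Kerberos was used rather than NTLM; the pre-authentication step
#    means the password itself never crossed the network.
klist tickets

# 3. The access token built from the PAC: the user's own SID plus every group SID
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User: {0}  SID: {1}" -f $identity.Name, $identity.User.Value
$identity.Groups | ForEach-Object {
    # Some SIDs (logon-session SIDs, deleted groups) have no name; show them anyway
    $name = try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
    [PSCustomObject]@{ SID = $_.Value; Name = $name }
} | Format-Table -AutoSize

# 4. Accessing another resource: the TGT is exchanged for a service ticket for the file
#    server's SPN. No password prompt; the server builds its own token from the SIDs in
#    the ticket, and the cifs/ ticket now shows up in the cache.
klist get "cifs/$server.$domain"
klist tickets | Select-String -Pattern "cifs/$server" -Context 0,3
```

If step 4 shows no cifs/ ticket and the share still opens, the connection fell back to NTLM (typically because the server was addressed by IP address or is not domain-joined); that fallback is worth investigating, since NTLM does not carry a PAC and is the protocol most relay attacks depend on.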

 

How to create a domain

At this point, you might be wondering how to create a domain. The answer will depend on how much time you want to spend on the task. The best thing to do is to check out this article, How to Configure AD DS Server on Your Windows Server, where we have included a step-by-step explanation. You can also see an example below of the commands used to do it using PowerShell (the AD DS role must be installed on the server first, and the cmdlet prompts for the Directory Services Restore Mode password unless you pass -SafeModeAdministratorPassword):

# Prerequisite: the AD DS role must already be installed, e.g.
#   Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# Promote this server to the first domain controller of a new forest.
# You will be prompted for the Directory Services Restore Mode (DSRM) password;
# it is the offline recovery password for this DC, so store it securely.
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "NachoTest.int" `
-DomainNetbiosName "NachoTests" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
# "WinThreshold" is the Windows Server 2016 domain/forest functional level.
# -InstallDns:$true installs DNS on the DC, which AD DS depends on.
# -Force:$true suppresses confirmation prompts; the server reboots when done.
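Once the server has rebooted, it is worth checking that the new forest looks the way the sections above describe before building on it. The following is an added example, not code from the original article: it prints the forest and domain roles (including the schema master), lists the domain controllers and their replication state, runs the built-in DNS and advertising checks, and warns about the two things a fresh forest most often gets wrong, a single domain controller and a non-empty Schema Admins group. It assumes an elevated PowerShell session on the new domain controller with the RSAT ActiveDirectory module installed (it comes with the role).

```powershell
# Added example (not from the original article): verify a newly created forest from an
# elevated PowerShell session on the new domain controller. Assumes the RSAT
# ActiveDirectory module is present (installed together with the AD DS role).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide information: the schema master and domain naming master exist once per forest
"Forest: {0}  (forest mode {1})" -f $forest.Name, $forest.ForestMode
"Schema master:        {0}" -f $forest.SchemaMaster
"Domain naming master: {0}" -f $forest.DomainNamingMaster
"Global catalogs:      {0}" -f ($forest.GlobalCatalogs -join ', ')

# Domain-wide roles (the other three FSMO roles) and the SID prefix shared by every principal
"Domain: {0}  NetBIOS {1}  SID {2}" -f $domain.DNSRoot, $domain.NetBIOSName, $domain.DomainSID
"PDC emulator:          {0}" -f $domain.PDCEmulator
"RID master:            {0}" -f $domain.RIDMaster
"Infrastructure master: {0}" -f $domain.InfrastructureMaster

# Every DC in the domain, with its site and whether it is a global catalog or read-only
$dcs = @(Get-ADDomainController -Filter *)
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# A single DC is a single point of failure for authentication across the whole domain
if ($dcs.Count -lt 2) {
    Write-Warning 'Only one domain controller found: add a second DC before going into production.'
}

# Replication health: each inbound partner should show a recent success and zero failures
# (on a brand-new single-DC forest this list is simply empty)
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue |
    Select-Object Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Built-in checks: DC records registered in DNS, SYSVOL/NETLOGON shared, DC advertising itself
dcdiag /test:DNS /test:Advertising /test:NetLogons /q

# Who can change the schema? Promotion leaves the built-in Administrator in Schema Admins;
# remove it and keep the group empty until a schema change is actually planned.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive)
if ($schemaAdmins.Count -gt 0) {
    Write-Warning ('Schema Admins is not empty: ' + ($schemaAdmins.SamAccountName -join ', '))
}
```

The FSMO output is the quickest way to see where the page's "schema master" lives: on a fresh forest all five roles sit on the first domain controller, and they stay there until you move them deliberately, which is something to plan for before that server is ever decommissioned.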

 

Summary

In this article, we’ve explained what Microsoft AD DS does and why it’s so important for your organisation’s network.

Domain services and other related services make up the foundation of almost every business network, at least those based on Wintel platforms.

In essence, AD DS is a large database containing the objects that make up the domain, such as users, devices, servers and groups.

This database establishes a structure for organising these objects, making it possible to search for specific objects, as well as to modify them, add new ones and remove old ones.

If you would like to learn more about AD DS, have a look at some of our other tutorials.

Thanks for reading!

Category:Cloud and Systems
