Active Directory

Active Directory is the centralized authentication, authorization, and information store for Windows networks. If you have managed an Active Directory infrastructure before, you may be happy to know that the basic concepts and the Active Directory architecture have not changed much in Windows Server 2012.

Beginning with Windows Server 2008, “Active Directory” is the umbrella name for five services. Each of them is offered as a server role that you add (install) only if you need it.

As the figure shows, the five Active Directory services are:
Active Directory Certificate Services (AD CS)
Active Directory Domain Services (AD DS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Rights Management Services (AD RMS).

Of the five services, for the purposes of this test environment we will focus on the most basic one, Active Directory Domain Services (AD DS).

Active Directory Domain Services (AD DS)

AD DS is a server role in Active Directory that allows administrators to manage and store information about network resources, as well as application data, in a distributed database. Administrators can use AD DS to organize elements of a network (such as computers and end users) into a hierarchical containment structure.

This hierarchical structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

Key terms that you should remember include:
-Domain and Domain Controller
-Domain tree
-Global Catalog
-Operation master
-Functional Level

-Domain and Domain Controller (DC)
A domain is the core structural unit of Active Directory. It is a logical group of network objects (computers, users, devices) that share the same Active Directory database and the same security policy.

A domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, and so on) within a Windows domain. It is the centerpiece of Active Directory: it authenticates users, stores account information and enforces the security policy of the domain. Because a DC holds the directory database (ntds.dit), which contains the password hashes of every account in the domain, it is the most sensitive host you operate; whoever can read that database, or run code as SYSTEM on a DC, controls the domain.

In Windows Server 2012, after you install the Active Directory Domain Services role you will be prompted to promote the server to a domain controller (I will show these steps in the next post).

A domain can have more than one domain controller. Each writable DC holds a full copy of the domain database, and objects can be created or changed on any of them (multi-master).

Multi-master replication is a method of database replication in which the data is held by a group of computers and can be updated by any member of the group. Every change made on one DC is replicated to the other DCs of the domain, and each change carries the identity of the DC on which it originated, a version number and a timestamp, so that conflicting updates are resolved the same way on every replica.
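As an added example (not code from the original post), the following PowerShell uses the ActiveDirectory module to list the writable replicas of a domain, check inbound replication health, and, because every change in a multi-master directory records the DC on which it originated, pull the attribute-level replication metadata that tells you where and when a sensitive value such as the membership of Domain Admins was last changed. The domain name corp.example is an assumption.

```powershell
Import-Module ActiveDirectory

# Assumed domain name for this example.
$Domain = 'corp.example'

# Every writable DC holds a full, writable replica of the domain partition.
Get-ADDomainController -Filter * -Server $Domain |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# Inbound replication state of every DC in the domain (the PowerShell view of repadmin /showrepl).
Get-ADReplicationPartnerMetadata -Target $Domain -Scope Domain |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Because writes can land on any DC, each attribute value carries the DC on which the
# change originated, its USN and a version counter. For a linked attribute such as
# 'member', -ShowAllLinkedValues returns one row per member, including deleted ones.
function Get-OriginatingChange {
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # sAMAccountName of the group
        [string] $Attribute = 'member',
        [string] $Server    = $Domain
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server
    Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq $Attribute } |
        Select-Object AttributeValue, Version, LastOriginatingChangeTime, LastOriginatingDeleteTime,
            @{ Name = 'OriginatingDC'; Expression = {
                # The identity is the DN of the originating DC's NTDS Settings object,
                # e.g. CN=NTDS Settings,CN=DC01,CN=Servers,...; keep only the server name.
                # For a DC that has since been demoted only an invocation ID GUID remains.
                ($_.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN=' } }
}

Get-OriginatingChange -GroupName 'Domain Admins' |
    Sort-Object LastOriginatingChangeTime -Descending |
    Format-Table -AutoSize
```

The originating DC and time are what you correlate with that DC's Security log (event 4728/4756 for group membership changes) during an investigation; a replicated copy of the change on another DC does not produce those events there.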

-Domain tree
Domain trees are collections of domains grouped together in a hierarchical structure. When you add a new domain to a tree, it becomes a child of an existing domain in the tree; the domain it is attached to is called its parent domain, and the first domain of the tree is the tree root domain.

A child domain can in turn have child domains of its own, and the name of a child domain is prepended to the name of its parent to form its own unique Domain Name System (DNS) name, such as In this manner, a tree has a contiguous namespace. In the figure below you will see two domain trees; in the first tree the parent domain is, and the child domain is

In the figure you may have noticed that a two-way trust relationship is created automatically between parent and child. Each domain has a direct trust with its parent and with each of its children, and these trusts are transitive, so every domain in the tree (and, through the tree roots, in the forest) ends up trusting every other. This is convenient, but it also means that a domain offers little isolation from the other domains of the same forest.

A forest is a complete instance of Active Directory (AD). It is the top-level container that holds all the domains of that AD instance, as shown in the figure below. A forest contains one or more domains, and all domains in a forest share a common logical structure, a common global catalog, a single directory schema and a single directory configuration.

The first domain in the forest is called the forest root domain, and the forest takes its name from that domain, such as By default, information in AD is shared only within the forest, so the forest, not the domain, is the security boundary: the Enterprise Admins and Schema Admins groups of the root domain have authority over every domain, and SID filtering cannot be applied to the trusts inside a forest, so a compromised domain can be used to take over the rest of the forest. Anything that must not share an administrative boundary belongs in a separate forest.
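As an added example (not code from the original post), this PowerShell shows the forest-wide components every domain shares and then reports each trust seen from each domain of the forest, classifying it as intra-forest, forest or external and checking whether SID filtering applies. The point it makes is the one above: inside a forest SID filtering is not possible, so a parent/child trust never isolates a domain; for an external trust the quarantine flag is what enforces the boundary. It assumes the ActiveDirectory module and rights to read the trust objects.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest
# Forest-wide components that every domain shares.
$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, Domains, GlobalCatalogs

function Get-TrustBoundaryReport {
    param([string[]] $Domains = $forest.Domains)
    foreach ($dom in $Domains) {
        # Trusts are stored per domain, so query each domain of the forest.
        Get-ADTrust -Filter * -Server $dom | ForEach-Object {
            $kind = if ($_.IntraForest)          { 'intra-forest' }
                    elseif ($_.ForestTransitive) { 'forest' }
                    else                         { 'external' }
            # SID filtering drops foreign SIDs (for example sIDHistory values) from tokens
            # crossing the trust. It is not applied inside a forest, which is why the forest,
            # not the domain, is the security boundary. On an external trust it is the
            # quarantine flag (SIDFilteringQuarantined); on a forest trust it is on by default
            # unless someone ran 'netdom trust ... /enablesidhistory:yes'.
            $note = if ($_.IntraForest) { 'same boundary: SID filtering not possible' }
                    elseif ($kind -eq 'external' -and -not $_.SIDFilteringQuarantined) {
                        'REVIEW: external trust without SID filtering' }
                    else { 'ok' }
            [pscustomobject]@{
                SourceDomain            = $dom
                Trust                   = $_.Name
                Kind                    = $kind
                Direction               = $_.Direction          # Inbound, Outbound, BiDirectional
                Transitive              = -not $_.DisallowTransivity
                SelectiveAuth           = $_.SelectiveAuthentication
                SIDFilteringQuarantined = $_.SIDFilteringQuarantined
                SIDFilteringForestAware = $_.SIDFilteringForestAware
                Note                    = $note
            }
        }
    }
}

Get-TrustBoundaryReport | Format-Table -AutoSize
```

Run it from a member of the forest; any trust reported as "REVIEW" lets accounts from the other side carry SIDs that are not theirs, and an intra-forest row is a reminder that hardening one domain without hardening the forest root achieves little.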

Sites represent the physical topology of your network; a site is defined as a physical location, or a set of well-connected subnets. For example, your company may have more than one location (in different cities or countries). If you want all of those locations to be part of the same domain, Active Directory sites are the way to describe them. The figure below gives an idea of the site concept.

Replication of updates to domain data occurs between multiple domain controllers to keep replicas synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site.

When you install Active Directory on the first domain controller in the forest, an object named Default-First-Site-Name is created in the Sites container, and that first domain controller is placed in this site. Rename it, and add the subnets of each location, so that clients and DCs can work out which site they belong to.

Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions.
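As an added example (not code from the original post), the following PowerShell builds the site topology described above for a constructed second location and then runs two checks a practitioner would want: which site the local machine resolves to, and whether every site has both subnets and domain controllers. The site name Madrid, the subnet 10.20.0.0/16 and the site link name are assumptions; Default-First-Site-Name is the site the first DC of a forest is created in.

```powershell
Import-Module ActiveDirectory

# Constructed scenario: a second office, 'Madrid', on 10.20.0.0/16 joins the same domain.
# Site names, subnet and link name are assumptions.
$HubSite   = 'Default-First-Site-Name'
$NewSite   = 'Madrid'
$NewSubnet = '10.20.0.0/16'
$LinkName  = "$HubSite-$NewSite"

if (-not (Get-ADReplicationSite -Filter "Name -eq '$NewSite'")) {
    New-ADReplicationSite -Name $NewSite -Description 'Madrid office'
}
# The subnet-to-site mapping is how a client (and a DC) learns which site it is in.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'")) {
    New-ADReplicationSubnet -Name $NewSubnet -Site $NewSite
}
# The site link tells the KCC that the two sites replicate over IP, how often and at what cost.
# Inter-site replication is scheduled and compressed; intra-site replication is near-immediate.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $HubSite, $NewSite `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
}

# Check 1: which site does this machine resolve to?
nltest /dsgetsite

# Check 2: every site should have subnets and at least one DC. A site without subnets can
# never be matched, and a client on an unmapped subnet picks any DC in the domain, so its
# logons cross the WAN and show up on a DC you did not expect when you read the logs.
$subnetsBySite = Get-ADReplicationSubnet  -Filter * | Group-Object -Property Site -AsHashTable -AsString
$dcsBySite     = Get-ADDomainController   -Filter * | Group-Object -Property Site -AsHashTable -AsString
Get-ADReplicationSite -Filter * | ForEach-Object {
    [pscustomobject]@{
        Site    = $_.Name
        Subnets = @($subnetsBySite[$_.DistinguishedName]).Count   # Subnet.Site is the site's DN
        DCs     = @($dcsBySite[$_.Name]).Count                     # DomainController.Site is the name
    }
} | Format-Table -AutoSize
```

A site that shows zero subnets, or a DC whose site has none, is the usual reason for "no client site" entries in a DC's netlogon.log and for slow logons at a branch office.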

-Global Catalog
A Global Catalog (GC) server is a domain controller that additionally stores a partial copy of every object in the forest. It holds a full, writable copy of all objects in its own domain and a partial, read-only copy of all objects of the other domains in the forest (only the attributes in the partial attribute set). The first domain controller in the forest is automatically a global catalog; other domain controllers can optionally be configured as global catalogs. A GC answers forest-wide LDAP queries on port 3268 (3269 for LDAP over SSL), and it is what lets a DC resolve universal group memberships and user principal names from other domains at logon.

To configure a DC as a global catalog server, use the NTDS Settings object of that server:

  1. In the server manager go to Tools and select Active Directory Sites and Services
  2. In the console tree of the Active Directory Sites and Services window select the site name (Default-First-Site-Name if you haven't changed it), then Servers, and finally the domain controller.
  3. In the details pane, right-click NTDS Settings and select Properties.
  4. In the NTDS Settings Properties window, select the Global Catalog check box to enable the global catalog, or clear the check box to disable the global catalog.

You can also reach the NTDS Settings properties through Active Directory Users and Computers: in the console tree select Domain Name/Domain Controllers, and in the details pane right-click the DC and select Properties.

In the domain controller's properties window click the NTDS Settings… button, and the NTDS Settings properties window shown two figures above will open.
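The check box above sets bit 0 of the options attribute on the DC's NTDS Settings object. As an added example (not code from the original post), this PowerShell does the same thing while preserving the other bits of that attribute, then verifies that the DC is registered as a GC and advertised in DNS. The DC name DC02 is an assumption; the ActiveDirectory and DnsClient modules are required.

```powershell
Import-Module ActiveDirectory

# Assumed DC name for this example.
$DcName = 'DC02'

# Bit 0 (value 1) of the 'options' attribute on the NTDS Settings object marks a GC.
$IS_GC = 1

function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [bool] $Enabled = $true
    )
    $dc   = Get-ADDomainController -Identity $Name
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options            # $null (attribute unset) becomes 0
    # Keep the other bits intact: 2 = inbound replication disabled, 4 = outbound disabled.
    $new  = if ($Enabled) { $opts -bor $IS_GC } else { $opts -band (-bnot $IS_GC) }
    if ($new -ne $opts) {
        Set-ADObject -Identity $ntds -Replace @{ options = $new }
    }
    $new
}

Set-GlobalCatalog -Name $DcName -Enabled $true

# Verify. The flag replicates through the configuration partition; once the DC has received
# the partial replicas of the other domains it advertises itself with _gc._tcp SRV records
# and starts answering forest-wide queries on 3268/3269.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog | Format-Table -AutoSize
Resolve-DnsName -Name ("_gc._tcp." + (Get-ADForest).RootDomain) -Type SRV |
    Select-Object NameTarget, Port | Format-Table -AutoSize
```

If the SRV record for the new GC does not appear after replication has converged, dcdiag /test:advertising on that DC shows why it has not started advertising.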

-Operation Master
Active Directory has five operations master roles, also known as Flexible Single Master Operation (FSMO) roles. Each role is held by exactly one domain controller at a time, so that the changes it governs happen in only one place and the directory database stays consistent. Two roles exist once per forest: the Schema Master and the Domain Naming Master. Three exist once per domain: the Infrastructure Master, the PDC Emulator and the RID Master. A DC that holds FSMO roles is a higher-value target than its peers, so role placement belongs in your hardening and monitoring plan.

You can use the netdom query fsmo command to see which DC holds which role.
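As an added example (not code from the original post), the following PowerShell is the ActiveDirectory-module equivalent of netdom query fsmo, plus a wrapper around Move-ADDirectoryServerOperationMasterRole that transfers roles and refuses to seize one while its current holder still answers, because a seized role whose old holder later comes back online leaves two DCs each believing they own it. The DC name DC02 in the usage line is an assumption.

```powershell
Import-Module ActiveDirectory

# Forest roles live on the forest object, domain roles on the domain object
# (in a multi-domain forest each domain has its own three).
function Get-FsmoHolders {
    param([string] $Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

# Transfer: the current holder cooperates and must be online.
# Seize (-Force): only for a holder that is permanently gone, and that holder must never be
# brought back. Rights: Schema Admins for the schema master, Enterprise Admins for the
# domain naming master, Domain Admins for the three domain roles.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]] $Role,
        [switch] $Seize
    )
    $holders = Get-FsmoHolders
    if ($Seize) {
        foreach ($r in $Role) {
            $holder = $holders[$r]
            # Bind to the holder itself (not a ping, which a firewall may block) to prove it is down.
            try   { Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop | Out-Null; $alive = $true }
            catch { $alive = $false }
            if ($alive) { throw "Refusing to seize $r from $holder, which is still reachable; transfer it instead." }
        }
    }
    $params = @{ Identity = $TargetDc; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) { $params['Force'] = $true }
    Move-ADDirectoryServerOperationMasterRole @params
    Get-FsmoHolders
}

Get-FsmoHolders
# Usage (assumed DC name): move the two forest-wide roles cleanly.
# Move-FsmoRole -TargetDc 'DC02' -Role SchemaMaster, DomainNamingMaster
# Last resort for a dead holder: Move-FsmoRole -TargetDc 'DC02' -Role PDCEmulator -Seize
```

After a seize, demote or rebuild the old holder with a fresh name rather than repairing it, and run netdom query fsmo from a second DC to confirm every replica agrees on the new owners.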


  1. Schema Master (Forest Wide)
    The Schema Master controls the structure of the directory and therefore determines what can be stored in Active Directory. The schema contains the definition of every class of object that can be created and of the attributes of each class. For example, if you want to add an attribute to every user in the forest (such as a field holding the user's pay grade), you add that attribute to the schema. Think carefully before changing the schema: schema changes replicate to every DC in the forest and cannot be reversed, although an added class or attribute can be deactivated. If you want to test schema changes, create a separate forest and make your changes there so the production environment is not affected. Only members of Schema Admins can change the schema; keep that group empty and add a member only for the duration of a planned change.
    There are a few ways to transfer the schema master role; see the following page for more information:
  2. Domain Naming Master (Forest Wide)
    The Domain Naming Master ensures that two domains in the forest do not have the same name. It is needed only when domains are added to or removed from the forest. It queries the global catalog when doing so, which is why it has traditionally been recommended to place it on a global catalog server, but operations are not affected if it is not.
    To transfer the Domain Naming master, go to Active Directory Domains and Trusts, right click the Active Directory Domains and Trusts and select Operation Masters. The Operation Masters window will open.
  3. Relative ID Master (RID Master) (Domain Level)
    This role allocates RID pools. A RID (relative identifier) is the sequential number at the end of a SID (Security Identifier). Every security principal (user, group and computer account) has a SID; the SID, not the name, is what access control lists and access tokens carry. A SID has this form:
    S-1-<identifier authority>-<sub1>-<sub2>-…-<subn>-<rid>
    Where S is literal, 1 is the revision, identifier authority is a 48-bit value (5 = NT Authority), sub1 through subn are the sub-authority values (for a domain account they identify the domain, and together with the prefix form the domain SID), and the last part is the RID (for example 1040). The RID Master hands out a pool, or block, of RIDs (500 at a time by default) to each domain controller, and a DC consumes one RID from its pool for every security principal it creates. A DC requests a new pool before the current one runs out, so the RID Master does not have to be online for everyday operation, but if you create many objects at once it must be reachable to allocate new pools. A DC that has exhausted its pool and cannot contact the RID Master can no longer create users, groups or computers. The RID space of a domain is finite (about one billion RIDs) and deleted principals do not give their RIDs back, so mass creation and deletion of accounts permanently consumes it; dcdiag /test:ridmanager /v reports how much remains.
  4. PDC (Primary Domain Controller) Emulator (Domain Level)
    The PDC Emulator is the final authority on passwords. When a user enters a wrong password, the DC that rejected it forwards the attempt to the PDC Emulator before failing the logon, in case the password was recently changed and the change has not replicated yet; password changes are replicated to the PDC Emulator first, and account lockout is processed there as well. For this reason it is usually placed on the network segment with the most users. The PDC Emulator of the forest root domain is also the authoritative time source for the whole forest, which matters because Kerberos rejects tickets whose timestamps are more than five minutes apart by default; it is the DC the Group Policy editor connects to by default when you edit a GPO; and it is contacted when changes to DFS (Distributed File System) namespaces are made, a behaviour that can be switched off if the load on the PDC Emulator becomes too great.
  5. Infrastructure Master (Domain Level)
    The Infrastructure Master keeps cross-domain object references up to date: when a principal from another domain is a member of a group in this domain, the Infrastructure Master updates the group's reference if that principal is renamed or moved. In a single-domain forest there is nothing for it to do; in a multi-domain environment it matters. Whether the Infrastructure Master is also a global catalog server affects its ability to do this job: unless there is only one DC in the domain, the role should not be on a DC that hosts the global catalog. If they are on the same server, the Infrastructure Master never finds references that are out of date (its own global catalog copy already holds the current values) and so never replicates corrections to the other DCs in the domain. If all DCs in the domain host the global catalog it does not matter which one holds the role, since every DC is already up to date through the global catalog. Likewise, once the Active Directory Recycle Bin is enabled, every DC updates its own cross-domain references and the placement of this role no longer matters.
    To transfer the three domain-level operations masters to other DCs, go to Active Directory Users and Computers, right-click the domain name and select Operations Masters.
    The Operations Masters window will open.
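The SID format and RID pools described under the RID Master above are easy to inspect directly. As an added example (not code from the original post), this PowerShell splits a constructed SID into its parts, decodes the packed 64-bit pool attributes (low 32 bits = first RID of the range, high 32 bits = last), and reports how much of the domain's RID space the RID Master has handed out and which block each DC is currently consuming. The sample SID is made up; the attribute names and object locations are the standard ones.

```powershell
Import-Module ActiveDirectory

# Take a SID apart: S-1-<authority>-<sub-authorities...>-<rid>. Everything before the last
# hyphen is the domain SID shared by every principal in the domain; the RID is what makes
# the principal unique. The sample SID below is constructed.
function ConvertFrom-Sid {
    param([Parameter(Mandatory)] [string] $Sid)
    $sidObj = [System.Security.Principal.SecurityIdentifier] $Sid   # validates the format
    $parts  = $sidObj.Value -split '-'
    [pscustomobject]@{
        Sid       = $sidObj.Value
        Revision  = [int]$parts[1]                     # always 1
        Authority = [int64]$parts[2]                   # 5 = NT Authority
        DomainSid = $sidObj.AccountDomainSid.Value     # S-1-5-21-x-y-z (null for well-known SIDs)
        Rid       = [uint32]$parts[-1]
    }
}
ConvertFrom-Sid 'S-1-5-21-1004336348-1177238915-682003330-1040'
# RIDs worth recognising in logs: 500 Administrator, 501 Guest, 502 krbtgt,
# 512 Domain Admins, 519 Enterprise Admins. RIDs handed out by the RID Master start at 1000.

# Pool attributes are 64-bit integers: low 32 bits = first RID of the range, high 32 bits = last.
function ConvertFrom-RidPool {
    param([Parameter(Mandatory)] [int64] $Value)
    $mask = [int64][uint32]::MaxValue
    [pscustomobject]@{
        Start = $Value -band $mask
        End   = ($Value -shr 32) -band $mask
    }
}

# Domain-wide state held by the RID Master: next RID to hand out and the ceiling (2^30 - 1).
$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
$avail  = ConvertFrom-RidPool $ridMgr.rIDAvailablePool
[pscustomobject]@{
    NextRid     = $avail.Start
    MaxRid      = $avail.End
    PercentUsed = [math]::Round(100 * $avail.Start / $avail.End, 3)
}

# Per-DC state: the block each writable DC is currently consuming (default size 500).
# Read-only DCs never receive a pool, so they have no RID Set object.
Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
    $set  = Get-ADObject -Identity ('CN=RID Set,' + $_.ComputerObjectDN) -Properties rIDAllocationPool, rIDNextRID
    $pool = ConvertFrom-RidPool $set.rIDAllocationPool
    [pscustomobject]@{ DC = $_.Name; PoolStart = $pool.Start; PoolEnd = $pool.End; NextRid = $set.rIDNextRID }
} | Format-Table -AutoSize
```

A NextRid that jumps by tens of thousands between two runs means something is creating and deleting principals in bulk; that is worth finding, because the space is never recovered.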

-Functional Levels
Functional levels determine the capabilities of a domain or forest in AD DS. A level is capped by the oldest Windows Server version running on any domain controller, and in turn it determines which Windows Server versions may be promoted to domain controllers in that domain or forest. When you deploy AD DS, set the domain and forest functional levels to the highest value your environment can support, so that you can use as many AD DS features as possible. Several of those features are security features: the Windows Server 2008 domain level enables AES for Kerberos and fine-grained password policies, and the Windows Server 2012 R2 domain level is required for the Protected Users group's domain-side protections and for Authentication Policies and Silos.

When you deploy a new forest you are prompted to set the forest functional level and then the domain functional level. The domain functional level cannot be lower than the forest functional level, but it can be higher. For example, if you set the forest functional level to Windows Server 2008, you can set the domain functional level to Windows Server 2008 or higher (2008 R2, 2012, 2012 R2). Raising a level is quick and replicates like any other change, but lowering it again is possible only within limits (since Windows Server 2008 R2, never below Windows Server 2008, and not below 2008 R2 once the Recycle Bin is enabled), so confirm that no DC running an older version remains, and that none will need to be added, before you raise it.
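As an added example (not code from the original post), this PowerShell reports the current forest and domain functional levels alongside the operating system of every DC, which is what caps the level you can reach, and then raises the domain and forest levels in the order the rules above require. The domain name corp.example and the target level are assumptions.

```powershell
Import-Module ActiveDirectory

# Current levels plus the OS of every DC: the oldest DC OS is the ceiling for the level.
function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = 'Forest'; Name = $forest.Name; Level = [string]$forest.ForestMode }
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        [pscustomobject]@{ Scope = 'Domain'; Name = $dom.DNSRoot; Level = [string]$dom.DomainMode }
        Get-ADDomainController -Filter * -Server $d | ForEach-Object {
            [pscustomobject]@{ Scope = 'DC'; Name = $_.HostName; Level = $_.OperatingSystem }
        }
    }
}
Get-FunctionalLevelReport | Format-Table -AutoSize

# Raise every domain first, then the forest: the forest level can never exceed the lowest
# domain level. Assumed domain name and target level. Windows2012R2Domain is the level that
# unlocks Protected Users enforcement and Authentication Policies and Silos.
$Domain = 'corp.example'
Set-ADDomainMode -Identity $Domain -DomainMode Windows2012R2Domain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2012R2Forest -Confirm:$false

Get-FunctionalLevelReport | Format-Table -AutoSize
```

Set-ADDomainMode refuses the change if any DC in the report runs an older version than the target level, which is the safety net the GUI wizard relies on as well.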

The following two figures show the features available at different domain and forest functional levels.


