AD Lingo

4 minute read

Basic overview and some terminology for Active Directory.

What is Active Directory?

Active Directory, commonly abbreviated AD, is a directory service used to manage Windows networks.

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

AD provides Windows environments with centralised management, interoperability and security for different types of objects, with the ability to span a LAN, MAN or WAN.

Active Directory Services

AD provides multiple services, each with a different purpose within their operational environment. The services are as follows:

  • AD Domain Services (AD DS)
    • Data storage, communication management
  • AD Lightweight Directory Services (AD LDS)
    • LDAP support for cross-platform services
  • AD Certificate Services (AD CS)
    • Digital certificates and signatures
  • AD Federation Services (AD FS)
    • SSO authentication
  • AD Rights Management Services (AD RMS)
    • Information/data rights and policies

Active Directory FSMO roles

A FSMO role is defined as a set of objects that can be updated in only one NC replica at any given time. The DC that hosts this NC replica is the owner for that FSMO role.

I’ve linked the Microsoft documentation for each of the five roles:

  • Schema Master - one per forest, performs updates to directory schema then replicates to all other DCs.
  • Domain Naming Master - one per forest, makes changes to forest-wide domain name space of directory and partitions container, add/remove domain/application NC from directory, only this role can write to partitions container or its children.
  • RID Master - one per domain, processes RID pool requests from all DCs within domain, moves an object from one domain to another during interdomain object move.
  • PDC Emulator - one per domain, password changes by other DCs in domain replicated to the PDC emulator, used in authentication, account lockout processing, netlogon remote protocol.
  • Infrastructure - one per domain, updates cross-domain object references if moved, renamed, or deleted.

naming context (NC): An NC is a set of objects organized as a tree. It is referenced by a DSName. The DN of the DSName is the distinguishedName attribute of the tree root. The GUID of the DSName is the objectGUID attribute of the tree root. The security identifier (SID) of the DSName, if present, is the objectSid attribute of the tree root; for Active Directory Domain Services (AD DS), the SID is present if and only if the NC is a domain naming context (domain NC). Active Directory supports organizing several NCs into a tree structure.

primary domain controller (PDC): A domain controller (DC) designated to track changes made to the accounts of all computers on a domain. It is the only computer to receive these changes directly, and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC.

relative identifier (RID): The last item in the series of SubAuthority values in a security identifier (SID). It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same RID.

Active Directory Objects

Objects are at the core of AD’s existence. They simply represent something on a network. Listed below are some common examples of objects you’ll find in an AD environment and their associated attributes/properties:

  • Windows Users
    • Account Information
    • Privileges
    • Profiles
    • Policy
  • Windows Severs
    • Management Profile
    • Network Information
    • Printers
    • File Shares
    • Policy
  • Windows Clients
    • Management Profiles
    • Network Information
    • Policy
  • Network Devices
    • Configuration
    • Quality of Service (QoS) Policy
    • Security Policy
  • Firewall Services
    • Configuration
    • Security Policy
    • VPN Policy
  • Applications
    • Server Configuration
    • Single Sign-On (SSO)
    • Application Specific Directory Information Policy
  • E-mail Servers
    • Mailbox Information
    • Address Book
  • Other NDS
    • User Registry
    • Security
    • Policy
  • Other Directories
    • White Pages
    • E-Commerce

Active Directory Components

Schema - Defines objects and their attributes.

Global Catalog - Contains information about every object in the directory.

Group Policy - Ability to manage and configure changes easily and centrally in an AD environment. Security settings, registry-based policy settings, group policy preferences and software installation can all be configured through Group Policy.

Group Policy Object - GPO, A set of Group Policy configurations.

Organisational Units - OUs, grouped objects within a domain.

Query and Index Mechanisms - Provides searching capabilities for objects and their properties.

Sites - Represents the network’s physical structure (topology). AD stores this information as ‘site’ and ‘site link’ objects in order to build an efficient replication topology.

Site Links - Establish links between different sites.

Replication Service - Distributes information across Domain Controllers (DCs).

Replication Topology - The route replication traffic travels through the network.

DNS - The Domain Name System helps in locating resources and services throughout the network. It also allows clients to locate DCs and for DCs to communicate with one another.

LDAP - Lightweight Directory Access Protocol allows clients and servers to communicate with one another within the environment.

Active Directory Structure

Domains - Collection of objects within an AD network.

Trees - Collection of domains within an AD network.

Forests - Security boundary, may contain one or more domains, each domain may contain multiple Organisational Units (OUs).