
What is Active Directory. Introduction. How Active Directory works

What will help Active Directory specialists?

I will give a small list of "goodies" that can be obtained by deploying Active Directory:

  • a single user registration database, which is stored centrally on one or more servers; thus, when a new employee appears in the office, you will only need to create an account for him on the server and specify which workstations he can access;
  • since all domain resources are indexed, this enables simple and fast search for users; for example, if you need to find a color printer in a department;
  • the combination of applying NTFS permissions, group policies and delegation of control will allow you to fine-tune and distribute rights between domain members;
  • roaming user profiles allow you to store important information and configuration settings on the server; in fact, if a user with a roaming profile in the domain sits down to work on another computer and enters his username and password, he will see his desktop with his usual settings;
  • using group policies, you can change the settings of user operating systems, from allowing the user to set wallpaper on the desktop to security settings, as well as distribute software over the network, for example, Volume Shadow Copy client, etc.;
  • many programs (proxy servers, database servers, etc.) not only manufactured by Microsoft today have learned to use domain authentication, so you do not have to create another user database, but you can use an existing one;
  • the use of Remote Installation Services facilitates the installation of systems on the workstations, but, in turn, works only with the embedded directory service.

This is not a complete list of features, but more on that later. Now I will try to explain the logic behind building Active Directory, but first it is worth finding out what Active Directory is built from: Domains, Trees, Forests, Organizational Units, and User and Computer Groups.

Domains are the basic logical building unit. Compared to workgroups, AD domains are security groups with a single registration database, while workgroups are just a logical grouping of machines. AD uses DNS (Domain Name Server) for naming and lookup services, not WINS (Windows Internet Name Service), as was the case in earlier versions of NT. Thus, computer names in a domain look like, for example, buh.work.com, where buh is the name of a computer in the work.com domain (although this is not always the case).

Workgroups use NetBIOS names. To host an AD domain structure you may use a non-Microsoft DNS server, but it must be compatible with BIND 8.1.2 or higher and support SRV records as well as dynamic registration (RFC 2136). Each domain has at least one domain controller that hosts the central database.

Trees are multi-domain structures. The root of such a structure is the main domain for which you create child domains. In fact, Active Directory uses a hierarchical construction similar to the structure of domains in DNS.

If we have a work.com domain (first-level domain) and create two child domains for it, first.work.com and second.work.com (here, first and second are second-level domains, not a computer in the domain, as in the case described above), then as a result we get a tree of domains.

Trees as a logical structure are used when you need to separate the branches of a company, for example, by geographical features, or for some other organizational reasons.

AD helps to automatically create trust relationships between each domain and its child domains.

Thus, the creation of the domain first.work.com leads to the automatic organization of a two-way trust relationship between the parent work.com and the child first.work.com (similarly for second.work.com). Therefore, permissions can be applied from the parent domain to the child domain, and vice versa. It is easy to see that trust relationships will exist for the children of the child domains as well.

Another property of trust relationships is transitivity: as a result, a trust relationship with the work.com domain also exists for the net.first.work.com domain.

Forests are, like trees, multi-domain structures, but a forest is a union of trees that have different root domains.

Suppose you decide to have several domains named work.com and home.net and create child domains for them; because the TLD (top-level domain) is not under your control, you can organize a forest by selecting one of the first-level domains as the root. The beauty of creating a forest in this case is the two-way trust relationship between these two domains and their child domains.

However, when working with forests and trees, remember the following:

  • you cannot add an existing domain to the tree
  • you cannot include an already existing tree in the forest
  • if domains are placed in a forest, they cannot be moved to another forest
  • you cannot delete a domain that has child domains

Organizational units can in principle be called subdomains. They allow you to group user accounts, user groups, computers, shared resources, printers, and other OUs (Organizational Units) within a domain. The practical benefit of using them is the ability to delegate the right to administer these units.

Simply put, it is possible to designate an administrator in a domain who can manage the OU, but not have the rights to administer the entire domain.

An important feature of OUs, unlike groups, is the ability to apply group policies to them. “Why can’t the original domain be split into multiple domains instead of using an OU?” - you ask.

Many experts advise having one domain whenever possible. The reason for this is the decentralization of administration when creating an additional domain, since the administrators of each such domain receive unlimited control (let me remind you that when delegating rights to OU administrators, you can limit their functionality).

In addition to this, to create a new domain (even a child one) you will need another controller. If you have two separate divisions connected by a slow communication channel, replication problems may arise. In this case, it would be more appropriate to have two domains.

There is also another nuance to applying group policies: policies that define password settings and account lockouts can only be applied to domains. For OUs, these policy settings are ignored.

Sites are a way to physically partition the directory service. By definition, a site is a group of computers connected by fast data links.

If you have several branches in different parts of the country, connected by low-speed communication lines, then you can create a separate site for each branch. This is done to improve the reliability of directory replication.

Such a partition of AD does not affect the principles of logical construction: a site can contain several domains, and a domain can contain several sites. But this directory service topology has a catch. As a rule, the Internet, a very insecure environment, is used to communicate with branches, and many companies rely on security measures such as firewalls. The directory service uses about one and a half dozen ports and services, and opening them for AD traffic to pass through the firewall would effectively expose it to the outside. The solution is to use tunneling technology, as well as to have a domain controller in each site to speed up the processing of requests from AD clients.

The logic of nesting directory service components is shown in the figure. It can be seen that the forest contains two domain trees, in which the root domain of each tree can in turn contain OUs and groups of objects, as well as have child domains (in this case, one each). Child domains can also contain object groups and OUs and have child domains of their own (not shown in the figure), and so on. Let me remind you that OUs can contain OUs, objects, and groups of objects, and groups can contain other groups.

User and computer groups - are used for administrative purposes and have the same meaning as when used on local machines on a network. Unlike OUs, Group Policies cannot be applied to groups, but they can be delegated control. Within the framework of the Active Directory schema, there are two types of groups: security groups (used to differentiate access rights to network objects) and distribution groups (used mainly for sending mail messages, for example, in Microsoft Exchange Server).

They are classified according to their scope:

  • universal groups may include users within the forest as well as other universal groups or global groups from any domain in the forest
  • domain global groups may include domain users and other global groups of the same domain
  • domain local groups used to differentiate access rights, can include domain users, as well as universal groups and global groups of any domain in the forest
  • local computer groups - groups held by the SAM (security account manager) of the local machine. Their scope is limited to this machine only, but they can include domain local groups of the domain in which the computer is located, as well as universal and global groups of their own domain or another domain that they trust. For example, you can include a user from the domain local group Users in the Administrators group of the local machine, thereby giving him administrative rights, but only on this computer
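
The scope rules listed above, shown as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory RSAT module, a lab domain whose NetBIOS name is CORP, and the group and workstation names used below, all of which are placeholders.

```powershell
# Added example: create one group of each scope, nest them according to the rules above,
# and show that a disallowed nesting (domain local inside global) is rejected by the DC.
# Assumptions: ActiveDirectory module present, CORP is the NetBIOS domain name, names are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ou = "OU=Groups,$domainDN"
if (-not (Get-ADOrganizationalUnit -Identity $ou -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name "Groups" -Path $domainDN
}

# Global security group: collects users of its own domain by role
New-ADGroup -Name "GG-Accounting" -GroupScope Global -GroupCategory Security -Path $ou
# Domain local security group: the object that is actually granted rights on a resource
New-ADGroup -Name "DL-ColorPrinter-Print" -GroupScope DomainLocal -GroupCategory Security -Path $ou
# Universal distribution group: mail list that may hold members from any domain in the forest
New-ADGroup -Name "U-AllStaff" -GroupScope Universal -GroupCategory Distribution -Path $ou

# Allowed nesting: global -> domain local, global -> universal
Add-ADGroupMember -Identity "DL-ColorPrinter-Print" -Members "GG-Accounting"
Add-ADGroupMember -Identity "U-AllStaff" -Members "GG-Accounting"

# Not allowed: a domain local group as a member of a global group
try {
    Add-ADGroupMember -Identity "GG-Accounting" -Members "DL-ColorPrinter-Print" -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# Review scope, category and membership of the groups created above
Get-ADGroup -Filter 'Name -like "GG-*" -or Name -like "DL-*" -or Name -like "U-*"' -SearchBase $ou -Properties Members |
    Select-Object Name, GroupScope, GroupCategory, @{n='Members'; e={ $_.Members -join '; ' }}

# On a member workstation (placeholder WS01): a domain group placed in the local SAM Administrators group
# gives its members administrative rights on that machine only
Invoke-Command -ComputerName "WS01" -ScriptBlock {
    Add-LocalGroupMember -Group "Administrators" -Member "CORP\GG-Accounting"
    Get-LocalGroupMember -Group "Administrators"
}
```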

Every self-respecting computer user has had to connect a printer to a computer at least once in their life, maybe you don’t have your own, but neighbors or friends asked to do it. And you agreed, although you had never experienced this procedure before. On the physical level, you did everything right, but when you try to print something, the system gives an error "Active Directory Domain Services is currently unavailable." What to do in this situation, you probably do not know. This article is designed to help you do just that.

Reasons why the printer does not work

One of the most likely reasons is that a special service related to the printer, together with its accompanying spooler, is not running. Sometimes, especially on older devices, this service has to be started manually. Another reason is the printer drivers: they may be installed incorrectly, so the corresponding services do not start.

It is important to pay attention to the operating system itself. For connected devices, it includes software that handles specific device types, in our case the printer. Also check the computer itself and its USB ports for operability.

Correctly adding a printer

Few people read instructions on how to properly connect or install new equipment before doing so. Many try to cope with their intuition and overconfidence. And the instructions are usually resorted to already when, for example, the error “Active Directory Domain Services is currently unavailable” appears. Let's learn from the Windows OS vendor, Microsoft, how to properly add a printer to operating system devices.


Fixing the "Domain Services Unavailable" Error on the Printer

Before understanding the Active Directory error, make sure that the ports to which you connect the printer are in working order, as well as the wire with which the device is connected to the computer. You also need to make sure that the device itself is working. If you have the opportunity, connect another printer to your computer by borrowing it from a neighbor or friends. In any case, you must be 100% sure that the devices do not need repair and the problem is at the software level.


Enable Active Directory Services

To fix our "AD DS is currently unavailable" issue, you may need to enable or restart certain services in order for the printer to work. For this:

  1. Open the Control Panel (right-click the "Start" icon and select it from the list).
  2. Next, find the "Administration" section and select "Services" from the list.
  3. In the list of services, find "Automatic configuration of network devices". Select it and, if it is disabled, enable it; otherwise restart it by clicking "Disable" and then "Enable" in its properties.
  4. Carry out the same steps for the following services: "Remote Access Automatic Connection Manager", "Local Device Manager", "Local Session Manager".

Setting up Active Directory is a fairly simple process and is covered in many resources on the Internet, including official ones. However, on my blog, I can't help touching on this point, since most of the following articles will be based in one way or another on the environment, which I plan to set up right now.

If you are interested in the Windows Server topic, I recommend that you refer to the tag on my blog. I also recommend that you read the main article on Active Directory -

I plan to deploy the AD role on two virtual servers (future domain controllers) in turn.

  1. The first step is to set the appropriate server names, for me it will be DC01 and DC02;
  2. Next, configure static network settings (I will discuss this point in detail below);
  3. Install all system updates, especially security updates (for a DC this is as important as for any other role).

At this stage, you need to decide what your domain name will be. This is extremely important, because changing the domain name later will be a very big problem for you, even though a renaming procedure has been officially supported and implemented for a long time.

Note: some reasoning, as well as many links to useful material, can be found in my article. I recommend that you familiarize yourself with it, as well as with the list of sources used.

Since I will be using virtualized domain controllers, I need to change some virtual machine settings, namely disable time synchronization with the hypervisor. Time in AD should be synchronized exclusively from external sources. Leaving time synchronization with the hypervisor enabled can result in cyclic synchronization and, as a result, problems with the operation of the entire domain.

Note: disabling synchronization with the virtualization host is the easiest and fastest option. However, this is not best practice. According to Microsoft recommendations, you should only partially disable synchronization with the host. To understand how this works, read the official documentation, which in recent years has improved radically in how it presents the material.

In general, the approach to administering virtualized domain controllers differs due to some features of AD DS functioning:

Virtual environments present a particular challenge for distributed workflows that rely on time-based replication logic. For example, AD DS replication uses a uniformly incrementing value (called the USN, or Update Sequence Number) assigned to transactions in each domain controller. Each domain controller database instance also receives an identifier called InvocationID. The domain controller's invocationID and its update sequence number together serve as a unique identifier that is associated with each write transaction that occurs on each domain controller and must be unique within a forest.

This completes the basic steps to prepare the environment, proceed to the installation stage.
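
The preparation steps above (server name, static addressing, update check, hypervisor time sync) as an added PowerShell example; this is not the article's own code. It assumes Hyper-V as the hypervisor, an adapter alias of "Ethernet", and the constructed addresses in the 192.0.2.0/24 range.

```powershell
# Added example: preparing DC01 as described in the steps above.
# Assumptions: adapter alias "Ethernet", constructed addresses 192.0.2.x, Hyper-V as the hypervisor.

# --- inside the future DC01 ---
Rename-Computer -NewName "DC01" -Force            # takes effect after the reboot at the end

$idx = (Get-NetAdapter -Name "Ethernet").ifIndex
Set-NetIPInterface -InterfaceIndex $idx -Dhcp Disabled
New-NetIPAddress -InterfaceIndex $idx -IPAddress "192.0.2.10" -PrefixLength 24 -DefaultGateway "192.0.2.1"
# Before AD DS and DNS exist on this box, point at the DNS server already in the network (assumed 192.0.2.53)
Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses "192.0.2.53"
Get-NetIPConfiguration -InterfaceIndex $idx        # verify before continuing

# Security updates: review what is installed; apply pending updates via sconfig/WSUS and reboot
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

# --- on the Hyper-V host: option A, fully disable time sync (the article's choice) ---
Disable-VMIntegrationService -VMName "DC01" -Name "Time Synchronization"
Get-VMIntegrationService -VMName "DC01" | Where-Object Name -eq "Time Synchronization"

# --- inside DC01: option B, Microsoft's "partial" disable: leave the integration service on,
#     but stop the VMIC provider from acting as a time source for the Windows Time service ---
$vmic = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider"
Set-ItemProperty -Path $vmic -Name "Enabled" -Value 0 -Type DWord
Restart-Service w32time
w32tm /query /source                               # must no longer report "VM IC Time Synchronization Provider"

Restart-Computer -Force                            # applies the new computer name
```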

Installing Active Directory

Installation is done through Server Manager and there is nothing complicated in it, you can see all the installation steps in detail below:


The installation process itself has undergone some changes compared to previous versions of the OS:

Deploying Active Directory Domain Services (AD DS) in Windows Server 2012 is easier and faster than previous versions of Windows Server. AD DS installation is now based on Windows PowerShell and integrated with Server Manager. The number of steps required to introduce domain controllers into an existing Active Directory environment has been reduced.

You only need to select the Active Directory Domain Services role; no additional components need to be installed. The installation takes a little time, and you can proceed to the setup immediately.

When the role is installed, you will see an exclamation mark at the top right of Server Manager - post-deployment configuration is required. Click Promote this server to a domain controller.

Promoting a Server to a Domain Controller

The steps of the wizard are described in detail in the documentation. However, let's go through the basic steps.

Since we are deploying AD from scratch, we need to add a new forest. Be sure to store your Directory Services Restore Mode (DSRM) password securely. The location of the AD DS database can be left at the default (which is what is recommended; however, for variety in my test environment, I specified a different directory).

We are waiting for the installation.

The server will then reboot itself.

Create domain/enterprise administrator accounts

You will need to log in under the local administrator account, as before. Go to the Active Directory Users and Computers snap-in and create the necessary accounts; at this point, this is the domain administrator.
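
The forest creation wizard and the first administrator account, as an added PowerShell example using the ADDSDeployment module (this is not the article's code). The domain name corp.example.com, the NetBIOS name CORP, the D:\ paths and the user name are assumptions.

```powershell
# Added example: the Server Manager wizard above done with Install-ADDSForest on DC01,
# followed by the domain administrator account created in the snap-in step.
# Assumptions: domain corp.example.com / CORP, database on D:\ (the article's "different directory"), user adm.ivanov.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# DSRM password: keep it in the password safe; it is the only way in when the DC boots in Directory Services Restore Mode
$dsrm = Read-Host -AsSecureString -Prompt "DSRM password"

$params = @{
    DomainName                    = "corp.example.com"
    DomainNetbiosName             = "CORP"
    InstallDns                    = $true
    DatabasePath                  = "D:\NTDS"       # default would be C:\Windows\NTDS
    LogPath                       = "D:\NTDS"
    SysvolPath                    = "D:\SYSVOL"
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true           # suppress the confirmation prompts
}
# Functional levels are deliberately not passed, so the installed OS default applies
Test-ADDSForestInstallation @params | Format-List   # dry run: same warnings the wizard shows
Install-ADDSForest @params                          # the server reboots on completion, as in the wizard

# --- after the reboot, logged on as Administrator (now a domain account) ---
Import-Module ActiveDirectory
$adminPwd = Read-Host -AsSecureString -Prompt "Password for the new admin account"
New-ADUser -Name "adm.ivanov" -SamAccountName "adm.ivanov" -UserPrincipalName "adm.ivanov@corp.example.com" `
    -AccountPassword $adminPwd -Enabled $true -Path ("CN=Users," + (Get-ADDomain).DistinguishedName)
Add-ADGroupMember -Identity "Domain Admins"     -Members "adm.ivanov"
# Enterprise Admins is forest-wide; grant it only to the few accounts that really need it
Add-ADGroupMember -Identity "Enterprise Admins" -Members "adm.ivanov"
Get-ADUser "adm.ivanov" -Properties MemberOf | Select-Object Name, @{n='Groups'; e={ $_.MemberOf -join '; ' }}
```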

Setting up DNS on a single DC in a domain

During the installation of AD, the AD DNS role was also installed, since I did not have other DNS servers in the infrastructure. For the service to work correctly, you need to change some settings. First you need to check your preferred DNS servers in the network adapter settings. You need to use only one DNS server with the address 127.0.0.1. Yes, it's localhost. By default, it should register itself.

After making sure that the settings are correct, open the DNS snap-in. Right-click the server name, open its properties and go to the "Forwarders" tab. The DNS server address that was specified in the network settings before installing the AD DS role was automatically registered as the only forwarder:

It is necessary to delete it and create a new one; it is highly desirable that this be the provider's server rather than a public address such as the well-known 8.8.8.8 and 8.8.4.4. For fault tolerance, register at least two servers. Do not uncheck the box to use root hints if no forwarders are available. Root hints are a well-known pool of top-level DNS servers.
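
The same client and forwarder changes, as an added PowerShell example run on DC01 (not the article's own code). The adapter alias, the provider resolver addresses 198.51.100.53/54 and the domain corp.example.com are assumptions.

```powershell
# Added example: DNS settings on a single DC as described above.
# Assumptions: adapter alias "Ethernet", provider resolvers 198.51.100.53/54, domain corp.example.com.

# 1. Client side: the DC queries only itself
$idx = (Get-NetAdapter -Name "Ethernet").ifIndex
Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses "127.0.0.1"
Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4

# 2. Server side: replace the forwarder that was registered automatically during promotion
Get-DnsServerForwarder                              # shows current forwarders and the UseRootHint flag
$old = (Get-DnsServerForwarder).IPAddress
if ($old) { Remove-DnsServerForwarder -IPAddress $old -Force }
Add-DnsServerForwarder -IPAddress "198.51.100.53", "198.51.100.54" -PassThru
# Keep root hints as the fallback for when no forwarder answers
Set-DnsServerForwarder -UseRootHint $true

# 3. Verify: the SRV record clients use to locate a DC, and external resolution through the forwarders
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.corp.example.com" -Type SRV -Server 127.0.0.1
Resolve-DnsName -Name "www.example.com" -Server 127.0.0.1
```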

Adding a second DC to the domain

Since I originally talked about having two domain controllers, it's time to set up the second one. We go through the installation wizard again and promote the server to a domain controller, this time selecting Add a domain controller to an existing domain:

Please note that in the network settings of this server, the first domain controller configured earlier must be selected as the DNS server! This is required, otherwise you will get an error.

After the necessary settings, log in to the server under the domain administrator account that was created earlier.

Setting up DNS on multiple DCs in a domain

To prevent problems with replication, you need to change the network settings again and you need to do this on each domain controller (and on the pre-existing ones too) and every time you add a new DC:

If you have more than three DCs in the domain, you need to register the DNS servers in that order through the advanced settings. You can read more about DNS in my article.
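
Promoting the second DC and then re-pointing DNS on every DC, as an added PowerShell example (not code from the article). It assumes DC01 = 192.0.2.10 and DC02 = 192.0.2.11 (constructed), the domain corp.example.com, and the common convention of listing another DC first and the loopback address last.

```powershell
# Added example: DC02 promotion plus the per-DC DNS client change described above.
# Assumptions: DC01 192.0.2.10, DC02 192.0.2.11, adapter alias "Ethernet", domain corp.example.com.

# --- on DC02, before promotion: DNS must point at the existing DC, or the wizard fails ---
$idx = (Get-NetAdapter -Name "Ethernet").ifIndex
Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses "192.0.2.10"
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred = Get-Credential -UserName "CORP\adm.ivanov" -Message "Domain admin created earlier"
$dsrm = Read-Host -AsSecureString -Prompt "DSRM password for DC02"
$params = @{
    DomainName                    = "corp.example.com"
    Credential                    = $cred
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
Test-ADDSDomainControllerInstallation @params | Format-List
Install-ADDSDomainController @params                # reboots on completion

# --- after the reboot, on every DC (the pre-existing ones too): another DC first, loopback last ---
$dnsPlan = @{
    "DC01" = @("192.0.2.11", "127.0.0.1")
    "DC02" = @("192.0.2.10", "127.0.0.1")
}
foreach ($dc in $dnsPlan.Keys) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        param($servers)
        $i = (Get-NetAdapter -Name "Ethernet").ifIndex
        Set-DnsClientServerAddress -InterfaceIndex $i -ServerAddresses $servers
        Get-DnsClientServerAddress -InterfaceIndex $i -AddressFamily IPv4
    } -ArgumentList (, $dnsPlan[$dc])
}

# Replication and DNS health check once both DCs are up
repadmin /replsummary
dcdiag /test:DNS /v
```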

Time setting

This step is a must, especially if you're setting up a real production environment. As you remember, earlier I disabled time synchronization through the hypervisor, and now it needs to be configured properly. The controller holding the FSMO PDC emulator role is responsible for distributing the correct time to the entire domain (Don't know what this role is? Read the article.). In my case, this is of course the first domain controller, which has held all FSMO roles from the very beginning.

We will configure the time on domain controllers using group policies. As a reminder, domain controller computer accounts are in a separate container and have a separate default group policy. You do not need to make changes to this policy, it is better to create a new one.

Name it as you see fit; once the object is created, right-click it and choose Edit. Go to Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers. Enable the policies Enable Windows NTP Client and Enable Windows NTP Server, then open the properties of the Configure Windows NTP Client policy and set the protocol type to NTP; do not touch the rest of the settings:

We wait for the policies to be applied (it took me about 5-8 minutes, despite running gpupdate /force and a couple of reboots), after which we get:

In general, it is necessary to make sure that only the PDC emulator synchronizes time from external sources, not every domain controller, but with the policy as created it would apply to all objects in the container. You need to restrict it to the computer account of the domain controller that owns the PDC emulator role. This is also done through group policies: in the gpmc.msc console, left-click the desired policy and on the right you will see its settings. In the security filtering section, you need to add the account of the desired domain controller:

Read more about the principle of operation and setting up the time service in the official documentation.
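
The time-service policy above, created and filtered to the PDC emulator with the GroupPolicy module, as an added PowerShell example (not the article's code). The GPO name and the pool.ntp.org hosts are assumptions; pick your own external sources.

```powershell
# Added example: GPO for the Windows Time service, applied only to the PDC emulator's computer account.
# Assumptions: GroupPolicy and ActiveDirectory modules on a DC, GPO name and NTP hosts are placeholders.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = "DC - Time Service (PDC emulator)"
$dcOU    = "OU=Domain Controllers," + (Get-ADDomain).DistinguishedName
$pdc     = (Get-ADDomain).PDCEmulator               # FQDN of the role holder, e.g. DC01.corp.example.com
$pdcName = ($pdc -split '\.')[0]

New-GPO -Name $gpoName -Comment "External NTP source; security-filtered to the PDC emulator" | Out-Null
$base = "HKLM\SOFTWARE\Policies\Microsoft\W32Time"

# "Enable Windows NTP Client" and "Enable Windows NTP Server"
Set-GPRegistryValue -Name $gpoName -Key "$base\TimeProviders\NtpClient" -ValueName "Enabled" -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$base\TimeProviders\NtpServer" -ValueName "Enabled" -Type DWord -Value 1 | Out-Null
# "Configure Windows NTP Client": Type = NTP, external sources (0x8 = client mode); other values stay at defaults
Set-GPRegistryValue -Name $gpoName -Key "$base\Parameters" -ValueName "Type" -Type String -Value "NTP" | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$base\Parameters" -ValueName "NtpServer" -Type String `
    -Value "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" | Out-Null

# Security filtering: Authenticated Users keep Read only (needed for processing), Apply goes to the PDC emulator alone
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $pdcName -TargetType Computer -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes | Out-Null

# Verify on all DCs (as the article notes, application can take several minutes)
Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Source = (w32tm /query /source) }
}
# Healthy result: the PDC emulator reports an external NTP host, every other DC reports a domain controller
```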

This completes the time setting, and with it the initial configuration of Active Directory.

Active Directory (AD) is a utility designed for the Microsoft Server operating system. It was originally created as a lightweight algorithm for accessing user directories. Since the version of Windows Server 2008, integration with authorization services has appeared.

It gives you the ability to enforce a group policy that applies the same settings and software on all managed PCs using System Center Configuration Manager.

In simple words, for beginners: this is a server role that lets you manage all access and permissions on the local network from one place.

Functions and purposes

Microsoft Active Directory (the so-called directory) is a package of tools that allows you to manipulate users and network data. The main goal of its creation is to facilitate the work of system administrators in extensive networks.

Directories contain various information about users, groups, network devices and file resources; in a word, objects. For example, the user attributes stored in the directory may include: address, login, password, mobile phone number, etc. The directory is used as an authentication point through which you can find the necessary information about a user.

Basic concepts encountered in the course of work

There are a number of specialized concepts that apply when working with AD:

  1. The server is the computer that contains all the data.
  2. The controller is a server with the AD role that handles requests from people using the domain.
  3. An AD domain is a collection of devices united under one unique name that simultaneously use a common directory database.
  4. The data store is the part of the directory that is responsible for storing and retrieving data from any domain controller.

How active directories work

The main principles of work are:

  • Authorization, which makes it possible to use a PC on the network simply by entering a personal password. In this case, all information from the account is transferred.
  • Security. Active Directory contains user recognition features. For any network object, you can remotely, from one device, set the necessary rights, which will depend on the categories and specific users.
  • Network administration from one point. While working with Active Directory, the system administrator does not need to reconfigure all PCs when access rights need to change, for example, to a printer. Changes are made remotely and globally.
  • Complete DNS integration. Thanks to it there is no confusion in AD; all devices are named in the same way as on the World Wide Web.
  • Large scale. A collection of servers can be controlled by a single Active Directory.
  • Search by various parameters, for example, computer name or login.

Objects and Attributes

Object - a set of attributes, united under its own name, representing a network resource.

Attribute - a characteristic of an object in the catalog. For example, the user's full name or login. The attributes of a PC account can be the name of this computer and its description.

“Employee” is an object that has the attributes “Name”, “Position” and “TabN”.

LDAP container and name

Container is a type of object that can consist of other objects. A domain, for example, may include account objects.

Their main purpose is ordering objects by their characteristics. Most often, containers are used to group objects with the same attributes.

Almost all containers correspond to a collection of objects, while resources correspond to a unique Active Directory object. One of the main types of AD container is the organizational unit, or OU. Objects placed in this container belong only to the domain in which they are created.

Lightweight Directory Access Protocol (LDAP) is the basic protocol for accessing the directory over TCP/IP. It was created to reduce the complexity of accessing directory services. LDAP also defines the operations used to query and edit directory data.

Tree and site

A domain tree is a structure, a collection of domains that share a common schema and configuration, form a common namespace and are linked by trust relationships.

A forest of domains is a collection of trees linked together.

Site - a collection of devices in IP subnets representing the physical model of the network, whose planning is performed independently of the logical representation of its construction. Active Directory can create n sites or combine n domains under one site.

Installing and configuring Active Directory

Now let's go directly to setting up Active Directory using Windows Server 2008 as an example (on other versions, the procedure is identical):

Click on the "OK" button. Note that these values are not required. You can use the IP address and DNS from your network.

  • Next, go to the "Start" menu, select "Administrative Tools" and "".
  • Go to the "Roles" item and select "Add roles".
  • Select "Active Directory Domain Services", click "Next" twice, and then "Install".
  • Wait for the installation to finish.
  • Open Start Menu - "Run". Enter dcpromo.exe in the field.
  • Click "Next".
  • Select "Create a new domain in a new forest" and click "Next" again.
  • In the next window, enter a name and click "Next".
  • Select the compatibility mode (Windows Server 2008).
  • In the next window, leave everything at the default.
  • The DNS configuration window will open. Since DNS was not used on the server before, the delegation was not created.
  • Select a directory for installation.
  • After this step, you need to set the administrator password.

To be secure, the password must meet the following requirements:


After AD completes the component configuration process, you must restart the server.



The configuration is complete; the snap-in and the role are installed in the system. You can install AD only on Windows of the Server family; regular versions, such as 7 or 10, only allow you to install the management console.

Administration in Active Directory

By default, in Windows Server, the Active Directory Users and Computers console works with the domain to which the computer belongs. You can access computer and user objects in this domain through the console tree or connect to another controller.

The same console tools allow you to view additional object properties and search for objects; you can create new users and groups and change their permissions.

By the way, there are 2 types of groups in Active Directory: security and distribution. Security groups are responsible for delimiting access rights to objects; they can also be used as distribution groups.

Distribution groups cannot differentiate rights, but are used primarily to distribute messages on the network.

What is AD Delegation

Delegation itself is the transfer of part of the permissions and control from the parent object to another responsible party.

It is known that each organization has several system administrators at its headquarters. Different tasks should be assigned to different people. In order to apply changes, you must have rights and permissions, which are divided into standard and special. Special permissions apply to a specific object, while standard permissions are a set of existing permissions that make certain functions available or unavailable.

Establishing Trust Relationships

There are two kinds of trust relationships in AD: "unidirectional" and "bidirectional". In the first case, one domain trusts another, but not vice versa, respectively, the first has access to the resources of the second, and the second does not have access. In the second form, trust is “mutual”. There are also "outgoing" and "incoming" relationships. In outbound, the first domain trusts the second, thus allowing users of the second to use the resources of the first.

During installation, the following procedures should be carried out:

  • Check network connections between controllers.
  • Check settings.
  • Tune name resolution for external domains.
  • Create connection from the trusting domain.
  • Create a connection from the side of the controller to which the trust is addressed.
  • Check the created one-way relationships.
  • If a two-way relationship needs to be established, perform the setup.

Global Directory

This is the domain controller that keeps copies of all objects in the forest. It gives users and programs the ability to search for objects in any domain in the current forest using the attributes included in the global catalog.

The Global Catalog (GC) includes a limited set of attributes for every forest object in every domain. It receives data from all domain directory partitions in the forest and replicates it using the standard Active Directory replication process.

The schema determines whether an attribute is replicated. Additional attributes can be configured to be replicated to the global catalog using the "Active Directory Schema" snap-in. To add an attribute to the global catalog, select the attribute and use the "Copy" (replicate) option. This replicates the attribute to the global catalog, and the attribute's isMemberOfPartialAttributeSet parameter becomes true.

To find out which servers hold the global catalog, enter at the command line:

dsquery server -isgc

Data replication in Active Directory

Replication is the copying procedure carried out so that the same up-to-date information exists on every controller.

It is performed without operator intervention. There are the following types of replica content:

  • Data replicas, created for all existing domains.
  • Schema data replicas. Because the schema is the same for all objects in the Active Directory forest, its replicas are maintained across all domains.
  • Configuration data. Describes the replication topology among controllers. The information applies to all domains in the forest.

The main types of replication are intra-site and inter-site.

In the first case, after changes are made, the system waits and then notifies the partner to create a replica so that the changes are completed. Even in the absence of changes, replication occurs automatically after a certain period of time. After critical changes to the directory, replication occurs immediately.

Replication between sites happens during periods of minimal load on the network, which avoids information loss.
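
The replication checks a practitioner runs after deploying the two DCs from this article, including the USN and InvocationID pair quoted earlier and the global catalog question from the Global Directory section, as an added PowerShell example (not the article's code). It assumes DC01 and DC02 in the domain corp.example.com and the ActiveDirectory module on a DC.

```powershell
# Added example: replication health, per-DC InvocationID/USN, and global catalog holders.
# Assumptions: ActiveDirectory module on a DC, DCs named DC01/DC02, domain corp.example.com.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Per-DC identity: InvocationID of the database instance plus its highest committed USN.
# The IsGC column answers the same question as "dsquery server -isgc".
Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        DC           = $_.HostName
        Site         = $_.Site
        IsGC         = $_.IsGlobalCatalog
        InvocationId = $_.InvocationId
        HighestUSN   = (Get-ADRootDSE -Server $_.HostName).highestCommittedUSN
    }
} | Format-Table -AutoSize

# Per-partner metadata on DC01: the partner's InvocationID and the last USN received from it,
# which together are the "unique identifier" each write transaction carries
Get-ADReplicationPartnerMetadata -Target "DC01" -Scope Server |
    Select-Object Partition, Partner, PartnerInvocationId, LastChangeUsn, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Failures anywhere in the forest (no output is the healthy case)
Get-ADReplicationFailure -Target $domain -Scope Forest

# Classic summary views; after a supported restore a DC gets a new InvocationID, which is visible here
repadmin /replsummary
repadmin /showrepl DC01 /verbose
```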

In our previous articles, we discussed general questions related to directory services and Active Directory. Now it's time to move on to practice. But do not rush to the server: before deploying a domain structure in your network, you need to plan it and have a clear idea of the purpose of the individual servers and the processes of interaction between them.

Before you create your first domain controller, you need to decide on its mode of operation (functional level). The mode determines which features are available and depends on the version of the operating system in use. We will not consider every possible mode, only those relevant at the moment; there are three: Windows Server 2003, 2008 and 2008 R2.

Windows Server 2003 mode should be selected only when servers running this OS are already deployed in your infrastructure and you plan to use one or more of them as domain controllers. Otherwise, select Windows Server 2008 or 2008 R2 mode, depending on the licenses you have purchased. Remember that the domain mode can always be raised but cannot be lowered (except by restoring from a backup), so approach this decision carefully, taking into account possible expansion, licenses in branch offices, and so on.

We will not consider the process of creating a domain controller in detail now; we will return to it later. For now we want to draw your attention to the fact that a complete Active Directory structure should contain at least two domain controllers. Otherwise you expose yourself to unnecessary risk: if a single domain controller fails, your AD structure is completely destroyed. It is good if there is an up-to-date backup to recover from, but in any case your network will be completely paralyzed the whole time.

Therefore, immediately after creating the first domain controller you need to deploy a second one, regardless of network size and budget. The second controller should be provided for at the planning stage; without it, deploying AD is not even worth undertaking. Also, do not combine the domain controller role with other server roles: to ensure the reliability of operations on the AD database, disk write caching is disabled, which sharply reduces disk subsystem performance (this also explains why domain controllers take so long to boot).

As a result, our network should take the following form:

Contrary to popular belief, all controllers in a domain are equal: each controller holds complete information about all domain objects and can serve a client request. But this does not mean the controllers are interchangeable; misunderstanding this point often leads to AD failures and downtime of the enterprise network. Why does this happen? It is time to recall the FSMO roles.

When we create the first controller, it holds all the available roles and is also a global catalog; when the second controller appears, the infrastructure master, RID master and PDC emulator roles are transferred to it. What happens if the administrator decides to switch off the DC1 server temporarily, for example to clean the dust out of it? At first glance nothing terrible: the domain switches to "read-only" mode, but it keeps working. But we forgot about the global catalog, and if applications that require it, such as Exchange, are deployed on your network, you will hear about it from dissatisfied users before you even remove the server's cover, and management is unlikely to be delighted.

The conclusion: there should be at least two global catalogs in the forest, ideally one in each domain. Since we have one domain in the forest, both servers must be global catalogs; this lets you take either server down for maintenance without problems, because the temporary absence of any FSMO role does not break AD but only makes it impossible to create new objects.

As a domain administrator, you must clearly understand how the FSMO roles are distributed between your servers, and when decommissioning a server for an extended period, transfer those roles to other servers. And what happens if the server holding FSMO roles fails irreversibly? Nothing terrible: as we already wrote, any domain controller contains all the necessary information, and if such a nuisance does occur, you will need to seize the necessary roles on one of the remaining controllers; this restores full operation of the directory service.
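A report of FSMO role holders and global catalogs that flags the single points of failure discussed above (one controller, fewer than two global catalogs, all roles on one host, an unreachable role holder). This is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module and is run against the current domain and forest.

```powershell
# Added example (not from the original article). Assumption: ActiveDirectory RSAT
# module available and the caller can read the current domain and forest.
Import-Module ActiveDirectory

function Get-AdRoleReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)

    # Forest-wide roles are exposed by Get-ADForest, domain-wide roles by Get-ADDomain
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $domain.PDCEmulator
        'RID master'            = $domain.RIDMaster
        'Infrastructure master' = $domain.InfrastructureMaster
    }
    $gcs = @($dcs | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty HostName)

    $warnings = @()
    if ($dcs.Count -lt 2) { $warnings += 'Only one domain controller: AD is lost if it fails' }
    if ($gcs.Count -lt 2) { $warnings += 'Fewer than two global catalogs: GC-dependent apps break during maintenance' }

    # Every role on one host means that host cannot be taken down without transferring roles first
    $holders = @($roles.Values | Sort-Object -Unique)
    if ($holders.Count -eq 1 -and $dcs.Count -gt 1) { $warnings += "All FSMO roles sit on $($holders[0])" }

    foreach ($h in $holders) {
        if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
            # Transfer roles while the holder is still alive; seize them only when it is gone
            # for good, and never bring the old holder back online afterwards.
            $warnings += "FSMO holder $h is unreachable: transfer (or, if lost, seize) its roles"
        }
    }

    [pscustomobject]@{
        DomainMode     = $domain.DomainMode     # the functional mode chosen earlier
        Roles          = $roles
        GlobalCatalogs = $gcs
        Warnings       = $warnings
    }
}

Get-AdRoleReport | Format-List
```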

Time passes, your organization grows, it opens a branch on the other side of the city, and it becomes necessary to include the branch's network in the overall infrastructure of the enterprise. At first glance nothing complicated: you set up a communication channel between the offices and place an additional controller in the branch. Everything would be fine, but there is one thing. You cannot control that server, so unauthorized access to it is possible, and the local admin's qualifications are in doubt. What to do in such a situation? For exactly this purpose there is a special type of controller: the read-only domain controller (RODC), available in domain functional modes from Windows Server 2008 and later.

A read-only domain controller contains a complete copy of all domain objects and can be a global catalog, but does not allow any changes to be made to the AD structure. It also lets you designate any user as its local administrator, who can then fully maintain this server but still has no access to AD services. In our case, this is just what the doctor ordered.
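Pre-creating the branch RODC account from the main office, with the branch admin delegated as its local administrator, and verifying the result. This is an added example, not code from the original article; the domain name corp.example.com, the controller name BRANCH-RODC, the site AD-Site-2 and the account branch-admin are placeholders, and the check is meant to be run after the branch admin has finished the installation.

```powershell
# Added example (not from the original article). Assumptions: ADDSDeployment and
# ActiveDirectory modules, Domain Admins rights, and placeholder names throughout.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

# Staging the account in advance lets the branch admin complete the installation on
# the server itself (with -UseExistingAccount) without being given domain-level rights.
# The password replication policy decides whose credentials the RODC may cache locally;
# privileged groups are denied by default, and the Deny entry here makes that explicit.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'BRANCH-RODC' `
    -DomainName 'corp.example.com' `
    -SiteName 'AD-Site-2' `
    -DelegatedAdministratorAccountName 'CORP\branch-admin' `
    -DenyPasswordReplicationAccountName 'CORP\Domain Admins'

# After installation: confirm the controller is read-only, sits in the branch site,
# and that the delegated administrator (stored in managedBy) is the intended account.
function Test-RodcStaging {
    param([string]$Name = 'BRANCH-RODC', [string]$ExpectedSite = 'AD-Site-2')
    $dc  = Get-ADDomainController -Identity $Name
    $obj = Get-ADComputer -Identity $Name -Properties managedBy
    [pscustomobject]@{
        IsReadOnly      = $dc.IsReadOnly
        IsGlobalCatalog = $dc.IsGlobalCatalog   # the text recommends a GC in every site
        InExpectedSite  = ($dc.Site -eq $ExpectedSite)
        DelegatedAdmin  = $obj.managedBy        # DN of the delegated local administrator
    }
}

Test-RodcStaging
```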

We set up an RODC in the branch, everything works, you are calm, but users begin to complain about slow logons, and the traffic bills at the end of the month show an overrun. What is happening? It is time to remember once again that domain controllers are equivalent: a client can send its request to any domain controller, even one located in another branch. Add the slow and, most likely, busy communication channel, and you have the reason for the logon delays.

The next factor that poisons our lives in this situation is replication. As you know, all changes made on one domain controller are automatically propagated to the others; this process is called replication, and it keeps an up-to-date and consistent copy of the data on every controller. The replication service knows nothing about our branch and its slow channel, so every change in the main office is immediately replicated to the branch, loading the channel and increasing traffic consumption.

Here we come to the concept of AD sites, not to be confused with Internet sites. Active Directory sites are a way of physically dividing the directory service structure into areas separated from one another by slow and/or unstable links. Sites are defined on the basis of subnets, and all client requests go first of all to the controllers of the client's own site; it is also highly desirable to have a global catalog in each site. In our case we need two sites: AD Site 1 for the central office and AD Site 2 for the branch. More precisely, we need to create only one, since by default the AD structure already contains a site that includes all previously created objects. Now let's look at how replication occurs in a network with several sites.

We will assume that our organization has grown a little and the main office now contains as many as four domain controllers. Replication between controllers of one site is called intrasite and happens instantly. The replication topology is built as a ring, with the condition that there are no more than three replication hops between any two domain controllers. The ring scheme is kept for up to 7 controllers inclusive, each controller connecting to its two nearest neighbours; with more controllers, additional connections appear and the single ring effectively turns into a group of overlapping rings.

Intersite replication works differently: in each domain one of the servers (the bridgehead server) is selected automatically and establishes a connection with the corresponding server of the other site. By default replication occurs once every 3 hours (180 minutes), but we can set our own replication schedule, and to save traffic all data is transferred in compressed form. If a site contains only an RODC, replication to it is unidirectional.
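Creating the branch site and its subnet, attaching both sites to a site link with an explicit replication interval, and then checking that every replication partner has replicated recently, as an added example that is not part of the original article. The site names, the branch subnet 10.20.0.0/16, the link name HQ-Branch and the 60-minute interval are placeholders; the ActiveDirectory RSAT module and Enterprise Admins rights are assumed.

```powershell
# Added example (not from the original article). Assumptions: ActiveDirectory RSAT
# module, Enterprise Admins rights, placeholder site/subnet/link values.
Import-Module ActiveDirectory

# The default site already holds the central office's controllers; only the branch is new.
$hqSite     = 'Default-First-Site-Name'
$branchSite = 'AD-Site-2'
New-ADReplicationSite -Name $branchSite

# Clients locate a controller by matching their IP address to a site's subnet; without
# this subnet, branch logons keep crossing the slow link to the main office.
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site $branchSite

# Intersite replication follows the site link's interval (default 180 minutes) and goes
# through the bridgehead servers in compressed form. The cost orders alternative links.
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded $hqSite, $branchSite `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Health check: last successful replication and consecutive failure count per partner.
# A partner is reported as stale when it has not replicated within MaxLagMinutes.
function Get-ReplicationHealth {
    param([int]$MaxLagMinutes = 180)
    $cutoff = (Get-Date).AddMinutes(-$MaxLagMinutes)
    Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain |
        ForEach-Object {
            [pscustomobject]@{
                Server   = $_.Server
                Partner  = $_.Partner                          # DN of the partner's NTDS Settings
                LastOk   = $_.LastReplicationSuccess
                Failures = $_.ConsecutiveReplicationFailures
                Stale    = ($_.LastReplicationSuccess -lt $cutoff)
            }
        }
}

# Show only the pairs that need attention; the KCC-built connections can be listed with
# Get-ADReplicationConnection -Filter * to confirm the ring described above.
Get-ReplicationHealth | Where-Object { $_.Stale -or $_.Failures -gt 0 } | Format-Table -AutoSize
```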

Of course, the topics we touched on are very deep, and in this material we have only skimmed their surface, but this is the necessary minimum of knowledge you need before implementing Active Directory in the enterprise infrastructure in practice. It will help you avoid silly mistakes during deployment and emergencies during maintenance and expansion of the structure; each of the topics raised will be discussed in more detail later.
