Active Directory Domain Services (AD DS) is Microsoft's directory service that provides identity and access management technologies. It stores identity information and authenticates users and computers. The Active Directory data store contains objects like users, groups, computers and policies. Domain controllers host the data store and authenticate access. AD DS supports features like authentication, authorization, single sign-on, certificate services, information protection and more through technologies like Active Directory, Active Directory Lightweight Directory Services, Active Directory Certificate Services, Active Directory Rights Management Services, and Active Directory Federation Services.

1. Active Directory Domain Services
(AD DS)

2. Identity and Access (IDA)
– An IDA infrastructure should:
• Store information about users, groups, computers and other
identities.
• An identity is representation of an entity that will perform actions on
a server.
• A component of the IDA is the identity store that contains properties
that uniquely identify the object such as:
– User name
– Security identifier (SID)
– password
– The Active Directory (AD) data store is an identity store.
– The directory itself is hosted on and managed by a domain
controller – a server performing the Activity Directory
Domain Services (AD DS) role.

3. IDA responsibilities
• Authentication
– AD uses Kerberos Authentication
• Access Control
– Maintains an Access Control List (ACL)
– Reflects a security policy composed of permissions
that specify access levels for particular identities.
• Audit Trail
– Allows monitoring of changes and activities within
the IDA infrastructure

4. IDA Technologies
supported by AD
• Identity
• Applications
• Trust
• Integrity
• Partnership

5. Identity
• Active Directory Domain Services (AC DC)
– A central repository for identity management.
– Provides authentication and authorization services
through Group Policy.
– Provides information management and sharing
services enabling users to find any component by
searching the directory.

6. Applications
• Application Directory Lightweight Directory
Services (AD LDS)
– Essentially a standalone version of AD
– Stores and replicates only application related
information.
– Commonly used by applications that require a
directory store but do not require information to be
replicated as widely as to all domain controllers.
– Allows you to deploy a custom schema to support an
application without modifying the AD DS schema.
– Formally know as Active Directory Application Mode
(ADAM)

7. Trust
• Active Directory Certificate Services (AD CS)
– Used to set up a certificate authority for issuing
digital certificates as part of a public key
infrastructure (PKI) that binds the identity of a
person, device, or service to a corresponding
private key.
– If you use AD CS to provide these services to
external communities then AD CS should be linked
with an external renowned CA.

8. Integrity
• Active Directory Rights Management Services
(AD RMS)
• An information-protection technology that
enable you to implement persistent usage
policy templates that define allowed and
unauthorized used
– e.g. you could configure a template that allows
users to read a document but not to print or copy
its contents.

9. Partnership
• Active Directory Federation Services (AD FS)
– Enables an organization to extend IDA across
multiple platforms including both Windows and
non-Windows environments.
– Projects identity and access rights across security
boundaries to trusted partners.
– Supports single sign-on (SSO)

10. Beyond IDA
• AD delivers more than IDA solutions
• AD provides the mechanisms to support,
manage, and configure resources in a
distributed network environment.
– Schema
– Policy-based administration
– Replication services

11. Schema
• A set of rules that defines the classes of
objects and attributes that can be contained in
the directory.
– e.g. the fact that AD has user objects that include
a user name and password is because the schema
defines the user object class that, the two
attributes, and the association between the object
class and attributes.

12. Policy-based administration
• Provides a single point at which to configure
settings that are then deployed to multiple
systems.
• Such policies include;
– Group policy
– Audit policies
– Fine-grained password policies

13. Replication Services
• Distribute directory data across a network
– This includes both the data store itself as well as
data required to implement policies and
configuration, including logon scripts.

14. Global Catalog
• Enables you to query AD and locate objects in
the data store.
• Contains information about every object in
the directory.
• Can be used by programmatic interfaces such
as Active Directory Services Interface (ADSI)
and Lightweight Directory Access Protocol
(LDAP).

15. Components of an AD Infrastructure
• Activity Directory data store
• Domain controller
• Domain
• Forest
• Tree
• Functional level
• Organizational unit (OU)
• Sites

16. Active Directory Data Store
• AD DS stores its identities in the directory – a
data store on domain controllers
• The directory is a single file named Ntds.dit
• that is located in the %SystemRoot%Ntds
folder on a domain controller
• The database is divided into several partitions,
including the schema, configuration, global
catalog, and the domain naming context.

17. Domain Controller (DC)
• The DCs are servers that perform the AD DC
role.
• The DCs also run the Kerberos Key Distribution
Center (KDC) service.

18. Domain
• Requires one or more DCs
• DCs replicate the domain’s partition of the
data store so that any DC can authenticate any
identity in the domain.
• Is a scope of administrative policies such as
password complexity and account lockout
policies.

19. Forest
• A collection of one or more AD domains.
• The first domain installed in a forest is called the
forest root domain.
• A forest contains a single definition of network
configuration and a single instance of the
directory schema.
• A forest is a single instance of the directory – no
data is replicated by AD outside the boundaries
of the forest.
• A forest defies a security boundary.

20. Tree
• The DNS namespace of domains in a forest
creates trees within the forest.
• If a domain is a subdomain of another
domain, the two domains are considered a
tree.
• The domains must constitute a contiguous
portion of the DNS namespace.
• Trees are the result of the DNS names chosen
for the domains in a forest.

21. Functional Level
• The functionality available in an AD domain or
forest depends on its functional level.
• The three domain functional levels are:
– Windows 2000 native
– Windows Server 2003
– Windows Server 2008
• The functional level determines the versions
of Windows permitted on domain controllers.

22. Organization Units (OU)
• OUs provide a container for objects, and
• provide a scope with which to manage
objects.
• OUs can have Group Policy Objects (GPOs)
linked to them.
• GPOs can contain configuration settings that
will then be applied automatically by users or
computers in an OU.

23. Sites
• An AD site is an object that represents a portion of the
enterprise within which network connectivity is good.
• A site creates a boundary of replication and service
usage.
• DCs within a site replicate changes within seconds.
• Changes are replicated between sites on a controlled
basis with the assumption that intersite connections
are slow, expensive, or unreliable compared to the
connections within a site.
• Clients will prefer to use distributed services provided
by servers in their site or in the closest site.