Active Directory Domain Services (AD DS) is a core component of Active Directory that provides authentication of users and determines access to network resources using security certificates, LDAP, and rights management. It stores identity data in a directory on domain controllers that is replicated across domains. Administrative policies can be centrally configured and applied to objects like users, groups, and organizational units stored in the Active Directory data store.

1. Active Directory Domain Services
(AD DS)

2. Active Directory
• Active Directory (AD) is a directory service that
runs on Microsoft Windows Server. The main
function of Active Directory is to enable
administrators to manage permissions and
control access to network resources. In Active
Directory, data is stored as objects, which
include users, groups, applications, and
devices, and these objects are categorized
according to their name and attributes.

3. Active Directory Domain Services
• Active Directory Domain Services (AD DS) are
a core component of Active Directory and
provide the primary mechanism for
authenticating users and determining which
network resources they can access. AD DS also
provides additional features such as Single
Sign-On (SSO), security certificates, LDAP, and
access rights management.

4. Schema
• A set of rules that defines the classes of
objects and attributes that can be contained in
the directory.
– e.g. the fact that AD has user objects that include
a user name and password is because the schema
defines the user object class that, the two
attributes, and the association between the object
class and attributes.

5. Policy-based administration
• Provides a single point at which to configure
settings that are then deployed to multiple
systems.
• Such policies include;
– Group policy
– Audit policies
– Fine-grained password policies

6. Replication Services
• Distribute directory data across a network
– This includes both the data store itself as well as
data required to implement policies and
configuration, including logon scripts.

7. Global Catalog
• Enables you to query AD and locate objects in
the data store.
• Contains information about every object in
the directory.
• Can be used by programmatic interfaces such
as Active Directory Services Interface (ADSI)
and Lightweight Directory Access Protocol
(LDAP).

8. Components/Objects of an AD
Infrastructure
• Activity Directory data store
• Domain controller
• Domain
• Forest
• Tree
• Functional level
• Organizational unit (OU)
• Sites

9. Active Directory Data Store
• AD DS stores its identities in the directory – a
data store on domain controllers
• The directory is a single file named Ntds.dit
• that is located in the %SystemRoot%Ntds
folder on a domain controller
• The database is divided into several partitions,
including the schema, configuration, global
catalog, and the domain naming context.

10. Domain Controller (DC)
• The DCs are servers that perform the AD DC
role.
• The DCs also run the Kerberos Key Distribution
Center (KDC) service.

11. Domain
• Requires one or more DCs
• DCs replicate the domain’s partition of the
data store so that any DC can authenticate any
identity in the domain.
• Is a scope of administrative policies such as
password complexity and account lockout
policies.

12. Forest
• A collection of one or more AD domains.
• The first domain installed in a forest is called the
forest root domain.
• A forest contains a single definition of network
configuration and a single instance of the
directory schema.
• A forest is a single instance of the directory – no
data is replicated by AD outside the boundaries
of the forest.
• A forest defies a security boundary.

13. Tree
• The DNS namespace of domains in a forest
creates trees within the forest.
• If a domain is a subdomain of another
domain, the two domains are considered a
tree.
• The domains must constitute a contiguous
portion of the DNS namespace.
• Trees are the result of the DNS names chosen
for the domains in a forest.

14. Functional Level
• The functionality available in an AD domain or
forest depends on its functional level.
• The three domain functional levels are:
– Windows 2000 native
– Windows Server 2003
– Windows Server 2008
• The functional level determines the versions
of Windows permitted on domain controllers.

15. Organization Units (OU)
• OUs provide a container for objects, and
provide a scope with which to manage objects.
• OUs can have Group Policy Objects (GPOs)
linked to them.
• GPOs can contain configuration settings that
will then be applied automatically by users or
computers in an OU.

16. Sites
• An AD site is an object that represents a portion of the
enterprise within which network connectivity is good.
• A site creates a boundary of replication and service
usage.
• DCs within a site replicate changes within seconds.
• Changes are replicated between sites on a controlled
basis with the assumption that intersite connections
are slow, expensive, or unreliable compared to the
connections within a site.
• Clients will prefer to use distributed services provided
by servers in their site or in the closest site.