Updated 05-May-2020.
Mondo shtuff from around the internet, all about ACTIVE DIRECTORY!
My botty best at summarizing from Wikipedia:

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. “Active Directory” became the umbrella title for a broad range of directory-based identity-related services: everything related to identity was brought under Active Directory’s banner. Active Directory authenticates and authorizes all users and computers in a Windows domain network; it checks the submitted password and determines whether the user is a system administrator or a normal user.

Active Directory uses the Lightweight Directory Access Protocol (LDAP) … X.500 directories and the Organizational Unit preceded the Active Directory concept; the LDAP concept began to emerge even before the founding of Microsoft in April 1975. Microsoft previewed Active Directory in 1999. In Windows Server 2008, additional services were added to Active Directory.

Active Directory Domain Services, commonly abbreviated as AD DS or simply AD, stores information about members of the domain; the server running this service is called a domain controller. Other Active Directory services and most of Microsoft server … AD LDS shares the code base with AD DS and provides the same functionality, but it does not require the creation of domains or domain controllers, and multiple instances can run on the same server. AD CS predates Windows Server 2008, but its name was simply Certificate Services; AD CS requires an AD DS infrastructure. AD FS’s purpose is an extension of that of AD DS: the latter enables users … AD FS requires an AD DS infrastructure, although its federation partner may not.

The executable part, known as the Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.
Objects in Active Directory databases can be accessed via LDAP, ADSI, the messaging API and Security Accounts Manager services. The objects fall into two broad categories: resources (e.g., printers) and … The schema object lets administrators extend or modify the schema when necessary. Deactivating or changing these objects can fundamentally change or disrupt a deployment; once created, an object can only be deactivated, not deleted.

The forest, tree, and domain are the logical divisions in an Active Directory network. Within a deployment, objects are grouped into domains. Domains are identified by their DNS name structure, the namespace. A tree is a collection of one or more domains and domain trees in a contiguous namespace. At the top of the structure is the forest. The forest represents the security boundary within which users, computers, … Microsoft recommends using OUs rather than domains for structure and administration. The OU is the recommended level at which to apply group policies. Delegation can be performed on individual objects or attributes as well.

For compatibility with legacy NetBIOS implementations, user accounts with identical sAMAccountName values are not allowed within the same domain. Two users in different OUs can have the same common name (CN) … (“staff-ou” …). Disallowing duplicate object names in the directory is a violation of the LDAP RFCs. Conventions such as “first initial, middle initial, last name” fail for common family names. Workarounds include adding a … Duplicate usernames cannot exist within a domain. Account name generation is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an … A common workaround for an Active Directory administrator is to write a custom script to automatically create and maintain a user group for each OU in their directory.
The scripts are run periodically to update the group to match the … There are no built-in server methods or console snap-ins for managing shadow groups.

Microsoft often refers to these partitions as ‘naming contexts’. The ‘Domain’ partition holds all objects created in that domain and replicates only within its domain.

AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from … Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control the network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server … Servers joined to Active Directory that are not domain controllers are called member servers.

Global catalog servers provide a global listing of all objects in the forest. Global Catalog servers replicate to themselves all objects from all domains; only selected attributes of each object are replicated, to minimize replication traffic. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes … The DNS server must support SRV resource records, also known as service records.

Replication by default is ‘pull’ rather than ‘push’, meaning that replicas pull changes from the server where the change was … Each link can have a ‘cost’, and the KCC alters the site link topology accordingly. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates … Replication of Active Directory uses Remote Procedure Calls over IP (RPC/IP). Between sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set … Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware. Microsoft has created NTDS databases with more than 2 billion objects. Windows Server 2003 added a third main table for security descriptor single instancing.
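The OU-to-group “shadow group” workaround described above, as an added example that is not from the page or from Microsoft: a PowerShell function that diffs the users directly under one OU against one pre-created group and applies only the changes. It assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and group name passed at the bottom are placeholders.

```powershell
# Added example (not the page's or Microsoft's code). Keeps one shadow group in
# sync with the user objects directly inside one OU, so that access rights can
# follow OU placement. Assumes the ActiveDirectory (RSAT) module, and that both
# the OU and the group already exist.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string] $OU,     # distinguished name of the OU
        [Parameter(Mandatory)] [string] $Group   # sAMAccountName of the shadow group
    )

    # Users whose parent container is this OU (OneLevel: not the whole subtree,
    # so a child OU gets its own shadow group rather than leaking into this one).
    $Wanted = @(Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
                Select-Object -ExpandProperty DistinguishedName)

    # Current direct members of the shadow group.
    $Current = @(Get-ADGroupMember -Identity $Group |
                 Select-Object -ExpandProperty DistinguishedName)

    # Set difference in both directions: users moved into the OU get added,
    # users moved out (or no longer present) get removed. Unchanged members
    # are left alone, so the periodic run writes nothing when nothing moved.
    $ToAdd    = @($Wanted  | Where-Object { $Current -notcontains $_ })
    $ToRemove = @($Current | Where-Object { $Wanted  -notcontains $_ })

    if ($ToAdd)    { Add-ADGroupMember    -Identity $Group -Members $ToAdd }
    if ($ToRemove) { Remove-ADGroupMember -Identity $Group -Members $ToRemove -Confirm:$false }

    # One line per run so the scheduled task leaves an audit trail of what changed.
    Write-Output ("{0} {1}: +{2} -{3}" -f (Get-Date -Format s), $Group, $ToAdd.Count, $ToRemove.Count)
}

# Placeholder values; replace with a real OU DN and an existing group.
Sync-ShadowGroup -OU "OU=Staff,DC=example,DC=com" -Group "Shadow-Staff"
```

Schedule it under a dedicated account that has been delegated only write-member rights on the shadow groups, not a domain admin, since the script runs unattended and its output is the record of every membership change.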
Programs may access features of Active Directory via the COM interfaces provided by Active Directory Service Interfaces.

Kinds of trust:
- Explicit trust: A trust that an admin creates. It is not transitive and is one-way only.
- Cross-link trust: … between domains in different trees or in the same tree.
- Shortcut: Joins two domains in different trees; transitive, one- or two-way.
- Realm: Can be transitive or nontransitive (intransitive), one- or two-way.
- External: Connect …

Third-party solutions extend administration and management capabilities; third parties offer Active Directory integration for Unix-like platforms. Schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally … The default schema for group membership complies with RFC 2307bis (proposed). Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes. An alternative option is to use another … Amazon AWS integrates with Microsoft Active Directory; the integration provides a “deflected” integration.