Active Directory best practices. Data replication in Active Directory

How will it help Active Directory specialists?

Here is a small list of “goodies” that you can get by deploying Active Directory:

  • a single user account database, stored centrally on one or more servers; when a new employee arrives in the office, you only need to create an account for him on the server and indicate which workstations he can access;
  • all domain resources are indexed, so users can search easily and quickly, for example when you need to find a colour printer in a department;
  • the combination of NTFS permissions, group policies and delegation of control lets you fine-tune and distribute rights between domain members;
  • roaming user profiles make it possible to store important information and configuration settings on the server; if a user with a roaming profile sits down at another computer in the domain and enters his username and password, he sees his own desktop with the settings he is used to;
  • with group policies you can change the settings of user operating systems, from allowing the user to set desktop wallpaper to security settings, and also distribute software over the network, for example the Volume Shadow Copy client;
  • many programs (proxy servers, database servers, etc.), not only those produced by Microsoft, can use domain authentication, so you do not have to create another user database but can use the existing one;
  • Remote Installation Services makes installing systems on workstations easier, but in turn only works when the directory service is deployed.

This is not a complete list of possibilities, but more on that later. Now I will try to explain the logic of how Active Directory is constructed, but first it is worth finding out what Active Directory is made of: Domains, Trees, Forests, Organizational Units, and User and Computer Groups.

Domains - This is the basic logical unit of construction. Unlike workgroups, AD domains are security groupings that share a single account database, while workgroups are just a logical association of machines. AD uses DNS (Domain Name System) for naming and lookup services, rather than WINS (Windows Internet Name Service) as in earlier versions of NT. Thus computer names in the domain look like, for example, buh.work.com, where buh is the name of the computer in the work.com domain (although this is not always the case).

Workgroups use NetBIOS names. A non-Microsoft DNS server can be used to host an AD domain structure, but it must be compatible with BIND 8.1.2 or higher and support SRV records as well as the dynamic update protocol (RFC 2136). Every domain has at least one domain controller that hosts the central database.

Trees - These are multi-domain structures. The root of such a structure is the main domain, for which you create child domains. In fact, Active Directory uses a hierarchical structure similar to the domain structure in DNS.

If we have a domain work.com (a first-level domain) and create two child domains for it, first.work.com and second.work.com (here first and second are second-level domains, not computers in the domain as in the case described above), we end up with a domain tree.

Trees as a logical structure are used when you need to divide the branches of a company, for example, by geography, or for some other organizational reasons.

AD automatically creates trust relationships between each domain and its child domains.

Thus, creating the first.work.com domain leads to the automatic establishment of a two-way trust relationship between the parent work.com and the child first.work.com (and similarly for second.work.com). Therefore permissions can be applied from the parent domain to the child and vice versa. It is easy to see that the same trust relationships will exist for the child domains' own child domains.

Another property of these trust relationships is transitivity: as a result, a trust relationship also exists between the net.first.work.com domain and the work.com domain.

Forests - Like trees, these are multi-domain structures, but a forest is a union of trees that have different root domains.

Suppose you decide to have several domains named work.com and home.net and create child domains for them; since the TLDs (top-level domains) are not under your control, you can in this case organize a forest by selecting one of the first-level domains as the root. The beauty of creating a forest in this case is the two-way trust relationship between these two domains and their child domains.

However, when working with forests and trees, you must remember the following:

  • you cannot add an existing domain to a tree;
  • you cannot include an existing tree in a forest;
  • once domains are placed in a forest, they cannot be moved to another forest;
  • you cannot delete a domain that has child domains.

Organizational units - In principle, they can be called subdomains. They allow you to group user accounts, user groups, computers, shared resources, printers and other OUs (Organizational Units) within a domain. The practical benefit of using them is the ability to delegate the right to administer these units.

Simply put, you can appoint an administrator in a domain who can manage the OU, but does not have rights to administer the entire domain.

An important feature of OUs, unlike groups, is that group policies can be applied to them. “Why not split the original domain into several domains instead of using OUs?” you might ask.

Many experts advise having a single domain where possible. The reason is that creating an additional domain decentralizes administration, since the administrators of each such domain receive unlimited control (whereas, as I noted above, when delegating rights to OU administrators you can limit their functionality).

In addition, creating a new domain (even a child one) requires another controller. If you have two separate departments connected by a slow communication channel, replication problems may arise; in this case it would be more appropriate to have two domains.

There is also one more nuance of using group policies: policies that define password settings and account lockouts can only be applied to domains. For OUs, these policy settings are ignored.

Sites - This is a way of physically dividing the directory service. By definition, a site is a group of computers connected by fast data transfer channels.

If you have several branches in different parts of the country connected by low-speed communication lines, you can create a separate site for each branch. This is done to improve the reliability of directory replication.

This division of AD does not affect the principles of logical construction: a site can contain several domains and, vice versa, a domain can contain several sites. But there is a catch in this directory service topology. As a rule, the Internet is used to communicate with branches, and it is a very insecure environment. Many companies use security measures such as firewalls. The directory service uses about one and a half dozen ports and services, and opening them on the firewall so that AD traffic can pass will in effect expose the directory “outside”. The solution is to use tunnelling technology, and to have a domain controller in each site to speed up the processing of AD client requests.

The logic of nesting of directory service components is shown in the figure. It can be seen that the forest contains two domain trees, in which the root domain of each tree can in turn contain OUs and groups of objects, and also have child domains (in this case, one each). Child domains can also contain groups of objects and OUs and have child domains of their own (not shown in the figure), and so on. Let me remind you that OUs can contain OUs, objects and groups of objects, and groups can contain other groups.

User and computer groups - are used for administrative purposes and have the same meaning as on local machines on the network. Unlike OUs, group policies cannot be applied to groups, but management of them can be delegated. Within Active Directory there are two types of groups: security groups (used to differentiate access rights to network objects) and distribution groups (used mainly for distributing e-mail messages, for example in Microsoft Exchange Server).

They are divided by scope:

  • universal groups may include users from anywhere in the forest as well as other universal groups or global groups of any domain in the forest;
  • global domain groups may include users and other global groups of the same domain;
  • domain local groups, used to differentiate access rights, may include domain users as well as universal groups and global groups of any domain in the forest;
  • local computer groups – groups stored in the SAM (Security Account Manager) of the local machine. Their scope is limited to that machine, but they may include domain local groups of the domain the computer belongs to, as well as universal and global groups of its own domain or of another domain that it trusts. For example, you can add a user from the domain Users group to the Administrators group of the local machine, thereby giving him administrator rights, but only on that computer.
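The scope rules above in practice, as an added PowerShell example that is not part of the original article: accounts go into a global group, the global group into a domain local group, and the permission is granted to the domain local group. It assumes the ActiveDirectory module, the example.net domain from the text, an existing OU "Accounting" and user "ipetrov", a NetBIOS name EXAMPLE and a share folder D:\Shares\Finance; all of these names are constructed.

```powershell
# Added example (not from the article): group-scope nesting rules, applied as the
# Accounts -> Global -> Domain Local -> Permission pattern.
# Assumptions: domain example.net, OU "Accounting" and user "ipetrov" already exist,
# NetBIOS name EXAMPLE, share folder D:\Shares\Finance. All names are constructed.
Import-Module ActiveDirectory
$Base = 'OU=Accounting,DC=example,DC=net'

# Global group: may contain users and global groups of its own domain only.
New-ADGroup -Name 'Accounting-Staff' -GroupScope Global -GroupCategory Security -Path $Base
Add-ADGroupMember -Identity 'Accounting-Staff' -Members 'ipetrov'

# Domain local group: carries the permission; may contain users, universal and global
# groups from any domain in the forest.
New-ADGroup -Name 'Share-Finance-RW' -GroupScope DomainLocal -GroupCategory Security -Path $Base
Add-ADGroupMember -Identity 'Share-Finance-RW' -Members 'Accounting-Staff'

# The reverse nesting is not allowed: a domain local group cannot be a member of a
# global group. The directory rejects it and the cmdlet throws.
try {
    Add-ADGroupMember -Identity 'Accounting-Staff' -Members 'Share-Finance-RW' -ErrorAction Stop
} catch {
    "Rejected as expected: $($_.Exception.Message)"
}

# Grant the NTFS permission to the domain local group, never to individual users.
$Share = 'D:\Shares\Finance'                     # assumed folder
$acl   = Get-Acl -Path $Share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'EXAMPLE\Share-Finance-RW', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Share -AclObject $acl

# Review step: resolve the nesting chain to see who effectively gets Modify on the share.
Get-ADGroupMember -Identity 'Share-Finance-RW' -Recursive | Select-Object Name, objectClass
```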

Active Directory is a Microsoft directory service for the Windows NT family of operating systems.

This service allows administrators to use group policies to ensure uniformity of user work environment settings, software installations, updates, etc.

What is the essence of Active Directory and what problems does it solve? Read on.

Principles of organizing peer-to-peer and multi-peer networks

But another problem arises: what if user2 on PC2 decides to change his password? Then, if user1 changes the account password, user2 on PC1 will not be able to access the resource.

Another example: we have 20 workstations with 20 accounts to which we want to provide access to a certain . To do this, we must create 20 accounts on the file server and provide access to the required resource.

What if there are not 20 but 200 of them?

As you understand, network administration with this approach turns into absolute hell.

Therefore, the workgroup approach is suitable for small office networks with no more than 10 PCs.

If there are more than 10 workstations in the network, the approach in which one network node is delegated the rights to perform authentication and authorization becomes rationally justified.

This node is the domain controller - Active Directory.

Domain Controller

The controller stores a database of accounts, i.e. it stores accounts for both PC1 and PC2.

Now all accounts are registered once on the controller, and local accounts are no longer needed.

Now, when a user logs on to a PC and enters his username and password, this data is transmitted in protected form to the domain controller, which performs the authentication and authorization procedures.

The controller then issues the logged-on user something like a passport, which he subsequently uses on the network and presents on request to other network computers and servers whose resources he wants to connect to.

Important! A domain controller is a computer running Active Directory that controls user access to network resources. It stores information about resources (e.g. printers, shared folders), services (e.g. e-mail), people (user and group accounts) and computers (computer accounts).

The number of such stored resources can reach millions of objects.

The following versions of MS Windows can act as a domain controller: Windows Server 2000/2003/2008/2012, except the Web Edition.

The domain controller, in addition to being the authentication center for the network, is also the control center for all computers.

Immediately after being switched on, the computer begins to contact the domain controller, long before the logon window appears.

Thus, not only the user entering the login and password is authenticated, but also the client computer is authenticated.

Installing Active Directory

Let's look at an example of installing Active Directory on Windows Server 2008 R2. So, to install the Active Directory role, go to “Server Manager”:

Click “Add Roles”:

Select the Active Directory Domain Services role:

And let's start the installation:

After which we receive a notification that the role has been installed:

After installing the role, let's proceed to installing the domain controller itself.

Click “Start”, enter the name of the DCPromo wizard in the program search field, launch it and check the box for advanced installation settings:

Click “Next” and choose to create a new domain and forest from the options offered.

Enter the domain name, for example, example.net.

Enter the NetBIOS domain name, without the zone suffix:

Select the functional level of our domain:

Because of how the domain controller works, we also install a DNS server.

The locations of the database, log file, and system volume are left unchanged:

Enter the domain administrator password:

Check that everything is filled in correctly and, if so, click “Next”.

After this, the installation process will begin, at the end of which a window will appear informing you that the installation was successful:

Introduction to Active Directory

The report discusses two types of computer networks that can be created using Microsoft operating systems: workgroup and Active Directory domain.

Active Directory provides systems management services. They are a much better alternative to local groups and allow you to create computer networks with efficient management and reliable data protection.

If you have not previously encountered the concept of Active Directory and do not know how such services work, this article is for you. Let's figure out what this concept means, what are the advantages of such databases and how to create and configure them for initial use.

Active Directory is a very convenient means of system management. Using Active Directory, you can manage your data effectively.

These services allow you to create a single database managed by domain controllers. If you own a business, manage an office, or generally control the activities of many people who need to be united, such a domain will be useful to you.

It includes all objects - computers, printers, faxes, user accounts, etc. The sum of domains on which data is located is called a “forest”. The Active Directory database is a domain environment where the number of objects can be up to 2 billion. Can you imagine these scales?

That is, with the help of such a “forest” or database, you can connect a large number of employees and equipment in an office, and without being tied to a location - other users can also be connected in the services, for example, from a company office in another city.

In addition, within the framework of Active Directory services, several domains are created and combined - the larger the company, the more tools are needed to control its equipment within the database.

Further, when such a network is created, one controlling domain is determined, and even with the subsequent presence of other domains, the original one still remains “parent” - that is, only it has full access to information management.

Where is this data stored, and what ensures the existence of domains? To create Active Directory, controllers are used. Usually there are two of them - if something happens to one, the information will be saved on the second controller.

Another option for using the database is if, for example, your company cooperates with another, and you have to complete a common project. In this case, unauthorized persons may need access to domain files, and here you can set up a kind of “relationship” between two different “forests”, allowing access to the required information without risking the security of the remaining data.

In general, Active Directory is a tool for creating a database within a certain structure, regardless of its size. Users and all equipment are united into one “forest”, domains are created and placed on controllers.

It is also advisable to clarify that services can only operate on devices with Windows server systems. In addition, 3-4 DNS servers are created on the controllers. They serve the main zone of the domain, and if one of them fails, other servers replace it.

After this brief overview of Active Directory for dummies, you are naturally interested in the question: why replace a local group with an entire database? Naturally the range of possibilities here is many times wider, and to find out the other differences between these system management services, let's take a closer look at their advantages.

Benefits of Active Directory

The advantages of Active Directory are:

  1. Using a single resource for authentication. Without it, you need to add on each PC every account that requires access to shared information. The more users and equipment there are, the harder it is to keep this data synchronized between them.

When services with a database are used instead, accounts are stored in one place and changes take effect immediately on all computers.

How does it work? Each employee, coming to the office, starts the system and logs into his account. The logon request is automatically sent to the server, and authentication takes place there.

As for a certain order in keeping records, you can always divide users into groups - “HR Department” or “Accounting”.

In this case, it is even easier to provide access to information - if you need to open a folder for employees from one department, you do this through the database. Together they gain access to the required folder with data, while for others the documents remain closed.

  2. Control over each database participant.

If in a local group each member is independent and difficult to control from another computer, then in domains you can set certain rules that comply with company policy.

As a system administrator, you can set access settings and security settings, and then apply them to each user group. Naturally, depending on the hierarchy, some groups can be given more stringent settings, while others can be given access to other files and actions in the system.

In addition, when a new person joins the company, his computer will immediately receive the necessary set of settings, which includes components for work.

  3. Versatility in software installation.

Speaking of components, using Active Directory you can assign printers, install the necessary programs for all employees at once, and set privacy settings. In general, creating a database will significantly optimize work, monitor security and unite users for maximum work efficiency.

And if a company operates a separate utility or special services, they can be synchronized with domains and simplified access to them. How? If you combine all the products used in the company, the employee will not need to enter different logins and passwords to enter each program - this information will be common.

Now that the benefits and meaning of using Active Directory become clear, let's look at the process of installing these services.

Deploying the database on Windows Server 2012

Installing and configuring Active Directory is not a difficult task, and is also easier than it seems at first glance.

To install the services, you first need to do the following:

  1. Change the computer name: click “Start”, open Control Panel, select “System”. Select “Change settings” and in Properties, opposite the “Computer name” line, click “Change” and enter a new name for the main PC.
  2. Reboot the PC as prompted.
  3. Set the network settings like this:
    • Through Control Panel, open the Network and Sharing Center.
    • Open the adapter settings. Right-click the adapter, choose “Properties” and open the “Networking” tab.
    • In the list, select Internet Protocol Version 4 (TCP/IPv4) and again click “Properties”.
    • Enter the required settings, for example: IP address - 192.168.10.252, subnet mask - 255.255.255.0, default gateway - 192.168.10.1.
    • In the “Preferred DNS server” line, specify the address of the local server; in “Alternate...” enter other DNS server addresses.
    • Save your changes and close the windows.

Set up Active Directory roles like this:

  1. Through Start, open Server Manager.
  2. From the menu, select Add Roles and Features.
  3. The wizard will launch; you can skip the first window with the description.
  4. Check “Role-based or feature-based installation” and proceed further.
  5. Select your computer to install Active Directory on it.
  6. From the list, select the role that needs to be installed - in our case it is “Active Directory Domain Services”.
  7. A small window will appear asking you to add the components required for the services - accept it.
  8. You will then be prompted to install other components - if you don't need them, just skip this step by clicking “Next”.
  9. The setup wizard will display a window with descriptions of the services you are installing - read it and move on.
  10. A list of the components to be installed will appear - check that everything is correct and, if so, press the appropriate button.
  11. When the process is complete, close the window.
  12. That's it - the services are installed on your computer.

Setting up Active Directory

To configure a domain service you need to do the following:

  • Launch the configuration wizard of the same name.
  • Click on the yellow notification flag at the top of the window and select “Promote this server to a domain controller”.
  • Choose to add a new forest, enter a name for the root domain, then click Next.
  • Specify the functional levels of the forest and the domain - most often they coincide.
  • Create a password, and be sure to remember it. Continue further.
  • After this you may see a warning that the domain is not delegated and a prompt to check the domain name - you can skip these steps.
  • In the next window you can change the paths to the database directories - do this if the defaults do not suit you.
  • You will now see all the options you are about to set - check that you have selected them correctly and move on.
  • The wizard will check whether the prerequisites are met; if there are no remarks, or they are not critical, click “Install”.
  • After the installation is complete, the PC will reboot on its own.
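Both GUI walkthroughs above (DCPromo on Windows Server 2008 R2 and Server Manager on Windows Server 2012) collapsed into one PowerShell script, as an added example that is not part of the original article. It assumes Windows Server 2012 or later (the ADDSDeployment module), a NIC alias of Ethernet, a host name DC01 and a NetBIOS name EXAMPLE; the domain name example.net and the 192.168.10.x addresses come from the text.

```powershell
# Added example (not from the article): unattended first-domain-controller deployment
# following the same steps as the GUI wizards.
# Assumptions: Windows Server 2012+ (ADDSDeployment module), NIC alias "Ethernet",
# host name DC01, NetBIOS name EXAMPLE. Domain name and addresses are from the text.
$Nic         = 'Ethernet'              # assumed interface alias
$DcAddress   = '192.168.10.252'
$Gateway     = '192.168.10.1'
$DomainName  = 'example.net'
$NetbiosName = 'EXAMPLE'               # assumed; the article shows no value

# Steps 1-2 of the text: rename the host and reboot. Run the rest after the reboot.
# Rename-Computer -NewName 'DC01' -Restart

# Step 3: static address; the preferred DNS server is the future DC itself,
# because the AD DS wizard installs DNS alongside the directory.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $DcAddress -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcAddress

# "Add Roles": the AD DS role plus the management tools (ADUC, AD module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# "Promote this server to a domain controller" / DCPromo: new forest, DNS included,
# database, log and SYSVOL paths left at the wizard defaults.
Import-Module ADDSDeployment
$DsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# The prerequisite check the wizard runs before "Install". Warnings (such as the
# DNS delegation warning mentioned in the text) are shown; only errors stop the run.
$check = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -ForestMode Win2012 -DomainMode Win2012 -InstallDns -SafeModeAdministratorPassword $DsrmPassword
$check.Message
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; fix the errors above first.' }

Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -ForestMode Win2012 -DomainMode Win2012 -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $DsrmPassword -Force   # the server reboots on completion
```

After the reboot, `Get-ADDomainController` and `dcdiag` confirm the new controller is healthy before any workstation is joined.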

You might also be wondering how to add a user to the database. To do this, use the “Active Directory Users and Computers” console, which you will find under “Administrative Tools” in Control Panel, or use the database configuration menu.

To add a new user, right-click the domain name, select “New”, then “Organizational Unit”. A window will appear where you enter the name of the new department; it serves as a folder in which you collect the users of that department. In the same way you will later create several more units and place all employees in the right ones.

Next, once the department has been created, right-click it and select “New”, then “User”. All that remains is to enter the necessary data and set the access settings for the user.

When the new profile has been created, right-click it and open “Properties”. On the “Account” tab, clear the checkbox next to “Block...”. That's all.
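The same three ADUC steps (new organizational unit, new user, account enabled) as PowerShell, added here as an example that is not part of the original article. It assumes the ActiveDirectory module on a domain controller or RSAT host and the example.net domain from the earlier section; the OU name "Accounting" and the user Ivan Petrov / ipetrov are constructed.

```powershell
# Added example (not from the article): create an OU, create a user in it, and confirm
# the account is enabled, mirroring the ADUC steps in the text.
# Assumptions: ActiveDirectory module available, domain example.net; OU and user names
# are constructed.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName                # e.g. DC=example,DC=net
$OuName   = 'Accounting'                             # the "department" folder in the text
$OuDn     = "OU=$OuName,$DomainDn"

# Right-click domain > New > Organizational Unit. Protect it from accidental deletion,
# which is what the ADUC wizard does by default.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# Right-click OU > New > User. The account is created enabled and must change its
# initial password at first logon, so the administrator never holds the lasting secret.
$InitialPassword = Read-Host -Prompt 'Initial password for ipetrov' -AsSecureString
New-ADUser -Name 'Ivan Petrov' -GivenName 'Ivan' -Surname 'Petrov' `
    -SamAccountName 'ipetrov' -UserPrincipalName "ipetrov@$($Domain.DNSRoot)" `
    -Path $OuDn -AccountPassword $InitialPassword -Enabled $true -ChangePasswordAtLogon $true

# The "Account" tab check from the text, done as a query: the account is enabled
# and sits in the intended OU.
Get-ADUser -Identity 'ipetrov' -Properties Enabled, PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordExpired, DistinguishedName
```

If the domain password policy rejects the initial password, New-ADUser fails before the account is enabled, which is the desired behaviour.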

The general conclusion is that Active Directory is a powerful and useful system management tool that helps unite all employee computers into one team. Using its services, you can create a secure database and significantly optimize the work and synchronization of information between all users. If your company or any other place of business uses computers and networks and you need to consolidate accounts and monitor work and confidentiality, installing an Active Directory-based database will be an excellent solution.

Any novice user, faced with the abbreviation AD, wonders what Active Directory is. Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially the service dealt only with domains, but starting with Windows Server 2008, AD became the name for a wide range of directory-based identity services. Knowing this makes Active Directory easier for beginners to learn.

Basic definition

The server that runs Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in a Windows network domain, assigning and enforcing security policies for all PCs and installing or updating software. For example, when a user logs on to a computer that is joined to a Windows domain, Active Directory checks the supplied password and determines whether the subject is a system administrator or a standard user. It also enables information management and storage, provides authentication and authorization mechanisms, and establishes a framework for deploying other related services: certificate services, federated and lightweight directory services, and rights management.

Active Directory uses LDAP versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Active Directory - what is it? In simple words about the complex

Monitoring network data is a time-consuming task. Even on small networks, users typically have difficulty finding network files and printers. Without some kind of directory, medium to large networks cannot be managed and often face difficulties in finding resources.

Previous versions of Microsoft Windows included services to help users and administrators find information. Network Neighborhood is useful in many environments, but its obvious disadvantages are a clunky interface and unpredictability. WINS Manager and Server Manager could be used to view a list of systems, but they were not available to end users. Administrators used User Manager to add and remove data of an entirely different type of network object. These applications proved ineffective for large networks and begged the question: why do companies need Active Directory?

A directory, in the most general sense, is a complete list of objects. A phone book is a type of directory that stores information about people, businesses and government organizations, usually recording names, addresses and telephone numbers. If you wonder what Active Directory is, in simple words this technology is similar to a directory, but much more flexible. AD stores information about organizations, sites, systems, users, shares and any other network entity.

Introduction to Active Directory Concepts

Why does an organization need Active Directory? As mentioned in the introduction to Active Directory, the service stores information about network components. This allows clients to find objects in its namespace. The term namespace refers to the area in which a network component can be located. For example, a book's table of contents creates a namespace in which chapters can be mapped to page numbers.

DNS is a namespace that resolves host names to IP addresses, just as phone books provide a namespace for resolving names to phone numbers. How does this happen in Active Directory? AD provides a namespace for resolving network object names to the objects themselves and can resolve a wide range of entities, including users, systems and services on a network.

Objects and Attributes

Anything that Active Directory tracks is considered an object. In simple words, an object in Active Directory is any user, system, resource or service. The common term object is used because AD is capable of tracking many kinds of elements, and many objects share common attributes. What does that mean?

Attributes describe objects in Active Directory; for example, all user objects share attributes that store the username. The same applies to their descriptions. Systems are also objects, but they have a separate set of attributes that include host name, IP address and location.

The set of attributes available for any particular type of object is called a schema. It makes object classes distinct from each other. The schema information is itself stored in Active Directory. This behaviour is very important because the design allows administrators to add attributes to object classes and distribute them across the network to all corners of the domain without restarting any domain controllers.

Containers and LDAP names

A container is a special type of object that is used to organize the operation of a service. It does not represent a physical entity like a user or a system. Instead, it is used to group other elements. Container objects can be nested within other containers.

Every element in AD has a name. These are not the ones you are used to, for example, Ivan or Olga. These are LDAP distinguished names. LDAP distinguished names are complex, but they allow you to uniquely identify any object within a directory, regardless of its type.

The terms tree, forest and site

The term tree is used to describe a set of objects in Active Directory. What is this? In simple words, it can be explained through the tree analogy. When containers and objects are combined hierarchically, they tend to form branches, hence the name. A related term is contiguous subtree, which refers to an unbroken main trunk of the tree.

Continuing the metaphor, the term "forest" describes a collection of trees that are not part of the same namespace but share a common schema, configuration and global catalog. Objects in these structures are available to all users if security allows. Organizations divided into multiple domains should group their trees into a single forest.

A site is a geographic location defined in Active Directory. Sites correspond to logical IP subnets and, as such, can be used by applications to find the nearest server on the network. Using site information from Active Directory can significantly reduce traffic on WANs.

Active Directory Management

The Active Directory Users and Computers snap-in. This is the most convenient tool for administering Active Directory. It is directly accessible from the Administrative Tools program group in the Start menu. It replaces and improves upon Server Manager and User Manager from Windows NT 4.0.


Security

Active Directory plays an important role in the future of Windows networks. Administrators must be able to protect their directory from attackers and users while delegating tasks to other administrators. All of this is possible using the Active Directory security model, which associates an access control list (ACL) with every container and object attribute in the directory.

This fine-grained control allows the administrator to grant individual users and groups different levels of permissions on objects and their properties. They can even add attributes to objects and hide those attributes from certain groups of users. For example, you can set an ACL so that only managers can view other users' home phone numbers.

Delegated administration

A concept new to Windows 2000 Server is delegated administration. This allows you to assign tasks to other users without granting additional access rights. Delegated administration can be assigned through specific objects or contiguous directory subtrees. This is a much more efficient method of granting authority across networks.

Instead of assigning someone full domain administrator rights, the user can be given permissions only within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACL of their container.

The term "trust relationship"

The term "trust relationship" is still used, but it has different functionality. There is no distinction between one-way and two-way trusts. After all, all Active Directory trust relationships are bidirectional. Moreover, they are all transitive. So, if domain A trusts domain B, and B trusts C, then there is an automatic implicit trust relationship between domain A and domain C.
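As an added illustration, not code from the original article: the following Python models the rule above (every trust bidirectional and transitive) and computes the full set of domains a given domain ends up trusting, which is the set a reviewer should treat as one security boundary. The domain names and the trust list are constructed sample data.

```python
from collections import deque

# Constructed sample: each pair is one trust relationship between two domains.
# Because the article states that every trust is bidirectional and transitive,
# a trust is modelled as an undirected edge and reachability gives the closure.
SAMPLE_TRUSTS = [
    ("a.example", "b.example"),
    ("b.example", "c.example"),
    ("d.example", "e.example"),  # a second, unconnected pair of domains
]


def build_trust_graph(trusts):
    """Adjacency map of bidirectional trusts."""
    graph = {}
    for left, right in trusts:
        graph.setdefault(left, set()).add(right)
        graph.setdefault(right, set()).add(left)
    return graph


def trusted_domains(trusts, start):
    """All domains reachable from `start` through the chain of transitive trusts.

    Accounts from any domain in this set can be authenticated in `start`
    (and vice versa), so the whole set shares one effective trust boundary.
    """
    graph = build_trust_graph(trusts)
    seen = {start}
    queue = deque([start])
    while queue:
        domain = queue.popleft()
        for neighbour in graph.get(domain, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    seen.discard(start)
    return seen


def trusts_domain(trusts, source, target):
    """True if `source` trusts `target`, either directly or by transitivity."""
    return target in trusted_domains(trusts, source)


if __name__ == "__main__":
    for name in ("a.example", "d.example"):
        print(name, "trusts", sorted(trusted_domains(SAMPLE_TRUSTS, name)))
```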

What is auditing in Active Directory, in simple words? It is a security feature that lets you determine who is trying to access objects and whether each attempt succeeds.

Using DNS (Domain Name System)

The Domain Name System (DNS) is necessary for any organization connected to the Internet. DNS provides name resolution between human-readable names, such as mspress.microsoft.com, and raw IP addresses, which network layer components use for communication.

Active Directory makes extensive use of DNS to look up objects. This is a significant change from previous Windows operating systems, which require NetBIOS names to be resolved to IP addresses and rely on WINS or other NetBIOS name resolution techniques.

Active Directory works best when used with DNS servers running Windows 2000. Microsoft has made it easier for administrators to migrate to Windows 2000-based DNS servers by providing migration wizards that guide the administrator through the process.

Other DNS servers may be used. However, this will require administrators to spend more time managing DNS databases. What are the nuances? If you choose not to use DNS servers running Windows 2000, you must ensure that your DNS servers support the DNS dynamic update protocol. Domain controllers rely on dynamic updates to register the records that clients use to find them. This is inconvenient: if dynamic update is not supported, you must update the DNS databases manually.

Windows domains and Internet domains are now fully compatible. For example, a name such as mspress.microsoft.com will identify the Active Directory domain controllers responsible for the domain, so any client with DNS access can find a domain controller. Clients can use DNS resolution to look up any number of services, because Active Directory servers publish a list of addresses to DNS using the new dynamic update features. This data is published under the domain's name through service resource records (SRV RRs), whose names follow the format _service._protocol.domain.

Active Directory servers expose their objects through the LDAP service, and LDAP uses TCP as the underlying transport layer protocol. Therefore, a client looking for an Active Directory server in the mspress.microsoft.com domain will look for the DNS entry _ldap._tcp.mspress.microsoft.com.
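The lookup described above, as an added Python example rather than code from the article: it builds the _ldap._tcp.domain owner name in the RFC 2782 form that Active Directory registers, parses a constructed zone-file style SRV answer, and orders the domain controllers the way a client should try them. The host names and record values are placeholders constructed for the example.

```python
import re

# Constructed sample answer in zone-file style: what a client could receive for
# the LDAP SRV name of the mspress.microsoft.com domain used in the text. Host
# names are placeholders; the last line has a different owner name and is ignored.
SAMPLE_SRV_ANSWER = """
_ldap._tcp.mspress.microsoft.com. 600 IN SRV 0 100 389 dc1.mspress.microsoft.com.
_ldap._tcp.mspress.microsoft.com. 600 IN SRV 0 50 389 dc2.mspress.microsoft.com.
_ldap._tcp.mspress.microsoft.com. 600 IN SRV 10 100 389 dc-branch.mspress.microsoft.com.
_ldap._tcp.other.example. 600 IN SRV 0 100 389 dc-other.other.example.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def srv_name(service, protocol, domain):
    """Owner name in the _service._protocol.domain form (RFC 2782, as used by AD)."""
    return f"_{service.lower()}._{protocol.lower()}.{domain.rstrip('.')}"


def parse_srv_answer(text):
    """Parse zone-file SRV lines into dicts; any other line raises ValueError."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SRV_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append({k: int(v) if v.isdigit() else v.rstrip(".")
                        for k, v in m.groupdict().items()})
    return records


def order_domain_controllers(records, expected_name):
    """(target, port) pairs in the order a client should try them: matching owner
    name only, lowest priority first, then higher weight first. RFC 2782 picks
    among equal priorities by weighted random choice; this order is deterministic."""
    wanted = [r for r in records if r["name"] == expected_name.rstrip(".")]
    wanted.sort(key=lambda r: (r["priority"], -r["weight"], r["target"]))
    return [(r["target"], r["port"]) for r in wanted]


if __name__ == "__main__":
    name = srv_name("ldap", "tcp", "mspress.microsoft.com")
    print(order_domain_controllers(parse_srv_answer(SAMPLE_SRV_ANSWER), name))
```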

Global catalog

Active Directory provides a global catalog (GC), a single source for searching for any object on an organization's network.

The Global Catalog is a service in Windows 2000 Server that allows users to find any objects that have been shared. This functionality is far superior to the Find Computer application included in previous versions of Windows. After all, users can search for any object in Active Directory: servers, printers, users and applications.

Knowing small business well from the inside, I have always been interested in the following questions. Why should an employee use, on his work computer, the browser that the system administrator happens to like? Or take any other software, for example the archiver, the email client, the instant messaging client... I am gently hinting at standardization, based not on the personal preferences of the system administrator but on the sufficiency of functionality and the cost of maintaining and supporting these software products. Let's start treating IT as an exact science, not as a craft where everyone does as they please. Again, small businesses have a lot of problems with this. Imagine that a company in a difficult time of crisis changes several of these administrators; what should the poor users do in such a situation? Constantly retrain?

Let's look from the other side. Any manager should understand what is currently happening in his company (including in IT). This is necessary to monitor the current situation and to promptly respond to the emergence of various types of problems. But this understanding is more important for strategic planning. After all, having a strong and reliable foundation, we can build a house with 3 or 5 floors, make a roof of different shapes, make balconies or a winter garden. Similarly, in IT, we have a reliable foundation - we can further use more complex products and technologies to solve business problems.

The first article will talk about such a foundation: Active Directory services. They are designed to become a strong foundation for the IT infrastructure of a company of any size and any area of activity. What are they? Let's talk about that...

Let's start the conversation with two simple concepts: the domain and Active Directory services.

A domain is the basic administrative unit in an enterprise's network infrastructure; it includes all network objects such as users, computers, printers, shares, and more. A collection of such domains is called a forest.

Active Directory Services are a distributed database that contains all domain objects. The Active Directory domain environment provides a single point of authentication and authorization for users and applications across the enterprise. The construction of an enterprise IT infrastructure begins with organizing a domain and deploying Active Directory services.

The Active Directory database is stored on dedicated servers, the domain controllers. Active Directory Services is a role of the Microsoft Windows Server operating systems. Active Directory Services is highly scalable: more than 2 billion objects can be created in an Active Directory forest, allowing the directory service to be implemented in companies with hundreds of thousands of computers and users. The hierarchical structure of domains allows you to flexibly scale the IT infrastructure to all branches and regional divisions of a company. For each branch or division, a separate domain can be created, with its own policies, its own users and groups. For each child domain, administrative authority can be delegated to local system administrators. At the same time, child domains remain subordinate to their parents.

Additionally, Active Directory Services allows you to configure trust relationships between domain forests. Each company has its own forest of domains, each with its own resources. But sometimes you need to give employees of another company access to your corporate resources, for example to work on shared documents and applications as part of a joint project. To do this, trust relationships can be set up between the organizations' forests, which allows employees of one organization to log in to the domain of the other.

To ensure fault tolerance for Active Directory services, you must deploy two or more domain controllers in each domain. All changes are automatically replicated between domain controllers. If one of the domain controllers fails, the functionality of the network is not affected, because the remaining ones continue to work. An additional level of resiliency is provided by placing DNS servers on domain controllers in Active Directory, which allows each domain to have multiple DNS servers serving the domain's primary zone. And if one of the DNS servers fails, the others will continue to work. We will talk about the role and importance of DNS servers in the IT infrastructure in one of the articles in the series.

But these are all technical aspects of implementing and maintaining Active Directory services. Let's talk about the benefits a company gets by moving away from peer-to-peer networking based on workgroups.

1. Single point of authentication

In a workgroup, on each computer or server, you have to manually add a complete list of the users who require network access. If one of the employees wants to change his password, it has to be changed on every computer and server. That is manageable if the network consists of 10 computers, but what if there are more? When using an Active Directory domain, all user accounts are stored in one database, and all computers turn to it for authentication. All domain users are placed in the appropriate groups, for example "Accounting" or "Finance Department". It is enough to set permissions for these groups once, and all their members get the appropriate access to documents and applications. If a new employee joins the company, an account is created for him and placed in the appropriate group, and the employee gets access to all the network resources he should be allowed to use. If an employee leaves, it is enough to disable his account, and he immediately loses access to all resources (computers, documents, applications).

2. Single point of policy management

In a workgroup, all computers have equal rights. None of the computers can control another, so it is impossible to enforce uniform policies and security rules. When using a single Active Directory, all users and computers are hierarchically distributed across organizational units, each of which is subject to its own group policies. Policies allow you to apply uniform configuration and security settings to a group of computers and users. When a new computer or user is added to the domain, it automatically receives settings that comply with the accepted corporate standards. Using policies, you can centrally assign network printers to users, install the necessary applications, set browser security settings, and configure Microsoft Office applications.

3. Increased level of information security

Using Active Directory services significantly increases the level of network security. Firstly, it provides a single, protected account store. In a domain environment, all domain user passwords are stored on dedicated domain controller servers, which are normally protected from external access. Secondly, in a domain environment the Kerberos protocol is used for authentication, which is much more secure than the NTLM used in workgroups.

4. Integration with corporate applications and equipment

A big advantage of Active Directory services is its compliance with the LDAP standard, which is supported by other systems, for example mail servers (Exchange Server) and proxy servers (ISA Server, TMG). These are not necessarily only Microsoft products. The advantage of such integration is that the user does not need to remember a large number of logins and passwords to access particular applications; in all applications the user has the same credentials, and his authentication takes place in the single Active Directory. Windows Server also provides the RADIUS protocol for integration with Active Directory, which is supported by a large number of network equipment. This makes it possible, for example, to authenticate domain users when they connect via VPN from outside or use the company's Wi-Fi access points.

5. Unified application configuration storage

Some applications, such as Exchange Server, store their configuration in Active Directory. Deployment of the Active Directory directory service is a prerequisite for these applications to work. Storing application configuration in a directory service offers flexibility and reliability benefits. For example, in the event of a complete failure of the Exchange server, its entire configuration remains intact. To restore the functionality of corporate mail, it is enough to reinstall Exchange Server in recovery mode.

To summarize, I would like to once again emphasize that Active Directory services are the heart of an enterprise’s IT infrastructure. In case of failure, the entire network, all servers, and the work of all users will be paralyzed. No one will be able to log into the computer or access their documents and applications. Therefore, the directory service must be carefully designed and deployed, taking into account all possible nuances, for example, the bandwidth of channels between branches or offices of the company (the speed of user login to the system, as well as data exchange between domain controllers, directly depends on this).