An Introduction To Active Directory - Veeam Software

Upload by : Baylee Stein

An introduction to Active Directory in only 60 minutes
Sander Berkouwer
MCSE, MCITP, MCT, MVP

Agenda
- Under the hood of Active Directory
  On objects, attributes, replication, multi-master and flexible single master operations
- The role of Active Directory
  On network services and in the most basic of features towards end users
- Best practices
  When deploying Active Directory

Under the hood
On objects, attributes, replication, multi-master and flexible single master operations

Domain Controllers
- Installed with Windows Server
  - Physical hosts
  - Virtual machines
- Configured with Server Roles and Features
  - Active Directory Domain Services role
  - Active Directory Domain Services management tools
- Two types of Domain Controllers exist*
  - Read/write Domain Controllers
  - Read-only Domain Controllers

Grouping of Domain Controllers
- Active Directory Sites
  - Geographic sites with high-speed connectivity
  - Sites govern replication and authentication traffic
- Active Directory Domains
  - Containers of replication
  - Identified by a DNS domain name
- Active Directory Forests
  - Collection of one or more domains
  - Forest shares a single Active Directory schema

The Active Directory database
- NTDS.dit and supporting files
  - Definition of objects
  - Configuration of objects
- Schema
  - Definition of object classes and relations
  - Definition of behavior and rights
- Configuration
  - Objects in Active Directory themselves
  - Attributes for objects

Inside the database
- Objects
  - User objects, computer objects, etc.
  - Identified with Security Identifiers (SIDs)
- Containers
  - Containers
  - Organizational Units
- Attributes
  - Properties for objects
  - Single valued vs. multi-valued attributes

Replication and High Availability
- Intrasite replication
  - Change notifications with pull replication
  - Two-way ring topology
- Intersite replication
  - Schedule-based pull replication
  - Bridgehead to bridgehead server
- Knowledge Consistency Checker (KCC)
  - Responsible for the replication topology
  - Alternatively, you can manually modify the topology

[Diagram: Domain Controllers in an Active Directory site, each labelled with its Unique Serial Number, High watermark Table and InvocationID]

Multi-master and FSMO Roles
- Everything is awesome!
  - Changes can be made on every Domain Controller
  - Changes are replicated to all Domain Controllers in scope
- Flexible Single Master Operations (FSMO) Roles

  FSMO Role                            Scope
  Primary Domain Controller emulator   Domain
  RID Pool master                      Domain
  Infrastructure master                Domain
  Schema master                        Forest
  Domain naming master                 Forest

The role of Active Directory
On network services and in the most basic of features towards end users

Networking Services
- Domain Name System (DNS)
  - DNS Domain names for domains
  - DNS Zones and records
- Dynamic Host Configuration Protocol (DHCP)
  - DHCP Authorization
  - DHCP and Dynamic DNS
- 3rd party services
  - LDAPS for standards-based querying of Active Directory
  - RADIUS for pre-authentication by routers, firewalls, etc.

Active Directory
- Device-independent productivity
  - On-premises Single Sign-On
  - Cloud Single Sign-On
- Centralized Systems Management
  - Consistent User Experience
  - Distributed File System for optimized access to files

Best Practices
When deploying Active Directory

Best practices for planning Domain Controllers
- Intend to create at least 2 Domain Controllers per domain.
  - Domain Controllers automatically offer High Availability
  - Domain Controller resiliency is easily achieved
- Intend to implement server role separation.
  - Don’t misuse Domain Controllers as IIS Servers or SQL Servers (unless it’s Windows Small Business Server).
- Use hardware and software still covered by the producer’s (extended) guarantee, support for the period in which you need to rely on the Domain Controller.

Best practices for placing Domain Controllers
- Properly dimension the server’s hardware and software.
  - Use RAID and separate spindles for storage of Active Directory data.
  - Use the Infrastructure Planning & Design (IPD) Guide
- When the DC is a VM, have the correct procedures in place.
  - Always run sysprep.exe when working with Windows Server templates.
  - Don’t let virtualization admins ruin your Active Directory
- Before you install Windows Server, run the Memory Diagnostics from the Windows Server DVD.
  - Possible memory corruption issues show early this way.

Best practices for promoting Domain Controllers
- Document passwords
  - Document the Directory Services Restore Mode password
  - The built-in Domain Admin password
- Implement information security measures
  - Install and configure anti-malware, UPS, monitoring agents, etc.
  - Follow vendor’s best practices on exclusions and configuration
- To promote Domain Controllers, use answer files.
  - Write them, get them checked, signed off and then use them.
  - Include them in your documentation after you’ve used them.

After you’ve promoted your Domain Controllers
- Check the logs
  - Check C:\Windows\debug\dcpromo.log
  - Check C:\Windows\debug\dcpromoui.log
- Run Windows Update after promotion.
  - You will only be offered Active Directory-specific updates after promoting a Windows Server installation to a Domain Controller
- Run the Active Directory Best Practices Analyzer
  - The Best Practices Analyzer warns you about misconfigurations.
  - Recommendations may protect you against 90% of data loss scenarios.
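
Added example (not part of the original slides): a PowerShell script that performs the log check and the Best Practices Analyzer run from the slide above on a freshly promoted Domain Controller. The keyword pattern used to scan the logs is an assumption to tune for your environment; the Windows Update step is not covered.

```powershell
# Run in an elevated PowerShell session on the newly promoted Domain Controller.

# 1. Scan the promotion logs named on the slide for lines that suggest trouble.
$logs = 'C:\Windows\debug\dcpromo.log',
        'C:\Windows\debug\dcpromoui.log'

# Assumption: these keywords are a starting point, not a documented log format.
$pattern = 'error|fail|denied'

foreach ($log in $logs) {
    if (-not (Test-Path -LiteralPath $log)) {
        Write-Warning "$log not found; promotion may not have run on this installation."
        continue
    }

    # Select-String matches case-insensitively by default.
    $hits = @(Select-String -LiteralPath $log -Pattern $pattern)
    Write-Host ("{0}: {1} suspicious line(s)" -f $log, $hits.Count)

    # Show the first few hits with line numbers so they can be looked up in the log.
    $hits | Select-Object -First 20 |
        ForEach-Object { "  line {0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
}

# 2. Run the Active Directory Domain Services Best Practices Analyzer model
#    and list everything that is not merely informational.
Import-Module BestPractices
$model = 'Microsoft/Windows/DirectoryServices'

Invoke-BpaModel -ModelId $model | Out-Null

$findings = @(Get-BpaResult -ModelId $model |
    Where-Object { $_.Severity -in 'Error', 'Warning' })

Write-Host ("BPA: {0} error/warning finding(s)" -f $findings.Count)

$findings |
    Sort-Object Severity, Category |
    Select-Object Severity, Category, Title, Resolution |
    Format-List
```

Keeping the output of this run alongside the answer file gives the documentation a record of the Domain Controller's state right after promotion.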

Concluding

Concluding
- Active Directory consists of many components
  - These components make up an entire identity solution
  - High Availability is achieved through multi-master replication
- Active Directory plays an important role in your infrastructure
  - Network services like DNS and DHCP benefit from Active Directory
  - Colleagues benefit from device-independent SSO and management
- Best Practices for Active Directory
  - Think before you act.
  - Don’t forget to document.

Questions?

Thank you!
