Active Directory Domain Services (AD DS) is a key element
of the Windows SBS 2011 infrastructure, one that provides centralized
authentication and authorization services for the entire network. It is
important for Windows SBS administrators to understand the basic
architecture of AD DS, although in most cases it is not necessary to
delve into its vast complexities.
AD DS is, at its heart, a directory service;
that is, a database that functions as a repository for information
about your network. When Windows SBS network users sit down at their
workstations and log on, they are logging on to the directory service,
not to the individual workstations. Their user accounts and passwords
are stored in AD DS, and the directory service grants them access to
the network.
Two of the primary functions performed by AD DS are authentication and authorization. Authentication
is the process by which a system verifies a user’s identity. Computers
can authenticate a user’s identify by requiring that the user supply
any or all of the following:
-
Something the user knows, such as a password
-
Something the user has: a possession, such as a smart card
-
Something the user is: a physical attribute, such as a fingerprint
Authentication protocols, such as Kerberos, enable these processes to occur without endangering passwords by transmitting them over the network. Authorization
is the process by which a system grants a user access to specific
resources. Once AD DS has authenticated a user, it can grant access to
network resources by associating the user’s verified identity with the
access control system built into the resource. For example, every file
on the NTFS disks in your Windows SBS 2011 servers and workstations has
a list of the users who are permitted access to that file.
Without AD DS, users would require separate accounts and passwords
on every computer they need to access. Imagine how arduous your role as
an administrator would be if, each time a new employee joined the
company, you had to create 10 or 20 separate user accounts for the same
person, on 10 or 20 different computers. Imagine having to modify 10 or
20 separate accounts each time a user is required to change his or her
password (which, for security reasons, should be pretty frequently). AD
DS uses one centralized user account and password for all network
resources, greatly simplifying the administration process.
2. Domains and Domain Controllers
In AD DS, the fundamental administrative unit is the domain. An AD DS domain
is a logical grouping of computers, users, and other network resources.
By grouping elements into domains, administrators can create policies
and assign them to all or part of a network at once.
AD DS is a highly flexible directory service that is sufficiently
scalable to support networks of almost any size. A large enterprise
network can consist of multiple domains, grouped in a hierarchical
structure called a domain tree, and can even have multiple domain trees grouped in a structure called a forest.
However, Windows SBS 2011 supports the use of only a single domain,
which is more than sufficient to support the maximum of 75 workstations
you can connect to the network.
One of the most complex parts of a large-scale AD DS deployment is designing
the AD DS tree structure. Administrators of large networks must often
devote a great deal of time and effort to creating a domain hierarchy
that adequately represents their organizations. With Windows SBS 2011,
however, there is no need for this effort. All you have to do is supply
a name for your domain, and the Windows SBS setup program installs AD
DS, creates the domain, and configures your server to support it.
A Windows server with AD DS installed and configured is called a domain controller.
The domain controller contains a copy of the AD DS database, as well as
the various applications and services that enable AD DS to function.
When a user logs on to the domain, it is the domain controller that
authenticates the user’s identity. When a user on a Windows SBS
workstation accesses a server disk, the domain controller (which, in
this case, is the same computer) authenticates the user’s identity and
authorizes access to the files that the user requests. Even when a user
accesses resources on another workstation instead of a server, the
domain controller is involved in the authentication and authorization
processes. The computers on the network, therefore, require continual
access to the domain controller.
Larger networks usually have multiple domain
controllers for each domain, which replicate information back and forth
to keep them all updated and in the same state. Windows SBS 2011,
however, supports only one domain and one domain controller. This
simplifies the network design and eliminates the need for complex
replication systems, but it also makes the continued operation of the
Windows SBS domain controller all the more critical. It is strongly
recommended that you use fault-tolerance mechanisms, such as an
uninterruptible power supply (UPS) and regular server backups, to
prevent extended domain controller downtime.
3. Objects and Attributes
The AD DS database consists of objects,
which represent specific network resources, both physical and logical.
Every user, computer, and group on your network has an AD DS object
that represents it. Each object consists of a set of attributes,
which contain information about that object. For example, some of the
attributes of a user object are designed to hold the individual’s first
and last names, address information, and password. When you open the Properties sheet for a user account, as shown in Figure 1,
the properties that you can modify are actually attributes of the user
object. Group objects contain, as an attribute, a list of the other
objects that are members of the group.
The types of objects that you can create in the AD DS database, and the attributes of each object type, are specified in the AD DS schema.
Applications can modify the schema to add object types to the AD DS
implementation, or add attributes to existing object types. For
example, Microsoft Exchange modifies the schema to add specialized
attributes to every user object in the directory.
It is also possible for administrators to modify the schema
manually, using tools provided with Windows Server 2008 R2. However,
the average Windows SBS 2011 administrator should not have reason to do
this.
Caution
Modifying the AD
DS schema is similar to modifying a Windows computer’s registry, in
that a minor mistake can have a profound effect on the functionality of
the system. Do not make any manual changes to the schema (or to the
registry, for that matter), unless you know precisely what you are
doing, and why.
In addition to objects that represent network resources, the AD DS
has objects that represent logical divisions in the network, which you
can use for organizational functions. The domain is such an object, as
is a forest. Within a domain, you can also create objects called organizational units (OUs)
to subdivide the domain in various ways. Unlike domains, which you can
create only by installing a new domain controller, you can create as
many OUs as you want, at any time.
OUs are known as container objects
because other objects can be subordinate to them. You can create user,
group, and computer objects in an OU, or even other OUs. Objects that
cannot contain other objects, such as user and computer objects, are
known as leaf objects.
Note
Four container objects appear in every domain by default: Built-in, Computers, ForeignSecurityPrincipals, and Users. These are not OUs; the name of their object type is container.
You cannot create new objects using the container type, but you can
create objects, such as OUs, that are containers (in the generic sense).
The default domain for your Windows SBS 2011 network has a number of OUs in addition to the Domain Controllers OU found in every AD DS domain. The MyBusiness OU has four OUs beneath it, called Computers, Distribution Groups, Security Groups, and Users, as shown in Figure 2. The Computers OU has two subordinate OUs of its own, called SBSComputers and SBSServers, and the Users OU has a subordinate OU called SBSUsers.
Note
Group objects are a special case because while they have a list of
other objects that are members of the group as an attribute, they do
not contain those objects in the AD DS sense. Groups are therefore not
considered container objects, as domains or OUs are.
The function of these OUs is to separate the leaf objects that
Windows SBS 2011 creates in your domain by their functions; users go in
one OU, computers in another, and so forth. Here again, Windows SBS
2011 has made the AD DS design decisions for you. It includes
specialized tools that are based on this default design. To manage AD
DS user, group, and computer objects using the Windows SBS Console, the
objects must be located in the appropriate OUs. You can conceivably
redesign the domain hierarchy by creating your own OUs and moving the objects into them, using any organizational
paradigm you want, such as the geographical locations of your company’s
branch offices. To do so, however, you would then have to use the
standard Windows Server 2008 R2 tools to manage them instead of the
Windows SBS Console. You would also have to reconfigure the default
Windows SBS 2011 Group Policy objects (GPOs), which are designed around the default OU hierarchy.
Caution
It is strongly recommended that you do not modify the default AD DS hierarchy, at least at first, until you fully understand the ramifications of your actions.
