Tuesday, June 13, 2017

Active Directory Directory Services (ADDS) Structure Essentials

Cisco equipment is what makes the internet work, while Windows Active Directory Domain Services (ADDS) is what makes businesses work.

So network engineers should have at least a basic understanding of how it is structured to serve an enterprise environment.

This post covers only the basic architectural concepts of ADDS, not a detailed explanation.

Domain Controllers

Like Exchange servers, which control email services, Domain Controllers are the servers that control ADDS, which sets security permissions in a Windows environment. Basically, it is the server that System Administrators configure to allow or block certain users or computers from accessing certain resources (email, VPNs, applications, file servers, printers etc.) in a network.


There are 2 types of accounts in AD:
1) User Accounts
2) Computer Accounts

You can set permissions / apply policies to individual Accounts or Groups.


The information about User Accounts and Computer Accounts is stored in a structured way; that structure is called the "Schema".

Ex:- Schema for a User Account
email address:

In Windows AD, this Schema is extensible / can be modified (fields can be added).


Groups are used to apply security.
Administrators create Groups, assign User Accounts / Computer Accounts to them, and set policies for the Groups, which affect all members of that Group.

There are 2 types of Groups:
1) Security Groups
2) Distribution Groups

Security Groups are the normal Groups you will see day to day. They are used to apply security policies.
Distribution Groups are primarily used by email applications.

Groups can also be bundled and assigned into other Groups (nested).

Ex:- We have a Sales group and an HR group in our company. These Groups are called Global Groups, and those Global Groups can be inserted into a Local Group so that a security policy can be applied once and affect all members of both Groups.

Note that the same user can be in several Groups, and individual Accounts can also be bundled together with Groups.

Local & Global are 2 scopes of Groups. Actually there are 3 scopes:
1) Global Groups
2) Local Groups
3) Universal Groups

Scopes are determined by 3 characteristics:

Replication - Where the Group is created and where it is replicated.
Membership - What members the Group can have.
Availability - Where the Group can be used.

If you need more info about Group Scopes you can find it here.

Organizational Units (OU)

Organizational Units are containers used to group Accounts so that policy can be applied to them.
They are created for administrative purposes, which means there can be a delegated Administrator for that OU.

Domain & Sub Domains / Child Domains

A Domain is all the users and all the computers that are tied to the Domain Controller's ADDS.
Sub Domains / Child Domains are subsets of the parent Domain. Actually, a Sub Domain is a separate Domain in the same network with its own Domain Controllers, but it has the same Schema. Sub Domains can also have their own Sub Domains.

Ex:- google.com and its sub domains, such as asia.google.com & europe.google.com.
europe.google.com can in turn have sub domains such as east.europe.google.com & west.europe.google.com.


When you create Sub Domains under a Domain, a 2-Way Trust is created automatically.
And between those 2 Sub Domains a 2-Way Transitive Trust exists.

Which means:
google.com trusts asia.google.com and vice versa
google.com trusts europe.google.com and vice versa

Then asia.google.com trusts europe.google.com and vice versa, which we call a "Transitive Trust".

Trust simply means that the Admin of google.com can give permissions to a user account from asia.google.com to access resources of google.com, and vice versa.

In a Transitive Trust, the Admin of europe.google.com can give permissions to a user account from asia.google.com to access resources of europe.google.com, and vice versa.

A user can access resources of another Domain using his own username and password if the Admin of that Domain permits it.


Because all Sub Domains share the same google.com name space, we say they are in the same Tree.
So a Tree is the entity you get when you add Sub Domains to a Domain.


A Forest is the entity you get when you join 2 or more Domains together with a Trust.
The Domains differ in their Schema.

Ex:- When google.com buys blogspot.com, there is a Forest.

When 2 separate Domains are trusted, a 2-Way Trust is not created automatically as it is between a Domain and its Sub Domains. Admins can only create a One-Way Trust, so if a 2-Way Trust is required, Admins must create 2 One-Way Trusts.
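The two structures above, nested Group membership (Sales and HR inside a Local Group) and Domain trusts (the google.com Tree plus the blogspot.com Forest case), as an added model written for this post, not code from the original. The member names, the "Local-Policy" Group, the Loop Groups and the direction of the one-way google.com -> blogspot.com trust are constructed assumptions; they show why an auditor resolves nested membership recursively and why a non-transitive trust does not chain.

```python
# Added example, not from the original post: a model of nested Group membership
# and Domain trusts using the post's own names (Sales, HR, google.com, blogspot.com).
# Group -> direct members (accounts or other Groups). "Local-Policy" is a constructed
# Local Group holding the Sales and HR Global Groups plus one account.
GROUPS = {
    "Sales": {"alice", "bob"}, "HR": {"carol"},
    "Local-Policy": {"Sales", "HR", "dave"},
    "Loop-A": {"Loop-B"}, "Loop-B": {"Loop-A", "erin"},   # constructed circular nesting
}

def effective_members(group):
    """Every account a policy applied to `group` affects; the seen-set stops cycles."""
    members, seen, todo = set(), set(), [group]
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in GROUPS.get(g, ()):
            if m in GROUPS:
                todo.append(m)      # nested Group: descend into it
            else:
                members.add(m)      # leaf account
    return members

# Trusts as (trusting, trusted) -> transitive. Parent/child links are 2-Way
# transitive; google.com -> blogspot.com is the post's Forest case with a
# single One-Way, non-transitive trust (direction is an assumption).
TRUSTS = {
    ("google.com", "asia.google.com"): True, ("asia.google.com", "google.com"): True,
    ("google.com", "europe.google.com"): True, ("europe.google.com", "google.com"): True,
    ("google.com", "blogspot.com"): False,
}

def can_be_granted(user_domain, resource_domain):
    """True if the Admin of resource_domain can grant a user_domain account access:
    same Domain, a direct trust, or a chain made only of transitive trusts."""
    if user_domain == resource_domain or (resource_domain, user_domain) in TRUSTS:
        return True
    seen, todo = {resource_domain}, [resource_domain]
    while todo:
        d = todo.pop()
        for (a, b), transitive in TRUSTS.items():
            if a == d and transitive and b not in seen:
                if b == user_domain:
                    return True
                seen.add(b)
                todo.append(b)
    return False
```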
