Active Directory Complete Guide

This post gathers my notes on Active Directory into a single guide; the topics covered are listed below.

  • Active Directory Basics
  • Key Features of Active Directory
  • FSMO Roles
  • Active Directory Domain Controllers
  • Primary Domain Controller (PDC)
  • Additional Domain Controller (ADC)
  • Read Only Domain Controller (RODC)
  • Child Domain Controller (CDC)
  • Allow or Prevent Domain Users from Joining Workstations to Domain
  • Downgrade AD Domain And Forest Functional Level
  • Resetting the Directory Services Restore Mode (DSRM) Password
  • Remove Failed or Offline Domain Controller From Active Directory Manually
  • Security Groups
  • Group Policy Implementation

In addition to the topics listed above, the post also covers a few Windows tips and tricks.

Now let's go through the topics one by one.

What Is Active Directory

 

Active Directory is a directory database that holds the user, computer and group accounts of an organization, together with the secrets (password hashes) used to authenticate them. Keeping accounts in one protected, centrally managed location improves the organization's security; it also makes the domain controllers the highest-value targets on the network, which is why everything that follows about DC placement and hardening matters.

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only responsible for centralized domain management.

A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policies for all computers, and can install or update software through Group Policy.

Key Features of Active Directory

 

  • AD provides a namespace that is integrated with the Internet's Domain Name System (DNS); clients locate domain controllers and services through the SRV records that AD DS registers in DNS.
  • AD DS is the directory service at the core of the Windows Server operating system and runs only on domain controllers.
  • Operating system directory services such as AD provide user, computer, and shared resource management.
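The DNS integration above is what lets any domain member find a domain controller with no configuration at all. The script below is an added example (not from the original post) that queries the SRV records AD DS registers, sorted the way the Windows DC Locator prefers them; the domain name corp.example.com and the site name Default-First-Site-Name are assumptions.

```powershell
# Added example: locate domain controllers through the SRV records AD DS
# registers in DNS. Assumes domain corp.example.com, site Default-First-Site-Name,
# and the DnsClient module (Windows 8 / Server 2012 and later).
$domain = 'corp.example.com'           # assumed domain name
$site   = 'Default-First-Site-Name'    # assumed AD site name

# The record names are fixed service labels that every DC registers on start-up.
$services = [ordered]@{
    'LDAP (any DC)'   = "_ldap._tcp.dc._msdcs.$domain"
    'Kerberos KDC'    = "_kerberos._tcp.dc._msdcs.$domain"
    'Global Catalog'  = "_gc._tcp.$domain"
    'PDC Emulator'    = "_ldap._tcp.pdc._msdcs.$domain"
    "DCs in site $site" = "_ldap._tcp.$site._sites.dc._msdcs.$domain"
}

foreach ($entry in $services.GetEnumerator()) {
    Write-Host "== $($entry.Key): $($entry.Value)"
    # The answer also carries A records in the additional section; keep SRV only.
    # Clients try the lowest Priority first and spread load by Weight within it.
    Resolve-DnsName -Name $entry.Value -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight |
        Format-Table -AutoSize
}

# Cross-check with the built-in locator (nltest ships with Windows) ...
nltest /dsgetdc:$domain /force
# ... and see which DC actually authenticated the current session.
$env:LOGONSERVER
```

These records are unauthenticated by design, so they are also the first thing anyone with network access enumerates; there is nothing to fix there, but do not assume the list of domain controllers is a secret.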

What Are FSMO Roles

Flexible Single-Master Operations (FSMO) roles play a very important part in an Active Directory environment.

Active Directory is a multi-master replicated database: any writable domain controller can accept changes, and those changes are replicated to the others. A few operations, however, would cause conflicts if two domain controllers performed them at the same time (extending the schema or handing out RID pools, for example), so each of these is assigned to exactly one domain controller at a time. These assignments are the FSMO roles. A role can be transferred between domain controllers while both are online, or seized on another domain controller when the holder is permanently lost.

The five FSMO roles fall into two categories.

Forest Wide Roles (one holder per forest)

  • Schema Master: the only DC that accepts changes to the schema.
  • Domain Naming Master: the only DC that can add or remove domains (and application partitions) in the forest.

Domain Wide Roles (one holder per domain)

  • PDC Emulator: time source for the domain, authoritative for password changes and account lockouts (every DC forwards failed logons to it), and the default target of Group Policy edits. It is the most security-sensitive of the five.
  • RID Master: allocates the pools of relative identifiers that the other DCs use to build SIDs for new security principals.
  • Infrastructure Master: maintains cross-domain object references; it should not sit on a Global Catalog unless every DC in the domain is a GC.
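The following script is an added example (not from the original post) showing how to list the five role holders, confirm that each holder is actually answering, and transfer a role gracefully. It assumes the RSAT ActiveDirectory module, Domain Admin rights (Enterprise Admin for the forest roles), and a writable DC named DC02.

```powershell
# Added example: inventory FSMO holders, check they are reachable, transfer a role.
# Assumes RSAT ActiveDirectory module and a writable DC named DC02.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
    }
}

$roles = Get-FsmoRoleHolders
foreach ($role in $roles.GetEnumerator()) {
    $holder = $role.Value
    # Bind to the holder itself (-Server) rather than to whichever DC the module
    # picked; a dead holder shows up here long before users notice (no new RIDs,
    # password changes not converging on the PDC Emulator).
    try {
        $null = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
        $status = 'reachable'
    } catch {
        $status = "UNREACHABLE ($($_.Exception.Message))"
    }
    '{0,-20} {1,-30} {2}' -f $role.Key, $holder, $status
}

# Same data from the legacy tool, handy on a host without RSAT:
netdom query fsmo

# Graceful transfer (both DCs online): the current holder hands the role over and
# replication records the change. Do NOT add -Force here; -Force means *seize*,
# which is only for a holder that is permanently gone (see the metadata cleanup
# section later in this guide).
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Verify the move replicated.
Get-FsmoRoleHolders
```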

What Is a Domain Controller

Active Directory is essential to any Microsoft network built on the client-server model: it allows you to have a central server, called a Domain Controller (DC), that performs authentication for your entire network.

Instead of users logging on with local accounts on each machine, they authenticate against the DC with their domain credentials (by default with Kerberos, falling back to NTLM where Kerberos is not possible).

Types of Domain Controller

 

Above we saw what a DC is; now we look at the types of domain controllers that are available and how each of them is installed and configured.

1. Primary Domain Controller (PDC)

Primary Domain Controller: the PDC is usually the first domain controller promoted in a new domain.

The name is inherited from Windows NT, where one PDC held the only writable copy of the domain database and Backup Domain Controllers (BDCs) held read-only copies. In Active Directory every writable DC is a peer; the first DC of a domain simply ends up holding all five FSMO roles (including the PDC Emulator role) until they are moved. Any further DCs are generally called Additional Domain Controllers (ADCs), covered in the next topic.

Related article: How to Install Active Directory on Windows Server 2008 R2 (step-by-step installation and configuration of a Primary Domain Controller, PDC).

2. Additional Domain Controller (ADC)

Running a single domain controller is risky: a hardware or other technical failure takes domain authentication down with it, and without a second DC or a tested backup the directory itself can be lost.

With an ADC in place, if the first domain controller fails the ADC keeps servicing logons and the network stays functional. Note that FSMO roles do not fail over by themselves; if the failed DC held any, they have to be seized on the surviving DC.

Related article: How To Create Additional Domain Controller (ADC) In Windows Server 2008 (step-by-step installation and configuration of an Additional Domain Controller, ADC).

3. Child Domain Controller (CDC)

There are times when you need to separate or delegate parts of your Active Directory infrastructure, and the usual way to do that is to create a new child domain in the existing AD forest.

This way you do not have to create trusts between the two domains yourself: a two-way transitive parent-child trust is created automatically, meaning the parent domain trusts the child and vice versa. Keep in mind that a domain is an administrative boundary, not a security boundary; the forest is the security boundary. Enterprise Admins of the forest root have authority in the child domain, and a compromise of any domain controller in the forest is a compromise of the whole forest.

Related article: Creating a New Child Domain in Windows Server 2008 R2 (step-by-step installation and configuration of a Child Domain Controller, CDC).

4. Read-Only Domain Controller (RODC)

Read-only domain controllers are designed for branch offices and other locations where the physical security of the server cannot be guaranteed. They give the remote site a local authentication point without placing every password in the domain on a machine that could be stolen. An RODC holds a read-only copy of the directory but, by default, receives no account secrets (password hashes); it caches only the credentials of the users and computers that its Password Replication Policy allows. Authentication for any other account is forwarded to a writable domain controller, and every write (a password change, a new object) is referred to a writable DC as well. What sets an RODC apart from a writable DC:

  • Unidirectional replication: changes flow from writable DCs to the RODC only, so whatever an attacker modifies on a compromised RODC never replicates back.
  • Special krbtgt account: every RODC has its own krbtgt_NNNNN account, so tickets it issues are encrypted with a key that writable DCs can tell apart from the domain krbtgt key.
  • Password Replication Policy (PRP): an allow list and a deny list that decide whose secrets may be cached; Domain Admins and other sensitive accounts are denied by default.
  • RODC filtered attribute set (FAS): attributes marked as filtered in the schema are never replicated to an RODC.
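The PRP and the revealed-accounts list are the two things to check on an RODC, before deployment and again after any physical-security incident. The script below is an added example (not from the original post); the RODC name RODC01 and the group Branch-Users are assumptions, as is the presence of the RSAT ActiveDirectory module.

```powershell
# Added example: audit an RODC's Password Replication Policy and cached secrets.
# Assumes RSAT ActiveDirectory module, an RODC named RODC01, a group Branch-Users.
Import-Module ActiveDirectory
$rodc = 'RODC01'

# 1. The policy: who may have secrets cached on this RODC, and who never may.
#    The built-in "Denied RODC Password Replication Group" already covers Domain
#    Admins, krbtgt and other tier-0 accounts; never loosen that list.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 2. Allow caching only for the branch users (their workstations can be added the
#    same way, or pre-populated with the -AuthenticatedAccounts list below).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'

# 3. What has actually been cached so far. If the RODC is stolen or compromised,
#    this is exactly the set of accounts whose passwords must be reset (the
#    "reset all passwords" option when deleting the RODC object does the same).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, DistinguishedName

# A privileged account in that list (someone used a Domain Admin account at the
# branch) is a finding even if the deny list is intact.
$privileged = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$revealed | Where-Object { $privileged -contains $_.SamAccountName }

# 4. The RODC's own krbtgt account is linked from its computer object. TGTs the
#    RODC issues are encrypted with this key, so writable DCs recognise them and
#    only honour them for accounts this RODC is allowed to cache.
$link = (Get-ADComputer $rodc -Properties 'msDS-KrbTgtLink').'msDS-KrbTgtLink'
Get-ADUser -Identity $link -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet

# 5. Everyone who authenticated through this RODC, cached or forwarded; useful
#    for deciding who really needs to be on the allow list.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```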

Related article: Steps for Deploying & Installing a Read-Only Domain Controller (RODC) (step-by-step installation and configuration of a Read-Only Domain Controller).

These are the various types of domain controllers that can be implemented in an Active Directory environment.
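The linked articles above use the dcpromo wizard of Windows Server 2008 R2. dcpromo was retired in Windows Server 2012 and replaced by the ADDSDeployment module, so as an added example (not from the original post or the linked articles) here are the PowerShell equivalents for all four DC types in one place. Every name is an assumption: forest corp.example.com (NetBIOS CORP), child domain emea, site BranchOffice (it must already exist in Sites and Services), and the groups CORP\Branch-Users and CORP\Branch-Admins. Each section is run on the server being promoted, and each Install-* cmdlet reboots that server when done unless -NoRebootOnCompletion is added.

```powershell
# Added example: promoting the four DC types with the ADDSDeployment module
# (Windows Server 2012 and later). All names are assumptions; see lead-in.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Every promotion needs the DSRM password; record it somewhere safe (see the
# DSRM section of this guide). Domain credentials are only needed for 2-4.
$dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode Administrator) password'
$cred = Get-Credential 'CORP\Administrator'

# 1. First DC of a new forest (the "PDC" of this post; it receives all five FSMO
#    roles). Test-* runs the prerequisite checks without changing anything.
Test-ADDSForestInstallation -DomainName 'corp.example.com' -SafeModeAdministratorPassword $dsrm
Install-ADDSForest -DomainName 'corp.example.com' -DomainNetbiosName 'CORP' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# 2. Additional DC in that domain: a full writable replica, Global Catalog by default.
Install-ADDSDomainController -DomainName 'corp.example.com' -Credential $cred `
    -InstallDns -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword $dsrm -Force

# 3. First DC of a new child domain. The two-way transitive parent/child trust
#    and (with -CreateDnsDelegation) the DNS delegation are created for you.
Install-ADDSDomain -NewDomainName 'emea' -ParentDomainName 'corp.example.com' `
    -DomainType ChildDomain -NewDomainNetbiosName 'EMEA' -Credential $cred `
    -InstallDns -CreateDnsDelegation -SafeModeAdministratorPassword $dsrm -Force

# 4. Read-only DC for a branch: secrets replicate only for accounts on the allow
#    list, tier-0 groups are explicitly denied, and a delegated local administrator
#    who is not a Domain Admin can patch and reboot the box.
Install-ADDSDomainController -DomainName 'corp.example.com' -Credential $cred `
    -ReadOnlyReplica -SiteName 'BranchOffice' -InstallDns `
    -AllowPasswordReplicationAccountName @('CORP\Branch-Users') `
    -DenyPasswordReplicationAccountName  @('CORP\Domain Admins', 'CORP\Enterprise Admins') `
    -DelegatedAdministratorAccountName 'CORP\Branch-Admins' `
    -SafeModeAdministratorPassword $dsrm -Force

# After any promotion: is the new DC advertising itself and replicating?
dcdiag /test:advertising /test:replications
repadmin /replsummary
```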

Allow or Prevent Domain Users from Joining Workstations to Domain

 

By default, Active Directory allows any member of the Authenticated Users group to join up to 10 computers to the domain; the computer accounts land in the default Computers container. The limit is the ms-DS-MachineAccountQuota attribute on the domain object, and it is counted per user (computer objects created this way record the creator in their mS-DS-CreatorSID attribute).

If a user tries to add more than 10 workstations, they are likely to receive one of the following error messages:

  • “The machine account for this computer either does not exist or is unavailable.”
  • “Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.”
  • “The following error occurred attempting to join the domain “domain.com”.

From a security point of view the default is too generous: whoever creates a computer object controls its attributes, and attacker tooling relies on exactly that to stand up rogue machine accounts. The usual hardening is to set the quota to 0 and instead delegate the right to create computer objects in a specific OU to a dedicated group of technicians (or to pre-stage the accounts).

Related article: How to Allow or Prevent Domain Users from Joining Workstations to the Domain.
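The script below is an added example (not from the original post or the linked article) of the hardened setup: read and zero the quota, find out who has already been using it, and delegate computer-object creation in one OU to a group. The domain corp.example.com, the OU Workstations and the group Workstation-Joiners are assumptions.

```powershell
# Added example: zero ms-DS-MachineAccountQuota and delegate joins explicitly.
# Assumes RSAT ActiveDirectory module, OU "Workstations", group "Workstation-Joiners".
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Read the quota that produces the errors quoted above (default 10).
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 2. Set it to 0: ordinary users can no longer create computer objects at all.
Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 3. Who created machine accounts under the quota so far? Such objects carry the
#    creator's SID in mS-DS-CreatorSID; review them, an empty list is the goal.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "$sid (unresolved)" }   # creator account deleted since
        [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; CreatedBy = $who }
    }

# 4. Delegate "Create / Delete Computer objects" on the Workstations OU only.
$ou    = "OU=Workstations,$domainDn"
$group = Get-ADGroup 'Workstation-Joiners'
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$acl = Get-Acl -Path "AD:\$ou"
foreach ($right in 'CreateChild', 'DeleteChild') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]$group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]$right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 5. Verify the delegation landed where intended and nowhere else.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*Workstation-Joiners' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Creating the object is enough for a fresh join, because the creator owns the new computer object. Re-joining a machine whose account already exists, or joining to a pre-staged account, additionally needs rights on the existing objects (Reset Password, Write Account Restrictions, and the validated writes to DNS host name and service principal name), which the Delegation of Control wizard grants in one step.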

Downgrade AD Domain And Forest Functional Level

In Windows Server 2008 R2 and Windows Server 2012 you can lower the forest and domain functional level, from 2012 to 2008 R2 or from 2008 R2 to 2008, but not below 2008. The rollback is also refused while an optional feature that depends on the higher level, such as the Active Directory Recycle Bin, is enabled, and the Recycle Bin cannot be disabled once turned on. Because a domain functional level can never be lower than the forest functional level, lower the forest first and then the domains.

This cannot be done from the GUI; you have to use PowerShell.

Related article: Step-by-step guide to lower the Active Directory functional level.
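As an added example (not from the original post or the linked article), the PowerShell sequence with the prerequisite checks in front of it; the forest and domain name corp.example.com, a current level of 2008 R2, and a second DC dc02 are assumptions.

```powershell
# Added example: check prerequisites and lower the functional levels.
# Assumes RSAT ActiveDirectory module, forest/domain corp.example.com at 2008 R2.
Import-Module ActiveDirectory

# Current levels.
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode

# Rollback is refused while an optional feature that needs the higher level is
# enabled. The Recycle Bin (RequiredForestMode Windows2008R2Forest) is the usual
# blocker and cannot be disabled once on: if its EnabledScopes is non-empty, stop.
Get-ADOptionalFeature -Filter * | Select-Object Name, RequiredForestMode, EnabledScopes

# Order matters: a domain may never sit below its forest, so forest first.
Set-ADForestMode -Identity 'corp.example.com' -ForestMode Windows2008Forest -Confirm:$false
Set-ADDomainMode -Identity 'corp.example.com' -DomainMode Windows2008Domain -Confirm:$false

# Confirm on a DC other than the one that took the change, so you also know the
# change has replicated.
Get-ADForest -Server 'dc02.corp.example.com' | Select-Object ForestMode
Get-ADDomain -Server 'dc02.corp.example.com' | Select-Object DomainMode
```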

Resetting the Directory Services Restore Mode (DSRM) Password

 

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to a domain controller when AD DS has failed or the directory database needs to be restored; in DSRM the DC behaves like a stand-alone server, and the only account that can log on is the local DSRM administrator.

The DSRM password is set when a server is promoted to a domain controller, and it is the one credential on the DC that lives outside Active Directory. It must be well documented and stored in a secure location (a password manager or a sealed envelope in the safe, not a wiki page), and it should be changed when an administrator who knew it leaves.

Related article: How to Reset Forgotten Directory Services Restore Mode Password in Active Directory (step-by-step procedure for resetting the DSRM password).

If you forget the DSRM password, you cannot boot the DC into DSRM and therefore cannot repair or restore the Active Directory (AD) database on it. The password can be reset from a normally running DC with ntdsutil, so a forgotten password is recoverable as long as you still have administrative access to the DC.
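The reset itself is two ntdsutil commands. The script below is an added example (not from the original post or the linked article) that shows both ways of resetting the password and then checks the one registry setting that decides whether the DSRM account is usable outside restore mode, on the local DC and across all DCs. The account name dsrm-sync is an assumption; run it elevated on a domain controller.

```powershell
# Added example: reset the DSRM password with ntdsutil and audit DsrmAdminLogonBehavior.
# Run elevated on a DC. The helper account dsrm-sync is an assumption.

# Option A: interactive reset on this DC ("null" = the local server);
# ntdsutil prompts for the new password twice.
ntdsutil "set dsrm password" "reset password on server null" q q

# Option B: copy a domain account's current password into DSRM, so the value
# can come from a password manager without being typed at the console. Disable
# or delete dsrm-sync again afterwards.
ntdsutil "set dsrm password" "sync from domain account dsrm-sync" q q

# Hardening check. DsrmAdminLogonBehavior controls when the DSRM administrator
# may log on: 0 or absent = only in DSRM; 1 = also while the AD DS service is
# stopped; 2 = always, even with AD DS running. Anything but 0/absent on a
# production DC turns a recovery credential into a standing local-admin account
# on the domain controller and should be treated as a finding.
function Get-DsrmLogonBehavior {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $v = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    }
    if ($null -eq $v) { 0 } else { [int]$v }
}

# All DCs from one place (needs RSAT ActiveDirectory module and PowerShell remoting).
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | ForEach-Object {
    $value = Get-DsrmLogonBehavior -ComputerName $_.HostName
    $verdict = if ($value -eq 0) { 'OK' } else { 'REVIEW: DSRM logon allowed outside restore mode' }
    '{0,-30} DsrmAdminLogonBehavior={1}  {2}' -f $_.HostName, $value, $verdict
}
```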

Remove Failed or Offline Domain Controller From Active Directory Manually

 

In an Active Directory infrastructure the proper way to remove a Domain Controller (DC) is to demote it: run dcpromo on Windows Server 2008 and 2008 R2, or Uninstall-ADDSDomainController on 2012 and later. A clean demotion transfers any FSMO roles the DC holds, removes its NTDS Settings object and DNS records, and tells the other DCs to stop replicating with it.

But there are situations, such as a server crash or a failed demotion, where the DC has to be removed from the directory manually (this is the fallback when even recovery and repair do not work). Leaving a dead DC in the directory causes replication errors, and if it held FSMO roles, RID allocation, password changes and schema updates eventually stop working.

Related articles: How To Remove Active Directory Server Manually; Clean Up Server Metadata.
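The following is an added example (not from the original post or the linked articles) of the manual cleanup from a surviving DC: seize whatever roles the dead DC held, delete its NTDS Settings object (which on 2008 R2 and later triggers the metadata cleanup that older guides walk through in ntdsutil), and then remove the leftovers that the cleanup does not touch. The names DC02 (dead), DC01 (surviving), domain corp.example.com and site Default-First-Site-Name are assumptions; the DNS step needs the DnsServer module (2012 and later).

```powershell
# Added example: manual removal of a dead DC. Assumes DC02 is gone for good,
# DC01 is a healthy writable DC, domain corp.example.com, site Default-First-Site-Name.
Import-Module ActiveDirectory
$dead  = 'DC02'
$alive = 'DC01'
$zone  = 'corp.example.com'
$domainDn = (Get-ADDomain).DistinguishedName
$siteDn   = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,$domainDn"

# 1. Seize any FSMO role the dead DC held. -Force = seize. The dead DC must NEVER
#    be brought back online afterwards, or the directory ends up with two holders.
$forest = Get-ADForest; $domain = Get-ADDomain
$held = @(
    @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
    @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster }
    @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
) | Where-Object { $_.Holder -like "$dead.*" } | ForEach-Object { $_.Role }
if ($held) {
    "Seizing $($held -join ', ') on $alive"
    Move-ADDirectoryServerOperationMasterRole -Identity $alive -OperationMasterRole $held -Force -Confirm:$false
}

# 2. Delete the NTDS Settings object: this is the metadata cleanup. The DC that
#    processes the delete removes the replication links and the server's entries
#    from the other naming contexts.
Remove-ADObject -Identity "CN=NTDS Settings,CN=$dead,CN=Servers,$siteDn" -Recursive -Confirm:$false -Server $alive
# Equivalent on a 2008 DC without the cmdlets:
# ntdsutil "metadata cleanup" "remove selected server CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" q q

# 3. Leftovers the cleanup does not remove: the server object in Sites and Services,
#    the computer account (it has child objects, so Remove-ADComputer would refuse),
#    and the host's A records. SRV records under _msdcs are scavenged by the cleanup,
#    but check the zone for CNAME/NS entries that still name the dead DC.
Remove-ADObject -Identity "CN=$dead,CN=Servers,$siteDn" -Recursive -Confirm:$false -Server $alive
Remove-ADObject -Identity (Get-ADComputer $dead -Server $alive).DistinguishedName -Recursive -Confirm:$false -Server $alive
Get-DnsServerResourceRecord -ComputerName $alive -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -eq $dead } |
    Remove-DnsServerResourceRecord -ComputerName $alive -ZoneName $zone -Force

# 4. Verify: no DC still references the dead one, and every role has a live holder.
repadmin /replsummary
dcdiag /test:knowsofroleholders
Get-ADDomainController -Filter * | Select-Object HostName, Site, OperationMasterRoles
```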

Security Groups

Windows Server 2012 R2 introduced several new technologies designed to help protect privileged credentials, among them the Active Directory Protected Users group. Members of this group cannot authenticate with NTLM, Digest or CredSSP, cannot use DES or RC4 in Kerberos pre-authentication, cannot be delegated (constrained or unconstrained), and receive Kerberos tickets that expire after four hours; their credentials are also not cached on the machines they log on to. The group is meant for administrative user accounts, not for service or computer accounts, and the domain-controller-side enforcement requires a domain functional level of Windows Server 2012 R2 or higher.

Related article: Protected Users Security Group in Active Directory.
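The practical question is which accounts are in the privileged groups but not yet in Protected Users. The script below is an added example (not from the original post or the linked article) that answers it and enrols the stragglers; the service account svc-backup used as an exclusion, and the group set chosen as tier 0, are assumptions to adapt to your own domain.

```powershell
# Added example: find privileged accounts missing from Protected Users and enrol them.
# Assumes RSAT ActiveDirectory module; the exclusion svc-backup is an assumed name.
Import-Module ActiveDirectory

# The DC-side protections need a 2012 R2 or later domain functional level.
$dfl = (Get-ADDomain).DomainMode
if ($dfl -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
    Write-Warning "Domain functional level is $dfl; Protected Users DC-side enforcement needs 2012 R2+"
}

# Candidates: user objects in the tier-0 groups. Service accounts, computer accounts
# and anything that still needs NTLM, RC4/DES Kerberos or delegation will break
# inside Protected Users, so keep an explicit exclusion list and review it.
$tier0   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$exclude = @('svc-backup')
$candidates = $tier0 | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' -and $exclude -notcontains $_.SamAccountName } |
    Sort-Object SamAccountName -Unique

$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$missing = $candidates | Where-Object { $protected -notcontains $_.SamAccountName }

'Privileged accounts not in Protected Users:'
$missing | Select-Object SamAccountName, DistinguishedName

# Enrol them. Test with one account first: from the next logon it can no longer
# use NTLM, gets a 4-hour TGT, and cannot be delegated.
foreach ($acct in $missing) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct.DistinguishedName
}

# Belt and braces: refuse RC4/DES on the accounts themselves, independent of
# group membership. 0x18 = AES128 + AES256 only.
foreach ($acct in $candidates) {
    Set-ADUser -Identity $acct.DistinguishedName -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
}
```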

Group Policy

 

Group Policy is a hierarchical infrastructure that allows a network administrator in charge of Microsoft's Active Directory to implement specific configurations for users and computers. Group Policy Objects (GPOs) are linked to sites, domains and organizational units and are applied in the order local, site, domain, OU, so the link closest to the computer or user wins unless a link higher up is marked Enforced.

Group Policy can also be used to define user, security and networking policies at the machine level: password and lockout policy, user rights, audit settings, firewall rules, software restrictions and registry values, among others.
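As an added example (not from the original post), here is the full life cycle of one security GPO with the GroupPolicy module: create it, populate it with registry-backed security options, link it to an OU, and verify on a client. The GPO name SEC-Workstation-Baseline, the OU Workstations and the domain corp.example.com are assumptions.

```powershell
# Added example: build, link and verify a baseline GPO with the GroupPolicy module.
# Assumes RSAT GroupPolicy module, OU Workstations in corp.example.com.
Import-Module GroupPolicy

$gpoName = 'SEC-Workstation-Baseline'
$target  = 'OU=Workstations,DC=corp,DC=example,DC=com'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Authentication hardening for workstations' }

# Computer-side registry policies; each corresponds to a Security Options setting:
#  NoLMHash=1             never store the LM hash of a password
#  LmCompatibilityLevel=5 send NTLMv2 only; refuse LM and NTLM as a server
#  RestrictAnonymous=1    no anonymous enumeration of SAM accounts and shares
#  RestrictAnonymousSAM=1 no anonymous enumeration of SAM accounts
$lsa = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
$settings = [ordered]@{
    NoLMHash             = 1
    LmCompatibilityLevel = 5
    RestrictAnonymous    = 1
    RestrictAnonymousSAM = 1
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $lsa -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}

# Link to the OU, not the domain root (which would also hit DCs and servers).
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }

# Read back what the GPO contains and export a report for change control.
Get-GPRegistryValue -Name $gpoName -Key $lsa | Select-Object ValueName, Type, Value
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"

# On a workstation in the OU: pull the policy and confirm it applied.
gpupdate /target:computer /force
gpresult /scope computer /r
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel   # expect 5
```

Security Options set this way live in the GPO's registry.pol rather than in the security template (GptTmpl.inf), so they show up under Administrative Templates as "Extra Registry Settings" in the report; the effect on the client is the same.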

Below is a list of important Group Policy guides that every administrator should know about.

 

I will keep updating this Active Directory guide with further topics and useful posts as they come in.


I have shared my knowledge and spent a lot of time preparing this post; if you found the article useful, don't forget to like, share and comment!

 

About Balamurugan Murugesan

Bala is one of the founders and the CEO of DoubtsClear, with over 6 years of experience in IT and expertise in Windows, Linux, VMware, server management, web hosting support, data recovery and backup, performance optimization, migration and load balancing.

Check Also

Group Policy: How To Disable RDP Access For Domain Administrator & Domain User

In our Active Directory infrastructure sometimes we may need to disable Remote Desktop (RDP) access …

2 comments

  1. Crystal clear. Techie is a techie always

  2. It’s really helpful material.

    Thank you
