So network engineers should have at least a basic level of understanding on the way it is structured to serve in an enterprise environment.
This post is just about the basic architecture concepts about ADDS.. Not an in detail explanation..
Domain Controllers
Like the Exchange servers which control email services, the Domain Controllers are the servers which control ADDS which sets security permissions in a Windows environment. Basically it is the server which the System Administrators configure to allow or block certain users or computers from accessing certain resources (emails, VPNs, applications, file servers, printers etc) in a network.
Accounts
There are 2 types of accounts in AD
1) User Accounts
2) Computer Accounts
You can set permissions / apply polices to individual Accounts or Groups.
Schema
The information regarding to User Accounts or Computer Accounts are stored in a structured way which is called a "Schema"..
Ex:- Schema for a User Account
username:
email address:
extension:
In Windows AD, this Schema is extensible / can be modified (fields can be added)..
Groups
Groups are used to apply security..
Administrators create Groups and Assign User Accounts / Computer Accounts to them and they fix policies for the Groups which effect the all members in that group.
There are 2 types of Groups.
1) Security Groups
2) Distribution Groups
Security Groups are normal Groups you will see day to day.. They are used to apply security policies.
Distribution Groups are primarily used by email applications..
Groups can be bundled and assign into some other Groups too..
Note that a same user can be in several Groups & individual Accounts can also be bundled with Groups..
These Local & Global are 2 scopes of Groups. Actually there are 3 scopes.
1) Global Groups
2) Local Groups
3) Universal Groups
Scopes are determined by 3 characteristics..
Replication - Where Group is created and where it is replicated..
Membership - What members the Group can have..
Availability - Where can the Group be used..
If you need more info about Group Scopes you can find them here.
Organizational Units (OU)
Organizational Units are Groups used to apply policy..
They are the Groups which are created for the Administrative purposes.
Which means there can be a delegated Administrator for that OU.
Domain & Sub Domains / Child Domains
Domain is all the users and all the computers which are tied to the Domain Controller's ADDS..
Sub domains / Child Domains are subsets of the parent domain. Actually a Sub Domain is a separate Domain in the same network with separate Domain Controllers but has the same Schema. Sub Domains can also have their own Sub Domains..
Ex:- google.com and it's sub domains like asia.google.com & europe.google.com
europe.google.com can have sub domains like east.europe.google.com & west.europe.google.com
Trust
When you create Sub Domains to Domains, automatically a 2-Way Trust happens.
And within those 2 Sub Domains a 2-Way Transitive Trust happens.
Which means;
google.com trusts asia.google.com and vice versa
google.com trusts europe.google.com and vice versa
Then asia.google.com trusts europe.google.com and vice versa which we call "Transitive Trust"
Trust simply means that the Admin of google.com can give permissions to a user account from asia.google.com to access resources of google.com and vice versa..
In a Transitive Trust the Admin of europe.google.com can give permissions to a user account from asia.google.com to access resources of europe.google.com and vice versa..
A user can access resources of another Domain using his username and password if the Admin of that Domain permits..
Tree
Because all Sub Domains share the same google.com name space, we call it is in a same Tree.
So a Tree is the entity you get when you add Sub Domains to a Domain.
Forest
A Forest is the entity you get when you add 2 or more Domains together with a Trust..
The difference of the Domains is the difference of the Schema..
Ex:- When google.com buys blogspot.com there is a Forest..
No comments:
Post a Comment