Learning Domain Controller and Active Directory
Windows Server 2012 requires configuration of roles and services, none of which are “activated” by default on first installation and setup. All you are really given is the backbone of the server; it is up to the user to configure all of the necessary services such as Active Directory (AD), DHCP, DNS and a variety of other staple, well-known ones.
Active Directory Domain Services
(AD DS, but let’s use AD for short) is the security service. It allows us to create users, groups and organizational units (meant for administrative purposes), as well as the policies that limit and permit the use of resources. In a sense, it could be equated to chmod or access control lists on Linux. This is useful because AD authenticates and authorizes users based on policy, and it exposes LDAP for queries and modifications. Now, LDAP is not just for Active Directory, but it is one of the reasons an AD is such a powerful tool. Standing for Lightweight Directory Access Protocol, it is a network protocol, a method of communication, that runs over TCP/IP, and its strengths consist of object representation, attributes, hierarchical access, and an overall flexible and extensible information model. In addition, LDAP is a fast, efficient and scalable way to store, manage, search and retrieve data, and that data can be efficiently replicated as well!
A little more about organizational units, because they are the ones that are different and not as intuitive as users, groups and policies. Although an OU could be seen as another “group” of sorts, it is really an administrative container: it lets a designated user be given more administrative tasks over the objects within that organizational unit. So if the managers and team leaders of a marketing or accounting group also require elevated privileges, they would be placed in the respective group and organizational unit.
Whenever people try to explain what Active Directory is (or isn’t), they invariably use the analogy, “Active Directory is like a phone book.” That’s a perfectly valid analogy. After all, phone books are used to store relevant information about people, businesses, government organizations, and other entities. Likewise, Active Directory is used to store relevant information about users, computers, printers, and other entities. Compare the ability to quickly and easily look up information in a phone book with the ability to quickly and easily look up information in Active Directory, and you have a very handy – and very appropriate – metaphor.
Of course, an equally valid analogy would be to say that “Active Directory is like the file system.” The file system is composed of securable objects: you can control, to a very fine degree, the files and folders users can access, and what type of access each user is allowed. If you want to block a group of users from accessing a folder and its contents you can do so. If you want to give another group of users read-only access to that folder, you can do that as well. You can even allow User A unlimited access to the folder … well, except for this file, which User A is allowed to read, but not to modify. All of these access permissions are managed using the security descriptor attached to each file and folder.
Active Directory operates in a similar fashion. Objects stored in Active Directory – user accounts, computer accounts, what-have-you – are all securable objects: you can control, to a very fine degree, the objects users can access, and what type of access each user is allowed. Active Directory objects all have a security descriptor very similar to the security descriptor attached to files and folders.
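To make the “securable objects” point concrete, here is an added PowerShell example (not from the original post) that creates an OU and a team-lead group, delegates only the Reset Password extended right over user objects in that OU instead of broad control, and then reads the OU’s security descriptor back so the delegation can be audited. The domain lab.example, the OU and the group name are assumed placeholders.

```powershell
# Added example: delegate one administrative task over an OU, then audit it.
# Assumes the AD DS role is installed and the domain is lab.example (placeholder).
Import-Module ActiveDirectory

$domainDN = 'DC=lab,DC=example'
$ouDN     = "OU=Marketing,$domainDN"

# 1. Container for the marketing team (an OU, not a security group).
New-ADOrganizationalUnit -Name 'Marketing' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. Security group for the team leads who need a bit of elevated privilege.
New-ADGroup -Name 'Marketing Leads' -GroupScope Global -GroupCategory Security -Path $ouDN

# 3. Delegate a single extended right (Reset Password) on user objects below the OU
#    rather than adding the leads to Domain Admins or granting full control of the OU.
$leadsSid      = (Get-ADGroup 'Marketing Leads').SID
$resetPwdRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema GUID of the "user" class

$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $leadsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Read the security descriptor back. The explicit (non-inherited) ACEs are the
#    delegations actually granted on this OU, which is what an auditor wants to see.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType |
    Format-Table -AutoSize
```

Re-running step 4 periodically, and diffing its output, is a cheap way to notice delegations that were added outside your change process.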
Domain Name System (DNS)
maps fully qualified domain names (FQDNs) to IP addresses; for example, DNS resolves the name “server” to 192.168.1.1. You are not required to set up your own DNS service, but for people starting out it is recommended to just use the built-in Windows Server DNS service, and the same applies to the Windows DHCP service as well.
Dynamic Host Configuration Protocol (DHCP)
is the service that hands out dynamic network configuration, primarily IP addresses, to interfaces and hosts. Clients and users should typically be put on a dynamic IP address, but services and servers should always be given a static IP address for easier maintenance and configuration.
All of these services fall under the umbrella term domain controller (DC), which is the machine running the Windows Server OS. In my case, since I am running Windows Server 2012 R2 in a VM on my home computer, the domain controller would be that VM and, by extension, my home computer. Setting up an Active Directory lets me control and manage users, computers and groups within the network. I’m really going through the steps just to familiarize myself with the service; although I could create dummy accounts and place them into group policies, I felt that was more hassle than learning. Because the domain controller is the physical or logical machine running the Windows Server OS, it requires the utmost security: taking over the domain controller gives the attacker control of the entire Windows infrastructure. In a sense, it would be like compromising the root certificate authority; you destroy all trust in the certificate authority and all is lost. ALL OF IT.
Going through the installation process, you have to add the additional server roles: Active Directory Domain Services, DHCP Server and DNS Server. When I was adding these features and validating the roles and services being added, I ran into a couple of errors saying that no “static IP” address was found on the computer. The reason is that these services need a static IP to be queried and contacted on; if the server’s IP address is dynamic, the hosts and clients connected to it may not be able to correctly obtain an IP address or get a response to a DNS request. When the roles are installed, you are asked to complete a series of post-deployment steps, such as promoting the server to a domain controller and completing the DHCP and DNS configuration.
Regarding the promotion of the server to a domain controller, it asks whether the new AD will join an existing domain or forest, or create a new forest. Now, a forest is essentially a “workgroup” of sorts within which the AD/DC and the necessary services live. There are several arrangements: sometimes there is no forest at all and the servers and the AD/DC configuration are completely isolated; another is an isolated forest, where each of the services and their domains are separated with no means of communication; there is the forest that uses a Read-Only Domain Controller, combining two or more domain forests where only one of the DCs is actually read/writable and all the others are read-only for security purposes; lastly there is the forest trust, where there are not separate forests per domain controller but an “innate trust” that allows communication between the two forests. Domain controllers can be clustered together for fault tolerance and load balancing: by combining multiple servers into one cluster, the remaining domain controllers can share the resources and services and stay synchronized through a replication strategy. I think of the replication strategy like RAID levels, in how the data is copied and synchronized across the various domain controllers, so that users can authenticate against any of those domain controllers without problems.
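The build-out described in the last two paragraphs, as an added PowerShell script rather than anything from the original post: it checks for the static address the role wizard complained about, installs the three roles, promotes the server into a new forest, and authorizes and scopes DHCP. The interface alias Ethernet, the addresses 192.168.1.1/24 and 192.168.1.254, and the domain lab.example are assumed placeholders.

```powershell
# Added example: the post's DC build-out as a script (placeholders throughout).
$iface   = 'Ethernet'
$dcIP    = '192.168.1.1'
$gateway = '192.168.1.254'
$domain  = 'lab.example'

# 1. The role wizard fails without a static address. PrefixOrigin tells us whether
#    the current IPv4 address was set by hand ('Manual') or came from DHCP.
$static = Get-NetIPAddress -InterfaceAlias $iface -AddressFamily IPv4 |
          Where-Object PrefixOrigin -eq 'Manual'
if (-not $static) {
    Write-Warning "$iface has no static IPv4 address; assigning $dcIP"
    Set-NetIPInterface -InterfaceAlias $iface -Dhcp Disabled
    New-NetIPAddress -InterfaceAlias $iface -IPAddress $dcIP -PrefixLength 24 -DefaultGateway $gateway
}
# A DC should resolve names through its own DNS service once that role is installed.
Set-DnsClientServerAddress -InterfaceAlias $iface -ServerAddresses $dcIP

# 2. The three roles the post installs, plus their management tools (RSAT and PowerShell modules).
Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP -IncludeManagementTools

# 3. Promote to a domain controller in a new forest (the "create a new forest" choice).
#    The Directory Services Restore Mode password is prompted for, never hard-coded.
Import-Module ADDSDeployment
Install-ADDSForest -DomainName $domain -DomainNetbiosName 'LAB' -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# The server reboots here; run the remaining steps after it comes back up as a DC.

# 4. DHCP: authorize this server in AD (an unauthorized DHCP server in a domain stays silent),
#    then publish a scope for dynamic clients that points them at the DC for DNS.
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$domain" -IPAddress $dcIP
Add-DhcpServerv4Scope -Name 'LAN clients' -StartRange 192.168.1.100 -EndRange 192.168.1.200 -SubnetMask 255.255.255.0
Set-DhcpServerv4OptionValue -DnsServer $dcIP -Router $gateway -DnsDomain $domain
```

The scope deliberately starts at .100 so the lower part of the subnet stays free for the statically addressed servers the post recommends.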