[00:00:00,640] Active Directory has been around since Windows 2000 Server. Way back in 1999 Microsoft introduced this. Prior to Active Directory, we had the Windows NT flat domain space. Active Directory as an LDAP store just has so many advantages. We need to review now the logical and physical components of Active Directory.

[00:00:20,640] Logical components begin with the forest. This is the outermost authentication boundary of your environment. Businesses that are truly siloed may decide to have multiple forests and optionally build trusts between those forests. This is, as I said, the topmost, outermost ring of the Active Directory ecosystem. The forest consists of one or more domain trees and individual domains. The domain, again, is a security boundary within the forest. And we'll see as we go on in this module and the next module, in particular, the trust relationships that are defined by default within a domain tree. The tree signifies a hierarchical structure, and that's absolutely true, as we'll see.

[00:01:02,420] The schema is a forest‑wide construct that refers to the specific rules and regulations of your forest in Active Directory, in particular. In other words, what are the allowed properties or attributes for all of your Active Directory objects? Your users all have a number of schema properties, so do your groups, your computer accounts. We can extend the Active Directory schema in the forest, but we've never been able to delete the modified schema. You can deactivate a schema extension, but you can't remove it, so it's obviously a very highly privileged task, indeed.

[00:01:36,890] An Active Directory partition is a way to subdivide what is replicated among your Active Directory domain controllers. This isn't as big of an issue as it was, say, 15 years ago. Nowadays, high‑speed network access, both local area network, wide area network, and the internet, is almost a given. But this used to be much more of an issue, to where if you had multiple sites with domain controllers in each site, you might have low‑speed connectivity to some sites, so you'd want to modify the volume of data that's being replicated. We still do have that ability to control domain controller replication by using these built‑in, as well as administrator custom‑defined, application partitions in the Active Directory database.

[00:02:23,280] The organizational unit represents a container that's used for organizational purposes, obviously, of your user, group, and computer accounts, but also it's central for delegated administration. You may want to give your support staff, for instance, or a delegated manager certain privileges, not to everybody in your Active Directory domain, but just a subset of users or groups. This could be done at the organizational unit, or OU, level. A container is a parent object, and normally we've got a couple. There's more than just Users and Computers, but those are the main ones that you cannot really do much with. They're just built‑in containers that serve as a default store for your user and computer accounts. But you'll absolutely want to create an organizational unit structure and move those accounts into those OUs. Another thing I almost forgot to mention is Group Policy‑based management, whereas we can link Group Policy Objects, or GPOs, to organizational units, we cannot do so on those containers.

[00:03:24,340] So that was the logical structure of Active Directory. Physically, the physical components would be your domain controllers. These don't have to be physical servers, they could be virtual machines, but you need to think physically about where those domain controllers are placed and the Ethernet networks and subnets they're on, as well as their connectivity throughout your local site, as well as other sites in your infrastructure.

[00:03:47,740] The Read‑Only Domain Controller, or RODC, or R‑O‑D‑C, is a specialized kind of domain controller that has a read‑only copy of the Active Directory database. We'll talk more about RODCs later.

[00:04:00,240] The global catalog is essentially a lookup service. Again, times have changed, where nowadays it's recommended, Microsoft recommends, that unless you have a compelling reason not to do it, you should have just a single domain in your forest and enable the global catalog on all of your domain controllers. The global catalog contains a partial attribute set of all of the objects across your entire forest. The global catalog is an important service because it needs to be available to process logons and to enumerate a user's group memberships. But if you're enabling the global catalog on every domain controller, you have that base covered.

[00:04:39,100] A data store refers to the SYSVOL directory where you can replicate file system objects like logon scripts among domain controllers.

[00:04:47,690] A site refers to a physical collection of high‑speed links. So if your business is centered in Chicago, let's say, in the States, in one building, pretty easy. You've got one collection of subnets, but then you have a branch office in Los Angeles. Now, depending upon how you're connecting those offices together, there may be enough bandwidth to where you still could do a single site, but you have the ability in Active Directory to model the physical infrastructure of your network and then control the scope of replication that happens among those sites. Because we want to think about, as your domain controllers are working from day to day, you've got administrators creating, modifying, and deleting objects, and your domain controllers need to be able to share those updates so that all of those DCs are in sync with each other.

[00:05:32,900] Lastly, within the site, we have our IP subnets. Now, don't worry, the AZ‑800 and 801 don't get into the weeds with IPv4 subnetting. That isn't the scope here. There is one certification now, AZ‑700 is the exam; it's the Azure Network Engineer certification. That one does a deep dive into subnetting and IP, but here we're just concerned more from a higher‑level perspective.

[00:05:58,370] As I mentioned, the Active Directory forest is the outermost isolation layer in Active Directory. Now, for some businesses that are siloed, where they want to manage their own users and groups but still keep central administration, you might have a single forest with multiple domains. You see, for instance, on the left side of the slide we have a forest root domain. This is the first domain that's deployed in a new forest. And then we have a child domain, and notice the DNS‑like naming syntax. That was a big change that Microsoft gave us when they invented Active Directory, this using DNS for name resolution, and then you have this hierarchical structure with your domains. So the multi‑domain single forest model gives a certain level of isolation, but you still have that trust relationship between the child and the forest root domain, in this case. You might have a single forest with multiple domain trees. That happens a lot of times with migrations and domain consolidations.

[00:06:55,160] But Microsoft's official guidance nowadays, in 2021, 2022, is that because a single Active Directory domain can scale to billions of objects, or at least a billion, I think, at last check, unless you have hard and fast isolation and administration boundaries, you might just want to simplify and stay with a single domain, single forest. Now, it is certainly eminently possible to have multiple forests within a single organization and optionally build trust relationships between them for resource sharing and selective authentication, this kind of thing. Again, this is appropriate sometimes when a business has separate business units, maybe through an acquisition where the acquired company is going to keep or retain its existing forest, at least for the time being. There are tools available you can use to migrate domains out of one forest and into another, but 800 doesn't get into that; 801 does.
132 00:06:55,160 --> 00:06:57,770 But Microsoft's official guidance nowadays, 133 00:06:57,770 --> 00:06:59,920 in 2021, 2022, 134 00:06:59,920 --> 00:07:03,120 is that because a single Active Directory domain can scale to 135 00:07:03,120 --> 00:07:05,150 billions of objects, or at least a billion, 136 00:07:05,150 --> 00:07:06,540 I think, at last check, 137 00:07:06,540 --> 00:07:10,700 unless you have hard and fast isolation and administration boundaries, 138 00:07:10,700 --> 00:07:13,840 you might just want to simplify and stay with a single domain, 139 00:07:13,840 --> 00:07:14,890 single forest. 140 00:07:14,890 --> 00:07:15,160 Now, 141 00:07:15,160 --> 00:07:19,500 it is certainly eminently possible to have multiple forests within a single 142 00:07:19,500 --> 00:07:23,330 organization and optionally build trust relationships between them for 143 00:07:23,330 --> 00:07:25,580 resource sharing and selective authentication, 144 00:07:25,580 --> 00:07:26,840 this kind of thing. 145 00:07:26,840 --> 00:07:32,290 Again, this is appropriate sometimes when a business has separate business units, 146 00:07:32,290 --> 00:07:35,490 maybe through an acquisition where the acquired company is 147 00:07:35,490 --> 00:07:38,200 going to keep or retain its existing forest, 148 00:07:38,200 --> 00:07:39,630 at least for the time being. 149 00:07:39,630 --> 00:07:42,840 There are tools available you can use to migrate domains 150 00:07:42,840 --> 00:07:49,000 out of one forest and into another, but 800 doesn't get into that, 801 does.