Summary of "Active Directory Domain Service Deep Dive"
This video provides a comprehensive technical overview of Active Directory Domain Services (AD DS), focusing on its architecture, core components, protocols, and operational features. It contrasts AD DS with Azure AD and explains key concepts, practical configurations, and troubleshooting tools.
Key Technological Concepts and Features
- Active Directory Domain Services (AD DS) Overview
- AD DS is the core service usually meant by "Active Directory". Introduced in Windows 2000, it replaced the NT single-master PDC/BDC model with a multi-master, LDAP-accessible directory that serves as the central identity store.
- It manages domains, users, groups, computers, and policies centrally, enabling machines to join a domain and authenticate using domain credentials.
- Directory Structure and Schema
- AD DS uses an X.500 hierarchical structure with Organizational Units (OUs) to organize objects like users, groups, and computers.
- Each object has a unique Distinguished Name (DN) reflecting its position in the hierarchy.
- The schema defines object classes and attributes (blueprint of AD), is forest-wide, extensible but protected, and can be managed via the Active Directory Schema MMC snap-in.
- Protocols for Access and Authentication
- LDAP (Lightweight Directory Access Protocol) is used for querying and modifying directory data over TCP 389 (LDAPS on 636; the Global Catalog answers on 3268/3269). AD supports LDAP v3 with backward compatibility for v2 clients.
- DNS is critical: clients locate Domain Controllers and services through SRV records (for example _ldap._tcp.dc._msdcs.<domain>) that DCs register by dynamic update, so DNS is usually hosted on the DCs themselves in AD-integrated zones. A DC whose SRV records are missing is effectively invisible to clients.
- Authentication uses Kerberos (preferred), with NTLM kept for legacy and fallback cases. With Kerberos the DC acts as Key Distribution Center: it issues a Ticket Granting Ticket at logon and then a service ticket for each resource, identified by its Service Principal Name (SPN); resources addressed by IP or without a registered SPN fall back to NTLM.
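The DC locator, LDAP and Kerberos steps above, as an added example that is not part of the video. It runs on any domain-joined Windows host with no extra modules; the domain name is taken from the environment, which is an assumption.

```powershell
# Added example (not from the video): locate DCs through DNS SRV records, read the
# LDAP rootDSE, then inspect the Kerberos tickets held by the current logon session.
# Assumption: the host is domain-joined, so $env:USERDNSDOMAIN holds the domain name.
$Domain = $env:USERDNSDOMAIN   # e.g. corp.example.com

# 1. DC locator: the SRV records clients use to find DCs, KDCs, the PDC emulator and GCs.
$srv = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # every DC offering LDAP
    "_kerberos._tcp.dc._msdcs.$Domain",  # every KDC
    "_ldap._tcp.pdc._msdcs.$Domain",     # PDC emulator only
    "_gc._tcp.$Domain"                   # global catalogs
)
foreach ($name in $srv) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n='Record';e={$name}}, NameTarget, Port, Priority, Weight
}

# 2. rootDSE: the anonymously readable summary every LDAP client starts from.
#    supportedLDAPVersion lists 3 and 2; supportedSASLMechanisms shows how a bind
#    can be authenticated (GSSAPI / GSS-SPNEGO means Kerberos is on offer).
$rootDse = [ADSI]"LDAP://RootDSE"
[pscustomobject]@{
    DnsHostName           = $rootDse.dnsHostName.Value
    DefaultNamingContext  = $rootDse.defaultNamingContext.Value
    SupportedLdapVersions = ($rootDse.supportedLDAPVersion -join ', ')
    SaslMechanisms        = ($rootDse.supportedSASLMechanisms -join ', ')
}

# 3. Kerberos: after an interactive logon a TGT (krbtgt/<REALM>) should be cached, and
#    one service ticket per SPN the session has used. A resource reached by IP address
#    leaves no ticket here because the client fell back to NTLM for it.
klist tgt
klist | Select-String -Pattern 'Server:'
```

If step 1 returns nothing for `_ldap._tcp.dc._msdcs`, the client cannot find a DC at all, whatever the A records say; that is the first thing to check when domain logons fail.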
- Group Policy and Delegation
- Group Policy Objects (GPOs) are linked at domain or OU levels to enforce or configure settings on users and computers.
- OUs enable delegation of administrative rights, allowing granular control over subsets of objects.
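Linking a GPO at OU scope and auditing what has been delegated on that OU, as an added example that is not from the video. It assumes RSAT (the ActiveDirectory and GroupPolicy modules); the OU distinguished name and GPO name are placeholders.

```powershell
# Added example (not from the video): link a GPO to an OU, show the resulting link
# order, and list the delegations (non-inherited ACEs) on the OU with extended-right
# GUIDs resolved to names. Assumes RSAT; $ouDn and $gpoName are placeholders.
Import-Module ActiveDirectory, GroupPolicy
$ouDn    = "OU=Workstations,DC=corp,DC=example"   # assumption
$gpoName = "Workstation Baseline"                 # assumption

# Link at OU scope and enforce it so a child OU cannot block inheritance.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Enforced Yes

# Effective link order on the OU (lower Order wins when settings conflict).
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Extended rights (e.g. "Reset Password") are defined in the configuration partition;
# build a GUID -> name table so object-specific ACEs become readable.
$rootDse = Get-ADRootDSE
$rights  = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $rights[[guid]$_.rightsGuid] = $_.displayName }

# Delegation lives in the OU's security descriptor. Anything set directly on the OU
# (not inherited) by a non-default principal is a delegation somebody has to own.
$defaults = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
            'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        -not $_.IsInherited -and
        $defaults -notcontains $_.IdentityReference.Value -and
        $_.IdentityReference.Value -notmatch '\\(Domain Admins|Enterprise Admins)$'
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{n='Right'; e={
            if ($_.ObjectType -eq [guid]::Empty) { 'All' }
            elseif ($rights.ContainsKey($_.ObjectType)) { $rights[$_.ObjectType] }
            else { $_.ObjectType }   # unresolved = an attribute/class schemaIDGUID
        }}
```

A GUID that stays unresolved in the Right column is an attribute or class GUID rather than an extended right; look it up by schemaIDGUID in the schema partition. GenericAll, WriteDacl or WriteOwner granted to a non-admin group on an OU full of computers is worth the same scrutiny as Domain Admins membership.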
- Domain Controllers (DCs) and Replication
- DCs are Windows Servers running the AD DS role, each holding a full writable copy of the domain database (ntds.dit, by default under %SystemRoot%\NTDS) plus the SYSVOL share that carries Group Policy templates and logon scripts.
- Multiple DCs provide scalability, resiliency, and performance, especially across physical locations; a single DC is a single point of failure for every domain logon.
- Replication is multi-master and bi-directional, managed by the Knowledge Consistency Checker (KCC): within a site the KCC builds a ring with shortcut connections, and between sites the Inter-Site Topology Generator (ISTG) builds a least-cost spanning tree over the site links.
- Flexible Single Master Operations (FSMO) Roles
- Operations that cannot safely be multi-master are assigned to one DC each as FSMO roles: three per domain (PDC Emulator, RID Master, Infrastructure Master) and two per forest (Schema Master, Domain Naming Master).
- Roles can be transferred between DCs for maintenance or failure scenarios; if the holder is permanently lost the role must be seized instead, and the old holder must never be reconnected afterwards.
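Listing the role holders, checking they answer, and transferring roles, as an added example that is not from the video. It assumes RSAT and Enterprise Admins rights; the DC name is a placeholder.

```powershell
# Added example (not from the video): report the five FSMO holders with a reachability
# check, then transfer (or, commented out, seize) roles. Assumes RSAT; "DC02" is a placeholder.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

$roles = [ordered]@{
    # forest-wide (one holder in the whole forest)
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    # domain-wide (one holder per domain)
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# An unreachable holder is the case where a transfer fails and a seizure is needed.
$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Role      = $_.Key
        Holder    = $_.Value
        Reachable = Test-NetConnection -ComputerName $_.Value -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}

# Graceful transfer (current holder online): move PDC Emulator and RID Master to DC02.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure (current holder permanently gone): same cmdlet with -Force. Never let the old
# holder back on the network afterwards; two RID Masters can hand out duplicate SIDs.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole RIDMaster -Force

# Cross-check with the classic tool.
netdom query fsmo
```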
- Read-Only Domain Controllers (RODCs)
- RODCs receive replication uni-directionally (nothing is written back) and cache only the credentials their Password Replication Policy (PRP) allows; by default privileged accounts are denied. They are designed for branch offices and other locations with weaker physical security.
- They prevent write operations and limit exposure if compromised: an attacker who obtains the RODC's disk gets only the cached secrets, which can be enumerated and reset from the hub site.
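Enumerating RODCs, their PRP, and the credentials actually cached on them, as an added example that is not from the video. It assumes RSAT; the list of privileged group names is the author's choice, not something the video specifies.

```powershell
# Added example (not from the video): for every RODC, show the PRP allow/deny entries,
# count the accounts whose secrets are currently cached, and flag any cached account
# that belongs to a privileged group. Assumes RSAT; $privileged is an assumption.
Import-Module ActiveDirectory
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'

# Every RODC in the domain (replication to them is one-way).
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
$rodcs | Select-Object HostName, Site, OperatingSystem

foreach ($rodc in $rodcs) {
    $name = $rodc.HostName
    # Allowed: may be cached. Denied: never cached, and Denied wins over Allowed.
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $name -Allowed
    $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $name -Denied
    # Revealed: secrets stored on this RODC right now, i.e. the blast radius of a theft.
    # The RODC's own computer account and its krbtgt_<id> account are always present.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $name -RevealedAccounts)

    [pscustomobject]@{
        RODC          = $name
        Allowed       = ($allowed | ForEach-Object Name) -join ', '
        Denied        = ($denied  | ForEach-Object Name) -join ', '
        RevealedCount = $revealed.Count
    }

    # Any privileged account cached here means the default deny group was overridden.
    foreach ($acct in $revealed) {
        $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
                  ForEach-Object Name
        if ($groups | Where-Object { $privileged -contains $_ }) {
            [pscustomobject]@{ RODC = $name; CachedPrivilegedAccount = $acct.Name }
        }
    }
}
```

After a suspected RODC theft, the revealed list is exactly the set of accounts to reset; AD Users and Computers offers the same "reset all passwords" action when you delete the RODC's computer account.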
- Global Catalog (GC)
- GCs hold a full copy of their own domain partition plus a partial attribute set (PAS) of every other domain in the forest, and answer forest-wide searches on port 3268 (3269 over TLS); logons in multi-domain forests need a GC to expand universal group membership.
- Typically, one GC per site avoids WAN round trips for users; in a single-domain forest every DC can safely be a GC.
- Domains, Trees, and Forests
- A domain is a replication boundary for the domain partition and an administrative boundary, with its own database; it is not a security boundary, because a compromised DC in any domain can compromise the whole forest.
- A tree is a contiguous DNS namespace of domains joined by two-way transitive parent-child trusts.
- A forest is a collection of one or more trees sharing one schema and configuration partition, linked by transitive tree-root trusts; the forest is the security boundary.
- Partitions in AD
- AD data is stored in three main partitions (naming contexts):
- Domain partition (per domain: users, groups, computers, OUs)
- Configuration partition (forest-wide: sites, subnets, site links, replication topology)
- Schema partition (forest-wide blueprint)
- AD-integrated DNS adds application partitions (DomainDnsZones, ForestDnsZones) with their own replication scope.
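The partitions a DC hosts, the attributes that make up the Global Catalog's partial attribute set, and a query against a GC on port 3268, as one added example covering both the Global Catalog and the partitions sections; it is not from the video. It assumes RSAT and a domain-joined host; the attribute names probed are real AD attributes, and which of them are in the PAS is read from the schema rather than assumed.

```powershell
# Added example (not from the video): classify the naming contexts held by this DC,
# read the partial attribute set from the schema partition, and search a GC on 3268.
# Assumes RSAT and a domain-joined host.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Every partition replicated to this DC. Besides domain/configuration/schema there are
# usually the DomainDnsZones / ForestDnsZones application partitions for AD-integrated DNS.
function Get-PartitionKind([string]$nc) {
    if     ($nc -eq $rootDse.schemaNamingContext)        { 'schema (forest-wide)' }
    elseif ($nc -eq $rootDse.configurationNamingContext) { 'configuration (forest-wide)' }
    elseif ($nc -eq $rootDse.defaultNamingContext)       { 'domain' }
    elseif ($nc -like 'DC=DomainDnsZones,*' -or $nc -like 'DC=ForestDnsZones,*') { 'application (DNS)' }
    else                                                 { 'other application partition' }
}
$rootDse.namingContexts | ForEach-Object {
    [pscustomobject]@{ NamingContext = $_; Kind = Get-PartitionKind $_ }
}

# The PAS is defined in the schema: attributeSchema objects flagged
# isMemberOfPartialAttributeSet=TRUE replicate to every GC in the forest.
$pas = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName | ForEach-Object lDAPDisplayName
foreach ($attr in 'sAMAccountName', 'userPrincipalName', 'member', 'description', 'employeeID') {
    [pscustomobject]@{ Attribute = $attr; InGlobalCatalog = ($pas -contains $attr) }
}

# Query a GC directly. Port 3268 searches the whole forest without referrals; for
# objects from other domains, attributes outside the PAS come back empty here even
# though they exist on the object's home-domain DCs.
$gc = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
Get-ADUser -Server "${gc}:3268" -LDAPFilter '(userPrincipalName=*)' -ResultSetSize 5 `
    -Properties sAMAccountName, employeeID |
    Select-Object DistinguishedName, sAMAccountName, employeeID
```

Adding an attribute to the PAS (the "Replicate this attribute to the Global Catalog" box in the Schema snap-in) changes replication traffic for every GC in the forest, which is one reason schema changes are gated behind Schema Admins.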
- Sites, Subnets, and Replication Topology
- Sites represent physical or logical locations defined by IP subnets.
- Site links define replication paths with associated costs and schedules, influencing replication efficiency and client DC affinity.
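Mapping sites, subnets and site links, and finding clients that no subnet covers, as an added example that is not from the video. It assumes RSAT; the DC name in the netlogon.log path is a placeholder.

```powershell
# Added example (not from the video): list sites with their DCs, subnet-to-site mapping,
# site links with cost and interval, the site this host resolves to, and client IPs that
# matched no subnet (logged by DCs as NO_CLIENT_SITE). Assumes RSAT; DC01 is a placeholder.
Import-Module ActiveDirectory

# Helper: first RDN of a DN, e.g. "CN=Paris,CN=Sites,..." -> "Paris".
function Get-Rdn([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

# Sites and the DCs that serve them.
Get-ADReplicationSite -Filter * | ForEach-Object {
    [pscustomobject]@{
        Site = $_.Name
        DCs  = (Get-ADDomainController -Filter "Site -eq '$($_.Name)'" | ForEach-Object Name) -join ', '
    }
}

# Subnet -> site. A subnet with an empty Site is defined but not assigned.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name, @{n='Site'; e={ if ($_.Site) { Get-Rdn $_.Site } }}

# Site links: Cost drives the ISTG's least-cost spanning tree, the interval and
# schedule drive replication latency between the linked sites.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { Get-Rdn $_ }) -join ' <-> ' }}

# Which site does this host land in, and which DC did the locator pick for it?
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN

# Clients whose IP matches no subnet get no site affinity and may authenticate across
# the WAN. DCs record them in netlogon.log; pull the distinct IPs from one DC's copy.
$log = '\\DC01\admin$\debug\netlogon.log'   # assumption: default log location on DC01
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[2].Value } |
        Sort-Object -Unique
}
```

Each IP from the last step belongs in a subnet object assigned to the right site; until then those clients pick DCs more or less at random.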
- Domain and Forest Functional Levels
- Functional levels control which AD features are available and cannot be raised above the oldest Windows Server version running on any DC in the domain or forest.
- Raising functional levels unlocks new features (e.g., AD Recycle Bin at Windows Server 2008 R2 forest level); treat the change as one-way and verify every DC's OS first.
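Checking the current levels, confirming every DC qualifies, raising the levels and enabling the Recycle Bin, as an added example that is not from the video. It assumes RSAT and Enterprise Admins rights; the target levels are placeholders.

```powershell
# Added example (not from the video): show functional levels and DC operating systems,
# raise the levels with confirmation, enable the AD Recycle Bin, and list what it
# would let you restore. Assumes RSAT and Enterprise Admins; target levels are placeholders.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"

# The level cannot exceed the oldest DC, so list them oldest first before deciding.
Get-ADDomainController -Filter * | Sort-Object OperatingSystem |
    Select-Object Name, Site, OperatingSystem, IsReadOnly

# Lowering is possible only on 2008 R2 and later, and only while no level-dependent
# feature (such as the Recycle Bin) is enabled, so treat the raise as one-way.
Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain -Confirm:$true   # assumption
Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest -Confirm:$true   # assumption

# Recycle Bin: needs forest level >= 2008 R2 and cannot be turned off again.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

# With it on, deleted objects keep their attributes and links and can be restored intact.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects `
    -Properties LastKnownParent, whenChanged |
    Select-Object Name, LastKnownParent, whenChanged
# Restore-ADObject -Identity <ObjectGUID from the list above>
```

Without the Recycle Bin a deleted object is a tombstone stripped of most attributes, and restoring it means an authoritative restore from backup; that is the practical reason to enable the feature as soon as the forest level allows.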
- Tools and Monitoring
- Tools like ADSI Edit, dcdiag, repadmin, and DNS Manager help manage and troubleshoot AD.
- Microsoft Defender for Identity and Azure AD Connect Health provide security monitoring and health insights for on-premises AD and for environments that sync to Azure AD (now Microsoft Entra ID).
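A replication and DC health sweep with repadmin, dcdiag and the ActiveDirectory cmdlets, as an added example that is not from the video. It assumes RSAT and a DC or admin host in the domain; the object examined for replication metadata is the built-in Administrator account.

```powershell
# Added example (not from the video): summarise replication health, surface failing links,
# check that one object's attribute converged on every DC, and run targeted dcdiag tests.
# Assumes RSAT and that the host can reach every DC on LDAP/RPC.
Import-Module ActiveDirectory

# One page for the whole forest: per-DC failure counts and largest replication delta.
repadmin /replsummary

# Inbound links for every DC, parsed from CSV so failures can be filtered programmatically.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Time', 'Last Failure Status'

# The same data through the cmdlet, which is easier to feed into monitoring.
Get-ADReplicationFailure -Target $env:USERDNSDOMAIN -Scope Domain |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# Convergence check: pwdLastSet of Administrator must show the same Version and
# originating DC on every DC; a lagging DC has not received the last password change.
$obj = 'CN=Administrator,CN=Users,' + (Get-ADDomain).DistinguishedName
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationAttributeMetadata -Object $obj -Server $_.HostName -Properties pwdLastSet |
        Select-Object @{n='DC'; e={$_.Server}}, AttributeName, Version,
                      LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}

# Raw metadata for the same object: which DC originated the last change of each attribute.
repadmin /showobjmeta . $obj | Select-String 'pwdLastSet|unicodePwd|member'

# dcdiag: name the tests so a failure stands out instead of scrolling past in the full run.
dcdiag /test:DNS /test:Replications /test:Services /test:SysVolCheck /q
```

`/q` prints only failures, so an empty dcdiag section is the good outcome. The originating-DC column from the metadata is also the fastest way to answer "which DC did this change come from" during an incident.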
Practical Guidance and Tutorials Provided
- Explanation of how to install and promote Domain Controllers (using Server Manager and the dcpromo process; on Windows Server 2012 and later dcpromo is deprecated in favour of the AD DS Deployment cmdlets such as Install-ADDSDomainController).
- How to view and interpret
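Promoting a member server to an additional Domain Controller with the AD DS Deployment cmdlets, as an added example that is not from the video. Domain name, site name, paths and the account used are placeholders; it must run elevated on the server being promoted.

```powershell
# Added example (not from the video): install the AD DS role, run the prerequisite check,
# and promote the server as an additional DC (with DNS) in an existing domain.
# Assumptions: $domainName, $siteName and the D:\ paths are placeholders; run elevated.
$domainName = 'corp.example'     # assumption
$siteName   = 'Branch-01'        # assumption: an existing site
$cred       = Get-Credential "$domainName\Administrator"   # a Domain Admins account
$dsrm       = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# 1. Role binaries plus the RSAT management tools.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Prerequisite check only; reports what the wizard would complain about, changes nothing.
Test-ADDSDomainControllerInstallation -DomainName $domainName -Credential $cred `
    -SiteName $siteName -InstallDns -SafeModeAdministratorPassword $dsrm

# 3. Promotion. -InstallDns makes it a DNS server for the AD-integrated zones.
#    The DSRM password is the only credential that opens this DC offline, so it belongs
#    in the password vault, not in the change ticket. The server reboots when done.
Install-ADDSDomainController -DomainName $domainName -Credential $cred `
    -SiteName $siteName -InstallDns -SafeModeAdministratorPassword $dsrm `
    -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' -Force

# 4. After the reboot, confirm it advertises and replicates before pointing clients at it.
# Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object HostName, Site, IsGlobalCatalog
# dcdiag /test:Advertising /test:Replications /q
```

Putting ntds.dit and SYSVOL on a separate volume keeps a database growth event from filling the system drive; it is optional, but the paths must exist before promotion.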