Sunday, January 6, 2019

Windows Server: Logical Component - Domain and Tree


What is a domain?

A domain is a logical grouping.
An AD DS domain is a logical grouping of user, computer, and group objects for the purposes of management and security. All of these objects are stored in an AD DS database, and a copy of this database is stored on every domain controller in the AD DS domain. A domain is created when you promote a server to a domain controller.
There is always at least one domain, but you could have more.
Most organizations could deploy only a single domain and ensure that all domain controllers contain all the domain information. However, organizations that have decentralized administrative structures, or that are distributed across multiple locations, might consider implementing multiple domains in the same forest to accommodate the administrative needs of their environment.
NOTE: A single domain can contain approximately 2 billion objects, so most organizations do not need to deploy multiple domains due to object limitations. Organizations that have decentralized administrative structures, or that are distributed across multiple locations, might instead implement multiple domains in the same forest.

A domain is a replication, administrative, and authentication boundary

Visual representation of the three boundaries: replication, administrative, and authentication.
A domain is a replication boundary
When changes are made to any object in the domain, the domain controller where the change was made replicates that information to other domain controllers in the domain. This is referred to as a multi-master replication model and allows every domain controller in the domain to make changes to objects in the domain.
The domain is an administrative boundary
The domain contains an Administrator account and a Domain Admins group. By default, the Administrator account is a member of the Domain Admins group, and the Domain Admins group is a member of every local Administrators group of domain-joined computers. Also, by default, the Domain Admins group members have full control over every object in the domain. 
The domain is an authentication boundary
An AD DS domain is an administrative center. It contains an Administrator account and a Domain Admins group, which both have full control over every object in the domain. Unless they are in the forest root domain, however, their range of control is limited to the domain. Password and account rules are managed at the domain level by default. The AD DS domain also provides an authentication center. All user accounts and computer accounts in the domain are stored in the domain database, and users and computers must connect to a domain controller to authenticate.
NOTE: Domains do not provide security boundaries, because all domains in the forest trust each other; the forest, not the domain, is the security boundary.

What is a domain tree?

A domain tree is contiguous
A domain tree is a collection of one or more domains that share a contiguous name space and have a parent/child relationship. A forest can consist of a single tree or of multiple trees. The idea is that a tree is the fully qualified domain name (FQDN) of a domain and all of its children. A tree serves no administrative purpose. In other words, there is no tree administrator as there is for a forest or domain.
Visual representation of a domain tree showing adatum.com with two domain trees.
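The following is an added example, not code from the original post: it rebuilds the forest's domain tree(s) from each domain's parent/child links, checks that every child's DNS name sits under its parent's (the contiguous name space rule), and lists the intra-forest trusts that are the reason the domain is not a security boundary. It assumes the ActiveDirectory (RSAT) PowerShell module in a domain-joined session; everything it does is read-only.

```powershell
# Added example (not from the original post): map the forest's domain tree(s)
# and verify the contiguous name space rule. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = foreach ($name in $forest.Domains) {
    Get-ADDomain -Identity $name |
        Select-Object DNSRoot, ParentDomain, ChildDomains
}

function Show-DomainTree {
    param([string]$DnsRoot, [int]$Depth = 0)
    $domain = $domains | Where-Object { $_.DNSRoot -eq $DnsRoot }
    ('  ' * $Depth) + $DnsRoot
    foreach ($child in $domain.ChildDomains) {
        # Tree membership is defined by the name space, so flag any break in it.
        if (-not $child.EndsWith(".$DnsRoot", [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "$child is a child of $DnsRoot but does not share its name space"
        }
        Show-DomainTree -DnsRoot $child -Depth ($Depth + 1)
    }
}

# Every domain without a parent starts a tree; the forest root is one of them,
# and any additional tree roots appear alongside it.
$treeRoots = $domains | Where-Object { -not $_.ParentDomain }
"Forest root domain: $($forest.RootDomain)"
"Domain trees in the forest: $(@($treeRoots).Count)"
foreach ($root in $treeRoots) {
    ''
    "Tree rooted at $($root.DNSRoot):"
    Show-DomainTree -DnsRoot $root.DNSRoot -Depth 1
}

# Parent/child and tree-root trusts inside a forest are two-way and transitive
# by default, which is why every domain in the forest trusts every other one.
''
'Intra-forest trusts:'
Get-ADTrust -Filter * |
    Where-Object IntraForest |
    Select-Object Source, Target, Direction, TrustType |
    Format-Table -AutoSize
```

In a forest with a single tree, the output shows one root and its children indented beneath it; a second tree root (a domain with no parent and a different DNS suffix) appears as a separate block, matching the two-tree picture above.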

What are the flexible single master operation (FSMO) roles for the domain?
Visual representation of the three FSMO roles: RID, Infrastructure, and PDC Emulator.
Only one domain controller in the domain performs each role. By default, the first domain controller in a domain fulfills all of these roles. Optionally, you can change the role holder to another domain controller within the same domain.
Relative ID (RID) Master role
The RID master plays an integral part in the generation of SIDs for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts, and therefore SIDs, a mechanism is necessary to ensure that the SIDs generated by a domain controller are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Therefore, each domain controller can be confident that the SIDs that it generates are unique.
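As an added example (not from the original post), the script below takes apart account SIDs to show the "domain SID + RID" structure that the RID master exists to keep unique. The domain SIDs and RIDs are constructed sample values; the well-known RIDs 500 (Administrator) and 512 (Domain Admins) are real Windows constants. Nothing here touches a live domain, so it runs anywhere PowerShell does.

```powershell
# Added example (not from the original post): split SIDs into domain SID + RID.
# S-1-5-21-1111111111-2222222222-3333333333 and the second domain SID below are
# constructed sample values.
$sampleSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500'    # Administrator: well-known RID 500
    'S-1-5-21-1111111111-2222222222-3333333333-512'    # Domain Admins: well-known RID 512
    'S-1-5-21-1111111111-2222222222-3333333333-1105'   # ordinary user, RID from an allocated pool
    'S-1-5-21-1111111111-2222222222-3333333333-1106'   # ordinary group, next RID in that pool
    'S-1-5-21-4000000000-3000000000-2000000000-1105'   # same RID, different domain: still unique
)

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    if (-not $sid.IsAccountSid()) { throw "$SidString is not an account SID" }
    # The RID is the final sub-authority; everything before it is the domain SID.
    $rid = [uint32]($SidString.Split('-')[-1])
    [pscustomobject]@{
        Sid       = $SidString
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = $rid
        # RIDs below 1000 are reserved for built-in principals; pools start at 1000.
        Kind      = if ($rid -lt 1000) { 'well-known' } else { 'pool-allocated' }
    }
}

$parsed = $sampleSids | ForEach-Object { Split-Sid $_ }
$parsed | Format-Table Sid, DomainSid, Rid, Kind -AutoSize

# Uniqueness: within one domain no two principals may share a RID, and across
# domains the differing domain SID keeps equal RIDs from colliding.
$dupes = $parsed | Group-Object Sid | Where-Object Count -gt 1
"Duplicate SIDs: $(@($dupes).Count)"
$parsed | Group-Object DomainSid | ForEach-Object {
    "Domain $($_.Name): RIDs $(@($_.Group.Rid | Sort-Object) -join ', ')"
}
```

The two 1105 entries illustrate the point of the RID master: the RID only has to be unique within a domain, because the domain SID prefix already separates domains from each other.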

Infrastructure Master role
In a multiple domain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group's domain updates the references.

PDC Emulator role
The PDC Emulator role performs the following crucial functions for a domain:
· Participates in special password update handling for the domain. When a user's password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC Emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible.
· Manages Group Policy updates within a domain. If you modify a GPO on two domain controllers at approximately the same time, there could be conflicts between the two versions that cannot be reconciled as the GPO replicates. To avoid this situation, the PDC Emulator acts as the default focal point for all Group Policy changes.
· Provides a master time source for the domain. Many Windows components and technologies rely on time stamps, so synchronizing time across all systems in a domain is crucial. By default, the PDC Emulator in the forest root domain is the time master for the entire forest. The PDC Emulator in each domain synchronizes its time with the forest root PDC Emulator. Other domain controllers in the domain synchronize their clocks against that domain's PDC Emulator. All other domain members synchronize their time with their preferred domain controller.
· Acts as the domain master browser. When you open the network node in File Explorer, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers. The browser service creates these two lists, called browse lists. In each network segment, a master browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The domain master browser serves to merge the lists of each master browser so that browse clients can retrieve a comprehensive browse list.
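Pulling the three domain-level roles together, here is an added example (not from the original post) that reports which domain controller holds each role and runs a read-only health check for each: remaining RID space for the RID Master, the global catalog placement rule for the Infrastructure Master, and the time source chain for the PDC Emulator. It assumes the ActiveDirectory (RSAT) module, a domain-joined session with read access to the domain, and WinRM access to the PDC Emulator for the remote w32tm query; it never moves or seizes a role.

```powershell
# Added example (not from the original post): list the domain FSMO role holders
# and check each one. Read-only; assumes the ActiveDirectory module.
Import-Module ActiveDirectory
$dom = Get-ADDomain

$roles = [ordered]@{
    'RID Master'            = $dom.RIDMaster
    'Infrastructure Master' = $dom.InfrastructureMaster
    'PDC Emulator'          = $dom.PDCEmulator
}
foreach ($role in $roles.GetEnumerator()) {
    $reachable = Test-Connection -ComputerName $role.Value -Count 1 -Quiet
    '{0,-22} {1,-40} reachable={2}' -f $role.Key, $role.Value, $reachable
}

# RID Master: how much of the domain's RID space has been handed out to pools.
# rIDAvailablePool on CN=RID Manager$ is a 64-bit value: the high 32 bits hold
# the ceiling, the low 32 bits hold the next RID that will be allocated.
$ridManagerDn = 'CN=RID Manager$,CN=System,' + $dom.DistinguishedName
$ridManager   = Get-ADObject -Identity $ridManagerDn -Properties rIDAvailablePool
$pool    = [int64]$ridManager.rIDAvailablePool
$ceiling = $pool -shr 32
$nextRid = $pool -band [uint32]::MaxValue      # 0xFFFFFFFF literal would be int32 -1
'RID space: {0:N0} of {1:N0} allocated ({2:P2})' -f $nextRid, $ceiling, ($nextRid / $ceiling)

# Infrastructure Master: its cross-domain reference updates only run when the
# role holder is not a global catalog, unless every DC in the domain is a GC.
$dcs    = Get-ADDomainController -Filter *
$imIsGc = ($dcs | Where-Object HostName -eq $dom.InfrastructureMaster).IsGlobalCatalog
$allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($imIsGc -and -not $allGc) {
    Write-Warning 'Infrastructure Master is a GC while other DCs are not; cross-domain reference updates will not run'
}

# PDC Emulator: the time hierarchy should end at it. On the forest-root PDC the
# source should be an external time server; on a child-domain PDC, the root PDC.
'PDC Emulator time source:'
Invoke-Command -ComputerName $dom.PDCEmulator -ScriptBlock { w32tm /query /source }
'This host syncs time from: ' + (w32tm /query /source)
```

The RID space figure is worth trending: a domain that allocates RIDs far faster than its account creation rate would explain (for example, through scripted bulk provisioning) is consuming a finite, non-reusable resource, and a PDC Emulator whose time source is unexpected breaks Kerberos across the whole domain once clocks drift far enough.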

Domains - Overview of Active Directory domains.

