Active Directory Domain Services Overview

Applies To: Windows Server 2008, Windows Server 2008 R2

By using the Active Directory® Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and you can provide support for directory-enabled applications, such as Microsoft® Exchange Server.

In the following sections, learn more about AD DS, features in AD DS, and software and hardware considerations. For more information about planning, deploying, and operating the AD DS server role, see Active Directory Domain Services (https://go.microsoft.com/fwlink/?LinkID=48547).

What is the AD DS server role?

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

Organizing network elements into a hierarchical containment structure provides the following benefits:

  • The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, which is known as the forest root domain.

  • Additional domains can be created in the forest to provide partitioning of AD DS data, which enables organizations to replicate data only where it is needed. This makes it possible for AD DS to scale globally over a network that has limited available bandwidth. An Active Directory domain also supports a number of other core functions that are related to administration, including network-wide user identity, authentication, and trust relationships.

  • OUs simplify the delegation of authority to facilitate the management of large numbers of objects. Through delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects to a number of people who are trusted to perform management tasks.

Features in AD DS

Security is integrated with AD DS through logon authentication and access control to resources in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can also use a single network logon to access resources anywhere in the network. Policy-based administration eases the management of even the most complex network.

Additional AD DS features include the following:

  • A set of rules, the schema, that defines the classes of objects and attributes that are contained in the directory, the constraints and limits on instances of these objects, and the format of their names.

  • A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to find directory information, regardless of which domain in the directory actually contains the data.

  • A query and index mechanism, so that objects and their properties can be published and found by network users or applications.

  • A replication service that distributes directory data across a network. All writable domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.

  • Operations master roles (also known as flexible single master operations or FSMO). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and eliminate conflicting entries in the directory.

Identity Management for UNIX

Identity Management for UNIX is a role service of AD DS that can be installed only on domain controllers. Two Identity Management for UNIX technologies, Server for NIS and Password Synchronization, make it easier to integrate computers running Microsoft Windows® into your existing UNIX enterprise. AD DS administrators can use Server for NIS to manage Network Information Service (NIS) domains. Password Synchronization automatically synchronizes passwords between Windows and UNIX operating systems.

New AD DS features in this version of Windows Server 2008

This version of Windows Server includes the new AD DS features that are described in the following table.

Feature Description

Active Directory Administrative Center

Active Directory Administrative Center provides users and network administrators with an improved data management experience and a rich graphical user interface (GUI) to perform common Active Directory object management tasks. Built on Windows PowerShell™ technology, Active Directory Administrative Center makes it possible for users and network administrators to administer directory service objects through both data-driven navigation and task-oriented navigation.

Active Directory module for Windows PowerShell

The Active Directory module for Windows PowerShell is a command-line interface that administrators can use to configure and diagnose all instances of Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) in their environments.

This feature includes a set of Windows PowerShell cmdlets and a provider. The provider exposes the Active Directory database through a hierarchical navigation system, which is very similar to the file system. As with drives in a file system (C:, D:), you can connect Windows PowerShell drives to Active Directory domains and AD LDS instances, as well as Active Directory snapshots.

Active Directory Recycle Bin

Active Directory Recycle Bin minimizes directory service downtime by improving the ability to preserve and restore accidentally deleted Active Directory objects without having to restore Active Directory data from backups, restart AD DS, or restart domain controllers. When Active Directory Recycle Bin is enabled, all link-valued and non-link-valued attributes of the deleted objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had within and across domains immediately before deletion. Active Directory Recycle Bin is functional for both AD DS and AD LDS environments.

Active Directory Recycle Bin requires the Windows Server 2008 R2 forest functional level, and it is disabled by default. To enable it, you can use Ldp.exe or the Windows PowerShell Enable-ADOptionalFeature cmdlet.

Active Directory Web Services (ADWS)

ADWS is a Windows service that provides a Web service interface to AD DS and AD LDS directory service instances and to Active Directory snapshots that are running on the same Windows Server 2008 R2 server as ADWS. ADWS is installed automatically when you add the AD DS or AD LDS server roles to your Windows Server 2008 R2 server.

Authentication Mechanism Assurance

Authentication Mechanism Assurance packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.

Authentication Mechanism Assurance requires the Windows Server 2008 R2 domain functional level.

Offline domain join

An offline domain join is a new process that computers running Windows® 7 or Windows Server 2008 R2 can use to join a domain. The offline domain join process can complete the domain join operation without network connectivity.

Installing the AD DS server role

After you finish installing the operating system, you can use Initial Configuration Tasks or Server Manager to install server roles. To install the AD DS server role, click Add roles to start the Add Roles Wizard, and then click Active Directory Domain Services. Follow the steps in the Add Roles Wizard to install the files for the AD DS server role. After you complete the Add Roles Wizard, click the link to start the Active Directory Domain Services Installation Wizard.

Follow the steps in the Active Directory Domain Services Installation Wizard to complete the installation and configuration of your domain controller. Most wizard pages have a Help link for more information about the settings that you can configure.

To automate domain controller installations, you can use an answer file or you can specify unattended installation parameters at the command line. For more information about installing AD DS, see the AD DS Installation and Removal Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=110897).

Managing the AD DS server role

You can manage server roles with Microsoft Management Console (MMC) snap-ins. To manage a domain controller (that is, a server that is running AD DS), click Start, click Control Panel, click Administrative Tools, and then double-click the appropriate snap-in:

  • To manage Active Directory objects by using the newest GUI tool, with improved options for viewing and managing Active Directory data, click Active Directory Administrative Center.

  • To manage Active Directory objects by using a predefined set of Windows PowerShell cmdlets and a provider, click Active Directory Module for Windows PowerShell.

  • To manage user and computer accounts, click Active Directory Users and Computers.

  • To manage Active Directory trusts, functional levels, and forest-wide operations master roles, click Active Directory Domains and Trusts.

  • To manage Active Directory sites and site links, click Active Directory Sites and Services.

As an alternative, you can double-click the appropriate snap-in on the Active Directory Domain Services page in Server Manager.

Experienced programmers and system administrators can manage the Active Directory schema, but the Active Directory Schema snap-in is not installed by default. In addition, the Schmmgmt.dll file must be registered before the snap-in can be installed.

To install the Active Directory Schema snap-in

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. At the command prompt, type the following command, and then press ENTER:

    regsvr32 schmmgmt.dll

  3. Click OK to close the dialog box that confirms that the operation succeeded.

  4. Click Start, click Run, type mmc, and then click OK.

    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  5. On the File menu, click Add/Remove Snap-in.

  6. Under Available snap-ins, click Active Directory Schema, click Add, and then click OK.

  7. To save this console, on the File menu, click Save.

  8. In the Save As dialog box, do one of the following:

    • To place the snap-in on the Administrative Tools menu, in File name, type a name for the snap-in, and then click Save.

    • To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

Warning

Modifying the schema is an advanced operation that is best performed by experienced programmers and system administrators. For detailed information about modifying the schema, see Active Directory Schema (https://go.microsoft.com/fwlink/?LinkId=8273).

For more information

To learn more about the AD DS server role, you can view the Help on your server. To do this, open one of the snap-ins that are described in the previous section and then press F1, or search for and then double-click the appropriate Help file:

  • For information about the Active Directory Users and Computers snap-in, see Domadmin.chm.

  • For information about the Active Directory Domains and Trusts snap-in, see Dsadmin.chm.

  • For information about the Active Directory Sites and Services snap-in, see Dssite.chm.

  • For information about the Active Directory Schema snap-in, see Schmmgmt.chm.

For more information about the AD DS server role, see topics for Windows Server 2008 on the Web: