Active Directory Domain Services Overview
Updated: August 7, 2013
Applies To: Windows Server 2012
Did you know that Microsoft Azure provides similar functionality in the cloud? Learn more about Microsoft Azure identity solutions.
Create a hybrid identity solution in Microsoft Azure:
By using the Active Directory® Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft® Exchange Server.
The rest of this topic explains a high-level overview of the AD DS server role. For more information about new features in AD DS in Windows Server 2012, see What’s New in Active Directory Domain Services (AD DS).
AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. A server that is running AD DS is called a domain controller. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain.
Organizing network elements into a hierarchical containment structure provides the following benefits:
The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, which is known as the forest root domain.
Additional domains can be created in the forest to provide partitioning of AD DS data, which enables organizations to replicate data only where it is needed. This makes it possible for AD DS to scale globally over a network that has limited available bandwidth. An Active Directory domain also supports a number of other core functions that are related to administration, including network-wide user identity, authentication, and trust relationships.
OUs simplify the delegation of authority to facilitate the management of large numbers of objects. Through delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects to a number of people who are trusted to perform management tasks.
Security is integrated with AD DS through logon authentication and access control to resources in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can also use a single network logon to access resources anywhere in the network. Policy-based administration eases the management of even the most complex network.
Additional AD DS features include the following:
A set of rules, the schema, that defines the classes of objects and attributes that are contained in the directory, the constraints and limits on instances of these objects, and the format of their names.
A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to find directory information, regardless of which domain in the directory actually contains the data.
A query and index mechanism, so that objects and their properties can be published and found by network users or applications.
A replication service that distributes directory data across a network. All writable domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.
Operations master roles (also known as flexible single master operations or FSMO). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and eliminate conflicting entries in the directory.
What hardware, software, or settings configurations are required for running this feature? What prerequisites are there for running the role? Does this role/feature require special hardware?
Configure appropriate TCP/IP and DNS server addresses.
The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system. For security purposes, the Active Directory database and log files should be placed on a volume that is formatted with NTFS.
To install a new AD DS forest, you need to be local Administrator on the server. To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.
Domain Name System (DNS) infrastructure
Verify that a DNS infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed.
When you create a new domain, a DNS delegation is created automatically during the installation process. Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.
For more information, see DNS Options wizard page.
To add the first domain controller that runs Windows Server 2012 to an existing Active Directory, adprep.exe commands run automatically as needed. These commands have additional credential and connectivity requirements.
For more information, see Running Adprep.exe.
Read-only domain controllers (RODCs)
Additional requirements to install RODCs:
For more information, see Prerequisites for Deploying an RODC.
With the exception of DNS server, domain controllers generally should not host other server roles.
For step-by-step instructions for how to install and configure AD DS by using the ADDSDeployment module for Windows PowerShell® command-line interface, see Active Directory Domain Services Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=222597).
AD DS is a distributed service that is designed to run on multiple domain controllers. For step-by-step instructions for how to install and configure AD DS on multiple domain controllers, see Active Directory Domain Services Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=222597).
AD DS in Windows Server 2012 includes safeguards for running on virtual machines to ensure safety and consistency of virtualized AD DS environments. For more information about how to run AD DS on virtual machines, see Running Domain Controllers in Hyper-V (http://go.microsoft.com/fwlink/?LinkID=213293).
After installation, AD DS is designed to be secure by default. For more information about default security settings for domain controllers, risks, and how to operate domain controllers securely, see Best Practice Guide for Securing Active Directory Installations.
To manage AD DS remotely, install the Remote Server Administration Tools (RSAT). There is a 32-bit version and a 64-bit version of RSAT. For more information, see Remote Server Administration Tools (http://go.microsoft.com/fwlink/?LinkId=222628).
AD DS can be installed on a Server Core installation or a server with a Minimal Server Interface, and is recommended in cases where reducing the footprint of the operating system installation is advantageous, such as for a dedicated server role in a datacenter, for virtualization guests, or RODCs in remote offices. Beginning with Windows Server 2012, a domain controller that runs on a Server Core installation can be converted to server installation with a GUI (also known as a full installation) and vice versa.
Upgrade from a Server Core installation running on a previous version of Windows Server is supported, but there is no way to upgrade directly from a Server Core installation of a previous version of Windows Server to a server installation with a GUI or directly from a server installation with a GUI to a Server Core installation. In this case, you need to upgrade directly to the same installation type on Windows Server 2012 and then convert to a different installation after the upgrade as needed.
For more information, see Windows Server Installation Options.
Identity Management for UNIX is a role service of AD DS that can be installed only on domain controllers. Two Identity Management for UNIX technologies, Server for NIS and Password Synchronization, make it easier to integrate computers running Windows® into your existing UNIX enterprise. AD DS administrators can use Server for NIS to manage Network Information Service (NIS) domains. Password Synchronization automatically synchronizes passwords between Windows and UNIX operating systems.
Role service technologies
Role service description
Server for NIS
Enables a Microsoft Windows–based Active Directory domain controller to administer UNIX Network Information Service (NIS) networks. For more information, see Overview of Server for NIS (http://go.microsoft.com/fwlink/?LinkId=222677).
Helps integrate Windows and UNIX networks by simplifying the process of maintaining secure passwords in both environments. For more information, see Overview of Password Synchronization (http://go.microsoft.com/fwlink/?LinkId=222676).