Active Directory Domain Services Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In this work I focus on Active Directory Domain Services (AD DS) in Windows Server 2008, which includes several enhancements and new features compared with Windows Server 2003.

What is Active Directory? 

Active Directory (AD) is a directory service that makes it possible to manage a domain centrally. It significantly simplifies the daily work of network administration.

AD lets you configure computers, users, printers, software deployment and much more from one place: the server that hosts the directory, called a Domain Controller.

Active Directory Domain Services

New features in Active Directory Domain Services Windows Server 2008:

Active Directory Domain Services - Read-Only Domain Controllers

Active Directory Domain Services - Restartable Active Directory Domain Services

Active Directory Domain Services - Fine-Grained Password Policies


Active Directory Domain Services - Auditing: changes to object attributes can be recorded in the security log with both the old and the new value.

Fine-Grained Passwords

A new feature of Windows Server 2008 AD DS is the ability to define different password and account lockout policies for different sets of users in the same domain. In Windows Server 2003 a domain had exactly one password policy, set in the Default Domain Policy, and a separate domain was needed for anything stricter.

Fine-Grained Password Policies allow the following settings:

Password Policy:

Enforce password history 

Maximum password age 

Minimum password age 

Minimum password length 

Passwords must meet complexity requirements

Store passwords using reversible encryption

Account lockout:

Account lockout duration 

Account lockout threshold 

Reset account lockout after 

Fine-Grained Password Policies are stored as Password Settings Objects (PSOs) and are linked to user objects and global security groups. They cannot be linked to organizational units. When several PSOs cover the same user, the one with the lowest precedence value wins; a user covered by no PSO gets the Default Domain Policy.

To use Fine-Grained Password Policies, the domain functional level must be Windows Server 2008, which means every domain controller in the domain must run Windows Server 2008 or later. Keep "Store passwords using reversible encryption" disabled in every PSO; it is equivalent to storing the password in clear text.
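As an added example (not part of the original essay), the PowerShell below creates two PSOs with the settings listed above, links them to groups and checks which policy an account actually receives. It uses the ActiveDirectory module that shipped with Windows Server 2008 R2 and RSAT; on Windows Server 2008 RTM the same objects are created with ADSI Edit or ldifde. The group and account names are assumptions.

```powershell
Import-Module ActiveDirectory   # Windows Server 2008 R2 / RSAT; the AD cmdlets are not in 2008 RTM

# Strict policy for privileged accounts. Precedence decides conflicts: when a
# user is covered by several PSOs, the lowest Precedence value wins. Users
# covered by no PSO fall back to the Default Domain Policy.
$adminPso = @{
    Name                            = 'PSO-PrivilegedAdmins'
    Precedence                      = 10
    MinPasswordLength               = 15
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'    # 1 day
    MaxPasswordAge                  = '42.00:00:00'   # 42 days
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false          # never $true: equivalent to plaintext storage
    LockoutThreshold                = 5
    LockoutObservationWindow        = '00:30:00'
    LockoutDuration                 = '00:30:00'
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @adminPso

# Service accounts: long passwords, slow rotation and no lockout, so that an
# attacker cannot lock a service out of the domain by guessing wrong on purpose.
$svcPso = @{
    Name                            = 'PSO-ServiceAccounts'
    Precedence                      = 20
    MinPasswordLength               = 25
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'
    MaxPasswordAge                  = '365.00:00:00'
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    LockoutThreshold                = 0               # 0 = never lock out
    LockoutObservationWindow        = '00:30:00'
    LockoutDuration                 = '00:30:00'
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @svcPso

# PSOs apply to users and global security groups only, never to OUs.
# 'Service-Accounts' is an assumed group; the admin groups are built in.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Domain Admins', 'Enterprise Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts'  -Subjects 'Service-Accounts'

# Check which policy really governs an account (assumed account name). An empty
# result means the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'

# Audit: any PSO that still allows reversible encryption or disables lockout
Get-ADFineGrainedPasswordPolicy -Filter 'ReversibleEncryptionEnabled -eq $true -or LockoutThreshold -eq 0' |
    Select-Object Name, Precedence, ReversibleEncryptionEnabled, LockoutThreshold
```

The PSOs land in CN=Password Settings Container,CN=System under the domain, and the policy a user ends up with is exposed on the user as the constructed attribute msDS-ResultantPSO, which is what Get-ADUserResultantPasswordPolicy reads.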

Read-Only Domain Controller

Active Directory Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008.

An RODC holds a read-only copy of the Active Directory database. It receives all objects and attributes from a writable domain controller, except account secrets (password hashes), which are stored only for accounts the RODC's Password Replication Policy allows it to cache, and except attributes placed in the RODC filtered attribute set. Replication is one way: nothing written on the RODC is replicated back.

With an RODC, organizations can deploy a domain controller in locations where physical security cannot be guaranteed.

The principal purpose of the RODC is to improve security in branch offices. A branch office rarely provides the physical security the IT infrastructure requires, least of all for domain controllers, which hold confidential data.

Branch domain controllers are often tucked away somewhere in the office. Anyone with physical access to a writable domain controller can read the database, extract every password hash in the domain and manipulate the directory. An RODC limits the damage: a stolen RODC contains no domain-wide secrets, and the credentials it was allowed to cache can be identified and reset from the RODC's account object.

The fundamental elements of an RODC are:

Read-only AD DS database

Administrative Role Separation

Credential Caching

Read-Only DNS
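The following is an added PowerShell example (not from the original essay) of managing credential caching, the element that decides how much a stolen RODC gives away: it reviews the Password Replication Policy, restricts caching to the branch's own accounts, lists the secrets the RODC currently holds, and resets them as you would after a theft. It uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT); the RODC and group names are assumptions.

```powershell
Import-Module ActiveDirectory

$rodc = 'RODC01'   # assumed name of the branch-office RODC

# 1. Inspect the Password Replication Policy. Out of the box, Allowed contains only
#    "Allowed RODC Password Replication Group" (empty) and Denied contains the
#    privileged groups (Domain Admins, Enterprise Admins, Schema Admins, ...).
#    Denied always wins over Allowed.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# 2. Let the RODC cache only the branch's own users and workstations (assumed
#    groups). Everyone else keeps authenticating through a writable DC over the WAN.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users', 'Branch-Workstations'

# 3. Accounts whose secrets are currently stored on the RODC: this is exactly the
#    set an attacker can attack offline after stealing the box.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass

# 4. Incident response when the RODC is lost or stolen: reset every cached user
#    password so the stolen hashes are worthless, and force a change at next logon.
function New-RandomPassword ([int]$Length = 24) {
    # Printable ASCII 33..126; Get-Random is acceptable for a throw-away reset
    # value that the user must replace at next logon.
    -join (1..$Length | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
}

foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $newPassword = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPassword
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
}
# Revealed computer accounts are reset from the machine itself with
# Reset-ComputerMachinePassword, or by re-joining the machine to the domain.
```

Deleting the stolen RODC's computer account in Active Directory Users and Computers offers the same reset (and an export of the affected account list) through a wizard; the script does it in a form you can review and rerun.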

Restartable Active Directory Domain Services

In Windows Server 2008 you can stop and restart Active Directory Domain Services (AD DS) like any other service. Maintenance that earlier versions of Windows Server allowed only after rebooting into Directory Services Restore Mode (DSRM), such as an offline defragmentation of the database, can now be done by stopping AD DS while the rest of the server keeps running. This makes such tasks far easier to script and automate. While AD DS is stopped the server behaves like a member server and cannot authenticate anyone; if no other domain controller is reachable, you can still log on locally with the DSRM administrator account.

Possible states of AD DS:

AD DS - started

AD DS - stopped 

AD DS Restore Mode (DSRM)
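As an added example (not part of the original essay) of the stopped state in use, the PowerShell below performs an offline defragmentation of the database, the classic task that previously required DSRM. It assumes the database is in the default %SystemRoot%\NTDS location and that the two working directories are free; adjust the paths for your server.

```powershell
# Run on the domain controller as a member of Domain Admins.
$ErrorActionPreference = 'Stop'
$ntdsDir    = "$env:SystemRoot\NTDS"   # default database location (assumed)
$backupDir  = 'C:\NTDS-Backup'          # assumed free directory
$compactDir = 'C:\NTDS-Compact'         # assumed free directory

# Services that depend on AD DS (KDC, DNS Server, DFS Replication, ...) stop with
# it; remember the ones that were running so they can be started again afterwards.
$dependents = Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }

# 1. Stop AD DS. The server keeps running and other DCs take over authentication.
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop' }

# 2. Copy the live database and transaction logs before touching them.
New-Item -ItemType Directory -Path $backupDir, $compactDir -Force | Out-Null
Copy-Item -Path "$ntdsDir\ntds.dit", "$ntdsDir\*.log" -Destination $backupDir -Force

# 3. Offline defragmentation: the step that used to require a reboot into DSRM.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

# 4. Swap in the compacted database, discard the old logs and verify integrity.
Copy-Item -Path "$compactDir\ntds.dit" -Destination "$ntdsDir\ntds.dit" -Force
Remove-Item -Path "$ntdsDir\*.log"
ntdsutil "activate instance ntds" files integrity quit quit

# 5. Start AD DS and the services that were stopped together with it.
Start-Service -Name NTDS
$dependents | Start-Service
```

If the integrity check in step 4 reports errors, restore the copies from $backupDir before starting AD DS; do not start the service on a database that failed the check.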

Database Mounting Tool

The AD DS Database Mounting Tool (dsamain.exe) lets you take a snapshot of the Active Directory database with ntdsutil (or use a backup) and mount it as a read-only LDAP server on a port of your choice. You can then compare objects with their earlier state, or see what a backup contains, without restoring anything on the live domain controller.
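The following added PowerShell (not from the original essay) walks through the snapshot workflow end to end: create and mount a snapshot, serve it with dsamain.exe, compare a user's group membership against the live directory, and clean up. The account name, the port and the snapshot path are assumptions; ntdsutil prints the real mount point when it mounts the snapshot.

```powershell
# Run on a domain controller as a member of Domain Admins.
Import-Module ActiveDirectory

# 1. Snapshot the live database (Volume Shadow Copy based; AD DS keeps running).
ntdsutil "activate instance ntds" snapshot create quit quit

# 2. List the snapshots and mount the first one. ntdsutil prints a path such as
#    C:\$SNAP_201001011200_VOLUMEC$\ ; copy that path into $mount.
ntdsutil snapshot "list all" "mount 1" quit quit
$mount = 'C:\$SNAP_201001011200_VOLUMEC$'   # assumed; single quotes keep the $ signs literal

# 3. Serve the snapshot read-only over LDAP on port 50000 (any free port works).
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList "/dbpath `"$mount\Windows\NTDS\ntds.dit`" /ldapport 50000"
Start-Sleep -Seconds 10   # give dsamain time to come up

# 4. Compare an object now with its state in the snapshot: here, group membership
#    of an assumed account. '=>' lines were added since the snapshot, '<=' removed.
$then = Get-ADUser -Identity 'jdoe' -Properties memberOf -Server 'localhost:50000'
$now  = Get-ADUser -Identity 'jdoe' -Properties memberOf
Compare-Object -ReferenceObject @($then.memberOf) -DifferenceObject @($now.memberOf)

# 5. Tear down. The snapshot holds every password hash in the domain, so do not
#    leave it mounted or lying around on disk.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount 1" quit quit
ntdsutil snapshot "list all" "delete 1" quit quit
```

The same dsamain.exe invocation works against the ntds.dit from a system state backup, which is the quickest way to check whether an object existed before restoring anything.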

Main components

In Active Directory, resources are organized in a logical structure that reflects the organizational model, using:

Domains,

Organizational Units (OU),

Trees,

Forests.

This logical grouping makes resources easy to find by name, without having to remember their physical location.

The relationship of Active Directory domains, OUs, trees, and forests


The domain is one of the major units of the logical structure in Active Directory. A domain stores objects.

The objects stored in the domain are those we consider necessary in our network. Objects are the items that support the functioning of the organization, for example:

User accounts, groups and computer accounts

Printers and shared folders

Email addresses

Other resources

Every object lives in exactly one domain, and each domain stores information only about the objects it contains.

Active Directory consists of one or more domains. A domain can span more than one physical location.

Organization Unit (OU)

An Organizational Unit is a container used to organize the objects in a domain into logical administrative groups.

OUs help with everyday administrative tasks, such as administering user accounts.

An OU is the smallest scope to which administrative authority can be delegated and to which a Group Policy Object can be linked.

An OU can contain user accounts, groups, computer accounts, printers, applications, shared folders and other organizational units from the same domain.

The OU hierarchy used in one domain is independent of the OU hierarchy in any other domain: each domain can have its own OU hierarchy.

Active Directory Administrator is responsible for creating a hierarchy corresponding to the need for the company.
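As an added example of the OU as the unit of delegation (not from the original essay), the PowerShell below builds a small OU hierarchy and grants a help-desk group only the right to reset passwords of user objects under one OU, then lists the resulting ACEs as a check. It uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT). The OU and group names are assumptions; the two GUIDs are the well-known schema identifiers for the Reset Password extended right and the user class, which are identical in every forest.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl / Set-Acl

$domainDn = (Get-ADDomain).DistinguishedName         # e.g. DC=corp,DC=example,DC=com
$branchOu = "OU=Branch,$domainDn"
$usersOu  = "OU=Users,$branchOu"
$helpdesk = Get-ADGroup -Identity 'Helpdesk-Branch'  # assumed global security group

# 1. OU hierarchy. ProtectedFromAccidentalDeletion adds a Deny-Delete ACE for Everyone.
New-ADOrganizationalUnit -Name 'Branch'       -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Users'        -Path $branchOu -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Workstations' -Path $branchOu -ProtectedFromAccidentalDeletion $true

# 2. Least-privilege delegation: the help desk may reset passwords of user
#    objects below OU=Users, and nothing else.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class "user"

$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)

$acl = Get-Acl -Path "AD:\$usersOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$usersOu" -AclObject $acl

# 3. Check what was actually granted: only explicit (non-inherited) ACEs for the group.
(Get-Acl -Path "AD:\$usersOu").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$($helpdesk.Name)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType -AutoSize
```

The check in step 3 is worth running periodically against every OU that carries delegations: an ACE with ActiveDirectoryRights of GenericAll or WriteDacl granted to a help-desk group is a privilege escalation path, not a delegation.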


A tree is a grouping or hierarchical arrangement of one or more domains, built by adding one or more child domains to an existing parent domain.

The domains in a tree form a contiguous DNS namespace.

In accordance with DNS standards, a child domain's name is formed by prepending its own label to the name of the parent domain.

For example, for the parent domain child domains are:

In addition, a child domain for a domain: can be: 

Trees allow administration of individual organizational units and individual domains to be delegated safely to different administrators.

The tree structure can be changed to meet business needs.

Designing a structure that fits the company is the administrator's responsibility.


A forest is a group or hierarchical arrangement of one or more domain trees that do not share a contiguous namespace. A forest has the following characteristics:

All domains in a forest share a common schema

All domains in a forest share a common global catalog

Each tree in the forest has its own contiguous DNS namespace

The domains in the forest are administered independently, but the forest allows communication across the whole organization

All domains in the forest are connected by two-way transitive trusts, so a user in any domain can be granted access to resources in any other; the security boundary is therefore the forest, not the domain

Recommendations for the administration of Active Directory Windows Server 2008


The main requirements on the server and client side:

Server - running Windows Server 2008 / 2008 R2, which will take on the domain controller role

Client - Windows XP / Vista / 7, at least the Professional or Business edition. Important: Home editions cannot be joined to a domain. Such systems can still use shared files on domain controllers or member servers, but they cannot be managed from the DC.

Security for user accounts

Every user who wants to use computer resources must first authenticate to the domain. The administrator issues a user name and password, which the user then uses to log on.

The password should be strong and known only to the user, never given to others, because it is the only basis on which the user is verified and granted access to exactly those resources the user is entitled to.

Authentication uses Kerberos. Kerberos is the default authentication protocol for logon to Active Directory Domain Services for clients running Windows 2000 or later; older clients, and some situations such as connecting to a server by IP address, fall back to NTLM.

Kerberos assumes that traffic between client and server crosses an insecure network. The user's password is never transmitted, in clear text or otherwise: the client proves knowledge of it with a pre-authentication timestamp encrypted under a key derived from the password, and receives tickets in return. A network sniffer therefore sees no password, although it does see the encrypted pre-authentication data, which is why weak passwords remain attackable offline.
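To check that clients really authenticate with Kerberos rather than falling back to NTLM, the following added PowerShell (not part of the original essay) summarises the authentication package recorded in successful logon events (event ID 4624) in the Security log of a domain controller. It assumes logon auditing is enabled and that it runs with rights to read the Security log; the PSObject construction is kept compatible with PowerShell 2.0 as shipped with Windows Server 2008.

```powershell
# Parse the last 5000 successful logons on this domain controller and group
# them by the authentication package that was used.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000

$logons = foreach ($event in $events) {
    # Each 4624 event carries its fields as <Data Name="...">value</Data> elements
    $fields = @{}
    foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    New-Object -TypeName PSObject -Property @{
        Time      = $event.TimeCreated
        User      = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        LogonType = $fields['LogonType']                     # 2 interactive, 3 network, 10 remote interactive, ...
        Package   = $fields['AuthenticationPackageName']     # Kerberos, NTLM or Negotiate
        Source    = $fields['IpAddress']
    }
}

# Overall split between Kerberos and NTLM
$logons | Group-Object Package | Select-Object Name, Count | Sort-Object Count -Descending

# Non-computer accounts that still log on with NTLM, with the source addresses.
# Typical causes: connections by IP address instead of host name, clients older
# than Windows 2000, and hosts outside the domain.
$logons |
    Where-Object { $_.Package -eq 'NTLM' -and $_.User -notlike '*$' } |
    Group-Object User, Source |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

On the client side, klist (Windows Vista and later) shows the tickets the current session holds; an empty list after a domain logon is the quickest sign that NTLM was used instead.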


Is it worth to implement Active Directory?

Certainly many novice administrators and IT professionals ask themselves this question.

Most depends on how large and complex the environment is. If it contains only a handful of computers, consider whether the cost of the implementation is too high.

When the number of hosts is counted in tens, the choice is obvious.

With Active Directory we can manage the settings of computers, users, groups, printers and shared folders more effectively, all from one place.

We have the assurance that every computer is configured according to a defined template.

Preparing a new workstation takes the administrator minimal effort, because Group Policy Objects take care of the configuration.

Benefits of using Active Directory can be summarized as follows:

Centralized management of the IT infrastructure

Automatic installation and updating of software across the company

Single sign-on - the user enters a user name and password once at logon and is then granted access to all data the account has permissions for, without re-entering credentials each time, which increases employee productivity

Lower cost of managing accounts

Fewer reported failures and problems