Learn Microsoft Active Directory (ADDS) in 30mins

00:02

[Music] Right now with the cloud everybody wants

00:09

to know azure active directory but taking a trip back can be really useful

00:15

so what i'm going to do in this session is take a look at active directory

00:19

domain services from windows server how does it work what does it do and can i

00:25

do a deep dive in 30 minutes let's find out

00:31

[Music]

00:44

Greetings my fellow YouTubers welcome back to the channel i really appreciate

00:48

you stopping by Andy Malone Microsoft MVP as well as a Microsoft certified Trainer

00:54

In this episode i'm going to take a look at active directory domain

00:58

services and i know what you're thinking you're thinking andy that's old stuff

01:02

we should be learning azure active directory i know i've done plenty of

01:06

videos of that on this channel but active directory domain services is such

01:11

an important skill especially if you want to move your it career forward so

01:17

in this session what i thought i'd do is just take 20 to 30 minutes and really go

01:22

deep on exactly what you need to know about active directory so we're going to

01:27

talk about the logical approach to it so the structure of it

01:32

we'll talk about the physical aspects of it for example replication how it works

01:37

how it's structured and really it's going to be a busy session so as they

01:42

say buckle up and get ready to learn now if you've not subscribed to the session

01:47

please go ahead click on that subscribe button ring that bell and you won't miss

01:51

out on the good stuff in the future and as always i love your comments your

01:55

questions and your feedback so just get them down below there and i'll do my

01:59

best for you all right so i think without any more jibber jabber i think

02:04

it's about time we get into some demos let's go

02:12

so let's see if we can do active directory for beginners in 30 minutes

02:18

so who am i just a quick reminder i'm a

02:21

microsoft certified trainer as well as a microsoft mvp

02:26

now um

02:28

when we talk about active directory of course it's an identity

02:32

platform and an identity platform obviously involves

02:36

i walking up to a desk in a building so this is our analogy so you're getting

02:41

into the computer system so we walk up to the desk we present our credentials

02:46

or our username and our method of authentication so

02:51

whether that be a password whether it be some kind of card entry

02:56

biometrics once you get added once you get admitted

03:00

uh you're in the door now once in the building of course you

03:04

can then be further scrutinized and given permissions to certain resources

03:10

depending on the role that you play in the organization

03:13

or the permissions that you have so when we talk about a directory

03:18

service um active directory actually goes back

03:22

to about windows 2000 back in the early days that's quite a few years ago now

03:29

before that though the first kind of microsoft directory service was actually

03:35

a product called windows nt so in 2000 we had windows 2000 and

03:42

really active directory really took form then so what is a directory service well

03:48

in essence it's a database it's a database of objects so users groups

03:54

computers and so on now to be honest it's

03:58

advanced over the years and this is windows server active

04:03

directory and the two ways to look at it you can

04:06

look at it from a logical perspective so the structure how you've laid it out

04:13

and also a physical precipice perspective as well

04:17

so from the physical perspective we look at it from the actual

04:22

database so how do we back up the database how do we replicate the

04:27

database to another server because of course if you just have it installed on

04:32

one server then potentially if something went wrong with that server you would

04:38

lose all your users and everything so again we don't want that you want to

04:42

replicate that so in essence what we have is active

04:46

directory domain services this is the directory services of windows server

04:51

both 2016 2019 and now 2022 as well if you for example were using windows

04:59

explorer and you can see that this does actually look a little bit like that

05:04

so organizing your users we don't put them in folders we actually arrange them

05:09

into something called organizational units and you can organize

05:14

organizational units by location by department

05:19

function and so on so i can create my users computers

05:25

groups and i can organize them in there now of course i said that active

05:31

directory is a database and databases have objects so a user object a group

05:37

object and a device object and objects have attributes so a user's

05:42

first name last name email address and so on

05:46

the complete set of object types in active directory we refer to it as the

05:52

schema okay

05:55

and you can as i said organize your users into these organizational units

06:00

and i'm going to be doing some demos in a moment

06:04

okay so that's the first thing that we have then all right

06:08

now from the physical side

06:11

of active directory and again i'm going to give you a nice demo of this in a

06:15

moment in this example we have obviously dc1

06:21

and dc1 contains a master copy of our account directory

06:27

so obviously you don't just want to store active directory database on dc1

06:35

so you want to replicate that now you can replicate it

06:39

for a number of reasons you can replicate it for disaster recovery

06:43

reasons and you can also replicate it for performance reasons or

06:48

load balancing so as i said in this example we have two

06:52

sites we've got site a let's say london and we've got site b in new york

06:59

so inside a i've got three servers that have installed active directory on and

07:06

these are replicating copies of the database and we refer to these machines

07:12

as dc's or domain controllers and within a site you can see that we

07:19

have something called intra site replication

07:22

now intra site replication basically means that these replicate automatically

07:30

for example we don't you don't need to schedule these so it assumes that you

07:35

have a very high speed bandwidth however if you have remote sights and

07:41

you don't have a high speed bandwidth then we can use

07:46

something called inter-site replication now in the slide here it talks about rpc

07:53

or smtp connections remote procedure calls now this doesn't

07:58

exist anymore and because obviously since this slide was written we'd now

08:03

have the delights of broadband and super fast

08:06

connections which make things easier but the principle just remember the

08:11

principle if it's within a site it's called intra site and if it's between

08:16

sites it's called intersight replication now again with windows server active

08:23

directory um you can have

08:27

a number of companies so you can see here that we've got a

08:32

company called akaim.com and depending on the size of your

08:36

companies you might want to create different or what we call child domains

08:42

and a child domain might be for a very large corporation and let's say you've

08:48

got offices all around the world and you want to have

08:52

an it team dedicated to that particular domain

08:57

but also you might want to mask um for example for security reasons you might

09:02

not for example want the sales team to have access to the engineering

09:07

components and so on so moving right up to date um one of the

09:12

reasons why i wanted to show you this presentation was obviously we're all

09:17

learning about this this is microsoft's azure active directory and this is

09:23

microsoft's identity as a service platform

09:26

so rather than having the database on your domain controllers installed on

09:32

premises what we now have is we have the databases stored in azure and azure

09:39

microsoft maintain all the databases they structure it they manage it for us

09:46

so you don't need to worry about all of that

09:50

um we don't have ou's as such but the thing about

09:54

azure is it's a little bit like again file explorer so think about the c drive

10:00

on your computer as being azure active directory

10:05

well in this case you can see that you have your own tenant or folder so all

10:11

your users all your management features are managed within your own individual

10:18

tenant and again you can create users groups devices and so on and like before

10:25

these devices also give you access to multiple resources and again they have

10:32

attributes first names last names and email addresses and so on

10:38

and the nice thing about azure is you can have multiple customers so you

10:43

can have multiple accounts different tenants and you can share resources

10:49

between those tenants now this particular session i'm going to

10:53

focus on active directory if you want to see my sessions on azure

10:59

then please have a look i've already recorded some of these on my youtube

11:04

channel

11:10

so to understand active directory we start here in our windows server now

11:16

this particular machine has got active directory already pre-installed so what

11:21

i'm going to do is i'm going to click up here and i'm going to go into server

11:25

manager and server manager is our main portal that manages kind of all our

11:30

features and functionality now just to let you know that when you

11:34

if you purchase windows server or you download it

11:39

it actually comes in with no roles or no features installed on it

11:45

so one of the first things that you're going to do is you're going to go ahead

11:48

and obviously install the features and functionality that you want and to do

11:52

that essentially we go up here and to tools to manage all the features that

11:59

are currently installed but also if you go into manage this is where you can add

12:05

roles and features now adding roles are the major functions

12:10

of the computer so things like active directory domain services your domain

12:16

name services and various other features like that and you can see it's asking me

12:21

which server do i want to go ahead and install add-on so you can set this up on

12:27

a server if you have a pool of servers so

12:32

mult you can have manage multiple servers here or you can install it on a

12:36

particular virtual hard disk for the purpose of this demo i'm just going to

12:40

click on next here and you can see here at the moment we've

12:44

got dns and we've got active directory domain services installed now how did i

12:50

install that i'm going to leave that for another video because obviously not

12:54

enough time here but i'll certainly go through that in in a future session

12:59

so here you can see that i've got all the different roles that you can install

13:05

on the windows server now i'll be honest with you windows hasn't

13:09

really changed that much in a number of years so if you're familiar with it from

13:14

the likes of windows server 2012 then coming to this in windows server 2019 or

13:20

2022 i'll be honest it's not going to be hugely different for you

13:25

if you click on next it now asks you if you want to install features and the

13:30

features are they're important features but they're not as big as the roles so

13:36

once you select those features click on install and off it goes and it will

13:41

install the role so to manage the role as i mentioned we

13:45

can go up here into tools and really you've got a number of tools

13:50

that you can manage you see once active directory is installed you've now got a

13:56

number of dedicated active directory tools and the first of those the most

14:01

primary tool i would say is probably active directory users and computers

14:07

and this is where we manage the logical aspects of active directory logical

14:13

aspects i mean the oh just general design of how it looks

14:19

now you can see here if you're familiar with windows file manager for example or

14:24

file explorer as it's now known you'll see that it looks somewhat similar so up

14:30

here at the top we've got our domain name and my domain name here is called

14:35

adatum.com and

14:38

adatum.com you can see contains a number of built-in

14:43

groups and features here

14:46

now the yellow folders here we actually call these

14:50

organizational units and you can pretty much guess what that means

14:54

so if i didn't use organizational units i

14:59

could just have a big default folder called users

15:03

and you could put basically everything in there and it's not very organized so

15:08

probably one of the thing things that you probably want to do is you probably

15:12

want to create organizational units based on location

15:17

or based on department needs or things like that

15:22

so for example here i'm going to create a new organizational unit just by either

15:28

right clicking on the right hand mouse menu here or there's also buttons here

15:33

on the toolbar that will do the same thing

15:36

so i'm going to go up i'm going to create new and i'm going to create a new

15:41

organizational unit and in here just pull that over slightly i'm going to

15:46

call this operations okay so i'm going to call this operations now

15:51

you can see here protect the container from accidental deletion and it's

15:57

actually switched on so if you want that on or off you can go ahead and switch

16:01

that so i've now created an ou

16:05

and the next thing i'll probably want to do is create some users in here so i'm

16:10

going to create a new user account in here

16:13

so i can create a new user and this user i'm going to call this i'm

16:19

a bit of a trekkie as anybody knows so i'm going to call this guy sean luke and

16:24

i'm going to call him jean-luc picard so i'm going to give him a username of

16:29

picard j now just a tip about usernames you

16:34

wouldn't call the user robert or karen or something like that because you could

16:39

have a company that's got many users called john or karen or bob so it's a

16:45

good idea to use the surname followed by an initial and you can see that this is

16:51

giving this user a logon name now you'll notice that there's two types of logon

16:56

name here um so picard.j at

17:00

company.com and a datum slash

17:05

picard.j so this is kind of uh this is typically windows like a

17:10

windows type login but if you're moving to the cloud for example into microsoft

17:16

365 you'll be familiar with this type of login format this is called um a

17:23

upn a user principal name type login so i'm going to click next

17:28

and of course i'm going to put in a password for captain picard here so i'm

17:33

going to just put that password in here and again you can see the user can

17:39

change their password at next log on user can not change their password the

17:44

password never expires you might use these um if it's for example a service

17:49

account or something like that and of course if you're ready if you're not

17:53

ready for jean-luc to join the organization yet you can actually go

17:57

ahead and disable the account so i've created the account off it goes

18:03

and it now creates jean-luc's account now so that's the first thing

18:09

so creating a user account really really easy like i said creating new

18:15

and user and the rest is pretty self-explanatory as well

18:19

now another type of thing that you might want to create is a group

18:23

so a group of course allows you to manage multiple users hey you know what

18:29

i'm going to do i'm actually going to create another user just so that

18:33

jean-luc's got some company so this time i'm going to create a user called james

18:38

kirk and of course james cook will have a

18:42

username of corp j and i'll click next and again i'm going

18:48

to put in a password for the user and i'm going to say that the user can

18:54

change their own password at their next login and i'm going to finish and you

18:59

can see i've now got a couple of users in here now

19:03

um again i'm going to now go into new and

19:07

this time instead of creating a user i'm going to go in i'm going to create

19:13

a group okay now we've got

19:17

a number of different types of groups in windows server

19:22

i'm going to call this my managers group i'm going to call this in fact you know

19:28

just to differentiate it i'm just going to call it ops managers okay

19:32

so this is my ops managers and is it a domain local or is it a global to be

19:38

honest in this case i've only got one domain so it's not really a problem if i

19:43

had multiple domains you would you could create global groups

19:49

and you could create domain local groups that are specific to a local domain but

19:54

as i say in this case it really doesn't matter because i've only got one domain

20:00

that i'm working with okay so i'm going to click on here and

20:04

what i can now do with these users um i can now of course add these users

20:10

to a group and i'm just going to call this

20:14

ops and as i start to type i can click on check name and you can see it says

20:19

yes this name exists already and i'm going to click ok

20:24

and i've now added those users to a group now

20:27

why would i do that because it's easier to assign permissions to resources to

20:32

groups rather than individual users okay

20:37

so again my whistle stop tour of active directory i'm now going to go into the

20:43

properties of my user and let's have a look at some of the

20:49

resources in here that we can see so first of all

20:53

you'll notice that we have a number of tabs

20:56

active directory of course is a database and a database has

21:01

objects so jean-luc is an object in my database he's a user in my database we

21:08

can also have groups we can have devices and so on

21:12

so you can see that every object has attributes so our first name last name

21:18

email address and so on okay so i can go in and and fill that in if i want to and

21:25

there's a couple of tabs here that you can do that

21:28

um member of shows me if the user is a member of some groups

21:34

um dial in i can take a trip back to the 1990s if i want to

21:39

but i'm not going to bother with that this time

21:41

um and again here um if you wanted the uh you can do an uh an environment thing

21:48

so when the user logs in start this program and so on which is it might be

21:52

quite useful um again if you click onto the sessions

21:57

you can set timeouts for the user sessions here

22:02

again depending on you might work in a call center or something like that that

22:07

might be quite useful all right

22:11

um remote control enable remote control so if you're using uh remote control or

22:17

remote desktop um and it's switched on here you'll be able to go in and help

22:22

the user if they're having problems all right other useful things here the most

22:28

useful one is probably the account tab so the account tab here you can do

22:34

things like i can click on to log on hours

22:38

and you might say okay from midnight to 6 a.m i don't want the user to log on

22:45

because that's when you might do backups for example

22:49

uh and i could then say okay from eight let's say to midnight again

22:55

i don't want to the user to log in now you would do this for every user

23:00

possibly okay and you can you can um this is quite useful to do that

23:06

okay um other things here again

23:09

log on to so again do you want the user to log on to all computers or only these

23:15

computers so again quite useful we've got some password options here so

23:21

things like user cannot change the password never expires and this is a

23:26

useful one by the way if you uh bring in for example contractors so if you're

23:32

bringing in contractors you can expire their user account after a certain

23:37

amount of time again very very useful

23:41

um again the other thing that we've got here is the profile so user profiles

23:47

here so if you've got a shared folder i think i did a session on this recently

23:53

actually so go ahead and check out that okay so that's creating a user

24:01

and creating a group so as i've mentioned this is pretty much the

24:06

logical aspects of active directory

24:15

for the next part we want to take a look at the physical side of active directory

24:21

now just to understand what i mentioned i said that active directory is actually

24:27

a database and you can see the database by going into the windows folder on your

24:33

domain controller's c drive if you scroll down

24:38

you'll see a folder here called ntds nt directory services

24:44

so if i click into here this is the golden ticket ntds.dit

24:52

this is your active directory database and the other things that we've got here

24:58

are essentially log files and check files

25:02

so in essence what happens is like every most databases

25:08

when a user is performing transactions in active

25:13

directory users are logging on logging off you're doing maintenance

25:18

those operations are taking place in memory

25:21

once they've been in memory they then get written to a log file

25:27

and then after the log file reaches a certain size so for example

25:33

what i don't know five gigs let's say those transactions are then written to

25:40

active directory or to the database so that's that's what it is so active

25:44

directory is a physical database to understand now

25:49

of course the problems with that are obvious if i

25:53

install one active directory domain controller

25:57

then that's a single point of failure so one of the great things about active

26:02

directory is that you can have multiple domain controllers now in my demo here

26:07

i've only got one domain controller in my environment but um let me show you

26:14

what you would do so i'm going to go up into tools here

26:19

and for this with there are a couple of tools for the

26:22

physical side so the first one is active directory sites and services

26:29

now in our little organization here you can see that if i go into sites here

26:36

and we have got a default first site okay so this is my default first site

26:42

name i can double click this and in here you can see that it says ntds

26:49

settings again i can double click that and we can have a look at it so at the

26:54

moment my domain controller is dc1 and it's actually in my default first

27:00

site okay and we can see that you've got various

27:04

options for caching group membership for example which will obviously improve

27:09

things like performance and so on um so that's the first thing that's

27:14

where the

27:18

domain controller goes now you'll remember from the slide at the beginning

27:22

of this presentation that i talked about intra site replication and intra site

27:29

replication so basically if i had multiple domain

27:33

controllers within this site and you can see it says servers and at the moment

27:39

i've only got dc1 so if there were other servers in here it would replicate

27:46

copies of the active directory database and if i double click this you can see

27:52

this is the actual settings for that individual domain controller okay and as

27:58

i said at the moment there's nothing here because to be honest there's only

28:02

one domain controller all right now if i just click into the ntds

28:08

settings and if i go into properties on that

28:11

setting you can see that

28:15

one thing that you'll notice about active directory is that active

28:19

directory like azure active directory objects are sometimes represented by

28:25

what we call a grid a globally unique id which is this big long hexadecimal

28:31

number now it shows me the connection detail so

28:37

um within a site of course it uses interest site so in other words um any

28:44

if you've got multiple domain controllers um they're constantly

28:48

updating each other and to be honest you can't control

28:52

the uh when and how it actually

28:56

replicates because it's interest site now if you have multiple sites within

29:03

your organization so depending on the size of your company you may want to

29:08

create another site so i can come down here and if i just click into sites here

29:15

for example and i can come down i can say hey i want

29:20

to go and create a new site and i'll call this oslo okay so i'll

29:25

call it my oslo site all right

29:29

and it's saying do you want to use this site link i'll say yes that's fine

29:35

now if you don't have this site link at the moment you you can create

29:40

different links now remember that active directory was written for a different

29:45

time um so back in the 1990s we didn't have

29:50

the scalability and we didn't have the network speeds that we do now but

29:54

fortunately now we do so i'm just going to go ahead i'm going

29:58

to click on to that and you can see it's now created this oslo site

30:04

and i've got cert and it's got a little folder for servers so again what i could

30:08

do is if i've got multiple servers here i could easily move those servers

30:14

into this site so i've got multi i've got two sites by the way you can

30:20

rename that default site if you want to call it something else as well

30:25

okay so that's the first thing from a physical perspective so as i said it's a

30:31

physical database and you can control

30:35

the replication by organizing your

30:40

domain controllers into sites where they're located

30:45

and here you can see that this is now inter site

30:49

so that being the case one of the things you might want to

30:53

control is how the

30:56

how the replication between the domain controllers actually works and to be

31:01

honest we've got two choices you can use ip which is super fast

31:07

because the chances are you're using broadband or you can use an older

31:11

protocol for example smtp which is actually an email protocol

31:17

and that can be scheduled so for example if you happen to have a very slow link

31:23

you could potentially schedule that all right

31:28

now i mentioned that that's so that's the basics as i said of

31:34

um inter-site

31:36

and interest site okay so that's the first thing there now the other tool

31:41

that i just wanted to show you was active directory domains and trusts

31:47

now in this example we only have one domain that we're dealing with here and

31:54

if i just click into here you can see that this is to do with your domains or

32:00

your uh forests now when we talk about a

32:04

forest is if i installed active directory

32:09

another cop install of active directory it could

32:13

say do you want to join this forest or do you want to create what we call a

32:18

branch so for example you might create a child domain so us.adatum.com

32:26

india dot and so on so we can create those here

32:33

all right now um if i go into properties um you

32:38

can see that if i have you this is where you can actually

32:44

create relationships between other forests so if you were working with

32:50

business partners for example or you were let's say a group of companies you

32:55

could establish trust relationships between

33:00

those organizations and i'm going to cover this in a future session all right

33:07

now one really important aspect of active

33:11

directory ladies and gentlemen is if i go back into

33:16

users and computers you'll see that in users and computers

33:20

here i've got a series of organizational units and here's the one i created

33:27

earlier now if i click into view

33:31

and go into let's say advanced features you'll now notice that i can see an

33:38

awful lot more and i'm now actually seeing

33:41

hidden objects and one of those hidden objects is lost

33:46

and found now if you delete something

33:50

in active directory

33:53

obviously it goes to a recycle bin well actually it doesn't because you need to

34:00

actually switch this feature on and you can either switch the feature on

34:05

via powershell or you can go into tools and if you go

34:10

into the active directory admin center here and i've mentioned this previously

34:16

on one of my videos for um deploying azure ad connect

34:22

so in essence what we do is i click into my local domain here

34:27

and again this is just the admin center is just another viewing

34:32

tool and i can manage the various nodes and the various features but the key

34:37

thing here is we have this enable recycle bin here and you can go in and

34:43

you can switch that on and the idea of this is if you accidentally now delete

34:47

any objects they will go to that recycle bin and you

34:52

can restore your users okay

34:56

so there we go just a little look at the logical aspect of active directory

35:04

we created some users we created a group and we looked at the physical side of

35:10

active directory so there you have it active directory

35:14

windows server to be honest it's a product that's not really changed in

35:18

many years but again like i said at the beginning it's so important at the

35:23

moment especially if you're learning cloud computing especially if you're

35:26

going to be learning a hybrid especially the security aspects of it well hey look

35:31

i really appreciate you stopping by if you've enjoyed the video give me a big

35:35

thumbs up it really does help my channel and of course if you've not subscribed

35:39

go ahead click on that subscribe button ring the bell and you won't miss out on

35:43

future tutorials and as always i love comments your questions and any feedback

35:48

about this or any of my other videos all right so that's it for this week you

35:53

stay safe and i'll see you next time around take care

36:06

hey thanks so much for dropping by today here's a couple of videos that you may

36:10

enjoy and while you're here go ahead click on the subscribe button and you

36:14

won't miss out

36:19

[Music]