Learn Microsoft Active Directory (ADDS) in 30mins

Captions
Right now, with the cloud, everybody wants to know Azure Active Directory, but taking a trip back can be really useful. So what I'm going to do in this session is take a look at Active Directory Domain Services from Windows Server. How does it work? What does it do? And can I do a deep dive in 30 minutes? Let's find out.

Greetings, my fellow YouTubers, welcome back to the channel. I really appreciate you stopping by. Andy Malone, Microsoft MVP as well as a Microsoft Certified Trainer. In this episode I'm going to take a look at Active Directory Domain Services, and I know what you're thinking. You're thinking, "Andy, that's old stuff, we should be learning Azure Active Directory." I know, I've done plenty of videos of that on this channel, but Active Directory Domain Services is such an important skill, especially if you want to move your IT career forward. So in this session what I thought I'd do is just take 20 to 30 minutes and really go deep on exactly what you need to know about Active Directory. So we're going to talk about the logical approach to it, so the structure of it; we'll talk about the physical aspects of it, for example replication, how it works, how it's structured. And really it's going to be a busy session, so as they say, buckle up and get ready to learn. Now if you've not subscribed to the session, please go ahead, click on that subscribe button, ring that bell and you won't miss out on the good stuff in the future. And as always I love your comments, your questions and your feedback, so just get them down below there and I'll do my best for you. All right, so I think without any more jibber jabber I think it's about time we get into some demos. Let's go.

So let's see if we can do Active Directory for beginners in 30 minutes. So who am I? Just a quick reminder, I'm a Microsoft Certified Trainer as well as a Microsoft MVP. Now, when we talk about Active Directory, of course it's an identity platform, and an identity platform obviously involves, and this is our analogy, walking up to a desk in a building. So you're getting into the computer system: we walk up to the desk, we present our credentials, our username and our method of authentication, so whether that be a password, whether it be some kind of card entry, biometrics. Once you get admitted, you're in the door. Now once in the building, of course, you can then be further scrutinized and given permissions to certain resources depending on the role that you play in the organization or the permissions that you have.

So when we talk about a directory service, Active Directory actually goes back to about Windows 2000, back in the early days. That's quite a few years ago now. Before that, though, the first kind of Microsoft directory service was actually a product called Windows NT. So in 2000 we had Windows 2000, and really Active Directory really took form then. So what is a directory service? Well, in essence it's a database. It's a database of objects, so users, groups, computers and so on. Now to be honest it's advanced over the years, and this is Windows Server Active Directory, and there are two ways to look at it: you can look at it from a logical perspective, so the structure, how you've laid it out, and also a physical perspective as well. So from the physical perspective we look at it from the actual database, so how do we back up the database, how do we replicate the database to another server, because of course if you just have it installed on one server then potentially, if something went wrong with that server, you would lose all your users and everything. So again, we don't want that, you want to replicate that. So in essence what we have is Active Directory Domain Services. This is the directory service of Windows Server, both 2016, 2019 and now 2022 as well. If you, for example, were using Windows Explorer, you can see that this does actually look a little bit like that. So organizing your users, we don't put them in folders, we actually arrange them into something called organizational units, and you can organize organizational units by location, by department, function and so on. So I can create my users, computers, groups and I can organize them in there.

Now of course I said that Active Directory is a database, and databases have objects, so a user object, a group object and a device object, and objects have attributes, so a user's first name, last name, email address and so on. The complete set of object types in Active Directory we refer to as the schema, okay? And you can, as I said, organize your users into these organizational units, and I'm going to be doing some demos in a moment. Okay, so that's the first thing that we have then.

All right, now from the physical side of Active Directory, and again I'm going to give you a nice demo of this in a moment. In this example we have obviously DC1, and DC1 contains a master copy of our account directory. So obviously you don't just want to store the Active Directory database on DC1, so you want to replicate that. Now you can replicate it for a number of reasons: you can replicate it for disaster recovery reasons, and you can also replicate it for performance reasons or load balancing. So as I said, in this example we have two sites. We've got site A, let's say London, and we've got site B in New York. So in site A I've got three servers that have Active Directory installed on them, and these are replicating copies of the database, and we refer to these machines as DCs or domain controllers. And within a site you can see that we have something called intra-site replication. Now intra-site replication basically means that these replicate automatically; for example, you don't need to schedule these, so it assumes that you have very high-speed bandwidth. However, if you have remote sites and you don't have high-speed bandwidth, then we can use something called inter-site replication. Now in the slide here it talks about RPC or SMTP connections, remote procedure calls. Now this doesn't exist any more, because obviously since this slide was written we'd now have the delights of broadband and super-fast connections which make things easier. But the principle, just remember the principle: if it's within a site it's called intra-site, and if it's between sites it's called inter-site replication.

Now again, with Windows Server Active Directory you can have a number of companies, so you can see here that we've got a company called akaim.com, and depending on the size of your companies you might want to create different, or what we call child, domains. And a child domain might be for a very large corporation, and let's say you've got offices all around the world and you want to have an IT team dedicated to that particular domain. But also you might want to mask, for example for security reasons: you might not, for example, want the sales team to have access to the engineering components and so on.

So moving right up to date, one of the reasons why I wanted to show you this presentation was obviously we're all learning about this: this is Microsoft's Azure Active Directory, and this is Microsoft's identity-as-a-service platform. So rather than having the database on your domain controllers installed on premises, what we now have is we have the databases stored in Azure, and Azure, Microsoft, maintain all the databases. They structure it, they manage it for us, so you don't need to worry about all of that. We don't have OUs as such, but the thing about Azure is it's a little bit like, again, File Explorer. So think about the C drive on your computer as being Azure Active Directory; well, in this case you can see that you have your own tenant or folder. So all your users, all your management features are managed within your own individual tenant, and again you can create users, groups, devices and so on, and like before these devices also give you access to multiple resources, and again they have attributes, first names, last names and email addresses and so on. And the nice thing about Azure is you can have multiple customers, so you can have multiple accounts, different tenants, and you can share resources between those tenants. Now this particular session I'm going to focus on Active Directory. If you want to see my sessions on Azure, then please have a look, I've already recorded some of these on my YouTube channel.

So to understand Active Directory, we start here in our Windows Server. Now this particular machine has got Active Directory already pre-installed. So what I'm going to do is I'm going to click up here and I'm going to go into Server Manager, and Server Manager is our main portal that manages kind of all our features and functionality. Now just to let you know that if you purchase Windows Server or you download it, it actually comes with no roles or no features installed on it. So one of the first things that you're going to do is you're going to go ahead and obviously install the features and functionality that you want, and to do that essentially we go up here to Tools to manage all the features that are currently installed. But also if you go into Manage, this is where you can add roles and features. Now roles are the major functions of the computer, so things like Active Directory Domain Services, your Domain Name Services and various other features like that. And you can see it's asking me which server do I want to go ahead and install the add-on. So you can set this up on a server if you have a pool of servers, so you can manage multiple servers here, or you can install it on a particular virtual hard disk. For the purpose of this demo I'm just going to click on Next here, and you can see here at the moment we've got DNS and we've got Active Directory Domain Services installed. Now how did I install that? I'm going to leave that for another video because obviously there's not enough time here, but I'll certainly go through that in a future session. So here you can see that I've got all the different roles that you can install on the Windows Server. Now I'll be honest with you, Windows hasn't really changed that much in a number of years, so if you're familiar with it from the likes of Windows Server 2012, then coming to this in Windows Server 2019 or 2022, I'll be honest, it's not going to be hugely different for you. If you click on Next it now asks you if you want to install features, and the features, they're important features, but they're not as big as the roles. So once you select those features, click on Install and off it goes and it will install the role.

So to manage the role, as I mentioned, we can go up here into Tools, and really you've got a number of tools that you can manage. You see, once Active Directory is installed you've now got a number of dedicated Active Directory tools, and the first of those, the most primary tool I would say, is probably Active Directory Users and Computers, and this is where we manage the logical aspects of Active Directory. Logical aspects, I mean the, oh, just general design of how it looks. Now you can see here, if you're familiar with Windows File Manager, for example, or File Explorer as it's now known, you'll see that it looks somewhat similar. So up here at the top we've got our domain name, and my domain name here is called adatum.com, and adatum.com you can see contains a number of built-in groups and features here. Now the yellow folders here, we actually call these organizational units, and you can pretty much guess what that means. So if I didn't use organizational units I could just have a big default folder called Users, and you could put basically everything in there, and it's not very organized. So probably one of the things that you probably want to do is you probably want to create organizational units based on location or based on department needs or things like that. So for example here I'm going to create a new organizational unit just by either right-clicking on the right-hand mouse menu here, or there's also buttons here on the toolbar that will do the same thing. So I'm going to go up, I'm going to create New, and I'm going to create a new organizational unit, and in here, just pull that over slightly, I'm going to call this Operations, okay? So I'm going to call this Operations. Now you can see here "Protect container from accidental deletion", and it's actually switched on, so if you want that on or off you can go ahead and switch that. So I've now created an OU.

And the next thing I'll probably want to do is create some users in here. So I'm going to create a new user account in here, so I can create a new user, and this user, I'm going to call this, I'm a bit of a Trekkie as anybody knows, so I'm going to call this guy Jean-Luc, and I'm going to call him Jean-Luc Picard. So I'm going to give him a username of picard.j. Now just a tip about usernames: you wouldn't call the user Robert or Karen or something like that, because you could have a company that's got many users called John or Karen or Bob, so it's a good idea to use the surname followed by an initial. And you can see that this is giving this user a logon name. Now you'll notice that there's two types of logon name here, so picard.j@company.com and ADATUM\picard.j. So this is typically a Windows-type login, but if you're moving to the cloud, for example into Microsoft 365, you'll be familiar with this type of login format; this is called a UPN, a user principal name, type login. So I'm going to click Next, and of course I'm going to put in a password for Captain Picard here, so I'm going to just put that password in here, and again you can see "the user can change their password at next logon", "user cannot change their password", "the password never expires"; you might use these if it's, for example, a service account or something like that. And of course if you're not ready for Jean-Luc to join the organization yet, you can actually go ahead and disable the account. So I've created the account, off it goes, and it now creates Jean-Luc's account. Now so that's the first thing, so creating a user account, really, really easy. Like I said, create New, then User, and the rest is pretty self-explanatory as well.

Now another type of thing that you might want to create is a group. So a group of course allows you to manage multiple users. Hey, you know what I'm going to do? I'm actually going to create another user just so that Jean-Luc's got some company. So this time I'm going to create a user called James Kirk, and of course James Kirk will have a username of kirk.j, and I'll click Next, and again I'm going to put in a password for the user, and I'm going to say that the user can change their own password at their next login, and I'm going to finish, and you can see I've now got a couple of users in here. Now again I'm going to now go into New, and this time instead of creating a user I'm going to go in, I'm going to create a group, okay? Now we've got a number of different types of groups in Windows Server. I'm going to call this my Managers group; I'm going to call this, in fact, you know, just to differentiate it, I'm just going to call it Ops Managers, okay? So this is my Ops Managers. And is it a domain local or is it a global? To be honest, in this case I've only got one domain so it's not really a problem. If I had multiple domains you could create global groups and you could create domain local groups that are specific to a local domain, but as I say, in this case it really doesn't matter because I've only got one domain that I'm working with, okay? So I'm going to click on here, and what I can now do with these users, I can now of course add these users to a group, and I'm just going to call this Ops, and as I start to type I can click on Check Names and you can see it says yes, this name exists already, and I'm going to click OK, and I've now added those users to a group. Now why would I do that? Because it's easier to assign permissions to resources to groups rather than individual users, okay?

So again, my whistle-stop tour of Active Directory. I'm now going to go into the properties of my user, and let's have a look at some of the resources in here that we can see. So first of all you'll notice that we have a number of tabs. Active Directory of course is a database, and a database has objects, so Jean-Luc is an object in my database, he's a user in my database. We can also have groups, we can have devices and so on, so you can see that every object has attributes, so our first name, last name, email address and so on, okay? So I can go in and fill that in if I want to, and there's a couple of tabs here that you can do that. Member Of shows me if the user is a member of some groups. Dial-in, I can take a trip back to the 1990s if I want to, but I'm not going to bother with that this time. And again here, if you wanted, you can do an Environment thing, so when the user logs in, start this program and so on, which might be quite useful. Again, if you click onto the Sessions you can set timeouts for the user sessions here; again, depending on, you might work in a call centre or something like that, that might be quite useful. All right, Remote Control: enable remote control, so if you're using remote control or Remote Desktop and it's switched on here, you'll be able to go in and help the user if they're having problems. All right, other useful things here. The most useful one is probably the Account tab. So the Account tab here, you can do things like, I can click on to Logon Hours, and you might say, okay, from midnight to 6 a.m. I don't want the user to log on because that's when you might do backups, for example, and I could then say, okay, from eight, let's say, to midnight, again I don't want the user to log in. Now you would do this for every user, possibly, okay? And this is quite useful to do that. Okay, other things here again: Log On To, so again, do you want the user to log on to all computers or only these computers? So again, quite useful. We've got some password options here, so things like user cannot change the password, never expires, and this is a useful one, by the way, if you bring in, for example, contractors. So if you're bringing in contractors you can expire their user account after a certain amount of time; again, very, very useful. Again, the other thing that we've got here is the Profile, so user profiles here, so if you've got a shared folder, I think I did a session on this recently actually, so go ahead and check out that, okay? So that's creating a user and creating a group. So as I've mentioned, this is pretty much the logical aspects of Active Directory.

For the next part we want to take a look at the physical side of Active Directory. Now just to understand what I mentioned, I said that Active Directory is actually a database, and you can see the database by going into the Windows folder on your domain controller's C drive. If you scroll down you'll see a folder here called NTDS, NT Directory Services. So if I click into here, this is the golden ticket, ntds.dit. This is your Active Directory database, and the other things that we've got here are essentially log files and check files. So in essence what happens is, like most databases, when a user is performing transactions in Active Directory, users are logging on, logging off, you're doing maintenance, those operations are taking place in memory. Once they've been in memory they then get written to a log file, and then after the log file reaches a certain size, so for example, what, I don't know, five gigs, let's say, those transactions are then written to Active Directory or to the database. So that's what it is. So Active Directory is a physical database, to understand. Now of course the problems with that are obvious: if I install one Active Directory domain controller, then that's a single point of failure. So one of the great things about Active Directory is that you can have multiple domain controllers. Now in my demo here I've only got one domain controller in my environment, but let me show you what you would do.

So I'm going to go up into Tools here, and for this there are a couple of tools for the physical side. So the first one is Active Directory Sites and Services. Now in our little organization here you can see that if I go into Sites here, we have got a Default-First-Site, okay? So this is my Default-First-Site-Name. I can double-click this, and in here you can see that it says NTDS Settings. Again I can double-click that and we can have a look at it. So at the moment my domain controller is DC1 and it's actually in my default first site, okay? And we can see that you've got various options for caching group membership, for example, which will obviously improve things like performance and so on. So that's the first thing, that's where the domain controller goes. Now you'll remember from the slide at the beginning of this presentation that I talked about intra-site replication and inter-site replication. So basically, if I had multiple domain controllers within this site, and you can see it says Servers, and at the moment I've only got DC1, so if there were other servers in here it would replicate copies of the Active Directory database, and if I double-click this you can see this is the actual settings for that individual domain controller, okay? And as I said, at the moment there's nothing here because, to be honest, there's only one domain controller. All right, now if I just click into the NTDS Settings, and if I go into Properties on that setting, you can see that one thing that you'll notice about Active Directory is that Active Directory, like Azure Active Directory, objects are sometimes represented by what we call a GUID, a globally unique ID, which is this big long hexadecimal number. Now it shows me the connection detail, so within a site of course it uses intra-site, so in other words, if you've got multiple domain controllers they're constantly updating each other, and to be honest you can't control when and how it actually replicates because it's intra-site.

Now if you have multiple sites within your organization, so depending on the size of your company you may want to create another site. So I can come down here, and if I just click into Sites here, for example, and I can come down, I can say, hey, I want to go and create a new site, and I'll call this Oslo, okay? So I'll call it my Oslo site, all right? And it's saying, do you want to use this site link? I'll say yes, that's fine. Now if you don't have this site link at the moment, you can create different links. Now remember that Active Directory was written for a different time, so back in the 1990s we didn't have the scalability and we didn't have the network speeds that we do now, but fortunately now we do. So I'm just going to go ahead, I'm going to click on to that, and you can see it's now created this Oslo site, and it's got a little folder for Servers. So again, what I could do is, if I've got multiple servers here, I could easily move those servers into this site. So I've got two sites. By the way, you can rename that default site if you want to call it something else as well, okay? So that's the first thing from a physical perspective. So as I said, it's a physical database, and you can control the replication by organizing your domain controllers into sites where they're located, and here you can see that this is now inter-site. So that being the case, one of the things you might want to control is how the replication between the domain controllers actually works, and to be honest we've got two choices: you can use IP, which is super fast, because the chances are you're using broadband, or you can use an older protocol, for example SMTP, which is actually an email protocol, and that can be scheduled. So for example, if you happen to have a very slow link you could potentially schedule that. All right, now I mentioned that, so that's the basics, as I said, of inter-site and intra-site, okay? So that's the first thing there.

Now the other tool that I just wanted to show you was Active Directory Domains and Trusts. Now in this example we only have one domain that we're dealing with here, and if I just click into here you can see that this is to do with your domains or your forests. Now when we talk about a forest is, if I installed Active Directory, another copy, another install of Active Directory, it could say, do you want to join this forest or do you want to create what we call a branch? So for example you might create a child domain, so us.adatum.com, india dot, and so on. So we can create those here, all right? Now if I go into Properties you can see that, if I have, this is where you can actually create relationships between other forests. So if you were working with business partners, for example, or you were, let's say, a group of companies, you could establish trust relationships between those organizations, and I'm going to cover this in a future session.

All right, now one really important aspect of Active Directory, ladies and gentlemen, is if I go back into Users and Computers, you'll see that in Users and Computers here I've got a series of organizational units, and here's the one I created earlier. Now if I click into View and go into, let's say, Advanced Features, you'll now notice that I can see an awful lot more, and I'm now actually seeing hidden objects, and one of those hidden objects is LostAndFound. Now if you delete something in Active Directory, obviously it goes to a recycle bin. Well, actually it doesn't, because you need to actually switch this feature on, and you can either switch the feature on via PowerShell or you can go into Tools, and if you go into the Active Directory Administrative Center here, and I've mentioned this previously on one of my videos for deploying Azure AD Connect. So in essence what we do is I click into my local domain here, and again this is just the Admin Center, it's just another viewing tool, and I can manage the various nodes and the various features, but the key thing here is we have this Enable Recycle Bin here, and you can go in and you can switch that on, and the idea of this is if you accidentally now delete any objects they will go to that recycle bin and you can restore your users, okay?

So there we go, just a little look at the logical aspect of Active Directory. We created some users, we created a group, and we looked at the physical side of Active Directory. So there you have it, Active Directory, Windows Server. To be honest, it's a product that's not really changed in many years, but again, like I said at the beginning, it's so important at the moment, especially if you're learning cloud computing, especially if you're going to be learning hybrid, especially the security aspects of it. Well, hey, look, I really appreciate you stopping by. If you've enjoyed the video, give me a big thumbs up, it really does help my channel, and of course if you've not subscribed, go ahead, click on that subscribe button, ring the bell and you won't miss out on future tutorials. And as always I love comments, your questions and any feedback about this or any of my other videos. All right, so that's it for this week. You stay safe and I'll see you next time around. Take care.

Hey, thanks so much for dropping by today. Here's a couple of videos that you may enjoy, and while you're here, go ahead, click on the subscribe button and you won't miss out.
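The same demo done from PowerShell, as an added example that is not Andy's own script: it creates the Operations OU, the two users with surname.initial logon names and UPNs, the Ops Managers group, the logon-hours and account-expiry settings from the Account tab, the Oslo site, and enables the Recycle Bin. It assumes the adatum.com domain from the video, the ActiveDirectory module (RSAT) in a session with rights to create these objects; the logon-hours helper, the 60-minute replication interval and the 90-day contractor term are assumptions for illustration.

```powershell
# Added example, not code from the video: the objects created in the demo,
# built with the ActiveDirectory PowerShell module instead of the Users and
# Computers / Sites and Services consoles. Assumes the adatum.com domain
# from the video and a session with rights to create these objects.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName      # e.g. DC=adatum,DC=com
$upnSuffix = $domain.DNSRoot                # e.g. adatum.com

# 1. The Operations OU, protected from accidental deletion as in the demo.
$ouDn = "OU=Operations,$domainDn"
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Operations)' -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Operations' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Two users: surname.initial as the logon name, plus a UPN for cloud-style sign-in.
#    Initial passwords are prompted for rather than written into the script.
$users = @(
    @{ Given = 'Jean-Luc'; Surname = 'Picard'; Sam = 'picard.j' },
    @{ Given = 'James';    Surname = 'Kirk';   Sam = 'kirk.j'   }
)
foreach ($u in $users) {
    $initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $($u.Sam)"
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@$upnSuffix" -Path $ouDn `
        -AccountPassword $initialPassword -Enabled $true -ChangePasswordAtLogon $true
}

# 3. A global security group; permissions get assigned to the group, not to users.
New-ADGroup -Name 'Ops Managers' -SamAccountName 'OpsManagers' -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity 'OpsManagers' -Members 'picard.j', 'kirk.j'

# 4. Logon hours (Account tab). logonHours is a 21-byte mask: 168 bits, one per
#    hour, Sunday 00:00 first, least-significant bit first, and AD reads it in
#    UTC (the console converts from local time for you; this helper does not).
function New-LogonHoursMask {
    param([int]$AllowFromHour, [int]$AllowUntilHour)   # assumed helper; window applies every day
    $mask = New-Object byte[] 21
    for ($day = 0; $day -lt 7; $day++) {
        for ($hour = $AllowFromHour; $hour -lt $AllowUntilHour; $hour++) {
            $bit = $day * 24 + $hour
            $mask[$bit -shr 3] = $mask[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$mask
}
# Deny midnight to 06:00 and 20:00 to midnight as in the demo, i.e. allow 06:00-20:00 only.
Set-ADUser -Identity 'picard.j' -Replace @{ logonHours = (New-LogonHoursMask -AllowFromHour 6 -AllowUntilHour 20) }

# 5. Account expiry for a contractor (kirk.j stands in as the contractor; 90 days is assumed).
Set-ADAccountExpiration -Identity 'kirk.j' -DateTime (Get-Date).AddDays(90)

# 6. Physical side: a second site on the default IP site link with a replication
#    interval. Inter-site replication is scheduled; intra-site replication is not.
if (-not (Get-ADReplicationSite -Filter "Name -eq 'Oslo'")) {
    New-ADReplicationSite -Name 'Oslo'
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'Oslo' } -ReplicationFrequencyInMinutes 60
}

# 7. Where this DC keeps the database file (the ntds.dit shown in the video).
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'

# 8. The Recycle Bin is off by default; enabling it is forest-wide and cannot be undone.
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $upnSuffix -Confirm:$false
}
```

Run it on a domain controller or a management host with RSAT; step 8 needs Enterprise Admins rights and a forest functional level of Windows Server 2008 R2 or higher.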
Info
Channel: Andy Malone MVP
Views: 532,247
Id: 85-bp7XxWDQ
Length: 36min 25sec (2185 seconds)
Published: Sat Mar 19 2022