Administering Windows Server Hybrid Core Infrastructure AZ-800 Exam Guide

You're reading from Administering Windows Server Hybrid Core Infrastructure AZ-800 Exam Guide: Design, implement, and manage Windows Server core infrastructure on-premises and in the cloud

Product type: Paperback
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781803239200
Length: 502 pages
Edition: 1st Edition
Author: Steve Miles
Table of Contents

Preface
Part 1: Hybrid Identity
  Chapter 1: Implementing and Managing Active Directory Domain Services (free chapter)
  Chapter 2: Implementing and Managing Azure Active Directory Domain Services
  Chapter 3: Managing Users and Computers with Group Policy
  Chapter 4: Implementing and Managing Hybrid Identities
Part 2: Hybrid Networking
  Chapter 5: Implementing and Managing On-Premises Network Infrastructure
  Chapter 6: Implementing and Managing Azure Network Infrastructure
Part 3: Hybrid Storage
  Chapter 7: Implementing Windows Server Storage Services
  Chapter 8: Implementing a Hybrid File Server Infrastructure
Part 4: Hybrid Compute
  Chapter 9: Implementing and Managing Hyper-V on Windows Server
  Chapter 10: Implementing and Managing Windows Server Containers
  Chapter 11: Managing Windows Server Azure Virtual Machines
  Chapter 12: Managing Windows Server in a Hybrid Environment
  Chapter 13: Managing Windows Servers Using Azure Services
Part 5: Exam Prep
  Chapter 14: Exam Preparation Practice Tests
Index
Other Books You May Enjoy

What is Active Directory Domain Services?

AD DS is organized as a distributed and searchable hierarchical directory that controls access to network resources and allows settings and configurations to be applied through policies.

AD DS is a server role installed on Windows Server and is included with the operating system (OS); no software needs to be downloaded. A server with an installed AD DS role is referred to as a domain controller (DC).
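The following PowerShell is an added example, not code from the book, showing how the role described above is installed and the server promoted to the first domain controller of a new forest. It assumes a fresh, non-domain-joined Windows Server run as the local Administrator; the forest name corp.example.com and the NetBIOS name CORP are hypothetical placeholders.

```powershell
# Added example (not from the book): install the AD DS role and promote this
# server to the first DC of a new forest.
# Assumptions: fresh, domain-less Windows Server with a static IP address, run
# as local Administrator. corp.example.com / CORP are hypothetical names.

# 1. Install the role binaries. Nothing is downloaded; the feature ships with
#    the OS. -IncludeManagementTools adds the ActiveDirectory module and ADUC.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The DSRM password is a break-glass credential for offline directory
#    recovery; prompt for it rather than embedding it in the script.
$dsrmPwd = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# 3. Dry run: validate prerequisites (DNS, disk, name resolution, mode support)
#    before anything is changed on the server.
$check = Test-ADDSForestInstallation -DomainName 'corp.example.com' `
    -SafeModeAdministratorPassword $dsrmPwd -InstallDns -Force
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'AD DS prerequisite check failed; fix the issues above before promoting.'
}

# 4. Promote. -Force suppresses the confirmation prompt; the server reboots
#    automatically when promotion completes.
Install-ADDSForest -DomainName 'corp.example.com' -DomainNetbiosName 'CORP' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
    -SafeModeAdministratorPassword $dsrmPwd -InstallDns -Force

# 5. After the reboot, confirm the server now answers as a DC and global catalog.
#    (Run this line in a new session once the machine is back up.)
# Get-ADDomainController | Select-Object HostName, Domain, IsGlobalCatalog, OperatingSystem
```

The dry run is the step most often skipped: Test-ADDSForestInstallation reports the same validation failures Install-ADDSForest would, without touching the server, so a failed check costs nothing to fix.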

AD DS provides access to resources by authenticating security principals (users, computers, and services) and authorizing their access to domain objects and resources.

Accessing domain resources is based on a two-stage concept that consists of authenticating and then authorizing; in a nutshell, it involves identifying who you are and determining what you can do:

  • Authentication, also referred to as AuthN, is the identity component; it is the process of establishing the identity of a person (or service) and proving they are who they say they are. This can be done by validating access credentials against stored or known identifying information.
  • Authorization, also referred to as AuthZ, is the access component; it is the process of establishing what level of access the authenticated person (or service) has to the resource, what they can access, and what actions they may take.

The concept of authenticating and authorizing is shown in the following diagram:

Figure 1.1 – Understanding authentication and authorization


The terms Active Directory and Domain Services (abbreviated to their short forms of AD and DS) are often used interchangeably to mean the same thing. When people refer to AD, they often mean just the DS component, mainly since it is the most common and foundational identity and access management service component to be implemented.

For this book and the exam, we will refer to AD in the context of the DS component only; we will refer to it simply as AD DS for brevity. For additional learning content on the other services that are part of AD, please refer to the Further reading section at the end of this chapter.

AD DS holds a set of objects, such as user accounts, together with their attributes, such as credential data (a user's password is stored as a hash in a protected attribute, not in cleartext) and the security descriptor that records who may do what to the object. This store can be queried to validate an identity and its access rights to a resource in the domain, where the resource is itself created as an object in the information store database. This is shown in the following diagram:

Figure 1.2 – Domain resource access


AD DS functions by classifying everything stored in its information store (database) as an object. Objects can be user accounts, computer accounts, groups (security principals), printers, network appliances, applications, or services. These objects are hierarchical, meaning that objects can contain other nested objects; these types of objects are called containers. We will look at these terms in more detail later in this chapter.

Each object stored in the database has a set of attributes that match the object's class; which attributes a class may carry is defined in the schema. The directory's information store is a database with an extensible schema, so attributes can be added to suit business requirements. Being a directory service means every object can be searched, queried, access controlled, managed, and configured in a centralized and policy-driven manner.

The foundation of identity and access management (IAM) is that access to objects is controlled through role-based access control (RBAC) and the principle and practice of least privilege. This means providing the proper scope of control: just enough access to perform a required task, without granting elevated rights that give a broader scope than needed and that would enable lateral movement if the account were compromised. In AD DS, the control mechanism is the access control list (ACL) on each object, with security groups used to scope those permissions to identities; Group Policy, covered in Chapter 3, applies settings and configuration rather than resource permissions.
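As an added example that is not the book's own code, the following PowerShell shows the authorization half of the two-stage model described earlier and the least-privilege delegation this paragraph calls for: a helpdesk group is granted only the Reset Password extended right on user objects under one OU, and the OU's ACL is then reviewed for grants that amount to full control. It assumes a host with the RSAT ActiveDirectory module, run as a Domain Admin; the OU "Helpdesk Users" and the group "Helpdesk-PwReset" are hypothetical.

```powershell
# Added example (not from the book): delegate one extended right on an OU to a
# helpdesk group (least privilege), then review the OU's ACL for grants that
# are effectively full control.
# Assumptions: run as a Domain Admin on a host with the RSAT ActiveDirectory
# module; the OU and group below are hypothetical names.
Import-Module ActiveDirectory

$ouDn    = 'OU=Helpdesk Users,DC=corp,DC=example,DC=com'   # hypothetical OU
$group   = Get-ADGroup 'Helpdesk-PwReset'                   # hypothetical group
$rootDse = Get-ADRootDSE

# Resolve GUIDs from the directory instead of hard-coding them:
#  - rightsGuid of the "Reset Password" control access right
#  - schemaIDGUID of the "user" class, so the ACE applies to user objects only
$resetPwdGuid = [guid](Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID

# One ACE: Allow ExtendedRight(Reset Password), inherited by descendant user
# objects only. No GenericAll, no WriteDacl: the group can reset passwords and
# nothing else.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: who holds rights on this OU that amount to full control?
# GenericAll, WriteDacl and WriteOwner let the holder grant themselves anything,
# so any non-administrative principal listed here is an over-broad delegation
# and a lateral-movement path if that account is compromised.
$fullControlRights = 'GenericAll', 'WriteDacl', 'WriteOwner'
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights.ToString() -split ', ' |
            Where-Object { $fullControlRights -contains $_ })
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType |
    Format-Table -AutoSize
```

Resolving the rightsGuid and schemaIDGUID at run time keeps the script correct in forests with extended schemas, and the final query is the same check to run periodically against every OU that has ever been delegated: the helpdesk group should appear only with ExtendedRight, never in this list.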

AD DS comprises a logical structure that often maps to the organization’s operating model and a physical structure that should map to the network topology.

The following can be considered as the logical components:

  • Domain
  • Domain tree
  • Forest
  • OU
  • Partition
  • Schema
  • Container

The following can be considered as the physical components:

  • Data store
  • Global catalog
  • Domain controller
  • Read-only domain controller
  • Site
  • Subnet

These components will be covered in more detail later in this chapter.
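Before those sections, the following added PowerShell (not from the book) enumerates each of the logical and physical components listed above from a live directory, so the terms can be matched to real objects. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example (not from the book): inventory the logical and physical AD DS
# components from the directory itself.
# Assumption: domain-joined host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest
$domain  = Get-ADDomain

# --- Logical structure: forest, domain tree(s), domain, partitions, schema ---
"Forest root domain : $($forest.RootDomain)  (forest mode $($forest.ForestMode))"
"Domains in forest  : $($forest.Domains -join ', ')"
"This domain        : $($domain.DNSRoot)  (NetBIOS $($domain.NetBIOSName))"
"Partitions (naming contexts):"
$rootDse.namingContexts | ForEach-Object { "  $_" }
$schemaVer = (Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
"Schema objectVersion: $schemaVer"

# --- Containers and OUs directly beneath the domain root ---
"Top-level containers and OUs:"
Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
    ForEach-Object { "  $($_.ObjectClass.PadRight(20)) $($_.Name)" }

# --- Physical structure: DCs (GC / RODC flags), sites and subnets ---
"Domain controllers:"
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

"Sites and subnets:"
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
Get-ADReplicationSite -Filter * | ForEach-Object {
    $site = $_
    $names = $subnets |
        Where-Object { $_.Site -eq $site.DistinguishedName -or $_.Site -eq $site.Name } |
        Select-Object -ExpandProperty Name
    "  $($site.Name): $(if ($names) { $names -join ', ' } else { '(no subnets)' })"
}

# Check: FSMO roles belong on writable DCs; an RODC should never appear here.
$fsmo = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
          $forest.SchemaMaster, $forest.DomainNamingMaster) | Sort-Object -Unique
"FSMO role holders  : $($fsmo -join ', ')"
```

Sites with no subnets are worth flagging: clients in an unmapped subnet pick a DC at random, which defeats the purpose of a physical structure that is meant to map to the network topology.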

This section introduced DS, one of AD's services, which provides a centralized mechanism for authenticating identities and authorizing their access to resources in a domain.

In summary, AD DS is built around a directory service that is a replicated information store (database) for all domain objects. It primarily provides authentication and authorization for access to domain objects, and a central point for their configuration and management.
