Active Directory Features


So why do we need Active Directory at all? Can't we just live a happy life without AD concepts and avoid the stress of reading all these blogs, books, videos, certifications and so on? To be honest, AD is a really interesting topic: it has changed the style of administration a lot, improved security and centralized authentication. It lets you take control over an entire forest or domain with a single click. You can immediately enforce a new security policy forest-wide, change the functional level of your infrastructure, join and remove domains, and much more.

As you work with Active Directory, you should understand the following concepts:

Global Catalog

The Global Catalog (GC) is a database that contains a partial replica of every object from every domain in the forest: every object is present, but only a subset of its attributes (the partial attribute set) is replicated. A domain controller that holds a copy of the Global Catalog is a global catalog server; it answers GC queries on LDAP port 3268 (3269 for LDAPS), separate from the normal LDAP ports 389/636. The Global Catalog makes forest-wide searches faster because a query can be answered by one server instead of being referred to a domain controller in each domain. It is also needed at logon to expand universal group membership, and because the default AD permissions let any authenticated user read most object attributes, it is the first place an attacker with a low-privileged domain account goes to enumerate users and groups across the whole forest.


Master Roles

Operations master roles, also referred to as Flexible Single-Master Operation (FSMO) roles, are specialized domain controller tasks assigned to one domain controller in the domain or forest. They exist because certain domain-wide and enterprise-wide operations are not well suited to the multi-master replication that Active Directory uses to replicate objects and attributes. A domain controller that performs an operations master role is known as an operations master or operations master role owner.

The following roles are forest roles, meaning that exactly one domain controller in the entire forest holds each of them:

    The schema master maintains the Active Directory schema for the forest. Only this DC accepts schema changes, so it is the only place where a broken or malicious schema extension can be introduced.

    The domain naming master adds new domains to and removes existing domains from the forest.

The following roles are domain roles, meaning that one domain controller in each domain holds each of them:

    The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that domain controllers use when creating new security principals (such as user, group, or computer accounts). A RID appended to the domain SID forms the principal's SID.

    The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) for down-level clients and performs other tasks normally associated with an NT domain controller: it is the authoritative time source for the domain, receives urgent replication of password changes and is consulted when a password check fails on another DC, processes account lockouts, and is the domain controller on which Group Policy edits are made by default.

    The infrastructure master keeps cross-domain object references up to date, for example the name and SID of a group member that lives in another domain. In a forest with more than one domain it must not run on a global catalog server unless every DC in that domain is also a global catalog, otherwise those references are never updated.

As you install or remove domain controllers, you will need to be aware of which domain controllers hold these roles.
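The check that follows is an added example, not code from the original post: it enumerates the five role holders across the forest, pings each one, and tests the infrastructure master / global catalog conflict described above. It assumes a domain-joined session with the RSAT ActiveDirectory module; all names are read from the live forest, nothing is hard-coded.

```powershell
# Added example: enumerate FSMO role holders forest-wide and sanity-check them.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$holders = @()
$holders += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
$holders += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

# The three domain roles exist once per domain, so walk every domain in the forest.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $holders += [pscustomobject]@{ Scope = $domainName; Role = $role; Holder = $domain.$role }
    }
}

# Report each holder and whether it answers on the network; a dead role holder
# blocks schema changes, domain adds, RID allocation or password propagation.
foreach ($h in $holders) {
    $online = Test-Connection -ComputerName $h.Holder -Count 1 -Quiet
    '{0,-24} {1,-20} {2,-40} online={3}' -f $h.Scope, $h.Role, $h.Holder, $online
}

# Infrastructure master check: only matters in a multi-domain forest. If the
# holder is a GC while some DCs in the domain are not, cross-domain references
# (e.g. foreign group members) silently stop being updated.
if ($forest.Domains.Count -gt 1) {
    foreach ($domainName in $forest.Domains) {
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        $im     = (Get-ADDomain -Identity $domainName).InfrastructureMaster
        $imIsGc = ($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
        $allGc  = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        if ($imIsGc -and -not $allGc) {
            Write-Warning "$domainName : infrastructure master $im is a GC but not every DC in the domain is a GC"
        }
    }
}
```

The classic one-liner for the same inventory is `netdom query fsmo`; the script above adds the reachability and GC checks that the one-liner does not give you.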

Time Service

The Windows Time service (W32Time, managed with the w32tm.exe command-line tool) provides network date and time synchronization for computers in an Active Directory domain. The Windows Time service:

    Is an essential component of Kerberos authentication, file timestamps, and data replication. Kerberos authenticators carry a timestamp, and by default a domain controller rejects any request whose clock differs from its own by more than 5 minutes (the "Maximum tolerance for computer clock synchronization" Kerberos policy setting), so a drifting clock turns into failed logons.

    Is installed by default in the %Systemroot%\System32 folder during operating system setup and installation.

    Uses the Network Time Protocol (NTP) to synchronize computer clocks on the network so that an accurate clock value, or time stamp, can be assigned to network validation and resource access requests.

    Integrates NTP and time providers, making it reliable and scalable in an enterprise environment. In a domain the providers form a hierarchy: members synchronize from the domain controller that authenticates them, domain controllers synchronize from the PDC emulator of their domain, child-domain PDC emulators synchronize from a domain controller in the parent domain, and the PDC emulator of the forest root domain sits at the top and should itself be synchronized with a reliable external source.

    Is backwards compatible with Simple Network Time Protocol (SNTP), which is an older protocol used in some versions of Windows.
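As an added example (not from the original post), the following PowerShell checks where the local machine gets its time from and measures its offset against the forest-root PDC emulator, flagging anything that would exceed the Kerberos default tolerance. It assumes the RSAT ActiveDirectory module is present and that the 5-minute default has not been changed by policy; the PDC name is looked up rather than assumed.

```powershell
# Added example: compare this host's clock with the forest-root PDC emulator,
# the top of the domain time hierarchy, and warn if the skew approaches the
# Kerberos limit. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$pdc        = $rootDomain.PDCEmulator

# Where does this host think time comes from? A domain member should name a DC
# (NT5DS hierarchy); the forest-root PDC emulator should name an external source.
w32tm /query /source

# Sample the PDC emulator; /dataonly prints one "time, offset" line per sample,
# e.g. "14:23:05, +00.0012345s" (offset relative to the remote clock).
$samples = w32tm /stripchart /computer:$pdc /samples:5 /dataonly

# Kerberos policy default: 5 minutes. Assumed unchanged here; read the effective
# policy (gpresult / secedit) if your domain sets a different value.
$maxSkewSeconds = 300

foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') {
        $offset = [double]$Matches[1]
        if ([math]::Abs($offset) -gt $maxSkewSeconds) {
            Write-Warning ("Offset {0:N3}s from {1} exceeds the Kerberos clock tolerance; logons will fail" -f $offset, $pdc)
        } else {
            "Offset {0:N3}s from {1}" -f $offset, $pdc
        }
    }
}
```

To look at every domain controller at once use `w32tm /monitor`, and to force an immediate correction on a drifted member run `w32tm /resync` in an elevated prompt.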

Functional Levels

A functional level is a set of operational constraints that determine which functions an Active Directory domain or forest can perform. A functional level defines:

    Which Active Directory Domain Services (AD DS) features are available to the domain or forest. Several of these are security features: for example, fine-grained password policies, AES support for Kerberos and DFS Replication of SYSVOL all require the Windows Server 2008 domain functional level.

    Which Windows Server operating systems can be run on domain controllers in the domain or forest. Functional levels do not affect which operating systems you can run on workstations and servers that are joined to the domain or forest.

Windows Server 2008 or Windows Server 2008 R2 supports the following domain functional levels:

Windows 2000 Native

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2 (all domain controllers in the domain must run Windows Server 2008 R2)

Windows Server 2008 or Windows Server 2008 R2 supports the following forest functional levels:

Windows 2000

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2 (all domain controllers in the forest must run Windows Server 2008 R2)

Note: You cannot have Windows NT domain controllers and Windows Server 2008 or Windows Server 2008 R2 domain controllers in the same forest. Raising a functional level cannot normally be undone, so check the operating system of every domain controller before you do it.
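The following pre-flight check is an added example and not part of the original post. It prints the current forest and domain modes, lists every DC with its operating system, and only then offers to raise the domain to the target level, refusing if any DC is too old for it. The target level is a placeholder; the domain is whichever one the session belongs to. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example: pre-flight check before raising a domain functional level.
# Requires the RSAT ActiveDirectory module. $targetMode is a placeholder value
# from the ADDomainMode enum; change it to the level you actually want.
Import-Module ActiveDirectory

$targetMode = 'Windows2008R2Domain'
$domain     = Get-ADDomain

"Forest mode : {0}" -f (Get-ADForest).ForestMode
"Domain mode : {0}" -f $domain.DomainMode

# Every DC in the domain, with the attributes that matter for the decision.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, OperatingSystem, IsGlobalCatalog, IsReadOnly | Format-Table -AutoSize

# The 2008 R2 level needs every DC on 2008 R2 or later. The regex matches
# 2000, 2003 and plain 2008 but not "2008 R2".
$tooOld = $dcs | Where-Object { $_.OperatingSystem -match '2000|2003|2008 (?!R2)' }

if ($tooOld) {
    Write-Warning "Cannot raise to $targetMode while these DCs are in the domain:"
    $tooOld | ForEach-Object { "  {0}  {1}" -f $_.HostName, $_.OperatingSystem }
} else {
    # Raising cannot normally be undone; -WhatIf shows the change without
    # applying it. Drop -WhatIf once you are sure.
    Set-ADDomainMode -Identity $domain.DistinguishedName -DomainMode $targetMode -WhatIf
}
```

The same pattern applies to the forest level with `Get-ADForest`, `Get-ADDomainController -Filter * -Server <each domain>` and `Set-ADForestMode`.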

Group Policy

A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). A GPO has two parts that share the same GUID: the Group Policy Container, an object in Active Directory under CN=Policies,CN=System that holds version numbers, status and the list of links, and the Group Policy Template, a folder under \\<domain>\SYSVOL\<domain>\Policies\{GUID} that holds the registry settings, scripts, administrative templates and software-specific configuration values. Because SYSVOL is readable by every authenticated user, the contents of every GPO can be read by anyone with a domain account; only the right to edit or link a GPO is restricted, and those rights are worth auditing because a GPO applies to every user and computer it is linked to.

Group Policy is an important component of Active Directory because through Group Policy you can centrally manage and enforce desktop and other settings for users and computers within your organization. For example, with Group Policy you can:

Enforce a common desktop for users

Remove desktop components, such as preventing access to the Control Panel

Restrict what actions users can perform, such as preventing users from shutting down the system

Automatically install software

Dynamically set registry settings required by applications
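The audit below is an added example, not code from the original post. For every GPO in the domain it prints the status and the SYSVOL folder that holds its template, then warns about any trustee outside an expected set that holds edit rights on it. The list of expected editors is an assumption to be adjusted per environment; it assumes the RSAT GroupPolicy module.

```powershell
# Added example: who can edit each GPO? Requires the RSAT GroupPolicy module.
# $expectedEditors is an assumption; extend it with your own delegated groups.
Import-Module GroupPolicy

$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')
$editLevels      = @('GpoEdit', 'GpoEditDeleteModifySecurity')

foreach ($gpo in Get-GPO -All) {
    # The Group Policy Container lives in AD ($gpo.Path); the Group Policy
    # Template is the SYSVOL folder named after the same GUID.
    $sysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"

    "{0,-40} status={1,-22} {2}" -f $gpo.DisplayName, $gpo.GpoStatus, $sysvol

    # Any edit-level permission held by someone not in the expected set is
    # effectively control over everything the GPO is linked to.
    $unexpected = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editLevels -contains $_.Permission -and
                       $expectedEditors -notcontains $_.Trustee.Name }

    foreach ($p in $unexpected) {
        Write-Warning ("  {0} has {1} on '{2}'" -f $p.Trustee.Name, $p.Permission, $gpo.DisplayName)
    }
}
```

To see what a given GPO actually sets, export it with `Get-GPOReport -Guid <id> -ReportType Html -Path report.html`; to see which policies ended up applied to a particular machine or user, run `gpresult /r` there.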

