Active Directory is a hierarchical database that holds information about the network’s resources such as computers, servers, users, groups and more. The main purpose of Active Directory is to provide central authentication and authorization services. Normal administrative tasks when working with Active Directory include creating, managing, moving, editing and sometimes – deleting – various objects such as user accounts, computer accounts, groups, contacts and other objects. The Active Directory database is stored on Domain Controllers (or DCs), in a file called NTDS.DIT.
Installing Active Directory is not all that difficult. However, once you get it installed, there is still plenty of work that needs to be done. The first stage of configuration of Active Directory is securing it. There are many areas that need attention and many settings that need to be altered to prepare it for secure action on your network. Let’s take a look at the initial settings that you should make to get Active Directory secure for your network before you dive into setting up the entire structure.
Active Directory Partitions
Installing Active Directory is not all that difficult. However, once you get it installed, there is still plenty of work that needs to be done. The first stage of configuration of Active Directory is securing it. There are many areas that need attention and many settings that need to be altered to prepare it for secure action on your network. Let’s take a look at the initial settings that you should make to get Active Directory secure for your network before you dive into setting up the entire structure.
- Create a second administrative account for regular use.
- Set a complex and long password for the Administrator account.
- Rename the default Administrator account to some deceptive name.
- Set Password Policy in Default Domain Policy.
- Set Account Lockout Policy in Default Domain Policy.
- Create Organizational Unit(s) for User and Computer Accounts.
- Configure DNS properly to Forward queries and enable only secure dynamic updates.
- Use Best Practice Analyzer (BPA) for every Server Role (available in Windows Server 2008 R2 and above).
The AD database is divided up into partitions for replication and administration. Each Domain Controller has a copy of the Active Directory database store in a file called NTDS.DIT. The data in this file is divided into partitions. The partition type determines how it will be replicated throughout the forest.
1. Domain Partition: This partition is replicated only to Domain Controllers in that domain. Active Directory Users and Computers obtains it data from this partition.
2. Global Catalog Partition: The partition contains a partial replica of all objects in the domain. It is replicated to all Global Catalog Servers in the forest. It is also referred to as Partial Attribute Set (PAS).
3. Schema Partition: Schema partition defines what can be stored in the Active Directory database. It essentially defines the layout of the database. The schema partition is replicated to all Domain Controllers in the forest.
4. Configuration Partition: This partition contains configuration information for the whole forest. For example, it contains information about sites in the forest and partition defined in the Active Directory database. This partition is replicated to all Domain Controllers in the forest.
5. Application Partition: The application partition is created by Applications to store their data. It is different from any other partition in that the application can choose which Domain Controller or Controllers to store the data on. The advantage for the application storing the data this way is that the application has access to the same replicate and fault tolerance used by the Domain Controllers. An example of an Application is DNS Integrated Active Directory Zones.
Read more about Windows Active Directory Domain Services
4. Configuration Partition: This partition contains configuration information for the whole forest. For example, it contains information about sites in the forest and partition defined in the Active Directory database. This partition is replicated to all Domain Controllers in the forest.
5. Application Partition: The application partition is created by Applications to store their data. It is different from any other partition in that the application can choose which Domain Controller or Controllers to store the data on. The advantage for the application storing the data this way is that the application has access to the same replicate and fault tolerance used by the Domain Controllers. An example of an Application is DNS Integrated Active Directory Zones.
Read more about Windows Active Directory Domain Services