Active Directory Flashcards
What is an Active Directory?
Active Directory (AD) is an essential component for managing network systems within many business environments.
Simple Explanation:
Active Directory (AD) is like the control center for a company’s IT network.
Imagine a company with hundreds of employees, computers, and printers. Instead of managing them one by one, AD acts like a centralized system that:
✔ Controls user accounts (who can log in and what they can access)
✔ Manages devices (computers, printers, servers, etc.)
✔ Handles security (password rules, access permissions, authentication)
Why is AD Important?
Without AD, IT admins would have to manually create accounts and set permissions on each individual computer, which would be a nightmare in large organizations.
AD makes everything easier by allowing administrators to:
Manage all users and computers from one place
Enforce security policies across the network
Ensure employees can access the right resources without hassle
Bottom Line:
Active Directory is like a digital manager for a company’s IT systems, making sure everything runs smoothly and securely!
How do you describe AD at its core?
At its core, AD provides a centralized platform for organizing, managing, and securing network resources, including computers, user accounts, and other assets.
Why is AD a cornerstone of Windows networks?
Developed by Microsoft, AD is a cornerstone of many enterprise-level Windows networks, offering a range of features that facilitate efficient administration of IT resources.
Why do I need to study AD?
Understanding AD is crucial for anyone aspiring to work in network administration, system administration, or IT support.
Why is Active Directory called a “directory service”?
Imagine a big phonebook that has all the names, phone numbers, and addresses of everyone in your school. But instead of just students, it also includes teachers, classrooms, computers, and even rules about who can enter certain rooms.
Active Directory is like that phonebook, but for a company’s computers and users. It keeps track of who can log in, what they can access, and helps computers find each other on the network. Since it organizes and “serves” this information like a directory, it’s called a directory service.
As a directory service, it serves as a centralized database that stores information about objects within the network, such as users, groups, computers, and printers.
Why does AD allow administrators to manage permissions and access to network resources effectively if it’s only like a phone book?
If Active Directory were just a simple phonebook, it would only store information. But it’s actually more than a phonebook—it’s like a smartphone contacts app that also lets you control who can call, text, or access certain apps.
Active Directory doesn’t just list users and devices; it also manages them. Administrators can set rules (called Group Policies) that control what users can do, like:
Who can log into which computer
Which files or apps a user can access
When a user’s password should expire
So, while it works like a directory for storing information, it also acts as a gatekeeper, ensuring only the right people get access to the right things.
Why is one of the significant advantages of using AD its ability to streamline the management of a large number of resources and users?
Imagine a school with 1,000 students and 100 teachers. If every teacher had to manually approve each student’s access to classrooms, computers, and books, it would be a nightmare!
Active Directory (AD) makes managing a large number of users and resources easier by:
- Centralized Control – Instead of setting permissions on each computer separately, admins can control everything from one place.
- Group Policies – Rules can be applied to groups of users instead of one by one (e.g., all employees in HR get access to HR files).
- Automation – When a new employee joins, AD can automatically give them the right access based on their role.
Without AD, managing thousands of users would require too much manual work, increasing errors and security risks.
Administrators can do what on AD?
Administrators can create and manage user accounts, assign and enforce security policies, and automate tedious administrative tasks.
What other things can admins do in AD?
Here are more things administrators can do in Active Directory (AD):
Organize users and devices – Use Organizational Units (OUs) to group users, computers, and other resources logically.
Manage computers and servers – Join computers to the domain, apply security policies, and control remote access.
Control access to network resources – Set permissions for shared folders, printers, and applications so only authorized users can access them.
Enable Single Sign-On (SSO) – Allow users to log in once and access multiple systems without needing separate passwords.
Monitor and audit activity – Track user logins, failed access attempts, and security events for compliance and troubleshooting.
Integrate with cloud services – Sync users with Azure AD for cloud-based authentication and hybrid environments.
AD is like a central control hub for IT teams to manage everything related to users, devices, and security in a company.
How does AD’s hierarchical structure make it scalable and suitable for organizations of various sizes, from small businesses to large corporations?
Let’s break it down with a simple analogy.
Imagine Active Directory (AD) is like a company’s filing system, and the company is growing. If it only had 10 employees, it could keep everything in one filing cabinet. But as it grows to thousands of employees across different locations, a hierarchical structure helps keep everything organized and scalable.
- Organizational Units (OUs) – Filing Drawers
Think of OUs as filing drawers. Each department (HR, IT, Sales) gets its own drawer, making it easy to apply specific rules to them.
A small company might have one drawer (just one OU).
A large corporation can have many drawers (multiple OUs) with different rules.
- Domains – Filing Cabinets
A domain is like a filing cabinet that holds all the drawers (OUs).
A small business might need only one cabinet (one domain).
A large company with offices in different countries might have multiple cabinets (multiple domains) for better organization.
- Trees and Forests – A Whole Room of Cabinets
Now, imagine the company expands even more and has multiple filing rooms, each with cabinets for different departments or locations.
A tree is a group of related domains (filing cabinets).
A forest is a collection of multiple trees (multiple rooms full of cabinets), all connected under one system.
Why This Makes AD Scalable
A small business can start with one cabinet (domain) and one drawer (OU).
As the company grows, it can add more drawers (OUs), cabinets (domains), or entire filing rooms (forests) without breaking the system.
AD allows centralized management, so no matter how big the company gets, admins can still control everything efficiently.
This structured approach keeps things organized, secure, and easy to manage, no matter the size of the company.
What is an “object”?
Like “AD stores information about objects on the network and makes this information easy for administrators and users to find and use.”
In Active Directory (AD), an object is any item that is stored in the directory. Think of an object as a single entry in a database that represents something in the network.
Examples of AD Objects:
Users – Employee accounts (e.g., John Doe, HR Manager).
Computers – Workstations or servers (e.g., HR-Computer-01).
Groups – Collections of users with shared permissions (e.g., IT Admins).
Printers – Network printers (e.g., Office-Printer-01).
Shared Folders – File locations accessible by multiple users.
Why Objects Matter
Each object has attributes (details about it). For example:
A user object has a username, email, department, and password.
A computer object has a name, IP address, and OS version.
AD stores, organizes, and manages these objects, making it easy for admins to control access, enforce security, and automate tasks in a network.
What is a Domain?
In Active Directory (AD), a domain is a collection of users, computers, and resources that are managed under a single network.
Think of a Domain Like a School
Imagine a school where:
Students (users) and teachers (admins) belong to the same school.
There are rules about who can access certain classrooms and computers.
Everything is managed centrally by the school’s administration.
A domain in AD works the same way:
It groups users, computers, and resources under one management system.
Admins can set policies and security rules for everyone in the domain.
Users can log in once and access shared files, printers, or applications across the network (Single Sign-On).
Example of a Domain Name:
If a company is called TechCorp, its domain could be TechCorp.com.
A user’s login might be JohnD@TechCorp.com.
A computer in the network might be named Workstation1.TechCorp.com.
Why Domains Are Useful
Centralized Management – One place to manage users, computers, and permissions.
Security & Access Control – Only authorized users can access resources.
Scalability – A small company can start with one domain, while a global company can have multiple interconnected domains.
So, a domain is like a secure boundary where everything inside is controlled by AD policies.
What is a Domain Controller?
A Domain Controller (DC) is a server that runs Active Directory and manages the domain. It is the brain of the domain, responsible for handling logins, security policies, and directory lookups.
Think of a Domain Controller Like a School Principal
In a school:
The principal (DC) decides who can enter the school.
Students and teachers (users) must check in with the principal to get permission to access classrooms, books, or computers.
The principal enforces school rules (security policies).
In a domain:
The DC verifies user logins (checks usernames and passwords).
It stores and manages Active Directory objects (users, computers, groups, etc.).
It enforces security policies (e.g., password rules, access permissions).
Key Functions of a Domain Controller:
✔ Authentication – Checks if a user’s login details are correct.
✔ Authorization – Decides what resources (files, printers, apps) a user can access.
✔ Replication – If there are multiple DCs, they share data to stay updated.
✔ Policy Enforcement – Applies Group Policies (e.g., password rules, software restrictions).
Why a Domain Controller is Important
Without a DC, users wouldn’t be able to log in to the network.
If there’s only one DC and it fails, the whole domain stops working—which is why large companies have multiple DCs for redundancy.
So, a Domain Controller is the heart of an Active Directory domain, making sure everything runs smoothly and securely.
What is an Organizational Unit?
An Organizational Unit (OU) is a container inside a domain that groups users, computers, and other objects for easier management.
Think of an OU Like a Folder in a Filing Cabinet
Imagine a company as a filing cabinet (domain), and inside, there are separate folders for different departments:
HR (users and computers related to HR)
IT (users, computers, and servers for IT staff)
Sales (salespeople and their devices)
Each folder represents an OU, helping administrators:
✔ Organize users and devices logically (instead of having everything in one big list).
✔ Apply different security policies to each department (e.g., only IT can install software).
✔ Delegate control (e.g., HR managers can reset passwords for HR employees without affecting IT).
Why OUs Are Useful
Simplifies administration – No need to manage each user one by one.
Scalable – A small company might have a few OUs, while a large one can have many.
Better security – Different policies for different groups (e.g., stronger password rules for executives).
So, an OU helps keep an Active Directory domain structured and manageable as a company grows.
What is a Global Catalog?
A Global Catalog (GC) is a special database in Active Directory that contains a partial, read-only copy of all objects across the entire forest.
Think of the Global Catalog Like a Phonebook for a Big Company
Imagine a company with offices in different countries (domains). Each office has its own employee directory (domain controller).
If you work in the US office and need to find someone in the UK office, you don’t need the entire UK directory.
Instead, you check a company-wide phonebook (Global Catalog) that has basic details about all employees across all offices.
What the Global Catalog Does:
✔ Speeds up searches – Users can find people, computers, and resources across multiple domains.
✔ Helps with logins – If a user from one domain tries to log into another, the GC helps verify their identity.
✔ Stores essential information – It doesn’t keep every detail about each object, just the most commonly used attributes (e.g., usernames, email addresses).
Where is the Global Catalog Stored?
It is stored on Global Catalog Servers, which are Domain Controllers (DCs) with the GC role enabled.
By default, the first DC in a forest is a Global Catalog Server, but more can be added for redundancy.
Why is the Global Catalog Important?
Without it, cross-domain searches and logins would be slow or impossible in a multi-domain environment.
What is a Schema?
In Active Directory (AD), a schema is the blueprint that defines what types of objects (users, computers, groups, etc.) can exist and what attributes they must have.
Think of the Schema Like a Form Template
Imagine a company’s HR department has a template for employee records.
Every employee record must have a name, job title, and email.
Optional fields might include phone number or department.
You can’t add random fields like “Favorite Movie” unless HR updates the template.
Similarly, in Active Directory:
The schema defines what objects exist (users, computers, printers, etc.).
It also defines what attributes each object must or can have (e.g., a user must have a username and password, but an email address is optional).
What Does the Schema Contain?
✔ Classes – Define object types (e.g., “User,” “Computer,” “Group”).
✔ Attributes – Define the properties of objects (e.g., “Username,” “Email,” “Last Login Time”).
Why is the Schema Important?
Consistency – Ensures all objects follow the same structure.
Customization – Admins can extend the schema to add new object types or attributes (e.g., adding “Employee ID” to user accounts).
Compatibility – Applications like Exchange Server or SharePoint sometimes modify the schema to add attributes they need.
Can You Change the Schema?
Yes, but it’s risky because schema changes affect the entire AD forest permanently. That’s why only Schema Admins (a special admin group) can modify it.
So, the AD schema is like a rulebook that ensures all directory objects are structured and managed properly!
What the hell is a schema?
The schema in Active Directory (AD) is like a rulebook that defines what types of objects (users, computers, groups) can exist and what attributes (name, email, password) they must have.
Think of the Schema Like a Form Template
Imagine your company’s HR department has a standard employee form:
Every employee must have a Name, Job Title, and Email.
Optional fields might include Phone Number or Department.
You can’t add random fields like “Favorite Movie” unless HR updates the template.
Similarly, the Active Directory schema:
Defines what objects exist (Users, Computers, Printers, etc.).
Defines what attributes those objects must or can have (A User must have a username, but an email is optional).
What’s Inside the Schema?
✔ Classes – Define object types (e.g., “User,” “Computer,” “Group”).
✔ Attributes – Define properties of objects (e.g., “Username,” “Email,” “Last Login Time”).
Why Does the Schema Matter?
Ensures consistency – All objects follow the same structure.
Allows customization – Admins can extend the schema (e.g., adding “Employee ID” to users).
Critical for applications – Apps like Exchange or SharePoint modify the schema to add new attributes they need.
Can You Change the Schema?
Yes, but it’s risky because schema changes affect the entire AD forest permanently. Only Schema Admins (a special admin group) can modify it.
Bottom Line
The AD Schema is the master definition that controls what kind of data can be stored in Active Directory and how it’s structured. Without it, AD wouldn’t know how to handle users, computers, or any other objects!
How the hell would you explain this?
AD relies on Lightweight Directory Access Protocol (LDAP) for directory services and on Kerberos and NTLM as authentication protocols. These protocols are essential for ensuring secure and efficient communication within the network.
Alright, let’s break it down simply:
LDAP vs. Kerberos vs. NTLM – What’s the Difference?
LDAP = Finding stuff in Active Directory (like a phonebook search).
Kerberos & NTLM = Proving your identity (like showing an ID to enter a building).
LDAP (Lightweight Directory Access Protocol)
Think of LDAP as a search tool that helps computers, apps, and users find information inside Active Directory (AD).
Need to find a user’s email? LDAP helps.
Need to check what groups a user belongs to? LDAP helps.
Need to find a printer on the network? LDAP helps.
But LDAP is not responsible for authentication (logging in). That’s where Kerberos and NTLM come in.
Kerberos & NTLM – Authentication Protocols
These are used to verify user identities when logging into a computer or service.
- Kerberos (Modern, Secure)
Uses a “ticket” system (like getting a movie ticket that proves you paid).
When you log in, you get a ticket that proves who you are.
That ticket lets you access network resources without entering your password again.
- NTLM (Older, Less Secure)
Uses a challenge-response system (like answering security questions).
Still used as a backup if Kerberos fails.
Not as secure as Kerberos because it’s vulnerable to attacks.
Why Do These Matter?
These protocols ensure that:
✔ LDAP helps find user info in AD.
✔ Kerberos & NTLM securely verify who you are when logging in.
✔ The network stays secure and efficient by controlling access properly.
Real-World Example
When you log into your work laptop, Kerberos or NTLM authenticates you.
When you search for a coworker’s email in Outlook, LDAP fetches the info.
When you access a shared drive, Kerberos checks your permissions before letting you in.
Bottom line: LDAP finds, Kerberos and NTLM verify!
What is Lightweight Directory Access Protocol (LDAP)
Lightweight Directory Access Protocol (LDAP) is a protocol used to access and manage directory services like Active Directory (AD).
Think of LDAP Like a Phonebook Search System
Imagine you’re calling a company and asking for an employee’s phone number.
You don’t ask the CEO directly—you use the company’s automated directory system.
You say, “Find me John Doe’s number,” and the system quickly gives it to you.
LDAP works the same way:
Instead of searching manually, applications and users can use LDAP to query AD and get information like usernames, emails, or group memberships.
It’s a standardized way for different systems to communicate with a directory service.
What Does LDAP Do in AD?
✔ Authentication – Helps verify usernames and passwords during login.
✔ Directory Queries – Allows apps to search for users, groups, or devices in AD.
✔ Integration – Used by email servers, VPNs, and cloud apps to pull user data from AD.
Example of an LDAP Query:
Say an application needs to find all IT employees in a company. It can send an LDAP query like:
(&(objectClass=user)(department=IT))
This tells AD: “Find all objects that are users and belong to the IT department.”
Why is LDAP Important?
Standardized – Works with many directory services, not just AD (e.g., OpenLDAP).
Lightweight & Fast – Optimized for quick lookups and authentication.
Cross-Platform – Used in Windows, Linux, macOS, and cloud services.
So, LDAP is the language that lets applications talk to directory services like Active Directory to retrieve or verify user data!
Why, nine times out of ten, when someone says “Open Active Directory,” do they really mean open the Active Directory Users and Computers console?
Nine times out of ten, when someone says “Open Active Directory,” they actually mean opening the Active Directory Users and Computers (ADUC) console because:
- ADUC is the Most Commonly Used AD Tool
AD is a complex system with multiple management tools, but ADUC is the go-to interface for everyday tasks like:
✔ Creating and managing user accounts
✔ Resetting passwords
✔ Adding/removing users from groups
✔ Managing computers and organizational units
- People Use “Active Directory” as a Catch-All Term
Active Directory itself is a service, not a program you “open.”
Since ADUC is the most visible and frequently used tool for AD management, people just say “Open AD” when they mean “Open ADUC.”
- It’s the Default Tool for Admins
Most IT admins and helpdesk staff interact with AD primarily through ADUC rather than other tools like:
Active Directory Domains and Trusts (for managing multiple domains)
Active Directory Sites and Services (for replication and site settings)
AD PowerShell (for automation)
So, when people say “Open Active Directory,” they almost always mean “Open ADUC” because that’s where most user and computer management happens!
Why is Active Directory said to handle networks? Doesn’t it only handle computers and accounts?
Active Directory (AD) does handle networks, but not in the same way as a router or switch. It manages the logical structure of a network, not the physical connections.
Why is AD Considered a Network Management Tool?
- Controls Who Can Access the Network
AD manages user authentication with Kerberos or NTLM.
If you’re not in AD, you can’t log in to company systems.
- Manages Network Resources
AD organizes computers, servers, printers, and shared drives into a structured directory.
It controls who can access what (e.g., certain users can access a shared folder, while others cannot).
- Applies Security & Policies Across the Network
Group Policies allow admins to enforce security settings, such as:
✔ Disabling USB ports
✔ Setting password policies
✔ Restricting software installations
- Supports Domain-Based Networking
AD centralizes network management across multiple computers.
Users can log into any company device with the same credentials.
So, While AD Doesn’t Handle Physical Networking (Like a Router), It Handles:
✔ Who can access the network
✔ What they can access
✔ How security policies are enforced across devices
That’s why Active Directory is essential for managing networks at an organizational level!