Active Directory is the component that provides directory services in a Windows Server 2003 domain environment. Directory services have existed on Microsoft platforms since Windows 2000 Server, so Active Directory can be understood as Microsoft's implementation of directory services. Of course, directory services are also implemented on non-Microsoft platforms.
Windows Server 2003 has two network environments: workgroup and domain. The default is the workgroup environment, as shown below.
The workgroup network is also called a “peer-to-peer” network: every computer in the network has equal status, so resources and their management are scattered across the individual computers. The workgroup environment is therefore characterized by decentralized management. Each computer in a workgroup has its own “local security account database”, called the SAM database. What does this SAM database do? When we log in to the computer and enter an account name and password, the system checks them against this SAM database. If the account we entered is stored in the SAM database and the password is correct, the SAM database tells the system to let us log in. By default the SAM database is stored in the C:\WINDOWS\system32\config folder. This is the login authentication process in the workgroup environment.
Consider the following scenario: a company has 200 computers, and we want the account Bob on one computer to be able to access the resources on every computer, or to log in on every computer. In a workgroup environment we would have to create the Bob account in the SAM database of each of these 200 computers. And once Bob wants to change his password, he has to change it 200 times! I guess the administrators of this company would have a hard time. That is with only 200 computers; with 5,000 or tens of thousands of computers the administrator would go crazy. This is exactly the scenario that the domain environment is meant for.
Everyone who works on the Microsoft platform, whether in systems, development or general IT, has surely heard of the domain environment more than once, but many people are still relatively new to it, do not know where to start, or do not even realize how important the domain environment is on the Microsoft platform. I can make an analogy: if someone asks me why my company would buy Windows Server 2003/2008, I will tell him that I am going to run Active Directory. In fact, Microsoft's server-level products, such as MOSS and Exchange, all require Active Directory support. The UC platform that Microsoft is currently promoting is likewise inseparable from Active Directory.
The biggest difference between the Windows Server 2003 domain environment and the workgroup environment is that all computers in the domain share a centralized directory database (also known as the Active Directory database), which contains objects (user accounts, computer accounts, printers, shared files, etc.) and security information, while Active Directory is responsible for adding, modifying, updating and deleting entries in the directory database. So to implement a domain environment on Windows Server 2003 we actually need to install Active Directory. Active Directory implements directory services for us and provides centralized management of the corporate network. In the previous example, in a domain environment you only need to create the Bob account once in Active Directory, and then Bob can log in on any of the 200 computers. If you want to change the password of the Bob account, you only need to change it once in Active Directory.
Second, concepts related to Active Directory
1, Namespace
A namespace is a well-defined area. For example, if we think of a phone book as a “namespace”, then within it we can find a phone number, address, company name and other information. Windows Server 2003 Active Directory is also a namespace: given the name of an object in Active Directory, we can find the information related to that object. The “namespace” of Active Directory uses the structure of DNS, so Active Directory domain names are written in DNS format, for example contoso.com or abc.com.
2, Domains, domain trees, forests, and organizational units
The logical structure of Active Directory includes: Domain, Domain Tree, Forest and Organizational Unit (OU). As shown below
A domain is a logical grouping, in effect an environment, and a domain is the smallest security boundary. The domain environment can manage the resources in the network centrally and uniformly. To implement a domain environment, you must install Active Directory on a computer.
A domain tree is made up of a set of domains with a continuous namespace. As shown below
The top-level domain is contoso.com. This domain is the root domain of the domain tree. Below this root domain are two subdomains, gsd.contoso.com and ged.contoso.com. From the figure we can see that their namespace is continuous: for example, the suffix of the domain name gsd.contoso.com contains the domain name contoso.com of the parent domain. The subdomains gsd.contoso.com and ged.contoso.com could in turn have their own subdomains, which I have not drawn in the picture.
All domains in the domain tree share one Active Directory, and the data in this Active Directory is distributed across the domains: each domain stores only the data belonging to that domain, such as its user accounts and computer accounts. Windows Server 2003 refers collectively to the objects stored in the various domains as Active Directory.
A forest is made up of one or more domain trees. Each domain tree has a unique continuous
namespace. There is no namespace continuity between different domain trees. The root domain of the
first domain tree in the forest is also the root domain of the entire forest, and it is also the name of the
An organizational unit (OU) is a container that can contain objects (user accounts, computer accounts, etc.) and other organizational units (OUs).
3, Domain controllers and sites
The physical structure of Active Directory consists of domain controllers and sites.
A domain controller (Domain Controller) is where Active Directory is stored; that is, Active Directory lives on the domain controller. The computer on which Active Directory is installed is called a domain controller. In fact, when you first install Active Directory, the computer on which you install it becomes a domain controller. A domain can have one or more domain controllers; the classic approach is to set up a primary and a secondary domain controller. Oh, these concepts sound a bit
To explain again: a domain is a logical organizational form that manages the resources in the network centrally, just as the workgroup environment is the form in which network management is distributed. To implement a domain, you must install Active Directory on a computer. The computer on which Active Directory is installed is called a domain controller (DC).
When changes are made to the Active Directory database on one domain controller, the changed data is replicated to the Active Directory databases of the other domain controllers.
A site generally corresponds to a geographic location and consists of one or more physical subnets. Sites exist to optimize replication between DCs. Active Directory allows a site to contain multiple domains, and a domain can span multiple sites.
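As an added example (not part of the original article), the following PowerShell walks an existing forest and reports the logical structure (root domain, domain trees, child domains, OUs) and the physical structure (domain controllers, sites, subnets) described in sections 2 and 3. It assumes the RSAT ActiveDirectory module and an account that can read the directory; by default it inspects the forest the machine is joined to.

```powershell
# Added example, not code from the original article. Requires the RSAT
# ActiveDirectory module and a domain-joined account that can read the directory.
Import-Module ActiveDirectory

function Show-ForestStructure {
    param([string]$Forest = (Get-ADForest).Name)   # assumption: current forest

    $f = Get-ADForest -Identity $Forest
    "Forest root domain : $($f.RootDomain)"
    "Forest mode        : $($f.ForestMode)"

    # Logical structure: each domain is either a tree root (no parent) or a
    # child whose DNS name must carry the parent's name as a suffix, which is
    # the "continuous namespace" property of a domain tree.
    foreach ($d in $f.Domains) {
        $dom    = Get-ADDomain -Identity $d
        $parent = $dom.ParentDomain
        if ($parent) {
            $continuous = $dom.DNSRoot.EndsWith(".$parent",
                              [System.StringComparison]::OrdinalIgnoreCase)
            "  Domain $($dom.DNSRoot) -> parent $parent (namespace continuous: $continuous)"
        } else {
            "  Domain $($dom.DNSRoot) is a tree root (no parent domain)"
        }

        # Each domain stores only its own objects, so OUs and DCs are queried
        # per domain by pointing -Server at that domain.
        $ous = @(Get-ADOrganizationalUnit -Filter * -Server $dom.DNSRoot)
        "    OUs: $($ous.Count)"
        Get-ADDomainController -Filter * -Server $dom.DNSRoot |
            ForEach-Object { "    DC $($_.HostName) in site $($_.Site)" }
    }

    # Physical structure: sites and the subnets assigned to each of them.
    foreach ($s in Get-ADReplicationSite -Filter *) {
        $subnets = Get-ADReplicationSubnet -Filter * |
                   Where-Object { $_.Site -eq $s.DistinguishedName }
        "  Site $($s.Name): subnets $($subnets.Name -join ', ')"
    }
}

Show-ForestStructure
```

A child domain reported with "namespace continuous: False" would indicate a naming inconsistency worth investigating, since by design every child in a tree carries its parent's name as a suffix.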
How to install Active Directory in Windows Server 2016
1. The first thing to do is give the server an appropriate name and a fixed IP address; we also add that IP as the first DNS server on the network interface.
Then we launch Server Manager and select “Add Roles and Features”.
2. From there, we select “Role-based or feature-based installation”.
Next we select our server and click “Next”:
3. We select “Active Directory Domain Services”; when we check it, we agree to add all the features required by that role.
4. On the next screen it is not necessary to add any additional components.
On the screen after that we also click “Next”.
5. On the last screen we confirm the installation of the selected components and choose whether or not to restart the server automatically if required.
6. Once the installation finishes, we click the warning that appears in the Server Manager panel and promote the server to a domain controller.
7. In our case, being a new domain, we will select “Add a new forest” and the name we want to give our
8. And now we will write the directory services restore password (DSRM). IT IS VERY IMPORTANT, DO
9. Being a new domain, you cannot create a delegation for the DNS server; click “Next”.
10. A NetBIOS domain name is suggested for us; click “Next”:
11. On the next screen the folders holding the AD data appear; click “Next”.
12. Finally it shows some warnings, about the DNS delegation that already appeared earlier and about compatibility with NT 4.0 domains; click “Install”.
At the next login we sign in as the domain administrator.
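As an added example (not part of the original article), the same promotion can be scripted from an elevated PowerShell session on Windows Server 2016; the interface name, IP addresses, domain name, NetBIOS name and folder paths below are illustrative assumptions, and the prerequisite check is run before the real installation so the wizard's warnings appear up front.

```powershell
# Added example, not code from the original article. Run elevated on a fresh
# Windows Server 2016. All names and addresses are illustrative assumptions.

# Step 1: server name, fixed IP, and the server itself as first DNS server.
$Iface   = 'Ethernet'
$Address = '192.168.10.10'
$Gateway = '192.168.10.1'
Rename-Computer -NewName 'DC01' -Force    # takes effect at the next reboot;
                                          # reboot before promoting the server
New-NetIPAddress -InterfaceAlias $Iface -IPAddress $Address -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $Address

# Steps 2-5: add the AD DS role with its management tools, nothing extra.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 8: the DSRM password is read interactively, never hard-coded in a script.
$DsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

# Steps 6-7 and 9-11: parameters for the first DC of a new forest.
$Forest = @{
    DomainName                    = 'contoso.com'        # step 7: new forest name
    DomainNetbiosName             = 'CONTOSO'            # step 10: NetBIOS name
    ForestMode                    = 'WinThreshold'       # Windows Server 2016 level
    DomainMode                    = 'WinThreshold'
    SafeModeAdministratorPassword = $DsrmPassword
    InstallDns                    = $true
    CreateDnsDelegation           = $false               # step 9: no delegation
    DatabasePath                  = 'C:\Windows\NTDS'    # step 11: AD database,
    LogPath                       = 'C:\Windows\NTDS'    # log and SYSVOL folders
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Prerequisite check only: reports the same DNS-delegation and NT 4.0
# compatibility warnings the wizard shows in step 12, without changing anything.
Test-ADDSForestInstallation @Forest

# Step 12: perform the promotion; the server reboots and the next login is
# as the domain administrator (CONTOSO\Administrator).
Install-ADDSForest @Forest -Force
```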