What is AD Administrative Center?

Active Directory Administrative Center provides administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks (such as user, computer, group, and organization units management) through both data-driven and task-oriented navigation.

Administrators can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suite their particular directory service administering requirements.

What is the Active Directory Management Gateway Service?

Windows Server 2008 R2 introduces a web service interface for application accessibility to Active Directory (AD), and the Windows Server 2008 R2 AD PowerShell cmdlets use this service.

ADMGS provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.

What is Active Directory Federation Services?

Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries.

AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.

What is AD Certificate Services?

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

What is SPN?

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. services.

What is Native Mode?

When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.

What is Mixed Mode?

Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

What is RSOP?

One challenge of Group Policy administration is to understand the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how changes to Group Policy, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU) in the directory, might affect the network. The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.

What do you understand by Trust in Active Directory?

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.

The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

• One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
• Two-way trust: Two domains allow access to users on both domains.
• Trusting domain: The domain that allows access to users from a trusted domain.
• Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
• Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
• Intransitive trust: A one way trust that does not extend beyond two domains.
• Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
• Cross-link trust: An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server supports the following types of trusts:

• Two-way transitive trusts.
• One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be shortcut.

Windows Server 2003 offers a new trust type - the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive.

What do you understand by Group Scope in Active Directory?

Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional level of domains and forests. Domain local group memberships are not limited as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain.

Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. Can be a member of any domain local group in the same domain.

Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in local or another domain in same forest. To say in simple words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest as their memberships are limited. User accounts and global groups can be added only from the domain in which global group is created. Nesting is possible in Global groups within other groups as you can add a global group into another global group from any domain. Finally to provide permission to domain specific resources (like printers and published folder), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional level of domains and forests.

Can contain users, computers and groups from same domain but NOT universal groups. Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

Universal Group: These groups are precisely used for email distribution and can be granted access to resources in all trusted domain as these groups can only be used as a security principal (security group type) in a windows 2000 native or windows server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of universal group. Universal groups can be nested under a global or Domain Local group in any domain.

Can contain users and groups (global and universal) from any domain in the forest. Universal groups do not care about trust. Universal groups can be a member of domain local groups or other universal groups but NOT global groups.