By: Divya Bora
June 17, 2021
Overview of Active Directory
Active Directory (AD) was introduced as a part of Microsoft Windows Server 2000 in 1999. It is Microsoft’s proprietary directory service and is based on the Lightweight Directory Access Protocol (LDAP). It lets administrators manage permissions and access to network resources. AD stores data in the form of objects, and an object represents a single element such as a user, group, device, or application. Objects are generally defined as resources like computers and printers, or as security principals like groups and users. In addition, AD categorizes directory objects by their attributes and names.
AD makes use of a hierarchical structure to organize the data. The main components of this structure are:
- Domain: A domain represents a group of objects like users, groups, or devices sharing the same AD database. It mirrors the familiar structure of domains and subdomains and can be thought of as a branch in a tree. A domain is a partition in an AD forest, and partitions allow data to be replicated where it is needed. Domains are also defined as logical directory components created to manage the administrative requirements of the organization.
- Tree: A tree is a group of domains that share a contiguous namespace, arranged in a logical hierarchy. Domains in a tree are joined by trust relationships: a secure connection is shared between two domains, and in the same way, all domains within a tree trust each other. Because of the logical hierarchy, the first domain implicitly trusts the third domain through the chain of trusts, and no explicit trust is required.
- Forest: A forest is the highest level of organization within AD and is defined as a group of trees. It consists of shared catalogs, global catalogs, application information, directory schemas, and domain configurations. The object classes and attributes of the forest are defined in the schema, and the global catalog lists all the objects of a forest. The forest acts as AD’s security boundary.
- Organizational Unit (OU): This is used to organize users, computers, and groups. Each domain can have separate OUs. OUs cannot have separate namespaces (a namespace is a set of names used to refer to and identify objects) because each object or user in a domain must be unique.
- Containers: These are similar to OUs, but unlike OUs, a Group Policy Object (GPO) cannot be linked to a generic AD container object.
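The hierarchy above can be walked from a domain-joined Windows host with the ActiveDirectory PowerShell module (part of RSAT). The following is an added example, not code from the article; it assumes the module is installed and that the account running it has ordinary read access to the directory. Forest and domain names are discovered at runtime, so nothing in it is specific to any environment. It also shows the practical difference between an OU and a container: only OUs carry a gPLink attribute.

```powershell
# Added example (not from the article): map the forest > tree > domain > OU/container
# hierarchy with the ActiveDirectory module. Requires a domain-joined host and
# read access to the directory; no names are hard-coded.
Import-Module ActiveDirectory

# Forest: the security boundary. It exposes the schema master and global catalogs.
$forest = Get-ADForest
"Forest:          $($forest.Name)"
"Forest mode:     $($forest.ForestMode)"
"Schema master:   $($forest.SchemaMaster)"
"Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# Domains: the ParentDomain column shows how domains chain into trees
# (a contiguous DNS namespace under one root).
$forest.Domains | ForEach-Object {
    $d = Get-ADDomain -Identity $_
    [pscustomobject]@{
        Domain  = $d.DNSRoot
        Parent  = $d.ParentDomain
        NetBIOS = $d.NetBIOSName
        PDC     = $d.PDCEmulator
    }
} | Format-Table -AutoSize

# Trusts: intra-forest trusts are what let the first domain in a tree trust the third
# without an explicit trust being created between them.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest |
    Format-Table -AutoSize

# OUs carry Group Policy links in the gPLink attribute; count the linked GPO GUIDs.
Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Select-Object DistinguishedName,
        @{Name='LinkedGPOs'; Expression={ ([regex]::Matches([string]$_.gPLink, '\{[0-9A-Fa-f-]+\}')).Count }} |
    Format-Table -AutoSize

# Generic containers (e.g. CN=Users, CN=Computers) at the domain root: no GPO can be
# linked here, which is why objects left in them are not covered by OU-scoped policy.
Get-ADObject -LDAPFilter '(objectClass=container)' `
    -SearchBase (Get-ADDomain).DistinguishedName -SearchScope OneLevel |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize
```

A useful follow-up check is to compare the container listing with where new user and computer objects are actually created: accounts that land in CN=Users or CN=Computers rather than an OU receive only domain-linked policy.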
TYPES OF AD
The various types of Active Directory are:
1. Active Directory Domain Services (AD DS)
This is the classic on-premises AD (meaning the authentication infrastructure runs on in-house hardware) and is used to authenticate and authorize users and computers within an organization. Unfortunately, it relies on computers being permanently connected to a domain and on protocols for directory querying and authentication that are not well suited to the modern internet-centric environment.
2. Azure Active Directory (AAD)
This is a version of directory services in the cloud, hosted on Microsoft Azure. Its features and capabilities differ from those of Windows Server Active Directory (AD), as AAD’s primary function is to manage the variety of users and devices in use. In addition, AAD can authenticate and authorize not only for Azure but also for Office 365, Intune, and numerous other third-party authentication systems.
3. Hybrid Azure AD (Hybrid AAD)
Hybrid Azure AD is used to achieve a single identity when an organization needs to synchronize data between its Azure Active Directory and its local on-premises AD. Users then do not need two sets of credentials; instead, the organization adds an “onsite” domain controller that replicates with Azure AD using Azure AD Connect. The company has two options:
a) Keep the “on-premises” domain controller within its physical location and use AD Connect to synchronize its users and passwords with Azure AD.
b) Move the existing “on-premises” domain controller to an Azure virtual machine and use AD Connect with Azure AD to create a VPN connection between the organization and the Azure datacenter (where the domain controller is hosted).
4. Azure Active Directory Domain Services (AAD-DS)
This standalone service provides a domain controller for Azure virtual machines without setting up a dedicated server. It syncs users, groups, and passwords from Azure AD to the virtual machines that are part of Azure’s network. Domains with AAD-DS can also be administered with the Active Directory Administrative Center or Active Directory PowerShell.
AD comprises multiple services, but the most prominent one is Domain Services. The various other services supported by AD are:
- Lightweight Directory Access Protocol (LDAP) is an application-level protocol used to access and maintain the directory service over a network. It enables objects such as usernames and passwords to be stored in the directory service and shared across the network.
- Rights Management Services (RMS) are used to control information rights and their management. AD RMS limits access on the server by encrypting content sent over email or in Microsoft Word documents.
- Certificate Services are used to generate, manage, and share certificates. The certificate is encrypted with a public key to ensure the secure exchange of information over the internet.
- Lightweight Directory Services (LDS) shares a similar codebase with AD Domain Services (DS) and hence offers similar functionality, such as the Application Programming Interface (API). However, AD LDS can run multiple instances on a single server and keeps directory data in a data store accessed using LDAP.
- Active Directory Federation Services (AD FS) are used to authenticate user access to multiple applications, even when they are on distinct networks, using Single Sign-On (SSO) functionality.
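To make the LDAP bullet concrete, here is an added example (not from the article) of querying AD over LDAP with the .NET System.DirectoryServices classes that ship with Windows, so no RSAT module is needed. It assumes a domain-joined host and reads the domain naming context from RootDSE rather than hard-coding it. The query itself lists user accounts whose password is set never to expire, a routine audit item; the filter uses the bitwise-AND matching rule OID 1.2.840.113556.1.4.803 and the DONT_EXPIRE_PASSWORD bit (0x10000) of userAccountControl.

```powershell
# Added example (not from the article): an LDAP search against AD using the
# System.DirectoryServices classes built into Windows. Assumes a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices

# RootDSE is readable without a search base and tells us where the domain partition lives.
$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNc = $rootDse.defaultNamingContext.Value   # e.g. DC=corp,DC=example (varies per domain)

# LDAP filter: user objects whose userAccountControl has the DONT_EXPIRE_PASSWORD
# bit (0x10000 = 65536) set, tested with the bitwise-AND matching rule.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
$searcher.Filter     = $filter
$searcher.PageSize   = 500    # enable server-side paging; without it results are capped at 1000
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'pwdLastSet'))

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $p = $r.Properties    # property names come back lower-cased
        [pscustomobject]@{
            Account    = [string]$p['samaccountname'][0]
            DN         = [string]$p['distinguishedname'][0]
            # pwdLastSet is a Windows FILETIME; 0 means the password must change at next logon
            PwdLastSet = [datetime]::FromFileTimeUtc([int64]$p['pwdlastset'][0])
        }
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged directory handles
}
```

Swapping the filter is all it takes to answer other directory questions (disabled accounts use bit 0x2 of the same attribute, for instance); the paging, property selection, and disposal pattern stay the same.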
BENEFITS OF ACTIVE DIRECTORY
Some major benefits of Active Directory are:
- Centralized Data Repository: Active Directory is built on a multi-master database that stores the identity information of its users, applications, and resources. The database is a single file known as ntds.dit. It uses the Joint Engine Technology (JET) database engine and can store 2 billion objects. Other domain controllers can be used to modify the data stored in the ntds.dit database. Users can make use of the identity data stored in AD from anywhere in the network, and administrators can authenticate and authorize the organization’s identities from a centralized location.
- Querying and Indexing: This allows users and applications to query objects and retrieve accurate data.
- Single sign-on: Most application vendors support integration with AD for authentication. Once a user authenticates on their system, the same session authenticates them to other AD-integrated applications.
- Replication of Data: Organizations generally have multiple domain controllers, and each domain controller must be aware of the changes made to the AD database. Microsoft AD supports two types of replication, inbound and outbound. When a domain controller accepts changes that neighboring domain controllers advertise, it is called inbound replication. When a domain controller advertises the changes made on it to neighboring domain controllers, it is called outbound replication.
- Security: Data and identity security are crucial parts of modern-day businesses, and AD features help secure the identity infrastructures from any emerging threats. It enables the user to implement different authentication types, workflows, and group policies to protect the network resources and application data. Administrators can build various security rules based on their requirements, forcing individuals to abide by the organizational data and network security standards.
- High Availability: This is important for any critical business system in an organization and is provided by domain controllers. They have built-in fault tolerance, so they do not require additional software or hardware changes to implement high availability as other systems do. A multi-master database, replicated across domain controllers, allows users to authenticate and authorize from any available domain controller at any time.
- Auditing Capabilities: Periodic audits help in understanding new security threats. AD allows events occurring in the identity infrastructure to be captured and audited.
- Schema Modification: The AD database has a schema that describes all of its objects. It can be modified or extended, which is very important for integrated applications.
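The replication and auditing bullets above both have a direct operational check. The following is an added example, not code from the article, that uses the ActiveDirectory module (RSAT) to list each domain controller's inbound and outbound replication partners with the outcome of the last replication, and then reads recent account-management audit events from each domain controller's Security log. It assumes a domain-joined host, the RSAT module, rights to read the domain controllers' event logs, and that the Account Management audit subcategories are enabled by policy. The event IDs are standard Windows values (4720 user account created, 4728 and 4756 member added to a global or universal security group, 4740 account locked out); the one-day lookback window is an arbitrary choice.

```powershell
# Added example (not from the article): replication health plus recent identity-change
# audit events across all domain controllers. Requires the ActiveDirectory module and
# remote event-log access to each DC.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

# Replication: each DC's inbound and outbound partners, as described above.
# A non-zero LastReplicationResult or a growing ConsecutiveReplicationFailures
# counter is the condition to alert on.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both |
        Select-Object Server, PartnerType,
            # Partner is the DN of the partner's NTDS Settings object; pull out its server name
            @{Name='Partner'; Expression={ (($_.Partner -split ',')[1]) -replace '^CN=' }},
            LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}

# Auditing: DCs record identity changes in the Security log. Event IDs used here are the
# standard Windows values: 4720 user created, 4728/4756 member added to a global/universal
# security group, 4740 account locked out. The lookback window is a constructed value.
$since = (Get-Date).AddDays(-1)
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4720, 4728, 4756, 4740
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                # first line of the message is the human-readable event name
                Summary = ($_.Message -split "`n")[0].Trim()
            }
        }
}
```

Because changes are written on whichever domain controller handled the request and only later replicated, audit events for one change appear on one DC's log, which is why the event query above walks every domain controller rather than a single one.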
The Microsoft AD Domain Service course is designed specifically to strengthen a beginner's understanding of the basics of AD. An Overview of AD provides a complete summary of AD and will make the topics covered in this article clearer.