What is Active Directory and How Does It Work?

Active Directory is used by organisations of all sizes all over the world to help manage permissions and restrict access to important network resources. But what exactly is it, and how might it benefit you and your business?

What is Active Directory?

Active Directory (AD) is a Microsoft Windows Server directory service. Active Directory’s major function is to allow administrators to manage permissions and restrict access to network resources. Data is stored in Active Directory as objects, which include people, groups, applications, and devices, and these objects are classified based on their name and properties.

What Is the Purpose of Active Directory Domain Services?

Active Directory Domain Services (AD DS) are an essential part of Active Directory that serve as the primary mechanism for authenticating users and determining which network resources they have access to. Additional features of AD DS include Single Sign-On (SSO), security certificates, LDAP, and access rights management.

The following are the major Active Directory functions.

1. Centralized Authentication and Authorization: Active Directory provides a centralized platform to authenticate and authorize users, groups, and computers in a network. It stores user credentials, passwords, and other related information in a secure database.
2. Group Policy: Active Directory allows administrators to implement Group Policy Objects (GPOs). GPOs can be used to control user accounts, apply software configurations, and manage security settings.
3. Network Management: Active Directory enables administrators to manage a network from a single console. It can be used to create, delete, and modify computers, users, and other objects in a network.
4. DNS Integration: Active Directory is tightly integrated with the Domain Name System (DNS). This allows administrators to create and manage DNS records, such as hostnames and IP addresses.
5. Security: Active Directory provides enhanced security through access control lists, Kerberos authentication, encryption, and other features. This ensures that only authenticated and authorized users can access network resources.

Active Directory Domain Services’ Hierarchical Structure.

As seen below, AD DS structures data in a hierarchical structure consisting of domains, trees, and forests.

Domains: A domain is a collection of objects that share the same AD database, such as users, groups, and devices. Consider a domain to be a branch in a tree. A domain consists of regular domains and sub-domains, such as activedirectory.local and mail.activedirectory.local .

Trees: A tree is a collection of one or more domains organised in a logical structure. Domains in a tree are said to “trust” each other since they are linked.

Forest: A forest is the highest level of organisation within AD and consists of a collection of trees. A forest’s trees may trust one another to share directory schemas, catalogues, application information, and domain configurations.

Organisational Units (OUs): An OU is a type of organisational unit that is used to organise users, groups, computers, and other organisational units.

Containers: A container is comparable to an OU, but unlike an OU, a Group Policy Object (GPO) cannot be linked to a generic Active Directory container.

Active Directory database?

The Active Directory database stores all objects information in NTDS.DIT. Users, computers, group policies, printers, and shared folders are examples of AD objects.

Some of the benefits of Active Directory Domain Services include a hierarchical organizational structure, multi master authentication to create fault tolerance and redundancy, a single point of access to network resources, and the ability to create trust relationships with external networks running previous versions of Active Directory and even UNIX.

It also provides centralized resources and security administration, single logon for access to global resources, fault tolerance and redundancy, and simplified resource location.

Other Services Provided by Active Directory

Apart from Active Directory Domain Services, AD provides a number of additional essential features. Some of these services are as follows:

Lightweight Directory Services: AD LDS is a directory service that uses the Lightweight Directory Access Protocol (LDAP). It only provides a subset of AD DS functionality, making it flexible in terms of where it may be worked. It can, for example, be used as a stand-alone directory service without requiring integration with a full Active Directory implementation.

Certificate Services: Certificate Services allow you to produce, manage, and share encryption certificates, which enable users to safely communicate information over the internet.

Active Directory Federation Services:

Active Directory Federation Services: ADFS is an AD Single Sign-On (SSO) solution that allows users to access numerous apps with a single set of credentials, simplifying the user experience.

Rights administration Services: ADRMS is a set of tools that help in the administration of security technologies that assist organisations in keeping their data safe. Encryption, certificates, and authentication are examples of such technologies, which are used in a number of applications and content types such as emails and Word documents.

A domain controller (DC) is the server that hosts AD DS. A domain controller may also be used to authenticate with Microsoft products including Exchange Server, SharePoint Server, SQL Server, File Server, and others.

What is Azure Active Directory

Given that more businesses have migrated their operations to the cloud, Microsoft has released Azure Active Directory (Azure AD), a cloud-based version of Windows AD that can also sync with on-premise AD solutions. The backbone of Office 365 and other Azure products is stated to be Azure AD; however, it may also be connected with other cloud services and platforms. The following are some of the differences between Windows and Azure AD.

Communication: As previously stated, Azure AD uses a REST API, whereas Windows AD uses LDAP.

Authentication: For authentication, Windows AD uses Kerberos and NTLM, whereas Azure AD uses its own built-in web-based authentication protocols.

Structure: Unlike Windows AD, which is structured by OUs, trees, forests, and domains, Azure AD is structured by users and groups in a flat structure.

Device Management: Unlike Windows Active Directory, Azure Active Directory may be administered from mobile devices. Group Policy Objects (GPOs) are not used by Azure AD to identify which devices and servers can join to the network.

If you’re reading an article about Active Directory, chances are you’re not already using it. In such situation, you may be better suited starting with Azure AD rather than Windows AD. One of the primary reasons you might want to utilise Windows AD is if you have a team of competent IT experts overseeing your cybersecurity programme and are keeping big volumes of critical data.

What’s new in Active Directory Domain Services for Windows Server 2016

The following new features in Active Directory Domain Services (AD DS) improve the ability for organizations to secure Active Directory environments and help them migrate to cloud-only deployments and hybrid deployments, where some applications and services are hosted in the cloud and others are hosted on premises. The improvements include:

• Privileged access management
• Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
• Connecting domain-joined devices to Azure AD for Windows 10 experiences
• Enable Windows Hello for Business in your organization
• Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels

Privileged access management

Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

• A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
• New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.
• New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).
• An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime. NoteExpiring links are available on all linked attributes. But the member/memberOf linked attribute relationship between a group and a user is the only example where a complete solution such as PAM is preconfigured to use the expiring links feature.
• KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.
• New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.

Requirements for Privileged access management

• Microsoft Identity Manager
• Active Directory forest functional level of Windows Server 2012 R2 or higher.

Azure AD Join

Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers- with improved capabilities for corporate and personal devices.

Benefits:

• Availability of Modern Settings on corp-owned Windows devices. Oxygen Services no longer require a personal Microsoft account: they now run off users’ existing work accounts to ensure compliance. Oxygen Services will work on PCs that are joined to an on-premises Windows domain, and PCs and devices that are “joined” to your Azure AD tenant (“cloud domain”). These settings include:
  • Roaming or personalization, accessibility settings and credentials
  • Backup and Restore
  • Access to Microsoft Store with work account
  • Live tiles and notifications
• Access organizational resources on mobile devices (phones, tablets) that can’t be joined to a Windows Domain, whether they are corp-owned or BYOD.
• Single-Sign On to Office 365 and other organizational apps, websites, and resources.
• On BYOD devices, add a work account (from an on-premises domain or Azure AD) to a personally owned device and enjoy SSO to work resources, via apps and on the web, in a way that helps ensure compliance with new capabilities such as Conditional Account Control and Device Health attestation.
• MDM integration lets you auto-enroll devices to your MDM (Intune or third-party).
• Set up “kiosk” mode and shared devices for multiple users in your organization.
• Developer experience lets you build apps that cater to both enterprise and personal contexts with a shared programing stack.
• Imaging option lets you choose between imaging and allowing your users to configure corp-owned devices directly during the first-run experience.

Windows Hello for Business

Windows Hello for Business is a key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach, theft, and phish-resistant credentials.

The user logs on to the device with a biometric or PIN logon information that is linked to a certificate or an asymmetrical key pair. The Identity Providers (IDPs) validate the user by mapping the public key of the user to IDLocker and provides log on information through One Time Password (OTP), Phone or a different notification mechanism.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels

Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain.

The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

At the Windows Server 2008 and higher domain functional levels, Distributed File Service (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate the SYSVOL folder.

If you created the domain at a lower functional level, you will need to migrate from using FRS to DFS replication for the SYSVOL folder.

The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels higher. For more information, see the following resources:

• Understanding Active Directory Domain Services (AD DS) Functional Levels
• Raise the Domain Functional Level
• Raise the Forest Functional Level

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Guys please don’t forget to like and share the post.Also join our Active Directory page where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below ActiveDirectory email id.

If you have any questions feel free to contact us on admin@activedirectory.in also follow us on facebook page to get updates about new blog posts.