Active Directory

What is Active Directory?

What is Active Directory

Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. It runs on Windows Server and enables administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application or device such as a printer.

Active Directory Domain Services

The Active Directory Domain Services (AD DS) service in Windows Server 2008 provides a centralized authentication service for Microsoft networks. Some of the benefits of Active Directory DS include a hierarchical organizational structure, multi master authentication to create fault tolerance and redundancy, a single point of access to network resources, and the ability to create trust relationships with external networks running previous versions of Active Directory and even UNIX.

Windows Server 2008 includes a number of new features to improve Active Directory. Including  the introduction of the Read-only Domain controller (RODS), fine-grained password policies, an improved graphical user interface (GUI), improved auditing of Active Directory modification and deletions, the ability to start and stop Active Directory as a service without needing to completely restart the domain controller for maintenance, and the introduction of Server Core, a minimal installation of Windows Server 2008 that has a greatly reduced attack footprint relative to a full install of the server operating system.

Benefits of Active Directory

1. Centralized Network Administration: Active Directory provides centralized network administration, allowing administrators to manage users, groups, and resources from a single location. This makes managing large networks much easier and more efficient.

2. Security: Active Directory provides robust security features, such as user authentication, group policies, and access control lists. This ensures that data is secure and only authorized users have access to the network and its resources.

3. Improved User Experience: Active Directory simplifies the user experience by allowing users to access resources on the network quickly and easily. It also provides single sign-on capabilities, so users only need to log in once to access multiple applications and resources.

4. Automation: Active Directory provides automation capabilities, such as automated software updates, automated user provisioning, and automated user authentication. This helps reduce manual labor and increases efficiency.

5. Scalability: Active Directory is designed to be highly scalable, allowing it to easily accommodate large numbers of users and objects. This makes it ideal for large organizations with complex networks.

The primary Active Directory functions are listed below.

1. Centralized Authentication and Authorization: Active Directory provides a centralized platform to authenticate and authorize users, groups, and computers in a network. It stores user credentials, passwords, and other related information in a secure database.

2. Group Policy: Active Directory allows administrators to implement Group Policy Objects (GPOs). GPOs can be used to control user accounts, apply software configurations, and manage security settings.

3. Network Management: Active Directory enables administrators to manage a network from a single console. It can be used to create, delete, and modify computers, users, and other objects in a network.

4. DNS Integration: Active Directory is tightly integrated with the Domain Name System (DNS). This allows administrators to create and manage DNS records, such as hostnames and IP addresses.

5. Security: Active Directory provides enhanced security through access control lists, Kerberos authentication, encryption, and other features. This ensures that only authenticated and authorized users can access network resources.

Active Directory replication

Active Directory replication is the process by which changes that are made to Active Directory objects, such as user accounts, computer accounts, and group policy settings, are replicated to other domain controllers in the network. This ensures that all domain controllers have the same information and are up-to-date. Replication is accomplished using a multi-master replication model, where any domain controller can initiate replication and synchronize information with any other domain controller.

Consider a small network with three domain controller: DC1, DC2, and DC3. A user changes her password, updating the ntds.dit database in DC1. DC1 must then replicate this change to DC2 and DC3. Domain controllers automatically replicate with other domain controllers in the same domain to ensure that the Active Directory database is consistent. Windows Server 2008 relies on one or more domain controllers to manage access to network services.

Active Directory is designed to enable scalability by handling organizations of any size, from small businesses to global enterprises. In fact, Active Directory is theoretically scalable to holding 4,294,967,041 (232 -235) separate objects. From a practical standpoint, this means that the maximum size of an Active Directory database is really only limited by the processing power of the hardware that has been deployed into domain controller.

Benefits of Active Directory

  • Centralized resources and security administration
  • Single logon for access to global resources
  • Fault tolerance and redundancy
  • Simplified resource location

How is Active Directory hierarchical structure

Active Directory is organized in a hierarchical structure. At the top of the structure is the forest, which is a logical collection of all objects in a single Active Directory. Beneath the forest is the domain, which is a collection of objects related to a single security policy. Below the domain is the organizational unit, which is a container for a group of user, computer, and other objects. Finally, at the bottom of the structure is the object, which is an entity such as a user, computer, printer, or group.

What’s in the Active Directory database?

The Active Directory database stores all objects information in NTDS.DIT. Users, computers, group policies, printers, and shared folders are examples of AD objects.

Some of the benefits of Active Directory DS include a hierarchical organizational structure, multi master authentication to create fault tolerance and redundancy, a single point of access to network resources, and the ability to create trust relationships with external networks running previous versions of Active Directory and even UNIX. It also provides centralized resources and security administration, single logon for access to global resources, fault tolerance and redundancy, and simplified resource location.

Trusting terminology

When it comes to trusting terminology in Active Directory, it is important to understand the different types of trusts and what they mean. Trusts are used to establish a trust relationship between two domains. A trust relationship allows users from one domain to access resources in another domain. There are several types of trusts available in Active Directory, including external, forest, shortcut, realm, and external one-way trusts. It is important to understand the meaning of each type of trust and how they are used in order to trust terminology in Active Directory.

History and development of Active Directory

Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially released in 1999, it has been enhanced with each version of Windows Server. Active Directory allows administrators of an organization’s network to create and manage domains, users, and objects within a network.

Active Directory is based on technology originally created by the Microsoft-owned company, Novell, and is the successor to the Novell Directory Services (NDS) product. Microsoft integrated and extended NDS to create Active Directory.

Active Directory is the foundation of Microsoft’s identity management solutions, and it provides the core services that control and secure access to resources such as computers, networks, applications, and files. It also provides the framework for authentication and authorization of users, and for enforcing security policies throughout the network.

Active Directory is built upon multiple technologies, including Lightweight Directory Access Protocol (LDAP), Kerberos, DNS, and the Windows Server operating system. It is a hierarchical database that stores information about objects in the network, such as user accounts, computers, printers, and groups.

Active Directory is used to control and manage the network environment, and it is the foundation for other enterprise-level technologies such as Microsoft Exchange Server and Microsoft SharePoint Server. It is also integrated with Azure Active Directory, Microsoft’s cloud-based identity and access management service.

Active Directory has evolved over the years to meet the changing needs of organizations, and it is now considered a critical component of the IT infrastructure. It is used by organizations of all sizes, from small businesses to large enterprises.

Domains vs. workgroups

A domain is a collection of computers, users, and shared resources that are managed together and are located on the same network. Domains are typically managed by a central server, and users can access the resources within the domain from any computer on the network.

A workgroup is a group of computers that share resources on a local area network (LAN) without a centralized server. Workgroups are typically used in small or home office networks and are not as secure as domains.

What’s new in Active Directory Domain Services for Windows Server 2016

The following new features in Active Directory Domain Services (AD DS) improve the ability for organizations to secure Active Directory environments and help them migrate to cloud-only deployments and hybrid deployments, where some applications and services are hosted in the cloud and others are hosted on premises. The improvements include:

  • Privileged access management
  • Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
  • Connecting domain-joined devices to Azure AD for Windows 10 experiences
  • Enable Windows Hello for Business in your organization
  • Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels

PAM

Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

  • A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
  • New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.
  • New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).
  • An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime. NoteExpiring links are available on all linked attributes. But the member/memberOf linked attribute relationship between a group and a user is the only example where a complete solution such as PAM is preconfigured to use the expiring links feature.
  • KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.
  • New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.

Requirements for Privileged access management

  • Microsoft Identity Manager
  • Active Directory forest functional level of Windows Server 2012 R2 or higher.

Azure AD Join

Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers- with improved capabilities for corporate and personal devices.

Benefits:

  • Availability of Modern Settings on corp-owned Windows devices. Oxygen Services no longer require a personal Microsoft account: they now run off users’ existing work accounts to ensure compliance. Oxygen Services will work on PCs that are joined to an on-premises Windows domain, and PCs and devices that are “joined” to your Azure AD tenant (“cloud domain”). These settings include:
    • Roaming or personalization, accessibility settings and credentials
    • Backup and Restore
    • Access to Microsoft Store with work account
    • Live tiles and notifications
  • Access organizational resources on mobile devices (phones, tablets) that can’t be joined to a Windows Domain, whether they are corp-owned or BYOD.
  • Single-Sign On to Office 365 and other organizational apps, websites, and resources.
  • On BYOD devices, add a work account (from an on-premises domain or Azure AD) to a personally owned device and enjoy SSO to work resources, via apps and on the web, in a way that helps ensure compliance with new capabilities such as Conditional Account Control and Device Health attestation.
  • MDM integration lets you auto-enroll devices to your MDM (Intune or third-party).
  • Set up “kiosk” mode and shared devices for multiple users in your organization.
  • Developer experience lets you build apps that cater to both enterprise and personal contexts with a shared programing stack.
  • Imaging option lets you choose between imaging and allowing your users to configure corp-owned devices directly during the first-run experience.

Windows Hello for Business

Windows Hello for Business is a key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach, theft, and phish-resistant credentials.

The user logs on to the device with a biometric or PIN logon information that is linked to a certificate or an asymmetrical key pair. The Identity Providers (IDPs) validate the user by mapping the public key of the user to IDLocker and provides log on information through One Time Password (OTP), Phone or a different notification mechanism.

For more information, see, Windows Hello for Business

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels

Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

At the Windows Server 2008 and higher domain functional levels, Distributed File Service (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate the SYSVOL folder. If you created the domain at a lower functional level, you will need to migrate from using FRS to DFS replication for the SYSVOL folder. For migration steps, you can either follow these steps or you can refer to the streamlined set of steps on the Storage Team File Cabinet blog.

The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels higher. For more information, see the following resources:

  • Understanding Active Directory Domain Services (AD DS) Functional Levels
  • Raise the Domain Functional Level
  • Raise the Forest Functional Level

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Guys please don’t forget to like and share the post.Also join our Active Directory page and where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below ActiveDirectory email id.

If you have any questions feel free to contact us on admin@activedirectory.in also follow us on facebook page to get updates about new blog posts.

Vipan Kumar

He is an Active Directory Consultant. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@activedirectory.in. Please subscribe our Facebook page as well website for latest article.

Recent Posts

What are the steps to move the DC in production site after promotion?

Moving a domain controller (DC) to a production site after promotion involves several steps. Here's…

1 year ago

What are the staging and production sites in Active directory?

In Active Directory, staging and production sites refer to different environments used for testing and deploying changes…

1 year ago

If domain controller down for some time, is it good to move this to staging site? if yes then why?

If a domain controller (DC) has been down for an extended period of time, there…

1 year ago

What information contain netlogon logs?

Netlogon logs contain information related to the Netlogon service on a Windows Server, which is responsible for authenticating…

1 year ago

What are sites in Active directory? What are they used for?

In Active Directory, sites are a logical construct used to group together network resources (such as domain…

1 year ago

How we can redirect specific user’s subnet to get the authentication from particular AD site

You can redirect a specific subnet to authenticate from a particular Active Directory site by using site…

1 year ago