Active Directory and how it works


What is Active Directory (AD):

  • Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.
  • Active Directory (AD) is a directory service that runs on Microsoft Windows Server. The main function of Active Directory is to enable administrators to manage permissions and control access to network resources. In Active Directory, data is stored as objects, which include users, groups, applications, and devices, and these objects are categorized according to their name and attributes.
  • In simple, non-technical terms, Active Directory (AD) is an application (database) that keeps track of a company’s user accounts, passwords, and other user information (role, manager, etc.). It is essentially the master source of all user accounts. Whenever an employee joins or leaves the organization or changes role, the appropriate changes are made in AD first, and all the other systems (email access, login to the company laptop, access to network folders) rely on AD. So, for example, if you leave the organization, your AD account is deactivated and you can no longer log in to a company PC or check work email.
  • Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.
  • The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.
  • The services control much of the activity that goes on in your IT environment. They make sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allow them to access only the data they’re allowed to use (authorization).

Benefits of Active Directory:

Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature. Users can authenticate once and then seamlessly access any resources in the domain for which they are authorized (single sign-on). Plus, files are stored in a central repository where they can be shared with other users to ease collaboration, and backed up properly by IT teams to ensure business continuity.

How does Active Directory work:

The main Active Directory service is Active Directory Domain Services (AD DS), which is part of the Windows Server operating system. The servers that run AD DS are called domain controllers (DCs). Organizations normally have multiple DCs, and each one has a copy of the directory for the entire domain. Changes made to the directory on one domain controller — such as a password update or the deletion of a user account — are replicated to the other DCs so they all stay up to date. A Global Catalogue server is a DC that stores a complete copy of all objects in the directory of its own domain and a partial copy of all objects in every other domain in the forest; this enables users and applications to find objects in any domain of their forest. Desktops, laptops and other devices running Windows (rather than Windows Server) can be part of an Active Directory environment, but they do not run AD DS. AD DS relies on several established protocols and standards, including LDAP (Lightweight Directory Access Protocol), Kerberos and DNS (Domain Name System).

  • It’s important to understand that Active Directory is only for on-premises Microsoft environments. Microsoft environments in the cloud use Azure Active Directory, which serves the same purposes as its on-prem namesake. AD and Azure AD are separate but can work together to some degree if your organization has both on-premises and cloud IT environments (a hybrid deployment).

How is Active Directory structured:

  • AD has three main tiers: domains, trees, and forests. A domain is a group of related users, computers, and other AD objects, such as all the AD objects for your company’s head office. Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest.
  • Keep in mind that a domain is a management boundary. The objects for a given domain are stored in a single database and can be managed together. A forest is a security boundary. Objects in different forests are not able to interact with each other unless the administrators of each forest create a trust between them. For instance, if you have multiple disjointed business units, you probably want to create multiple forests.

What is in the Active Directory database:

  1. The Active Directory database (directory) contains information about the AD objects in the domain. Common types of AD objects include users, computers, applications, printers and shared folders. Some objects can contain other objects (which is why you’ll see AD described as “hierarchical”). Organizations often simplify administration by organizing AD objects into organizational units (OUs) and streamline security by putting users into groups. These OUs and groups are themselves objects stored in the directory.
  2. Objects have attributes. Some attributes are obvious and some are more behind the scenes. For example, a user object typically has attributes like the person’s name, password, department, and email address, but also attributes most people never see, such as its unique Globally Unique Identifier (GUID), Security Identifier (SID), last logon time and group membership.
  3. Databases are structured, which means there is a design that determines what types of data they store and how that data is organized. This design is called a schema. Active Directory is no exception: its schema contains formal definitions of every object class that can be created in the Active Directory forest and every attribute that can exist in an Active Directory object. AD comes with a default schema, but administrators can modify it to suit business needs. The key thing to know is that it is best to plan the schema carefully up front; because of the central role AD plays in authentication and authorization, changing the schema of the AD database later can dramatically disrupt your business.
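Two of the "behind the scenes" attributes just mentioned, the SID and the last logon time, are stored in formats that are not human-readable. The following is an added example, not code from the original post, that parses both and runs a small account review over constructed user records (the domain SID, account names and timestamps are all made up for the example):

```python
"""Added example (not from the original post): parse the objectSid and
lastLogonTimestamp attributes of AD user objects and review the results.
All SIDs, account names and timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

# Relative identifiers (RIDs) that every AD domain assigns to the same built-in
# principals. They survive renaming: a built-in Administrator account renamed
# to "svc-legacy" still carries RID 500.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_sid(sid: str) -> dict:
    """Split 'S-<revision>-<authority>-<sub-authorities>-<rid>'.

    For domain accounts (authority 5, first sub-authority 21) the domain
    identifier is everything but the last component, and the last component
    is the RID that identifies the account within that domain."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    is_domain = authority == 5 and len(subs) == 5 and subs[0] == 21
    return {
        "revision": revision,
        "authority": authority,
        "domain_sid": "-".join(parts[:-1]) if is_domain else None,
        "rid": subs[-1] if is_domain else None,
    }


def filetime_to_datetime(ft: int):
    """Convert a FILETIME integer to an aware UTC datetime.
    Zero means the account has never logged on, so return None."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build sample records."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def review_accounts(users, now, stale_days=90):
    """Flag accounts carrying a well-known RID and accounts that have not
    logged on for more than stale_days. Returns (sAMAccountName, finding)."""
    findings = []
    for u in users:
        name = u["sAMAccountName"]
        rid = parse_sid(u["objectSid"])["rid"]
        if rid in WELL_KNOWN_RIDS:
            findings.append((name, f"built-in RID {rid} ({WELL_KNOWN_RIDS[rid]})"))
        last = filetime_to_datetime(u["lastLogonTimestamp"])
        if last is None:
            findings.append((name, "never logged on"))
        elif (now - last).days > stale_days:
            findings.append((name, f"no logon for {(now - last).days} days"))
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed value
SAMPLE_USERS = [  # constructed records, shaped like LDAP search results
    {"sAMAccountName": "svc-legacy", "objectSid": DOMAIN_SID + "-500",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe", "objectSid": DOMAIN_SID + "-1105",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 5, 28, tzinfo=timezone.utc))},
    {"sAMAccountName": "contractor", "objectSid": DOMAIN_SID + "-1106",
     "lastLogonTimestamp": 0},
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_USERS, NOW):
        print(f"{name:12} {finding}")
```

Checking the RID rather than the account name is what makes the built-in Administrator visible even after it has been renamed. One caveat on the timestamp: lastLogonTimestamp is the replicated attribute, but DCs only refresh it when the stored value is more than about 14 days old, so it is suitable for finding long-idle accounts, not for precise "last seen" times; the per-DC lastLogon attribute is exact but is not replicated.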

Active Directory Domain Services are:

Active Directory Domain Services (AD DS) is a core component of Active Directory and provides the primary mechanism for authenticating users and determining which network resources they can access. AD DS also provides additional features such as Single Sign-On (SSO), security certificates, LDAP, and access rights management.

The Hierarchical Structure of Active Directory Domain Services:

AD DS organizes data in a hierarchical structure consisting of domains, trees, and forests, as detailed below.

  1. Domains: A domain represents a group of objects such as users, groups, and devices, which share the same AD database. Think of a domain as a branch of a tree. A domain follows the same naming structure as standard DNS domains and sub-domains, e.g., yourdomain.com and sales.yourdomain.com.
  2. Trees: A tree is one or more domains grouped together in a logical hierarchy. Since domains in a tree are related, they are said to “trust” each other.
  3. Forest: A forest is the highest level of organization within AD and contains a group of trees. The trees in a forest can also trust each other, and will also share directory schemas, catalogues, application information, and domain configurations.
  4. Organizational Units: An OU is used to organize users, groups, computers, and other organizational units.
  5. Containers: A container is like an OU, however, unlike an OU, it is not possible to link a Group Policy Object (GPO) to a generic Active Directory container.
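The two boundaries described above (a domain as a management boundary, a forest as the security boundary that only an explicit trust can cross) and the domain, tree and forest tiers of this list can be modelled in a few lines. The following is an added example, not code from the original post: it parses LDAP distinguished names into their OU path and DNS domain, decides whether two domains share a tree, and answers whether a principal from one domain can be authorized to a resource in another at all. Every forest, domain and user name in it is constructed.

```python
"""Added example (not from the original post): a small model of the AD
hierarchy. Domains are grouped into trees (contiguous DNS namespaces) and
trees into forests; the forest is the security boundary, so a principal
reaches a resource in another forest only over an explicit trust.
All forest, domain and user names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Forest:
    root: str                        # DNS name of the forest root domain
    domains: set = field(default_factory=set)


def parse_dn(dn: str) -> dict:
    """Split an LDAP distinguished name into its leaf CN, its OU path
    (root -> leaf) and the DNS domain spelled by its DC= components.
    Assumes RDN values contain no escaped commas."""
    rdns = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        rdns.append((key.upper(), value))
    cn = next((v for k, v in rdns if k == "CN"), None)
    ous = [v for k, v in rdns if k == "OU"]   # a DN lists OUs leaf-first
    dcs = [v for k, v in rdns if k == "DC"]
    return {"cn": cn, "ou_path": list(reversed(ous)), "domain": ".".join(dcs)}


def forest_of(domain: str, forests: list) -> Forest:
    for f in forests:
        if domain in f.domains:
            return f
    raise KeyError(f"{domain} is not a domain in any known forest")


def tree_root(domain: str, forest: Forest) -> str:
    """The tree root is the shortest forest domain whose DNS name is a suffix
    of `domain`. A second tree in the same forest has its own, unrelated root."""
    ancestors = [d for d in forest.domains
                 if domain == d or domain.endswith("." + d)]
    if not ancestors:
        raise KeyError(f"{domain} is not in forest {forest.root}")
    return min(ancestors, key=len)


def same_tree(a: str, b: str, forest: Forest) -> bool:
    return tree_root(a, forest) == tree_root(b, forest)


def access_possible(user_domain: str, resource_domain: str,
                    forests: list, forest_trusts: set) -> bool:
    """Can a principal from user_domain be authorized to a resource in
    resource_domain at all? Inside one forest every domain trusts every other
    (transitively), so the answer is yes. Across forests it requires an
    explicit trust, modelled here as (trusting forest root, trusted forest root).
    Whether a particular user is then granted access is a separate
    authorization decision on the resource itself."""
    uf = forest_of(user_domain, forests)
    rf = forest_of(resource_domain, forests)
    if uf is rf:
        return True
    return (rf.root, uf.root) in forest_trusts


# Constructed environment: one forest holding two trees, plus a partner forest.
CORP = Forest("yourdomain.com", {"yourdomain.com", "sales.yourdomain.com",
                                 "eu.sales.yourdomain.com", "otherbrand.net"})
PARTNER = Forest("partner.example", {"partner.example"})
FORESTS = [CORP, PARTNER]


if __name__ == "__main__":
    print(parse_dn("CN=Jane Doe,OU=Staff,OU=Sales,DC=sales,DC=yourdomain,DC=com"))
    print(same_tree("eu.sales.yourdomain.com", "sales.yourdomain.com", CORP))  # True
    print(same_tree("otherbrand.net", "sales.yourdomain.com", CORP))           # False
    print(access_possible("otherbrand.net", "sales.yourdomain.com", FORESTS, set()))   # True
    print(access_possible("partner.example", "sales.yourdomain.com", FORESTS, set()))  # False
    print(access_possible("partner.example", "sales.yourdomain.com", FORESTS,
                          {("yourdomain.com", "partner.example")}))            # True
```

The model makes the practical consequence of the text concrete: otherbrand.net is a different tree from sales.yourdomain.com but sits in the same forest, so nothing prevents its principals from being granted access there, whereas partner.example is unreachable until a forest trust exists. That is why separate forests, not separate domains, are the right tool when business units must be isolated from each other.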

Other Active Directory Services:

Besides Active Directory Domain Services, there are a handful of other critical services that AD provides. Some of those services have been listed below:

  1. Lightweight Directory Services: AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service. It provides only a subset of the AD DS features, which makes it more versatile in terms of where it can be run. For example, it can be run as a stand-alone directory service without needing to be integrated with a full implementation of Active Directory.
  2. Certificate Services: You can create, manage, and share encryption certificates, which allow users to exchange information securely over the internet.
  3. Active Directory Federation Services: ADFS is a Single Sign-On (SSO) solution for AD which allows employees to access multiple applications with a single set of credentials, thus simplifying the user experience.
  4. Rights Management Services: AD RMS is a set of tools that assists with the management of security technologies that will help organizations keep their data secure. Such technologies include encryption, certificates, and authentication, and cover a range of applications and content types, such as emails and Word documents.

The server that hosts AD DS is called a domain controller (DC). A domain controller can also authenticate users for other Microsoft products, such as Exchange Server, SharePoint Server, SQL Server, file servers, and more.
