Active Directory [AD] is a directory service developed by Microsoft for Windows domain networks.
It is built into Windows Server operating systems and is responsible for managing various services
and processes that allow centralized control over network resources.
Originally, AD was designed solely for domain management but has since evolved to encompass a broader set of identity-related services.
Active Directory is based on protocols such as:
Lightweight Directory Access Protocol [LDAP]: AD supports LDAP versions 2 and 3.
Kerberos: Microsoft's version of the Kerberos protocol provides secure authentication.
DNS: Domain Name System [DNS] is used for locating network services.
A Domain Controller [DC] is a critical server within a network that handles security authentication requests and grants access to domain resources.
It stores user account data and enforces security policies for the domain.
In Windows environments, the DC is a central component of Active Directory. While AD is most common in Windows-based networks,
non-Windows domain controllers [e.g., Samba, Red Hat FreeIPA] are also available.
Active Directory Domain Services [AD DS] is the core service of Active Directory, managing user authentication and access to network resources.
A domain controller running AD DS assigns security policies, deploys or updates software, and verifies user credentials.
AD DS supports:
Authentication: Verifying user credentials during login.
Authorization: Defining the permissions of users and groups.
Centralized management: Facilitating control over resources and policies.
Examples of additional services that can be deployed with AD DS include:
Certificate Services [AD CS]
Federation Services [AD FS]
Lightweight Directory Services [AD LDS]
Rights Management Services [AD RMS]
Previously known as Active Directory Application Mode [ADAM], AD LDS is a flexible directory service that implements the LDAP protocol.
Unlike AD DS, AD LDS does not require domain controllers and allows multiple directory instances on the same server.
AD LDS is often used in scenarios where organizations need lightweight directory services without creating domains.
AD CS provides a Public Key Infrastructure [PKI] for issuing and managing digital certificates within an organization.
These certificates can be used for:
File encryption [e.g., Encrypting File System]
Email security [e.g., S/MIME]
Network security [e.g., VPNs, TLS, IPsec]
AD CS enhances data security by issuing, validating, and revoking digital certificates.
AD FS provides a Single Sign-On [SSO] solution that allows users to access multiple web-based services or network resources with one set of credentials.
It uses widely accepted protocols, such as SAML, OAuth, and OpenID Connect, to securely pass authentication tokens.
AD FS is designed to extend the capability of AD DS by enabling cross-network authentication, facilitating secure identity federation.
AD RMS protects sensitive information through rights management controls, such as encryption and selective access restriction.
It governs user permissions on documents and files, allowing organizations to control who can view, edit, copy, or print content.
AD RMS is integral to securing corporate communications, emails, and sensitive documents by limiting access to authorized users.
AD’s logical structure comprises the Directory Service and the Directory Database.
The Directory System Agent [DSA] is responsible for managing communication between services and the database,
facilitating tasks such as object retrieval and updates. AD data can be accessed through several interfaces, including:
LDAP
Active Directory Service Interfaces [ADSI]
Messaging APIs
Security Accounts Manager [SAM]
Objects in AD are divided into two main categories:
Resources [e.g., printers, shared folders]
Security Principals [e.g., user accounts, computers, groups]
Each object is uniquely identified within the directory by a Security Identifier [SID] and is defined by a schema that outlines its attributes.
The AD schema is extensible, allowing administrators to add or modify attributes, though these changes should be carefully planned as they impact the entire AD deployment.
Some objects [containers] may even hold other objects within them.
Each object has a unique name, and its definition, the set of attributes it can carry and how they are stored in the directory, is given by the schema.
Administrators can extend or modify the schema by editing schema objects when needed.
However, because each schema object is integral to the definition of Active Directory objects,
deactivating or changing one can fundamentally alter or disrupt a deployment.
A schema modification affects the entire deployment automatically, and schema objects, once added, cannot be deleted, only deactivated.
Changing the schema therefore usually requires careful planning.
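The SID mentioned above is exposed through LDAP as the objectSid attribute, which is binary rather than the familiar S-1-5-21-... text: one revision byte, one sub-authority count byte, a 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities. The last sub-authority is the relative identifier [RID], and everything before it is the domain SID, which is how a reviewer tells which domain an account or group belongs to and whether it is a built-in principal. The Python below is an added example, not code from the article; the SID value it decodes is constructed, and the well-known RID table holds documented Windows values.

```python
"""Decode and encode the binary objectSid attribute of an AD security principal.

Added example (not from the original article). The sample SID is constructed.
"""
import struct

# Documented well-known RIDs present in every domain (518 and 519 exist only in the forest root domain).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Prefix every domain SID starts with: revision 1, NT authority (5), non-unique authority (21).
DOMAIN_SID_PREFIX = "S-1-5-21-"


def sid_to_string(raw: bytes) -> str:
    """Convert the binary objectSid value to its S-R-I-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match data length")
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit identifier authority
    subs = struct.unpack_from(f"<{count}I", raw, 8)        # little-endian 32-bit sub-authorities
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def string_to_sid(text: str) -> bytes:
    """Convert an S-1-5-21-... string back to the binary form stored in objectSid."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_domain_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def describe(sid: str) -> str:
    """Name a well-known domain principal, or report that the RID is domain-specific."""
    domain, rid = split_domain_sid(sid)
    if not domain.startswith(DOMAIN_SID_PREFIX):
        return "not a domain account SID"
    return WELL_KNOWN_RIDS.get(rid, f"RID {rid} (domain-specific account)")


# Constructed sample: Domain Admins of a fictitious domain.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-512"

if __name__ == "__main__":
    raw = string_to_sid(SAMPLE_SID)
    print(raw.hex())
    print(sid_to_string(raw), "->", describe(SAMPLE_SID))
```

A practical use of this split: two accounts in different domains can share a name, but their domain SIDs differ, so access checks and log review should key on the SID, not on the display name.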
Active Directory is organized into three hierarchical levels:
1. Domain - A domain contains network objects such as users, computers, and devices, all sharing the same AD database.
2. Tree - A collection of domains connected in a hierarchy.
3. Forest - The highest level, a collection of trees sharing a common schema and global catalog.
The forest is the security boundary for AD, controlling access to its resources.
Organizational Units [OUs] are containers within domains that group objects logically, simplifying administration and policy implementation.
OUs reflect organizational structures and are commonly used for delegation of administrative tasks and Group Policy Object [GPO] application.
For example, different departments in a company may each have their own OU, with specific policies applied.
It is recommended to use OUs rather than creating additional domains, as OUs are more manageable and provide greater flexibility.
However, note that within the same domain, duplicate SamAccountNames are not allowed, even if objects reside in different OUs.
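Two consequences of the OU discussion above are easy to check mechanically from distinguished names alone: the chain of containers above an object fixes the order in which domain- and OU-linked GPOs apply to it, and sAMAccountName must be unique per domain no matter which OU holds the object. The Python below is an added example, not code from the article; the directory entries it inspects are constructed, and the domains corp.example.com and eu.corp.example.com are assumptions.

```python
"""OU hierarchy and per-domain sAMAccountName uniqueness, derived from distinguished names.

Added example (not from the original article). The entries below are constructed.
"""


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (e.g. 'CN=Smith\\, J')."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def container_chain(dn: str) -> list[str]:
    """Return the containers above an object from the domain down to its immediate parent.

    This is the order in which domain- and OU-linked GPOs are applied (later entries win on
    conflict). Built-in containers such as CN=Users appear in the chain too, although GPOs
    cannot be linked to them.
    """
    rdns = split_dn(dn)
    j = len(rdns)
    while j > 0 and rdns[j - 1].upper().startswith("DC="):
        j -= 1                       # the domain is the trailing run of DC= components
    chain = [",".join(rdns[j:])]     # domain DN first
    for i in range(j - 1, 0, -1):    # then each ancestor, top-down, excluding the object itself
        chain.append(",".join(rdns[i:]))
    return chain


def duplicate_sam_account_names(entries: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Find sAMAccountName values used more than once within one domain, across all OUs.

    Comparison is case-insensitive, as in AD. The same name in two different domains of a
    forest is allowed and is not reported.
    """
    seen: dict[tuple[str, str], list[str]] = {}
    for e in entries:
        name = e.get("sAMAccountName")
        if not name:
            continue
        domain = container_chain(e["dn"])[0].lower()
        seen.setdefault((domain, name.lower()), []).append(e["dn"])
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed directory entries (two domains, several OUs).
SAMPLE_ENTRIES = [
    {"dn": "CN=J Smith,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com", "sAMAccountName": "jsmith"},
    {"dn": "CN=John Smith,OU=Engineering,OU=Staff,DC=corp,DC=example,DC=com", "sAMAccountName": "JSmith"},
    {"dn": "CN=A Lee,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com", "sAMAccountName": "alee"},
    {"dn": "CN=J Smith,OU=Staff,DC=eu,DC=corp,DC=example,DC=com", "sAMAccountName": "jsmith"},
    {"dn": "CN=Printer01,OU=Devices,DC=corp,DC=example,DC=com"},  # resource object, no sAMAccountName
]

if __name__ == "__main__":
    for c in container_chain(SAMPLE_ENTRIES[0]["dn"]):
        print("GPO scope:", c)
    for (domain, name), dns in duplicate_sam_account_names(SAMPLE_ENTRIES).items():
        print(f"duplicate sAMAccountName '{name}' in {domain}:", *dns, sep="\n  ")
```

The duplicate check is the kind of pre-flight test that belongs in any provisioning pipeline that creates accounts in several OUs: the directory would reject the second object anyway, but catching the collision before the request reaches a domain controller gives a clearer error and avoids half-applied changes.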
The AD database is divided into partitions [also referred to as naming contexts], each with a specific role:
1. Schema Partition: Contains definitions of object classes and attributes for the entire forest.
2. Configuration Partition: Stores configuration information such as site topology, replicated across the forest.
3. Domain Partition: Stores objects specific to a domain, replicating only within that domain.
These partitions allow AD to manage and replicate data efficiently across the network, ensuring scalability and robustness.
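Every domain controller advertises the partitions it holds in the rootDSE entry, readable anonymously over LDAP in most deployments: namingContexts lists them all, and schemaNamingContext, configurationNamingContext and defaultNamingContext name the three described above. The Python below is an added example, not code from the article: it parses a rootDSE captured in LDIF form and labels each naming context with its partition type and replication scope. The LDIF text is constructed, and the domain corp.example.com is an assumption. It also goes slightly beyond the text by recognising the DomainDnsZones and ForestDnsZones application partitions that AD-integrated DNS creates, which are not among the three partitions listed above.

```python
"""Classify the partitions (naming contexts) a domain controller reports in its rootDSE.

Added example (not from the original article). The rootDSE below is constructed LDIF
of the kind an LDAP client prints for a base-scope search of the empty DN.
"""
import base64

SAMPLE_ROOTDSE = """\
dn:
namingContexts: DC=corp,DC=example,DC=com
namingContexts: CN=Configuration,DC=corp,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=corp,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=corp,DC=example,DC=com
defaultNamingContext: DC=corp,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
configurationNamingContext: CN=Configuration,DC=corp,DC=example,DC=com
rootDomainNamingContext: DC=corp,DC=example,DC=com
dnsHostName: dc1.corp.example.com
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute -> values, handling folded lines and base64 values."""
    logical: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # LDIF folding: a leading space continues the previous line
        else:
            logical.append(line)
    attrs: dict[str, list[str]] = {}
    for line in logical:
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):            # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key.lower() == "dn":
            continue                         # rootDSE has the empty DN
        attrs.setdefault(key, []).append(value)
    return attrs


def dn_to_dns(dn: str) -> str:
    """Turn 'DC=corp,DC=example,DC=com' into 'corp.example.com'."""
    labels = [r.strip()[3:] for r in dn.split(",") if r.strip().lower().startswith("dc=")]
    return ".".join(labels)


def classify_partitions(root: dict[str, list[str]]) -> dict[str, str]:
    """Label each naming context with its partition type and replication scope."""
    schema = root["schemaNamingContext"][0].lower()
    config = root["configurationNamingContext"][0].lower()
    labels: dict[str, str] = {}
    for nc in root.get("namingContexts", []):
        low = nc.lower()
        rdns = [r.strip() for r in low.split(",")]
        if low == schema:
            labels[nc] = "schema (forest-wide)"
        elif low == config:
            labels[nc] = "configuration (forest-wide)"
        elif rdns[0] in ("dc=domaindnszones", "dc=forestdnszones"):
            labels[nc] = "application (DNS zones)"   # AD-integrated DNS application partitions
        elif all(r.startswith("dc=") for r in rdns):
            labels[nc] = "domain (domain-only)"
        else:
            labels[nc] = "application (other)"
    return labels


def is_forest_root_dc(root: dict[str, list[str]]) -> bool:
    """True when the DC's own domain is the forest root domain."""
    return root["defaultNamingContext"][0].lower() == root["rootDomainNamingContext"][0].lower()


if __name__ == "__main__":
    root = parse_ldif_entry(SAMPLE_ROOTDSE)
    print("DC:", root["dnsHostName"][0], "domain:", dn_to_dns(root["defaultNamingContext"][0]),
          "forest root:", is_forest_root_dc(root))
    for nc, label in classify_partitions(root).items():
        print(f"{label:28s} {nc}")
```

Reading rootDSE this way is also a quick sanity check after promoting or demoting a domain controller: the partitions it lists should match what the site design expects, and an unexpected application partition is worth explaining.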