Active Directory (AD)
In this article
- What is Active Directory?
- Key components of Active Directory
- What is a directory service?
- Functionalities of Active Directory
- Hierarchical Structure of Active Directory
- Simplified terms for Active Directory
- Trust relationships in Active Directory
- Managing Active Directory
- Active Directory vs Azure Active Directory
What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was solely responsible for centralised domain management. However, over time, Active Directory has expanded into an overarching term encompassing a broad array of directory-based identity-related services.
Key components of Active Directory
- Domain services (AD DS): Provides methods for storing directory data and makes this data accessible to network users and administrators. For instance, AD DS stores information about user accounts, such as names, passwords, phone numbers, etc., and enables other network services to use this information.
- Lightweight directory services (AD LDS): Offers a light, flexible directory service that can be used for directory-enabled applications. Unlike AD DS, AD LDS does not need to be implemented on a domain controller and does not need to store Windows domain information.
- Certificate services (AD CS): Provides a framework for creating and managing identity and access solutions. This includes public key infrastructure (PKI) capabilities to enable secure email, web-based SSL certificates, and more.
- Federation services (AD FS): Enables secure sharing of identity information between trusted business partners (known as a federation) across an extranet or the internet.
- Rights management services (AD RMS): Allows organisations to protect digital information from unauthorised use. This includes safeguarding sensitive data such as financial reports, product specifications, customer details, and email messages.
What is a directory service?
Imagine a telephone book. It contains the names, addresses, and telephone numbers of people in a city. Such a telephone directory is a directory service: it stores information and makes it accessible to others.
In a network, a directory service is a service that stores information about all connected devices and users. This includes names, IP addresses, group memberships, and security settings.
Much like a telephone directory, a directory service allows other network services to access this information. This enables computers and printers to locate each other, and users to log into their computers and access network shares.
Functionalities of Active Directory
- Centralised resource and security management: Provides a single point from which administrators can manage network resources and their associated security objects.
- Scalable, secure, and manageable authentication and authorisation services: AD uses domain controllers to authenticate users and devices in a Windows domain.
- Directory services: Stores information, organises it, and provides access to information in a directory.
- Group policy: Helps administrators efficiently manage and configure operating systems, applications, and user settings in an Active Directory environment.
- Replication: Ensures that changes made at one domain controller are automatically replicated to other domain controllers within the domain.
Hierarchical Structure of Active Directory
The architecture of Active Directory is designed as a hierarchical framework to provide a scalable, organised, and secure directory service. This structure includes forests, domain trees, domains, and organisational units (OUs), which are essential for effectively managing and securing Active Directory objects.
- Forests: A forest is the highest level in the Active Directory structure. It comprises one or more domains that share a common schema, global catalogue, and directory configuration. The forest acts as a security boundary within Active Directory, within which all domains trust each other.
- Domain trees: A domain tree is an assembly of domains arranged hierarchically. This arrangement provides a logical method to group and manage domains based on factors like geographical location or function.
- Domains: A domain acts as a subdivision within a forest, defining both security and administrative boundaries. It groups and manages objects such as users, computers, and other resources, all sharing a common directory database. Every domain within a forest is interconnected by trust relationships, streamlining the sharing of resources and management across the forest.
- Organisational units (OUs): OUs function as containers within a domain, structuring directory objects into logical administrative groups. This allows administrators to delegate authorities by assigning specific rights to users or groups for particular OUs, enabling a decentralised management model. OUs can also be employed to apply Group Policy Objects (GPOs) for precise configuration and security settings across the network.
- Directory objects: Active Directory objects are the fundamental building blocks of the directory. They represent all resources managed within an Active Directory network, such as users, computers, groups, devices, services, and contacts. Each object has a set of attributes that contain information about the object. Administrators can assign group policy objects (GPOs) to objects to determine configuration and security settings.
- Group policy objects (GPOs): GPOs are a powerful tool for managing the configuration and behaviour of directory objects. GPOs enable the centralised application of policies and settings to users and computers within an Active Directory. Through GPOs, administrators can impose strict password policies, set uniform desktop backgrounds or screensavers, or restrict printer use to black-and-white printing only.
Simplified terms for Active Directory
To better understand the hierarchical structure of Active Directory, we can compare its various elements to everyday concepts:
Trust relationships in Active Directory
Trust relationships in Active Directory are crucial mechanisms that enable users in one domain to access resources in another. These relationships are vital for ensuring users can seamlessly access the resources they need, no matter which domain or forest those resources are in. They play a critical role in navigating the complexities of network security and resource management across various domains and forests.
Key types of trust:
- Two-way trust: The standard within a forest, allowing mutual access between domains.
- One-way trust: Allows users in the trusted domain to access resources in the trusting domain, but not the reverse.
- External trust: For connecting domains outside the forest, useful for collaboration with external entities.
- Forest trust: Connects two forests, allowing resources to be shared while keeping the forests distinct.
- Shortcut trust: Optimises authentication paths within a forest to speed up access.
- Realm trust: Bridges an Active Directory domain with non-Windows Kerberos realms, enabling cross-platform interoperability.
Trust direction and transitivity:
- Direction: Specifies whether a trust permits one-way or mutual access between domains.
- Transitivity: Enables trust relationships to extend beyond two domains, simplifying access to resources across the network.
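To make direction and transitivity concrete, the following is an added example (not part of the original article) that models a constructed set of trusts and works out which domains' resources a user from a given domain can reach. The domain names are made up, and the evaluation rule is the modelling assumption that a direct trust grants access regardless of transitivity, while a multi-hop path grants access only if every hop on it is transitive.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a trust: 'trusting' accepts principals from 'trusted'."""
    trusting: str
    trusted: str
    transitive: bool


def two_way(a, b, transitive=True):
    """A two-way trust is just a pair of one-way trusts, one in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


# Constructed topology (assumption, not a real environment):
# corp.example is the forest root, eu.corp.example its child domain (two-way,
# transitive), fabrikam.example is joined by a two-way transitive forest trust,
# and eu.corp.example has a one-way, non-transitive external trust to partner.example.
SAMPLE_TRUSTS = (
    two_way("corp.example", "eu.corp.example")
    + two_way("corp.example", "fabrikam.example")
    + [Trust("eu.corp.example", "partner.example", transitive=False)]
)


def accessible_domains(trusts, user_domain):
    """Domains whose resources a principal from user_domain can reach."""
    # Direct hops: any domain that trusts user_domain grants access, transitive or not.
    reachable = {t.trusting for t in trusts if t.trusted == user_domain}
    # Multi-hop paths: walk only transitive trusts outward from user_domain.
    frontier, expanded = deque([user_domain]), set()
    while frontier:
        current = frontier.popleft()
        if current in expanded:
            continue
        expanded.add(current)
        for t in trusts:
            if t.trusted == current and t.transitive:
                reachable.add(t.trusting)
                frontier.append(t.trusting)
    reachable.discard(user_domain)  # two-way trusts loop back; a domain is not "remote" to itself
    return reachable


def can_access(trusts, user_domain, resource_domain):
    """True if a user from user_domain can be granted access in resource_domain."""
    return resource_domain in accessible_domains(trusts, user_domain)
```

Note that partner.example users reach eu.corp.example through the direct external trust but not corp.example, because the external hop is non-transitive; eu.corp.example users cannot reach partner.example at all, because that trust is one-way.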
Managing Active Directory
Without a comprehensive IAM solution like HelloID, Active Directory Users and Computers (ADUC) becomes essential for daily administrative tasks in Active Directory. ADUC facilitates direct, manual management of user identities, access rights, and the organisational hierarchy.
Although this manual approach is effective for smaller organisations or specific administrative needs, it can become cumbersome and prone to errors in larger, more dynamic environments. The hierarchical structure of Active Directory, with its forests, domains, and organisational units (OUs), allows IT administrators to efficiently organise and secure their network resources.
However, the complexity of managing these entities escalates with the size and scope of the organisation. IAM solutions enhance Active Directory by automating identity management and access control processes, thereby improving security, reducing administrative overhead, and enhancing the user experience.
Active Directory vs Azure Active Directory
Active Directory (AD) is an on-premises directory service from Microsoft used to manage users, computers, and other resources in a Windows network. Azure Active Directory (Azure AD) is its cloud-based counterpart that offers similar functionalities but focuses on managing identities and access rights for Microsoft’s cloud services. Azure AD can be linked to on-premises AD, allowing for synchronisation of user identities between the two systems. This linkage ensures users have seamless access to both on-premises and cloud-based resources. As more organisations transition to the cloud, Azure AD is becoming increasingly vital. We are already seeing many organisations moving away from their traditional on-premises Active Directory and fully transitioning to Azure AD. However, migrating from AD to Azure AD can be complex and is not yet feasible for everyone, especially for organisations with large and complex IT infrastructures.