Upcoming Webinar - Why the CISO Needs to Take a Data-Centric View on Security         April 22 at 2 pm EDTRegister Now

What Is Active Directory and How Does It Work?

Jason Coggins by    Published On - 10.22.2020   General

Active Directory (AD) is a directory service that runs on Microsoft Windows Server. The main function of AD is to enable administrators to manage permissions and control access to network resources. In AD, data is stored as objects, which include users, groups, applications and devices, and these objects are categorized according to their name and attributes.

Domain Services (AD DS) are a core component of Active Directory and provide the primary mechanism for authenticating users and determining which network resources they can access. AD DS also provides additional features such as Single Sign-On (SSO), security certificates, LDAP, and access rights management.

Below is a more detailed description of the features available with AD DS.

Lightweight Directory Services: AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service. It provides only a subset of the AD DS features, which makes it more versatile in terms of where it can be run. For example, it can be run as a stand-alone directory service without needing to be integrated with a full implementation of Active Directory.

Certificate Services: You can create, manage and share encryption certificates, which allow users to exchange information securely over the internet.

Active Directory Federation Services: ADFS is a Single Sign-On (SSO) solution for AD which allows employees to access multiple applications with a single set of credentials, thus simplifying the user experience.

Rights Management Services: AD RMS is a set of tools that assists with the management of security technologies that will help organizations keep their data secure. Such technologies include encryption, certificates, and authentication, and cover a range of applications and content types, such as emails and Word documents.

The server that hosts AD DS is called a domain controller (DC). A domain controller can also be used to authenticate with other MS products, such as Exchange Server, SharePoint Server, SQL Server, File Server, and more.

The Hierarchical Structure of Active Directory Domain Services

AD DS organizes data in a hierarchical structure consisting of domains, trees and forests, as detailed below.

Domains: A domain represents a group of objects such as users, groups and devices, which share the same AD database. You can think of a domain as a branch in a tree. A domain has the same structure to standard domains and sub-domains, e.g. yourdomain.com and sales.yourdomain.com.

Trees: A tree is one or more domains grouped together in a logical hierarchy. Since domains in a tree are related, they are said to “trust” each other.

Forest: A forest is the highest level of organization within AD and contains a group of trees. The trees in a forest can also trust each other, and will also share directory schemas, catalogs, application information and domain configurations.

Organizational Units: An OU is used to organize users, groups, computers, and other organizational units.

Containers: A container is similar to an OU, however, unlike an OU, it is not possible to link a Group Policy Object (GPO) to a generic Active Directory container.

Getting Started with Windows Active Directory

A comprehensive step-by-step guide to setting up Active Directory on Windows Server is beyond the scope of this article. Instead, I will provide a basic summary of the steps required to install AD, which should at least point you in the right direction. Assuming you already have Windows Server (2016) installed, you will need to…

  • Change your DNS settings so that your server IP address is the primary DNS server.
  • Open the Server Manager, which you can access via PowerShell by logging in as administrator and typing ServerManager.exe.
  • On the Server Manager window, click on Add roles and features, and the click the Next button to start the setup process.
  • On the window that says Select Server Roles, check the box that says Active Directory Domain Services. A pop-up box will appear. Click on Add Features, and then click Next to continue.
  • Keep clicking the Next button until you get to the final screen. Unless you know what you are doing, you are better off leaving the default settings as they are.
  • Once you have got to the end of the wizard, click Install, and wait for the installation process to complete.

Once you have Active Directory Domain Services installed, you will then need to configure your installation, which includes changing default passwords, setting up OUs, domains, trees and forests. As mentioned, a detailed explanation of setting up and configuring Active Directory is beyond the scope of this article. For detailed up-to-date instructions, you will need to consult the official documentation.

What is Azure Active Directory

Given that increasingly more organizations are shifting their business operations to the cloud, Microsoft have introduced Azure Active Directory (Azure AD), which is their cloud-based version of Windows AD, which can also sync with on-premise AD implementations. Azure AD is said to be the backbone of Office 365 and other Azure products; however, it can also be integrated with other cloud services and platforms. Some of the differences between Windows and Azure AD are as follows.

Communication: Azure AD uses a REST API, whereas Windows AD uses LDAP, as mentioned previously.

Authentication: Windows AD uses Kerberos and NTLM for authentication, whereas Azure AD uses it’s own built-in web-based authentication protocols.

Structure: Unlike Windows AD, which is organized by OUs, trees, forests and domains, Azure AD uses a flat structure of users and groups.

Device Management: Unlike Windows AD, Azure AD can be managed via mobile devices. Azure AD does not rely on Group Policy Objects (GPOs) to determine which devices and servers are able to connect to the network.

If you are reading an article about Active Directory, its more than likely that you are not already using it. In which case, you might be better off starting with Azure AD as opposed to Windows AD. One of the main reasons why you might want to use Windows AD is if you are storing large amounts of valuable data and have a team of experienced IT professionals managing your cyber security program.

If you would like to see how Lepide helps you to audit Active Directory and ensure AD security, schedule a demo with one of our engineers today.

Comments are closed.