Active Directory (AD)

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only responsible for the centralized management of domains. Over time, however, it has grown into an umbrella term for a broad range of directory-based identity-related services.

Key Components of Active Directory

  • Domain Services (AD DS): Provides methods for storing directory data and makes that data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, phone numbers, group memberships, and credential material (password hashes and Kerberos keys, not plaintext passwords), and enables other network services to use this information. Because domain controllers hold these secrets for every account in the domain, they are the most sensitive hosts in the environment.

  • Lightweight Directory Services (AD LDS): Provides a lightweight, flexible directory service that you can use for directory-enabled applications. Unlike AD DS, AD LDS does not need to be installed on a domain controller or store Windows domain information.

  • Certificate Services (AD CS): Provides a framework for creating and managing identity and access solutions. This includes public key infrastructure (PKI) capabilities to issue certificates for secure email, TLS on web servers, smart-card logon, and more. Certificate templates and enrollment permissions effectively grant identities, so they need the same review as any other privileged configuration.

  • Federation Services (AD FS): Enables the secure sharing of identity information between trusted business partners, known as a federation, through an extranet or the internet.

  • Rights Management Services (AD RMS): Enables organizations to protect digital information from unauthorized use. This includes protecting sensitive data such as financial reports, product specifications, customer data, and email messages.

What is a directory service?

Imagine a phone book. It contains the names, addresses, and phone numbers of people in a city. A phone book is a directory service: it stores information and makes it accessible to others.

In a network, a directory service is a service that stores information about all connected devices and users. Think of names, IP addresses, group memberships, and security settings.

Just like a phone book, a directory service makes this information accessible to other network services. Computers and printers can find each other, and users can sign in to their computers and network shares.

Capabilities of Active Directory

  1. Centralized management of resources and security: Provides a single point for administrators to manage network resources and their associated security objects.

  2. Scalable, secure, and manageable authentication and authorization services: Domain controllers authenticate users and devices in a Windows domain, primarily with Kerberos and with NTLM as a fallback, and supply the group memberships that resources use for authorization decisions.

  3. Directory Services: Stores, organizes, and provides access to information in a directory.

  4. Group Policy: Helps administrators efficiently manage and configure operating systems, applications, and user settings in an Active Directory environment.

  5. Replication: Ensures that changes made on one domain controller are automatically replicated to other domain controllers within the domain.

Hierarchical structure of Active Directory

The architecture of Active Directory is designed as a hierarchical framework to provide a scalable, organized, and secure directory service. This structure includes forests, domain trees, domains, and organizational units (OUs), which are essential for effectively managing and securing Active Directory objects.

  • Forests: A forest is the highest level in the Active Directory structure. It contains one or more domains that share a common schema, global catalog, and directory configuration. The forest is the security boundary of Active Directory: all domains within it trust each other through automatic two-way transitive trusts, so the compromise of privileged accounts in any one domain puts the entire forest at risk.

  • Domain Trees: A domain tree is a hierarchical collection of domains. It provides a logical way to group and manage domains based on geographic location, function, or other criteria.

  • Domains: A domain is a subdivision within a forest and represents an administrative and replication boundary, not a security boundary (that role belongs to the forest). It groups and manages objects such as users, computers, and other resources that share a common directory database. All domains in a forest share a trust relationship, which makes it easy to share resources and administration across the forest.

  • Organizational Units (OUs): OUs are containers within a domain that organize directory objects into logical administrative groups. Administrators can delegate authority by assigning permissions to users or groups on specific OUs, enabling a decentralized management model; because those permissions are inherited by the objects inside the OU, they deserve the same review as privileged group membership. OUs are also the main target for Group Policy Objects (GPOs), which apply configuration and security settings to the users and computers they contain.

  • Directory Objects: Active Directory objects are the fundamental building blocks of the directory. They represent all resources managed in an Active Directory network, such as users, computers, groups, devices, services, and contacts. Each object has a set of attributes that contain information about the object. Configuration and security settings reach user and computer objects through Group Policy Objects (GPOs) linked to the sites, domains, and OUs that contain them; GPOs are not assigned to individual objects.

  • Group Policy Objects (GPOs): GPOs are a powerful tool for managing the configuration and behavior of directory objects. GPOs make it possible to apply centralized policies and settings to users and computers within Active Directory. Through GPOs, administrators can, for example, enforce a strict password policy, set uniform desktop backgrounds or screen savers, or restrict printer use to black-and-white printing.
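The container hierarchy decides which GPOs a user or computer actually receives. The following added example (not code from the original page) parses the gPLink attribute that a domain or OU carries, walks an OU's parent chain, and resolves the effective GPO list while honouring Disabled links, Enforced links, and Block Inheritance. The directory contents, OU names, and the {AAAAAAAA-...} GPO GUIDs are constructed; only the Default Domain Policy GUID is the real well-known value.

```python
"""Resolve which GPOs apply to an OU from the containers above it.

Added example, not code from the original page. gPLink on a site, domain or OU
is a string of "[LDAP://<GPO DN>;<options>]" entries; option bit 0 (value 1)
disables the link, bit 1 (value 2) marks it Enforced. gPOptions=1 on a
container blocks inheritance of non-enforced links from its parents.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED = 0x1       # gPLink option: link is disabled
LINK_ENFORCED = 0x2       # gPLink option: link is Enforced ("No Override")
BLOCK_INHERITANCE = 0x1   # gPOptions: container blocks inherited links


@dataclass(frozen=True)
class GpoLink:
    gpo_dn: str
    container_dn: str
    enforced: bool
    disabled: bool


def parse_gplink(container_dn: str, gplink: str) -> list[GpoLink]:
    """Split one container's gPLink value into GpoLink records."""
    links = []
    for gpo_dn, opts in LINK_RE.findall(gplink or ""):
        flags = int(opts)
        links.append(GpoLink(gpo_dn, container_dn,
                             enforced=bool(flags & LINK_ENFORCED),
                             disabled=bool(flags & LINK_DISABLED)))
    return links


def container_chain(ou_dn: str) -> list[str]:
    """Containers from the domain head down to ou_dn, parent first.
    Walks OU= and DC= components only; escaped commas in RDNs are not handled."""
    parts = ou_dn.split(",")
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[first_dc:])]
    for i in range(first_dc - 1, -1, -1):
        chain.append(",".join(parts[i:]))
    return chain


def effective_gpos(ou_dn: str, directory: dict[str, dict]) -> list[str]:
    """GPO DNs applying to ou_dn in processing order (lowest precedence first).

    directory maps container DN -> {"gPLink": str, "gPOptions": int}. Parents are
    processed before children; disabled links never apply; the deepest container
    with Block Inheritance drops every inherited link except Enforced ones;
    Enforced links are processed last, outermost container winning. Link order
    among several links on the same container is not modelled.
    """
    chain = container_chain(ou_dn)
    block_from = None
    for idx, dn in enumerate(chain):
        if directory.get(dn, {}).get("gPOptions", 0) & BLOCK_INHERITANCE:
            block_from = idx  # keep the deepest blocking container
    ordinary, enforced = [], []
    for idx, dn in enumerate(chain):
        for link in parse_gplink(dn, directory.get(dn, {}).get("gPLink", "")):
            if link.disabled:
                continue
            if link.enforced:
                enforced.append(link.gpo_dn)
            elif block_from is None or idx >= block_from:
                ordinary.append(link.gpo_dn)
    return ordinary + list(reversed(enforced))


DOMAIN = "DC=corp,DC=example"
POLICIES = f"CN=Policies,CN=System,{DOMAIN}"
# Constructed sample directory; {AAAAAAAA-...} GUIDs are placeholders.
SAMPLE_DIRECTORY = {
    DOMAIN: {  # Default Domain Policy (ordinary) plus a constructed Enforced baseline
        "gPLink": f"[LDAP://CN={{31B2F340-016D-11D2-945F-00C04FB984F9}},{POLICIES};0]"
                  f"[LDAP://CN={{AAAAAAAA-0000-0000-0000-000000000001}},{POLICIES};2]",
        "gPOptions": 0,
    },
    f"OU=Workstations,{DOMAIN}": {
        "gPLink": f"[LDAP://CN={{AAAAAAAA-0000-0000-0000-000000000002}},{POLICIES};0]",
        "gPOptions": 1,  # Block Inheritance set on this OU
    },
    f"OU=Kiosks,OU=Workstations,{DOMAIN}": {
        "gPLink": f"[LDAP://CN={{AAAAAAAA-0000-0000-0000-000000000003}},{POLICIES};1]"
                  f"[LDAP://CN={{AAAAAAAA-0000-0000-0000-000000000004}},{POLICIES};0]",
        "gPOptions": 0,
    },
}

if __name__ == "__main__":
    for dn in effective_gpos(f"OU=Kiosks,OU=Workstations,{DOMAIN}", SAMPLE_DIRECTORY):
        print(dn.split(",")[0])
```

Running it shows the practical point: Block Inheritance on the Workstations OU silently removes the Default Domain Policy from every kiosk, while the Enforced domain-level GPO still lands last and therefore wins. Reviewing gPOptions on OUs is a quick way to find where domain baselines no longer apply.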

Simplified terms for Active Directory

To better understand the hierarchical structure of Active Directory, we can compare the different elements to everyday concepts:

  • Forest: Comparable to a country.

  • Domain tree: Comparable to a state or region.

  • Domain: Comparable to a city or municipality.

  • OU: Comparable to a district or neighborhood.

  • Directory object: Comparable to a resident.

  • GPO: Comparable to a law or rule.

Trust Relationships in Active Directory

Trust relationships in Active Directory are the mechanisms that enable users in one domain to access resources in another domain or forest. They give users seamless access to the resources they need regardless of where those resources reside. Every trust also widens the set of accounts that can authenticate to your resources, so its direction, transitivity, and filtering settings are a core part of network security and resource management across domains and forests.

Key Trust Types:

  • Bidirectional (Two-Way Trust): The default within a forest. Parent-child and tree-root trusts are created automatically as two-way transitive trusts, which allows mutual access between domains.

  • One-way Trust: Allows users in the trusted domain to access resources in the trusting domain, but not the other way around. The trusting domain is the one that accepts the trusted domain's authentication.

  • External Trust: A non-transitive trust to a single domain in another forest (or to a pre-Active Directory Windows NT domain), useful for collaboration with external entities.

  • Forest Trust: Connects two forests with a transitive trust between all of their domains, which allows resources to be shared while the forests remain distinct. It does not extend to a third forest that the partner trusts.

  • Shortcut Trust: Optimizes authentication paths between domains in different trees of the same forest to accelerate access.

  • Realm Trust: Bridges an Active Directory domain with non-Windows Kerberos realms, which enables cross-platform interoperability.

Trust Direction and Transitivity:

  • Direction: Indicates whether a trust allows one-way or mutual access between domains. Direction is always defined from the perspective of one domain: an outgoing trust means this domain trusts the partner and will authenticate the partner's accounts; an incoming trust means the partner authenticates this domain's accounts.

  • Transitivity: Allows a trust to extend beyond the two domains that define it, so that a domain trusted by the partner is trusted as well, which simplifies access to resources across a network. Intra-forest trusts (including shortcut trusts) and forest trusts are transitive; external trusts are not; realm trusts can be either. SID filtering and selective authentication limit what a forest or external trust lets through and should stay enabled unless a documented need requires otherwise.
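Direction, type, and transitivity are stored as integers on the trustedDomain object that each domain keeps for its partner. The following added example (not code from the original page) decodes the trustDirection, trustType, and trustAttributes values documented in MS-ADTS into the trust types listed above and flags the settings a reviewer would question: SID filtering disabled on an external trust, SID history enabled on a forest trust, selective authentication off, and TGT delegation across the trust. The partner names and trust objects are constructed samples.

```python
"""Decode an AD trust's direction, type and attributes and flag weak settings.

Added example, not code from the original page. Each trust is a trustedDomain
object under CN=System with integer attributes trustDirection, trustType and
trustAttributes (flag values per MS-ADTS 6.1.6.7). Direction is read from the
domain holding the object: outbound means this domain trusts the partner, so
the partner's accounts can be authenticated here.
"""
from __future__ import annotations

from dataclasses import dataclass

DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
DIR_OUTBOUND = 0x2
TYPE_MIT_REALM = 3  # trustType of a non-Windows Kerberos realm

TA_NON_TRANSITIVE = 0x1
TA_QUARANTINED_DOMAIN = 0x4        # SID filtering ("quarantine") on an external trust
TA_FOREST_TRANSITIVE = 0x8         # forest trust
TA_CROSS_ORGANIZATION = 0x10       # selective authentication
TA_WITHIN_FOREST = 0x20            # parent-child, tree-root or shortcut trust
TA_TREAT_AS_EXTERNAL = 0x40        # forest trust with SID history enabled (filtering relaxed)
TA_USES_RC4_ENCRYPTION = 0x80
TA_CROSS_ORG_ENABLE_TGT_DELEGATION = 0x800  # unconstrained delegation allowed across the trust


@dataclass(frozen=True)
class TrustSummary:
    partner: str
    kind: str
    direction: str
    transitive: bool
    sid_filtering: str
    findings: tuple[str, ...]


def decode_trust(partner: str, trust_direction: int, trust_type: int,
                 trust_attributes: int) -> TrustSummary:
    ta = trust_attributes
    if ta & TA_WITHIN_FOREST:
        kind = "intra-forest"
    elif ta & TA_FOREST_TRANSITIVE:
        kind = "forest"
    elif trust_type == TYPE_MIT_REALM:
        kind = "realm"
    else:
        kind = "external"

    # External trusts are never transitive; forest trusts are transitive between
    # the two forests only; the rest follow the NON_TRANSITIVE flag.
    transitive = False if kind == "external" else not (ta & TA_NON_TRANSITIVE)

    if kind == "intra-forest":
        sid_filtering = "not applicable (same forest)"
    elif kind == "realm":
        sid_filtering = "not applicable (Kerberos realm)"
    elif kind == "forest":
        sid_filtering = ("relaxed: SID history enabled" if ta & TA_TREAT_AS_EXTERNAL
                         else "forest-aware (default)")
    else:
        sid_filtering = "quarantine on" if ta & TA_QUARANTINED_DOMAIN else "disabled"

    findings = []
    outbound = bool(trust_direction & DIR_OUTBOUND)  # partner accounts come in
    if outbound and kind == "external" and not ta & TA_QUARANTINED_DOMAIN:
        findings.append("SID filtering disabled: sIDHistory values from "
                        f"{partner} are accepted, including SIDs of this domain")
    if outbound and kind == "forest" and ta & TA_TREAT_AS_EXTERNAL:
        findings.append(f"SID history enabled: forest trust to {partner} "
                        "is filtered only at external-trust level")
    if outbound and kind in ("forest", "external") and not ta & TA_CROSS_ORGANIZATION:
        findings.append("selective authentication off: every account in "
                        f"{partner} can authenticate to any resource here")
    if ta & TA_CROSS_ORG_ENABLE_TGT_DELEGATION:
        findings.append(f"TGT delegation enabled across the trust to {partner}")
    if ta & TA_USES_RC4_ENCRYPTION:
        findings.append(f"Kerberos across the trust to {partner} uses RC4")

    return TrustSummary(partner, kind, DIRECTION.get(trust_direction, "unknown"),
                        transitive, sid_filtering, tuple(findings))


# Constructed trustedDomain objects: (partner, trustDirection, trustType, trustAttributes)
SAMPLE_TRUSTS = [
    ("child.corp.example", 3, 2, TA_WITHIN_FOREST),
    ("fabrikam.example", 3, 2, TA_FOREST_TRANSITIVE),
    ("partner.example", 2, 2, TA_NON_TRANSITIVE | TA_QUARANTINED_DOMAIN | TA_CROSS_ORGANIZATION),
    ("legacy.example", 3, 2, TA_NON_TRANSITIVE),
    ("KRB.EXAMPLE.ORG", 1, TYPE_MIT_REALM, TA_USES_RC4_ENCRYPTION),
]


def audit(trusts=SAMPLE_TRUSTS) -> list[TrustSummary]:
    return [decode_trust(*t) for t in trusts]


if __name__ == "__main__":
    for s in audit():
        print(f"{s.partner:20} {s.kind:13} {s.direction:14} "
              f"transitive={s.transitive} SID filtering={s.sid_filtering}")
        for f in s.findings:
            print("    !", f)
```

Only outbound trusts produce findings, because an inbound-only trust lets none of the partner's accounts into this domain. On a live domain the same three integers can be read from each trustedDomain object with an LDAP query or with the ActiveDirectory PowerShell module's Get-ADTrust cmdlet.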

Managing Active Directory

In the absence of a comprehensive IAM solution such as HelloID, the Active Directory Users and Computers console (ADUC) becomes critical for daily administrative tasks in Active Directory. ADUC enables direct, manual management of user identities, access rights, and the organizational hierarchy.

While effective for smaller organizations or specific administrative needs, this manual approach can become cumbersome and error-prone in larger, more dynamic environments. The hierarchical structure of Active Directory, with its forests, domains, and OUs, enables IT administrators to organize and secure their network resources.

However, the complexity of managing these entities increases with the size and scope of the organization. IAM solutions complement Active Directory by automating identity management and access control processes, thereby improving security, reducing administrative overhead, and enhancing the user experience.

Active Directory vs Azure Active Directory

Active Directory (AD) is an on-premises directory service from Microsoft that is used to manage users, computers, and other resources in a Windows network. Azure Active Directory (Azure AD, renamed Microsoft Entra ID in 2023) is a cloud-based counterpart that offers similar capabilities, but focuses on managing identities and access rights for Microsoft cloud services. It is not a hosted copy of AD: it authenticates with web protocols such as OAuth 2.0, OpenID Connect, and SAML rather than the Kerberos, NTLM, and LDAP of on-premises AD, and it has no Group Policy. Azure AD can be connected to on-premises AD with Azure AD Connect (now Microsoft Entra Connect). This synchronizes user identities across both systems, enabling users to access on-premises and cloud-based resources seamlessly; it also means that a compromise of the on-premises directory can reach cloud identities, so the synchronization server deserves domain-controller-level protection. As more organizations migrate to the cloud, Azure AD is becoming increasingly important. We already see more and more organizations phasing out their traditional on-premises Active Directory and moving fully to Azure AD. However, migrating from AD to Azure AD can be complex and is not yet possible for everyone, especially for organizations with a large and complex IT infrastructure.
