Active Directory Domain Services (AD DS) is the traditional, on-premises domain service offered by Microsoft. It is the core component and a server role in Active Directory (AD), the specialized, proprietary directory service in Windows operating system environments.
Consider an enterprise or a complex business set up with many connected network resources.
In order to ensure the effective management of these resources, IT administrators use AD and its components, including AD DS. AD is set up to centrally configure, group together, and manage a logical collection of network resources in an AD domain.
Unlike in a workgroup where network administrators have to individually identify and manage policies and permissions manually, AD provides a central database that facilitates administrators to set up appropriate access controls and permissions to use various network resources. AD also allows administrators to define security policies that govern who has access to what in the network.
Grouping network resources logically to form an AD domain is done by the administrator. All these domain objects may share the same central domain controller (DC). A Windows environment that has a DC with AD DS installed and functioning as the central authenticating and authorizing node is called a domain-controlled environment.
AD follows a client-server architecture with the DC being the central server that services the other connected network resources in the domain. The DC has complete domain authority and controls the authentication and modifications to all network resources contained within its domain.
Now, let us look at two of the most fundamental processes of an AD environment:
Authentication: Authentication is one of the core functionalities of AD through which the identity of any user that logs on to an AD domain is checked and access is either allowed or denied. The process of checking identities in very definitive terms forms the basis of the authentication process. Identities can be authenticated through any of the following three ways:
-
-
-
Something you know, like an email address, or a username and password combination
-
Something you have, like a soft token or a smart card
-
Something you are, like a fingerprint or other biometric
-
-
Authorization: Authorization is the other core functionality of AD, which successively follows the authentication process. Access and permissions to use appropriate network resources and other relevant data are granted to users through authorization. This process takes place with the generation of security tokens checked against a predefined set of rules unique to each user.
Authentication and authorization form the basis of identity and access management.
To further strengthen your understanding of AD, here are definitions of some of the most important AD properties:
-
Objects: AD stores data in the form of objects. Each element of the AD environment is an AD object.
-
User objects, or users: Objects that need authentication to join AD domains are called users. Users need to be authenticated, provided with permissions and privileges, and are often grouped within an AD domain into other AD objects called groups.
-
Computer objects, or computers: AD objects that represent the workstations or the member servers of the domain are called computers.
-
Container objects: Objects in AD that can contain or hold other objects are called container objects. There are both default and created container objects in AD.
-
Leaf objects: Leaf objects are objects in AD that cannot contain or have secondary objects within them, e.g., users.
-
-
Domain: A domain is the logical grouping of related objects, such as users, computers, or groups, or shared resources such as printers, files, or folders, all controlled or serviced by one or more DCs. All objects in a particular domain share the same AD database. Domains are usually identified by a name provided by the DNS, such as xxx.com.
-
Domain controller (DC): A DC is the server that has AD DS installed on it. Promoting a server to a DC enables it to centrally manage permissions, control the authentication of user identities, and authorize access to various resources including file storage, applications, and other networks.
-
Tree: For administrative purposes, AD domains are grouped into trees. The goal for administrators is to keep the number of domains minimal and to have them all logically grouped into trees. Domains and sub-domains are logically and hierarchically grouped together to resemble a tree structure.
-
Forest: The security boundaries of an AD environment are defined by forests, which are a collection of multiple trees. Two forests cannot interact unless a transitive trust authority is established between them. The overall forest represents one organization and is the highest level in terms of defining the AD architecture. In business scenarios such as mergers and acquisitions, multiple forests may be combined together for network administrators to have complete control over all the involved domains, DCs, and AD data. Each forest is identified by the first domain that was created, i.e., the root domain name.
-
Site: AD sites are physical groupings of subnets covering a range of IP addresses in every geographical location. Sites can have one or more DCs grouped together with the other network resources. One site typically covers one LAN. Servers on other networks (and thus, other sites) interact through site links. Sites are defined to help with the replication process for effective AD functioning.
-
Replication: AD is designed based on replication. The process of making changes to any AD object controlled by a particular DC gets reflected, or replicated, in all the other DCs of the forest. Replication happens in two ways: intrasite and intersite.
-
Group Policy: Group Policy manages the configuration and security policies of users and computers.
-
Group Policy Objects (GPOs): GPOs are groups of settings applied to users and computers in the domain. These may include the right to log on to certain machines or permission to access certain files and shared resources such as printers, scanners, and other shared storage devices.
Now that the basic concepts of the AD environment have been covered, let us dive into the purpose of having an AD set up in any business:
-
AD helps organize all users, computers, and other network resources and their associated accesses and permissions. This aids in resource allocation, management, and maintenance.
-
AD is essential for maintaining the security posture of an organization. Access to network resources is managed through security policies. As previously discussed, authentication and authorization are the core elements of an AD environment.
-
With clear, transparent, and centralized management of users and what they access, operation costs are reduced, and control over the network resources becomes more streamlined.
-
AD enables adherence to compliance regulations such as the GDPR, GLBA, and HIPAA. Compliance auditing involves management of security policies, regulations, and standards, which cover how sensitive information about users and groups is handled. AD ensures utmost granularity in the maintenance and reporting of such data. It provides invaluable information that is used by compliance auditors during organization-wide auditing.
-
AD allows for a customized approach to managing users and their associated privileges. This involves the grouping of all AD objects and their subsequent management as per enterprise needs and business goals.
-
AD provides the basis for a single access point or a single sign-on for accessing network resources that are located on any server in the AD-controlled environment.
-
Password policies and various other user and computer configuration settings allow efficient management of software delivery. Windows settings and administrative templates in AD can be used for better management of data and services.
-
Auto-updates and centralized device management with minimal manual intervention are possible because of AD. Network administrators use Group Policy to manage these configurations.
These are some of the basic yet critical concepts to grasp when beginning your study of AD. Follow this series to drill down deeper and strengthen your understanding of various other aspects of AD.
