Microsoft Active Directory

Active Directory provides identity, secure access and centralised management of services for a Microsoft Windows network. Active Directory operates on servers called Domain Controllers (DCs). It provides a database of all the user account and computer account information on the domain.

It includes:

  • Active Directory Domain Services (DS)

Internal accounts, authorisation and authentication, including:

    • Windows users – account information, privileges, profiles and policies
    • Windows Servers – management profile, network information, printers and shares
    • Windows clients – management profile, network information and policies
    • Network devices – configuration, QoS and security policy
    • Applications – server configuration, SSO and application-specific directory information
    • Email servers – mailbox information and address book; closely supports Exchange Server
  • Active Directory Certificate Services

Issues and manages digital certificates to support identity and non-repudiation for services, clients and servers, and for user identification and verification. This is the Microsoft implementation of Public Key Infrastructure (PKI): the capability to create, manage, store and revoke certificates for hardware, software and people. It covers enrolment, X.509 certificate retrieval and revocation, including retrieval of the certificate revocation list (CRL).

Certificates are managed using the following role services: Certification Authority, Certification Authority Web Enrolment, Online Responder, Network Device Enrolment Service (NDES), Certificate Enrolment Web Service and Certificate Enrolment Policy Web Service.

  • Active Directory Federation Services (ADFS or FS)

Network access for external resources – resource access across traditional boundaries, e.g. allowing external partners to gain access to your systems. AD FS creates a federation trust and provides a seamless way of doing this using credentials from the user’s home organisation: the user is authorised because a trust has been set up between the organisations. It provides web single sign-on (SSO) capabilities and can extend authentication and control to the Internet, so it is ideal where you are trying to connect to external cloud resources.

In a SAML 2.0 set-up, the cloud resource redirects the login to the home AD and a cookie is passed back to authenticate the user. This exchange is controlled by certificates. It is used extensively with SaaS applications such as Salesforce.

AD FS is installed under Roles and Features in Server Manager. AD FS servers are normally protected behind a proxy server.

The AD FS Web Agent sits on a web server and allows applications to honour requests using tokens provided by AD FS. The ‘Account Federation Server’ uses AD DS to authenticate. To authenticate a user who wants to access a resource at the third party, the ‘Resource Federation Server’ there sends a request to the Account Federation Server.

  • Active Directory Rights Management Services (RMS)

RMS is an information protection technology that provides content security and control, working together with applications. Examples of RMS-aware applications are Outlook and Word. It sets what can be done with content once it has been created, e.g. preventing printing, copying or forwarding of an email or document. This is particularly helpful for sensitive documents, because access and usage can be restricted wherever the information is held.

  • Active Directory Lightweight Directory Services (LDS)

This is basically DS in an empty form: a structured information store and service. The difference is that it does not have the domain-related restrictions of DS.


Active Directory Domain Services in More Detail

You can add multiple domain controllers to the domain, so if one fails or there are too many users, another domain controller takes over. This provides fault tolerance and load balancing; this is called clustering. The domain controllers use replication to keep in sync with one another. Domain controllers are grouped into Sites; an example would be a ‘Head Office’ site.

For remote sites it makes sense to have their own domain controllers, to reduce the level of traffic to the main site, which can get quite high. These domain controllers then sync with the other domain controllers according to a replication strategy chosen to minimise impact, e.g. hourly or overnight, depending on what you decide. The connections between sites are called ‘Site Links’. Connection failure is mitigated by what is called a ‘Site Link Bridgehead’, which allows replication to be rerouted if a connection fails, potentially via another external site.

From a security perspective, remote sites are the weak link.

Users who log in are directed to a domain controller to be authenticated and gain access to resources. To mitigate the risk at remote offices you can deploy read-only domain controllers (RODCs) there, so users can still log in but no changes can be made on those controllers.

Global catalogues are indexes of the information held across the domain controllers, which ensure speedy lookups.

User accounts and computer accounts are added to the DC’s database, whose structure is referred to as the schema. An important aspect of this is the concept of groups, of which computers and users can be members. Membership gives them the rights assigned to the group. An example is an Accounting group which has all of the permissions that accounting staff might need.

A domain with sub-domains is referred to as a tree. Where several trees are connected to one another, this is referred to as a forest. They rely on trust between domains to operate. A trust relationship makes it possible to grant permissions to users on other networks without having to create new user accounts, so those users can use resources from the other network. An example of where this might be useful is when one company acquires another: a one-way explicit trust would allow the acquiring company access to the acquired company, whereas a two-way trust means the trust between the two companies is mutual.
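The site, domain controller and trust layout described above can be inventoried from a domain-joined workstation with the RSAT ActiveDirectory module. This is an added example, not part of the original notes; it assumes RSAT is installed, that the reader has read access to the directory, and (as a constructed assumption) that the site holding the PDC emulator is the hub site.

```powershell
# Added example: inventory replication topology and trusts (RSAT ActiveDirectory module).
# Assumes: domain-joined host, RSAT installed, read access to AD.
Import-Module ActiveDirectory

# Sites, and the site links joining them with the replication interval
# (the "hourly or overnight" schedule the notes mention).
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = {
            ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }

# Every domain controller: its site, whether it is writable, and whether
# it hosts a global catalogue.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem
$dcs | Format-Table -AutoSize

# Constructed assumption: the PDC emulator's site is the hub site. Any
# writable DC outside it is the "weak link" the notes warn about, so flag it.
$hubSite = (Get-ADDomainController -Discover -Service PrimaryDC).Site
$dcs | Where-Object { -not $_.IsReadOnly -and $_.Site -ne $hubSite } |
    ForEach-Object { Write-Warning "Writable DC $($_.Name) in remote site $($_.Site); consider an RODC" }

# Trusts: direction and transitivity decide what an acquisition-style trust exposes.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, IntraForest |
    Format-Table -AutoSize
```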

Other Important Components

Microsoft Domain Name Services (DNS) – handles the DNS mapping of names to IP addresses for your networks, and also provides reverse DNS mapping from IP addresses to domain names. Dynamic DNS works with DHCP (dynamically assigned IP addresses) so that DNS records are updated automatically. In practice Microsoft DNS and DHCP are closely tied into AD, so it is best to use them rather than other DNS or DHCP solutions.


Domain Services - Administration

Create new users – enter the user details and create a password for the initial logon; typically the default setting ‘User must change password at next logon’ is kept. The properties are then set, which typically involves more user details such as telephone numbers. The user then needs to be made a ‘Member Of’ the appropriate groups, e.g. a web dev or security team group; the Domain Users group is already there by default. You can then search via ‘Check Names’ and select additional groups, e.g. Domain Admins.

Reset passwords – search using Find Users, Contacts and Groups and confirm the user. The options are to unlock the account so they can try again, which can be done in the user properties, or to reset the password, which is a user option; the account can be unlocked at the same time.

Delete user – just select the delete option and confirm.

Create user groups – select the scope, e.g. Domain Local, which is restricted to the current domain, Global, which makes it usable by domains in the forest, or a scope that applies to the whole forest. Then set the group type: Security Group, which grants access to files or applications, or Distribution Group, which is used for email lists.

Once created, the group is organised within an Organisational Unit (OU) folder in AD by moving it into the appropriate OU. OUs can contain nested OUs organised as sub-folders. These folders can be protected from accidental deletion, which is good practice because there is no undo option.

A group can be allocated members using the ‘Members’ tab. This can also be done in reverse from the member itself. A group can also be made part of another group, by searching and allocating in the ‘Member Of’ tab; this means that any user added to the group will have the rights of the group it was added to. When searching, only domains within the scope of the group specified earlier can be found.

File shares – add this as a new ‘Shared Folder’ and set the name and the network path. The folder will of course need to be shared first under ‘File Sharing’, allocating the various user groups and setting read/write properties as appropriate, before it can be selected. The share can then be mapped via group policy, which means users within a group automatically have access to the shared folder.

Printers – set the network path of the printer, which includes the domain and the name of the printer, e.g. \\domain01\printer01. Again, these can be associated with a group. If a user then searches for a printer to connect to, it lists all the printers associated with any group they are a ‘Member Of’.
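The user, group, OU and share steps above, done with the RSAT ActiveDirectory and SmbShare modules rather than the GUI. This is an added example, not from the original notes; the OU, group, user, domain and share names are constructed, and the New-SmbShare step assumes it is run on the file server itself.

```powershell
# Added example: the GUI administration steps above as PowerShell.
# Assumes: RSAT ActiveDirectory module, rights to create objects in the domain.
# All names (corp.example, Accounting, jdoe, D:\Shares\Finance) are constructed.
Import-Module ActiveDirectory
$ou = 'OU=Accounting,DC=corp,DC=example'

# OU protected from accidental deletion: there is no undo.
New-ADOrganizationalUnit -Name 'Accounting' -Path 'DC=corp,DC=example' `
    -ProtectedFromAccidentalDeletion $true

# A global security group for people and a domain-local security group for
# resource access; nesting the first inside the second grants rights transitively.
New-ADGroup -Name 'Accounting-Staff'  -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name 'Finance-Share-RW'  -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Finance-Share-RW' -Members 'Accounting-Staff'

# New user: initial password, must change at next logon, extra details, group membership.
$initial = Read-Host -AsSecureString 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -GivenName 'Jane' -Surname 'Doe' `
    -UserPrincipalName 'jdoe@corp.example' -Path $ou -OfficePhone '+44 20 0000 0000' `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
Add-ADGroupMember -Identity 'Accounting-Staff' -Members 'jdoe'

# Effective rights: the recursive query shows jdoe reaches Finance-Share-RW
# through the nested group, which the flat 'Member Of' view does not show.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object -ExpandProperty Name
Get-ADGroupMember -Identity 'Finance-Share-RW' -Recursive | Select-Object SamAccountName

# Reset password and unlock in one go (the "Reset passwords" step).
$new = Read-Host -AsSecureString 'New password for jdoe'
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $new
Unlock-ADAccount -Identity 'jdoe'
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true

# Share the folder, granting access by group rather than by individual user
# (run on the file server; the GPO drive mapping is then done separately).
New-SmbShare -Name 'Finance' -Path 'D:\Shares\Finance' `
    -FullAccess 'CORP\Finance-Share-RW' -ReadAccess 'CORP\Domain Users'

# Delete user: the confirmation prompt is deliberately left on.
Remove-ADUser -Identity 'jdoe'
```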