
Active Directory and its benefits

Networks offer many useful services, and using them well can raise productivity in the organizations and companies that deploy them. This article introduces Active Directory and examines its advantages and features. We look at the structure of Active Directory and its component services, and explain the difference between Active Directory and a domain controller.

What is Active Directory?

Active Directory is an umbrella service made up of several cooperating services. It keeps track of the users defined on the network, the access granted to those users, and the files and printers shared on the network. Because it provides all of this from one central place, these resources can be organized and managed accurately and with little effort.

Active Directory is Microsoft's directory service. It runs on Windows Server and lets administrators manage permissions and access to network resources. Its job is to organize a large number of users into logical groups and subgroups and to control access at each level.

Administrators can manage and organize the directory across the network from a single sign-in, and authorized users gain access to network resources from anywhere on the network. Even complex networks are manageable with AD, and the directory can grow along with the organization.

A domain is served by one or more domain controllers, each of which runs Windows Server. Whenever an administrator makes a change on one controller, Active Directory replicates that change to all the others. Through Active Directory the administrator can manage every network resource, including the domain-joined computers that users work on.

Active Directory structure

Active Directory makes organizing domains and resources easy by arranging them in a hierarchy, so users can readily locate network resources such as files and printers.

Directory services such as AD DS (Active Directory Domain Services) store directory information and define how administrators and network users access it. For example, AD DS stores user account information such as the account name, the password (as a hash, never in clear text), phone number and so on, and makes it available to other authorized users and services on the same network. This stored information is called the directory.

Data is stored as objects. An object is a user, a group, an application or a device (such as a printer).
Objects fall into two broad kinds: resources, such as printers and shared folders, and security principals, such as users, groups and computer accounts, which carry a security identifier (SID) and can be granted access to resources.

The Active Directory structure has three levels, each with its own connections and access boundaries:

Domains: Objects such as users and devices that share the same directory database are grouped into a domain. A domain is therefore the set of objects held in one Active Directory database, and it is an administrative and replication boundary for those objects. Domain names follow the DNS (Domain Name System) naming structure, for example corp.example.com.

Trees: One or more domains that share a contiguous DNS namespace (for example corp.example.com and sales.corp.example.com) form a tree. Adjacent domains in a tree are joined by a two-way transitive trust. The structure is hierarchical, and because the trusts are transitive, if domain 1 trusts domain 2 and domain 2 trusts domain 3, then domain 1 also trusts domain 3.

Forests: One or more trees form a forest. The forest holds the configuration partition, application data, the schema and, in the global catalog, a partial copy of every object in the forest. The schema defines the classes of object that can exist in the forest and the attributes each class has. The forest, not the domain, is the real security boundary: every domain in it trusts every other.

OUs (Organizational Units) are containers inside a domain used to organize users, groups and devices so that administration can be delegated and Group Policy applied to them. Names must still be unique: an account name (sAMAccountName) can exist only once per domain, so an existing username cannot be defined a second time. Active Directory is managed through its administration tools (Active Directory Users and Computers, the ActiveDirectory PowerShell module, and so on). Note that Active Directory's security rests on authentication at logon and on the access control lists attached to each object.
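The forest, tree, domain, OU and object levels described above can be walked from a domain-joined host with the ActiveDirectory PowerShell module. The following is an added example, not code from the original post; it assumes RSAT is installed and read access to the directory, and the names corp.example.com, the OU path and the account jdoe are placeholders:

```powershell
# Added example (not from the original post): walk the forest -> domain -> OU -> object
# hierarchy with the ActiveDirectory PowerShell module (RSAT). Assumes the host is joined
# to a domain in the forest and the caller can read the directory.
# corp.example.com, the OU names and the account jdoe are placeholders; substitute your own.
Import-Module ActiveDirectory

# Forest: the outermost container. Each tree is a separate contiguous DNS namespace.
$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Domains in forest  : $($forest.Domains -join ', ')"
"Global catalogs    : $($forest.GlobalCatalogs -join ', ')"

# Domain: the unit with its own database (naming context) and its own DNS name.
$domain = Get-ADDomain
"Domain DNS name    : $($domain.DNSRoot)"
"Domain NetBIOS name: $($domain.NetBIOSName)"
"Distinguished name : $($domain.DistinguishedName)"

# Trusts: the "secure connections" between domains. Inside a tree they are two-way and
# transitive and are created automatically when a child domain is added.
# (Returns nothing in a single-domain forest.)
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive |
    Format-Table -AutoSize

# OUs: containers inside the domain. Their distinguished names show the hierarchy directly.
Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName |
    Sort-Object DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName

# Objects: a user lives inside an OU (or container). sAMAccountName is unique per domain,
# so a second account with the same name cannot be created.
$user = Get-ADUser -Filter "sAMAccountName -eq 'jdoe'" -Properties whenCreated
if ($user) {
    "User DN            : $($user.DistinguishedName)"   # e.g. CN=jdoe,OU=Staff,DC=corp,DC=example,DC=com
    "Object class       : $($user.ObjectClass)"
    "Created            : $($user.whenCreated)"
} else {
    "No account named jdoe in $($domain.DNSRoot)"
}

# Resource vs security principal: users, groups and computers carry a SID and can be
# granted access; a printer object is published in the directory but never authenticates.
Get-ADObject -Filter "objectClass -eq 'printQueue'" -SearchBase $domain.DistinguishedName |
    Select-Object Name, DistinguishedName
```

Reading the distinguished names top-down (DC=com, DC=example, DC=corp, then OU=..., then CN=...) is the quickest way to see the hierarchy the post describes.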

Active Directory Services

We said earlier that several services work under the banner of Active Directory.

Each of these services extends the directory's management capabilities:

Domain Services (AD DS): the core service. It stores the directory centrally, manages communication between users and domains, and authenticates users (with Kerberos or NTLM) when they log on and when they query the directory.

Certificate Services (AD CS): issues, manages and revokes digital certificates as an enterprise PKI. A certificate binds a public key to an identity, which is what lets information travel encrypted and authenticated across the network and the Internet (for TLS, smart-card logon, code signing and similar uses).

Lightweight Directory Services (AD LDS): a standalone LDAP directory that applications can use without needing a full domain. LDAP (Lightweight Directory Access Protocol) is the protocol used to query and maintain directory services over the network; both AD DS and AD LDS speak it. The directory, not the protocol, stores objects such as user accounts and their credentials and exposes them to authorized clients over LDAP.

Federation Services (AD FS): verifies user identity for applications that live outside the organization's own network, using claims-based single sign-on (SSO). With SSO the user logs in once and is not asked to authenticate again for each application.

Rights Management Services (AD RMS): information rights management, which prevents unauthorized use and distribution of digital content. It protects content such as Word documents or email by encrypting it on a server with restricted access and attaching a usage policy (who may open, print, forward or copy it), so the content stays protected wherever it travels.
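Because LDAP is the protocol behind both AD DS and AD LDS, it is worth seeing what an application actually sends. The following added example (not code from the original post) queries a domain controller with the .NET System.DirectoryServices.Protocols classes instead of the ActiveDirectory module; dc01.corp.example.com, the base DN and the account jdoe are placeholders, and it assumes Windows PowerShell or PowerShell 7 on Windows with a domain logon:

```powershell
# Added example (not from the original post): talk LDAP directly to a domain controller
# using System.DirectoryServices.Protocols, as an application or AD LDS client would.
# dc01.corp.example.com, the base DN and the account jdoe are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'dc01.corp.example.com'
$baseDN = 'DC=corp,DC=example,DC=com'

# Connect on 636 (LDAPS). Over plain 389 a simple bind sends the password in clear text
# and an unsigned session can be tampered with; use LDAPS, or SASL with signing required.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3           # LDAP v3, which Active Directory implements
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM, not a simple bind
$conn.Bind()                                          # binds as the current Windows identity

# Search = base DN + filter + scope + attributes. This is the LDAP equivalent of Get-ADUser.
# Credentials (unicodePwd) are never readable over LDAP, whatever the caller's rights.
$filter = '(&(objectClass=user)(sAMAccountName=jdoe))'
$attrs  = @('distinguishedName', 'displayName', 'memberOf', 'pwdLastSet')
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest(
              $baseDN, $filter,
              [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
$resp   = $conn.SendRequest($req)

foreach ($entry in $resp.Entries) {
    "DN      : $($entry.DistinguishedName)"
    "Name    : $($entry.Attributes['displayName'][0])"
    # pwdLastSet is a Windows FILETIME (100-ns ticks since 1601-01-01); convert it.
    $ticks = [int64]$entry.Attributes['pwdLastSet'][0]
    "PwdSet  : $([DateTime]::FromFileTimeUtc($ticks))"
    "Groups  :"
    foreach ($g in $entry.Attributes['memberOf']) { "          $g" }
}
$conn.Dispose()
```

The same search against an AD LDS instance only changes the server, port and base DN; the wire protocol is identical, which is the point of AD LDS.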

A closer look at Domain Services (AD DS)

The main service in Active Directory is Domain Services, AD DS. It stores the directory information and governs what users can do in the domain. AD DS checks a user's identity when they log on to a device or try to connect to a server on the network, and it controls which users have access to which resources; for example, an administrator has a different level of access to data than an ordinary user.

Other Microsoft products such as Exchange Server and SharePoint Server rely on AD DS to authenticate users and grant access to resources. A server that hosts Active Directory Domain Services is called a domain controller.

The difference between Active Directory and Domain Controller

Active Directory is the directory service; a domain controller is the server that provides that service on the network. So the difference between Active Directory and a domain controller is that one is the service and the other is what delivers it.

An analogy makes this clearer. A taxi company offers a ride service, but the service cannot be delivered without cars and drivers. The car is not the service; it is what provides the service.

Active Directory is like a phone book that holds everyone's details, such as phone numbers and addresses. Active Directory holds the details of every user, computer and device connected to the network.

A domain controller is where Active Directory runs. The DC is the concrete server (physical or virtual) and Active Directory is the logical service. A domain normally has more than one DC for redundancy, and every writable DC holds a complete copy of its domain's database, so each one must be protected as carefully as the directory itself.
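The service/server distinction is easiest to see by asking the network which servers currently provide the service. The following is an added example, not code from the original post; corp.example.com is a placeholder and it assumes a domain-joined Windows host with RSAT installed:

```powershell
# Added example (not from the original post): locate the domain controllers that host
# Active Directory for a domain three different ways. corp.example.com is a placeholder.
$domainName = 'corp.example.com'

# 1. DNS: Active Directory registers SRV records so a client can find a DC by name alone.
#    This is the DNS integration the post lists among the advantages of a domain.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# 2. The Netlogon DC locator, which is what a workstation itself uses at logon.
nltest /dsgetdc:$domainName /force

# 3. The directory itself: every DC is an object in the domain, with its site and roles.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * -Server $domainName |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# Security check: each writable DC holds the whole domain database (NTDS.DIT, password
# hashes included). Whoever can log on to a DC or read its backups effectively owns the
# domain, so review who has that level of access.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

If the SRV lookup in step 1 fails, workstations will not be able to find a DC either; it is the first thing to check when "the domain is down" is reported.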

History and versions of Active Directory

Microsoft first introduced Active Directory in 2000 with Windows 2000 Server, and has shipped new versions with each later Windows Server release. Windows Server 2003 added forest trusts and the ability to rename domains within a forest. AD FS first appeared with Windows Server 2003 R2 and became a built-in server role in Windows Server 2008. Windows Server 2016 updated AD DS with new security features and closer integration with the cloud (Azure Active Directory), which made migrating an AD environment to the cloud practical.

The security updates in Windows Server 2016 include Privileged Access Management (PAM). PAM keeps privileged accounts in a separate bastion forest and grants membership in privileged groups only for a limited time, and every such grant is logged, so it is possible to see who was given which access and when.

Other directory services, such as Red Hat Directory Server, Apache Directory Server and OpenLDAP, compete with Active Directory.

Advantages of Active Directory

Each point below compares a domain with a workgroup, the peer-to-peer arrangement in which every computer keeps its own local accounts and settings.

1- Centralized storage of user and network-entity information:

Domain: All user information (name, password hash, phone number, address and so on) is kept centrally, so it can be backed up, accessed quickly and managed from one place.

Workgroup: The information is scattered across the individual computers, which besides being very weak from a security standpoint makes backup difficult or impossible and leaves no central management.

2- Scalability:

Domain: Thanks to centralized information and management, it can hold and manage a very large number of objects of different kinds.

Workgroup: Because the information is dispersed, Microsoft recommends that a workgroup not exceed about 10 computers; beyond that it becomes unmanageable.

3- Extensibility:

Domain: New object classes and attributes (beyond those defined by default) can be added to the schema and used throughout the network.

Workgroup: Only the predefined object types can be used.

4- Manageability:

Domain: With information and management centralized, the network can be moved towards a defined goal. For example, to raise security, a new hardening setting can be rolled out to every computer at once.

Workgroup: With no central information, management amounts to maintaining the status quo; there is no way to drive the network towards specific goals.

5- Integration with DNS

Domain: Because Active Directory is built on DNS, reaching the network's services is easy. Names form a hierarchy, and a client can find the address of any service, including its nearest domain controller, by asking DNS (Active Directory publishes SRV records for this).

Workgroup: The ability to reach other computers is very limited: a user has to know the destination's name or IP address in advance, because there is no naming hierarchy and no service knows the addresses of the other members.

6- Central management of what users and computers may do:

Domain: The permitted activities and access of every network entity can be defined centrally for the entire network.

Workgroup: A user's access can at most be defined on their own computer; it cannot be defined network-wide.

7- Policy-based management (Group Policy):

Domain: The network can be driven towards a specific goal by applying different policies (Group Policy Objects) to sites, domains and organizational units.

Workgroup: Policy can only be applied to a single computer (Local Group Policy), not across the network.

8- Exchange of information between servers in large networks:

Domain: Directory information is replicated between the domain controllers, so every controller knows the latest changes and serves up-to-date data. For example, a newly created user is recognised by every controller as soon as replication completes and can use every service immediately.

Workgroup: Nothing is replicated, because there is no central server. A new user therefore has to be defined separately by the administrator on every computer whose services they need.

9- Flexibility in security and identification of network entities:

Domain: Any object can be identified anywhere in the network, and users can be authenticated with different methods and security protocols (Kerberos, NTLM, certificates).

Workgroup: Each computer can only identify the accounts defined on that same computer.

10- Comprehensive and integrated security:

Domain: Joining a domain applies a baseline set of security settings by default, and the administrator can then raise network security much further through policy.

Workgroup: With no central management or information, security is basic and weak and specific to each computer (home-user level).

11- Secure movement of application data (application partitions):

Domain: If a service or application stores its data in an Active Directory application partition, that data replicates between servers together with the directory data, safely and quickly.

12- Ability to connect and communicate with other directories:

Domain: Because Active Directory (from Windows 2000/2003 onward) implements LDAP version 3, an open standard, as well as NSPI, it can interoperate with other directories built on the same standard, even ones written by companies other than Microsoft.

13- Signed and encrypted replication traffic:

Domain: Information replicated between domain controllers is authenticated and encrypted, so it is well protected in transit.
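Advantages 4, 7 and 8 (manageability, Group Policy and replication between servers) come together in one routine task: define a security setting once, link it to an OU, and let replication carry it to every domain controller. The following is an added example, not code from the original post; the GPO name and OU path are placeholders, and it assumes the GroupPolicy and ActiveDirectory RSAT modules plus rights to create and link GPOs:

```powershell
# Added example (not from the original post): roll out one security setting network-wide
# through Group Policy and confirm it has replicated to every domain controller.
# The GPO name and OU DN are placeholders; requires GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Security - Require LDAP client signing'
$targetOU = 'OU=Workstations,DC=corp,DC=example,DC=com'

# 1. Policy: create the GPO (idempotently) and set a single value. LDAPClientIntegrity = 2
#    is the registry form of "Network security: LDAP client signing requirements: Require signing".
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Added example: harden LDAP clients' }

Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LDAP' `
    -ValueName 'LDAPClientIntegrity' -Type DWord -Value 2 | Out-Null

# 2. Scope: link it to the OU. Every computer under that OU receives it; in a workgroup the
#    same registry edit would have to be made on each machine by hand.
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# 3. Replication: the GPO lives in the directory (and its files in SYSVOL), so it reaches
#    every DC. Check that no DC is lagging before assuming clients will pick it up.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

# 4. Verify from a client's point of view (run on a workstation after 'gpupdate /force'):
#    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' -Name LDAPClientIntegrity
```

A LastReplicationResult other than 0 or a non-zero ConsecutiveReplicationFailures on any partner means that DC is still serving the old policy; fix replication before trusting the rollout.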