Comprehensive Guide To Active Directory Terms, Definitions And Basics
Active Directory stores information about network objects and, by providing a hierarchical structure, makes it easy to organize domains and resources. Microsoft first introduced Active Directory, along with Windows Server 2000, as the primary repository for storing user information, computers, services, and other resources on a Microsoft network.
Although later versions of Active Directory, shipped with Windows Server 2003, 2008, 2012, 2016, and 2019, introduced new features and security capabilities, the core services, such as the authentication process, still work in much the same way.
Centralized, integrated, and accurate access control lets organizations, large and small, manage users and clients on the network as precisely as possible.
Before Active Directory was introduced, if you wanted to reach a shared file on the network, you had to know the name or IP address of the server, the path to the file, and its name. Although this approach works for small networks, it does not scale as the network grows.
A directory service solves this problem by cataloguing the names of network resources such as shared files, printers, and servers and mapping each name to its address. Today, an integrated directory service such as Active Directory is critical to large enterprise networks.
Active Directory supports almost all essential processes and applications, including resource provisioning, capacity planning, security, network services, and resource management.
Active Directory Basics
Directory service
A directory service is a store of information organized in a hierarchical structure. It allows you to store, search, and manage resources within the network easily and quickly. Each network resource is represented as an object. It is important to note that a directory service is more than a database; as its name implies, it is a service. A database is a physical storage resource accessed through a computer system, whereas a directory service uses a database to look up and return information about objects.
Active Directory
Active Directory (AD) is a directory service for Windows domain networks; it runs on every Windows server that has the Active Directory Domain Services role installed. Active Directory is primarily used to store, authorize, and manage information about users and their resources, each of which is stored as an object. Resources in a network include user accounts, passwords, computers, applications, printers, shared files and folders, security groups, and their permissions.
A Windows Domain Controller (DC) is the server on which the Active Directory Domain Services role is installed; it consists of the hardware and software that provide the set of AD services. The main task of a domain controller is to verify the credentials of all users and resources in a Windows domain network (Figure 1).
The most familiar example of AD at work is a user logging into a computer that is part of a Windows domain. AD checks the identity information in its database, and if the username and password are valid, the user is allowed to log in.
Figure 1
Active Directory structure
Active Directory organizes all your network resources into one logical structure. This model is independent of the physical structure of the network: AD does not care about the network topology or the number of domain controllers and organizes resources purely logically. As a result, users can find a resource by name instead of having to know its physical location.
Active Directory allows you to organize network elements such as users or computers in a hierarchical logical structure. At the top of this hierarchy is the forest, followed by trees, each of which contains one or more domains. Within a domain are organizational units (OUs) (Figure 2).
figure 2
Active Directory objects
The basic unit of information in the Active Directory structure is called an object. Each object represents a unique network entity, such as a user or computer, and is described by a set of attributes.
For example, a user object can be identified by attributes such as name, ID, address, phone number, and more. Objects are divided into two categories: resources and security principals. Objects in the resource category include printers, computers, and other shared devices. Objects in the security principal category include users, passwords, groups, or any other object that needs to be authenticated.
AD assigns a unique security identifier (SID) to each security principal. The SID is used to allow or deny that object access to resources in the domain (Figure 3).
Objects that Active Directory supports by default include:
- Users: objects that represent people who need access to domain resources. Each user account has a username and a password.
- Computers: represent a workstation or server in the domain.
- Contacts: contain information about people outside the organization. A contact has no SID, so it does not belong to the domain as a security principal.
- Groups: represent a set of user accounts, computers, or contacts and come in two types: security and distribution. Groups make objects easier to manage.
- Shared folder: refers to a folder shared from a server and is used to share files across the network.
- Printer: represents a printer shared on the domain.
- Organizational Unit (OU): a container object that can hold other objects such as users, computers, or groups within the same domain. An OU is used to group similar objects and make them easier to manage.
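To see the distinction between security principals and the other object types listed above on a live domain, the following PowerShell script (an added example, not from the original article) queries each object class and counts how many objects carry an objectSid, and resolves a SID back to an account name. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the domain.

```powershell
# Added example: summarize which Active Directory object types carry a SID.
# Assumes the ActiveDirectory module (RSAT) is available and read access to the domain.
Import-Module ActiveDirectory

function Get-ADObjectSidSummary {
    param(
        # Where to search; defaults to the root of the current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # LDAP filters for the object types described in the article.
    # objectCategory=person with objectClass=user excludes computer objects,
    # which are a subclass of user in the AD schema.
    $filters = [ordered]@{
        'User'                = '(&(objectCategory=person)(objectClass=user))'
        'Computer'            = '(objectCategory=computer)'
        'Contact'             = '(objectClass=contact)'
        'Group'               = '(objectCategory=group)'
        'Shared folder'       = '(objectClass=volume)'
        'Printer'             = '(objectClass=printQueue)'
        'Organizational Unit' = '(objectClass=organizationalUnit)'
    }

    foreach ($name in $filters.Keys) {
        $objects = @(Get-ADObject -LDAPFilter $filters[$name] -SearchBase $SearchBase -Properties objectSid)
        $withSid = @($objects | Where-Object { $null -ne $_.objectSid }).Count
        [pscustomobject]@{
            ObjectType  = $name
            Count       = $objects.Count
            WithSid     = $withSid
            # Only objects that carry a SID can be granted or denied access in an ACL
            # (an object type with zero instances shows False here).
            IsPrincipal = ($withSid -gt 0)
        }
    }
}

# Resolve a SID (for example one copied from an ACL or a security event) to its account name.
function Resolve-ADSid {
    param([Parameter(Mandatory)][string]$Sid)
    $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    try {
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "Unresolved SID: $Sid"   # deleted or foreign principal
    }
}

Get-ADObjectSidSummary | Format-Table -AutoSize
# Well-known SID of the built-in Administrators group.
Resolve-ADSid -Sid 'S-1-5-32-544'
```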
Figure 3
Domains
Domains are the main structural unit of Active Directory. A domain is a collection of objects held in a shared database and identified by their object identifiers. An AD domain can have several subdomains, called child domains. A domain uses the client-server model.
This model provides security because permissions are assigned by the domain (server) to different users or groups (clients). A domain controller runs security services that provide authentication and authorization for specific resources (Figure 4).
Figure 4
When you first configure Active Directory, you must create a root domain name. An example of an Active Directory domain name is ad-internal.company.com, where ad-internal is the name you choose for the internal AD domain and company.com is the organization's external (public) domain.
Functional levels
Active Directory functional levels are controls that determine which domain services can be used in a domain. The functional level also dictates which versions of the Windows Server operating system can run on the domain controllers. For example, a best practice when deploying the Active Directory Domain Services role is to set the domain functional level to the highest available value so that the latest features of Active Directory are enabled (Figure 5).
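The following PowerShell function (an added example, not from the original article) reports the current domain and forest functional levels together with the oldest domain controller operating system, which is what actually caps the level, and flags a domain level below Windows2016Domain. It assumes the RSAT ActiveDirectory module and read access to the forest.

```powershell
# Added example: report Active Directory functional levels and what limits them.
# Assumes the ActiveDirectory module (RSAT) is available and read access to the forest.
Import-Module ActiveDirectory

function Get-ADFunctionalLevelReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Every domain controller in the domain with its operating system.
    $dcs = @(Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, Site)

    # A functional level can never exceed what the oldest DC supports. Sorting the
    # OS name alphabetically works because "Windows Server 2012 R2" sorts before
    # "Windows Server 2016", which sorts before "Windows Server 2019".
    $oldestDc = $dcs | Sort-Object OperatingSystem | Select-Object -First 1

    # Windows2016Domain is the reference level used here; enum values increase
    # with each release, so a numeric comparison is valid.
    $target = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain

    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        DomainFunctionalLevel = $domain.DomainMode
        ForestFunctionalLevel = $forest.ForestMode
        DomainControllers     = $dcs.Count
        OldestDcHost          = $oldestDc.HostName
        OldestDcOS            = $oldestDc.OperatingSystem
        BelowWindows2016      = ([int]$domain.DomainMode -lt $target)
    }
}

Get-ADFunctionalLevelReport | Format-List
```

Raising a level with Set-ADDomainMode or Set-ADForestMode is a one-way operation, so confirm that every DC in the report supports the target before doing so.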
Figure 5
Active Directory Security
Kerberos
Kerberos is an authentication protocol that uses cryptographic algorithms to secure communication between client/server applications. Active Directory uses Kerberos to authenticate the server and the client to each other. This validates the user's identity and grants access to the domain.
The three main elements in the Kerberos system are:
- Key Distribution Center (KDC): the KDC service is the core of the Kerberos server and handles all tickets. It runs on every Active Directory domain controller. When an Active Directory client has authenticated to the KDC, the protocol issues it a TGT.
- Ticket Granting Ticket (TGT): an authentication token that includes the user's IP address, a validity period, and a TGT session key. The TGT is encrypted during the Kerberos authentication process.
- Ticket Granting Service (TGS): this service issues the TGT and the further tickets a client needs to access other systems (Figure 6).
Figure 6
Service Principal Name
A Service Principal Name (SPN) is a unique identifier used in the Kerberos authentication process. The SPN links an instance of a service on a network host to a logon account. With an SPN, a client application can authenticate a service even when it does not know which user or service account the service runs under.
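Because an SPN must be unique, the same SPN registered on two accounts leaves the KDC unable to choose the right key for the service ticket and authentication fails. The PowerShell below (an added example, not from the original article; the same check the built-in setspn -X performs) lists conflicting SPNs and resolves a single SPN to its account, escaping LDAP metacharacters in the lookup. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: find Service Principal Names registered on more than one account.
# Assumes the ActiveDirectory module (RSAT) is available and read access to the domain.
Import-Module ActiveDirectory

function Find-ADDuplicateSpn {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Every object that has at least one SPN registered.
    $query = @{
        LDAPFilter = '(servicePrincipalName=*)'
        SearchBase = $SearchBase
        Properties = 'servicePrincipalName', 'sAMAccountName'
    }
    $accounts = Get-ADObject @query

    # Flatten to one row per (SPN, account). SPNs are compared case-insensitively.
    $rows = foreach ($acct in $accounts) {
        foreach ($spn in $acct.servicePrincipalName) {
            [pscustomobject]@{ SPN = $spn.ToLowerInvariant(); Account = $acct.sAMAccountName }
        }
    }

    # An SPN held by more than one distinct account is a conflict.
    $rows | Group-Object SPN |
        Where-Object { @($_.Group.Account | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SPN      = $_.Name
                Accounts = (@($_.Group.Account | Sort-Object -Unique) -join ', ')
            }
        }
}

# Look up which account an SPN maps to, e.g. before registering it on another account.
function Resolve-ADSpn {
    param([Parameter(Mandatory)][string]$Spn)
    # Escape LDAP filter metacharacters (RFC 4515) so the SPN is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName
}

Find-ADDuplicateSpn | Format-Table -AutoSize
```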
Active Directory Management Consoles
Active Directory management consoles can be used to maintain and operate it on a daily basis. Some of these consoles come from Microsoft; others are third-party solutions that offer additional management capabilities such as automation, reporting, integration with other services, and more.
MMC Snap-ins
Microsoft has consolidated many of the management programs and tools in its desktop and server operating systems into the Microsoft Management Console (MMC). MMC creates and opens consoles that help manage all the vital and functional components of a Windows-based network. MMC hosts snap-ins, which are management tools that can be used from within a single interface. Almost all Microsoft management tools are implemented as MMC snap-ins.
Active Directory Users and Computers (ADUC)
ADUC is the most popular MMC snap-in for Active Directory management and is used to manage a wide range of objects. The ADUC console (dsa.msc) is installed by default with the AD DS role (Figure 7).
Figure 7
Active Directory Administrative Center (ADAC)
The ADAC console was introduced with Windows Server 2012. It can be used to set up and manage user accounts, computers, groups, and more. ADAC offers more advanced management capabilities than ADUC, such as the Active Directory Recycle Bin, Fine-Grained Password Policy, and the Windows PowerShell History Viewer (Figure 8).
Figure 8
Third-party software for monitoring and troubleshooting Active Directory performance
Third-party software extends Active Directory's capabilities and functionality. With tools like SolarWinds Server & Application Monitor (SAM), you can not only monitor Active Directory performance and troubleshoot it but also monitor all the applications, servers, and operating systems in your IT infrastructure.
Figure 9 shows how the SolarWinds SAM analytics tools provide comprehensive oversight to identify and troubleshoot Active Directory performance problems. SAM helps you monitor the status of each domain controller and identify problems between sites and domain controllers.
Important features of SAM include the following:
- View site details
- View Windows logs and events
- Track the status of domain controllers
- Review FSMO roles
Figure 9
In addition, SAM has other functionality related to Active Directory, including a user-friendly dashboard, a reporting and alerting system, and task automation scripts.
SolarWinds also offers a compact free package called the Free Admin Bundle for AD, which helps identify and delete inactive users and computers and add new users to Active Directory.