Understanding Active Directory

What is Directory Service?

  • A directory service is a container that provides a hierarchical structure and allows to store objects for quick and easy access and manipulation. A directory service is like an electronic phone directory that lets you search for Name and retrieve the phone number, address, or other information without knowing where that person lives.
  • Before directory services, If you needed a file, you needed to know the name of the file, the name of the server on which it is stored and its folder path. Now this works well on small network, but as the network grows it becomes challenging.
  • Directory service is the means by which users and administrators can locate resources regardless of where those resources are located.

What is Active Directory?

  • Active Directory is Microsoft?s answer to directory services and it does a lot more than just locating resources.
  • Active Directory take care of this by using Kerberos Authentication and Single Sign-On (SSO). SSO means ability of Kerberos to provide a user with one set of credentials and grant them access across a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket with which the user gains access to the resources and services that support Kerberos.
  • Active Directory also makes user management more easier as it acts as a single repository for all of this user and computer related information.

History of Directory Services?

  • Earlier to today?s directory services is X.500 specification that emerged from the International Telecommunications Union (ITU), formerly the CCITT (Comit Consultatif International Tlphonique et Tlgraphique).
  • X.500 sits at the Application layer in the OSI model. X.500 contain several component databases that work together as a single entity.
  • The primary database is the Directory Information Base (DIB), which stores information about the objects. Major limitation was its lack of integration with Internet Protocol (IP).
  • Protocol it used was Directory Access Protocol, or DAP. DAP offered more functionality than that is required for implementing directory services, so a scaled down version called Lightweight Directory Access Protocol (LDAP) was made. Later it was considered as a standard by Internet Engineering Task Force (IETF).

Advantages of LDAP:

  • LDAP relies on the TCP/IP stack rather than the OSI stack
  • Integrate with IP and enable IP clients to use LDAP to query directory services.
  • LDAP can perform hyper-searches. Giving one directory the ability to defer to another to provide requested data.
  • LDAP?s API is C-based
  • Like X.500, LDAP uses an inverted-tree hierarchical structure
  • LDAP supports Kerberos authentication, Simple Authentication Security Layer (SASL), and Secure Sockets Layer (SSL)
  • Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.

Back to Active Directory

  • LDAP relies on the TCP/IP stack rather than the OSI stack
  • Integrate with IP and enable IP clients to use LDAP to query directory services.
  • LDAP can perform hyper-searches. Giving one directory the ability to defer to another to provide requested data.
  • LDAP?s API is C-based
  • Like X.500, LDAP uses an inverted-tree hierarchical structure
  • LDAP supports Kerberos authentication, Simple Authentication Security Layer (SASL), and Secure Sockets Layer (SSL)
  • Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.

Naming Conventions

  • AD contains information about objects in your enterprise.
  • These objects can be computers, users, printers etc.
  • AD is a container with nested containers holding other containers or objects.
  • And we name these container and objects so that its easy to query or search.

AD supports several Naming Conventions.

  • User Principal Names, or UPN
  • LDAP names also known as Distinguished Name

Domains:

  • A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. Domains are logical directory components that you create to manage the administrative requirements of your organization. Domains can also be defined as:
  • Containers within a forest
  • Units of Policy
  • Units of Replication
  • Authentication and Authorization Boundaries
  • Units of Trust

Domain, Tree and Forest

  • Objects that are made on AD are grouped into domains.
  • The objects for a single domain are stored in a single database (which can be replicated).
  • A tree is a collection of one or more domains
  • A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.

What is a Domain Controller?

  • A domain controller is a server that is running a version of the Windows Server operating system and has Active Directory Domain Services installed.
  • On Microsoft Servers, a domain controller (DC) is a server computer[1][2] that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain.[3][4] A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

*In Windows Server 2003 and Microsoft Windows 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services.

19