What is Active Directory Directory Services (ADDS)?
Active Directory is used to manage an enterprise's user information: it stores and manages large volumes of user accounts and their credentials.
Active Directory Directory Services (ADDS) is used to manage security policies for users and resources within the network.
AD provides Single Sign-On (SSO), allowing or denying access to users based on the policies assigned by the system administrators. This means a user signs in once and can then access network resources such as computers, printers, file shares, email, SharePoint, etc.
Administrators can centrally manage the entire network's access and security policies from one place, and can grant or revoke a user's access to an individual resource from that same location.
Servers that host Active Directory are called domain controllers (DCs).
A domain controller is a server running a version of Windows Server with the ADDS role installed.
Security policies are created on domain controllers and propagated to all domain-joined machines in the network.
There are two primary types of accounts created in a Domain Controller. They are
- User Accounts
- Computer Accounts
User accounts are used to add users into Active Directory, and computer accounts are used to add computers and network resources as members of the domain. The type of information stored for each kind of account is described by the schema.
The schema is the set of attributes that the directory service uses to store data. It describes how data about users and computers is stored in the database.
User accounts and computer accounts are added to the database on the domain controllers according to the defined schema.
- The user account schema describes what information is stored for a user account, such as email address, username, password, department, role, etc.
- The computer account schema has attributes such as computer name, SID, etc.
Schemas are extensible: additional attributes can be added at a later stage if required.
Groups are simply collections of user accounts and computer accounts. Working with groups instead of individual users simplifies network maintenance and administration: groups allow permissions to be set for a set of users as a whole instead of adding permissions for each individual user.
Example: if employees in the accounting department should have access to a set of report files, the accounting employees can be added to a group and the group can be given permission to the report files, so everyone in the group gets access to the files. All other users can be blocked from accessing the report files.
A Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users.
Security policies can be granular. For example, an admin can lock down a single user's access to the CD drive of a computer, stop a user from changing the desktop background, or restrict what a user can do on specific machines.
There are two types of groups in Active Directory:
- Distribution groups: used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
- Security groups: used for granting permissions to access resources. Sending an e-mail message to a security group also sends the message to all members of the group, so security groups share the capabilities of distribution groups.
Organizational units (OUs) are containers in which users, groups, computers and other organizational units can be placed. OUs exist for administrative and organizing purposes. An OU is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. OUs can be used to represent the hierarchical and logical structure of the organization.
Example: An organizational unit can be created to manage the groups, users and computers of a specific branch office, and that OU can have an administrator who can administer only that OU.
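The following is an added example, not code from the original article: a small Python model of how group membership drives access to a resource. It shows the three points made above, that permissions are granted to a security group rather than to each user, that a distribution group cannot carry permissions, and that nested membership is resolved when computing effective access. All names in it (the users, the Accounting groups, the report share) are constructed sample data.

```python
"""Added example, not from the original article: a small model of how
Active Directory group membership drives access to a resource.

All names (the users, the 'Accounting' groups, the report share) are
constructed sample data, not values from the article."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Group:
    name: str
    kind: str                                       # "security" or "distribution"
    members: Set[str] = field(default_factory=set)  # user names or nested group names


def resolve_members(group_name: str, groups: Dict[str, Group],
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand nested group membership into the set of user names.

    `seen` guards against membership cycles (A contains B contains A)."""
    seen = seen if seen is not None else set()
    if group_name in seen or group_name not in groups:
        return set()
    seen.add(group_name)
    users: Set[str] = set()
    for member in groups[group_name].members:
        if member in groups:                        # nested group: recurse
            users |= resolve_members(member, groups, seen)
        else:                                       # plain user account
            users.add(member)
    return users


def grant(acl: Dict[str, Set[str]], resource: str, principal: str,
          groups: Dict[str, Group]) -> None:
    """Add `principal` (a user or a security group) to the resource's ACL.

    Mirrors the AD rule that permissions cannot be granted to a
    distribution group; only security groups are security principals."""
    if principal in groups and groups[principal].kind == "distribution":
        raise ValueError(f"{principal} is a distribution group and cannot be granted permissions")
    acl.setdefault(resource, set()).add(principal)


def can_access(user: str, resource: str, acl: Dict[str, Set[str]],
               groups: Dict[str, Group]) -> bool:
    """Effective access: the user is listed directly on the ACL, or is a
    (possibly nested) member of a security group listed on it."""
    for principal in acl.get(resource, set()):
        if principal == user:
            return True
        grp = groups.get(principal)
        if grp is not None and grp.kind == "security" and user in resolve_members(principal, groups):
            return True
    return False


def build_sample():
    """Constructed sample directory: an accounting team with a nested
    managers group, a mail-only all-staff list, and one report share."""
    groups = {
        "Accounting-Managers": Group("Accounting-Managers", "security", {"carol"}),
        "Accounting": Group("Accounting", "security", {"alice", "bob", "Accounting-Managers"}),
        "All-Staff": Group("All-Staff", "distribution", {"alice", "bob", "carol", "dave"}),
    }
    acl: Dict[str, Set[str]] = {}
    grant(acl, r"\\fileserver\reports", "Accounting", groups)
    return groups, acl


if __name__ == "__main__":
    groups, acl = build_sample()
    share = r"\\fileserver\reports"
    for user in ("alice", "carol", "dave"):
        print(user, can_access(user, share, acl, groups))
    # Administration happens on the group, not on the resource: removing
    # alice from Accounting revokes her access without touching the ACL.
    groups["Accounting"].members.discard("alice")
    print("alice after removal:", can_access("alice", share, acl, groups))
```

The check in `grant` is the model's version of the rule that only security groups can appear in an ACL; the final lines show why group-based administration is simpler, since revoking access is a membership change rather than an edit to every resource's ACL.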
Domains, Trees and Forests
Domain controllers form a domain. All the computers and users that authenticate to a given set of domain controllers are said to be within a single domain.
A tree is a collection of domains within a Microsoft Active Directory network that share a contiguous namespace.
The top of the structure is called the forest; its root domain links and controls all the trees. An Active Directory forest is the highest level of organization within Active Directory. Each forest has a single database, a single global address list and is a security boundary. By default, a user or administrator in one forest cannot access another forest.
Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain.
Trusted domain objects (TDOs) are objects that represent each trust relationship within a particular domain.
Sub-domains of the forest root have a two-way transitive trust established. A transitive trust is a two-way relationship automatically created between parent and child domains in a Microsoft Active Directory forest. When a new domain is created, it shares resources with its parent domain by default, enabling an authenticated user to access resources in both the child and the parent.
Transitive trust also allows a user of one sub-domain to access resources in a different sub-domain under the same forest root. This provides seamless access for a user between different domains.
An explicit one-way trust is used to enable trust between two Active Directory forests, in which users from the primary AD can access the other network but not vice versa. A one-way explicit trust is established by the secondary AD trusting the primary AD; users from the primary AD can then be added to secondary AD groups to access resources in the secondary domain.
Types of Trusts
There are two classifications of trust. They are
- Default Trusts
- Explicit Trusts (Other Trusts)
Two-way, transitive trusts are automatically created when a new domain is added to a domain tree or to the forest root domain:
- Tree root trust is automatically (implicitly) created when a new tree root domain is added to a forest. The trust relationship exists between two root domains within the same forest. For instance, if there is an existing forest root domain and a new tree root domain is added to the same forest, a tree root trust is formed between the new tree root domain and the existing forest root domain. Tree root trust is transitive and two-way.
- Parent and child trust is established when a new child domain is added to an existing domain tree.
Four other types of trust can be created manually using the New Trust Wizard: external, realm, forest, and shortcut trusts.
External trust: An administrator explicitly defines an external trust to enable trust between domains that are located in different forests, or to create trust between an Active Directory domain and a down-level Windows NT 4 domain. External trust is always non-transitive but can be either one-way or two-way. External trust is usually only created in Active Directory environments when users need to access network resources in a domain that resides in a different forest and a forest trust cannot be created between the two forests. When an external trust is created between an Active Directory domain and a down-level Windows NT 4 domain, it is a one-way, non-transitive trust relationship.
Forest trust: An administrator explicitly creates a forest trust to enable trust between two Active Directory forests. Forest trust is transitive in nature and can be either one-way or two-way. Because a forest trust is created between the root domains of the two forests, it effectively creates trust with each domain within the two forests. This means that users are able to access Active Directory objects in all domains encompassed by the particular forest trust relationship.
Shortcut trust: An administrator explicitly creates a shortcut trust, which is either a one-way transitive trust or a two-way transitive trust. A shortcut trust is usually created to speed up or enhance authentication performance between two domains in different trees within the same forest. A one-way shortcut trust should be created when users in Domain1 need to access Active Directory objects in Domain2 but users in Domain2 do not need to access objects in Domain1. A two-way shortcut trust should be created when users in each domain need to access objects in each other's domain.
Realm trust: An administrator explicitly creates a realm trust, which can be defined as either transitive or non-transitive. It can also be either one-way or two-way. Realm trust enables a trust relationship between a Windows Server 2003 Active Directory domain and a non-Windows Kerberos version 5 realm. Realm trust therefore facilitates interoperability between a Windows Server 2003 domain and a realm used in Kerberos version 5 implementations.
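As an added example (not code from the original article), the following Python model turns the trust rules described in this section into an auditing routine: given a list of trusts with their direction and kind, it computes which domains a user from a given domain can be authenticated to. The domain names and the topology are constructed sample data. The model simplifies real AD: it treats parent/child, tree-root, shortcut and forest trusts as transitive and external trusts as non-transitive, and it allows at most one forest trust on a path, since a forest trust does not extend to a third forest.

```python
"""Added example, not from the original article: a model of Active
Directory trust relationships used to audit which domains a user can
be authenticated to.

Domain names and the trust topology below are constructed sample data.
Simplifications: parent/child, tree-root, shortcut and forest trusts
are transitive; external trusts are non-transitive; a path may cross
at most one forest trust (forest trusts do not chain to a third forest)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Trust:
    trusting: str        # domain holding the resources (accepts the other side's users)
    trusted: str         # domain holding the accounts
    kind: str            # "parent_child", "tree_root", "shortcut", "forest" or "external"
    two_way: bool = True


TRANSITIVE_KINDS = {"parent_child", "tree_root", "shortcut", "forest"}


def directed_edges(trusts):
    """Expand trusts into (trusting, trusted, kind) edges; a two-way trust
    yields one edge in each direction."""
    edges = []
    for t in trusts:
        edges.append((t.trusting, t.trusted, t.kind))
        if t.two_way:
            edges.append((t.trusted, t.trusting, t.kind))
    return edges


def path_is_valid(kinds: List[str]) -> bool:
    """A direct trust always works; a multi-hop path needs every hop to be
    transitive and may cross at most one forest trust."""
    if len(kinds) == 1:
        return True
    return all(k in TRANSITIVE_KINDS for k in kinds) and kinds.count("forest") <= 1


def reachable_domains(user_domain: str, trusts) -> Dict[str, List[str]]:
    """Map each domain whose resources a user from `user_domain` can reach
    to the sequence of trust kinds on the path that was found."""
    edges = directed_edges(trusts)
    found: Dict[str, List[str]] = {}

    def walk(current, kinds, visited):
        for trusting, trusted, kind in edges:
            # An edge is usable from `current` only when `current` is the
            # trusted (account) side; `visited` prevents cycles.
            if trusted != current or trusting in visited:
                continue
            new_kinds = kinds + [kind]
            if not path_is_valid(new_kinds):
                continue
            found.setdefault(trusting, new_kinds)
            walk(trusting, new_kinds, visited | {trusting})

    walk(user_domain, [], {user_domain})
    return found


def can_authenticate_to(user_domain: str, resource_domain: str, trusts) -> bool:
    """True if some valid trust path lets `user_domain` accounts into `resource_domain`."""
    return resource_domain in reachable_domains(user_domain, trusts)


def sample_topology():
    """Constructed topology: forest corp.example with two child domains, a
    two-way forest trust to partner.example (which has one child domain),
    a second forest trust partner<->vendor, and a one-way external trust
    that lets legacy.local users into emea.corp.example only."""
    return [
        Trust("corp.example", "emea.corp.example", "parent_child"),
        Trust("corp.example", "apac.corp.example", "parent_child"),
        Trust("partner.example", "lab.partner.example", "parent_child"),
        Trust("corp.example", "partner.example", "forest"),
        Trust("partner.example", "vendor.example", "forest"),
        Trust("emea.corp.example", "legacy.local", "external", two_way=False),
    ]


if __name__ == "__main__":
    trusts = sample_topology()
    for dom in ("emea.corp.example", "legacy.local", "vendor.example"):
        print(dom, "->", sorted(reachable_domains(dom, trusts)))
```

Running it on the sample topology shows the behaviours the section describes: an emea.corp.example user reaches every domain in its own forest and, through the forest trust, both domains of partner.example, but not vendor.example (a second forest trust) and not legacy.local (the external trust points the other way); a legacy.local user reaches only emea.corp.example, because the external trust is non-transitive.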