What is Active Directory and how does it work?

Understanding Active Directory

Active Directory is a centralized database for the network, through which we can manage the objects and the security policies of the whole network.

Active Directory (AD) is a service integrated into Microsoft Windows Server; it consists of several services that run on Windows Server (2k3, 2k8, 2k12, 2k16) to manage permissions and access to network resources.
Active Directory stores a database of objects. An object represents a shared resource managed by AD.
  • Active Directory is Microsoft’s answer to directory services, and it does a lot more than just locating resources.
  • Active Directory takes care of authentication and access by using Kerberos authentication and Single Sign-On (SSO). SSO means the ability of Kerberos to provide a user with one set of credentials and grant them access across a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket with which the user gains access to the resources and services that support Kerberos.
  • Active Directory also makes user management easier, as it acts as a single repository for all user- and computer-related information.

What's a directory service?

# A directory service is a container that provides a hierarchical structure and allows objects to be stored for quick and easy access and manipulation. A directory service is like an electronic phone directory that lets you search for a name and retrieve the phone number, address, or other information without knowing where that person lives.

# Before directory services, if you needed a file, you needed to know the name of the file, the name of the server on which it was stored and its folder path. This works well on a small network, but as the network grows it becomes challenging.

# Directory services are the means by which users and administrators can locate resources regardless of where those resources are located.


History of Directory Service
  • The predecessor of today’s directory services is the X.500 specification, which emerged from the International Telecommunications Union (ITU), formerly the CCITT (Comité Consultatif International Téléphonique et Télégraphique).
  • X.500 sits at the Application layer of the OSI model. X.500 contains several component databases that work together as a single entity.
  • The primary database is the Directory Information Base (DIB), which stores information about the objects. Its major limitation was its lack of integration with the Internet Protocol (IP).
  • The protocol it used was the Directory Access Protocol, or DAP. DAP offered more functionality than is required for implementing directory services, so a scaled-down version called the Lightweight Directory Access Protocol (LDAP) was made. It was later adopted as a standard by the Internet Engineering Task Force (IETF).

Advantages of LDAP (Lightweight Directory Access Protocol)

# LDAP relies on the TCP/IP stack rather than the OSI stack.

# It is integrated with IP, enabling IP clients to use LDAP to query directory services.

# LDAP can perform hyper-searches, giving one directory the ability to defer to another to provide the requested data.

# LDAP supports Kerberos authentication.

# Like X.500, LDAP uses an inverted-tree hierarchical structure.


Back to Active Directory

# AD is Microsoft's implementation of directory services, and it does a lot more than just locating resources.

# AD uses LDAP as its access protocol.

# AD relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries.

# Let's understand Active Directory in more detail.


Naming Conventions

# AD contains information about objects in your enterprise.

# These objects can be computers, users, printers, etc.

# AD is a container with nested containers holding other containers or objects.

# And we name these containers and objects so that they are easy to query or search.


AD supports several naming conventions

# User Principal Name, or UPN
# LDAP name, also known as Distinguished Name

User Principal Names, or UPN

# This is the one you'll probably find most familiar; it follows the RFC 822 specification.
# It has the same format as your email address, like shailendra@msft.com.
# UPNs take the form user@domain.
# If you have a user named A1 under the Active Directory domain Antero.in, the UPN will be A1@Antero.in.

# We will discuss AD domains in more detail later.


LDAP name, also known as Distinguished Name

# Typically it has this format:

cn = common name

ou = organizational unit

dc = domain component (one per DNS label, e.g. dc=antero,dc=in)

For example: cn=Shailendra, ou=Trainer, dc=Antero

# And an LDAP query for this object should look like this:

LDAP://pc1.antero.in/cn=Shailendra,ou=Trainer,dc=antero,dc=in

pc1.antero.in is the FQDN of the domain controller.
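To make the two naming conventions concrete, here is an added Python example (not code from this post or from Antero Technology Group). It builds a UPN, a distinguished name and the LDAP path shown above from their parts, escapes attribute values as RFC 4514 requires so that a user-supplied name cannot smuggle an extra RDN into the DN, and parses a DN back into its components. The domain antero.in, the DC pc1.antero.in and the names Shailendra and Trainer are the post's own sample values; the function names are my own.

```python
"""Active Directory naming: UPN, distinguished name (DN) and LDAP path.

Added example for this post; not code from Antero Technology Group.
Sample values (antero.in, pc1.antero.in, Shailendra, Trainer) come from
the post; the function names here are my own.
"""
import re

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514). A leading '#', a leading space and a trailing space are
# escaped as well. '=' may be escaped but does not have to be.
_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot break out of its RDN.

    Without this, a name such as 'x,ou=Admins' would be read as two RDNs
    once concatenated into a DN (the DN-injection case).
    """
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(domain: str) -> str:
    """'antero.in' -> 'dc=antero,dc=in' (one dc= component per DNS label)."""
    labels = [lbl for lbl in domain.strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + escape_dn_value(lbl) for lbl in labels)


def build_dn(cn: str, ous, domain: str) -> str:
    """cn=..., then the OU chain (innermost first), then the dc= components."""
    rdns = ["cn=" + escape_dn_value(cn)]
    rdns += ["ou=" + escape_dn_value(ou) for ou in ous]
    rdns.append(domain_to_dc(domain))
    return ",".join(rdns)


def build_ldap_path(dc_fqdn: str, dn: str) -> str:
    """LDAP path in the form the post shows: LDAP://<DC FQDN>/<DN>."""
    return f"LDAP://{dc_fqdn}/{dn}"


_UPN_USER = re.compile(r"[A-Za-z0-9._%+-]+")


def build_upn(user: str, domain: str) -> str:
    """RFC 822 style user@domain; rejects input that would produce a second '@'."""
    if not _UPN_USER.fullmatch(user) or "@" in domain or not domain:
        raise ValueError("invalid UPN components")
    return f"{user}@{domain}"


def parse_dn(dn: str):
    """Split a DN into (type, value) pairs, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _DN_SPECIAL or nxt in " #=":          # \, \+ \" \\ \  \# \=
                cur.append(nxt)
                i += 2
                continue
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):  # \2C style hex escape
                cur.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
                continue
        if ch == ",":                                       # unescaped comma ends the RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not attr.strip() or not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), val))
    return pairs


if __name__ == "__main__":
    dn = build_dn("Shailendra", ["Trainer"], "antero.in")
    print(build_upn("Shailendra", "antero.in"))
    print(build_ldap_path("pc1.antero.in", dn))
    print(parse_dn(dn))
```

The escaping step is the part worth keeping in mind when a DN is assembled from user input: build_dn("x,ou=Admins", ...) yields cn=x\,ou=Admins,... rather than a DN that claims membership of a different OU, and parse_dn recovers the original value from it.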


DNS Requirements

# The DNS server must support:
# Service (SRV) resource records
# The dynamic update protocol specified in its RFC
# AD relies on DNS as its primary locator service, although it is not the only mechanism for locating domain controllers (DCs).
# A domain controller is a server that has Active Directory installed.
# When a domain controller starts, it registers both its DNS name and its NetBIOS name. More on NetBIOS names later.

# It also adds Kerberos-authentication-specific SRV records to enable clients to locate servers running the Kerberos Key Distribution Center (KDC) service.

# Each DC also adds an A record that enables clients that don't support SRV records to locate that DC through a simple host record lookup.
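As an added example (not from the post or from Antero Technology Group), the following Python code shows the client side of the locator process described above: it parses SRV records from constructed zone-file lines for the post's antero.in domain, picks out the records for one service, and selects a DC by priority and weight the way RFC 2782 specifies. The record names _ldap._tcp.<domain> and _kerberos._tcp.<domain> are the standard names a DC registers; the hosts pc2 and pc3, the TTLs and the address are constructed sample data. Because every domain client trusts these answers to find its DC and KDC, the dynamic-update requirement above is best met with secure updates that only the DC's own account can write.

```python
"""Locate a domain controller from DNS SRV records (RFC 2782 selection).

Added example for this post, not code from Antero Technology Group.
SAMPLE_ZONE is constructed data for the post's antero.in domain; only
pc1.antero.in appears in the post itself.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. _ldap._tcp.antero.in.
    priority: int   # lower is preferred
    weight: int     # tie-breaker among equal priority, proportional chance
    port: int
    target: str     # host that offers the service


# Constructed zone-file lines: two DCs at priority 0, one standby at priority 10,
# plus an A record to show that non-SRV lines are ignored by the parser.
SAMPLE_ZONE = """\
_ldap._tcp.antero.in.      600 IN SRV 0 100 389 pc1.antero.in.
_ldap._tcp.antero.in.      600 IN SRV 0  50 389 pc2.antero.in.
_ldap._tcp.antero.in.      600 IN SRV 10 0  389 pc3.antero.in.
_kerberos._tcp.antero.in.  600 IN SRV 0 100  88 pc1.antero.in.
_kerberos._tcp.antero.in.  600 IN SRV 0 100  88 pc2.antero.in.
pc1.antero.in.             600 IN A   10.0.0.11
"""


def parse_srv_records(zone_text: str):
    """Pull SRV records out of zone-file style lines; other record types are skipped."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
            continue
        name, _ttl, _cls, _rtype, prio, weight, port, target = fields
        records.append(SrvRecord(name.lower(), int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return records


def lookup(records, service: str, domain: str):
    """Return the SRV records whose owner is _<service>._tcp.<domain>."""
    owner = f"_{service}._tcp.{domain}.".lower()
    return [r for r in records if r.name == owner]


def select_target(records, roll=None):
    """RFC 2782: lowest priority wins; among equals, choose proportionally to weight.

    roll(total) must return an int in [0, total). It defaults to a random roll
    and can be injected to make the choice deterministic in tests.
    """
    if not records:
        return None
    if roll is None:
        roll = random.randrange
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return pool[0]          # all weights zero: any order is acceptable
    r, acc = roll(total), 0
    for rec in pool:            # walk the cumulative weights until the roll falls inside
        acc += rec.weight
        if r < acc:
            return rec
    return pool[-1]


def find_dc(zone_text: str, domain: str, service: str = "ldap", roll=None):
    """The flow a client follows: query SRV, choose a DC, return (host, port)."""
    rec = select_target(lookup(parse_srv_records(zone_text), service, domain), roll)
    return None if rec is None else (rec.target, rec.port)


if __name__ == "__main__":
    print("LDAP DC:", find_dc(SAMPLE_ZONE, "antero.in"))
    print("KDC:", find_dc(SAMPLE_ZONE, "antero.in", "kerberos"))
```

With the sample data, pc3 is only ever returned once both priority-0 DCs have disappeared from DNS, which is exactly how a standby DC in another site is kept out of normal client traffic.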


Active Directory Objects


Ø  Objects in AD can be either containers for other objects, or leaf objects, which do not serve as containers.
Ø  Objects in AD have attributes; these attributes not only define the object but also store data. They define the character of that object.
Ø  Some attributes are optional and some are mandatory.
Ø  Optional: phone number
Ø  Mandatory: username
Ø  When an object is created, AD assigns it a GUID, a 128-bit number; no two objects in AD have the same GUID.
Ø  If an object is moved in AD, its GUID is not deleted.
Ø  Objects in AD are protected by Access Control Lists (ACLs).
Ø  More on security later.


Active Directory Database

  • The ESE (Extensible Storage Engine) comprises tables that define the structure of the directory.
  • The database layer has three partitions that define the contents of AD, with an optional fourth table or partition.
Schema Partition

  • This stores the Active Directory schema.
  • The Active Directory schema defines what types of objects can be created in the directory,
  • how those objects relate to one another, and what the mandatory and optional attributes of each object are,
  • and how one can create such objects.












Antero Technology Group, Author & Editor

Hope it was helpful; do drop your comments for any query.