
Introduction to Active Directory

Active Directory (AD) has become a critical component of organizations. This article gives a basic overview of AD.

What is Active Directory (AD)?

Active Directory is a directory service from Microsoft that stores information about the objects on a network (users, computers, groups and more) and makes that information easy for users and administrators to find and use.

It provides a standardized, hierarchical structure for organizing data on the network. Think of it as a contact list for the objects and systems on a network.

Active Directory underpins most day-to-day operations in an IT network. It verifies that each entity is who it claims to be (authentication), usually by checking the user ID and password supplied, and lets it access only the data it is authorized to use (authorization).

What is Active Directory Domain Controller (AD-DC)?

A directory is a structured store of details about the objects on a network. A directory service, such as Active Directory Domain Services (AD DS), stores that domain data and makes it available to administrators and to other systems.

The server running AD DS is called a domain controller (DC). A domain controller also integrates with other Microsoft products, such as Exchange Server and SQL Server, which rely on it to authenticate their users.

AD DS is the core element of Active Directory. It provides the primary mechanism for authenticating users by password and for defining which system resources each user may access. AD DS also delivers additional features such as Single Sign-On (SSO), security certificates, LDAP, and access control management.

List of Objects in Active Directory

User object: A user object in AD represents a real person who is part of a company’s AD network. It is a leaf object, which means it cannot contain other AD objects. By default, new user accounts land in the Users container, which also holds various predefined user accounts and groups, including the security groups used for domain and forest management. You may change the default location for new users and groups by specifying the distinguished name of the target OU, e.g. “OU=COMPANY,DC=SECURDI,DC=COM”.

Contact object: A contact object in AD holds contact information for a real person who is not part of the company but is related to it.

Printer object: A printer object in AD refers to a real printer on the AD network. It is a leaf object, which means it cannot contain other AD objects. A printer object is not a security principal, so it has a GUID but no security identifier (SID).

Computers: By default, a computer object is created when a Windows machine is joined to the domain, and its properties can then be edited in the Computer Properties dialogue. A computer object in AD represents a computer that is part of a company’s AD network and may be associated with any of the employees in the business.

Shared folder: A shared folder object in AD is a pointer to a shared folder on the machine where that folder is kept.

Group: A group object in AD can contain other AD objects such as groups, users, and computers. A group object is therefore a container object.

Organizational Unit (OU): An OU is a container in an Active Directory domain that can hold multiple objects from the same domain: other containers, groups, user accounts and computer accounts. An OU is the smallest administrative unit in a domain to which an administrator can link Group Policy Objects (GPOs) and delegate control to other users or groups.

Suppose a company has branches in different states and cities around the world. It would be sensible to build a container for each state at the top level of the domain and then create separate containers inside each state for its cities. Within each location you may create distinct OUs for administrators, groups, computers, servers, and users.

If required, you may add more layers to the structure (buildings, departments, etc.).

In such an Active Directory structure, you can easily assign AD permissions and link GPOs at the right level.

Structure of Active Directory Domain Services

AD DS organizes the data in a hierarchical structure consisting of organizational units, domains, trees, and forests.

Organizational Units: An OU is used to manage users, groups, workstations, and other functional units.

Containers: A container is similar to an OU, but unlike an OU, a Group Policy Object (GPO) cannot be linked to a standard Active Directory container.

Domains: A domain is a collection of objects such as users, groups, and endpoints that share the same AD database. You might think of a domain as a branch of a tree. Domains follow the same naming structure as DNS domains and subdomains, e.g., securdi.com and sales.securdi.com.

Forest: A forest is the top-level structure in AD and contains a collection of trees. The trees in a forest trust each other and share a common catalog, application data, and configuration settings.

Trees: A tree is one or more domains grouped together in a contiguous namespace. Because the domains in a tree are connected, they are said to “trust” each other.
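The state/city OU layout described above, and the OU, container and domain definitions in this section, all come down to how an object's LDAP distinguished name (DN) encodes its place in the hierarchy. The following Python script is an added example, not code from the original article: it parses DNs of the form used above (“OU=COMPANY,DC=SECURDI,DC=COM”), generates the state → city → per-type OU layout, derives the DNS domain name from the DC= components (so a child domain such as sales.securdi.com shows up naturally), and applies the rule that GPOs can be linked to domains and OUs but not to built-in containers like CN=Users. All domain, state and city names are constructed for illustration, and the DN syntax follows RFC 4514 except that only backslash-escaped commas are handled.

```python
# Added example (not from the original article): a small model of the
# LDAP distinguished names (DNs) that identify objects in an AD domain.
# DN syntax follows RFC 4514: comma-separated RDNs, leaf first, domain
# components (DC=) last. All names below are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RDN:
    """One relative distinguished name, e.g. OU=Boston."""
    attr: str
    value: str


def parse_dn(dn: str) -> list[RDN]:
    """Split a DN into RDNs, leaf first.

    A backslash-escaped comma inside a value (e.g. CN=Smith\\, John) is
    kept as part of the value; the full RFC 4514 escaping grammar is
    deliberately not implemented here.
    """
    parts: list[str] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair verbatim
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends an RDN
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)

    rdns: list[RDN] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append(RDN(attr.strip().upper(), value.strip()))
    return rdns


def dns_domain(dn: str) -> str:
    """DNS name of the domain holding the object: DC= values joined by dots.
    A child domain such as sales.securdi.com has one more DC= component."""
    return ".".join(r.value for r in parse_dn(dn) if r.attr == "DC").lower()


def ou_path(dn: str) -> list[str]:
    """OU names from the domain root down to the object's immediate OU."""
    return [r.value for r in reversed(parse_dn(dn)) if r.attr == "OU"]


def can_link_gpo(dn: str) -> bool:
    """GPOs link to domains (DC=...) and OUs, not to built-in containers
    such as CN=Users or to leaf objects such as a user account."""
    return parse_dn(dn)[0].attr in ("OU", "DC")


def build_tree(dns: list[str]) -> dict:
    """Nest a list of DNs into a dict tree with the root (DC=com) on top."""
    tree: dict = {}
    for dn in dns:
        node = tree
        for rdn in reversed(parse_dn(dn)):
            node = node.setdefault(f"{rdn.attr}={rdn.value}", {})
    return tree


def layout_dns(domain_dn: str, states: dict[str, list[str]]) -> list[str]:
    """Generate the state -> city -> per-type OU layout described in the text."""
    leaf_ous = ("Admins", "Groups", "Computers", "Servers", "Users")
    out = [domain_dn]
    for state, cities in states.items():
        out.append(f"OU={state},{domain_dn}")
        for city in cities:
            city_dn = f"OU={city},OU={state},{domain_dn}"
            out.append(city_dn)
            out.extend(f"OU={ou},{city_dn}" for ou in leaf_ous)
    return out


if __name__ == "__main__":
    # Constructed sample layout: two states, three cities.
    sample = layout_dns("DC=securdi,DC=com",
                        {"Massachusetts": ["Boston"], "Texas": ["Austin", "Dallas"]})
    for dn in sample:
        print(f"{'GPO-linkable' if can_link_gpo(dn) else 'no GPO link':12} {dn}")
    user = "CN=jdoe,OU=Users,OU=Boston,OU=Massachusetts,DC=securdi,DC=com"
    print(dns_domain(user), ou_path(user), can_link_gpo(user))
    print(can_link_gpo("CN=Users,DC=securdi,DC=com"))   # built-in container: no
```

Running the script lists every DN in the generated layout with whether a GPO could be linked there; the user account and the built-in Users container both come out as not linkable, which is exactly the difference between an OU and a container from the list above.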

Other Active Directory services

Active Directory Federation Services: AD FS extends single sign-on beyond the organization’s security perimeter to web applications, so that customers, partners, and vendors get a simplified sign-in experience when accessing a corporation’s application services.

Lightweight Directory Services: AD LDS is a Lightweight Directory Access Protocol (LDAP) service that offers a subset of the AD DS functionality, which makes it more flexible. It can run as a stand-alone directory service without being integrated with a full Active Directory deployment.

Certificate Services: AD CS lets an organization create, manage, and distribute encryption certificates, which enable users to exchange information securely over the network.

Rights Management Services: AD RMS is a suite of tools that helps companies control access to their data and keep it safe. It relies on encryption, certificates, and authentication and applies to various application and information types, such as emails and documents.

How Active Directory aids IT

Adopting AD DS in an organization offers IT professionals several advantages:

You can choose how to arrange your data across the many types of users and roles in your firm.

You can manage AD DS from any node on the network if required.

AD DS offers built-in replication and redundancy: if one domain controller (DC) fails, another DC takes up the load.

A company might choose to administer Active Directory by logically grouping users according to the department they work in, their location, or a combination of these attributes.

Active Directory provides single sign-on to network resources hosted on any server inside the domain.

Active Directory simplifies resource location by letting file and print resources be published on the network. Publishing an object lets users safely access a network resource by searching the Active Directory database for it.

What is Azure Active Directory?

With more enterprises gradually migrating their business activities to the cloud, Microsoft released Azure Active Directory (Azure AD), its cloud-based counterpart to Windows AD, which can also be linked to on-premises AD deployments.

Azure AD is the identity foundation of Microsoft 365 and other Microsoft products. A few differences between Windows AD and Azure AD are as follows:

Communication: Azure AD employs a REST API, while Windows AD uses LDAP.

Identity management: Windows AD uses Kerberos and NTLM for authentication, while Azure AD uses its own web-based authentication mechanism.

Architecture: Unlike Windows AD, which is structured by OUs, trees, forests, and domains, Azure AD has a simple structure of users and groups.

Why Azure Active Directory (AAD)?

Azure Active Directory (Azure AD, or AAD) is the next generation of identity and access management (IAM) services for the cloud. Microsoft launched AD DS in Windows 2000 to allow enterprises to manage numerous on-premises network systems and components using a single identity.

Azure AD takes this strategy further by offering enterprises an Identity as a Service (IDaaS) solution for all their applications, in the cloud and on-premises.

-Authored by Rohan Gupta
