Active Directory

Active Directory is an administration framework used in organizations to manage a wide range of resources, including servers, workstations, users, and services. It provides a centralized and automated way to manage these resources, making it easier to enforce policies, control access, and monitor system activity.

Domain

To streamline the management of resources, Active Directory is organized into domains. A Windows domain is a group of users and computers that share a common security policy and access control settings. The primary goal is to centralize the administration of resources such as users and computers within a single system repository, called Active Directory (AD).

The server that runs Active Directory services is called a Domain Controller (DC). The Domain Controller is responsible for authenticating users, enforcing policies, and maintaining the database that holds all AD information.

Active Directory Structure

Active Directory stores information about various objects, each representing resources like users, computers, and security groups. These objects help organize and manage access to network resources in a consistent and secure manner.

Users

Users in Active Directory can represent individuals or services.

  • People: These are employees or individuals in the organization who need access to network resources (e.g., files, printers, applications).

  • Services: Some services in the organization run under a user account, and only the appropriate privileges should be assigned to those accounts to restrict their capabilities.

Users are often organized into Organizational Units (OUs), which are containers that can be used to group users based on department, role, or location.

Machines

Machine accounts, also known as service principals, represent devices like servers, workstations, printers, or domain controllers within the domain.

Like user accounts, machine accounts have passwords that should be automatically renewed at regular intervals.

The name of a machine account is typically the computer name followed by a dollar sign (e.g., ComputerName$).

Security groups

Security groups are used to easily assign rights and permissions to user and machine accounts.

By organizing accounts into security groups, it becomes easier to assign or revoke permissions based on the group, rather than on individual accounts.

Groups can also be nested inside other groups. Membership is then inherited: members of a nested group automatically receive the permissions and policies assigned to the parent group.

Security Group: Description

  • Domain Admins: Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs.

  • Server Operators: Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.

  • Backup Operators: Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers.

  • Account Operators: Users in this group can create or modify other accounts in the domain.

  • Domain Users: Includes all existing user accounts in the domain.

  • Domain Computers: Includes all existing computers in the domain.

  • Domain Controllers: Includes all existing DCs on the domain.
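Because nested groups inherit the rights of the parent group, the direct member list of a privileged group understates who can actually use it. The following added example (not code from the original page) flattens nested membership for the privileged groups listed above, stopping on circular nesting; all group and account names are constructed sample data.

```python
# Added example: resolve the effective (transitive) membership of the
# privileged AD groups through nested groups. Group/account names below
# are constructed sample data, not from any real directory.
from collections import deque

# constructed: direct members of each group. Names that are also keys of
# this dict are nested groups; "SRV01$" is a machine account.
GROUPS = {
    "Domain Admins":     ["administrator", "IT Admins"],
    "IT Admins":         ["bob", "Helpdesk"],
    "Helpdesk":          ["carol", "IT Admins"],   # circular nesting
    "Server Operators":  ["dave", "SRV01$"],
    "Backup Operators":  ["BackupSvc"],
    "Account Operators": [],
    "Domain Users":      ["administrator", "bob", "carol", "dave", "erin"],
}
PRIVILEGED = ["Domain Admins", "Server Operators",
              "Backup Operators", "Account Operators"]

def effective_members(group, groups=GROUPS):
    """Breadth-first expansion of nested groups; `seen` stops on cycles."""
    members, seen, queue = set(), {group}, deque([group])
    while queue:
        for entry in groups.get(queue.popleft(), []):
            if entry in groups:            # nested group: expand it once
                if entry not in seen:
                    seen.add(entry)
                    queue.append(entry)
            else:                          # user or machine account
                members.add(entry)
    return members

def privileged_accounts(groups=GROUPS, privileged=PRIVILEGED):
    """Map each account to the privileged groups it effectively belongs to."""
    report = {}
    for group in privileged:
        for account in sorted(effective_members(group, groups)):
            report.setdefault(account, []).append(group)
    return report

if __name__ == "__main__":
    for account, groups in sorted(privileged_accounts().items()):
        print(f"{account:15} -> {', '.join(groups)}")
```

Note that carol never appears in the direct member list of Domain Admins but is effectively a member through two levels of nesting; this is what an audit of privileged groups needs to surface.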

GPO

Within an OU, accounts can be added or deleted, and specific administrative permissions over the OU can be delegated to other users or groups.

A Group Policy Object (GPO) is a set of policies that can be applied to an Organizational Unit (OU) in Active Directory.

GPOs allow administrators to enforce security settings, configure user profiles, and deploy software across the network.

Policies applied via GPOs can control everything from password complexity to software restrictions, ensuring consistent and secure management of resources.

Authentication

There are two authentication mechanisms: Kerberos and NetNTLM.

Kerberos

The default authentication protocol in modern Windows environments. Kerberos is a ticket-based authentication system, which enhances security by using time-limited tickets for authentication. Kerberos Authentication Process:

  • The client authenticates to the Key Distribution Center (KDC) and requests a Ticket Granting Ticket (TGT).

  • The client then presents the TGT to the Ticket Granting Service (TGS) to request a service ticket for a specific network resource (service).

  • The client presents the service ticket to the target service to authenticate and access it.
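The three steps above, as an added simulation that is not part of the original page: the KDC and the service each hold their own key, tickets are "sealed" under the key of the party that will validate them (a TGT under the KDC key, a service ticket under the service key), and every ticket carries an expiry that is checked on use, which is what makes the tickets time-limited. Ticket encryption is replaced by an HMAC tag, and pre-authentication is omitted, so this models the message flow and lifetime checks rather than the real protocol; all keys and principal names are constructed.

```python
# Added example: a minimal model of the Kerberos TGT / service-ticket flow.
# Keys and principals are constructed; HMAC tags stand in for encryption.
import hmac, hashlib, json, time

KDC_KEY = b"krbtgt-secret"                         # constructed: TGT key
SERVICE_KEYS = {"cifs/fs01": b"fs01-secret"}       # constructed: service key
USER_KEYS = {"alice": b"alice-password-derived"}   # constructed: user key

def _seal(key, body):
    """'Encrypt' a ticket: tag its JSON body under the validator's key."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, raw, hashlib.sha256).hexdigest()}

def _open(key, ticket, now):
    """Verify the tag and the lifetime; raise if either check fails."""
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(ticket["tag"], expected):
        raise ValueError("ticket forged or tampered")
    if now > ticket["body"]["expires"]:
        raise ValueError("ticket expired")
    return ticket["body"]

def as_request(user, now, lifetime=600):
    """Step 1: the client authenticates to the KDC and receives a TGT."""
    if user not in USER_KEYS:
        raise ValueError("unknown principal")
    return _seal(KDC_KEY, {"user": user, "expires": now + lifetime})

def tgs_request(tgt, service, now, lifetime=300):
    """Step 2: the TGS validates the TGT and issues a service ticket."""
    body = _open(KDC_KEY, tgt, now)
    ticket = {"user": body["user"], "service": service,
              "expires": min(body["expires"], now + lifetime)}
    return _seal(SERVICE_KEYS[service], ticket)

def service_access(service, ticket, now):
    """Step 3: the service validates the ticket with its own key."""
    body = _open(SERVICE_KEYS[service], ticket, now)
    if body["service"] != service:
        raise ValueError("ticket issued for a different service")
    return f"{body['user']} authenticated to {service}"

def kerberos_flow(user, service, now=None, delay=0):
    """Run all three steps; `delay` seconds pass before the service is reached."""
    now = time.time() if now is None else now
    tgt = as_request(user, now)
    st = tgs_request(tgt, service, now)
    return service_access(service, st, now + delay)
```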

NetNTLM

An older authentication protocol, kept for backward compatibility with legacy systems. It is a challenge-response protocol: the server sends a challenge and the client answers with a response computed from its password hash, so the password itself is never transmitted. While NetNTLM is still supported, Kerberos is preferred in modern Windows versions for its greater security.

Domain aggregation

Active Directory can be extended and combined across multiple domains when necessary, particularly in large organizations or following mergers and acquisitions (M&A). There are two main ways to organize AD across multiple domains:

  1. Trees: Multiple domains can be combined into a tree, where all domains share the same namespace (e.g., example.com, sales.example.com).

  2. Forests: A forest is a collection of one or more trees, where each tree can have its own namespace (e.g., example.com and example.org). The forest is the top-level container in AD, and trees within the forest are linked together for authentication and resource sharing.

Trust Relationships: Active Directory also supports trust relationships between domains. These trusts allow users in one domain to access resources in another domain.

  • One-Way Trust: One domain trusts another, but not the other way around (e.g., Domain A trusts Domain B, but Domain B does not trust Domain A).

  • Two-Way Trust: Both domains trust each other, allowing users from both domains to access resources in the other domain.
