Active Directory Fundamentals
Before Active Directory existed, if you needed to get a shared file in a network, you had
to know the name or IP of the server, the path of the file, and its name.
Although this solution works for small networks, it is not scalable as the network grows.
A directory service solves this problem by mapping the names of network resources (shared files, folders, printers, servers, and so on) to their network addresses, so that a resource can be found by name rather than by location.
Today, a directory service like Active Directory (AD) is of paramount importance to an
organization’s network, especially the large ones.
AD supports almost all of the mission-critical processes and applications like resource
provisioning, capacity planning, security, network services, resource management, and
more.
In this article, we made a list of the essential terms and concepts in the Active Directory
world.
If you are a beginner in Active Directory, this list can help you get a good foundation on
the key concepts.
What is Active Directory?
Active Directory (AD) is Microsoft's directory service for Windows domain networks. It allows easy and quick storage, search, and management of resources within a network.
What it is not
Active Directory is not simply a database. The database is the physical data store held on a computer system; the directory service is the software that uses that database to look up and return information about the objects in it.
It comes with any Windows Server that has the Active Directory Domain Services role
(AD DS) installed.
AD is primarily used to store information about users and resources, to grant permissions on them, and to manage them.
The primary function of a domain controller is to authenticate users and computers in a Windows domain and to authorize their access to resources.
The most familiar example is a user signing in to a computer that is a member of a Windows domain.
A domain controller checks the credentials against the directory database; if the username and password are valid, the user is logged on to the computer.
Lightweight Directory Access Protocol (LDAP)
LDAP is the protocol that applications and systems use to query and modify a directory service.
In other words, LDAP provides a way to communicate with a directory service. Active Directory supports LDAP version 2 and version 3 as access protocols.
LDAP uses a client/server model and runs over TCP/IP, on port 389 by default (636 for LDAP over TLS). A client authenticates to the directory with a bind operation and then sends search and modify requests. Plain LDAP on port 389 is unencrypted unless the session is signed and sealed, so require LDAP signing or use LDAPS for anything that carries credentials.
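The following is an added example, not code from the original article: it builds an LDAP search filter from untrusted input with the escaping that RFC 4515 requires, then runs the query against the current domain through System.DirectoryServices over LDAP (TCP 389). It assumes a domain-joined Windows host, and the function names are the example's own.

```powershell
# Added example (not from the original article): build an LDAP filter safely and
# run it against the current domain with System.DirectoryServices over LDAP (TCP 389).
# Assumes a domain-joined Windows host; the function names are the example's own.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515). Without this, input
    # such as "*" or "x)(objectClass=*" changes the meaning of the whole filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        switch ($b) {
            0x2A    { [void]$sb.Append('\2a') }   # *
            0x28    { [void]$sb.Append('\28') }   # (
            0x29    { [void]$sb.Append('\29') }   # )
            0x5C    { [void]$sb.Append('\5c') }   # \
            0x00    { [void]$sb.Append('\00') }   # NUL
            default {
                # Non-printable and non-ASCII bytes are written as \hh as well.
                if ($b -lt 0x20 -or $b -gt 0x7E) { [void]$sb.Append('\' + $b.ToString('x2')) }
                else { [void]$sb.Append([char]$b) }
            }
        }
    }
    $sb.ToString()
}

function Find-AdUserByLogonName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$LogonName)
    $safe   = ConvertTo-LdapFilterValue -Value $LogonName
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    Write-Verbose "LDAP filter: $filter"
    # RootDSE tells us the domain naming context to search under.
    $rootDse  = [System.DirectoryServices.DirectoryEntry]::new('LDAP://RootDSE')
    $domainDn = $rootDse.Properties['defaultNamingContext'].Value
    $searcher = [System.DirectoryServices.DirectorySearcher]::new(
        [System.DirectoryServices.DirectoryEntry]::new("LDAP://$domainDn"), $filter)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName', 'objectSid', 'memberOf'))
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName = $result.Properties['samaccountname'][0]
            UPN            = $result.Properties['userprincipalname'][0]
            # objectSid comes back as a byte array; SecurityIdentifier renders it as S-1-5-21-...
            SID            = [System.Security.Principal.SecurityIdentifier]::new($result.Properties['objectsid'][0], 0).Value
            MemberOf       = @($result.Properties['memberof'])
        }
    }
}

# Filter-syntax characters in untrusted input are neutralised before they reach the DC.
ConvertTo-LdapFilterValue -Value 'admin*)(objectClass=*'

# Find-AdUserByLogonName -LogonName 'jdoe' -Verbose
```

The escaping step is the security-relevant part: a wildcard or a closing parenthesis in a logon name taken from a web form would otherwise turn a lookup for one account into a match on every account, so `*` is emitted as `\2a` and the parentheses as `\28` and `\29` before the filter is sent.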
Active Directory Web Services (ADWS)
ADWS allows remote management of local Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) instances, and Active Directory Database Mounting Tool instances. The Active Directory PowerShell module and the Active Directory Administrative Center talk to domain controllers through it.
ADWS uses WS-* web service protocols over TCP port 9389; it does not use the HTTP ports 80 or 443.
Directory System Agent (DSA)
The DSA is the collection of services and processes on a domain controller that gives access to the directory data store; LDAP requests are serviced by it.
The DSA provides access to the portion of the directory requested by a Directory User Agent (the client).
Active Directory Structure
Active Directory organizes all your networked resources in a logical structure.
In other words, the logical structure is independent of the physical network topology and of the number of domain controllers.
So rather than finding a resource by its physical location, AD allows users to find it by its name.
Active Directory allows you to organize network elements like users or computers into
the hierarchical logical structure.
At the top of the hierarchy is the Forest, followed by Trees, which hold one or more
domains.
Objects
Each object represents a unique network entity such as a user or computer, and it is described by a set of attributes.
For example, a user object can be specified by name, ID, address, telephone, and more.
Objects fall into two categories:
1. Resources
2. Security Principals
The objects within the resources category are things that are accessed, such as printers, computers, or other shared devices (a computer is also a security principal, since it has an account and a SID).
Objects within the security principals category are users, computers, groups, and in general any object that can be authenticated or granted permissions.
Every security principal has a Security Identifier (SID). The SID, not the name, is what appears in access control lists, so it is the SID that is used to allow or deny access to resources within a domain.
The object types supported by default in Active Directory:
Users:
These are the objects assigned to individuals who need access to the domain
resources. A user account has a user name and a password.
Computers:
It represents a workstation or server within the domain.
Contacts:
It contains information about third-party contacts, such as people outside the organization. A contact has no SID, so it cannot log on or be granted permissions; it exists mainly for address lists.
Groups:
These objects represent a collection of user accounts, computers, or contacts. There
are two types: Security and Distribution groups. Groups ease the management of
many objects into a single unit.
Shared folder:
This object is mapped to a server share and is used to share files throughout the
entire network.
Printer:
This object corresponds to a shared printer within the domain.
Organizational Unit (OU):
This type of object is a container that can include other objects like users, computers,
or groups from the same domain. An OU is used to store similar objects and make
their management easier. It is also used to apply group policy settings and
permissions to the entire container.
Another distinction is that groups are security principals with SIDs and can be granted permissions, while OUs have no SID, cannot be placed in a group, and cannot be granted permissions; OUs are targets for Group Policy and delegated administration, not for permissions on resources.
User Naming Attributes
A user object is identified by several naming attributes, and each one matters for security because it is what a logon or an access check is matched against:
UserPrincipalName (UPN):
It is the primary logon name for the user, in the form user@suffix. By convention, the UPN matches the user's email address.
ObjectGUID:
It is a unique identifier of the object, assigned at creation. The ObjectGUID never changes, even if the object is renamed or moved, and it is never reused after the object is deleted.
SAMAccountName:
It is the logon name used by earlier (pre-Windows 2000) clients and servers, in the form DOMAIN\user; for user accounts it is limited to 20 characters and must be unique within the domain.
ObjectSID:
This is the Security Identifier (SID) of the user. It is the value placed in access tokens and ACLs, so it identifies the user and its group membership during access checks.
SIDHistory:
These are previous SIDs of the user object, kept when an account is migrated between domains so that it retains access granted to its old SID. Access checks honour SIDHistory values just like the object's own SID, so the attribute should be audited: a history SID with a privileged relative identifier (RID) confers that privilege.
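The following is an added example, not code from the original article: it takes an objectSid apart into its domain part and RID, and reviews sIDHistory values for entries that carry privilege. It runs offline on the constructed SIDs below; the live query at the end assumes the ActiveDirectory module on a domain-joined host. The function names and the domain SIDs are invented.

```powershell
# Added example (not from the original article): take an objectSid apart and review
# sIDHistory values for entries that carry privilege. Runs offline on the constructed
# SIDs below; the live query at the end assumes the ActiveDirectory module. Function
# names and the domain SIDs are invented.

# RIDs of well-known principals; any of these in a history entry deserves a look.
$wellKnownRid = @{ 500 = 'Administrator'; 502 = 'krbtgt'; 512 = 'Domain Admins';
                   516 = 'Domain Controllers'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

function Split-Sid {
    # Return the domain part and the relative identifier (RID) of a SID string.
    # A SID is S-1-<authority>-<subauthorities...>; for domain SIDs the last
    # subauthority is the RID that the RID master allocates, the rest is the domain.
    param([Parameter(Mandatory)][string]$Sid)
    $s   = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $rid = [int]($Sid.Substring($Sid.LastIndexOf('-') + 1))
    $domainSid = if ($null -ne $s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
    $name = $wellKnownRid[$rid]
    if (-not $name) { $name = '' }
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $domainSid
        Rid       = $rid
        WellKnown = $name
    }
}

function Test-SidHistoryEntry {
    # Flag a sIDHistory value that should be reviewed: a RID below 1000 is a built-in
    # principal (512 = Domain Admins, 519 = Enterprise Admins), and a history SID from
    # the object's own domain cannot come from a legitimate migration.
    param([Parameter(Mandatory)][string]$ObjectSid,
          [Parameter(Mandatory)][string]$HistorySid)
    $obj = Split-Sid -Sid $ObjectSid
    $his = Split-Sid -Sid $HistorySid
    $reasons = @()
    if ($his.Rid -lt 1000) {
        $label = if ($his.WellKnown) { " ($($his.WellKnown))" } else { '' }
        $reasons += "well-known RID $($his.Rid)$label"
    }
    if ($his.DomainSid -and $his.DomainSid -eq $obj.DomainSid) {
        $reasons += 'history SID is from the same domain as the object'
    }
    [pscustomobject]@{
        ObjectSid  = $obj.Sid
        HistorySid = $his.Sid
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

# Constructed sample: a user in domain S-1-5-21-1111-2222-3333 (RID 1105) carrying three
# history SIDs; only the first is what a migration normally leaves behind.
$userSid = 'S-1-5-21-1111-2222-3333-1105'
$history = @(
    'S-1-5-21-4444-5555-6666-1204',   # ordinary account from the source domain
    'S-1-5-21-4444-5555-6666-512',    # Domain Admins of the source domain
    'S-1-5-21-1111-2222-3333-519'     # Enterprise Admins of the object's own domain
)
$history | ForEach-Object { Test-SidHistoryEntry -ObjectSid $userSid -HistorySid $_ } | Format-Table -AutoSize

# Live version (assumes the ActiveDirectory module and a domain-joined host):
# Get-ADUser -Filter 'sIDHistory -like "*"' -Properties sIDHistory | ForEach-Object {
#     $user = $_
#     $user.SIDHistory | ForEach-Object { Test-SidHistoryEntry -ObjectSid $user.SID.Value -HistorySid $_.Value }
# }
```

The second and third sample entries are flagged: the second because RID 512 is Domain Admins of the source domain, which a migration tool would not normally carry over, and the third because a SID from the object's own domain can only have been written into sIDHistory directly.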
Domains
Domains are the core structural units of Active Directory.
A domain is a collection of objects that share a common directory database, security policies, and trust relationships; it is identified by a DNS name.
This model allows security to be administered per domain: permissions are granted to users and groups defined in the domain.
The domain controllers of a domain run the security services that provide authentication and authorization for its resources.
Common Characteristics of an AD domain:
Trees
An AD Tree is a group of domains within the Active Directory network that share a
common DNS naming structure.
The word "tree" is used because each child domain has exactly one parent, which creates a hierarchical tree structure.
Forests
The forest is the top container in the hierarchical structure and the security boundary of Active Directory: administrators of one forest have no rights in another unless a trust grants them.
It can consist of a single tree with one domain or several trees with multiple domains.
All domains in a forest share a single schema, a single configuration partition, and a single global catalog, so an object class or attribute defined in the schema is the same in every domain of the forest.
Another characteristic of a forest is that its domains trust each other by default, through two-way transitive trusts.
Groups
An Active Directory Group is a collection of objects, such as users, computers, or
contacts.
Instead of managing every single object individually, a manager can control all of them
as a whole.
Groups are frequently used for assigning permissions to objects within a domain.
Security Group:
It is used to give or deny access to specific resources within a domain.
Distribution Group:
It is used to distribute emails and messages to the entire group. This group is not
designed for providing access to resources.
Group Scopes
Both security and distribution groups have one of three scopes: Universal, Global, or Domain Local.
The group scope defines where in the forest the group can be granted permissions and which objects it can contain.
Global Groups:
Can contain only user and computer accounts (and other global groups) from the same domain. A global group can be granted access to resources in any domain in the forest, or in a trusting domain.
Domain Local Groups:
Can contain accounts and global or universal groups from any domain. A domain local group can only be granted access to resources in its own domain.
Universal Groups:
Can contain accounts and global or universal groups from any domain in the forest, and can be granted access to resources in any domain in the forest. Universal group membership is stored in the global catalog, so membership changes replicate forest-wide.
A common pattern is to place accounts in global groups, nest the global groups in domain local groups, and grant permissions to the domain local groups.
Schema
The schema is the layout that defines which object classes and attributes can exist in the directory, and which attributes each class must or may have.
Every object created in Active Directory is an instance of an object class. For example,
the “User Object” is an instance of the “User Class.”
When a new user is created, it falls into the object class “User,” and it will require
mandatory or optional attributes, according to the schema.
Functional Levels
Active Directory Functional Levels are controls that determine which Active Directory
Domain Services features can be used in the domain or forest.
These levels also determine the minimum version of Windows Server that domain controllers must run; a DC on an older version cannot be added once the level has been raised.
As a best practice, when deploying AD DS, set the domain and forest functional levels to the highest value that all of your domain controllers support, so that the latest features are available. Raising a functional level cannot in general be undone, so retire older domain controllers first.
FSMO Roles
Active Directory is multi-master: any domain controller can accept changes. A few operations would conflict if two DCs performed them at once, so each is assigned to exactly one DC, the holder of the corresponding Flexible Single Master Operation (FSMO) role. Authentication continues if a role holder is down; only the role's own operation is affected.
1. Schema Master
A forest-wide FSMO role. There is only one schema master in the entire forest, and only it can write schema changes.
2. Domain Naming Master
A forest-wide FSMO role. There is only one domain naming master, which is in charge of adding and removing domains in the forest.
3. Primary Domain Controller Emulator:
The PDC Emulator is a domain-wide FSMO role. It is the final authority on passwords in the domain: password changes are replicated to it first, and other DCs consult it before rejecting a logon with a bad password. It also processes account lockouts, is the default DC on which Group Policy is edited, and is the authoritative time source for the domain.
4. Relative Identifier Master
The RID master is a domain-wide FSMO role. It allocates blocks (pools) of relative identifiers to each DC in the domain, so that SIDs created on different DCs never collide.
5. Infrastructure Master
A domain-wide FSMO role that keeps cross-domain references up to date, translating between GUIDs, SIDs, and distinguished names when an object referenced from another domain is renamed or moved. In a multi-domain forest it should not run on a global catalog server unless every DC is a global catalog.
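The following is an added example, not code from the original article: it lists the FSMO role holders of the current forest and domain, and decodes the RID master's allocation pool so you can see how many RIDs the domain has left. The decoder runs offline on a constructed value; the two live queries assume the ActiveDirectory module on a domain-joined host. The function names are the example's own.

```powershell
# Added example (not from the original article): list the FSMO role holders and decode
# the RID master's allocation pool. The decoder runs offline on a constructed value;
# the two live queries assume the ActiveDirectory module on a domain-joined host.
# Function names are the example's own.

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool (on CN=RID Manager$,CN=System,<domain>) is a 64-bit integer:
    # the upper 32 bits hold the highest RID the domain may ever issue, the lower
    # 32 bits hold the next RID that will be handed out when a DC asks for a pool.
    param([Parameter(Mandatory)][int64]$Value)
    $max  = [int64]($Value -shr 32)
    $next = [int64]($Value -band 0xFFFFFFFF)
    [pscustomobject]@{
        NextRid       = $next
        MaxRid        = $max
        RidsRemaining = $max - $next
        PercentUsed   = [math]::Round(100.0 * $next / $max, 4)
    }
}

function Get-FsmoRoleHolder {
    # Forest-wide roles are properties of the forest object, domain-wide roles of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-RidPoolStatus {
    # Read the pool from the RID master itself so the value is not a stale replica.
    $domain = Get-ADDomain
    $ridManager = Get-ADObject -Server $domain.RIDMaster `
        -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
        -Properties rIDAvailablePool
    ConvertFrom-RidAvailablePool -Value ([int64]$ridManager.rIDAvailablePool)
}

# Constructed sample: the default ceiling of 0x3FFFFFFF (about 1.07 billion RIDs)
# with 3100 RIDs already issued to domain controllers.
$sample = ([int64]0x3FFFFFFF -shl 32) + 3100
ConvertFrom-RidAvailablePool -Value $sample

# Get-FsmoRoleHolder
# Get-RidPoolStatus
```

The pool figure is worth watching because RIDs are never reused: every account, group, or computer ever created in the domain consumes one, and a script that creates and deletes objects in a loop burns through the pool just as a real deployment does.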
Active Directory Recycle Bin
This feature allows you to restore deleted objects and their attributes.
For example, if you accidentally removed user accounts within a domain, the Recycle Bin allows you to restore them with their group memberships, access rights, and so on. It must be enabled at forest level and requires the Windows Server 2008 R2 forest functional level or higher.
Read-Only Domain Controller (RODC)
The primary purpose of an RODC is to improve security in branch offices where a domain controller cannot be physically protected: it holds a read-only copy of the directory, caches only the credentials that its Password Replication Policy allows, and forwards write operations to a writable domain controller.
SYSVOL Folder
SYSVOL is a shared folder on each domain controller (DC).
It stores the domain's Group Policy templates and logon scripts, and it is replicated to every DC in the domain (by DFS Replication on current domain functional levels).
Because every domain member reads from SYSVOL, its contents should be treated as sensitive configuration: anything placed there is delivered to every computer that applies the policy.
The AD services available in Windows Server 2008 and Windows Server 2008 R2 are:
Active Directory Domain Services (AD DS)
It is the directory service that provides the technology for storing directory data. It also makes this data available and manageable for end-users and administrators.
Active Directory Federation Services (AD FS)
It provides Single Sign-On (SSO) access control for web applications, web sites, or multiple resources within a network.
AD FS gives flexibility when accessing multiple resources. End-users only need to remember one set of credentials to use them all.
After a user signs in, AD FS issues a security token containing claims about the user, and third-party applications that trust AD FS accept that token instead of authenticating the user against AD themselves.
Active Directory Rights Management Services (AD RMS)
It protects documents like emails, Office documents, and web pages using encryption. It can also enforce data access policies.
AD RMS can let you deny or permit access to specific users, allow modify or read-only actions, limit certain operations, and more.
Active Directory Certificate Services (AD CS)
This service lets you set roles and policies for creating, managing, distributing, using, storing, and revoking certificates and public keys.
You can also automate certificate provisioning.
With AD CS, you can use the existing identity data found in Active Directory to enrol for new certificates. You can also use Group Policy to auto-enrol specific certificates for particular users or computers.
Active Directory Lightweight Directory Services (AD LDS)
AD LDS is a standalone LDAP directory for applications. It is not bound to Active Directory, its domains, or its forests.
You can run this service on any stand-alone server. AD LDS provides its own data store and the services for accessing it.
Domain Name System (DNS)
To run your first domain controller, you need to install AD DS and the DNS Server role.
You need DNS for the translation of hostnames into IP addresses within your domain.
All the clients in AD use DNS to find the domain controllers, and the domain controllers use it to find each other.
The DNS namespace is global across the Internet, while the Active Directory namespace is typically a private part of it (or a separate private name) used inside the organization's network.
DNS Zones
A DNS Zone is a section of the DNS namespace.
DNS Zones are composed of resource records, which are blocks of IP and name
information used to resolve DNS queries.
Some common resource record types are A, AAAA, CNAME, MX, NS, and SRV.
There are multiple zone types; in AD the most common is the Active Directory-integrated zone, whose data is stored in the directory and replicated with it.
The other types are primary, secondary, and stub zones. Each zone is either a forward lookup zone (name to address) or a reverse lookup zone (address to name), and zone transfers copy zone data from a primary to its secondaries; restrict transfers to known servers, because a zone transfer lists every host in the zone.
Dynamic DNS
While DNS maps hostnames to static IP addresses, Dynamic DNS (DDNS) maps
names to dynamically assigned IP addresses, from services such as DHCP.
DDNS automatically updates the DNS server with new information when there are
changes in IP addressing.
Clients in an AD domain use dynamic updates to register and update their own resource records.
For example, if a client moves from one LAN to another, its IP address will likely change, and dynamic update will adjust its records in DNS automatically.
On Active Directory-integrated zones, configure the zone to accept only secure dynamic updates, so that a record can be changed only by the account that registered it.
SRV Records in Active Directory
The Service (SRV) record defines the location of servers that host particular services.
In Active Directory, when clients want to locate a domain controller for a given service, they query the SRV records in DNS. When a new domain controller is promoted, its Netlogon service registers the SRV records in DNS.
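The following is an added example, not code from the original article: it builds the SRV record names that the domain controller locator queries for a domain and site, and resolves them with Resolve-DnsName (Windows DnsClient module). The domain and site names are placeholders, the function names are the example's own, and the resolution step needs a resolver that serves the AD zone.

```powershell
# Added example (not from the original article): the SRV records a client queries to
# locate domain controllers, built from the domain name and resolved with Resolve-DnsName
# (Windows DnsClient module). Domain and site names are placeholders; the resolution
# step needs a resolver that serves the AD zone. Function names are the example's own.

function Get-DcLocatorRecordName {
    # Record names follow _<service>._<protocol>.[<site>._sites.]<qualifier>.<domain>,
    # as registered by the Netlogon service on every domain controller.
    param([Parameter(Mandatory)][string]$DomainName, [string]$SiteName)
    $site = if ($SiteName) { "$SiteName._sites." } else { '' }
    [pscustomobject]@{
        AnyDc            = "_ldap._tcp.${site}dc._msdcs.$DomainName"      # any DC of the domain
        Kdc              = "_kerberos._tcp.${site}dc._msdcs.$DomainName"  # Kerberos KDC
        Pdc              = "_ldap._tcp.pdc._msdcs.$DomainName"           # PDC emulator (no site variant)
        GlobalCatalog    = "_gc._tcp.${site}$DomainName"                  # GC servers; registered under the forest root name
        KerberosPassword = "_kpasswd._tcp.$DomainName"                    # Kerberos password change service
    }
}

function Resolve-DcLocatorRecord {
    param([Parameter(Mandatory)][string]$DomainName, [string]$SiteName)
    $names = Get-DcLocatorRecordName -DomainName $DomainName -SiteName $SiteName
    foreach ($p in $names.PSObject.Properties) {
        try {
            Resolve-DnsName -Name $p.Value -Type SRV -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object {
                    # Lower Priority is preferred; Weight balances among equal priorities.
                    [pscustomobject]@{ Role = $p.Name; Record = $p.Value; Target = $_.NameTarget
                                       Port = $_.Port; Priority = $_.Priority; Weight = $_.Weight }
                }
        } catch {
            [pscustomobject]@{ Role = $p.Name; Record = $p.Value; Target = "unresolved: $($_.Exception.Message)" }
        }
    }
}

Get-DcLocatorRecordName -DomainName 'corp.example.com' -SiteName 'HQ'
# Resolve-DcLocatorRecord -DomainName 'corp.example.com' -SiteName 'HQ' | Format-Table -AutoSize
```

The site-specific names are the ones a client tries first, which is why the subnet-to-site mapping described later on this page matters: a client in an unmapped subnet falls back to the domain-wide record and may authenticate against a DC on the far side of a WAN link.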
DNS Forwarders
DNS Forwarders are servers that forward DNS queries for addresses that do not belong
to a zone or cannot be resolved locally.
These servers send queries for names outside the organization, such as public Internet addresses, to DNS servers outside the network.
Without a DNS forwarder, the DNS server would have to query the root DNS servers every time there is an unknown name.
DNS Aging and Scavenging
Dynamically registered records are not removed when a client disappears, so a zone fills with stale records over time. DNS aging and scavenging solves this problem: it timestamps dynamic records and automatically removes those that have not been refreshed within the configured interval.
Root Hints
Root hints are a list of resource records kept on a DNS server that it uses to resolve names for which it is not authoritative and has no forwarder.
The root hints file contains the names and IP addresses of the authoritative DNS servers for the root zone.
The difference from DNS forwarders, which also help resolve external hostnames, is that root hints list the authoritative name servers for the root of the namespace, so the server resolves names itself by recursion, whereas a forwarder is simply another DNS server that is asked to resolve the query on the server's behalf.
Dynamic Host Configuration Protocol (DHCP)
When a client using DHCP connects to a network, it sends a DHCP discover broadcast to find a server, which in turn sends a DHCP offer with an available IP address; the client then requests that address and the server acknowledges the lease.
DHCP Scope
The DHCP Scope is an IP address range that is available for distribution to computers,
or DHCP clients on a specific subnet.
IP Address Pools
The DHCP scope, minus its exclusions, determines the IP address pool.
The DHCP server, with its established scope, assigns IP addresses from the pool.
When a lease expires or a client releases it, the IP address is returned to the pool. If a pool is exhausted, the address range must be expanded (or the lease time shortened).
DHCP Reservations
A DHCP server can be configured to reserve and allocate permanent addresses to
specific clients.
The server reserves the address in the IP address pool and ensures that only the client with the defined MAC address receives it.
Reservations are often used for printers, servers, VIP workstations, and so on.
DHCP Filtering
DHCP filtering is a server function used to restrict which clients are served.
With this feature, you can explicitly allow or deny DHCP requests from specific clients by MAC address.
DHCP filtering prevents unknown clients from being allocated a dynamic IP address by the DHCP server. It does not stop a client that configures a static address, and MAC addresses can be spoofed, so it is a convenience rather than a substitute for network access control.
DHCP Failover
DHCP failover is a Windows Server 2012 feature that ensures fault tolerance and load
balancing for DHCP requests.
In a DHCP failover scenario, two (or more) DHCP servers manage the same IP pool.
If one DHCP server fails, the load is automatically taken over by the other server.
In load balancing, the two (or more) servers share an entire load of DHCP client
requests, while also allowing fault tolerance.
Active Directory Replication
Replication in Active Directory is the process that helps ensure that the information
between domain controllers remains consistent. If a change is made in one domain
controller, the AD replication methods help the other DCs to synchronize in time.
Subnets
A subnet is a logical portion of a network, usually bounded by a router.
Each subnet within the network has its own IP address range.
In Active Directory, subnet objects are mapped to sites. Clients use them to find a domain controller in their own site, and domain controllers use them to choose the best route between themselves during replication.
Sites
A site is a set of well-connected subnets, typically one physical location.
Within each AD site, there are domain controllers that are associated with connection objects.
Sites help in the configuration of replication by taking into account the accessibility of the network's physical resources.
Connection Object
It is an AD object that serves as a replication connection between a source and a
destination domain controllers, within a site.
The Connection Object determines which domain controller replicates with which other,
specifies their schedule, and also their replication transport type.
KCC
The Knowledge Consistency Checker (KCC) is a built-in process on every domain controller that builds and maintains the replication topology so that the directory stays consistent.
It runs on all domain controllers and creates the replication topology of the entire forest.
The KCC process can generate individual topologies if the replication is in a site or
between sites.
Site Link
Active Directory site links are logical paths created to connect sites and are used during
replication.
The site link allows the KCC to create connections between domain controllers.
A single site link object can represent a group of sites that can talk to each other using
the same network type.
Site Link Bridge
The Active Directory Site Link Bridge is an object that represents a logical connection
between site links.
It provides a transitive path between two or more site links that are not directly connected.
A site link bridge allows domain controllers in sites that are not directly linked to replicate with each other.
Global Catalog
The Global Catalog (GC) is a partial, read-only replica of every object in the forest, hosted on a domain controller. A DC that hosts the GC is known as a Global Catalog Server.
A GC server stores a full, writable copy of the objects in its own domain, plus a partial copy (a subset of attributes) of every object in every other domain in the forest.
With this partial replica of the forest, users and applications can quickly search for and find objects in any domain.
The GC also resolves universal group membership at logon, so a GC must be reachable for a user to log on in a multi-domain forest.
Placing a GC at each site keeps these logon lookups and searches local instead of crossing site links. Replication traffic itself comes in two types:
Intra-site Replication:
When domain controllers are part of the same site, the replication of the AD database
can happen much faster.
Inter-site Replication:
When domain controllers belong to different sites. Optimizing this type of replication
can help to reduce the traffic between sites.
Service Principal Name (SPN)
An SPN is a unique identifier for an instance of a service, in the form service-class/host[:port], registered on the account that runs the service. A Kerberos client requests a ticket for the SPN of the service it wants, and the KDC uses the SPN to find the account whose key should encrypt that ticket; it is the SPN, not a user's credentials, that lets the client authenticate the service.
NTLM
The NT LAN Manager (NTLM) is an older authentication protocol that uses a challenge/response mechanism.
Although NTLM is still supported in AD, Kerberos is the preferred choice for authentication: NTLM provides no mutual authentication and its responses can be relayed, so restrict it where possible.
NTFS Permissions
NT File System (NTFS) permissions are used to grant or deny access to files or folders on NTFS volumes; they apply to local and network access alike. The basic NTFS permissions are:
Full Control
Modify
Read & Execute
Read
Write
Share Permissions
Share permissions have the same purpose as NTFS permissions, to prevent unauthorized access.
But share permissions only control access to files and folders when they are reached through the network share; local access is not affected.
These permissions work on FAT, FAT32, and NTFS. When both apply, the effective permission over the network is the more restrictive of the share permission and the NTFS permission.
The types of share permissions are:
Read
Change
Full Control
Access Control Lists (ACLs)
An ACL is the list of permissions attached to an object that controls who can access it.
Every securable object in Windows, including every Active Directory object, has a security descriptor that can hold two ACLs: a Discretionary ACL (DACL) and a System ACL (SACL).
ACLs are made up of Access Control Entries (ACEs), each of which allows or denies a set of rights to a user or group.
The difference between the DACL and the SACL is what their ACEs mean: DACL entries grant or deny access, while SACL entries specify which access attempts are audited.
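The following is an added example, not code from the original article: it parses a security descriptor written in SDDL, lists the DACL and SACL entries, and flags the rights that let a principal take control of an AD object. It runs offline on the constructed SDDL below (Windows only, since SDDL parsing uses the Windows security APIs); the function name and the sample SIDs are invented.

```powershell
# Added example (not from the original article): parse a security descriptor written in
# SDDL, list its DACL and SACL entries, and flag rights that let a principal take control
# of an AD object. Runs offline on the constructed SDDL below (Windows only, as SDDL
# parsing uses the Windows security APIs); the function name and sample SIDs are invented.
Add-Type -AssemblyName System.DirectoryServices

function Get-DescriptorEntry {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    # A principal holding any of these can rewrite the ACL or take ownership, which is
    # equivalent to full control however the rest of the DACL reads.
    $control = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    $lists = @(
        @{ Name = 'DACL'; Acl = $sd.DiscretionaryAcl }   # who may do what
        @{ Name = 'SACL'; Acl = $sd.SystemAcl }          # which attempts are audited
    )
    foreach ($list in $lists) {
        if ($null -eq $list.Acl) { continue }
        foreach ($ace in $list.Acl) {
            $rights = [System.DirectoryServices.ActiveDirectoryRights]($ace.AccessMask)
            [pscustomobject]@{
                List         = $list.Name
                Type         = $ace.AceType                  # AccessAllowed, AccessDenied, SystemAudit
                Principal    = $ace.SecurityIdentifier.Value
                Rights       = $rights
                Inherited    = ([int]$ace.AceFlags -band [int][System.Security.AccessControl.AceFlags]::Inherited) -ne 0
                ControlRight = ([int]$rights -band $control) -ne 0
            }
        }
    }
}

# Constructed sample: owner and group are Builtin\Administrators (BA); the DACL grants
# full control to BA, read to Authenticated Users (AU), WriteDacl to one domain user,
# and an inherited read/write-property ACE to another; the SACL audits successful
# WriteDacl/WriteOwner by Everyone (WD).
$sampleSddl = 'O:BAG:BAD:' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
    '(A;;LCRPLORC;;;AU)' +
    '(A;;WD;;;S-1-5-21-1111-2222-3333-1105)' +
    '(A;CIID;RPWP;;;S-1-5-21-1111-2222-3333-2000)' +
    'S:(AU;SA;WDWO;;;WD)'

Get-DescriptorEntry -Sddl $sampleSddl | Format-Table -AutoSize

# Against a real object (assumes the AD: drive from the ActiveDirectory module):
# Get-DescriptorEntry -Sddl (Get-Acl -Path 'AD:\OU=Servers,DC=corp,DC=example,DC=com').Sddl |
#     Where-Object ControlRight
```

The entry for S-1-5-21-1111-2222-3333-1105 is the one to notice: it holds only WriteDacl, which looks minor next to full control, but a principal that can rewrite the DACL can grant itself anything, so reviews of AD object ACLs should treat WriteDacl and WriteOwner as equivalent to GenericAll.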
Group Policy
Group Policy (GP) is a Microsoft Windows tool that allows central management of user
and computer accounts, OS configuration, and apps/user settings.
Group policies are used within an Active Directory environment and can be used to set
password policies, lock screen, restrict access to certain portions in the system, force a
home page, even run specific scripts, among many more.
Once GPOs are applied to any user or computer object within Active Directory, GP will
automatically send all the settings to that object.
The client will receive the settings and put them on the computer.
A GPO is divided into two parts, the user settings and the computer settings:
User Settings:
GPO that applies a configuration to user objects.
Computer Settings:
GPO that applies a configuration to computer objects.
Group Policy Processing Order
GPOs are applied in the following order, and a setting from a later GPO overrides the same setting from an earlier one:
Local policy
Site-level policies
Domain-level policies
OU-level policies (parent OU before child OU)
GPO Inheritance
GPOs can be linked locally or to sites, domains, or OUs.
GPO inheritance lets administrators configure a common set of policies at the site, domain, and OU levels of the four-level hierarchy; a child OU inherits every GPO linked above it.
Inheritance can be broken with the Block Inheritance option on a domain or OU, which stops GPOs linked at higher levels from applying there, except those marked Enforced.
GPO Enforced
Enforced (formerly No Override) is a setting on a GPO link that prevents the GPO from being overridden by GPOs linked lower in the hierarchy and from being blocked by Block Inheritance.
An enforced GPO is applied last, so it wins any conflict; if several links are enforced, the one closest to the domain wins.
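The following is an added example, not code from the original article: it computes the order in which GPOs are applied to an object from constructed link data, implementing the rules above (local first, then site, domain, OU and child OU; lower link order wins within a container; Block Inheritance drops non-enforced links from above; Enforced links are applied last, with the one nearest the domain last of all). The container and GPO names are made up and the function is the example's own; Get-GPInheritance from the GroupPolicy module shows the real links for a container.

```powershell
# Added example (not from the original article): compute the order in which GPOs are
# applied to a user or computer from constructed link data. Container and GPO names are
# made up; the function is the example's own. Get-GPInheritance shows real links.

function Get-GpoApplicationOrder {
    [CmdletBinding()]
    # $Containers is ordered from the top of the hierarchy (site) down to the container
    # holding the object. Each has Name, BlockInheritance and Links; each link has
    # GPO, LinkOrder, Enforced and Enabled.
    param([Parameter(Mandatory)][object[]]$Containers)

    # Block Inheritance at depth $cut discards non-enforced links from every depth above it.
    $cut = 0
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $cut = $i }
    }

    $applied = [System.Collections.Generic.List[string]]::new()
    $applied.Add('Local Group Policy [local]')   # always first, lowest precedence

    # Pass 1: non-enforced links, top-down. Within a container, higher LinkOrder numbers
    # go first so that LinkOrder 1 is applied last and wins.
    for ($i = $cut; $i -lt $Containers.Count; $i++) {
        $c = $Containers[$i]
        foreach ($l in @($c.Links | Where-Object { $_.Enabled -and -not $_.Enforced } | Sort-Object LinkOrder -Descending)) {
            $applied.Add("$($l.GPO) [$($c.Name)]")
        }
    }
    for ($i = 0; $i -lt $cut; $i++) {
        foreach ($l in @($Containers[$i].Links | Where-Object { $_.Enabled -and -not $_.Enforced })) {
            Write-Verbose "$($l.GPO) at $($Containers[$i].Name) blocked by $($Containers[$cut].Name)"
        }
    }

    # Pass 2: enforced links, bottom-up, so the link nearest the top is applied last.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $c = $Containers[$i]
        foreach ($l in @($c.Links | Where-Object { $_.Enabled -and $_.Enforced } | Sort-Object LinkOrder -Descending)) {
            $applied.Add("$($l.GPO) [enforced at $($c.Name)]")
        }
    }
    $applied.ToArray()   # first applied ... last applied (the one that wins conflicts)
}

function New-GpLink {
    param($GPO, $LinkOrder, $Enforced = $false, $Enabled = $true)
    [pscustomobject]@{ GPO = $GPO; LinkOrder = $LinkOrder; Enforced = $Enforced; Enabled = $Enabled }
}

# Constructed sample: site -> domain -> OU=Workstations (blocks inheritance) -> OU=Finance.
$sample = @(
    [pscustomobject]@{ Name = 'Site HQ'; BlockInheritance = $false; Links = @(
        (New-GpLink 'Site-Proxy' 1)) }
    [pscustomobject]@{ Name = 'corp.example.com'; BlockInheritance = $false; Links = @(
        (New-GpLink 'Default Domain Policy' 1),
        (New-GpLink 'Security-Baseline' 2 -Enforced $true)) }
    [pscustomobject]@{ Name = 'OU=Workstations'; BlockInheritance = $true; Links = @(
        (New-GpLink 'WS-Hardening' 1 -Enforced $true),
        (New-GpLink 'WS-Printers' 2)) }
    [pscustomobject]@{ Name = 'OU=Finance'; BlockInheritance = $false; Links = @(
        (New-GpLink 'Finance-Apps' 1),
        (New-GpLink 'Old-Policy' 2 -Enabled $false)) }
)
Get-GpoApplicationOrder -Containers $sample -Verbose
```

For the sample, Site-Proxy and Default Domain Policy are blocked at OU=Workstations, WS-Printers and Finance-Apps apply in that order, and the two enforced GPOs come last with Security-Baseline after WS-Hardening, so the domain-level baseline wins even though the OU also enforces its own link. This is why a baseline such as a password or audit policy is enforced at the domain: an administrator of a child OU cannot block it or override it with a link of their own.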
Resultant Set of Policy (RSoP)
RSoP is a report of the Group Policy settings that actually apply to a given user or computer once inheritance, enforcement, blocking, and filtering have been evaluated; gpresult and the Group Policy Results wizard in GPMC produce it.
Group Policy Preferences
With these settings, administrators can configure and manage many more OS and application settings, such as installing printers, creating scheduled tasks, configuring registry values, setting power options, config­uring file and folder permissions, and more. Unlike policy settings, preferences are not enforced and can be changed by the user afterwards.
Administrative Templates
The templates are files with the extension .ADM or .ADMX that Group Policy uses to describe the registry keys a policy setting writes.
Using administrative templates, you can modify the machine and user portions of the registry on managed computers.
MMC Snap-ins
The Microsoft Management Console (MMC) is used to create and open consoles, which
can help manage all the IT components within a Microsoft Windows network.
The MMC hosts the snap-ins, which are administrative tools that can be used from a
single interface.
Almost all Microsoft management tools can be implemented as MMC snap-ins. But
MMC also supports some third-party snap-ins using the MMC API.
Active Directory Users and Computers (ADUC)
ADUC is used for day-to-day domain administration, including objects, OUs, and their attributes.
Active Directory Administrative Center (ADAC)
ADAC includes management features that ADUC lacks, such as the Active Directory Recycle Bin, Fine-Grained Password Policy, and the Windows PowerShell History Viewer.
This console also helps you raise the domain and forest functional levels and manage UPN suffixes.
Active Directory Sites and Services (ADSS)
The ADSS is an MMC snap-in console that is mainly used for managing site replication
and other components such as topology objects, subnets, connection objects, the global
catalog, and universal group caching.
Active Directory Service Interfaces Editor (ADSI Edit)
The ADSI Edit is an advanced Active Directory object editor. It allows viewing,
modifying, and removing AD objects, and any of their attributes within a forest.
ADSI Edit is often compared to the Windows Registry Editor because of the fine-grained level at which it edits objects.
This tool is designed to access data that is usually not available in consoles such as
ADUC.
Local Users and Groups
Local Users and Groups is an MMC snap-in console (under Computer Management)
that allows AD administrators to manage and secure local computers.
It gives data access control through a set of permissions and rights for a local or group
account on the computer.
DHCP
The MMC snap-in console (dhcpmgmt.msc) that is used for DHCP management.
With this console, you can configure IP address range, lease time, DNS and WINS
server, etc.
DNS
The DNS MMC snap-in (dnsmgmt.msc) console allows you to manage DNS
configuration.
With this console, you can create, browse, and manage DNS zones and resource
records.
Group Policy Management Console
The Group Policy Management Console (GPMC) is an MMC tool (gpmc.msc) that
allows administrators to manage Group Policy Objects (GPOs) from a single console.
With GPMC, administrators can deploy, manage, view, and troubleshoot any GP
implementation.