Welcome To My Blog

Active Directory Domain Service (AD DS)

What is Active Directory?


Active Directory (AD) is a directory service for Windows Server environments. It is a hierarchical, distributed database that holds the information needed to locate, protect, manage, and organize computer and network resources such as files, users, groups, peripherals, and network devices.

Active Directory is Microsoft's proprietary directory service for Windows domain networks. It provides authentication and authorization and a framework on which other services are built. At its core, the directory is an LDAP-accessible database of networked objects, hosted on the Windows Server operating system.

When we talk about Active Directory, we are usually referring to Active Directory Domain Services (AD DS), which provides integrated authentication and authorization services at scale.


Prior to Windows 2000, Microsoft's authentication and authorization model required dividing a network into NT domains and linking them with explicit one-way, non-transitive trusts, a system that was complicated and sometimes unpredictable. Active Directory was introduced in Windows 2000 to provide directory services for larger and more complex environments.


Other Active Directory services:

Over time, Microsoft has added further services under the Active Directory banner.

Active Directory Lightweight Directory Services:

This lightweight version of domain services removes some complexity and some advanced features to offer basic LDAP directory functionality without a domain, forest, or domain controllers. It is typically used as a directory store for applications that need LDAP but not domain infrastructure, and several independent instances can run on one server.

Active Directory Certificate Services:

Certificate Services issues digital certificates and supports a public key infrastructure (PKI). The service can issue, validate, and revoke the certificates used for encryption, signing, and authentication, so that an organization runs its own certification authority rather than obtaining certificates externally.

Active Directory Federation Services:

Provides a web-based single sign-on authentication and authorization service for use primarily between organizations. In this way, a contractor can log into their own network and be authorized at the same time to access the customer's network.

Active Directory Rights Management Services:

It is a rights management service that breaks with the concept of authorization as a simple model of allowing or denying access and limits what a user can do with specific files or documents. The rights and restrictions are attached to the document, and not to the user. These rights are commonly used to prevent printing, copying, or screenshots of a document.


Active Directory Structure:


A key feature of the Active Directory structure is delegated authorization and efficient replication. Each part of the AD organizational structure limits authorization or replication within that particular subpart.

Forest
The forest is the highest level of the organization's hierarchy, and it is the security boundary within the organization: domains and OUs inside it are administrative boundaries only, so a compromise of privileged credentials in any domain should be treated as a compromise of the whole forest. Within a forest, authority can be delegated in a limited way, so an administrator can have full rights over a specific subset of resources but not over the rest. A network can also host more than one forest; forests are connected, if at all, only by explicit trusts. Forest-wide information (the schema and configuration partitions) is stored on all domain controllers in all domains within the forest.

Tree
A tree is a group of domains that share a contiguous DNS namespace (for example, corp.contoso.com as a child of contoso.com) and are joined by two-way transitive trusts. A tree is neither a replication nor a security boundary.

Domains
Each forest contains a root domain. Additional domains can be created to partition the forest further. The purpose of a domain is to divide the directory into smaller parts so that replication can be controlled: a domain's own partition replicates only among the domain controllers of that domain. For example, if we have two offices, one in Oakland and one in Pittsburgh, each in its own domain, the first does not replicate the second's domain data (and vice versa). This saves bandwidth and keeps administration compartmentalized, but it does not contain a security breach, because the forest, not the domain, is the security boundary.

Each controller in a domain contains an identical copy of the Active Directory database for that domain. This keeps everything up-to-date through constant replication.

Domains were the unit of administration in the earlier Windows NT model and still carry some security semantics, but it is not recommended to use domains alone for this. Domains should control replication, while organizational units (OUs) are used to group resources and scope permissions.

Organizational units (OU)
An organizational unit allows you to group authority over a subset of resources within a domain. An OU is the unit for delegating administration and linking Group Policy; it does not limit the replication of AD objects, and on its own it does not contain a compromise of highly privileged accounts.


Organizational units are used to delegate control within functional groupings. Organizational units should be used to implement and limit security and roles between groups, while domains should be used to control Active Directory replication.



Domain controllers:


Domain controllers are Windows servers that hold the Active Directory database and perform AD functions such as authentication and authorization. A domain controller is any Windows server on which the AD DS role has been installed and that has been promoted to a domain controller.

Each domain controller stores a copy of its own domain's partition, which contains all the objects of that domain. In addition, every domain controller stores the forest-wide schema and configuration partitions, and a domain controller configured as a global catalog also holds a partial, read-only replica of every other domain partition in the forest. A domain controller never stores the schema or any other data of a different forest, even if both forests are on the same network.
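To see these partitions on a live domain controller, the following is an added example (not part of the original post). It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, and uses dc01.contoso.com as a placeholder server name.

```powershell
# Added example: list the directory partitions a domain controller hosts.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host;
# 'dc01.contoso.com' is a placeholder, replace it with a real DC.
Import-Module ActiveDirectory

$dc = 'dc01.contoso.com'

# The root DSE of a DC exposes the naming contexts (partitions) it replicates.
$root = Get-ADRootDSE -Server $dc
"Schema partition        : $($root.schemaNamingContext)"         # one per forest
"Configuration partition : $($root.configurationNamingContext)"  # one per forest
"Domain partition        : $($root.defaultNamingContext)"        # one per domain
"All naming contexts     : $($root.namingContexts -join '; ')"

# Per-DC view for the current domain: which DCs are global catalogs and which
# partitions each one hosts (a GC also carries a partial replica of every
# domain partition in the forest).
Get-ADDomainController -Filter * |
    Select-Object HostName, Domain, Site, IsGlobalCatalog, Partitions |
    Format-Table -AutoSize
```

The schema and configuration DNs are identical on every DC in the forest, while defaultNamingContext differs per domain; that difference is the replication boundary the text describes.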

Domain Controller Specialized Features
Specialized domain controller roles, known as Flexible Single Master Operation (FSMO) roles, perform operations that must have exactly one owner and therefore are not available on every domain controller. These roles are assigned to the first domain controller created in each forest or domain, but an administrator can transfer them to another domain controller, or seize them if the holder is permanently lost.

Schema Master
There is only one schema master per forest. It is the only domain controller permitted to write to the schema partition; schema changes made there replicate to all other domain controllers in the forest.

Domain Naming Master
There is only one domain naming master per forest. It is the only domain controller that can add domains (and application directory partitions) to the forest or remove them, which guarantees that domain names within the forest are unique, and it maintains cross-references to directory partitions held elsewhere.

Infrastructure Master
There is one infrastructure master per domain. It keeps references to objects in other domains up to date, for example the membership of a group in this domain that includes users from another domain, when those referenced objects are renamed or moved. (Deleted objects are not its concern; tombstones are kept on every domain controller.) It should not be placed on a global catalog server unless every domain controller in the domain is a global catalog, otherwise cross-domain references silently stop being updated.

Relative identifier (RID) master
There is one RID master per domain. Every security principal's SID is the domain SID followed by a relative identifier (RID) that is unique within the domain. Each domain controller creates principals from a pool of RIDs that the RID master has handed out to it and requests a new pool when the current one runs low, so the RID master is what keeps SIDs unique across a multi-master domain.

Primary domain controller emulator

There is only one primary domain controller (PDC) emulator per domain. Its original purpose was backward compatibility with Windows NT-based systems, responding to requests aimed at a PDC as an NT PDC would. It still carries several authoritative duties today: it is the domain's time source, it receives password changes and account lockouts immediately (so a failed logon elsewhere is retried against the PDC emulator before it is rejected), and it is the default domain controller on which Group Policy objects are edited.
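The following added example (not from the original post) shows how to find the current holder of each of the five roles and checks the infrastructure master placement rule described above. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host.

```powershell
# Added example: report FSMO role holders and check Infrastructure Master placement.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles: exactly one holder in the whole forest.
[pscustomobject]@{
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

# Domain-wide roles: one holder per domain.
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# The same information from the built-in command-line tool:
#   netdom query fsmo

# Placement check: the Infrastructure Master must not be a global catalog
# unless every DC in the domain is one, or cross-domain references go stale.
$dcs   = Get-ADDomainController -Filter *
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning ("Infrastructure Master {0} is a GC while {1} DC(s) are not: {2}" -f
        $im.HostName, $nonGc.Count, ($nonGc.HostName -join ', '))
} else {
    "Infrastructure Master placement OK ($($im.HostName))"
}
```

Run this from each domain in a multi-domain forest: the two forest roles will report the same servers everywhere, the three domain roles will differ per domain.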

Data store

The directory data store (often called just "the data store"; the database file on disk is Ntds.dit) is responsible for storing and retrieving directory information on every domain controller. It is organized in three layers. The bottom layer is the database itself, the Ntds.dit file and its transaction logs. The middle layer consists of the service components: the Directory System Agent (DSA), the database layer, and the Extensible Storage Engine (ESE). The top layer is the set of interfaces through which clients and other services reach the directory: the Lightweight Directory Access Protocol (LDAP), the replication interface (REPL), the Messaging API (MAPI), and the Security Account Manager (SAM). Because Ntds.dit holds the password hashes of every principal in the domain, a copy of that file together with the domain controller's SYSTEM registry hive is equivalent to full domain compromise; domain controller disks, backups, and snapshots must be protected accordingly.



Domain name system:


Although Active Directory stores location information about the objects in its database, it relies on the Domain Name System (DNS) to locate domain controllers. Each domain controller registers service (SRV) records in DNS, and clients query those records to find a domain controller offering LDAP, Kerberos, or global catalog services, preferring one in their own site.

Within Active Directory, each domain has a DNS domain name, and each computer that is a member of the domain has a DNS name within that domain.
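The lookups a domain member performs are visible with ordinary DNS queries. The block below is an added example (not from the original post); it uses contoso.com as a placeholder domain, needs only a resolver that serves the AD DNS zone, and the site-aware query additionally assumes the ActiveDirectory PowerShell module.

```powershell
# Added example: locate domain controllers through the SRV records they register.
# 'contoso.com' is a placeholder for your AD DNS domain (assumed to be the forest root).
$domain = 'contoso.com'

# Writable DCs advertising LDAP (port 389) and the Kerberos KDC (port 88).
$ldapSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object QueryType -eq 'SRV'
$kdcSrv  = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object QueryType -eq 'SRV'

$ldapSrv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
$kdcSrv  | Select-Object NameTarget, Port | Format-Table -AutoSize

# Global catalog servers (port 3268) are registered under the forest root name.
Resolve-DnsName -Name "_gc._tcp.$domain" -Type SRV |
    Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port

# Site-aware form: a client first asks for DCs registered in its own site.
# (Get-ADDomainController -Discover needs the ActiveDirectory module.)
$site = (Get-ADDomainController -Discover).Site
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
    Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port

# The DC locator's own decision, including the site it chose:
#   nltest /dsgetdc:contoso.com
```

Note that none of these queries require credentials: anyone who can reach the internal DNS can enumerate every domain controller, which is why the AD DNS zones should not be resolvable from untrusted networks.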

Objects
Everything inside Active Directory is stored as an object. Each object is an instance of a class defined in the schema; the class is the "type" of the object and determines which attributes it must and may carry. Attributes are the components of an object, and they are themselves defined in the schema.

Object classes must be defined in the schema before data of that kind can be stored in the directory. Once defined, the data is stored in Active Directory as individual objects. Each object must be unique and represent a single thing, such as a user, a computer, or a single collection of things (a group of users, for example).


The two main kinds of objects are resources (printers, shared folders, sites, and the like) and security principals (users, computers, and groups). Security principals are assigned security identifiers (SIDs), which are what appear in access control lists; resources are not.
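The structure of a SID, and the split between the domain part and the RID handed out by the RID master described earlier, is easiest to see by taking one apart. The following is an added example (not from the original post); the SID string is constructed for illustration and does not belong to any real domain, and it needs only .NET, not the ActiveDirectory module.

```powershell
# Added example: decompose a SID into domain SID + RID, and decode the binary
# objectSid form stored in the directory. The SID below is constructed, not real.
$sidString = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sid = [System.Security.Principal.SecurityIdentifier]::new($sidString)

# S-1-5-21-<three 32-bit sub-authorities> identifies the domain and is shared by
# every principal in it; the final sub-authority is the relative identifier (RID).
$domainSid = $sid.AccountDomainSid.Value
$rid       = [uint32]($sid.Value.Split('-')[-1])

# Well-known RIDs are fixed by Windows, not drawn from a RID-master pool.
# (518 and 519 exist only in the forest root domain.)
$wellKnown = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 515 = 'Domain Computers'
    516 = 'Domain Controllers'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins'
}
$meaning = if ($wellKnown.ContainsKey([int]$rid)) { $wellKnown[[int]$rid] }
           elseif ($rid -ge 1000) { 'allocated from a RID pool issued by the RID master' }
           else { 'reserved / well-known range' }

"Domain SID : $domainSid"
"RID        : $rid ($meaning)"

# objectSid is stored as bytes: revision (1) | sub-authority count (1) |
# identifier authority (6 bytes, big-endian) | N x 32-bit little-endian sub-authorities.
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)
"Binary     : " + (($bytes | ForEach-Object { $_.ToString('x2') }) -join ' ')

# Parsing the bytes back is what you do with an objectSid read over LDAP.
$parsed = [System.Security.Principal.SecurityIdentifier]::new($bytes, 0)
"Round trip : $($parsed.Value) (matches: $($parsed -eq $sid))"

# Live comparison, if the ActiveDirectory module is available:
#   (Get-ADDomain).DomainSID.Value
#   (Get-ADUser -Identity someuser).SID.Value
```

Because authorization decisions are made on SIDs rather than names, renaming an account changes nothing about its access, and two principals with the same domain SID but different RIDs are what the RID master exists to guarantee.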


Replication:


Active Directory uses multiple domain controllers for several reasons, including load balancing and fault tolerance. For this to work, each domain controller must hold a complete copy of its own domain's partition. Replication is the process that keeps every controller's copy up to date.

Domain partition replication is limited to the domain: domain controllers in different domains do not exchange domain data, even within the same forest (only the schema, configuration, and global catalog partitions cross domain boundaries). Although Windows NT had different kinds of domain controllers (a primary domain controller and backup domain controllers), Active Directory has no such distinction: all domain controllers are writable peers. The old terminology survives only in the name of the PDC emulator role, which can cause confusion.

Replication works on a pull model: a domain controller requests or "pulls" changes from a partner rather than partners "pushing" data to it. Within a site, a domain controller that has accepted a change notifies its partners after a short delay (15 seconds by default) and they pull the change; between sites, replication runs on the schedule and interval configured on the site link (every 180 minutes by default). A few security-sensitive changes, such as account lockouts and LSA secret changes, bypass the delay and are replicated urgently, and password changes are additionally sent straight to the PDC emulator.

Only changes are replicated. To keep a multi-master system consistent, each domain controller tracks changes by update sequence number (USN) and records, per partner, the highest USN it has already received, so a pull request asks only for the updates made since the last replication. Changes propagate across the whole domain by store-and-forward: a domain controller hands on changes it received from a third domain controller, not only the ones that originated locally, and the per-originator up-to-dateness vector prevents the same change from being delivered twice.

This keeps traffic low and can be tuned so that each domain controller pulls from the most desirable partner. For example, if a remote site has two connections to other sites with domain controllers, one fast and one slow, you can assign a "cost" to each site link; replication will then be routed over the lower-cost (faster) connection as long as it is available.
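The pull relationships, the per-partner high-water marks, and the site link costs described above can all be inspected on a running domain controller. The following is an added example (not from the original post); it assumes the ActiveDirectory PowerShell module (RSAT) and uses dc01.contoso.com as a placeholder domain controller name.

```powershell
# Added example: inspect replication from one DC's point of view.
# Assumes the ActiveDirectory module (RSAT); 'dc01.contoso.com' is a placeholder.
Import-Module ActiveDirectory
$dc = 'dc01.contoso.com'

# Inbound partners per partition: whom this DC pulls from, when it last
# succeeded, and how many consecutive attempts have failed.
Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Format-Table -AutoSize

# Up-to-dateness vector: the highest originating USN this DC has already seen
# from every DC that ever wrote to each partition. A pull request asks only for
# changes above these values, including changes that arrived via an intermediate
# DC (store-and-forward), so nothing is transferred twice.
Get-ADReplicationUpToDatenessVectorTable -Target $dc |
    Select-Object Partition, Partner, UsnFilter, LastReplicationSuccess |
    Format-Table -AutoSize

# Site links carry the cost and schedule that steer inter-site replication
# toward the cheaper path.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize

# Built-in equivalents:
#   repadmin /showrepl dc01.contoso.com
#   repadmin /replsummary
```

For incident response the same metadata exists per attribute: Get-ADReplicationAttributeMetadata -Object <DN> -Server $dc shows, for each attribute of an object, the originating domain controller, originating USN, version, and time of the last change, which lets you establish on which domain controller a suspicious modification was first written.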
