Mar 18, 2025 - 00:46
What exactly is Active Directory?

AD is a collective term for five server roles developed by Microsoft for Windows Server, namely [1][2]:

  • Active Directory Domain Services (AD DS): the domain controller role, responsible for authentication and authorization. It was simply called Active Directory before that name became the umbrella term, which is why AD DS and AD are still used interchangeably.
  • Active Directory Lightweight Directory Services (AD LDS): a lightweight alternative to AD DS, providing an LDAP-based directory service.
  • Active Directory Federation Services (AD FS): provides single sign-on (SSO), so users can log in to various applications with one password.
  • Active Directory Rights Management Services (AD RMS): while AD DS can control whether a user has access to a document, it cannot control what the user does with the data once it is in their possession. AD RMS secures sensitive information more tightly (e.g. by preventing a document from being emailed to an unauthorized user).
  • Active Directory Certificate Services (AD CS): provides a certification authority (CA) that can issue public-key certificates (e.g. for smart-card authentication or data encryption) and manages those certificates for easy renewal and revocation.

The data stored in AD DS is structured in two ways: physically and logically. While the physical structure encompasses network configurations, devices, and bandwidth, the logical structure aligns AD with an organization’s workflow and administrative processes. The data stored in AD is structured hierarchically [2][3]:

  • A domain acts as a security boundary for managing user and resource policies. All users within a domain follow shared rules, such as password and account policies. Each domain has at least one domain controller that authenticates users.
  • Domains in the same namespace can form a tree, with hierarchical parent-child relationships. A single domain is considered to be a tree as well.
  • For broader organizational needs, multiple trees can interconnect to create a forest, enabling transitive trust relationships (meaning the relationship between two trusted domains extends to any other domains trusted by them).
  • Within a domain, Organizational Units (OUs) provide a way to group resources logically - such as users, printers, or applications - based on company structure or location. OUs can nest hierarchically and simplify delegation of administrative tasks without extending across domains.
  • Physical aspects of the network are defined through sites, representing IP subnets connected by high-speed links. They control replication traffic and steer authentication to local domain controllers, reducing latency and saving bandwidth. Site links further manage communication between geographically dispersed sites, ensuring efficiency and minimizing network congestion.
  • An object is any network component, such as a user, group, printer, or file share. Objects carry attributes that define their properties.

As an illustration, consider the AD of a fictional company with offices across the United States, Europe and Asia:

  1. A single forest, xyzcorp.com, is created to act as the namespace for all domains.
  2. Each continent operates under its own domain:

    • us.xyzcorp.com for North America
    • eu.xyzcorp.com for Europe
    • asia.xyzcorp.com for Asia

    These domains form a tree under the primary namespace xyzcorp.com, ensuring trust and resource sharing between the continents.

  3. Within the us.xyzcorp.com domain, OUs are used to reflect the organizational hierarchy and geographic layout:

    • Sales
      • California
      • Texas
      • New York
    • IT
    • HR

Therefore, the tree representation of the AD would look like this:

xyzcorp.com
+ us.xyzcorp.com
|  + Sales
|  |  + California
|  |  |  + John.Smith
|  |  |  + Jane.Doe
|  |  |  + Printer_CA1
|  |  + Texas
|  |  |  + Alice.Walker
|  |  |  + Printer_TX1
|  |  + New York
|  |     + Bob.Brown
|  |     + Printer_NY1
|  + IT
|  |  + Admins
|  |  |  + AdminUser1
|  |  |  + AdminUser2
|  |  + Systems
|  |  |  + Server_NA1
|  |  |  + Server_NA2
|  + HR
|  |  + Policies
|  |  |  + HRPolicy.docx (File Share)
|  |  + Mary.Jones
|  |  + Jane.Smith
|       
+ eu.xyzcorp.com
|  + ...
|
+ asia.xyzcorp.com
   + ...
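
To make the hierarchy concrete, the following Python script is an added example (not code from the original post or from Microsoft) that models the xyzcorp.com forest shown above. It derives each object's LDAP distinguished name (DN) from its OU path and domain, parses such a name back into its parts, and builds the implicit forest trusts so that the transitive path between two child domains can be listed. The object list and domain names are constructed from the tree above; the trust model covers only the automatic parent-child and tree-root trusts and ignores external or shortcut trusts, and the file share is treated as a plain CN leaf object for simplicity.

```python
from collections import deque
from typing import Dict, List, Set, Tuple


def domain_to_dc(domain: str) -> str:
    """'us.xyzcorp.com' -> 'DC=us,DC=xyzcorp,DC=com' (the domain's naming context)."""
    return ",".join(f"DC={label}" for label in domain.lower().split("."))


def object_dn(name: str, ou_path: List[str], domain: str, rdn_type: str = "CN") -> str:
    """Build a DN: leaf RDN first, then OUs innermost to outermost, then the
    domain components. OUs never cross a domain boundary, so the whole OU
    path hangs under a single DC= suffix."""
    rdns = [f"{rdn_type}={name}"]
    rdns += [f"OU={ou}" for ou in reversed(ou_path)]
    rdns.append(domain_to_dc(domain))
    return ",".join(rdns)


def parse_dn(dn: str) -> Tuple[str, List[str], str]:
    """Inverse of object_dn: (leaf name, OU path outermost-first, DNS domain name).
    Assumes no escaped commas inside attribute values, which holds for this data."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    leaf = rdns[0].split("=", 1)[1]
    ous = [rdn.split("=", 1)[1] for rdn in rdns[1:] if rdn.upper().startswith("OU=")]
    dcs = [rdn.split("=", 1)[1] for rdn in rdns[1:] if rdn.upper().startswith("DC=")]
    return leaf, ous[::-1], ".".join(dcs)


def is_child_domain(child: str, parent: str) -> bool:
    """Within a tree the child's DNS name is the parent's name with extra leading labels."""
    return child.lower().endswith("." + parent.lower())


def direct_trusts(domains: List[str], forest_root: str) -> Dict[str, Set[str]]:
    """The two-way trusts AD DS creates automatically inside a forest: each domain
    trusts its nearest parent in the set, and the root of any separate tree trusts
    the forest root. External and shortcut trusts are deliberately not modelled."""
    trusts: Dict[str, Set[str]] = {d: set() for d in domains}

    def link(a: str, b: str) -> None:
        trusts[a].add(b)
        trusts[b].add(a)

    for d in domains:
        ancestors = [p for p in domains if is_child_domain(d, p)]
        if ancestors:
            link(d, max(ancestors, key=len))  # longest name = nearest parent
        elif d != forest_root:
            link(d, forest_root)  # root of a tree with its own namespace
    return trusts


def trust_path(trusts: Dict[str, Set[str]], src: str, dst: str) -> List[str]:
    """Breadth-first search over the trust graph. The returned chain is the
    sequence of domains through which trust is transitively extended; an
    empty list means the two domains do not trust each other at all."""
    prev: Dict[str, str] = {src: ""}
    queue = deque([src])
    while queue:
        d = queue.popleft()
        if d == dst:
            path = []
            while d:
                path.append(d)
                d = prev[d]
            return path[::-1]
        for n in sorted(trusts[d]):
            if n not in prev:
                prev[n] = d
                queue.append(n)
    return []


# Constructed data mirroring the tree above (not taken from any real directory).
FOREST_ROOT = "xyzcorp.com"
DOMAINS = ["xyzcorp.com", "us.xyzcorp.com", "eu.xyzcorp.com", "asia.xyzcorp.com"]
US_DOMAIN = "us.xyzcorp.com"
US_OBJECTS = [  # (leaf name, OU path outermost-first)
    ("John.Smith", ["Sales", "California"]),
    ("Printer_CA1", ["Sales", "California"]),
    ("Bob.Brown", ["Sales", "New York"]),
    ("AdminUser1", ["IT", "Admins"]),
    ("Server_NA1", ["IT", "Systems"]),
    ("HRPolicy.docx", ["HR", "Policies"]),
]


def us_directory() -> Dict[str, str]:
    """Map each example object in us.xyzcorp.com to its DN."""
    return {name: object_dn(name, ous, US_DOMAIN) for name, ous in US_OBJECTS}


def main() -> None:
    for name, dn in us_directory().items():
        print(f"{name:14} {dn}")
    trusts = direct_trusts(DOMAINS, FOREST_ROOT)
    hops = trust_path(trusts, "us.xyzcorp.com", "asia.xyzcorp.com")
    print("us -> asia trust path:", " -> ".join(hops))


if __name__ == "__main__":
    main()
```

Running it prints DNs such as CN=John.Smith,OU=California,OU=Sales,DC=us,DC=xyzcorp,DC=com and shows that us.xyzcorp.com reaches asia.xyzcorp.com only through xyzcorp.com: the two child domains have no direct trust, which is exactly what transitivity means in the text above. Knowing the exact DN suffix of an OU is also what lets an administrator scope delegated rights or audit rules to that subtree and nothing beyond it.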
  1. Bundesamt für Sicherheit in der Informationstechnik, "APP.2.2 Active Directory Domain Services." Online.

  2. S. Clines and M. Loughry, Active Directory For Dummies. Newark, United States: John Wiley & Sons, Incorporated, 2008.

  3. B. Desmond, J. Richards, R. Allen, and A. G. Lowe-Norris, Active Directory, 5th Edition. Online.