Active Directory and its uses

Gavin Livingstone, Bryley Systems Inc.

Microsoft’s Active Directory (AD) is not well known, but it is a critical component in securing Windows Server-based networks.

Active Directory, introduced with Windows Server 2000, is included with most versions of Windows Server, but is also available as a service¹.  Its primary function is to facilitate authentication and authorization of users (members) and resources within an AD domain.  (An AD domain is a logical collection of users, computers, groups, and other objects; multiple domains can be created for different sites or groups, and trust relationships can be established between these domains.)

One of AD’s greatest strengths is to permit the centralized creation of user and group-based policies; it can then enforce these policies, ensuring that members comply with login and usage requirements.  Plus, it logs policy violations and login attempts, supporting the automation of error-log-checking solutions.

Basic AD services include:

• Domain Services (AD DS) – Stores and verifies member credentials
• Lightweight Directory Services (AD LDS) – A limited-feature version of AD DS
• Certificate Services (AD CS) – Public-key certificates supporting encryption
• Federation Services (AD FS) – Single sign-on functionality; AD and non-AD
• Rights Management Services (AD RMS) – Management of access rights

Single instances of AD DS run on a server; once AD DS is deployed, this server is known as a domain controller (DC).  Most Windows Server-based networks have two or more domain controllers; a primary DC and secondary DC(s) to provide failover directory (via replication) and location-based access to the directory.

During login, users authenticate to the primary DC or to a secondary DC.

Active Directory is managed through a series of tools; most are included within Windows Server, but third-party tools² exist that provide better control and automation, particularly for larger organizations managing complex environments.

Best practices for AD design include³:

• Build a logical structure based on a hierarchical, tree-like approach:
  • Forests – Top-level container (not always used)
  • Domains – Second-level containers within forests
  • Organizational units – Third-level containers within domains
• Construct a physical model to address location requirements/constraints:
  • Place at least one domain controller (preferably two) at each site
  • Determine placement of replicas of domain data
  • Describe network topology
  • Consider traffic limitations

AD design tips⁴ include:

• Keep it simple
• Match site topology to network topology
• Ensure you have at least two DNS servers
• Try to dedicate a server as a domain controller

Security best practices for AD include⁵:

• Rename or disable the Administrator account
• Physically secure domain controllers and servers
• Apply Group Policy settings to restrict users, group, and computer access

Basically, Active Directory forms the heart of any Windows Server-based network; it is a critical component, even when using Cloud-based resources.  (Cloud-based resources can often be integrated within AD through Federated Services.)

References

¹Active Directory as a service is available through Microsoft’s Azure Active Directory, Bryley Systems’ Hosted Cloud Server™, and other providers.

²10 Must-Have Active Directory Tools by Walker Rowe of Anturis, 4/14/15.

³Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks from the Microsoft Developer Network.  (These are dated, but extremely detailed.)

⁴10 Tips for effective Active Directory design by Brien Posey of TechRepublic, 8/23/2010.

⁵Active Directory Best Practices at Microsoft TechNet on 1/21/2005.