NIST's guidance for a Zero Trust Architecture

Header blog slider

Fundamentals of Active Directory, workgroups and domains

The five services within Active Directory.

Active Directory (AD) is a set of five services that run on a Windows server to manage permissions and access to network resources. These five services are:

  1. AD Domain Services (AD DS)
  2. AD Lightweight Directory Services (AD LDS)
  3. AD Federation Services (AD FS)
  4. AD Certificate Services (AD CS)
  5. AD Rights Management Services (AD RMS)

AD DS is most commonly refered to as AD.

AD DS is the most deployed component of AD. In a way, AD DS has become synonymous with AD, and when people speak about AD, they’re usually referring to AD DS. If they want to refer to any of the other four services, they explicitly mention that service by name.
AD DS is essentially a store of information just like a telephone directory. The table below shows the fields of information in a telephone directory.

BurnsJoe1 Dorset Place804 0650
AdamsMarilyn20 Dundurn Street391 7683
RajanRanjit60 Mistdale Cres691 8967

Think of each row in a telephone directory as a distinct object with attributes like last name, first name, address, and phone number. In an AD environment, these distinct objects can be users, computers, groups, printers, and more. Each of these objects have characteristics or attributes; both the objects and their attributes are stored in AD. AD is extensible, i.e., we can add objects and object attributes to it as needed.

Is AD a database or a directory?

Some people consider AD as a database. After all, you can write data to, retrieve data from, and store data in it. However, it’s more of a directory than a database since it’s optimized for read operations rather than write operations. While you can add new data to AD, the existing data usually doesn’t undergo many changes. Furthermore, the data in AD is arranged in a logical and hierarchical manner so that finding information is easy. This is just like how the Yellow Pages organizes objects by types of business, and the White Pages organizes objects in alphabetical order.

The AD structure.

When we deploy AD in an organization, we need to consider two sides of its structure:

  1. The logical side: This is the hierarchy of objects such as users, computers, groups, and organizational units. The AD administrator needs to design a logical side that closely mimics how the business functions and helps them effectively manage their IT infrastructure. Correctly arranging these various objects helps you easily manage permissions (access) and security.
  2. The physical side: When designing the physical side, the administrator needs to think about the servers that provide the AD services and contain all the critical directory information. They need to answer questions such as:
    • How will these servers speak to each other and share information?
    • What network links need to be set up so that remote users can be given access?
    • How can users in different locations be directed to the servers?

Workgroups vs. domains.

A workgroup is a peer-to-peer network with no central authentication. Each computer in a workgroup functions as both a client and a server. When a user in a workgroup wants to access another user’s computer or even a shared resource like a file, they need to create their username and password on the other user’s computer. Workgroups are great for small office networks with 15 or less computers, however, they aren’t ideal for larger companies with hundreds or thousands of users. In such environments, we need to set up a client-server network environment. In Windows, this is achieved by setting up domains. The figure below shows the basic difference between a peer-to-peer and client-server network environment.

The domain setup ensures better security as we can give varying degrees of permissions for different users or groups of users. Furthermore, we can deploy company-wide policies for administration. If a user wants to access another computer on the domain, they don’t need to create another account on that computer.
All login and access requests by users are managed by a domain controller (DC) that runs AD. A DC is a centralized server that responds to all such requests, and is effectively a security gatekeeper for the network. Both authentication and authorization are done by the DC.

  • Authentication: The client and server authenticate each other to verify who the user or system is.
  • Authorization: The server determines if the client has the requisite permissions to access a resource.

Authentication is done through usernames and passwords (along with a process of encryption). The DC will check in its AD database to authenticate users requesting access to the domain. If the user’s credentials match the information contained in AD, they are allowed to log on to the network. Authentication is completed using the Kerberos authentication protocol. Authorization is done through Access Control Lists (ACLs). An ACL is a list of permissions attached to an object and it also specifies which users are allowed access to the object, and what operations they can do.

Related posts
Header blog slider

PSO AD Administrative Center

Header blog slider

NTLM and Kerberos authentication protocols

Leave a Reply

Your email address will not be published. Required fields are marked *