Active Directory (AD)
What is Active Directory?
Active Directory (AD) is a system that allows administrators to manage a set of computers and users connected to the same network from a central server.
The above diagram is known as a domain. A domain is a set of connected computers that share an Active Directory database, which is managed by the central servers of the domain, called domain controllers.
Physical AD Components
Domain Controller
A domain controller is a server with the AD DS (Active Directory data store) server role installed that has specifically been promoted to a domain controller. It can:
- host a copy of the AD DS
- provide authentication and authorization services (Kerberos)
- replicate updates to other domain controllers in the domain and forest
- allow administrative access to manage user accounts and network resources
AD DS
The AD DS contains the database files and processes that store and manage directory information for users, services, and applications. It:
- consists of the `Ntds.dit` file
- is stored by default in the `%SystemRoot%\NTDS` folder on all domain controllers
- is accessible only through the domain controller processes and protocols
Logical AD Components
AD Schema
The AD DS schema:
- defines every type of object that can be stored in the directory
- enforces rules regarding object creation and configuration
For example:
| Object Type | Function | Examples |
|---|---|---|
| Class Object | What objects can be created in the directory | User, Computer |
| Attribute Object | Information that can be attached to an object | Display name |
Domains
Domains are used to group and manage objects in an organization. A domain is:
- an administrative boundary for applying policies to groups of objects
- a replication boundary for replicating data between domain controllers
- an authentication and authorization boundary that provides a way to limit the scope of access to resources
Trees
A tree is a hierarchy of domains in AD DS. All domains in the tree:
- share a contiguous namespace with the parent domain
- can have additional child domains
- by default create a two-way transitive trust with other domains
Forests
A forest is a collection of one or more domain trees. Forests:
- share a common schema
- share a common configuration partition
- share a common global catalog to enable searching
- enable trusts between all domains in the forest
- share the Enterprise Admins and Schema Admins groups
Organizational Units (OUs)
OUs are AD containers that can contain users, groups, computers, and other OUs. OUs are used to:
- represent your organization hierarchically and logically
- manage a collection of objects in a consistent way
- delegate permissions to administer groups of objects
- apply policies
Trusts
Trusts provide a mechanism for users to gain access to resources in another domain. Types of trusts:
- All domains in a forest trust all other domains in the forest
- Trusts can extend outside the forest
Objects
NTLM Authentication
NTLM (NT LAN Manager) authentication is used when a client authenticates to a server by IP address (instead of by hostname), or if the user attempts to authenticate to a hostname that is not registered on the AD integrated DNS server. Likewise, third-party applications may choose to use NTLM authentication instead of Kerberos authentication.
NTLM authentication is composed of three messages/phases: NEGOTIATE, CHALLENGE and AUTHENTICATE:
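The three-phase exchange above, modelled from the server's side as an added example (this is not code from the original page): the client never sends its secret, the server recomputes the expected proof from the NT hash it stores and compares, and each CHALLENGE is accepted once. The NT hash is a constructed constant standing in for MD4(UTF-16LE(password)), and the AUTHENTICATE blob is reduced to a client nonce; the session id and account table are assumptions of this model.

```python
import hmac
import os

# Constructed stand-in for the NT hash (real NTLM uses MD4 over the UTF-16LE
# password; MD4 is not reliably available in hashlib, so a fixed value is used).
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER, DOMAIN = "alice", "CORP"

def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def client_authenticate(user, domain, nt_hash, server_challenge, client_nonce):
    # Phase 3 (AUTHENTICATE): NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob).
    # The real blob also carries a timestamp and target info; here it is only the nonce.
    blob = client_nonce
    proof = hmac.new(ntlmv2_hash(nt_hash, user, domain), server_challenge + blob, "md5").digest()
    return {"user": user, "domain": domain, "nt_proof": proof, "blob": blob}

class NtlmServer:
    def __init__(self, accounts):
        self.accounts = accounts   # user -> NT hash: what the authority stores, never the password
        self.pending = {}          # session id -> outstanding challenge

    def negotiate(self, session_id: str) -> bytes:
        # Phases 1/2: receive NEGOTIATE, answer with a fresh 8-byte CHALLENGE
        challenge = os.urandom(8)
        self.pending[session_id] = challenge
        return challenge

    def authenticate(self, session_id: str, msg: dict) -> bool:
        # Consume the challenge first: a replayed AUTHENTICATE finds nothing to verify against
        challenge = self.pending.pop(session_id, None)
        nt_hash = self.accounts.get(msg["user"])
        if challenge is None or nt_hash is None:
            return False
        expected = hmac.new(ntlmv2_hash(nt_hash, msg["user"], msg["domain"]),
                            challenge + msg["blob"], "md5").digest()
        return hmac.compare_digest(expected, msg["nt_proof"])

def run_exchange() -> dict:
    server = NtlmServer({USER: NT_HASH})
    challenge = server.negotiate("s1")
    msg = client_authenticate(USER, DOMAIN, NT_HASH, challenge, os.urandom(8))
    first = server.authenticate("s1", msg)
    replay = server.authenticate("s1", msg)     # same AUTHENTICATE again: rejected
    other = NtlmServer({USER: bytes(16)})       # authority holding a different NT hash
    ch2 = other.negotiate("s2")
    bad = other.authenticate("s2", client_authenticate(USER, DOMAIN, NT_HASH, ch2, os.urandom(8)))
    return {"valid": first, "replay": replay, "wrong_hash": bad}
```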
Kerberos Authentication
While NTLM authentication works through a principle of challenge-response, Windows-based Kerberos authentication uses a ticket system. Kerberos focuses on the use of tokens called "tickets" that allow a user to be authenticated against a principal. At a high level, Kerberos client authentication to a service in AD involves the use of a domain controller in the role of a key distribution center (KDC).