What you will learn:
An organization will consist of multiple employees, devices, contacts, and large amounts of data. It would need to sort all these resources and information in a structured manner for easy access, and also secure its resources. This is where directory services come into play. A directory service categorically arranges all the resources in a structured and hierarchical manner with functionalities to search easily and locate the resources. It will also provide functionalities for security. Active Directory is one such directory service. In this article, we will take a look at the fundamental definitions you need to know to get started with Active Directory.
What is Active Directory?
Active Directory is a directory service provided by Microsoft. A directory service is a hierarchical arrangement of resources that are structured in a way that makes accessing them easy. However, functioning as a locator service is not AD’s exclusive purpose. It also helps organizations have a central administration over all the activities carried out in their networks.
Organizations primarily use Active Directory to perform authentication and authorization. It is a central database that is contacted before a user identity is verified and granted access to a resource or a service. Once the authenticity of the user is verified, Active Directory helps in determining if the user is authorized to use that particular resource or service. If the user checks out on both counts, access is granted.
What is LDAP?
Active Directory is based on the Lightweight Directory Access Protocol (LDAP). This protocol provides a common language for clients and servers to speak to one another.
LDAP is a lightweight version of the Directory Access Protocol (DAP). DAP is an X.500 protocol, an architecture in which clients and servers communicate over the Open Systems Interconnection (OSI) model. It does not use the TCP/IP standards and requires a large investment. Hence, LDAP was proposed as a lighter version of DAP that retains DAP's core functionality. LDAP is much easier on an organization’s wallet, and it runs over TCP/IP. You can learn more about LDAP in this article.
What is DNS?
DNS is the entity that helps in locating services or resources on the network. DNS servers contain records of all the services they are responsible for. Among these are service resource records (SRV), which help a client system locate Active Directory resources such as domain controllers (DCs). For this reason, it is imperative that the SRV records be kept up to date by means of automatic updates (especially in the case of employees who move around a lot) or manual updates. In addition to SRV records, DNS also holds records such as A, CNAME, and MX records, which make the functioning of the AD environment smoother. You can read more about DNS here.
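The paragraph above says the SRV records that point clients at domain controllers must stay up to date. The PowerShell check below is an added example, not code from the original article: it resolves the well-known _ldap and _kerberos SRV names under _msdcs, compares the targets with the domain controllers AD itself lists, and flags records that are stale or missing. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, and $Domain is a placeholder for your own AD DNS domain.

```powershell
# Added example (not from the original article): verify that the SRV records
# DNS holds for a domain still match the domain controllers AD knows about.
# Assumptions: domain-joined Windows host with the RSAT ActiveDirectory
# module; $Domain defaults to the current domain and is otherwise a placeholder.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot
)

Import-Module ActiveDirectory

# Clients locate DCs through these well-known SRV names under _msdcs.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain"
)

# Hosts that AD itself lists as domain controllers (the authoritative view).
$knownDCs = (Get-ADDomainController -Filter * -Server $Domain).HostName |
    ForEach-Object { $_.ToLower().TrimEnd('.') }

foreach ($name in $srvNames) {
    # Resolve-DnsName returns SRV records with NameTarget/Port/Priority/Weight;
    # additional A records in the answer are filtered out by Type.
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }

    if (-not $records) {
        Write-Warning "No SRV records found for $name - clients cannot locate DCs via this name."
        continue
    }

    foreach ($rec in $records) {
        $target = $rec.NameTarget.ToLower().TrimEnd('.')
        if ($knownDCs -contains $target) {
            Write-Output "OK      $name -> $($target):$($rec.Port) (prio $($rec.Priority), weight $($rec.Weight))"
        } else {
            # A target that AD no longer lists as a DC is a stale record:
            # clients may be sent to a decommissioned or renamed server.
            Write-Warning "STALE   $name -> $target is not a current domain controller"
        }
    }

    # The reverse check: a DC with no SRV record is invisible to the DC locator.
    $advertised = $records | ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') }
    foreach ($dc in ($knownDCs | Where-Object { $advertised -notcontains $_ })) {
        Write-Warning "MISSING $dc has no record under $name"
    }
}
```

Run it from each site after adding, renaming or decommissioning a DC; a STALE or MISSING line means the locator records no longer reflect the domain.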
How does Active Directory work?
Active Directory, or AD in short, allows the storage of resources in a hierarchical manner. While deploying AD, there are two sides to be kept in mind with regards to its structure:
- The logical side: This side determines how the directory is arranged hierarchically. The logical side is designed so that certain resources can be placed within other resources, creating a parent-child relationship between them. This relationship can be used to administer access rights and permissions easily. How it is laid out depends on how the organization wants to administer its IT environment.
- The physical side: This deals with the physical location of hardware such as the servers in the physical world. It is important to design the physical structure carefully in order to ensure performance efficiency between servers and resources.
Objects in Active Directory
Objects are components in the AD network that represent the physical resources that are part of the AD environment. The object’s properties are defined by sets of information called attributes. Some of the common AD objects are as follows:
- User: Every member of the organization is denoted in AD through a user object. The user object contains the member’s details such as their first name, last name, office, telephone number, and so on.
- Contact: A contact object is used to store the contact details of people who are not part of the organization itself but are in some way associated with it, such as vendors or suppliers who are not in the employ of the organization. Only the name of the person and the contact details are stored. These contacts, unlike users, are not given access to network resources.
- Printer: Refers to the printers in the network. All printers in the organization’s network can be represented using printer objects in the AD environment.
- Computer: This object contains information about all the computers in the network.
- Shared folder: This object is a pointer that points towards the location of a shared folder in the AD network. It should be noted that only folders, and not individual files, can be shared. If an individual file needs to be shared, it should be placed within a folder.
- Group: A group is a collection of directory objects put together so that certain security policies can be assigned to them. For example, an organization would want only a particular department to have access to certain documents. In that case, the network administrator would create a group containing all the department members and add a security policy, providing them access to the file server containing the documents.
- Organizational units (OUs): OUs help in structuring your network resources in an easy-to-locate manner. An OU is simply a container within which objects such as users, printers, computers, and others can be placed. An OU is contained within a single domain; it cannot be shared across domains. The hierarchical arrangement of OUs, however, can be repeated across domains.
You can learn more about AD objects in this article.
Structure of Active Directory
Think of AD as a forest. A forest has multiple trees, and the trees contain branches and leaves. An AD environment is designed similarly. It may consist of one or more forests that represent the whole organization or an organization’s subsidiaries. Each AD forest is made up of one or more domains (equivalent to trees in a real forest), and each domain consists of various objects (equivalent to leaves in a tree) that are categorized into OUs and groups (equivalent to branches in a tree).
What is a domain?
A domain is a collection of objects in an AD environment. All objects within a domain follow the same policies for security and administrative purposes. Users seeking access to resources of a domain need to be authenticated by a server called a Domain Controller (DC).
Each domain should have at least one domain controller (DC). An organization deploys domains based on its departments or on the geographical locations of its branches. Large-scale organizations usually create their domains based on geographical locations.
Let’s say an organization has a forest named example.com. If the organization is a multinational (MNC), it would deploy domains based on geographical locations, such as the various countries in which it operates. A smaller organization would deploy domains based on departments, such as marketing and sales.
Once the domains have been created, OUs can be nested under the domains for each of the sub-departments to which users, computers, printers, and other objects can be added.
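The structure just described (a department OU nested under the domain, a group for the department, a user placed in it, and the group granted access to a file server as in the Group entry above) is built below with the ActiveDirectory PowerShell module. This is an added example, not code from the original article; example.com, the EXAMPLE NetBIOS name, the Marketing department and the \\fs01\Docs share are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): build the hierarchy the
# article describes - department OU, nested OUs, a security group, one user,
# and read access for the group on a document share.
# Assumptions: RSAT ActiveDirectory module, rights to create objects, and
# placeholder names (example.com, Marketing, \\fs01\Docs) you will replace.
Import-Module ActiveDirectory

$domain   = Get-ADDomain -Identity 'example.com'
$domainDN = $domain.DistinguishedName      # e.g. DC=example,DC=com
$netbios  = $domain.NetBIOSName            # e.g. EXAMPLE
$deptOU   = "OU=Marketing,$domainDN"

# OUs live inside a single domain; nesting them gives the parent-child
# hierarchy used to delegate administration and apply policy.
New-ADOrganizationalUnit -Name 'Marketing'  -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Users'      -Path $deptOU
New-ADOrganizationalUnit -Name 'Computers'  -Path $deptOU

# A group collects objects so access is granted once, to the group,
# instead of to every user individually.
New-ADGroup -Name 'Marketing-Docs-Readers' -SamAccountName 'Marketing-Docs-Readers' `
    -GroupScope Global -GroupCategory Security -Path $deptOU

# One user object in the department's Users OU; the initial password is
# prompted for rather than written into the script.
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -GivenName 'Jane' -Surname 'Doe' `
    -Path "OU=Users,$deptOU" `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true

Add-ADGroupMember -Identity 'Marketing-Docs-Readers' -Members 'jdoe'

# Grant the group read access on the share; members inherit it through
# membership, so adding or removing a member is the whole access change.
$share = '\\fs01\Docs'
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\Marketing-Docs-Readers", 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify: the user's group membership should now include the new group.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object -ExpandProperty Name
```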