Active Directory - Amir-Ahammed/Microsoft-Cloud-Hybrid-Infrastructure GitHub Wiki

Microsoft Active Directory Domain Services (AD DS)

Microsoft Active Directory Domain Services (AD DS) is a server role in Windows Server operating systems that allows administrators to manage and organize network resources. It provides a centralized and secure way to manage users, computers, and other network objects within an organization.

AD DS

AD DS is a centralized database that stores information about network resources. This includes:

  • Users (like employees, their usernames, passwords)
  • Computers (which machines are part of the network)
  • Printers, shared folders, and other devices/services.

📌 Key Features & Core Functions

  • Centralized User & Resource Management:

    • Stores user/computer accounts, passwords, and permissions in a centralized directory.
    • Manages all users, computers, and resources from the directory.
    • Manages access to network resources (files, printers, apps).
    • No need to set up each computer individually for every user or resource.
  • Security & Authentication:

    • Identifies users and computers: Makes sure you are who you say you are (like a bouncer checking IDs – this is called authentication).
    • Controls access: Decides what you are allowed to use or see (this is called authorization). It uses things like Kerberos (a secure ticket system) for this.
    • Multi-Factor Authentication (MFA): Confirms it's really you with extra proof (beyond just a password). It uses things like phone codes or biometrics, often via Microsoft Entra ID.
    • Group Policy Objects (GPOs): Lets admins set rules for security, software installation, and desktop settings across many computers automatically.
    • Security Groups: Simplify permission management by bundling users and computers together. Access rights are then granted to the group, and they also help target Group Policy application.
  • Organization & Structure:

    • Domains: The main way AD DS groups things. Think of company.com as a domain – it's a boundary for management and security.
    • Organizational Units (OUs): Folders within a domain to further organize users, computers (e.g., "Sales" OU, "Marketing" OU). This helps delegate administrative tasks.
    • Trees: Groups domains that extend a common DNS name (like uk.mycorp.com from mycorp.com). These domains automatically trust each other.
    • Forests: Unites one or more domain trees (even with different DNS names like mycorp.com and anotherbusiness.org). They all share a common directory blueprint and trust each other by default.
    • Schema: Think of it as the official rulebook and set of definitions for Active Directory. It clearly lists:
      • Every type of item AD can keep track of (like 'users,' 'computers,' 'printers').
      • All the specific details (or properties) it can store for each type of item (like a user having a 'name,' 'email address,' and 'department').
  • Replication & Reliability

    • Domain Controllers (DCs): Use a multi-master replication model where information is copied and kept up-to-date across these multiple servers. If one DC has a problem, others can take over, so the network stays running (fault tolerance).
    • FSMO Roles: Assigns unique, critical AD DS jobs to a single designated Domain Controller (to prevent conflicts). These roles handle tasks like schema updates or distributing new security IDs.
    • SYSVOL Replication: Copies Group Policy files and login scripts between all Domain Controllers (to ensure consistent policy application). It uses DFSR (Distributed File System Replication) technology in modern setups.
    • Replication Topology (Sites & KCC): Governs how and when AD data replicates between Domain Controllers (optimized for different physical locations called Sites). The KCC (Knowledge Consistency Checker) automatically creates these efficient replication routes.
    • Conflict Resolution (AD Replication): Decides which change "wins" if the same data is updated differently on two Domain Controllers before they sync up (to prevent data inconsistencies). It typically uses methods like timestamps or version numbers to pick the correct update.
  • Directory Services:

    • Provides a searchable directory (like a phonebook) so users and applications can find resources (e.g., finding a printer). It uses LDAP (Lightweight Directory Access Protocol) for queries.
  • Single Sign-On (SSO)

    • Log in once with your username and password to access multiple network resources you're authorized for, without needing to log in repeatedly.
  • Integration & Compliance

    • Microsoft Entra ID: Sync with cloud services for hybrid environments.
    • Audit Logs: Track security events (logins, permission changes) for compliance.
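As an added example (not code from this wiki), the conflict-resolution rule from the Replication & Reliability section above, carried through in Python: two DCs edit the same user attribute before they sync, and the merge decides which value survives. It goes slightly beyond the wording above by applying the order AD actually uses, version number first, then originating timestamp, then the originating DC's GUID as the final tie-breaker. The stamps, GUIDs and times are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AttrStamp:
    """Replication metadata AD keeps per attribute (simplified)."""
    version: int                # incremented by 1 on every originating write
    originating_time: datetime  # clock of the DC where that write happened
    originating_dsa: str        # invocation-ID GUID of that DC, here as a string
    value: str

def winner(a: AttrStamp, b: AttrStamp) -> AttrStamp:
    """Pick the stamp that survives when two DCs hold different values for one attribute.
    Comparison order: higher version, then later originating time, then higher DSA GUID.
    (AD compares GUIDs as binary; comparing the lowercase text is close enough here.)"""
    def key(s: AttrStamp):
        return (s.version, s.originating_time, s.originating_dsa.lower())
    return a if key(a) >= key(b) else b

def apply_inbound(local: dict[str, AttrStamp], inbound: dict[str, AttrStamp]) -> dict[str, AttrStamp]:
    """Merge a partner's attribute stamps into the local replica, attribute by attribute."""
    merged = dict(local)
    for attr, stamp in inbound.items():
        merged[attr] = winner(local[attr], stamp) if attr in local else stamp
    return merged

def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2024-01-01 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed scenario: the same user's 'department' was edited twice on DC1 and once,
# later, on DC2 before the two DCs replicated. DC1's value wins on version despite
# the older timestamp, which is why a DC's clock alone is not the authority.
DC1_GUID = "11111111-1111-1111-1111-111111111111"  # placeholder invocation IDs
DC2_GUID = "22222222-2222-2222-2222-222222222222"
LOCAL_DC1 = {
    "department": AttrStamp(3, _t("10:00"), DC1_GUID, "Finance"),
    "title":      AttrStamp(1, _t("09:00"), DC1_GUID, "Analyst"),
}
INBOUND_DC2 = {
    "department": AttrStamp(2, _t("10:05"), DC2_GUID, "Sales"),
    "title":      AttrStamp(2, _t("10:06"), DC2_GUID, "Senior Analyst"),
}
```

Run `apply_inbound(LOCAL_DC1, INBOUND_DC2)` to see that `department` keeps DC1's value while `title` takes DC2's newer, higher-version value.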

📌 How It Works

  • The Directory (NTDS.dit): Imagine a big, organized address book or database stored on servers called Domain Controllers (DCs). This database holds all the info about users, computers, permissions, etc.

  • Domain Controllers (DCs): Think of these as powerful Windows Servers that act as the guardians and managers of the domain because they run the Active Directory Domain Services (AD DS) role.

    • When you log in to a computer joined to the domain, your computer talks to a DC.
    • The DC checks your username and password (authentication).
    • If you're verified, the DC tells your computer what you have access to based on your permissions and any Group Policies that apply to you (authorization).
  • DNS (Domain Name System): AD DS heavily relies on DNS (like the internet's phonebook) to help computers find DCs and other services within the domain.

  • Structure:

    • Everything is organized in a hierarchy: Forest (top level) > Trees (if multiple related domain structures) > Domains (e.g., sales.mycompany.com) > Organizational Units (OUs) (e.g., US_Sales_Team OU). This allows for clear organization and targeted policy application.


Domain

An Active Directory Domain is a logical grouping of users, computers, and devices that share a centralized directory database and security policies. It serves as the core boundary for authentication, resource management, and policy enforcement in an on-premises network.

📌 Key Features of an AD Domain

  • Centralized Management:
    • All objects (users, computers, groups) are stored in a single directory database (NTDS.dit) hosted on Domain Controllers (DCs).
  • Security Boundary:
    • A domain defines a trust boundary where authentication and authorization are managed uniformly.
    • Permissions and Group Policy Objects (GPOs) apply domain-wide unless overridden by finer-grained controls (e.g., OUs).
  • DNS Integration:
    • Domains are identified by DNS names (e.g., corp.company.com).
    • DNS is used to locate Domain Controllers and services (e.g., _ldap._tcp.dc._msdcs.corp.company.com).
  • Hierarchical Structure:
    • Organizational Units (OUs): Subdivisions within a domain to delegate administration (e.g., OU=Finance, DC=corp, DC=company, DC=com).
    • Group Policy: Policies can be targeted to domains, OUs, or specific groups.
  • Multi-Master Replication: Changes to the directory (e.g., new users) replicate automatically between all Domain Controllers in the domain.

📌 Core Components of an AD Domain

| Component | Description |
|---|---|
| Domain Controller (DC) | Hosts the AD database (NTDS.dit) and handles authentication requests. |
| Users | Accounts and security groups (e.g., Sales_Team) for access management. |
| Computers | Devices joined to the domain for centralized control via GPOs. |
| DNS Server | Resolves domain names to IPs and locates DCs via SRV records. |
| SYSVOL | Shared folder storing GPOs, scripts, and login files replicated across DCs. |
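As an added example (not code from this wiki), a short Python script tying together the DNS Integration and Hierarchical Structure points above and the DNS Server row of the table: the DC= components of a distinguished name spell the domain's DNS name, that name gives the `_ldap._tcp.dc._msdcs.<domain>` locator record, and a domain member picks a DC from the SRV answers by priority and weight. The SRV answers are constructed sample data, not a real lookup, and the DN parser only handles the escaped-comma case.

```python
from __future__ import annotations
import random
import re
from dataclasses import dataclass

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs; '\\,' inside a value is an escaped comma."""
    rdns = re.split(r"(?<!\\),", dn)
    pairs = (r.partition("=") for r in rdns)
    return [(t.strip().upper(), v.strip().replace("\\,", ",")) for t, _, v in pairs]

def domain_from_dn(dn: str) -> str:
    """The DC= components of a DN, read in order, spell the domain's DNS name."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")

def dc_locator_srv_name(domain: str) -> str:
    """SRV name a domain member resolves to find LDAP-capable Domain Controllers."""
    return f"_ldap._tcp.dc._msdcs.{domain}"

@dataclass
class Srv:
    priority: int  # lower is preferred
    weight: int    # share of load among targets with the same priority
    port: int
    target: str

def choose_dc(records: list[Srv], rng: random.Random | None = None) -> Srv:
    """RFC 2782 selection (simplified): only the lowest-priority tier is eligible,
    and within it a target is chosen at random in proportion to its weight."""
    rng = rng or random.Random()
    lowest = min(r.priority for r in records)
    tier = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in tier)
    if total == 0:  # every weight is 0: pick uniformly
        return rng.choice(tier)
    pick = rng.randrange(total)
    for r in tier:
        pick -= r.weight
        if pick < 0:
            break
    return r

# Constructed sample answers for _ldap._tcp.dc._msdcs.corp.company.com (not a real lookup).
SAMPLE_SRV = [
    Srv(0, 100, 389, "dc1.corp.company.com."),
    Srv(0, 0, 389, "dc2.corp.company.com."),       # weight 0: never chosen while dc1 answers
    Srv(10, 100, 389, "dr-dc.corp.company.com."),  # standby tier, used only if tier 0 vanishes
]
```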

📌 How It Works

  • User Authentication: When a user logs in, their computer contacts a DC to verify credentials (via Kerberos/NTLM).
  • Resource Access: The DC checks the user’s group memberships and permissions to grant/deny access to files, printers, or apps.
  • Policy Enforcement: GPOs from the domain or OU level apply settings (e.g., firewall rules, software deployments) to users/computers.
  • Replication: Changes (e.g., new user accounts) replicate between DCs to ensure consistency (typically every 15–30 seconds).


Azure AD Connect

Azure AD Connect is Microsoft’s hybrid identity bridge, synchronizing on-premises Active Directory Domain Services (AD DS) with Microsoft Entra ID (formerly Azure AD). It enables seamless access to both cloud and on-premises resources with a single identity.

📌 Key Features of Azure AD Connect

  • Synchronization:
    • Syncs users, groups, and devices from AD DS to Entra ID (one-way by default, with optional writeback of selected attributes).
    • Filters objects by OU/attribute (e.g., exclude service accounts).
  • Authentication Methods:
    • Password Hash Synchronization (PHS): Hashes synced to Entra ID for cloud auth.
    • Pass-Through Authentication (PTA): Real-time validation against on-premises AD.
    • Federation (AD FS): Uses on-premises federation services for authentication.
  • Seamless Single Sign-On (SSO):
    • Allows users to access cloud apps without re-entering credentials when on a corporate network.
  • Health Monitoring:
    • Azure AD Connect Health provides monitoring and alerts for sync and authentication services.

📌 How It Works

  • Installation:
    • Deployed on an on-premises server (domain-joined, typically Windows Server 2016+).
  • Configuration:
    • Define sync scope (e.g., specific OUs), auth method (PHS/PTA/AD FS), and optional features (password writeback).
  • Synchronization Process:
    • Runs every 30 minutes by default (delta syncs for incremental changes).
  • Authentication Flow:
    • PHS/PTA: Cloud auth requests validated via synced hashes or on-premises AD.
    • AD FS: Redirects to on-premises federation service for auth.
