**Active Directory** is a centralized database used by organizations to manage and organize network resources - such as computers, user accounts, file shares, printers, and security groups.
* It streamlines access and administration of network-connected assets across the enterprise network
* It serves as a centralized authentication source, allowing users to log into computers and access network resources using their **Active Directory** credentials
* It centralizes authorization: access to network resources is granted or denied based on the permissions assigned to users and to the groups they belong to
## Active Directory Components
### Domain
* A **domain** is the fundamental unit of the Active Directory infrastructure
* It represents a logical grouping of users, computers, printers, and other resources within an enterprise network
* Each domain has a unique name (e.g., withabran.com) that identifies it within the directory
### Domain Controller (DC)
* A **Domain Controller** is a server (Windows Server) that stores and manages domain data within a distributed database.
* Active Directory is the service in the DC that manages this database, providing centralized authentication and authorization across the network.
* Changes made to this domain database on one Domain Controller are automatically replicated to all other Domain Controllers within the domain, ensuring consistency, scalability, performance, and fault tolerance
* Nearly all DCs hold a writable copy of the database; the exception is the **Read-Only Domain Controller (RODC)**
* Replication is multi-master: a change can originate on any writable DC and flows in both directions between DCs
* Because every writable DC holds the full database (including every account's password hashes in `ntds.dit`), a compromised DC means a compromised domain; DCs are the assets to protect most tightly
#### Schema
* The schema is the blueprint of Active Directory. It defines the classes of objects (e.g., users, computers, groups) and the attributes those objects can have.
* The schema can be extended with custom objects and attributes, but modifications should be made cautiously to avoid issues.
#### Active Directory Data Format (X.500)
* Active Directory data is structured hierarchically, following the **X.500** standard - a directory model that organizes objects in a tree-like format.
* The hierarchy is built from containers, chiefly **Organizational Units (OUs)**:
  * OUs allow administrators to logically group users, computers, and other objects.
  * They enable delegation of administrative control, application of **Group Policies**, and streamlined management of resources.
  * OUs are not security principals: permissions are granted to users and groups, not to OUs, so an OU is a management boundary rather than an access-control boundary.
* Every object in this structure is assigned a unique **Distinguished Name (DN)**, which defines its location in the directory. A DN changes when the object is moved or renamed, so tooling that needs a stable reference should key on `objectGUID` (or `objectSid` for security principals) instead.
* Example Format: `CN=JohnDoe,OU=Sales,DC=withabran,DC=local` (most specific component first; the `DC=` components spell out the domain `withabran.local`)
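The DN format above is easy to mis-handle when a value contains a comma or other separator (a user called "Doe, John" is the usual surprise). The following is an added example, not code from the original notes, and uses only the Python standard library; it parses and rebuilds DNs with RFC 4514 escaping and derives the parent container and domain DNS name from them. The DNs it runs on are constructed.

```python
"""RFC 4514 distinguished-name handling for Active Directory objects.

Added illustration, not part of the original notes. Standard library only;
the sample DNs in __main__ are constructed.
"""
from typing import List, Tuple

RDN = Tuple[str, str]

# Characters that must be escaped inside an RDN value (RFC 4514 section 2.4)
_SPECIAL = set(',+"\\<>;')


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, most specific first.

    Understands backslash escapes ("\\," and hex pairs such as "\\2C") so a
    value like "Doe, John" is not mistaken for an RDN separator. Multi-valued
    RDNs joined with '+' are not handled; AD rarely uses them.
    """
    rdns: List[RDN] = []
    attr, buf = "", []
    i, n = 0, len(dn)
    in_value = False
    while i < n:
        c = dn[i]
        if c == "\\" and in_value:
            nxt = dn[i + 1] if i + 1 < n else ""
            if nxt in _SPECIAL or nxt in " #=":
                buf.append(nxt)
                i += 2
                continue
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
                buf.append(chr(int(hexpair, 16)))  # single-byte escapes only
                i += 3
                continue
            raise ValueError(f"bad escape at offset {i}")
        if c == "=" and not in_value:
            attr = "".join(buf).strip()
            buf = []
            in_value = True
        elif c == "," and in_value:
            rdns.append((attr, "".join(buf).strip()))
            buf, attr, in_value = [], "", False
        else:
            buf.append(c)
        i += 1
    if not in_value:
        raise ValueError("DN does not end with a complete RDN")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def escape_rdn_value(value: str) -> str:
    """Escape a value so it can be embedded in a DN without changing its structure."""
    out = []
    last = len(value) - 1
    for idx, c in enumerate(value):
        if c in _SPECIAL or (idx == 0 and c in " #") or (idx == last and c == " "):
            out.append("\\" + c)
        elif c == "\x00":
            out.append("\\00")
        else:
            out.append(c)
    return "".join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn, with values escaped."""
    return ",".join(f"{a}={escape_rdn_value(v)}" for a, v in rdns)


def parent_dn(dn: str) -> str:
    """The container one level up, e.g. the OU that holds a user."""
    return build_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Recover the DNS name of the domain from the DC= components."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")


if __name__ == "__main__":
    sample = "CN=JohnDoe,OU=Sales,DC=withabran,DC=local"  # constructed
    print(parse_dn(sample))
    print(parent_dn(sample))         # OU=Sales,DC=withabran,DC=local
    print(domain_dns_name(sample))   # withabran.local
    tricky = build_dn([("CN", "Doe, John"), ("OU", "Sales"), ("DC", "withabran"), ("DC", "local")])
    print(tricky)                    # CN=Doe\, John,OU=Sales,DC=withabran,DC=local
    print(parse_dn(tricky)[0])       # ('CN', 'Doe, John')
```

Note that these escaping rules apply to DNs only; values placed inside an LDAP search filter follow a different escape set (RFC 4515), so a DN value cannot simply be pasted into a filter.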
### Read-Only Domain Controllers (RODCs)
- A **RODC** is a type of Domain Controller that hosts a **read-only copy** of the Active Directory database.
- It is designed for **locations with limited physical security** or **low bandwidth**, where deploying a full writable DC might pose risks.
#### Key Features
- **Read-Only Database**: No changes are accepted locally; clients that need to write are referred to a writable DC.
- **Credential Caching**: By default the RODC caches no account passwords at all. A **Password Replication Policy** lists the accounts (typically the users and computers at that site) whose secrets it may cache, so a stolen or compromised RODC exposes only those accounts rather than the whole domain.
- **Unidirectional Replication**: RODCs receive updates from writable DCs but do not replicate changes back.
- **Administrator Role Separation**: Local admins can manage the RODC without having elevated privileges in the domain.
#### Use Cases
* Ideal for **branch offices**, **retail locations**, or **remote sites** with:
  * Limited IT staff
  * Physical security concerns
  * Need for local authentication without full domain control
### Per Domain Flexible Single Master Operation (FSMO) Roles
* Certain tasks in Active Directory require a **single authoritative Domain Controller** to avoid conflicts or inconsistencies. These tasks are handled by **FSMO roles**, which are not performed by all DCs simultaneously.
* FSMO roles are **flexible**, meaning they can be transferred to another Domain Controller if needed—for example, during maintenance or server downtime.
* In each domain, there are **three FSMO roles** (two more, the **Schema Master** and the **Domain Naming Master**, exist once per forest):
* **RID Master** – Allocates pools of relative IDs to DCs for creating new objects, so that two DCs can never assign the same SID.
* **PDC Emulator** – Acts as the authoritative time source for the domain and provides backward compatibility with NT-style domains.
  * Other DCs sync their clocks to it and domain members sync to their DC; Kerberos depends on this, since tickets are rejected when clocks drift beyond the allowed skew (5 minutes by default)
  * Password changes are replicated to the PDC Emulator immediately, ahead of normal replication
  * Account lockouts are processed on it: when a logon fails with a bad password at another DC, that DC checks with the PDC Emulator before rejecting the logon, so the PDC Emulator always holds the current lockout state
* **Infrastructure Master** – Maintains references to objects in other domains (for example a group member from another domain) and updates them when the referenced object is renamed or moved. It should not sit on a Global Catalog server unless every DC in the domain is a Global Catalog, because a GC never sees the stale references it is supposed to fix.
### Trees
* A tree in Active Directory is a hierarchical arrangement of domains that share a contiguous namespace
* For example, `corp.example.com` and `sales.corp.example.com` are part of the same tree because they share the corp.example.com namespace.
* Domains in a tree are automatically linked by two-way transitive parent-child trusts and share a common schema and configuration
* Trees help organize domains logically within a namespace
### Forest
* A forest is the top-level container in Active Directory. It can contain multiple trees, even if they have different namespaces
* For example, `corp.example.com` and `marketing.brand.net` can be in the same forest, each belonging to a separate tree
* Forests define security boundaries:
  * All domains in the forest share the same schema, global catalog, and configuration.
  * Trust between forests must be explicitly created
  * The forest, not the domain, is the security boundary: every domain in a forest trusts the others, so an attacker who gains Domain Admin in any one domain should be assumed able to reach the whole forest
* Forests help unify multiple trees under one umbrella for centralized management and trust.
* Admins often use single forest, single tree setups for simplicity, but multi-tree forests are common in mergers, acquisitions, or large enterprises.
### Lightweight Directory Access Protocol (LDAP)
- **LDAP** is the protocol used to query and modify Active Directory data (TCP 389, or 636 for LDAP over TLS; the Global Catalog answers on 3268 and 3269).
- It enables applications and services to interact with the directory for authentication, directory lookups, and more.
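Most of those integrations build a search filter from a user-supplied name, which is where LDAP injection comes from. The following is an added example, not code from the original notes: it shows the unsafe filter beside one that applies RFC 4515 escaping, and runs both against a small in-memory directory with a minimal filter evaluator so the difference is visible offline. The directory entries and inputs are constructed.

```python
"""LDAP search filters: unsafe string building beside RFC 4515 escaping,
with a small in-memory matcher to show the effect. Added example, not code
from the original notes; DIRECTORY and the probe inputs are constructed.
"""
import re
from typing import Dict, List

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-controlled text before splicing it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def user_filter_unsafe(sam: str) -> str:
    """Raw formatting: the caller's input becomes filter syntax (LDAP injection)."""
    return f"(&(objectClass=user)(sAMAccountName={sam}))"


def user_filter_safe(sam: str) -> str:
    """Same lookup with the value escaped; '*', '(' and ')' lose their meaning."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam)}))"


# --- minimal filter evaluator: & | ! and equality with '*' wildcards ---

def _parse(flt: str, i: int = 0):
    if flt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if flt[i] in "&|!":
        op, kids, i = flt[i], [], i + 1
        while i < len(flt) and flt[i] == "(":
            node, i = _parse(flt, i)
            kids.append(node)
        if i >= len(flt) or flt[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    eq = flt.index("=", i)
    close = flt.index(")", eq)
    return ("=", flt[i:eq].lower(), flt[eq + 1:close]), close + 1


def _unescape(s: str) -> str:
    """Turn \\xx hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _matches(node, entry: Dict[str, str]) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, raw = node
    if attr not in entry:
        return False
    # an unescaped '*' is a wildcard; '\2a' unescapes to a literal asterisk
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return re.fullmatch(pattern, entry[attr], re.IGNORECASE) is not None


def search(entries: List[Dict[str, str]], flt: str) -> List[str]:
    """Return the sAMAccountName of every entry the filter matches."""
    tree, end = _parse(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return [e["samaccountname"] for e in entries if _matches(tree, e)]


# Constructed directory contents (attribute names lower-cased for the matcher)
DIRECTORY = [
    {"objectclass": "user", "samaccountname": "jdoe"},
    {"objectclass": "user", "samaccountname": "asmith"},
    {"objectclass": "user", "samaccountname": "svc_backup"},
    {"objectclass": "computer", "samaccountname": "WS01$"},
]


if __name__ == "__main__":
    for probe in ("jdoe", "*", "svc_*"):
        print(f"{probe!r:10} unsafe -> {search(DIRECTORY, user_filter_unsafe(probe))}")
        print(f"{probe!r:10} safe   -> {search(DIRECTORY, user_filter_safe(probe))}")
```

A real client hands the escaped filter to the server unchanged; with the `ldap3` library, for instance, it is the `search_filter` argument of `Connection.search`, and `ldap3.utils.conv.escape_filter_chars` performs the same escaping as `escape_filter_value` above.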
### Domain Name System (DNS)
- **DNS** is critical for locating Active Directory domains and services.
- AD relies heavily on DNS for name resolution and service discovery (e.g., clients locate Domain Controllers through **SRV** records such as `_ldap._tcp.dc._msdcs.<domain>`).
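The SRV records are also what a client (or an attacker doing recon from a foothold) uses to find every DC, the PDC Emulator and the Global Catalogs without any prior knowledge of hostnames. The following is an added example, not code from the original notes: it lists the names AD registers under `_msdcs`, parses an SRV answer in the presentation form `dig` prints, and applies the RFC 2782 priority/weight ordering a client uses to pick a DC. No DNS query is made; the answer text is constructed.

```python
"""DC location through DNS SRV records. Added example, not code from the
original notes; ANSWER_TEXT is a constructed answer and no lookup is sent.
A live query would feed the resolver's output through parse_srv_answer.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


def dc_locator_names(domain: str, site: Optional[str] = None,
                     forest: Optional[str] = None) -> List[str]:
    """SRV names a client resolves, most specific first."""
    names: List[str] = []
    if site:  # a site-aware client prefers DCs in its own site
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}")
    names += [
        f"_ldap._tcp.dc._msdcs.{domain}",       # any DC offering LDAP
        f"_kerberos._tcp.dc._msdcs.{domain}",   # any KDC
        f"_ldap._tcp.pdc._msdcs.{domain}",      # the PDC Emulator only
        f"_kpasswd._tcp.{domain}",              # password-change service
    ]
    if forest:
        names.append(f"_gc._tcp.{forest}")      # Global Catalog servers (forest-wide)
    return names


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_answer(text: str) -> List[SRV]:
    """Parse SRV records in zone-file presentation form, one per line, e.g.
    '_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.'"""
    records: List[SRV] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-5] != "SRV":
            continue  # blank, comment or non-SRV line
        prio, weight, port, target = fields[-4:]
        records.append(SRV(int(prio), int(weight), int(port), target))
    return records


def order_targets(records: List[SRV], rng: random.Random) -> List[SRV]:
    """RFC 2782: contact the lowest priority first; within one priority pick
    targets at random with probability proportional to weight."""
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)  # only zero-weight targets remain
            else:
                roll = rng.randint(0, total - 1)
                acc = 0
                for pick in pool:
                    acc += pick.weight
                    if roll < acc:
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def ordered_dc_targets(text: str, seed: int = 0) -> List[str]:
    """Target names in the order a client given this answer would try them."""
    return [r.target for r in order_targets(parse_srv_answer(text), random.Random(seed))]


# Constructed answer for _ldap._tcp.dc._msdcs.withabran.local: two equal DCs
# at priority 0 and a branch RODC that is only tried if both are unreachable
ANSWER_TEXT = """\
_ldap._tcp.dc._msdcs.withabran.local. 600 IN SRV 0 100 389 dc1.withabran.local.
_ldap._tcp.dc._msdcs.withabran.local. 600 IN SRV 0 100 389 dc2.withabran.local.
_ldap._tcp.dc._msdcs.withabran.local. 600 IN SRV 10 0 389 rodc-branch.withabran.local.
"""


if __name__ == "__main__":
    for name in dc_locator_names("withabran.local", site="HQ", forest="withabran.local"):
        print(name)
    print(ordered_dc_targets(ANSWER_TEXT, seed=42))
```

The priority field is how an administrator keeps a branch RODC from being chosen while the main DCs are up; `dcdiag /test:dns` on a DC and `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` from any member are the quick ways to confirm the records actually registered.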
### Authentication
* Active Directory supports multiple authentication protocols:
- **NTLM**: Legacy challenge-response protocol kept for backward compatibility. It does not authenticate the server to the client and is the protocol abused by pass-the-hash and relay attacks, so its use should be audited and restricted.
- **Kerberos**: The default and more secure protocol in modern Windows environments (ticket-based, mutual authentication, and dependent on synchronized clocks).
- **LDAP**: Can also be used for authentication (an LDAP bind), especially in third-party integrations. A simple bind sends the password in cleartext unless the connection is protected by TLS (LDAPS or StartTLS), so require TLS and enforce LDAP signing and channel binding on the DCs.
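Before NTLM can be restricted you need to know who is still using it, and the Security log's logon event (4624) records the package that authenticated each session. The following is an added example, not code from the original notes: it parses a handful of constructed 4624/4625 events written one per line as key=value pairs using the EventData field names the event carries (`AuthenticationPackageName`, `LmPackageName`, `LogonType`, `TargetUserName`, `IpAddress`), then tallies packages and flags NTLMv1 and NTLM-only accounts.

```python
"""Which protocol actually authenticates logons: a tally over Security
event 4624 fields. Added example, not from the original notes; SAMPLE_EVENTS
is constructed (one event per line, EventData names as keys).
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos LmPackageName=- TargetUserName=jdoe IpAddress=10.0.1.25 WorkstationName=WS01
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 TargetUserName=svc_backup IpAddress=10.0.1.25 WorkstationName=WS01
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V1 TargetUserName=legacyapp IpAddress=10.0.5.7 WorkstationName=OLDSRV
EventID=4624 LogonType=2 AuthenticationPackageName=Negotiate LmPackageName=- TargetUserName=asmith IpAddress=- WorkstationName=DC01
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 TargetUserName=ANONYMOUS LOGON IpAddress=10.0.9.9 WorkstationName=-
EventID=4625 LogonType=3 AuthenticationPackageName=NTLM LmPackageName=- TargetUserName=jdoe IpAddress=10.0.9.9 WorkstationName=-
"""

# key=value pairs; a value runs until the next "key=" so it may contain spaces
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one line into its fields (values such as 'NTLM V2' keep their space)."""
    return {k: v for k, v in _PAIR.findall(line)}


def successful_logons(text: str) -> List[Dict[str, str]]:
    """Only 4624 (success); 4625 failures also carry a package but prove nothing."""
    events = (parse_event(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e.get("EventID") == "4624"]


def auth_package_summary(text: str) -> Dict[str, int]:
    """How many successful logons each package handled. 'Negotiate' means the
    SSP chose at runtime (normally Kerberos on a joined machine); plain 'NTLM'
    is the number to drive down."""
    return dict(Counter(e["AuthenticationPackageName"] for e in successful_logons(text)))


def ntlmv1_logons(text: str) -> List[Tuple[str, str]]:
    """(user, source IP) for every NTLMv1 logon. NTLMv1 responses can be
    cracked offline, so any hit is a finding on its own."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in successful_logons(text)
        if e["AuthenticationPackageName"] == "NTLM"
        and e["LmPackageName"].replace(" ", "").upper() == "NTLMV1"
    ]


def ntlm_principals(text: str) -> Set[str]:
    """Accounts still authenticating with NTLM: the starting list for an
    'Audit NTLM authentication in this domain' review before restricting it."""
    return {
        e["TargetUserName"]
        for e in successful_logons(text)
        if e["AuthenticationPackageName"] == "NTLM"
    }


if __name__ == "__main__":
    print(auth_package_summary(SAMPLE_EVENTS))   # {'Kerberos': 1, 'NTLM': 3, 'Negotiate': 1}
    print(ntlmv1_logons(SAMPLE_EVENTS))          # [('legacyapp', '10.0.5.7')]
    print(sorted(ntlm_principals(SAMPLE_EVENTS)))
```

On a real DC the same fields come from the Security log (for example via the `Network security: Restrict NTLM: Audit NTLM authentication in this domain` policy together with event 4624); `ANONYMOUS LOGON` over NTLM from an unknown source, as in the sample, is the pattern worth chasing first.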