Active Directory: Everything you Always Wanted to Know (But Were Afraid to Ask)

Steve Manjaly August 3, 2022

Microsoft Active Directory is one of the most popular directory services. As of November 2017, it was being used in 12.8 million organizations with 950 million users, as stated by Alex Simons, director of Program Management for the Microsoft Identity Division.

Initially previewed in 1999, Active Directory (AD) became so ubiquitous that its name was later used as a general term for similar services. Further features were added in the subsequent years, one of the latest additions being Active Directory Federation Services in 2008. The solution uses LDAP, Kerberos, and DNS to manage information as objects and attributes. 

In simple terms, AD is a database that stores information about people and assets. But it’s also a lot more than that; it can manage access, control information, and authenticate users for various applications. It lets users customize how they want to store their asset information and manage resources, and lets admins provide secure access to users. 

With its security and data protection features, enterprise-level scalability, and the capability to manage devices distributed across a large geographical area, the solution is a favorite among asset managers and often a core part of asset management strategy for many organizations. 

While the solution is popular, people often have a lot of questions about what it does and how it does it. In this article, we aim to clear them all. 

12 frequently asked questions about Active Directory

1. What is Active Directory?

Active Directory is an asset management and access control solution developed by Microsoft. It is essentially a directory service for Windows domain networks. It stores information about your assets (hardware, software, files) and users, as well as which users have access to which assets. 

Active Directory works by storing all the information about the different devices and users, including passwords and credentials. When a user wants to access a service or an asset, Active Directory verifies the credentials and grants or denies access based on the user's role. 

2. What protocols does Active Directory use?

Active Directory uses LDAP, Kerberos, and DNS. 

LDAP, or Lightweight Directory Access Protocol, is a vendor-neutral application protocol for accessing directory services over IP. In the Active Directory implementation, a client connects to the domain controller (explained below), sends it a request, and receives a response from the domain controller in return. The LDAP protocol defines many operations. By default LDAP transmits information unencrypted, but you can enable SSL/TLS encryption in Active Directory.

Kerberos is an authentication protocol developed at MIT that uses mutual authentication: both the server and the client verify each other's identity. The system relies on a trusted third party, the key distribution center, to verify identities, and in Active Directory this role is performed by the domain controller. The process is involved, but essentially the domain controller tells the service the user wants to access whether the user is allowed to access it. 

Lastly, DNS, or Domain Name System, is often compared to a phone book and is commonly used to map human-friendly domain names to IP addresses. In Active Directory, DNS is used to locate domain controllers. When a user logs into an Active Directory domain, DNS points the user's workstation to an Active Directory domain controller from which the user can request services. 

3. What is an Active Directory domain controller?

The domain controller (DC) is a server running Active Directory Domain Services. There is usually more than one domain controller. While you can recover data if a domain controller fails, Microsoft recommends having a backup or more for failover. 

Whenever a user needs to access a service or a system, the domain controllers grant it based on the configured permissions. While earlier implementations relied on a single primary domain controller and a backup domain controller, current ones use a multi-master approach with multiple domain controllers among which the database is replicated. 

Domain controllers carry the primary function of the Active Directory: manage devices, users, and access to network resources. 

4. What are objects in the Active Directory?

Every piece of information in Active Directory is stored as an object with its attributes. Objects can be devices or assets like printers, or security principals like users, computer accounts, or user groups. All security principals are assigned security identifiers, or SIDs. The rules about objects, how they are organized, and how they relate to other objects are stored in the Active Directory schema.

The schema also defines the rules about object attributes. For example, it determines which attributes are required for an object and which are optional: a username and password may be required for a user, while the email address and first and last name may be optional. 

Admins can define the schema and make changes as necessary, but changes after the initial implementation must be carefully planned. 

5. How are objects grouped into domains, trees, and forests?

Domains, trees, and forests are the different ways objects are arranged. A group of objects comes under a single domain, and all of these are stored in a single database. A collection of domains comes under a tree, and a group of trees comes under a forest. 

A forest represents the security perimeter for the Active Directory; all the domains within the forest have the same schema, share a global catalog, and trust each other to an extent. All the objects under a forest may be accessed by other objects regardless of their domain or tree. And all domains under a tree trust (explained below) each other. 

6. How does Active Directory prevent conflicting updates?

When there are multiple domain controllers in an enterprise, changes to one are replicated to the rest, and when any of them can be modified, this creates the possibility of conflicting updates. This is resolved with a single-master approach for certain operations, in which only one domain controller can perform the update; its changes are then replicated to the rest. 

Earlier, this role was performed by the primary domain controller, but now there are different roles that can update different parts of the database. These are referred to as Flexible Single Master Operation roles (FSMO roles), "flexible" because the roles are not tied to specific domain controllers; they can be assigned to different DCs, including through "seize" operations. 

7. What are the different FSMO roles in Active Directory?

There are five different FSMO roles currently in Active Directory:

  1. Schema master
  2. Domain naming master
  3. RID master role
  4. PDC emulator role
  5. Infrastructure master role

Let's take a quick look at each one of them.

Schema master

The schema master is the DC (domain controller) responsible for updating the directory schema for an entire forest. Once the schema master updates the directory schema, the rest of the domain controllers in the forest replicate the change. 

Domain naming master

This is the DC responsible for adding or removing domains from a forest. There is only one domain naming master in the forest. Since the schema master and domain naming master roles are rarely used and only needed for these specific actions, they are often placed on a single DC. 

RID master role

The RID master role is responsible for processing all RID pool requests. The SID of every security principal (objects like users and user groups) consists of a domain-specific SID and a RID that is unique to that object. Every domain controller in a domain has a pool of RIDs it can use for the objects it creates. When this pool is about to run out, the domain controller asks the RID master for more RIDs. 

Every domain has one DC with a RID master role. 
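As an added example (not code from the original article), the following Python script splits a SID into the domain SID and RID described above and decodes the binary objectSid form that domain controllers actually store; the domain SID values are constructed and the helper names are my own.

```python
import struct

# Well-known domain-relative RIDs (defined by Microsoft; this is a subset).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Constructed sample: a made-up domain SID with the built-in Administrator RID.
EXAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-500"

def parse_sid_string(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (prefix, rid); prefix is the domain SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def sid_from_bytes(raw):
    """Decode the binary objectSid attribute into the S-1-... string form.
    Layout: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority (big-endian), then 32-bit sub-authorities
    (little-endian). The last sub-authority is the RID."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; used here to build sample binary input."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def describe(sid):
    """Report domain SID, RID and, for domain SIDs only, the well-known name."""
    prefix, rid = parse_sid_string(sid)
    # BUILTIN SIDs (S-1-5-32-...) use a different RID namespace, so only
    # label RIDs that belong to a real domain (S-1-5-21-...).
    is_domain = prefix.startswith("S-1-5-21-")
    return {"domain_sid": prefix, "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid) if is_domain else None}
```

Because the built-in Administrator account keeps RID 500 even when renamed, comparing the RID rather than the account name is the reliable way to recognise it in logs or directory exports.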

PDC emulator role

The PDC emulator is the time authority for the domain: the rest of the DCs in the domain sync their clocks with it. If the forest has more than one domain, the forest root PDC emulator is the authority for time and is configured to get the time from an external source. 

The PDC emulator also acts as the domain's authority on passwords. Password changes are replicated to the PDC emulator first. If another DC receives a password it considers incorrect, it first checks with the PDC emulator to see whether the password has been changed before telling the user that the password is wrong. 

Infrastructure master role

The infrastructure master is responsible for keeping the SIDs and distinguished names of objects in a domain up to date. When an object in one domain references an object in another, the infrastructure master DC supplies the updated data. The infrastructure master gets this data from the global catalog, and the role must be held by a server that does not host the global catalog. 

8. What is the difference between Azure AD DS and Active Directory Domain Services?

Azure AD DS extends the on-premises Active Directory Domain Services to the cloud. Azure AD DS lets organizations manage user access to cloud apps and other resources. It is essentially a service that lets you access multiple applications with a single sign-on; if your organization has a lot of SaaS applications, you can use Azure AD DS to enable single sign-on across all of them. 

Users have a username and password with which AD DS authenticates their identity, and once that is done, it provides credentials to the other applications. If your organization is using Microsoft 365, the seamless sign-on to all the apps is handled by Azure AD DS. 

9. Is Active Directory the same as single sign-on?

Active Directory functioned as an early form of single sign-on before the idea of single sign-on was formalized. Active Directory is for on-premises applications: users access resources on the same network by authenticating with AD. Single sign-on, meanwhile, is for signing into multiple applications on the web by authenticating your identity once. 

Active Directory Federation Services, one of the extended services of AD, lets organizations enable single sign-on for other applications. 

10. What is the difference between LDAP and Active Directory?

LDAP, or Lightweight Directory Access Protocol, is used to access and manage information within a directory service. Active Directory uses LDAP, alongside other protocols like Kerberos and DNS, to share data and control access to objects in its database. And of course, Active Directory is a proprietary product from Microsoft, while LDAP is vendor-neutral and is used by other directory services as well. 

11. What are the different Active Directory Services?

Besides Active Directory Domain Services, Active Directory has other services:

  • Lightweight Directory Services
  • Certificate Services
  • Active Directory Federation Services

Lightweight Directory Services

AD LDS, or Active Directory Lightweight Directory Services, is an implementation of LDAP that lets applications access data from its own store. It does not need Active Directory Domain Services and can simply act as a data storage and access system. 

Certificate Services

Active Directory Certificate Services, or AD CS, is used for creating and managing public keys for internal use in an organization. It provides digital certificates and digital signatures and lets organizations run their own certificate authority. It can pull the information it needs from AD DS, which makes it easier for users to obtain certificates. 

Active Directory Federation Services

Active Directory Federation Services, or AD FS, enables organizations to use single sign-on across applications. While Active Directory allows seamless access to internal resources, AD FS extends this to external applications. 

12. What is a trust?

A trust allows users in one domain to authenticate to services in another domain. There are different types of trusts: one-way, two-way, transitive, and more. All domains within a forest have transitive trusts with each other.