Active Directory Domain Services (AD DS) are the core functions in Active Directory that manage users and computers and allow sysadmins to organize the data into logical hierarchies.
AD DS provides for security certificates, Single Sign-On (SSO), LDAP, and rights management.
Understanding AD DS is a top priority for Incident Response (IR) and cybersecurity practitioners because all cyberattacks will affect AD, and you need to know what to look for and how to respond to attacks when they happen.
Benefits of Active Directory Domain Services
There are several benefits to using AD DS for your basic network user and computer management.
- You can customize how your data is organized to meet your companies needs
- You can manage AD DS from any computer on the network, if necessary
- AD DS provides built in replication and redundancy: if one Domain Controller (DC) fails, another DC picks up the load
- All access to network resources goes through AD DS, which keeps network access rights management centralized
Active Directory Domain Services Terms to Know
In order to understand AD DS, there are some key terms to define.
- Schema: The set of user configured rules that govern objects and attributes in AD DS.
- Global Catalog: The container of all objects in AD DS. If you need to find the name of a user, that name is stored in the Global Catalog.
- Query and Index Mechanism: This system allows users to find each other in AD. A good example would be when you start typing a name in your mail client, and the mail client shows you possible matches.
- Replication Service: The replication service makes sure that every DC on the network has the same Global Catalog and Schema
- Sites: Sites are representations of the network topology, so AD DS knows what objects go together to optimize replication and indexing.
- Lightweight Directory Access Protocol: LDAP is a protocol that allows AD to communicate with other LDAP enabled directory services across platforms.
What Services are Provided in Active Directory Domain Services?
Here are the services that AD DS provides as the core functionality required by a centralized user management system.
- Domain Services: Stores data and manages communications between the users and the DC. This is the primary functionality of AD DS.
- Certificate Services: Allows your DC to serve digital certificates, signatures, and public key cryptography.
- Lightweight Directory Services: Supports LDAP for cross platform domain services, like any Linux computers in your network.
- Directory Federation Services: Provides SSO authentication for multiple applications in the same session, so users don’t have to keep providing the same credentials.
- Rights Management: Controls information rights and data access policies. For example, Rights Management determines if you can access a folder or send an email.
Role of Domain Controllers with Active Directory Domain Services
Domain Controllers (DC) are the servers in your network that host AD DS. DCs respond to authentication requests and store AD DS data. DCs host other services that are complementary to AD DS as well. Those are:
- Kerberos Key Distribution Center (KDC): The kdc verifies and encrypts kerberos tickets that AD DS uses for authentication
- NetLogon: Netlogon is the authentication communication service.
- Windows Time (W32time): Kerberos requires all computer times to be in sync.
- Intersite Messaging (IsmServ): Intersite messaging allows DCs to communicate with each other for replication and site-routing.
AD must have at least one Domain Controller. DCs are the containers for the domains. Each domain is part of an AD Forest, which can include one or more domains organized in Organizational Units. AD DS manages trusts between multiple domains, so you can provide access rights to users in one domain to others in your forest.
The most important concept to understand is that AD DS is a framework for domain management, and the computer that users use to access AD is the DC
Modern cybersecurity depends on a deep understanding of Active Directory. Active Directory is central to attackers’ capabilities for infiltration, lateral movement, and data exfiltration. No matter how stealthy or clever they are, attackers leave breadcrumbs in AD logs as they move through your network.
Varonis monitors AD for those breadcrumbs, as well as file activity, DNS calls, VPN activity, and more. Varonis correlates that data into a full picture for each user and computer in AD, compares the current activity to a normalized baseline and a catalog of data security threat models, and proactively identifies potential threats to your data.
Want to learn more about AD security? Check out our on-demand webinar “4 Tips to Secure Active Directory.”