Active Directory is the foundation for a majority of enterprise networks, and cybersecurity professionals need to have a solid understanding of it to protect and secure sensitive data.
Most any cyberattack will affect Active Directory (AD) in some way, whether it’s a compromised user or service account, a hacked authentication ticket, or a stolen authentication token.
Get the Free Pen Testing Active Directory Environments EBook
If some of those terms are unfamiliar, you are in the right place. This guide is going to cover the basics of AD and serve as a gateway to more detailed information.
Additional Chapters on Active Directory
The remaining chapters of this guide cover various Active Directory topics. See the articles and resources listed below by category.
Basics
- Learn Active Directory: The Basics
- Active Directory Users and Computers
- Active Directory Domain Services
- Domain Controller
- Risks Renaming Your Domain in Active Directory
- Active Directory Domain Controller (AD DC) Could Not Be Contacted
- How to Get Started with PowerShell and Active Directory Scripting
Group Management and Auditing
- Difference Between Active Directory and LDAP
- Group Policy
- Difference Between Organizational Units and Active Directory Groups
- How to Find Active Directory Group Member
- Active Directory Audits
Advanced Tutorials for IT Pros
- Active Directory Forest
- Windows vs Azure Active Directory
- FSMO Roles
- Active Directory has a Privacy Problem
- Azure Active Directory Best Practices
- Top 10 Active Directory Tutorials
- Active Directory Migration Tool
- Active Directory Security
What is Active Directory?
Let’s start with the basics. Active Directory (AD) is Microsoft’s directory service that stores data about objects on your local network. It records information on users, devices, applications, and groups. AD organizes this data in a hierarchical structure so that you can easily find details of how your network is operating from a central location.
AD was first introduced back in 2000, as part of Windows 2000 Server. Many system admins started using AD at that time to manage users on the networks, but since then the system has expanded to include a number of additional directory services and third-party tools.
Essentially, AD acts as a phone book in which you can look up data about your network, and manage devices and users from a centralized hub.
What does Active Directory do?
There is one major advantage of using directory services like AD: convenience.
AD allows you to monitor and manage a huge variety of entities from one location. These include users, devices, applications, and groups. It brings authentication for access to these entities into one place, so you can manage them without having to enter separate account details for each.
This is extremely useful for a variety of tasks:
-
-
- Adding, removing, and managing users.
- Creating and removing user groups.
- Monitoring usage and activity on devices.
- Reporting on application usage.
-
All of these tasks can be accomplished from other, discrete systems, but by using AD you can do all of them from one place. That’s why AD has become such an important tool for system admins.
Active Directory Services
Active Directory is a collection of several different services that function together as Active Directory Domain Services. We just say AD instead of AD DS to save time and characters.
-
-
- Domain Services: Domain services are the core of the AD infrastructure. This is where all of the usernames, passwords, computers, and devices that can connect to the network are stored. The computer that runs domain services is called a Domain Controller. To log onto the network users need to contact the domain controller.
- Lightweight Directory Services: Lightweight directory services is the Microsoft implementation of the LDAP protocol. LDAP is the core technology that allows for authentication to access resources on the network. LDAP also creates a local data store to track authentication tokens, so users don’t have to provide credentials every time they need to access a server.
- Certificate Services: Certificate services provide a public-key infrastructure to AD. It can create, revoke, or validate public key certificates that are used to encrypt user data on the network.
- Federation Services: Federation services are the backbone for a single-sign-on (SSO) infrastructure. SSO allows users to have a single set of credentials that authenticate to several different resources.
- Rights Management Services: Rights Management Services (RMS) implement encryption and selective functionality denial capability to documents like emails, Word files, and web pages. RMS allows for specific rights on a single document depending on group membership, environment, or time. For example, one could say that only people on the network can print a document, and anyone not on the network can’t.
-
Active Directory Features
Here are a few reasons that organizations choose to setup AD to manage users and devices.
-
-
- Hierarchical organizational structure: AD is expandable to grow with the organization with the creation of multiple Organizational units that all roll up to one domain. This structure makes it possible to distribute domain administration responsibilities, so no single person is responsible for the entire domain.
- Multimaster authentication and Multimaster replication: Modern enterprises are spread across the world, and AD supports multiple DCs that all have identical configurations to provide faster responses to users and back each other up in case of failure.
- Support for Internet Standards: AD conforms to standards like Domain Name Services (DNS) and Lightweight Directory Access Protocol (LDAP), which facilitates communication with other non-Windows systems.
- PowerShell cmdlets: Microsoft PowerShell supports cmdlets that can make changes to AD to streamline administrative processes.
- Application integration: Multiple applications support AD, like Exchange and Azure, or can use SSO from AD with little configuration.
-
Advantages of Active Directory
Active Directory provides several advantages to enterprises like:
-
-
- Centralized security administration: AD is a hub for administrators to manage access to data across the enterprise.
- SSO: SSO allows for a single user/pass combination to access multiple resources, which makes it easier to add or remove users, and change one password
- Searchable resource listing: AD is a searchable database of resources that users can access, like printers or file servers
- Trust relationships to other domains: AD supports logins to multiple domains in a “forest.” Admins create trust relationships with other domains that allow users from one domain to see the resources in the other.
-
Difference between Windows and Azure AD
Azure AD is the cloud version of directory services that Microsoft created for its cloud infrastructure. AD is the on-premise system that Microsoft released with Windows 2000.
While the two have several basic similarities, they are different systems with different configurations and permission sets. There is a native integration that will sync AD with Azure AD, so your on-premise users can also exist in Azure AD and visa versa.
Additional Resources:
LDAP vs. AD
AD uses the internet standard LDAP to communicate with other authentication systems, like Samba, for example. But they are not the same thing at all. LDAP is a protocol that many different directory services and access management solutions can understand but should be thought of as a subset of overall AD functionality.
Additional Resources:
Main Competitors to Active Directory
Some organizations want to move away from AD to manage directory services, and these days there are plenty of options. Here are some of the more well known.
-
-
- Okta: Okta is a cloud-based Identify Management solution.
- OpenLDAP: OpenLDAP is an open-source LDAP implementation
- Red Hat Directory Services: RH DS is an LDAP based directory services implementation on Unix and Linux.
-
How do you Secure Active Directory?
AD is critical to maintaining data security and compliance with data privacy regulations like GDPR, CCPA, and HIPAA. Attackers know how to infiltrate, escalate privileges, perform reconnaissance, and cover their tracks in AD. It is incumbent upon admins to know those same tricks and make their networks as hard to crack as possible.
Here are a few tips from the Active Directory Security Best Practices blog.
-
-
- Document everything about AD: To keep a clean and secure AD, you must know everything about that AD – and I do mean everything. Document naming conventions and key security policies in addition to every user, service account, computer, and access group.
- Enforce Safe Practices Among Users: Enforce strong passwords, train users to recognize phishing attacks, lock users out of making changes that can compromise security, limit access to make administrative changes to a few secured systems
- Max security on DCs: Configure the network so admins only access DCs from a hardened terminal. If an attacker gains access to a DC they win.
- Monitor AD: Track every change, every login, every group add.
-
There is much more to AD security than those four points, but they are a place to start so you can begin to manage the rest.
Basics of Active Directory
In this section, we will cover some of the very basics about AD, including some definitions and key terms you need to know. Feel free to jump around the additional resources as well.
Additional Resources:
Getting Started
The best way to learn AD is to set up a domain and play around with it. It’s best to do this in a lab that isn’t connected to any other domains. It’s unlikely, but possible, that a novice with permissions can make changes to a production domain unintentionally.
Follow this guide to set up a domain controller and create your domain.
Domain, Tree, and Forests
Domains, trees, and forests are the major components of an AD system.
The domain is the container for a group of users and computers. Under each domain, you can have several different trees. Several domains make up a forest.
Additional Resources:
Domain Controllers
A domain controller (DC) is a computer that hosts services that make AD work. Read all about DCs in this blog.
Active Directory Glossary
It is tough getting started with Active Directory. There are lots of reasons for this: the years of cruft, the inherent complexity, the intimidating raw power… and the fact that everything has about six different names.
To help make sense of this, we’ve translated AD terms back into something a human might use when conversing with another Active-Directory-using-human. We hope you find it useful.
Here is a table of AD terms that every beginner should know:
| Term | What it’s Like | How You Might Describe It to a Friend |
| Attribute (Property) | A field on a form | The details that make up an Active Directory Object. |
| Attribute Instance | What you write into a field on a form | The actual value of an attribute. It’s not “Name” it’s “Jim Smith” |
| Class | A form (User, Group) that has all the fields | Top category of everything in Active Directory. |
| Class Instance | A filled out form | One particular user “jsmith”. |
| Content Rules | Required fields on a form | The rules about what a class must-have. Can’t create a user without a username and password. |
| Derivation (Inheritance) | Photocopying a form and changing some stuff | As if you wanted to create one “standard” user and make all the new ones match that. |
| Directory Information Tree (DIT) | A file cabinet with all your forms in it | Like a family tree, but without all the circular references. |
| Control Access Rights | Stopping someone from reading, modifying or shredding your form. | It’s the actions, not the objects. |
| Lightweight Directory Access Protocol (LDAP) | A standard for how information is listed in a tree. | It’s like SMTP or HTTP – a generic protocol implemented by a bunch of different systems. |
| Class-Schema | Category of form. | That it’s a User, not a Printer or Group form. |
| Attribute-Schema | List of data in the form. | That Description is of the User, not a group or some other object. |
| Object Identifier | Internet Domain Names | There are TLDs like .com, .net, etc. – and there are domains like microsoft.com, and subs like support.microsoft.com – except it’s all numbers so nobody who isn’t an android can read them quickly. |
| Poss-Superiors | Rules about military ranks. | You can’t have a Father after a Son in a family tree. You can’t have a General under a Sergeant in the Army. |
| Must-Contain | Required Form Fields. | Rules for the bare minimum set of information you need to create an object. |
| May-Contain | Optional Form Fields. | Stuff you only enter if you are feeling fancy. |
| Back Link | A form field (attribute) that gets updated when a “forward” link is updated. | Kind of like a database trigger |
| Canonical Name | A pathname that uniquely identifies the object | The version of the name that looks like a URL you’d put into a web browser. |
| Distinguished Name | The label and the value for all parts of a name. | The version of the name that looks like an algebra problem. |
| Domain Functional Level | Minimum requirements to be in charge. | Check what versions of Windows Server are allowed to be a domain controller on the network. |
| Domain Controller | Master set of records for a domain. | Database of active directory objects for a domain. |
| Filtered Attribute Set | Do not fly list for certain fields. | It’s inefficient to move all the data around, so to Read-Only Domain Controllers it makes sense to not send everything. |
| Forward Link | A form field that when it’s changed updates other linked fields | It’s like the authoritative domain entry in DNS. |
| Group | A folder with a bunch of forms in it | A basket you put other objects into users, contacts, or computers. |
| Link Table | A linked list | |
| Member Server | A windows server that handles tasks on the network. | Any server that is not a Domain Controller. |
| Mixed Mode | That one old adapter you keep for the odd bit of kit. | Don’t worry about this unless you’re still doing something with Windows NT. |
| Native Mode | A new clean server room. | Woohooo – no Windows NT domain controllers. |
| Naming Context | The drawers you keep your different folders in. | Top-level sanity organization elements for all the objects in a network. |
| Relative Distinguished Name | A nickname to where something is at | It’s like saying “your Desktop folder” – it’s relative to the user who is logged in. |
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
