Active Directory (often simply abbreviated as "AD") is, as the name suggests, a central directory service. It was originally developed by Microsoft (around 1999) to solve certain problems within Windows networks. With AD, it is relatively easy to manage users, groups, devices, and resources. Since many services are now hosted in the cloud, Microsoft started offering "Azure AD" to provide Active Directory functionality there as well. "Azure AD" has meanwhile been renamed to "Microsoft Entra ID".
Why do you need an Active Directory?
Generally speaking - although not entirely accurate - an Active Directory can be compared to a phone book. It contains all relevant information about users, groups, resources, and devices. Using this information, it can be determined who is allowed to access which resource within the network - and who is not. Active Directory is thus the core piece of IT for any company that primarily relies on Windows systems (and that's most companies). From an IT administrator's perspective, AD is an indispensable tool for managing and protecting a company's IT infrastructure.
What structure and organization does an Active Directory have?
An AD has three fundamental components:
- Schema - this defines the types of objects and their properties
- Configuration - the structure of the entire directory is represented in this component
- Domain - all information about the objects within a domain is stored in this component
An object is, for example, a user, an endpoint device, a user group, or a resource. Each of these objects can have properties - for instance, a user could have an attribute "email" or "position".
An Active Directory is always strictly hierarchically structured. The highest level is the forest - this is essentially a federation of multiple domains. Within a forest, there are individual domains, which are further divided into organizational units (OU). Users, groups, devices, and resources can then be stored within an OU. This information is stored on so-called domain controllers - essentially the heart of an Active Directory (more on this below).
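To make the three components and the hierarchy above concrete, here is a small in-memory model written for this article (it is an added example, not code from Microsoft or from the original text). It keeps a schema of object classes and their permitted attributes, stores objects by their LDAP distinguished name (DN), and derives the domain and the OU path of an object from that DN. The domain corp.example.com, the OUs "Berlin", "Sales" and "IT", and the users are constructed sample data; the attribute names mail, title and sAMAccountName are the LDAP names AD uses for the "email", "position" and logon-name properties.

```python
# Added example: a minimal model of AD's schema, hierarchy and distinguished names.
# Sample names (corp.example.com, OUs Berlin/Sales/IT, users) are constructed.
from dataclasses import dataclass, field

# Schema component: which attributes each object class may carry.
SCHEMA = {
    "user": {"sAMAccountName", "mail", "title", "memberOf"},
    "group": {"sAMAccountName", "member"},
    "computer": {"sAMAccountName", "dNSHostName"},
}


@dataclass
class ADObject:
    object_class: str
    dn: str                         # e.g. CN=Alice,OU=Sales,OU=Berlin,DC=corp,DC=example,DC=com
    attributes: dict = field(default_factory=dict)


def validate_against_schema(obj):
    """Raise ValueError if the object uses an attribute its class does not define."""
    allowed = SCHEMA.get(obj.object_class)
    if allowed is None:
        raise ValueError(f"unknown object class: {obj.object_class}")
    unknown = set(obj.attributes) - allowed
    if unknown:
        raise ValueError(f"attributes not in schema for {obj.object_class}: {sorted(unknown)}")
    return True


def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific component first.

    Commas inside a value are escaped as "\\," (RFC 4514); this parser honours
    that one escape, which is enough for names such as "Smith, Alice".
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends one RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def domain_of(dn):
    """DNS name of the domain an object belongs to, built from its DC= components."""
    return ".".join(value for attr_type, value in parse_dn(dn) if attr_type == "DC")


def ou_path(dn):
    """Organizational units from the domain root down to the object."""
    return [value for attr_type, value in reversed(parse_dn(dn)) if attr_type == "OU"]


class Directory:
    """Domain component: objects stored by DN, queryable per OU subtree."""

    def __init__(self):
        self.objects = {}

    def add(self, obj):
        validate_against_schema(obj)
        self.objects[obj.dn] = obj

    def in_ou(self, ou_dn):
        """All objects located in the given OU or any OU below it."""
        suffix = parse_dn(ou_dn)
        return [o for o in self.objects.values()
                if parse_dn(o.dn)[-len(suffix):] == suffix]


if __name__ == "__main__":
    d = Directory()
    d.add(ADObject("user", "CN=Alice,OU=Sales,OU=Berlin,DC=corp,DC=example,DC=com",
                   {"sAMAccountName": "alice", "mail": "alice@corp.example.com", "title": "Sales Lead"}))
    d.add(ADObject("user", "CN=Bob,OU=IT,OU=Berlin,DC=corp,DC=example,DC=com",
                   {"sAMAccountName": "bob"}))
    for o in d.in_ou("OU=Berlin,DC=corp,DC=example,DC=com"):
        print(o.dn, "->", domain_of(o.dn), "/".join(ou_path(o.dn)))
```

The subtree query in `in_ou` is a suffix match on parsed components rather than on the raw string, so an OU named "Berlin" in another domain, or a value containing an escaped comma, does not produce a false match.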
In practice, an Active Directory is very carefully planned and structured based on location, tasks, and IT roles (or combinations thereof).
All relevant information is stored in special databases and saved in a structured manner.
What functions and services does AD offer?
"Active Directory" is quite a broad term that can encompass various services. Without going into details, here is a selection of the most important services and functions:
- AD DS / Active Directory Domain Services (the domain service itself)
- AD LDS / Lightweight Directory Services (limited/simplified version of AD DS)
- AD FS / Federation Services (authentication of external users to AD and Single Sign-On)
- AD RMS / Rights Management Services (rights management)
- AD CS / Certificate Services (certificate management)
Well-known and still commonly used protocols are LDAP (Lightweight Directory Access Protocol), Kerberos, and SMB. With these protocols, users can authenticate, access resources, and exchange data. DNS is also a component of AD and serves for hostname resolution - this allows two devices in the network to communicate using names (e.g., "computer1.companyname") instead of IP addresses.
Domain Controllers and their Purpose
In an AD information infrastructure, domain controllers (DC) play an important role. These servers are responsible for authenticating users and devices. They ensure that only authorized users can access certain resources. Domain controllers are therefore essentially the "guardians" of Active Directory. From an attacker's perspective, a domain controller is the main target - if you have control over it, access to the entire network is open. Accordingly, it is particularly important to protect domain controllers.