Active Directory can really simplify our life, compared to other network systems. Let’s say that we have our regular computer that we log on to and we have to memorize our username and password for that computer. Maybe we also have a database server which we have to access as well, which has a totally separate and independent username and password, that we have to memorize. We may also have a file server with sepparate username and password. We may also have an email server, again with yet another, separate username and password. Those are all common in any business environment. This may get very complicated, especially when we have more users.
Active Directory can simplify all that. Let’s say that we add a Windows Server 2012 Domain Controller to our environment. With that we get a Single Sign-On (SSO). This means that once we log on to out domain controller, our user account gets something called Kerberos ticket, whicht can be used to gain access to other servers without having a separate username and password. For example, if we have a Microsoft Exchange integrated into our Active Directory, then we don’t have to sign on again to get our email. Also, if we want to access files or shared printers, we don’t have to have a separate account for that. We just use our SSO from our original log on to our domain controller (DC). For database, if we are using Microsoft SQL, we don’t have to logon separately for that.
With Active Directory, we can also use trust relationships or a federation, which is great in multi-domain environments. With that we can enable a two-way trust relationship between two entities, for example, between two business sites. For example, this will enable our users to use resources on any site, with only one username and password.
Besides SSO, Active Directory can also provide mechanisms for centralized policy based management, which can improve workstation security and manageability. It can also provide central storage for individuals and departments, backup and restoration services for central storage. It can provide DNS integration.
How Does Active Directory Work
When we first install a Windows computer, server or a workstation, there’s no domain involved at all. They are all standalone or workgroup computers. This is the environment in which we have separate usernames and passwords all over the place.
Active Directory helps to put all that together into a single organization. It starts off with a database known as the NTDS.DIT file (NT Directory Services . Directory Information Tree) that sits on one or more domain controllers.
So, although all the computers are standalone at first, when we decide we want the benefits of AD, we can install Active Directory Domain Services on a server. That server will contain ntds.dit file, where we will start entering in our users, user groups, computer accounts, etc. All those will go into that file, as well as many other active directory objects.
Once we’ve created that, we’ll have our first domain controller. We can also add additional domain controllers to that domain. Domain in active directory is the same as a DNS name. For example, in our tutorials we will use utilizewindows.com domain. Besides that we can have additional domains, such as europe.utilizewindows.com or something similar, like other domains for various divisions within our company and so forth. This is based on a standard called X.500 which was redesigned into a new protocol called LDAP (Lightweight Directory Access Protocol), which is a big part of active directory.
Active Directory uses Kerberos, which is a security mechanism that AD uses. It’s used in many other authentication schemes as well. The advantage of Kerberos is that it doesn’t transfer the actual password over a network, so it’s secure in that respect. Once a user is logged on, Kerberos uses a ticket granting system, which means that the user will have a ticket TGT (Ticket Granting Ticket) that they can present to other servers and workstations throughout that same domain or even other domains if we have a trust relationship. This will identify that it was initially issued by a trusted domain controller and based on that it will allow the rest of the transaction or the rest of the authorization to take place.
Active directory has consistent synchronization across peer domain controllers. We mentioned earlier that we can have more than one domain controller. We should have more than one domain controller for backup purposes. We’ll normally have many domain controllers in large organizations so it is very important that all those domain controllers contain the exact same information. Active directory uses a synchronization mechanism that ensures that we have consistent data across all the domain controllers.
AD is also extensible which basically means that we can adapt or modify active directory data by using special tools. Those tools will expose parts of it that are not normally seen in any of the other tools we’ll have. For example, if we wanted to add a CV file to each user’s account, we can do that (it takes some development skills).
AD can interoperate with other forests or domains. Normally we’ll start off with a domain. If we want to interoperate with another domain, like partner or division in our company, we need to exchange resources back and forth and we need to prove that each of the domains can trust the other domain users. Interoperation works through trusts or federations.