In this series of blog posts, I will be discussing:
Basics of Active Directory
Different kinds of possible designs
Real-world use cases
All possible approaches to implementation
The best approach
What is a directory in computing terms? A classic analogy is the white and yellow pages of a telephone book. A common feature of both white and yellow pages is the ability to search for information; the difference between the two is the way they are indexed.
Directories, such as Lightweight Directory Access Protocol (LDAP) and Active Directory (AD), are types of databases that can be searched to provide useful network information. A user can find network information without any knowledge of the structure of the network. For example, the user can search Active Directory for a share without knowing anything about the network. Active Directory stores all of the domain information in a common and searchable format. All the user accounts, computer accounts, group accounts, access control lists, security identifiers, Group Policy Objects (GPOs), shares, printers, and properties about people and their locations are stored in Active Directory.
Microsoft Active Directory
Active Directory is Microsoft’s implementation of directory services. It is based on various standards, most importantly LDAP and X.500 (the schema is based on X.500).
In addition to compliance with LDAP, AD has additional features and compatibility, such as the close integration of the directory service with Windows domains and the Domain Name System (DNS). The integration of the directory service with Windows domains is the key to directory scalability (domains and scalability are described below). AD security, authentication, and access control are also provided by the integration of the domains with the directory.
Components of the Active Directory
Domain: The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in the domain are considered "interesting" to the network. "Interesting" objects are the items that members of the networking community need to do their jobs: printers, documents, e-mail addresses, databases, users, and other resources. Active Directory is made up of one or more domains.
Trees: Domain trees are collections of domains that form a contiguous name space. A domain tree is formed as soon as a child domain is created and associated with a given root domain. Trees provide the hierarchical structure necessary for an organization. For example:
Root domain: openwriteup.com
Child domain (for production): Prod.openwriteup.com
Child domain (QA): test.openwriteup.com
Forest: There are cases where two or more domain trees, each represented by a separate DNS name space, need to be included in one enterprise. A tree must be represented by a contiguous DNS name space and disallows participation of domains that are not within its name space. The mechanism for connecting two or more trees is the forest.
Organizational Units: The Organizational Unit (OU) is a critical design factor impacting security, policy, efficiency, and the cost of administration. Organizational Units are a type of LDAP (X.500) container. An OU can be thought of as a sub-domain element with properties similar to those of a domain. OUs are components internal to domains; they are part of the LDAP name space, not the DNS name space. OUs are commonly used to contain user accounts, group accounts, and computer accounts. Powerful configurations can be obtained when the OU design is harmonized with group policy and security groups. Another benefit of Organizational Units is the concept of delegation of authority. Domain Administrators can delegate partial administration rights through the OU, and the granularity of the delegated rights is quite fine. Take the case of a help desk as an example. The domain administrator can delegate the "right" to reset passwords to help desk personnel and thereby offload the domain administrator's responsibility of fielding calls pertaining to lost or expired passwords. The change-the-password right is usually enforced by a Group Policy Object (GPO), filtered by security groups, and applied at the OU level.
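As an added example (not code from the original post), the help-desk delegation above expressed as an ACL change on a single OU with the ActiveDirectory PowerShell module. The OU "Staff", the group "HelpDesk" and the domain openwriteup.com are assumed names; note that the OU's distinguished name lives in the LDAP name space while the DC= components mirror the DNS domain.

```powershell
# Added example: grant only the "Reset Password" control-access right on user
# objects under one OU to a help-desk group, instead of making them domain admins.
# Assumes: ActiveDirectory module installed, OU "Staff" and group "HelpDesk" exist
# (hypothetical names), and the caller already has rights to modify the OU's ACL.
Import-Module ActiveDirectory

$ouDn     = "OU=Staff,DC=openwriteup,DC=com"      # LDAP DN; DC= parts mirror DNS
$helpDesk = Get-ADGroup -Identity "HelpDesk"
$sid      = [System.Security.Principal.SecurityIdentifier] $helpDesk.SID

# Well-known schema GUIDs: the "Reset Password" extended right and the "user" object class.
$resetPasswordRight = [Guid] "00299570-246d-11d0-a768-00aa006e0529"
$userClass          = [Guid] "bf967aba-0de6-11d0-a285-00aa003049e2"

# Read the OU's current security descriptor through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$ouDn"

# One ACE: Allow ExtendedRight(Reset Password) to HelpDesk, inherited by
# descendant objects of class "user" only (not groups, computers, or the OU itself).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review step: show every ACE the help-desk group now holds on this OU, so the
# delegation can be confirmed to be limited to the one extended right.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\HelpDesk" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Delegations like this are easy to lose track of; re-running the final review step periodically against each delegated OU is a simple way to detect rights that have crept beyond what was intended.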
Schema
The schema dictates the data definitions for AD. If an object or attribute is not in the schema, that object or attribute cannot be stored in AD. The directory contains information in the form of objects and object attributes. The directory is actually a type of database that is optimized for querying. Data that is more or less static and is searched often can beneficially be stored in the directory; data that changes often is not a good choice for storage in the directory.
Group Policy Objects
Group Policy Objects are especially critical to the justification for additional domains. Group Policy is the primary component of the Windows implementation of Change and Configuration Management (CCM), and it is the primary mechanism for establishing uniform, effective security policies within a Windows domain.