Sunday, October 12, 2025

Microsoft Active Directory (AD) | Overview.

 

Microsoft Active Directory (AD) - Overview

Scope:

  • Intro,
  • Core Functions,
  • Key Components,
  • Modern Evolution,
  • The Concept of Microsoft Active Directory (deep dive),
  • Core Concepts and Components,
  • AD Logical Structure,
  • Sample hierarchy,
  • Authentication & Authorization (deep dive),
  • Integration with Cloud and Modern Identity,
  • Integration Sample for AWS IAM Identity Center with AD (Flow),
  • Administrative Tools & description,
  • Security Considerations,
  • Visual AD Architecture Flow.

Intro:

    • Microsoft Active Directory (AD) is a directory service for Windows domain networks.
    • It ships with Windows Server as the Active Directory Domain Services (AD DS) server role, a set of processes and services that run on domain controllers.
Core Functions
    • Identity Management: Stores information about user accounts, groups, and computers to provide a single point of administration.
    • Authentication & Authorization: Authenticates users (verifying identity) and authorizes access (permissions) to network resources via protocols like Kerberos.
    • Centralized Administration: Allows twtech and IT admins to manage security policies and software deployment across an entire organization through Group Policy Objects (GPOs).
Key Components
    • Domain Controllers (DC): Servers that respond to security authentication requests and maintain the directory database.
    • Forests, Trees, and Domains: A logical hierarchy where a forest is the highest level of container, holding one or more domains.
    • Organizational Units (OU): Containers used to organize objects within a domain and link Group Policies.
Modern Evolution

    • Entra ID (formerly Azure AD): Microsoft's cloud-based identity and access management service. 
    • While traditional AD is designed for on-premises networks, Microsoft Entra ID manages identities for cloud apps like Office 365.

1. The Concept of Microsoft Active Directory (deep dive)

    • Microsoft Active Directory (AD) is an on-premises directory service developed by Microsoft for Windows domain networks.
    • It provides centralized identity and access management (IAM) and controls:
      • User authentication,
      • Authorization,
      • Policy enforcement across computers, applications, and resources in a Windows environment.

 2. Core Concepts and Components

Component                 | Description
--------------------------|------------------------------------------------------------------------------------------
Domain                    | A logical grouping of objects (users, computers, groups) that share a common directory database and security policies.
Domain Controller (DC)    | A Windows Server that hosts the AD database (NTDS.dit) and answers authentication and authorization requests.
Forest                    | A collection of one or more domains that share a common schema, configuration, and global catalog, linked by two-way transitive trusts.
Organizational Unit (OU)  | Containers that organize objects within a domain for delegation and policy management.
Group Policy Object (GPO) | A set of configurations that enforce security and administrative settings on domain-joined users and computers.
Trust Relationship        | Defines how authentication requests are routed between domains or forests (one-way or two-way, transitive or non-transitive).

 3. AD Logical Structure

Active Directory is hierarchical and consists of:

    1. Forest: the top-level security boundary; every domain in it shares one schema and configuration.
    2. Domains: organizational boundaries for replication and policy enforcement (not a security boundary on their own).
    3. OUs: administrative containers within domains, the unit of delegation and GPO linking.
    4. Objects: the individual items (users, computers, printers, groups).

Sample hierarchy:

Forest: corp.local
 └── Domain: corp.local
      ├── OU: Users
      │    ├── User: twtechpat
      │    └── User: twtechStacy
      └── OU: Computers
           ├── Computer: twtechDev-Dpt
           ├── Computer: twtechTest-Dpt
           ├── Computer: twtechPre-Pro-Dpt
           └── Computer: twtechProd-Dpt
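As an added example (not from the original post), here is how that hierarchy is built with the ActiveDirectory PowerShell module. It assumes the domain corp.local already exists and that it runs with rights to create objects under the domain root; the object names are the ones in the diagram, everything else is an assumption:

```powershell
# Added example (not from the original post). Builds the sample hierarchy with the
# ActiveDirectory module (RSAT). Assumptions: domain corp.local exists and the caller
# can create objects under its root. Object names are taken from the post's diagram.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain -Identity 'corp.local').DistinguishedName   # DC=corp,DC=local

# The OUs. Every domain already has built-in CN=Users and CN=Computers containers;
# these are separate objects (OU=..., not CN=...) so GPOs can be linked to them.
# ProtectedFromAccidentalDeletion blocks a casual delete of the whole subtree.
foreach ($ou in 'Users', 'Computers') {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# The users. The initial password is prompted for, never hard-coded, and must be
# changed at first logon so the admin who ran the script never knows the real one.
$initial = Read-Host -AsSecureString -Prompt 'Initial password for the new users'
foreach ($sam in 'twtechpat', 'twtechStacy') {
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@corp.local" `
        -Path "OU=Users,$domainDN" -AccountPassword $initial `
        -Enabled $true -ChangePasswordAtLogon $true
}

# The computer objects, pre-staged so the machines join into this OU instead of the
# default CN=Computers container. Caveat: NetBIOS computer names are limited to 15
# characters, so no real machine could join as "twtechPre-Pro-Dpt" (17 characters);
# a practical naming scheme stays within 15.
foreach ($pc in 'twtechDev-Dpt', 'twtechTest-Dpt', 'twtechPre-Pro-Dpt', 'twtechProd-Dpt') {
    New-ADComputer -Name $pc -Path "OU=Computers,$domainDN" -Enabled $true
}

# Verify: list what now sits directly under each OU.
foreach ($ou in 'Users', 'Computers') {
    "--- OU=$ou ---"
    Get-ADObject -SearchBase "OU=$ou,$domainDN" -SearchScope OneLevel -Filter * |
        Select-Object ObjectClass, Name
}
```

Run it from a management host with RSAT installed, not on a domain controller; the verification loop at the end prints the same tree ADUC would show under each OU.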

4. Authentication & Authorization (deep dive)

A. Kerberos Authentication

    • Default protocol used by AD.
    • Relies on a Key Distribution Center (KDC) within each domain controller.
    • Uses tickets to prove identity without transmitting passwords.

Flow:

    1. User logs in → the KDC on a domain controller issues a TGT (Ticket Granting Ticket), encrypted with the krbtgt account's key.
    2. User requests access to a service → the user presents the TGT and the KDC issues a Service Ticket for that service's SPN, encrypted with the service account's key.
    3. User presents the Service Ticket to the service → the service decrypts and validates it with its own key; no round trip to the domain controller is needed at this step.
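An added example, not part of the original post, that makes the three steps visible. The first part runs on a domain-joined client and uses klist.exe to show the TGT and request a service ticket; the second reads the matching 4768/4769 events from the DC. The DC name DC01.corp.local and the SPN cifs/DC01.corp.local are assumptions, and the DC must have Kerberos auditing enabled:

```powershell
# Added example (not from the original post). Shows the three-step flow end to end.
# Assumptions: DC01.corp.local is a DC that audits "Kerberos Authentication Service"
# and "Kerberos Service Ticket Operations" (events 4768/4769), the client is joined
# to corp.local, and the caller can read the DC's Security log remotely.
$dc = 'DC01.corp.local'

# ---- Client side ----
klist tgt                      # Step 1 happened at logon: the cached TGT for krbtgt/CORP.LOCAL
klist get "cifs/$dc"           # Step 2: ask the KDC for a service ticket for SMB on the DC
klist                          # Both tickets are now in the cache, with their lifetimes

# Step 3 (presenting the ticket) happens when the share is opened; the file server
# decrypts the ticket with its own key and never contacts the KDC for it.
Get-ChildItem "\\$dc\SYSVOL" | Out-Null

# ---- KDC side ----
$since  = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4769; StartTime = $since
}

# Each event's named fields live in its XML; map them to the steps above.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Step    = if ($e.Id -eq 4768) { '1 TGT (AS-REQ)' } else { '2 service ticket (TGS-REQ)' }
        Account = $d['TargetUserName']
        Service = $d['ServiceName']             # krbtgt for 4768; the SPN's account for 4769
        EncType = $d['TicketEncryptionType']    # 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC
        Client  = $d['IpAddress']
        Status  = $d['Status']                  # 0x0 = success, 0x18 = pre-auth failed (wrong password)
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# The third step leaves a trace only on the service host: a 4624 logon with
# AuthenticationPackageName = Kerberos (here the host is the DC itself).
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    Where-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'AuthenticationPackageName' -and $_.'#text' -eq 'Kerberos' }
    } | Select-Object TimeCreated, Id -First 5
```

The EncType column is the one to watch: a service ticket requested with RC4 (0x17) for an account that supports AES is a classic sign of someone harvesting tickets to crack offline, and a burst of 0x18 statuses for many accounts from one client IP is a password spray.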

B. LDAP (Lightweight Directory Access Protocol)

    • Used to query and modify AD data (e.g., user lookups, group membership).
    • Commonly used by external systems (e.g., AWS IAM Identity Center, applications) to connect to AD.
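Added example (not the post's code): the same group-membership lookup done as raw LDAP through .NET's DirectorySearcher, the way a non-Microsoft system would, and then through Get-ADUser -LDAPFilter. The DC, the base DN and the group twtech-Developers are assumptions:

```powershell
# Added example (not from the original post). Assumptions: DC01.corp.local has a
# server certificate so LDAPS (636) works; the group twtech-Developers exists under
# OU=Users; the caller has read access (any domain user does, by default).
Import-Module ActiveDirectory

$dc      = 'DC01.corp.local'
$baseDN  = 'DC=corp,DC=local'
$groupDN = "CN=twtech-Developers,OU=Users,$baseDN"

# 1) Raw LDAP, the way a non-Microsoft system would talk to AD. The filter is RFC 4515
#    syntax; matching rule 1.2.840.113556.1.4.1941 makes the DC expand nested groups.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${dc}:636/$baseDN")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDN))"
$searcher.PageSize = 500      # paged search: without it the DC stops at MaxPageSize (1000) results
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userPrincipalName', 'userAccountControl'))

$members = foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Sam      = [string]$r.Properties['samaccountname'][0]
        UPN      = [string]$r.Properties['userprincipalname'][0]
        Disabled = ($uac -band 0x2) -ne 0          # ACCOUNTDISABLE bit of userAccountControl
    }
}
$members | Format-Table -AutoSize

# 2) The same filter through the AD module. Note it talks to Active Directory Web
#    Services (TCP 9389) on the DC rather than LDAP itself, but accepts LDAP filters.
Get-ADUser -Server $dc -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDN)" |
    Select-Object SamAccountName, Enabled

# 3) A bitwise filter worth keeping for audits: matching rule 1.2.840.113556.1.4.803 is
#    LDAP_MATCHING_RULE_BIT_AND, so this finds users with DONT_REQ_PREAUTH (0x400000) set,
#    i.e. accounts whose AS-REP can be requested without a password and cracked offline.
Get-ADUser -Server $dc -LDAPFilter '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' |
    Select-Object SamAccountName, DistinguishedName
```

DirectoryEntry binds with Negotiate (Kerberos or NTLM) by default, so the password is not sent even on port 389, but the query results are; prefer 636 or a DC that requires LDAP signing and channel binding, and remember that the membership and attribute data returned here is readable by every authenticated user unless the default permissions have been tightened.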

5. Integration with Cloud and Modern Identity

a. Microsoft Entra ID (formerly Azure Active Directory)

    • Microsoft’s cloud-based identity platform.
    • Extends identity to SaaS apps and modern authentication protocols (OAuth 2.0, OIDC, SAML).
    • On-prem AD users are synchronized to Entra ID with Microsoft Entra Connect (formerly Azure AD Connect), which bridges on-prem AD accounts to their cloud counterparts.

b. AD Federation Services (ADFS)

    • Provides SAML and WS-Federation (and, on recent versions, OAuth 2.0/OIDC) for federated sign-on.
    • Enables Single Sign-On (SSO) between AD and third-party services (like AWS or Salesforce) without handing AD credentials to those services.

 6. Integration Sample for AWS IAM Identity Center with AD (Flow):

    1. The user authenticates against Active Directory through AWS Directory Service: either AWS Managed Microsoft AD with a trust to the on-prem forest, or AD Connector proxying requests to the on-prem domain controllers.
    2. IAM Identity Center maps AD groups to AWS permission sets (each permission set becomes an IAM role in every account it is assigned to).
    3. When the user signs in to the AWS access portal, Identity Center assumes that role and STS issues temporary credentials tied to the AD identity.
    4. Fine-grained access is controlled through the permission sets' IAM policies, linked to AD groups rather than to individual users.

 7. Administrative Tools & Description

Tool                                          | Description
----------------------------------------------|------------------------------------------------------
Active Directory Users and Computers (ADUC)   | GUI to manage users, groups, and computers.
Active Directory Administrative Center (ADAC) | Modern UI for managing AD objects.
PowerShell for AD                             | Command-line automation (e.g., Get-ADUser, New-ADGroup).
Group Policy Management Console (GPMC)        | Manages GPOs for policy-based configurations.
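As an added example (not from the original post), the group, GPO and delegation work that the table assigns to ADUC, GPMC and PowerShell, scripted end to end. It assumes the domain corp.local with the Users and Computers OUs from the sample hierarchy, RSAT with the ActiveDirectory and GroupPolicy modules, and the group and GPO names are invented for the example:

```powershell
# Added example (not from the original post). Assumptions: domain corp.local, the OUs
# OU=Users and OU=Computers exist, ActiveDirectory and GroupPolicy modules installed.
# The group name, GPO name and the delegated right are choices made for this example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=local'
$usersOU  = "OU=Users,$domainDN"
$compOU   = "OU=Computers,$domainDN"

# What ADUC does under New > Group: a global security group, then its members.
New-ADGroup -Name 'twtech-Developers' -SamAccountName 'twtech-Developers' `
    -GroupScope Global -GroupCategory Security -Path $usersOU `
    -Description 'Developers allowed on the Dev/Test machines'
Add-ADGroupMember -Identity 'twtech-Developers' -Members 'twtechpat', 'twtechStacy'
Get-ADGroupMember -Identity 'twtech-Developers' | Select-Object Name, SamAccountName

# What GPMC does: create a GPO, set a registry-backed policy, link it to the Computers OU.
# The setting chosen here (NoLMHash = 1) stops members storing LM hashes of new passwords.
$gpo = New-GPO -Name 'twtech-Baseline-Computers' -Comment 'Baseline hardening for member machines'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $compOU -LinkEnabled Yes -Enforced No | Out-Null

# Verify the link order and state, i.e. GPMC's "Linked Group Policy Objects" tab for the OU.
(Get-GPInheritance -Target $compOU).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# ADUC's "Delegate Control" wizard, scripted with dsacls.exe: let the developer group
# create and delete computer objects in its OU (CC = create child, DC = delete child,
# limited to the computer object class) and nothing else. Keep delegations this narrow;
# granting GenericAll on an OU is how OU admins become domain admins.
dsacls $compOU /G 'CORP\twtech-Developers:CCDC;computer' | Out-Null
```

Each cmdlet here corresponds to a click path in ADUC or GPMC, but the scripted form is reviewable and repeatable, which is the point of the PowerShell row in the table.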

 8. Security Considerations

    • Enforce strong password policies (the domain default plus fine-grained policies for admin accounts) and MFA for privileged and remote access.
    • Use least privilege for admin accounts: separate admin and daily-use identities, and keep Domain Admins membership minimal.
    • Monitor Kerberos ticket requests (events 4768/4769: unusual encryption types, ticket options and lifetimes, request volume) and bulk or unusual LDAP queries for anomalies.
    • Implement tiered administration (Tier 0 for DCs and identity systems, Tier 1 for servers, Tier 2 for user workstations) so credentials from a higher tier are never exposed on a lower one.
    • Use Privileged Access Workstations (PAWs) for sensitive tasks.
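An added example, not from the original post, that checks the points above against a live directory in read-only fashion. It assumes the domain corp.local, the ActiveDirectory module, and read access to the objects queried; the list of groups treated as Tier 0 is a choice made for the example:

```powershell
# Added example (not from the original post). Read-only audit of the controls listed
# above. Assumptions: ActiveDirectory module, read access to the objects queried.
# The groups treated as "Tier 0" are my choice of built-in privileged groups.
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators'

# 1) Least privilege: who effectively holds Tier 0 rights (nested membership resolved)?
$tier0 = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}
$tier0 | Sort-Object Account | Format-Table -AutoSize

# 2) Tiering support: Protected Users members get no NTLM, no RC4, no delegation and a
#    four-hour TGT. Any Tier 0 account outside it is a finding.
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
$tier0 | Where-Object { $_.Account -notin $protected } |
    Select-Object -Unique Account | ForEach-Object { "NOT in Protected Users: $($_.Account)" }

# 3) Kerberos-related weak settings on privileged accounts (adminCount=1 marks accounts that
#    are or were in protected groups): an SPN on a user account lets anyone request a service
#    ticket and crack the password offline; DoesNotRequirePreAuth exposes an AS-REP the same way.
Get-ADUser -Filter 'adminCount -eq 1' `
    -Properties ServicePrincipalNames, DoesNotRequirePreAuth, PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.ServicePrincipalNames.Count -gt 0 -or $_.DoesNotRequirePreAuth -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName,
        @{ n = 'HasSPN'; e = { $_.ServicePrincipalNames.Count -gt 0 } },
        DoesNotRequirePreAuth, PasswordNeverExpires, PasswordLastSet

# 4) Password policy actually in force: the domain default, then any fine-grained policies
#    that override it for specific groups (admins should be under a stricter one).
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MinPasswordLength, AppliesTo

# 5) Trusts: direction and SID filtering. With filtering off, a compromised trusted forest can
#    put your Domain Admins SID into a ticket's SID history and be honoured here.
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware

# 6) Stale privileged accounts: a Tier 0 account with no logon in 90 days has no owner watching it.
Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -UsersOnly |
    Where-Object { $_.SamAccountName -in $tier0.Account } |
    Select-Object SamAccountName, LastLogonDate
```

None of this changes the directory; run it from a Tier 0 workstation (the output itself is a target list for an attacker) and diff the results over time rather than reading them once.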

 9. Visual AD Architecture Flow



