Sunday, October 12, 2025

Microsoft Active Directory | Deep Dive.

 

Here is twtech's deep dive into Microsoft Active Directory (AD).

Scope:

  • The Concept: Microsoft Active Directory
  • Core Concepts and Components
  • AD Logical Structure
  • Authentication & Authorization
  • Integration with Cloud and Modern Identity
  • Integration Example: AWS IAM Identity Center with AD
  • Administrative Tools
  • Security Considerations
  • Visual AD Architecture Flow

1. The Concept: Microsoft Active Directory

  • Microsoft Active Directory (AD) is an on-premises directory service developed by Microsoft for Windows domain networks.
  • It provides centralized identity and access management (IAM).
  • It controls:
    o User authentication,
    o Authorization,
    o Policy enforcement across computers, applications, and resources in a Windows environment.

2. Core Concepts and Components

  • Domain: A logical grouping of objects (users, computers, groups) that share a common directory database and security policies.
  • Domain Controller (DC): A Windows Server that hosts the AD database (NTDS.dit) and handles authentication/authorization requests.
  • Forest: A collection of one or more domains that share a common schema, configuration, and trust relationships.
  • Organizational Unit (OU): Containers that organize objects within a domain for delegation and policy management.
  • Group Policy Object (GPO): A set of configurations that enforce security and administrative policies across domain-joined devices.
  • Trust Relationships: Define how authentication requests are handled between domains or forests (one-way, two-way, transitive).

3. AD Logical Structure

Active Directory is hierarchical and consists of:

  1. Forest → Top-level security boundary
  2. Domains → Organizational boundaries for policy enforcement
  3. OUs → Administrative containers within domains
  4. Objects → Individual items (users, computers, printers, groups)

Example hierarchy:

Forest: corp.local
 └── Domain: corp.local
      ├── OU: Users
      │    ├── User: twtechpat
      │    └── User: twtechStacy
      └── OU: Computers
           ├── Computer: twtechDev-Dpt
           ├── Computer: twtechTest-Dpt
           ├── Computer: twtechPre-Pro-Dpt
           └── Computer: twtechProd-Dpt

4. Authentication & Authorization

a. Kerberos Authentication

  • Default protocol used by AD.
  • Relies on a Key Distribution Center (KDC) within each domain controller.
  • Uses tickets to prove identity without transmitting passwords.

Flow:

  1. User logs in → AD issues a TGT (Ticket Granting Ticket).
  2. User requests access to a service → AD issues a Service Ticket.
  3. User presents the service ticket → Service verifies it with AD.

b. LDAP (Lightweight Directory Access Protocol)

  • Used to query and modify AD data (e.g., user lookups, group membership).
  • Commonly used by external systems (e.g., AWS IAM Identity Center, applications) to connect to AD.
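The LDAP lookups described above, as an added PowerShell example that is not from the original post. It assumes the RSAT ActiveDirectory module and a session running as a domain user with read access; the user twtechpat comes from the example hierarchy, and the Domain Admins group is the built-in one.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and a session running as a domain user that can read the directory.
Import-Module ActiveDirectory

# 1. User lookup. -LDAPFilter takes raw LDAP filter syntax; -Properties names the
#    attributes to return, since the default output omits most of them.
function Get-UserByLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADUser -LDAPFilter "(&(objectCategory=person)(sAMAccountName=$SamAccountName))" `
               -Properties memberOf, lastLogonTimestamp, userAccountControl
}

# 2. Effective (nested) membership of a group. The matching-rule OID
#    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC follow
#    the memberOf chain server-side, so users in groups nested inside the target
#    group are returned as well. Assumes the group DN contains no characters
#    that need LDAP filter escaping (parentheses, asterisks, backslashes).
function Get-EffectiveMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

# 3. userAccountControl is a bit field; decode the flags a reviewer usually
#    wants to see (values are the documented UF_* constants).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
}
function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Usage: inspect one user from the example hierarchy, then list who is
# effectively a Domain Admin (nested membership included).
$u = Get-UserByLogon -SamAccountName 'twtechpat'
'{0}: {1}' -f $u.SamAccountName, ((ConvertFrom-Uac -Value $u.userAccountControl) -join ', ')
Get-EffectiveMembers -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Accounts carrying DONT_EXPIRE_PASSWORD, TRUSTED_FOR_DELEGATION or DONT_REQ_PREAUTH, and nested members of Domain Admins nobody expected, are the usual review findings from these three queries.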

5. Integration with Cloud and Modern Identity

a. Azure Active Directory (Entra ID)

  • Microsoft's cloud-based identity platform.
  • Extends AD capabilities to SaaS apps and modern authentication (OAuth 2.0, OIDC).
  • On-prem AD users are synchronized to Azure AD with Azure AD Connect, which bridges the two directories.

b. AD Federation Services (ADFS)

  • Provides SAML and WS-Fed capabilities for federated sign-on.
  • Enables Single Sign-On (SSO) between AD and third-party services (like AWS or Salesforce).

6. Integration Example: AWS IAM Identity Center with AD

Flow:

  1. User authenticates with Active Directory via AWS Directory Service or AD Connector.
  2. IAM Identity Center maps AD groups → AWS Permission Sets.
  3. When the user signs in to AWS, STS issues temporary credentials tied to their AD identity.
  4. Fine-grained access is controlled through IAM roles and permission sets linked to AD groups.

7. Administrative Tools

  • Active Directory Users and Computers (ADUC): GUI to manage users, groups, and computers.
  • Active Directory Administrative Center (ADAC): Modern UI for managing AD objects.
  • PowerShell for AD: Command-line automation (e.g., Get-ADUser, New-ADGroup).
  • Group Policy Management Console (GPMC): Manages GPOs for policy-based configurations.

8. Security Considerations

  • Enforce strong password policies and MFA.
  • Use least privilege for admin accounts.
  • Monitor Kerberos ticket lifetimes and LDAP queries for anomalies.
  • Implement tiered administration (Tier 0 for DCs, Tier 1 for servers, Tier 2 for users).
  • Use Privileged Access Workstations (PAWs) for sensitive tasks.
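The "monitor Kerberos tickets for anomalies" item above, as an added PowerShell example that is not from the original post. It assumes the field names of Security log Event ID 4769 (a Kerberos service ticket was requested); the event records below are constructed for the example, with user names taken from the page's hierarchy.

```powershell
# Added example, not from the original post. Sample records are constructed for
# this example; on a domain controller, build the same objects from
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} (the property
# names below match the EventData fields of Event ID 4769).
function New-KrbEvent($Time, $User, $Service, $EType, $Ip) {
    [pscustomobject]@{ TimeCreated = [datetime]$Time; TargetUserName = $User
                       ServiceName = $Service; TicketEncryptionType = $EType; IpAddress = $Ip }
}
$events = @(
    New-KrbEvent '2025-10-12 09:00:05' 'twtechpat@CORP.LOCAL'   'FS01$'      '0x12' '10.0.1.15'
    New-KrbEvent '2025-10-12 09:03:10' 'twtechpat@CORP.LOCAL'   'DC01$'      '0x12' '10.0.1.15'
    New-KrbEvent '2025-10-12 09:14:00' 'twtechStacy@CORP.LOCAL' 'svc_sql'    '0x17' '10.0.1.22'
    New-KrbEvent '2025-10-12 09:14:01' 'twtechStacy@CORP.LOCAL' 'svc_backup' '0x17' '10.0.1.22'
    New-KrbEvent '2025-10-12 09:14:02' 'twtechStacy@CORP.LOCAL' 'svc_web'    '0x17' '10.0.1.22'
    New-KrbEvent '2025-10-12 09:14:03' 'twtechStacy@CORP.LOCAL' 'svc_sched'  '0x17' '10.0.1.22'
)

function Find-KerberosAnomalies {
    param([object[]]$Events, [int]$BurstThreshold = 3, [int]$WindowMinutes = 5)
    $findings = @()
    # Rule 1: service tickets issued with RC4-HMAC (etype 0x17). A domain that has
    # moved its service accounts to AES should see none, so each one is worth a look.
    foreach ($e in ($Events | Where-Object TicketEncryptionType -eq '0x17')) {
        $findings += [pscustomobject]@{ Rule = 'RC4ServiceTicket'; User = $e.TargetUserName
                                        Detail = "$($e.ServiceName) from $($e.IpAddress)" }
    }
    # Rule 2: one account requesting tickets for many distinct services within a
    # short window, which normal interactive use rarely does.
    foreach ($g in ($Events | Group-Object TargetUserName)) {
        $sorted = @($g.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
            $window = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            $distinct = @($window.ServiceName | Sort-Object -Unique).Count
            if ($distinct -ge $BurstThreshold) {
                $findings += [pscustomobject]@{ Rule = 'ServiceTicketBurst'; User = $g.Name
                    Detail = "$distinct services in $WindowMinutes min from $($sorted[$i].TimeCreated)" }
                break   # one finding per account is enough; stop scanning this user
            }
        }
    }
    $findings
}

Find-KerberosAnomalies -Events $events | Format-Table -AutoSize
```

With the constructed input, twtechpat produces no findings, while twtechStacy is reported under both rules (four RC4 tickets for four distinct services within three seconds); the thresholds are starting points to tune against a real domain's baseline.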

9. Visual AD Architecture Flow

[Architecture diagram: image not included in this text version]