A blog about my experience with software, tech and more

Introduction to Microsoft Windows’ Active Directory

Based on the LDAP protocol (defined in RFC 4511), Active Directory is a set of services available on the Microsoft Windows platform, designed to provide a variety of identity-based services to Windows-based domains. It consists of several different services that provide authentication and authorization.

At the very base of operations is Active Directory Domain Services (AD DS), which defines the scope of manageable computing infrastructure, more commonly known as a domain. For everything to function in concert, AD DS groups the manageable and configurable realms of the computing infrastructure into a forest.

A forest can be thought of as a collection of multiple domains sharing a common directory schema (the definition of attributes for all the manageable objects in the AD) and a common namespace (for name resolution with DNS).

On top of AD DS, we can leverage the following services:

  • Active Directory Certificate Services (AD CS) – Using this we can set up our own organization’s Public Key Infrastructure (PKI) for securing users, devices and applications, by providing a Certificate Authority responsible for issuing security certificates. If done right, these certificates can be used to secure our organization’s computing resources.
  • Active Directory Rights Management Services (AD RMS) – This service allows us to restrict access to content generated on our computing infrastructure, letting us specify who consumes our data and how it is to be consumed. This is accomplished by giving the author of the data the ability to restrict access to its contents while the data is at rest, in use or in transit.
  • Active Directory Federation Services (AD FS) – An identity federation service that allows internal and external services access to an identity already provisioned within an organization’s AD DS setup. This reduces the complexity of managing identities across different business applications while simplifying access to those applications for the organization’s users, with capabilities such as SSO (Single Sign-On).
  • Dynamic Access Control (DAC) – A service allowing better administration of access to organizational file and folder shares by introducing Role Based Access Control (RBAC) instead of the more traditional Discretionary Access Control (also abbreviated DAC). This service leverages already existing user attributes to control access to those resources by allowing those attributes to be used to build user claims. Using these claims, access to file resources can be restricted on more than just your typical file system permissions, while Boolean logic can be used to combine these claims.
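As an added illustration of the DAC item above (example code, not from the original post), this PowerShell sequence turns the existing `department` user attribute into a claim and grants read access only when it matches the department tag on a folder. It assumes a domain controller with the ActiveDirectory module; the claim, property, rule and policy names are hypothetical.

```powershell
# Added example (not from the original post): one DAC rule built from a user claim.
# Assumes the ActiveDirectory module and Domain Admin rights; names are hypothetical.
Import-Module ActiveDirectory

# 1. Turn the existing "department" user attribute into a user claim.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -Enabled $true

# 2. Define a matching resource property so folders can be tagged with a department.
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", ""),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR", "HR", "")
)
New-ADResourceProperty -DisplayName "Department" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $values
Add-ADResourcePropertyListMember "Global Resource Property List" -Members "Department"

# 3. Central access rule. The conditional ACE (XA) grants read/execute (0x1200a9)
#    to Authenticated Users only when the user's Department claim equals the
#    folder's Department tag; the resource property ID defaults to "Department_MS".
#    Admins and SYSTEM keep full access through ordinary (unconditional) ACEs.
$sddl = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)" +
        "(XA;;0x1200a9;;;AU;(@USER.Department == @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name "Department match" `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance", "HR"})' `
    -CurrentAcl $sddl

# 4. Bundle the rule into a policy. The policy still has to be pushed to file servers
#    via Group Policy (Security Settings > File System > Central Access Policy) and
#    selected on each folder's Security tab before it takes effect.
New-ADCentralAccessPolicy -Name "Department data"
Add-ADCentralAccessPolicyMember -Identity "Department data" -Members "Department match"
```

Because the rule is evaluated alongside the folder's normal NTFS permissions, a user needs both to pass; this is why DAC is described as restricting access on more than just file system permissions.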

Since its first introduction as a preview in 1999, Active Directory has undergone multiple changes. As part of one of its latest offerings, AD includes:

  • Introduction of Privileged Access Management – Based on Microsoft Identity Management (MIM), this grants the administrators of AD DS secured access to the management of the domain by segmenting off a part of the traditional AD DS forest (creation of a bastion forest). Administrative accounts can then be handled more securely, given their sensitivity, while users are granted access to resources on the domain in a temporary, privilege-limited manner.
  • Azure AD Join – This allows for identity provisioning and the use of organizational devices even in a bring-your-own-device setup. This enables device authentication and access to sensitive organizational resources.
  • Introduction of Microsoft Passport – To reduce or eliminate the use of passwords, key-based authentication is introduced to allow access to a user’s account through gestures such as biometrics (fingerprint), facial recognition, or a PIN code when neither of the other two is available.