Gavin Livingstone, Bryley Systems Inc.
Microsoft’s Active Directory (AD) is not well known, but it is a critical component in securing Windows Server-based networks.
Active Directory, introduced with Windows 2000 Server, is included with most versions of Windows Server, but is also available as a service[1]. Its primary function is to facilitate authentication and authorization of users (members) and resources within an AD domain. (An AD domain is a logical collection of users, computers, groups, and other objects; multiple domains can be created for different sites or groups, and trust relationships can be established between these domains.)
One of AD’s greatest strengths is that it permits the centralized creation of user- and group-based policies and then enforces them, ensuring that members comply with login and usage requirements. It also logs policy violations and login attempts, which supports automated log-checking solutions.
Basic AD services include:
- Domain Services (AD DS) – Stores and verifies member credentials
- Lightweight Directory Services (AD LDS) – A limited-feature version of AD DS
- Certificate Services (AD CS) – Public-key certificates supporting encryption
- Federation Services (AD FS) – Single sign-on functionality; AD and non-AD
- Rights Management Services (AD RMS) – Management of access rights
An instance of AD DS runs on a server; once AD DS is deployed, that server is known as a domain controller (DC). Most Windows Server-based networks have two or more domain controllers: a primary DC and one or more secondary DCs, which provide failover (the directory is replicated between them) and location-based access to the directory.
During login, users authenticate to the primary DC or to a secondary DC.
Active Directory is managed through a series of tools; most are included within Windows Server, but third-party tools[2] exist that offer better control and automation, particularly for larger organizations managing complex environments.
Best practices for AD design include[3]:
- Build a logical structure based on a hierarchical, tree-like approach:
  - Forests – Top-level container (not always used)
  - Domains – Second-level containers within forests
  - Organizational units – Third-level containers within domains
- Construct a physical model to address location requirements/constraints:
  - Place at least one domain controller (preferably two) at each site
  - Determine placement of replicas of domain data
  - Describe network topology
  - Consider traffic limitations
AD design tips[4] include:
- Keep it simple
- Match site topology to network topology
- Ensure you have at least two DNS servers
- Try to dedicate a server as a domain controller
Security best practices for AD include[5]:
- Rename or disable the Administrator account
- Physically secure domain controllers and servers
- Apply Group Policy settings to restrict user, group, and computer access
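An added example (not from the article) of checking a domain against several of the practices above: the built-in Administrator account renamed or disabled, at least two domain controllers (and two per site) and two DNS servers, and the logon-failure logging mentioned earlier. It assumes the RSAT ActiveDirectory and DnsClient PowerShell modules on a domain-joined administrative workstation; the function name Test-AdBaseline is my own.

```powershell
# Added example: audit a domain against the AD security and design practices listed above.
# Assumes the RSAT ActiveDirectory module (Get-ADDomain, Get-ADUser, Get-ADDomainController)
# and the DnsClient module (Resolve-DnsName); run as a domain administrator.
Import-Module ActiveDirectory

function Test-AdBaseline {
    $domain   = Get-ADDomain
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Built-in Administrator: its RID is always 500, so look it up by SID rather than
    #    by name; a renamed account is then still found and "renamed OR disabled" is checked.
    $adminSid = "$($domain.DomainSID.Value)-500"
    $admin    = Get-ADUser -Identity $adminSid -Properties Enabled
    if ($admin.SamAccountName -eq 'Administrator' -and $admin.Enabled) {
        $findings.Add("Built-in Administrator ($adminSid) is neither renamed nor disabled")
    }

    # 2. Domain controllers: at least two in the domain, and two per site where possible.
    $dcs = @(Get-ADDomainController -Filter *)
    if ($dcs.Count -lt 2) {
        $findings.Add("Only $($dcs.Count) domain controller(s) in $($domain.DNSRoot)")
    }
    $dcs | Group-Object Site | Where-Object { $_.Count -lt 2 } | ForEach-Object {
        $findings.Add("Site '$($_.Name)' has a single DC ($($_.Group.Name -join ', '))")
    }

    # 3. DNS: the domain zone should be served by at least two name servers.
    $ns = @(Resolve-DnsName -Name $domain.DNSRoot -Type NS -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'NS' })
    if ($ns.Count -lt 2) {
        $findings.Add("Fewer than two NS records for $($domain.DNSRoot)")
    }

    # 4. Logon auditing on the PDC emulator over the last 24 hours:
    #    4625 = failed logon to the DC itself, 4771 = Kerberos pre-authentication failure
    #    for a domain account. Returned as a count so it can feed a scheduled report.
    $failed = @(Get-WinEvent -ComputerName $domain.PDCEmulator -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddDays(-1) })
    $findings.Add("Failed logons in last 24h on $($domain.PDCEmulator): $($failed.Count)")

    return $findings
}

Test-AdBaseline | ForEach-Object { Write-Output $_ }
```

Each line of output is a finding or a metric; an empty list apart from the logon count means the checked items match the practices listed above.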
Basically, Active Directory forms the heart of any Windows Server-based network; it is a critical component, even when using Cloud-based resources. (Cloud-based resources can often be integrated with AD through Federation Services.)
[2] 10 Must-Have Active Directory Tools by Walker Rowe of Anturis, 4/14/2015.
[3] Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks from the Microsoft Developer Network. (These are dated, but extremely detailed.)
[4] 10 Tips for Effective Active Directory Design by Brien Posey of TechRepublic, 8/23/2010.
[5] Active Directory Best Practices at Microsoft TechNet, 1/21/2005.