Active Directory and its uses

Gavin Livingstone, Bryley Systems Inc.

Microsoft’s Active Directory (AD) is not well known, but it is a critical component in securing Windows Server-based networks.

Active Directory, introduced with Windows Server 2000, is included with most versions of Windows Server, but is also available as a service [1].  Its primary function is to facilitate authentication and authorization of users (members) and resources within an AD domain.  (An AD domain is a logical collection of users, computers, groups, and other objects; multiple domains can be created for different sites or groups, and trust relationships can be established between these domains.)

One of AD’s greatest strengths is to permit the centralized creation of user and group-based policies; it can then enforce these policies, ensuring that members comply with login and usage requirements.  Plus, it logs policy violations and login attempts, supporting the automation of error-log-checking solutions.

Basic AD services include:

  • Domain Services (AD DS) – Stores and verifies member credentials
  • Lightweight Directory Services (AD LDS) – A limited-feature version of AD DS
  • Certificate Services (AD CS) – Public-key certificates supporting encryption
  • Federation Services (AD FS) – Single sign-on functionality; AD and non-AD
  • Rights Management Services (AD RMS) – Management of access rights

Single instances of AD DS run on a server; once AD DS is deployed, this server is known as a domain controller (DC).  Most Windows Server-based networks have two or more domain controllers; a primary DC and secondary DC(s) to provide failover directory (via replication) and location-based access to the directory.

During login, users authenticate to the primary DC or to a secondary DC.

Active Directory is managed through a series of tools; most are included within Windows Server, but third-party tools [2] exist that provide better control and automation, particularly for larger organizations managing complex environments.

Best practices for AD design include [3]:

  • Build a logical structure based on a hierarchical, tree-like approach:
    • Forests – Top-level container (not always used)
    • Domains – Second-level containers within forests
    • Organizational units – Third-level containers within domains
  • Construct a physical model to address location requirements/constraints:
    • Place at least one domain controller (preferably two) at each site
    • Determine placement of replicas of domain data
    • Describe network topology
    • Consider traffic limitations

AD design tips [4] include:

  • Keep it simple
  • Match site topology to network topology
  • Ensure you have at least two DNS servers
  • Try to dedicate a server as a domain controller

Security best practices for AD include [5]:

  • Rename or disable the Administrator account
  • Physically secure domain controllers and servers
  • Apply Group Policy settings to restrict user, group, and computer access

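An added example, not part of the original article: a read-only PowerShell audit of three of the tips above (at least two domain controllers per site, at least two DNS servers, and whether the built-in Administrator account has been renamed or disabled). It assumes the RSAT ActiveDirectory module is installed on the machine running it and that it runs as a domain user with read access to the directory.

```powershell
# Added example (not the article's own code). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the domain. Everything is read-only.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = @()

# Design tip: place at least one (preferably two) domain controllers at each site.
$dcs = Get-ADDomainController -Filter *
$dcs | Group-Object Site | ForEach-Object {
    if ($_.Count -lt 2) {
        $hosts = $_.Group.HostName -join ', '
        $findings += "Site '$($_.Name)' has only $($_.Count) domain controller(s): $hosts"
    }
}

# Design tip: ensure at least two DNS servers are configured (checked on this host).
$dns = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
         ForEach-Object { $_.ServerAddresses } |
         Sort-Object -Unique)
if ($dns.Count -lt 2) {
    $findings += "Only $($dns.Count) DNS server(s) configured: $($dns -join ', ')"
}

# Security practice: rename or disable the Administrator account.
# The built-in account always has RID 500, whatever it is currently named,
# so look it up by SID rather than by name.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties Enabled
if ($builtinAdmin.Enabled -and $builtinAdmin.SamAccountName -eq 'Administrator') {
    $findings += "Built-in Administrator (RID 500) is enabled and still named 'Administrator'"
}

if ($findings.Count -eq 0) {
    Write-Output "No findings for domain $($domain.DNSRoot)."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```
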
Basically, Active Directory forms the heart of any Windows Server-based network; it is a critical component, even when using Cloud-based resources.  (Cloud-based resources can often be integrated within AD through Federation Services.)


[1] Active Directory as a service is available through Microsoft’s Azure Active Directory, Bryley Systems’ Hosted Cloud Server™, and other providers.

[2] 10 Must-Have Active Directory Tools by Walker Rowe of Anturis, 4/14/15.

[3] Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks from the Microsoft Developer Network.  (These are dated, but extremely detailed.)

[4] 10 Tips for effective Active Directory design by Brien Posey of TechRepublic, 8/23/2010.

[5] Active Directory Best Practices at Microsoft TechNet on 1/21/2005.

The value of a computer-network assessment

Gavin Livingstone, Bryley Systems Inc.

Most situations benefit from an assessment – Firefighters assess the structure, locale, and availability of resources (water) before rushing into a burning building; politicians (hopefully) assess the potential consequences before stating their position on a controversial topic; my insurance company wants to assess the damage before they fix my car.

Business owners and decision-makers use assessments continuously:  Useful, structured information is key to reducing risks and to measuring these risks against the intended result.  An assessment simply allows one to read the current state, consider the desired outcome and potential consequences, and provide (hopefully) all of the information needed to make a superior decision.

In order to make an informed business decision on your IT investment and future, you need comprehensive, factual information on the current state of your IT infrastructure, focusing on at least these topics:

  • Business goals, needs, and budget
  • Applications, Cloud or on-premise, and their operating environments
  • End-user devices (workstations, notebooks, mobile devices, printers, etc.)
  • Network equipment (servers, SANs, firewalls, switches) and Cloud options
  • Exceptions to best and standard practices

To do so, you would request a computer-network assessment, which identifies network-based and Cloud-based assets; it should also expose security gaps and all other issues that could impact uptime.

Done right, an assessment should include:

  • Business:
    • Review business goals relative to mission-critical technology.
    • Determine current and future needs in terms of applications, users, network capacity, and Cloud options.
    • Define the available budget to address these goals and needs.
  • Applications:
    • List each application; include vendor-contact information.
    • Identify all users of each application and their operating environment.
    • Assess application’s environment for current and future needs.
  • End-user devices:
    • Create a configuration sheet for each device with relevant details.
    • Assess capacity of device compared to current and future needs.
  • Network equipment and Cloud options:
    • Create a configuration sheet for each on-premise item with full details.
    • Assess capacity of equipment compared to current and future needs.
    • Identify software licenses:
      • Review non-OEM licensing.
      • Verify license count to server settings and actual users.
    • Identify and assess Cloud options.
  • Exceptions:
    • Identify exceptions to standard practices.
    • Identify environmental exceptions.
    • Create exceptions document.

Bryley Systems offers an entry-level service, Network Assessment/Basic™, but also offers two higher-value network-assessment options:

  • Network Assessment/Plus™
  • Network Assessment/Pro™

Network Assessment/Basic™ provides basic information at a modest investment.  It includes the following:

  • Deployment of our secure, non-invasive, network-assessment tool for one-time collection of data (followed by immediate removal of this tool).
  • Brief, non-client-facing review of these reports by a Bryley Engineer.
  • Presentation of these network-infrastructure reports:
    • Network Assessment PowerPoint – Summary with risk and issue scores
    • External Network Vulnerabilities Summary – External vulnerabilities
    • Client Risk Report – Overall risk score with risk-area charts
    • Site Diagram – A Visio-style graphic of network assets

Network Assessment/Plus™ is a mid-level approach with additional reports and an in-depth review with written comments.  It includes the deliverables above plus these additional items:

  • In-depth, non-client-facing review with comments from a Bryley Engineer.
  • Presentation of these additional, network-infrastructure and security reports:
    • Full Detail Report – Unfiltered details on configurations and activity
    • Internal Vulnerabilities Report – Deviations from industry standards
    • Network Security reports – Proprietary Security Risk Score
    • Security Assessment reports – Security policies and login

Network Assessment/Pro™ is an all-inclusive effort with an onsite, client-facing presence by a Bryley engineering team and a complete, detailed write-up with recommendations.  Its purpose is to review and document all assets, security gaps, and related issues identified via our network-assessment tool and an onsite, visual examination.  These findings are documented, along with all relevant reports from our network-assessment tool, and are presented onsite to the recipient.

Click here to see our current promotion on Network Assessment/Basic™.  You can also email or call 978.212.5806.