This Active Directory tutorial explains what is Active Directory, its features, benefits, and details of Microsoft Azure Active Directory:
In recent times, we have seen a sharp surge in the domain of directory services. This has also brought along a plethora of features and functionalities which are seemingly more complex than the ones available earlier.
The domain has expanded to include not just single directory products like Active Directory Service but also many other directory services which are more advanced, however Active Directory from Microsoft tops the chart.
The most common use of Active Directory for organizations is to carry out tasks of authentication and authorization. An important feature of directory service is that objects are graded in a manner that makes them easy to access.
Every time a user needs to be granted access to a resource, checks are made with this central database called Active Directory to verify that the user is authentic and has the authorization to access a particular resource.
In this Active Directory tutorial, we will look at step-by-step learning for Microsoft Active Directory Tool.
What You Will Learn:
- What Is Active Directory
- Azure Active Directory
What Is Active Directory
Website: Active Directory
Directory service allows information to be stored, classified, and retrieved. The directory service in Microsoft office is called Active Directory. It is a database that is used to store an enormous amount of information about the User, User Groups, Client computers, and Network resources like Printers and Shared folders.
Microsoft Active Directory not just functions as a locator service, but also provides great benefits to the organizations by enabling a centralized execution of activities that take place in the network.
The image below depicts the important aspects of Active Directory. It includes Users and resources and it shows that Active Directory is used to carry out tasks of authentication and authorization for resources.
Active Directory Structure
In the Active Directory structure, the top part is called a Forest. As we move down the hierarchy, it forms the tree which can be seen as a collection of domain and sub-domains. The domain is at the center of the Windows Network.
While a tree is a unit with one domain or group of objects, it further has child domains. Forest is at the top of the hierarchy representing a group of domains. We can also say that Forest is a group of Trees or multiple domains.
The image below illustrates the structure of Active Directory.
The connection between Forest and Trees is a trust relationship that allows the exchange of information across different domains. Trust follows across all domains, and this makes accessing these domains simpler with the same credentials as used on the root domain.
A domain is a network structure where one server or multiple servers are responsible for dealing with security and permissions on the network. It is created in order to control user’s access and permission where 50, 100, or thousands of computers are connected. The topmost domain created in the directory is the root. Domains that follow here onwards have their own unique names and are called Child Domains.
So, how are these domains controlled? They are controlled through a Domain Controller.
What Is Domain Controller
The domain controller is a Windows server that saves information regarding all the objects which are within that domain. It is an Active Directory server that contains all the information related to objects.
User accounts and computer accounts are added to Domain Controller when information is stored. A database of information called Schema is created. To explain this in simple terms, Schema is the database or the type of data stored on the domain controller regarding user accounts and computer accounts.
The schema of AD has the essential feature of being extendable. This can be better explained with the help of an example.
When the Domain controller is installed for the first time, there is a certain type of data that can be stored for user accounts and computer accounts but in case the exchange server is installed on the network, the type of data that can be stored on the domain controller can be extended.
These user accounts and computer accounts are put under groups, and security policies are applied to these groups.
The image below shows a representation of the Domain Controller.
Domain controller plays a pivotal role in accepting requests for change to the database and also replicate the information amongst all the other domain controllers in the domain. Over a period of time, there may be a need for additional domain controllers.
In a situation when the server connects to the network, it has a default status of a standalone member server. Here, in case this member server needs to be used as a domain controller, we need Active Directory to install the wizard which is called- DCPROMO.EXE.
This is how a standalone member server becomes a domain controller and it uses a multi-master replication process to interact with other domain controllers. Domain controllers work in sync when information is to be updated.
Next, we have the Organizational Units or OU which are linked to specific domains. The purpose of organizational units is to reduce the number of domains in the organization.
There are multiple ways of authentication in Active Directory within a network. One such example is Kerberos. Kerberos provides security and authentication and if there are any non-domain members.
Let us now look at some features of Active Directory.
Features Of Active Directory
These are enlisted below:
- It is a database of Objects. Some of these objects can be- Users, Groups, Printers, Devices, and computers.
- It stores, organize and enables access to other objects.
- It also provides essential networking services like DNS and Kerberos-based authentication.
- If there is a network of hundreds or thousands of computers, an Active Directory is the only option to manage this network easily.
- It also includes LDAP (Lightweight Directory Access Protocol) directory services.
- It is a centralized database to store a vast amount of information.
- Active Directory is mostly used by system administrators to save user’s data, assigning security-related policies, and place software.
- Active Directory governs the security policies when a VPN connection is established and people are allowed to connect to that network. It allows Administrators to sit and centrally give users and computers permissions on the network and on individual computers.
- The usage of Active Directory can vary from small organizations with a few hundred users to thousands of users across the world. If there is a network of hundreds or thousands of computers, an AD is the only option to manage this network easily.
Benefits Of Active Directory
These are enlisted below:
- One of the main benefits of using Active Directory for an organization is ease. With Active Directory, it is possible for users to access and control resources from a centralized location. It provides the convenience to control multiple devices because of integrated login credentials. This helps to get rid of the redundant task of entering account details every time a machine needs to be accessed.
- Active Directory essentially allows administrators to sit down at one console and give users and individual computers permission to do things on the network. Therefore, Active Directory offers great benefits to an enterprise or organization.
- When there are thousands of computers to work on, it is impossible to configure security policies on each computer. This is where Active Directory comes into play. It allows administrators to create security policies within the domain controller, and these policies are spread across the network. This enables controlled access to unauthorized users.
Now that we have looked at the benefits and features of Active Directory, let us also see how to set up Active Directory.
Active Directory Set up With RSAT
The pre-requisite to use the Remote Server Administration Tool (RSAT) is to have Windows Professional or Windows Enterprise installed else RSAT cannot be installed.
Set up of Active Directory in Windows 10
In order to set up Active Directory for Windows 10 version 1809, the following steps are to be followed-
Step 1: Click on Start (use the right key) and select Settings.
Step 2: Select Apps and then select Manage optional features.
Step 3: Click on Add feature.
Step 4: Click on RSAT: Active Directory Domain Services and Lightweight Directory tool.
Step 5: Click on Install.
Step 6: Click on Start and then select Windows Administrative tools to access Active Directory.
Set up of Active Directory in Windows 8
When Active Directory needs to be set up on Windows 8, we need to follow the below-mentioned steps.
It is very important to ensure that the version of the Server Administration tool installed is compatible with Windows 8 and Windows 10.
Step 1: Select Start (use the right key) and click on Control Panel.
Step 2: Click on Programs and then select Programs and Features.
Step 3: Select the option Turn Windows features on or off.
Step 4: Scroll to the bottom and select the option Remote Server Administration Tools.
Step 5: Select Role Administration Tools.
Step 6: Select AD DS and AD LDS Tools.
Step 7: Ensure AD DS tools are checked.
Step 8: Click on OK.
Step 9: Select Start and then click on Administrative tools to see Active Directory.
When Active Directory is to be used, the first step is to set up Domain Controller. As we have discussed earlier, the Domain controller plays a pivotal role in accepting requests for change to the database and also replicate the information amongst all the other Domain Controllers in the domain. It is a database of all the login credentials of computers and printers.
Let us now see how Domain Controllers are set up.
How To Set Up Domain Controller
It is not rocket science to set up Domain Controller. We can follow the below-mentioned steps to set up Domain Controller.
Step 1: Log on to Server Manager.
Step 2: Select Roles Summary and then select Add roles and features.
Step 3: Click on Remote Desktop Services installation. (This selection is to be made in case the domain controller is to be installed on a virtual machine). Otherwise, click on role-based or feature-based installation.
Step 4: Choose a Server from the server options available.
Step 5: From the list of options- click on Active Directory Domain Services and select the Next tab.
Step 6: Features should be checked as default. Select Next.
Step 7: Select Restart the destination server automatically if required and then select Install. It is required to close the window after the process of installation is complete.
Step 8: Choose the option to Promote this server into a domain controller after AD DS has been installed. This option is available next to the Manage tab.
Step 9: Select the option- Add a new forest and choose a Root domain name. Click on the Next tab.
Step 10: Choose a domain functional level as per choice and create a password to enter into the Type the Directory Services Restore Mode (DSRM password) part. Select Next tab.
Step 11: Select the Next option on the page displaying DNS Options.
Step 12: Type a domain in the box – NetBIOS Domain name. It is recommended to continue with the same name as a root domain name. Click Next tab.
Step 13: Choose a folder where database and log files can be saved. Click Next tab.
Step 14: Click on Install and allow the system to reboot.
User Accounts In Active Directory
We have been talking about objects in Active Directory. Users and computer are two main objects which need to be managed in Active Directory. In this section, we will see steps that can be followed to create a new AD user account.
User account object is an interface between an actual human user in the organization and Active Directory Domain Services enterprise. These users, when on the network, need to be able to access resources. As administrators, we need to either grant or restrict their access to these resources. This is done through the user account created to represent these users.
The easiest way to create a user account in Active Directory is to use the ADUC tool- Active Directory Users and Computers tool. This tool is available with the Remote Server Administration Tools (RSAT) package.
How to Create User Account
Step 1: Log onto Server Manager.
Step 2: Click on Tools on the menu and select Active Directory users and computers.
Step 3: Click on the domain name, which represents the users. This is on the left pane of the screen. When this domain name is expanded by clicking on the (+) sign, we see a few folders which can be also be called containers.
Step 4: Select the folder or container in which the object “User” needs to be created.
Step 5: After selecting the folder, right-click on the folder and hover the mouse on New in the menu, and select Users.
Step 6: We now see the New object wizard. This wizard requires the user details like First name, last name, and user login name to be filled in. It is important to ensure at this step that the user login name is unique, as there is no duplication allowed on the network to avoid security breaches. Click on Next.
Step 7: The next screen is the password screen. This is where the password needs to be created and re-entered. This screen also has few options where the first one says- User must change password at first log on. This is a recommended step as administrators usually choose generic passwords and not strong passwords and users must change it to a password that is only known to them.
The other options here are “User cannot change password” and “Password never expires”. This allows full control to the administrators.
Step 8: Click on Next and then click on Finish.
Let us also see how to move user accounts from one folder or container to another.
Moving User Accounts
- The easiest and traditional way to move user accounts is to right-click on the user account and select the option Move. This takes us to a window with other folders or containers where the user needs to be moved. Select the appropriate folder and the user account is moved.
- The other way to move user accounts is to drag the user account to the appropriate container or folder where it has to be moved. As soon as the user account is dragged, there is a warning that appears on the screen reminding us that this movement may lead to a change in permissions and access available to the user. Click on the Yes tab and the user account is moved.
Trust Relationship Across Domains
In the above paragraphs, we have discussed domain and domain controller. In an event when the organization decides to expand to more than one domain, we see an interesting aspect called “Trust relationships” that is formed. What this simply means is that with multiple domains in a network, trust relationships enable the smooth process of authentication and access to resources between domains.
The trust relationship is a rational relationship among the domains which helps in the process of authentication and resource accessibility. In this relationship, one domain is trusted, and another domain is trusting.
For example, when Domain A and Domain B have an equation of trust, users from Domain B if given the required permissions can access resources on Domain A. Thus we can conclude that Trust is an essential building block that enables smooth management of identity and access to resources.
Types Of Trusts In Active Directory
#1) Transitive Trust
The equation of trust in AD Forest develops automatically and is bi-directional and transitive. Therefore, it is established that domains- parent and child, root and trees have trust relationships and users and other objects are allowed to access resources across domains.
In the event of the creation of new or additional child domains, this trust relationship is also automatically transferred from the parent domains and resources can be accessed by these child domains.
#2) Non-transitive Trust
This type of trust is limited only to those domains where the trust was created and does not get extended to other domains. For example, Domain A and Domain B trust each other, and Domain C and Domain D trust each other. But Domain A will not trust Domain C or D unless a different trust is created with these domains.
Some of the other types of trusts are discussed below:
- Tree-Root Trust: It is created when additional root domains are included in Active Directory. This type of trust only includes the domains which are at the top of the tree. This trust is created by default in Active Directory.
- Parent-Child Trust: This type of trust is created automatically by Active Directory when there is an addition of new child domains. This is also a default trust in Active Directory.
- Forest Trust: In order to create a Forest trust, one must have the rights of an administrator. The trust is created between two forests in Active Directory. This allows inter-domain trust between domains of forests. The rights to decide this trust to be bi-directional or one-directional remain reserved with the Administrators.
- Realm Trust: This type of trust is developed between Forest on Active Directory and a non- Windows Kerberos environment. Examples of this non-Kerberos environment can be Linux, Unix, etc. This type of trust can be either bi-directional or one-directional.
- External Trust: This type of trust is an example of non-transitive trust. It is created between Active Directory domains, which are present in different Forests, or between Active Directory Forest and pre Windows Server 2000, for example- Windows NT.
- Shortcut Trust: This type of trust is created manually, and the aim of this trust is to enable authentication in order to shorten the way of trust across domains. This type of trust is created in the case of a large Active Directory setup.
Trust across forests can only be created by Administrators with special rights and who are a part of Domain/Enterprise administration. They also reserve the right to restrict access to resources to some identities in a forest. This type of trust must be created after a thorough consideration of trust and relationships between users and other objects within domains.
So, we can say that trust relationships are created either automatically or manually between forests, trees, and domains to create a path in order to enable access to resources.
We have seen that Active Directory is a great service that offers identity and access management within the infrastructure of an enterprise, but what if we need to manage cloud-based identity and access? Is there a solution for that as well?
The answer is Yes, there is. The name of this solution is Microsoft’s Azure Active Directory domain services.
Azure Active Directory
Azure Active Directory is a management service offered by Microsoft for managing cloud-based identity and access. Enterprise can either choose Microsoft Active Directory tool or Azure Active Directory in case the preference is for a pure cloud-based solution. Active Directory and Azure Active Directory can also co-exist.
It allows users to sign in and get access to any external resource which are held in Office 365 and many other web-based applications. Sometimes these applications can also be on Intranet or the corporate network.
Azure Active Directory is completely cloud-based, and this is a USP for Azure. This enables Azure Active Directory to be the sole director for the organization or it can be used together with AD within premises using Azure AD connect. It offers benefits of Single Sign-On (SSO), multi-factor authentication (MFA), and conditional access to name a few.
Another important reason for the popularity of Azure AD is that it gives a single place from which identity, security, and compliance can be controlled for the entire organization. It has proved to provide great benefits to administrators by allowing them comprehensive control over access to resources and applications by making use of features like MFA and conditional access.
It is also an extremely beneficial solution for developers, as it can be used to enable features such as SSO.
For employees and users, it is a great solution for enabling quick and easy access to resources on multiple devices irrespective of their location.
The image below shows the Working Of Azure Active Directory:
Azure Active Directory Price
Azure Active Directory offers various licensing options. These are mentioned below:
- Basic license: It is priced at $1 per user for one month.
- Premium P1: It is priced at $6 per user for one month. It is offered as a part of the Office 365 E3 suite.
- Premium P2: It is priced at $9 per user for one month. . It is offered as a part of the Office 365 E5 suite.
The pricing for monthly users for P1 and P2 license also varies as per Monthly Active User (MAU). The first 50,000 MAUs are free in P1 and thereafter a charge of $0.00325 per user applies to the P1 license. On the P2 license, this charge is $0.01625 per user.
Azure Free Trial version
Azure AD also has a trial version available for free and can be used once the Azure free tenant has been set up. This version is ideal for testing environments but not for a live business setup due to the lack of security features.
Let us now look at some frequently asked questions on Active Directory.
Frequently Asked Questions
Q #1) Is Active Directory a tool?
Answer: Yes, Microsoft Active Directory tool is the most important tool for administrators at the enterprise level. It helps administrators in controlling assets, users, and authorizations across the network.
Q #2) Who uses AD?
Answer: It is used by IT administrators to manage the identity and authentication of objects and enable access to resources across the network.
Q #3) What information can be stored in AD?
Answer: It is capable of storing data and information about the objects in the domain. Some examples of these objects are users, computers, printers, etc.
Q #4) What are the requirements for AD?
Answer: It requires a minimum of 1GB of hard disk space to install the software. Also, 256 MB of space is needed for the job result directory and log directory, respectively.
Q #5) How many users can be created in AD?
Answer: In Active Directory, the limit for user creation is 230 or 1073741823 RIDs, while user groups and computer accounts are allowed as members of approximately 1015 groups.
In this article, we discussed the features, structure, and benefits of Active Directory. Active Directory and Azure Active Directory can prove to be great solutions for managing objects across the network.
We hope that by following the steps and knowledge mentioned in this article, understanding and using Active Directory will be a cakewalk.