Active Directory (AD) is Microsoft’s directory service that provides centralized authentication and authorization for Windows environments.

What is Active Directory?

Active Directory is a distributed database that stores information about network objects such as users, groups, computers, and resources, and provides authentication and authorization services.

Main Components

Domain Controller (DC)

  • Domain controller: Server that runs Active Directory
  • Authentication: Verifies user credentials
  • Authorization: Determines access permissions
  • Replication: Synchronizes data between controllers

Domain

  • Domain: Basic administrative unit
  • Namespace: Each domain has its own unique DNS namespace
  • Policies: Group Policy is applied at the domain level
  • Security: Acts as a security boundary for its accounts and policies

Forest

  • Forest: Collection of domains that share a common root
  • Trust: Trust relationships between the domains in the forest
  • Schema: Shared global schema defining object classes and attributes
  • Global Catalog: Partial, searchable replica of every object in the forest

Organizational Unit (OU)

  • Organizational unit: Logical container for users, groups and computers
  • Delegation: Administrative rights can be delegated per OU
  • Policies: GPOs can be linked to an OU
  • Structure: Hierarchical organization of the domain

Active Directory Services

Authentication

  • Kerberos: Default ticket-based authentication protocol
  • NTLM: Legacy challenge-response protocol
  • LDAP: Lightweight Directory Access Protocol, used to query and bind to the directory
  • SSO: Single Sign-On across domain resources

Authorization

  • ACLs: Access control lists on directory objects and resources
  • Permissions: Permissions granted on individual objects
  • Groups: Permissions assigned through group membership
  • Roles: Administrative roles such as the built-in operator groups

Identity Management

  • User Management: Create, modify, disable and delete user accounts
  • Group Management: Create groups and maintain their membership
  • Computer Management: Join, move and decommission domain-joined computers
  • Service Accounts: Accounts used by applications and services rather than people

Active Directory Structure

Main Objects

  • Users: User accounts
  • Groups: Collections of users, computers or other groups
  • Computers: Domain-joined computer accounts
  • Organizational Units: Containers that organize the other objects

User Attributes

# Common user attributes
# -Properties * returns every attribute; in practice request only the ones you need
Get-ADUser -Identity "user" -Properties *
# Properties include:
# - DisplayName
# - EmailAddress
# - Department
# - Title
# - Manager
# - MemberOf
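As an added example (not from the original page), the same cmdlet can drive an account-hygiene audit instead of dumping every attribute. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read user objects; the 90-day and one-year thresholds are constructed values.

```powershell
# Added example: flag enabled user accounts with risky settings.
# Assumes the ActiveDirectory module is installed; StaleDays is an arbitrary threshold.
Import-Module ActiveDirectory

$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Request only the attributes that are evaluated, not -Properties *
$Props = 'PasswordNeverExpires', 'PasswordNotRequired', 'DoesNotRequirePreAuth',
         'LastLogonDate', 'PasswordLastSet', 'ServicePrincipalName', 'AdminCount'

$Report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $Props | ForEach-Object {
    $flags = New-Object System.Collections.Generic.List[string]

    if ($_.PasswordNeverExpires)  { $flags.Add('PasswordNeverExpires') }
    if ($_.PasswordNotRequired)   { $flags.Add('PasswordNotRequired') }
    if ($_.DoesNotRequirePreAuth) { $flags.Add('KerberosPreAuthDisabled') }

    # Never logged on, or no logon within the threshold
    if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) {
        $flags.Add("NoLogonIn${StaleDays}Days")
    }

    # Service accounts (SPN set) whose password has not been rotated in a year
    if ($_.ServicePrincipalName.Count -gt 0 -and $_.PasswordLastSet -and
        $_.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
        $flags.Add('ServiceAccountOldPassword')
    }

    # adminCount=1 persists after removal from protected groups and blocks ACL inheritance
    if ($_.AdminCount -eq 1) { $flags.Add('AdminCountSet') }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            LastLogonDate   = $_.LastLogonDate
            PasswordLastSet = $_.PasswordLastSet
            Findings        = $flags -join ','
        }
    }
}

$Report | Sort-Object SamAccountName | Format-Table -AutoSize
```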

Active Directory Groups

  • Security Groups: Group type that can be granted permissions on resources
  • Distribution Groups: Group type used for e-mail distribution lists; cannot be assigned permissions
  • Universal Groups: Scope spanning the forest; members from any domain, listed in the global catalog
  • Domain Local Groups: Scope limited to one domain; used to grant permissions on that domain's resources

Group Policies (GPO)

GPO Configuration

# Requires the GroupPolicy module (part of RSAT)
# Create new GPO
New-GPO -Name "Security Policy"

# Link GPO to OU
New-GPLink -Name "Security Policy" -Target "OU=Users,DC=company,DC=com"

# Configure policy (the key is given in the HKLM\... form the cmdlet documents)
Set-GPRegistryValue -Name "Security Policy" -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" -ValueName "DisableAutomaticRestartSignOn" -Value 1 -Type DWord
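Added example (not from the original page): after the three steps above, verify that the GPO is linked where intended and that the value was written, rather than trusting that the Set-* call succeeded. It assumes the GroupPolicy module and reuses the names and paths from this page.

```powershell
# Added example: verify the GPO created above actually applies to the target OU.
# Assumes the GroupPolicy module (RSAT) and the GPO name / OU path used on this page.
Import-Module GroupPolicy

$GpoName  = 'Security Policy'
$TargetOU = 'OU=Users,DC=company,DC=com'

# Link order decides precedence (1 = highest); blocked inheritance or a disabled link
# silently stops a policy from reaching the objects below the OU
$inh = Get-GPInheritance -Target $TargetOU
"Inheritance blocked on ${TargetOU}: $($inh.GpoInheritanceBlocked)"
$inh.GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Read the value back from the GPO itself
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableAutomaticRestartSignOn' |
    Select-Object KeyPath, ValueName, Value, Type

# On a member (after gpupdate /force) the resultant set of policy shows which GPO won
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html" | Out-Null
"RSoP report written to $env:TEMP\rsop.html"
```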

Common Policies

  • Password Policy: Length, complexity, history and maximum age of passwords
  • Account Lockout: Threshold, duration and reset counter for failed logons
  • Audit Policy: Which security events are recorded in the Security log
  • Security Settings: User rights assignments and other security options

Security in Active Directory

Strong Authentication

  • Multi-Factor Authentication: A second factor in addition to the password
  • Smart Cards: Certificate-based logon with a hardware token
  • Certificate Authentication: Kerberos logon with a user certificate instead of a password
  • Biometric Authentication: Fingerprint or face as an authentication factor

Account Protection

  • Privileged Access Management: Controlled, audited use of administrative accounts
  • Just-In-Time Access: Privileges granted only for the time they are needed
  • Account Monitoring: Tracking account creation, changes and use
  • Anomaly Detection: Alerting on logon patterns that deviate from the norm

Hardening

  • Least Privilege: Grant only the rights each account needs
  • Regular Audits: Periodic review of memberships, permissions and policies
  • Patch Management: Keep domain controllers and administrative hosts up to date
  • Monitoring: Continuous monitoring of authentication and directory changes
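Least privilege and regular audits come down to knowing who is effectively in the privileged groups, nesting included. The following is an added example, not code from the original page; it assumes the ActiveDirectory module and uses the usual built-in privileged groups as its list.

```powershell
# Added example: report the effective (nested) membership of built-in privileged groups.
# Assumes the ActiveDirectory module; the group list can be extended with local Tier-0 groups.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$Rows = foreach ($group in $PrivilegedGroups) {
    # Enterprise/Schema Admins exist only in the forest root; skip groups this domain lacks
    try { $direct = Get-ADGroupMember -Identity $group -ErrorAction Stop } catch { continue }

    # Nested groups widen the privileged set in ways that are easy to miss in the GUI
    foreach ($nested in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
        [pscustomobject]@{ Group = $group; Member = $nested.SamAccountName; Type = 'nested-group'
                           Enabled = ''; LastLogonDate = '' }
    }

    # -Recursive expands every nested group down to the individual principals
    foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate
            [pscustomobject]@{ Group = $group; Member = $u.SamAccountName; Type = 'user'
                               Enabled = $u.Enabled; LastLogonDate = $u.LastLogonDate }
        }
        else {
            # Computers or managed service accounts in an admin group deserve a second look
            [pscustomobject]@{ Group = $group; Member = $m.SamAccountName; Type = $m.objectClass
                               Enabled = ''; LastLogonDate = '' }
        }
    }
}

# Summary: size of each privileged group after expansion
$Rows | Where-Object { $_.Type -eq 'user' } | Group-Object Group |
    Select-Object Name, Count | Format-Table -AutoSize

# Detail: disabled or long-unused privileged accounts are candidates for removal
$Rows | Sort-Object Group, Type, Member | Format-Table -AutoSize
```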

Administration Tools

PowerShell

# User management
# Without -AccountPassword the new account is created disabled
New-ADUser -Name "John Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@company.com"

# Group management (GroupCategory defaults to Security)
New-ADGroup -Name "Developers" -GroupScope Global

# OU management
New-ADOrganizationalUnit -Name "IT" -Path "OU=Departments,DC=company,DC=com"

RSAT (Remote Server Administration Tools)

  • Active Directory Users and Computers: Graphical management of users, groups, computers and OUs
  • Group Policy Management: GPO creation, linking and reporting
  • Active Directory Sites and Services: Site, subnet and replication topology management
  • ADSI Edit: Low-level editor for directory objects and attributes

Third-Party

  • ADManager Plus: Management tool
  • Quest Active Roles: Advanced management
  • ManageEngine ADManager: Enterprise solution
  • SolarWinds Server & Application Monitor: Monitoring

Monitoring and Auditing

Security Events

  • Logon Events: Successful logons (event ID 4624) and failed logons (4625)
  • Logoff Events: Logoffs (event ID 4634)
  • Account Lockout: Account locked out (event ID 4740)
  • Privilege Escalation: Special privileges assigned to a new logon (4672) and changes to privileged group membership

Monitoring Tools

# Query security events: 4624 = an account was successfully logged on
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Select-Object TimeCreated, Id, LevelDisplayName, Message

# Monitor AD changes: 4732 = a member was added to a security-enabled local group
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4732} | Select-Object TimeCreated, Id, LevelDisplayName, Message
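Selecting the Message column is fine for reading, but detection needs the structured fields. As an added example (not from the original page), the following parses the event XML and groups failed logons by account and source; it assumes it runs on a domain controller with read access to the Security log, and the one-hour window and threshold of 10 are constructed values.

```powershell
# Added example: detect password-guessing bursts and lockouts from a DC's Security log.
# Assumes read access to the Security log; Window and Threshold are arbitrary constructed values.
$Window    = (Get-Date).AddHours(-1)
$Threshold = 10

# Turn the <Data Name="..."> elements of an event into properties of one object
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $h[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$h
}

# 4625: an account failed to log on; 4771: Kerberos pre-authentication failed; 4740: account locked out
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771, 4740; StartTime = $Window } `
                       -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertTo-EventData $_ }

# Many failures on one account from one source is the classic brute-force signature;
# many accounts from one source with few failures each points to password spraying
$Events | Where-Object { $_.Id -in 4625, 4771 } |
    Group-Object TargetUserName, IpAddress |
    Where-Object { $_.Count -ge $Threshold } |
    Select-Object Count,
                  @{ n = 'Account'; e = { $_.Group[0].TargetUserName } },
                  @{ n = 'Source';  e = { $_.Group[0].IpAddress } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Lockouts: in 4740 TargetUserName is the locked account and TargetDomainName the caller computer
$Events | Where-Object { $_.Id -eq 4740 } |
    Select-Object TimeCreated, TargetUserName, TargetDomainName | Format-Table -AutoSize
```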

SIEM Integration

  • Splunk
  • IBM QRadar
  • ArcSight
  • LogRhythm

Troubleshooting

Common Problems

  • Authentication Failures: Users or services unable to log on
  • Replication Issues: Domain controllers out of sync with each other
  • DNS Issues: Missing or wrong DC records prevent clients from locating a domain controller
  • Time Synchronization: Kerberos fails when clock skew exceeds the tolerance (5 minutes by default)

Diagnostic Tools

# Verify replication
repadmin /showrepl

# Verify DNS
nslookup domain.com

# Verify time
w32tm /query /status

# Verify connectivity
ping domain-controller
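The four checks above can be tied together so that the DCs are discovered the way clients discover them. This is an added example, not code from the original page; it assumes a domain-joined host (the domain comes from the environment), the standard AD service ports, and the Kerberos default skew limit of 5 minutes.

```powershell
# Added example: check that this host can locate and reach the domain controllers.
# Assumes a domain-joined host; ports are the standard AD service ports.
$Domain = $env:USERDNSDOMAIN
if (-not $Domain) { throw 'Not domain-joined: set $Domain explicitly.' }

# Clients find DCs through this SRV record; a missing or stale record is the usual DNS failure
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
"Domain controllers advertised in DNS for ${Domain}:"
$Srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# Services a member needs: DNS, Kerberos, RPC mapper, LDAP, SMB (SYSVOL/GPO), LDAPS, Global Catalog
$Ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS'; 3268 = 'GC' }
$DCs   = $Srv.NameTarget | Sort-Object -Unique

$Results = foreach ($dc in $DCs) {
    $row = [ordered]@{ DC = $dc }
    foreach ($p in ($Ports.Keys | Sort-Object)) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        $row[$Ports[$p]] = $t.TcpTestSucceeded
    }
    [pscustomobject]$row
}
$Results | Format-Table -AutoSize

# Kerberos rejects tickets when clock skew exceeds 5 minutes; compare this host against each DC
foreach ($dc in $DCs) {
    # /dataonly prints "time, offset" lines; the last line carries the offset in seconds
    $line = (w32tm /stripchart /computer:$dc /samples:1 /dataonly) | Select-Object -Last 1
    "$dc  $line"
}
```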

Best Practices

Design

  • Single Domain: Single domain when possible
  • OU Structure: Logical OU structure
  • Naming Convention: Naming conventions
  • Documentation: Complete documentation

Security

  • Regular Audits: Review memberships, permissions and policies on a schedule
  • Principle of Least Privilege: Grant only the access each role needs
  • Monitoring: Continuous monitoring of logons and directory changes
  • Training: Staff training on secure administration

Maintenance

  • Backup: Regular, tested backups of domain controllers
  • Updates: Regular updates of domain controllers and tools
  • Monitoring: Performance monitoring of DCs and replication
  • Documentation: Keep documentation up to date
