Directory services are crucial in the management of today’s IT infrastructures. The Active Directory managed by Microsoft is one of the most popular directory services out there. Today, we’ll be looking at what Active Directory does and how you can use it to your advantage.
What Is Active Directory
The Active Directory is a service storing data within a network environment. This data includes records on devices, users, apps, and even groups of devices within your network hierarchy.
Directory services like Active Directory have become so popular because networking resources are swiftly growing in complexity. Network administrators, therefore, resort to directory services as a way to keep this complexity manageable.
In essence, Active Directory is like a phonebook containing all of the devices within your network. It helps you access and manage the data and resources within your network without needing to be present.
What Active Directory Does
There are many reasons enterprises use Active Directory and similar services. The biggest is convenience. Using Active Directory removes the hassle of logging into multiple locations or being present on-premises to manage resources.
This helps administrators cut down on menial tasks like logging in to multiple devices or entering their credentials whenever they want to manage a resource.
Setting Up Active Directory Using RSAT
RSAT or Remote Server Administration Tools makes it a lot easier to set up Active Directory. However, it requires that you’ve got access to Windows Enterprise or Windows Professional.
If you’re using Windows 10 (Version 1809), you’ll want to use the following steps:
- Go to “Start”
- Next, navigate to “Settings”
- Finally, go to “Apps”
- Click “Manage Optional Features” and go to “Add Feature”
- From the menu, pick “RSAT: Active Directory Domain Services and Lightweight Directory Tools”
- Click Install
Now you can access Active Directory by navigating to the Start menu and clicking “Windows Administrative Tools”.
If you’re using a different version of Windows 10, or are using Windows 8, then follow these steps:
- Right-click “Start”
- Go to “Control Panel” and then “Programs”
- Click on “Programs and Features”
- Click on “Turn Windows Features on or off”
- Go to “Role Administrator Tools”
- Make sure you check “AD DS” tools in “AD DS and AD LDS Tools”
- Click Ok
Now you can access Active Directory by clicking Start and navigating to “Administrative Tools”.
Setting Up A Domain Controller
To get value out of Active Directory, you’ll need to set up a domain controller. This is a central computer that handles authentication requests across the network, and it is where you’ll keep all of the login credentials of your network’s devices.
This is quite simple. First, give the domain controller a static IP address and install AD DS (Active Directory Domain Services); after that, it’s just a matter of following a few more steps:
- Open up the Server Manager
- Go to “Roles Summary” and click on “Add roles and Features”
- Press Next
- Pick “Remote Desktop Services Installation” in case you’re setting up your Domain Controller within a VM, or pick a different form of installation like feature-based or role-based installation
- Pick a server from the pool
- When a list pops up, pick “Active Directory Domain Services” and press Next
- Leave all of the default features checked
- Click on “Restart the destination server automatically if required”
- Press install
When the installation is complete, you’ll see a notification pop up next to your Manage menu. Once that happens, follow these steps:
- Click “Promote this server into a domain controller”
- Next, press “Add a new forest”. Right-click the Root domain name
- Pick the domain functional level you feel comfortable with and choose a password to enter into the “Directory Services Restore Mode (DSRM)” section
- Once you see a DNS Options page, press Next
- Type a domain into the “NetBIOS Domain” section, usually the same as your root domain name
- Pick a folder that will contain your log and database files
- Press Install
After your system has finished rebooting, you’ll be done!
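The same domain controller setup, done from an elevated PowerShell session on the future DC instead of Server Manager. This is an added example and not part of the original article; the NIC name “Ethernet”, the 192.168.10.0/24 addressing, and the forest name “corp.example” are placeholders you must replace.

```powershell
# Added example (not from the original article): static IP, AD DS role and
# forest promotion from PowerShell. Interface name, addresses and domain name
# below are placeholders.

# Step 1: give the domain controller a static IP address. The DC points DNS at
# itself because the promotion below installs the DNS Server role as well.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.168.10.5' `
    -PrefixLength 24 -DefaultGateway '192.168.10.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.5'

# Step 2: install AD DS together with the RSAT management tools. This is the
# "Add roles and Features" wizard with the default features left checked.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 3: promote the server into a new forest. The DSRM password is prompted
# for rather than written into the script; the NetBIOS name and the database,
# log and SYSVOL folders correspond to the wizard pages described above.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Install-ADDSForest `
    -DomainName 'corp.example' `
    -DomainNetbiosName 'CORP' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force:$true
# The server reboots automatically once promotion finishes.
```

`WinThreshold` is the Windows Server 2016 functional level; pick the level you would have chosen in the wizard.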
Setting Up Active Directory Users
The first two groups that Active Directory lets you manage are users and computers. This section is dedicated to setting up brand new user accounts. Much like the last section, this is relatively simple to do.
The easiest way to manage users is the “Active Directory Users and Computers” tool, ADUC. This tool comes with the RSAT pack, also known as the Remote Server Administration Tools.
Installing ADUC is quite simple. If you’re using Windows 10 version 1809 or above, do the following:
- Right-click Start
- Go to “Settings” then “Apps”
- Click “Manage Optional Features” and go to “Add feature”
- Pick RSAT: Active Directory Domain Services and Lightweight Directory Tools
- Click “Install”
You’ll now be able to access it from Windows Administrative Tools.
If you’re using Windows 8 or Windows 10 (below version 1804), do the following:
- Install Remote Server Administrator Tools
- Right-click Start
- Go to “Control Panel” then “Programs”
- Move to “Programs and Features” then “Turn Windows features on or off”
- Pick “Remote Server Administration Tools” from the menu
- Expand “Role Administrator Tools”, then go to “AD LDS Tools”
- Make sure “AD DS Tools” is checked, then click “Ok”
You can now access ADUC by going to Start, then “Administrative Tools”, and clicking on “Active Directory Users and Computers”.
Making A New User Using ADUC
- Open up the Server Manager
- Navigate to the “Tools” menu and click “Active Directory Users and Computers”
- Expand the menu and press “Users”
- Right-click the right pane
- Navigate to “New” then “User”
- You’ll see a “New Object - User” box pop up; type the user’s First name, Last name, and User logon name. Click Next
- Type in a password for the user
- Press Finish
Now you’ll be able to find the user within ADUC’s “Users” section.
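The RSAT installation steps for Windows 10 1809 and later (from both RSAT sections above) and the “New Object - User” dialog, as one PowerShell script. This is an added example, not code from the original article; the OU path, the user details and the domain “corp.example” are placeholders, and it assumes you run it as a domain user allowed to create accounts.

```powershell
# Added example (not from the original article): install the RSAT AD tools on a
# Windows 10 1809+ client, then create a user the way the ADUC dialog does.
# OU path, user details and domain name are placeholders.

# Step 1: on Windows 10 1809 and later, RSAT is an optional capability (the
# "Manage Optional Features" step above). Install it only if it is missing.
$cap = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*'
if ($cap.State -ne 'Installed') {
    $cap | Add-WindowsCapability -Online | Out-Null
    # A new PowerShell session may be needed before the module is discoverable.
}
Import-Module ActiveDirectory

# Step 2: the same fields the dialog asks for, plus an explicit OU so the account
# does not land in the default Users container. The initial password is prompted
# for so it never sits in the script.
$firstName = 'Alice'
$lastName  = 'Example'
$logon     = 'alice.example'
$password  = Read-Host -AsSecureString -Prompt "Initial password for $logon"

New-ADUser -Name "$firstName $lastName" `
    -GivenName $firstName -Surname $lastName `
    -SamAccountName $logon `
    -UserPrincipalName "$logon@corp.example" `
    -Path 'OU=Staff,DC=corp,DC=example' `
    -AccountPassword $password `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Step 3: confirm the account exists, is enabled and sits where intended, which
# is what you would check in the ADUC "Users" view afterwards.
Get-ADUser -Identity $logon -Properties PasswordLastSet |
    Select-Object SamAccountName, Enabled, DistinguishedName, PasswordLastSet
```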
Monitoring Active Directory
Much like any other kind of IT infrastructure, you’ll need to monitor Active Directory to make sure you’re staying safe. Doing this is crucial in preventing cyberattacks on your network and ensuring that you give your users the best experience possible.
Thankfully, Active Directory has a codified way of letting you know what network events are occurring. In particular, you should monitor for replay attacks and for changes to the audit policy.
Looking At Active Directory Trees And Forests
While dealing with Active Directory, you’re bound to hear about forests and trees quite a lot. These are the two quintessential terms you’ll need to understand to grasp the logical structure of Active Directory. Put simply:
- A tree is a single domain together with its child domains
- Forests are groupings of domains
This means that when multiple trees are grouped, they become a forest.
Trees within the same forest are connected with a trust relationship. This lets domains within a forest share info with each other. By default, all domains will trust each other, allowing access to each with the same account information you use for the root domain.
Every forest has a single unified database. Logically, forests sit at the top of the hierarchy, while individual trees are at the bottom. Therefore, one of the biggest challenges you’ll face using Active Directory is managing forests correctly while still keeping the whole directory secure.
An example of this is whether you need a design that incorporates multiple forests or if one forest will do the trick. The efficient solution is to use just one forest; however, that compromises security. On the other hand, using multiple forests is more difficult and expensive to manage but increases security.
How Trust Relationships And Types Work
Like we discussed above, we use trusts to enable communication between different domains. Trusts make authentication and resource allocation between trees and forests much easier to handle.
There are two types of trust: one-way and two-way. In either kind of trust, the domains involved are divided into trusting domains and trusted domains.
- One-Way Trust: In a one-way trust, the trusting domain accepts the authentication details of the trusted domain, so that users of the trusted domain can access resources within the trusting domain.
- Two-Way Trust: A two-way trust means that both domains can access the other’s authentication details as well as access resources between each other.
By default, every domain in a single forest trusts every other domain in that forest. However, you can make it so that domains in different forests can transfer information between each other.
Making trusts is facilitated through the New Trust Wizard. This config wizard lets you create new trusts and look at the Domain Name, Trust Type, and the Transitive status of your trusts.
The Various Types of Trust
- Parent and Child: These trusts are established when a child domain gets added to a domain tree. It is a transitive, two-way trust set up by default
- Tree-root: Another transitive, two-way trust, set up by default when a new tree is made in a forest
- External: This is a non-transitive trust that can operate one-way or two-way; it gives access to resources in a domain not covered by a forest trust, or in a Windows NT 4.0 domain
- Realm: This non-transitive trust can be one-way or two-way and is used to make a trust between a non-Windows Kerberos realm and a Windows Server 2003 domain
- Forest: A transitive trust that can be one-way or two-way and facilitates sharing resources among forests
- Shortcut: A transitive trust that can be one-way or two-way and is used to reduce the time spent logging on between two domains in a Windows Server 2003 forest
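The same attributes the New Trust Wizard shows (partner domain, trust type, transitive status), listed for every trust of the current domain and mapped onto the trust types above. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, and the classification into kinds is this example’s own, since shortcut trusts are not told apart from parent-child and tree-root trusts by these attributes.

```powershell
# Added example (not from the original article): enumerate trusts and map them
# onto the trust types described above. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustKind {
    param($Trust)
    # Classification from the trust's attributes. Shortcut trusts are intra-forest
    # too, so they are reported together with parent-child and tree-root trusts.
    if ($Trust.IntraForest)         { return 'Parent-child / tree-root / shortcut' }
    if ($Trust.ForestTransitive)    { return 'Forest' }
    if ($Trust.TrustType -eq 'MIT') { return 'Realm (Kerberos)' }
    return 'External'
}

$trusts = Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Partner       = $_.Name
        Direction     = $_.Direction            # Inbound, Outbound or BiDirectional
        TrustType     = $_.TrustType            # Uplevel, Downlevel, MIT or DCE
        Transitive    = -not $_.DisallowTransivity   # property name is spelled this way in the module
        Kind          = Get-TrustKind $_
        # Two settings that limit how far the other side is believed: selective
        # authentication restricts which resources its users may reach, and SID
        # filtering stops SID history from the other side from being honoured.
        SelectiveAuth = $_.SelectiveAuthentication
        SidFiltering  = ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
    }
}
$trusts | Format-Table -AutoSize

# Trusts that reach outside the forest without both protections are the ones
# to review first when deciding whether one forest or several is the right design.
$trusts | Where-Object {
    $_.Kind -ne 'Parent-child / tree-root / shortcut' -and
    -not ($_.SelectiveAuth -and $_.SidFiltering)
}
```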
Finding The Source of An Account Lockout
Finding the source of an account lockout is made simple by the Event Viewer. Active Directory writes a Windows event whenever an action occurs, so you just need to find the right event log entry.
You can do this by following these steps:
- Open up PowerShell by opening Run and typing in “powershell”
- Type (get-addomain).pdcemulator in the command line
- Write down the PDC Emulator domain controller’s address, which will pop up on the following line
- Exit Powershell
- Go to the DC with the same name as that PDC Emulator
- Expand Windows Administrative Tools within the Start menu
- Open up “Event Viewer”
- In Event Viewer, go to “Security”
- You’ll now see Security events listed on the central panel; press on “Filter Current Log” on the right panel
- Within the “Event IDs” field, enter “4740” in place of “<All Event IDs>”
- Pick a time horizon within the drop-down list at the top of the form
- If you’re looking for a lockout on a specific user or resource, you can enter the hostname or username
- Double click on any log entries relating to the user or resources you’re interested in with a matching timestamp. This opens up the Event Report
In the Event Report, you’ll be able to see the locked out user, what device the lockout occurred on, as well as its source and reason.
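The same lockout search done with PowerShell against the PDC emulator, so the locked-out user and the calling computer can be pulled out of every 4740 event at once and repeat offenders summarised. This is an added example and not part of the original article; it assumes the RSAT ActiveDirectory module is installed and that you can read the Security log on the PDC emulator remotely.

```powershell
# Added example (not from the original article): find account lockout sources
# from the PDC emulator's Security log with PowerShell instead of Event Viewer.
param(
    [string]$User  = '*',   # sAMAccountName to look for, '*' for all users
    [int]$Hours    = 24     # time horizon, like the Event Viewer drop-down
)

# Step 1: lockouts are always recorded on the PDC emulator, so query it directly.
$pdc = (Get-ADDomain).PDCEmulator

# Step 2: the same filter as "Filter Current Log" with Event ID 4740 and a time range.
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Step 3: pull the fields the Event Report shows out of each event's XML.
$lockouts = foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        LockedUser     = $field['TargetUserName']
        # In event 4740 the "Caller Computer Name" is carried in TargetDomainName.
        CallerComputer = $field['TargetDomainName']
        RecordedOnDC   = $e.MachineName
    }
}

# Step 4: narrow to one user if asked, newest first.
$lockouts | Where-Object { $_.LockedUser -like $User } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Step 5: machines that keep locking accounts out usually hold a stale saved
# credential or a scheduled task with an old password; review those first.
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'CallerComputer'; e = { $_.Name } } | Format-Table -AutoSize
```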
Frequently Asked Questions About Active Directory
How Is Active Directory Different From Domain Controllers?
A domain controller is an authentication management system implementing Active Directory functions upon the objects within that domain’s database. On the other hand, Active Directory is a system that serves to handle authentication and management of these domains.
How Do I Enable Active Directory Security Auditing?
- Log into Windows Server as admin
- From the Start menu, click on “Administrative Tools”
- Go to the “Group Policy Management Console”
- Navigate to the Domain/OU you wish to audit
- Right-click on the chosen object and click “Edit”
- In the popup (called the Group Policy Management Editor), go to the left tree menu and then “Computer Configuration”
- Go to “Policies”, then expand “Windows Settings”
- From there, click “Local Policies”
- Finally, click on “Audit Policies”
- From the Editor’s main panel, press on “Audit object access” and pick Success/Fail options
- Press on “Audit Directory service access” and pick Success/Fail options
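A check that the audit settings chosen in the Group Policy Management Editor have actually taken effect on a domain controller. This is an added example, not code from the original article; it assumes an elevated prompt on the DC and that the legacy “Audit object access” and “Audit Directory service access” policies surface as the three subcategories named in the script (auditpol reports the effective local policy, which is what the GPO ultimately sets).

```powershell
# Added example (not from the original article): verify the effective audit policy
# on a domain controller after applying the GPO described above.
# Subcategories chosen here are an assumption: "Directory Service Access" and
# "Directory Service Changes" sit under DS Access, "File System" under Object Access.
$subcategories = 'Directory Service Access', 'Directory Service Changes', 'File System'

$results = foreach ($sub in $subcategories) {
    # /r makes auditpol print CSV, which is easier to parse than its table output;
    # blank lines are dropped before parsing.
    $row = auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory = $sub
        Setting     = $row.'Inclusion Setting'      # e.g. "Success and Failure"
        Ok          = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'Audit policy is not fully effective: refresh policy on the DC (gpupdate /force) or check the GPO link.'
}
```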
How Are LDAP and Active Directory Different?
LDAP, or Lightweight Directory Access Protocol, is an open standard that defines how directory data and access rights can be queried and managed. Active Directory, on the other hand, is a system that implements and builds on that standard. In essence, Active Directory is the next step of the concepts LDAP defined.
How Are Single Sign-On And Active Directory Different?
Single Sign-on or SSO gives every user access to multiple systems using a single authentication procedure. On the other hand, Active Directory is a whole management system capable of implementing its own SSO environments.
Is It Possible To Install Active Directory On Client Systems?
This is impossible. Active Directory is a server-exclusive feature of Windows Server. Therefore, any client that would install Active Directory would be a server.
Do You Need Monitoring Software For Active Directory?
Like any other piece of infrastructure, Active Directory needs to be monitored. So getting a tool to help you monitor Active Directory can be a great idea to help you manage your domains efficiently. When looking at a tool, you should keep some factors in mind:
- How intuitive is the UI?
- Does it help you organize Active Directory better?
- How good is it at creating reports for audits?
- Can it monitor more than one Active Directory instance?
- What factors can it track?
- Does it come with a free trial, so you don’t have to commit to purchasing immediately?
Active Directory has proven time and time again to be one of the best resource management tools out there. However, we’ve only looked at the tip of the iceberg in terms of its potential today.
If you’re using Active Directory to make your resource management more efficient, make sure you account for its security risks. Note down key events, and use a tool to help you monitor them.
What’s your favorite thing about Active Directory?
Do you use an Active Directory monitoring tool? Why?
Let us know in the comments below!