Active Directory

The document provides a comprehensive overview of Active Directory (AD), including its architecture, installation, management tools, and security best practices. It details user and group management, organizational units, and failover scenarios for domain controllers in a network. Additionally, it discusses the importance of AD in enterprise environments and outlines strategies for backup, recovery, and maintenance.

Uploaded by Zahangir Alam

Agenda

• Introduction to Active Directory
• AD Architecture
• Installation and Configuration
• AD Management Tools
• Group Policy Management
• User and Group Management
• Organizational Units and Delegation
• Security Best Practices
• AD Design for NLDC system
• Failover Scenarios
Introduction to Active Directory

What is Active Directory (AD)?

• Active Directory is a centralized directory service for managing users, computers, and resources in a network.
• Importance of AD in Enterprise Environments:
  • Streamlining identity and access management.
  • Facilitating network security and administration.
• Key Features and Benefits of AD:
  • Centralized management.
  • Scalability and flexibility.
  • Integration with other Microsoft services.
• Core Components:
  • Active Directory Domain Services (AD DS): Core function of AD.
  • Active Directory Lightweight Directory Services (AD LDS): Directory service for specific applications.
  • Active Directory Federation Services (AD FS): Single sign-on (SSO) for web-based applications.
  • Active Directory Certificate Services (AD CS): Manages digital certificates.
Active Directory Components and Architecture

• AD Components Overview:
  • Domains: Logical grouping of objects such as users and computers.
  • Trees and Forests: Domains are organized into trees, and multiple trees form a forest.
  • Organizational Units (OUs): Used to group users and computers for easy management.
  • Domain Controllers (DCs): Servers that hold the AD database and provide authentication services.
• Logical vs. Physical Structure:
  • Logical Structure: Domains, trees, forests, and OUs.
  • Physical Structure: Sites and domain controllers.
• AD Schema and Global Catalog:
  • Schema: Defines the types of objects and attributes in the directory.
  • Global Catalog (GC): Contains a partial replica of every object in the forest, speeding up search queries.
Active Directory Domain Services (AD DS)

• What is AD DS?
  • AD DS provides the core directory service functionality, handling authentication, authorization, and identity management.
• Key Functions of AD DS:
  • Authentication and Authorization: Managing login requests and access to resources.
  • Directory Management: Centralized storage and management of objects (users, computers, etc.).
• AD DS Role in the Enterprise:
  • Provides the backbone for identity management and network security.
• Active Directory Trust Relationships:
  • Types of Trusts: Parent-child, tree-root, external, and forest trusts.
  • Transitive vs. Non-transitive Trusts: A transitive trust extends to the domains that the trusted domain itself trusts; a non-transitive trust applies only to the two domains that established it.
Installation and Configuration

Active Directory Installation Steps:

• Prerequisites: Ensure hardware and software requirements are met (Windows Server, networking setup, etc.).
• Promoting a Server to a Domain Controller:
  • Using Server Manager or PowerShell to install Active Directory Domain Services (AD DS).
  • Running the Active Directory Domain Services Configuration Wizard (dcpromo served this purpose on older releases and is deprecated since Windows Server 2012).
• Configuring Active Directory:
  • Defining the Domain Structure: Creating a new forest, domain, or additional domain controllers.
  • Creating Sites and Subnets: For optimal replication and authentication traffic routing.
  • Configuring DNS: Active Directory heavily relies on DNS for locating resources.
Setting Up and Managing Users, Groups, and OUs

• Managing Users in AD:
  • Creating, modifying, and deleting user accounts.
  • User properties: Password policies, account expiration, logon scripts.
• User Authentication and Access Control:
  • Kerberos Authentication: The primary authentication protocol in AD.
  • Single Sign-On (SSO): Streamlining access across multiple applications with one set of credentials.
• Managing Groups in AD:
  • Types of Groups: Security groups (for permissions) vs. distribution groups (for email lists).
  • Group Scope: Domain Local, Global, and Universal groups.
  • Nested Groups: Organizing groups within groups for simplified management.
• Organizational Units (OUs):
  • Structuring users and computers into OUs for delegated administration and Group Policy management.
  • Best Practices for OU Design: Aligning OUs with business structures or functions.
AD Management Tools

Primary AD Management Tools:

• Active Directory Users and Computers (ADUC): Main interface for managing users, groups, computers, and OUs.
• Active Directory Administrative Center (ADAC): Provides a modern, user-friendly interface for managing AD objects and workflows.
• PowerShell for AD:
  • Common commands like Get-ADUser, New-ADGroup, Set-ADOrganizationalUnit for scripting and automation.
• Active Directory Sites and Services: Manages replication and site configurations.
• Active Directory Domains and Trusts: Configures trust relationships between domains.
Group Policy Management

• What is Group Policy?
  • Group Policy provides centralized management and configuration of operating systems, applications, and user settings in an AD environment.
• Components of Group Policy:
  • Group Policy Objects (GPOs): Containers that store policy settings.
  • Local vs. Domain GPOs: GPOs can be applied locally to individual computers or domain-wide.
  • Inheritance and Precedence: GPOs can be linked to sites, domains, and OUs and are processed in the order local, site, domain, OU; a setting applied later overrides an earlier one, unless the earlier link is enforced or inheritance is blocked.
• Common Group Policy Settings:
  • Security Policies: Password policies, account lockout, software restriction policies.
  • User Configuration: Desktop settings, folder redirection, scripts.
  • Computer Configuration: Software installation, Windows settings, network configurations.
• Best Practices for Group Policy Management:
  • Limit the number of GPOs to reduce complexity.
  • Regularly audit and review GPOs.
  • Use Group Policy Modeling and Results to test and troubleshoot GPO settings.
User and Group Management

• Managing User Accounts:
  • Creating Users: Using ADUC or PowerShell to add new users.
  • User Properties: Managing attributes such as logon hours, home folders, and group memberships.
  • Password Policies: Enforcing complexity requirements, expiration periods, and account lockout policies.
• Managing Groups:
  • Security vs. Distribution Groups: Security groups manage access to resources, while distribution groups are used for email distribution lists.
  • Group Scopes: Domain Local, Global, and Universal groups, and when to use them.
• Best Practices for User and Group Management:
  • Use role-based access control (RBAC) to manage permissions efficiently.
  • Organize users into appropriate groups for easy policy and access management.
Organizational Units (OUs) and Delegation

• What are OUs?
  • OUs are containers within a domain used to group objects such as users, computers, and groups for easier administration and the application of Group Policies.
• Best Practices for OU Design:
  • Align OUs with the organizational structure (departments, regions).
  • Avoid deep OU hierarchies to simplify management.
• Delegation of Control in OUs:
  • Delegation: Assigning specific administrative rights to users or groups over particular OUs.
  • Delegation Wizard: Allows granular control over which permissions are delegated (e.g., password resets, account creation).
• Best Practices for Delegation:
  • Follow the principle of least privilege when delegating rights.
  • Document all delegations for auditing and tracking purposes.
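The PowerShell cmdlets named on the AD Management Tools slide and the delegation pattern described here, as one added example (not the deck's own code): it creates an OU and a security group, grants the group only the "Reset Password" right on user objects under that OU, and then lists the resulting ACEs for the delegation record. The domain name, OU name and group name are assumed.

```powershell
# Added example (not from the deck): delegate "Reset Password" over one OU to a helpdesk group.
# Assumed names: domain DC=example,DC=local, OU "Helpdesk-Managed", group "Helpdesk-PasswordReset".
Import-Module ActiveDirectory

$DomainDn  = "DC=example,DC=local"
$OuName    = "Helpdesk-Managed"
$OuDn      = "OU=$OuName,$DomainDn"
$GroupName = "Helpdesk-PasswordReset"

# Create the OU and the security group if they do not exist yet (idempotent).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $OuDn
}

# Well-known schema GUIDs: the "Reset Password" control access right and the "user" object class.
$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$UserClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# Build one ACE: allow the group the Reset Password extended right, inherited only by
# user objects below the OU (not by groups, computers or the OU object itself).
$sid  = (Get-ADGroup -Identity $GroupName).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Record what was delegated: the ACEs granted to the group, for the delegation inventory.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The same ACE is what the Delegation of Control Wizard writes for "Reset user passwords"; scripting it makes the grant repeatable and leaves an auditable record.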


Active Directory Security Best Practices

• Securing Domain Controllers (DCs):
  • Physical and network security of domain controllers.
  • Implementing secure protocols like LDAP over SSL/TLS (LDAPS).
• Best Practices for Securing AD:
  • Least Privilege Principle: Grant only the necessary permissions for users and administrators.
  • Securing Service Accounts: Strong password policies and limiting service account privileges.
• Password Policies and Account Lockout:
  • Enforcing strong password policies: Complexity, expiration, and length.
  • Configuring account lockout thresholds to protect against brute force attacks.
• Auditing and Monitoring:
  • Enabling auditing of critical AD activities: Login attempts, changes to GPOs, modifications to user accounts.
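A read-only review of the controls on this slide (password and lockout policy, privileged group membership, service accounts, stale accounts), as an added example that is not part of the deck. It assumes the ActiveDirectory module and read access to the domain; the thresholds are assumptions to adjust to local policy.

```powershell
# Added example (not from the deck): report weak settings against the slide's best practices.
# Requires the ActiveDirectory module and read access to the domain; nothing is modified.
Import-Module ActiveDirectory

function Get-AdSecurityFindings {
    param([int]$MinPasswordLength = 14, [int]$StaleDays = 90, [int]$ServicePasswordMaxAgeDays = 365)
    $findings = New-Object System.Collections.Generic.List[string]

    # Password and lockout policy: weak or disabled settings undermine every account.
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.MinPasswordLength -lt $MinPasswordLength) { $findings.Add("Minimum password length is $($policy.MinPasswordLength), below $MinPasswordLength") }
    if (-not $policy.ComplexityEnabled) { $findings.Add("Password complexity is not enforced") }
    if ($policy.LockoutThreshold -eq 0) { $findings.Add("Account lockout is disabled (threshold 0)") }

    # Least privilege: who is effectively in the built-in admin groups (nested membership expanded).
    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        $users = Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user'
        $findings.Add("$group has $(@($users).Count) user member(s): $(($users.SamAccountName | Sort-Object) -join ', ')")
    }

    # Enabled accounts exempt from the password policy.
    Get-ADUser -Filter 'Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true)' -Properties PasswordNeverExpires, PasswordNotRequired |
        ForEach-Object { $findings.Add("$($_.SamAccountName): PasswordNeverExpires=$($_.PasswordNeverExpires), PasswordNotRequired=$($_.PasswordNotRequired)") }

    # Service accounts (user objects carrying an SPN) whose password has not been rotated.
    $cutoff = (Get-Date).AddDays(-$ServicePasswordMaxAgeDays)
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        ForEach-Object { $findings.Add("$($_.SamAccountName): service account password last set $($_.PasswordLastSet)") }

    # Stale but still enabled accounts: disable them or confirm they are still needed.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
        Where-Object Enabled |
        ForEach-Object { $findings.Add("$($_.SamAccountName): no logon for $StaleDays days (last $($_.LastLogonDate))") }

    return $findings
}

Get-AdSecurityFindings | ForEach-Object { Write-Output $_ }
```

Run it on a schedule and diff the output against the previous run; a new name in an admin group or a new PasswordNeverExpires account is exactly the change the auditing bullet above is meant to catch.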
Active Directory Replication and Sites

• AD Replication Overview:
  • How data is replicated between domain controllers to ensure consistency.
  • Intra-Site Replication: Replication within a site (fast, frequent) using high-speed LAN.
  • Inter-Site Replication: Replication between sites (slower, scheduled) using WAN links.
• Understanding AD Sites and Subnets:
  • Site: Represents a physical location where domain controllers reside.
  • Subnet: Associates a range of IP addresses with a site for optimal traffic routing.
• Replication Topology:
  • Knowledge Consistency Checker (KCC): Automatically generates the replication topology.
  • Bridgehead Servers: Designated domain controllers that handle inter-site replication.
• Replication Protocols:
  • RPC over IP: Default protocol for intra-site replication and the usual choice for inter-site replication.
  • SMTP: Used for inter-site replication in specific scenarios; it cannot carry the domain partition (only schema, configuration, and global catalog data) and is deprecated.
Backup, Recovery, and Maintenance in AD

• Backup Strategies for Active Directory:
  • System State Backup: Includes essential AD components (NTDS.DIT, SYSVOL, etc.).
  • Scheduling regular backups to protect against data loss.
• Active Directory Recovery Options:
  • Authoritative vs. Non-Authoritative Restore:
    • Authoritative: Restores the domain controller and marks the restored objects as authoritative, so that they overwrite the copies on the other domain controllers through replication (used to recover deleted objects).
    • Non-Authoritative: Restores the DC to its last backup state, then lets normal replication bring it up to date from the other domain controllers.
• Using Windows Server Backup:
  • Step-by-step guide to backing up and restoring AD using the built-in tool.
• Maintenance Tasks:
  • Defragmenting the AD Database: Ensuring optimal performance by periodically defragmenting the NTDS.DIT database.
  • Monitoring AD Health: Using tools like dcdiag, repadmin, and Event Viewer to monitor the health of AD and resolve replication issues.
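The three health tools named in the last bullet wired into one check, as an added example rather than the deck's own procedure: it parses repadmin's CSV output for failing or stale replication links, runs the relevant dcdiag tests in quiet mode, and pulls recent Directory Service errors. The 24-hour staleness threshold is an assumption.

```powershell
# Added example (not from the deck): summarise replication health from repadmin, dcdiag and the event log.
# Run on a domain controller or a management host with RSAT; read-only.
Import-Module ActiveDirectory

function Get-AdReplicationProblems {
    param([int]$MaxHoursSinceSuccess = 24)
    $stale = (Get-Date).AddHours(-$MaxHoursSinceSuccess)

    # repadmin /showrepl * /csv emits one CSV row per inbound replication link of every DC.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    $links | ForEach-Object {
        $lastOk = $null
        $hasLastOk = [datetime]::TryParse($_.'Last Success Time', [ref]$lastOk)
        $failures  = 0
        [void][int]::TryParse($_.'Number of Failures', [ref]$failures)
        # A link is a problem if it has failures, has never succeeded, or last succeeded too long ago.
        if ($failures -gt 0 -or -not $hasLastOk -or $lastOk -lt $stale) {
            [pscustomobject]@{
                Destination   = $_.'Destination DSA'
                Source        = $_.'Source DSA'
                NamingContext = $_.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastOk
                LastError     = $_.'Last Failure Status'
            }
        }
    }
}

function Get-AdDiagnosticErrors {
    # /q prints only failing tests, so any output at all is a finding.
    dcdiag /test:Replications /test:Services /test:Advertising /test:FsmoCheck /q
}

function Get-RecentDirectoryServiceErrors {
    param([int]$Hours = 24)
    # Critical (1) and Error (2) events from the local Directory Service log, as a cross-check.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-AdReplicationProblems | Format-Table -AutoSize
Get-AdDiagnosticErrors
Get-RecentDirectoryServiceErrors | Format-Table -AutoSize
```

A DC that shows up here as a stale destination is also the one whose copy of the directory will be out of date if it has to take over during a failover.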
Active Directory Design for NLDC system

• At the five ALDC sites, the authentication and authorization requests will be carried out by the primary domain controller at the main NLDC.
• The failover scenarios for the case where the primary domain controller is not working are explained in the later sections.

Flexible Single Master Operations (FSMO) Roles:

• FSMO roles are logical roles that carry out tasks related to the integrity of the AD database. The main AD server BDNAD01 holds all five roles (Schema Master and Domain Naming Master are forest-wide; the other three exist once per domain).
• Schema Master: This role is responsible for maintaining and modifying the Active Directory schema, which defines the types of objects, attributes, and relationships that can be created within the directory.
• Domain Naming Master: This role is responsible for controlling the addition or removal of domains in the forest. It ensures that each domain name is unique.
• Infrastructure Master: This role is responsible for updating references from objects in its domain to objects in other domains. It is crucial for cross-domain object referencing.
• Relative ID (RID) Master: This role is responsible for processing RID pool requests from all domain controllers in a particular domain. It is essential for creating unique identifiers for each object.
• PDC Emulator: This role is the authoritative time server for a domain and handles password changes. It is also the default domain controller on which Group Policy objects are created and edited.
• The second server will be designated to take over the roles in case of failure of the primary domain controller.
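How the five roles are inspected and handed to the second server, as an added example that is not part of the deck's design. BDNAD01 is the deck's primary DC; the deck does not name the second main-NLDC server, so "BDNAD02" is an assumed placeholder.

```powershell
# Added example (not from the deck): show and move the five FSMO roles during the failover
# described above. BDNAD01 is the deck's primary DC; the second main-NLDC server is not named
# in the deck, so 'BDNAD02' below is an assumed placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster         # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide
        PDCEmulator          = $domain.PDCEmulator          # per domain
        RIDMaster            = $domain.RIDMaster            # per domain
        InfrastructureMaster = $domain.InfrastructureMaster # per domain
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        # Transfer (default) requires the current holder to be online; Seize is for the failover
        # case where BDNAD01 is down. A DC whose roles were seized must never rejoin the domain
        # without first being cleaned up (metadata cleanup / rebuild), or the roles are duplicated.
        [switch]$Seize
    )
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles -Force:$Seize -Confirm:$false
    Get-FsmoRoleHolders   # verify that every role now points at the target
}

Get-FsmoRoleHolders
# Planned maintenance on BDNAD01:        Move-AllFsmoRoles -TargetDc 'BDNAD02'
# BDNAD01 has failed and will be rebuilt: Move-AllFsmoRoles -TargetDc 'BDNAD02' -Seize
```

During the resync scenario the roles are moved back with a plain transfer once BDNAD01 is healthy again; a seizure is only for the case where the original holder cannot be reached.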
Failover Scenarios

• The following failover scenarios are explained in the subsequent sections:
  • Normal Scenario
  • Failover Scenario of BDNAD01 controller in MNLDC
  • Failover Scenario of BDBAD01 controller in BNLDC
  • Resync Scenario
  • Failover Scenario of entire MNLDC
  • Failover Scenario of entire BNLDC

1. Normal Scenario:
• Under the normal scenario, there will be two operational physical servers in both the main and backup NLDC.
• Users will establish a connection to the domain through the primary domain controller of the main NLDC.
• The primary domain controller in the main NLDC will manage the devices in the main and backup NLDC.
• The figure below illustrates the normal scenario of the Active Directory.

2. Failover scenario of primary domain controller in main NLDC:
• In case the primary domain controller in the main NLDC fails, the additional domain controller will detect this failure; it already holds all the information that was on the primary domain controller through the Active Directory replication process explained in previous sections.

3. Failover scenario of primary domain controller in backup NLDC:
• In case BDBAD01 in the backup NLDC fails, BDBAD02 will detect this failure; it already holds all the information that was on BDBAD01 through the Active Directory replication process explained in previous sections.

4. Resync Scenario for Main NLDC:
• Failback ensures that the original primary domain controller resumes its role once it is operational again.
• Once the primary domain controller is repaired and comes back online, the failback process begins.
• When the primary domain controller becomes reachable again, the additional domain controller initiates the failback, and users connect to the primary domain controller of the main NLDC for authentication and authorization requests.
• The backup solution will be used to restore the backup of the primary domain controller.
• A similar process will be used for the backup NLDC.

5. Failover Scenario of entire MNLDC:
• If the entire main NLDC system fails, the domain controllers of the backup NLDC system will be used to serve the authentication and authorization requests of the users.

6. Failover Scenario of entire BNLDC:
• If the entire backup NLDC system fails, the primary domain controller of the main NLDC system will be used to serve the authentication and authorization requests of the users.

[Figures: Entire main NLDC failover scenario; Entire backup NLDC failover scenario]
THANK YOU
