What is Active Directory Domain Services?
AD DS is organized as a distributed and searchable hierarchical directory that controls access to network resources and allows settings and configurations to be applied through policies.
AD DS is a server role installed on Windows Server and is included with the operating system (OS); no software needs to be downloaded. A server with an installed AD DS role is referred to as a domain controller (DC).
AD DS provides access to resources by authenticating and authorizing domain object resources.
Accessing domain resources is based on a two-stage concept that consists of authenticating and then authorizing; in a nutshell, it involves identifying who you are and determining what you can do:
- Authentication, also referred to as AuthN, is the identity component; it is the process of establishing the identity of a person (or service) and proving they are who they say they are. This can be done by validating access credentials against stored or known identifying information.
- Authorization, also referred to as AuthZ, is the access component; it is the process of establishing what level of access the authenticated person (or service) has to the resource, what they can access, and what actions they may take.
The concept of authenticating and authorizing is shown in the following diagram:
Figure 1.1 – Understanding authentication and authorization
The terms Active Directory and Domain Services (abbreviated to their short forms of AD and DS) are often used interchangeably to mean the same thing. When people refer to AD, they often mean just the DS component, mainly since it is the most common and foundational identity and access management service component to be implemented.
For this book and the exam, we will refer to AD in the context of the DS component only; we will refer to it simply as AD DS for brevity. For additional learning content on the other services that are part of AD, please refer to the Further reading section at the end of this chapter.
AD DS contains a list of objects, such as user accounts, along with their attributes, such as passwords and their assigned access rights to resources. This list can be queried to validate the identity and access rights to a resource in the domain that is created as an object in the information store database. This is shown in the following diagram:
Figure 1.2 – Domain resource access
AD DS functions by classifying everything stored in its information store (database) as an object. Objects can be user accounts, computer accounts, groups (security principals), printers, network appliances, applications, or services. These objects are hierarchical, meaning that objects can contain other nested objects; these types of objects are called containers. We will look at these terms in more detail later in this chapter.
Each object stored in the database has a set of attributes that match the object’s context; this is defined in a schema. The directories information data store is a database structure with a schema that is extensible and can store attributes that suit the business requirement. Being a directory service means every object can be searched, queried, access controlled, managed, and configured in a centralized and policy-driven manner.
The foundation of identity and access management (IAM) is that access to objects is controlled through role-based access control (RBAC) and the principle and practice of least privilege. This means providing the proper scope of control. Just enough access is given to perform a required task without unnecessarily providing elevated access rights that may give a broader scope than required and privileged lateral access if an account were to be compromised. The control mechanism is a group policy and provides group scoping for identities.
AD DS comprises a logical structure that often maps to the organization’s operating model and a physical structure that should map to the network topology.
The following can be considered as the logical components:
- Domain
- Domain tree
- Forest
- OU
- Partition
- Schema
- Container
The following can be considered as the physical components:
- Data store
- Global catalog
- Domain controller
- Read-only domain controller
- Site
- Subnet
These components will be covered in more detail later in this chapter.
This section introduced us to DS, one of AD’s services, which provides a centralized mechanism for authenticating and authorizing resources in a domain.
In summary, AD DS is built around a directory service that is a replicated information store (database) for all domain objects. It primarily provides authentication and authorization for accessing domain objects and configuration and management access.