Active Directory Basics

Alan Arley
7 min read · Sep 8, 2021

What is Active Directory?

Active Directory is a directory service created by Microsoft that centralizes the management of users, computers and other objects within a network.

What is Active Directory for?

You can think of Active Directory as a service and database that stores records about users, devices, applications and groups, grants permissions, and manages all of this information in a hierarchical structure. Its primary function is to authenticate (AuthN) and authorize (AuthZ) users and computers.

Active Directory Keywords

AD: Abbreviation for “Active Directory”.

AD DS: “Active Directory Domain Services”, the server role that provides the directory; the term is also used for a server that is running it.

DC: “Domain Controller”, a server that is running the AD DS role. The primary function of a domain controller is to authenticate and authorize users and their resources within a domain network.

DNS: Abbreviation for “Domain Name System”. AD DS uses DNS name resolution so that clients can locate DCs and so that the DCs hosting the directory service can communicate with each other. You can learn more about DNS here.

GC: “Global Catalog”, a data storage service hosted on a DC. By default the first DC in a domain is designated as the GC server, and a DC running the GC is known as the Global Catalog Server. The GC server stores copies of all objects within the domain and is used to perform forest-wide searches.

Schema: a blueprint that defines how objects can be created, stored and used in AD. Every object is an instance of a class, and every class has its own attributes and syntax; if you create a “Computer” object, that object is an instance of the “Computer” class.

RODC: “Read-Only Domain Controller”, a server that holds a read-only copy of the AD database and does not allow changes; its purpose is to improve physical security.

FQDN: “Fully Qualified Domain Name”, a name composed of a hostname and the domain name. For example, the FQDN of a computer object named “server1” in the domain “mirage.net” would be “server1.mirage.net”.

FSMO: “Flexible Single Master Operation” roles, which are installed on the first DC when a new forest is created.

LDAP: “Lightweight Directory Access Protocol”, an open protocol that gives applications and systems a communication mechanism for accessing and authenticating against directory services. It supports Kerberos authentication, SASL (Simple Authentication and Security Layer) and SSL (Secure Sockets Layer), follows a client/server model and runs over TCP/IP. In simple words, LDAP is a way of speaking to AD.

ADWS: “Active Directory Web Services”, a service that allows remote management of local directory domains and AD LDS instances. It is installed automatically with the AD DS or AD LDS role and uses the Web Socket protocol over port 9389.

AD Recycle Bin: this feature allows you to restore deleted objects. It is not enabled by default, but you can learn how to enable it here.

SYSVOL: stores information from AD and replicates it to other DCs. It is a shared folder whose default location is %SYSTEMROOT%\SYSVOL\sysvol.
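As an added example for the AD Recycle Bin entry above (not code from the original post), the following PowerShell checks whether the feature is enabled, enables it for the forest, lists what is currently recoverable and restores one deleted user. It assumes the RSAT ActiveDirectory module, an Enterprise Admin session and the post's example forest mirage.net; the account name jdoe is a placeholder.

```powershell
# Added example, not the post's own code. Assumes the RSAT ActiveDirectory module,
# an Enterprise Admin session and the post's example forest "mirage.net".
Import-Module ActiveDirectory

# Enabling the Recycle Bin is a one-way, forest-wide change, so check the state first.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target 'mirage.net' -Confirm:$false
    Write-Host 'Recycle Bin enabled for forest mirage.net'
} else {
    Write-Host 'Recycle Bin is already enabled'
}

# Deleted objects keep their attributes and sit under CN=Deleted Objects.
# Their RDN is rewritten to "name\0ADEL:<guid>", so the original name has to be
# read from msDS-LastKnownRDN; lastKnownParent shows where the object used to live.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged |
    Select-Object msDS-LastKnownRDN, ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Restore a single deleted user (placeholder account "jdoe") to its original container.
# An LDAP filter is used here because the attribute name contains a hyphen.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=jdoe))'
if ($deleted) {
    $deleted | Restore-ADObject
    Write-Host "Restored $($deleted.DistinguishedName)"
} else {
    Write-Host 'No deleted user named jdoe found'
}
```

Objects deleted before the feature was enabled are tombstones without their attributes and cannot be restored this way.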

Domain Structure

AD is not concerned with the network topology or the physical placement of DCs; it structures resources logically. Rather than finding resources by their physical location, AD finds them by name, using the following hierarchical structure:

Forest: a forest is the collection of one or more AD trees. It is the top container in the hierarchical structure and creates a logical separation between trees. The first domain created in AD automatically generates a forest. A forest can have one or more trees, each with one or more domains, and all trees within the forest share the same schema, meaning that the content of objects will be replicated to all domains in the forest. Domains within a forest trust each other by default.

Tree: a series of domains connected in a hierarchical fashion, all using the same DNS namespace. They are part of the same domain tree, and a trust is automatically created between parent and child domains. For example, if a domain called “dev” were added under “mirage.net”, it would be named “dev.mirage.net”.

Domain: domains are logical units of containers and objects within Active Directory. A domain contains a hierarchical structure for users, groups and computers; a DNS name that identifies the domain; policies that can be applied to users, groups and computers; and security services that provide authentication and authorization to resources in the domain and in other domains. A domain can have multiple sub-domains (also known as child domains).

Active Directory Objects

Objects in AD are resources representing something on the network, such as users, groups, computers, printers, shared folders or applications. These objects can be placed into domains and OUs. Let’s take a look at each object type.

OU: an Organizational Unit is an object that can contain other objects from the same domain; you can use OUs to store and manage users, contacts, computers and groups. OUs are also used to apply group policy settings and permissions to the entire container.

Users: objects assigned to individuals so they can gain access to domain resources. User accounts can also be used to run programs or system services.

Groups: these objects are collections of users, computers or contacts. There are two types of groups:

° Security: groups that can be used to assign access to resources or apply permissions.

° Distribution: groups used by email applications to send an email to a set of users.

Computers: these objects represent the computers that are joined to the domain.

Contacts: this object contains information about third-party contacts. It cannot be used to log into the domain, it has no SID, and it cannot be used to secure permissions.

Printers: These objects are shared printers within the domain.
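An added example (not from the original post) that ties the LDAP keyword to the object types above: it speaks LDAP to AD through .NET's DirectorySearcher, lists enabled user accounts with the OU path and SID of each, and then shows that contact objects carry no objectSid. It assumes a domain-joined Windows host that can reach a DC of the post's example domain mirage.net and binds with the logged-on user's credentials.

```powershell
# Added example, not the post's own code. Assumes a domain-joined host with line of
# sight to a DC of the post's example domain "mirage.net"; the bind uses the
# current user's Kerberos ticket, which is LDAP's default on Windows.
Add-Type -AssemblyName System.DirectoryServices

# The base DN mirrors the DNS name of the domain: mirage.net -> DC=mirage,DC=net
$root     = New-Object System.DirectoryServices.DirectoryEntry('LDAP://DC=mirage,DC=net')
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

# LDAP filter: user objects whose ACCOUNTDISABLE bit (0x2) in userAccountControl is clear.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule that AD understands.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 500   # request paged results; a DC returns at most 1000 entries per page by default
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'objectSid'))

$users = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties    # attribute names come back lower-cased
    # objectSid is returned as raw bytes; decode it to the familiar S-1-5-21-...-RID form.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($p['objectsid'][0], 0)
    [pscustomobject]@{
        Account = $p['samaccountname'][0]
        DN      = $p['distinguishedname'][0]   # the DN shows which OU or container holds the object
        SID     = $sid.Value
        RID     = $sid.Value.Split('-')[-1]    # the relative ID issued from the domain's RID pool
    }
}
$users | Format-Table -AutoSize

# Contacts are directory objects too, but as the post notes they carry no objectSid,
# which is why they can never be granted permissions or appear in an ACL.
$searcher.Filter = '(objectClass=contact)'
foreach ($c in $searcher.FindAll()) {
    '{0}  hasSid={1}' -f $c.Properties['distinguishedname'][0], $c.Properties.Contains('objectsid')
}
```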

FSMO

As mentioned in “Active Directory Keywords”, FSMO roles allow DCs to authenticate and grant permissions. Authentication and authorization are separated into different roles that can be distributed across multiple DCs, giving better performance and failover in case one DC goes down.

There are 5 FSMO roles:

° Schema Master: a forest-wide role that handles all changes to the Active Directory schema. There is only one in the entire forest.

° Domain Naming Master: a forest-wide role that is in charge of managing domain names. There is only one in the entire forest.

° PDC Emulator: “Primary Domain Controller Emulator”. The DC holding this role has the highest authority within the domain; it handles authentication requests, password changes, account lockouts and group policies, and is the time server for clients. It is a domain-wide role.

° RID Master: the “Relative Identifier” master role is in charge of keeping blocks of IDs and assigning them to the different DCs within the domain; it also ensures that objects are not assigned the same SID or RID. When objects are created, they get a unique SID and a relative ID. It is a domain-wide role.

° Infrastructure Master: this role is used to reference objects in other domains; it translates GUIDs, SIDs and DNs between domains. If users from Domain A are members of a security group in Domain B, the Infrastructure Master role is used to reference the accounts in the correct domain. It is a domain-wide role.
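An added PowerShell example (not code from the original post) that locates the five role holders described above, checks that each one answers, and flags the classic Infrastructure Master placement problem. It assumes the RSAT ActiveDirectory module on a domain-joined host and reads the roles from the forest and the current domain.

```powershell
# Added example, not the post's own code. Assumes the RSAT ActiveDirectory module
# on a domain-joined host; role holders are read from the forest and current domain.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide roles come from the forest object, the three domain-wide ones
# from the domain object (the same data "netdom query fsmo" prints).
$roles = [ordered]@{
    'Schema Master (forest)'         = $forest.SchemaMaster
    'Domain Naming Master (forest)'  = $forest.DomainNamingMaster
    'PDC Emulator (domain)'          = $domain.PDCEmulator
    'RID Master (domain)'            = $domain.RIDMaster
    'Infrastructure Master (domain)' = $domain.InfrastructureMaster
}

# Report each holder and whether it answers right now: an unreachable holder is the
# first thing to check when password changes, lockouts, object creation (RID pool
# exhaustion) or schema updates start failing.
$report = foreach ($role in $roles.GetEnumerator()) {
    [pscustomobject]@{
        Role      = $role.Key
        Holder    = $role.Value
        Reachable = Test-Connection -ComputerName $role.Value -Count 1 -Quiet
    }
}
$report | Format-Table -AutoSize

# The Infrastructure Master only updates cross-domain references correctly if it is
# NOT a Global Catalog, unless every DC in the domain is a GC. Warn on that layout.
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC while other DCs are not; cross-domain group references will go stale"
}

# The PDC Emulator is the authoritative time source for the domain; confirm this
# host actually synchronises from the domain hierarchy rather than a local clock.
w32tm /query /source
```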

Other Active Directory Services

AD offers other services related to permissions, identities and network resources. These are:

Active Directory Domain Services (AD DS)

This is the most commonly used service; it provides capabilities for storing and managing directory data. In this post we have described what it is, what it is for and what information it can store.

Active Directory Certificate Services (AD CS)

This server role lets administrators build and manage a Public Key Infrastructure (PKI) and provide digital certificates and signatures for the organization. The role lets you define roles and policies for creating, managing, distributing, using, storing and revoking certificates and public keys, encrypting network traffic, and authenticating users and computers.

Active Directory Federation Services (AD FS)

This service is an identity management solution; it allows single sign-on (SSO) to external web sites and applications, so users only need to remember one set of credentials for multiple places. Office 365 is a common use case for federation services.

Active Directory Lightweight Directory Services (AD LDS)

This service provides directory services using the LDAP protocol without deploying DCs. It is completely independent of the domain limitations of AD DS and is not tied to AD, its forests or its domains; it can run on any stand-alone server and provides its own data store.

Active Directory Rights Management Services (AD RMS)

This service is a data access control solution; it provides methods for protecting digital content such as documents, emails, Office files and web pages by defining who can open, modify, print, forward or take other actions on them.

I hope you liked my post 😊 If you have any comments or suggestions, we can get in touch through LinkedIn.

Thanks for reading.
