Active Directory

What is Active Directory?

Active Directory is a specialized software tool that was developed by Microsoft to make it easier for the administrators and security management teams of Windows domain networks to manage and deploy network changes and system or security policy changes to all machines connected to the domain, or to defined groups of users or endpoints.

Features of Active Directory: network objects, schemas, and hierarchy

With Active Directory, network administrators can achieve high-level control over the various domains, users and objects within a network. Administrators can organize users into groups, assign or remove security and access privileges based on group membership and maintain oversight of access controls at every level of the organization. Active Directory employs a unique methodology for structuring network objects that lets network admins deploy changes in an organized and streamlined way, without having to change each object individually. The software also delivers a range of network services known as Active Directory Domain Services (AD DS).

Active Directory provides information on network objects and endpoints (authentication status, certification status, etc.), and services to users. To understand the inner workings of the Active Directory software tool, we need to be familiar with how the tool defines and treats different objects in the network.

A network object in Active Directory can represent anything on the network, including users, groups, computers, tablets, mobile phones, end-user applications, security applications, printers, or shared folders. A network object is assigned a type or class, and all network objects in the same class have the same set of attributes (but different values for at least one of these attributes). Attribute data for a user could include things like First Name or Telephone Number, while attributes for a printer might include Model Number and IP Address. Each object is uniquely defined by its attributes.

The unique identification associated with each network object is also known as its characterization schema. These schemas determine how each object will be used in the network. When network administrators modify a schema in an active directory, the changes automatically propagate throughout the system.

In the Active Directory framework, objects are grouped into hierarchies that determine how they can be viewed, who can access them, and how they can be modified by the administrator.

The Active Directory structure: forests, trees, and domains

Forests, trees, and domains form the hierarchical structure of objects within an Active Directory network. These are the logical divisions by which objects are categorized.

Individual objects are grouped into domains and the objects for each domain are stored in a single database. Each domain is uniquely identified by its DNS name structure. A domain can be defined as a group of network objects that share the same Active Directory database. A domain is considered a management boundary – the objects contained within it are essentially grouped together to facilitate their collective management.

On the next level of the hierarchy are the trees. A tree is a group of domains and domain trees that exist in a contiguous namespace. In the same way that objects in a single domain can be collectively managed, domains that are grouped together in a single tree can be collectively managed.

At the top of the hierarchy in Active Directory, we have forests. A forest is a collection of trees that share the same global catalog, logical structure, and directory schema and configuration. At the forest level, a network administrator can see all of the objects in the directory. The forest also creates a security boundary, such that a network administrator in one forest would have no permissions in a separate forest and only objects within the forest can be accessed.

Active Directory and trusts

Active Directory uses rules called Trusts to allow users in a given domain to access resources in another domain. There are many different types of trust rules that grant varying levels of access and permissions to users.

Trusts can be one-way or two-way. In a one-way trust, users from Domain A can access Domain B, but users from Domain B cannot access Domain A.

Trusts can be transitive or intransitive. A transitive trust can be extended to more than two domains in the forest, while an intransitive trust is a one-way trust that exists between only two domains.

A forest trust applies to the entire forest, is characteristically transitive and may be one-way or two-way. The default boundary for forest trusts is set by the network administrator and will be automatically applied for all newly created domains.

What are Active Directory Domain Services (AD DS)?

In addition to simplifying the management of groups of network objects, Active Directory also provides crucial security services in the form of AD DS. These services include:

1. Domain services – performs login authentication for users and provides search functionality, managing interactions between users and domains and storing data in a central location
2. Rights management – prevents unauthorized access or theft of digital content, protects intellectual property
3. Certificate services – handles the creation, assignment, and oversight of security certificates
4. Lightweight directory services – uses LDAP protocol to support directory-enabled apps
5. Directory federation services – provides single sign-on services to streamline user access to web applications

Analyze Active Directory logs with Sumo Logic

Sumo Logic’s Active Directory application helps network administrators gain insight into activities across their network & security administration systems. With Sumo Logic, network administrators can identify and track changes to objects, groups, trees, and other organization units, monitor network speed and performance and rapidly identify security events before they lead to a costly data breach.

Sumo Logic provides a dashboard that displays the top 10 messages reported in your system with message text and count in a table for the past 24 hours.