17 May 2023 Reading time: 3 minutes

Active Directory and LDAP

ISPSystem

Definition of Active Directory and how it works

Active Directory (AD) is a proprietary implementation of directory services used in Microsoft operating systems. The solution is a centralized database that stores information about users, groups, computers, and other resources on the network.

How AD works

Active Directory components

As explained above, Active Directory (AD) allows you to centrally manage users, groups and computers on a network. The key structural elements of AD are:

  • A domain is a logical group of objects (users, groups, and computers) that are combined based on certain criteria, such as geographic location or functional affiliation. The domain is the main administrative unit of AD.
  • The domain controller is the server that manages the domain in AD. It stores information about objects in the domain, performs user authorization and manages access to resources on the network.
  • A domain tree in Active Directory is a group of linked domains that are combined into a hierarchical structure. The domain tree consists of a root domain and one or more child domains, which are linked hierarchically.
  • A domain forest in Active Directory is a group of linked domain trees that are combined into a single structure. The domain forest consists of one or more domain trees, which are linked by a trust relationship.

Active Directory services

As a rule, the basic Active Directory services are the following:

  • Domain Services (AD DS) - store and verify user credentials;
  • Lightweight Directory Services (AD LDS) - LDAP-enabled directory services that provide flexible support for directory-oriented applications and eliminate the requirements of a traditional Active Directory Directory Service (AD DS);
  • Certificate Services (AD CS) - public key certificates that support encryption;
  • Federation Services (AD FS) - to set up a single login;
  • Rights Management Services (AD RMS) - access rights management.

Why a company needs AD

  • Single point of entry
    Active Directory provides a single point of authentication, allowing users to use the same credentials to access different corporate resources on the network. When a user logs in, they enter their credentials, and if those credentials are correct, the user gains access to the resources to which they has been granted access.
  • Centralized policy management
    Active Directory allows you to centrally manage security policies for all users and resources on the network. Administrators can define access rights to resources, configure security settings, set credential limits, and more.
  • High level of information security
    Using Active Directory provides storage of accounts in a single secure repository, which is located on dedicated domain servers and protected from external access. In addition, the Kerberos protocol is used for authentication in a domain environment, which is considered more secure than NTLM in workgroups.
  • Integration options
    LDAP (Lightweight Directory Access Protocol) allows users to access resources depending on the rights configured by the directory administrator. Other systems such as mail servers, proxy servers and solutions outside of the Microsoft ecosystem also support LDAP. The benefits of this integration include a single login and password for all applications with which the user interacts. This gives the ability to connect and authenticate over corporate hotspots, using Wi-Fi or an external VPN.