This section will help you to learn about the physical and logical components of Active Directory, and how those can be used to build an Active Directory environment by considering business requirements, availability, efficiency, and security. Before we dive into the management and advanced functionalities of Active Directory, we still need to learn about the technology behind a directory service, and the chapters in this section will guide you with this. Apart from that, we are also going to look into the new features of Active Directory 2016.
As we all know, organizations are moving into cloud services on an increasingly frequent basis. This changes the authentication and authorization requirements as well. Therefore, we are also going to evaluate the benefits of moving to a hybrid identity with Azure Active Directory.
This section contains the following chapters:
- Chapter 1, Active Directory Fundamentals
- Chapter 2, Active Directory Domain Services 2016
- Chapter 3, Designing an Active Directory Infrastructure
- Chapter 4, Active Directory Domain Name System
- Chapter 5, Placing Operations Master Roles
- Chapter 6, Migrating to Active Directory 2016
It has been two years since the release of the first edition of this book, Mastering Active Directory. First of all, I would like to thank all my readers for their valuable feedback, which encouraged me to write the second edition so soon after the first. I am sure that you will all benefit from the additional content that has been added to this new edition.
So, the biggest question is, what has changed in Active Directory? Many articles stated that there were no significant changes in Active Directory 2019 soon after its release. Is this true? Does Microsoft not want to do anything more to improve an on-premises Active Directory? Before we look for answers, let's see what has changed in the requirements for identity infrastructure.
Edwin Drake is considered the father of the petroleum industry. Back in 1859, he drilled the first oil well in Titusville, Pennsylvania. Before this, people gathered oil when it naturally rose to the surface, or when they accidentally found it in wells or mines. Nobody drilled wells for the purpose of gathering oil. Therefore, the innovation of the oil well created a whole new industry. It made a huge contribution to the second Industrial Revolution. Oil became the new currency. It created many new opportunities, new businesses, new monopolies, and new politics.
Similarly, we now live in another revolutionary period. This time, data is the new oil. More and more data is now being stored and processed using computers:
The following are the links to the articles mentioned in the preceding screenshot:
When we consider identity infrastructures, our digital identities define what level of access we have, how we access data, and when we have access to the data associated with it. Our identities follow data. For over 15 years, Microsoft Active Directory has been helping organizations to store digital identities in a central repository and arrange it according to the needs of the business. When the infrastructure security boundary is smaller, it is easier to manage identities and the associated data.
But with the fast adoption of cloud technologies, our infrastructure security boundaries are expanding. With these new changes, on-premises identity infrastructures are also transforming into cloud-only and hybrid identity infrastructures. It is changing the way we manage our identities. It is changing the way we secure our identities. It is changing the way identities are contributing to data security. So, yes, to fit its purpose, Microsoft is adding more features to Azure Active Directory (Azure AD) (cloud-based identity and access management). Most of these features also support hybrid identity infrastructure environments.
Therefore, in this second edition, I am going to share more knowledge, which will help you to transform your on-premises identity infrastructure to a hybrid infrastructure. This will allow you to receive the benefits from both the Azure AD and the on-premises Active Directory. It will help you, and your organization, to face the challenges of modern identity infrastructure with confidence.
We are going to start this journey by familiarizing ourselves with the building blocks of the Microsoft Active Directory service. With that in mind, this chapter will cover the following topics:
- Benefits of using Active Directory
- Understanding Active Directory components
- Understanding Active Directory objects
- Active Directory server roles
- Azure AD
A few years ago, I was working on an Active Directory restructuring project for a world-famous pharmaceutical company. According to the company policies, I had to travel to their headquarters to perform the project tasks. So, on a rare sunny English morning, I walked into the company's reception area. After I explained who I was and why I was there, the receptionist handed me a set of forms to fill in. The forms included questions such as my name, phone number, how long I would be there, and in which department. Once I had completed the forms, I handed them over to the receptionist, and she had to make a few calls to verify whether my visit was expected, and then confirm my access to different buildings with the respective department managers. Then, she made a magnetic card with my details on it, and handed it over to me. She instructed me on how to use it and which buildings I was allowed into.
The following diagram outlines this process:
When we think about this process, we find that it contains the functions of a directory service:
- The forms that the receptionist handed over to me contained certain questions to help her understand who I was. They were predefined questions, and I had to answer them in order to register my information in their system. Similar to this form, in a directory service we have to provide values for specific attributes.
- Once I had submitted the forms, she didn't hand over the magnetic card right away. She made a few calls to verify my identity, and also to confirm which buildings I would have access to. Then, my details were registered in the system, and it generated a magnetic card that had my photo and a barcode. With that, I became a part of their system, and that particular card was my unique identity within their organization. There would be no other visitor with the same barcode and identification number at the same time. Similarly, in a directory service, each identity is unique.
- If I needed to get access to buildings, I needed to tap the card at the entrance. Could I use my name or any other card to get through? No! The locking system of the building doors only recognized me if I presented the correct card. So, having a unique identity in their system was not enough; I needed to present it in the correct way to get the required access. Likewise, in an identity infrastructure, you need to validate your identity according to the method that the system had defined. It can be a username and password, a certificate, biometric information, and so on.
- I went to another building and tried to tap the card. Even when I used it correctly, the doors wouldn't open. The guard in the building asked for my card to check. Once I handed it over, he scanned it with a barcode reader and checked some information on his computer screen. Then he informed me that I was not allowed into that building, and he guided me to the correct building. This means that my information can be accessed from any building through their system in order to verify my identity and access permissions. In a similar way, in a directory, identities are saved in a central repository. This data can be accessed and verified from any system o...
