Domain Controllers and Active Directory: access and corporate identity issues

In the day-to-day of organizations, the security of access to the organization’s IT resources from any device has become a priority. Hence, the organization’s security strategists require resources to make the remote management of passwords, authentication, and other access protocols for each device more efficient.

What is a Domain Controller?

To understand what a domain controller is, let’s first understand what a domain is. A domain is just a device network (PC, laptop, printers, security cameras, etc.) linked by a connection infrastructure (wired or Wi-Fi) to a server computer (which will be the domain controller). That is, a domain controller is a server from which a set of functions of a domain is controlled.

The main functions of a domain controller are as follows:

  • Host user information, password management and access.
  • Distribute software using group policies.
  • Manage user and equipment policies.

Each user within a domain will have a unique user account associated with it, through which they may access the resources within the domain as long as they have access rights.

Types of Domain Controllers

Domain controllers are usually deployed as a cluster, to ensure high availability and maximize reliability. In a Windows environment, a domain controller works as a Primary Domain Controller (PDC); the other servers work as Backup Domain Controllers (BDCs). In Unix-based environments, one machine works as the master domain controller and others work as replica domain controllers, periodically replicating the database information from the primary domain controller and storing it in a read-only format. To be clearer:

  • Primary Domain Controller (PDC): In early versions of Windows Server, a domain controller was designated as a PDC, which was responsible for maintaining the master copy of the user’s database and managing client logon requests. If the PDC failed, a backup domain controller (BDC) could be promoted to take its place.
  • Backup Domain Controller (BDC): BDCs were introduced to provide redundancy to CDPs. They maintained a copy of the user database and could authenticate customers in case the PDC was unavailable.

Although PDC and BDC are no longer used in modern Windows-based networks today, they represent the two types of domain controllers that were used in early versions of Windows Server. Since Windows 2000, Active Directory (more on that later) replaced the primary domain controller and backup domain controller roles.

Specialized Domain Controller Roles

When Windows Server is installed on a computer, a server role specific to that computer can be configured. When you wish to create a new domain or an additional domain controller in an existing domain, the server is configured with the domain controller role by installing Active Directory® Domain Services (AD DS).
There are specialized domain controller tasks that perform specific functions in an AD DS environment. These specialized roles are:

  • Global Catalog Servers
    A global catalog server stores its own complete, recordable domain replica (all items and all attributes) plus a partial, read-only replica of all other domains. The AD DS replication system automatically creates and updates the global catalog. Object attributes that are replicated on global catalog servers are the attributes most likely to be used to search for the item in AD DS. The attributes that are replicated in the global catalog are identified in the schema as the partial attribute set and are defined by Microsoft by default. However, to optimize the search, you may edit the schema by adding or removing attributes stored in the global catalog.
    The global catalog makes it possible for clients to search AD DS without having to be forwarded from one server to another until a domain controller is found that has the domain directory partition storing the requested item. By default, AD DS searches are directed to global catalog servers.
    The first domain controller is automatically created as a global catalog server. Thereafter, they may designate other domain controllers to be global catalog servers if necessary.
  • Operations masters
    Domain controllers performing operations master functions are designated to perform specific tasks to ensure consistency and get rid of the possibility of conflicting entries in the Active Directory database. AD DS defines five operations master roles: schema master, domain name master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master.

Domain Name System (DNS)

The Domain Name System (DNS)​ is a decentralized hierarchical naming system for devices connected to IP networks such as the Internet or a private network. This system associates multiple information with domain names assigned to each of the participants.
The DNS server uses a distributed and hierarchical database that stores information associated with domain names on networks such as the Internet. Although as a database the DNS is able to associate different types of information to each name, the most common uses are the assignment of domain names to IP addresses and the location of the email servers of each domain.
Three main components are used for DNS:

  • Customers phase 1
    A DNS client program running on the user’s computer that generates DNS name resolution requests to a DNS server (For example: Which IP address corresponds to name.domain?)
  • DNS Servers
    That respond to customer requests. Recursive servers have the ability to forward the request to another server if they do not have the requested address.
  • Areas of authority
    It is a part of the domain namespace for which a DNS server is responsible, which can have authority over several zones. (For example: subdomain.Wikipedia.ORG, subdomain.COM, etc.)

Items in Active Directory

Active Directory structures contain information about items classified into two categories: resources (such as printers) and security principles (including accounts and groups of users or computers). Each security entity is assigned a unique security identifier (SID). An item represents a unique entity, such as a user, computer, printer, or group of items, along with their attributes. Some items may even contain other items inside. Each item has a unique name and its definition is a set of features and information using a schema that determines storage in Active Directory.

Something important to consider is that each schema item is an integral part of the Active Directory object definition. Disabling or changing them can fundamentally alter or disrupt an implementation. Schema modification affects the whole system automatically and new items cannot be deleted, but only deactivated. Changing the outline usually requires proper planning.

Replication in Active Directory

Active Directory infrastructure depends on healthy replication. This is because every domain controller on the network must be up to date on every change that has been made. When the domain controller activates synchronization, it passes data through the physical network to its destination.

There are basically two types of replications:

  • In-site replication: It refers to replication that takes place at a site. By default, (according to Microsoft) any domain controller will be aware of any directory updates in 15 seconds. Within the site, despite the number of domain controllers, any directory updates will be replicated in less than a minute.
    Within the site, replication connections operate in ring topology. Which means that any domain controller has two replication links (of course, there are a minimum of three domain controllers). This architecture will prevent domain controllers from having endless replication loops. For example, if there are 5 domain controllers and they are all connected to each other with a one-to-one connection, each domain controller will have 4 connections and when there is an update in one of the domain controllers, it must announce it to the 4 domain controllers. This means that, despite the number of domain controllers on site, any given domain controller only needs to advertise or listen to two domain controllers at any given time.

  • Inter-site replication: If the active directory infrastructure contains more than one site, a change takes place in one site that must be replicated to other sites. This is called inter-site replication and its topology is different from intra-site replication. On-site replication always benefits from high-speed links. But when it comes to bandwidth between sites, latency and reliability are things to consider.

    When it comes to links between sites, replication is done through links to sites – replication on each site still uses the ring topology. Taking the figure above as an example, suppose an item was added to REBEL-DC-02 at the London site. Now, depending on the topology, it will also be announced in REBEL-DC-03. But in addition to being a domain controller, this particular domain controller is also a bridgehead server. Therefore the responsibility of this server is to announce the updates it received on the bridge server on the Canada site, which is REBEL-DC-04. Once the update is received, it will be announced to the other domain controllers on the site. Inter-site replication must still obey the rules that apply to control replication. Active Directory Domain Services automatically selects the bridge server for a site. But if necessary, you may decide what should work as a bridge server for the site.

Active Directory (AD)

Introduction to Active Directory

We mentioned Active Directory several times, so it is now up to us to understand what it is. Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it eventually became an umbrella title for multiple directory-based identity-related services.

Configuring DNS integration with Active Directory Domain Services (AD DS). As mentioned earlier, AD authenticates and authorizes all users and computers on a Windows domain network, assigns and enforces security policies for all computers, and installs or updates software. For example, if a user logs into a computer that is part of a Windows domain, Active Directory verifies the username and password to determine whether the user is a system administrator or a non-administrator user. It also enables information management and storage, provides authentication and authorization mechanisms, and establishes a framework for implementing other related services: certification services,
servicios de federación de Active Directory and rights management services.

Other Active Directory Services

Active Directory services consist of multiple directory services.

  • Active Directory Domain Services (AD DS) are the most common ones and are the base for the whole Windows domain network. AD DS stores information about domain members, including devices and users, verifies their credentials, and defines their access rights. The server that runs this service is called a domain controller. A domain controller is contacted when a user logs into one device, accesses another device over the network, or runs a downloaded line-of-business application on a machine.
    Other Active Directory services include Group Policies, File Encryption, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server, and SharePoint Server.
  • Active Directory Lightweight Directory Services (AD LDS) runs as a service on Windows Server and offers the same feature as AD DS, including an equivalent API. However, AD LDS does not require creating domains or domain controllers. It provides a data store for storing data and a directory service right away with a Lightweight Directory Access Protocol directory service interface (LDAP). Unlike AD DS, multiple instances of AD LDS can run on the same server.
  • Active Directory Certificate Services (AD CS) establish on-premise public key infrastructures. You may create, validate, revoke, and perform other similar actions, as well as public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System, EFS), emails (based on standard S/MIME) and network traffic (when used in virtual private networks, Transport Layer Security protocol or IPSec protocol). AD CS requires an AD DS infrastructure.
  • Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use multiple web-based services (e.g., internet forums, blogs, online shopping, webmail) or network resources using only one set of credentials stored in a central location, rather than having to request credentials for each service. AD FS uses many popular open standards to pass token SAML, OAuth or OpenID Connect credentials. The purpose of AD FS is to be an extension of AD DS, allowing users to authenticate and use devices that are part of the same network using a set of credentials. AD CS requires an AD DS infrastructure.
  • Rights Management Services: Active Directory Rights Management Services (AD RMS), formerly known as Rights Management Services or RMS before Windows Server 2008, is server software that enables information rights management, included with Windows Server. It uses encryption and selective denial to restrict access to multiple documents, such as corporate emails, Microsoft Word documents, and web pages. It also limits the operations that authorized users may perform on them, such as viewing, editing, copying, saving, or printing. IT administrators may create preset templates for end users for convenience, although end users may still define who can access certain content and what actions they can take.

Active Directory Structure

Active Directory is a service comprising a database and a executable code, responsible for handling requests and maintaining the database. The Directory System Agent is the executable part, as a set of Windows services and processes running on Windows 2000 and later. Objects in Active Directory databases can be accessed through different interfaces, such as LDAP, ADSI, messaging API and Security Accounts Manager).

Active Directory structures contain information about items classified into two categories: resources (such as printers) and security principles (including accounts and groups of users or computers). Each security entity is assigned a unique security identifier (SID). An item represents a unique entity, such as a user, computer, printer, or group of items, along with their attributes. Some items may even contain in turn other items inside. Each item has a unique name and its definition is a set of features and information using a schema that determines storage in Active Directory. Administrators may expand or modify the schema. However, as we mentioned earlier, because each schema item is an integral part of the Active Directory item definition, disabling or changing them may fundamentally alter or disrupt an implementation.

In Active Directory, the frame containing items has different levels: the forest, the tree, and the domain:

  • Domains contain items stored in a single replicable database and the DNS name structure identifies their domains (namespace).
  • A domain is a logical group of network items, such as computers, users, and devices, that share the same Active Directory database.
  • A tree is a collection of domains and domain trees in a namespace linked in a transitive trust hierarchy. The forest is at the top of the structure, where there is a collection of trees with a standard global catalog, directory schema, logical structure and directory configuration. The forest is a secure boundary that limits access to users, computers, groups, and other items.

Another important element in the AD structure is the Organizational Units (OUs), which refers to the fact that the items contained within a domain can be grouped into organizational units. These units provide hierarchy to a domain, make its administration easier, and may resemble the structure of the organization in administrative or geographical terms.

Microsoft recommends using OUs instead of domains to structure and simplify policy implementation and administration-although policies can also be applied to domains or sites.

Using Pandora FMS with Domain Controllers

Pandora FMS can help us manage our domain controller:

Data that can be Retrieved with Pandora FMS

Pandora FMS has plugins, WMI remote queries and the software agent with which you may retrieve information from your server to alert in case of any issues.

The data you may retrieve are the following:

  • Log files.
  • Access logs.
  • Monitor the server service.
  • Get information about server resources.

There are specific Active Directory plugins in Pandora FMS that allow to extract much more information:

  • AD Users
  • Unused AD User
  • AD Schema Master
  • AD Root Domain
  • AD Forest Domains
  • AD Computer DNS Host Name
  • AD Global Catalogs
  • AD SPN suffixes
  • AD UPN suffixes
  • Connectivity
  • Replication admin
  • Service DNS status
  • Service DFS Replication status
  • Service Intersite Messaging status
  • Service Kerberos Key Distribution Center status
  • Service NetLogon status
  • Service Active Directory Domain Services status
  • Test Advertising status
  • Test FrsEvent status
  • Test SysVolCheck status
  • Test KccEvent status
  • Test KnowsOfRoleHolders status
  • Test MachineAccount status
  • Test NCSecDesc status
  • Test Netlogons status
  • Test ObjectsReplicated status
  • Test Replication status
  • Test RidManager status
  • Test Services status
  • Test SystemLog status
  • Test VerifyReferences status

Any of these modules can be used to generate reports, alerts and display graphs of their evolution over time.

Active Directory Integration on Pandora FMS

Can we use our domain controller in Pandora FMS? The answer is yes.

Pandora FMS allows to use authentication using AD (Active Directory) which are tools that are part of our Domain Controller.

With this integration you will be able to log into Pandora FMS automatically with users created in your AD without having to previously create them, or associate any type of profile with them in Pandora FMS console.

Conclusion

It is more than clear that in any network there are hundreds of devices (printers, PCs, LapTops, servers, etc.), so managing user credentials and the authentication of each device individually can be a burdensome task in terms of time, costs and efforts. Domain controllers come to simplify the tasks of IT staff, from a domain controller you may manage the authentications of other devices, so that each time a user logs in, their credentials are verified against the master directory database.
Of course, cybercrime knows this too, and domain controllers are often target for cyberattacks. Therefore, sufficiently robust and constantly updated cybersecurity must be implemented. It is also recommended to take turns with domain controller configuration experts to learn what data to retrieve (logs, access logs, server services, etc.) as they can help us identify possible connectivity risks or possible network security breaches.

Parlez à l'équipe de vente, demandez un devis ou posez vos questions sur nos licences