- AD is the basement/heart/glue for all Microsoft (and not only Microsoft) server products. Almost any Microsoft solution is based on AD as a prerequisite. Therefore it’s common misunderstanding and misuse that AD is considered only as side effect (or even as lesser unavoidable evil :)) of implementation of other Microsoft systems like MS Dynamics NAV, Exchange, Lync, Sharepoint. It means you cannot install Exchange without pre-installation and pre-configuration of AD. As a result of a such wrong approach to AD many companies don’t use Active Directory appropriately, some of them completely don’t understand what is the main role of AD in their corporate IT system. Btw you can consider any large corporate solution which doesn’t support AD integration as a incomplete raw immature solution. Under AD integration you should understand not only compatibility with AD, but there should be option to use (authenticate/authorize) AD users/groups in this corporate solution. It means that each corporate solution will not create own security database of users/groups/roles and so on. It means that users of a such systems could use AD multi-factor authentication and all other password policy features (unlike ordinary SQL simple password policies it imply proper audit, logging, monitoring features as well). Surely different systems can be integrated by SSO/single sign-on, but yet it’s surrogate, not native integration. Without AD you cannot even easily and properly setup file/print server with granular access control, in peer-to-peer network you can allow only two extreme options – anonymous/guest access with read-only or full access (if only you don’t like to create and manage on each computer the same set of users with own passwords 🙁 – which nobody never uses due to very complicated management)
- Active Directory Group Policy/GP provides more than 3000 windows settings controlled centrally from one console. For beginners Group Policy can be considered as a bunch of Windows registry settings to configure in bulk multiple computers. This settings are created in registry by Group Policy agents (exist on each recent windows computer) on each target computer after download of settings in specific format from AD server. Sometimes i see recommendations from IT audit companies as a remedy of findings to change list of registry settings to harden security and so on. I guess more appropriate approach is to configure Group Policies. Why? Because people always forget that the one of the main advantages of Group Policy is enforcement, when your settings apply not once but regularly restoring, propagating company wide settings again and again, even if someone(hacker, end-user …), something (virus, installation program and so on) managed to change settings. Surely it’s easier to configure Group Policy than manually create reg files with necessary settings – less mistakes and quicker implementation. But even manually created reg files better to deploy thru Group Policy – again because of existing system of propagation of GP – easier to target, combine, distribute thru replication and enforce.
- The cost of Active Directory implementation projects is NOT in high licensing or equipment requirements. As soon as you paid for Windows Server you have unlimited rights to implement Active Directory (only for Essentials, SMB and other specific Windows versions there are some restrictions). Even users with illegal copies can technically implement AD. So technically it’s almost free. Maybe it demands beefy servers? Not at all. Even Virtual Machine with one vCPU and 1.2-2Gb of vRAM on modern i7 desktop computer with Hyper-V can satisfy all needs of small companies (about 30-100 users). So the main cost of AD implementation is configuration expenses, implementation of new IT policies and rules. And under “configuration expenses” i meant not only easy installation of first Domain Controller and creation of new users, computers. Doing so you just acquire a IT “sword”. Next you need to learn how properly to use it. Ownership of a such “sword” itself is not enough. Unfortunately it’s not AK47 which can be used even by child. Deceiving easiness of first steps of AD implementation very often causes inadequate negligible attitude of sysadmins towards proper professional AD planning, designing and usage. It means that main expense is for human resources, investment into competence of IT pros. The more you invest into competence the more return of investment into IT software and hardware. Otherwise software, hardware and other company IT resources will be misused, underused or even not used. (for example: instead of flat one domain topology implementator unthinkingly used multi-domain structure with resulting budget overrun and other management overheads; lack of virtualization competence for AD leads many companies to create Domain Controllers on very beefy physical servers – overkill; sysadmins with only network education trying to avoid AD usage are forced to protect own accountants subnet by VLANs )
- Another strong feature is delegation, when specific ACL can be assigned to AD objects itself. For example no need to make HR Domain Admins to change employees photo, address, phone numbers and so on. Helpdesk IT engineers can be ordinary DomainUsers, just with some concrete elevated rights.
- Active Directory is network service. Poor state of LAN (for example: no control for attached active network devices like routers with enabled DHCP servers, uncontrolled splitting ports by multiple switches, permanent conflict of IP, bad cabling and so on) compromise all AD advantages.
- The most critical network services for proper functionality of AD are Time service and DNS. Without correct DNS settings computers in the LAN cannot locate IP of any AD server (unlike NTLM there is no broadcasts). Synchronized time is vital for Kerberos protocol (let’s consider Kerberos ticket as a ticket to cinema, then it’s obvious that you cannot watch your film at wrong time).
- Other common mistake is disabled DHCP client service on computers with static IP – Microsoft DCHP client service dynamically registers your static IP on DNS server.
- Other common mistake is setup of only one DNS server for member servers and client computers. Usually according to Microsoft requirements there should be at least two Domain Controllers per domain – so it’s very common that sysadmins forgot to setup second DC DNS server ip for member servers as secondary DNS server. In case of outage of first DC such member servers will lose connection with AD.
- Many admins configure AD DC on physical servers with builtin 2-4 NICs, forgetting to disable unnecessary physical NIC, just not configuring IP for them. In case of wrong cable commutations when you accidentally plug cable into unused NIC we get multi-homed DC – domain controller with multiple IP addresses in DNS server – clients will try and fail to access DC server getting by DNS round robin feature wrong server IP on a such unused NICs.
- Not disabled by Group Policy Computer Browser service on member servers and clients can cause unnecessary Master and Backup Window Browsers elections (Computer Browser service better to leave working only on DCs). Moreover if your network has linux/unix computers with Samba server it can break elections – as a result your Network Neighborhood can become empty or wrongly populated.
7. Regardless of the fact that you use or not use Active Directory you better limit your end-users according to the standard security principles of “least required access”. Doing so you at least reasonably prolong periods of stable, guaranteed work of end-user workstations with less maintenance overheads. Other conception ignored by self-taught sysadmins is providing authorization only for security groups, not for personalities, as much as possible. And Active Directory in both recommendations simplifies everything, logically and optimally, providing compliance with User Access Control IT policy, RBAC/Role-Based-Access-Control conception. Instead of directly assigning some permission to end-user for folder share or other company resource, better to assign the same permissions to dedicated security group in AD with standardized naming scheme, for example: “fs00-shares-readonly” and “fs00-shares-fullaccess” security groups (where “fs00” is server name, “shares” is shared folder name) and add this end-user account into these sec.groups.
- Next time if you need provide the same rights to other user just add him to necessary sec.group and ask to re-login (membership is checked usually during the login process).
- Now to check/control User Access Control you need only list security groups to which this user belongs.
- Another recommendation: if you need to create new Role (one security group with access to multiple resources) better to directly list all ACE/AccessControlEntries in “Notes” field of a such security group in ADUC/”AD users and computers” snap-in.
- The pitfall is that this approach works fine only until you and your colleagues strictly stick this methodology. If somebody from sysadmins starts to sabotage or just ignore the agreed methodology, then integrity, usability, trustworthy of above method immediately degrades. On other hand if you don’t follow above recommendations or log journal of assignment of rights, without organization and self-discipline you will need to check ACL of all company resources to understand this concrete user permission, rights in the company IT infrastructure.
- Maybe useful to read following article.