Introduction to Directory Services
Categories: Computer Networking
Tags: Computer Networking
This article serves as a refresher for Directory Servers. It does not teach you how to set them up step by step but aims to provide the information needed for people with some IT background.
Terminology
Directory server: A server that provides a lookup service mapping network resources to their network addresses. It is used to organize user accounts, user groups, telephone numbers, and network shares.
Directory servers exist to centralize user accounts/host information for easy access instead of having them stored on every host machine.
Replication: A process carried out by directory servers to copy and synchronize data across multiple directory servers. To clients the replicated data appears as one unified directory, and replication also provides redundancy and lower latency.
Workgroup: An abstract area made up of a collection of computers without a directory server.
- There is no central authority; each computer manages its own resources.
- Computers share information and resources peer to peer (P2P).
Domain: An abstract area whose members share a common set of objectives.
- It includes computers, wires and everything within it.
- There is a central authority that provides all the configurations needed to function.
Organizational Unit (OU): It is a container object within an Active Directory (Microsoft's Directory server implementation) that holds user accounts, groups and computers. It is the "folders" of a domain.
Forest: It is a collection of trees and is the highest level of organization within an Active Directory.
Tree: It is a collection of domains within the Active Directory network.
Group Policy Object (GPO): It is a set of policies or preferences that are applied to a group of objects in a directory service.
A little bit about Directory Services
Imagine a new, large corporate facility that is not yet live, whose staff urgently need their computer network sorted out. We have to ensure the staff have access to headquarters, organize data, and configure all the settings the local network needs.
In order to implement this, it is crucial to centralize and streamline the management of all network resources and identities. This is precisely the role of Directory Services.
Understanding the Structure
What does "directory service" mean?
The Directory Service (also known as just "Directory") refers to software designed to manage and organize network resources. It uses a hierarchical structure to store information about the various objects on the network, and that information is stored on dedicated computers called directory servers.
What does "object" mean?
The object is the smallest and most fundamental unit in a directory service. It represents a distinct entity, such as a user, computer, group, or resource, each with its own set of defined attributes.
It is no different from a reference book entry containing a person's name, phone number, street address, email address, etc.
What structure do directory services follow?
They are structured like trees in a forest. A company’s forest can contain multiple trees, each made up of branches called "domains", with branches consisting of leaves referred to as "objects." Each domain manages its own infrastructure.
Here is an illustration:
The domain refers to an area within a network containing computers and user accounts. It serves as a boundary for security and administrative control.
Within each domain, directory servers centralize all network resources for authentication and authorization purposes. If we wish to further divide a company domain into separate "departments", we need Organizational Units (OUs) to organize resources and apply policies specific to each department.
For example, if we take the European branch of the company "ABC" (europe.abc.com), their departments can be organized into separate OUs such as "Human Resources", "Finance" and "Marketing". This way, access to data can be authorized or denied per department.
User Authentication
What kind of user authentications are there for directory services?
To authenticate users within a domain, we need the "Bind Operation". It is called "binding" because the client and the server must establish an authenticated session before data can be accessed.
There are three ways to implement this:
- Anonymous Bind: A connection request to a directory server without any credentials. There is no authentication, so it is prone to security risks (users without an account will be able to access the data).
- Simple Bind: Requires a username and a password sent in plain text. It is recommended to protect it with encryption (such as SSL/TLS).
- SASL (Simple Authentication and Security Layer) Bind: A framework that enables pluggable authentication mechanisms. It acts as an intermediary layer in which the client and the server negotiate a mechanism (e.g. plain username/password, a Kerberos ticket, etc.) while using a standard way to communicate.
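The three bind types from the client side, as an added example that is not part of the original article: it uses .NET's System.DirectoryServices.Protocols and refuses to send a simple bind until the transport is protected by TLS. The server name is an assumption.

```powershell
# Added example (not from the article): the three LDAP bind types from the client
# side, via .NET's System.DirectoryServices.Protocols, with a guard that refuses to
# send a simple bind until the transport is protected by TLS. Server names are assumed.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-DirectoryBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [ValidateSet('Anonymous', 'Simple', 'Sasl')] [string] $BindType = 'Sasl',
        [pscredential] $Credential,
        [switch] $UseLdaps                        # LDAPS on 636; otherwise StartTLS on 389
    )
    $port = if ($UseLdaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3

    switch ($BindType) {
        'Anonymous' {
            # No credentials: the client only sees what the server exposes to everyone.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
            $conn.Bind()
        }
        'Simple' {
            # Simple bind puts the DN and password in cleartext inside the BindRequest,
            # so encrypt the session first (LDAPS or StartTLS) and only then bind.
            if (-not $Credential) { throw 'Simple bind requires -Credential' }
            if ($UseLdaps) { $conn.SessionOptions.SecureSocketLayer = $true }
            else { $conn.SessionOptions.StartTransportLayerSecurity($null) }
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Bind($Credential.GetNetworkCredential())
        }
        'Sasl' {
            # Negotiate picks Kerberos (GSS-SPNEGO) when a ticket is available, so the
            # password never crosses the wire; signing and sealing protect the session.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
            $conn.Bind()
        }
    }
    return $conn
}

# Usage (assumed host): Kerberos bind as the logged-on user, then a simple bind over LDAPS.
$sasl   = Connect-DirectoryBind -Server 'dc01.europe.abc.com' -BindType Sasl
$simple = Connect-DirectoryBind -Server 'dc01.europe.abc.com' -BindType Simple -UseLdaps -Credential (Get-Credential)
```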
Networking Protocols Involving Directory Servers
What are the protocols that interact with directory servers?
The most common protocol is "Lightweight directory access protocol" (LDAP). It is an extensible protocol that helps clients and servers query directory data.
There are multiple implementations of LDAP:
- Red Hat: Red Hat Directory Server
- IBM: IBM Security Verify Directory
- Microsoft: Active Directory or "AD"
- Oracle: Oracle Unified Directory
- OpenLDAP Project: OpenLDAP (open source alternative)
In this article, we will mostly discuss Microsoft's Active Directory (AD) and OpenLDAP.
Microsoft's Active Directory (AD)
"AD" is Microsoft's implementation of LDAP. Its most prominent component is Active Directory Domain Services (AD DS). AD DS is essential for accessing network objects.
We use two AD clients to manage AD DS:
- ADUC ("Active Directory Users and Computers")
  - ADUC focuses on users, groups, and computers.
- ADAC ("Active Directory Administrative Center")
  - ADAC is a more modern and comprehensive version of ADUC.
  - ADAC provides extensive details and allows complete control.
PowerShell cmdlets can also be used. They are the most versatile and powerful way to achieve the same results.
Note:
- AD clients are only available in Windows Pro and Enterprise editions. They cannot be installed on Windows Home or Standard editions.
- "Directory server" in AD terminology is called "Domain Controller" (or DC). Domain Controllers are required to have AD DS running.
When we interact with AD DS, we see that it has already organized its directory objects into different logical "containers". In AD lingo, a Container is a collection of objects that help us administer resources specific to their purpose within the Active Directory hierarchy.
If we wish to have separate departments in our infrastructure (e.g. "Marketing", "Human Resources", "IT", etc.), we create Organizational Units (OUs) and define custom rules to meet our requirements. These "rules" are referred to as "Group Policy" and are implemented as objects called Group Policy Objects (GPOs).
Note:
- OUs are containers, but not all containers are OUs. If the container has a GPO capability, then it is an OU.
- In AD lingo, a "domain" is a collection of containers and objects. They hold either built-in objects like "Computers" or "Users" or administrator-created OUs.
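Building the department OUs from the europe.abc.com illustration with the ActiveDirectory module, and then listing containers next to OUs, as an added example that is not part of the original article. The "Staff" parent OU and the domain name are assumptions.

```powershell
# Added example (not from the article): build the OU layout for europe.abc.com with
# the ActiveDirectory module, then show containers side by side with OUs.
# The domain and department names come from the article; the "Staff" parent OU is assumed.
Import-Module ActiveDirectory

$domainDn    = 'DC=europe,DC=abc,DC=com'
$departments = 'Human Resources', 'Finance', 'Marketing'

# A parent OU keeps the department OUs out of the built-in Users container, which is a
# plain container and therefore cannot have a GPO linked to it.
$staff = Get-ADOrganizationalUnit -Filter "Name -eq 'Staff'" -SearchBase $domainDn
if (-not $staff) {
    $staff = New-ADOrganizationalUnit -Name 'Staff' -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true -PassThru
}
foreach ($dept in $departments) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" -SearchBase $staff.DistinguishedName)) {
        New-ADOrganizationalUnit -Name $dept -Path $staff.DistinguishedName `
            -ProtectedFromAccidentalDeletion $true
    }
}

# Containers vs OUs at the domain root: both hold objects, but only organizationalUnit
# objects carry a gPLink, which is the "GPO capability" test the article describes.
Get-ADObject -SearchBase $domainDn -SearchScope OneLevel -Properties gPLink `
    -LDAPFilter '(|(objectClass=container)(objectClass=organizationalUnit))' |
    Select-Object Name, ObjectClass,
        @{ n = 'GpoLinkable'; e = { $_.ObjectClass -eq 'organizationalUnit' } }, gPLink |
    Format-Table -AutoSize
```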
Understanding Group Policy Object (GPO)
GPOs are sets of policies or preferences applied to containers (OUs, domains, or sites) in the directory. They are used to enable or disable things such as terminal access, USB support, the wallpaper image, etc.
GPOs can contain either one or both types of these configurations:
- Computer Configuration: Applied as the computer is booting up while it is connected to the network.
- User Configurations: Applied at user sign in.
Here is an image showing the various kinds of security settings available:
These settings are ultimately represented as values in the Windows Registry.
Note: "Sites" refer to the geographic locations of an AD deployment. If we apply a GPO to a particular site, all the domains within it will be affected.
Should we want to apply a different configuration to a specific set of objects, we first need to open the Group Policy Management Console (gpmc.msc). From there, we have two filtering options for applying our GPOs:
- WMI filtering: Narrows down the operating system, manufacturer name, hostname, etc. of the machines to which the GPO is applied.
  - Here is an excellent WMI filtering cheat sheet and video made by Danny Moran.
- Security filtering: Determines which user and/or computer objects will process the GPO's configured settings (e.g. enable account lockout after a maximum number of login attempts, configure password reset, enforce complex passwords, etc.).
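A Computer Configuration GPO carried through from creation to security filtering with the GroupPolicy module, plus a small audit of every GPO's WMI filter and applying trustees, as an added example that is not part of the original article. The GPO name, OU path and group name are assumptions.

```powershell
# Added example (not from the article): create a GPO whose Computer Configuration
# disables the USB storage driver, link it to the Finance OU and replace the default
# "Authenticated Users" security filtering with a dedicated group. All names are assumed.
Import-Module GroupPolicy

$gpoName    = 'Finance - Block USB Storage'
$targetOu   = 'OU=Finance,OU=Staff,DC=europe,DC=abc,DC=com'
$applyGroup = 'Finance-Workstations'        # assumed group holding the computer objects

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Computer side only: USBSTOR service disabled' }

# GPO settings end up as registry values; Start=4 disables the USBSTOR service at boot,
# which is why this lives under Computer Configuration.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -ValueName 'Start' -Type DWord -Value 4 | Out-Null
$gpo.GpoStatus = 'UserSettingsDisabled'     # no user-side settings, so skip processing them

# Link the GPO to the OU unless it is already linked there.
$links = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $links) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

# Security filtering: only the dedicated group gets "Apply group policy". Authenticated
# Users keeps Read (not Apply): since MS16-072 user-side policy is retrieved in the
# computer's security context, so removing Read makes a GPO silently stop applying.
Set-GPPermission -Name $gpoName -TargetName $applyGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Audit: every GPO with its WMI filter and the trustees that will actually apply it.
function Get-GpoFilteringSummary {
    foreach ($g in Get-GPO -All) {
        $apply = Get-GPPermission -Name $g.DisplayName -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            Gpo       = $g.DisplayName
            Status    = $g.GpoStatus
            WmiFilter = if ($g.WmiFilter) { $g.WmiFilter.Name } else { '(none)' }
            AppliesTo = ($apply -join ', ')
        }
    }
}
Get-GpoFilteringSummary | Format-Table -AutoSize
```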
OpenLDAP
work in progress