Domain Controller and Active Directory Project Networking 1

The document provides information about domain controllers and Active Directory. It defines a domain controller as a server that authenticates access requests and stores user account information for a Windows domain. It explains that domain controllers enforce security policies and authenticate users centrally rather than on individual PCs. The document also defines Active Directory as a framework for managing multiple Windows domains, with domain controllers running Active Directory and authenticating users based on stored user data. It describes the different types of trusts that can exist between domains and forests in Active Directory.

Uploaded by

Amine Batrouny
DOMAIN CONTROLLER AND ACTIVE DIRECTORY
PRESENTED BY:
WADIH DAHROUGE
AMINE BATROUNY
GEORGES EL BEAINY
EID KHATTAR
DOMAIN CONTROLLER
WHAT IS A DOMAIN CONTROLLER, AND WHY WOULD I NEED IT?

• DOMAIN CONTROLLERS ARE RESPONSIBLE FOR ENSURING THAT ONLY TRUSTWORTHY AND RELEVANT USERS CAN ACCESS THE NETWORK.

• A WINDOWS SERVER DOMAIN LOGICALLY GROUPS USERS, PCS, AND OTHER OBJECTS IN A NETWORK, WHILE A DOMAIN CONTROLLER AUTHENTICATES ACCESS REQUESTS.

• IT ALSO STORES INFORMATION ABOUT USER ACCOUNTS AND DEVICES AND ENFORCES SECURITY POLICIES.
WHAT DOES A DOMAIN CONTROLLER DO?

• EACH PC IN AN ORGANIZATION HAS ITS OWN LOCAL ACCOUNTS, BUT THESE ACCOUNTS CANNOT BE USED TO ACCESS THE NETWORK. THIS IS BECAUSE IT MAKES MORE SENSE FOR IT ADMINISTRATORS TO MANAGE USER ACCOUNTS CENTRALLY, NOT SEPARATELY ON EACH PC. ALSO, CENTRALLY MANAGED USER ACCOUNTS ALLOW USERS TO ACCESS NETWORK RESOURCES FROM JUST ABOUT ANY WORKSTATION.

• DOMAIN CONTROLLERS ARE USED TO AUTHENTICATE AND AUTHORIZE USERS AND STORE ACCOUNT INFORMATION CENTRALLY INSTEAD OF INDIVIDUALLY ON EACH COMPUTER. WITHIN A DOMAIN CONTROLLER, THE DOMAIN NAME SYSTEM (DNS) IS USED TO GROUP COMPUTERS AND OTHER DEVICES IN THE NETWORK FOR EASE OF ADMINISTRATION.

• A DOMAIN CONTROLLER IS A SERVER COMPUTER THAT ACTS LIKE A BRAIN FOR A WINDOWS SERVER DOMAIN.
WHY IS A DOMAIN CONTROLLER IMPORTANT?

DOMAIN CONTROLLERS CONTROL ALL DOMAIN ACCESS, BLOCKING UNAUTHORIZED ACCESS TO DOMAIN NETWORKS WHILE ALLOWING USERS ACCESS TO ALL AUTHORIZED DIRECTORY SERVICES.
THE PROS AND CONS OF A DOMAIN CONTROLLER
PROS

• DOMAIN CONTROLLERS THAT SUPPORT PROTECTED AUTHENTICATION AND TRANSPORT PROTOCOLS INCREASE THE SECURITY OF THE AUTHENTICATION PROCESS.

• ACROSS COMPANY NETWORKS AND THE WIDE-AREA NETWORK, REPLICATED AND DISTRIBUTED DOMAIN CONTROLLERS IMPOSE SECURITY POLICIES AND FEND OFF ANY UNWANTED ACCESS.

• COMPANIES MAY AUTHENTICATE ALL DIRECTORY SERVICE REQUESTS USING A CENTRALIZED DOMAIN CONTROLLER FOR DOMAIN CONTROLLER ADMINISTRATION.
CONS

• THE COST OF INFRASTRUCTURE IS VERY HIGH.

• IF YOU ARE THINKING ABOUT A NETWORK, GOOD PLANNING BEFORE STARTING IS A MUST FOR A BETTER RESULT.

• FOR A SINGLE USER, IT IS VERY TOUGH TO UNDERSTAND THE COMPLEX STRUCTURE OF A DOMAIN CONTROLLER.
ACTIVE DIRECTORY
WHAT IS ACTIVE DIRECTORY?

• MICROSOFT INTRODUCED ACTIVE DIRECTORY (AD) FOR CENTRALIZED DOMAIN MANAGEMENT IN WINDOWS SERVER 2000. AD INCLUDED SERVICES
SUCH AS DIRECTORY FEDERATION SERVICES FOR SINGLE SIGN-ON. IT ALSO INCLUDED SECURITY CERTIFICATES FOR PUBLIC-KEY CRYPTOGRAPHY, RIGHTS
MANAGEMENT, AND LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP).

• AN ACTIVE DIRECTORY IS A FRAMEWORK FOR MANAGING SEVERAL WINDOWS SERVER DOMAINS. A DOMAIN CONTROLLER IS A CRITICAL PART OF THE
ACTIVE DIRECTORY. THE SERVER RUNS THE ACTIVE DIRECTORY AND AUTHENTICATES USERS BASED ON THE DATA STORED IN THE ACTIVE DATA.

• ONE-WAY TRUST: USERS OF ONE DOMAIN CAN ACCESS THE RESOURCES OF ANOTHER DOMAIN, BUT NOT VICE VERSA.

• TWO-WAY TRUST: USERS OF ONE DOMAIN CAN ACCESS ANOTHER DOMAIN AND VICE VERSA.

• TRANSITIVE TRUST: A TWO-WAY TRUST RELATIONSHIP THAT IS CREATED AUTOMATICALLY BETWEEN A PARENT AND CHILD DOMAIN.

• EXPLICIT TRUST: A TRUST THAT IS CREATED MANUALLY BY THE SYSTEM ADMINISTRATOR.

• FOREST TRUST: A TRUST BETWEEN TWO FORESTS. SELECTIVE AUTHENTICATION CAN ALSO BE IMPLEMENTED IN THIS TYPE OF TRUST.

• EXTERNAL TRUST: A TRUST BETWEEN DOMAINS THAT BELONG TO DIFFERENT FORESTS.

• SYSTEM ADMINISTRATORS CAN ALSO SET SECURITY POLICIES THROUGH DOMAIN CONTROLLERS, SUCH AS PASSWORD COMPLEXITY.
TYPES OF ACTIVE DIRECTORY
ACTIVE DIRECTORY FOREST

• AN ACTIVE DIRECTORY FOREST IS A COLLECTION OF MORE THAN ONE DOMAIN TREE HAVING
DIFFERENT NAME SPACES OR ROOTS. THIS MEANS THAT THE FOREST CONTAINS A NUMBER OF
DOMAIN TREES THAT DO NOT SHARE A COMMON NAME SPACE, OR, PUT DIFFERENTLY, DO NOT HAVE THE SAME
PARENT DOMAIN.

• BUT, FOR ALL THE TREES IN THE FOREST, THERE IS ONE COMMON CONFIGURATION AND GLOBAL
CATALOGUE.

• THE TREES IN THE FOREST ARE ALSO UNDER A TRANSITIVE TRUST RELATIONSHIP WITH EACH OTHER. A
FOREST DOES NOT REQUIRE A SPECIFIC NAME.

• A FOREST'S TREES FORM A RANKING OR HIERARCHY FOR TRUST. AT THE ROOT OF THE TRUST TREE IS
THE TREE NAME, WHICH REFERS TO THE FOREST.
ACTIVE DIRECTORY TREE

• JUST LIKE A PHONE DIRECTORY STORING ALL KINDS OF PHONE NUMBERS IN IT, AN ACTIVE DIRECTORY ABBREVIATED AS AD, IS A DIRECTORY OF
SERVICES OFFERED BY WINDOWS. THE ESSENTIAL SERVICE OF ACTIVE DIRECTORIES IS DOMAIN SERVICES AND THE USER'S INTERACTION WITH THE
DOMAIN IS HANDLED BY THE DOMAIN CONTROLLER.

• WINDOWS ACTIVE DIRECTORY WAS ORIGINALLY DESIGNED TO SYNCHRONIZE ALL THE ELEMENTS OF THE NETWORK. THE TREE IN ACTIVE DIRECTORY IS
A GROUP/COLLECTION OF DOMAINS IN THE WINDOWS ACTIVE DIRECTORY. JUST AS A TREE HAS VARIOUS BRANCHES, EVERY SINGLE
DOMAIN HAS ONE PARENT, AND MANY SUCH DOMAINS LEAD TO A RANKED TREE STRUCTURE.

• EVERY DOMAIN IN THE TREE LIVES ON THE FOUNDATION OF TRUST, WHICH IS A TWO-WAY PROCESS. AS SOON AS A DOMAIN IS CREATED, THAT
NASCENT DOMAIN IS BY DEFAULT SHARED WITH ITS PARENT DOMAIN. THIS ALLOWS THE USER TO ACCESS THE RESOURCES OF BOTH THE PARENT AND
CHILD DOMAINS.

• AN ACTIVE DIRECTORY TREE IS A TREE OF DOMAIN NAMES, WHERE EACH DOMAIN HAS A SINGLE PARENT/ROOT AND BRANCHES OUT TO VARIOUS
OTHER CHILD DOMAINS. A CHILD-PARENT RELATIONSHIP IS SET UP BETWEEN THE EXISTING DOMAINS AND A NEWLY BUILT DOMAIN. THERE IS ONE
COMMON BOUNDARY SHARED BY ALL THE DOMAINS IN THE TREE.

• TWO DIFFERENT ACTIVE DIRECTORY TREES CANNOT SHARE ONE NAME SPACE. FOR EXAMPLE, IF ONE TREE
IS XYZ.COM, THE OTHER TREE WILL BE ABC.COM.
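
The trust types and the parent-child tree trust described above can be modelled as a directed graph, which is how a defender reviews who can reach what. The following is an added example, not part of the original slides; the domain names below XYZ.COM and `partner.example` are constructed, and it assumes the standard behaviour that external trusts are non-transitive.

```python
from collections import deque

def two_way(a, b, transitive):
    """A two-way trust is two one-way edges (trusting, trusted, transitive)."""
    return [(a, b, transitive), (b, a, transitive)]

# Constructed topology. Users of the TRUSTED domain can be granted access
# to resources in the TRUSTING domain, never the other way round.
TRUSTS = (
    two_way("xyz.com", "eu.xyz.com", True)           # parent-child: automatic, transitive
    + two_way("eu.xyz.com", "lab.eu.xyz.com", True)  # parent-child: automatic, transitive
    + [("eu.xyz.com", "partner.example", False)]     # one-way external trust (assumed non-transitive)
)

def domains_accessible_to(user_domain, trusts):
    """Domains whose resources users of user_domain can authenticate to.

    A direct trust always counts; a chain of trusts only counts when every
    link in the chain is transitive. Authorization (permissions, selective
    authentication) still applies on top of this and is not modelled here.
    """
    trusting_of = {}  # trusted domain -> [(trusting domain, transitive)]
    for trusting, trusted, transitive in trusts:
        trusting_of.setdefault(trusted, []).append((trusting, transitive))

    # Direct trusts, transitive or not.
    reachable = {t for t, _ in trusting_of.get(user_domain, [])}

    # Extend chains through transitive links only.
    seen, queue = {user_domain}, deque([user_domain])
    while queue:
        current = queue.popleft()
        for trusting, transitive in trusting_of.get(current, []):
            if transitive and trusting not in seen:
                seen.add(trusting)
                reachable.add(trusting)
                queue.append(trusting)
    reachable.discard(user_domain)
    return reachable

if __name__ == "__main__":
    for domain in ("xyz.com", "lab.eu.xyz.com", "partner.example"):
        print(domain, "->", sorted(domains_accessible_to(domain, TRUSTS)))
```

The partner's users reach only `eu.xyz.com`, because the external trust does not chain into the parent or child domains, while no user inside the tree reaches `partner.example` at all because the trust is one-way.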
THE PROS & CONS OF ACTIVE DIRECTORY
PROS

• CENTRALIZED CONTROL & MONITORING: THE AD SERVICE OFFERS A CENTRAL PLACE FOR ADMINISTRATORS TO
CONTROL ALMOST ALL THINGS RELATED TO USER ACCESS AND NETWORK PERMISSIONS.

• SEAMLESS USER EXPERIENCE: USERS GET TO ENJOY SMOOTH ACCESS ONCE THE AD INFRASTRUCTURE IS SET AND
ALL PERMISSION POLICIES HAVE BEEN ENFORCED. EVEN WITH CLOUD SERVICES, AD MAKES SURE THAT USERS DON'T
FACE LAG IN ACCESSING RESOURCES.

• A DIFFERENT TYPE FOR EVERY DIFFERENT NEED: THERE ARE MANY ALTERNATIVE VERSIONS OF AD AVAILABLE
FOR DIFFERENT SCENARIOS, LIKE AD FEDERATION SERVICES, AZURE AD DIRECTORY APPLICATION PROXY, ETC.

• FAR-REACHING POLICIES WITH GROUP POLICY OBJECTS: GPOS ARE POLICY OBJECTS THAT HELP ENFORCE
GLOBAL POLICIES LIKE PASSWORD LIMITS AND SYSTEM BEHAVIOR. MICROSOFT OFFERS A DEDICATED GROUP POLICY
EDITOR TO HELP EASILY SET UP THE POLICIES AND THE LEVEL AT WHICH THEY WILL BE ENFORCED.
CONS

• CAN PROVE EXPENSIVE: A GLOBAL INFRASTRUCTURE LIKE AD CAN GET PRETTY PRICEY TO SET UP AND
MAINTAIN. APART FROM THAT, ONCE SET UP, CHANGING ITS CONFIGURATIONS IS ALSO EXPENSIVE.

• NETWORK BECOMES EXCESSIVELY DEPENDENT ON AD: WITH AD SERVICES HANDLING THE WHOLE
NETWORK AND ITS CAPABILITIES, THE NETWORK WILL ALSO DIE IF THE AD SHUTS OFF FOR SOME REASON.

• SECURITY RISKS: AD HAS SEVERAL SECURITY RISKS, LIKE ROOT DOMAINS EXPOSING THE WHOLE
STRUCTURE TO VULNERABILITIES, UNWANTED PERMISSION INHERITANCE, VULNERABILITIES DUE TO
INACTIVE ACCOUNTS, ETC.
ACTIVE DIRECTORY VS DOMAIN CONTROLLER (AD VS DC):
DEFINITION

• A DIRECTORY SERVICE PRODUCED BY MICROSOFT FOR WINDOWS DOMAIN NETWORKS IS KNOWN AS ACTIVE DIRECTORY, WHEREAS A SERVER
THAT RESPONDS TO SECURITY AUTHENTICATION REQUESTS, SUCH AS
CHECKING PERMISSIONS, LOGGING IN, ETC., FOR THE WINDOWS DOMAIN IS
KNOWN AS A DOMAIN CONTROLLER.
FUNCTION

• THE MAIN FUNCTION OF ACTIVE DIRECTORY IS TO STORE INFORMATION
REGARDING ALL THE RESOURCES AND USERS IN AN ORGANIZED AND WELL-PLANNED MANNER.

• IN CONTRAST, THE DOMAIN CONTROLLER IS ASSIGNED THE TASK
OF PERFORMING THE AUTHORIZATION AND AUTHENTICATION OF USERS FOR
ACCESSING THE RESOURCES.
HERE IS A TABLE THAT SUMMARIZES THE DOMAIN
CONTROLLER AND ACTIVE DIRECTORY DIFFERENCE
THANK YOU 