
Evidence of Learning #4

Date: 3/18/2020

Subject: Domain Controllers vs. Active Directory

MLA Citations:
Kindle, Bill. “Domain Controllers vs. Active Directory: Explained.” Adam the Automator, Adam
the Automator, 1 Jan. 2020, adamtheautomator.com/domain-controller-vs-active-directory/.

Analysis:

One of the main roles of an Information Security Officer is to audit policies and make
sure that different users have different permissions. For instance, a regular guest account should
not be able to have administrative privileges; otherwise, security breaches could arise. Thus, in
order to control this system, Information Security Officers often use Domain Controllers and
Active Directories. However, even though I knew why these tools are used in Cybersecurity
before researching this article, I didn't quite understand what the difference was between a
Domain Controller and an Active Directory. But after going through this article and the
“nightclub analogy”, this makes a lot more sense to me now.

First off, the author of this article used an analogy about a nightclub in order to explain
these concepts. For example, he stated that since only certain people can attend the nightclub,
there must be a bouncer. In the world of security, this can be equated to the Domain Controller as
it uses a “list” in order to only allow authorized members. This article also stated that there are
several Domain Controllers to serve as backup in case of an emergency situation. When I read
this part of the article, I was able to make a connection to what I had learned previously when
preparing for my BPA Network Design Team competition. When creating the network diagram,
we had to place primary and secondary components for each of the network hardware to serve as
backup, or in Networking terms, increase redundancy. Thus, reading about this showed me how
closely related Cybersecurity and Networking are.

Coming back to the analogy, the article stated that if the bouncer of the nightclub equates
to the Domain Controller, then the nightclub itself can be equated to the Active Directory. More
specifically, the Active Directory Server equates to the nightclub’s owner (since it determines
who is authorized/unauthorized) and the Active Directory Service equates to the “little black
book” that contains the regulations for who can enter/who cannot. Overall, this entire nightclub
analogy helped me understand how the Domain Controller and Active Directory interact with
each other in order to block unauthorized users from the system.

Learning about this difference helped me make some more connections from the BPA
Computer Security competition that I participated in last week. For instance, during the finals
round, I had to complete several hands-on exercises on a Windows 10 virtual machine. Some of
these exercises were about making changes to the group policies, account lockout policies, and
password policies, and after reading this article, I understand that these services/policies are all
part of the Windows 10 Active Directory. This makes sense because these policies dictate what
each user is authorized to do on the system and define what everyone must follow. To put it
simply, reading about this helped me make some deeper connections with the things that I have
learned over the past few months from my mentor, my own research, and BPA.

This article includes additional terms that are important to know, including “identity”,
“security principal”, “security identifier”, and “account”. Even though I had heard of these terms
before, I would not have been able to properly define them before reading this section of the
article. For instance, I knew that a security identifier is used to authorize users on a system, but I
did not know that a key was involved in this process. I also did not know that a security principal
is used to authenticate users and handle their permissions.

However, after reading this article, I still have some questions. If the group policies are
part of the Active Directory on Windows 10, what is part of the Domain Controller? Are there
any particular policies that are a part of the Domain Controller or are policies only related to the
Active Directory? Furthermore, I am curious to find out whether my mentor deals with the
Active Directory on a frequent basis to reduce the possibility of security breaches.

In summary, reading this article helped me get a clear picture about the differences
between the Active Directory and Domain Controller, which is essential for any Information
Security Officer to understand. I was also able to make several connections to what I had learned
over the past few months, which was very motivating. Overall, I hope to continue solidifying
fundamental Cybersecurity concepts by conducting further individual research and asking my
mentor any questions or doubts that I may have.

**Annotated article on following pages

It's common to think that Active Directory Domain Services
(ADDS) and domain controllers (DCs) are synonymous with
each other. In fact, they are very different. Wow, I did not know
that they are completely different; I thought they were pretty
similar as they help filter out unauthorized users from a system.
Knowing these differences will help you better understand how
both work together.

For this article, we'll center on Windows NT terminology. What
is Windows NT? Is Windows 10 part of Windows NT? Many of
the concepts and terms are the same or similar in Linux. To tell
the domain controllers vs. Active Directory story, I’m going to
use a story about a nightclub. This is pretty interesting...it will
be easier to understand.

I hope this will relate the equivalent scenarios and differences between Active Directory and
domain controller functionality better than simply regurgitating documentation.
If you're looking for Active Directory explained, you've come to
the right place.

Domain Controllers
A bouncer named Ox is standing guard at the door of the
nightclub dubbed Club BOFH. Ox's job is to check names
against a list before letting someone in line get into the club.
Every hopeful club-goer in line wants to get in, but they have to
be on the 'A' list.

Not on the list? They don't get in. If they try, they get ejected!
The bouncer is providing a critical service to the nightclub
owner, who, when not running a club, writes these types of blog
posts explaining IT topics. Okay, so the bouncer equates to the
Domain Controller since he stops random people from entering
the nightclub.

The domain controller (Ox the bouncer) or DC, is providing
security services for the night club. A domain controller hosts a
database (the 'A' list) that is used for authentication requests
(the club-goer giving their name to Ox).

Once Ox authenticates the club goer, they detach the velvet rope
and allow the club-goer (a user or computer) to pass. This is the
only way to gain access to domain resources (drinks, music, and
dancing within the night club). So basically, the Domain
Controller primarily deals with the authentication of users.

Ox has a few friends (member servers acting as domain
controllers or DCs) help out. Should one of them get
overpowered by an angry person that was ejected from the night
club, any one of them can step in and continue providing
security services. This is similar to what I learned earlier this
year in networking. It is important to have backup devices or
services to ensure 24/7 functionality.
Ox does well providing redundant security services. But how do
Ox and friends get the list of club-goers who are or aren't
allowed to enter Club BOFH?

Active Directory
Club BOFH is unique. There's only one location. The night
club's owner, Roscoe, has a black book that contains all club-
goers who are authorized to enter and have paid their
membership fees.

If business continues to pick up, Roscoe plans on opening new
locations.

Ox uses this black book while providing security every night.
Roscoe updates this book regularly too. Names are always being
added or removed, often with notes on what a club-goer can and
cannot do while inside Club BOFH. The active directory list is
constantly being updated, but who controls this directory?

Ox's closest friend, Hanz (who helps out daily), has a copy of
this black book and occasionally compares their list to what Ox
has. Any entry in Ox's book that is not included in Hanz's book
is added or removed. When an employee joins a company, will
their name be added to the company system’s active directory?
Sometimes Ox has left the book at home. This isn't a problem as
Ox can still look at what Hanz has recorded and shared.

The Active Directory (Club BOFH) Domain consists of an Active
Directory Server (Roscoe) or 'AD' server and an Active Directory
Service (little black book). This makes sense - there are multiple
parts of the active directory, including the domain, server, and
service. This service stores objects like user and computer
account information.

Ox and friends employed by Roscoe (directory domain
controllers) all use the same domain service because they are
only operating in an Active Directory Domain.

Additional Terms To Know
Here's some critical information to understand:

● An identity can be a single user or computer. It can also be
a group of users or computers. When you look at Active
Directory Users and Computers (ADUC), you see user
names and security group names. These are identities.
● A security principal is used to authenticate an identity and
is what handles what permissions an identity has. It's used
to prove that an identity is genuine. I had heard of this
term before, but I did not know that the security principal
is mainly concerned with the authentication of identities
on a system.
● A security identifier is just a key that is associated with an
identity that determines authority on the domain.
● An account is either a user or computer. A user account
stores information related to the user identity and is used
to verify access to network resources such as file shares.

A computer account contains information that
authenticates the account to the domain. Every computer
account includes a unique security identifier (SID). I
learned earlier that Wi-Fi networks also have SSIDs, which
is a unique security identifier, or name.

How They Work Together
Remember the example scenarios earlier involving Club BOFH.

Sit down at your computer to log in. Your computer is already a
member of the domain. It has an account that's been
authenticated using the SID that was assigned to your
computer, allowing this computer to access network resources.
This was done through an exchange of security keys between the
computer and the domain controller. What exactly does this
mean? What is the purpose of this?

You proceed to type in your username, which is your identity
tied to your user account. Your account has a SID, and the
security principal assigns your rights to logon locally. Your
Microsoft Outlook program is already configured using your
company's Exchange server.

Where is all this information stored? It's assigned to you in
Active Directory. The computer account could also have data
stored, such as location and who manages it.

Conclusion
The differences between what Active Directory does and what a
domain controller does isn't a difficult subject once you can
visualize the process. It's easiest to remember that domain
controllers authenticate your authority, and Active Directory
handles your identity and security access. This is a good way to
put it simply, especially with the previously mentioned
nightclub analogy.
