Active Directory – Hybrid Deployment Architecture
The core principle of any infrastructure design is "keep it simple". Managing an identity solution is never easy, and organizations around the world have different business and compliance requirements that make their Active Directory architecture complex. In this article we will look at Active Directory hybrid deployment architecture, isolation, security and governance.
You may have applications that are accessed by internal and external users, applications managed by different vendors, and applications that handle currency transactions. Each of these applications needs to be protected from attacks, including attacks on identity, and the blast radius of any compromise needs to be kept small.
While the network and application layers provide security at their own level, Active Directory (or whichever identity management system you use) also plays an important role in securing the infrastructure. Before we look at the possible Active Directory layouts, recall that the primary purpose of Active Directory is authentication, not authorization. Authorization is provided by the applications themselves.
Possible Active Directory layouts for applications:
- Single Forest Single Domain
- Single Forest Multi Domain
- Multi Forest Multi Domain
Of course, I have left out Azure Active Directory here; it is covered later in this article.
Now, why would you pick one over the other? The answer lies in your business requirements and in the level of isolation you need.
Pros and Cons of different AD Deployment options
| | Single Forest Single Domain | Single Forest Multi Domain | Multi Forest Multi Domain |
|---|---|---|---|
| Pros | 1. Simple management. 2. Centralized group management for all computers. 3. Easy backup and restore. | 1. Cleaner, segregated administrative boundary. 2. The default trust between domains allows resource access across domains. | 1. Cleaner isolation between AD forests, with no trust between them. 2. No replication dependency on other forests. |
| Cons | 1. Loose isolation of the administrative boundary. 2. Prone to human error when granting access to resources. | 1. Larger domain controller footprint, since each domain needs its own. 2. Complex backup and recovery. | 1. Complex user life-cycle management. 2. Complex SSO integrations. 3. Complex Group Policy management. |

* For business reasons, these domains or forests can be deployed on-premises or in the cloud (Azure/AWS).
A multi-forest architecture brings another major administration challenge: monitoring and auditing across forests. It can be addressed by introducing a separate "Admin" or "Infra" forest that has a one-way trust with all of the application forests, as shown in the diagram below.
In the diagram above, a single Infra forest manages both the Production and Non-Production forests.
Extend Identity to Cloud
Now that the core foundation of identity has been laid out, extend it to Azure Active Directory using Azure AD Connect (not covered in this post). The domain controllers or forests from the architecture above can be deployed either on-premises or in the cloud.
The diagram below shows the various options for Azure and AWS IAM logins, replication, site links, MFA and SSO integrations.
Security and Governance on Identity System
In this section we cover the different areas where security controls can be applied to protect applications and prevent attacks, and the tools that can be leveraged in each area.

| Area | Control / Tooling |
|---|---|
| Encryption | Active Directory Certificate Services, SSL for ADFS |
| Firewall | Allow only AD-specific ports on the Windows Firewall |
| Branch Office | Read-Only Domain Controllers |
| Access Control | Delegated access on Active Directory resources for administrators |
| Auditing | Tools from ManageEngine (www.manageengine.com) |
| Policies on Computers and Users | Group Policies |
| Identity Life Cycle Management | Microsoft Identity Manager 2016 (part of Azure AD Premium) |
| Logins (Cloud and Apps) | Linked to Enterprise AD using ADFS and MFA |
| Attack Prevention | Account lockout policies, SSL for ADFS, allow traffic only from trusted sources, the "Log On To" specific-computer restriction |
| Authorization | AD group based, Azure RBAC, AWS IAM |
| Monitoring | SCOM, ManageEngine tools |
| Domain Security | Keep the Domain Admins and Schema Admins groups empty |
| Service Accounts | Use Managed Service Accounts; change passwords periodically |
| Quick Recovery | Make use of a lagged AD domain controller (delayed replication) for authoritative restore |
| File Shares | Remove permissions for Everyone and grant access to specific AD groups |
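As an added example (not part of the original post), the following PowerShell script audits several of the controls from the table above: it checks that Domain Admins and Schema Admins are empty, that account lockout is enabled, that password-based service accounts are being rotated, how many Managed Service Accounts exist, and whether the forest trusts are one-way as in the Infra forest design. It assumes the RSAT ActiveDirectory module on a domain-joined host; the svc-* naming convention for service accounts and the 90-day rotation period are assumptions.

```powershell
# Added example, not from the original post: a read-only audit of several
# controls from the table above. Assumes the RSAT ActiveDirectory module on a
# domain-joined host; the svc-* naming convention and the 90-day rotation
# period are assumptions, adjust them to your own policy.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-90)

# Domain Security: Domain Admins and Schema Admins should be empty between change windows.
foreach ($group in 'Domain Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    if ($members.Count -gt 0) {
        Write-Warning ("{0} has {1} member(s): {2}" -f $group, $members.Count,
            ($members.SamAccountName -join ', '))
    } else {
        Write-Output "$group is empty"
    }
}

# Attack Prevention: account lockout must be enabled in the default domain policy.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'Account lockout is disabled (LockoutThreshold = 0)'
} else {
    Write-Output ("Lockout after {0} failed attempts for {1}" -f
        $policy.LockoutThreshold, $policy.LockoutDuration)
}

# Service Accounts: flag password-based service accounts that are not rotated,
# and count the Managed Service Accounts (MSA/gMSA) that should replace them.
$svc = Get-ADUser -Filter 'SamAccountName -like "svc-*"' -Properties PasswordLastSet, PasswordNeverExpires
foreach ($u in $svc) {
    if ($u.PasswordNeverExpires -or -not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) {
        Write-Warning ("{0}: password last set {1}, never expires = {2}" -f
            $u.SamAccountName, $u.PasswordLastSet, $u.PasswordNeverExpires)
    }
}
Write-Output ("Managed Service Accounts in use: {0}" -f @(Get-ADServiceAccount -Filter *).Count)

# Isolation: the Infra forest design above relies on one-way trusts, so a
# two-way trust is flagged; the SID filtering state is printed for review.
foreach ($t in Get-ADTrust -Filter *) {
    $line = "Trust {0}: {1}, forest transitive = {2}, SID filtering quarantined = {3}" -f
        $t.Name, $t.Direction, $t.ForestTransitive, $t.SIDFilteringQuarantined
    if ($t.Direction -eq 'BiDirectional') { Write-Warning $line } else { Write-Output $line }
}
```

Run it from the Infra forest with an account that can read each application domain; warnings are the items to review against the table, nothing is modified.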
I hope this post helps you make decisions when laying out your Active Directory infrastructure and guides you through the security and logical flow of your design. Any questions, please feel free to write to me. Thank you.