
What Is an AD Domain?

Active Directory (AD) was introduced in 1999, and understanding this core technology is a key requirement for most IT administrators today. In this part of the tutorial, we provide an overview of AD basics, including what an Active Directory domain is.

AD Fundamentals

What is AD?

Active Directory is the directory service used in Microsoft networks. A directory service (or name service) connects network resources (such as volumes, folders, files, printers, users, groups and devices) with their respective network addresses, and provides that information to entities in the network. In other words, AD is a set of databases and services that are used to organize, locate and manage network resources.

What does AD do?

The Active Directory database stores information about users and computers, including their names and access rights. The Active Directory schema defines the objects that can be stored in the directory.

Active Directory Domain Services (AD DS) controls many of the operations of your IT environment and helps ensure directory security by managing the following processes:

  • Authentication — Ensuring that each security principal is who it claims to be by verifying credentials during logon. In a Windows domain this is normally done with the Kerberos protocol, with NTLM as a fallback; a user ID and password (or a smart card) are the usual credentials.
  • Authorization — Ensuring that each security principal can use only the data and services they are permitted to access.
  • Name resolution — Enabling clients and domain controllers to locate and communicate with each other. AD DS uses DNS as its main name resolution method.
  • Centralized management — Controlling a wide variety of settings from a single location via a feature called Group Policy.

What does AD include?

A fundamental unit of Active Directory is the domain. An AD domain is a logical group of objects that share common administration, security and replication settings. Using Active Directory domains, IT teams can define administrative boundaries and manage sets of devices, services and systems in a centralized manner.

A domain controller (DC) is a server that runs Active Directory Domain Services and uses the data stored in AD for user authentication and authorization, group management, policy administration and other functions. In practice, organizations typically run several domain controllers, in on-premises datacenters and/or in the cloud. Each DC in a domain holds a full copy of the domain's partition of the AD database, and the DCs keep those copies in sync using Active Directory replication. A DC can additionally host the global catalog: a partial, read-only replica of every object in every other domain of the forest (a subset of attributes), alongside the full copy of its own domain. The global catalog lets clients search the whole forest from one place and is consulted during logon to evaluate universal group membership. A DC with this role enabled is called a global catalog server; it answers forest-wide queries on TCP port 3268 (3269 for LDAPS), while ordinary domain queries use port 389 (636 for LDAPS). The primary access protocol for Active Directory is Lightweight Directory Access Protocol (LDAP).
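The following PowerShell script is an added example, not code from the original article. It inventories the domain controllers of the current domain, shows which of them host the global catalog, runs a forest-wide LDAP query against the global catalog port, and flags replication partners with failures. It assumes the RSAT ActiveDirectory module is installed and that the session is running as a domain user; no host or domain names are hard-coded.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Domain: $($domain.DNSRoot)  (forest: $($domain.Forest))"

# One row per DC: name, site, IP, whether it hosts the global catalog, whether
# it is read-only (RODC), and which FSMO roles it holds.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperationMasterRoles
$dcs | Format-Table -AutoSize

# Red flag: a site with DCs but no GC means logons in that site depend on a WAN
# link to reach a GC (universal group membership is evaluated from the GC).
$dcs | Group-Object Site | ForEach-Object {
    if (-not ($_.Group | Where-Object IsGlobalCatalog)) {
        Write-Warning "Site '$($_.Name)' has domain controllers but no global catalog server"
    }
}

# The GC answers forest-wide searches over LDAP on port 3268/3269 with the
# partial attribute set. The GC:// moniker makes .NET's DirectorySearcher use
# that port, so this single query spans every domain in the forest.
$gc = [ADSI]"GC://$($domain.Forest)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(adminCount=1))"
$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "sAMAccountName"))
$searcher.PageSize = 500
$protected = $searcher.FindAll()
Write-Host "Accounts with adminCount=1 across the forest: $($protected.Count)"
$protected | ForEach-Object { $_.Properties["distinguishedname"][0] }

# Replication: every DC keeps its own copy of the database, so a DC that has not
# replicated for a long time is both a resilience problem and a place where
# stale (or tampered) data can linger. List partners reporting failures.
Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 } |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

The adminCount=1 query is used here only because it is a forest-wide question that the GC can answer from its partial attribute set; any other attribute in that set would work the same way. Attributes that are not replicated to the GC have to be read from a DC of the object's own domain on port 389.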

How is AD managed?

Active Directory management can be performed on domain controllers via the native tools that ship with the AD DS role, such as the Active Directory Users and Computers and Active Directory Administrative Center consoles, the Group Policy Management Console, and the ActiveDirectory PowerShell module.

These tools can also be installed on workstations as part of Remote Server Administration Tools (RSAT) so that admins can manage AD remotely instead of logging on to a domain controller interactively.

AD Structure

Now that we have covered the basic concepts of AD, let’s review the Active Directory structure. Active Directory contains multiple logical units, organized hierarchically. From smallest to largest, they are:

  • Objects
  • Organizational units (OUs)
  • Domains
  • Trees
  • Forests

Objects

An Active Directory object is the smallest logical unit. Examples include:

  • User account
  • Computer account
  • Group
  • Printer
  • Share

Every object has a set of attributes that hold its properties. The schema specifies, for each object class, which attributes are mandatory and which are optional, and, for each attribute, its syntax (string, integer, Boolean, distinguished name, SID, octet string and so on), whether it is single-valued or multi-valued, and any range limits on its values.
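The PowerShell below is an added example, not code from the original article. It reads the schema naming context directly to show what the schema says about the user class and a handful of well-known attributes (syntax, single- versus multi-valued, range limits), and then lists the attributes the schema marks confidential. It assumes the RSAT ActiveDirectory module; the class and attribute names are standard AD schema names, and the syntax-OID table is a subset of the documented AD attribute syntaxes.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module; read access to the schema partition is enough.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Subset of the standard AD attributeSyntax OIDs, mapped to readable names.
$syntaxNames = @{
    '2.5.5.1'  = 'DN'
    '2.5.5.4'  = 'CaseIgnoreString'
    '2.5.5.8'  = 'Boolean'
    '2.5.5.9'  = 'Integer'
    '2.5.5.10' = 'OctetString'
    '2.5.5.11' = 'GeneralizedTime'
    '2.5.5.12' = 'UnicodeString'
    '2.5.5.16' = 'LargeInteger'
    '2.5.5.17' = 'SID'
}

# The 'user' class: mustContain/mayContain are attributes declared on the class
# itself, systemMustContain/systemMayContain the built-in ones. Attributes
# inherited from parent classes (subClassOf chain) are not listed here.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mayContain, mustContain, systemMayContain, systemMustContain, subClassOf
$declared = @($userClass.mustContain) + @($userClass.systemMustContain) +
            @($userClass.mayContain)  + @($userClass.systemMayContain)
Write-Host "'user' derives from '$($userClass.subClassOf)' and declares $($declared.Count) attributes directly"

# For a few well-known attributes, show syntax, multi-valuedness and range.
$watch = 'userAccountControl', 'memberOf', 'servicePrincipalName', 'unicodePwd', 'pwdLastSet', 'objectSid'
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, rangeLower, rangeUpper, systemOnly |
    Where-Object { $watch -contains $_.lDAPDisplayName } |
    Select-Object lDAPDisplayName,
        @{ n = 'Syntax'; e = { if ($syntaxNames.ContainsKey($_.attributeSyntax)) { $syntaxNames[$_.attributeSyntax] } else { $_.attributeSyntax } } },
        @{ n = 'MultiValued'; e = { -not $_.isSingleValued } },
        rangeLower, rangeUpper, systemOnly |
    Format-Table -AutoSize

# Security check: attributes with searchFlags bit 0x80 are "confidential". They
# are not returned by a plain read; the caller needs CONTROL_ACCESS on the
# attribute. The LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803)
# selects them. Anything sensitive that is missing from this list is readable
# by every Authenticated User with default object permissions.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName |
    Sort-Object
```

Schema changes are forest-wide and irreversible (attributes can be deactivated but never deleted), which is why modifying the schema requires membership in Schema Admins and should be done against the schema master only after testing in a lab forest.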

Organizational units (OUs)

AD objects within a domain can be grouped into logical containers called organizational units (OUs). OUs are objects too, which allows administrators to create nested OUs. All objects in any given OU must have unique names, and each object can be in only one OU at any given time.

Be careful not to confuse OUs with AD groups. A group is a collection of security principals (users, computers, other groups) whose membership is what grants them permissions and rights; a given user can be, and usually is, a member of many groups at once, whereas an object sits in exactly one OU. The confusion typically arises because Group Policy objects (GPOs) are linked to OUs (and to sites and domains, but never to groups), and a linked GPO also affects what the users and computers beneath that OU can and cannot do. To make a GPO apply only to some of the objects under an OU, you keep the link on the OU and restrict the Apply permission on the GPO to a group (security filtering).
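The PowerShell below is an added example and not code from the original article. It creates an OU, a security group and a GPO, moves a computer into the OU and adds it to the group as two separate operations, links the GPO to the OU, shows that linking it to the group fails, and then scopes the GPO to group members with security filtering. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account allowed to create objects in the domain; the OU, group, GPO and computer names (Workstations-Finance, FIN-Hardening-Targets, "Finance - Hardening", FIN-WS-001) are made up for the example.

```powershell
# Added example (not from the original article). Names below are made up.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$ouName    = 'Workstations-Finance'
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'FIN-Hardening-Targets'
$gpoName   = 'Finance - Hardening'

# 1. An OU is a container: an object lives in exactly one OU at a time.
#    ProtectedFromAccidentalDeletion adds a deny-delete ACE so a mis-click in
#    ADUC cannot remove the whole branch.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. A group is a membership list: an object can be in many groups at once.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path $ouDN -PassThru
}

# Moving a computer into the OU and adding it to the group are unrelated:
# Move-ADObject changes where the object lives, Add-ADGroupMember changes what
# it is a member of. (The computer account is assumed to exist already.)
$computer = Get-ADComputer -Identity 'FIN-WS-001'
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDN
$computer = Get-ADComputer -Identity $computer.ObjectGUID   # DN changed; re-read by GUID
Add-ADGroupMember -Identity $group -Members $computer

# 3. A GPO can be linked to sites, domains and OUs only. Linked to the OU, it
#    applies to every user and computer object beneath that OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# Linking the same GPO to the group's DN fails: a group is not a link target.
try {
    New-GPLink -Name $gpoName -Target $group.DistinguishedName -ErrorAction Stop
} catch {
    Write-Host "Cannot link a GPO to a group: $($_.Exception.Message)"
}

# To make the GPO affect only group members, keep the link on the OU and use
# security filtering: Authenticated Users is reduced to Read (computers must
# still be able to read the GPO after MS16-072) and only the group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the two relationships separately: container (DN) vs. memberships.
Get-ADComputer -Identity $computer.ObjectGUID -Properties memberOf |
    Select-Object Name, DistinguishedName, memberOf
```

Two things to note when running this for real: a DomainLocal group was chosen because the GPO is a resource in this domain only, and the `-Replace` on the Authenticated Users entry downgrades the default Apply permission to Read rather than removing it, which is the mistake that silently breaks computer-side policy processing.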

Domains

An Active Directory domain is a logical group of objects (users, computers, OUs and so on) that is managed by the same administrative team and is usually located on the same physical network.

Trees

Domains are organized into trees. An AD DS tree is a set of domains that share a contiguous DNS namespace (for example, a root domain and its child domains whose names end with the root's name), connected by two-way transitive parent-child trusts that AD creates automatically when a child domain is added. Schema and global catalog are shared not just within a tree but across the whole forest.

Forests

The Active Directory forest is the highest level of the hierarchy. All domains in a forest share one schema, one configuration partition and one global catalog, and the forest root domain holds the Enterprise Admins and Schema Admins groups. While domains represent administrative boundaries, the forest is the security boundary for AD DS: a domain administrator in any domain of the forest has to be assumed capable of compromising the entire forest, so every domain admin in a forest is implicitly trusted by every other domain. Objects in separate forests cannot interact unless the administrators of both forests create a trust between them, and cross-forest trusts should be configured deliberately (SID filtering, selective authentication) rather than with defaults.
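The PowerShell below is an added example and not code from the original article; it serves both the Trees and Forests sections above. It prints the forest-wide roles, groups the forest's domains into trees by their parent-child relationships, lists all trusts, and warns on the trust settings a reviewer would check because the forest is the security boundary. It assumes the RSAT ActiveDirectory module and read access to the forest; all names come from whatever Get-ADForest returns.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module; read access to the forest is sufficient.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest root    : $($forest.RootDomain)"
Write-Host "Forest mode    : $($forest.ForestMode)"
Write-Host "Schema master  : $($forest.SchemaMaster)   (one per forest: schema and configuration are forest-wide)"
Write-Host "Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# Trees: a domain with no parent starts a tree; its children share its DNS
# suffix and are joined to it by automatic two-way transitive trusts.
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }
foreach ($d in $domains) {
    $tag = if ($d.ParentDomain) { "child of $($d.ParentDomain)" } else { "tree root" }
    Write-Host ("{0,-40} {1}" -f $d.DNSRoot, $tag)
}

# Trusts of the current domain. IntraForest trusts are the automatic ones;
# anything else was created by an administrator and deserves review.
$trusts = Get-ADTrust -Filter *
$trusts |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
        SelectiveAuthentication, SIDFilteringQuarantined, TGTDelegation |
    Format-Table -AutoSize

# Reviewer checks on trusts that leave the forest:
#  - External (non-forest-transitive) trusts should have SID filtering
#    ("quarantine") on; without it the trusted domain can present SIDs from
#    this forest in SID history and be treated as a member of your groups.
#  - Selective authentication limits which resources trusted users may reach;
#    otherwise every trusted user is an Authenticated User everywhere here.
#  - TGT delegation across a trust allows unconstrained delegation from the
#    other side and should stay off.
foreach ($t in ($trusts | Where-Object { -not $_.IntraForest })) {
    if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
        Write-Warning "External trust with $($t.Name): SID filtering is OFF"
    }
    if (-not $t.SelectiveAuthentication) {
        Write-Warning "Trust with $($t.Name): forest-wide authentication in use, not selective authentication"
    }
    if ($t.TGTDelegation) {
        Write-Warning "Trust with $($t.Name): TGT delegation is enabled"
    }
}
```

Get-ADTrust only reports the trusts of the domain you are connected to; run it against each domain in $forest.Domains (with -Server) to see the complete picture, since a child domain can hold an external trust the root domain knows nothing about.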

Physical Structure

Let’s briefly touch on the physical structure of Active Directory. It can be divided into:

  • Hosts — Devices connected to the domain network
  • Subnets — Network groups with a specified range of IP addresses and a network mask
  • Sites — Groups of one or more well-connected subnets. AD uses sites to send clients to a nearby domain controller and to schedule and compress replication between locations, so that DC replication does not saturate slow links
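The PowerShell below is an added example, not code from the original article. It maps each site to its subnets and domain controllers, lists subnets that are not assigned to any site, shows the site links that govern inter-site replication, and reads the NETLOGON debug log of one DC for clients whose IP addresses match no defined subnet. It assumes the RSAT ActiveDirectory module, read access to the configuration partition, and (for the last step) administrative access to a DC's admin$ share.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module; the last step additionally needs admin$ access on a DC.
Import-Module ActiveDirectory

$sites   = Get-ADReplicationSite   -Filter *
$subnets = Get-ADReplicationSubnet -Filter *     # .Site is the site's DN (or empty)
$dcs     = Get-ADDomainController  -Filter *

# Site -> subnets and DCs. A site with subnets but no DC sends its clients to
# the cheapest neighbouring site; a site with DCs but no subnets never gets
# any clients assigned to it.
foreach ($site in $sites) {
    $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName } | Select-Object -ExpandProperty Name)
    $siteDCs     = @($dcs     | Where-Object { $_.Site -eq $site.Name }               | Select-Object -ExpandProperty HostName)
    Write-Host ("Site {0}: {1} subnet(s), {2} DC(s)" -f $site.Name, $siteSubnets.Count, $siteDCs.Count)
    $siteSubnets | ForEach-Object { Write-Host "    subnet $_" }
    $siteDCs     | ForEach-Object { Write-Host "    dc     $_" }
    if ($siteSubnets.Count -eq 0) { Write-Warning "Site $($site.Name) has no subnets mapped to it" }
    if ($siteDCs.Count -eq 0)     { Write-Warning "Site $($site.Name) has no domain controller" }
}

# Subnets defined but not assigned to a site are ignored by DC locator.
$subnets | Where-Object { -not $_.Site } | ForEach-Object {
    Write-Warning "Subnet $($_.Name) is not assigned to any site"
}

# Site links: which sites replicate with each other, how often, and at what cost.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize

# Clients whose address is in no defined subnet are logged by NETLOGON on the
# DC they happened to reach as NO_CLIENT_SITE lines; the last token is the IP.
# Such clients authenticate against an arbitrary DC, often across the WAN.
$log = "\\$($dcs[0].HostName)\admin$\debug\netlogon.log"
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'NO_CLIENT_SITE' |
        ForEach-Object { ($_.Line -split '\s+')[-1] } |
        Sort-Object -Unique |
        ForEach-Object { Write-Host "No site for client address $_" }
} else {
    Write-Host "NETLOGON debug log not reachable at $log"
}
```

Unassigned client addresses are worth fixing for security as well as performance: an attacker-controlled host on an unmapped subnet is indistinguishable in the logs from a misconfigured branch office, whereas a complete subnet map lets you spot authentication from an address range that should not exist.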

Active Directory Services

Finally, "Active Directory" is an umbrella for several server roles. We have already covered Active Directory Domain Services (AD DS), which uses the information about objects stored in the directory to authenticate users and authorize them to perform actions according to their access rights.

When people talk about Active Directory, they usually mean Active Directory Domain Services. However, there are other Active Directory services, including:

  • Active Directory Lightweight Directory Services (AD LDS) — Provides directory services for applications
  • Active Directory Certificate Services (AD CS) — Creates and maintains digital certificates used in security systems that use public key technologies
  • Active Directory Federation Services (AD FS) — Provides single sign-on (SSO) capabilities to systems and applications across organizational boundaries
  • Active Directory Rights Management Services (AD RMS) — Applies persistent, usage-based protection to documents and e-mail (for example, restricting who can open, print or forward a file, regardless of where it is copied), using encryption, certificates and authentication

For More Information

You can learn more about core Active Directory concepts by reading our eBook, What is Active Directory.

Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.