Active Directory (AD) is the cornerstone of any on-premises or hybrid Microsoft environment. It stores information about users, computers and other objects, and provides vital services that enable employees to be productive and business processes to run. This article covers the Active Directory basics you need to know.
What is Active Directory?
Active Directory is a directory service for Windows network environments. The directory serves as a central database for information about users, computers, groups and other objects in the environment. The core services that AD provides are authentication and authorization:
- Authentication is the process of verifying that a user, application or other identity is who they claim to be, for example, by checking their user ID and password.
- Authorization is the process of determining whether the identity has the proper permissions to access the service or resource that it has requested.
How Is Active Directory Structured?
An Active Directory environment is structured in a hierarchy: forest, tree and domain. The primary units are forests and domains; trees are the logical structure of domains and child domains under them.
What are forests?
A forest is a set of one or more domains. Many organizations have a single forest, but organizations with multiple divisions, service providers, and companies in the process of a merger or acquisition often have multiple forests.
What are forest trusts (one-way, two-way, transitive, non-transitive)?
A forest is a security boundary — objects in different forests cannot interact with each other unless the administrators of the forests create a trust between them. A trust is a method of linking two forests to enable a seamless authentication and authorization experience for users.
Trusts can be one-way (users in domain A can access resources in domain B, but not vice versa) or two-way (users in either domain can access resources in the other). A trust can also be transitive or non-transitive, which determines whether it extends beyond the two domains between which it was created.
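The following PowerShell script is an added example, not part of the original article: it lists the trusts of the current domain and reports, for each, the direction and transitivity just described, flagging the combinations an administrator usually wants to review (two-way, forest-transitive, SID filtering not enabled, no selective authentication). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read trust objects.

```powershell
# Added example: report on the direction and transitivity of each trust.
# Assumes the ActiveDirectory module (RSAT) and read access to trust objects.
Import-Module ActiveDirectory

function Get-TrustReport {
    foreach ($t in Get-ADTrust -Filter *) {
        $findings = @()

        # Two-way trusts let users in either domain reach the other's resources.
        if ($t.Direction -eq 'BiDirectional') { $findings += 'two-way' }

        # A forest-transitive trust extends to every domain in the other forest.
        if ($t.ForestTransitive) { $findings += 'forest-transitive' }

        # SID filtering only applies to trusts with other domains or forests;
        # SIDFilteringForestAware covers forest trusts, SIDFilteringQuarantined
        # covers external trusts. Neither set means SIDs from the other side
        # are accepted unfiltered.
        if (-not $t.IntraForest -and
            -not $t.SIDFilteringForestAware -and
            -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering not enabled'
        }

        # Selective authentication limits which resources the trusted side may use.
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $findings += 'no selective authentication'
        }

        [pscustomobject]@{
            Source      = $t.Source
            Target      = $t.Target
            Direction   = $t.Direction            # Inbound, Outbound or BiDirectional
            TrustType   = $t.TrustType            # Uplevel (AD), Downlevel, MIT, DCE
            Transitive  = -not $t.DisallowTransivity  # module spells the flag this way
            IntraForest = $t.IntraForest
            Findings    = ($findings -join '; ')
        }
    }
}

Get-TrustReport | Sort-Object Target | Format-Table -AutoSize
```

Run it on a domain controller or a management host with RSAT; an empty Findings column means the trust is one-way, non-transitive and filtered.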
What is a domain?
A domain is a collection of AD objects, such as users, computers, groups and Organizational Units, that are stored in a shared database. An Active Directory domain is a management boundary, which means the objects in it can be managed together.
What is an organizational unit (OU)?
An AD domain can be further organized into organizational units. Administrators often use OUs to group users, computers and other objects into units that mirror the organization’s structure, so that the relevant policies can easily be applied to each group. For example, you might have an OU for each department that contains the associated user and computer objects.
What are the main components of Active Directory (both logical and physical)?
The logical structure of Active Directory is what we’ve just described, with components such as forests, trees, domains and OUs.
The physical components of Active Directory include:
- Domain controllers — Domain controllers are special servers that provide core Active Directory services, including authentication and authorization services. Each domain must have at least one domain controller, but having multiple DCs improves reliability.
- Sites — A site is a well-connected IP subnet. Sites are used to control replication traffic between domain controllers and help ensure that users connect to local resources.
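As an added example (not code from the original article), this PowerShell script ties the two physical components together: it maps every site to the subnets assigned to it and to the domain controllers placed in it, and flags sites with no DC (clients there authenticate over a site link) or with no subnet mapping (clients there are not assigned to the site at all). It assumes the RSAT ActiveDirectory module and a domain-joined host.

```powershell
# Added example: site coverage report (sites, their subnets and their DCs).
# Assumes the ActiveDirectory module (RSAT); queries the current domain's DCs.
Import-Module ActiveDirectory

function Get-SiteCoverage {
    $dcs     = Get-ADDomainController -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *

    foreach ($site in Get-ADReplicationSite -Filter *) {
        # Subnet objects reference their site by distinguished name.
        $siteSubnets = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName }
        # DC objects carry the site name they were placed in.
        $siteDCs     = $dcs | Where-Object { $_.Site -eq $site.Name }
        $gcCount     = @($siteDCs | Where-Object { $_.IsGlobalCatalog }).Count

        $finding = ''
        if (-not $siteDCs)        { $finding = 'no DC in site' }
        elseif (-not $siteSubnets) { $finding = 'no subnets mapped to site' }
        elseif ($gcCount -eq 0)    { $finding = 'no global catalog in site' }

        [pscustomobject]@{
            Site           = $site.Name
            Subnets        = (@($siteSubnets.Name) -join ', ')
            DomainControllers = (@($siteDCs.HostName) -join ', ')
            GlobalCatalogs = $gcCount
            Finding        = $finding
        }
    }
}

Get-SiteCoverage | Sort-Object Site | Format-Table -AutoSize
```

In a multi-domain forest run it once per domain, since Get-ADDomainController without -Server only returns the current domain's DCs.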
What are other important Active Directory concepts?
Some other Active Directory fundamentals include the following:
- User — A user is a type of AD object. While many user accounts are assigned to individuals, some user accounts are used by applications; they are known as service accounts. A good example is when a system service logs in to run reports or take other actions.
- Groups — Group objects are collections of user accounts, computer accounts or other groups, used to simplify access control, permissions management and resource allocation. Types of groups include security groups (used for access control) and distribution groups (used for email distribution).
- Computers — Computer objects represent workstations, servers and other devices joined to the domain, enabling centralized management, authentication and policy enforcement.
- Shared folder — A shared folder is a container for files that need to be accessed by multiple users. For example, a team or department might have a shared folder with documents for all members to access.
- Global catalog server — A global catalog server is a domain controller that stores a copy of all objects in its domain, as well as a partial copy of objects in the other domains of the forest. Global catalog servers are important for both authorization and object search functionality.
Suggested Reading
To learn about Active Directory step by step, you can use this ordered list of posts on AD basics:
FAQ
What is Active Directory?
Microsoft Active Directory is a directory service that runs on Windows servers called domain controllers (DCs). It stores information about users, computers and other objects in a database, including properties like names and passwords, and provides authentication and authorization services.
What is Active Directory Domain Services?
Active Directory Domain Services (AD DS) is one of the directory services provided by Active Directory. Its primary functions are providing authentication and authorization to manage access to network resources.
What are LDAP and DNS?
Lightweight Directory Access Protocol (LDAP) provides a common language that servers and clients can use to communicate.
Domain Name System (DNS) translates a human-readable domain name like www.netwrix.com into an IP address to load the correct webpage.
Where can I get started learning about Active Directory?
There are a variety of free resources that can help you understand the fundamentals of Active Directory. Here are some of our favorites:
- Netwrix eBook: What is Active Directory?
- Microsoft course: Fundamentals of Active Directory
- Microsoft course: Active Directory Domain Services
- Pluralsight course: Active Directory Administration in Windows Server 2016
- ClassCentral course: Managing Microsoft Windows Server Active Directory Domain Services
- Comparitech tutorial: What is Active Directory? A step-by-step tutorial
- Dummies.com cheat sheet: Active Directory for Dummies Cheat Sheet
Is there a certification for Active Directory?
There are no notable certifications specific to Active Directory. However, Microsoft offers a variety of credentials and certifications that you can explore.
What sources — blogs, forums and other types of content — do you use to learn about Active Directory? We want to know! Please let us know in the comments on this post.