Microsoft Active Directory, simply put, is a database and a directory service. It is an identity and access management solution that allows you to define who can do what in your network. Enterprises rely on Active Directory to efficiently manage their networks.

As a database, Active Directory stores user information such as email addresses, phone numbers, and password hashes. As a directory service, it authenticates users who request access to a resource and authorizes what they are allowed to do on the network.


How does Active Directory work?

Active Directory offers a set of services that administrators use to manage their IT networks. These services run on a Windows server called a domain controller. Active Directory Domain Services (AD DS) is the most widely used of them: it authenticates Active Directory objects (users and computers) and authorizes their access to network resources. AD DS also stores and organizes directory data in a logical, hierarchical structure that can be managed from anywhere in the network. Other important AD services include Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), and Active Directory Rights Management Services (AD RMS).

Read on to learn more about Active Directory and its services.

What are the services offered by Active Directory?

Active Directory offers the following services to secure and maintain your organization's network.

Active Directory Domain Services (AD DS) is the fundamental and primary directory service in a Windows domain. The domain controller that hosts AD DS stores the directory and authenticates access to network resources. AD DS also oversees replication and communication between the domain controllers in the network.

Active Directory Rights Management Services (AD RMS) uses information rights management to control and restrict access to documents in your Active Directory network.

Active Directory Lightweight Directory Services (AD LDS) provides directory services to applications independently of Active Directory and its restrictions. It can also run as a stand-alone directory, with multiple AD LDS instances on one server.

Active Directory Certificate Services (AD CS) acts as a certificate authority and provides public key infrastructure (PKI) functionality in your Active Directory environment.

Active Directory Federation Services (AD FS) provides federated identity management and single sign-on access to applications.

What is Active Directory Domain Services (AD DS)?

Active Directory Domain Services (AD DS) is one of the many services offered by Active Directory. AD DS gives you the flexibility to organize and manage your network resources from a single console.

What is a Domain Controller in Active Directory and what does it do?

Domain controllers (DCs) are the Active Directory servers that host AD DS. DCs are responsible for authenticating Active Directory objects and enforcing their security. Because they are the key components of an Active Directory environment, they have to be up and running at all times, so they are designed to be resilient and fault tolerant. Applications and clients use the Lightweight Directory Access Protocol (LDAP) to interact with DCs; an LDAP query fetches information from the Active Directory database. Active Directory objects are stored on the DCs, and in an organization with multiple DCs the directory data and every change made to it are replicated systematically between them.

The Global Catalog (GC) is a data catalog that works like the index of a book. A GC server is a DC that makes it easier to search for and locate Active Directory objects from any domain in the forest. The GC server holds a full copy of all the objects in its own domain and a partial, read-only copy (a subset of attributes) of every object in the other domains of the forest. The AD DS replication system keeps this copy up to date.

The entire Active Directory database is stored in the ntds.dit file, and the information in it is divided into directory partitions (naming contexts). The data stored in a partition depends on the partition type, and each partition has its own replication scope.

By default, there are three partitions in Active Directory:

  • A schema partition
  • A configuration partition
  • A domain partition

AD DS also lets you configure application directory partitions as and when needed.

Active Directory replication is multi-master, so normally any DC can accept a write and conflicting updates are resolved by "last writer wins". For a few operations where that is unacceptable, exactly one DC is made authoritative. These are the five Flexible Single Master Operation (FSMO) roles, which may be installed on different DCs:

1. Schema master

The DC with the schema master role handles updates to the Active Directory schema. This role is unique in a forest.

2. Domain naming master

The DC with this role is the only one that can add domains to or remove domains from your Active Directory forest. Like the schema master role, there is only one per forest.

3. PDC emulator

There is only one domain controller with the primary domain controller (PDC) emulator role in a domain. This DC handles password change requests, time synchronization, and bad password attempts.

4. RID master

This role is unique to a domain. The DC with this role allocates pools of relative IDs (RIDs) to the other DCs in the domain; each DC combines the domain security ID (SID) with a RID from its pool to form the unique SID of every new security principal it creates.

5. Infrastructure master

The DC with this role takes care of cross-domain updates and references. The infrastructure master role should be on a DC that is not a GC server.

DCs respond to authentication requests and authorize access to resources based on the configured permissions. AD DS logs all these requests and their outcomes, user activity, and the changes made to Active Directory objects.
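The following PowerShell is an added example, not code from the original page: it reports the five FSMO role holders using the RSAT ActiveDirectory module (assumed to be installed on a domain-joined machine) and checks the placement rule stated above, that the infrastructure master should not sit on a GC server. The check itself is a pure function, so it is exercised here on constructed host names rather than a live domain. It goes one step beyond the text in one respect: when every DC in the domain is a GC, the infrastructure master has no cross-domain references to fix, so its placement no longer matters, and the check treats that case as compliant.

```powershell
# Added example (not from the original page). Assumes RSAT's ActiveDirectory module
# for the live query only; the placement check runs on constructed data.

function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)][string]$InfrastructureMaster,   # hostname of the DC holding the role
        [Parameter(Mandatory)][string[]]$GlobalCatalogs,        # hostnames of the domain's GC servers
        [Parameter(Mandatory)][string[]]$DomainControllers      # hostnames of all DCs in the domain
    )
    $onGc     = $GlobalCatalogs -contains $InfrastructureMaster
    $nonGcDcs = @($DomainControllers | Where-Object { $GlobalCatalogs -notcontains $_ })
    # The rule only matters while at least one DC is not a GC; if all DCs are GCs
    # there are no stale cross-domain references left for the role to maintain.
    $compliant = (-not $onGc) -or ($nonGcDcs.Count -eq 0)
    $advice = if ($compliant) {
        'OK'
    } else {
        "Move the role to a non-GC DC (for example $($nonGcDcs[0])) or make every DC a GC"
    }
    [pscustomobject]@{
        InfrastructureMaster  = $InfrastructureMaster
        HostedOnGlobalCatalog = $onGc
        Compliant             = $compliant
        Advice                = $advice
    }
}

function Get-FsmoRoleHolders {
    # Live query: requires the ActiveDirectory module and a domain-joined session.
    Import-Module ActiveDirectory -ErrorAction Stop
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster         # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster   # one per forest
        PDCEmulator          = $domain.PDCEmulator          # one per domain
        RIDMaster            = $domain.RIDMaster            # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster # one per domain
    }
}

# Constructed sample (hostnames are made up): dc2 holds the role and is also a GC,
# while dc3 is not a GC, so the check reports it as non-compliant.
Test-InfrastructureMasterPlacement `
    -InfrastructureMaster 'dc2.corp.example.com' `
    -GlobalCatalogs       @('dc1.corp.example.com', 'dc2.corp.example.com') `
    -DomainControllers    @('dc1.corp.example.com', 'dc2.corp.example.com', 'dc3.corp.example.com')

# Against a live domain, feed the same check from Get-ADDomain / Get-ADForest:
#   $d = Get-ADDomain; $f = Get-ADForest
#   Test-InfrastructureMasterPlacement -InfrastructureMaster $d.InfrastructureMaster `
#       -GlobalCatalogs    ($f.GlobalCatalogs | Where-Object { $_ -like "*.$($d.DNSRoot)" }) `
#       -DomainControllers $d.ReplicaDirectoryServers
```

Get-FsmoRoleHolders returns the same information that `netdom query fsmo` prints, but as an object that can be compared across runs; an unexpected change of role holder is worth investigating, since seizing FSMO roles is a privileged operation.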

What is the structure of Active Directory?

Active Directory stores information in a logical, hierarchical framework to streamline management. The object is the smallest unit in Active Directory, and the forest is the topmost container.

The Active Directory schema defines which kinds of objects can be stored in your Active Directory. Every object has a set of attributes determined by its object class (classSchema). The schema is extensible and can be adapted to an organization's needs. However, changes made to the schema are irreversible, so it should only be modified when it is essential.


Active Directory stores network resources and related information as objects. User accounts, computer accounts, contacts, groups, organizational units, and shared folders are all the different objects that can be found in Active Directory.

AD Objects

Objects that can be authenticated—user accounts, computer accounts, and groups—are called security principals, and other objects like printers are called resources. Attributes like sAMAccountName or userPrincipalName are unique to an object and cannot be duplicated. Every Active Directory object has a globally unique identifier (GUID) that never changes, and every security principal also has a security identifier (SID) that is specific to its domain, so a principal moved to another domain receives a new SID. A SID is formed from the domain SID plus a relative ID (RID) drawn from the pool that the DC holding the RID master FSMO role allocated to the creating DC.
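As an added example (not part of the original page), the PowerShell below splits a principal's SID into the domain SID and the RID using only the .NET SecurityIdentifier type, so it runs offline; the domain SID values are constructed. It also names the well-known RIDs that every domain has, which is the usual way an auditor recognizes the built-in Administrator account (RID 500) even after it has been renamed, and it accepts the raw byte form that LDAP returns in the objectSid attribute.

```powershell
# Added example (not from the original page). Runs offline; SIDs below are constructed.

# Well-known RIDs that exist in every domain, independent of how the object is named
$WellKnownRids = @{
    500 = 'Administrator';  501 = 'Guest';            502 = 'krbtgt'
    512 = 'Domain Admins';  513 = 'Domain Users';     514 = 'Domain Guests'
    515 = 'Domain Computers'; 516 = 'Domain Controllers'; 518 = 'Schema Admins'
    519 = 'Enterprise Admins'; 520 = 'Group Policy Creator Owners'
}

function Split-AdSid {
    # $Sid is either the string form 'S-1-5-21-...' or the objectSid byte[] from LDAP
    param([Parameter(Mandatory)]$Sid)
    $sidObj = if ($Sid -is [byte[]]) {
        [System.Security.Principal.SecurityIdentifier]::new($Sid, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]::new([string]$Sid)
    }
    # The RID is the last sub-authority; everything before it is the domain SID
    $rid = [int](($sidObj.Value -split '-')[-1])
    $domainSid = if ($sidObj.AccountDomainSid) { $sidObj.AccountDomainSid.Value } else { $null }
    [pscustomobject]@{
        Sid         = $sidObj.Value
        DomainSid   = $domainSid
        Rid         = $rid
        WellKnown   = if ($WellKnownRids.ContainsKey($rid)) { $WellKnownRids[$rid] } else { $null }
        # RIDs of 1000 and above are handed out from the pool the RID master gave the creating DC
        FromRidPool = $rid -ge 1000
    }
}

# Constructed sample: the built-in Administrator keeps RID 500 whatever its sAMAccountName is
Split-AdSid 'S-1-5-21-1111111111-2222222222-3333333333-500'

# Constructed sample: an ordinary user created later, RID taken from the DC's pool
Split-AdSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# LDAP returns objectSid as bytes; convert the string form to bytes and parse that path too
$groupSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-21-1111111111-2222222222-3333333333-512')
$bytes = New-Object byte[] $groupSid.BinaryLength
$groupSid.GetBinaryForm($bytes, 0)
Split-AdSid $bytes
```

Because the RID master hands each DC a block of RIDs, two principals created on different DCs at the same moment still get distinct SIDs; a gap between consecutive RIDs in your domain is therefore normal and not a sign of deleted accounts.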

AD Organizational Units (OUs)

Objects can be grouped into organizational units (OUs) or groups based on administrative need. OUs in Active Directory are container objects and can contain objects like user accounts, computers, or other OUs in the domain, which are referred to as nested OUs. Configuring OUs enables you to depict an organization's structure, apply Group Policies, and delegate administrative rights.

AD Groups

Active Directory groups let you organize the security principals in your Active Directory for ease of administration. There are two types of groups in Active Directory: security groups and distribution groups.

Security groups are used to assign permissions and user rights. They can also be mail-enabled, in which case a message to the group reaches all of its members at once. Every security group has a group scope, which determines how far the assigned permissions and user rights reach in Active Directory. There are three group scopes: universal, global, and domain local.

Distribution groups are mail-enabled only: they cannot be used to assign permissions and exist solely to send email to a set of recipients. They are extremely handy in an Exchange environment.

AD Domains, Trees and Forests

Objects in the same network that share similar security requirements can be logically grouped into a domain. Domains can contain subdomains, called child domains. Changes made within a domain are recorded in that domain's partition (the domain naming context).

Domains in Active Directory that share a common root and are linked by trust relationships form a tree. Taken together, these components make up a forest. A forest contains domains that share a common structure, GC, and schema. The forest is the security boundary: another Active Directory forest can access it only when a trust relationship has been configured between the two.

Thus, Active Directory follows a logical, hierarchical structure: objects make up domains, domains make up trees, and trees make up a forest.
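The hierarchy just described (forest, domain, nested OUs, object) is exactly what a distinguished name (DN) encodes, read from right to left. The PowerShell below is an added example, not code from the original page: it parses a DN into its domain, its OU path read top-down, and the leaf object, handling the RFC 4514 escaping of commas inside values. It is pure string handling and runs offline; the DNs are constructed, and the function name Resolve-AdDnHierarchy is the example's own.

```powershell
# Added example (not from the original page). Pure string handling; DNs are constructed.

function Resolve-AdDnHierarchy {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on commas that are not escaped with a backslash (RFC 4514 writes "\," inside a value)
    $rdns  = [regex]::Split($DistinguishedName, '(?<!\\),')
    $parts = foreach ($rdn in $rdns) {
        $type, $value = $rdn.Trim() -split '=', 2
        [pscustomobject]@{
            Type  = $type.ToUpper()
            Value = $value -replace '\\(.)', '$1'    # remove the escaping backslashes
        }
    }

    $dcs  = @($parts | Where-Object Type -eq 'DC' | ForEach-Object Value)
    $ous  = @($parts | Where-Object Type -eq 'OU' | ForEach-Object Value)
    $leaf = $parts | Where-Object { $_.Type -notin 'DC', 'OU' } | Select-Object -First 1

    # DC= components spell the domain's DNS name; a child domain simply has one more of them
    $domain = $dcs -join '.'
    $parentDnsName = if ($dcs.Count -gt 1) { ($dcs | Select-Object -Skip 1) -join '.' } else { $null }

    # A DN lists the innermost OU first; reverse so the path reads from the domain downwards,
    # which is also the order in which linked GPOs are inherited
    $ousTopDown = $ous.Clone()
    [array]::Reverse($ousTopDown)

    [pscustomobject]@{
        Domain        = $domain
        ParentDnsName = $parentDnsName   # DNS parent; it is an AD domain only if the tree has one there
        OuPath        = $ousTopDown -join '/'
        ObjectType    = if ($leaf) { $leaf.Type } else { 'domain' }
        ObjectName    = if ($leaf) { $leaf.Value } else { $null }
    }
}

# Constructed DNs: a user in nested OUs of a child domain, with an escaped comma in the CN
Resolve-AdDnHierarchy 'CN=Doe\, Jane,OU=Sales,OU=Users,DC=emea,DC=corp,DC=example,DC=com'

# A computer account directly under a single OU in the tree root domain
Resolve-AdDnHierarchy 'CN=WS001,OU=Workstations,DC=corp,DC=example,DC=com'

# The domain head itself has no leaf object and no OU path
Resolve-AdDnHierarchy 'DC=corp,DC=example,DC=com'
```

For the first DN the function yields the domain emea.corp.example.com, its parent corp.example.com, the OU path Users/Sales, and the leaf name with the escaped comma restored. Reading OU paths top-down in this way is how you reason about which GPOs and which delegated permissions apply to an object.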

What are the benefits of Active Directory?

Active Directory acts as a centralized, highly scalable management tool. It lets you oversee your IT network from a single console and customize objects to meet your organization's requirements. It comes with built-in replication that distributes data across the DCs in your network, and, once configured, a backup and recovery feature that lets you restore information as and when needed.

Overall, Active Directory helps in managing your IT network—but make sure to structure it carefully, because it can make or break your business.

Simplify Active Directory Management

Administrative tasks like object creation, modification, and deletion; password resets; and access control can be performed using the Active Directory Users and Computers console (ADUC). Active Directory objects can also be managed using PowerShell scripts. The GC server, Active Directory replication, sites, subnets, and other related settings can be configured in the Active Directory Sites and Services snap-in.

A Group Policy in Active Directory allows you to configure the Windows environment of users and computers. Policy settings and preferences are grouped and contained in a Group Policy Object (GPO). GPOs can be applied at the OU, domain, or site level. They can be modified using the Local Group Policy Editor or the Group Policy Management Console.

Apart from the snap-ins provided by Microsoft, Active Directory can also be managed using ADManager Plus, an Active Directory management and reporting solution.
