What is Active Directory: The Ultimate Guide

Michael Reinders


Learn what Active Directory (AD) is and how AD makes it easier for IT to manage their organization’s computer resources. Active Directory is especially useful for companies that have to manage lots of endpoints and servers. Read more here.

What is Active Directory and why is it used?

Active Directory (AD) is a directory service from Microsoft that stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. Think of it as a telephone directory but for objects and devices on a computer network.

Active Directory Users and Computers

AD controls much of the activity that goes on in your IT environment. In particular, it makes sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and it allows them to access only the data they’re allowed to use (authorization).

What is AD Domain Services?

Active Directory Domain Services (AD DS)

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides methods for storing directory data and making this data available to network users and administrators.

When you install AD DS in your environment, the servers on which you install the AD DS server role become the keys to the kingdom for this directory service; they are known as domain controllers (DCs). AD DS stores information about user accounts, such as names, passwords, and phone numbers, as well as about computers and other devices like printers and other network resources.

Only authorized users, each of whom is assigned a unique security identifier (SID), can access protected information on the same network. The individual attributes of a user (name, address, location, manager, and so on) are stored in the directory database.

What determines what users can do with the various resources in your network? Permissions. Access tokens are granted every time a user logs on to a computer. Those access tokens contain the keys that the user needs to open the G: drive and that Excel file in the Sales folder.

Who is Active Directory for?

Well, honestly, I would have to say AD is for almost any company or organization out there. I have yet to come across an environment that didn’t utilize Active Directory Domain Services. AD simplifies life for administrators and end users while enhancing security for organizations.

Administrators get centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature. End users can authenticate once and then seamlessly access any resources in the domain for which they’re authorized (single sign-on).

Plus, files are stored in a central repository where they can be shared with other users to ease collaboration and backed up properly by IT teams to ensure business continuity.

How Active Directory works

So, what’s at the heart of how this service introduced in Windows 2000 works? Well, Active Directory Domain Services (AD DS) is a part of the Windows Server operating system. The servers that run AD DS are called domain controllers (DCs).

Back in the days of Windows NT Server, there was a specific role, the Primary Domain Controller (PDC), that held many of the key roles for the domain that the other DCs did not.

Organizations normally have multiple DCs for redundancy, performance, and business continuity. Each one has a copy of the directory for the entire domain. Changes made to the directory on one domain controller — such as password update or the deletion of a user account — are replicated using a replication service to the other DCs so they all stay up to date.

In addition, the schema of the database central to AD DS includes the various attributes each person, group, or computer can hold.

A Global Catalog (GC) server is a domain controller that stores a complete copy of all objects in the directory of its domain and a partial copy of all objects of all other domains in the forest; this enables users and applications to find objects in any domain of their forest.

Desktops, laptops, and other devices running Windows (rather than Windows Server) can be part of an AD environment, but they do not run AD DS.

AD DS relies on several established protocols and standards, including LDAP (Lightweight Directory Access Protocol), Kerberos, and DNS (Domain Name System).

IT admins can use various tools to access AD information, including the Active Directory Users and Computers (ADUC) console, the AD Administrative Center, and AD Sites and Services. I invite you to check my separate post about how to access Active Directory.

It’s important to understand that Active Directory is only for on-premises Microsoft environments. Microsoft environments in the cloud use Azure Active Directory, which serves the same purposes as its on-prem namesake.

AD and Azure AD are separate but can work together to some degree if your organization has both on-premises and cloud IT environments (a hybrid deployment). I’ll give you more on what Azure Active Directory (AAD) is at the end of this post.

Understanding the structure of AD Domain Services

There are three core logical structures to AD DS. They are domains, trees, and forests. A domain is a group of related users, computers, and other AD objects, such as all the AD objects for your company’s various headquarters and branch offices. Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest.

Keep in mind that a domain is a management boundary. The objects for a given domain are stored in a single database and can be managed together. A forest is a security boundary. Objects in different forests are not able to interact with each other unless the administrators of each forest create a trust between them.

For instance, if you have multiple disjointed business units, creating multiple forests will likely make them easier to manage.

What about other Active Directory services?

So, is Active Directory simply AD DS? Nope. There are a few other software features that make up the whole of AD. The most common one after AD DS is Active Directory Federation Services (AD FS).

Active Directory Federation Services (AD FS) enables federated Identity and Access Management (IAM) by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

AD FS extends the ability to use single sign-on functionality that is available within a single security or enterprise boundary to Internet-facing applications to enable customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.

Starting in Windows Server 2012 R2, AD FS included a federation service role service that acts as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS).

The other main services include:

How Active Directory helps IT

There are several benefits for IT folk in using AD DS in your organization:

  • You can choose how to organize your data across the various teams of users and roles in your organization.
  • You can manage AD DS from any computer on the network, if necessary.
  • AD DS provides built-in replication and redundancy: if one domain controller (DC) fails, another DC picks up the load.
  • All access to network resources goes through AD DS, which keeps network access rights management centralized.

The largest benefit of implementing Active Directory for your users is a centralized token they receive when they log in to their computer. Instead of needing one user account to access the resources on one server, another for the second server, and so on, you grant tokens to a single account that the user can use to seamlessly access resources and printers across the enterprise.

What are the steps in setting up Active Directory?

There are several articles on Petri that contain step-by-step tutorials on how to install AD in your environment. A considerable amount of planning is also required to lay out the design of your infrastructure: the number of servers, whether they are physical or virtual, whether they sit on-premises or in Azure, and so on. I’ll give you the high-level outline of the steps required.

Adding a new AD domain to an existing forest

  1. Install the AD DS Role in Server Manager or PowerShell.
  2. Promote the server to a domain controller.
  3. Reboot your server and start adding additional domain controllers, and then user account objects.
  4. Start joining organization devices and computers to the domain.
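The four steps above as PowerShell, as an added example that is not part of the original post. It assumes a fresh Windows Server, an account in the parent forest’s Enterprise Admins group, and the placeholder names corp.example.com (existing forest), emea (new child domain) and a workstation you join at the end:

```powershell
# Added example (not from the original post). Placeholders: corp.example.com is the
# existing forest root, "emea" is the new child domain. Run elevated on the new server.

# Step 1: install the AD DS role plus the RSAT tools (ADUC, the ActiveDirectory module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote this server to the first DC of a new child domain in the existing forest.
# The DSRM password unlocks Directory Services Restore Mode; prompt for it, never hard-code it.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$credential   = Get-Credential -Message 'Enterprise Admins account in corp.example.com'
Install-ADDSDomain `
    -NewDomainName 'emea' `
    -ParentDomainName 'corp.example.com' `
    -DomainType ChildDomain `
    -InstallDns `
    -CreateDnsDelegation `
    -Credential $credential `
    -SafeModeAdministratorPassword $dsrmPassword
# Step 3: the promotion reboots the server on completion.

# Step 3 continued (run on the second server): add another DC so the domain survives one failure.
Install-ADDSDomainController -DomainName 'emea.corp.example.com' -InstallDns `
    -Credential $credential -SafeModeAdministratorPassword $dsrmPassword

# Step 3 continued: create user objects with the module installed in step 1.
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName 'jdoe@emea.corp.example.com' `
    -AccountPassword (Read-Host -AsSecureString -Prompt 'Initial password for jdoe') `
    -Enabled $true -ChangePasswordAtLogon $true

# Step 4 (run on the workstation as a local administrator): join it to the domain and reboot.
Add-Computer -DomainName 'emea.corp.example.com' -Credential $credential -Restart
```

The promotion and the domain join each require a reboot, so run the sections on the machine named in their comments rather than as one script.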

Active Directory vs LDAP or NIS

We already explained what Active Directory is above. But what about LDAP and NIS? What are they, and how are they different?

The Network Information Service, or NIS (originally called Yellow Pages or YP), is Sun Microsystems’ client-server directory service protocol for distributing system configuration data, such as user and host names, between computers on a computer network. NIS is a discovery mechanism.

What is LDAP? Companies store usernames, passwords, email addresses, printer connections, and other static data within directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data. LDAP can also be used for authentication, so users can sign on just once and access many different files on the server (SSO).
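An added example (not from the original post) of AD being queried over LDAP from PowerShell via .NET DirectoryServices. It also illustrates the Global Catalog described earlier: the same search is run against a DC’s own domain partition (port 389) and against the GC (port 3268), which answers for every domain in the forest but only holds a partial attribute set for objects from other domains. It assumes a domain-joined Windows machine; the forest root DC=corp,DC=example,DC=com and the user jdoe are placeholders.

```powershell
# Added example (not from the original post). Placeholder forest root; runs domain-joined.
Add-Type -AssemblyName System.DirectoryServices

$forestRoot = 'DC=corp,DC=example,DC=com'
# LDAP:// binds to the domain partition of a DC in this domain (full attribute set).
$domainRoot = [ADSI]"LDAP://$forestRoot"
# GC:// binds to the Global Catalog: every object in the forest, but objects from other
# domains carry only the partial attribute set, and only universal group membership
# is replicated to it, so memberOf for those objects is incomplete.
$gcRoot = [ADSI]"GC://$forestRoot"

function Find-AdUser {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.DirectoryEntry] $Root,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # Escape RFC 4515 filter metacharacters so caller input cannot change the filter's meaning.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(
        @('distinguishedName', 'objectSid', 'userAccountControl', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        # objectSid is stored as a binary blob; decode it into the S-1-5-... form.
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
            $result.Properties['objectsid'][0], 0)
        [pscustomobject]@{
            DistinguishedName  = $result.Properties['distinguishedname'][0]
            SID                = $sid.Value
            UserAccountControl = $result.Properties['useraccountcontrol'][0]
            Groups             = @($result.Properties['memberof'])
        }
    }
}

# Same query, two scopes: compare the Groups column to see the GC's partial view.
Find-AdUser -Root $domainRoot -SamAccountName 'jdoe'
Find-AdUser -Root $gcRoot     -SamAccountName 'jdoe'
```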

Windows Server Active Directory vs Azure Active Directory

Syncing your on-premises AD environment with Azure Active Directory

Azure Active Directory (Azure AD, or AAD) is the next evolution of identity and access management solutions for the cloud. As I stated at the top of this post, Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.

Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises.

Feel free to read our separate post about Active Directory, Azure Active Directory, and other identity providers to see all the core differences between AD and AAD and how managing them differs.
