What is Active Directory (AD)? A Quick & Easy Explainer
Active Directory forms the basis of millions of Windows networks worldwide. Our beginner’s guide explains everything you need to know about the directory service in simple terms.
What Is Active Directory?
Active Directory is a directory service used to administer Windows networks and an essential application for any organization operating their own on-premises Windows domain. You can think of a directory service as a kind of database that stores information about network components such as users, computers and other devices. However, Active Directory not only lists these elements, but allows admins to group them together, organize them in a hierarchical structure and apply different settings and policies to them.
To do this, Active Directory creates what is known as a domain, a networked environment in which computers and devices are managed by a domain controller (DC). The domain controller is the central authority in the network: It contains the policies and settings that are applied to different devices and it stores the user credentials needed to verify a person’s identity during the Windows logon. To avoid outages, Active Directory actually uses multiple domain controllers simultaneously. Each stores the same information, which they continuously replicate amongst each other.
To summarize, the essential facts you need to know about Active Directory are that it is…
Hierarchical: Objects within Active Directory can be grouped together, placed in parent-child relationships and subjected to different rules based on their place in the network structure.
Centrally managed: All essential data about the objects, structures and policies of the network is stored in the domain controllers, who then apply these settings to users and devices.
Scalable: An AD domain can be divided into different organizational units, combined with other domains to form a tree or combined with multiple trees into a forest.
How Is Active Directory Structured?
Within a single Active Directory domain, the domain controllers (DCs) form the center. They store information about all the different network components โ i.e. user accounts, computers and other devices like printers โ as well as the settings that apply to these objects. For example, domain controllers contain the group policy objects that govern user and computer settings in Windows environments.
In addition, AD domains can be combined in various ways. They can be formed into trees with subdomains, combined into forests or even arranged into multi-forest environments. It is generally recommended to stick to a single domain for easier administration, though separate domains or forests can be necessary in large and complex organizations or in order to isolate specific services. More on Active directory forests.
To ensure that all network participants can communicate effectively even across complex overarching structures, Active Directory relies on a few essential background services:
DNS: The Domain Name System (DNS) is protocol that connects network addresses and networked resources, ensuring that all network participants can correctly locate them. It is often likened to a kind of phone book for translating human-friendly lookup data like URLs or file server paths into machine-friendly formats like IP addresses and hard drive storage. Active Directory uses DNS to help devices locate available domain controllers and as part of the Server Message Block (SMB) protocol for looking up resources in the domain’s name space.
Schema: The Active Directory schema is a set of rules that governs valid object classes and attribute types within a domain. In essence, the schema determines the structure for entries in the Active Directory database.
Data Store: The Data Store is the actual database that holds all the information about a domain’s objects and settings. It also comprises various services and protocols that handle access requests for this data.
Active Directory Services: Overview
Aside from Active Directory Domain Services (AD DS), the main directory services that forms the core Active Directory, AD also contains a number of other services that cover different related tasks.
Lightweight Directory Services (AD LDS): The Lightweight Directory Service essentially provides a copy of a domain’s data store that can be accessed using the LDAP protocol. This allows third-party applications to pull information from the AD, for example to sync account data.
Federation Services (AD FS): The federation service AD FS supports single sign-on based on a user’s Windows authentication, such as automatically signing users into web applications after the Windows logon. AD FS relies on Security Assertion Markup Language (SAML). However, organizations increasingly rely on Microsoft’s cloud-based directory Entra ID for its SSO capabilities.
Certificate Services (AD CS): Active Directory’s certificate services operates the public key infrastructure (PKI) needed to encrypt communication, sign electronic documents and use secure transport protocols like SSL/TLS.
Managing Active Directory
Without Active Directory to act as a central authority and directory, managing large-scale Windows networks would be all but impossible. However, operating an Active Directory domain still requires quite a lot of effort. Aside from setting up domain controllers and the required services, the biggest time sink for admins is managing the users, devices and policies their network comprises.
To administer Active Directory effectively, it is important to familiarize yourself with some essential best practices that will make admin life a lot easier. For example, Active Directory permissions should only be assigned through dedicated permission groups in order to make them easier to track. By following Microsoft’s AGDLP model and adding these permission groups to user groups that model the different business roles in your organization, you can make permission management even easier.
You can find more important tips and tricks in our free best practice white paper!
Access Governance Best Practices for Microsoft Environments
Everything you need to know about implementing access control best practices in Active Directory, from implementation tips to common mistakes.