Safekipedia

Active Directory

Adapted from Wikipedia

A network diagram showing how different departments in a publishing company access shared folders based on their roles.

Active Directory (AD) is a directory service made by Microsoft for managing networks of computers that are set up as Windows domains. It is included in Windows Server operating systems and works through a group of processes and services. At first, it was only used for managing domains, but it grew to cover many identity-related services.

A key part of Active Directory is a server called a domain controller. This server runs something called Active Directory Domain Services (AD DS) and it helps confirm who users are and what they can do on the network. It also sets rules for security and helps install or update software on computers. For instance, when someone logs into a computer in this kind of network, Active Directory looks at their username and password to decide if they are a regular user or a system administrator.

Active Directory is built on several standard protocols, including the Lightweight Directory Access Protocol (LDAP), Kerberos, and DNS. One way to think about it is as a database that stores important information about the network, such as details about computers, users, and groups. This helps keep everything organized and secure. For the cloud version of this system, see Microsoft Entra ID.
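The paragraphs above describe a domain controller checking who a user is and then deciding what they may do. Because users are put into groups, and groups can be members of other groups, the controller has to expand all of those nested memberships before it can answer. The following Python is an added example, not code from the page or from Microsoft: it expands nested group memberships the way a logon check needs to, then uses the result to decide which shared folders a user may open. All group, user and folder data is constructed for the example, and the distinguished names are written in the LDAP style the page mentions.

```python
# Added example (not from the page or Microsoft): expanding a user's group
# memberships through nested groups, roughly what a domain controller does
# at logon before deciding what the user may do. All directory data below
# is constructed for the example.

from collections import deque

# Constructed sample: group DN -> list of member DNs (users or other groups).
GROUP_MEMBERS = {
    "CN=Domain Admins,CN=Users,DC=publishing,DC=example": [
        "CN=alice,CN=Users,DC=publishing,DC=example",
    ],
    "CN=Senior Editors,OU=Groups,DC=publishing,DC=example": [
        "CN=carol,CN=Users,DC=publishing,DC=example",
    ],
    "CN=Editors,OU=Groups,DC=publishing,DC=example": [
        "CN=bob,CN=Users,DC=publishing,DC=example",
        "CN=Senior Editors,OU=Groups,DC=publishing,DC=example",
    ],
    "CN=Accounting,OU=Groups,DC=publishing,DC=example": [
        "CN=dave,CN=Users,DC=publishing,DC=example",
    ],
    "CN=Staff,OU=Groups,DC=publishing,DC=example": [
        "CN=Editors,OU=Groups,DC=publishing,DC=example",
        "CN=Accounting,OU=Groups,DC=publishing,DC=example",
        "CN=Domain Admins,CN=Users,DC=publishing,DC=example",
        "CN=All Hands,OU=Groups,DC=publishing,DC=example",
    ],
    # Constructed nesting loop (All Hands contains Staff, Staff contains
    # All Hands). AD does not forbid these, so expansion must remember
    # which groups it has already visited or it would never finish.
    "CN=All Hands,OU=Groups,DC=publishing,DC=example": [
        "CN=Staff,OU=Groups,DC=publishing,DC=example",
    ],
}

# Constructed shared-folder permissions: folder -> groups allowed to open it.
FOLDER_ACCESS = {
    "Manuscripts": {"CN=Editors,OU=Groups,DC=publishing,DC=example"},
    "Payroll": {"CN=Accounting,OU=Groups,DC=publishing,DC=example"},
    "Backups": {"CN=Domain Admins,CN=Users,DC=publishing,DC=example"},
}


def build_member_of(group_members):
    """Invert the member lists into: member DN -> set of groups it is in."""
    member_of = {}
    for group, members in group_members.items():
        for member in members:
            member_of.setdefault(member, set()).add(group)
    return member_of


MEMBER_OF = build_member_of(GROUP_MEMBERS)


def effective_groups(user_dn, member_of=MEMBER_OF):
    """All groups the user belongs to, directly or through nesting."""
    seen = set()
    queue = deque(member_of.get(user_dn, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # the visited set is what breaks nesting loops
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def can_open(user_dn, folder):
    """True if any of the user's effective groups is granted the folder."""
    return bool(effective_groups(user_dn) & FOLDER_ACCESS[folder])


def is_domain_admin(user_dn):
    """Whether nested membership lands the user in Domain Admins."""
    admins = "CN=Domain Admins,CN=Users,DC=publishing,DC=example"
    return admins in effective_groups(user_dn)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        dn = f"CN={user},CN=Users,DC=publishing,DC=example"
        folders = [f for f in FOLDER_ACCESS if can_open(dn, f)]
        print(f"{user}: admin={is_domain_admin(dn)} folders={folders}")
```

Carol is never listed directly in Editors, yet she can open Manuscripts because Senior Editors is nested inside Editors. That is the point a defender takes from this: the rights a user actually holds come from the full expansion, so reviewing only direct memberships of a sensitive group such as Domain Admins misses anyone who reaches it through another group.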

History

Like many information-technology efforts, Active Directory grew out of openly published design ideas contributed by many people and early internet projects. Microsoft first showed Active Directory in 1999 and released it with Windows 2000 Server. They kept updating it with new features in later versions like Windows Server 2003 and Windows Server 2008. Over time, Active Directory grew to include many tools for managing user accounts and computer networks.

Active Directory Services

Active Directory Services are a group of tools that help manage networks of computers. The most well-known service is called Active Directory Domain Services (AD DS). This service is very important for networks that use Windows computers. It keeps track of all the users and devices on the network, checks if they are allowed to join, and decides what they can do. When you sign into a computer or try to use something on the network, the server that runs this service, called a domain controller, helps make sure everything works correctly.

There are other services that work with AD DS. These include tools for controlling what users can do, keeping files safe, and helping with things like email and file sharing. One special service is Active Directory Lightweight Directory Services (AD LDS), which works like AD DS but does not need domains or domain controllers. Another service, Active Directory Certificate Services (AD CS), helps create and manage special codes called certificates that keep information safe. There is also Active Directory Federation Services (AD FS), which lets users sign in once and use many different web services or network tools with the same account. Finally, Active Directory Rights Management Services (AD RMS) helps protect important documents by deciding who can see or change them.

Logical structure

Active Directory is a service that includes a database and special code to manage network requests and keep the database updated. It runs on Windows computers starting from Windows 2000. You can access the data in Active Directory using different methods, like LDAP and Security Accounts Manager.

A simplified example of a publishing company's internal network. The company has four groups with varying permissions to the three shared folders on the network.

Active Directory organizes information about different items on the network, such as printers, users, and computers. Each item has a unique name and ID. These items can also contain other items inside them. Administrators can change how these items are set up, but changing important settings can affect the whole system.

In Active Directory, networks are organized into structures called forests, trees, and domains. A domain is a group of network items that share the same database. A tree links several domains together, and a forest is the largest group that includes all trees.

Within a domain, items can be grouped into organizational units (OUs). OUs help organize the domain and make it easier to manage. They can reflect how an organization is structured, like by departments or locations. OUs help apply certain rules and make managing the network simpler.
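The logical structure just described is written into every object's name: a distinguished name lists the object, then each organizational unit above it, then the domain's DC components. Rules linked at the domain and at each OU reach an object by following that chain downward. The following Python is an added example, not code from the page or from Microsoft: it parses a distinguished name, works out the domain and the chain of containers above the object, and merges the policies linked along that chain, with the policy linked closest to the object winning on conflicts. The directory contents and the policy links are constructed for the example, and site-level policy is deliberately left out of this simplified model.

```python
# Added example (not from the page or Microsoft): parsing distinguished names
# and working out which policies reach an object through its domain and OU
# chain. Site-level policy is left out of this simplified model, and all
# directory contents and policy links are constructed for the example.


def parse_dn(dn):
    """Split an LDAP distinguished name into (type, value) pairs, leaf first.
    A comma escaped with a backslash is part of the value, not a separator."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.upper(), value))
    return rdns


def _escape(value):
    """Re-escape commas so the value survives a round trip through parse_dn."""
    return value.replace(",", "\\,")


def format_dn(rdns):
    """Inverse of parse_dn."""
    return ",".join(f"{attr}={_escape(value)}" for attr, value in rdns)


def dns_domain(rdns):
    """DNS name of the domain the object lives in, from its DC components."""
    return ".".join(value for attr, value in rdns if attr == "DC")


def container_chain(rdns):
    """DNs of the containers holding the object: the domain root first, then
    each OU (or container) from the top of the tree down to the parent."""
    containers = rdns[1:]  # drop the object's own RDN
    dc_positions = [i for i, (attr, _) in enumerate(containers) if attr == "DC"]
    if not dc_positions:
        raise ValueError("distinguished name has no DC components")
    first_dc = dc_positions[0]
    chain = [format_dn(containers[first_dc:])]  # the domain root
    for i in range(first_dc - 1, -1, -1):  # then OUs from the top down
        chain.append(format_dn(containers[i:]))
    return chain


# Constructed policy links: container DN -> ordered list of policies, each a
# name and the settings it enforces.
POLICY_LINKS = {
    "DC=publishing,DC=example": [
        ("Default Domain Policy",
         {"min_password_length": 12, "screen_lock_minutes": 15}),
    ],
    "OU=Staff,DC=publishing,DC=example": [
        ("Staff Baseline", {"usb_storage": "blocked"}),
    ],
    "OU=Editorial,OU=Staff,DC=publishing,DC=example": [
        ("Editorial Workstations", {"screen_lock_minutes": 5}),
    ],
}


def effective_settings(dn, links=POLICY_LINKS):
    """Merge policy settings along the container chain. Policies linked
    closer to the object are applied later, so they win on conflicts.
    Returns (merged settings, names of the policies applied, in order)."""
    settings, applied = {}, []
    for container in container_chain(parse_dn(dn)):
        for name, values in links.get(container, []):
            settings.update(values)
            applied.append(name)
    return settings, applied


if __name__ == "__main__":
    user = "CN=Smith\\, Jane,OU=Editorial,OU=Staff,DC=publishing,DC=example"
    print(dns_domain(parse_dn(user)))
    print(container_chain(parse_dn(user)))
    print(effective_settings(user))
```

Two details matter for anyone auditing such a structure. The escaped comma in "Smith\, Jane" shows why a distinguished name cannot safely be split with a plain string split. And the merge order means that an OU near the bottom of the tree can quietly loosen a setting the domain tightened, so the place to look for a surprising effective setting is the last policy in the applied list.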

Physical structure

In Active Directory, sites are groups of network areas that share similar speeds, like fast LAN connections or slower WAN and VPN links. These sites help manage how information moves between different parts of the network and guide users to the nearest domain controllers, which are special servers that hold copies of the directory. Tools like Microsoft Exchange Server 2007 also use these sites to send email.

Active Directory stores its information on special servers called domain controllers. Each of these servers has a full copy of the directory. Other servers connected to the directory are known as Member Servers. Some domain controllers act as global catalog servers, offering a list of all items across the entire network. To keep this list manageable, only certain details about each item are shared. Active Directory works with DNS and needs TCP/IP to function properly.

Active Directory uses a method called multi-master replication to keep all domain controllers updated. Changes can be made on any domain controller, and the other domain controllers pull each update for themselves rather than waiting to be sent it. The system automatically manages how often updates happen between different network areas. Special servers called bridgehead servers help send updates between distant parts of the network. Updates can travel through several links if needed, but direct links are usually preferred. For replication, Remote Procedure Calls over IP are used, and sometimes SMTP is used for certain types of updates.

Implementation

When using Active Directory, a network usually has more than one Windows server. This helps keep things running smoothly if one server stops working. It’s best to use servers just for managing the directory and not for other tasks.

Some Microsoft products, like SQL Server and Exchange, can make things harder if they are on the same server. To keep things simple, it’s a good idea to have separate servers for these tasks. Using virtualization can save money, but it’s important not to put multiple virtual domain controllers on the same physical machine, because one hardware failure would take all of them down at once.

Database

The Active Directory database is the directory store used since Windows 2000 Server. It is built on a JET Blue-based Extensible Storage Engine to keep information organized. Each domain controller's database can hold up to 16 terabytes of data and up to 2 billion items, though only about 1 billion of those can be security principals such as users, groups, and computers. Older systems, like NT4, could only handle around 40,000 items.

Programs can use special tools called COM interfaces to work with Active Directory and its features. These tools are known as Active Directory Service Interfaces. With these, programs can easily manage and access the information stored in Active Directory.

Trusting

Active Directory uses something called trusts to let people in one group of computers use things in another group. When these groups, called domains, are created within the same forest, the trusts between them are set up automatically.

There are different kinds of trusts. Some only let one group share with another, but not the other way around (one-way trusts); others let both groups share with each other (two-way trusts). Some trusts can reach further, letting groups beyond the two directly connected ones share as well (transitive trusts), while others are limited to just those two (non-transitive trusts). This helps keep everything connected and secure.
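The two properties of a trust, its direction and whether it reaches further than the two domains it joins, decide a single practical question: can an account from one domain be granted access to resources in another? The following Python is an added example, not code from the page or from Microsoft: it models a small set of domains and trusts and answers that question by searching the trust links, treating a direct trust as always usable and a longer chain as usable only when every link in it is transitive. The domains and trusts are constructed for the example, and finer controls a real forest offers are not modelled.

```python
# Added example (not from the page or Microsoft): a simplified model of trust
# direction and transitivity, used to answer "can an account from domain X
# be granted access to resources in domain Y?". The domains and trusts are
# constructed for the example; finer forest-level controls are not modelled.

from collections import deque

# Each trust is described from the trusting domain's point of view: it lets
# accounts from the trusted domain use its resources. Two-way trusts add the
# reverse direction as well.
TRUSTS = [
    # parent/child trusts inside one forest: two-way and transitive
    {"trusting": "corp.example", "trusted": "editorial.corp.example",
     "two_way": True, "transitive": True},
    {"trusting": "corp.example", "trusted": "sales.corp.example",
     "two_way": True, "transitive": True},
    # external trust to another organisation: one-way and non-transitive
    {"trusting": "corp.example", "trusted": "partner.example",
     "two_way": False, "transitive": False},
]


def trust_edges(trusts):
    """Directed links: trusting domain -> {trusted domain: is transitive}."""
    edges = {}
    for t in trusts:
        edges.setdefault(t["trusting"], {})[t["trusted"]] = t["transitive"]
        if t["two_way"]:
            edges.setdefault(t["trusted"], {})[t["trusting"]] = t["transitive"]
    return edges


EDGES = trust_edges(TRUSTS)


def trust_path(resource_domain, account_domain, edges=EDGES):
    """Chain of domains through which resource_domain trusts account_domain,
    or None if there is no usable chain. A direct trust always works; a
    longer chain is valid only if every link in it is transitive."""
    if resource_domain == account_domain:
        return [resource_domain]
    if account_domain in edges.get(resource_domain, {}):
        return [resource_domain, account_domain]
    # breadth-first search, following transitive links only
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt, transitive in edges.get(path[-1], {}).items():
            if not transitive or nxt in seen:
                continue
            seen.add(nxt)
            if nxt == account_domain:
                return path + [nxt]
            queue.append(path + [nxt])
    return None


def can_be_granted_access(resource_domain, account_domain, edges=EDGES):
    """True if resource_domain trusts account_domain directly or by chain."""
    return trust_path(resource_domain, account_domain, edges) is not None


def reachable_resource_domains(account_domain, edges=EDGES):
    """Every domain whose resources accounts from account_domain may be
    granted; useful when reviewing how far a trust actually reaches."""
    return sorted(d for d in edges if can_be_granted_access(d, account_domain, edges))


if __name__ == "__main__":
    print(trust_path("sales.corp.example", "editorial.corp.example"))
    print(reachable_resource_domains("partner.example"))
    print(reachable_resource_domains("corp.example"))
```

The partner domain's accounts can reach corp.example but not editorial.corp.example, because the external trust is non-transitive and the chain through corp.example is therefore not usable. Reviewing a trust, then, means reviewing both properties: a two-way transitive trust added for convenience lets every domain behind it reach every domain on the other side.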

Management tools

Microsoft Active Directory has special tools to help manage it. These include the Active Directory Administrative Center, Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, ADSI Edit, Local Users and Groups, Active Directory Schema snap-ins for the Microsoft Management Console, and SysInternals ADExplorer.

Sometimes these tools aren't enough for very big networks. Extra tools made by other companies can help make managing Active Directory easier. These tools can do things like saving time, creating reports, and connecting with other services.

Unix integration

Active Directory can work with many types of computers that are not Windows, such as those running Unix-like systems like Linux and Mac OS X. These systems can connect to Active Directory using special tools, though they might not fully understand all the features that Windows uses, like Group Policy.

There are tools made by other companies to help non-Windows computers join Active Directory, such as Samba, which is free software and can act as an Active Directory domain controller. Some newer versions of Windows also have features that make this easier to use.

Other directory services can also work together with Active Directory, allowing both Windows and non-Windows computers to share information. There are also many different ways to manage Active Directory using scripts written in languages like PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby. Since October 2017, Amazon AWS has also offered ways to connect with Microsoft Active Directory.

This article is a child-friendly adaptation of the Wikipedia article on Active Directory, available under CC BY-SA 4.0.

Images from Wikimedia Commons.