Active Directory
Adapted from Wikipedia
Active Directory (AD) is a directory service made by Microsoft to manage networks of computers that are set up as a Windows domain. It is included in the Windows Server operating systems and runs as a group of processes and services.
A key part of Active Directory is a server called a domain controller. This server confirms who users are and what they are allowed to do on the network. It also applies security rules and helps install or update software on computers. For instance, when someone logs into a computer in this kind of network, Active Directory checks their username and password.
Active Directory relies on several standard protocols, including Lightweight Directory Access Protocol (LDAP), an authentication system called Kerberos, and DNS. One way to think about it is as a database that stores important information about the network, such as details about computers, users, and groups.
For the cloud version of this system, see Microsoft Entra ID.
History
Active Directory began as a way to make technology designs more open and shared, building on ideas from many contributors and early internet projects. Microsoft first introduced Active Directory in 1999 with Windows 2000 Server and added new features in later versions such as Windows Server 2003 and Windows Server 2008. Over time, Active Directory gained many tools for managing user accounts and computer networks.
Active Directory Services
Active Directory Services are tools that help manage groups of computers. The best-known one is Active Directory Domain Services (AD DS), which is used on networks of Windows computers. It keeps a list of all the people and devices on the network, checks that they are who they say they are, and decides what they are allowed to do. When you sign into a computer or try to use something on the network, a special server called a domain controller handles these checks.
Other services work alongside AD DS. These include services for deciding what users can do, keeping files safe, and supporting things like email and file sharing. Active Directory Lightweight Directory Services (AD LDS) works like AD DS but does not need domains or domain controllers. Active Directory Certificate Services (AD CS) creates and manages digital certificates, which are used to prove identity and keep information safe. Active Directory Federation Services (AD FS) lets users sign in once and then use many different web services or network tools with the same account. Finally, Active Directory Rights Management Services (AD RMS) protects important documents by controlling who can see or change them.
Logical structure
Active Directory is a service that answers requests from the network and keeps its database up to date. It runs on Windows computers from Windows 2000 onward. The data in Active Directory can be reached in different ways, such as through LDAP or the Security Accounts Manager.
Active Directory organizes information about items on the network, such as printers, users, and computers. Each item has a unique name and ID. Items can also contain other items. Administrators can change how these items are defined, but changing these important definitions (the schema) can affect the whole system.
In Active Directory, networks are organized into structures called forests, trees, and domains. A domain is a group of network items that share the same database. A tree links several domains together, and a forest is the largest group that includes all trees.
Within a domain, items can be grouped into organizational units (OUs). OUs help organize the domain and make it easier to manage. They can reflect how an organization is structured, like by departments or locations. OUs help apply certain rules and make managing the network simpler.
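Every item in Active Directory has a unique name called a distinguished name (DN), and that name spells out exactly where the item sits: its own name, the chain of organizational units around it, and the domain it belongs to. The following is an added example written for this page (it is not code from Microsoft or from Wikipedia) that parses such names according to the LDAP escaping rules of RFC 4514 and reports the item's name, OU path and domain. The sample DNs and the domain name corp.example.test are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Characters that may be escaped with a single backslash (RFC 4514 section 2.4).
_ESCAPABLE = set(',+"\\<>;=# ')
_HEX = set('0123456789abcdefABCDEF')
# Attribute types are short names such as CN, OU, DC or dotted-decimal OIDs.
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')

RDN = List[Tuple[str, str]]  # one relative DN: a list of (type, value) pairs


def _split_unescaped(text: str, separator: str) -> List[str]:
    """Split on `separator` wherever it is not preceded by a backslash."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            buf.extend((ch, text[i + 1]))  # keep the escape pair intact for now
            i += 2
            continue
        if ch == separator:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def unescape_value(raw: str) -> str:
    """Decode a DN value: '\\,' becomes ',' and '\\4a' becomes the byte 0x4a ('J')."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        pair = raw[i + 1:i + 3]
        if ch != '\\':
            out += ch.encode('utf-8')
            i += 1
        elif i + 1 < len(raw) and raw[i + 1] in _ESCAPABLE:
            out += raw[i + 1].encode('utf-8')
            i += 2
        elif len(pair) == 2 and set(pair) <= _HEX:
            out.append(int(pair, 16))  # hex pairs carry raw UTF-8 bytes
            i += 3
        else:
            raise ValueError(f'invalid escape at offset {i} in {raw!r}')
    return out.decode('utf-8')


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN into its RDNs, most specific (leaf) first."""
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ','):
        pairs: RDN = []
        for ava in _split_unescaped(rdn_text, '+'):  # '+' joins multi-valued RDNs
            if '=' not in ava:
                raise ValueError(f'missing "=" in {ava!r}')
            attr, value = ava.split('=', 1)
            attr = attr.strip()
            if not _ATTR_TYPE.match(attr):
                raise ValueError(f'invalid attribute type {attr!r}')
            pairs.append((attr.upper(), unescape_value(value)))
        rdns.append(pairs)
    return rdns


def describe(dn: str) -> Dict[str, object]:
    """Summarise where an object sits: its name, its OU chain and its domain."""
    flat = [pair for rdn in parse_dn(dn) for pair in rdn]
    name: Optional[str] = next((v for t, v in flat if t == 'CN'), None)
    # A DN lists the innermost container first; reverse the OUs to read top-down.
    ou_path = [v for t, v in flat if t == 'OU'][::-1]
    domain = '.'.join(v for t, v in flat if t == 'DC')
    return {'name': name, 'ou_path': ou_path, 'domain': domain}


# Constructed sample DNs (not taken from any real directory).
SAMPLE_DNS = [
    r'CN=Smith\, Alice,OU=Sales,OU=Staff,DC=corp,DC=example,DC=test',
    r'CN=\4aane Doe+SN=Doe,OU=IT,DC=corp,DC=example,DC=test',
    r'CN=Printer 1,CN=Computers,DC=corp,DC=example,DC=test',
]

if __name__ == '__main__':
    for sample in SAMPLE_DNS:
        print(sample, '->', describe(sample))
```

The escaping matters in practice: a naive split on commas would turn "Smith, Alice" into two items, so any log parser or audit script that handles DNs should decode them this way rather than with a plain string split.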
Physical structure
In Active Directory, sites are groups of network areas that are connected at similar speeds, such as fast LAN links as opposed to slower WAN or VPN links. Sites control how information moves between different parts of the network and guide users to the nearest domain controllers, the special servers that hold copies of the directory. Other software, such as Microsoft Exchange Server 2007, also uses sites when routing email.
Active Directory stores its information on domain controllers. Each of them holds a full copy of the directory. Other servers that have joined the directory but do not hold a copy are called member servers. Some domain controllers also act as global catalog servers, which offer a list of all items across the entire network; to keep this list manageable, only a few details about each item are included. Active Directory works together with DNS and needs TCP/IP to function.
Active Directory uses multi-master replication to keep all domain controllers in step. Changes can be made on any domain controller, and the other controllers then request those changes themselves. The system automatically decides how often updates flow between sites. Special servers called bridgehead servers pass updates between distant parts of the network. Updates can travel through several links if needed, but direct links are usually preferred. Replication normally uses Remote Procedure Calls over IP, and SMTP can be used for certain kinds of updates.
Implementation
A network using Active Directory usually has more than one Windows server acting as a domain controller, so that the directory keeps working if one server stops. It is best to use these servers only for the directory and not for other tasks.
Some Microsoft products, such as SQL Server and Exchange, make things harder if they run on the same server as the directory, so it is a good idea to give them separate servers. Virtualization can save money, but putting several domain controllers as virtual machines on the same physical machine is risky, because if that machine fails they all fail together.
Database
The Active Directory database was introduced with Windows 2000 Server. It is built on Microsoft's Extensible Storage Engine (also known as JET Blue) to keep information organized. Each domain controller holds a copy of the database, which can hold a large amount of data. Programs can work with Active Directory through a set of tools called the Active Directory Service Interfaces (ADSI), which let them manage and read the information stored there.
Trusting
Active Directory uses trusts to let people from one domain use resources in another domain. When a new domain is added to a tree or forest, Active Directory sets up the trusts it needs automatically.
There are different kinds of trusts. A one-way trust lets users from one domain use resources in the other, but not the reverse; a two-way trust works in both directions. A transitive trust can extend through other domains, letting more domains share, while a non-transitive trust only ever connects its two domains. This is how everything stays connected while still being secure.
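Because trusts have a direction and may or may not chain through other domains, it is easy to lose track of how far a user account's reach actually extends. The following added example (written for this page, not code from Microsoft or Wikipedia) models trusts as a small graph and works out, for each domain, which other domains' resources its users can be authorised in. It is a simplified model: a chain of more than one trust only counts when every trust in the chain is transitive, and the finer rules of real forest-to-forest trusts are not modelled. The domain names and the sample trust configuration are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    """One trust relationship.

    `trusting` is the domain that accepts users from `trusted`, so resources in
    `trusting` become reachable to `trusted` users. `two_way` adds the reverse
    direction; `transitive` allows the trust to be chained through other domains.
    """
    trusting: str
    trusted: str
    two_way: bool = False
    transitive: bool = True


def _accepted_by(trusts: List[Trust]) -> Dict[str, List[Tuple[str, bool]]]:
    """Map each user domain to the (resource domain, transitive) pairs that accept it."""
    accepts: Dict[str, List[Tuple[str, bool]]] = {}
    for t in trusts:
        accepts.setdefault(t.trusted, []).append((t.trusting, t.transitive))
        if t.two_way:
            accepts.setdefault(t.trusting, []).append((t.trusted, t.transitive))
    return accepts


def reachable_resources(user_domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose resources a user of `user_domain` can be authorised in.

    A chain longer than one hop is only valid when every trust in it is
    transitive; a non-transitive trust joins exactly its two endpoints.
    """
    accepts = _accepted_by(trusts)
    reachable: Set[str] = {user_domain}   # a user is always at home in their own domain
    queue = deque([user_domain])          # domains reached by an all-transitive chain
    seen_transitive: Set[str] = {user_domain}
    while queue:
        here = queue.popleft()
        for resource, transitive in accepts.get(here, []):
            if not transitive and here != user_domain:
                continue                  # cannot ride a non-transitive trust mid-chain
            reachable.add(resource)
            if transitive and resource not in seen_transitive:
                seen_transitive.add(resource)
                queue.append(resource)
    return reachable


def can_access(user_domain: str, resource_domain: str, trusts: List[Trust]) -> bool:
    """True if the trust configuration lets `user_domain` users into `resource_domain`."""
    return resource_domain in reachable_resources(user_domain, trusts)


def exposure_report(trusts: List[Trust]) -> Dict[str, Set[str]]:
    """For every domain, the set of other domains its users can be authorised in.

    Useful when reviewing whether a trust grants more reach than was intended.
    """
    domains = {d for t in trusts for d in (t.trusting, t.trusted)}
    return {d: reachable_resources(d, trusts) - {d} for d in sorted(domains)}


# Constructed example forest (names are invented for illustration).
SAMPLE_TRUSTS = [
    # Parent and child domain: two-way and transitive (created automatically).
    Trust('corp.example.test', 'sales.corp.example.test', two_way=True, transitive=True),
    # Second tree in the same forest: tree-root trust, two-way and transitive.
    Trust('corp.example.test', 'other.example.test', two_way=True, transitive=True),
    # External trust: corp accepts partner users, one-way and non-transitive.
    Trust('corp.example.test', 'partner.example.test', two_way=False, transitive=False),
]

if __name__ == '__main__':
    for domain, reach in exposure_report(SAMPLE_TRUSTS).items():
        print(f'{domain}: users can be authorised in {sorted(reach) or "no other domain"}')
```

In the sample configuration, users from partner.example.test reach corp.example.test but not sales.corp.example.test, because the external trust is non-transitive, while users from the child domain sales.corp.example.test reach the whole forest through the automatic transitive trusts. Reviewing the report after a trust change is a quick way to confirm that a new one-way or non-transitive trust is as limited as intended.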
Management tools
Microsoft Active Directory comes with several management tools. These include the Active Directory Administrative Center, Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, ADSI Edit, Local Users and Groups, the Active Directory Schema snap-in for the Microsoft Management Console, and SysInternals ADExplorer.
Sometimes these tools aren't enough for very big networks. Tools made by other companies can make managing Active Directory easier: they can save time, create reports, and connect with other services.
Unix integration
Active Directory can also work with computers that do not run Windows, such as Unix-like systems including Linux and Mac OS X. These computers can connect to Active Directory with extra software, though they may not support every Windows feature, such as Group Policy.
Other companies make tools that help non-Windows computers join Active Directory. One example is Samba, free software that can itself act like Active Directory. Newer versions of Windows also include features that make this easier.
Other directory services can work with Active Directory, allowing Windows and non-Windows computers to share information. There are many ways to manage Active Directory using scripts written in languages like PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby. Since October 2017, Amazon AWS has offered ways to connect with Microsoft Active Directory.
This article is a child-friendly adaptation of the Wikipedia article on Active Directory, available under CC BY-SA 4.0.