Ever try to look up a term (like, say, Active Directory), only to get a definition that’s so complex and convoluted that you have to go look up all the words in it, and then half of the terms in those definitions, until you feel like you’re trapped in an infinite regress — and you’re more confused than when you started?
Not today. Not here. In this series of blog posts, I’m going to briefly explain what Active Directory (AD) is and what it’s used for, how you can manage and secure it, and how your organization can start using it. I’ll offer links where you can dive deeper into any of these topics and find high-quality Active Directory tools, but I promise, you’ll get a clear high-level understanding right in these blog posts.
Let’s get started!
What is Active Directory?
Basically, Active Directory (AD) is a database and set of services that help users get their work done in a Microsoft IT environment:
- The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions — for instance, you might permit all users to read your company benefits information, but allow only a handful of people to look at or modify financial documents.
- The services control much of the activity that goes on in your IT environment. In particular, they make sure each person is who they claim to be (authentication) and then allow them to touch only the data they are allowed to use (authorization). On a domain-joined Windows machine, authentication is normally Kerberos: the domain controller proves the user knows their password (it never receives the password itself) and issues tickets the user presents to file servers, applications and other services. NTLM is kept as a fallback for older systems. Authorization happens later, at each resource: the user's SID and group SIDs, carried in the ticket, are compared against the access control list on the file, folder or AD object being touched.
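A concrete look at the authorization side, as an added example that is not part of the original post: the permissions AD records on a container, read with the ActiveDirectory PowerShell module's AD: drive. The OU name is a placeholder, and the list of "take-over" rights and broad principals is this example's own review heuristic, not an AD rule.

```powershell
# Added example, not from the original post. Reads the access control list (DACL) that AD
# stores on a container and flags entries a security reviewer would question.
# Requires the ActiveDirectory module (RSAT); the OU below is hypothetical, substitute your own DN.
Import-Module ActiveDirectory     # also registers the AD: PSDrive used by Get-Acl

$ouDn = 'OU=Finance,DC=corp,DC=example'
$acl  = Get-Acl -Path "AD:\$ouDn"

"Owner of ${ouDn}: $($acl.Owner)"   # the owner can always rewrite the DACL, whatever the ACEs say

# Rights that let a principal change or take over the object (or objects under it) rather than just read it.
$takeoverRights  = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'
# Broad groups that should normally have read-only access to an OU (review heuristic, adjust to taste).
$broadPrincipals = 'Authenticated Users', 'Domain Users', 'Everyone', 'Domain Computers'

$rows = foreach ($ace in $acl.Access) {
    $identity = $ace.IdentityReference.Value      # e.g. CORP\Domain Admins or NT AUTHORITY\Authenticated Users
    $isBroad  = [bool]($broadPrincipals | Where-Object { $identity -like "*$_" })
    $canWrite = $ace.ActiveDirectoryRights.ToString() -match $takeoverRights
    [pscustomobject]@{
        Identity   = $identity
        Rights     = $ace.ActiveDirectoryRights
        Type       = $ace.AccessControlType
        Inherited  = $ace.IsInherited
        # ObjectType narrows the ACE to one attribute, class or extended right; all zeros means the whole object.
        ObjectType = $ace.ObjectType
        Review     = ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite)
    }
}
$rows | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries with Review set to True are allow ACEs that hand a write-class right to a large group; each one should be traceable to a deliberate delegation. Inherited entries usually come from the domain head or the AdminSDHolder template, so fix them at the source rather than on the OU.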
Now you know what Active Directory is and why we say it’s the heart of any Microsoft IT environment! But if you’re interested in more details about how it’s structured and how it works, read on for the answers to many common questions about AD.
Does my computer have Active Directory on it?
No. The main Active Directory service, Active Directory Domain Services (AD DS), is a feature of the Windows Server operating system. Desktops, laptops and other systems running the regular version of Windows do not run AD DS. However, they do support Active Directory, so any Windows computer can be part of an Active Directory environment.
The servers that run AD DS are called domain controllers (DCs). (I’ll explain what a domain is in just a second.) Organizations normally have multiple DCs, and each one holds a writable copy of the directory for the entire domain. Changes made on one domain controller, such as a user changing their password or an account being locked out after too many bad passwords, are replicated to the other domain controllers so they all stay up to date. Between DCs in the same site that normally takes seconds (the default notification delay is 15 seconds); across sites it follows the replication schedule, typically minutes. A few security-sensitive changes are handled specially: lockouts trigger urgent replication, and a password change is also forwarded immediately to the PDC emulator (one DC per domain that holds this role), so the user can log on right away even if the DC they happen to hit has not received the change yet.
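To answer "does my computer have Active Directory on it?" for a specific machine, and then to see the DCs that do, here is an added example (not from the original post) that checks the machine's domain role, lists the domain controllers and reports whether replication between them is healthy. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed.

```powershell
# Added example, not from the original post. Step 1 needs nothing beyond Windows itself;
# steps 2 and 3 need the ActiveDirectory module (RSAT) and a domain-joined host.

# 1. Is this machine domain-joined, and is it a DC?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$roles = @{ 0 = 'Standalone workstation'; 1 = 'Member workstation'; 2 = 'Standalone server'
            3 = 'Member server';          4 = 'Backup domain controller'; 5 = 'Primary domain controller (PDC emulator)' }
[pscustomobject]@{
    Computer     = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
    Role         = $roles[[int]$cs.DomainRole]
} | Format-List

if (-not $cs.PartOfDomain) {
    Write-Warning 'Not joined to a domain: the machine has no AD to query. Stopping here.'
    return
}

Import-Module ActiveDirectory

# 2. Every DC in this domain. Each one holds a full copy of the domain partition;
#    Global Catalogs also hold a partial copy of every other domain in the forest.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, OperatingSystem |
    Sort-Object HostName | Format-Table -AutoSize

# 3. Inbound replication per DC and partition. A non-zero ConsecutiveReplicationFailures or a
#    LastReplicationSuccess that is hours old means the DCs no longer agree on the directory,
#    which is both an availability problem and a security one (e.g. a disabled account is still
#    enabled on the lagging DC).
Get-ADReplicationPartnerMetadata -Target $dcs.HostName -PartnerType Inbound |
    Select-Object Server, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult |
    Sort-Object Server, Partition | Format-Table -AutoSize
```

The last query asks each DC directly, so it needs network access to all of them; `repadmin /replsummary` gives the same picture from the command line on a DC.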
While we’re on the topic of where AD lives, it’s important to understand what AD is not. Active Directory Domain Services runs on Windows Server domain controllers that you operate yourself, whether they sit in your own data center or on virtual machines you host in a cloud. Microsoft’s cloud identity service, Azure Active Directory (renamed Microsoft Entra ID in 2023), serves a similar purpose, identity, authentication and authorization, but it is a different product with a different design: it speaks OAuth 2.0, OpenID Connect and SAML to cloud applications rather than Kerberos, NTLM and LDAP, and it has no organizational units or Group Policy. AD and Azure AD are separate but can be connected, usually by synchronizing accounts from AD into Azure AD, if your organization has both on-premises and cloud IT environments (which is called a hybrid deployment). This blog post series is focused on on-premises Active Directory, but Quest has many resources to help you understand Azure AD and tools for hybrid Active Directory security and governance.
How is Active Directory structured?
AD has three main tiers: domains, trees and forests. A domain is a group of related users, computers and other AD objects, such as all the AD objects for your company’s Chicago office. Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest. The key things to know here are:
- A domain is a management and replication boundary: the objects for a given domain live in that domain’s partition of the database, are replicated among that domain’s DCs, and can be managed together (for example, the domain has its own administrators and its own default password policy).
- A forest is the security boundary. Within a forest, every domain automatically trusts every other domain (two-way and transitive), the schema and configuration are shared, and the Enterprise Admins group in the forest root domain has rights over every domain. A compromise of any one domain can therefore be escalated to the whole forest, which is why a domain on its own is not a security boundary. Objects in different forests cannot interact unless the administrators of each forest deliberately create a trust between them. So if you have business units that must be isolated from each other, put them in separate forests, not separate domains.
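To see the three tiers in a real environment, here is an added example (not part of the original post) that maps the forest, its domains and tree structure, and the trusts that stretch its security boundary. It needs only the ActiveDirectory module and a domain user; the `SidFilteringOn` column is derived from the property descriptions in the Get-ADTrust documentation and is this example's own summary, so confirm any flagged trust against your trust configuration before acting on it.

```powershell
# Added example, not from the original post. Enumerates forest -> domains -> trusts.
Import-Module ActiveDirectory

# The forest: one schema, one configuration, one security boundary.
$forest = Get-ADForest
[pscustomobject]@{
    Forest         = $forest.Name
    RootDomain     = $forest.RootDomain
    Domains        = $forest.Domains -join ', '
    ForestMode     = $forest.ForestMode
    GlobalCatalogs = @($forest.GlobalCatalogs).Count
} | Format-List

# The domains. Parent/child links are what make a tree; a domain with no parent is a tree root,
# and a forest with several tree roots has several DNS namespaces.
$domains = foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    [pscustomobject]@{
        Domain       = $dom.DNSRoot
        NetBIOS      = $dom.NetBIOSName
        ParentDomain = $dom.ParentDomain
        ChildDomains = $dom.ChildDomains -join ', '
        DomainMode   = $dom.DomainMode
        PDCEmulator  = $dom.PDCEmulator
    }
}
$domains | Format-Table -AutoSize

# The trusts. Intra-forest trusts are automatic and cannot be removed; they are the reason the
# domain is not a security boundary. Cross-forest trusts are where the boundary is deliberately
# opened, so direction, transitivity, selective authentication and SID filtering all matter:
# with SID filtering off, a SID in the other forest's user's SID history is honoured here.
$trusts = foreach ($t in Get-ADTrust -Filter *) {
    [pscustomobject]@{
        Source                  = $t.Source
        Target                  = $t.Target
        Direction               = $t.Direction
        IntraForest             = $t.IntraForest
        ForestTransitive        = $t.ForestTransitive
        SelectiveAuthentication = $t.SelectiveAuthentication
        # Per the cmdlet's property documentation: forest trusts report SID filtering via
        # SIDFilteringForestAware, external (non-transitive) trusts via SIDFilteringQuarantined.
        SidFilteringOn          = if ($t.ForestTransitive) { $t.SIDFilteringForestAware } else { $t.SIDFilteringQuarantined }
        ReviewNeeded            = (-not $t.IntraForest) -and
                                  ( -not (if ($t.ForestTransitive) { $t.SIDFilteringForestAware } else { $t.SIDFilteringQuarantined }) -or
                                    -not $t.SelectiveAuthentication )
    }
}
$trusts | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

A cross-forest trust with ReviewNeeded set to True is not necessarily wrong, but it means either every user in the other forest can authenticate to your resources (no selective authentication) or SID history from the other side is accepted, and someone should be able to say why.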
We’ll mostly be talking about AD domains in these blog posts, because that’s where management takes place. We will talk a little about forests in the post on Active Directory management, in the backup and recovery section, since organizations need to plan for large-scale disaster recovery as well as the recovery of individual objects in a domain.
What’s in the Active Directory database?
The Active Directory database (directory) contains information about the AD objects in the domain. Common types of AD objects include users, computers, applications, printers and shared folders. Some objects can contain other objects (which is why you’ll see AD described as “hierarchical”). In particular, in subsequent posts we’ll explore how organizations simplify administration by organizing AD objects into organizational units (OUs) and streamline security by putting users into groups. These OUs and groups are themselves objects stored in the directory.
Objects have attributes. Some attributes are obvious and some are more behind the scenes. For example, a user object typically has attributes like the person’s name, department and email address, but also attributes like its Globally Unique Identifier (GUID, which never changes) and Security Identifier (SID, which is what access control lists actually refer to), the time it last logged on, and its group memberships (which AD stores on each group’s member attribute and exposes on the user as the computed memberOf back-link). The password is there too, but not as text: AD keeps password-derived hashes and Kerberos keys in attributes such as unicodePwd that no one can read over LDAP, which is why attackers who want them go after the database file or the DC’s memory instead.
Databases are structured, which means there is a design that determines what types of data they store and how that data is organized. This design is called a schema. Active Directory is no exception: its schema contains formal definitions of every object class that can be created in the Active Directory forest and every attribute that can exist in an Active Directory object. AD comes with a default schema, and administrators (or products such as Exchange) can extend it to suit business needs. The key thing to know is that schema changes are forest-wide and effectively permanent: a class or attribute can later be deactivated (made "defunct") but never deleted, and every change replicates to every DC in the forest. So plan extensions carefully up front and test them in a lab first, because a bad schema change cannot be rolled back and, given the central role AD plays in authentication and authorization, can disrupt the whole business.
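The two ideas above, attributes on an object and the schema that defines them, are easiest to see side by side. The following is an added example (not from the original post) that dumps one user’s visible and behind-the-scenes attributes, then asks the schema partition which attributes a `user` object may carry at all and what version the schema is at. The account name `jdoe` is a placeholder.

```powershell
# Added example, not from the original post. Part 1: one object's attributes.
Import-Module ActiveDirectory

$props = 'title', 'department', 'mail', 'telephoneNumber', 'objectGUID', 'objectSid',
         'lastLogonTimestamp', 'pwdLastSet', 'memberOf', 'primaryGroupID', 'whenCreated'
$user = Get-ADUser -Identity 'jdoe' -Properties $props     # 'jdoe' is hypothetical

# lastLogonTimestamp is a FILETIME (100 ns ticks since 1601) and is replicated only about every
# 14 days, so it is approximate; lastLogon is exact but kept per-DC and never replicated.
$lastLogon = if ($user.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc([long]$user.lastLogonTimestamp) }
[pscustomobject]@{
    Name            = $user.Name
    Title           = $user.title
    Department      = $user.department
    Mail            = $user.mail
    Phone           = $user.telephoneNumber
    GUID            = $user.objectGUID            # immutable for the object's lifetime
    SID             = $user.objectSid.Value       # what ACLs and Kerberos tickets refer to
    LastLogonApprox = $lastLogon
    PasswordLastSet = [DateTime]::FromFileTimeUtc([long]$user.pwdLastSet)   # 1601-01-01 means "must change at next logon"
    # memberOf is a back-link of each group's member attribute; it omits the primary group (RID in primaryGroupID)
    Groups          = ($user.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
    PrimaryGroupRID = $user.primaryGroupID
    Created         = $user.whenCreated
} | Format-List

# Part 2: what the schema says a 'user' may contain. Attributes come from the class itself
# (mustContain/mayContain and their system* variants), its superclass chain
# (user -> organizationalPerson -> person -> top) and any auxiliary classes.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classes  = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)' `
    -Properties lDAPDisplayName, subClassOf, mustContain, mayContain, systemMustContain, systemMayContain, auxiliaryClass, systemAuxiliaryClass |
    ForEach-Object { $classes[$_.lDAPDisplayName] = $_ }

function Get-ClassAttributes([string]$ClassName) {
    $attrs = New-Object 'System.Collections.Generic.HashSet[string]'
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($ClassName)
    while ($queue.Count) {
        $name = $queue.Dequeue()
        if ($seen[$name] -or -not $classes.ContainsKey($name)) { continue }
        $seen[$name] = $true
        $c = $classes[$name]
        foreach ($a in @($c.mustContain) + @($c.mayContain) + @($c.systemMustContain) + @($c.systemMayContain)) {
            if ($a) { [void]$attrs.Add($a) }
        }
        foreach ($p in @($c.subClassOf) + @($c.auxiliaryClass) + @($c.systemAuxiliaryClass)) {
            if ($p -and $p -ne $name) { $queue.Enqueue($p) }   # 'top' is its own superclass
        }
    }
    $attrs
}

$userAttrs = Get-ClassAttributes 'user'
"A user object may carry $($userAttrs.Count) attributes, e.g. " + (($userAttrs | Sort-Object | Select-Object -First 8) -join ', ')

# Part 3: schema version. objectVersion on the schema container records the Windows Server level
# the schema has been extended to (87 = 2016, 88 = 2019/2022, 91 = 2025). Third-party extensions
# live alongside and are just as permanent.
"Schema objectVersion: " + (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
```

Running Part 2 before and after a proposed schema extension, and diffing the attribute sets, is a cheap way to see exactly what an installer intends to add before you let it loose on production.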
Where can I learn more?
Ready to discover even more about Active Directory? You’re in luck! Check out the other blog posts in this “What is Active Directory?” series:
- Part 2: Active Directory management
- Part 3: Active Directory security
- Part 4: Active Directory migration
- Part 5: Active Directory reporting
Where can I get help with my Active Directory environment?
Quest is the go-to vendor for Active Directory solutions. We can help you manage, secure, migrate and report on your AD environment to drive your business forward. We’ll explore which Active Directory tools help with which tasks in the other blog posts in this series.