What is Active Directory? How does it work? | Quest (2024)

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.

The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.

The services control much of the activity that goes on in your IT environment. In particular, they make sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allow them to access only the data they’re allowed to use (authorization).

Read on to learn more about the benefits of Active Directory, how it works and what’s in an Active Directory database.

Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature. Users can authenticate once and then seamlessly access any resources in the domain for which they’re authorized (single sign-on). Plus, files are stored in a central repository where they can be shared with other users to ease collaboration, and backed up properly by IT teams to ensure business continuity.

The main Active Directory service is Active Directory Domain Services (AD DS),which is part of theWindowsServer operating system. The servers that run AD DS are called domaincontrollers (DCs). Organizations normally have multiple DCs, and each one hasa copy of the directory for the entire domain. Changes made to the directoryon one domain controller — such as password update or the deletion of auser account — are replicated to the other DCs so they all stay up todate. A Global Catalog server is a DC that stores a complete copy of allobjects in the directory of its domain and a partial copy of all objects ofall other domains in the forest; this enables users and applications to findobjects in any domain of their forest. Desktops, laptops and other devicesrunning Windows (rather than Windows Server) can be part of an ActiveDirectory environment but they do not run AD DS. AD DS relies on severalestablished protocols and standards, including LDAP (Lightweight DirectoryAccess Protocol), Kerberos and DNS (Domain Name System).

It’s important to understand that Active Directory is only for on-premises Microsoft environments. Microsoft environments in the cloud use Azure Active Directory, which serves the same purposes as its on-prem namesake. AD and Azure AD are separate but can work together to some degree if your organization has both on-premises and cloud IT environments (a hybrid deployment).

ADhas three main tiers: domains, trees and forests. A domain is a group ofrelated users, computers and other AD objects, such as all the AD objects foryour company’s head office. Multiple domains can be combined into atree, and multiple trees can be grouped into a forest.

Keepin mind that a domain is a management boundary. The objects for a given domainare stored in a single database and can be managed together. A forest is asecurity boundary. Objects in different forests are not able to interact witheach other unless the administrators of each forest create a trust betweenthem. For instance, if you have multiple disjointed business units, youprobably want to create multiple forests.

TheActive Directory database (directory) contains information about the ADobjects in the domain. Common types of AD objects include users, computers,applications, printers and shared folders. Some objects can contain otherobjects (which is why you’ll see AD described as“hierarchical”). In particular, organizations often simplifyadministration by organizing AD objects into organizational units (OUs) andstreamline security by putting users into groups. These OUs and groups arethemselves objects stored in the directory.

Objectshave attributes. Some attributes are obvious and some are more behind thescenes. For example, a user object typically has attributes like theperson’s name, password, department and email address, but alsoattributes most people never see, such as its unique Globally UniqueIdentifier (GUID), Security Identifier (SID), last logon time and groupmembership.

Databasesare structured, which means there is a design that determines what types ofdata they store and how that data is organized. This design is called aschema. Active Directory is no exception: Its schema contains formaldefinitions of every object class that can be created in the Active Directoryforest and every attribute that can exist in an Active Directory object. ADcomes with a default schema, but administrators can modify it to suit businessneeds. The key thing to know is that it’s best to plan the schemacarefully up front; because of the central role AD plays in authentication andauthorizations, changing the schema of the AD database later can dramaticallydisrupt your business.

Active Directory is central to the success of any modern business. Check outthese additional helpful pages to learn best practices for the most criticalareas of Active Directory:

• ActiveDirectory management
• ActiveDirectory security
• ActiveDirectory migration
• ActiveDirectory reporting

Learn how Quest Software can help

Learn how to take advantage of unique Active Directory tools and solutions