What is Active Directory and how does it work?

Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources.
Active Directory stores data as objects. An object is a single element, such as a user, group, application or device such as a printer. Objects are normally classified as either resources, such as printers or computers, or security principals, such as users, groups and computer accounts. What distinguishes a security principal is that it carries a security identifier (SID) and can therefore be granted or denied rights in an access control list. Active Directory describes each object by its name and a set of attributes. For a user, for example, these include the account name and attributes associated with the user, such as group memberships, logon restrictions and a hash of the password rather than the password itself.

The main service in Active Directory is Domain Services (AD DS), which stores the directory and handles the interaction of users and computers with the domain. AD DS authenticates a user when the user signs into a domain-joined device or attempts to connect to a server over the network, normally with Kerberos and, as a fallback, NTLM. AD DS also controls which users have access to each resource and distributes Group Policy. An administrator, for example, typically has a different level of access to data than an end user. Other Microsoft server products, such as Exchange Server and SharePoint Server, rely on AD DS for authentication and resource access. The server that hosts AD DS is the domain controller; because it holds the credentials of every account in the domain, it is the most sensitive machine in the environment.

Active Directory services

Several different services make up Active Directory. The main service is Domain Services, but the product also includes Lightweight Directory Services (AD LDS), Certificate Services (AD CS), Federation Services (AD FS) and Rights Management Services (AD RMS). Lightweight Directory Access Protocol (LDAP) is not a separate service but the protocol through which clients query and modify the directory held by AD DS and AD LDS. Each of the other services expands the product's directory management capabilities.
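The following PowerShell is an added example, not code from the original article, showing the object-and-attribute model described above against a live domain. It assumes the RSAT ActiveDirectory module is installed, that the session runs as a domain user, and that a user account named alice exists; the account name is an assumption.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module, a domain-joined session and a user account named alice (an assumed name).
Import-Module ActiveDirectory

# A user object is a security principal: it carries an objectSid, so ACLs on
# resources can reference it. Pull the attributes that drive access decisions.
$user = Get-ADUser -Identity 'alice' -Properties MemberOf, PasswordLastSet, LastLogonDate, ServicePrincipalName

# Group membership is what most resource ACLs are actually evaluated against.
# (Taking the first RDN is naive for CNs containing escaped commas; fine for a report.)
$groups = @($user.MemberOf | ForEach-Object { $_.Split(',')[0] -replace '^CN=' })

[PSCustomObject]@{
    DistinguishedName = $user.DistinguishedName
    SID               = $user.SID.Value
    Enabled           = $user.Enabled
    PasswordLastSet   = $user.PasswordLastSet
    LastLogon         = $user.LastLogonDate
    Groups            = $groups -join '; '
    # Any user with an SPN hands out a service ticket encrypted with its own password
    # hash, i.e. it can be Kerberoasted; such accounts need long random passwords.
    HasSPN            = $user.ServicePrincipalName.Count -gt 0
} | Format-List

# Resources (printer queues, OUs) versus security principals (users, groups, computers):
# only the latter carry an objectSid. The result set is capped so this is safe on a large domain.
$filter  = '(|(objectClass=user)(objectClass=group)(objectClass=printQueue)(objectClass=organizationalUnit))'
$objects = Get-ADObject -LDAPFilter $filter -Properties objectSid -ResultSetSize 200
$objects | Group-Object { if ($_.objectSid) { 'security principal' } else { 'resource' } } |
    Select-Object Name, Count

# AD DS runs on the domain controllers, which also host the Kerberos KDC that issues
# the tickets presented at sign-in and when connecting to a server.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
```

The objectClass=user filter also matches computer accounts, because the computer class is derived from user in the AD schema; that is why computers show up on the security-principal side of the count.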
Major features in Active Directory Domain Services

Active Directory Domain Services uses a tiered structure of domains, trees and forests to organize networked elements. Domains are the smallest of the main tiers, while forests are the largest. Objects such as users and devices that share the same directory database partition belong to the same domain, and every domain controller in that domain replicates that partition. A tree is one or more domains grouped together in a contiguous DNS namespace (for example, corp.example and a child domain eu.corp.example) with automatic two-way transitive trusts between parent and child. A forest is a group of one or more trees that share a single schema, a single configuration partition and a global catalog. The forest, not the domain, is the security boundary: every domain in a forest trusts every other transitively, so an attacker who gains administrative control of one domain can usually escalate to the whole forest. Domains are administrative and replication boundaries and can be managed independently for settings such as password policy, authentication and encryption.
Trusting terminology

Active Directory relies on trusts to moderate the access rights of resources between domains. A trust lets the security principals of a trusted domain be authenticated for resources in a trusting domain; it can be one-way or two-way, and transitive or non-transitive. There are several different types of trusts, distinguished by direction, transitivity and scope.
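The following PowerShell is an added example, not code from the original article, that maps the forest, tree and domain structure described in the previous section and then lists every trust with the checks a practitioner runs on it. It assumes the RSAT ActiveDirectory module and a session that can reach a domain controller of each domain in the forest; the trustAttributes bit values are the documented MS-ADTS constants, not assumptions.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module and a session that can reach a domain controller of each domain listed.
Import-Module ActiveDirectory

# Forest, trees and domains. The forest object lists every domain; a domain with no
# ParentDomain is the root of its own tree (the first tree root is the forest root domain).
$forest = Get-ADForest
"Forest root domain: {0}   functional level: {1}" -f $forest.RootDomain, $forest.ForestMode

foreach ($dns in $forest.Domains) {
    $d = Get-ADDomain -Identity $dns
    $role = if ($d.ParentDomain) { "child of $($d.ParentDomain)" } else { 'tree root' }
    "{0,-28} {1,-28} NetBIOS={2} level={3}" -f $d.DNSRoot, $role, $d.NetBIOSName, $d.DomainMode
}

# Trusts. TrustAttributes is a bit field defined in MS-ADTS; the values below are the
# documented constants, not assumptions.
$QUARANTINED       = 0x4    # SID filtering: accept only SIDs issued by the trusted domain itself
$FOREST_TRANSITIVE = 0x8
$WITHIN_FOREST     = 0x20   # parent-child or tree-root trust inside this forest
$TREAT_AS_EXTERNAL = 0x40   # forest trust filtered only as loosely as an external trust
$USES_RC4          = 0x80

Get-ADTrust -Filter * | ForEach-Object {
    $attr = [int]$_.TrustAttributes
    $kind = 'external'
    if ($attr -band $FOREST_TRANSITIVE) { $kind = 'forest' }
    if ($attr -band $WITHIN_FOREST)     { $kind = 'intra-forest' }

    # Checks a practitioner wants: SID history coming from the other side must be
    # filtered, otherwise a compromised trusted domain can present a SID that belongs
    # to a privileged group of this domain.
    $warnings = @()
    if ($kind -eq 'external' -and -not ($attr -band $QUARANTINED))  { $warnings += 'SID filtering disabled' }
    if ($kind -eq 'forest'   -and ($attr -band $TREAT_AS_EXTERNAL)) { $warnings += 'SID filtering relaxed' }
    if (($attr -band $USES_RC4) -and -not $_.UsesAESKeys)           { $warnings += 'RC4-only trust key' }

    [PSCustomObject]@{
        Target     = $_.Target
        Direction  = $_.Direction                 # Inbound, Outbound or BiDirectional
        Kind       = $kind
        Transitive = -not $_.DisallowTransivity   # property name as spelled by the module
        Selective  = $_.SelectiveAuthentication   # selective authentication limits who may cross
        Warnings   = $warnings -join '; '
    }
} | Format-Table -AutoSize
```

Intra-forest trusts never appear with a warning here because SID filtering does not apply inside a forest; that is precisely why the forest, not the domain, is the security boundary.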
History and development of Active Directory

Microsoft previewed Active Directory in 1999 and released it a year later with Windows 2000 Server, then added features with each successive Windows Server release. Windows Server 2003 introduced forest trusts and the ability to rename and reposition domains within a forest; Windows 2000 domains could not support the newer AD features running in Server 2003. Windows Server 2008 added AD FS as a server role (it had first appeared in Windows Server 2003 R2). At the same time, Microsoft rebranded the directory for domain management as AD DS, and AD became an umbrella term for the directory-based services it supported. Windows Server 2016 updated AD DS to improve security and to support migrating AD environments to cloud or hybrid cloud environments. The security updates included privileged access management (PAM), which isolates administrative accounts in a separate, hardened bastion forest connected to the production forest by a one-way trust and grants elevated group memberships only for a limited time; PAM also records which object was accessed, what type of access was granted and what actions the user took. Windows Server 2016 ended support for devices running Windows Server 2003. Microsoft also released Azure AD Connect to join an on-premises Active Directory system with Azure Active Directory (Azure AD, renamed Microsoft Entra ID in 2023) and so enable single sign-on (SSO) for Microsoft's cloud services, such as Office 365. Azure AD Connect works with systems running Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019.

Domains vs. workgroups

The workgroup is Microsoft's term for Windows machines connected over a peer-to-peer network. Workgroups are another unit of organization for Windows computers in networks. Workgroups allow these machines to share files, internet access, printers and other resources over the network. Peer-to-peer networking removes the need for a server for authentication: each machine keeps its own local account database, so a user who needs access to several workgroup machines needs an account, and a password, on each of them. Domains and workgroups differ in several ways, above all in where accounts live and which computer authenticates them.
Main competitors to Active Directory

Other directory services that provide functionality similar to AD include Red Hat Directory Server, Apache Directory and OpenLDAP. Red Hat Directory Server manages user access to multiple systems in Linux and Unix environments. Similar to AD, Red Hat Directory Server supports user ID and certificate-based authentication to restrict access to data in the directory. Apache Directory is an open source Java project that provides ApacheDS, an LDAP server, and Apache Directory Studio, an Eclipse-based client with a schema browser and an LDAP editor and browser that can be pointed at any LDAP server, including AD, from Windows, macOS or Linux. OpenLDAP is an open source LDAP server that runs on Linux, BSD and other Unix-like systems as well as on Windows. It ships the slapd server daemon and command-line tools for searching, adding, modifying and deleting entries, supports password policies and custom schema, and secures connections with TLS, either LDAPS on port 636 or StartTLS on port 389.

This was last updated in June 2021
What is a domain container?

The domain container is the root container of the hierarchy of a domain (the object whose distinguished name is, for example, DC=corp,DC=example). Changes to the policies or the access control list (ACL) on this container can have domain-wide impact, because permissions set here inherit down to every object in the domain. Do not delegate control of this container; it must be controlled by the service administrators.
What is the Computers container in Active Directory?

In Active Directory, the default container for user objects is the Users container and the default container for computer objects is the Computers container. If you create user or computer objects programmatically, or join a computer to the domain, without specifying a target OU, the objects are created in their default container.
Which Active Directory container has all the computers in the domain?

The Computers container is the default location for computer objects in Active Directory, but it does not necessarily hold all of them: computer accounts can be created in or moved to any OU, and domain controllers live in the Domain Controllers OU. After a domain is upgraded from Windows NT 4 to Active Directory, all computer accounts are found, initially, in this container.
Which container object can contain users, groups, computers and other objects?

An organizational unit (OU) is a container that can hold other objects, such as users, computers or groups, from the same domain, as well as nested OUs. Unlike the built-in Users and Computers containers, an OU can have Group Policy objects linked to it and can serve as the scope for delegating administration, which is why accounts and machines should be moved out of the default containers into OUs.
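The following PowerShell is an added example, not code from the original article, that puts the four answers above into practice: it lists the top-level containers and OUs under the domain container, audits the domain container's ACL for the rights that give domain-wide control, finds machines left in the default Computers container, and redirects future joins into an OU. It assumes the RSAT ActiveDirectory module and a Domain Admin session on a domain controller; the OU name Workstations is an assumption, and the last two lines change the domain rather than just read it. The control-access GUIDs are the standard AD schema values.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module and a Domain Admin session on a domain controller; 'Workstations' is an
# assumed OU name. The last two commands modify the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$root   = $domain.DistinguishedName        # the domain container, e.g. DC=corp,DC=example

# 1. Top-level children of the domain container. Entries of class 'container'
#    (Users, Computers, System ...) cannot have GPOs linked; OUs and the domain itself can.
Get-ADObject -Filter * -SearchBase $root -SearchScope OneLevel |
    Select-Object Name, ObjectClass | Sort-Object ObjectClass, Name

# 2. The domain container's ACL has domain-wide effect, so audit who holds full-control
#    or replication rights on it. Control-access right GUIDs from the AD schema
#    (standard values, not assumptions). Holding both replication rights, or an
#    unrestricted ExtendedRight (empty ObjectType), lets a principal pull every
#    password hash from a DC, i.e. perform a DCSync.
$dsReplGetChanges    = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$dsReplGetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$replicationRights   = @($dsReplGetChanges, $dsReplGetChangesAll)

$acl = Get-Acl -Path "AD:\$root"
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') -or
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
            ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType.ToString() -in $replicationRights))
    )
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
# Expected on this list: Domain Admins, Enterprise Admins, Administrators, SYSTEM, the
# domain controller groups and possibly a directory-sync account; anything else is a finding.

# 3. Machines still sitting in the default Computers container receive only domain-linked
#    policy. List them, then make new joins land in an OU you control.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName

New-ADOrganizationalUnit -Name 'Workstations' -Path $root -ProtectedFromAccidentalDeletion $true
# redircmp ships with the AD DS role (domain functional level 2003 or higher) and changes
# where new computer accounts are created by default; redirusr does the same for users.
redircmp "OU=Workstations,$root"
```

Move the existing machines with Move-ADObject after the redirect; redircmp only affects accounts created from then on, and the Computers container itself cannot be deleted or renamed.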