Consistency and clarity are necessary when managing a company's resources. Administrators need to know the Active Directory basics to see how the different services in this Microsoft tool work together for centralized management.
Active Directory is a combination of several services that run on Windows Server. Administrators new to IT should work to understand the Active Directory basics and how major enterprise applications, such as Exchange Server, depend on this directory service.
Active Directory Domain Services is the foundation
At the heart of Active Directory is Active Directory Domain Services (AD DS). When administrators discuss AD, they usually mean AD DS, which maintains a database of information for devices, resources, users and groups within the domain. AD DS stores the accounts and credentials (password hashes and Kerberos keys) against which users and computers authenticate, and the group memberships on which authorization decisions across the network depend.
Any server running AD DS is a domain controller (DC). When a user signs in, requests a Kerberos ticket for a network service or starts an application that needs a domain identity, a domain controller validates the credentials or issues the ticket. Corruption of the AD database or loss of the only domain controller can bring an enterprise to a halt, so administrators deploy at least two domain controllers per domain. These are not a failover cluster; each DC holds a full writable copy of the directory and the copies converge through multi-master replication, which gives both resiliency and the ability to spread authentication load. The practical corollary is that every DC is equally sensitive: an attacker who can read the database on any one of them has every credential in the domain.
Other services that rely on AD DS
Active Directory includes several other services. Most build on AD DS; the exception is Active Directory Lightweight Directory Services (AD LDS), a standalone LDAP directory for application data. It offers much of the same directory functionality without domains, domain controllers or the security principals of AD DS, and it can run on a member server or on a machine that also hosts AD DS. Smaller organizations, or individual applications that need a directory but not a domain, use it for that reason.
Active Directory Certificate Services (AD CS) is the Microsoft public key infrastructure. It issues, validates and revokes X.509 certificates used to encrypt files and email, to authenticate virtual private network clients and to secure Transport Layer Security and IPsec traffic. Certificate templates and enrollment permissions are themselves objects in AD DS, so deciding who may enroll for which template is an access-control decision as much as a PKI one.
Active Directory Federation Services (AD FS) is a claims-based identity provider. After authenticating a user against AD DS it issues security tokens (SAML, WS-Federation or OpenID Connect/OAuth), giving the user single sign-on to resources or services, typically outside the enterprise, with one set of credentials and without the external service ever seeing the password.
Finally, Active Directory Rights Management Services (AD RMS) applies persistent encryption and usage policies, such as no printing, no forwarding or an expiry date, to email, documents and web content. The policy travels with the file and is enforced by RMS-aware applications, with AD DS supplying the identities the policy refers to.
Active Directory basics: Objects and OUs
The basic component in Active Directory is an object. Each object, whether a resource such as a computer or printer, or an individual or group, has an array of attributes defined by the schema, and the schema itself is stored in the directory and can be extended by applications such as Exchange. Admins usually disable an account rather than delete it, because a disabled account keeps its security identifier (SID) and group memberships and can be re-enabled. A deleted object is not removed immediately either: it is kept as a tombstone (or, with the AD Recycle Bin enabled, as a fully restorable deleted object) for a retention period before it is purged. Deleting and recreating an account gives it a new SID, so permissions granted to the old one do not carry over.
IT can gather objects within a domain into organizational units (OUs) that make structural sense, such as by geographic location or business division, for resource management. Group Policy Objects (GPOs) are linked at the OU level and inherited by child OUs, and administrative permissions can be delegated per OU, so a help desk team can reset passwords in one OU without holding any rights over another. OU design is therefore the main tool for least privilege inside a domain.
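The objects, attributes, OUs, Group Policy links and disable-versus-delete behaviour described above, as an added example that is not code from the original article. It uses the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) on a domain-joined machine, run as an account that may create OUs and users and link GPOs; the OU, user and GPO names are hypothetical, and the distinguished names will differ in your domain.

```powershell
# Added example (not from the original article). Assumes RSAT on a domain-joined machine
# and an account permitted to create OUs/users and link GPOs. Names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName          # e.g. DC=corp,DC=example,DC=com in your environment

# 1. Organizational units: a business-division OU with a child OU beneath it.
$financeOU = New-ADOrganizationalUnit -Name 'Finance' -Path $domainDN `
    -ProtectedFromAccidentalDeletion $true -PassThru
$wsOU      = New-ADOrganizationalUnit -Name 'Workstations' -Path $financeOU.DistinguishedName -PassThru

# 2. Objects: create a user object in the OU and inspect some of its schema-defined attributes.
$pw   = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
$user = New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName "jdoe@$($domain.DNSRoot)" -Path $financeOU.DistinguishedName `
    -AccountPassword $pw -Enabled $true -PassThru

Get-ADUser -Identity $user -Properties userAccountControl, whenCreated |
    Format-List Name, DistinguishedName, ObjectClass, ObjectGUID, SID, userAccountControl, whenCreated

# The attribute definitions live in the schema partition; look one up to see what governs it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userAccountControl)' `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, systemOnly |
    Format-List lDAPDisplayName, attributeSyntax, isSingleValued, systemOnly

# 3. Group Policy: link a GPO at the OU level; the child OU inherits it.
$gpo = New-GPO -Name 'Finance Baseline' -Comment 'Added example: baseline settings for the Finance OU'
New-GPLink -Name $gpo.DisplayName -Target $financeOU.DistinguishedName -LinkEnabled Yes | Out-Null
Get-GPInheritance -Target $wsOU.DistinguishedName | Select-Object -ExpandProperty InheritedGpoLinks

# 4. Disable versus delete. Disabling keeps the SID and group memberships and is reversible.
Disable-ADAccount -Identity $user
Get-ADUser -Identity $user | Select-Object SamAccountName, Enabled, SID

# Deleting leaves a tombstone; only with the Recycle Bin enabled can the object come back intact.
Remove-ADUser -Identity $user -Confirm:$false
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($recycleBin.EnabledScopes.Count -gt 0) {
    $deleted = Get-ADObject -Filter 'SamAccountName -eq "jdoe" -and isDeleted -eq $true' -IncludeDeletedObjects
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $financeOU.DistinguishedName
    Get-ADUser -Identity 'jdoe' | Select-Object SamAccountName, Enabled, SID   # same SID as before deletion
} else {
    Write-Warning 'AD Recycle Bin is not enabled: the deleted object cannot be restored with its attributes.'
}
```

The last step is the point of the disable-versus-delete advice: a restored object keeps its original SID, whereas a recreated account with the same name gets a new one and loses every permission the old SID held. The Finance OU is created with accidental-deletion protection, so clearing that flag is required before the OU itself can be removed.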
Active Directory is also organized in levels. The domain is the lowest of these: its objects live in a single directory partition that is replicated among that domain's controllers, and the domain is the unit of administration and of password and Kerberos policy.
Trees are domains that share a contiguous DNS namespace (for example corp.example.com and sales.corp.example.com), joined automatically by two-way transitive parent-child trusts. The forest is the highest level: it groups one or more trees under a shared schema and configuration, and it is the security boundary. Domains inside a forest are not security boundaries, because every domain in the forest trusts every other and a compromise of one domain, above all the forest root, can reach all of them. Objects are not accessible from outside the forest unless an administrator creates a forest or external trust, and each such trust widens the boundary, so trusts deserve the same review as domain membership.
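An added example that is not code from the original article, covering both the domain controller and replication paragraph above and the domain, tree and forest structure described here: it maps the forest, lists each domain's controllers and operations-master roles, checks replication between partners, and reviews trusts for SID filtering. It assumes RSAT on a domain-joined machine; any domain user can run the Get-ADForest, Get-ADDomain, Get-ADDomainController and Get-ADTrust cmdlets, while replication metadata may require additional rights on some DCs.

```powershell
# Added example (not from the original article). Assumes RSAT on a domain-joined machine.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Output "Forest $($forest.Name): root domain $($forest.RootDomain), functional level $($forest.ForestMode)"
Write-Output "Forest-wide roles: schema master $($forest.SchemaMaster), domain naming master $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # ParentDomain is empty for a tree root; a non-empty value shows the tree the domain belongs to.
    Write-Output "`nDomain $($domain.DNSRoot) (parent: $($domain.ParentDomain)) SID $($domain.DomainSID)"
    Write-Output "  Domain roles: PDC emulator $($domain.PDCEmulator), RID master $($domain.RIDMaster), infrastructure master $($domain.InfrastructureMaster)"

    # Every domain controller holds a replica of the domain partition (read-only on an RODC).
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain.DNSRoot) {
        $kind = if ($dc.IsReadOnly) { 'RODC' } else { 'writable DC' }
        Write-Output "  $($dc.HostName) [$kind, site $($dc.Site), global catalog=$($dc.IsGlobalCatalog)]"

        # Multi-master replication: each DC pulls changes from its partners. A partner with
        # consecutive failures is the condition the resiliency advice is meant to catch.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = if ($_.ConsecutiveReplicationFailures -gt 0) { 'FAILING' } else { 'ok' }
                Write-Output ("    <- {0}  partition {1}: last success {2} ({3})" -f `
                    $_.Partner, $_.Partition, $_.LastReplicationSuccess, $state)
            }
    }
}

# Trusts decide who outside this domain may authenticate here. Intra-forest trusts are implicit
# and carry no SID filtering, which is why the forest, not the domain, is the security boundary.
Write-Output "`nTrusts:"
Get-ADTrust -Filter * | ForEach-Object {
    $kind = if ($_.IntraForest) { 'intra-forest' } elseif ($_.ForestTransitive) { 'forest' } else { 'external' }
    $line = "  {0} -> {1}  {2}, direction={3}, selectiveAuth={4}, quarantined={5}, forestAware={6}" -f `
        $_.Source, $_.Target, $kind, $_.Direction, $_.SelectiveAuthentication, `
        $_.SIDFilteringQuarantined, $_.SIDFilteringForestAware
    # An external trust should have SID filtering (quarantine) on; otherwise SIDs in the other
    # domain's sIDHistory are accepted here. For forest trusts, confirm the setting with
    # netdom trust <local> /domain:<remote> /enablesidhistory (query form, no value).
    if ($kind -eq 'external' -and -not $_.SIDFilteringQuarantined) {
        $line += '  ** SID filtering disabled on an external trust: review **'
    }
    Write-Output $line
}
```

Run it from the forest root domain so that Get-ADForest and the per-domain loop see every domain; from a child domain the forest-wide data is the same, but you may lack rights to read replication metadata on other domains' controllers. Selective authentication on a forest or external trust, shown in the output, is the control that limits which resources trusted users can reach once the trust exists.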