What is Active Directory (AD)?
Have you ever heard of or used Novell Netware? Unless you are an experienced IT professional or an aficionado of high-tech history, you probably haven’t. For the record, it was one of the tools used for administration on a Windows computer until the late 1990s.
Novell Netware and the like became obsolete when Microsoft introduced Active Directory (AD) in 1999 for Windows 2000. Active Directory is a directory management system that allows IT departments to store and manage information about devices, objects, and users on a network.[i] It is a primary feature of Windows Server.
Using AD allows an IT department to organize users into groups and subgroups. It also allows IT teams to manage file access so that only specific users have access to sensitive resources, information, and data.
Active Directory is like an index for network resources; if a member of the IT department needs to locate information about a computer, server, hardware resource, shared file or folder, or a group of users on a network, they access it through AD.
Organizations of all sizes and industries rely on AD to manage the resources and users on their Windows networks.
The logical structure of Active Directory is a hierarchical organization of all users, computers, and other physical resources. This structure includes three main tiers:[ii]
- Domains
- Trees
- Forests
Let’s define these terms. Objects, such as users or devices (e.g., workstations or printers), that all use the same database can be grouped into a single domain. Domains were introduced in Windows NT. When multiple domains are combined into a single group, it is known as a tree.
Logically, then, when multiple trees are grouped, it is called a forest.
Forests are the security boundaries of the logical structure. They can offer data and service autonomy and isolation within an organization.
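The tiers above can be worked out mechanically from an object's LDAP distinguished name (DN), whose DC components spell out its domain. The following Python is an added example and not code from the original article: it parses DNs, derives each object's domain, groups domains into trees, and checks whether two objects sit in different forests. It assumes the standard AD convention that a tree is a set of domains sharing a contiguous DNS namespace and that a forest is one or more trees, with access across forests requiring an explicit forest trust. The DNs, domain names and forest membership are constructed sample data.

```python
"""Model Active Directory's logical tiers (domain -> tree -> forest) from LDAP
distinguished names (DNs).

Added example, not code from the original article. The DNs, domain names and
forest membership below are constructed. It assumes the standard AD convention
that a tree is a set of domains sharing a contiguous DNS namespace (a child
domain's DNS name is a subdomain of its parent's) and that a forest is one or
more trees; access between forests requires an explicit forest trust.
"""
from collections import defaultdict


def parse_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs.

    Handles backslash-escaped characters inside values (e.g. 'Smith\\, Bob');
    hex escapes (\\2C) and multi-valued RDNs (a=1+b=2) are not handled.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped character is taken literally
            i += 2
            continue
        if ch == ",":                  # unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_of(dn):
    """DNS name of the domain holding the object: its DC components joined by dots."""
    dcs = [value for attr, value in parse_dn(dn) if attr == "DC"]
    if not dcs:
        raise ValueError("DN has no DC components: %r" % dn)
    return ".".join(dcs).lower()


def tree_root(domain, known_domains):
    """Topmost known DNS ancestor of `domain`, i.e. the root of its tree."""
    labels = domain.split(".")
    root = domain
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in known_domains:
            root = ancestor            # keep walking up; the last hit is the highest
    return root


def group_into_trees(domains):
    """Map each tree root to the sorted list of domains in that tree."""
    known = {d.lower() for d in domains}
    trees = defaultdict(list)
    for d in known:
        trees[tree_root(d, known)].append(d)
    return {root: sorted(members) for root, members in trees.items()}


def forest_of(dn, forests):
    """Name of the forest whose domain set contains the object's domain."""
    dom = domain_of(dn)
    for name, members in forests.items():
        if dom in members:
            return name
    raise ValueError("domain %s is not in any known forest" % dom)


def crosses_forest_boundary(dn_a, dn_b, forests):
    """True when two objects live in different forests: the interaction crosses
    AD's security boundary and needs a forest trust rather than default access."""
    return forest_of(dn_a, forests) != forest_of(dn_b, forests)


# Constructed sample data (not real organizations).
SAMPLE_DNS = [
    "CN=Alice Adams,OU=Users,DC=corp,DC=example,DC=com",
    "CN=FS01,OU=Servers,DC=emea,DC=corp,DC=example,DC=com",
    "CN=Smith\\, Bob,OU=Users,DC=labs,DC=example,DC=net",
    "CN=Printer1,OU=Devices,DC=partner,DC=example,DC=org",
]
FORESTS = {
    "example-forest": {"corp.example.com", "emea.corp.example.com", "labs.example.net"},
    "partner-forest": {"partner.example.org"},
}

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(domain_of(dn), "<-", dn)
    print(group_into_trees(FORESTS["example-forest"]))
    print(crosses_forest_boundary(SAMPLE_DNS[0], SAMPLE_DNS[3], FORESTS))
```

Running it shows `corp.example.com` and `emea.corp.example.com` falling into one tree while `labs.example.net` forms a second tree in the same forest, and that the printer in `partner.example.org` sits across a forest boundary from Alice's account, which is exactly the case where a forest trust, not just a domain membership, decides whether access is possible.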
Beyond domains, trees, and forests, there are three additional pieces to AD’s storage architecture:[iii]
- Domain Name System (DNS) support
- Schema
- Data store
DNS is the name resolution service that clients use to locate domain controllers. People navigate to websites by domain name (URL), but web browsers connect to IP addresses, so DNS handles the behind-the-scenes resolution for a smooth user experience.
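Domain controller location works through DNS SRV records: a domain member queries well-known names under `_msdcs.<domain>` and picks a controller from the answers. The following Python is an added example, not code from the original article. The query names follow the real AD locator convention (`_ldap._tcp.dc._msdcs.<domain>`, `_kerberos._tcp.dc._msdcs.<domain>`, and the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) and the selection logic follows RFC 2782; the zone data it parses is constructed.

```python
"""How a domain member finds a domain controller through DNS SRV records.

Added example, not code from the original article. The zone data is
constructed. The query names follow the real AD locator convention and record
selection follows RFC 2782 (lowest priority first, weighted choice within a
priority level).
"""
import random


def dc_locator_names(domain, site=None):
    """SRV names a client queries to find DCs, site-specific names first if a site is known."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    names.append(f"_kerberos._tcp.dc._msdcs.{domain}")
    return names


def parse_srv_line(line):
    """Parse one zone-file SRV line: name ttl IN SRV priority weight port target."""
    parts = line.split()
    if len(parts) != 8 or parts[2] != "IN" or parts[3] != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    return {
        "name": parts[0].rstrip("."),
        "ttl": int(parts[1]),
        "priority": int(parts[4]),
        "weight": int(parts[5]),
        "port": int(parts[6]),
        "target": parts[7].rstrip("."),
    }


def parse_zone(text):
    """Parse every non-blank, non-comment line of a zone fragment as an SRV record."""
    return [parse_srv_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.startswith(";")]


def lowest_priority_group(records):
    """Records sharing the lowest (most preferred) priority value, in input order."""
    best = min(r["priority"] for r in records)
    return [r for r in records if r["priority"] == best]


def pick_weighted(group, roll):
    """Choose from one priority group by RFC 2782 weights; `roll` is a number in [0, 1)."""
    total = sum(r["weight"] for r in group)
    if total == 0:
        return group[0]                 # all weights zero: no preference expressed
    point = roll * total
    cumulative = 0
    for r in group:
        cumulative += r["weight"]
        if point < cumulative:
            return r
    return group[-1]


def choose_dc(records, roll=None):
    """Full locator choice: most preferred priority, then weighted pick within it."""
    if roll is None:
        roll = random.random()
    return pick_weighted(lowest_priority_group(records), roll)


# Constructed zone fragment: two DCs share priority 0, a DR-site DC is the fallback.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 50 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 100 389 dc-dr.corp.example.com.
"""

if __name__ == "__main__":
    print(dc_locator_names("corp.example.com", site="HQ"))
    recs = parse_zone(SAMPLE_ZONE)
    print("preferred:", [r["target"] for r in lowest_priority_group(recs)])
    print("chosen:", choose_dc(recs)["target"])
```

Because the locator trusts whatever the zone returns, the integrity of these SRV records (who is allowed to create or update them, and whether the zone is AD-integrated with secure dynamic updates) is part of the domain's security posture, not just a DNS housekeeping detail.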
A schema is a set of rules that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names. It includes definitions for all the objects that are used to store information in the directory.
There is only one schema per forest, but a copy of it lives on every domain controller (see below) in the forest. This gives each domain controller quick access to any object definition it needs, and it means every domain controller uses the same definition when it creates a given object.
The data store is the directory portion that manages the storage and retrieval of data on each domain controller. Data stores use definitions created by the schema to enforce data integrity. All objects are therefore created uniformly, and all domain controllers use the same object definition.
AD Global Catalog
Active Directory also maintains a global catalog, which holds information about every object in the directory, and provides a query and index mechanism and a replication service.
As you can see, managing all of these processes manually would take a large, dedicated IT team. However, there are many automated tools available to help the IT team manage the authentication system.
Active Directory Domain Services
Active Directory also provides what is known as “Active Directory Domain Services” (ADDS).[iv] These services help IT teams manage client systems. These services include the following:
- Domain Services
- Certificate Services
- Lightweight Directory Services
- Directory Federation Services
- Rights Management
A server that is running ADDS is known as a domain controller. This controller authenticates and authorizes all users within the network. Some responsibilities include: enforcing security, installing software and updates, managing storage, and more.
Domain services refer to AD’s storage of centralized data and managed communication between users and domains. This includes login authentication, search functionality, and more.
Certificate Services is defined as the creation, distribution, and management of secure certificates.
Lightweight Directory Services support directory-enabled applications that use the open Lightweight Directory Access Protocol (LDAP). LDAP is a vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.
The next service, Directory Federation Services, offers single sign-on for user authentication. Application security is maintained by way of a claims-based access control authorization model.
Rights Management, of course, is focused on the protection of copyrighted information via access controls.
The cloud and the future
Microsoft introduced Azure AD in 2015 to account for IT infrastructure, systems, apps, storage, and other resources increasingly becoming cloud-hosted. According to the company, Azure is the next evolution of identity and access management solutions for the cloud.[v] This directory offers organizations an Identity-as-a-Service (IDaaS) solution for apps across the cloud and on-premises.
While more companies are moving to cloud services, Active Directory remains a tool that organizations rely on for many necessary features, particularly managing single sign-on and on-premises systems, applications, and resources. Removing AD impacts[vi]:
- management of shared printers
- control of shared data and backups
- management of Windows updates
- group policies
- an easy way to push out software
Active Directory also remains a reliable and relatively inexpensive tool for managing a network of computers. LDAP, mentioned above, is also used widely, meaning AD is a popular choice among IT teams. While Azure has been rolled out, Active Directory remains the standard-setter in the industry.[vii]