Active Directory (AD) is a directory service developed by Microsoft for managing permissions and access to networked resources, such as users, computers, applications, and other devices within a Windows domain network. It provides a centralized and standardized system for network management and security, allowing administrators to easily manage permissions, enforce policies, and organize resources.
Active Directory operates on a hierarchical structure that allows resources to be grouped and organized logically. It is most commonly used in enterprise environments to handle authentication (logins) and authorization (permissions) for resources.
Active Directory Structure
Active Directory has a hierarchical structure that includes several key components:
1. Domain
- A domain is a logical grouping of objects (users, computers, etc.) within a network that share a common directory database. Domains act as a boundary for administrative policies and security. Each domain has its own database of objects, and it can trust or share resources with other domains.
- Example: company.com could be an Active Directory domain, containing users, computers, and other resources related to that organization.
2. Objects
- An object in AD represents a single entity, such as a user, a computer, a printer, or a group. Each object has attributes, such as a user’s first name, last name, or email address.
- Types of objects:
- Users: Represent individuals in the organization.
- Computers: Represent physical or virtual machines.
- Groups: Collections of users, computers, or other objects for easier management.
- Printers, Shared Folders, and more.
3. Organizational Units (OUs)
- OUs are containers within a domain that can contain users, groups, computers, and other OUs. They are used to organize objects for administrative purposes and to apply policies. OUs are useful for delegating administration or applying Group Policies.
- Example: You could create an OU named HR to group all human resources-related users and computers.
4. Forest
- A forest is the highest level of the AD structure and contains one or more domains that share a common schema (a set of rules defining object types and their attributes). The first domain created in the forest is called the forest root domain, and it acts as the central point for managing the entire forest.
- Forests can have multiple domains, and domains can trust each other within the same forest.
5. Trees
- A tree is a collection of domains within a forest that share a contiguous namespace. The domains in a tree are organized in a hierarchy, and each domain can have its own subdomains.
- Example: A domain tree could consist of company.com, sales.company.com, and hr.company.com.
6. Sites
- Sites in AD are used to represent the physical layout of the network. Sites are groups of IP subnets used to manage replication traffic and assign resources to users based on their physical location.
- Example: If you have offices in different locations (e.g., New York, London), you would define each location as a site to manage the replication of data efficiently between them.
7. Global Catalog
- The Global Catalog is a distributed data store that contains a searchable, partial representation of every object in every domain within the forest. It helps speed up searches for objects in different domains.
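The hierarchy described above can be read directly from a live forest. The following PowerShell is an added example, not part of the original article; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and ordinary read access to the directory. Everything it prints comes from that forest, and $sampleUser is a constructed placeholder rather than a value from the text.

```powershell
# Added example (not from the original article). Assumes a domain-joined host with the
# RSAT ActiveDirectory module; output depends on the forest the host belongs to.
Import-Module ActiveDirectory

# Forest: top of the hierarchy. RootDomain is the forest root domain, Domains lists every
# domain in the forest, GlobalCatalogs lists the DCs holding the partial forest-wide replica.
$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Domains in forest  : $($forest.Domains -join ', ')"
"Global catalogs    : $($forest.GlobalCatalogs -join ', ')"
"Schema master      : $($forest.SchemaMaster)"

# Trees: domains that share a contiguous DNS namespace. A domain with no ParentDomain is
# the root of a tree; its ChildDomains continue that namespace (company.com -> hr.company.com).
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    $parent = if ($dom.ParentDomain) { $dom.ParentDomain } else { '(tree root)' }
    "Domain $($dom.DNSRoot)  parent: $parent  children: $($dom.ChildDomains -join ', ')"
}

# OUs in the current domain. CanonicalName shows nesting as a path (company.com/HR/Payroll),
# which is easier to read than the DistinguishedName.
Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
    Sort-Object CanonicalName |
    Select-Object CanonicalName, DistinguishedName

# Sites: the physical layout used to schedule replication, and the subnets mapped to each.
Get-ADReplicationSite -Filter * | Select-Object Name, Description
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Objects: a user is one object with attributes; -Properties * returns every populated one.
# $sampleUser is a constructed placeholder; replace it with a real sAMAccountName.
$sampleUser = 'jdoe'
Get-ADUser -Filter "sAMAccountName -eq '$sampleUser'" -Properties * |
    Select-Object Name, GivenName, Surname, EmailAddress, DistinguishedName, MemberOf
```

The lookup of the sample user deliberately uses -Filter rather than -Identity so that a name that does not exist yields empty output instead of an error, which makes the script safe to run as-is in any forest.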
How Does Active Directory Work?
Active Directory functions as a centralized database and is built on several key services that enable its operations:
1. Authentication and Authorization
- Authentication: AD uses Kerberos and NTLM protocols for authenticating users and computers within a domain. When a user logs in, AD checks their credentials against the database and issues a security token if valid.
- Authorization: AD controls what resources users and computers have access to through group membership and permissions assigned to objects.
- Example: When a user logs in to their workstation, AD verifies their username and password, grants access, and applies policies like which network drives are available to them.
2. LDAP (Lightweight Directory Access Protocol)
- AD uses LDAP as the primary protocol for querying and modifying directory services. Applications and services use LDAP to search, retrieve, and update information within the directory.
- Example: An email server might use LDAP to search AD for a user’s email address when sending an email.
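An LDAP lookup of exactly that kind, as an added example that is not part of the original article. It uses the .NET DirectoryServices classes (available on any Windows host, no extra module) and assumes the host is domain-joined. The function names, the escaping helper and the sample account names are assumptions for this illustration; the filter-escaping rules follow RFC 4515.

```powershell
# Added example (not from the original article): a mail-address lookup the way a mail server
# would do it over LDAP. Assumes a domain-joined host; sample names below are constructed.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value, backslash first so the
    # escapes themselves are not re-escaped. A value copied from user input is then matched
    # literally and cannot change the filter's structure (LDAP injection).
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DirectoryMailAddress {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$ForestWide    # search the Global Catalog (port 3268) instead of one domain
    )
    # RootDSE reports the naming contexts, so nothing like DC=company,DC=com is hard-coded.
    $rootDse = [adsi]'LDAP://RootDSE'
    $base = if ($ForestWide) {
        [adsi]"GC://$($rootDse.rootDomainNamingContext)"
    } else {
        [adsi]"LDAP://$($rootDse.defaultNamingContext)"
    }
    $safe = ConvertTo-LdapFilterValue -Value $SamAccountName
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($base)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    # Request only the attributes needed; the Global Catalog holds a partial attribute set anyway.
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('mail', 'distinguishedName'))
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    [pscustomobject]@{
        DistinguishedName = ($hit.Properties['distinguishedname'] | Select-Object -First 1)
        Mail              = ($hit.Properties['mail'] | Select-Object -First 1)
    }
}

# Constructed samples. A literal asterisk in the name is escaped, so it is not a wildcard:
# the first call returns $null unless an account with exactly that name exists.
Get-DirectoryMailAddress -SamAccountName 'svc.backup*'
# The forest-wide variant resolves a user in any domain of the forest via the Global Catalog.
Get-DirectoryMailAddress -SamAccountName 'jdoe' -ForestWide
```

Binding to LDAP:// searches one domain's naming context; binding to GC:// searches the partial replica of every domain in the forest, which is why the Global Catalog is the right base when the caller does not know which domain holds the user.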
3. Group Policies
- Group Policies allow administrators to apply security settings, application settings, and configurations to users and computers in the domain. Group Policies can be linked to OUs, domains, or sites to enforce specific rules.
- Example: You can use a Group Policy to enforce password policies, screen lock settings, or restrict access to certain applications.
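The following PowerShell inspects the policy settings the section talks about: the domain password policy, any fine-grained policies that override it, and the GPOs that reach a given OU. It is an added example, not part of the original article, and assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host; $ouDn is a constructed sample OU.

```powershell
# Added example (not from the original article). Assumes RSAT (ActiveDirectory and
# GroupPolicy modules) on a domain-joined host; $ouDn is a constructed sample value.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Password policy enforced domain-wide (Default Domain Policy settings as stored in AD).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# Fine-grained password policies override the default for the groups they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo

# GPOs that reach an OU: links on the OU itself plus links inherited from the domain and
# parent OUs, in processing order. Enforced links still apply when inheritance is blocked.
$ouDn = 'OU=HR,DC=company,DC=com'   # constructed sample; use an OU from Get-ADOrganizationalUnit
$inh = Get-GPInheritance -Target $ouDn
"Inheritance blocked at $($inh.Path): $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced, Target

# Review check: GPOs untouched for a year, or with the user or computer half disabled,
# are candidates for cleanup because stale policy is rarely what anyone still intends.
Get-GPO -All |
    Where-Object { $_.ModificationTime -lt (Get-Date).AddYears(-1) -or $_.GpoStatus -ne 'AllSettingsEnabled' } |
    Select-Object DisplayName, GpoStatus, ModificationTime, Owner
```

Get-GPInheritance shows the links in the order the client processes them; the last GPO applied wins for conflicting settings, unless a higher link is marked Enforced.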
4. Replication
- AD uses replication to ensure that all domain controllers in the network have up-to-date information. This means that if an object (such as a user or a group) is modified on one domain controller, the change is replicated to all other domain controllers.
- Replication is optimized using sites to reduce bandwidth usage.
5. Domain Controllers (DCs)
- Domain Controllers are the servers that host the Active Directory database. They are responsible for authenticating users, enforcing policies, and replicating data across the network.
- Primary DC: Every domain has a Primary Domain Controller (PDC), which is the central point for managing the domain.
- Backup DCs: Other domain controllers act as backups to provide redundancy.
6. Trust Relationships
- AD domains can trust other domains in the same or different forests. Trust relationships allow users in one domain to access resources in another domain.
- Example: Users from hr.company.com can access resources in sales.company.com through a trust relationship.
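The domain controllers, replication and trust relationships covered in the last three items can be checked together. This PowerShell is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access, and the only value it relies on that the text does not name is the "PDC emulator" role, which is how the primary domain controller role is exposed by the module.

```powershell
# Added example (not from the original article): check the domain controllers, replication
# and trusts described above. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory
$dom    = Get-ADDomain
$forest = Get-ADForest

# Every DC in the domain, its site, and whether it holds a Global Catalog or is read-only.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem

# Role holders. The PDC emulator is the "Primary DC" role from the text; the other
# single-master roles matter for the same reason: if the holder is down, those tasks stop.
[pscustomobject]@{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# Replication: when each DC last synced successfully with each partner, oldest first.
Get-ADReplicationPartnerMetadata -Target $dom.DNSRoot -Scope Domain |
    Sort-Object LastReplicationSuccess |
    Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures

# Replication failures anywhere in the forest (empty output is the healthy case).
Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# Trusts: direction and type, plus the two settings that limit what a trusted domain can
# assert. SID filtering drops foreign SIDs from the token; selective authentication requires
# an explicit "Allowed to Authenticate" grant instead of admitting every trusted account.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SelectiveAuthentication
```

A partner whose LastReplicationSuccess is older than the replication interval for its site, or any row at all from Get-ADReplicationFailure, is the first thing to chase before assuming a DC simply has stale data.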
Active Directory Workflow Example: User Login
- User Attempts to Log In:
- The user enters their username and password on a Windows workstation.
- Authentication:
- The workstation sends a request to the nearest Domain Controller (DC) using the Kerberos protocol.
- The DC verifies the credentials against the AD database.
- Authorization:
- After authentication, AD checks the user’s group memberships and applies any policies (e.g., access to network drives or printers).
- Access Granted:
- If the credentials are correct and the user has the necessary permissions, they are granted access to resources like shared folders, printers, or applications.
- The system applies Group Policies, such as desktop settings or security restrictions.
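The four steps above, and the authentication/authorization split described earlier in the section, can be observed on the workstation where the logon happened. The following PowerShell is an added example, not part of the original article. klist, whoami and gpresult are built-in Windows tools; reading the Security log requires local administrator rights; the logon-type numbers are the documented values for interactive (2), remote interactive (10) and cached interactive (11) logons.

```powershell
# Added example (not from the original article): trace the logon workflow on a domain-joined
# workstation. Built-in tools only; the Security log query needs local administrator rights.

"Authenticating DC : $env:LOGONSERVER"   # the DC that handled this session's logon

# Step 2 (Authentication): Kerberos tickets cached for this session. The krbtgt entry is the
# ticket-granting ticket obtained at logon; the others are service tickets for resources used since.
klist

# Step 3 (Authorization): the group SIDs in the access token are what decides which shares,
# printers and applications this user may open.
whoami /groups /fo list

# Step 4 (Access granted, policies applied): the GPOs applied to this user at logon.
gpresult /r /scope:user

# Defender's check: confirm recent interactive logons used Kerberos rather than NTLM.
# Event 4624 records the package used; a pattern of NTLM for interactive logons means the
# Kerberos path described above is not being taken and deserves a look.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']
            Package   = $data['AuthenticationPackageName']
        }
    } |
    Where-Object { $_.LogonType -in '2', '10', '11' } |
    Group-Object Package, LogonType -NoElement
```

A cached interactive logon (type 11) is the case where the workstation could not reach a DC and used cached credentials; it still appears here, which is useful for spotting machines that routinely log on without contacting the domain.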
Benefits of Active Directory
- Centralized Management: Allows administrators to manage user accounts, security settings, and resources from a single location.
- Scalability: Active Directory can handle small to large enterprises with complex organizational structures.
- Security: Provides robust authentication and authorization mechanisms.
- Policy Enforcement: Group Policies allow for consistent enforcement of security and system settings across the network.
In summary, Active Directory is a powerful directory service that simplifies managing users, computers, and resources in a network, offering scalability, security, and centralized control.