Microsoft Active Directory for Windows networks can be used to centrally manage internal company IT resources, edit rights and policies, and monitor various services. Here, we explain what the directory service is all about and how Windows AD works.


Active Directory: definition

Active Directory (AD) is a directory service developed by Microsoft for Windows networks. AD plays an important role for companies with complex IT resources, user rights, and hierarchical workgroups. Basically, you can think of Active Directory as an address book of sorts, though with many more options for administrators to manage, edit, query, and structure stored user and object data. The IT structure of an organisation can be divided into so-called domains with the help of the directory service and can be clearly replicated.

How Active Directory works

The best way to illustrate how Active Directory works in Windows network servers and what tasks it performs is to use an example: imagine a large company with 150 employees. All employees depend on the company’s internal IT infrastructure, such as user accounts, printers, scanners, and rights on computers in different work groups. To avoid having to manage IT resources individually for each workstation, Active Directory can map corporate structures, store user and object data, and centrally manage and distribute rights.

For example, a password change doesn’t have to be made on each device, but only once in the Windows AD. System updates and upgrades can also be performed centrally in this way. AD administration and write access to IT resources are in the hands of system administrators. The tasks of Microsoft Active Directory include:

  • Hierarchical organisation and mapping of internal IT resources, users, and objects (hardware, software, user roles, and network components/devices/services).
  • Management and structuring of storage space.
  • Release and blocking of access and application rights (e.g. to directories and services).
  • Securing and protecting the corporate network.

Basic structure of AD in Windows networks

An Active Directory basically consists of three central components: schema, configuration, and domain. At the heart of this are domains, which contain all the important information about IT resources and users and map the network. Equally important for the overall structure are the database and its objects. Below, we take a look at the individual components.

Schema

As the name suggests, the AD schema serves as a template for required and permitted classifications as well as types of AD entries. This includes objects and their attributes, classes, and the syntax of attributes. The schema uses definitions to determine which objects are available or can be made available on the network.

Configuration

While the schema defines the possible contents, the AD configuration maps the structure of the Active Directory and all contained objects, user roles, and shares. This includes existing domains that subdivide workgroups in the computer network. In turn, domain-specific content and information is only available via internal domain controllers of the respective domain. These contain a global catalogue with all important information and partial information about the schema, configuration, and other domains in the same network. The global catalogue can be used to search for and retrieve important partial information across domains.

Domain

Domains are the basis of Active Directory and are used in the hierarchical structuring of objects, workgroups, and users managed by administrators. Like directories and subdirectories, a domain contains all information about objects and attributes that only concern the domain. Domain-specific information can be accessed from other domains only if it is included in the global catalogue. All other information is available only on the internal domain controller. A domain is therefore an important structuring element, dividing administrative and network units into areas, workgroups, and departments, and hierarchically structuring authorisations. Domain names are assigned in the same way as with classic DNS servers.

Database and objects

The Active Directory database is based on the Microsoft Jet Engine, similar to a Microsoft Exchange Server. It is object-based and hierarchical. The objects represent the respective data sets and group policies for IT resources. Their properties are called attributes and their types are defined accordingly. Objects are subdivided into ‘accounts’ (e.g. service- and user-related accounts for employees, groups, or devices) and ‘resources’ (e.g. shares for applications and services).

Objects are also divided into ‘containers’, which contain further predefined or self-defined objects, and ‘non-containers’, which don’t contain any further objects and are also called end nodes or leaf nodes.

Four key technical AD components

Four central standards are used to enable uniform communication between computers, applications, services, AD directories, and domains:

  • LDAP (Lightweight Directory Access Protocol): protocol for unified queries against Active Directory directories.
  • Kerberos protocol: protocol for centralised, unified authentication of users and for their access rights on AD servers.
  • SMB (Server Message Block): protocol for file access in the AD network and on servers, used among other things to deliver group policies and log-in scripts.
  • DNS (Domain Name System): system for uniformly addressing computer names and domains in the Active Directory.
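An added example, not from the original article: a small Python script showing how an Active Directory object's LDAP distinguished name (DN) encodes both the chain of containers above it (the containers and leaf nodes described under ‘Database and objects’) and the domain's DNS name (the LDAP and DNS points in the list above). The DNs are constructed sample data.

```python
# Added example, not from the original article: how an AD distinguished
# name (DN) encodes the container hierarchy and the domain's DNS name.
SAMPLE_DNS = [  # constructed sample objects
    "CN=Alice Adams,OU=Sales,DC=corp,DC=example,DC=com",
    "CN=Smith\\, John,OU=Sales,DC=corp,DC=example,DC=com",  # escaped comma
    "CN=Printer01,OU=Devices,OU=Sales,DC=corp,DC=example,DC=com",
    "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com",
]

def split_dn(dn):
    """Split a DN into (attribute, value) pairs. A backslash escapes the
    next character (RFC 4514), so 'Smith\\, John' stays one value."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [(a.strip().upper(), v) for a, _, v in (r.partition("=") for r in rdns)]

def domain_dns_name(dn):
    """DC= components read left to right form the DNS name of the domain,
    which is why AD domain names look like classic DNS names."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")

def build_tree(dns):
    """Nest the non-DC RDNs under their domain, root first. Every RDN
    above an object is a container; the object itself is an empty dict."""
    tree = {}
    for dn in dns:
        node = tree.setdefault(domain_dns_name(dn), {})
        for attr, value in reversed([p for p in split_dn(dn) if p[0] != "DC"]):
            node = node.setdefault(f"{attr}={value}", {})
    return tree

def leaf_nodes(tree):
    """End nodes (non-containers). Caveat: an empty OU would show up here
    too; in a real directory the object class decides, not emptiness."""
    leaves = []
    for name, children in tree.items():
        leaves.extend(leaf_nodes(children) if children else [name])
    return leaves
```

Running `build_tree(SAMPLE_DNS)` yields one root, `corp.example.com`, with `OU=Sales` and `CN=Users` as containers beneath it and the four CN objects as leaves.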

How hierarchy works in Active Directory

If you only take a quick look, you won’t see the Active Directory for the trees. Although it may sound like a bad pun, it’s actually true, because the overall structure of AD is also called the forest and can contain several trees in the form of root domains and subdomains of a DNS space. Containers organised into domains are considered the lowest unit. Joined domains map the organisational structure and resources of the enterprise, but can also be configured independently of physical and logical enterprise structures. In this way, several locations can be united in one domain or different domains can be managed at one location.

Information that can be accessed by all AD users is

  • the schema,
  • the configuration,
  • and domain information in the global catalogue.

Domain-specific data, on the other hand, can only be accessed via the internal domain controllers already mentioned. A domain usually has two controllers that replicate with each other (multimaster replication), so each holds a complete AD copy and acts as a backup for the other, which prevents data loss.

Note

User rights, domains, and domain controllers are organised and configured by the responsible administrator.

Active Directory advantages

The advantages of Active Directory for complex Windows networks in companies at a glance:

  • Centralised management and configuration of shares, rights, and policies for users, groups, services, and applications.
  • Protection against failures and data loss through multimaster replication within the domain structure.
  • Mapping and central configuration of the organisational structure of Windows computer networks.
  • Flexible extension and scaling of domain structures.
  • Information protection through hierarchical demarcation between areas, departments, and workgroups with different access rights.
  • Compatibility with other directory services.
  • Cost and effort reduction through centralised administration.