What Is Active Directory?
Active Directory is a directory service developed by Microsoft for Windows domain networks. It centralizes identity, access, and resource management for large…
In depth
Active Directory (AD) is a directory service developed by Microsoft that centralizes identity and access management for the users, computers, and other devices in a Windows domain network. It provides a structured, hierarchical way to manage those resources, and because every domain-joined system trusts it as the authority on who a user is and which groups they belong to, its integrity underpins the security of the whole enterprise.
How Active Directory Works
At its core, Active Directory functions as a comprehensive database of network resources. Every entity within the network, such as a user, computer, group, or printer, is represented as an "object" with specific attributes (e.g., name, email address). This standardization allows for consistent management. Security principals (users, computers, and groups) additionally carry a security identifier (SID), which is what appears in access control lists across the domain, and every object has its own security descriptor controlling who may read or change it. Those per-object permissions matter: write access to an attribute such as a group's membership is a privilege in its own right and should be reviewed as carefully as the membership of administrative groups.
Organizing Resources
To maintain order, objects are organized hierarchically. "Organizational Units" (OUs) group related objects, such as a department's users or a class of devices, and are the containers to which Group Policy is linked and to which administrative rights are delegated. OUs reside within a "Domain," which has its own DNS name (e.g., corp.example.com), its own accounts and domain controllers, and is the unit of replication and day-to-day administration. Domains that share a contiguous DNS namespace (corp.example.com and emea.corp.example.com, for instance) form a "Tree," and one or more trees that share a common schema, configuration partition, and global catalog make up a "Forest." Microsoft's guidance treats the forest, not the domain, as the security boundary: every domain in a forest trusts every other domain transitively, so control of any one domain, including a child domain, can be leveraged against the rest of the forest.
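An object's position in this hierarchy is encoded in its LDAP distinguished name (DN), the string tooling such as LDAP queries returns for every object. As an added example that is not part of the original page, the following Python code parses a DN, resolves RFC 4514 escaping (an escaped comma in "Smith\, John", hex-pair escapes for non-ASCII names), and reports the object's container chain and domain. The `AdLocation`, `parse_dn`, `locate` and `group_by_domain` names are this example's own, and the sample DNs are constructed for illustration rather than taken from a real directory.

```python
"""Place an Active Directory object in the OU / domain hierarchy from its distinguished name (DN)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

HEX_DIGITS = "0123456789abcdefABCDEF"


@dataclass
class AdLocation:
    rdn_type: str               # attribute type of the leaf RDN, e.g. "CN"
    name: str                   # leaf value with RFC 4514 escaping removed
    container_path: List[str]   # containers from the domain root down, e.g. ["OU=Staff", "OU=Sales"]
    domain: str                 # DNS name of the domain, assembled from the DC= components


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, leaf first, honouring RFC 4514 escaping.

    Handles backslash escapes such as "\\," and hex-pair escapes such as "\\2C" or "\\C3\\A9";
    values are accumulated as bytes so that multi-byte UTF-8 hex escapes decode correctly.
    Multi-valued RDNs (joined with "+") are not handled because AD does not create them.
    """
    rdns: List[str] = []
    buf = bytearray()
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("DN ends with a dangling backslash")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX_DIGITS and pair[1] in HEX_DIGITS:
                buf.append(int(pair, 16))           # \2C -> byte 0x2C
                i += 3
            else:
                buf += dn[i + 1].encode("utf-8")    # \, \= \+ \" \\ ... -> the literal character
                i += 2
            continue
        if ch == ",":                               # an unescaped comma separates RDNs
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    rdns.append(buf.decode("utf-8"))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")       # escapes are already resolved, so this '=' is the real one
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        parsed.append((attr.strip().upper(), value))
    return parsed


def locate(dn: str) -> AdLocation:
    """Leaf object, its container chain (root first) and the domain it lives in."""
    rdns = parse_dn(dn)
    leaf_type, leaf_value = rdns[0]
    domain = ".".join(value for attr, value in rdns if attr == "DC")
    if not domain:
        raise ValueError("DN has no DC= components, so it is not inside a domain")
    containers = [f"{attr}={value}" for attr, value in reversed(rdns[1:]) if attr != "DC"]
    return AdLocation(leaf_type, leaf_value, containers, domain)


def group_by_domain(dns: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket objects by domain: a forest is a set of such domains sharing one schema and catalog."""
    by_domain: Dict[str, List[str]] = {}
    for dn in dns:
        loc = locate(dn)
        by_domain.setdefault(loc.domain, []).append(loc.name)
    return by_domain


# Constructed sample DNs; they do not come from a real directory.
SAMPLE_DNS = [
    r"CN=Smith\, John,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com",
    r"CN=Administrator,CN=Users,DC=corp,DC=example,DC=com",
    r"CN=PRN-LOBBY,OU=Printers,DC=emea,DC=corp,DC=example,DC=com",
    r"CN=Caf\C3\A9 Kiosk,OU=Kiosks,OU=Workstations,DC=emea,DC=corp,DC=example,DC=com",
]

if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(locate(sample))
    print(group_by_domain(SAMPLE_DNS))
```

Note that the default Users container is a plain CN= container rather than an OU, which is why `locate` keeps the attribute type in the container path: Group Policy can be linked to OUs but not to built-in containers such as CN=Users or CN=Computers.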
Domain Controllers
The servers (physical or virtual) that host Active Directory are called "Domain Controllers" (DCs). Each DC holds a writable replica of the directory database (NTDS.dit), replicates changes to the other DCs in the domain, and runs the Key Distribution Center that authenticates users. Authorization is largely performed by the resource being accessed: the DC places the user's group memberships into the tickets it issues, and the file server, printer, or application compares those against its own access control lists. When a user attempts to log in, their computer locates a DC through DNS and communicates with it. Because a DC stores the password-derived keys of every account in the domain, compromise of any single DC is compromise of the domain, so DCs should be treated as the most sensitive systems in the environment.
Authentication with Kerberos
Active Directory uses the Kerberos protocol as its primary authentication mechanism, with the Domain Controller acting as the Key Distribution Center (KDC). The password itself is never transmitted. Instead, the user's computer derives a key from the password and uses it to encrypt a timestamp ("pre-authentication"), which it sends along with a request for a "Ticket Granting Ticket" (TGT). The DC decrypts the timestamp with its own copy of the user's key; if that succeeds and the time is within the permitted clock skew (five minutes by default), it issues the TGT, encrypted with the key of the special krbtgt account so that only domain controllers can read it, together with a session key that the client can decrypt. The TGT (valid for ten hours by default) then acts as the user's credential: to access a specific resource, such as a file share or printer, the client presents the TGT to the DC and requests a service ticket for that resource's service principal name (SPN). The service ticket is encrypted with the resource's own account key and carries the user's identity and group memberships (the PAC), so the resource can verify it and make its authorization decision without contacting the DC. Two caveats a practitioner should keep in mind: the krbtgt key is the root of trust for every ticket in the domain and must be protected (and rotated after any suspected compromise), and Windows still falls back to the older NTLM protocol when Kerberos cannot be used, for example when a resource is addressed by IP address rather than by name.
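The exchange described above, as an added example that is not from the original page: a toy Python model of the three steps (AS exchange for the TGT, TGS exchange for the service ticket, AP exchange at the resource) in which each party holds only the keys the real protocol gives it. The key derivation follows RFC 3962 (PBKDF2-HMAC-SHA1 with the realm and principal name as salt), which is what AD uses for its AES encryption types; the `seal`/`unseal` routines are a deliberately simple stand-in for Kerberos' real AES-CTS-HMAC encryption, and the `Kdc`, `Client`, `Service` and `demo` names, the realm, account names, passwords, group names and SPN are all constructed for this demo.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges that Active Directory uses."""
import hashlib, hmac, json, os, time

SKEW = 300                 # allowed clock skew in seconds (AD default: 5 minutes)
TGT_LIFETIME = 10 * 3600   # AD default TGT lifetime: 10 hours

def derive_key(password: str, realm: str, principal: str) -> bytes:
    """RFC 3962 string-to-key for the AES enctypes: PBKDF2-HMAC-SHA1, 4096 rounds, salt = REALM + principal."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm.upper() + principal).encode(), 4096, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (hash keystream + HMAC tag); a stand-in for Kerberos' AES-CTS-HMAC."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class Kdc:
    """KDC role of a domain controller: the one party that holds every principal's long-term key."""
    def __init__(self, realm: str):
        self.realm, self.keys, self.groups = realm, {}, {}
        self.keys["krbtgt"] = os.urandom(32)    # seals every TGT; whoever holds it can mint TGTs at will

    def add_principal(self, name: str, password: str, groups=()):
        self.keys[name] = derive_key(password, self.realm, name)
        self.groups[name] = list(groups)

    def as_exchange(self, cname: str, pa_enc_timestamp: bytes):
        """AS-REQ -> AS-REP: pre-authentication proves the password without ever transmitting it."""
        ts = unseal(self.keys[cname], pa_enc_timestamp)["ts"]   # PermissionError on a wrong password
        if abs(time.time() - ts) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        session = os.urandom(32).hex()
        tgt = {"cname": cname, "session": session, "groups": self.groups[cname], "exp": time.time() + TGT_LIFETIME}
        return seal(self.keys[cname], {"session": session}), seal(self.keys["krbtgt"], tgt)

    def tgs_exchange(self, tgt_blob: bytes, sname: str, authenticator: bytes):
        """TGS-REQ -> TGS-REP: the client proves it holds the TGT session key; the TGT itself is opaque to it."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        if time.time() > tgt["exp"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        auth = unseal(bytes.fromhex(tgt["session"]), authenticator)
        if auth["cname"] != tgt["cname"] or abs(time.time() - auth["ts"]) > SKEW:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        svc_session = os.urandom(32).hex()
        ticket = {"cname": tgt["cname"], "session": svc_session, "groups": tgt["groups"]}
        return seal(bytes.fromhex(tgt["session"]), {"session": svc_session}), seal(self.keys[sname], ticket)

class Client:
    def __init__(self, kdc: Kdc, name: str, password: str):
        self.kdc, self.name = kdc, name
        self.key = derive_key(password, kdc.realm, name)   # derived locally; the password never leaves the host
        self.tgt = self.tgt_session = None

    def logon(self):
        enc_part, self.tgt = self.kdc.as_exchange(self.name, seal(self.key, {"ts": time.time()}))
        self.tgt_session = bytes.fromhex(unseal(self.key, enc_part)["session"])

    def get_service_ticket(self, spn: str):
        authenticator = seal(self.tgt_session, {"cname": self.name, "ts": time.time()})
        enc_part, ticket = self.kdc.tgs_exchange(self.tgt, spn, authenticator)
        svc_session = bytes.fromhex(unseal(self.tgt_session, enc_part)["session"])
        return ticket, seal(svc_session, {"cname": self.name, "ts": time.time()})   # the two halves of an AP-REQ

class Service:
    """A resource such as a print server: it never contacts the KDC and needs only its own key."""
    def __init__(self, kdc: Kdc, spn: str, password: str):
        self.key = derive_key(password, kdc.realm, spn)

    def accept(self, ticket_blob: bytes, authenticator: bytes) -> dict:
        ticket = unseal(self.key, ticket_blob)               # only this service (and the KDC) can open it
        auth = unseal(bytes.fromhex(ticket["session"]), authenticator)
        if auth["cname"] != ticket["cname"] or abs(time.time() - auth["ts"]) > SKEW:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        return {"user": ticket["cname"], "groups": ticket["groups"]}   # authorization input, like the PAC

def demo() -> dict:
    kdc = Kdc("CORP.EXAMPLE.COM")   # constructed realm, accounts, passwords and SPN
    kdc.add_principal("alice", "Winter2024!", groups=["Domain Users", "Print Operators"])
    kdc.add_principal("HOST/print01.corp.example.com", "svc-secret")
    printer = Service(kdc, "HOST/print01.corp.example.com", "svc-secret")
    alice = Client(kdc, "alice", "Winter2024!")
    alice.logon()
    result = printer.accept(*alice.get_service_ticket("HOST/print01.corp.example.com"))
    try:                            # a wrong password fails pre-authentication at the KDC, before any ticket exists
        Client(kdc, "alice", "Summer2024!").logon()
        result["wrong_password_rejected"] = False
    except PermissionError:
        result["wrong_password_rejected"] = True
    return result
```

Three properties of the real protocol are visible in the model: the client can read the session keys but never the TGT or service ticket, because those are sealed under the krbtgt and service keys it does not hold; the service authorizes from the group list inside the ticket without a round trip to the DC; and a wrong password is rejected at the pre-authentication step, which is also why failed pre-authentication events on the DC are a useful signal for password-guessing attempts.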
Enforcing Policies with Group Policy
Beyond identity and access, Active Directory uses "Group Policy" to enforce configuration across the domain. Administrators define settings in Group Policy Objects (GPOs), such as blocking removable storage, pointing machines at an update server, or hardening authentication protocols, and link each GPO to a site, domain, or OU. GPOs are not linked to a forest; a forest-wide standard is achieved by linking the same settings in every domain. Computers and users inherit the GPOs linked to every container above them, processed in the order local policy, site, domain, then OUs from parent to child, with later-applied settings overriding earlier ones and "Enforced" links winning regardless of what a lower container sets. Domain members refresh policy in the background at regular intervals (every 90 minutes plus a random offset by default on workstations), so a single change propagates to thousands of machines without further action. That reach cuts both ways: whoever can modify a GPO linked high in the hierarchy can run code on every computer in its scope, so GPO permissions deserve the same scrutiny as membership of the administrative groups.
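Added example, not from the original page: a Python model of how a domain member resolves the effective settings from the GPOs linked along its path, including the two mechanisms that alter the plain "child overrides parent" rule, Enforced links and Block Inheritance. Sites are omitted, the `Gpo`, `Link`, `Container`, `apply_order`, `effective_settings` and `winning_gpo` names are this example's own, and the GPO names, setting names and OU layout are constructed for illustration.

```python
"""Resolve the effective Group Policy settings for a computer from the GPOs linked above it."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Gpo:
    name: str
    settings: Dict[str, Any]       # configured settings only; "Not Configured" never overrides anything


@dataclass
class Link:
    gpo: Gpo
    link_order: int                # 1 = highest precedence within the container (applied last)
    enforced: bool = False         # Enforced: beats child containers and ignores Block Inheritance


@dataclass
class Container:                   # a domain or an OU on the path down to the computer
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def apply_order(path: List[Container], local: Optional[Gpo] = None) -> List[Gpo]:
    """GPOs in the order the client applies them; a later GPO overrides an earlier one.

    Models the LSDOU processing order (local, site, domain, OU, child OU ...) without sites:
      - within a container, higher link-order numbers apply first and link order 1 applies last;
      - Block Inheritance on a container discards every non-enforced GPO linked above it;
      - Enforced links are applied after everything else, with the container nearest the
        domain root applied last, so they win every conflict.
    """
    normal: List[Gpo] = [local] if local else []
    enforced_by_level: List[List[Gpo]] = []
    for container in path:                       # path runs from the domain down to the computer's OU
        if container.block_inheritance:
            normal = [local] if local else []    # local policy is not affected by Block Inheritance
        ordered = sorted(container.links, key=lambda link: link.link_order, reverse=True)
        normal += [link.gpo for link in ordered if not link.enforced]
        enforced_by_level.append([link.gpo for link in ordered if link.enforced])
    enforced = [gpo for level in reversed(enforced_by_level) for gpo in level]
    return normal + enforced


def effective_settings(path: List[Container], local: Optional[Gpo] = None) -> Dict[str, Any]:
    """Resultant Set of Policy for the given path: the merged settings after all overrides."""
    result: Dict[str, Any] = {}
    for gpo in apply_order(path, local):
        result.update(gpo.settings)
    return result


def winning_gpo(path: List[Container], setting: str, local: Optional[Gpo] = None) -> Optional[str]:
    """Name of the GPO whose value for `setting` is in effect (the "winning GPO" in a Group Policy Results report)."""
    winner = None
    for gpo in apply_order(path, local):
        if setting in gpo.settings:
            winner = gpo.name
    return winner


# Constructed sample hierarchy; names and settings are illustrative, not from any real domain.
BASELINE = Gpo("Security Baseline", {"RemovableStorageDeny": True, "ScreenSaverTimeout": 900})
UPDATES = Gpo("WSUS Settings", {"WUServer": "https://wsus.corp.example.com"})
WORKSTATION = Gpo("Workstation Hardening", {"ScreenSaverTimeout": 600, "RemovableStorageDeny": False})
KIOSK = Gpo("Kiosk Lockdown", {"ScreenSaverTimeout": 0, "Shell": "kiosk.exe"})

DOMAIN = Container("corp.example.com", [Link(BASELINE, 1, enforced=True), Link(UPDATES, 2)])
WORKSTATIONS = Container("OU=Workstations", [Link(WORKSTATION, 1)])
KIOSKS = Container("OU=Kiosks", [Link(KIOSK, 1)], block_inheritance=True)

WORKSTATION_PATH = [DOMAIN, WORKSTATIONS]
KIOSK_PATH = [DOMAIN, WORKSTATIONS, KIOSKS]

if __name__ == "__main__":
    print(effective_settings(WORKSTATION_PATH))
    print(effective_settings(KIOSK_PATH))
    print(winning_gpo(KIOSK_PATH, "RemovableStorageDeny"))
```

In the sample, the kiosk OU blocks inheritance and so loses the update-server setting, but the enforced domain baseline still wins on both removable storage and the screensaver timeout even though the kiosk GPO tries to set them. That is the point of enforcing a baseline at the domain: an OU administrator cannot quietly relax it.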
Key Takeaways
- Centralized Management: Active Directory provides a single point of control for network resources and user identities.
- Hierarchical Structure: It organizes resources into OUs, Domains, Trees, and Forests for scalable management; the forest, not the domain, is the security boundary.
- Secure Authentication: Uses Kerberos, with the Domain Controller as Key Distribution Center, so passwords are never sent over the network; NTLM remains as a legacy fallback.
- Policy Enforcement: Group Policy Objects linked to sites, domains, and OUs define and apply security and configuration settings to every computer and user beneath them.
- Domain Controllers: Servers that hold the directory database and run the KDC; they authenticate users and supply the group memberships that resources use to authorize access.