
Active Directory

What is Active Directory?

Active Directory (AD) is a directory service created by Microsoft for use in a Windows Server environment.
A directory service is a distributed, hierarchical database structure that shares infrastructure information for locating, securing, managing, and organizing computer and network resources including files, users, groups, machines, peripherals and network devices.


Active Directory is Microsoft’s own directory service for use in Windows domain networks. It provides authentication and authorization functions, as well as providing a framework for other such services. The directory itself is an LDAP database that contains networked objects. Active Directory uses the Windows Server operating system.

When people talk about Active Directory, they typically mean Active Directory Domain Services, which provides full-scale, integrated authentication and authorization services.

Before Windows 2000, Microsoft’s authentication and authorization model required breaking down a network into domains, and then linking those domains with a complicated and sometimes unpredictable system of one- and two-way trusts. Active Directory was introduced in Windows 2000 as a way to provide directory services to larger, more complex environments.

Other Active Directory Services

Over time, Microsoft has added additional services under the Active Directory banner.

Active Directory Lightweight Directory Services

This light version of Domain Services removes some complexity and advanced functionality to offer just the basic directory service functionality, without the use of domain controllers, forests or domains. It is typically used in small, single-office network environments.

Active Directory Certificate Services

Certificate Services offers digital certification services and supports public key infrastructure, or PKI. This service can store, validate, create and revoke public key credentials used for encryption rather than generating keys externally or locally.

Active Directory Federation Services

Federation Services provides a web-based, single sign-on authentication and authorization service primarily for use across organizations. Thus, a contractor might log on to their own network and be authorized for access on the client’s network as well.

Active Directory Rights Management Services

This is a rights management service that breaks down authorization beyond an access granted or access denied model and limits what a user can do with particular files or documents. The rights and restrictions are attached to the document rather than the user. These rights are commonly used to prevent the printing, copying or taking a screenshot of a document.

Active Directory Structure

Two key features of the Active Directory structure are delegated authorization and efficient replication. Each part of the AD organizational structure limits either authorization or replication to within that particular sub-part.


The forest is the highest level of the organization hierarchy. A forest is a security boundary within an organization. A forest allows for delegation of authority to be segregated within a single environment. This provides for an administrator with full-access rights and permissions, but only to a specific subset of resources. It is possible to just use a single forest on a network. Forest information is stored on all domain controllers, in all domains, within the forest.


A tree is a group of domains. The domains within a tree share the same root name space. While a tree shares a name space, trees are not limits on security or replication.


Each forest contains a root domain. Additional domains can be used to create further partitions within a forest. The purpose of a domain is to break the directory into smaller pieces to control replication. A domain limits Active Directory replication to only the other domain controllers within the same domain. For example, an office in Oakland wouldn’t need to be replicating AD data from the office in Pittsburg. This saves bandwidth and limits damage from a security breach.

Each domain controller in a domain has an identical copy of that domain’s Active Directory database. This is kept up to date via constant replication.

While domains were used in the previous Windows NT-based model, and still do provide a security barrier, the recommendation is to use domains to control replication and to use organizational units (OUs) to group and limit security permissions instead.

Organizational Units (OUs)

An organizational unit provides for the grouping of authority over a subset of resources from a domain. An OU provides a security boundary on elevated privileges and authorization, but does not limit the replication of AD objects.

OUs are used to delegate control within functional groupings. OUs should be used to implement and limit security and roles among groups, while domains should be used to control Active Directory replication.



Domain Controllers

Domain controllers are Windows servers that contain the Active Directory database and perform Active Directory-related functions, including authentication and authorization. A domain controller is any Windows Server installed with the Domain Controller role.

Each domain controller stores a copy of the Active Directory database containing information about all objects within the same domain. In addition, each domain controller stores the schema for the entire forest, as well as all information about the forest. A domain controller will not store a copy of any schema or forest information from a different forest even if they are on the same network.

Specialized Domain Controller Roles

Specialized domain controller roles are used to perform specific functions that are not available on standard domain controllers. These master roles are assigned to the first domain controller created in each forest or domain. However, an administrator may manually reassign the roles.

Schema Master

Only one schema master exists per forest. It contains the master copy of the schema used by all other domain controllers. Having a master copy ensures that all objects are defined the same way.

Domain Name Master

Only one domain name master exists per forest. The domain master ensures that all object names are unique and, when necessary, cross-references objects stored in other directories.

Infrastructure Master

There is one infrastructure master per domain. The infrastructure master keeps the list of deleted objects and tracks references for objects on other domains.

Relative Identifier Master

There is one relative identifier master per domain. It tracks the assignment and creation of unique Security Identifiers (SIDs) across the domain.

Primary Domain Controller Emulator

There is only one Primary Domain Controller (PDC) Emulator per domain. It exists to provide backward compatibility from the older Windows NT-based domain systems. It responds to requests made to a PDC as an old PDC would have.

Data Store

Storage and retrieval of data on any domain controller is handled by the data store. The data store is composed of three layers. The bottom layer is the database itself. The middle layer is the service components: the Directory System Agent (DSA), the database layer, and the Extensible Storage Engine (ESE). The top layer is the directory store services: LDAP (Lightweight Directory Access Protocol), the replication interface, the Messaging API (MAPI), and the Security Accounts Manager (SAM).


Domain Name System

Active Directory contains location information on objects stored in the database; however, Active Directory uses the Domain Name System (DNS) to locate domain controllers.

Within Active Directory, every domain has a DNS domain name and every joined computer has a DNS name within that same domain.


Everything within Active Directory is stored as an object. There are class objects and attribute objects. An object is composed of a class object, which is itself a specific grouping of attribute objects.

Objects must be defined within the schema before data can be stored in the directory. Once defined, data is stored within Active Directory as individual objects. Every object must be unique and represent a single thing, such as a user, computer, or a unique group of things (e.g. user group).

The two primary types of objects are resources and security principals. Security principals are assigned Security Identifiers (SIDs), but resources are not.


Active Directory uses multiple domain controllers for many reasons including load balancing and fault tolerance. For this to work, each domain controller must have a complete copy of its domain’s own Active Directory database. Ensuring that each controller has a current copy of the database occurs through replication.

Replication is limited by the domain. Domain controllers on different domains do not replicate between one another, even within the same forest. Every domain controller is equal. Although previous versions of Windows had Primary and Secondary domain controllers, there is no such thing in Active Directory. There is occasionally some confusion due to the continuation of the name ‘domain controller’ from the old trust-based system to Active Directory.

Replication works on a pull system, meaning that a domain controller requests or “pulls” the information from other domain controllers rather than each domain controller sending or “pushing” data to others. By default, domain controllers request replication data every 15 seconds. Certain high-security events trigger an immediate replication event, such as an account lockout.

Only changes are replicated. To ensure fidelity across a multi-master system, each domain controller keeps track of changes and requests only the updates since the last replication. Changes are replicated throughout the domain using a store-and-forward mechanism such that any change is replicated when requested, even if the change did not originate on the domain controller answering the replication request.

This both prevents excess traffic and can be configured to ensure that each domain controller requests its replication data from the most desirable server. For example, a remote location with one fast connection and one slow connection to other sites with domain controllers can set a “cost” on each connection. In doing so, the replication request will be made across the faster connection.
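
The pull, change-only, store-and-forward and link-cost behaviour described above can be seen in a small simulation. This is an added example, not part of the original article and not Active Directory's own implementation: the DC names, link costs, the `alice.lockedOut` key, the per-partner watermark and the version-based conflict rule are simplifying assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class DomainController:
    name: str
    links: dict = field(default_factory=dict)      # partner name -> link cost
    data: dict = field(default_factory=dict)       # key -> (value, version, origin)
    log: list = field(default_factory=list)        # (seq, key, value, version, origin)
    watermark: dict = field(default_factory=dict)  # partner -> last seq pulled from it

    def _record(self, key, value, version, origin):
        self.data[key] = (value, version, origin)
        self.log.append((len(self.log) + 1, key, value, version, origin))

    def write(self, key, value):
        """An originating change made directly on this DC."""
        version = self.data.get(key, (None, 0, None))[1] + 1
        self._record(key, value, version, self.name)

    def changes_since(self, seq):
        """Answer a pull: every logged change after seq, whatever its origin."""
        return [entry for entry in self.log if entry[0] > seq]

    def pull(self, dcs):
        """Pull only new changes from the lowest-cost partner; return how many applied."""
        partner = dcs[min(self.links, key=self.links.get)]
        applied = 0
        for seq, key, value, version, origin in partner.changes_since(
                self.watermark.get(partner.name, 0)):
            current = self.data.get(key)
            # Simplified conflict rule: higher version wins, origin name breaks ties.
            if current is None or (version, origin) > current[1:]:
                self._record(key, value, version, origin)
                applied += 1
            self.watermark[partner.name] = seq
        return applied

def build_domain():
    # Constructed topology; DC names and link costs are made up for this example.
    a = DomainController("DC-A", links={"DC-B": 100})
    b = DomainController("DC-B", links={"DC-A": 100, "DC-C": 100})
    c = DomainController("DC-C", links={"DC-B": 100, "DC-A": 500})
    return {dc.name: dc for dc in (a, b, c)}

def demo():
    dcs = build_domain()
    dcs["DC-A"].write("alice.lockedOut", True)   # change originates on DC-A
    first = dcs["DC-B"].pull(dcs)                # DC-B pulls it from DC-A
    second = dcs["DC-C"].pull(dcs)               # DC-C gets it from DC-B, not DC-A
    third = dcs["DC-C"].pull(dcs)                # nothing new since the watermark
    return first, second, third, dcs["DC-C"].data["alice.lockedOut"]
```

`demo()` shows DC-C receiving a change that originated on DC-A through its cheaper link to DC-B, and a repeated pull transferring nothing because only changes since the last request are sent.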