Active Directory: What it is and why it’s useful
Active Directory is a directory service created by Microsoft for the Windows operating system. It is typically found in Windows Server domains and is used to centralize network administration and security protocols. User authentication and software updates, among other administrative tasks, are handled by the service, so they can be applied across the whole network without the administrator manually updating each computer or account. For example, when a user logs into the network, Active Directory verifies the password and checks whether that user is a system administrator or simply a regular user.
For a brief technical explanation, an Active Directory structure is an arrangement of “objects” and the information attached to them. Objects include resources such as printers, computers, users, and workgroups, as well as security principals, which are the user, computer, or workgroup accounts. Each principal is assigned a unique security identifier, or SID. Objects can contain other objects depending on their type, and each object has its own unique ID and a set of attributes holding the information associated with the object and its characteristics. These attributes are defined by a “schema object”, which also determines what types of object Active Directory stores.
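The SID mentioned above has a fixed structure that is worth understanding, because the last component (the relative identifier, or RID) is what distinguishes an ordinary account from a privileged default one. The following Python is an added example, not code from the article: it converts between the textual SID form and the binary layout stored in the directory's objectSid attribute, splits a SID into its domain part and RID, and flags well-known privileged RIDs. The SID value it uses is constructed for illustration; the RID constants are documented Windows values.

```python
import struct

# Well-known RIDs that denote privileged default accounts or groups. The numbers are
# documented Windows constants; the labels are ours.
PRIVILEGED_RIDS = {
    500: "Administrator (built-in account)",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    544: "Administrators (BUILTIN group)",
}


def parse_sid(sid: str) -> dict:
    """Split a textual SID 'S-<revision>-<authority>-<sub1>-...-<subN>' into parts."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 2 ** 48 or not 1 <= len(subs) <= 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return {"revision": revision, "authority": authority, "sub_authorities": subs}


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID in the binary layout stored in objectSid: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes big-endian),
    then each sub-authority as a 32-bit little-endian integer."""
    p = parse_sid(sid)
    subs = p["sub_authorities"]
    return (struct.pack("<BB", p["revision"], len(subs))
            + p["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob: bytes) -> str:
    """Decode the binary objectSid layout back to its textual form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if count < 1 or len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<" + "I" * count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def classify_sid(sid: str) -> dict:
    """Split a SID into the issuing domain and the RID, and flag RIDs that mark
    privileged default principals."""
    p = parse_sid(sid)
    subs = p["sub_authorities"]
    domain_sid, rid = None, None
    if p["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        # S-1-5-21-<a>-<b>-<c>-<RID>: a principal in a domain (or a local SAM)
        domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        rid = subs[4]
    elif p["authority"] == 5 and len(subs) == 2 and subs[0] == 32:
        # S-1-5-32-<RID>: the BUILTIN pseudo-domain present on every Windows host
        domain_sid, rid = "S-1-5-32", subs[1]
    return {"domain_sid": domain_sid, "rid": rid,
            "privileged": PRIVILEGED_RIDS.get(rid)}


# Constructed example value (not real directory data).
EXAMPLE_DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"

if __name__ == "__main__":
    print(classify_sid(EXAMPLE_DOMAIN_ADMINS))
    print(sid_to_bytes(EXAMPLE_DOMAIN_ADMINS).hex())
```

The domain part (everything before the RID) is the same for every principal created in that domain, so comparing it is how one tells whether two SIDs come from the same domain; a RID lookup like the one above is a quick way to spot privileged group membership when reviewing tokens or audit events.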
Schema objects are system-wide controlling objects: they allow the objects in the system the schema applies to to be modified or deactivated, and changes made to the schema propagate automatically through the entire system it controls. Systems and network administrators can use this to modify whole networks quickly. However, because of the far-reaching impact of changing the schema, careful planning is usually required to preserve system integrity and continuity throughout the network the schema controls.
The other major object type is the “site object”, which represents a physical, geographic location hosting networks within the system, such as server units and domain controllers.
The structure of an Active Directory system is divided into three levels. The base level is the “domain”, identified by its DNS name structure or “namespace”, which consists of the objects grouped inside it. The next level up is the “tree”, a collection of one or more domains and linked domain trees in a collective namespace, all communicating with each other through security relationships known as “trusts”, which come in a small number of types and configurations. The top level is the “forest”, a collection of domain trees that share a common global catalog, logical structure, directory structure, and schema objects. The forest also defines the security boundary for the assets and resources it contains, governing access across the domain trees within it.
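To make the forest-as-boundary idea concrete, the Python below is an added example (not from the article) that models trusts as directed edges between domains: every domain inside a forest is linked to its parent, and every extra tree root to the forest root, by two-way transitive trusts, while a domain in another forest is reachable only through an explicitly configured trust. The model is deliberately simplified: it captures only direction and transitivity (a non-transitive trust is honoured for a single hop only), and ignores features such as SID filtering or selective authentication. The domain names and the external trust are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # the resource domain that accepts the other side's users
    trusted: str      # the account domain whose users are accepted
    transitive: bool  # whether the trust can be chained with other transitive trusts


def forest_trusts(forest_root: str, parent_of: dict, tree_roots: tuple = ()) -> list:
    """Build the implicit two-way transitive trusts inside one forest:
    parent/child trusts along each tree and tree-root trusts back to the
    forest root. parent_of maps each child domain to its parent domain."""
    trusts = []
    for child, parent in parent_of.items():
        trusts.append(Trust(parent, child, True))
        trusts.append(Trust(child, parent, True))
    for root in tree_roots:
        trusts.append(Trust(forest_root, root, True))
        trusts.append(Trust(root, forest_root, True))
    return trusts


def find_trust_path(trusts: list, resource_domain: str, account_domain: str):
    """Return the chain of domains through which resource_domain ends up
    trusting account_domain, or None if no such chain exists. A non-transitive
    trust may only be used as the single hop of a one-hop path; longer paths
    must consist entirely of transitive trusts."""
    if resource_domain == account_domain:
        return [resource_domain]
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        current = path[-1]
        for t in trusts:
            if t.trusting != current:
                continue
            first_hop = current == resource_domain
            if t.trusted == account_domain and (t.transitive or first_hop):
                return path + [t.trusted]
            if t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(path + [t.trusted])
    return None


# Constructed example forest (not real domains): contoso.com is the forest root
# with one child domain, fabrikam.net is a second tree in the same forest, and
# partner.example lives in a different forest, reached only by a one-way
# non-transitive external trust from corp.contoso.com.
EXAMPLE_TRUSTS = forest_trusts(
    "contoso.com",
    {"corp.contoso.com": "contoso.com"},
    tree_roots=("fabrikam.net",),
) + [Trust("corp.contoso.com", "partner.example", False)]

if __name__ == "__main__":
    for resource, account in [("fabrikam.net", "corp.contoso.com"),
                              ("contoso.com", "partner.example")]:
        print(resource, "->", account, ":", find_trust_path(EXAMPLE_TRUSTS, resource, account))
```

Inside the forest every domain can reach every other through the transitive chain, which is exactly why the forest, not the domain, is the security boundary; the external trust, being one-way and non-transitive, does not extend beyond the two domains that configured it.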
Further options exist for grouping objects, such as Organizational Units (OUs), which Microsoft suggests using as opposed to domains for ease of administration. Group Policy Objects (GPOs) are typically linked to OUs, helping to simplify overall administration within a system. Another option is shadow groups; however, these are not a default feature and have to be built manually using a program like Visual Basic.
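A shadow group is a security group whose membership is kept equal to the contents of an OU, so that permissions can be granted to "everyone in this OU" even though OUs themselves cannot be used in access control lists. Because the directory does not maintain that relationship for you, the core of any shadow-group script is a reconciliation step: compute which accounts should be members and diff that against who currently is. The Python below is an added example, not the article's code, showing that step with two edge cases a practitioner has to decide on: whether nested OUs count, and whether disabled accounts should stay in the group. It assumes distinguished names contain no escaped commas, and all user and group data in it is constructed.

```python
def _parent_dn(dn: str) -> str:
    """Return the DN of the container holding the object. Assumes no escaped
    commas inside RDN values (an assumption that holds for the sample data)."""
    return dn.split(",", 1)[1]


def _in_ou(dn: str, ou_dn: str, include_nested: bool) -> bool:
    """True if the object sits directly in ou_dn, or (optionally) in a sub-OU."""
    parent = _parent_dn(dn).lower()   # DNs compare case-insensitively
    ou = ou_dn.lower()
    if parent == ou:
        return True
    return include_nested and parent.endswith("," + ou)


def plan_shadow_group(users, ou_dn, group_members,
                      include_nested=False, include_disabled=False):
    """Compute the membership changes that make a shadow group mirror an OU.

    users: iterable of {"dn": str, "enabled": bool} as returned by a directory query
    group_members: iterable of member DNs currently in the group
    Returns {"add": [...], "remove": [...]} with the original DN spellings.
    """
    desired = {u["dn"].lower(): u["dn"] for u in users
               if _in_ou(u["dn"], ou_dn, include_nested)
               and (include_disabled or u["enabled"])}
    current = {m.lower(): m for m in group_members}
    return {
        "add": sorted(desired[k] for k in desired.keys() - current.keys()),
        "remove": sorted(current[k] for k in current.keys() - desired.keys()),
    }


# Constructed sample directory data (not from any real domain).
SAMPLE_USERS = [
    {"dn": "CN=alice,OU=Sales,DC=contoso,DC=com", "enabled": True},
    {"dn": "CN=bob,OU=Sales,DC=contoso,DC=com", "enabled": False},
    {"dn": "CN=carol,OU=Field,OU=Sales,DC=contoso,DC=com", "enabled": True},
    {"dn": "CN=dave,OU=Engineering,DC=contoso,DC=com", "enabled": True},
]
SALES_OU = "OU=Sales,DC=contoso,DC=com"
# Current members of the shadow group: a disabled account that was never
# removed, and an account that has since been moved to another OU.
CURRENT_MEMBERS = [
    "CN=bob,OU=Sales,DC=contoso,DC=com",
    "CN=dave,OU=Engineering,DC=contoso,DC=com",
]

if __name__ == "__main__":
    print(plan_shadow_group(SAMPLE_USERS, SALES_OU, CURRENT_MEMBERS))
    print(plan_shadow_group(SAMPLE_USERS, SALES_OU, CURRENT_MEMBERS, include_nested=True))
```

In a real deployment the user list would come from a directory query scoped to the OU and the plan would be applied with the corresponding group-membership operations; the point of computing a plan first is that the removals (a stale disabled account, an account moved out of the OU) are exactly the cases where an unsynchronised shadow group silently over-grants access, and they are easy to review before anything changes.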
It is worth noting that there exist methods for using Active Directory with Unix or Linux systems through third-party programs, although certain functions may not work and limitations may apply, since Active Directory would not be running natively within a Unix-based system.
In conclusion, Active Directory is a powerful and flexible tool for systems and network administrators managing the large networks and server configurations needed by today’s business world. Any IT specialist focused on network administration and repair would do well, and would certainly expand their marketable skill set, by learning the complexities and possible implementations of this service.
Austin, Texas has been Peter Wendt’s writing headquarters for a number of years now. For readers who wish to learn more about this subject, he recommends they check out Active Directory.