Active Directory (AD) is a database developed by Microsoft that holds key information about the resources on a Windows server. It stores details about active objects such as network users (people and devices), along with their attributes, such as their usernames, passwords, contact details, roles, and permissions.
Common types of objects:
- Users
- Computers
- Applications
- Printers
- Shared folders
AD stores this information in one place, making it easy for admins to find, manage, and share resources, as well as monitor the overall activity and health of the server and enhance the security posture of their organization.
Note: Active Directory – also referred to as Active Directory Domain Services (AD DS) – is a Microsoft service and only works for Windows Server operating systems.
What is the structure of Active Directory?
Active Directory follows a logical, tree-like hierarchy based on a blueprint called the schema, which administrators can modify if needed. From the bottom up, the structure is as follows:
1. Domains
A domain is a collection of network objects such as users, devices, and organizational units (groups of objects) that are associated with the same team or physical network. Grouping these objects makes them easier to manage and secure.
2. Trees
A tree is a group of domains that share a common root and branch out into child domains.
3. Forests
Trees can be grouped into a forest, which sits at the top of the AD hierarchy and acts as the security boundary. Objects from different forests can’t interact with each other unless an admin explicitly sets up a trust between the forests.
Note: Admins should carefully tailor the AD schema before filling it with objects and attributes. Changing a schema later down the line can be complicated and time-consuming.
A server that runs AD is called a domain controller (DC). Organizations usually run several DCs across their on-site and cloud environments. These copies hold the same directory data – changes made to one are replicated to the others almost instantly. Each DC can also host the global catalog, a database that lists every object in the forest, including those from other domains, so that admins and applications can locate resources without querying each domain separately.
How AD strengthens identity security
AD helps admins authenticate users, manage permissions, set up password policies, and lock out accounts to protect sensitive assets. AD can also integrate with multi-factor authentication solutions to add an extra layer of security during the sign-in process. All of this allows admins to monitor security threats and suspicious behavior, and help their organization stay compliant with rules and regulations.
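To see the hierarchy and the identity controls described above on a real domain, the following PowerShell audit script (an added example, not from the original article) walks forest, domains, and domain controllers, then reports the password and lockout policy and any currently locked-out accounts. It assumes the RSAT ActiveDirectory module is installed and the session is running on a domain-joined machine with permission to read the directory.

```powershell
# Added example: inventory the AD hierarchy and the password/lockout controls.
# Assumes the RSAT ActiveDirectory module and a domain-joined, authorised session.
Import-Module ActiveDirectory

# Forest: the top of the hierarchy and the security boundary
$forest = Get-ADForest
Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Domains in forest  : $($forest.Domains -join ', ')"
Write-Host "Global catalogs    : $($forest.GlobalCatalogs -join ', ')"

# Domains and the tree they form (parent/child relationships)
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $parent = if ($d.ParentDomain) { $d.ParentDomain } else { '(tree root)' }
    Write-Host ("Domain {0,-30} parent: {1}" -f $d.DNSRoot, $parent)
}

# Domain controllers of the current domain, and which ones also hold the global catalog
Get-ADDomainController -Filter * |
    Select-Object Name, Domain, Site, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# Password policy and lockout settings enforced by the current domain
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    MinPasswordLength = $policy.MinPasswordLength
    ComplexityEnabled = $policy.ComplexityEnabled
    MaxPasswordAge    = $policy.MaxPasswordAge
    LockoutThreshold  = $policy.LockoutThreshold
    LockoutDuration   = $policy.LockoutDuration
} | Format-List

# Accounts currently locked out: a quick check for password-guessing activity or user friction
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize
```

A lockout threshold of 0 in the policy output means lockout is disabled, which is worth flagging in a review.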