First I need to be honest with you: Active Directory is a big subject and doesn’t make for facile weekend reading. Entire tomes have been written on the topic and eminent authors like Brian Desmond have done a better job synthesizing the concepts. As such, my article is meant to give you a broad view of Active Directory so that when you overhear tech gurus bandy terms like Domain Controllers and Group Policy back and forth, you’re not left wide-eyed and confused.
The best way to think about Active Directory is to compare it to something we all know. It may be helpful to think of Active Directory as a phone book.
A phone book is a directory that contains names, addresses and phone numbers about businesses, people and local municipalities. In the same way, Active Directory contains information about users, computers, shares and systems. The “phone book” entries are known as objects and Active Directory lets you grant permissions to different objects based on policies you define.
Let’s talk about objects a little more because they’re pretty essential to Active Directory. Objects are often divided into two categories: Resources and Security Principals.
Resources are things like printers and shared drives, and Security Principals comprise users, computers and groups.
Each Security Principal gets a unique Security Identifier (SID) that ties together all the attributes of the object. So you can rename a User from Vonnie to Bahknee but it won’t affect the permissions or security features of the object because the SID remains unchanged.
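The rename point above is easiest to see on the wire format. The following is an added example, not code from the article: it decodes a constructed `objectSid` byte string (example values, not from a real domain) into the familiar `S-1-5-21-...` form and classifies the account by its relative identifier (RID), which stays fixed whatever the account is renamed to. The `WELL_KNOWN_RIDS` table and `identify` helper are this example's own.

```python
import struct

# Constructed sample, not from a real domain: the binary form of a domain
# account's SID as stored in the objectSid attribute. It decodes to
# S-1-5-21-1004336348-1177238915-682003330-500.
SAMPLE_OBJECT_SID = (
    b"\x01"                                  # revision
    b"\x05"                                  # number of sub-authorities
    b"\x00\x00\x00\x00\x00\x05"              # identifier authority 5 (NT Authority), big-endian
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 500)
)

# Relative identifiers (RIDs) that are fixed for every domain. They survive any
# rename of the account or group, so audit tooling should key on RID, not name.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}

def decode_sid(raw: bytes) -> str:
    """Convert a binary SID to its S-R-I-S... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def split_domain_sid(sid: str):
    """Split a domain account SID into (domain SID, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

def identify(raw: bytes, sam_account_name: str) -> dict:
    """Describe an account by its SID; the display name plays no part in the verdict."""
    sid = decode_sid(raw)
    domain_sid, rid = split_domain_sid(sid)
    return {
        "name": sam_account_name,
        "sid": sid,
        "domain_sid": domain_sid,
        "rid": rid,
        "role": WELL_KNOWN_RIDS.get(rid, "ordinary account"),
    }

if __name__ == "__main__":
    # The rename from the article: the object keeps its SID, so it is still RID 500.
    for name in ("Vonnie", "Bahknee"):
        print(identify(SAMPLE_OBJECT_SID, name))
```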
Objects are often lumped into Security Groups that can allow you to grant permissions and restrict access to resources. You can also create Distribution Groups so your staff can send emails to groups of users.
What’s the point?
But why bother, what’s the point of all this? The real benefit of AD is the centralized management of objects.
Imagine what your life would be like if you were the CEO and founder of a fast moving startup with 100 employees.
What happens when half your staff needs to find a shared drive on the network? You can either manually map each user to the drive or you can have users leverage the Active Directory Global Catalog (GC) which empowers people to find any objects they have rights to use. GC is better than a local search because users can find printers, servers, applications and even other users on the network.
Another benefit of AD is ease of management. How are each of your 100 employees going to log in, and how are you going to manage that? Are you planning to visit each computer and create a local account for each user? That certainly seems unreasonably onerous; also, what happens when Bob’s computer fails? While Bob’s PC is being repaired, he can’t use another working computer until you create a local user account for him on that machine as well.
Conversely, with AD you only need to create the user account once, and by default that user can sign in to any PC joined to your domain. In addition, you can modify settings for entire swaths of users in a single sweep without ever leaving your desk. For example, when you want to change the password policies for everyone in Sales, you make the change in one place and apply it to the Sales group; you never have to visit each person in Sales to make configuration changes.
It’s also flexible because you can easily add hundreds of thousands of users to your AD site and none of your objects need to be geographically confined to a single location yet you can still set policies for all your assets from one place.
In the previous example, the Sales group is known as an Organizational Unit (OU). The purpose of OUs is to corral objects into containers so that they’re organized according to different business needs.
If you’re curious about the details you should read Ken St. Cyr’s Microsoft TechNet list of best practices for designing OUs, but the short story is that most organizations use OUs to segment departments within a company. For example, Human Resources, Sales and Marketing might each have their own OUs.
The advantage is that it becomes really easy to apply common policies to all the objects in a given OU. It eases administration because you can marshal network settings into special objects known as Group Policy Objects (GPOs) and then link those GPOs to the OU. This centralizes settings for all computers and users in the OU and thus eases management.
Group Policy to the rescue
The neat thing about GPOs is that there are hundreds upon hundreds of settings you can apply to the computers and users in your organization.
For example, you can configure power settings, specific mapped drives, password complexity, encryption settings, Windows Update settings and even create custom scripts to run on startup for specific computers.
Microsoft has a primer on using Group Policy for beginners and I highly recommend you check it out, but if you don’t have the time for that just keep in mind that Group Policy was designed for the methodical long-term management of objects; therefore, don’t be surprised when your client doesn’t receive instant updates. In some cases it can take up to 2 hours before the refresh occurs.
Domains and Forests
Active Directory is hierarchical: at the top you have Forests, inside those are one or more Domains, and the Domains are made up of OUs. The actual objects live inside the OUs.
Domains and forests are ways to set management and security boundaries for your company.
Big businesses sometimes have multiple forests because each forest is a distinct security boundary from the others. In other words, objects in forest1 can’t interact with objects in forest2. Even a user with the most privileged account, known as an Enterprise Administrator, still has no permission to interact with objects in other forests. Administrators can get around this by creating a trust known as a Transitive Trust, which basically extends the reach of select users in the domains in forest1 to the domains in forest2 – but by default, interactions are denied between forests.
DNS makes it all work
If you have problems with Active Directory the first thing I would confirm is that your DNS is properly configured because the domains are identified by their DNS names and are the logical groupings for the objects. I wrote an article on how DNS works a few weeks ago but the short story as it applies to AD is that DNS resolves names to IP addresses and AD depends on DNS to work because that’s how it locates objects within domains.
DNS is basically divided into three segments: servers, zones and records.
Servers contain all the records in zones, and records are what link the objects to IP addresses. The most common record is known as an A record, which simply maps a hostname to an IP address. This is called a forward lookup.
When you install a new AD server with the DNS server role, it automatically creates two forward lookup zones. One holds all the records your computers need to find the Domain Controllers so that users can log in to workstations and servers. The other forward lookup zone contains the records for all the actual computers. You need this so your computer named ws40nyc1 can communicate with your server named sv01nyc1. Without this second forward lookup zone you could browse the internet but wouldn’t be able to communicate with any of the objects on your network.
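To make the two-zone arrangement concrete, here is an added example (not code from the article) that mimics what a domain-joined client does at logon: it looks up the `_ldap._tcp.dc._msdcs.<domain>` SRV records in the locator zone, then resolves each target's A record in the computers' zone. The zone contents, the `corp.example.com` domain and the host names are constructed sample data; `ws40nyc1` and `sv01nyc1` are borrowed from the article.

```python
from collections import namedtuple

# Constructed zone fragments for an example domain (not real hosts). The first is
# the _msdcs locator zone AD-integrated DNS creates so clients can find DCs; the
# second is the ordinary forward lookup zone holding an A record per computer.
MSDCS_ZONE = """
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0 100 389 sv01nyc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0 100 389 sv02nyc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88  sv01nyc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88  sv02nyc1.corp.example.com.
"""
DOMAIN_ZONE = """
sv01nyc1.corp.example.com. 1200 IN A 10.1.0.10
sv02nyc1.corp.example.com. 1200 IN A 10.1.0.11
ws40nyc1.corp.example.com. 1200 IN A 10.1.4.40
"""

SRV = namedtuple("SRV", "priority weight port target")

def parse_zone(text: str):
    """Parse 'name TTL IN TYPE rdata' lines into SRV and A record tables."""
    srv, a = {}, {}
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue  # blank separator line between the two zone fragments
        name, rtype, rdata = fields[0].rstrip(".").lower(), fields[3], fields[4:]
        if rtype == "SRV":
            rec = SRV(int(rdata[0]), int(rdata[1]), int(rdata[2]), rdata[3].rstrip(".").lower())
            srv.setdefault(name, []).append(rec)
        elif rtype == "A":
            a[name] = rdata[0]
    return srv, a

def locate_dcs(domain: str, service: str = "_ldap._tcp", zone_text: str = MSDCS_ZONE + DOMAIN_ZONE):
    """Mimic the DC locator: SRV lookup under _msdcs, then an A lookup per target.
    Returns (hostname, ip, port) tuples, lowest priority first (the real locator
    also randomises by weight among equal priorities)."""
    srv, a = parse_zone(zone_text)
    query = f"{service}.dc._msdcs.{domain}".lower()
    records = sorted(srv.get(query, []), key=lambda r: (r.priority, -r.weight))
    return [(r.target, a.get(r.target), r.port) for r in records]

if __name__ == "__main__":
    print(locate_dcs("corp.example.com"))
    # Without the computers' zone the SRV targets resolve to no address at all.
    print(locate_dcs("corp.example.com", zone_text=MSDCS_ZONE))
```

The second call shows the failure the article describes: the locator zone names the DCs, but without the computers' zone there is no address to connect to.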
Let’s go back to your startup company with the 100 employees.
I gave a cursory explanation of Domain Controllers but think I should elaborate a little more.
When someone logs into a computer a server known as a Domain Controller (DC) authenticates that user and grants her access to certain resources depending on the Security Group her user account resides in.
Back in the stone ages of Windows NT Server, Administrators typically designated one DC as the Primary Domain Controller (PDC) and left the others as Backup Domain Controllers (BDC). That way, if the PDC failed, the BDC would be promoted to a PDC.
Today, no one uses PDCs and BDCs.
Instead, IT administrators just have two DCs that both authenticate users and computers at the same time. So when one fails, there are no promotions like the NT days; instead, the remaining DC continues to offer authentication services in the absence of its peer.
The two DCs synchronize their databases every 15 seconds but certain exigent events like account lockouts or changed passwords trigger an immediate replication event.
The Bottom Line
Active Directory is the de-facto choice for small to large enterprises who need to manage directories of users and shared resources. According to a 2010 study by Enterprise Systems, 95% of the Fortune 1000 companies use Active Directory. AD is ubiquitous and continues to evolve; therefore, it makes sense for IT professionals to understand and know how to use it.
I hope this guide helps clear up any ambiguity you had. Feel free to share your experiences with Active Directory or some of your most perplexing questions in the comments below.