Large organizations depend on Windows Active Directory (AD) to maintain order in the chaos that is managing users, computers, permissions, and file servers. The sheer number of articles available on the internet can disconcert beginners and make AD management seem more confusing than it actually is. This article aims to demystify AD for the dummies.
What is Active Directory?
AD is a directory service provided by Microsoft. A directory service is a hierarchical arrangement of objects which are structured in a way that makes access easy. However, functioning as a locator service is not AD’s exclusive purpose. It also helps organizations have a central administration over all the activities carried out in their networks.
Organizations primarily use AD to perform authentication and authorization. It is a central database that is contacted before a user is granted access to a resource or a service. Once the authenticity of the user is verified, AD helps in determining if the user is authorized to use that particular resource or service. If the user checks out on both counts, access is granted.
What’s LDAP and how does it factor here?
AD is based on the Lightweight Directory Access Protocol (LDAP). This protocol provides a common language for clients and servers to speak to one another.
How is it different from DAP?
As the name suggests, LDAP is a lightweight version of the Directory Access Protocol (DAP). DAP is an X.500 protocol—an architecture where the clients and servers communicate through the Open Systems Interconnection model. It does not use the TCP/IP standards and requires a large investment. LDAP is much easier on an organization’s wallet and also follows the TCP/IP protocol.
What is DNS?
DNS is the entity that helps in the location of services or resources on the network. DNS servers contain records of all the services they are responsible for. These are called service resource records (SRV) and they help a client PC in locating AD resources such as Domain Controllers (DCs). For this reason, it is imperative for the SRV records to be kept up to date by means of automatic (especially in the case of employees who move around a lot) or manual updates. In addition to SRV records, DNS also contains records such as A record, CNAME record, MX record, and so on which make the functioning of the AD environment smoother. Read more about DNS.
The two structures of AD
AD allows the storage of objects in a hierarchical manner. While deploying AD, there are two sides kept in mind for the structure:
- The logical side: This determines how the directory is structured. It depends on how the organization wants to administer their IT environment.
- The physical side: This deals with physical structures such as the servers that are required to carry out the directory services envisioned through the logical side. The physical structure is important to ensure good performance.
AD objects
Objects are components or resources that make up your physical AD environment and to which attributes can be defined. Some of the common AD objects are as follows:
- User: Every member of the organization is denoted in AD through a user object. This object contains employee details such as first name, last name, office, telephone number, and so on.
- Contact: A contact object is used to store the contact of vendors or suppliers, who are not in the employ of the organization. Only the name of the person and the contact details are stored. These contacts, unlike users, are not offered access to network resources.
- Printer: Refers to the printers in the network. All printers in the organization’s network can be represented using printer objects in the AD environment.
- Computer: This object contains information about all the computers in the network
- Shared folder: This allows users to access folders from other computers on the network that have been marked as shared. It should be noted that only folders, and not individual files, can be shared. If an individual file needs to be shared, it should be placed within a folder.
- Group: A group is a collection of directory objects put together so that certain security policies can be assigned to them. For example, an organization would want only a particular department to have access to certain documents. In that case, the network administrator would create a group containing all the department members and add a security policy, providing them access to the file server containing the documents.
- Organizational units (OUs): OUs help in structuring your network resources in an easy to locate manner. An OU is nothing but a container within which objects such as users, printers, computers, and others can be placed. OUs should be contained within a single domain; they cannot be shared across domains. The hierarchical arrangement of OUs, however, can be followed across domains
- Builtin: This is a container object that contains several default groups. These default groups are created automatically when you first install Active Directory Domain Services. Security policies can be assigned to the builtin container groups.
How do domains come into the picture?
A domain is a collection of objects in an AD environment. All objects within a domain follow the same policies for security and administrative purposes. Users seeking access to resources of a domain need to be authenticated by a server called a Domain Controller (DC).
Each domain should have at least one domain controller (DC). An organization deploys domains based on its departments or on the geographical locations of its branches. Large-scale organizations usually create their domains based on geographical locations.
For e.g., if xyz.com has deployed domains based on geographical locations, the sub-domains would include the regions where its offices are located. If it deploys domains based on departments, the sub-domains would be their names, such as “marketing”, “sales”, and so on.
Once the domains have been created, OUs can be nested under the sub-domains for each of the departments in those locations to which users, computers, printers, and other objects can be added. The DCs would be physically stored in each location.
This article is just a proverbial drop in the AD ocean. While it would definitely help out beginners with the basics of all things AD, learning everything about it requires a lot of hands-on practice.
Active Directory Basics: Everything you need to know