What’s Active Directory®?

Active Directory is Microsoft's directory service for centrally managing a Windows network and its security. It exposes the directory over LDAP, authenticates users and computers with Kerberos, and depends on DNS for naming and for locating domain controllers. Directory objects are either resources or security principals (objects with a SID that can be authenticated and granted permissions). The directory is organized into forests, trees and domains, with organizational units inside a domain for delegated administration. Its data lives in a database on every domain controller and is replicated between them.

Active Directory® is the name of Microsoft's® directory service and of the concept behind it. It can be viewed as a catalog: a reference list of virtually everything that can be managed on a network. The directory is hierarchical and can describe computers, people, groups, services and even entire networks. It gives administrators a centralized, scalable way to manage a network and its security, with one set of accounts and policies synchronized across all of the network's domain controllers.

At the heart of Active Directory® is the Lightweight Directory Access Protocol (LDAP), the protocol used to search, read and modify the directory. The directory's own layout is defined by its schema and is exposed through LDAP as a tree of distinguished names. For authentication, Active Directory® uses the Kerberos network authentication protocol, with the older NTLM protocol kept as a fallback for clients and situations where Kerberos cannot be used; this is why hardening guides concentrate on restricting NTLM. The service also depends on the Domain Name System (DNS): domain names are DNS names, clients locate domain controllers and other services through DNS service (SRV) records, and DNS translates host names into Internet Protocol (IP) addresses.

Everything that enters an Active Directory® is an object. There are basically two types of objects: resources and security principals. Resources are typically things such as printers or shared folders. Security principals are more abstract: each is assigned a security identifier (SID) and represents something that can be authenticated and be granted permissions, namely user accounts, computer accounts and groups. Some objects are both. A domain-joined computer is a resource that others use and at the same time a principal with its own account and SID. Groups are themselves principals and can contain users, computers and other groups, so principals can be nested inside one another. Permissions on a resource are recorded against SIDs rather than names, which is why a renamed account keeps its access and why the SID, not the display name, is what identifies a principal unambiguously.
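Over LDAP the SID of a principal is returned as the binary objectSid attribute, not as the familiar S-1-5-... string, so anyone auditing a directory has to decode it. The following is an added example, not code from the original page or from Microsoft; it decodes and re-encodes the binary layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities), splits a domain principal's SID into the domain SID and the relative identifier (RID), and names the well-known RIDs. The sample SID bytes and the domain SID below are constructed for the example, not captured from a real domain.

```python
import struct

# Well-known RIDs that are the same in every domain (documented by Microsoft).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}

# Constructed sample: the binary form of S-1-5-32-544 (BUILTIN\Administrators).
SAMPLE_OBJECTSID = bytes.fromhex("0102 000000000005 20000000 20020000")
# Constructed sample domain SID plus the Domain Admins RID.
SAMPLE_DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary objectSid into its S-R-A-S1-S2-... text form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit identifier authority
    subs = struct.unpack_from(f"<{count}I", blob, 8)    # 32-bit little-endian each
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; useful for building LDAP filters on objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID {sid!r}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    head = bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)


def split_domain_rid(sid: str):
    """For a domain principal S-1-5-21-A-B-C-RID return (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"{sid!r} is not a domain principal SID")
    return "-".join(parts[:7]), int(parts[7])


def describe(sid: str) -> str:
    """Human-readable summary: which principal, in which domain."""
    domain, rid = split_domain_rid(sid)
    if rid in WELL_KNOWN_RIDS:
        name = WELL_KNOWN_RIDS[rid]
    elif rid < 1000:
        name = "reserved well-known RID"
    else:
        name = "domain-created principal"   # RIDs from 1000 up are allocated to new objects
    return f"{name} (RID {rid}) in domain {domain}"


if __name__ == "__main__":
    print(sid_bytes_to_string(SAMPLE_OBJECTSID))
    print(describe(SAMPLE_DOMAIN_ADMINS))
    assert sid_bytes_to_string(sid_string_to_bytes(SAMPLE_DOMAIN_ADMINS)) == SAMPLE_DOMAIN_ADMINS
```

Because the domain part is identical for every principal in a domain, comparing the RID is the quick way to spot a renamed built-in account: whatever the account is called, RID 500 is the built-in Administrator and RID 512 is Domain Admins.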

Viewed from three hierarchical levels, an Active Directory® consists of what are known as forests, trees and domains. A domain is the unit that holds accounts and policy; a tree is a set of domains sharing a contiguous DNS namespace; a forest is one or more trees sharing a common schema, configuration and global catalog. The layout can reflect the actual structure of an organization, both geographically and organizationally. For example, a company's forest might have a root domain example.com with child domains chicago.example.com and newyork.example.com. Under each, organizational units (or further child domains) can be created for managing business activities in each city, such as the accounting department, a sales team, R&D, and so on. Domains in the same forest are joined by automatic two-way transitive trusts, so users in either domain can be granted access to the other's resources; trusts to domains in other forests have to be created explicitly. Because the forest shares its schema, configuration and forest-wide groups such as Enterprise Admins, the forest, not the domain, is the security boundary: an attacker who gains full control of one domain can generally extend that control to the whole forest.

Inside a domain, the main building block is the organizational unit (OU). Any number of OUs can be nested within a domain. They let the structure of Active Directory® match that of the organization and give a centralized means for distributed management of the objects in the directory: Group Policy is linked to OUs, and control over the objects in an OU can be delegated to a team by setting permissions on the OU itself, so different groups of administrators receive different levels of privilege over different parts of the domain without needing separate domains. Delegations deserve the same scrutiny as group membership, since rights such as resetting passwords or changing group membership on an OU that contains privileged accounts amount to membership in the privileged groups.
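The forest, domain and OU hierarchy is encoded in every object's LDAP distinguished name (DN), read from the object outward: the CN names the object, the OU components give the nesting within the domain, and the DC components spell out the domain's DNS name. The following is an added example, not code from the original page or from Microsoft; it parses a DN into its components, including the RFC 4514 escapes that real directories contain (a backslash before a special character, or a backslash and two hex digits), and recovers the domain and the OU path from it. The sample DNs are constructed for the example.

```python
from typing import List, Tuple

HEX_DIGITS = "0123456789abcdefABCDEF"
SPECIALS = ',=+<>#;"\\ '   # characters that RFC 4514 requires to be escaped inside a value

# Constructed sample DN: a user whose common name contains an escaped comma.
SAMPLE_DN = "CN=Doe\\, Jane,OU=Sales,OU=Chicago,DC=chicago,DC=example,DC=com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf object first.

    Attribute types are lower-cased because LDAP treats them case-insensitively.
    Limitations (documented here, not silently ignored): multi-valued RDNs joined
    with '+' are rare in AD and are not split, and hex escapes are decoded one
    byte at a time, so only single-byte (ASCII) hex escapes are fully correct.
    """
    pairs: List[Tuple[str, str]] = []
    key = None
    buf: List[str] = []
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 1 < n and dn[i + 1] in SPECIALS:          # \, \= \\ \  etc.
                buf.append(dn[i + 1])
                i += 2
            elif i + 2 < n and dn[i + 1] in HEX_DIGITS and dn[i + 2] in HEX_DIGITS:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))    # \23 -> '#'
                i += 3
            else:
                raise ValueError(f"bad escape at offset {i} in {dn!r}")
        elif c == "=" and key is None:
            key = "".join(buf).strip().lower()
            buf = []
            i += 1
            while i < n and dn[i] == " ":    # unescaped padding is not part of the value
                i += 1
        elif c == ",":
            if key is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            pairs.append((key, "".join(buf)))
            key, buf = None, []
            i += 1
            while i < n and dn[i] == " ":    # allow "CN=a, OU=b" style spacing
                i += 1
        else:
            buf.append(c)
            i += 1
    if key is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    pairs.append((key, "".join(buf)))
    return pairs


def domain_of(pairs: List[Tuple[str, str]]) -> str:
    """The DC components, joined with dots, are the domain's DNS name."""
    return ".".join(v for k, v in pairs if k == "dc")


def ou_path(pairs: List[Tuple[str, str]]) -> List[str]:
    """OUs from the domain root down to the one that directly holds the object."""
    return [v for k, v in reversed(pairs) if k == "ou"]


if __name__ == "__main__":
    parts = parse_dn(SAMPLE_DN)
    print("object:", parts[0])
    print("domain:", domain_of(parts))
    print("OU path:", " / ".join(ou_path(parts)))
```

Splitting on commas without handling escapes is the usual mistake: the sample DN would then appear to contain a CN of "Doe\" and a second, nameless component, which is exactly the kind of parsing slip that lets a crafted object name confuse an audit script or an access-control check built on DNs.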

All information in Active Directory® is stored in a database held on each domain controller, the directory store (the file NTDS.dit). Replication is multi-master: a change can be made on any domain controller and is copied to the others, with each controller periodically pulling changes from its replication partners and applying them locally. The domain's own objects are replicated among the domain controllers of that domain, the schema and configuration data among all controllers in the forest, and a partial copy of every domain's objects to the global catalog servers so that forest-wide searches and logons can be resolved. Because every domain controller holds a full writable copy of the domain database, password hashes included, each one must be protected to the same standard as the most sensitive system in the organization.
