Understanding Active Directory® & its architecture

Managing the ecosystem with Active Directory

In any business organisation there is a complex, and evolving, ecosystem of users, computers, file servers, printers, applications and so on. These systems and resources may be spread over more than one physical network or site, or across several countries. Even a small organisation may wish to provide its external partners with access to its systems. Managing all this can rapidly become an administrative headache.

Microsoft® Active Directory® (AD) is a family of directory-based identity services that helps systems administrators manage these complex network ecosystems. Its fundamental purpose is to centralise system administration (accounts, authentication and policy) and to help users quickly find and use resources within their organisation.

The Active Directory portfolio

In simplistic terms AD is often likened to a company phone book for the computer systems: a centralised directory that stores information about resources on the network, so that users can look them up and access them securely with the correct permissions. So, for example, a user can easily find their nearest printer and be granted access to use it.

In fact, this is only one aspect. AD is a portfolio of technologies that provide the following broad-brush authentication, authorisation, identity and security facilities:

  • The systems directory – Active Directory® Domain Services (AD DS)
  • Managing users’ rights to access and use content – Active Directory® Rights Management Services (AD RMS)
  • Federation of user identity across, and between, organizations – Active Directory® Federation Services (AD FS)
  • Handling digital certificates – Active Directory® Certificate Services (AD CS)

AD provides a centralized way to handle all these issues. It makes system and resource management more efficient and secure, increases user productivity, protects intellectual property and helps with corporate policy and compliance issues.

Application integration

A number of key enterprise applications use AD services to integrate with the wider network ecosystem and improve the support they offer users. Primary examples include Microsoft’s own enterprise products such as Exchange, Office, and SQL Server®, and third party offerings such as Adobe® Acrobat®.

The Architecture of Active Directory

AD is divided into two layers: physical and logical. The physical layer describes and controls how AD works within the Windows® operating system architecture (for example which low-level operating system services and components it can access). The logical layer is more conceptual, allowing description of the organisation and how it operates.

Active Directory physical layer

Physically, AD DS is a server role of Windows Server® rather than a separate operating system. It forms part of the Windows security subsystem and relies on some of its key components, such as the Kerberos authentication service (the key distribution centre runs on every domain controller) and the Netlogon service. The directory itself is read and written with the Lightweight Directory Access Protocol (LDAP), an industry standard, which is AD's primary directory-access protocol; authentication uses Kerberos, with NTLM retained as a fallback for older clients.

The physical layer also describes how directory information is stored on disk. On each domain controller the directory database is held in a single file, Ntds.dit (an Extensible Storage Engine database), together with its transaction logs. Because this file holds the password hashes of every account in the domain, protecting it, and every backup or virtual-machine snapshot that contains a copy of it, is the most important physical-security concern in an AD deployment.

Active Directory® also makes use of the Domain Name System (DNS), the standards-based naming and location system used on the Internet. Clients find domain controllers by querying DNS service (SRV) records that the domain controllers register themselves, so AD requires a DNS server that supports SRV records and, in practice, dynamic updates. Almost all organisations will already be running a DNS server for Internet address resolution. Microsoft® provides a DNS server which can be configured when installing AD, but other existing solutions (e.g. Berkeley Internet Name Domain (BIND)) can be used provided they meet these requirements.
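To make the DNS dependency concrete, the following is an added example (not code from the original page or from Microsoft) showing how a client turns the SRV records a domain controller registers into an ordered list of domain controllers to try, following the priority/weight rules of RFC 2782. The zone data is a constructed sample for a hypothetical forest named example.com; the record owner names _ldap._tcp.dc._msdcs.<forest> and _kerberos._tcp.<domain> are the real names AD registers, but the hosts and values are invented. A DNS server that cannot answer such queries is exactly the kind that cannot support AD.

```python
"""Pick a domain controller from DNS SRV records the way an RFC 2782 client does.

Added example. SAMPLE_ZONE is constructed sample data for a hypothetical
forest example.com, not output from any real DNS server. AD registers SRV
records such as _ldap._tcp.dc._msdcs.<forest> and _kerberos._tcp.<domain>;
a DNS server that cannot serve SRV records (or accept the dynamic updates
domain controllers send) cannot support AD.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _ldap._tcp.dc._msdcs.example.com
    priority: int  # lower is preferred
    weight: int    # relative share of traffic within one priority band
    port: int
    target: str    # host name of the domain controller


# Constructed sample zone (hypothetical example.com forest): two live DCs,
# one disaster-recovery DC only used if the first two are unavailable.
SAMPLE_ZONE = [
    SrvRecord("_ldap._tcp.dc._msdcs.example.com", 0, 100, 389, "dc1.example.com"),
    SrvRecord("_ldap._tcp.dc._msdcs.example.com", 0, 100, 389, "dc2.example.com"),
    SrvRecord("_ldap._tcp.dc._msdcs.example.com", 10, 0, 389, "dc-dr.example.com"),
    SrvRecord("_kerberos._tcp.example.com", 0, 100, 88, "dc1.example.com"),
    SrvRecord("_kerberos._tcp.example.com", 0, 100, 88, "dc2.example.com"),
    SrvRecord("_kerberos._tcp.example.com", 10, 0, 88, "dc-dr.example.com"),
]


def lookup_srv(zone, name):
    """Stand-in for a DNS query: every SRV record with the given owner name."""
    return [r for r in zone if r.name.lower() == name.lower()]


def order_srv(records, rng=random.random):
    """Order records per RFC 2782: ascending priority, weighted random within a priority."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        band = [r for r in records if r.priority == priority]
        while band:
            total = sum(r.weight for r in band)
            if total == 0:
                chosen = band[0]          # all weights zero: any order is acceptable
            else:
                pick = rng() * total      # uniform point on the cumulative weight line
                running = 0
                for chosen in band:
                    running += chosen.weight
                    if pick < running:
                        break
            ordered.append(chosen)
            band.remove(chosen)
    return ordered


def locate_domain_controllers(zone, forest, rng=random.random):
    """(host, port) pairs for LDAP to a DC of the forest, in the order a client should try them."""
    name = f"_ldap._tcp.dc._msdcs.{forest}"
    records = lookup_srv(zone, name)
    if not records:
        raise LookupError(f"no SRV records for {name}: this DNS server cannot serve AD for the forest")
    return [(r.target, r.port) for r in order_srv(records, rng)]


if __name__ == "__main__":
    for host, port in locate_domain_controllers(SAMPLE_ZONE, "example.com"):
        print(f"try LDAP on {host}:{port}")
```

The two priority-0 records share traffic by weight, and dc-dr.example.com (priority 10) is only ever tried after both fail; a lookup against a name the server does not hold raises rather than silently falling back, which is the behaviour to check when validating a third-party DNS server before promoting the first domain controller.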

Active Directory logical layer

The logical layer determines the conceptual structure of the data stored in these physical components and how it is accessed. When designing this layer, the aim is to describe how an organisation and its staff are organised and work, rather than worry about physical details such as the network connections between sites.

Essentially, everything being managed (users, printers, servers etc.) is an object in the AD store, each with a set of attributes, following the LDAP data model. A user object, for example, carries attributes such as givenName, sn (surname) and sAMAccountName (the logon name). Every object belongs to a class (user, computer, group, organizationalUnit and so on) defined in the schema, and the class dictates which attributes the object may carry. The power of the logical layer comes from the ability to organise these objects into a hierarchy of containers and into groups, and to apply settings and permissions at any level of that hierarchy.

So, for example, AD can apply Group Policy to all users and computers across the ecosystem or to a smaller subset. A Group Policy Object is linked to a site, a domain or an organisational unit and applies to the user and computer objects beneath that point in the hierarchy. Using Group Policy, administrators can control many aspects of the environment, such as user desktop configuration (e.g. power saving), security settings (password and lockout policy, audit policy, who may log on locally or as a service), deployment of mapped drives and printers, and automating key tasks such as installing or updating applications.

The logical level can get quite complicated, with a number of building blocks: domains, organisational units, groups, the schema, directory trees and forests. These constructs are organised hierarchically: organisational units nest inside a domain, domains that share a contiguous DNS namespace form a tree, and a forest is, unsurprisingly, a collection of trees. Security arrangements and trust vary between these building blocks. Domains within a forest trust each other automatically and transitively, and the schema and configuration are shared forest-wide, so the forest, not the domain, is the security boundary; trusts between forests must be created explicitly.
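The object-and-attribute model and the container hierarchy described in the two preceding passages can be seen end to end in the following added example, which is not code from the original page or from Microsoft. It parses a small directory export in LDIF form, rebuilds the domain/OU tree from the distinguished names, and answers the two questions an administrator asks most often: which objects are of a given class, and which objects sit beneath a given organisational unit (the set a Group Policy Object linked there would reach). The LDIF text is a constructed sample for a hypothetical domain example.com; the attribute names (objectClass, sAMAccountName, member, memberOf) are standard AD schema names, but the users, groups and printer are invented.

```python
"""AD's logical layer in miniature: objects with attributes in a DN hierarchy.

Added example. SAMPLE_LDIF is a constructed sample for a hypothetical domain
example.com, not an export from a real directory. Attribute names such as
objectClass, sAMAccountName, member and memberOf are standard AD schema names.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: DC=example,DC=com
objectClass: domainDNS

dn: OU=Finance,DC=example,DC=com
objectClass: organizationalUnit

dn: OU=Payroll,OU=Finance,DC=example,DC=com
objectClass: organizationalUnit

dn: CN=Alice Smith,OU=Payroll,OU=Finance,DC=example,DC=com
objectClass: user
givenName: Alice
sn: Smith
sAMAccountName: asmith
memberOf: CN=Payroll Admins,OU=Finance,DC=example,DC=com

dn: CN=Payroll Admins,OU=Finance,DC=example,DC=com
objectClass: group
member: CN=Alice Smith,OU=Payroll,OU=Finance,DC=example,DC=com

dn: CN=PRN-FIN-01,OU=Finance,DC=example,DC=com
objectClass: printQueue
printerName: Finance 2nd floor
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into {dn: {attribute: [values]}}."""
    objects, current_dn, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                              # blank line ends an entry
            if current_dn:
                objects[current_dn] = attrs
            current_dn, attrs = None, None
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current_dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[key].append(value)              # attributes are multi-valued
    if current_dn:
        objects[current_dn] = attrs
    return objects


def split_dn(dn):
    """Split a DN into RDNs, most specific first; a comma escaped as '\\,' stays inside its RDN."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    return rdns


def parent_dn(dn):
    """The DN one level up, or None if there is no parent RDN."""
    rest = split_dn(dn)[1:]
    return ",".join(rest) if rest else None


def build_tree(objects):
    """Roots plus a map of container DN -> child DNs; an object whose parent is absent is a root."""
    children, roots = defaultdict(list), []
    for dn in objects:
        parent = parent_dn(dn)
        (children[parent] if parent in objects else roots).append(dn)
    return roots, children


def objects_of_class(objects, object_class):
    """DNs of every object whose objectClass includes the given class (case-insensitive)."""
    return sorted(dn for dn, attrs in objects.items()
                  if any(c.lower() == object_class.lower() for c in attrs.get("objectClass", [])))


def effective_scope(objects, container_dn):
    """Every object beneath a container at any depth: what a GPO linked to that OU would reach."""
    _, children = build_tree(objects)
    found, stack = [], list(children.get(container_dn, []))
    while stack:
        dn = stack.pop()
        found.append(dn)
        stack.extend(children.get(dn, []))
    return sorted(found)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    roots, children = build_tree(directory)

    def walk(dn, depth):
        print("  " * depth + split_dn(dn)[0], "(" + ", ".join(directory[dn]["objectClass"]) + ")")
        for child in sorted(children.get(dn, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    print("users:", objects_of_class(directory, "user"))
    print("under OU=Finance:", effective_scope(directory, "OU=Finance,DC=example,DC=com"))
```

Note that group membership (member/memberOf) is an attribute relationship, not a position in the tree: Alice is stored under OU=Payroll but belongs to a group stored under OU=Finance, and the two hierarchies (containment for policy and delegation, groups for access control) are managed separately.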

Designing and planning the logical level is a complex task, but if done correctly it allows AD to support the organisation in operating more efficiently, simplifies administration, and makes it possible to delegate rights narrowly (to an organisational unit, say) rather than handing out domain-wide privileges.

In summary, AD is a suite of services that provides efficient administration and management of users and network resources, supporting a number of key business processes such as rights management. In many organisations it has become a mission-critical service: a compromise of the directory is a compromise of every system that trusts it, and an outage stops authentication for everything joined to it. For this reason serious consideration needs to be given to disaster recovery and threat protection.

Microsoft, Active Directory, SQL Server and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe and Acrobat are trademarks or registered trademarks of Adobe Systems Incorporated.