For the best web experience, please use IE11+, Chrome, Firefox, or Safari

What is Active Directory?

Learn what AD is and how it works

Dive into Active Directory 02:25

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.

The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.

The services control much of the activity that goes on in your IT environment. In particular, they make sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allow them to access only the data they’re allowed to use (authorization).

Read on to learn more about the benefits of Active Directory, how it works and what’s in an Active Directory database.

Benefits of Active Directory

Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature. Users can authenticate once and then seamlessly access any resources in the domain for which they’re authorized (single sign-on). Plus, files are stored in a central repository where they can be shared with other users to ease collaboration, and backed up properly by IT teams to ensure business continuity.

How does Active Directory work?

How does Active Directory work?

The main Active Directory service is Active Directory Domain Services (AD DS), which is part of the Windows Server operating system. The servers that run AD DS are called domain controllers (DCs). Organizations normally have multiple DCs, and each one has a copy of the directory for the entire domain. Changes made to the directory on one domain controller — such as password update or the deletion of a user account — are replicated to the other DCs so they all stay up to date. A Global Catalog server is a DC that stores a complete copy of all objects in the directory of its domain and a partial copy of all objects of all other domains in the forest; this enables users and applications to find objects in any domain of their forest. Desktops, laptops and other devices running Windows (rather than Windows Server) can be part of an Active Directory environment but they do not run AD DS. AD DS relies on several established protocols and standards, including LDAP (Lightweight Directory Access Protocol), Kerberos and DNS (Domain Name System).

It’s important to understand that Active Directory is only for on-premises Microsoft environments. Microsoft environments in the cloud use Azure Active Directory, which serves the same purposes as its on-prem namesake. AD and Azure AD are separate but can work together to some degree if your organization has both on-premises and cloud IT environments (a hybrid deployment).

How is Active Directory structured?

How is Active Directory structured?

AD has three main tiers: domains, trees and forests. A domain is a group of related users, computers and other AD objects, such as all the AD objects for your company’s head office. Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest.

Keep in mind that a domain is a management boundary. The objects for a given domain are stored in a single database and can be managed together. A forest is a security boundary. Objects in different forests are not able to interact with each other unless the administrators of each forest create a trust between them. For instance, if you have multiple disjointed business units, you probably want to create multiple forests.

What’s in the Active Directory database?

What’s in the Active Directory database?

The Active Directory database (directory) contains information about the AD objects in the domain. Common types of AD objects include users, computers, applications, printers and shared folders. Some objects can contain other objects (which is why you’ll see AD described as “hierarchical”). In particular, organizations often simplify administration by organizing AD objects into organizational units (OUs) and streamline security by putting users into groups. These OUs and groups are themselves objects stored in the directory.

Objects have attributes. Some attributes are obvious and some are more behind the scenes. For example, a user object typically has attributes like the person’s name, password, department and email address, but also attributes most people never see, such as its unique Globally Unique Identifier (GUID), Security Identifier (SID), last logon time and group membership.

Databases are structured, which means there is a design that determines what types of data they store and how that data is organized. This design is called a schema. Active Directory is no exception: Its schema contains formal definitions of every object class that can be created in the Active Directory forest and every attribute that can exist in an Active Directory object. AD comes with a default schema, but administrators can modify it to suit business needs. The key thing to know is that it’s best to plan the schema carefully up front; because of the central role AD plays in authentication and authorizations, changing the schema of the AD database later can dramatically disrupt your business.

Where can I learn more about Active Directory?

Where can I learn more about Active Directory?

Active Directory is central to the success of any modern business. Check out these additional helpful pages to learn best practices for the most critical areas of Active Directory:

Resources

On-Demand Webcast: Best Practices to Avoid Common Active Directory Migration Mistakes
On Demand Webcast
On-Demand Webcast: Best Practices to Avoid Common Active Directory Migration Mistakes
On-Demand Webcast: Best Practices to Avoid Common Active Directory Migration Mistakes
Mergers, acquisitions, and divestitures are common business activities that can have a huge impact on your Microsoft 365 tenant. These events come with complicated legal maneuvers and rigid timelines.
Watch Webcast
Be Prepared for Ransomware Attacks with Active Directory Disaster Recovery Planning
White Paper
Be Prepared for Ransomware Attacks with Active Directory Disaster Recovery Planning
Be Prepared for Ransomware Attacks with Active Directory Disaster Recovery Planning
Reduce your organization’s risk with an effective Active Directory recovery strategy.
Read White Paper
Colonial Pipeline Ransomware and MITRE ATT&CK Tactic TA0040
On Demand Webcast
Colonial Pipeline Ransomware and MITRE ATT&CK Tactic TA0040
Colonial Pipeline Ransomware and MITRE ATT&CK Tactic TA0040
Ransomware attacks are exploiting Active Directory. This security-expert-led webcast explores a 3-prong defense against them.
Watch Webcast
M&A IT Integration Checklist: Active Directory
Technical Brief
M&A IT Integration Checklist: Active Directory
M&A IT Integration Checklist: Active Directory
If your organization is involved in a merger and acquisition, the impending IT integration project might seem overwhelming.
Read Technical Brief
Nine Best Practices to Improve Active Directory Security and Cyber Resilience
E-book
Nine Best Practices to Improve Active Directory Security and Cyber Resilience
Nine Best Practices to Improve Active Directory Security and Cyber Resilience
This ebook explores the anatomy of an AD insider threat and details the best defense strategies against it.
Read E-book
Five Ways to Secure Your Group Policy
E-book
Five Ways to Secure Your Group Policy
Five Ways to Secure Your Group Policy
Discover how to dramatically improve security by ensuring proper GPO governance.
Read E-book
Protect Your Active Directory from Ransomware using the NIST Cybersecurity Framework
On Demand Webcast
Protect Your Active Directory from Ransomware using the NIST Cybersecurity Framework
Protect Your Active Directory from Ransomware using the NIST Cybersecurity Framework
Learn guidance on how to identify, protect, detect, respond to, and recover from ransomware cyberattacks.
Watch Webcast
Retailer Ensures PCI DSS Compliance
Case Study
Retailer Ensures PCI DSS Compliance
Retailer Ensures PCI DSS Compliance
Any retailer that wants to continue accepting credit cards needs to maintain compliance with PCI DSS standards — and prove it during annual audits. One of the PCI DSS requirements can be particularly tough to meet: storing a whole year’s worth of audit data. Discover how one large retail
Read Case Study

Blogs

The anatomy of Active Directory attacks

The anatomy of Active Directory attacks

Learn the most common Active Directory attacks, how they unfold and what steps organizations can take to mitigate their risk.

8 ways to secure your Active Directory environment

8 ways to secure your Active Directory environment

Taking the right steps to secure your Active Directory has never been more critical. Learn 8 Active Directory security best practices to reduce your risk.

Active Directory forest: What it is and best practices for managing it

Active Directory forest: What it is and best practices for managing it

Active Directory forest is a critical — but often underappreciated — element of the IT infrastructure. Learn what it is and how to manage it.

Active Directory disaster recovery: Creating an airtight strategy

Active Directory disaster recovery: Creating an airtight strategy

Businesses cannot operate without Active Directory up and running. Learn why and how to develop a comprehensive Active Directory disaster recovery strategy.

5 Active Directory migration best practices

5 Active Directory migration best practices

Active Directory delivers key authentication services so it’s critical for migrations to go smoothly. Learn 5 Active Directory migration best practices.

Active Directory security groups: What they are and how they improve security

Active Directory security groups: What they are and how they improve security

Active Directory security groups play a critical role in controlling access to your vital systems and data. Learn how they work.

Get started now

Successfully manage AD – the heart of your IT environment.