Active Directory is a database that contains many object types including users and groups. Active Directory is the name of Microsoft directory service that provides centralized authentication.
In a small network without a server providing this centralized authentication you have a database of username and passwords stored on each computer. In the image below we see 6 computers in a small network. On each one there is a user account for each user who uses the computer as well as an account for Larry Baker. If Larry changes his password on one computer that change is not replicated to the other computer. Also if any of the other users went to another computer they would not be able to log in. This may work well in smaller networks, but as you add computers to your network the need to centralize your authentication increases.
The collection of computers we see above creates a workgroup. A workgroup is a collection of computers that all share the same group name. In a workgroup all the computers are the same level, no computer has control over other computer. Each computer maintains it's own database of users and passwords and there is no syncing of this information between computers. This works well for a network up to about 20 computers. Windows 7 introduced a feature called HomeGroup. A HomeGroup is a way of extending a workgroup making it easier to share data with other members of a workgroup. When you going a HomeGroup using a password you are able to share data with other computers in the HomeGroup. (There are some limitations with this, for example Windows 7 Professional can join a HomeGroup but can only access data, not share it. Also Windows 7 Starter and Home Basic can join a HomeGroup, but they can't create one.)
The alternative to a workgroup is a domain. A domain is a collection of computers that all share the same group name and use a centralized server for authentication. In the diagram below we see a server acting as a Domain Controller (DC). This DC contains a list of all the users and their passwords. When a user on a computer that's a member of the domain tries to log in their information is sent to the DC to make sure it's correct. Any user with an account on the DC can log into any domain member.
A Windows server running the Active Directory Domain Services role creates a domain on your network. You can run the Domain Services role on multiple servers on your network. When you have multiple servers running Active Directory they each contain an editable copy of the database and replicate changes to all other DC's. This is an example of a multi master database, each DC can accept changes, and will replicate those changes to other DC's.
Objects in the database have attributes associated with them. The mapping of the attributes to the objects is called the Schema.
Active Directory is scalable, meaning it will run on small networks as well as very large networks. When you create your first domain you are creating a forest with a single tree in it. The entire forest shares the same schema.
As your organization grows so can your Active Directory setup. In the diagram below we add two child domains to our parent domain. A child domain shares the same name space as the parent domain. We still have one tree in our forest, but the tree has gotten bigger. The entire forest shares the same schema.
We continue to grow by purchasing another company. We can integrate their namespace into our forest by creating a second tree. Now our forest has two trees. Each domain shares the same schema.
It is possible to have a server be a member of the domain, but not be a domain controller. When a server is joined to the domain and is running other roles beside Active Directory Domain Services it is called a member server. A member server will user domain controller's for authentication just like a Windows client joined to the domain. A member server can be used to provide other services to your clients.