Windows Lesson 2 - Active Directory

What is Active Directory?

Active Directory is a database that contains many object types, including users and groups. Active Directory is the name of Microsoft's directory service, which provides centralized authentication.

In a small network without a server providing this centralized authentication, each computer stores its own database of usernames and passwords, called the SAM (Security Account Manager) database. In the image below we see 6 computers in a small network. Each computer contains a user account for the user who uses that computer. In the example below we have an account on each computer for Larry Baker, our local administrator. If Larry changes his password on one computer, that change is not replicated to the other computers. Also, if any of the other users wants to use a different computer, they will not be able to log in, because their account exists only on their own machine. This may work well in smaller networks, but as you add computers to your network the need to centralize your authentication increases.


The collection of computers we see above forms a workgroup. A workgroup is a collection of computers that all share the same group name. In a workgroup all the computers are at the same level; no computer has control over another computer. Each computer maintains its own SAM database of users and passwords, and there is no syncing of this information between computers. This works well for a network of up to about 20 computers.


The alternative to a workgroup is a domain. A domain is a collection of computers that all share the same group name and use a centralized server for authentication. In the diagram below we see a server acting as a Domain Controller (DC). A DC contains a copy of the Active Directory database, which contains a list of all the users and their passwords. When a user on a computer that is a member of the domain tries to log in, their information is sent to the DC to make sure it is correct. Any user with an account on the DC can log into any domain member.
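The workgroup/domain distinction above can be checked from a PowerShell prompt on any Windows machine. The following script is an added example (not part of the lesson): it reports whether the computer is in a workgroup or a domain, lists the accounts held in its own SAM database, and, on a domain member, asks a DC for the same user. It assumes Windows 10 / Server 2016 or later (for Get-LocalUser), an elevated prompt, and, for the last step, the RSAT ActiveDirectory module; the user name Larry Baker comes from the lesson's example.

```powershell
# Added example, not from the lesson. Assumes Windows 10 / Server 2016+ and an
# administrator prompt; the final block also needs the RSAT ActiveDirectory module.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

if ($cs.PartOfDomain) {
    # Domain member: logons are validated by a Domain Controller.
    # LOGONSERVER is the DC that authenticated the current session.
    "{0} is a member of domain {1}; authenticated by {2}" -f $cs.Name, $cs.Domain, $env:LOGONSERVER
} else {
    # Workgroup machine: only the local SAM database is consulted at logon.
    "{0} is in workgroup {1}; accounts are local only" -f $cs.Name, $cs.Workgroup
}

# Accounts held in this computer's own SAM database. On a workgroup machine this
# is the complete list of who can log on here; on a domain member it is only the
# local accounts. A password change here reaches no other computer.
Get-LocalUser |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon |
    Sort-Object Name |
    Format-Table -AutoSize

# On a domain member, the same question answered by the DC. Because the DC holds
# the account, this user's password is the same on every domain member.
if ($cs.PartOfDomain -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'Name -like "Larry Baker*"' -Properties PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}
```

Running it on two workgroup machines side by side shows the point of the lesson: each machine's Get-LocalUser output is independent, and a password change on one leaves the other's PasswordLastSet untouched.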


Installing the Active Directory Domain Services role on a Windows server and promoting it to a DC creates a domain in your environment. You can have multiple Domain Controllers on your network. Each DC contains an editable copy of the database and replicates changes to all other DCs. This is an example of a multi-master database: each DC can accept changes, and will replicate those changes to the other DCs.

The Active Directory database is made up of objects and attributes.

Objects in the database have attributes associated with them. The mapping of the attributes to the objects is called the Schema. An attribute can be mapped to multiple objects. These objects and their attributes are replicated between Domain Controllers.
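The multi-master replication and the schema described above can both be inspected with the ActiveDirectory PowerShell module. The script below is an added example, not the lesson's own code; it assumes the RSAT ActiveDirectory module (Server 2012 or later) and a domain account with ordinary read access. The "description" attribute is used only as a familiar example of an attribute mapped to several object classes.

```powershell
# Added example, not from the lesson. Assumes the RSAT ActiveDirectory module and
# a domain user with read access to the directory.
Import-Module ActiveDirectory

# Every DC holds a writable copy of the database (multi-master), except a
# read-only DC (RODC), which accepts no changes and only pulls them.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# Replication as seen from each DC: when did it last pull from each partner and
# did that succeed? A stale LastReplicationSuccess or a growing
# ConsecutiveReplicationFailures means changes (password resets, lockouts,
# disabled accounts) are not reaching that DC.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -ErrorAction SilentlyContinue
} |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# The schema is itself stored in the directory: every object class (user, group,
# computer, ...) and every attribute is a schema object under this container.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Which object classes may carry the "description" attribute? One attribute can
# be mapped to many classes; mayContain / systemMayContain on a class list the
# LDAP display names of the attributes it may hold.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(|(mayContain=description)(systemMayContain=description)))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName |
    Sort-Object

# Attributes flagged confidential (searchFlags bit 0x80). These replicate like
# any other attribute but are readable only with an explicit permission, the
# right setting for anything sensitive. The OID is the LDAP bitwise-AND rule.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
    -Properties lDAPDisplayName, isSingleValued |
    Select-Object lDAPDisplayName, isSingleValued |
    Sort-Object lDAPDisplayName
```

The replication check is worth running from more than one DC: because every DC is a writer, a DC that has stopped pulling changes will still accept logons against stale data until replication is repaired.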

Forests and Trees

Active Directory is scalable, meaning it will run on small networks as well as very large networks. When you create your first domain you are creating a forest with a single tree in it. The entire forest shares the same schema. The Domain Controllers are inside the Domain and hold the Active Directory database for that domain. The naming of a Domain follows DNS rules, in the example below we have

As your organization grows, so can Active Directory. In the diagram below we added two child domains to our parent domain. A child domain shares the same namespace as the parent domain, following DNS rules. This creates two entirely new domains, each with its own Domain Controllers and its own Active Directory database. A Global Catalog exists across all domains to determine which objects and attributes will replicate across domain boundaries. Each Active Directory database contains a subset of the other domains in the forest, as defined by the Global Catalog. In this environment we still have one tree in our forest, but the tree has gotten bigger. The entire forest shares the same schema.

We continue to grow by purchasing another company. We can integrate their namespace into our forest by creating a second tree. Now our forest has two trees. Every domain in it still shares the same schema.

Member Servers

It is common to have a server be a member of the domain but not be a domain controller. When a server is joined to the domain and is running roles other than Active Directory Domain Services, it is called a member server. A member server uses the domain controllers for authentication, just like a Windows client joined to the domain. A member server can be used to provide other services to your clients.
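The forest, tree and Global Catalog layout from the Forests and Trees section, and the member servers described just above, can be inventoried with one script. What follows is an added example, not code from the lesson; it assumes the RSAT ActiveDirectory module and a domain account with read access, and the account name lbaker in the Global Catalog lookup is a made-up placeholder.

```powershell
# Added example, not from the lesson. Assumes the RSAT ActiveDirectory module and
# a domain user with read access. "lbaker" below is a made-up account name.
Import-Module ActiveDirectory

# The forest: its root domain, every domain (parents, children and any second
# tree), the single schema master, and the DCs that also serve the Global Catalog.
$forest = Get-ADForest
$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, GlobalCatalogs
$forest.Domains   # every domain in every tree of the forest

# For each domain, where it sits in the namespace: a child domain shares its
# parent's DNS suffix (ParentDomain is set); the root of a second tree has none.
foreach ($d in $forest.Domains) {
    Get-ADDomain -Identity $d | Select-Object DNSRoot, ParentDomain, ChildDomains, DomainMode
}

# Attributes in the partial attribute set are the subset the Global Catalog
# copies across domain boundaries; everything else stays on its own domain's DCs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName |
    Sort-Object

# A Global Catalog query (port 3268) returns objects from every domain in the
# forest, but only the partial attribute set. Useful when you know a user's
# account name but not which domain holds it.
$gc = ($forest.GlobalCatalogs | Select-Object -First 1) + ':3268'
Get-ADObject -Server $gc -LDAPFilter '(&(objectClass=user)(sAMAccountName=lbaker))' `
    -Properties sAMAccountName, canonicalName |
    Select-Object sAMAccountName, canonicalName

# Member servers: domain-joined servers that are not DCs. DCs have the
# "Domain Controllers" primary group (RID 516); RODCs use RID 521.
Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
    -Properties OperatingSystem, primaryGroupID, LastLogonDate |
    Where-Object { $_.primaryGroupID -notin 516, 521 } |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Sort-Object Name |
    Format-Table -AutoSize
```

The member-server list is a useful baseline: a server account that has not logged on for months still trusts the DCs for authentication, so stale entries should be disabled rather than left in the domain.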
