Active Directory is a special-purpose database that automates the network management of user data, security and distributed resources. It is designed to provide a common interface for organizing and maintaining information about network resources. The directory keeps a record of all information about the network and all network-based resources, such as users, computers, files and applications. It acts as a central authority and provides a searchable information repository while securing the network.
Active Directory simplifies administration and makes resources readily available to users. One can easily locate network resources such as files and printers. It also provides data protection while reducing the barriers to online business. The following features of Active Directory make the concept clearer:
- Object-Oriented Storage Organization
- Easier Access to Information
- Simplified Management of Network Resources for Convenience
- Scalability without Complexity
- Replication and Trust Monitoring
Logical Structure
An Active Directory instance comprises a database and the corresponding executable code responsible for servicing requests and maintaining the database. This executable code, also called the Directory System Agent, is the collection of Windows services and processes that run on Windows 2000 and later releases. Active Directory databases hold objects that are accessible via ADSI (a Component Object Model interface) and LDAP.
Objects in Active Directory
The above image has been taken from Wikipedia. No copyright infringement intended.
The image represents a simplified model of the internal network of a publishing company. As the image shows, the network has four groups and three shared folders, and each group has different permissions on the shared folders.
Active Directory structures are arrangements of information about objects. Objects in Active Directory fall broadly into two categories:
- Resources (such as scanners and printers).
- Security principals (such as user accounts). Each security principal is assigned its own unique security identifier (SID).
Every object in Active Directory represents a single entity, whether a computer, a printer or a user, together with all of its attributes. Some objects contain other objects. An object is uniquely identified by its name attribute. The attributes hold the object's characteristics and information as laid out by a schema, and it is the schema that determines the types of objects that can be stored in the directory.
Domains, Forests and Trees
The Active Directory framework that holds the objects can be viewed in different ways and at different levels. Forests, trees and domains are the logical divisions of the network.
Within the same deployment, objects are grouped into domains. All objects belonging to a single domain are stored in a single database, which can be replicated later if required. Domains are also identified by their DNS name structure (the namespace).
Organizational Units
The objects held within a domain are further grouped into OUs (organizational units). OUs impart a much-needed hierarchy to a domain; with that hierarchy in place it becomes easier to administer the domain and to mirror the organization's geographic and management structure. Microsoft also recommends using organizational units rather than domains for structure, in order to simplify policies and their administration and implementation.
OUs are the recommended level at which to apply group policies. Group policies are Active Directory objects formally named group policy objects (GPOs), and the same policies can also be applied to domains. Administrative authority is commonly delegated at the OU level, but delegation can be performed on individual objects or attributes as well.
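To make the domain/OU/GPO relationship concrete, here is an added example (not code from the original article): it walks a sample object's distinguished name up through its OUs to the domain root and lists the GPOs that apply, in Group Policy's processing order (domain first, then each OU from the top down). The domain, OU and GPO names are constructed; in a real domain the links would be read from each container's gPLink attribute over LDAP.

```python
# Added illustration (constructed data, not a real forest): walk an object's
# distinguished name up through its OUs to the domain root and list the
# GPOs that apply, in Group Policy processing order.

# Constructed GPO links per container DN; in a real domain these come from
# each container's gPLink attribute over LDAP.
GPO_LINKS = {
    "DC=publishing,DC=example": ["Default Domain Policy"],
    "OU=Editorial,DC=publishing,DC=example": ["Editorial Baseline"],
    "OU=Workstations,OU=Editorial,DC=publishing,DC=example": ["Workstation Hardening"],
}

def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific first; a
    backslash-escaped comma inside a value (CN=Doe\\, Jane) stays in it."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [tuple(p.strip().split("=", 1)) for p in parts]

def container_chain(dn):
    """Containers holding the object: domain root first, immediate parent last."""
    rdns = parse_dn(dn)[1:]              # drop the object's own RDN
    chain = []
    for i, (rdn_type, _) in enumerate(rdns):
        chain.append(",".join(f"{t}={v}" for t, v in rdns[i:]))
        if rdn_type.upper() == "DC":     # first DC component is the domain root
            break
    return chain[::-1]

def applied_gpos(dn, links=GPO_LINKS):
    """GPOs in processing order: domain first, then each OU from the top down.
    Where two GPOs set the same value, the one processed later (closer to the
    object) wins, so OU-level policy overrides domain-level policy."""
    order = []
    for container in container_chain(dn):
        order.extend(links.get(container, []))
    return order
```

An object sitting in a default container such as CN=Users receives only the domain-linked GPOs, since GPOs cannot be linked to those containers, which is why the OU hierarchy matters for policy application.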
Physical Structure
In Active Directory, sites are physical rather than logical components, because they are defined by one or more IP subnets. The definitions of the connections between sites are held in AD to distinguish low-speed WAN and VPN links from fast LAN links. These definitions are more or less independent of the domain and OU structure and are common across the forest. Sites are used not only to control the network traffic generated by replication but also to refer clients to the nearest domain controllers (DCs).