What’s Active Directory?
Active Directory is the directory service included with Windows servers. It stores all the information you need to manage a Windows network, for example user accounts, file servers and printers, and the rules about who’s allowed to do what (Group Policy Objects).
You might have noticed the word Object pop up there in GPO. The data stored in this ‘Active Directory’ is organised into things called objects. The Active Directory Schema is where you define what kinds of objects you can put in your directory. If you’ve never heard of objects and schema, the concept is quite similar to XML schema.
“Object” is a confusing, abstract term. In my head, I substitute “object” with “thing”.
Lots of Confusing Words
In Active Directory you have to organise all your information into objects. These objects can be organised into a structure. So Microsoft made up all these things to help you structure your directory, and here they are.
Site
All your computers are probably networked, so you normally look at a manageable chunk of your system, for example your local area network. You then create a Site and lump everything to do with your LAN in there. Site means your physical site.
Domain
You put all your users, printers, email addresses, databases, etc. into domains. You can make one domain and use it across different sites or locations. So if your organisation has two main sites in two cities, you can simply use one big domain.
Domain Controller
Something real at last! This is your Active Directory server that keeps a copy of the domain directory. You can have more than one domain controller in a domain; however, a domain controller can only serve one domain. A domain controller is the server that checks your password is correct when you log in, etc.
Tree
When you create a hierarchy of domains, you have a… tree! You make a tree of domains in your Active Directory. This is actually quite a nice, simple idea, and it’s tied to DNS a bit. Imagine you have a domain name cyleft.wordpress.com. wordpress.com is the top of the tree (the main site), and cyleft.wordpress.com is my bit. There are lots of ‘child’ domains under wordpress.com for everybody else who uses WordPress, like torinelson.wordpress.com, and everyone looks after their own bit. So you can think of it like a tree, with wordpress.com at the root, and cyleft and torinelson as two branches coming out from there, among others. That’s what your tree is: a domain tree helps you organise your directory.
Forest
Trees are fine, but forests? If, for example, you had blogspot.com as a domain tree and wordpress.com as another domain tree, you can make a forest! Now you can share the Active Directory Schema, communicate between trees, etc. Both trees trust each other, so if you log in to one tree, the other tree trusts that you’re a real user who gave the right password (otherwise you’d need to log in to both trees).
Organisational Unit (OU)
You make OUs to help you administer your network, so you can have lots of separate administrative groups to manage your actual (huge) Windows network. You can put OUs inside other OUs in a nice tree structure as well.
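The domain tree and the OU tree both show up in an object’s distinguished name (DN): the object’s own name comes first, then the OUs it sits in (nearest first), then the DC= components, which are just the labels of the domain’s DNS name. As an added example, not code from the original post, here is a small parser that pulls that structure out of a DN. The DNs and names in it are constructed for illustration and refer to no real directory.

```python
"""Pick apart an Active Directory distinguished name (DN).

Added example; not code from the original post. The DNs are constructed
for illustration and name no real directory. A DN lists the object first,
then each container up the tree: CN= the object, OU= nested OUs (nearest
first), and DC= the labels of the domain's DNS name.
"""
from dataclasses import dataclass
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leftmost component first.

    A backslash escapes the next character, so a value such as
    'Smith\\, John' keeps its comma instead of starting a new component.
    """
    components: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))

    pairs: List[Tuple[str, str]] = []
    for component in components:
        attr, sep, value = component.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed DN component: {component!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


@dataclass
class AdLocation:
    name: str            # the object's own name (value of its first RDN)
    ou_path: List[str]   # OUs from the top of the domain down to the object
    dns_domain: str      # DNS name of the domain, from the DC= components


def locate(dn: str) -> AdLocation:
    """Work out which domain and which chain of OUs an object sits in."""
    pairs = split_dn(dn)
    dcs = [v for a, v in pairs if a == "DC"]
    ous = [v for a, v in pairs if a == "OU"]
    if not dcs:
        raise ValueError("DN has no DC= components, so no domain can be derived")
    # DC labels appear most-specific first, exactly like DNS labels, so joining
    # them with dots gives the domain's DNS name (this is the tie to DNS).
    return AdLocation(name=pairs[0][1], ou_path=list(reversed(ous)), dns_domain=".".join(dcs))


def is_child_domain_of(child: str, parent: str) -> bool:
    """True if `child` sits directly below `parent` in a domain tree."""
    child_labels = child.lower().split(".")
    parent_labels = parent.lower().split(".")
    return len(child_labels) == len(parent_labels) + 1 and child_labels[1:] == parent_labels


# Constructed sample DNs (not real objects).
USER_DN = r"CN=Smith\, John,OU=Sales,DC=corp,DC=example,DC=com"
WORKSTATION_DN = "CN=PAR-WS-001,OU=Workstations,OU=Paris,OU=Europe,DC=emea,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    for dn in (USER_DN, WORKSTATION_DN):
        loc = locate(dn)
        print(f"{loc.name!r} lives in domain {loc.dns_domain}, OU path {' / '.join(loc.ou_path) or '(none)'}")
    print("emea is a child of corp:",
          is_child_domain_of(locate(WORKSTATION_DN).dns_domain, locate(USER_DN).dns_domain))
```

Reading a DN this way is what you do whenever a log or a tool hands you an object and you need to know which domain it belongs to and which OUs (and so which administrators and policies) govern it.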
Global Catalog
If you have more than one domain in a forest, you need a global catalog so that you can log in to the network no matter which domain controller you are using. That’s what the global catalog does: it stores all group membership information. This is usually stored on a global catalog server and cached on each domain controller.
Users and Groups
When you log in to your Windows computer, you can log in in two ways. One, your username and password are stored and checked on your computer, known as a Local User Account. The other place you can store and check your password is the domain directory on a domain controller, making it a domain user account. This means that you can have local administrative accounts that control your computer, and domain administrator accounts which let you change things in the domain, tree or forest.
You also have user groups. These are just to lump users and things (like printers) together. You can have different types of groups, some are limited to a single domain, and some groups let you grant permissions and access to anything in any domain in the forest.
Group Policy
It should really be called Grouped Policies. A GP is a collection of settings that tell you how programs, Windows, etc. work for users and computers in the Active Directory. You save them in a Group Policy Object (GPO) and apply it to domains, sites, OUs, etc. It doesn’t mean that you create some policies or settings that you apply to a group: GPs are not applied to groups, you apply them to domains, OUs or whatever. Stupid, I know. You can have local GPOs for your local computer and domain policy GPOs which get applied to every user in the domain.
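Because GPOs are linked to sites, domains and OUs rather than to groups, the question for any given computer is which linked GPO wins when two of them set the same thing. Group Policy processes the local GPO first, then the site, then the domain, then the OUs from the top of the domain down to the object (the usual “LSDOU” mnemonic), and a setting applied later overrides the same setting applied earlier, so the OU closest to the object wins on conflicts. The following is an added example, not code from the original post, that walks that order and reports which GPO ended up setting each value. Container names, GPO names and settings are constructed; Enforced links, Block Inheritance and security filtering are deliberately left out.

```python
"""Which Group Policy setting wins for a given computer or user?

Added example; not code from the original post. Containers, GPO names and
settings are constructed. It applies the standard processing order, Local,
Site, Domain, then OUs from the top of the domain down to the object (LSDOU),
with a setting applied later overriding the same setting applied earlier.
Enforced links, Block Inheritance and security filtering are left out.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]   # setting name -> configured value


@dataclass
class Target:
    """Where the user or computer object sits in the directory."""
    site: str
    domain: str
    ou_path: List[str]         # top-level OU first, e.g. ["Europe", "Paris", "Workstations"]


def processing_order(target: Target) -> List[str]:
    """Container keys in the order Group Policy processes them."""
    order = ["LOCAL", f"SITE:{target.site}", f"DOMAIN:{target.domain}"]
    chain: List[str] = []
    for ou in target.ou_path:
        chain.append(ou)
        order.append("OU:" + "/".join(chain))   # parent OU before child OU
    return order


def effective_settings(target: Target, links: Dict[str, List[GPO]]) -> Dict[str, Tuple[str, str]]:
    """Merge the GPOs linked along the processing path.

    `links` maps a container key (as produced by processing_order) to the GPOs
    linked there. Returns setting -> (winning value, GPO that set it), which is
    what you want when asking "why does this machine have this setting?".
    """
    effective: Dict[str, Tuple[str, str]] = {}
    for container in processing_order(target):
        for gpo in links.get(container, []):
            for setting, value in gpo.settings.items():
                effective[setting] = (value, gpo.name)   # later application wins
    return effective


# Constructed sample: GPO links per container (values are illustrative only).
LINKS: Dict[str, List[GPO]] = {
    "LOCAL": [GPO("Local Computer Policy", {"ScreenSaverTimeout": "1800"})],
    "SITE:Paris-HQ": [GPO("Site Update Server", {"UpdateServer": "wsus-paris"})],
    "DOMAIN:corp.example.com": [
        GPO("Default Domain Policy", {"ScreenSaverTimeout": "900", "FirewallEnabled": "Yes"}),
    ],
    "OU:Europe": [GPO("Europe Baseline", {"AuditLogonEvents": "SuccessAndFailure"})],
    "OU:Europe/Paris/Workstations": [GPO("Paris Workstations", {"ScreenSaverTimeout": "600"})],
}

if __name__ == "__main__":
    ws = Target(site="Paris-HQ", domain="corp.example.com", ou_path=["Europe", "Paris", "Workstations"])
    for setting, (value, source) in sorted(effective_settings(ws, LINKS).items()):
        print(f"{setting:20} = {value:20} (from {source})")
```

Run against the sample, a workstation in Europe/Paris/Workstations gets its screen saver timeout from the Paris Workstations GPO (600) even though the local and domain GPOs also set it, while a server in Europe/Paris/Servers inherits the Europe audit baseline but keeps the domain’s 900. Tracing a setting back to its GPO like this is the first step in checking that a machine’s security baseline is actually the one you think applies.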
Tools & Utilities
Here’s a list of tools and utilities used to administer and diagnose Active Directory. If you want to know more, just ask:
- ntdsutil.exe (NT Directory Service was the old name for Active Directory type stuff in years gone by)
- dsadd, dsmod, dsquery
There are lots of details about Active Directory which will bore the hair off your eyebrows but I have already had enough.