Microsoft Windows Active Directory: a whistle-stop tour

What’s Active Directory?

Active Directory is the directory service included with Windows Server OS. It stores all the information you would need to manage a Windows network, for example user accounts, file servers and printers, and the rules about who’s allowed to do what (called Group Policy Objects).

Notice the word Object pop up there. The data stored in the directory is organised into things called objects. The Active Directory Schema is where you define what kinds of objects you can put in your directory. If you’ve never heard of objects and schema, the concept is similar to XML schema, which you can read more about at w3schools.

Lots of Confusing Words

In Active Directory you have to organise all your information into objects. These objects are best organised into a structure. So Microsoft have provided lots of ways to structure your directory.

Sites

You lump everything to do with your Local Area Network into sites. Site means your physical site.

Domains

You put all your users, printers, email addresses, databases etc. into domains. You can make one domain and use it over different sites or locations. So if your organisation has two main sites in two cities, you can simply use one big domain.

Domain Controller

Something you can touch! This is your Active Directory server that keeps a copy of the domain directory. You can have more than one domain controller in a domain. However, each domain controller can only service one domain. The domain controller is the server that checks your password is correct when you log in, etc.

Trees

A hierarchy of domains is a… tree! You can organise domains into a tree structure. This tree concept is very similar to DNS (Domain Name System). As an example, you have a domain name is the ‘top level domain’ or main site, and is my little corner. There are lots of ‘child’ domains under for all the blogs on wordpress, like

You can visualise this domain name structure as a tree. is at the root of the tree diagram, and cyleft, and torinelson are two of the branches coming out from the root.

Forests

Forests? Seriously? If, for example, you had as a domain tree and as another domain tree, you can make a forest. You can share the Active Directory Schema in a forest, communicate between trees, etc. Both trees trust each other, so if you log in to one tree, the other tree trusts that you’re a logged-on user and gives you access (otherwise you’d need to log in to both trees individually).

Organisational Unit (OU)

You make OUs to help you administer your network. You can create lots of separate administrative groups to manage different parts of your Windows network. You can put OUs in other OUs to create a tree structure too.

Global Catalog

If you have more than one domain in a forest, you need a global catalog so that you can log in to the network no matter which domain controller you are using. That’s what the global catalog does: it stores all group membership information. This is usually stored on a global catalog server and cached on each domain controller.

Users and Groups

When you log in to your Windows computer, you can log in in two ways:

  1. Your username and password are stored and checked on your computer. This is known as a Local User Account.
  2. Your username and password are stored in the Domain Directory on a domain controller. This is called a Domain User Account.

This means that you can have local administrative accounts that have privileges to control your physical computer, and domain administrator accounts which let you change things in the domain, tree, or forest.

You also have user groups. These are just to lump users and things (like printers) together. You can have different types of groups, some are limited to a single domain, and some groups let you grant permissions and access to anything in any domain in the forest.
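The local-versus-domain account split described above, as an added PowerShell example that is not part of the original post: it reports which kind of account you are logged on with, then lists who holds local Administrator rights and whether each member is stored on the machine or in the domain. It assumes Windows PowerShell 5.1 or later (the LocalAccounts module) and a domain-joined machine for the domain rows to appear.

```powershell
# Added example: classify the current logon and audit the local Administrators group.

function Get-LogonKind {
    # Windows sets USERDOMAIN to the computer name for a local account and to
    # the NetBIOS domain name for a domain account, so comparing the two tells
    # us where the password was checked (this machine vs a domain controller).
    $isDomainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    $isLocalAccount = ($env:USERDOMAIN -eq $env:COMPUTERNAME)
    $kind = 'Domain user account'
    if ($isLocalAccount) { $kind = 'Local user account' }
    [pscustomobject]@{
        User         = "$env:USERDOMAIN\$env:USERNAME"
        DomainJoined = $isDomainJoined
        AccountType  = $kind
    }
}

function Get-LocalAdminAudit {
    # PrincipalSource is 'Local' for accounts stored on this computer and
    # 'ActiveDirectory' for users or groups that live in the domain directory.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-LogonKind
Get-LocalAdminAudit | Format-Table -AutoSize

# Domain groups nested in the local Administrators group are the rows worth
# reviewing: everyone in those groups can control this physical computer.
Get-LocalAdminAudit |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'Group' }
```

Run it from an elevated prompt; Get-LocalGroupMember needs administrator rights to read the group.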

Group Policy

This should really be called GROUPED Policies! A GP is a collection of settings and rules that tell you how programs, Windows etc. will be set up for users and computers in the Active Directory.

You save GPs in a Group Policy Object. You can apply GPOs to domains, sites, OUs etc. GPs are not applied to groups, you apply them to domains, or OUs or whatever.

You can have local GPOs for your local computer and domain policy GPOs which get applied to every user in the domain.

Tools & Utilities

Here’s a list of tools and utils used to administer/diagnose Active Directory. If you want to know more, just ask:

  • netdiag.exe
  • dcdiag.exe
  • ntdsutil.exe (NT Directory Service was the old name for Active Directory type stuff in years gone by)
  • dcpromo
  • gpedit.msc
  • netdom
  • dsastat
  • repadmin
  • dsadd, dsmod, dsquery
  • whoami
  • runas
  • gpresult
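The Group Policy section and the tool list above put to work, as an added example that is not from the original post: a short PowerShell script that checks domain controller health, expands the membership of the two most powerful admin groups, and shows which GPOs actually applied to this user and computer. It assumes an elevated prompt on a domain-joined machine with the AD DS / RSAT command-line tools (dcdiag, repadmin, netdom, dsquery, dsget) installed; gpresult and whoami ship with Windows.

```powershell
# Added example: quick AD health, privileged-group and applied-policy check.

function Test-DomainControllerHealth {
    # dcdiag /q prints only failures, so no output means every test passed.
    $failures = dcdiag /q
    if (-not $failures) { 'dcdiag: all tests passed' } else { $failures }
    # Replication summary across all DCs; non-zero fail counts need attention.
    repadmin /replsummary
    # Which DC holds each Flexible Single Master Operations role.
    netdom query fsmo
}

function Get-PrivilegedMembers {
    # Expand nested membership of the forest-wide and per-domain admin groups,
    # since the post notes some groups reach across every domain in the forest.
    foreach ($group in 'Enterprise Admins', 'Domain Admins') {
        "== $group =="
        dsquery group -name $group | dsget group -members -expand
    }
}

function Show-AppliedPolicy {
    # gpresult /r summarises the GPOs applied to (and filtered out for) this
    # user and computer; /h writes the full HTML report, /f overwrites it.
    gpresult /r
    gpresult /h "$env:TEMP\gpresult.html" /f
    # The domain groups in the logged-on user's token, as seen by Windows.
    whoami /groups
}

Test-DomainControllerHealth
Get-PrivilegedMembers
Show-AppliedPolicy
```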
