Active Directory® is both a conceptual component of a Windows network and the name of the directory service software created by Microsoft®. It can be viewed much like a catalog, providing an essential reference listing for virtually anything that can be managed in a computer network infrastructure. The directory is structured hierarchically and can include computers, people and even entire networks. The system provides a means for centrally managing a computer network and its security that is scalable, synchronized and standardized throughout the entire network.
At the heart of Active Directory® is a directory service protocol known as the Lightweight Directory Access Protocol (LDAP). This protocol establishes the means by which the directory structure is organized and read from or written to. For authentication, Active Directory® uses the Kerberos network authentication protocol. The service also provides a domain name system (DNS) for translating between Internet protocol (IP) addresses and recognizable names.
Everything that goes into an Active Directory® is considered an object. There are basically two types of objects: resources and security principals. Where resources are typically physical things, such as printers, security principal objects are a little more abstract. Each security principal is given a security identifier (SID) in the Active Directory® system and represents anything that can be authenticated by the system and have permissions associated with it. Some objects can be of both types, such as a computer on the network that is both a resource and a principal, so in certain cases the two kinds can be nested within each other.
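The SID mentioned above is stored in the directory as a small binary structure (the `objectSid` attribute) and is usually displayed in its string form, `S-1-5-21-...`. The following Python example, added here and not part of the original article, decodes that binary layout, validates it, and splits a domain account's SID into the domain portion and the trailing relative identifier (RID). The sub-authority values in the sample domain SID are constructed for illustration; the built-in group SID `S-1-5-32-544` and the RID names are published Windows values.

```python
import struct
from typing import NamedTuple, Optional

# Well-known RIDs of domain accounts and groups (published Windows values).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed sample: a domain SID with made-up sub-authorities, plus RID 500.
SAMPLE_ACCOUNT_SID = "S-1-5-21-1004336348-1177238915-682003330-500"


class Sid(NamedTuple):
    revision: int
    identifier_authority: int
    sub_authorities: tuple


def parse_sid(raw: bytes) -> Sid:
    """Decode the binary objectSid layout: 1-byte revision, 1-byte sub-authority
    count, 6-byte big-endian identifier authority, then `count` little-endian
    32-bit sub-authorities. Rejects anything that does not fit that layout."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError(f"sub-authority count {count} exceeds the maximum of 15")
    if len(raw) != 8 + 4 * count:
        raise ValueError(
            f"expected {8 + 4 * count} bytes for {count} sub-authorities, got {len(raw)}"
        )
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return Sid(revision, authority, tuple(subs))


def is_valid_sid(raw: bytes) -> bool:
    """True when `raw` decodes cleanly; useful before trusting a value read from a log."""
    try:
        parse_sid(raw)
        return True
    except ValueError:
        return False


def sid_to_string(sid: Sid) -> str:
    """Render the S-R-A-S1-S2... form. Authorities that do not fit 32 bits are
    written in hex, matching the SDDL convention."""
    if sid.identifier_authority < 2**32:
        auth = str(sid.identifier_authority)
    else:
        auth = f"0x{sid.identifier_authority:012X}"
    return "-".join(["S", str(sid.revision), auth, *map(str, sid.sub_authorities)])


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string: build the binary objectSid from its string form."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)  # base 0 accepts both decimal and 0x-prefixed hex
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (
        bytes([revision, len(subs)])
        + authority.to_bytes(6, "big")
        + struct.pack(f"<{len(subs)}I", *subs)
    )


def split_domain_and_rid(sid_string: str) -> Optional[tuple]:
    """For a domain account SID (S-1-5-21-X-Y-Z-RID) return the domain SID, the RID
    and the well-known name of that RID if it has one. Returns None for SIDs that
    are not domain accounts, such as built-in groups under S-1-5-32."""
    sid = parse_sid(string_to_sid(sid_string))
    if (
        sid.identifier_authority != 5
        or len(sid.sub_authorities) != 5
        or sid.sub_authorities[0] != 21
    ):
        return None
    domain = Sid(sid.revision, sid.identifier_authority, sid.sub_authorities[:-1])
    rid = sid.sub_authorities[-1]
    return sid_to_string(domain), rid, WELL_KNOWN_RIDS.get(rid, "domain-specific")


if __name__ == "__main__":
    builtin_admins = bytes.fromhex("01020000000000052000000020020000")
    print(sid_to_string(parse_sid(builtin_admins)))   # S-1-5-32-544
    print(split_domain_and_rid(SAMPLE_ACCOUNT_SID))   # (domain SID, 500, 'Administrator')
```

A practical use is log review: when an event record carries an account SID rather than a name, splitting off the RID tells you at a glance whether the account is a built-in one (RID 500 or 512, for example) or an ordinary domain-specific account, and `is_valid_sid` catches truncated or malformed values before they are compared against anything.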
Viewed from three different hierarchical levels, an Active Directory® consists of what are known as forests, trees and domains. This can mirror an organization's actual structure, both geographically and organizationally. For example, a company's forest may consist of two primary domains, one for Chicago and another for New York. Beneath each, additional domains may be created for managing the business activities in each city, such as the accounting department, a sales team, research and development, and so forth. These two domain trees then establish a trust relationship with each other so that users in either domain can access resources in the other if necessary.
At the core of an Active Directory® is what's called an organizational unit (OU). Any number of OUs can be nested inside a domain. These allow for the structure of the Active Directory® to match that of the organization and provide a centralized means for distributed management of the objects in the directory. With an established organizational structure, additional management can then be delegated down to sub-domains in the tree, allowing for different levels of privilege to various OUs in an organization.
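The LDAP hierarchy described in the two paragraphs above is visible in every object's distinguished name (DN): the `DC=` components name the domain, the `OU=` components give the nesting path within it, and the first component names the object itself. The following Python example, added here and not part of the original article, parses a DN into its components (honouring backslash escapes as defined for LDAP DNs), reports the owning domain and the OU path from root to leaf, and builds a domain DN from a DNS name. The sample names (`corp.example.com`, the `Chicago` and `Accounting` OUs, `Jane Doe`) are constructed for illustration.

```python
import string

# Constructed sample DN following the Chicago example in the text.
SAMPLE_USER_DN = "CN=Jane Doe,OU=Accounting,OU=Chicago,DC=corp,DC=example,DC=com"


def _split_unescaped(text: str, sep: str) -> list:
    """Split on `sep`, treating a backslash-escaped separator as part of the value.
    Escape sequences are kept intact here and resolved later by _unescape."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve DN escapes: a backslash followed by two hex digits is a byte value,
    a backslash followed by any other character stands for that character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> list:
    """Return the DN as a list of (ATTRIBUTE, value) pairs, leaf first.
    Multi-valued RDNs joined with '+' are not split by this example."""
    rdns = []
    for raw in _split_unescaped(dn, ","):
        attr, sep, value = raw.partition("=")  # attribute types never contain '='
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {raw!r}")
        rdns.append((attr.strip().upper(), _unescape(value)))
    return rdns


def describe_dn(dn: str) -> dict:
    """Map a DN onto the forest/domain/OU structure the article describes."""
    rdns = parse_dn(dn)
    dc_labels = [v for a, v in rdns if a == "DC"]
    ous = [v for a, v in rdns if a == "OU"]
    leaf = rdns[0] if rdns and rdns[0][0] != "DC" else None
    return {
        "domain": ".".join(dc_labels),    # DNS name of the owning domain
        "ou_path": list(reversed(ous)),   # outermost OU first, innermost last
        "leaf": leaf,                     # the object itself, or None for a domain DN
    }


def domain_dn(dns_name: str) -> str:
    """Build the LDAP DN of a domain from its DNS name, one DC= per label."""
    labels = [label for label in dns_name.split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


if __name__ == "__main__":
    print(describe_dn(SAMPLE_USER_DN))
    print(domain_dn("corp.example.com"))  # DC=corp,DC=example,DC=com
```

When delegating administration as the paragraph above describes, the OU path returned by `describe_dn` is exactly the scope being handed over: a permission granted at `OU=Chicago` covers `OU=Accounting` beneath it, so reviewing who holds rights on each OU in the path shows who can already manage a given object.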
All of the information in an Active Directory® is stored in a database referred to as the directory store. The system allows this database to replicate itself among the others in the domain tree and further up into the forest. Domains within the tree periodically check for changes to the directory store in other domains and pull any changes into their own copy.