Windows Server Knowledge Base

Active Directory (AD):

Active Directory (AD) is a technology created by Microsoft to provide network services including LDAP directory services; Kerberos based authentication, DNS naming, secure access to resources, and more.


Lightweight Directory Access Protocol – an application protocol for querying and modifying directory services developed at the University of Michigan in the early 1990s. An LDAP directory tree is a hierarchical structure of organizations, domains, trees, groups, and individual units.


The domain is typically of the Internet naming variety (e.g., but you are not forced to stick with this structure – you could technically name your domain whatever you wish.

Domain Controllers

In Windows NT, domains used a Primary Domain Controller (PDC) and Backup Domain Controller (BDC) model. This had one server, the PDC, which was “in charge” while the other DCs where subservient. If the PDC failed, you had to promote a BDC to become the PDC and be the server in charge

In Active Directory, you have multiple Domain Controllers which are equal peers. Each DC in the Active Directory domain contains a copy of the AD database and synchronizes changes with all other DCs by multi-master replication. Replication occurs frequently and on a pull basis instead of a push one. A server requests updates from a fellow domain controller. If information on one DC changes (e.g. a user changes their password), it sends signal to the other domain controllers to begin a pull replication of the data to ensure they are all up to date.

Servers not serving as DCs, but in the Active Directory domain, are called ‘member servers.’

Active Directory requires at least one Domain Controller, but you can install as many as you want (and it’s recommended you install at least two domain controllers in case one fails).


Groups serve two functions in Active Directory: security and distribution.

A security group contains accounts which can be used for security access. For example, a security group could be assigned rights to a particular directory on a file server.

A distribution group is used for sending information to users. It cannot be used for security access.

There are three group scopes:

Global: Global scope security groups contains users only from the domain in which is created. Global security groups can be members of both Universal and Domain Local groups.

Universal: Universal scope security groups can contain users, global groups, and universal groups from any domain. These groups are typically used in a multi-domain environment if access is required across domains.

Domain Local: Domain Local scope groups are often created in domains to assign security access to a particular local domain resource. Domain Local scope groups can contain user accounts, universal groups, and global groups from any domain. Domain Local scope groups can contain domain local groups in the same domain.


An Active Directory site object represents a collection of IP subnets, usually constituting a physical Local Area Network (LAN). Multiple sites are connected for replication by site links. Typically, sites are used for:

Physical Location Determination: Enables clients to find local resources such as printers, shares, or domain controllers.


Active Directory is integrated with Domain Naming System (DNS) and requires it to be present to function. DNS is the naming system used for the Internet and on many Intranets. You can use DNS which is built into Windows 2000 and newer, or use a third party DNS infrastructure such as BIND if you have it in the environment. It is recommended you use Window’s DNS service as it is integrated into Windows and provides the easiest functionality.

AD uses DNS to name domains, computers, servers, and locate services.

A DNS server maps an object’s name to its IP address. For example, on the Internet, it is used to map a domain name (such as to an IP address (such as In an Active Directory network, it is used n
ot only to find domain names, but also objects and their IP address. It also uses service location records (SRV) to locate services.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s