If you had to explain Active Directory to someone how would you explain it?
Who is the audience for this little briefing? My wife would get a different explanation than my boss. – uSlackr Feb 04 '10 at 20:31
5 Answers
I'm glossing over quite a bit here, of course, but it's a decent semi-technical summary that would be suitable for communicating to others who are not familiar with Active Directory itself, but generally familiar with computers and the issues associated with authentication and authorization.
Active Directory is, at its heart, a database management system. This database can be replicated amongst an arbitrary number of server computers (called Domain Controllers) in a multi-master manner (meaning that changes can be made to each independent copy, and eventually they'll be replicated to all the other copies).
The Active Directory database in an enterprise can be broken up into units of replication called "Domains". The system of replication between server computers can be configured in a very flexible manner to permit replication even in the face of failures of connectivity between domain controller computers, and to replicate efficiently between locations that might be connected with low-bandwidth WAN connectivity.
Windows uses the Active Directory as a repository for configuration information. Chief amongst these uses is the storage of user logon credentials (usernames / password hashes) such that computers can be configured to refer to this database to provide a centralized single sign-on capability for large numbers of machines (called "members" of the "Domain").
Permissions to access resources hosted by servers that are members of an Active Directory domain can be controlled through explicit naming of user accounts from the Active Directory domain in permissions called Access Control Lists (ACLs), or by creating logical groupings of user accounts into Security Groups. The information about the names and membership of these security groups is stored in the Active Directory.
The ability to modify records stored in the Active Directory database is controlled through security permissions that, themselves, refer to the Active Directory database. In this way, enterprises can provide "Delegation of Control" functionality to allow certain authorized users (or members of security groups) to perform administrative functions on the Active Directory of a limited and defined scope. This would allow, for example, a helpdesk employee to change the password of another user, but not to place his own account into security groups that might grant him permission to access sensitive resources.
Versions of the Windows operating system can also perform installations of software and make modifications to the user's environment (desktop, Start menu, behaviour of application programs, etc.) by using Group Policy. The back-end storage of the data that drives this Group Policy system is in Active Directory, and is thus given replication and security functionality.
Finally, other software applications, both from Microsoft and from third parties, store additional configuration information in the Active Directory database. Microsoft Exchange Server, for example, makes heavy use of the Active Directory. Applications use Active Directory to gain the benefits of replication, security, and delegation of control described above.
Whew! Not too bad, I don't think, for a stream of consciousness!
Super short answer: AD is a database to store user logon and group information, and configuration information that drives group policy and other application software.
Good answer - but how do you respond to the question: "if it's just a database, then why not just store everything in SQL Server?" – marc_s Jun 12 '09 at 07:54
Because this particular database is the one that Microsoft chose to use for all these functions-- not SQL Server. Why do clocks run "clockwise"? *smile* Certainly, Microsoft could have stored all of the kinds of information that Active Directory manages in an SQL Server-based database, but they opted to use the Jet Blue engine instead. The fact that AD isn't using the SQL Server storage engine doesn't make it any less of a database. – Evan Anderson Jun 12 '09 at 11:50
LDAP is a database but it is highly tuned for reads due to the nature of the traffic. SQL is tuned for more general traffic. – uSlackr Feb 04 '10 at 16:43
@uSlackr: LDAP isn't a database-- it's a communications protocol. – Evan Anderson Feb 04 '10 at 17:21
@Evan Anderson I stand corrected - LDAP was written as a protocol to front-end the complex X.500 directory services. However, no one implements X.500 any longer, only the LDAP interface. So, LDAP is generally considered a directory service in and of itself, now. But my larger point remains true. LDAP directory services are read heavy and write light. – uSlackr Feb 04 '10 at 20:24
Question about the group policy statements. Aren't GPO settings kept in files that are replicated outside of AD by FRS? I thought AD kept only the policy metadata (where it is linked, what files hold the settings, etc.). Look in \\example.com\sysvol\example.com\Policies – uSlackr Feb 04 '10 at 20:30
@uSlackr: Yep-- the actual settings specified in GPOs are kept in files replicated either via NTFRS or DFS-R. Like I said in my very first sentence "I'm glossing over quite a bit here..." In this answer I'm treating the amalgam of data stored in the DIT file and in the SYSVOL as being "the Active Directory". – Evan Anderson Feb 05 '10 at 05:00
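The split the comments describe (AD holds the GPO link and metadata, SYSVOL holds the settings files) can be seen directly from a domain-joined machine. This is an added example, not code from the answers above; it assumes the RSAT ActiveDirectory module and an OU named `OU=Workstations,DC=example,DC=com`, which you would replace with one from your own domain.

```powershell
# Added example: read the GPO links AD stores on an OU (gPLink), resolve each
# linked GPO object, and show where its settings actually live (gPCFileSysPath
# under SYSVOL), plus who is allowed to write those files.
Import-Module ActiveDirectory

$ouDn = 'OU=Workstations,DC=example,DC=com'   # assumed OU; adjust for your domain

$ou = Get-ADOrganizationalUnit -Identity $ouDn -Properties gPLink

# gPLink is a single string: "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;FLAGS][...]"
# FLAGS: bit 0 = link disabled, bit 1 = enforced
$linkPattern = '\[LDAP://(?<dn>[^;]+);(?<flags>\d+)\]'

foreach ($m in [regex]::Matches($ou.gPLink, $linkPattern)) {
    $gpoDn = $m.Groups['dn'].Value
    $flags = [int]$m.Groups['flags'].Value

    # The GPO object in the directory is metadata only: name, version, SYSVOL path
    $gpo = Get-ADObject -Identity $gpoDn -Properties displayName, gPCFileSysPath, versionNumber

    # Principals with write rights on the policy folder can change the settings
    # applied to every computer the link covers, so they are worth reviewing.
    $writers = (Get-Acl -LiteralPath $gpo.gPCFileSysPath).Access |
        Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        GPO          = $gpo.displayName
        Version      = $gpo.versionNumber
        LinkDisabled = [bool]($flags -band 1)
        Enforced     = [bool]($flags -band 2)
        SysvolPath   = $gpo.gPCFileSysPath
        SysvolExists = Test-Path -LiteralPath $gpo.gPCFileSysPath
        WriteAccess  = ($writers -join ', ')
    }
}
```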
"See, imagine a giant tree with a bunch of buckets on the limbs. Inside these buckets are little keys that grant you access to special doors that live in an area, past the tree. If your name matches a name etched on one of those keys in one of those buckets, you get to open the door that matches that key and access the special information that's stored in there."
"And my job, as an Active Directory administrator, is to make sure that all those buckets, keys and names etched on each are all up-to-date, working well, removed when no longer useful or needed. In addition, I build NEW doors that protect NEW rooms, mill the new keys that allow access and even water and grow the tree that holds all of it together."
(Technically, I liked Evan's answer better, but this is how I'd explain it. :)
If it was my wife I'd just describe it as like a phone directory with a bit more info.
I don't have commenting rights (low reputation), so just assume that this answer is a comment on Evan's answer about why not SQL Server.
What I recall was that Microsoft wanted the AD database to be so robust and self-healing that normal DBA-type activity would not be required, nor a dedicated DBA. At that time (early or mid '90s) SQL DB technology was not robust enough for AD's intended purpose.
There was a discussion on this topic on the mailing list at activedir.org (THE BEST mailing list for Active Directory. PERIOD.)
See it as a crossbreed of an SQL server and a network file share: take the best bit of each of these two technologies, throw it away, and what's left is Active Directory (or for that matter any LDAP).
Now imagine that everything you usually do to configure a single PC, like setting up users, groups, printers, network shares, access rights and such, can be stored in a specific place and applied to any number of computers willing to access that specific place.
This is how Microsoft wants us to use Active Directory.