Active Directory is a "Directory Service" which can be optionally installed on Windows 2000 Server and Windows Server 2003. It maintains a database with information on the users and computers on your network. When a user logs into the network, Active Directory checks the user's credentials (username and password), and then allows or denies the user access to the network. Similarly, when a computer boots up, it must authenticate with Active Directory. If it does not, or if it fails to provide the Active Directory service with valid credentials, it is denied access to certain network resources (e.g. file shares, printers, SQL databases, etc.).
Although setting up an Active Directory infrastructure can be a daunting and initially time-consuming task, there are a number of benefits which give it a high return on investment (ROI).
Besides authenticating users and computers, Active Directory also stores a great deal of information about the users and computers in its database, enabling it to implement the following:
- Single Sign-on: A user can use the same username and password to log on to many different machines. This reduces the System Administrator's work, as the administrator no longer has to set up a user account on each machine that the user needs access to.
- Roaming Profiles: An Administrator can optionally set up some of the users with Roaming Profiles or Folder Redirection. This enables the Administrator to transparently store the users' personal documents, settings, and folders in a central location. To the user, her desktop and settings appear to follow her to whatever machine she uses. The job of backing up important files becomes easier for the administrator, as user documents are all stored in one or more central locations.
- Group Policy: Group Policy enables an Administrator to configure many computers simultaneously. The Administrator can specify that third-party software applications be automatically installed on certain computers (via .msi installation files), that certain users can't use specific programs or Control Panel applets, that specific machines should not run specific services, and much more. For more information, see Securing Computers with Group Policy.
- Organizational Units: It can be difficult for an Administrator to sift through long lists of users or computers. Active Directory allows an Administrator to put users into "Organizational Units" (OUs). For example, the Administrator could put all the employees and computers in the Human Resources department into an OU called "HR". All of the accounting employees could go into another OU called "Accounting People". The Administrator could then apply one set of Group Policy settings to "HR" and another to "Accounting People". For example, the administrator could specify that "Accounting People" should have "Quickbooks Pro" automatically installed on their computers and that HR people must not be allowed to run screensavers.
- Global Security Groups: Active Directory allows you to create "groups" of users or computers and then allow or deny them access to files, printers, and other objects. Whereas an "Organizational Unit" gives you control over a user's rights to perform certain activities, "security groups" give you granular control over which files, directories, registry entries, and printers a group of users is allowed to view, modify, or use. You can put many thousands of users into these security groups, and then grant or deny them access to a single resource with a few mouse clicks. For example, you could give the "Managers" security group the right to change all the documents in the "Business Plan" directory while giving the "Investors" security group Read-Only access to the same folder.
- Replication: Active Directory databases are stored on Windows 2000 or Windows 2003 servers called "Domain Controllers". Once you successfully run a program called "dcpromo" on your Windows Server (this program comes included with Windows Server -- don't run it until you've done extensive planning and research), your Active Directory directory service is up and running. Run dcpromo on a second machine, and your Active Directory database will be automatically replicated between the two machines. This way, if one machine dies, your AD network can continue to run. In addition, since both domain controllers have up-to-date Active Directory databases, some users can use one Domain Controller (DC) while others use the other DC, allowing for load-balancing and better performance.
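The OU and security-group layout from the two items above (the "HR" and "Accounting People" OUs, and the "Managers" / "Investors" groups on the "Business Plan" folder), written out as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (shipped with RSAT from Windows Server 2008 R2 onward, so newer than the Windows 2003 servers discussed here), a hypothetical domain corp.example.com with NetBIOS name CORP, a hypothetical folder D:\Shares\BusinessPlan, and constructed user accounts alice.manager and bob.investor.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, the hypothetical domain corp.example.com (NetBIOS "CORP") and the
# hypothetical folder D:\Shares\BusinessPlan. Run as a domain administrator.
Import-Module ActiveDirectory

$domainDN  = "DC=corp,DC=example,DC=com"
$netbios   = "CORP"
$shareRoot = "D:\Shares\BusinessPlan"

# 1. Organizational Units: containers for administration and Group Policy.
foreach ($ou in "HR", "Accounting People") {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Global security groups: the objects that actually carry access rights.
foreach ($grp in "Managers", "Investors") {
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'" -SearchBase $domainDN)) {
        New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security -Path $domainDN
    }
}

# Constructed sample members. Rights are granted to the group, never to the
# individual user on the folder, so membership reviews and revocations stay simple.
Add-ADGroupMember -Identity "Managers" -Members "alice.manager"
Add-ADGroupMember -Identity "Investors" -Members "bob.investor"

# 3. File-system ACL on the share: Managers may change documents, Investors may
#    only read them. Inheritance flags push each ACE down to subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$acl = Get-Acl -Path $shareRoot
$acl.SetAccessRuleProtection($true, $false)   # drop broader ACEs inherited from the parent
foreach ($entry in @(
    @("$netbios\Managers",      "Modify"),
    @("$netbios\Investors",     "ReadAndExecute"),
    @("BUILTIN\Administrators", "FullControl"),   # keep admins and the OS in control
    @("NT AUTHORITY\SYSTEM",    "FullControl"))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], $inherit, $prop, "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $shareRoot -AclObject $acl

# 4. Verify the result so the effective permissions can be reviewed.
(Get-Acl -Path $shareRoot).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because step 3 stops inheritance from the parent folder, anyone not covered by the listed groups (including the administrator running the script, if not a member of BUILTIN\Administrators) loses access to the folder, which is the intended least-privilege outcome.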
Active Directory is a big subject and there are many thick books written about it. For more information, try http://www.microsoft.com/ActiveDirectory.
A good book for beginners is Active Directory For Dummies.
For the most in-depth coverage, try the MCSE Study Guide for Exam 70-217 or the MCSE Study Guide for Exam 70-297.