This is the ultimate FAQ for Microsoft Active Directory — built to answer all of the most frequently asked questions about the legacy, on-prem directory service. We’ll get into the what, when, why, who, and how of Microsoft Active Directory — otherwise known as AD or MAD.


AD is both widely used and widely misunderstood. Developed by Microsoft in the late 1990s, AD is the world’s most well-known on-prem directory service, often referred to as an identity provider (IdP). AD ushered in the era of modern identity management in the early 2000s, but with a shifting IT landscape there are a number of questions that IT admins and organizations have about just what AD is, how it works, and why it matters.

We’ve identified some of the most common questions about Active Directory and answered them below.


Active Directory Basics

What is Active Directory?

Active Directory is a directory service / identity provider that enables administrators to connect users to Windows-based IT resources. Further, with AD, IT can manage and secure their Windows-based systems and applications. AD stores information about network objects (e.g. users, groups, systems, networks, applications, digital assets, and many other items) and their relationship to one another.

Admins can use AD to create users and grant them access to Windows laptops, servers, and applications. They can also use AD to control groups of systems simultaneously, enforcing security settings and software updates.

Access and controls are done using the concept of a domain. The domain concept is essentially one of inclusion and exclusion. Traditionally, this approach was tied to physical locations. Historically, many IT resources were hosted on-prem and as a result they were part of the domain – i.e. the internal network – and when a user was in the physical location they would have access to all of their requisite resources on-prem. If a user was off-prem, they would need to VPN in to make it appear that they were on-prem. This approach worked well when IT resources and people were in the same physical proximity.

AD is part of the wider Identity and Access Management (IAM) space and is often supplemented with single sign-on (SSO) or MDM (mobile device management) solutions, among many others. Our Directory Platform is a cloud-based alternative to Active Directory.

Get a more in-depth definition of Active Directory with “What is Active Directory, Anyway?”

When was Active Directory released?

What protocols does AD use?

Active Directory takes advantage of the networking protocols for DNS/DHCP and the Lightweight Directory Access Protocol (LDAP), alongside Microsoft’s proprietary version of Kerberos for authentication.

Many people ask why AD doesn’t natively support more protocols, such as SAML and RADIUS. We won’t speculate on their reasoning, but we do believe that a multi-protocol approach is the future of IAM. Support for protocols such as SAML and RADIUS can be accomplished through Microsoft add-on solutions as well as third-party solutions.

Why is Active Directory called active?

Our best guess is that AD is called Active Directory because it actively updates information stored in the directory. For example, when an administrator adds or removes a user from the organization, Active Directory automatically replicates that change to all of the directory servers. This happens at a regular interval so that the information always remains up-to-date and synchronized.

Today, this “active” type of behavior is expected in IT systems. But, before the era of computerized directory services, the concept of a directory that kept itself up to date was pretty innovative. Keep in mind that when the Active Directory moniker was coined, physical encyclopedias were still commonly used and the “active” Wikipedia hadn’t yet launched.

Who uses Active Directory?

Generally speaking, when an organization leverages Active Directory, every single employee uses Active Directory every day without even knowing it. People use Active Directory when they log in to their work machines and when they access apps, printers, and file shares.

But the primary users of Active Directory are the admins. These people actually operate, manage, and configure AD. AD admins likely include all of the IT team and may also include members of the security, DevOps, or engineering teams.

Virtually all organizations around the world use a solution such as Active Directory or another identity provider. Enabling and controlling access to IT resources is one of the most important aspects of operating an organization in modern times. Solutions such as directory services enable organizations to be productive.

Why does Active Directory matter?

Whether people realize it or not, Active Directory has been making the business world go ‘round since the turn of the century. AD is in place at almost every large organization and many small ones. It’s just such a foundational tool (always humming away quietly in the background) that many people who use AD every day don’t even realize what AD is—or that it’s the key to their secure access to their laptop, applications, network, and even files. In short, a directory service is what connects users to their IT resources, and AD has done that for users and their Windows resources for almost two decades.

Looking for a more in-depth answer? We also have a full blog covering why AD is important.

Active Directory Definitions

What are Active Directory objects?

An object is the generic term for any unit of information stored within Active Directory’s database. Objects can include users, laptops, servers, and even groups of other objects (explained below).

What are Active Directory groups?

AD enables admins to manage sets of multiple objects, and these sets are known as groups. Using GPOs (group policy objects), an admin can make a change on one group and have that change apply to all objects within that group. They’re often used to segment users or systems by department or clearance.

The bottom line is that group-based management makes IT administration more efficient.

What are forests, trees, and domains in Active Directory?

A forest is the topmost part of Active Directory’s logical structure, which also includes objects, trees, domains, and organizational units (OUs). A forest is a collection of trees, and a tree is a collection of domains. So, what are trees and domains?

Well, a domain is a collection of users, computers, and devices that are part of the same Active Directory database. If an organization has multiple locations, it may have a separate domain for each one. For example, an international organization could have a domain for its London office, another one for its New York office, and a third one for its Tokyo office.

A tree could be used to group all three of those domains as branches belonging to the same tree, so to speak. An organization that has multiple trees could then group them into a forest.

This is a core concept of Active Directory and can be complicated. If you have questions, drop us a note and we’d be happy to help you work through what type of AD structure makes sense for your organization.

What is a domain controller?

A domain controller is any server that is running Active Directory Domain Services. At least one domain controller is necessary to use Active Directory, though most organizations have at least two per location. Large, multinational organizations may require dozens of domain controllers across each of their physical locations in order to ensure high availability for their AD instance. Generally, DCs are thought of as being tied to a physical office, which in the current remote work environment can be challenging.

Individual users and their systems are connected to the domain controller through the network. When users request access to objects within the Active Directory database, AD processes that request and either authorizes or denies access to the object.

Once within the domain, a user doesn’t need to put in another username and password to gain access to domain-bound resources that they have rights to. The authentication and access occur seamlessly. That’s the beauty of the domain. But this concept begins to fall apart as non-Windows resources are introduced. It also struggles if users are remote and not physically attached to the domain – in this case, the end user will need to VPN into the network and be authenticated by the DC in order to gain access to their on-prem, Windows-based resources.

Note that Microsoft has also extended the concept of a domain to Azure. Organizations can create a separate domain in Azure through Azure AD DS. This domain is separate and distinct from the on-prem domains, although the two can be bridged through a variety of connective technology including Azure AD Connect and Azure AD.

We should also note that there is a new concept called the Domainless Enterprise, which takes the approach of eliminating the domain concept but still retains the idea of securely and frictionlessly accessing IT resources wherever they may be. This concept is especially helpful for organizations that leverage web applications, cloud infrastructure, and non-Windows platforms (e.g. macOS, Linux).

What is Active Directory Domain Services (AD DS)?

AD DS basically sets up the database of objects that serves as the foundation for AD management. AD DS isn’t the only server role associated with Active Directory, but you could argue that it’s the server role that corresponds most directly to the core functionality that people associate with AD.

How does Active Directory work?


When Active Directory Domain Services is installed on a server, it becomes known as a domain controller. This server stores the Active Directory database, which contains a hierarchy of objects and their relationship to one another.

Active Directory is managed by an admin through a thick-client GUI (graphical user interface) that resembles the file manager in Windows (pictured above). This application runs on a Windows server and is not a modern browser-based application. Admins can point, click, and drag objects within AD and adjust their settings by right-clicking with the mouse and accessing the dropdown menu.

AD can also be controlled via the command line and through tools that leverage PowerShell, Microsoft’s language for automation and API-level tasks.

The biggest misconception around Azure AD is that it’s Active Directory in the cloud. But the truth is that Azure AD wasn’t built to be a standalone AD in the cloud. Instead, Azure AD has been designed to extend an existing Active Directory instance to the cloud.

To better understand the AD and AAD relationship, Microsoft’s reference architecture diagram can be helpful.


The concept can be a great deal of work with a lot of moving parts: synchronize your on-prem AD with Azure AD Connect and you can connect your existing database of user identities and groups to Azure cloud-based resources. Of course, you need Azure AD, and then if you would like to create a domain within Azure, the Azure AD DS product as well.

Azure AD can actually do many things that AD can’t (e.g. it has an integrated web application single sign-on component)—and the wider umbrella of Microsoft’s Azure platform spans functionality so broad that you can think of it as Microsoft’s competitor to Amazon Web Services. But don’t be fooled into thinking that means that Azure AD can do everything that on-prem Active Directory can.

What is Azure AD Connect?

Azure AD Connect is a tool used to federate on-prem Active Directory identities to resources that are hosted within the Azure platform through Azure Active Directory. These resources could include Office 365™ and Azure systems, servers, and applications.

What AD Is & Isn’t

Is Active Directory Single Sign-On (SSO)?

You could say that Active Directory was SSO before SSO existed. By that, we mean that AD can provide a single sign-on experience for users by centralizing access to all Windows-based resources within the database. Further, those resources were all on-prem or at minimum connected to the domain.

That said, what the industry conventionally considers to be SSO (web app SSO) is very different from AD—and in fact, conventional SSO arose out of AD’s inability to authenticate users into web apps during the mid-2000s. Today, many organizations still supplement their Active Directory with a browser-based web application SSO tool.

However, new business requirements have driven the concept of SSO to now extend to devices, networks, file servers, and more, so the modern concept of SSO goes beyond just access to Windows resources or even web applications. The concept of True SSO is even more expansive and highly relevant for modern organizations where users and their IT resources may be all over the world.

Is Active Directory software?

Yes, Active Directory is software developed by Microsoft that is installed, maintained, and updated on Windows-based server hardware. The AD software is licensed through a concept called CALs (client access licenses), among other mechanisms. Licensing for AD software can be quite complex, so discussing it with a Microsoft reseller is your best bet.

Further, the AD software and hardware are not a complete solution. You’ll need to procure other components to help make AD run, including solutions for security, high availability, backup, VPN, and more.

Is Active Directory a server?

Not exactly. That said, Active Directory requires a Windows server in order to function. A server running Active Directory Domain Services software is known as a domain controller – whether that server is physical hardware located on-prem or virtualized.

Is Active Directory a database?

It would be more accurate to say that Active Directory contains a database. The Active Directory database is the store of all the users, groups, systems, printers, and policies within the network. These are known as objects and can be manipulated by admins using Active Directory.

Is Active Directory open source?

No. Active Directory was developed privately by Microsoft and its code has not been made available to the public like an open source tool. The primary open source alternative to Active Directory is OpenLDAP (others include FreeIPA, Samba, 389 Directory Server, and more). You can learn more about the difference between OpenLDAP and AD.

Is Active Directory LDAP?

Active Directory isn’t LDAP, but it uses LDAP. AD is a directory service that is capable of communicating through the LDAP protocol and managing access to LDAP-based resources. AD’s primary protocol is a Microsoft proprietary version of Kerberos.

Active Directory Functionality

What do you need to operate Active Directory?

Generally, to operate AD, you’ll need a server, a backup, data center space, and VPNs. That’s just to get through the basics, but for most organizations you’ll also need to figure out security, load balancing / high availability, data backup, and much more. You’ll also need an IT admin who is technically adept enough to install, manage, and maintain AD.

That said, the hardware and software requirements necessary to operate Active Directory are unique to each organization. Some aspects you need to consider when determining what you’ll need to operate AD include the following:

- number of users
- number of systems
- level of RAM required
- network bandwidth needs
- file storage capacity and performance demands
- processing power

Accurately assessing your IT environment is crucial for effective use of Active Directory, and taking shortcuts could result in performance issues down the line. For more information, consider checking out Microsoft’s capacity planning article. You’ll also want to talk to Microsoft resellers regarding licensing as it can be complex. Those licensing requirements can include the server software, client access licenses, and more.

Of course, if you have non-Windows systems, applications, file servers, and network infrastructure, you’ll need to purchase add-ons as well, such as web application SSO, multi-factor authentication, privileged access management, governance and auditing, and more.

What Are Active Directory’s Limitations?

Yes, there are limits in Active Directory. From the maximum number of objects to the maximum number of GPOs applied, Active Directory has its restrictions. Here are a few of them:

- A domain controller can create “a little bit less” than 2.15 billion objects during its lifetime.
- Users, groups, and computer accounts (security principals) can be members of a maximum of approximately 1,015 groups.
- You can apply a limit of 999 Group Policy Objects (GPOs) to a user account or a computer account.
- You should avoid performing more than 5,000 operations per LDAP transaction when writing scripts or applications for an LDAP transaction.

You can read more about Active Directory limitations here. From a practical standpoint, there are limitations due to server hardware capacity, bandwidth, performance latency, and more. IT admins will need to understand their entire infrastructure to understand how their users are impacted by these types of limitations.
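As an added example (not code from the original post), here is a PowerShell script, since AD can be driven through PowerShell, that checks a domain against two of the limits above: users whose nested group membership is approaching the ~1,015 group limit, and OUs carrying an unusually high number of effective GPO links. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the thresholds (900 groups, 50 GPOs) are this example's own choices:

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory and
# GroupPolicy modules are installed and the caller can read the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC resolve
# nested group membership server-side, which is what the access token actually
# carries. The real token also holds the primary group and well-known SIDs, so
# treat the count as approximate, as the ~1,015 figure itself is.
function Get-TransitiveGroupCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Escape characters that are special in LDAP filter values (RFC 4515).
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $filter = "(member:1.2.840.113556.1.4.1941:=$escaped)"
    @(Get-ADGroup -LDAPFilter $filter).Count
}

# Flag enabled users whose transitive membership is approaching the limit.
function Find-UsersNearGroupLimit {
    param([int]$Threshold = 900)   # assumption: warn well before ~1,015
    Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
        $n = Get-TransitiveGroupCount -DistinguishedName $_.DistinguishedName
        if ($n -ge $Threshold) {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; Groups = $n }
        }
    }
}

# GPO links are inherited down the OU tree; 999 is the hard cap per user or
# computer, but logon times suffer long before that. Report busy OUs.
function Find-OUsWithManyGPOs {
    param([int]$Threshold = 50)    # assumption: a sensible review threshold
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $links = (Get-GPInheritance -Target $_.DistinguishedName).InheritedGpoLinks
        if ($links.Count -ge $Threshold) {
            [pscustomobject]@{ OU = $_.DistinguishedName; LinkedGPOs = $links.Count }
        }
    }
}

# Usage: run from a domain-joined admin workstation.
Find-UsersNearGroupLimit | Sort-Object Groups -Descending | Format-Table -AutoSize
Find-OUsWithManyGPOs | Sort-Object LinkedGPOs -Descending | Format-Table -AutoSize
```

On a large domain the per-user LDAP query is slow; scope `Get-ADUser` with `-SearchBase` to the OUs you care about first.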

Why backup Active Directory?

Take a moment and think about all of the hard work you’ve put into creating a secure, seamless IT environment. You’ve nailed providing users with just the right amount of access to all of the IT resources they need to get work done. You’ve got all the right GPOs in place. Your logical structure is pristine.

With no backup, you run the risk of having to start all over.

Not only is it a pain to set everything up again, but the rest of the company will be significantly delayed in getting back to work. Employees won’t be able to access their IT resources until you’ve rebuilt your Active Directory setup. So, having a backup strategy for your Active Directory instance can save a lot of pain and time in the event you experience a failure or disaster. For advice on what to consider for your disaster recovery plan, consider reading this r/sysadmin Reddit post.

Of course, backing up AD is only one of the disaster scenarios that you’ll need to account for. Internet connections can be severed, hardware can fail, human errors can occur, and more. Those will all need to be accounted for as well. As IT admins know, authentication services are generally a 100% uptime initiative.

When is it time to replace Windows Server?

The estimated lifespan for a server is generally about five years. After that, you’re on borrowed time. If you’re still using Windows Server 2003 or Windows Server 2008, then you should definitely be thinking about getting a new domain controller. The EOL for Windows Server 2003 occurred in July 2015 and the EOL for Windows Server 2008 was January 14, 2020.

Are there any Active Directory best practices?

Yes. When building out Active Directory infrastructure, there are some best practices that can help you maintain strong security and also avoid configuration issues. Here are a few recommendations:

How do you secure Active Directory?

Many of the best practices listed above get to the heart of this: keep your AD instance patched and up-to-date, and utilize principles of least privilege. Don’t use your domain controller for anything other than the roles required for domain services.

When it comes to physical security, you could consider locking up the server room, having alarms at all access points, keeping the premises under video surveillance, and also setting up flood alarms and fire prevention systems.

You’ll also have to train any users who have access to AD about how to stay secure. Read our in-depth guide to security training, Security Training 101: Employee Education Essentials.

Of course, for many organizations the concept of physical security can be left to a cloud provider, if one is utilized.
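As an added example (not code from the original post), the three technical points above, patching, least privilege, and no extra roles on the DC, turned into a hygiene check an admin can run on a domain controller. It assumes the RSAT ActiveDirectory module is present; the role allow-list and the 90-day patch threshold are this example's assumptions, not Microsoft guidance:

```powershell
# Added example, not from the original post. Run elevated on a domain controller.
Import-Module ActiveDirectory

# Roles a DC legitimately carries (assumption). AD DS and DNS are the point of
# the box; FileAndStorage-Services is installed by default on Windows Server.
# Extend the list only for roles you have deliberately decided to co-locate.
$AllowedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services', 'File-Services', 'Storage-Services')

# Any installed role outside the allow-list is extra exposure on the most
# sensitive server in the domain and belongs on a separate member server.
function Get-UnexpectedRoles {
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $AllowedRoles } |
        Select-Object Name, DisplayName
}

# Membership of the highest-privilege groups, resolved through nested groups.
# Least privilege means these lists stay short and every entry is explainable;
# password hygiene on these accounts is shown alongside. Enterprise Admins and
# Schema Admins exist only in the forest root, hence SilentlyContinue elsewhere.
function Get-PrivilegedMembers {
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
            $u = $null
            if ($_.objectClass -eq 'user') {
                $u = Get-ADUser $_ -Properties PasswordNeverExpires, PasswordLastSet
            }
            [pscustomobject]@{
                Group                = $g
                Member               = $_.SamAccountName
                Class                = $_.objectClass
                PasswordNeverExpires = if ($u) { $u.PasswordNeverExpires } else { $null }
                PasswordLastSet      = if ($u) { $u.PasswordLastSet } else { $null }
            }
        }
    }
}

# Days since the most recently installed update; $null if nothing is recorded.
function Get-DaysSinceLastPatch {
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $last) { return $null }
    [int]((Get-Date) - $last.InstalledOn).TotalDays
}

# Usage
$days = Get-DaysSinceLastPatch
if ($null -eq $days -or $days -gt 90) {   # 90 days is this example's threshold
    Write-Warning "Last update installed $days days ago (or unknown); the DC is behind on patches."
}
Get-UnexpectedRoles | Format-Table -AutoSize
Get-PrivilegedMembers | Sort-Object Group, Member | Format-Table -AutoSize
```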

How do you ensure high availability with AD?

There’s no one-size-fits-all formula for how to achieve high availability (HA) for your Active Directory instance. Different organizations have different uptime needs and standards. But redundancy is a “must-have” for all except the least risk-averse admins. The approach we see most commonly at SMBs is to have one direct domain controller in the production environment and then a second DC to serve as a failover. This general strategy of redundancy can be scaled up for larger organizations and enterprises.

There are a number of network infrastructure and hardware components that are necessary to ensure high availability. Many organizations are shifting to the cloud and leveraging cloud providers to help them solve the HA and load balancing concerns.

Can Active Directory work with Macs?

We’ve put together a resource on this topic called best practices for integrating Macs with Active Directory.

Why learn Active Directory?

Knowing how to use AD is a valuable skill—and one that’s broadly applicable at organizations worldwide. Learning AD is particularly valuable if you want to work in IT supporting Windows devices, Azure cloud services, SharePoint, and many other enterprise software products and platforms.

That said, it’s possible to advance a career in IT without ever learning AD. Modern, cloud-forward organizations are bypassing on-prem AD altogether and going straight to cloud-based directory services. You can practice with directory services by taking advantage of a free Directory Platform account. There’s also our University, which can help you learn the concepts around a cloud directory platform and the Domainless Enterprise.

Evaluating Active Directory

Is Active Directory free?

This is a common misconception. While AD is technically included with Windows Server, the servers it runs on certainly aren’t, and Microsoft cleverly makes its money from AD customers through licensing for Windows Server. The cost of CALs (Client Access Licenses) ensures that organizations using AD will keep paying Microsoft month after month.

How can I calculate the cost of Active Directory?

We have a pretty straightforward equation for estimating the cost of AD:

Costs of Active Directory = servers + software + hosting + backup + security + monitoring + VPNs + IT admin + third-party SW + multi-factor authentication + governance

That said, the real cost of AD for your specific use case is not as straightforward. If you would like access to our directory service ROI calculator, you can request one here.

What size organizations need AD?

The larger a company is, the more likely it is to use Active Directory. Enterprises, universities, and government organizations all need directory services in order to efficiently and securely manage access to their thousands of IT resources.

While smaller organizations have been able to get by without Active Directory (some use Google Workspace or SSO solutions as their user directory), many small teams still choose to implement AD in order to improve security and efficiency. Usually, it’s when an organization grows to about 20 team members that the people responsible for all of the IT infrastructure begin to think that it’s time for directory services.

As organizations grow, the cost and complexity to operate AD can scale dramatically. Many IT organizations have been searching for different ways to address this and ultimately look for Active Directory alternatives.

What are the advantages and disadvantages of Active Directory?

To put it in terms of simple benefits, Active Directory offers these advantages:

- Greater Administrative Control over Windows Resources
- Improved Efficiency for Users and Admins
- More Secure Windows Systems, Networks, and Data
- Reliable and Thorough Reporting for Auditing and Compliance

But Active Directory also comes with its disadvantages:

- Reduced Functionality with Mac and Linux Systems
- Difficult to Configure and Manage
- Requires On-Premises Hardware
- High Upfront Costs
- Limited Connectivity to Cloud Apps and Infrastructure

When is Active Directory needed?

Most anything that Active Directory does can be done on an individual system without Active Directory. For instance, setting up a new user for a laptop or instituting a certain security setting can all be done manually from the OS. But the key word there is manual. Active Directory is needed once an organization has reached a size where manual administration over its systems and IT resources is no longer feasible. The ability for AD to perform group-based management tasks across users and Windows systems, at scale, is what has made it a ‘must-have’ at large organizations.

Another common reason Active Directory is needed is when an organization is subject to auditing and compliance requirements. The stringent security demands of regulatory statutes such as HIPAA, PCI, and GDPR often “force the hand” of organizations that may otherwise not need AD.

As more organizations shift to the cloud, leverage web applications, utilize modern platforms, and more, the need for AD is waning, although the requirement for a holistic identity and access management solution is more critical than ever.

Do I need AD to pass our audit?

This really depends on your compliance needs—are you facing an audit for PCI, HIPAA, SOX, SSAE 16, or ISO? But the short answer is that you never need AD to pass an audit. Generally speaking, directory services can be very helpful in achieving compliance since they can (1) secure identities, (2) limit access to critical resources and data, and (3) simplify the auditing, logging, and reporting processes. That said, Active Directory is only one of an assortment of possible directory solutions that can help boost your security.

Learn more about how our platform helps with security and compliance.

When shouldn’t you use Active Directory?

As many organizations shift to the cloud, the opportunity to use modern cloud directory platforms increases. These can create agility for organizations and save significant costs.

Are there any alternatives to AD?

Yes, there are a few alternatives to Microsoft Active Directory. It all depends on what you want. Some organizations consider manual user and system management a viable alternative to AD. Manual management is feasible up to a point, but it simply doesn’t scale.

The conventional competitor to AD is OpenLDAP™. You can think of this as the open source alternative to AD. But OpenLDAP isn’t really a true alternative to AD. It is a directory service, but it doesn’t match up with AD feature for feature, and the level of technical expertise needed to configure and maintain an OpenLDAP instance is demanding. Specifically, OpenLDAP doesn’t help manage systems (e.g. it lacks the GPO capabilities of AD).

More recently, there are web IAM tools that offer a degree of IAM. So, these are the SSOs of the world, along with major players like Google and their Google Workspace platform for businesses and organizations. That said, the “browser-first” approaches to IAM have always fallen short when it comes to the feature set of true directory services (i.e. user and system management). It would be a stretch to call SSO or Google Workspace an alternative to AD, but if you’re fine with a limited feature set, it’s possible.

You could also consider MDM solutions here. Again, they provide some AD-like capabilities, but fall short of true directory services. They can manage systems, but struggle with user management.

Finally, there are cloud directory services, exemplified by our own cloud directory platform. Think of it as Active Directory and LDAP reimagined for modern IT. Its diverse feature set includes the robust, group-based system management that directory services are known for, but it does it across Windows, Mac, and Linux – securely connecting a single user identity to their workstation, files, networks, and apps – without the need for a domain controller.

Still Looking For Answers? What Did We Miss?

We want this to be an authoritative guide, so if you have any additional questions that we didn’t answer, please reach out to us and let us know. We’re happy to take a swing at additional questions about AD or consider amending an answer if you can shed further light on one of them. That’s the only way we’ll be able to truly make this an ultimate FAQ.

Got questions about our platform or cloud directory services? We’ve got answers for you. If you would like to try it, you can sign up for a free account with 10 users and 10 devices. You’ll also get 10 days of 24×7 Premium in-app chat support.
