What is Active Directory domain (AD domain)?
An Active Directory domain (AD domain) is a collection of objects within a Microsoft Active Directory network. An object can be a single user or a group, or it can be a hardware component, such as a computer or printer. Each domain holds a database containing object identity information.
AD is the foundation of most modern Windows-based network management. It's part of the Windows Server family of operating systems (OSes). Conceptually, AD is often visualized as a classic telephone directory where users can look up anyone with a telephone and know their location and the number at which to reach them.
In practice, AD is fundamentally a database designed to hold all the relevant information about users and endpoints -- such as servers and storage -- across the enterprise network. AD also provides a suite of directory services that associate those network resources with their network addresses, ensuring that information is available to the entire network. In addition, AD handles security, such as authentication, to ensure that only valid users are allowed onto the network and authorization to ensure that valid users can only access resources to which they're entitled.
A domain is a logical grouping of the objects held within Active Directory. Objects within a domain share common administration, security and protection behaviors. IT staff are responsible for managing objects within a domain and an enterprise can establish numerous domains. Every Active Directory domain requires a domain controller (DC). A collection of AD domains is called a forest.
A DC is any conventional computer server that runs Active Directory Services software. The DC uses data stored in AD for authentication, authorization, policy administration and group management. Domain controllers can also store a global catalog of all objects in the forest to allow global searches. This DC is called a global catalog server.
It's important to note that a DC is a mission-critical business resource. If the DC server or database fails, the network and its resources could become inaccessible to users. An organization typically runs two or more DCs operating in tandem to share the network traffic load and provide operational resilience. Domain controllers each maintain an independent copy of the AD database, and the controllers automatically synchronize with each other using replication.
How does AD domain work?
A domain is a label or category that represents a logical grouping of objects or resources that Active Directory manages. Most enterprise admins won't create domains often, as domains are typically long-term entities that rarely change. However, administrators might need to add new domains periodically as the enterprise grows and organizational demands evolve. For example, a business adopting Office 365 might need to add a new domain to AD.
The process of adding a domain involves the following steps:
- Log into the current domain controller.
- Access the Active Directory Domains and Trusts dialog.
- Select Properties for Active Directory Domains and Trusts by right clicking the top button in the left tree view and selecting Properties from the dropdown menu.
- Add the new domain name to the Alternative UPN Suffixes field in the UPN Suffixes dialog.
- Click Apply and close the windows. The domain is now added to the selected domain controller.
Admins can also opt to select replication options for other domain controllers. Once completed, the new domain name can be used in Active Directory. Adding a new domain name won't affect any users, and new users and other objects can be added to the domain as required.
Active Directory Domains and Trusts is only one tool for managing domains and Active Directory. Other native tools can be installed using Remote Server Administration Tools and include the following:
- Active Directory Administrative Center.
- Active Directory Sites and Services.
- Active Directory Users and Computers.
- Active Directory Service Interfaces Edit.
- Active Directory module for Windows PowerShell.
How is Active Directory structured?
Active Directory is structured like a tree. The easiest way to understand the various concepts in AD structure is to consider the five major elements of the AD tree.
An object is the lowest-level, or most granular, logical unit of an AD structure. An object can be a user account, a computer or server, a group, a share such as a storage volume or a device such as a printer. Every object can have one or more attributes that detail their specific properties and limitations.
Organizational units and groups
Objects within AD are organized into logical groupings called organizational units (OUs). OUs are also considered objects for the purpose of AD management but allow administrators to better organize the objects within AD. OUs can be nested, meaning one OU can hold other OUs. However, an object can only be placed in one OU at any time.
Groups are a different way of organizing objects within AD. A group is a collection of objects, such as users, where a group grants the objects common properties such as permissions. For example, users placed within a group can all receive access to certain file shares. Objects can be members of more than one group. Groups objects can be placed into OUs.
A domain is a logical grouping of objects, which can include individual objects, such as computers, as well as groups and OUs. A domain typically exists within a physical network, such as a corporate local area network, and is managed by an admin or admin team. An organization can easily have two or more domains. For example, a business with multiple physical offices might have a domain for each physical office, such as "us.company.com" for the U.S. location and "eu.company.uk" for the U.K. office location.
Domains can be organized into trees. For example, a business with multiple domains at a given site might organize those domains into a single tree for organizational purposes. A tree allows all domains to share a common schema, or design, and global catalog for better searchability.
Trees can be organized into forests. For example, a business with trees of multiple domains established at various global locations can collect those trees into a single administrative forest which represents the entirety of the enterprise. A forest is the top security boundary for AD, and no trust is established with any other forest unless that trust is explicitly created by admins of each different forest.
What is Active Directory Domain Services?
Active Directory Domain Services (AD DS) is the principal service within Active Directory. AD DS stores and manages information about users, services and other objects connected to the network -- while providing a central point of administration for all network activities. The servers that host AD DA are domain controllers and an organization can host multiple redundant DCs.
AD DS is so common and vital to Active Directory that discussions around AD typically refer to AD DS. However, Active Directory also provides the following suite of complementary services beyond AD DS:
- Active Directory Lightweight Directory Services. These provide directory services for applications.
- Active Directory Lightweight Directory Access Protocol. This provides the interface between users and directory services.
- Active Directory Certificate Services. These manage the digital certificates used in encryption technologies.
- Active Directory Federation Services. These provide single sign-on capabilities.
- Active Directory Rights Management Services. These provide detailed control over documents and other content as well as other tools for content security and control.
A domain name is a text designation that maps to a corresponding IP address that identifies a network element. The domain name is the human-readable text, while the IP address is the precise network location. For example, the IP address of a company web server might appear as 192.0.2.2, but the domain name for the company appears as "mycompany.com." The domain name system (DNS) lets human-readable domain names be translated to corresponding IP addresses.
Managing servers might require admins to identify the server's fully qualified domain name (FQDN). A FQDN includes a server name along with the domain name such as "mail.mycompany.com." The FDQN for a Windows server can be located using the following steps:
- Open the Start menu and type "device name."
- Click the View Your PC Name menu.
- Select Advanced system settings.
- The "Full computer name" entry in the Computer Name tab should display the FQDN if appropriate.
Alternatively, start Windows Terminal and type the ipconfig /all command at the command prompt to display the complete Windows IP configuration, including the hostname, primary DNS suffix and connection-specific DNS suffix related to the computer.
Learn how the DNS name resolution process is essential for resolving hostnames, querying servers and locating IP addresses.