Active Directory in nutshell

By | February 1, 2020

Microsoft’s Active Directory is perhaps the most undisputed product in the industry. There is absolutely no other alternative of the Active Directory. Whether you are using Windows or Linux-Like Operating System, you must need AD to setup your organizational structure from scratch.

It was introduced with Windows 2000 Server and till Windows 2003 Server, we used to term it as an “Active Directory”. When Microsoft launched Windows Server 2008, we started using the term called “Directory Services Suite”. It’s a combination of multiple Directory Services products such as – Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS) and Active Directory Lightweight Directory Services (AD LDS). As far as the classic Active Directory is concerned, it’s now called Active Directory Domain Services (AD DS). These 5 products all together creates Directory Services Suite.

When any organization starts, the first thing it needs is the “Identity”. In simple term we need a name by which we can identify the organization. AD DS help us to create the identity of the organization, called the “Domain”. Domain is the logical Boundary of the organization which decides the maximum reach of the organization. Means our domain “” actually represents the company DevOpsAge Technologies, and any object belongs to also belongs to the company. Anything out of the domain has nothing to do with the organization.

If we have more than one domain which belong to a single company, like we normally see in big organization, it forms a “Forest”. For example IBM has offices in US, India and UK and their individual domains are, and respectively. All Child Domains are part of root domain Together all domains including root domain (,, and will form a Forest called In other words we can say the forest has four domains in total, ine root domain and three child domains.

Earlier we had a concept of “Tree” which is gone now. Tree has not become a type of Domain. You have already seen an example of IBM. Now suppose HCL Corporation ( has two companies – HCL Infosystems Ltd. ( and HCL Technologies Ltd. ( Now unlike IBM, all three domains are part HCL Corporation but they don’t include the root domain name with it like IBM.

Means in IBM, all the other domains include the root domain in their name (,, that’s why they are called as “Child Domain”. But in HCL, however both and are part of the forest, but they have their separate domain names and don’t include the root domain in their names. Such kind of structure is called as “Tree Domain”. So in AD DS, there are two types of Domains – Child Domain and Tree Domain.

Now suppose within a domain, you want to create a separate departments for Sales, IT and HR and wants Department Heads can manage their department individually. One way is to create separate domains (, hr.DevOpsAge.ocm) but this will make our infrastructure complex. To address this issue there is a concept of “Organizational Unit” in OU. Within, we can create three separate OU – Sales, HR and IT and delegate their access to respective department heads. This will help us to keep our infrastructure architecture simple.

Till now whatever components of AD DS we have discussed, all are virtual or Logical. Forest, Domain and OU are called the logical structure of AD DS, means we can’t have any physical existence of them. There is only one Physical component in AD DS which is called Site. The Site is the actual Physical locations where we keep our AD DS servers. For example, DevOpsAge has three physical offices in Delhi, Mumbai and Singapore. So withing forest, we will create three Sites – DEL, MUM and SPR which represents the actual physical location and connected with multiple network subnets.

I have mentioned that in physical site, we install our servers. These servers holds the Active Directory Database and called the “Domain Controller” (DC). So Domain Controller is nothing but physical or virtual servers where we install AD DS role. Each working Site must have at-least one DC. Whatever information one DC will have, the exact same information will be synced with all other available DCs and this process is call “Active Directory Replication”.

Active Directory is so huge that it can’t be covered in one article. There are lot many other concepts in AD but this article was just to give you a glimpse about AD. I hope this post will give you an overall idea about Active Directory. If so, please share it with your friends. Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *