What Is Active Directory?



By Bill O'Brien, ZDNet > Help & How-To, January 31, 2000 1:44 PM PT
URL: http://www.zdnet.com/zdhelp/stories/main/0,5594,2430231,00.html

Microsoft's new Active Directory service is one of the central components of Windows 2000. So central is it, in fact, that maximizing your use of Windows 2000—and your business—depends on your being able to understand what it is and how it works.

What Makes It So Active?
It might be easiest to get a handle on the basic Active Directory concepts by taking a look at another "active" service Microsoft has created—the Active Desktop in Windows 98. Visually, it's a desktop metaphor with objects, typically those that you use most often, displayed on your screen. Add Windows Explorer to that and now you have access to all of the files on all of the disks in your computer. As well as access, however, you also have control. You can keep the desktop as a traditional double-click environment or make it react as a Web page for single-click access. Right-click on an object and you'll find options that let you modify or explore it in a variety of ways. The process is a lot simpler than hunting through multiple hard drives, typing in pathnames, and generally working on a hit-or-miss basis.

Let's take that basic single-system, single-directory structure and apply the idea to Windows 2000. Remember that this is a business operating system, the current successor to Windows NT. Its platform is a network environment, in both the traditional server-with-workstations and server-to-server configurations. You sit at the console of your server. You have a local directory. You have workstations with their directories. You have servers that control Internet access and print servers as well. You have a tremendous number of resources to monitor and maintain. And in a wide area network (WAN) some of these resources may not even be local to you. That's hardly an atypical network scenario, and it produces a tangle of specialized directories that require time and effort to manage.

Active Directory acts as a focal point for these resources and services. It will permit users to log on to different systems without needing a catalog of passwords and accounts to accommodate them. In effect, while you'll probably only hear it described as Active Directory, the word "Service" should be tacked on to the end of that name. It's a dynamic construct, not just a static list. It contains both the directory structure of the network and the ability to manipulate the items within it transparently—without the need to know where they are in the network or how they're physically connected.

What Does Active Directory Do?

If you ask Microsoft what its Active Directory Service does it would most likely ramble on about containers, trees, forests, and things equally esoteric. Instead, let's sneak up on it from the side, by example.

Take the average medium-sized company composed of administration, marketing, sales, service, and human resources divisions. Microsoft would tell you that each of these divisions would be defined in their own "containers" under Active Directory. Because it's a hierarchical construct, the various containers would contain trees (as would a traditional directory structure).

Assume at some point that the marketing software needs to be revised. Under typical network procedures, an IT technician would go to each of the marketing workstations and install the revisions. Whether the workstation was down the hall, across the street, or in another state, the task would normally require a physical presence to be accomplished. Not so with Active Directory. Instead, having defined all of the marketing personnel, you could simply grant them access to the revised software en masse, from your console, and they would have it. The same would apply to granting access to disk drives, printers, and telecommunications servers—or any device on your network. It's not just limited to software.

Better still, if one of your marketing people transfers from down the hall to across the state (or country, or world), Active Directory, in conjunction with IntelliMirror management technologies, will automatically install assigned applications and permissions to the terminal from which that person is working when he or she logs in. No one needs to go onsite and do the setup work manually. Your network becomes user-centric rather than workstation-centric.

Active Directory employs that user-centric concept to help maintain network security as well. You won't need to establish separate security models for those accessing your system from within, via your intranet, and from without, through the Internet. Once a user is authenticated and logged on, the permission and restriction levels granted to that user carry over no matter what the log-on point might be. The reverse is equally reassuring: without that user authentication there are no implicit or explicit permissions granted simply by the location of the workstation.

As carefree as that sounds, however, it also means that users will need to be doubly attentive about accidentally distributing their network identities to unauthorized individuals. Then again, there has yet to be a lock made that wouldn't open to someone with the proper key.

Where's Active Directory Going?

If the concept of a user-centric model has evoked a nagging sense of familiarity, it should. It's an Internet model. If you have an Internet account, once you've been authenticated through your ISP, no matter where you are when you log on, you have the same level of permissions available to you as you would from wherever your usual log-on point might be. You can access your mail and Internet-stored files, and, if you've set up any of the personalized Web pages available, that page will appear the same everywhere you go. As with Active Directory, your log-on location is transparent. This is not an accident.

The Internet is a TCP/IP network, and every destination within it is a domain under a hierarchical access system. (Just as "the Internet" isn't really one place but rather a giant domain which is the collection of all of the other domains under it.) To get back to Microsoft's technical explanation, it's an inverted tree with the root being the DNS access name, followed by parent and child domain names forming the branches and leaves. For example, you type in "www.zdnet.com" and the Domain Name System (DNS) translates that name into its correct Internet Protocol (IP) address, the four numbers separated by periods that you'll often see, and you're connected to the ZDNet root—if you're authorized to do so.

A system running the Windows 2000 Server operating system is effectively a domain controller. Active Directory uses DNS and IP addresses to allow processes running on computers in TCP/IP networks to identify and connect to one another. Each of the four numbers in the IP address represents a potential Active Directory domain name. And Active Directory is based on standard directory access protocols (such as Lightweight Directory Access Protocol, or LDAP)—which means it can interoperate with other directory services employing these protocols, just as is done on the Internet.
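To make the two ideas above concrete, here is a small model, added here and not part of the original article or of Microsoft's code, of a directory laid out as LDAP-style containers under a DNS-rooted domain name. It shows a grant made once on the marketing container reaching every member, effective permissions following the authenticated user rather than the workstation, and an unauthenticated request receiving nothing regardless of where it comes from. The domain name, users, passwords and resource names are constructed sample values; the class and function names are this example's own.

```python
import hmac
from dataclasses import dataclass, field


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to the domain-component DN form used by LDAP directories
    (e.g. "zdnet.com" -> "DC=zdnet,DC=com")."""
    return ",".join(f"DC={label}" for label in dns_name.split("."))


@dataclass
class Directory:
    domain: str                                      # DNS name of the domain (constructed)
    containers: dict = field(default_factory=dict)   # container DN -> set of member names
    grants: dict = field(default_factory=dict)       # container DN -> set of granted resources
    credentials: dict = field(default_factory=dict)  # user name -> password (sample only)

    def add_container(self, ou: str) -> str:
        """Create a division container (an OU) directly under the domain root."""
        dn = f"OU={ou},{dns_to_dn(self.domain)}"
        self.containers.setdefault(dn, set())
        self.grants.setdefault(dn, set())
        return dn

    def add_user(self, name: str, password: str, container_dn: str) -> str:
        """Place a user object inside a container; returns its distinguished name."""
        self.containers[container_dn].add(name)
        self.credentials[name] = password
        return f"CN={name},{container_dn}"

    def grant(self, container_dn: str, resource: str) -> None:
        """One grant on the container reaches every member en masse."""
        self.grants[container_dn].add(resource)

    def authenticate(self, name: str, password: str) -> bool:
        # A real domain controller uses Kerberos or NTLM, never plaintext comparison;
        # this constant-time check stands in for that exchange in the model.
        stored = self.credentials.get(name)
        return stored is not None and hmac.compare_digest(stored, password)

    def permissions(self, name: str, password: str, workstation: str) -> set:
        """Effective permissions for a log-on attempt. The workstation is accepted but
        deliberately ignored: rights follow the authenticated user, not the location."""
        if not self.authenticate(name, password):
            return set()  # no implicit rights from the log-on point alone
        allowed = set()
        for dn, members in self.containers.items():
            if name in members:
                allowed |= self.grants[dn]
        return allowed
```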

You're still going to spend a phenomenal amount of time developing your site for e-Business, but, once you're done, letting the outside world access it will be a snap. The routing and access permissions for Internet visitors are built into Active Directory. You can then define your customers with different access permissions than would apply to first-time browsers, create personal Web pages, storage areas, whatever—just as easily as you could if you were administering a LAN, thanks to Active Directory.