What Is Active Directory? Definition, Services, and Key Concepts Explained

Active Directory (AD) is Microsoft’s directory service for managing users, computers, and access permissions across a network. First introduced with Windows 2000 in 1999, it remains the dominant identity management system in enterprise Windows environments. Most organizations with more than a handful of employees rely on Active Directory to control who can access what — from shared files to printers to cloud services.

What is Active Directory?

Active Directory is a hierarchical database of objects — users, computers, printers, groups, and other network resources — organized so that administrators can manage permissions and access from a single centralized location. Its two core functions are authentication (verifying who a user is) and authorization (determining what that user is allowed to do).

Every object in Active Directory has a name, a data type, and a set of properties. A user object, for example, stores a username, password, email address, department, and phone number. When a user logs in to a Windows computer joined to the domain, Active Directory validates their credentials and grants or restricts access based on the permissions assigned to their account or group.

According to Microsoft’s official documentation, Active Directory Domain Services (AD DS) is the foundation for managing identity and access in Windows Server environments, and it integrates directly with Group Policy, DNS, and Microsoft’s cloud platform Azure AD.

Active Directory services

Active Directory is not a single product — it’s a collection of directory services, each handling a specific administrative function.

Active Directory Domain Services (AD DS)

AD DS is the core service. It stores centralized data about users, computers, and groups, and manages authentication and communication across domains. This is what most people mean when they refer to “Active Directory” in a general sense. AD DS controls logon processes and searches across the network.

Active Directory Certificate Services (AD CS)

AD CS issues and manages digital certificates — the credentials that bind a user, computer, or service to a public key and underpin encrypted, authenticated communication between users and systems. Certificates enable secure communication over public networks using public key infrastructure (PKI), and AD CS controls which users and systems can enroll for which types of certificate and revokes certificates that should no longer be trusted.

Active Directory Lightweight Directory Services (AD LDS)

AD LDS supports applications that require directory data but don’t need a full domain controller. It shares the same codebase as AD DS and supports Lightweight Directory Access Protocol (LDAP), making it useful for custom applications that need to store and retrieve directory information independently from the main domain.

Active Directory Federation Services (AD FS)

AD FS enables Single Sign-On (SSO) across multiple applications and networks. Once a user authenticates through AD FS, they can access authorized applications on different networks without logging in again. This is widely used for integrating on-premises systems with cloud services and third-party applications.

Active Directory Rights Management Services (AD RMS)

AD RMS manages data access rights at the content level. It encrypts content on servers — including emails, Word documents, and other files — so that only authorized users can open or modify them, regardless of where the files are stored or sent.

Key concepts in Active Directory

Domain

A domain is a logical grouping of objects — users, computers, devices — that share the same Active Directory database and DNS namespace. Everything within a domain shares the same security policies and authentication database. The domain is the fundamental administrative unit in AD.

Tree

When two or more domains are connected in a hierarchical chain, they form a tree. Domains in a tree share a contiguous namespace — for example, sales.company.com and hr.company.com both belong to the parent domain company.com. Domains in a tree automatically trust each other, which simplifies authentication across related parts of an organization.

Forest

A forest is the highest-level structure in Active Directory, consisting of one or more trees that share a common schema, global catalog, and directory configuration. All trees within a forest share a common trust relationship. Large organizations with multiple distinct business units often use separate trees within a single forest.

Organizational Unit (OU)

Organizational units are containers within a domain that hold users, computers, groups, and other OUs. They exist primarily to organize objects for administrative purposes and to apply Group Policy settings to specific subsets of users or machines. Unlike domains, OUs don’t establish trust relationships — they’re purely for administrative delegation and policy application.

Domain Controller (DC)

A domain controller is the server running Active Directory Domain Services. It authenticates logons, enforces security policies, and replicates directory information to other domain controllers in the domain. Most production environments run at least two domain controllers for redundancy — if one fails, the other continues to handle authentication without interruption.

Global Catalog

The global catalog is a distributed data repository that stores a partial replica of all objects in every domain within a forest. It enables fast, forest-wide searches — for example, finding a user by name when you don’t know which domain they belong to. At least one domain controller in each forest must hold the global catalog role.

LDAP

Lightweight Directory Access Protocol (LDAP) is the industry-standard protocol that Active Directory uses for communication between clients and the directory. LDAP is open and cross-platform, which is why many non-Microsoft applications can authenticate against Active Directory using LDAP — including Linux systems, network devices, and web applications.

DNS integration

Active Directory relies heavily on DNS. Domain controllers register their services as DNS Service Resource Records (SRV records), which client computers use to locate domain controllers on the network. Without functioning DNS, Active Directory authentication and replication fail. This is why AD environments almost always use internal DNS servers configured to manage AD-specific records.
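The SRV-based domain controller lookup described above, worked through in Python as an added example (not code from the article or from Microsoft): the record names follow the _msdcs convention clients query, the zone data is a constructed sample for a fictional company.com, and the final function is a defender-side check for DCs whose records are missing, which is the failure mode the paragraph warns about.

```python
import random
from collections import namedtuple

# One DNS SRV record: owner name plus the RFC 2782 priority/weight/port/target fields.
SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed sample zone data for a fictional company.com; dc01 is also registered for site HQ.
SAMPLE_SRV = [
    SrvRecord("_ldap._tcp.dc._msdcs.company.com", 0, 100, 389, "dc01.company.com"),
    SrvRecord("_ldap._tcp.dc._msdcs.company.com", 0, 100, 389, "dc02.company.com"),
    SrvRecord("_ldap._tcp.dc._msdcs.company.com", 10, 100, 389, "dc03.company.com"),
    SrvRecord("_kerberos._tcp.dc._msdcs.company.com", 0, 100, 88, "dc01.company.com"),
    SrvRecord("_kerberos._tcp.dc._msdcs.company.com", 0, 100, 88, "dc02.company.com"),
    SrvRecord("_ldap._tcp.HQ._sites.dc._msdcs.company.com", 0, 100, 389, "dc01.company.com"),
]

def dc_locator_name(domain, service="ldap", site=None):
    """Build the _msdcs SRV name a client queries; site-scoped when a site is given."""
    if site:
        return f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_{service}._tcp.dc._msdcs.{domain}"

def order_by_rfc2782(records, rng=None):
    """Lowest priority first; within one priority, weighted-random order (RFC 2782)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            weights = [r.weight for r in bucket]
            pick = rng.choices(bucket, weights)[0] if sum(weights) else rng.choice(bucket)
            ordered.append(pick)
            bucket.remove(pick)
    return ordered

def find_domain_controllers(records, domain, service="ldap", site=None, rng=None):
    """Mimic the DC locator: prefer DCs registered for the client's site, else domain-wide."""
    names = ([dc_locator_name(domain, service, site)] if site else []) + [dc_locator_name(domain, service)]
    for name in names:
        matches = [r for r in records if r.name.lower() == name.lower()]
        if matches:
            return [(r.target, r.port) for r in order_by_rfc2782(matches, rng)]
    return []  # no records at all: the "DNS broken, logons fail" case

def missing_registrations(records, domain, expected_dcs, services=("ldap", "kerberos")):
    """Defender check: DCs lacking a domain-wide SRV record for a required service."""
    present = {(r.target.lower(), s) for s in services for r in records
               if r.name.lower() == dc_locator_name(domain, s).lower()}
    return sorted((dc, s) for dc in expected_dcs for s in services if (dc.lower(), s) not in present)
```

Running `missing_registrations` against a real zone requires querying the SRV names yourself; in the sample, dc03 has no `_kerberos` record and so would be reported.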

Active Directory objects

Objects are the individual entries stored in Active Directory. Common object types include:

  • User — stores account credentials, contact details, and group memberships for each person in the organization
  • Computer — represents each machine joined to the domain, including its OS version and last logon information
  • Group — a collection of users, computers, or other groups used to assign permissions to multiple accounts at once
  • Contact — stores details for external parties (vendors, partners) who are not domain users but need to appear in the directory
  • Shared Folder — a published pointer to a shared network folder that users can discover through AD searches

How Active Directory works in practice

When a user sits down at a domain-joined computer and types their username and password, the workstation contacts a domain controller and authenticates using the Kerberos protocol. Kerberos does not send the password across the network: the client proves knowledge of a key derived from it, and the domain controller, acting as the Kerberos Key Distribution Center (KDC), validates that proof against its copy of the AD database and issues a ticket-granting ticket that is exchanged for service tickets as the user accesses network resources during their session.

Group Policy Objects (GPOs) — sets of configuration rules applied through Active Directory — control the environment that user lands in: which desktop wallpaper appears, which applications they can install, which network drives map automatically, and which USB devices are permitted. GPOs can be applied at the domain, OU, or site level, giving administrators granular control over the user experience without touching each machine individually.
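The precedence question the paragraph leaves open (which setting wins when site, domain, and OU policies conflict) worked through in Python, as an added example rather than anything from the article: the GPO names and settings are constructed, and the model applies the standard Site, Domain, OU processing order while leaving out local policy, enforced links, and blocked inheritance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gpo:
    name: str
    settings: dict  # setting name -> value; a stand-in for the policy's registry keys

# Constructed example: a user whose object sits in OU=Sales,OU=Staff under company.com,
# logging on from a computer in site HQ. None of these GPOs are real.
SITE_GPOS = [Gpo("HQ-Site-Proxy", {"proxy": "proxy.hq.company.com"})]
DOMAIN_GPOS = [Gpo("Default Domain Policy",
                   {"usb_storage": "allowed", "wallpaper": "corp.jpg", "proxy": "proxy.company.com"})]
OU_CHAIN_GPOS = [  # root OU first, the object's own OU last; each list in link-order precedence
    ("Staff", [Gpo("Staff-Baseline", {"usb_storage": "blocked", "screensaver_timeout": 900})]),
    ("Sales", [Gpo("Sales-Drives", {"drive_s": r"\\files\sales", "wallpaper": "sales-link1.jpg"}),
               Gpo("Sales-Wallpaper", {"wallpaper": "sales-link2.jpg"})]),
]

def resultant_policy(site_gpos, domain_gpos, ou_chain):
    """Compute effective settings using Group Policy's processing order: Site, Domain,
    then OUs from the root OU down to the object's own OU. Scopes processed later win
    any conflict. Within one scope the list is in link-order precedence (link order 1
    first), so it is applied in reverse and link order 1 wins. Local policy, enforced
    links and blocked inheritance are deliberately omitted from this model.
    Returns (effective_settings, winning_gpo_per_setting)."""
    effective, winner = {}, {}
    scopes = [("Site", site_gpos), ("Domain", domain_gpos)]
    scopes += [(f"OU:{ou}", gpos) for ou, gpos in ou_chain]
    for scope, gpos in scopes:
        for gpo in reversed(gpos):  # lowest link order applies last and therefore wins
            for key, value in gpo.settings.items():
                effective[key] = value
                winner[key] = f"{gpo.name} ({scope})"
    return effective, winner
```

Tracking the winning GPO per setting is what makes a resultant-policy report useful when auditing why a machine ended up with a weaker setting than the domain baseline intended.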

Managing the security posture of an AD environment is one of the more complex IT responsibilities an organization faces. If you’re thinking about broader cybersecurity practices beyond directory management, this guide on protecting your business from common cybersecurity threats covers complementary defensive measures.

Active Directory vs. Azure Active Directory

Azure Active Directory (Azure AD, now called Microsoft Entra ID) is Microsoft’s cloud-based identity platform. It handles authentication for Microsoft 365, Azure, and thousands of third-party SaaS applications. Despite the similar name, Azure AD is architecturally different from on-premises Active Directory — it doesn’t use domains, trees, forests, or Group Policy in the traditional sense.

Microsoft released Azure AD Connect in late 2016 to synchronize on-premises Active Directory with Azure AD, enabling SSO across both environments. Most hybrid organizations run both: on-premises AD for managing Windows servers and workstations, and Azure AD for cloud services and remote access. Azure AD Connect bridges those two identity stores so users need only one set of credentials.

Alternatives to Active Directory

Active Directory isn’t the only directory service available, though it dominates in Windows environments. Comparable options include:

  • JumpCloud — a cloud-native directory platform designed to replace on-premises AD in organizations moving away from Windows-centric infrastructure
  • Red Hat Directory Server — an LDAP-based directory service for Unix and Linux environments, supporting certificate-based authentication similar to AD
  • Apache Directory Server — an open-source LDAP server for organizations that need a lightweight, self-managed directory
  • OpenLDAP — the most widely used open-source LDAP implementation, often used in Linux environments and for custom application integration

Frequently asked questions about Active Directory

What is Active Directory used for?

Active Directory is used to manage users, computers, and permissions across a Windows network from a centralized location. Its primary functions are authentication — verifying who a user is — and authorization — determining what resources that user can access. It also enables administrators to apply configuration policies to groups of users and computers simultaneously through Group Policy.

What is the difference between a domain and a forest in Active Directory?

A domain is the basic administrative unit in Active Directory, containing users, computers, and objects that share a common database and security policy. A forest is the highest-level structure, consisting of one or more domains that share a common schema, global catalog, and trust relationship. A single-domain organization has one domain and one forest; large enterprises may have dozens of domains organized across multiple forests.

What is a Domain Controller?

A domain controller is a server running Active Directory Domain Services. It authenticates user logon requests, enforces security policies, and replicates directory data to other domain controllers in the domain. Organizations typically deploy at least two domain controllers per domain for redundancy — if one goes offline, the other continues to serve authentication requests without interruption.

What are Group Policy Objects?

Group Policy Objects (GPOs) are sets of configuration settings that administrators use to control the behavior of users and computers in an Active Directory environment. A GPO can enforce password complexity requirements, map network drives automatically, install software silently, restrict application access, and configure desktop settings — all applied centrally without touching individual machines.

What is LDAP in the context of Active Directory?

LDAP (Lightweight Directory Access Protocol) is the communication protocol that applications use to query and modify data stored in Active Directory. It’s an open standard, which means non-Windows systems and applications — including Linux servers, network printers, and web applications — can authenticate against Active Directory using LDAP, making AD useful in mixed-OS environments.

What is the difference between Active Directory and Azure Active Directory?

On-premises Active Directory manages users and computers in a Windows domain network using domains, forests, and Group Policy. Azure Active Directory (now Microsoft Entra ID) is a cloud-based identity service for Microsoft 365 and Azure that doesn’t use the same domain/forest structure. Most organizations run both and synchronize them using Azure AD Connect, giving users a single set of credentials for both on-premises and cloud resources.