What is Active Directory? The shortest answer is: a database. Broadly speaking, it is a database of everything on the network: user accounts, computers, printers, shared resources (that is, shared folders) and so on. Why was it invented? To answer that question, let us recall how it all started.
In the beginning there were personal computers. Then these computers started to be joined into local networks. But even when physically connected, the computers hardly interacted with one another at all. This was held back both by the hardware of the time and by the limited capabilities of the operating systems of that era, and the many third-party programs did not fill the gap either. The first real growth in interaction came with the Windows NT 4.0 operating system. For the mass PC user, NT 4.0 was the first multi-user operating system that genuinely allowed one computer to be used by several users (Unix and the earlier NT 3.x releases could do this, but they were not on ordinary users' desks). A further step in the development of interaction between users on a local network was the appearance of Active Directory. Below I will try to show, in a simplified and schematic way, what the Active Directory system is all about.
As I mentioned above, most personal-computer operating systems before Windows NT 4.0 assumed one user working on one computer. The computer simply booted and the user was offered to run whatever programs he needed. As the power of personal computers grew, new opportunities opened up for operating system developers, and «text» operating systems began to give way to systems with a window interface. This was a big step forward, because the window interface standardized the look and behaviour of programs to a great extent: the user no longer had to learn a separate set of commands for every program, since most actions became STANDARD.
The rapid growth of processor speed, hard disk capacity and so on led to multi-user operating systems. Now the computer did not simply boot: the operating system identified the user by name and password. This made it possible to logically divide the physical resources of one computer among several users and to build a hierarchy of privileges. Users came to be divided into administrators, ordinary users, power users, backup operators and so on. Using one physical computer, each user had access only to the resources granted to him. For example, on the hard disk it became possible to set access rights to files and folders for specific users: some folders a user could only read, others he could also modify, and to some access was denied altogether. The same could be done with printers, scanners and other devices: one user could print to a printer while another had no access to it at all.
Although the situation had improved significantly, there was still a huge problem with interaction between computers and users on a local network. The reason was that the list of users who had access to a computer was stored on that computer itself (on Windows, in its local security database, the SAM). Imagine that you have two computers on your network, each with three users.
On «Computer 1» there is a shared folder «Shared folder 1», which should be accessible from «Computer 2» to the users «Kolya» and «Dasha» for reading and to the user «Zhora» for writing. In this configuration the task is obviously impossible, because there are no such users in the user list of «Computer 1»: «Computer 1» knows only the users «Vasya», «Petya» and «Masha». The dialogue between the two computers looks like this:
Computer 2. Hey, Computer 1, I need access to «Shared folder 1».
Computer 1. And who are you?
Computer 2. I'm «Kolya».
Computer 1. (Looks for a user «Kolya» in its user list and does not find one.) I don't know you. You will be treated as Guest.
As a result, «Kolya», working on «Computer 2», gets to «Shared folder 1» on «Computer 1» only the access that was granted to the «Guest» account. And if the Guest account on «Computer 1» is disabled or denied access, he gets no access at all (on current Windows versions Guest is disabled by default, so this second outcome is the usual one).
The only way out of this situation is to add all the users of «Computer 2» to «Computer 1» as well, with the same user names and the same passwords (if the password differs, the password check below fails just as if the user were unknown). After that the schematic drawing looks roughly like this:
That is, the dialogue between the two computers changes to this (the «password» in the exchange is a simplification: Windows actually uses a challenge-response protocol, NTLM, so the password itself never crosses the network):
Computer 2. Hey, Computer 1, I need access to «Shared folder 1».
Computer 1. And who are you?
Computer 2. I'm «Kolya».
Computer 1. (Looks for «Kolya» in its user list and finds him.) «Kolya», tell me your password.
Computer 2. Here is the password!
Computer 1. (Checks the password.) Excellent! The password matches! (Grants access to «Shared folder 1».)
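To make the two ideas above concrete (per-user rights on files and folders from the multi-user section, and the workgroup workaround of mirroring the accounts of «Computer 2» on «Computer 1»), here is an added PowerShell example; it is not part of the original article. It creates the mirrored local accounts on «Computer 1», then publishes «Shared folder 1» so that «Kolya» and «Dasha» can read and «Zhora» can write. The folder path and share name are assumed for illustration; it needs an elevated PowerShell on Windows 10 / Server 2016 or later (for the LocalAccounts and SmbShare modules).

```powershell
# Added example (not from the original article): on «Computer 1», mirror the
# accounts of «Computer 2» and publish «Shared folder 1» with the permissions
# described in the text. Run elevated on Windows 10 / Server 2016 or later.
# Assumptions: $folder and $share are illustrative values.

$folder = 'C:\Shares\SharedFolder1'   # assumed path
$share  = 'SharedFolder1'             # assumed share name

# Workgroup authentication compares user name AND password against the local
# list, so the password entered here must match the same user's password on
# «Computer 2»; otherwise the "tell me your password" step in the dialogue fails.
$readers = 'Kolya', 'Dasha'
$writer  = 'Zhora'

foreach ($name in $readers + $writer) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $name (must match Computer 2)"
        New-LocalUser -Name $name -Password $pw -PasswordNeverExpires | Out-Null
    }
}

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# NTFS permissions: per-user rights on the folder itself ("this user may only
# read, that one may modify"). Start from a clean ACL so the inherited defaults
# for BUILTIN\Users do not grant more than intended.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')))
foreach ($name in $readers) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $name, 'ReadAndExecute', $inherit, $prop, 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $writer, 'Modify', $inherit, $prop, 'Allow')))
Set-Acl -Path $folder -AclObject $acl

# Share permissions are checked first and NTFS second; the effective right is the
# more restrictive of the two, so grant exactly what each user needs at both layers.
if (Get-SmbShare -Name $share -ErrorAction SilentlyContinue) { Remove-SmbShare -Name $share -Force }
New-SmbShare -Name $share -Path $folder -ReadAccess $readers -ChangeAccess $writer | Out-Null

# Verify what each account ends up with (compare with the dialogue in the text).
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessRight -AutoSize
(Get-Acl $folder).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The Guest fallback from the first dialogue is exactly what the mirrored accounts avoid: once «Kolya» exists locally with the right password, the connection from «Computer 2» is authenticated as «Kolya» and evaluated against his entries in both the share and the NTFS ACL.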
Now imagine solving this problem for a hundred computers, a thousand, tens of thousands, possibly spread around the world geographically. Can you picture it?
That is why Active Directory was created: to solve exactly such problems. I will try to show the essence of the solution in a schematic drawing:
Whereas previously the user list was stored on each computer, in Active Directory all user lists are stored on servers called domain controllers. The user lists and the other information (computers, printers, shared folders, etc.) are replicated to all of the domain controllers. Replication increases the reliability of the store: the failure of one server does not bring down the whole system. Now, when a user logs in to a computer, he is authenticated not by that computer but by one of the domain controllers (a domain-joined computer still keeps its own local user list, but day-to-day work is done with domain accounts). In this way, centralized storage of the user list solves many problems, one of which is access to shared resources.
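As an added example (not from the original article), the following PowerShell looks at the directory as the database the text describes and shows which domain controller authenticated the current session. It runs on any domain-joined machine without extra tooling, using the built-in [adsisearcher] type; it assumes the current user is a domain user with default read access to the directory, and the helper function name is my own.

```powershell
# Added example (not from the original article): query the Active Directory
# database that the domain controllers replicate among themselves.
# Assumptions: domain-joined machine, current user can read the directory
# (any domain user can by default). Get-DirectoryObjects is a helper written here.

# 1. Which domain controller authenticated this logon? Set during logon.
"Authenticated by domain controller: $env:LOGONSERVER"

# 2. The directory itself: one LDAP query per object type the text lists.
function Get-DirectoryObjects {
    param([string]$LdapFilter, [string[]]$Properties = @('name'))
    $searcher = [adsisearcher]$LdapFilter   # binds to the default naming context of the current domain
    $searcher.PageSize = 500                # page results; real domains exceed the 1000-entry server limit
    $Properties | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) { $o[$p] = ($r.Properties[$p] | Select-Object -First 1) }
        [pscustomobject]$o
    }
}

# Users: sAMAccountName is the logon name the dialogue in the text calls «Kolya».
Get-DirectoryObjects '(&(objectCategory=person)(objectClass=user))' 'samaccountname','distinguishedname' |
    Format-Table -AutoSize
# Computers joined to the domain (each has its own account and password, rotated automatically).
Get-DirectoryObjects '(objectClass=computer)' 'name','operatingsystem' | Format-Table -AutoSize
# Shared folders and printers published in the directory.
Get-DirectoryObjects '(objectClass=volume)'     'name','uncname'    | Format-Table -AutoSize
Get-DirectoryObjects '(objectClass=printQueue)' 'name','servername' | Format-Table -AutoSize

# 3. The domain controllers that hold the replicated copies
#    (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT, matched with the LDAP bitwise-AND rule).
Get-DirectoryObjects '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' 'dnshostname' |
    Format-Table -AutoSize
```

Every query above can be pointed at any of the domain controllers from the last step and return the same answer, which is the replication the text describes; a single workgroup computer has no equivalent to ask.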
Another important feature of Active Directory is the mechanism of group policies. Simply put, this is a detailed set of rules that computers and users follow. For many of us the existence of this rule set remains a mystery, and many people simply do not notice or know that it exists, even though these rules exist and work even on computers that are not connected to Active Directory (there they are called the local policy).
When a computer is joined to Active Directory, the local rule set is supplemented by a centralized one (Group Policy), and wherever the two conflict the centralized setting wins. This is applied every time the computer boots and the user logs on, and then again at regular intervals (by default every 90 minutes, plus a random offset of up to 30 minutes). This periodic re-application finds and reverts the situation where a user has changed a centrally managed setting to his own liking. In this way computers joined to Active Directory can be centrally configured, maintained, diagnosed and so on.
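An added example (not from the original article) for seeing the central rule set at work on a domain-joined computer: which policies are applied, how often they are refreshed, and how a policy-managed setting differs from the user's own preference. It assumes an administrative PowerShell session; the registry value names are those Windows writes for the «Set Group Policy refresh interval for computers» setting and are absent when the default applies, and the helper function is my own.

```powershell
# Added example (not from the original article): observe Group Policy on a
# domain-joined computer. Assumptions: run as an administrator; the screen-saver
# timeout is used only as an illustrative policy-managed setting.

# 1. Which GPOs are applied to this computer and to this user, and which were filtered out.
gpresult /r /scope computer
gpresult /r /scope user

# 2. How often the rules are re-applied in the background.
function Get-PolicyRefreshInterval {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $set = $null -ne $v -and $null -ne $v.GroupPolicyRefreshTime
    [pscustomobject]@{
        BaseMinutes         = if ($set) { [int]$v.GroupPolicyRefreshTime } else { 90 }
        RandomOffsetMinutes = if ($set -and $null -ne $v.GroupPolicyRefreshTimeOffset) { [int]$v.GroupPolicyRefreshTimeOffset } else { 30 }
        Source              = if ($set) { 'policy' } else { 'default' }
    }
}
Get-PolicyRefreshInterval

# 3. Policy-managed settings live under the Policies registry keys, which ordinary
#    users cannot write. Changing the equivalent preference elsewhere does not change
#    the effective setting, and the next refresh re-applies the policy value anyway.
$policy = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
$pref   = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
"ScreenSaveTimeOut  policy: $($policy.ScreenSaveTimeOut)  user preference: $($pref.ScreenSaveTimeOut)"

# 4. Do not wait for the interval: re-apply now, then re-run gpresult to confirm.
gpupdate /force
```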
I also want to say something about time separately. Time is the foundation of Active Directory. Since all processes must be synchronized, time is very important! Computers connected to Active Directory automatically synchronize their clocks with the domain controllers. If, when the computer is switched on, its clock differs significantly from the domain controller's (by 5 minutes or more, which is the default clock skew tolerated by Kerberos, the authentication protocol of the domain), the user will not be able to log on to the domain: Kerberos refuses the request until the clock is corrected. This is how an Active Directory system can be schematically depicted.
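An added example (not from the original article) that checks the point above in practice: where a domain member gets its time from, how far its clock is from the domain controller that authenticated it, and how to resync when the difference approaches the Kerberos tolerance. It assumes an administrative PowerShell session on a domain-joined machine, and that w32tm prints its /dataonly samples as «HH:mm:ss, +00.0123456s» lines, which the regex below parses; the helper function is my own.

```powershell
# Added example (not from the original article): verify this computer's clock
# against its domain controller and the Kerberos skew limit.
# Assumptions: administrative session, domain-joined machine; the regex relies on
# the "HH:mm:ss, +00.0123456s" line format of w32tm /stripchart /dataonly.

$maxSkewSeconds = 300   # default Kerberos "Maximum tolerance for computer clock synchronization"

# 1. Where does this machine get its time from? A domain member should report a
#    domain controller, not "Local CMOS Clock" or "Free-running System Clock".
w32tm /query /source

# 2. Measure the offset against the DC that authenticated us (LOGONSERVER is "\\NAME").
function Get-ClockOffsetSeconds {
    param([string]$Server)
    $lines = w32tm /stripchart /computer:$Server /samples:5 /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples from $Server (output: $($lines -join ' '))" }
    ($offsets | Measure-Object -Average).Average
}

$dc = $env:LOGONSERVER.TrimStart('\')
$offset = Get-ClockOffsetSeconds -Server $dc
"Offset from $dc : {0:N3} s" -f $offset

# 3. Act on it: beyond the tolerance, Kerberos tickets are refused until the clock is fixed.
if ([math]::Abs($offset) -ge $maxSkewSeconds) {
    "Skew exceeds $maxSkewSeconds s: forcing a resync"
    w32tm /resync /force
} else {
    "Within Kerberos tolerance"
}
```

A practitioner would also keep an eye on the other direction: the domain controllers themselves take their time from the PDC emulator, so a wrong clock there moves every member's clock with it and is the first thing to check when many users suddenly cannot log on.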