Understanding Active Directory in Windows 2000 Server
Posted: (EET/GMT+2)
Windows 2000 Server introduced Active Directory (AD for short), a directory service that changes how users and computers are managed centrally. Instead of the flat account database held on an NT 4.0 primary domain controller plus separate local account lists on each member server, you now have a single centralized directory service for the whole domain.
Active Directory stores information about users, computers, groups and other resources as objects in a hierarchical, LDAP-accessible store. Authentication, authorization and configuration policy can all be managed from one place.
At the core are a few key concepts: domains, domain controllers, organizational units and Group Policy. Here is a quick summary of each:
- Domain
  - A logical and security boundary for users, computers, and policies, named by its DNS name
  - Managed by one or more domain controllers
- Domain Controller (DC)
  - Server running the Active Directory services, including the Kerberos KDC
  - Authenticates logons and answers directory (LDAP) queries
- Organizational Unit (OU)
  - Container for grouping objects inside a domain; OUs can be nested
  - Used to link Group Policy and to delegate administration over a subset of objects
- Group Policy
  - Central way to configure user and computer settings, linked at domain or OU level
  - Settings from a lower level override those inherited from above
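The override rule in the list above has three qualifiers that bite in practice: within one container a lower link order wins, an OU can be set to Block Policy Inheritance, and a link marked No Override (enforced) is never blocked and beats everything below it. The following is an added example, not code from the original post or from Microsoft, that computes the resultant set of policy for an object from its distinguished name under those rules. The DNs, GPO names and setting keys are made up for illustration; local policy and site-level links, which a real client also processes, are left out.

```python
"""Resultant Group Policy for an object, following the Windows 2000 rules:
domain first, then each OU from the top of the tree down; later settings
overwrite earlier ones; 'Block Policy Inheritance' on an OU drops every
non-enforced GPO linked above it; 'No Override' (enforced) links are never
blocked and are applied last, the highest-level one winning.
Local policy and site links are omitted (simplification for this example)."""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    name: str
    settings: dict          # setting key -> value configured by this GPO
    link_order: int         # 1 = highest precedence within one container
    enforced: bool = False  # "No Override" in Windows 2000 terminology


@dataclass
class Container:
    dn: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def containers_for(object_dn: str) -> list:
    """Walk an object DN to the container DNs that can carry GPO links,
    domain root first. Default containers such as CN=Computers cannot
    have links, so only OU= and the DC= root are kept."""
    rdns = object_dn.split(",")
    chain = []
    for i in range(1, len(rdns)):
        suffix = ",".join(rdns[i:])
        if rdns[i].upper().startswith("OU="):
            chain.append(suffix)
        elif rdns[i].upper().startswith("DC="):
            chain.append(suffix)  # domain root; the rest is DC components
            break
    return list(reversed(chain))


def resultant_policy(object_dn: str, directory: dict):
    """Return (merged settings, GPO names in the order they were applied).

    directory maps container DN -> Container; containers without an entry
    have no links and do not block inheritance."""
    conts = [directory.get(dn, Container(dn)) for dn in containers_for(object_dn)]
    # The deepest blocking OU cuts off all non-enforced links above it.
    block_from = max((i for i, c in enumerate(conts) if c.block_inheritance), default=-1)
    normal, enforced = [], []
    for depth, cont in enumerate(conts):
        # Link order 1 must be applied last within a container, so iterate
        # from the highest link number down.
        for link in sorted(cont.links, key=lambda l: -l.link_order):
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= block_from:
                normal.append(link)
    # Enforced links go after everything else, deepest first, so the
    # domain-level enforced GPO is applied last and wins.
    order = normal + [link for _, link in sorted(enforced, key=lambda e: -e[0])]
    result, applied = {}, []
    for link in order:
        result.update(link.settings)
        applied.append(link.name)
    return result, applied


# Constructed sample directory (hypothetical names and setting keys).
DOMAIN = "DC=corp,DC=example"
FINANCE = "OU=Finance," + DOMAIN
WORKSTATIONS = "OU=Workstations," + FINANCE
DIRECTORY = {
    DOMAIN: Container(DOMAIN, [
        GpoLink("Default Domain Policy",
                {"audit_logon": "success,failure", "lock_after_min": 15, "run_menu": "shown"}, 1),
        GpoLink("Corporate Baseline", {"lock_after_min": 10}, 2, enforced=True),
    ]),
    FINANCE: Container(FINANCE, [GpoLink("Finance Desktop", {"run_menu": "hidden"}, 1)],
                       block_inheritance=True),
    WORKSTATIONS: Container(WORKSTATIONS, [GpoLink("Workstation Lockdown", {"lock_after_min": 5}, 1)]),
}

if __name__ == "__main__":
    for dn in ("CN=WS01," + WORKSTATIONS, "CN=SRV01,CN=Computers," + DOMAIN):
        settings, applied = resultant_policy(dn, DIRECTORY)
        print(dn, "->", settings, "via", applied)
```

For WS01 the Default Domain Policy never arrives because OU=Finance blocks inheritance, Workstation Lockdown sets the lock timeout to 5, and the enforced Corporate Baseline then overrides it back to 10; a server in CN=Computers gets both domain GPOs. The useful check for a practitioner is the second return value: when a setting is not what you expect, the applied order tells you which link won.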
Compared to Windows NT 4.0 domains (a flat model inherited from LAN Manager, with a single writable primary domain controller and read-only backup controllers; not to be confused with workgroups, which have no shared account database at all), Active Directory introduces a hierarchical structure and centralized management. You can organize objects in nested OUs and apply policies at the domain or OU level instead of splitting the organization into separate resource domains.
One important change is how authentication works. Between Windows 2000 systems in a domain, Kerberos version 5 is the default protocol instead of NTLM: the KDC on the domain controller issues tickets, which gives single sign-on to domain resources without sending password-derived material to each server. NTLM does not go away, though. It is still used by Windows NT 4.0 and Windows 9x clients, by Windows 2000 clients that address a server by IP address rather than by name, and whenever a KDC cannot be reached; Kerberos itself depends on DNS SRV records to locate domain controllers. Until the down-level systems are retired, the domain is only as strong as its NTLM settings.
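Because NTLM stays available, the practical check is to look at which authentication package the domain controllers actually record for logons and to find NTLM use from machines that should be speaking Kerberos. The following is an added example, not part of the original post, that does this triage over a few constructed records. The key=value line format is invented for the example rather than the native event log format; the field names mirror those of the Windows 2000 logon events 528 (interactive) and 540 (network): Logon Type, Authentication Package and Workstation Name. The host names and accounts are made up.

```python
"""Triage constructed Windows 2000 logon records for NTLM fallback.
The record format is a simplified key=value rendering written for this
example; field names follow events 528/540 (Logon Type, Authentication
Package, Workstation Name)."""
import re
from collections import Counter

# Constructed sample records (not real log output).
SAMPLE_LOG = """\
2000-05-12 09:01:03 EventID=540 Account=alice Domain=CORP LogonType=3 AuthPackage=Kerberos Workstation=WS01
2000-05-12 09:01:40 EventID=540 Account=bob Domain=CORP LogonType=3 AuthPackage=NTLM Workstation=NT4SRV
2000-05-12 09:02:11 EventID=528 Account=carol Domain=CORP LogonType=2 AuthPackage=Kerberos Workstation=WS02
2000-05-12 09:03:05 EventID=540 Account=svc_backup Domain=CORP LogonType=3 AuthPackage=NTLM Workstation=WS03
2000-05-12 09:03:30 EventID=540 Account=alice Domain=CORP LogonType=3 AuthPackage=NTLM Workstation=WS01
2000-05-12 09:04:02 EventID=538 Account=carol Domain=CORP LogonType=2 AuthPackage=- Workstation=WS02
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split one record into a dict; the leading timestamp goes under 'time'."""
    timestamp, _, rest = line.partition(" EventID=")
    fields = dict(FIELD_RE.findall("EventID=" + rest))
    fields["time"] = timestamp
    return fields


def parse_log(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def package_counts(events: list) -> Counter:
    """Count successful logons (528 interactive, 540 network) by package.
    Other events, such as 538 logoff, carry no useful package and are skipped."""
    return Counter(e["AuthPackage"] for e in events if e.get("EventID") in {"528", "540"})


def unexpected_ntlm(events: list, known_downlevel: set) -> list:
    """NTLM logons from hosts that are not known NT 4.0 / Win9x systems.
    A Windows 2000 client falls back to NTLM when it reaches a server by IP
    address or cannot find a KDC, so each of these is worth a look."""
    return [(e["Account"], e["Workstation"]) for e in events
            if e.get("EventID") in {"528", "540"}
            and e.get("AuthPackage") == "NTLM"
            and e["Workstation"] not in known_downlevel]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("logons by package:", dict(package_counts(evts)))
    # NT4SRV is the one host we expect to be stuck on NTLM (constructed).
    for account, host in unexpected_ntlm(evts, {"NT4SRV"}):
        print(f"NTLM from Kerberos-capable host: {account} on {host}")
```

The bob logon from NT4SRV is expected; the two remaining NTLM entries (svc_backup on WS03 and alice on WS01, a host that used Kerberos a few minutes earlier) are the ones to chase, typically a share mapped by IP address or a service that targets a name with no SPN.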
Replication is also built in. Active Directory uses multi-master replication: every domain controller holds a writable copy of the domain partition, and a change made on any of them is replicated to the others (only a handful of operations master roles remain single-master). This improves availability and removes the NT 4.0 single point of failure, where only the primary domain controller could accept changes.
For administrators and developers coming from NT 4.0, the biggest shift is thinking in terms of structure and policy instead of individual server configuration.