What Active Directory Actually Does
Why AD is the backbone of most enterprises
Real-world analogy
Active Directory is the company’s phonebook + badge office + policy manual, all in one. Every person, every device, every group, every rule — stored centrally, authenticated against, and logged.
What is it?
Active Directory Domain Services (AD DS) is Microsoft’s directory for identities, devices, groups, and policies. It enables centralized authentication, authorization, and configuration across a Windows enterprise.
Real-world relevance
A bank has 200 branches. Without AD, each branch manages its own users. With AD, a single account grants access everywhere it should and nowhere it shouldn’t — and policy changes propagate to all 10,000 machines in hours.
Key points
- Domain, Forest, Tree — vocabulary first — A domain is an administrative boundary (contoso.local). A tree is one or more domains sharing a namespace. A forest is one or more trees sharing a schema and global catalog. Most companies run ONE domain in ONE forest.
- Domain Controller (DC) — A server running AD DS that authenticates logins, stores directory data, and replicates with other DCs. Multiple DCs provide redundancy. If all DCs die, logins stop across the company.
- Objects — users, computers, groups, OUs — Users (people), Computers (joined devices), Groups (collections for permissioning), OUs (organizational units — containers for structure and policy targeting).
- Authentication vs authorization — AuthN: proving who you are (Kerberos tickets, NTLM fallback). AuthZ: deciding what you can do (group memberships, ACLs). AD handles both, but they are different questions.
- Global Catalog, sites, replication — high level — GC holds a partial copy of all domain objects for cross-domain lookups. Sites model physical network locations. Replication moves changes between DCs — broken replication = inconsistent auth.
- Entra ID (the cloud cousin) — Microsoft Entra ID (formerly Azure AD) is cloud identity for M365/Azure. It’s NOT the same as AD DS — different protocols, different structure. Hybrid identity syncs on-prem AD → Entra via Entra Connect.
- Why AD is an interview staple — It underlies logon, GPO, file access, email access, Kerberos, DNS, and most enterprise tooling. If you can’t explain AD clearly, most infra/support interviews stall early.
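The vocabulary in the key points above maps directly onto what the RSAT ActiveDirectory PowerShell module lets you read out of a domain. The script below is an added example, not code from the original page; it assumes RSAT is installed on a domain-joined Windows machine and that the caller is an ordinary domain user (every call is read-only and readable by authenticated users by default). Object names and counts are whatever your domain contains.

```powershell
# Added example, not part of the original page: walk the AD vocabulary above
# (forest, domain, DCs, OUs, groups, GC, sites) with the RSAT ActiveDirectory
# module. Assumes RSAT on a domain-joined machine and a plain domain user;
# everything here is read-only.
Import-Module ActiveDirectory

# Forest = schema + global catalog boundary. Domains lists every domain in every tree.
$forest = Get-ADForest
[PSCustomObject]@{
    Forest         = $forest.Name
    ForestMode     = $forest.ForestMode
    Domains        = $forest.Domains -join ', '
    GlobalCatalogs = $forest.GlobalCatalogs -join ', '
    Sites          = $forest.Sites -join ', '
} | Format-List

# Domain = administrative boundary. The PDC emulator is consulted on password
# mismatches and is the domain time source Kerberos' clock tolerance depends on.
$domain = Get-ADDomain
'Domain {0} ({1}), mode {2}, PDC emulator {3}' -f `
    $domain.DNSRoot, $domain.NetBIOSName, $domain.DomainMode, $domain.PDCEmulator

# Domain controllers, with their site and whether each also serves the global catalog.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# OUs, with how many GPOs are linked to each: the "GPO linked to OU" rule in practice.
Get-ADOrganizationalUnit -Filter * -Properties LinkedGroupPolicyObjects |
    Select-Object DistinguishedName,
                  @{ Name = 'LinkedGPOs'; Expression = { @($_.LinkedGroupPolicyObjects).Count } } |
    Sort-Object DistinguishedName |
    Format-Table -AutoSize

# Groups by scope (Global / DomainLocal / Universal): the unit AuthZ decisions are made on.
Get-ADGroup -Filter * |
    Group-Object GroupScope |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Object counts by class, so the "phonebook" has a size.
[PSCustomObject]@{
    Users     = @(Get-ADUser -Filter *).Count
    Computers = @(Get-ADComputer -Filter *).Count
    Groups    = @(Get-ADGroup -Filter *).Count
    OUs       = @(Get-ADOrganizationalUnit -Filter *).Count
} | Format-List
```

Run it once from a workstation and once from a DC: the output is the same, which is the point of a centrally replicated directory. The DC table is also the first thing to check when you are asked "how many DCs do we have and where are they" in an incident.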
Code example
// AD building blocks (mental model)
Forest
└── Tree (one namespace)
    └── Domain (contoso.local)
        ├── OU=Headquarters
        │   ├── OU=Users
        │   └── OU=Computers
        ├── OU=Branches
        ├── Groups (Global / Domain Local / Universal)
        └── Domain Controllers
            ├── DC01 (Authoritative)
            └── DC02 (Replica)

Authentication paths:
  Kerberos (primary) -> tickets, tight clock tolerance
  NTLM (fallback)    -> weaker, phased out where possible

Policy:
  GPO linked to OU -> applies to users/computers within
Line-by-line walkthrough
1. Mental model diagram of AD
2. Forest wraps everything
3. Tree: one namespace
4. Domain: administrative boundary
5. Organizational Unit for HQ
6. Users OU under HQ
7. Computers OU under HQ
8. OU for branch sites
9. Groups of different scopes
10. Domain Controllers container
11. Primary DC (AD replication is multi-master, so every writable DC accepts changes; "primary" here means the DC holding the PDC emulator role)
12. Replica DC
13. Blank separator
14. Authentication paths header
15. Kerberos primary path
16. NTLM fallback
17. Blank separator
18. Policy container explanation
19. GPO application rule
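Line 16 of the diagram says NTLM is a fallback that is "phased out where possible". Whether that is true in a given domain is measurable: every successful logon writes Security event 4624, and its AuthenticationPackageName field says whether Kerberos or NTLM did the work. The script below is an added example, not code from the original page; it assumes it is run elevated on a domain controller (or any server whose Security log you want to inspect) with logon success auditing enabled, which is the default on DCs. The time window is a constructed parameter.

```powershell
# Added example, not part of the original page: measure how much NTLM "fallback"
# is still happening from Security event 4624 (successful logon).
# Assumes: elevated session on a DC or member server, Security log readable,
# "Audit Logon" success auditing on (default for DCs). $Hours is a constructed knob.
param(
    [int]$Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the EventData fields out of each event's XML into a flat object.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [PSCustomObject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType                   # 2 interactive, 3 network, 10 RDP, ...
        AuthPackage = $d.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
        LmPackage   = $d.LmPackageName               # "NTLM V1" / "NTLM V2" when NTLM was used
        Source      = $d.IpAddress
        Workstation = $d.WorkstationName
    }
}

# Share of logons that used Kerberos vs NTLM in the window.
$rows | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# Who is still authenticating with NTLM, from where, and with which NTLM version.
# Machine accounts (ending in $) and ANONYMOUS LOGON are filtered as noise; look at them separately.
$rows |
    Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.User -notmatch '\$$' -and $_.User -notmatch 'ANONYMOUS' } |
    Group-Object User, Source, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

Any "NTLM V1" rows are the first thing to chase, since that is the variant with the weakest protection against offline cracking and relay; "NTLM V2" rows are usually applications addressed by IP rather than hostname, which prevents a Kerberos service ticket from being requested. Re-run the script after each remediation to confirm the count actually drops.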
Spot the bug
A company has 1 domain, 1 DC, and no backup DC.
DC01 hard disk fails on Friday night.
On Monday, no user can log in to their Windows machines.
What was the structural mistake, and what is the right design?
Answer
A single DC is a single point of failure. Best practice: at least 2 DCs per site, proper replication, regular System State backups, and a documented AD recovery procedure. Treat DC recovery as a priority-1 incident; meanwhile, cached credentials may let users who have previously logged on to a machine sign in, but not anyone new to that machine.
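The structural mistake in the scenario is visible from the directory itself before any disk fails. The script below is an added example, not code from the original page; it audits the three things the answer names (DC redundancy per site, replication health, and backup evidence) with the RSAT ActiveDirectory module plus repadmin.exe, which ships with RSAT. It assumes a domain-joined machine and an account that can read replication metadata, which authenticated users can by default; the "fewer than two writable DCs" threshold is the page's own rule of thumb.

```powershell
# Added example, not part of the original page: audit for the single-DC failure mode,
# replication health, and whether AD has been backed up. Assumes RSAT (ActiveDirectory
# module + repadmin.exe) on a domain-joined machine; all calls are read-only.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

# 1. DC count per site. Fewer than two writable DCs in a site is the scenario's mistake.
$dcs | Group-Object Site | ForEach-Object {
    $writable = @($_.Group | Where-Object { -not $_.IsReadOnly }).Count
    $status   = if ($writable -lt 2) { 'RISK: single writable DC' } else { 'OK' }
    [PSCustomObject]@{ Site = $_.Name; DCs = $_.Count; Writable = $writable; Status = $status }
} | Format-Table -AutoSize

# 2. FSMO role holders. With one DC, losing it also loses every role (PDC emulator, RID pool, ...).
$domain = Get-ADDomain
$forest = Get-ADForest
[PSCustomObject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 3. Replication failures: "broken replication = inconsistent auth".
$failures = Get-ADReplicationFailure -Target $dcs.HostName -ErrorAction SilentlyContinue
if ($failures) {
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime | Format-Table -AutoSize
} else {
    'No replication failures reported.'
}

# 4. Last successful replication per partition and partner, oldest first, to spot stale replicas.
Get-ADReplicationPartnerMetadata -Target $dcs.HostName -Partition * -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Sort-Object LastReplicationSuccess |
    Format-Table -AutoSize

# 5. Backup evidence: repadmin /showbackup prints the last System State backup time per partition.
foreach ($dc in $dcs) {
    "--- $($dc.HostName) ---"
    repadmin /showbackup $dc.HostName
}
```

A site that reports RISK, a partition whose last backup date is older than the tombstone lifetime, or a replication failure count that keeps climbing are each enough on their own to justify the "priority-1" treatment the answer describes, without waiting for a Friday-night disk failure to prove it.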
Explain like I'm 5
AD is one big company address book that everyone must agree with: who you are, what team you’re on, which doors open for you, and what rules your laptop follows.
Fun fact
Kerberos — the primary AD authentication protocol — is named after the three-headed dog guarding the underworld in Greek myth. It has three ‘heads’: client, service, and key distribution center (KDC).
Hands-on challenge
Sketch the forest/domain/OU structure of a fictional mid-size bank with HQ and 5 branches. Mark where DCs live, which OU holds which users and computers, and which groups control file-share access.
More resources
- AD DS overview (Microsoft Learn)
- Entra ID documentation (Microsoft Learn)
- Active Directory in 60 minutes (John Savill)