
The number of businesses out there that own and run Windows 2000, Windows 2003 or Windows 2008 servers is mind-boggling. Thousands, if not millions, of companies utilise Windows Server in their everyday environments all over the world. What is more astounding, though, is the number of companies that do not utilise the best feature of the Windows Server world - Active Directory - and why not? I don't know. I am guessing there is a mixture of not understanding what AD is and why it should be used. Beyond that, I could not even start to guess; it is simply beyond me.

So, what is Active Directory and why am I so passionate about the need for it to be used? Let me outline briefly what it is, and then the advantages of utilising such a powerful tool for your business, whether your business runs one server and 2 clients, or 1000 servers and 50000 clients. Active Directory is a scalable tool suited to businesses of all sizes, bar none.

1. WHAT IS ACTIVE DIRECTORY

Active Directory is, in short, a centralised directory, or database, for all your security principals. What is a security principal? A security principal is anything from a user object (account), a group (that contains user accounts), a Group Policy (a single point to control all machines under it, via registry changes), a computer share (yes, NTFS file shares), DNS (Domain Name System) and scripts, through to objects such as printers. It is one single, central repository from which to administer all your accounts and security. AD is also a building block for many other Microsoft and third-party vendors' applications to authenticate against for Single Sign On (SSO) capabilities.

AD is a security boundary dividing networks into forests and domains. Forests and domains are the logical way of segmenting your business in the Active Directory schema. You can read more on this in my article on AD design here: http://www.block.net.au/help/ad-architecture/

Active Directory now also extends to support integration between Windows and third-party operating systems such as Novell, UNIX and Macintosh platforms.

2. WHAT DO YOU GAIN FROM ACTIVE DIRECTORY?

So now that we have touched lightly on what Active Directory is, it's time to look at what you gain from Active Directory and how it can improve productivity and decrease tedious and tiring administration overheads in your LAN/WAN environments.

2A. SINGLE POINT OF ADMINISTRATION FOR ALL USER ACCOUNTS AND GROUPS

In a typical workgroup environment, each machine utilises a SAM database. This database is stored on each machine and is unique to each machine. There is no sharing, and no easy way of making mass changes on all machines. The SAM database is also insecure and, at the best of times, a nightmare to administer when dealing with Windows networking.

Active Directory takes over the SAM database at a server level and creates its own directory service where all your user accounts are stored. The SAM database still exists on each machine, but becomes an irrelevant tool when dealing with authentication and logons; this is all handled through Active Directory. When a user in the domain logs on to his or her machine, they authenticate against the Active Directory server (a domain controller), which then permits or denies the logon and sets the appropriate permissions for the user's session on the machine.

Active Directory also utilises a group object, which contains user accounts in the domain. These groups can then be assigned to NTFS file shares, can be used as distribution groups within an Exchange Server environment, and can do all sorts of other neat things when utilising additional technologies.

2B. GROUP POLICIES FOR BULK USER AND COMPUTER SECURITY AND CONFIGURATION CHANGES

Group policies are the inbuilt way in Active Directory to make bulk changes, or control the user environment at either a User or Computer level.

Group Policies are basically a nice, user-friendly interface to change registry keys on a local machine. I might decide that I want certain aspects of Windows to be locked down on all machines in my domain; I do this via Group Policies. I may also decide that I only want some users to be able to access certain features on certain machines; again, I would control this all through Group Policies.

Group Policies are also the best and simplest way to standardise configuration and security across all machines in the domain.

Great guides to Group Policies can be found here:

http://www.windowsnetworking.com/articles_tutorials/Best-Practices-Designing-Group-Policy.html
http://www.adminprep.com/articles/default.asp?action=show&articleid=55
http://msdn.microsoft.com/en-us/library/aa374177.aspx
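Since a Group Policy is, as the section says, a managed way of setting registry keys, the natural check is to compare what the GPO says it delivers with what the client actually ended up with. The following PowerShell script is an added example, not code from the original article. It assumes the GroupPolicy module from RSAT is installed, and the GPO name 'LSA Hardening' and the two expected LSA values are assumptions chosen for the illustration.

```powershell
# Added example, not part of the original article. Reads the registry values a
# GPO is configured to deliver and checks that the local machine actually
# received them after policy processing. The GPO name and the expected values
# are assumptions for this illustration.
Import-Module GroupPolicy

function Test-GpoRegistrySetting {
    param(
        [string]$GpoName = 'LSA Hardening',                        # assumed GPO name
        [string]$Key     = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa',
        [hashtable]$Expected = @{
            NoLMHash             = 1   # do not store LM hashes of new passwords
            LmCompatibilityLevel = 5   # send NTLMv2 only, refuse LM and NTLM
        }
    )

    # 1. What the GPO itself carries (read from the domain, not from the client).
    $gpoValues = @{}
    foreach ($v in Get-GPRegistryValue -Name $GpoName -Key $Key) {
        $gpoValues[$v.ValueName] = $v.Value
    }

    # 2. What the local machine actually has under the same key.
    $localPath = 'HKLM:\' + ($Key -replace '^HKLM\\', '')
    $local = Get-ItemProperty -Path $localPath -ErrorAction SilentlyContinue

    # 3. Compare both against the baseline and report one row per value.
    foreach ($name in $Expected.Keys) {
        $onMachine = if ($local) { $local.$name } else { $null }
        [pscustomobject]@{
            ValueName = $name
            Expected  = $Expected[$name]
            InGpo     = $gpoValues[$name]
            OnMachine = $onMachine
            GpoOk     = ($gpoValues[$name] -eq $Expected[$name])
            MachineOk = ($null -ne $onMachine -and $onMachine -eq $Expected[$name])
        }
    }
}

Test-GpoRegistrySetting | Format-Table -AutoSize
```

A row where GpoOk is true but MachineOk is false usually means the machine has not yet refreshed policy (run gpupdate and re-check) or the GPO is not linked to the OU the machine sits in; a row where both are false means the GPO never carried the setting in the first place.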

2C. SOFTWARE DEPLOYMENT VIA GPO

Gone are the days where you need to walk to every machine in the company and install new software or upgrades to existing software packages. Active Directory can utilise Group Policy to roll out new software or upgrade packages to all, or selected, machines within your environment. It's an extremely simple and easy process, reducing administration time drastically.

More information on software deployment and a hands-on guide can be found here:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

2D. DELEGATION OF CONTROL

Delegation of control is a powerful feature allowing you to delegate responsibilities and permissions to certain staff in your team, without the need to grant Enterprise Admin or Domain Admin rights.

Delegation of control allows you to segment the appropriate duties across multiple staff and reduce the administration burden on one person, without compromising security.

You can read about delegation of control in more detail here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx
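The point of delegation is that day-to-day tasks should not require standing membership of Domain Admins, so a useful first step is to find out who currently has it. The following PowerShell report is an added example, not code from the original article. It assumes the ActiveDirectory module from RSAT and read access to the domain; the names in the $Approved list are placeholders for this illustration.

```powershell
# Added example, not part of the original article. Lists every user that ends
# up, directly or through nested groups, in the built-in high-privilege groups,
# so that delegated OU permissions can replace standing admin membership.
# Requires the ActiveDirectory module; the $Approved list is an assumption.
Import-Module ActiveDirectory

function Get-PrivilegedMemberReport {
    param(
        [string[]]$Groups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [string[]]$Approved = @('Administrator', 'breakglass.admin')   # assumed approved list
    )

    foreach ($g in $Groups) {
        # -Recursive expands nested groups down to the leaf principals.
        # Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Approved        = ($u.SamAccountName -in $Approved)
            }
        }
    }
}

# Accounts with standing admin rights that are not on the approved list are the
# candidates for removal; their routine tasks move to a delegated OU permission.
Get-PrivilegedMemberReport |
    Where-Object { -not $_.Approved } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run turns the delegation model into something you can verify, rather than something you set up once and hope nobody widened.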

2E. SECURITY AND ENCRYPTION

Once you implement AD into your environment, you have automatically implemented Kerberos, an authentication protocol utilised by Active Directory and Windows machines when communicating with each other. Kerberos is the underlying foundation for all authentication of machines, either between each other or between clients and servers.

Kerberos provides a way for a machine to prove who it is without having to send detailed information - or shared secrets - across the network. It does this by using a security key.

A good, simple guide to Kerberos can be found here - a nice read:
http://www.isi.edu/~brian/security/kerberos.html

As well as Kerberos for authentication, AD allows the implementation of IPsec for encryption of all traffic within your LAN - a not heavily used technology, but an important and powerful one nonetheless.

2F. REDUNDANCY AND MULTIPLE SITES

Active Directory supports multiple servers hosting a replica of your Active Directory database, and it will also load balance the authentication load across domain controllers when it sees fit. In the event of a server failure, any other domain controller in the domain can take over the role of authentication and authorisation.

As well as providing redundancy, AD can replicate to offsite servers, allowing localised logons and authentication whilst still providing a centralised directory for all security.

2G. PASSWORD POLICIES

Active Directory supports password policies, guaranteeing that users must meet a certain password complexity standard, as well as changing passwords regularly at an interval determined by your security administrator.

Password Policies are administered and configured in a Group Policy and affect all users in the Domain.
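Because the domain password policy lives in one place, it can be checked in one place. The following PowerShell script is an added example, not code from the original article: it reads the domain-wide policy and compares each setting with a baseline. The baseline thresholds are assumptions chosen for this illustration, and the script requires the ActiveDirectory module from RSAT.

```powershell
# Added example, not part of the original article. Reads the domain-wide
# password policy (the one set in the Default Domain Policy GPO) and compares
# it with a baseline. Baseline values are assumptions for this illustration.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # MaxPasswordAge/MinPasswordAge are TimeSpans; compare in whole days.
    $maxDays = $p.MaxPasswordAge.Days
    $minDays = $p.MinPasswordAge.Days

    # One row per setting: what the domain has, what the baseline wants, pass/fail.
    $checks = @(
        [ordered]@{ Setting = 'MinPasswordLength';           Actual = $p.MinPasswordLength;           Required = '>= 12'; Pass = ($p.MinPasswordLength -ge 12) }
        [ordered]@{ Setting = 'ComplexityEnabled';           Actual = $p.ComplexityEnabled;           Required = 'True';  Pass = [bool]$p.ComplexityEnabled }
        [ordered]@{ Setting = 'PasswordHistoryCount';        Actual = $p.PasswordHistoryCount;        Required = '>= 24'; Pass = ($p.PasswordHistoryCount -ge 24) }
        [ordered]@{ Setting = 'MaxPasswordAge (days)';       Actual = $maxDays;                       Required = '1-365'; Pass = ($maxDays -ge 1 -and $maxDays -le 365) }
        [ordered]@{ Setting = 'MinPasswordAge (days)';       Actual = $minDays;                       Required = '>= 1';  Pass = ($minDays -ge 1) }
        [ordered]@{ Setting = 'LockoutThreshold';            Actual = $p.LockoutThreshold;            Required = '1-10';  Pass = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 10) }
        [ordered]@{ Setting = 'ReversibleEncryptionEnabled'; Actual = $p.ReversibleEncryptionEnabled; Required = 'False'; Pass = (-not $p.ReversibleEncryptionEnabled) }
    )

    foreach ($c in $checks) { [pscustomobject]$c }
}

Test-DomainPasswordPolicy | Format-Table -AutoSize
```

A MinPasswordAge of 0 days is worth catching because it lets a user cycle through the history count in one sitting and return to the old password; a LockoutThreshold of 0 means accounts never lock, and a very high MaxPasswordAge (or a value meaning "never") fails the 1-365 range check either way. From Windows Server 2008 onward, fine-grained password policies can override this domain-wide policy for specific groups, and Get-ADFineGrainedPasswordPolicy -Filter * lists them.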

2H. LEVERAGE TOOLS SUCH AS WSUS

Software Updates - always fun in a Large Environment, often a large burden and administration overhead, as well as being costly on bandwidth and hard to control. No longer a problem when you introduce Active Directory into the environment.

With AD as a backbone, you can utilise Windows Server Update Services (WSUS). This service provides you a single point of call for all Windows updates. You download the update package once, and once only, and distribute it as you see fit to all machines, or just some machines. The control is completely in your hands, allowing for testing and strategic rollout. Using groups and machine accounts within AD, along with Group Policy for configuration, Windows updates become a simple and easy issue to deal with.

2I. PURE INTEGRATION WITH EXCHANGE

Thinking about implementing Microsoft Exchange Server? Guess what? It relies 100% on Active Directory as a backend for all users and security. More and more technologies are supporting the integration of their services with Active Directory. It's the way of the future and a way of the past, at least since Windows 2000 anyway :)

2J. DNS INTEGRATION

In my previous article about DNS configuration, I mentioned numerous times the benefit of Active Directory Integrated DNS zones:
http://www.block.net.au/help/dns-basics/

Active Directory, as mentioned before, supports replicating its database across multiple domain controllers. To take this a step further, DNS can also be integrated into Active Directory, again allowing for multiple servers to host a single DNS zone - providing load balancing and redundancy. It also allows DNS to be secured properly, protecting you against attacks and DNS poisoning.

2K. AUTOMATION VIA SCRIPTS

VBScript and PowerShell are two of an admin's best friends. The automation and configuration that can be done with these tools is almost limitless. Active Directory allows you to assign logon or logoff scripts to user accounts, allowing you to perform pre- or post-logon tasks.

2L. ROAMING PROFILES AND FOLDER REDIRECTION

Have roaming users that use multiple machines in the environment? Currently have to configure a profile for them every time they change machines? Forget that. Active Directory allows for roaming profiles, where instead of the profile being stored on a local machine, it is stored on a set share on a server in your environment. A user changes computers and they get the same profile every time - no more administration time there.

Alternatively, and a more common practice, there is Folder Redirection, allowing you to redirect items like "My Documents" to a server for backup and control purposes. There is less network overhead from a traffic point of view, and you still get the benefits of centralised storage.

Configuration and detailed information on these technologies can be found here:
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

2M. AUDITING

One of the most powerful tools in the AD world is the ability to audit users and shares. Using Group Policy, as well as advanced NTFS settings on shares, you can enable auditing on virtually any object in the domain, allowing you to trace and track problems and security breaches within your environment, as well as enforcing IT policies within your organisation.
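Auditing is only useful if someone reads the result, and the most common thing to read first is failed logons. The following PowerShell script is an added example, not code from the original article. It confirms that the Logon audit subcategory is switched on, then summarises failed-logon events (ID 4625) from the Security log of the machine it runs on, grouped by account and source address. The threshold and the look-back window are assumed values chosen for this illustration; run it on a domain controller to see domain logon failures.

```powershell
# Added example, not part of the original article. Summarises failed logons
# (event 4625) from the local Security log, grouped by account and source.
# Threshold and window are assumed values for this illustration.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # assumed look-back window
        [int]$Threshold = 10    # assumed: flag more failures than this per account/source pair
    )

    # 4625 is only written if the Logon subcategory is audited; show its state first.
    auditpol /get /subcategory:"Logon"

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Event fields live in EventData/Data elements keyed by their Name attribute.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']      # 3 = network, 10 = remote interactive
            SubStatus = $d['SubStatus']      # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    }

    # Collapse to one row per (account, source) pair and flag noisy pairs.
    $rows | Group-Object Account, Source | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account  = $sorted[0].Account
            Source   = $sorted[0].Source
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            Flagged  = ($_.Count -gt $Threshold)
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary | Format-Table -AutoSize
```

Many failures for many different accounts from one source, all with SubStatus 0xC0000064, look very different from a single user mistyping a password, and the grouped view makes that distinction visible at a glance. On Windows 2000 and 2003, which the article also covers, the equivalent failures are the legacy event IDs 529 to 537 rather than 4625, so the Id filter needs adjusting there.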

3. CONCLUSION

So with all the above benefits outlined - and these just touch on what you can do with your environment by utilising Active Directory - you have to ask yourself not why you should use Active Directory, but why not? Why would you not take advantage of all these technologies and capabilities, when they all come at zero cost? Once you have purchased Windows Server, you have purchased all these tools with it. So why not use them?

Active Directory will reduce your administration overhead beyond belief. Your ability to make changes efficiently and in a controlled way, whilst providing a more secure and standardised environment, is unrivalled, and the pure pleasure of a single point of control is more than enough justification for any administrator or IT Manager to start making use of such a powerful tool.