Summary: AD DS is Microsoft's directory service providing LDAP storage, Kerberos authentication, DNS integration, and Group Policy management for Windows domains.
Active Directory Domain Services (AD DS) is the centralised directory for Windows-based networks. It stores information about network objects (users, computers, groups, printers, services) and manages authentication and authorisation across a domain. Its core functions are the four named in the summary: LDAP storage of the directory, Kerberos authentication, DNS integration for service location, and Group Policy management. The components below are the terms an administrator or an assessor has to be able to place: the logical structure (domain, forest, OU), the servers (domain controllers, global catalogs), the schema, trusts, functional levels, and the services every DC runs.
A domain is a logical grouping of computers and users that share a common DNS namespace, a directory partition and an authentication authority. Accounts defined in a domain are recognised by every member of that domain by default. A domain is an administrative and replication boundary, not a security boundary: Enterprise Admins and Schema Admins in the forest root have rights over every domain, and a compromised domain controller in any domain should be treated as a compromise of the whole forest.
A forest is a collection of one or more domains sharing a common schema, configuration partition and global catalog, joined by automatic two-way transitive trusts. The forest is the security boundary in AD DS; anything that needs real isolation from another organisation, or from an environment that might be compromised, belongs in a separate forest.
An organizational unit (OU) is a container within a domain for grouping objects for administration. OUs can be nested, and they are where Group Policy objects are linked and control is delegated. They do not create trust or security boundaries: rights delegated on an OU are still subject to permissions inherited from higher in the tree, and domain-level administrators reach the OU's contents regardless of how delegation is arranged.
A domain controller (DC) is a server running AD DS that holds a copy of the directory database (NTDS.dit) together with the SYSVOL share. Replication is multi-master: any writeable DC accepts changes and replicates them to all others, while read-only domain controllers (RODCs) hold a filtered, read-only copy and refer writes to a writeable DC. NTDS.dit contains the password hashes of every account in the domain, including krbtgt, so a DC, any backup of it, and any virtual disk holding a copy of the database must be protected as Tier 0 assets: whoever reads the file owns the domain.
A global catalog (GC) is a DC that additionally holds a read-only, partial-attribute-set replica of every object in every domain in the forest, served over LDAP on ports 3268 and 3269 alongside the normal 389 and 636. GCs are required for:
Every site should have at least one GC, so that logons and forest-wide lookups in that site do not depend on a WAN link.
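Whether the one-GC-per-site recommendation above actually holds is easy to verify from the directory itself. The script below is an added example, not from the original page: it inventories the domain controllers of every domain in the forest, separates writeable DCs from RODCs, and reports any site that has no DC or no global catalog. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access.

```powershell
# Added example (not from the original page): DC inventory and per-site GC coverage.
# Assumes the RSAT ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

# Get-ADDomainController is scoped to one domain, so walk the forest's domain list.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object Name, Domain, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem
}

# Every writeable DC holds a full NTDS.dit (all hashes, krbtgt included): Tier 0.
Write-Output 'Writeable DCs:'
$dcs | Where-Object { -not $_.IsReadOnly } | Sort-Object Site, Name | Format-Table -AutoSize
Write-Output 'Read-only DCs (RODCs):'
$dcs | Where-Object { $_.IsReadOnly } | Sort-Object Site, Name | Format-Table -AutoSize

# Sites are forest-wide objects; enumerate them rather than the DCs so that a site
# with no DC at all is reported too.
foreach ($site in (Get-ADReplicationSite -Filter *).Name) {
    $inSite = @($dcs | Where-Object { $_.Site -eq $site })
    $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
    if ($inSite.Count -eq 0) {
        Write-Warning "Site '$site': no domain controller (clients fall back to a neighbouring site via site-link costs)"
    } elseif ($gcs.Count -eq 0) {
        Write-Warning "Site '$site': DCs present but no global catalog: $($inSite.Name -join ', ')"
    } else {
        Write-Output "Site '$site': GC present ($($gcs.Name -join ', '))"
    }
}
```

Treat a site with DCs but no GC as a logon-availability issue, and treat any unexpected entry in the writeable-DC list as a security issue: a DC you did not know about is a copy of NTDS.dit you are not protecting.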
The schema defines every object class (user, computer, group) and attribute (sAMAccountName, mail) for the entire forest. It is forest-wide and is written through a single DC at a time, the schema master. It can only be extended, never reduced: classes and attributes can be marked defunct but not deleted, so a bad extension is permanent. Modifying it requires membership in the Schema Admins group; keep that group empty except for the duration of a planned change.
| Trust Type | Direction | Transitivity | Description |
|---|---|---|---|
| Parent-child | Two-way | Transitive | Created automatically between a parent domain and a child domain in the same tree |
| Tree-root | Two-way | Transitive | Created automatically between the forest root domain and the root of each new tree |
| Forest trust | One-way or two-way | Transitive between the two forests only | Manual trust between two forest root domains; covers every domain in both forests but never extends to a third forest |
| External trust | One-way or two-way | Non-transitive | Manual trust with a single domain in another forest (or an NT 4.0 domain) |
| Shortcut trust | One-way or two-way | Transitive | Manual trust between two domains in the same forest that shortens the referral path in deep trees |
Intra-forest trusts (parent-child, tree-root, shortcut) cannot be filtered, which is one reason the forest rather than the domain is the security boundary. Forest and external trusts have SID filtering enabled by default, so a sIDHistory value planted in a compromised trusted domain cannot grant access in the trusting domain; disabling it (typically to make a sIDHistory-based migration work) reopens that path and should be temporary. Selective authentication on a forest or external trust restricts which trusted users may authenticate to which computers on the trusting side; the default, domain-wide or forest-wide authentication, makes every trusted user a member of Authenticated Users in the trusting domain.
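The trust properties in the table and the SID-filtering and selective-authentication caveats can be read straight from the trust objects. The script below is an added example, not part of the original page or any Microsoft tool: it audits the trusts of the current domain with the RSAT ActiveDirectory module (assumed to be installed) and flags the settings a reviewer would question. Direction is reported from this domain's point of view: Outbound means this domain trusts the target, so the target's users can reach resources here and this is the side on which selective authentication is configured.

```powershell
# Added example (not from the original page): audit trusts of the current domain
# for transitivity class, SID filtering, selective authentication, TGT delegation
# and cipher. Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

Get-ADTrust -Filter * | ForEach-Object {
    $t = $_
    $findings = @()

    if ($t.IntraForest) {
        # Parent-child, tree-root and shortcut trusts: always transitive, cannot be SID-filtered.
        $kind = 'intra-forest'
    } elseif ($t.ForestTransitive) {
        # Forest trust: transitive across both forests, never to a third forest.
        $kind = 'forest'
        if (-not $t.SIDFilteringForestAware) {
            $findings += 'SID filtering disabled (sIDHistory from the other forest is honoured)'
        }
    } else {
        # External trust: one domain, non-transitive; quarantine (SID filtering) is on by default.
        $kind = 'external'
        if (-not $t.SIDFilteringQuarantined) {
            $findings += 'quarantine disabled (SID filtering off)'
        }
    }

    # Selective authentication only matters where the other side's users come in.
    if (-not $t.IntraForest -and $t.Direction -in 'Outbound', 'BiDirectional' -and -not $t.SelectiveAuthentication) {
        $findings += 'domain/forest-wide authentication: every trusted user is Authenticated Users here'
    }
    if ($t.TGTDelegation) {
        $findings += 'TGT delegation enabled across the trust (unconstrained delegation reaches the other side)'
    }
    if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) {
        $findings += 'trust key is RC4 only'
    }

    [pscustomobject]@{
        Target    = $t.Target
        Kind      = $kind
        Direction = $t.Direction
        Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
    }
} | Format-Table -AutoSize -Wrap
```

Run it from a writeable DC or any management host with RSAT; it is read-only. A forest trust with `SIDFilteringForestAware` false, or an external trust with `SIDFilteringQuarantined` false, is the finding to escalate first, because it means SIDs asserted by the other side are accepted as-is.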
Functional levels gate directory features on the minimum Windows Server version running on every DC in the domain (domain functional level) or in the forest (forest functional level). A level can be raised only when every DC meets the minimum OS:
| Level | Minimum DC OS | Key Features Added |
|---|---|---|
| Windows Server 2016 | Server 2016 | Privileged Access Management (time-bound group membership; forest-level optional feature), rolling NTLM secrets for Credential Guard users, PKInit freshness extension |
| Windows Server 2012 R2 | Server 2012 R2 | DC-side protections for the Protected Users group, authentication policies and authentication silos |
| Windows Server 2012 | Server 2012 | Dynamic Access Control (claims, compound authentication), Kerberos armoring (FAST) |
| Windows Server 2008 R2 | Server 2008 R2 | Active Directory Recycle Bin (forest-level optional feature), managed service accounts, authentication mechanism assurance |
Windows Server 2019 and 2022 introduced no new functional levels. Treat raising a level as one-way: lowering is possible only in narrow cases (for example back to Server 2008 R2 as long as the Recycle Bin has not been enabled), so before raising confirm that every DC, RODCs included, runs at least the target OS, and that no application in the estate depends on the old level.
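The check described above is worth scripting rather than eyeballing, because a single forgotten RODC in a branch site blocks the raise. The following is an added example, not from the original page: it reports the current domain and forest modes, verifies every DC in every domain against a target OS, and then issues the raise in `-WhatIf` mode. The RSAT ActiveDirectory module is assumed, as are the target levels (`Windows2016Domain` / `Windows2016Forest`) and the OS-name pattern that satisfies them.

```powershell
# Added example (not from the original page): pre-raise check for functional levels,
# then the raise itself with -WhatIf. Assumes RSAT ActiveDirectory and Domain Admins
# (domain level) / Enterprise Admins (forest level) rights for the real raise.
Import-Module ActiveDirectory
$targetDomainMode = 'Windows2016Domain'       # assumption: level you are moving to
$targetForestMode = 'Windows2016Forest'
$minimumOsPattern = '2016|2019|2022|2025'     # OperatingSystem strings that satisfy a 2016 level

$forest = Get-ADForest
"Forest {0}: ForestMode={1}" -f $forest.Name, $forest.ForestMode

$blocked = $false
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "Domain {0}: DomainMode={1}" -f $domain.DNSRoot, $domain.DomainMode

    # Every DC in the domain, RODCs included, must already run the target OS or newer.
    $downlevel = Get-ADDomainController -Filter * -Server $domainName |
        Where-Object { $_.OperatingSystem -notmatch $minimumOsPattern }
    if ($downlevel) {
        $blocked = $true
        Write-Warning "$domainName has DCs below the target OS:"
        $downlevel | Format-Table Name, OperatingSystem, Site, IsReadOnly -AutoSize
    }
}

if ($blocked) {
    Write-Warning 'Upgrade or demote the downlevel DCs first; the raise is effectively one-way.'
    return
}

# Raise every domain first, then the forest: the forest level requires each domain
# to be at least at the matching domain level. Remove -WhatIf to apply.
foreach ($domainName in $forest.Domains) {
    Set-ADDomainMode -Identity $domainName -DomainMode $targetDomainMode -WhatIf
}
Set-ADForestMode -Identity $forest.Name -ForestMode $targetForestMode -WhatIf
```

`Set-ADDomainMode` and `Set-ADForestMode` prompt for confirmation when run without `-WhatIf`; leave the prompt in place, since there is no supported undo once the change replicates.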
The Key Distribution Center (KDC) runs on every DC. It handles Kerberos AS (Authentication Service) exchanges, which issue ticket-granting tickets (TGTs), and TGS (Ticket Granting Service) exchanges, which issue service tickets. TGTs are encrypted with the key of the domain's krbtgt account, so anyone holding that account's hash (obtained, for example, from NTDS.dit) can forge a TGT for any principal. After a DC compromise the krbtgt password must be reset twice, with replication allowed to complete in between, because the KDC accepts tickets under both the current and the previous key.
Netlogon manages DC location (the DNS SRV lookups and the follow-up LDAP ping that pick a live, site-appropriate DC), establishes the secure channel between a domain member and its DC, and passes authentication requests through to DCs in trusting domains.
AD DS depends on DNS for DC location. Each DC registers SRV records (_kerberos._tcp, _ldap._tcp, _gc._tcp, plus per-site variants under _sites and the forest-wide records under _msdcs) so that clients can find a KDC, an LDAP server or a GC. Microsoft DNS with AD-integrated zones is the standard deployment. Those zones should accept only secure dynamic updates: whoever can write the SRV or host records can point every client at a server of their choosing, so DNS record permissions are part of the directory's attack surface.
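Seeing the locator records a client actually resolves makes the dependency on DNS concrete. The script below is an added example, not from the original page: it issues the SRV lookups a domain member makes for DCs, KDCs, the PDC emulator and GCs, sorted the way clients select among them, and then asks Netlogon for its own answer. It reads the domain from the `USERDNSDOMAIN` environment variable of a domain-joined session, takes the forest root from the RSAT ActiveDirectory module (because `_gc` records live under the forest root, not under each domain), and uses the built-in `Resolve-DnsName` and `nltest`.

```powershell
# Added example (not from the original page): DC locator SRV lookups, client-style.
# Assumes a domain-joined session (USERDNSDOMAIN set) and RSAT ActiveDirectory.
Import-Module ActiveDirectory
$domain     = $env:USERDNSDOMAIN
$forestRoot = (Get-ADForest).RootDomain
$site       = (nltest /dsgetsite)[0].Trim()   # first output line is this client's site name

$queries = [ordered]@{
    'writeable DCs (domain)'   = "_ldap._tcp.dc._msdcs.$domain"
    'KDCs (domain)'            = "_kerberos._tcp.dc._msdcs.$domain"
    'DCs in my site'           = "_ldap._tcp.$site._sites.dc._msdcs.$domain"
    'PDC emulator'             = "_ldap._tcp.pdc._msdcs.$domain"
    'global catalogs (forest)' = "_gc._tcp.$forestRoot"
}

foreach ($entry in $queries.GetEnumerator()) {
    Write-Output "== $($entry.Key): $($entry.Value)"
    # Resolve-DnsName also returns the A records from the additional section; keep
    # only SRV. Clients try the lowest Priority first and choose among equal
    # priorities in proportion to Weight, so sort the same way.
    Resolve-DnsName -Name $entry.Value -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Format-Table NameTarget, Port, Priority, Weight -AutoSize
}

# Netlogon's own selection: same records, plus the LDAP ping that confirms the DC is
# live and in (or closest to) this site. /gc additionally requires a global catalog;
# /force bypasses the cached answer so you see a fresh locator run.
nltest /dsgetdc:$domain /gc /force
```

If the site-specific query returns nothing while the domain-wide one does, clients in that site are authenticating across the WAN; if it returns a host you do not recognise, look at who can update the _msdcs zone.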
The Knowledge Consistency Checker (KCC) runs on every DC and builds the replication topology automatically. It runs every 15 minutes by default and creates NTDS Connection objects: within a site it forms a bidirectional ring between DCs, and between sites one DC per site, the Intersite Topology Generator (ISTG), creates connections over site links according to their costs.
SYSVOL (Group Policy templates and logon scripts) is replicated between DCs separately from the directory database. Modern environments use DFS Replication (DFSR); FRS is legacy, and a domain still on FRS must be migrated with dfsrmig before Windows Server 2019 or later DCs can be promoted. Because every domain member executes what it finds under SYSVOL\<domain>\Policies, write access to SYSVOL on any DC is equivalent to code execution on every computer the affected GPOs apply to; audit its permissions alongside the DCs themselves.
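The three mechanisms just described (directory replication, the KCC's connection objects, and SYSVOL replication) each have their own health signal. The script below is an added example, not from the original page: one pass that flags replication partners with failures or stale syncs, lists KCC-generated versus hand-made connection objects, and reports the FRS-to-DFSR migration state. It assumes the RSAT ActiveDirectory module plus the built-in `repadmin` and `dfsrmig` tools, run as a domain administrator.

```powershell
# Added example (not from the original page): replication health pass for AD DS.
# Assumes RSAT ActiveDirectory, repadmin and dfsrmig, run with domain admin rights.
Import-Module ActiveDirectory

# 1. Directory replication: partners whose last attempt failed or that have not
#    succeeded in the last 24 hours (constructed threshold; tune to your SLA).
$stale = (Get-Date).AddHours(-24)
$problems = Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -Scope Server -ErrorAction SilentlyContinue
} | Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt $stale }

if ($problems) {
    Write-Warning 'Replication partners with failures or stale sync:'
    $problems | Format-Table Server, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures -AutoSize
} else {
    Write-Output 'All inbound replication partners healthy within the last 24 h.'
}
repadmin /replsummary      # the classic one-screen summary per source and destination DC

# 2. KCC topology: AutoGenerated = $true means the KCC created and maintains the
#    connection. Manual connections are never rebuilt by the KCC and usually mark
#    an old workaround worth revisiting.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Sort-Object AutoGenerated |
    Format-Table -AutoSize

# 3. SYSVOL: DFSR migration state. 'Eliminated' means FRS is fully retired; any
#    earlier state (Start, Prepared, Redirected) still depends on FRS and blocks
#    promotion of Windows Server 2019 or later DCs.
dfsrmig /getglobalstate
```

A DC that appears in the stale list and also has no KCC-generated connections is usually one whose NTDS Settings object has been orphaned; check `repadmin /showrepl <dc>` for the specific error before touching the topology by hand.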