Active Directory FAQs

Here is a collection of frequently asked question from our readers concerning Microsoft Active Directory. Browse the list below to find information and resources on Active Directory basics, with details on DNS, replication, security and more.

Don't see what you're looking for here? Check out our Active Directory topics page for more information, or pose a question to our IT Knowledge Exchange forum.

FREQUENTLY ASKED QUESTIONS: Active Directory

1. What is Microsoft Active Directory?
   Active Directory is Microsoft's directory service for the Windows architecture. It is a centralized and standardized system that automates network management of user data, security and distributed resources and enables interoperation with other directories.

   First introduced with Windows 2000 Server, Active Directory is designed especially for distributed networking environments, and provides a single hierarchical view from which to access and manage all network resources.

   You can find a more detailed explanation of what Active Directory does from our Active Directory tutorial.

2. What are the benefits of Active Directory over Windows NT 4.0 directory services?
   Active Directory marked a shift in the way that Microsoft manages directory services, moving from the flat and fairly restrictive namespaces used by NT4 domains toward an actual hierarchical directory structure. There's a sample chapter from the Windows 2000 technical reference that provides a good introduction into the major differences between the NT4 and Active Directory directory services.

3. What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory?
   Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain. This article breaks down some of the key AD enhancements included with Windows Server 2003.

   The release of Windows Server 2003 SP1 included more improvements to Active Directory, including changes to default tombstone lifetimes, simpler troubleshooting and the ability to run domain controllers using virtualization technology.

4. Is there any difference in Windows 2000 and 2003 group polices?
   Windows Server 2003 introduced numerous changes to the default settings that can be affected by Group Policy. You can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference.

5. What is the role of DNS in Active Directory?
   Active Directory relies heavily on DNS (domain name system) to function, but not just any DNS. Active Directory is highly dependent on the Microsoft DNS service found on Windows server systems or equivalents. However, though not highly recommended, it is possible integrate a non-Microsoft DNS to use with Active Directory.

   Check out this article for a more detailed explanation of how DNS works.

6. When setting up a DNS server, can I give a DNS zone and an Active Directory domain the same name?
   Not only can you, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background.

7. How do I design two domains with DNS and Active Directory?
   For Windows Server 2003, your best bet is going to be the Deployment Kit, which is available online from Microsoft's website. The section on "Deploying Network Services" will assist you in designing and installing your DNS servers, and the section on "Designing and Deploying Directory and Security Services" will assist you with deploying Active Directory and configuring trust relationships.

8. Why is replication important to Active Directory?
   Replication is the process of sending update information for data that has changed in the directory to other domain controllers. It is key to the health and stability of an Active Directory environment, as without proper and timely replication, a domain will be unable to function effectively.

   There are three main elements or components that are replicated between domain controllers: the domain partition replica, the global catalog and the schema. It is important to have a firm understanding of replication and how it takes place, both within the domain and in multiple-site environments.

   For a more detailed explanation of how replication works in AD, see our Active Directory replication guide.

9. Are there any security best practices for Active Directory design?
   Layered security is the best method to use when planning and designing a security solution. This involves placing your valued assets at the center of your environment and building or deploying multiple concentric circles or rings of protection around those assets. Thus, violations to confidentiality, integrity, or availability must overcome numerous security restrictions, precautions and protections before being able to affect your assets.

   While Microsoft has increased the default security within Active Directory for Windows Server 2003 and 2008 installations, you still need to consider additional security settings after it is installed. This tutorial provides more security best practices for Active Directory.

10. What's new in Active Directory for Windows Server 2008?
    Windows 2008 Active Directory includes several new features, including read-only domain controllers, new roles for Server Core and a restartable AD.