Microsoft Active Directory

Active Directory is a directory services system, similar in nature to Novell's eDirectory, which allows network objects such as users and groups to be placed into logical areas of a database. This database can then be distributed among various serversall of which participate in the Active Directory structure. Because all the network object information is placed in a single database, albeit a distributed one, it can be used by any network application or subsystem, eliminating the need for duplicate information to be held on each server of the network. In the case of Microsoft server operating systems, Windows 2000 was the first network operating system to take this approach. Previous to this, user accounts on Windows servers were stored on each server, and special relationships called trusts had to be set up in order to allow users on one server to access resources in another. In Active Directory, trusts still exist, though their role is somewhat different.

Windows servers on a network can either be domain controllers or member servers. Domain controllers are servers that have Active Directory installed and hold a copy of the Active Directory database. The term domain is used to describe a logical section of the Active Directory database. Domain controllers store user account information, so they can provide network authentication. An Active Directory domain can have several domain controllers, with each one having a read/write copy of the Active Directory database. In fact, for fault-tolerant reasons, this is a good strategy to employ.

Member servers are not involved in the authentication of network users and do not take part in the Active Directory replication process. Member servers are commonly employed as file and print servers, or with additional software, as database servers, Web servers, firewalls, or servers for other important network services such as DHCP and DNS.

Windows Authentication

The authentication process facilitated by a Windows server allows users logging on to the network to identify themselves to the Active Directory, and subsequently to access all the network resources to which they have permissions. This means that it is necessary to log on only once to access all the resources on the network. The nature of directory services means that other applications, such as a Web server, can interface with the directory and use the same authentication information.

In addition to the standard authentication mechanism of usernames and passwords, Windows server platforms also support other authentication systems such as smartcards and biometrics. Implementation of these methods requires additional hardware and software.