Active Directory (AD) is a database and set of services that connect userswith the network resources they need to get their work done.

You are watching: In a windows domain, where is the centralized database kept?

The database (or directory) contains critical information about yourenvironment, including what users and computers there are and who’sallowed to do what. For example, the database might list 100 user accountswith details like each person’s job title, phone number and password. Itwill also record their permissions.

The services control much of the activity that goes on in your ITenvironment. In particular, they make sure each person is who they claim to be(authentication), usually by checking the user ID and password they enter, andallow them to access only the data they’re allowed to use(authorization).

Read on to learn more about the benefits of Active Directory, how it worksand what’s in an Active Directory database.

Active Directory simplifies life for administrators and end users whileenhancing security for organizations. Administrators enjoy centralized userand rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature. Users can authenticateonce and then seamlessly access any resources in the domain for whichthey’re authorized (single sign-on). Plus, files are stored in a centralrepository where they can be shared with other users to ease collaboration,and backed up properly by IT teams to ensure business continuity.


The main Active Directory service is Active Directory Domain Services (AD DS), which is part of the Windows Server operating system. The servers thatrun AD DS are called domain controllers (DCs). Organizations normally havemultiple DCs, and each one has a copy of the directory for the entire domain.Changes made to the directory on one domain controller — such aspassword update or the deletion of a user account — are replicated tothe other DCs so they all stay up to date. A Global Catalog server is a DCthat stores a complete copy of all objects in the directory of its domain anda partial copy of all objects of all other domains in the forest; this enablesusers and applications to find objects in any domain of their forest.Desktops, laptops and other devices running Windows (rather than WindowsServer) can be part of an Active Directory environment but they do not run ADDS. AD DS relies on several established protocols and standards, includingLDAP (Lightweight Directory Access Protocol), Kerberos and DNS (Domain NameSystem).

It’s important to understand that Active Directory is only foron-premises Microsoft environments. Microsoft environments in the cloud useAzure Active Directory, which serves the same purposes as its on-premnamesake. AD and Azure AD are separate but can work together to some degree ifyour organization has both on-premises and cloud IT environments (a hybriddeployment).


AD has three main tiers: domains, trees and forests. A domain is a group ofrelated users, computers and other AD objects, such as all the AD objects foryour company’s head office. Multiple domains can be combined into atree, and multiple trees can be grouped into a forest.

Keep in mind that a domain is a management boundary. The objects for a given domain are stored in a single database and can be managed together. A forest is a security boundary. Objects in different forests are not able to interact with each other unless the administrators of each forest create a trust between them. For instance, if you have multiple disjointed business units, you probably want to create multiple forests.


The Active Directory database (directory) contains information about the AD objects in the domain. Common types of AD objects include users, computers, applications, printers and shared folders. Some objects can contain other objects (which is why you’ll see AD described as “hierarchical”). In particular, organizations often simplify administration by organizing AD objects into organizational units (OUs) and streamline security by putting users into groups. These OUs and groups are themselves objects stored in the directory.

Objects have attributes. Some attributes are obvious and some are more behind the scenes. For example, a user object typically has attributes like the person’s name, password, department and email address, but also attributes most people never see, such as its unique Globally Unique Identifier (GUID), Security Identifier (SID), last logon time and group membership.

Databases are structured, which means there is a design that determines what types of data they store and how that data is organized. This design is called a schema. Active Directory is no exception: Its schema contains formal definitions of every object class that can be created in the Active Directory forest and every attribute that can exist in an Active Directory object. AD comes with a default schema, but administrators can modify it to suit business needs. The key thing to know is that it’s best to plan the schema carefully up front; because of the central role AD plays in authentication and authorizations, changing the schema of the AD database later can dramatically disrupt your business.

* is the go-to vendor for Active Directory solutions. We can help youmanage, secure, migrate and report on your AD environment to drive yourbusiness forward. Here’s where you can learn more:

Learn More


Gartner Report: Protect, Detect and Recover From Ransomware White Paper

Gartner Report: Protect, Detect and Recover From Ransomware Software helps you protect AD backups from malware and minimize the impact of ransomware attacks with the latest release of Recovery Manager for Active Directory Disaster Recovery Edition and the new Secure Storage capability. Read White Paper
On-Demand Webcast: Best Practices to Avoid Common Active Directory Migration Mistakes On Demand Webcast
On-Demand Webcast: Best Practices to Avoid Common Active Directory Migration Mistakes Mergers, acquisitions, and divestitures are common business activities that can have a huge impact on your Microsoft 365 tenant. These events come with complicated legal maneuvers and rigid timelines. Watch Webcast
Be Prepared for Ransomware Attacks with Active Directory Disaster Recovery Planning Reduce your organization’s risk with an effective Active Directory recovery strategy. Read White Paper
Colonial Pipeline Ransomware and MITRE ATT&CK Tactic TA0040 Ransomware attacks are exploiting Active Directory. This security-expert-led webcast explores a 3-prong defense against them. Watch Webcast
M&A IT Integration Checklist: Active Directory If your organization is involved in a merger and acquisition, the impending IT integration project might seem overwhelming. But it needn’t be. In fact, the project can be the perfect opportunity to clean up, consolidate and modernize your Microsoft IT infrastructure to meet the business requir Read Technical Brief
Nine Best Practices to Improve Active Directory Security and Cyber Resilience This ebook explores the anatomy of an AD insider threat and details the best defense strategies against it. Read E-book
Five Ways to Secure Your Group Policy Discover how to dramatically improve security by ensuring proper GPO governance. Read E-book
Protect Your Active Directory from Ransomware using the NIST Cybersecurity Framework On Demand Webcast
Protect Your Active Directory from Ransomware using the NIST Cybersecurity Framework Learn guidance on how to identify, protect, detect, respond to, and recover from ransomware cyberattacks. Watch Webcast
Azure AD Conditional Access: What is it? Do we need it?

Learn what Azure AD Conditional Access is, who needs to use it and how to set it up.

Zero trust: What it is, why you need it, and how to get started

Everyone’s talking about Zero Trust security. Learn what it is, the benefits and downsides, and steps your organization can take to get started.

10 Microsoft service account best practices

Microsoft service accounts are a critical part of your Windows ecosystem. Learn what they are and 10 best practices for managing them efficiently.

How hackers exploit Group Policy Objects (GPOs) to attack your Active Directory

Group Policy objects (GPOs) are prime targets for hackers. Learn how and why they target this critical feature of your Active Directory environment.

Azure AD Connect: How it works and best practices for synchronizing your data

Learn how Azure AD Connect works, what data it syncs and best practices to apply when using it in your Active Directory environments.

See more: What Is Mr Avery'S Claim To Fame, In Chapter 6 Of To Kill A Mockingbird, What Is Mr

What is KRBTGT and why should you change the password?

Learn what KRBTGT is, when to update it and get answers to the toughest usmam.orgions about how to minimize your organization’s authentication vulnerabilities.