Active Directory Domain Services (AD DS) and its related services form the foundation for enterprise networks that run Windows® operating systems. The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical directory, and provides a method for applying configuration and security settings for objects in the enterprise. This module covers the structure of AD DS and its various components, such as forest, domain, and organizational units (OUs).


The process of installing AD DS on a server is refined and improved with Windows Server 2012. This module examines some of the choices that are available with Windows Server 2012 for installing AD DS on a server.
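One of those choices is to perform the whole installation from PowerShell with the ADDSDeployment module, which in Windows Server 2012 replaced the dcpromo wizard. The following is an added example, not code from this module: it promotes a member server to the first domain controller of a new forest. The domain name corp.example.com, the NetBIOS name CORP, and the D: drive paths are assumed values; adjust them for your environment.

```powershell
# Added example (not part of the original module): promote a Windows Server 2012
# member server to the first domain controller of a new forest with the
# ADDSDeployment cmdlets. Domain name, NetBIOS name and paths are assumptions.

# 1. Install the AD DS role binaries plus the RSAT tools. This does not promote the server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Prompt for the Directory Services Restore Mode (DSRM) password instead of
#    embedding a clear-text secret in the script.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# 3. Dry run: reports prerequisite problems (name resolution, forest and domain
#    mode, DNS delegation) without changing anything.
Test-ADDSForestInstallation -DomainName 'corp.example.com' `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# 4. Create the forest root domain. Keeping the database, log and SYSVOL on a
#    volume separate from the OS is a common practice; -NoRebootOnCompletion lets
#    you inspect %SystemRoot%\debug\dcpromo.log before the required reboot.
Install-ADDSForest `
    -DomainName 'corp.example.com' `
    -DomainNetbiosName 'CORP' `
    -ForestMode 'Win2012' `
    -DomainMode 'Win2012' `
    -InstallDns `
    -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion -Force

# 5. Reboot once you have reviewed the log; the server comes up as a domain controller.
Restart-Computer

# Later, to add a second domain controller to the same domain from another
# member server (assumed credential name):
#   Install-ADDSDomainController -DomainName 'corp.example.com' `
#       -Credential (Get-Credential 'CORP\Administrator') `
#       -InstallDns -SafeModeAdministratorPassword $dsrm
```

Run the script in an elevated PowerShell session on the server being promoted. The DSRM password is the local Administrator password used when the domain controller is booted into Directory Services Restore Mode, so treat it like any other domain-controller credential and record it in your password vault.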

The AD DS database stores information on user identity, computers, groups, services and resources. AD DS domain controllers also host the service that authenticates user and computer accounts when they log on to the domain. Because AD DS stores information about all of the objects in the domain, and all users and computers must connect to AD DS domain controllers when signing into the network, AD DS is the primary means by which you can configure and manage user and computer accounts on your network.

AD DS is composed of both physical and logical components. You need to understand how the components of AD DS work together so that you can manage your network efficiently and control which resources your users can access. Many other capabilities build on AD DS, including installing and configuring software and updates, managing the security infrastructure, enabling Remote Access and DirectAccess, and issuing and managing certificates.

One of the AD DS features is Group Policy, which enables you to configure centralized policies that you can use to manage most objects in AD DS. Understanding the various AD DS components is important to successfully using Group Policy.

What Are AD DS Domains?

An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of management and security. All of these objects are stored in the AD DS database, and a copy of this database is stored on every domain controller in the AD DS domain.

Several types of objects can be stored in the AD DS database, including user accounts. User accounts provide the mechanism by which you authenticate users and then authorize them to access resources on the network. Each domain-joined computer must also have a computer account in AD DS; this is what allows domain administrators to apply policies defined in the domain to those computers. The domain also stores groups, which collect objects such as user accounts and computer accounts together for administrative or security purposes.

The AD DS domain is also a replication boundary for the domain partition (the domain naming context). When any object in the domain changes, that change is replicated automatically to every other domain controller in the domain, but not to domain controllers in other domains. Two further partitions, the schema and configuration partitions, are shared by the whole forest and replicate to every domain controller in the forest; global catalog servers additionally hold a partial, read-only replica of every domain partition in the forest.


An AD DS domain is an administrative center. It contains a built-in Administrator account and a Domain Admins group, both of which have full control over every object in the domain. Their scope is the domain itself: Domain Admins of one domain have no inherent rights in another domain. The forest-wide groups, Enterprise Admins and Schema Admins, exist only in the forest root domain, and the Domain Admins of the forest root domain control membership of those groups, which is why the forest root domain deserves the strongest protection. Note that the domain is an administrative boundary, not a security boundary; the forest is the security boundary, because every domain in a forest trusts every other, and control of any domain controller can be escalated to the rest of the forest. Password and account lockout rules are managed at the domain level by default through the Default Domain Policy; fine-grained password policies let you apply stricter settings to specific users or groups within a domain. The AD DS domain also provides an authentication center. All user accounts and computer accounts in the domain are stored in the domain database, and users and computers must contact a domain controller to authenticate.

A single domain can contain more than 1 million objects, so most organizations need to deploy only a single domain. Organizations that have decentralized administrative structures, or that are distributed across multiple locations, might instead implement multiple domains in the same forest.
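The replication and administrative scoping described in the two preceding paragraphs can be verified directly with the Active Directory module for Windows PowerShell. The following is an added example, not code from this module: it enumerates the forest and its domains, shows which admin groups are domain-scoped and which are forest-scoped, lists the partitions a domain controller replicates, and reports the effective password policy. It assumes the Active Directory module (installed with the RSAT tools) and an account that can read group membership; all output is read-only.

```powershell
# Added example (not part of the original module): inspect the forest, domain,
# privileged groups, replication partitions and password policy of the domain
# the current session is joined to. Read-only; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest root versus the domain you are logged on to; the root is where the
# forest-wide groups live.
"Forest root domain : {0}" -f $forest.RootDomain
"Current domain     : {0}" -f $domain.DNSRoot
"Domains in forest  : {0}" -f ($forest.Domains -join ', ')

# Domain-scoped administrators: membership resolved recursively so that nested
# groups do not hide an account.
"`n[Domain Admins in $($domain.DNSRoot)]"
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object name, objectClass, distinguishedName

# Forest-scoped administrators exist only in the forest root domain, so query a
# domain controller of that domain explicitly.
$rootDc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    "`n[$group in $($forest.RootDomain), queried via $rootDc]"
    Get-ADGroupMember -Identity $group -Server $rootDc -Recursive |
        Select-Object name, objectClass, distinguishedName
}

# Partitions held by this domain controller: the domain naming context is the
# per-domain replica; the configuration and schema contexts are forest-wide.
"`n[Naming contexts on $($domain.PDCEmulator)]"
(Get-ADRootDSE -Server $domain.PDCEmulator).namingContexts

# Inbound replication partners for the domain partition only, with the last
# success time and result code (0 = success).
"`n[Replication partners for the domain partition]"
Get-ADReplicationPartnerMetadata -Target $domain.PDCEmulator `
    -Partition $domain.DistinguishedName |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# Domain-level password and lockout settings, then any fine-grained policies
# that override them for particular users or groups (lower Precedence wins).
"`n[Default Domain Password Policy]"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, LockoutThreshold,
                  MaxPasswordAge, ComplexityEnabled

"`n[Fine-grained password policies]"
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```

Run it from a workstation or server with RSAT installed while logged on to the domain. Two things worth checking in the output: any account that appears under Enterprise Admins or Schema Admins outside a scheduled change window, and any fine-grained policy whose settings are weaker than the default domain policy, since a low-precedence policy silently wins for the users it applies to.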