Definition of Active Directory
Active Directory is Microsoft's directory service and Enterprise Network Operating System (ENOS) for Windows 2000 Server and Windows Server 2003. Active Directory is an integral part of the Windows server product, in that you cannot purchase or install it separately. Any Windows 2000/2003 server (besides the Web Edition) can be "promoted" to be an Active Directory domain controller. Active Directory serves as the store for user and computer accounts within an organization, as well as many other types of objects.
It is not possible to explain something like Active Directory thoroughly in just a few paragraphs. Some fantastic books already cover the subject in detail, such as Active Directory, Third Edition.[1] However, a few key concepts are especially relevant to developers.
[1] Allen, R., and J. Richards. 2006. Active Directory, Third Edition. Sebastopol, Calif.: O'Reilly.
Domain
The domain is the fundamental organizing concept for objects in Active Directory. A domain defines a directory partition or naming context (discussed shortly) where objects such as users, groups, and computers are stored and organized in a hierarchy. The domain also forms a replication boundary, in that the objects in a domain replicate only with other domain controllers for that domain.
Domain Tree
A domain tree is a collection of domains organized in a hierarchy and sharing the same DNS namespace. A domain tree also shares a common security relationship through trust relationships.
Forest
A forest is essentially a collection of domain trees that share a common schema, global catalog, and security relationship via trust relationships. We like to say that a forest is an Active Directory. Note that a forest need not contain more than one domain, but may contain many domains that can have complex hierarchical relationships to each other. Forests also do not need to have a contiguous namespace. For example, a forest can include two domain trees, such as "bigcompany.biz" and "mydomain.com".
Domain Controller
A domain controller is a Windows server that is specifically designated to provide directory services to a particular domain. Some directory services provided by the domain controller include LDAP access to the directory store, a Kerberos Key Distribution Center (KDC) for Kerberos authentication services, and replication services to synchronize information in the directory with other domain controllers in the domain. A domain controller provides other directory services, such as DNS, but we are primarily interested in LDAP from a programming perspective.
A domain controller has at least three directory partitions, or naming contexts, that can be searched via LDAP. In addition to the domain partition that contains familiar objects such as users, groups, and computers, a domain controller has a configuration partition and a schema partition. As their names imply, the configuration partition contains configuration information such as replication topology, and the schema partition contains a description of the schema. Note that the configuration and schema partitions are replicated throughout the whole forest, unlike the domain partition, which is replicated only to other domain controllers in its domain.
Global Catalog
The global catalog provides a mechanism that enables us to search the entire forest at once instead of searching in a specific domain. It exists to solve the problem of "I know the object is in the forest somewhere, but I have no idea which domain it is actually in." The global catalog contains a partial replica of every object in every domain in the forest that includes the data we are most likely to want to use in a search. Global catalog searches are essentially just LDAP searches on a different TCP/IP port. Note that not every domain controller is a global catalog server, although that is certainly possible. We definitely need to have at least one!
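The forest, domain tree, partition and global catalog concepts above fit together in a way that is easy to get wrong when writing search code, so here is an added example (not from the book) that models them in Python. It maps DNS domain names to partition distinguished names, groups a forest's domains into trees by DNS namespace, derives the three naming contexts a domain controller exposes, records which controllers hold a replica of each, and picks the base DN and port for a domain-scoped versus a forest-wide search. The forest layout is constructed for illustration; the port numbers 389 (LDAP) and 3268 (global catalog) are the standard ones that the text refers to only as "a different TCP/IP port".

```python
# Added example: a small model of the Active Directory naming structure
# described in the text. The forest below is constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass

LDAP_PORT = 389             # standard LDAP port: search one domain partition
GLOBAL_CATALOG_PORT = 3268  # standard global catalog port: search the whole forest

PARTITIONS = ("domain", "configuration", "schema")


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to the distinguished name of its domain partition,
    e.g. 'corp.bigcompany.biz' -> 'DC=corp,DC=bigcompany,DC=biz'."""
    labels = [label for label in dns_name.lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


@dataclass(frozen=True)
class Forest:
    """A forest: domains sharing one schema, configuration and global catalog."""
    root_domain: str
    domains: tuple[str, ...]

    def __post_init__(self) -> None:
        if self.root_domain not in self.domains:
            raise ValueError("forest root must be one of the forest's domains")

    def tree_root(self, domain: str) -> str:
        """Root of the domain tree containing `domain`: the shortest forest domain
        whose DNS name is a suffix of it, since a tree shares one DNS namespace."""
        self._check_member(domain)
        ancestors = [d for d in self.domains if domain == d or domain.endswith("." + d)]
        return min(ancestors, key=len)

    def trees(self) -> dict[str, list[str]]:
        """Group the forest's domains into domain trees, keyed by tree root."""
        grouped: dict[str, list[str]] = {}
        for d in self.domains:
            grouped.setdefault(self.tree_root(d), []).append(d)
        return grouped

    def naming_contexts(self, domain: str) -> dict[str, str]:
        """The three partitions searchable on a domain controller of `domain`.
        Configuration and schema hang off the forest root's DN, not the domain's."""
        self._check_member(domain)
        root_dn = dns_to_dn(self.root_domain)
        return {
            "domain": dns_to_dn(domain),
            "configuration": "CN=Configuration," + root_dn,
            "schema": "CN=Schema,CN=Configuration," + root_dn,
        }

    def replica_holders(self, partition: str, domain: str) -> set[str]:
        """Domains whose controllers hold a replica of `partition` as seen from
        `domain`: the domain partition stays inside its domain, the other two
        replicate to every domain in the forest."""
        self._check_member(domain)
        if partition not in PARTITIONS:
            raise ValueError(f"unknown partition {partition!r}")
        return {domain} if partition == "domain" else set(self.domains)

    def _check_member(self, domain: str) -> None:
        if domain not in self.domains:
            raise ValueError(f"{domain!r} is not a domain of this forest")


def search_target(forest: Forest, domain: str, forest_wide: bool) -> tuple[str, int]:
    """Pick where an LDAP search is sent. A search confined to one domain uses that
    domain's partition DN on the LDAP port; a forest-wide search uses an empty base
    DN on the global catalog port, which only a global catalog server answers."""
    if forest_wide:
        return "", GLOBAL_CATALOG_PORT
    return forest.naming_contexts(domain)["domain"], LDAP_PORT


# Constructed forest: one tree rooted at bigcompany.biz with a child domain, plus
# a second tree with a non-contiguous namespace, as in the text's example.
EXAMPLE_FOREST = Forest(
    root_domain="bigcompany.biz",
    domains=("bigcompany.biz", "corp.bigcompany.biz", "mydomain.com"),
)

if __name__ == "__main__":
    for root, members in EXAMPLE_FOREST.trees().items():
        print(f"tree {root}: {members}")
    for name, dn in EXAMPLE_FOREST.naming_contexts("mydomain.com").items():
        print(f"{name:14} {dn}")
    print("forest-wide search ->", search_target(EXAMPLE_FOREST, "mydomain.com", True))
```

Two points worth noticing from the model: a controller for "mydomain.com" still serves a configuration partition rooted under "DC=bigcompany,DC=biz", because those partitions belong to the forest rather than the domain; and a forest-wide query returns only what the global catalog's partial replica carries, so an attribute that is not part of that replica has to be fetched with a second, domain-scoped search on port 389.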