Active Directory (AD) is an implementation of LDAP-like[1][2] directory services by Microsoft for use primarily in Windows environments. Its main purpose is to provide central authentication and authorization services for Windows-based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization. Active Directory stores information and settings in a central database. Active Directory networks can vary from a small installation with a few hundred objects to a large installation with millions of objects (though not easily [3]).
Active Directory was previewed in 1996, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in both Windows Server 2003 R2 and Windows Server 2008.
Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some AD binaries.
There is a common misconception that Active Directory provides software distribution. Software distribution is run by a separate service that uses additional proprietary schema attributes that work in conjunction with the LDAP protocol. Active Directory does not automate software distribution, but provides a mechanism by which other services can provide software distribution.
Active Directory is a directory service used to store information about the network resources across a domain.
An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g., printers), services (e.g., email), and users (user accounts and groups). The AD provides information on the objects, organizes the objects, controls access and sets security.
Each object represents a single entity — whether a user, a computer, a printer, or a group — and its attributes. Certain objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes — the characteristics and information that the object can contain — defined by a schema, which also determines the kind of objects that can be stored in the AD.
Each attribute object can be used in several different schema class objects. These schema objects exist to allow the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of AD objects, deactivating or changing these objects can have serious consequences because it will fundamentally change the structure of AD itself. A schema object, when altered, will automatically propagate through Active Directory and once it is created it can only be deactivated — not deleted. Changing the schema usually requires a fair amount of planning. [4]
The framework that holds the objects is viewed at a number of levels. At the top of the structure is the Forest - the collection of every object, its attributes, and rules (attribute syntax) in the AD. The forest holds one or more transitive, trust-linked Trees. A tree holds one or more Domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace.
The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration, and can give a semblance of the structure of the AD's company in organizational or geographical terms. OUs can contain OUs - indeed, domains are containers in this sense - and can hold multiple nested OUs. Microsoft recommends as few domains as possible in AD and a reliance on OUs to produce structure and improve the implementation of policies and administration. The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.
AD also supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g., WAN, VPN) and high-speed (e.g., LAN) connections. Sites are independent of the domain and OU structure and are common across the entire forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Exchange 2007 also uses the site topology for mail routing. Policies can also be applied at the site level.
The actual division of the company's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type. These models are also often used in combination. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.
Physically the Active Directory information is held on one or more equal peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the AD; changes on one computer are synchronized (converged) between all the DC computers by multi-master replication. Servers joined to AD which are not domain controllers are called Member Servers. The AD database is split into different stores or partitions. Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). The 'Domain' partition holds all objects created in that domain. The first two partitions replicate to all domain controllers in the Forest. The Domain partition replicates only to Domain Controllers within its domain. A subset of objects in the domain partition is also replicated to domain controllers that are configured as global catalogs.
Unlike earlier versions of Windows which used NetBIOS to communicate, Active Directory is fully integrated with DNS and TCP/IP — indeed DNS is required. To be fully functional, the DNS server must support SRV resource records or service records.
AD replication is 'pull' rather than 'push'. The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication. A different 'cost' can be given to each link (e.g., DS3, T1, ISDN etc.) and the site link topology will be altered accordingly by the KCC. Replication between domain controllers may occur transitively through several site links on same-protocol site link bridges, if the 'cost' is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site.
In a multi-domain forest the AD database becomes partitioned. That is, each domain maintains a list of only those objects that belong in that domain. So, for example, a user created in Domain A would be listed only in Domain A's domain controllers. Global catalog (GC) servers are used to provide a global listing of all objects in the Forest. The Global catalog is held on domain controllers configured as global catalog servers. Global Catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, in order to minimize replication traffic and to keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.
Replication of Active Directory uses Remote Procedure Calls (RPC over IP [RPC/IP]). Between Sites you can also choose to use SMTP for replication, but only for changes in the Schema or Configuration. SMTP cannot be used for replicating the Domain partition. In other words, if a domain exists on both sides of a WAN connection, you must use RPCs for replication.
The AD database, the directory store, in Windows 2000 uses the JET Blue-based Extensible Storage Engine (ESE98), limited to 16 terabytes and 1 billion objects in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects. (NT4's Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. In Windows 2003 a third main table was added for security descriptor single instancing. [5]
Active Directory is a necessary component for many Windows services in an organization such as Exchange.
Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. Although the AD domain controllers operate in a multi-master model, i.e. updates can occur in multiple places at once, there are several roles that are necessarily single instance:
| Role Name | Scope | Description |
|---|---|---|
| Schema Master | 1 per forest | Controls updates to the Schema |
| Domain Naming Master | 1 per forest | Controls the addition and removal of domains from the forest |
| PDC Emulator | 1 per domain | Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDCs also run domain specific processes such as the Security Descriptor Propagator (SDPROP), and is the master time server within the domain. |
| RID Master | 1 per domain | Allocates pools of unique identifiers to domain controllers for use when creating objects |
| Infrastructure Master | 1 per domain | Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (unless all DCs are also GCs.) |
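The partition and global catalog replication scope described above, together with the Infrastructure Master placement rule from the table, as a small model. This is an added illustration, not Microsoft's implementation; the forest, the partial attribute set (PAS) and the object attributes are constructed for the example.

```python
"""Which DCs hold which data: forest-wide partitions go everywhere, a domain
partition stays in its domain, and GCs get only PAS attributes of foreign
domains. Constructed example, not read from a live directory."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    global_catalog: bool = False

@dataclass
class DirectoryObject:
    partition: str              # "schema", "configuration", or the owning domain
    attributes: Dict[str, str]

# Assumed PAS for this example; the real set is defined by the schema.
PAS = {"cn", "sAMAccountName", "objectGUID", "mail"}

def replica_on(obj: DirectoryObject, dc: DomainController) -> Optional[Dict[str, str]]:
    """Attributes of obj present on dc, or None if dc holds no copy at all."""
    if obj.partition in ("schema", "configuration"):
        return dict(obj.attributes)        # replicated to every DC in the forest
    if obj.partition == dc.domain:
        return dict(obj.attributes)        # full replica inside the owning domain
    if dc.global_catalog:
        # A GC lists every domain's objects but carries only PAS attributes
        return {k: v for k, v in obj.attributes.items() if k in PAS}
    return None

def replication_map(obj: DirectoryObject, forest: List[DomainController]):
    return {dc.name: replica_on(obj, dc) for dc in forest}

def infrastructure_master_ok(holder: DomainController, forest: List[DomainController]) -> bool:
    """The Infrastructure Master must not be a GC unless all DCs are GCs;
    'all DCs' is taken here to mean the DCs of the holder's own domain."""
    if not holder.global_catalog:
        return True
    return all(dc.global_catalog for dc in forest if dc.domain == holder.domain)

if __name__ == "__main__":
    forest = [DomainController("dc1", "a.foo.org", True),
              DomainController("dc2", "a.foo.org"),
              DomainController("dc3", "b.foo.org", True)]
    user = DirectoryObject("a.foo.org", {"cn": "jdoe", "sAMAccountName": "jdoe",
                                         "objectGUID": "guid-1", "description": "contractor"})
    for dc, attrs in replication_map(user, forest).items():
        print(dc, attrs)
```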
AD supports UNC (\), URL (/), and LDAP URL names for object access. AD internally uses the LDAP version of the X.500 naming structure.
Every object has a Distinguished name (DN), so a printer object called HPLaser3 in the OU Marketing and the domain foo.org would have the DN CN=HPLaser3,OU=Marketing,DC=foo,DC=org, where CN is common name and DC is domain object class; DNs can have many more than four parts. The object can also have a Canonical name, essentially the DN in reverse, without identifiers, and using slashes: foo.org/Marketing/HPLaser3. To identify the object within its container the Relative distinguished name (RDN) is used: CN=HPLaser3. Each object also has a Globally Unique Identifier (GUID), a unique and unchanging 128-bit string which is used by AD for search and replication. Certain objects also have a User principal name (UPN), an objectname@domain name form.
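The DN, RDN and canonical name forms above, derived from one another by a small parser. This is an added example, not code from the page; it assumes RFC 2253-style backslash escaping of commas inside values, which the article does not discuss.

```python
"""Parse an AD distinguished name and derive the RDN and canonical name.
Added example; the sample DNs are constructed."""
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs from most to least specific,
    treating a backslash-escaped character (e.g. '\\,') as literal."""
    parts: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped char: keep it, skip the backslash
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            parts.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"trailing RDN without '=' in {dn!r}")
    parts.append((attr, "".join(buf).strip()))
    return parts

def rdn(dn: str) -> str:
    """The leftmost component names the object within its container."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def canonical_name(dn: str) -> str:
    """Domain components joined with dots, then the containers and the
    object from the root down, separated by slashes (foo.org/Marketing/HPLaser3)."""
    parts = parse_dn(dn)
    domain = [v for a, v in parts if a.upper() == "DC"]
    others = [v for a, v in parts if a.upper() != "DC"]
    return "/".join([".".join(domain)] + list(reversed(others)))

if __name__ == "__main__":
    dn = "CN=HPLaser3,OU=Marketing,DC=foo,DC=org"
    print(rdn(dn), canonical_name(dn))
```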
To allow users in one domain to access resources in another, AD uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
Windows 2000 supports the following types of trusts:
Additional trusts can be created by administrators. These trusts can be:
Windows 2003 offers a new trust type - the forest root trust. This type of trust can be used to connect Windows 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted.
Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.
Like Active Directory, ADAM provides a Data Store, which is a hierarchical datastore for storage of directory data, and a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, with each instance having its own and required by applications making use of the ADAM directory service.
Many commercial vendors now offer Active Directory integration for Unix platforms (including UNIX, Linux, Mac OS X, and a number of Java- and UNIX-based applications). Some of these vendors include Thursby Software Systems (ADmitMac), Quest Software (Vintela Authentication Services), Centrify (DirectControl), and Likewise Software (Likewise Open and Likewise Enterprise). Microsoft is also in this market with their free Microsoft Windows Services for UNIX product. Recent versions of Linux and Unix operating systems provide varying levels of interoperability with Active Directory but lack advanced Active Directory capabilities such as Group Policy and support for one-way trusts.
The schema additions shipped with Windows Server 2003 Release 2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, contains support for using these attributes directly, provided they have been populated. The default Active Directory schema for group membership complies with the proposed extension, RFC 2307bis. RFC 2307bis specifies storing Unix group membership using LDAP member attributes, as opposed to the base RFC 2307 which specified storing group membership as a comma-separated list of user IDs (as was done in the Unix group file). Windows 2003 R2 includes an MMC snap-in that creates and edits the attributes.
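The RFC 2307 attribute mapping and the two group-membership conventions described above, applied to constructed AD entries to produce passwd(5) and group(5) lines. This is an added example, not PADL's nss_ldap code; it assumes the `uid` attribute carries the Unix login name and that unpopulated POSIX attributes must be rejected rather than guessed.

```python
"""Map R2 schema POSIX attributes (uidNumber, gidNumber, unixHomeDirectory,
loginShell) to passwd/group lines, resolving RFC 2307bis 'member' DNs as
well as base RFC 2307 'memberUid' values. Entries below are constructed."""
from typing import Dict, List

# Constructed AD user entries keyed by DN.
USERS: Dict[str, Dict[str, str]] = {
    "CN=jdoe,OU=Staff,DC=foo,DC=org": {
        "uid": "jdoe", "uidNumber": "10001", "gidNumber": "5000",
        "unixHomeDirectory": "/home/jdoe", "loginShell": "/bin/bash",
        "displayName": "Jane Doe",
    },
    "CN=bob,OU=Staff,DC=foo,DC=org": {
        "uid": "bob", "uidNumber": "10002", "gidNumber": "5000",
        "unixHomeDirectory": "/home/bob", "loginShell": "/bin/sh",
    },
}

REQUIRED = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

def passwd_line(entry: Dict[str, str]) -> str:
    """Build a passwd(5) line; entries whose POSIX attributes were never
    populated are refused, since the attributes are only usable once set."""
    missing = [a for a in REQUIRED if a not in entry]
    if missing:
        raise ValueError(f"missing RFC 2307 attributes: {missing}")
    return ":".join([entry["uid"], "x", entry["uidNumber"], entry["gidNumber"],
                     entry.get("displayName", ""), entry["unixHomeDirectory"],
                     entry["loginShell"]])

def group_members(group: Dict[str, object], users: Dict[str, Dict[str, str]]) -> List[str]:
    """RFC 2307bis (AD default): 'member' holds DNs, resolved to uids here.
    Base RFC 2307: 'memberUid' already holds login names."""
    names: List[str] = []
    for dn in group.get("member", []):
        user = users.get(dn)
        if user is None or "uid" not in user:
            continue            # not a POSIX-enabled user (e.g. a service account); skip
        names.append(user["uid"])
    names.extend(group.get("memberUid", []))
    return sorted(set(names))

def group_line(group: Dict[str, object], users: Dict[str, Dict[str, str]]) -> str:
    return ":".join([str(group["cn"]), "x", str(group["gidNumber"]),
                     ",".join(group_members(group, users))])

if __name__ == "__main__":
    devs = {"cn": "devs", "gidNumber": "5000",
            "member": list(USERS), "memberUid": ["alice"]}
    for e in USERS.values():
        print(passwd_line(e))
    print(group_line(devs, USERS))
```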
An alternate option is to use another directory service such as Fedora Directory Server (formerly Netscape Directory Server) or Sun Microsystems Sun Java System Directory Server, which can perform a two-way synchronization with Active Directory and thus provide a "deflected" integration with Active Directory, as Unix and Linux clients will authenticate to FDS and Windows clients will authenticate to Active Directory.
A less intrusive option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database will see entries containing both the remote and local attributes, while the remote database remains completely untouched. Given how inflexible Active Directory is in regards to schema extensions, this is a safe and effective way of extending Active Directory without destabilizing it.