What is Active Directory?
Active Directory (AD) is Microsoft's implementation of a directory service (DS).
A DS stores data in an organized format and publishes it so that clients can
look it up. AD isn't a Microsoft invention but an implementation of an existing
data model (X.500), access protocol (the Lightweight Directory Access Protocol,
LDAP), and location technology (DNS).
To understand AD, you must understand what it is supposed to achieve. A
directory is simply a container for other information.
A telephone directory is an example of a DS, because a telephone directory
contains data and a means to access and use the data. For example, a telephone
directory has various entries, and each entry has values. A telephone directory
entry consists of name, address, and telephone number values. A large directory
might group entries by location (e.g., city) or type (e.g., lawyers), or by
both. Thus a hierarchy of types could exist for each location. You might also
consider a telephone operator a DS, because the operator has access to the data.
You can request data, and the operator presents the answer to your query.
AD is a type of DS that holds information about all the resources on a
network. Clients can query AD for information about any aspect of the network.
AD's features include the following.
- Secure information storage. Each object in AD carries an access control list
(ACL) that names the security principals (users, groups, computers) allowed or
denied access to the object and what each may do to it, down to individual
attributes.
- A flexible query mechanism based on an AD-generated Global Catalog (GC).
Any client that supports AD can query the catalog.
- Directory replication to all domain controllers (DCs) in the domain, for
easy accessibility, high availability, and fault tolerance.
- An extensible design that lets you add new object types or build on
existing objects. For example, you could add a salary attribute to
the user object.
- Multiple-protocol communication. AD's X.500 foundation lets clients
communicate with it over various protocols, such as LDAPv2, LDAPv3, and HTTP.
- DNS rather than NetBIOS names for DC naming and location.
- Directory information partitioned by domain to avoid replicating an
excessive amount of information.
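The ACL on the first feature above is what a practitioner most often needs to read. AD exposes an object's security descriptor in the Security Descriptor Definition Language (SDDL), where the DACL is a list of ACEs of the form (type;flags;rights;object_guid;inherit_object_guid;trustee). The following parser is an added example written for this page, not Microsoft's code; the sample descriptor, the SID and the attribute GUID in it are constructed placeholders.

```python
import re

# Two-letter rights abbreviations used in SDDL (the subset that matters for
# directory objects). A raw "0x..." access mask is passed through unexpanded.
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP", "CC": "DS_CREATE_CHILD",
    "DC": "DS_DELETE_CHILD", "LC": "DS_LIST", "SW": "DS_SELF", "LO": "DS_LIST_OBJECT",
    "DT": "DS_DELETE_TREE", "CR": "DS_CONTROL_ACCESS",
}
# Well-known trustee abbreviations; anything else (e.g. a full S-1-5-21-... SID) is kept as-is.
TRUSTEES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
    "SY": "Local System", "AU": "Authenticated Users", "WD": "Everyone",
    "AO": "Account Operators", "PS": "Principal Self",
}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny", "AU": "audit", "AL": "alarm"}

# Constructed sample in the style of a user object's descriptor. The GUID and
# the S-1-5-21 SID are placeholders, not real identifiers.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;WP;12345678-1234-1234-1234-123456789abc;;PS)"
    "(D;;WD;;;S-1-5-21-1004336348-1177238915-682003330-1104)"
)


def parse_rights(text):
    """Expand the rights field of an ACE into named rights."""
    if text.startswith("0x"):
        return [text]
    return [RIGHTS.get(text[i:i + 2], text[i:i + 2]) for i in range(0, len(text), 2)]


def parse_dacl(sddl):
    """Return the DACL control flags and the list of ACEs from an SDDL string."""
    m = re.search(r"D:((?:P|AI|AR)*)((?:\([^)]*\))*)", sddl)
    if not m:
        return {"flags": "", "aces": []}
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {ace}")
        ace_type, ace_flags, rights, obj_guid, inh_guid, trustee = fields[:6]
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "object_specific": ace_type in ("OA", "OD"),  # scoped to one attribute/property set/child class
            "flags": ace_flags,
            "inherited": "ID" in ace_flags,
            "rights": parse_rights(rights),
            "object_guid": obj_guid,
            "inherited_object_guid": inh_guid,
            "trustee": TRUSTEES.get(trustee, trustee),
        })
    return {"flags": m.group(1), "aces": aces}


def trustees_with(dacl, right):
    """List (trustee, scope) pairs whose allow ACE grants `right`.

    scope is "*" for the whole object or the GUID of a property-scoped ACE.
    Deny ACEs (which Windows evaluates first in canonical order) and group
    membership are reported but not resolved here.
    """
    out = []
    for ace in dacl["aces"]:
        if ace["type"] != "allow":
            continue
        if right in ace["rights"] or "GENERIC_ALL" in ace["rights"]:
            out.append((ace["trustee"], ace["object_guid"] or "*"))
    return out


if __name__ == "__main__":
    dacl = parse_dacl(SAMPLE_SDDL)
    for ace in dacl["aces"]:
        print(ace["type"], ace["trustee"], ace["rights"], ace["object_guid"] or "*")
    print("can write properties:", trustees_with(dacl, "DS_WRITE_PROP"))
```

Asking "who holds DS_WRITE_PROP or WRITE_DAC on this object" is the check that matters when reviewing delegation, because a trustee with WRITE_DAC can rewrite the ACL itself; the parser surfaces object-specific ACEs separately so a property-scoped grant is not mistaken for a grant on the whole object.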
Although AD partitions directory information into different stores, you can
still query AD for information from other domains. GCs contain information about
every object in the enterprise forest, so that you can perform a forestwide
When you run DCPROMO on a Windows 2000 machine for the first time to create a
new domain, the new DC registers the domain's locator records (SRV records
under _msdcs) in DNS; DCPROMO also offers to install and configure the DNS
service if it finds none. A client then queries DNS for its domain's locator
records, which return not only the domain but also the domain's DCs. Using the
client's site (derived from its IP subnet), the locator settles on a nearby DC.
The client in turn connects to that DC's copy of the AD domain database to find
objects (e.g., printers, file servers, users, groups, organizational units (OUs))
in the domain. Because each DC stores
links to other domains in the tree, the client can search an entire tree of
A version of AD that lists all the objects in the forest is also available in
case you need to perform a search beyond the client's tree of domains. This
version is the GC. You can store the GC on any or all of the DCs in the forest.
The GC provides shorthand access to objects anywhere in the forest. However,
the GC contains only some of an object's attributes. For the whole object, you
must go to the domain AD (which is on a DC in the domain). You can configure the
GC to provide the object attributes you want.
To help you create AD objects, the DC maintains a copy of the classes and
hierarchy of classes for the whole forest. AD stores class structures in the
schema. The schema is extensible, which means that you can add classes to it.
The schema is part of Win2K's configuration namespace, which all the DCs in
a forest maintain. A namespace is a range of labels. Win2K's configuration
namespace consists of several defined items such as physical locations, Win2K
sites, and subnets. Sites are defined forest-wide rather than per domain; a site
can contain machines from any domain, but all the machines in a site should
share fast and reliable network connections, because replication within a site
runs uncompressed and on change notification rather than on a schedule. A subnet
is an IP address range assigned to a site; subnets map clients and DCs to a site,
so that clients find DCs in their own site and replication between sites can be
scheduled and compressed over site links.
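The DC-location sequence described above (DNS locator records, then the client's subnet deciding which site's DCs to prefer) is easier to reason about when laid out as code. The following is an added example written for this page, not the Windows DC locator itself; the domain corp.example.com, the subnet-to-site map and the SRV answers are constructed, and the fallback from a site with no DC straight to "any DC in the domain" is a simplification of the real locator's site-coverage logic.

```python
import ipaddress

# Constructed subnet objects, as you would define them in AD Sites and Services.
SUBNETS = {
    "10.1.0.0/16": "Chicago",
    "10.1.5.0/24": "Chicago-Lab",   # more specific than 10.1.0.0/16, so it wins for 10.1.5.x
    "10.2.0.0/16": "Denver",
}

# Constructed SRV answers: record name -> [(priority, weight, port, target), ...].
# These are the names the DC locator really queries; the hosts are made up.
SRV_ANSWERS = {
    "_ldap._tcp.dc._msdcs.corp.example.com": [
        (0, 100, 389, "dc1.corp.example.com"),
        (0, 100, 389, "dc2.corp.example.com"),
        (10, 100, 389, "dc3.corp.example.com"),
    ],
    "_ldap._tcp.Chicago._sites.dc._msdcs.corp.example.com": [
        (0, 100, 389, "dc1.corp.example.com"),
        (0, 50, 389, "dc2.corp.example.com"),
    ],
    "_ldap._tcp.Denver._sites.dc._msdcs.corp.example.com": [
        (0, 100, 389, "dc3.corp.example.com"),
    ],
    "_ldap._tcp.gc._msdcs.corp.example.com": [
        (0, 100, 3268, "dc1.corp.example.com"),
    ],
}


def srv_name(domain, site=None, gc=False):
    """DNS name the locator queries for LDAP (port 389) or GC (port 3268) servers."""
    role = "gc" if gc else "dc"
    if site:
        return f"_ldap._tcp.{site}._sites.{role}._msdcs.{domain}"
    return f"_ldap._tcp.{role}._msdcs.{domain}"


def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def order_records(records):
    """Lowest priority value first; within a priority, higher weight first.

    A real resolver picks among equal priorities at random, weighted; the
    deterministic order here is for readability and testing.
    """
    return [target for (_prio, _weight, _port, target)
            in sorted(records, key=lambda r: (r[0], -r[1]))]


def locate_dc(client_ip, domain, gc=False, subnets=SUBNETS, answers=SRV_ANSWERS):
    """Mimic the locator: try the client's own site first, else any DC in the domain."""
    site = site_for_ip(client_ip, subnets)
    if site:
        records = answers.get(srv_name(domain, site, gc), [])
        if records:
            return site, order_records(records)
    # No site match, or no DC advertises for that site: fall back to the domain-wide list.
    return site, order_records(answers.get(srv_name(domain, gc=gc), []))


if __name__ == "__main__":
    for ip in ("10.1.9.9", "10.1.5.7", "10.2.3.4", "192.168.1.1"):
        print(ip, "->", locate_dc(ip, "corp.example.com"))
    print("GC from Denver ->", locate_dc("10.2.3.4", "corp.example.com", gc=True))
```

On a real domain member the same lookup is driven by `nltest /dsgetdc:<domain>`, which also reports the site the client was placed in; a client landing in the wrong site (a missing or overly broad subnet object) authenticates against a remote DC over a WAN link, which is the symptom this mapping exists to prevent.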
Because DCs store records in an LDAP distinguished name format, AD uses LDAP
to access the records. In case an application uses a name format other than the
LDAP distinguished name, you can also use the LDAP URL or AD canonical name
formats to access AD.
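The three name formats just mentioned refer to the same object, and converting between them is a routine task in scripts. The converter below is an added example written for this page, not Microsoft's or any library's code; the object names and the host dc1.corp.example.com are constructed. One caveat it makes explicit: a canonical name does not record whether a container is an OU or a CN container (the built-in Users container is CN=Users, not OU=Users), so converting back to a DN needs that knowledge supplied; here it is a parameter that defaults to OU.

```python
import re
from urllib.parse import quote


def split_unescaped(text, sep):
    """Split on `sep`, leaving backslash-escaped separators inside the pieces."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_dn_value(value):
    """Undo RFC 4514 escaping: \\, \\+ ... and \\XX hex pairs."""
    value = re.sub(r'\\([\\,+"<>;=#/ ])', r"\1", value)
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_dn_value(value):
    """Apply RFC 4514 escaping to an attribute value used in an RDN."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn):
    """Return [(type, value), ...] from leaf to root, e.g. [('CN', 'Jane Doe'), ...]."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        typ, _, val = rdn.partition("=")
        rdns.append((typ.strip().upper(), unescape_dn_value(val)))
    return rdns


def dn_to_canonical(dn):
    """CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com -> corp.example.com/Sales/Jane Doe"""
    rdns = parse_dn(dn)
    domain = ".".join(v for t, v in rdns if t == "DC")
    path = [v.replace("/", "\\/") for t, v in reversed(rdns) if t != "DC"]
    return "/".join([domain] + path)


def canonical_to_dn(canonical, leaf_type="CN", container_type="OU"):
    """Inverse of dn_to_canonical; container_type must be supplied because the
    canonical form does not say whether a container is an OU or a CN."""
    parts = [p.replace("\\/", "/") for p in split_unescaped(canonical, "/")]
    domain, path = parts[0], [p for p in parts[1:] if p]
    rdns = []
    for i, name in enumerate(reversed(path)):
        typ = leaf_type if i == 0 else container_type
        rdns.append(f"{typ}={escape_dn_value(name)}")
    rdns += [f"DC={label}" for label in domain.split(".")]
    return ",".join(rdns)


def ldap_url(host, dn, port=389):
    """RFC 4516 LDAP URL for the object; '=' and ',' stay literal, other reserved bytes are percent-encoded."""
    return f"ldap://{host}:{port}/{quote(dn, safe='=,')}"


if __name__ == "__main__":
    dn = "CN=Doe\\, Jane,OU=Users,OU=Sales,DC=corp,DC=example,DC=com"
    print(dn_to_canonical(dn))
    print(canonical_to_dn(dn_to_canonical(dn)))
    print(ldap_url("dc1.corp.example.com", "CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com"))
```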
Windows Privacy Tools - http://www.privacywindows.com