Active Directory is a technology created by Microsoft that provides a variety of network services, including:
- LDAP-like directory services
- Kerberos-based authentication
- DNS-based naming and other network information
All of these services share the same database. Used primarily in Windows environments, Active Directory also allows administrators to assign policies, deploy software, and apply critical updates across an organization. Active Directory stores information and settings in a central database. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different domains and large server farms spanning many geographical locations.
Active Directory was previewed in 1999, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2. Active Directory was refined further in Windows Server 2008 and Windows Server 2008 R2 and was renamed Active Directory Domain Services.
Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some Active Directory binaries.
There is a common misconception that Active Directory provides software distribution. Software distribution is run by a separate service that uses additional proprietary schema attributes that work in conjunction with the LDAP protocol. Active Directory does not automate software distribution, but provides a mechanism by which other services can provide software distribution.
Structure
Objects
Everything that Active Directory tracks is considered an object. An object is any user, system, resource, or service tracked within Active Directory. The generic term object is used because Active Directory is capable of tracking a variety of items, and many objects can share common attributes.
An Active Directory structure is a hierarchical framework of objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are Active Directory objects that are assigned unique security identifiers (SIDs) used to control access and set security.
Each object represents a single entity — whether a user, a computer, a printer, or a group — and its attributes. Certain objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes — the characteristics and information that the object can contain — defined by a schema, which also determines the kind of objects that can be stored in Active Directory.
Each attribute object can be used in several different schema class objects. The schema object exists to allow the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can have serious consequences because it will fundamentally change the structure of Active Directory itself. A schema object, when altered, will automatically propagate through Active Directory and once it is created it can only be deactivated — not deleted. Changing the schema usually requires a fair amount of planning.
Sites
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic. Sites can be linked to other Sites. Site Link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
Forests, trees, and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. At the top of the structure is the forest. The forest is a collection of every object, its attributes, and rules (attribute syntax) in the Active Directory. The forest, tree, and domain are the logical parts in an Active Directory network.
The Active Directory forest contains one or more transitive, trust-linked trees. A tree is a collection of one or more domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace.
The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration, and can give a semblance of the structure of the organization in organizational or geographical terms. OUs can contain OUs – indeed, domains are containers in this sense – and can hold multiple nested OUs. Microsoft recommends as few domains as possible in Active Directory and a reliance on OUs to produce structure and improve the implementation of policies and administration. The OU is the common level at which to apply group policies, which are Active Directory objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.
Active Directory also supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g., WAN, VPN) and high-speed (e.g., LAN) connections. Sites are independent of the domain and OU structure and are common across the entire forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Exchange 2007 also uses the site topology for mail routing. Policies can also be applied at the site level.
The actual division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type. These models are also often used in combination. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.
Physically, the Active Directory information is held on one or more equal peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory database; changes made on one DC are synchronized (converged) to all the other DCs by multi-master replication. Servers joined to Active Directory that are not domain controllers are called Member Servers. The Active Directory database is split into different stores or partitions. Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). The 'Domain' partition holds all objects created in that domain. The first two partitions replicate to all domain controllers in the Forest. The Domain partition replicates only to Domain Controllers within its domain. A subset of objects in the domain partition is also replicated to domain controllers that are configured as global catalogs.
Unlike earlier versions of Windows, which used NetBIOS to communicate, Active Directory is fully integrated with DNS and TCP/IP; indeed, DNS is required. To be fully functional, the DNS server must support SRV resource records, also called service records.
Active Directory replication is 'pull' rather than 'push'. The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication. A different 'cost' can be given to each link (e.g., DS3, T1, ISDN, etc.) and the site link topology will be altered accordingly by the KCC. Replication between domain controllers may occur transitively through several site links on same-protocol site link bridges, if the 'cost' is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site.
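As an added illustration of the site link cost rule described above (this is example code, not part of the original article and not Microsoft's KCC implementation), the following Python models sites joined by site links, each carrying an administrator-assigned cost, and picks the least-cost replication route with and without site link bridging. The topology and costs are constructed, and treating route selection as a plain least-cost path over summed link costs is a simplifying assumption about how the KCC evaluates intersite connections.

```python
import heapq
from itertools import combinations

# Constructed sample topology (not from the article): four sites joined by
# site links. A site link may contain more than two sites, as in AD.
SITE_LINKS = {
    "HQ-Branch1": {"cost": 100, "sites": {"HQ", "Branch1"}},
    "Branch1-Branch2": {"cost": 100, "sites": {"Branch1", "Branch2"}},
    "HQ-Branch2-direct": {"cost": 150, "sites": {"HQ", "Branch2"}},
    "Branch2-Remote": {"cost": 500, "sites": {"Branch2", "Remote"}},
}


def with_cost(links, name, cost):
    """Return a copy of the link table with one link's cost changed."""
    return {k: (dict(v, cost=cost) if k == name else v) for k, v in links.items()}


def site_graph(links):
    """Weighted adjacency map: every pair of sites on one link is adjacent
    at that link's cost (the cheapest link wins if several join the pair)."""
    graph = {}
    for link in links.values():
        for a, b in combinations(sorted(link["sites"]), 2):
            for x, y in ((a, b), (b, a)):
                current = graph.setdefault(x, {}).get(y, float("inf"))
                graph[x][y] = min(current, link["cost"])
    return graph


def cheapest_route(links, src, dst, bridge_all=True):
    """Least-cost route from src to dst as (total_cost, [sites]) or None.
    bridge_all=False models 'no site link bridging': replication may only
    follow a single site link, so transitive routes are not available."""
    graph = site_graph(links)
    if not bridge_all:
        direct = graph.get(src, {}).get(dst)
        return (direct, [src, dst]) if direct is not None else None
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:  # Dijkstra over summed site link costs
        cost, site = heapq.heappop(heap)
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[site]:
            continue
        for nxt, c in graph.get(site, {}).items():
            if cost + c < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = cost + c, site
                heapq.heappush(heap, (cost + c, nxt))
    return None
```

With the sample costs the direct HQ-Branch2 link (150) beats the two-hop route through Branch1 (200); raising the direct link's cost above 200 flips the choice, and disabling bridging leaves HQ and Remote unable to replicate at all.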
In a multi-domain forest the Active Directory database becomes partitioned. That is, each domain maintains a list of only those objects that belong in that domain. So, for example, a user created in Domain A would be listed only in Domain A's domain controllers. Global catalog (GC) servers are