
Active Directory

From Wikipedia, the free encyclopedia

Active Directory (AD) is a directory service created by Microsoft. Active Directory uses a number of standardized protocols to provide a variety of network services, including:

- Lightweight Directory Access Protocol (LDAP), the industry-standard directory access protocol, compatible with many management and query applications. Active Directory supports LDAPv3 and LDAPv2.
- Optional Kerberos-based authentication
- DNS-based naming and other network information

Features include:

- Central location for network administration and security[1]
- Information security and single sign-on for user access to networked resources[1]
- The ability to scale up or down easily[1]
- Standardizing access to application data[1]
- Synchronization of directory updates across servers[1]

Active Directory stores all information and settings for a deployment in a central database. Active Directory allows administrators to assign policies and to deploy and update software. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.

History
Active Directory was previewed in 1999, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, and the service was renamed Active Directory Domain Services. Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some Active Directory binaries.

Structure
Objects

An Active Directory structure is a hierarchical arrangement of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs). Each object represents a single entity (a user, a computer, a printer, or a group) and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by a schema, which also determines the kinds of objects that can be stored in Active Directory. Each attribute object can be used to define multiple schema objects. The schema object allows the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, a schema object can only be deactivated, not deleted. Changing the schema usually requires planning.[2]
Sites

A Site object in Active Directory represents a geographic location that hosts networks. Sites contain objects called subnets.[3]
Forests, trees, and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace. A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
[Figure: the forest "Widgets Corp" contains Tree-Eastern (domains Boston, New York, Philly) and Tree-Southern (domains Atlanta, Dallas); the Dallas domain holds OU-Marketing and OU-Sales, each containing user objects.]

Example of the geographical organizing of zones of interest within trees and domains.
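The tree and forest relationships described above (a tree as a contiguous DNS namespace, a forest as several trees sharing one schema and catalog, and the forest as the boundary within which objects are reachable) can be made concrete in code. The following is an added example and not code from the Wikipedia article: the domain names are constructed (loosely modelled on the figure), "eastern.example" is assumed to be the forest root domain, and the trust-path routine relies on the standard behaviour that tree roots hold a transitive trust with the forest root domain.

```python
"""Domain trees and trust paths inside an Active Directory forest.

Added example, not code from the Wikipedia article. The domain names are
constructed (loosely modelled on the article's figure); "eastern.example" is
assumed to be the forest root domain, the first domain created in the forest.
"""
from collections import defaultdict

# Constructed sample forest: two domain trees with disjoint DNS namespaces.
FOREST_DOMAINS = [
    "eastern.example",              # forest root domain, also the root of tree 1
    "boston.eastern.example",
    "newyork.eastern.example",
    "philly.eastern.example",
    "southern.example.net",         # root of tree 2: a separate, non-contiguous namespace
    "atlanta.southern.example.net",
    "dallas.southern.example.net",
]
FOREST_ROOT = "eastern.example"


def _norm(name):
    """DNS names are case-insensitive; drop a trailing dot so 'a.b.' == 'a.b'."""
    return name.lower().rstrip(".")


def forest_topology(domains):
    """Return (parent_of, root_of) for the forest's domains.

    A child domain's DNS name is its parent's name with exactly one extra
    leading label (contiguous namespace), so the parent is found by stripping
    that label. A domain whose DNS parent is not in the forest starts a new tree.
    """
    names = sorted({_norm(d) for d in domains}, key=lambda n: n.count("."))
    parent_of, root_of = {}, {}
    for name in names:                      # fewer labels first, so parents precede children
        candidate = name.split(".", 1)[1] if "." in name else ""
        if candidate in parent_of:
            parent_of[name] = candidate
            root_of[name] = root_of[candidate]
        else:
            parent_of[name] = None
            root_of[name] = name
    return parent_of, root_of


def domain_trees(domains):
    """Partition the forest into trees: {tree root: sorted member domains}."""
    _, root_of = forest_topology(domains)
    trees = defaultdict(list)
    for name, root in root_of.items():
        trees[root].append(name)
    return {root: sorted(members) for root, members in trees.items()}


def trust_path(src, dst, domains, forest_root):
    """List the domains an authentication referral crosses from src to dst.

    Within one tree the parent/child trusts are transitive, so the path climbs
    to the lowest common ancestor and descends again. Between trees it goes via
    the forest root domain, which holds a tree-root trust with every other tree
    root. Domains outside the forest are rejected: the forest is the boundary.
    """
    parent_of, root_of = forest_topology(domains)
    s, d, fr = _norm(src), _norm(dst), _norm(forest_root)
    for name in (s, d, fr):
        if name not in parent_of:
            raise ValueError(f"{name} is not a domain of this forest")

    def chain_to_root(name):
        chain = [name]
        while parent_of[chain[-1]] is not None:
            chain.append(parent_of[chain[-1]])
        return chain

    up, down = chain_to_root(s), chain_to_root(d)
    if root_of[s] == root_of[d]:
        common = next(x for x in up if x in down)   # lowest common ancestor
        return up[:up.index(common)] + [common] + list(reversed(down[:down.index(common)]))
    path = list(up)                                   # climb to src's tree root
    if path[-1] != fr:
        path.append(fr)                               # tree-root trust into the forest root
    if down[-1] != fr:
        path.append(down[-1])                         # tree-root trust out to dst's tree root
    path.extend(reversed(down[:-1]))                  # descend to dst
    return path


if __name__ == "__main__":
    for root, members in domain_trees(FOREST_DOMAINS).items():
        print(f"tree {root}: {members}")
    print(trust_path("boston.eastern.example", "dallas.southern.example.net",
                     FOREST_DOMAINS, FOREST_ROOT))
```

Sorting the domains by label count before walking them is what lets a single pass assign every domain to its tree: a parent always has one label fewer than its child, so it is processed first. Passing a domain that is not in the forest raises rather than guessing, which mirrors the article's point that the forest, not the domain, is the boundary within which objects are accessible.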

Organizational units

The objects held within a domain can be grouped into Organizational Units (OUs).[4] OUs give a domain a hierarchy, ease its administration, and can mirror the organization's structure in managerial or geographical terms. OUs can contain other OUs; domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below).

The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well. Organizational Units are an abstraction for the administrator and do not function as containers; the underlying domain is the true container. It is not possible, for example, to create user accounts with an identical username (sAMAccountName) in separate OUs, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs, because sAMAccountName, a user object attribute, must be unique within the domain. As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" will fail for common names like Smith, Garcia, or Lee. Workarounds include adding a digit to the end of the username or using the unique employee or student ID number. Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot easily be subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.
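The domain-wide uniqueness constraint and the "initials plus last name, then a digit on collision" workaround described above are easy to get wrong at scale, in particular by checking uniqueness per OU instead of per domain. The following is an added example, not code from the Wikipedia article: the names, OU distinguished names and pre-existing accounts are constructed, and the code assumes two properties of the attribute that the article does not spell out, namely that sAMAccountName is compared case-insensitively and that a user's sAMAccountName is limited to 20 characters.

```python
"""Domain-unique sAMAccountName generation.

Added example, not code from the Wikipedia article. The names, OUs and the
pre-existing accounts below are constructed. It assumes two facts about the
attribute: uniqueness is checked case-insensitively across the whole domain,
and a user's sAMAccountName is at most 20 characters long.
"""
import re
import unicodedata

SAM_MAX_LEN = 20  # length limit for a user's sAMAccountName (pre-Windows 2000 logon name)


def _clean(text):
    """Fold to lowercase ASCII letters and digits, e.g. 'García' -> 'garcia'."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


class DomainAccountRegistry:
    """Stand-in for the domain's uniqueness constraint on sAMAccountName.

    The OU is recorded only for the error message: OUs are an administrative
    grouping, and the domain, not the OU, is the scope in which the name
    must be unique.
    """

    def __init__(self, existing=()):
        self._ou_by_name = {name.lower(): None for name in existing}

    def names(self):
        return set(self._ou_by_name)

    def create_user(self, sam_account_name, ou_dn):
        key = sam_account_name.lower()       # AD compares the attribute case-insensitively
        if key in self._ou_by_name:
            raise ValueError(
                f"sAMAccountName {sam_account_name!r} already exists "
                f"(in {self._ou_by_name[key] or 'an unknown OU'}); "
                "it must be unique per domain, not per OU"
            )
        self._ou_by_name[key] = ou_dn
        return key


def generate_sam_account_name(first, middle, last, taken, max_len=SAM_MAX_LEN):
    """Build 'first initial + middle initial + last name', then make it unique.

    `taken` is every sAMAccountName already in the domain, whatever its OU.
    On a collision a numeric suffix is appended, trimming the base so the
    result stays within max_len.
    """
    taken = {name.lower() for name in taken}
    base = (_clean(first)[:1] + _clean(middle)[:1] + _clean(last)) or "user"
    base = base[:max_len]
    if base not in taken:
        return base
    n = 2
    while True:
        suffix = str(n)
        candidate = base[:max_len - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
        n += 1


def provision(first, middle, last, ou_dn, registry):
    """Generate a unique name for a new user and create it in the registry."""
    sam = generate_sam_account_name(first, middle, last, registry.names())
    return registry.create_user(sam, ou_dn)


if __name__ == "__main__":
    reg = DomainAccountRegistry(existing=["jqsmith"])   # constructed: an existing staff account
    print(provision("John", "Quincy", "Smith", "OU=student-ou,DC=example,DC=com", reg))  # jqsmith2
    print(provision("Luis", "", "García", "OU=staff-ou,DC=example,DC=com", reg))        # lgarcia
    try:
        reg.create_user("JQSmith", "OU=student-ou,DC=example,DC=com")  # same name, other OU
    except ValueError as err:
        print(err)
```

The generator takes the full set of names in the domain, never a per-OU subset, so a second "John Quincy Smith" placed in a different OU still receives "jqsmith2". Truncating the base before appending the suffix keeps long surnames within the 20-character limit instead of failing at creation time.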
