A directory, in the most generic sense, is a comprehensive listing of objects. A phone book is a type of directory that stores information about people, businesses, and government organizations. Phone books typically record names, addresses, and phone numbers. Active Directory is similar to a phone book in several ways, and it is far more flexible. Active Directory will store information about organizations, sites, systems, users, shares, and just about any other network object that you can imagine. Not all objects are as similar to each other as those stored in the phone book, so Active Directory includes the ability to record different types of information about different objects. <\/span><\/span><\/span><\/p>\n Active Directory stores information about network components. It allows clients to find objects within its\u00a0<\/span><\/span><\/span>namespace<\/span><\/span><\/span><\/em>. The term namespace (also known as\u00a0<\/span><\/span><\/span>console tree<\/span><\/span><\/span><\/em>) refers to the area in which a network component can be located. For example, the table of contents of this book forms a namespace in which chapters can be resolved to page numbers. <\/span><\/span><\/span><\/p>\n DNS is a namespace that resolves host names to IP addresses. Telephone books provide a namespace for resolving names to telephone numbers. Active Directory provides a namespace for resolving the names of network objects to the objects themselves. Active Directory can resolve a wide range of objects, including users, systems, and services on a network.<\/span><\/span><\/span><\/p>\n Everything that Active Directory tracks is considered an\u00a0<\/span><\/span><\/span>object<\/span><\/span><\/span><\/em>. <\/span><\/span><\/span><\/p>\n Each object in an Active Directory has a\u00a0<\/span><\/span><\/span>name<\/span><\/span><\/span><\/em>. These are not the names that you are accustomed to, like \u201cDavid\u201d or \u201cEric.\u201d They are LDAP\u00a0<\/span><\/span><\/span>distinguished names<\/span><\/span><\/span><\/em>. LDAP distinguished names are complicated, but they allow any object within a directory to be identified uniquely regardless of its type. My distinguished name on the Microsoft network is \u201c\/O=Internet\/DC=COM\/DC=Microsoft\/ DC=MSPress\/CN=Users\/CN=David Lovera\u201d\u2026but you can call me David.<\/span><\/span><\/span><\/p>\n The term\u00a0<\/span><\/span><\/span>tree<\/b><\/span><\/span><\/span><\/em>\u00a0is used to describe a set of objects within Active Directory. When containers and objects are combined hierarchically, they tend to form branches\u2014hence the term. A related term is\u00a0<\/span><\/span><\/span>contiguous subtree<\/span><\/span><\/span><\/em>, which refers to an unbroken branch of the tree.<\/span><\/span><\/span><\/p>\n Continuing the tree metaphor, the term\u00a0<\/span><\/span><\/span>forest<\/span><\/span><\/span><\/em>\u00a0describes trees that are not part of the same namespace but that share a common schema, configuration, and global catalog. Trees in a forest all trust each other, so objects in these trees are available to all users if the security allows it. Organizations that are divided into multiple domains should group the trees into a single forest.<\/span><\/span><\/span><\/p>\n A\u00a0<\/span><\/span><\/span>site<\/span><\/span><\/span><\/em>\u00a0is a geographical location, as defined within Active Directory. Sites correspond to logical IP subnets, and as such, they can be used by applications to locate the closest server on a network. Using site information from Active Directory can profoundly reduce the traffic on wide area networks.<\/span><\/span><\/span><\/p>\n Active Directory plays an important role in the future of Windows networking. Administrators must be able to protect their directory from attackers and users, while delegating tasks to other administrators where necessary. This is all possible using the Active Directory security model, which associates an access control list (ACL) with each container, object, and object attribute within the directory.<\/span><\/span><\/span><\/p>\n This high level of control allows an administrator to grant individual users and groups varying levels of permissions for objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users. For example, the administrator could set the ACLs such that only managers can view the home phone numbers of other users. Nonmanagers would not even know that the attribute existed. <\/span><\/span><\/span><\/p>\n Domain Name System, or DNS, is necessary to any Internet-connected organization. DNS provides name resolution between common names, such as mspress.microsoft.com, and the raw IP addresses that network layer components use to communicate. Active Directory makes extensive use of DNS technology and relies on DNS to locate objects within Active Directory. This is a substantial change from previous Windows operating systems that require NetBIOS names to be resolved to IP addresses, and to rely on WINS or another NetBIOS name resolution technique.<\/span><\/span><\/span><\/p>\n Active Directory provides a\u00a0<\/span><\/span><\/span>global catalog\u00a0<\/span><\/span><\/span><\/em>(GC). No, this does not mean that you can find any piece of information on the planet\u2014but it is still very significant. Active Directory provides a single source to locate any object within an organization\u2019s network.<\/span><\/span><\/span><\/p>\n Administrators who implement Active Directory will quickly discover that their network relies heavily on its services. This reliance means that Active Directory must be available on multiple servers\u2014so that if a single server fails, clients can contact a server with duplicate services and information.\u00a0<\/span><\/span><\/span><\/p>\n One of the most complex parts of making redundant servers work properly is replicating the information and ensuring that all servers have the most up-to-date content. Active Directory uses\u00a0multimaster replication,<\/em>\u00a0which is another way of stating that updates can occur on any Active Directory server. Each server keeps track of which updates it has received from which servers, and can intelligently request only necessary updates in case of a failure. <\/span><\/span><\/span><\/p>\n As I defined the term earlier, a schema is a set of attributes used to describe a particular object class in Active Directory. Different types of information need to be tracked for different object classes, and that\u2019s why the schema is so important. For example, the Users object class needs attributes for a first name, last name, phone number, e-mail address, and mailing address. The Printer object class must have many different attributes\u2014users will want to know how fast a printer is and whether it can duplex or print in color.\u00a0<\/span><\/span><\/span><\/p>\n Many people are initially confused by the relationship between object classes, attributes, and the objects themselves. Objects are created based on an object class. Attributes describe an object class. When an object is created, it inherits all the attributes of its object class. Here\u2019s where it gets tricky:\u00a0<\/span><\/span><\/span>object classes and attributes are also objects in Active Directory.\u00a0<\/span><\/span><\/span><\/em>Fortunately, most user interfaces hide this fact.<\/span><\/span><\/span><\/p>\n Active Directory reflects Microsoft\u2019s trend toward relying on standard protocols. The Lightweight Directory Access Protocol (LDAP) is a product of the IETF (Internet Engineering Task Force). It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server\u2019s Active Directory.<\/span><\/span><\/span><\/p>\n It is very important to understand the structure of distinguished names, as you will be referring to them often in the course of your job. My distinguished name is \/O=Internet\/DC=COM\/DC=Microsoft\/ DC=MSPress\/CN=Users\/CN=David Lovera.<\/span><\/span><\/span><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/imalogic.com\/blog\/wp-content\/uploads\/2017\/06\/microsoft-active-directory_102642.png?ssl=1\")
<\/a><\/h3>\n\n
\n
\n
<\/a> Security<\/h3>\n
<\/a> Use of DNS (Domain Name System)<\/h3>\n
<\/a> Global Catalog<\/h3>\n
<\/a> Replication<\/h3>\n
<\/a> Schema: Attributes and Object Classes<\/h3>\n
<\/a> Objects<\/h3>\n
<\/a>Lightweight Directory Access Protocol (LDAP)<\/h3>\n
Distinguished Names<\/h3>\n
<\/a>ADSI (Active Directory Service Interface)<\/h3>\n