Active Directory Domain Services
   HOME

TheInfoList



OR:

Active Directory (AD) is a
directory service In computing, a directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network r ...
developed by
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
for
Windows domain A Windows domain is a form of a computer network in which all user accounts, computers, printers and other Principal (computer security), security principals, are registered with a central database located on one or more clusters of central compu ...
networks. It is included in most
Windows Server Windows Server (formerly Windows NT Server) is a group of operating systems (OS) for servers that Microsoft has been developing since July 27, 1993. The first OS that was released for this platform was Windows NT 3.1 Advanced Server. With the r ...
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
s as a set of processes and services. Initially, Active Directory was used only for centralized domain management. However, Active Directory eventually became an umbrella title for a broad range of directory-based identity-related services. A server running the Active Directory Domain Service (AD DS) role is called a
domain controller A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, store ...
. It authenticates and authorizes all users and computers in a
Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
domain type network, assigning and enforcing security policies for all computers, and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted username and password and determines whether the user is a system administrator or normal user. Also, it allows management and storage of information, provides authentication and authorization mechanisms and establishes a framework to deploy other related services: Certificate Services,
Active Directory Federation Services Active Directory Federation Services (AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. ...
, Lightweight Directory Services, and Rights Management Services. Active Directory uses
Lightweight Directory Access Protocol The Lightweight Directory Access Protocol (LDAP ) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory servi ...
(LDAP) versions 2 and 3, Microsoft's version of Kerberos, and
DNS The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
.


History

Like many information-technology efforts, Active Directory originated out of a democratization of design using
Request for Comments A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...
(RFCs). The
Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
(IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. For example, LDAP underpins Active Directory. Also,
X.500 X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by the ITU-T, Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T). ITU-T was former ...
directories and the
Organizational Unit In computing, an organizational unit (OU) provides a way of classifying objects located in directories, or names in a digital certificate hierarchy, typically used either to differentiate between objects with the same name (John Doe in OU "marketi ...
preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995), RFC 2307, RFC 3062, and RFC 4533. Microsoft previewed Active Directory in 1999, released it first with
Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RTM), releas ...
Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Active Directory support was also added to Windows 95, Windows 98 and Windows NT 4.0 via patch, with some features being unsupported. Additional improvements came with subsequent versions of
Windows Server Windows Server (formerly Windows NT Server) is a group of operating systems (OS) for servers that Microsoft has been developing since July 27, 1993. The first OS that was released for this platform was Windows NT 3.1 Advanced Server. With the r ...
. In Windows Server 2008, additional services were added to Active Directory, such as
Active Directory Federation Services Active Directory Federation Services (AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. ...
. The part of the directory in charge of the management of domains, which was previously a core part of the operating system, was renamed Active Directory Domain Services (ADDS) and became a server role like others. "Active Directory" became the umbrella title of a broader range of directory-based services. According to Byron Hynes, everything related to identity was brought under Active Directory's banner.


Active Directory Services

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.


Domain Services

Active Directory Domain Services (AD DS) is the foundation of every
Windows domain A Windows domain is a form of a computer network in which all user accounts, computers, printers and other Principal (computer security), security principals, are registered with a central database located on one or more clusters of central compu ...
network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server running this service is called a
domain controller A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, store ...
. A domain controller is contacted when a user logs into a device, accesses another device across the network or runs a line-of-business Metro-style app sideloaded into a device. Other Active Directory services (excluding LDS, as described below) as well as most of Microsoft server technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker,
Domain Name Services The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned t ...
,
Remote Desktop Services Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine ...
, Exchange Server and
SharePoint Server SharePoint is a web-based collaborative platform that integrates natively with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and its usage v ...
. The self-managed Active Directory DS must not be confused with managed Azure AD DS, which is a cloud product.


Lightweight Directory Services

Active Directory Lightweight Directory Services (''AD LDS''), formerly known as ''Active Directory Application Mode'' (ADAM), is an implementation of the LDAP protocol for AD DS. AD LDS runs as a
service Service may refer to: Activities * Administrative service, a required part of the workload of university faculty * Civil service, the body of employees of a government * Community service, volunteer service for the benefit of a community or a pu ...
on
Windows Server Windows Server (formerly Windows NT Server) is a group of operating systems (OS) for servers that Microsoft has been developing since July 27, 1993. The first OS that was released for this platform was Windows NT 3.1 Advanced Server. With the r ...
. AD LDS shares the code base with AD DS and provides the same functionality, including an identical
API An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software Interface (computing), interface, offering a service to other pieces of software. A document or standa ...
, but does not require the creation of domains or domain controllers. It provides a ''Data Store'' for the storage of directory data and a ''
Directory Service In computing, a directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network r ...
'' with an LDAP ''Directory Service Interface''. Unlike AD DS, however, multiple AD LDS instances can run on the same server.


Certificate Services

Active Directory Certificate Services (AD CS) establishes an on-premises
public key infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilit ...
. It can create, validate, revoke and perform other similar actions,
public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...
s for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), and network traffic (when used by
virtual private network A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...
s,
Transport Layer Security Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
protocol or
IPSec In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in ...
protocol). AD CS predates Windows Server 2008, but its name was simply Certificate Services. AD CS requires an AD DS infrastructure.


Federation Services

Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g.
internet forum An Internet forum, or message board, is an online discussion site where people can hold conversations in the form of posted messages. They differ from chat rooms in that messages are often longer than one line of text, and are at least temporar ...
,
blog A blog (a truncation of "weblog") is a discussion or informational website published on the World Wide Web consisting of discrete, often informal diary-style text entries (posts). Posts are typically displayed in reverse chronological order ...
,
online shopping Online shopping is a form of electronic commerce which allows consumers to directly buy goods or services from a seller over the Internet using a web browser or a mobile app. Consumers find a product of interest by visiting the website of the r ...
,
webmail Webmail (or web-based email) is an email service that can be accessed using a standard web browser. It contrasts with email service accessible through a specialised email client software. Examples of webmail providers are 1&1 Ionos, AOL Mail, G ...
) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS uses many popular open standards to pass token credentials such as
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based m ...
,
OAuth OAuth (short for "Open Authorization") is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. T ...
or
OpenID Connect OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provider ...
. AD FS supports encryption and signing of
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based m ...
assertions. AD FS's purpose is an extension of that of AD DS: The latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials. The former enables them to use the same set of credentials in a different network. As the name suggests, AD FS works based on the concept of federated identity. AD FS requires an AD DS infrastructure, although its federation partner may not.


Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is a server software for
information rights management Information rights management (IRM) is a subset of digital rights management (DRM), technologies that protect sensitive information from unauthorized access. It is sometimes referred to as E-DRM or Enterprise Digital Rights Management. This can ca ...
shipped with
Windows Server Windows Server (formerly Windows NT Server) is a group of operating systems (OS) for servers that Microsoft has been developing since July 27, 1993. The first OS that was released for this platform was Windows NT 3.1 Advanced Server. With the r ...
. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them. These operations can include viewing, editing, copying, saving as or printing for example. IT administrators can create pre-set templates for the convenience of the end user if required. However, end users can still define who can access the content in question and set what they can do.


Logical structure

As a directory service, an Active Directory instance consists of a database and corresponding
executable code In computing, executable code, an executable file, or an executable program, sometimes simply referred to as an executable or binary, causes a computer "to perform indicated tasks according to encoded instructions", as opposed to a data file ...
responsible for servicing requests and maintaining the database. The executable part, known as Directory System Agent, is a collection of
Windows service In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager ...
s and processes that run on Windows 2000 and later. Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and
Security Accounts Manager The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory a ...
services.


Objects

Active Directory structures are arrangements of information about
objects Object may refer to: General meanings * Object (philosophy), a thing, being, or concept ** Object (abstract), an object which does not exist at any particular time or place ** Physical object, an identifiable collection of matter * Goal, an ...
. The objects fall into two broad categories: resources (e.g., printers) and
security principal A principal in computer security is an entity that can be authenticated by a computer system or network. It is referred to as a security principal in Java and Microsoft literature.
s (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs). Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents— defined by a
schema The word schema comes from the Greek word ('), which means ''shape'', or more generally, ''plan''. The plural is ('). In English, both ''schemas'' and ''schemata'' are used as plural forms. Schema may refer to: Science and technology * SCHEMA ...
, which also determines the kinds of objects that can be stored in the Active Directory. The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.


Forests, trees, and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their
DNS The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
name structure, the namespace. A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database. A tree is a collection of one or more domains and domain trees in a contiguous namespace and is linked in a transitive trust hierarchy. At the top of the structure is the ''forest.'' A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.


Organizational units

The objects held within a domain can be grouped into
organizational unit In computing, an organizational unit (OU) provides a way of classifying objects located in directories, or names in a digital certificate hierarchy, typically used either to differentiate between objects with the same name (John Doe in OU "marketi ...
s (OUs). OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs—domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and simplifying the implementation of policies and administration. The OU is the recommended level at which to apply
group policies Group Policy is a feature of the Microsoft Windows NT family of operating systems (including Windows 7, Windows 8.1, Windows 10, Windows 11, and Windows Server 2003+) that controls the working environment of user accounts and computer accounts. G ...
, which are Active Directory objects formally named group policy objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well. Organizational units do not each have a separate namespace. As a consequence, for compatibility with Legacy NetBios implementations, user accounts with an identical sAMAccountName are not allowed within the same domain even if the accounts objects are in separate OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain. However, two users in different OUs can have the same common name (CN), the name under which they are stored in the directory itself such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. In general, the reason for this lack of allowance for duplicate names through hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-namespace method of network object management that, for Microsoft software, goes all the way back to
Windows NT 3.1 Windows NT 3.1 is the first major release of the Windows NT operating system developed by Microsoft, released on July 27, 1993. At the time of Windows NT's release, Microsoft's Windows 3.1 desktop environment had established brand recognition ...
and
MS-DOS MS-DOS ( ; acronym for Microsoft Disk Operating System, also known as Microsoft DOS) is an operating system for x86-based personal computers mostly developed by Microsoft. Collectively, MS-DOS, its rebranding as IBM PC DOS, and a few ope ...
LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based. As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" ( Western order) or the reverse (Eastern order) fail for common family names like ''Li'' (李), ''Smith'' or ''Garcia''. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student ID numbers to use as account names in place of actual users' names and allowing users to nominate their preferred word sequence within an acceptable use policy. Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.


=Shadow groups

= In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell
NDS NDS may stand for: * Low German ( nl, Nedersaksisch, links=no, german: Niederdeutsche Sprache, links=no, ISO 639-2 language code: nds), a West Germanic language native to Northern Germany, Denmark and the Netherlands * Lower Saxony (german: Niedersa ...
can assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or
Visual Basic Visual Basic is a name for a family of programming languages from Microsoft. It may refer to: * Visual Basic .NET (now simply referred to as "Visual Basic"), the current version of Visual Basic launched in 2002 which runs on .NET * Visual Basic (cl ...
script to automatically create and maintain a ''user group'' for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as ''shadow groups''. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Reference documentation but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups. The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.


Partitions

The Active Directory database is organized in ''partitions'', each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the Forest. The 'Domain' partition holds all objects created in that domain and replicates only within its domain.


Physical structure

''Sites'' are physical (rather than logical) groupings defined by one or more IP subnets. AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g.,
LAN Lan or LAN may also refer to: Science and technology * Local asymptotic normality, a fundamental property of regular models in statistics * Longitude of the ascending node, one of the orbital elements used to specify the orbit of an object in sp ...
) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest
domain controller A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, store ...
s (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level. Physically, the Active Directory information is held on one or more peer
domain controller A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, store ...
s, replacing the NT PDC/ BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that is not domain controllers are called Member Servers. A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest. Global Catalog servers replicate to themselves all objects from all domains and, hence, provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This is called the ''partial attribute set'' (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC. Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires
TCP/IP The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suit ...
—DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.


Replication

Active Directory synchronizes changes using '' multi-master replication''. Replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected. The ''Knowledge Consistency Checker'' (KCC) creates a replication topology of ''site links'' using the defined ''sites'' to manage traffic. Intra-site replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Inter-site replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intra-site replication. Each link can have a 'cost' (e.g., DS3, T1, ISDN, etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol ''site link bridges'', if the cost is low, although KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a ''bridgehead server'' in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain-based by the site. Replication of Active Directory uses
Remote Procedure Call In distributed computing, a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in a different address space (commonly on another computer on a shared network), which is coded as if it were a normal (l ...
s (RPC) over IP (RPC/IP). Between Sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) GCs. SMTP cannot be used for replicating the default Domain partition.


Implementation

In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller, but Microsoft recommends more than one domain controller to provide automatic
failover Failover is switching to a redundant or standby computer server, system, hardware component or network upon the failure or abnormal termination of the previously active application, server, system, hardware component, or network in a computer net ...
protection of the directory. Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role. Certain Microsoft products such as SQL Server and Exchange can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult. A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server, and so forth to support the various server roles. Physical hardware costs for the many separate servers can be reduced through the use of
virtualization In computing, virtualization or virtualisation (sometimes abbreviated v12n, a numeronym) is the act of creating a virtual (rather than actual) version of something at the same abstraction level, including virtual computer hardware platforms, stor ...
, although for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.


Database

The Active-Directory
database In computing, a database is an organized collection of data stored and accessed electronically. Small databases can be stored on a file system, while large databases are hosted on computer clusters or cloud storage. The design of databases sp ...
, the ''directory store'', in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects. (NT4's
Security Account Manager The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory a ...
could support no more than 40,000 objects). Called NTDS.DIT, it has two main tables: the ''data table'' and the ''link table''. Windows Server 2003 added a third main table for security descriptor single instancing. Programs may access the features of Active Directory via the COM interfaces provided by ''Active Directory Service Interfaces''.


Trusting

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.


Terminology

;One-way trust :One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. ;Two-way trust :Two domains allow access to users on both domains. ;Trusted domain :The domain that is trusted; whose users have access to the trusting domain. ;Transitive trust :A trust that can extend beyond two domains to other trusted domains in the forest. ;Intransitive trust :A one way trust that does not extend beyond two domains. ;Explicit trust :A trust that an admin creates. It is not transitive and is one way only. ;Cross-link trust :An explicit trust between domains in different trees or the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains. ;Shortcut :Joins two domains in different trees, transitive, one- or two-way. ;Forest trust :Applies to the entire forest. Transitive, one- or two-way. ;Realm :Can be transitive or nontransitive (intransitive), one- or two-way. ;External :Connect to other forests or non-Active Directory domains. Nontransitive, one- or two-way. ;PAM trust :A one-way trust used by
Microsoft Identity Manager Microsoft Corporation is an American multinational corporation, multinational technology company, technology corporation producing Software, computer software, consumer electronics, personal computers, and related services headquartered at th ...
from a (possibly low-level) production forest to a (
Windows Server 2016 Windows Server 2016 is the eighth release of the Windows Server server operating system developed by Microsoft as part of the Windows NT family of operating systems. It was developed concurrently with Windows 10 and is the successor to the Wind ...
functionality level) 'bastion' forest, which issues time-limited group memberships.


Management tools

Microsoft Active Directory management tools include: *Active Directory Administrative Center (Introduced with Windows Server 2012 and above), *Active Directory Users and Computers, *Active Directory Domains and Trusts, *Active Directory Sites and Services, *ADSI Edit, *Local Users and Groups, *Active Directory Schema snap-ins for Microsoft Management Console (MMC), * SysInternals ADExplorer These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party tools extend the administration and management capabilities. They provide essential features for a more convenient administration process, such as automation, reports, integration with other services, etc.


Unix integration

Varying levels of interoperability with Active Directory can be achieved on most
Unix-like A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-li ...
operating systems (including
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
,
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
,
Mac OS X macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac (computer), Mac computers. Within the market of ...
or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts. Third parties offer Active Directory integration for Unix-like platforms, including: * ''PowerBroker Identity Services'', formerly ''Likewise'' ( BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory * ''ADmitMac'' (Thursby Software Systems) * ''
Samba Samba (), also known as samba urbano carioca (''urban Carioca samba'') or simply samba carioca (''Carioca samba''), is a Brazilian music genre that originated in the Afro-Brazilian communities of Rio de Janeiro in the early 20th century. Havin ...
'' (
free software Free software or libre software is computer software distributed under terms that allow users to run the software for any purpose as well as to study, change, and distribute it and any adapted versions. Free software is a matter of liberty, no ...
under
GPLv3 The GNU General Public License (GNU GPL or simply GPL) is a series of widely used free software licenses that guarantee end users the four freedoms to run, study, share, and modify the software. The license was the first copyleft for general us ...
) – Can act as a domain controller The schema additions shipped with
Windows Server 2003 R2 Windows Server 2003 is the sixth version of Windows Server operating system produced by Microsoft. It is part of the Windows NT family of operating systems and was released to manufacturing on March 28, 2003 and generally available on April 24, 2 ...
include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, support these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed). Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes. An alternative option is to use another directory service as non-Windows clients authenticate to this while Windows Clients authenticate to Active Directory. Non-Windows clients include
389 Directory Server The 389 Directory Server (previously Fedora Directory Server) is a Lightweight Directory Access Protocol (LDAP) server developed by Red Hat as part of the community-supported Fedora Project. The name "389" derives from the port number used by LDA ...
(formerly Fedora Directory Server, FDS), ViewDS v7.2
XML Enabled Directory XML Enabled Directory (XED) is a framework for managing objects represented using the Extensible Markup Language (XML). XED builds on X.500 and LDAP directory services technologies. XED was originally designed in 2003 by Steven Legg of (form ...
, and Sun Microsystems
Sun Java System Directory Server The Sun Java System Directory Server is a discontinued LDAP directory server and DSML server written in C and originally developed by Sun Microsystems. The Java System Directory Server is a component of the Java Enterprise System. Earlier iteratio ...
. The latter two are both able to perform two-way synchronization with Active Directory and thus provide a "deflected" integration. Another option is to use
OpenLDAP OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independe ...
with its ''translucent'' overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched. Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell,
VBScript VBScript (''"Microsoft Visual Basic Scripting Edition"'') is an Active Scripting language developed by Microsoft that is modeled on Visual Basic. It allows Microsoft Windows system administrators to generate powerful tools for managing computers w ...
, JScript/JavaScript,
Perl Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages. "Perl" refers to Perl 5, but from 2000 to 2019 it also referred to its redesigned "sister language", Perl 6, before the latter's name was offici ...
,
Python Python may refer to: Snakes * Pythonidae, a family of nonvenomous snakes found in Africa, Asia, and Australia ** ''Python'' (genus), a genus of Pythonidae found in Africa and Asia * Python (mythology), a mythical serpent Computing * Python (pro ...
, and
Ruby A ruby is a pinkish red to blood-red colored gemstone, a variety of the mineral corundum ( aluminium oxide). Ruby is one of the most popular traditional jewelry gems and is very durable. Other varieties of gem-quality corundum are called sa ...
. Free and non-free Active Directory administration tools can help to simplify and possibly automate Active Directory management tasks. Since October 2017 Amazon
AWS Amazon Web Services, Inc. (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. These cloud computing web services provide di ...
offers integration with Microsoft Active Directory.


See also

*
AGDLP AGDLP (an abbreviation of "account, global, domain local, permission") briefly summarizes Microsoft's recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and comp ...
(implementing
role based access control In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control ( ...
s using nested groups) * Apple Open Directory * Flexible single master operation *
FreeIPA FreeIPA is a free and open source identity management system. FreeIPA is the upstream open-source project foRed Hat Identity Management Overview FreeIPA aims to provide a centrally managed Identity, Policy, and Audit (IPA) system. It uses ...
*
List of LDAP software The following is a list of software programs that can communicate with and/or host directory services via the Lightweight Directory Access Protocol (LDAP). Client software Cross-platform * Admin4 - an open source LDAP browser and directory cl ...
*
System Security Services Daemon The System Security Services Daemon (SSSD) is software originally developed for the Linux operating system (OS) that provides a set of daemons to manage access to remote directory services and authentication mechanisms. The beginnings of SSSD l ...
(SSSD) *
Univention Corporate Server Univention Corporate Server (UCS) is a server operating system derived from Debian with an integrated management system for the central and cross-platform administration of servers, services, clients, desktops and users as well as virtualized comp ...


References


External links

* Microsoft Technet: White paper
Active Directory Architecture
(Single technical document that gives an overview about Active Directory.) * Microsoft Technet: Detailed description o
Active Directory on Windows Server 2003
* Microsoft MSDN Library
[MS-ADTS
Active Directory Technical Specification">S-ADTS">[MS-ADTS
Active Directory Technical Specification
(part of the Microsoft Open Specification Promise)
Active Directory Application Mode (ADAM)
* Microsoft MSDN
D-LDS">[AD-LDS
Active Directory Lightweight Directory Services* Microsoft TechNet
[AD-LDS
Active Directory Lightweight Directory Services">D-LDS">[AD-LDS
Active Directory Lightweight Directory Services
* Microsoft MSDN
Active Directory Schema
* Microsoft TechNet
Understanding Schema
* Microsoft TechNet Magazine
Extending the Active Directory Schema
* Microsoft MSDN
Active Directory Certificate Services
* Microsoft TechNet
Active Directory Certificate Services
{{Windows Components Directory services">Active Directory"> Directory services Public key infrastructure Microsoft server technology Windows components Windows 2000