Active Directory
Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.[3] A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[4] Also, it allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Federated Services, Lightweight Directory Services and Rights Management Services.[5] Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Contents

1 History
2 Active Directory Services
  2.1 Domain Services
  2.2 Lightweight Directory Services
  2.3 Certificate Services
  2.4 Federation Services
  2.5 Rights Management Services
3 Logical structure
  3.1 Objects
  3.2 Forests, trees and domains
    3.2.1 Organizational units
      3.2.1.1 Shadow groups
  3.3 Partitions
4 Physical structure
  4.1 Replication
5 Implementation
6 Database
7 Single server operations
8 Trusting
  8.1 Terminology
    8.1.1 Forest trusts
9 Management solutions
10 Unix integration
11 See also
12 References
13 External links

History

Active Directory, like many information-technology efforts, originated out of a democratization of design using Request for Comments or RFCs. The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept and then makes improvements upon them.[citation needed] For example, LDAP underpins Active Directory. Also X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[6] RFC 2307, RFC 3062, and RFC 4533.[7][8][9] Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services.[10] The part of the directory in charge of management of domains, which was previously a core part of the operating system,[10] was renamed Active Directory Domain Services (ADDS) and became a server role like others.[3] "Active Directory" became the umbrella title of a broader range of directory-based services.[11] According to Byron Hynes, everything related to identity was brought under Active Directory's banner.[3]

Active Directory Services

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.[12]

Domain Services

Active Directory Domain Services (AD DS) is the cornerstone of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server (or the cluster of servers) running this service is called a domain controller. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs a line-of-business Metro-style app sideloaded into a device. Other Active Directory services (excluding LDS, as described below) as well as most Microsoft server technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM),[13] is a light-weight implementation of AD DS.[14] AD LDS runs as a service on Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

Certificate Services

Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), and network traffic (when used by virtual private networks, Transport Layer Security protocol or IPSec protocol). AD CS predates Windows Server 2008, but its name was simply Certificate Services.[15] AD CS requires an AD DS infrastructure.[16]

Federation Services

Main article: Active Directory Federation Services

Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS's purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials; the former enables them to use the same set of credentials in a different network. As the name suggests, AD FS works based on the concept of federated identity. AD FS requires an AD DS infrastructure, although its federation partner may not.[17]

Rights Management Services

Main article: Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them.

Logical structure

As a directory service, an Active Directory instance consists of a database and corresponding executable code responsible for servicing requests and maintaining the database. The executable part, known as Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.[1] Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and Security Accounts Manager services.[2]

Objects

A simplified example of a publishing company's internal network. The company has four groups with varying permissions to the three shared folders on the network.

Active Directory structures are arrangements of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs). Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents—defined by a schema, which also determines the kinds of objects that can be stored in Active Directory. The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.[18]

Forests, trees and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace. A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database. A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
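A tree, as defined above, is a set of domains in a contiguous DNS namespace. The PowerShell below is an added example (not code from the article or from Microsoft) that groups a list of domain DNS names into trees using exactly that rule: a domain is a child of the nearest listed domain whose name is its DNS suffix, and domains with no such parent are tree roots. The sample names are constructed; the live usage line assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the article): group a forest's domain DNS names into
# trees by contiguous namespace. A domain whose DNS name ends in ".<parent>"
# for some other listed domain is a child of that parent; domains with no
# parent in the list are tree roots.
function Get-DomainTrees {
    param(
        [Parameter(Mandatory)]
        [string[]] $DomainDnsNames   # e.g. (Get-ADForest).Domains
    )

    $names = @($DomainDnsNames | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)

    # Map each domain to its nearest parent within the list ($null for a root).
    $parentOf = @{}
    foreach ($name in $names) {
        $parent = $null
        $candidate = $name
        while ($candidate.Contains('.')) {
            # Strip the leftmost label and see whether the remainder is a listed domain.
            $candidate = $candidate.Substring($candidate.IndexOf('.') + 1)
            if ($names -contains $candidate) { $parent = $candidate; break }
        }
        $parentOf[$name] = $parent
    }

    # Walk up from every domain to its tree root, then group by root.
    $trees = @{}
    foreach ($name in $names) {
        $root = $name
        while ($parentOf[$root]) { $root = $parentOf[$root] }
        if (-not $trees.ContainsKey($root)) {
            $trees[$root] = [System.Collections.Generic.List[string]]::new()
        }
        $trees[$root].Add($name)
    }

    foreach ($root in ($trees.Keys | Sort-Object)) {
        [pscustomobject]@{
            TreeRoot = $root
            Domains  = @($trees[$root] | Sort-Object)
        }
    }
}

# Constructed sample forest with two trees (placeholder names, not a real environment):
$sample = @(
    'corp.example.com',
    'emea.corp.example.com',
    'apac.corp.example.com',
    'lab.emea.corp.example.com',
    'example.net'
)
Get-DomainTrees -DomainDnsNames $sample | Format-Table -AutoSize
# Expected: one tree rooted at corp.example.com holding four domains, and a
# second tree consisting only of example.net.

# Against a live forest:
# Get-DomainTrees -DomainDnsNames (Get-ADForest).Domains
```

The grouping shows where automatic transitive trust exists (every domain in a tree trusts every other), not where security boundaries lie: as the paragraph states, the forest is the security boundary, so a second tree in the same forest is still administered by the same forest-level administrators.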
Example of the geographical organizing of zones of interest within trees and domains (figure, rendered as an indented tree):

    Domain-Boston
    Domain-New York
    Domain-Philly
    Tree-Southern
        Domain-Atlanta
        Domain-Dallas
            OU-Marketing
                Hewitt
                Aon
                Steve
            OU-Sales
                Bill
                Ralph

Organizational units

The objects held within a domain can be grouped into Organizational Units (OUs).[19] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs—domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well. Organizational units do not each have a separate namespace; e.g. user accounts with an identical username (sAMAccountName) in separate OUs within a domain are not allowed, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain.[20] However, two users in different OUs can have the same Common Name (CN), the name under which they are stored in the directory itself. In general, the reason duplicate names are not allowed through hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, a flat-file method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based. As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" (Western order) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student id numbers to use as account names in place of actual user's names, and allowing users to nominate their preferred word sequence within an acceptable use policy. Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.

Shadow groups

In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.
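The per-OU "shadow group" that this section describes (a security group whose membership is kept in step with the accounts located in one OU by a periodically run script) can be maintained with the ActiveDirectory PowerShell module. The following is an added example, not code from the article or from Microsoft: it assumes the ActiveDirectory module (RSAT) is installed and the caller may edit the group, and the OU distinguished name and group name are placeholders.

```powershell
# Added example (not from the article or Microsoft): keep a "shadow group" in
# step with the user accounts located in one OU.
# Assumes the ActiveDirectory module and rights to modify the group's members.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,   # placeholder, e.g. 'OU=Sales,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $GroupName,             # placeholder, e.g. 'Shadow-Sales'
        [switch] $Recurse,      # also include users in nested OUs
        [switch] $ReportOnly    # compute the changes without applying them
    )

    $scope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }

    # Desired membership: every user object located in the OU.
    $desired = @(Get-ADUser -Filter * -SearchBase $OuDistinguishedName -SearchScope $scope |
        Select-Object -ExpandProperty DistinguishedName)

    # Current direct membership of the shadow group.
    $current = @(Get-ADGroupMember -Identity $GroupName |
        Select-Object -ExpandProperty DistinguishedName)

    # Set difference in both directions, compared by distinguished name.
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if (-not $ReportOnly) {
        if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
        if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    }

    # Return a summary so a scheduled run can be logged and reviewed.
    [pscustomobject]@{
        Group   = $GroupName
        OU      = $OuDistinguishedName
        Added   = $toAdd
        Removed = $toRemove
    }
}

# Example run with placeholder names; first in report-only mode, then for real.
Sync-ShadowGroup -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -GroupName 'Shadow-Sales' -ReportOnly
# Sync-ShadowGroup -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -GroupName 'Shadow-Sales'
```

Two consequences follow from the way the section says such groups work. Membership lags the directory until the next scheduled run, so an account moved out of the OU keeps the group's rights until then, and an account moved in gains them only then. And because OU placement drives membership, whoever is delegated the right to create or move objects into the OU effectively controls the group's membership; that delegation should be reviewed together with whatever rights the shadow group is granted.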

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[21]

The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself, and an administrator of any domain in the forest must be trusted across all domains in the forest.[22]

Partitions

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as 'naming contexts'.[23] The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the Forest. The 'Domain' partition holds all objects created in that domain and replicates only within its domain.

Physical structure

Sites are physical (rather than logical) groupings defined by one or more IP subnets.[24] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.[25] A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest.[26][27] Global Catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[28]

Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.

Replication

Active Directory synchronizes changes using multi-master replication.[29] Replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected.[30] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication. Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain, based on site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) GCs. SMTP cannot be used for replicating the default Domain partition.[31]

Implementation

In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller,[32] but Microsoft recommends more than one domain controller to provide automatic failover protection of the directory.[33] Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role.[34] Certain Microsoft products such as SQL Server[35][36] and Exchange[37] can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult.[38] A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server,[39] and so forth to support the various server roles. Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.[40]

Database

The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects.[41] (NT4's Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security descriptor single instancing.[41] Programs may access the features of Active Directory[42] via the COM interfaces provided by Active Directory Service Interfaces.[43]

Single server operations

Flexible Single Master Operations (FSMO, pronounced "fizz-mo") roles are also known as operations master roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are supported only on a single server. These operations are performed using the roles listed below:

Role name (scope): description

Schema Master (1 per forest): Schema modifications.

Domain Naming Master (1 per forest): Addition and removal of domains if present in root domain.

PDC Emulator (1 per domain): Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain specific processes such as the Security Descriptor Propagator (SDP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and manages all GPOs as default server.

RID Master (1 per domain): Allocates pools of unique identifiers to domain controllers for use when creating objects.

Infrastructure Master (1 per domain/partition): Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain. The Infrastructure Master role as described above is only for the domain partition (default naming context); netdom query fsmo and ntdsutil will only query the domain partition. However, every application partition, including forest- and domain-level DNS zones, has its own Infrastructure Master. The holder of this role is stored in the fSMORoleOwner attribute of the Infrastructure object in the root of the partition. It can be modified with ADSIEdit; for example, one can set the fSMORoleOwner attribute of the CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld object to CN=NTDSSettings,CN=Name_of_DC,CN=Servers,CN=DRSite,CN=Sites,CN=Configuration,DC=Yourdomain,DC=TLD.[44]
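The table gives the five role holders and one placement rule (the infrastructure master should not be on a global catalog unless every DC is a GC or the forest has a single domain); it also notes that the built-in tools do not report the infrastructure master of application partitions, which lives in the fSMORoleOwner attribute. The following PowerShell is an added example, not code from the article or from Microsoft, that reports the role holders and evaluates that rule, and reads the attribute for an application partition. It assumes the ActiveDirectory module; the partition DN is a placeholder.

```powershell
# Added example (not from the article): report FSMO role holders, check the
# infrastructure-master placement rule, and read the infrastructure master of
# an application partition from its fSMORoleOwner attribute.
# Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from the forest object, domain roles from the domain object.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    # Global catalog status of every DC in the domain, keyed by host name.
    $dcs  = @(Get-ADDomainController -Filter * -Server $Domain)
    $isGc = @{}
    foreach ($dc in $dcs) { $isGc[$dc.HostName.ToLowerInvariant()] = [bool]$dc.IsGlobalCatalog }

    $allGc        = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $singleDomain = @($forest.Domains).Count -eq 1
    $imHost       = $dom.InfrastructureMaster.ToLowerInvariant()
    $imOnGc       = $isGc.ContainsKey($imHost) -and $isGc[$imHost]

    [pscustomobject]@{
        Domain                   = $Domain
        Roles                    = $roles
        InfrastructureMasterOnGC = $imOnGc
        # The rule from the table: on a GC is acceptable only if all DCs are GCs
        # or the forest consists of a single domain.
        PlacementOk              = (-not $imOnGc) -or $allGc -or $singleDomain
    }
}

# Infrastructure master of an application partition, read from the
# fSMORoleOwner attribute of the partition's Infrastructure object. The value
# is the DN of the owning DC's NTDS Settings object.
function Get-PartitionInfrastructureMaster {
    param([Parameter(Mandatory)] [string] $PartitionDn)   # placeholder, e.g. 'DC=DomainDnsZones,DC=example,DC=com'
    $obj = Get-ADObject -Identity "CN=Infrastructure,$PartitionDn" -Properties fSMORoleOwner
    $obj.fSMORoleOwner
}

Get-FsmoReport | Format-List
Get-PartitionInfrastructureMaster -PartitionDn 'DC=DomainDnsZones,DC=example,DC=com'
```

Running the report after any DC is promoted, demoted or made a global catalog catches the case the table warns about, where the infrastructure master silently stops updating cross-domain group membership references because it sits on a GC in a multi-domain forest.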

Trusting

To allow users in one domain to access resources in another, Active Directory uses trusts.[45] Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology

One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust: A one way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust: An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut: Joins two domains in different trees, transitive, one- or two-way.
Forest trust: Applies to the entire forest. Transitive, one- or two-way.
Realm: Can be transitive or nontransitive (intransitive), one- or two-way.
External: Connect to other forests or non-AD domains. Nontransitive, one- or two-way.[46]
PAM trust: A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a (Windows Server 2016 functionality level) 'bastion' forest, which issues time-limited group memberships.[47][48]
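The terminology above can be applied mechanically to the trust objects a domain holds. The PowerShell below is an added example, not code from the article or from Microsoft: it labels each trust as intra-forest, forest, realm or external and as one- or two-way, and it works out which forests a given forest's users can reach over forest trusts, treating each forest trust as a single hop because forest trusts are transitive within the trusted forests but not from one forest to the next. The trust objects are constructed to carry the same property names as Get-ADTrust output (Source, Target, Direction, ForestTransitive, IntraForest, TrustType, DisallowTransivity, the last spelled as the cmdlet spells it); the forest names are placeholders, and the reachability function assumes the list was gathered from every forest involved, since each forest only stores its own trusts.

```powershell
# Added example (not from the article): classify trusts with the terminology
# above and compute one-hop reachability over forest trusts.
# Objects are shaped like Get-ADTrust output; names are placeholders.

function Get-TrustLabel {
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        $kind = 'External trust'
        if ($Trust.IntraForest)             { $kind = 'Intra-forest (automatic)' }
        elseif ($Trust.ForestTransitive)    { $kind = 'Forest trust' }
        elseif ($Trust.TrustType -eq 'MIT') { $kind = 'Realm trust' }

        $way = if ($Trust.Direction -eq 'BiDirectional') { 'two-way' } else { "one-way ($($Trust.Direction))" }

        # Intra-forest and forest trusts are transitive; a realm trust is transitive
        # unless transitivity was disallowed; external trusts are nontransitive.
        $transitive = [bool]($Trust.IntraForest -or $Trust.ForestTransitive -or
            ($Trust.TrustType -eq 'MIT' -and -not $Trust.DisallowTransivity))

        [pscustomobject]@{
            Source     = $Trust.Source
            Target     = $Trust.Target
            Kind       = $kind
            Direction  = $way
            Transitive = $transitive
        }
    }
}

function Get-ReachableForests {
    param(
        [Parameter(Mandatory)] [string]   $Forest,
        [Parameter(Mandatory)] [object[]] $Trusts   # forest trusts gathered from every forest
    )
    $reachable = foreach ($t in $Trusts) {
        if (-not $t.ForestTransitive) { continue }   # only forest trusts span forests
        # Seen from Source, "Inbound" means the remote forest trusts this one, so
        # this forest's users can be authenticated there.
        if ($t.Source -eq $Forest -and $t.Direction -in 'BiDirectional','Inbound')  { $t.Target }
        if ($t.Target -eq $Forest -and $t.Direction -in 'BiDirectional','Outbound') { $t.Source }
    }
    # One hop only: forest trusts do not chain from forest to forest.
    @($reachable | Sort-Object -Unique)
}

# Constructed sample: two-way forest trusts A<->B and B<->C, plus a one-way
# external trust from A to a legacy domain. Not a real environment.
$sampleTrusts = @(
    [pscustomobject]@{ Source='a.example'; Target='b.example';   Direction='BiDirectional'; ForestTransitive=$true;  IntraForest=$false; TrustType='Uplevel'; DisallowTransivity=$false }
    [pscustomobject]@{ Source='b.example'; Target='c.example';   Direction='BiDirectional'; ForestTransitive=$true;  IntraForest=$false; TrustType='Uplevel'; DisallowTransivity=$false }
    [pscustomobject]@{ Source='a.example'; Target='legacy.local'; Direction='Outbound';      ForestTransitive=$false; IntraForest=$false; TrustType='Uplevel'; DisallowTransivity=$true  }
)

$sampleTrusts | Get-TrustLabel | Format-Table -AutoSize

'a.example','b.example','c.example' | ForEach-Object {
    [pscustomobject]@{
        Forest           = $_
        ReachableForests = (Get-ReachableForests -Forest $_ -Trusts $sampleTrusts) -join ', '
    }
}
# Expected: a.example reaches b.example; b.example reaches a.example and
# c.example; c.example reaches b.example. A never reaches C through B.

# Live inventory of the local forest's own trust objects:
# Get-ADTrust -Filter * | Get-TrustLabel
```

The sample reproduces the point the forest-trust rules make: with A trusting B and B trusting C, users in A still cannot reach C, and a direct A to C forest trust is the only way to change that. Reviewing a trust inventory labelled this way is also the quickest way to spot two-way external trusts, which extend access to domains outside the forest's security boundary.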

Forest trusts

Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos-based (as opposed to NTLM). Forest trusts are transitive for all the domains within the trusted forests. However, forest trusts are not transitive between forests. Example: Suppose that a two-way transitive forest trust exists between the forest root domains in Forest A and Forest B, and another two-way transitive forest trust exists between the forest root domains in Forest B and Forest C. Such a configuration lets users in Forest B access resources in any domain in either Forest A or Forest C, and users in Forest A or C can access resources in any domain in Forest B. However, it does not let users in Forest A access resources in Forest C, or vice versa. To let users in Forest A and Forest C share resources, a two-way transitive trust must exist between both forests.

Management solutions

Microsoft Active Directory management tools include:

Active Directory Users and Computers
Active Directory Domains and Trusts
Active Directory Sites and Services
ADSI Edit
Local Users and Groups
Active Directory Schema snap-ins for Microsoft Management Console (MMC)

These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities. They provide essential features for more convenient administration processes, such as automation, reports, integration with other services, etc.

Unix integration

Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts. Third parties offer Active Directory integration for Unix-like platforms, including:

Centrify DirectControl (Centrify) – Active Directory-compatible centralized authentication and access control[49]
PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory[49]
ADmitMac (Thursby Software Systems)[49]
Samba – Can act as a domain controller[50][51]

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, supports these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).[52] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.

An alternative option is to use another directory service, to which non-Windows clients authenticate while Windows clients authenticate to AD. Options for such a directory service include 389 Directory Server (formerly Fedora Directory Server, FDS), ViewDS Identity Solutions - ViewDS v7.2 XML Enabled Directory and Sun Microsystems Sun Java System Directory Server. The latter two are both able to perform two-way synchronization with AD and thus provide a "deflected" integration. Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.[citation needed]

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.[53][54][55][56] Free and non-free AD administration tools can help to simplify and possibly automate AD management tasks.

See also

Active Directory Explorer
AGDLP (implementing role based access controls using nested groups)
Flexible single master operation
FreeIPA
List of LDAP software
Univention Corporate Server

References

1. "Directory System Agent". MSDN Library. Microsoft. Retrieved 23 April 2014.
2. Solomon, David A.; Russinovich, Mark (2005). "Chapter 13". Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (4th ed.). Redmond, Washington: Microsoft Press. p. 840. ISBN 0-7356-1917-4.
3. Hynes, Byron (November 2006). "The Future Of Windows: Directory Services in Windows Server "Longhorn"". TechNet Magazine. Microsoft.
4. "Active Directory on a Windows Server 2003 Network". Active Directory Collection. Microsoft. 13 March 2003. Retrieved 25 December 2010.
5. "Install Active Directory Domain Services on Windows Server 2008 R2 Enterprise 64-bit". 2016-04-27. Retrieved 2016-09-22.
6. "The LDAP Application Program Interface". Retrieved 2013-11-26.
7. "An Approach for Using LDAP as a Network Information Service". Retrieved 2013-11-26.
8. "LDAP Password Modify Extended Operation". Retrieved 2013-11-26.
9. "The Lightweight Directory Access Protocol (LDAP) Content Synchronization Operation". Retrieved 2013-11-26.
10. Thomas, Guy. "Windows Server 2008 - New Features". ComputerPerformance.co.uk. Computer Performance Ltd.
11. "What's New in Active Directory in Windows Server". Windows Server 2012 R2 and Windows Server 2012 Tech Center. Microsoft.
12. Active Directory Services. technet.microsoft.com.
13. "AD LDS". Microsoft. Retrieved 28 April 2009.
14. "AD LDS versus AD DS". Microsoft. Retrieved 25 February 2013.
15. Zacker, Craig (2003). "11: Creating and Managing Digital Certificates". In Harding, Kathy; Jean, Trenary; Linda, Zacker. Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Redmond, WA: Microsoft Press. pp. 11–16. ISBN 0-7356-1893-3.
16. "Active Directory Certificate Services Overview". Microsoft TechNet. Microsoft. Retrieved 24 November 2015.
17. "Step 1: Preinstallation Tasks". TechNet. Microsoft. Retrieved 24 November 2015.
18. Windows Server 2003: Active Directory Infrastructure. Microsoft Press. 2003. pp. 1–8–1–9.
19. "Organizational Units". Distributed Systems Resource Kit (TechNet). Microsoft. 2011. "An organizational unit in Active Directory is analogous to a directory in the file system."
20. "sAMAccountName is always unique in a Windows domain… or is it?". Joeware. 4 January 2012. Retrieved 18 September 2013. Examples of how multiple AD objects can be created with the same sAMAccountName.
21. Microsoft Server 2008 Reference, discussing shadow groups used for fine-grained password policies: https://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
22. "Specifying Security and Administrative Boundaries". Microsoft Corporation. 23 January 2005. "However, service administrators have abilities that cross domain boundaries. For this reason, the forest is the ultimate security boundary, not the domain."
23. Andreas Luther. "Active Directory Replication Traffic". Microsoft Corporation. Retrieved 26 May 2010. The Active Directory
Active Directory
is made up of one or more naming contexts or partitions.  ^ "Sites overview". Microsoft
Microsoft
Corporation. 21 January 2005. A site is a set of well-connected subnets.  ^ "Planning for domain controllers and member servers". Microsoft Corporation. 21 January 2005. [...] member servers, [...] belong to a domain but do not contain a copy of the Active Directory
Active Directory
data.  ^ "What Is the Global Catalog?". Microsoft
Microsoft
Corporation. 10 December 2009. [...] a domain controller can locate only the objects in its domain. [...] The global catalog provides the ability to locate objects from any domain [...]  ^ "Global Catalog". Microsoft
Microsoft
Corporation.  ^ "Attributes Included in the Global Catalog". Microsoft
Microsoft
Corporation. 26 August 2010. The isMemberOfPartialAttributeSet attribute of an attribute Schema object is set to TRUE if the attribute is replicated to the global catalog. [...] When deciding whether or not to place an attribute in the global catalog remember that you are trading increased replication and increased disk storage on global catalog servers for, potentially, faster query performance.  ^ "Directory data store". Microsoft
Microsoft
Corporation. 21 January 2005. Active Directory
Active Directory
uses four distinct directory partition types to store [...] data. Directory partitions contain domain, configuration, schema, and application data.  ^ "What Is the Active Directory
Active Directory
Replication Model?". Microsoft Corporation. 28 March 2003. Domain controllers request (pull) changes rather than send (push) changes that might not be needed.  ^ "What Is Active Directory
Active Directory
Replication Topology?". Microsoft Corporation. 28 March 2003. SMTP
SMTP
can be used to transport nondomain replication [...]  ^ " Active Directory
Active Directory
Backup and Restore". TechNet. Microsoft. Retrieved 5 February 2014.  ^ "AD DS: All domains should have at least two functioning domain controllers for redundancy". TechNet. Microsoft. Retrieved 5 February 2014.  ^ Posey, Brien (23 August 2010). "10 tips for effective Active Directory design". TechRepublic. CBS Interactive. Retrieved 5 February 2014. Whenever possible, your domain controllers should run on dedicated servers (physical or virtual).  ^ "You may encounter problems when installing SQL Server on a domain controller (Revision 3.0)". Support. Microsoft. 7 January 2013. Retrieved 5 February 2014.  ^ Degremont, Michel (30 Jun 2011). "Can I install SQL Server on a domain controller?". Microsoft
Microsoft
SQL Server blog. Retrieved 5 February 2014. For security and performance reasons, we recommend that you do not install a standalone SQL Server on a domain controller.  ^ "Installing Exchange on a domain controller is not recommended". TechNet. Microsoft. 22 March 2013. Retrieved 5 February 2014.  ^ "Security Considerations for a SQL Server Installation". TechNet. Microsoft. Retrieved 5 February 2014. After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.  ^ " Exchange Server Analyzer". TechNet. Microsoft. Retrieved 5 February 2014. Running SQL Server on the same computer as a production Exchange mailbox server is not recommended.  ^ "Running Domain Controllers in Hyper-V". TechNet. Microsoft. Planning to Virtualize Domain Controllers. Retrieved 5 February 2014. You should attempt to avoid creating potential single points of failure when you plan your virtual domain controller deployment.frank  ^ a b efleis (8 June 2006). "Large AD database? Probably not this large". Blogs.technet.com. Retrieved 20 November 2011.  ^ Berkouwer, Sander. " Active Directory
Active Directory
basics". Veeam Software.  ^ Active Directory
Active Directory
Service Interfaces, Microsoft ^ TechNet: ForestDNSZones and DomainDNSZones have wrong infrastructure role record ^ "Domain and Forest Trusts Technical Reference". Microsoft Corporation. 28 March 2003. Trusts enable [...] authentication and [...] sharing resources across domains or forests  ^ "How Domain and Forest Trusts Work". Microsoft
Microsoft
Corporation. 11 December 2012. Retrieved 29 January 2013. Defines several kinds of trusts. (automatic, shortcut, forest, realm, external)  ^ Microsoft
Microsoft
Identity Manager: Privileged Access Management for Active Directory Domain Services ^ TechNet: MIM 2016: Privileged Access Management (PAM) - FAQ ^ a b c Edge, Charles S., Jr; Smith, Zack; Hunter, Beau (2009). "Chapter 3: Active Directory". Enterprise Mac Administrator's Guide. New York City: Apress. ISBN 978-1-4302-2443-3.  ^ "Samba 4.0.0 Available for Download". SambaPeople. SAMBA Project. Archived from the original on 15 November 2010. Retrieved 9 August 2016.  ^ "The great DRS success!". SambaPeople. SAMBA Project. 5 October 2009. Archived from the original on 13 October 2009. Retrieved 2 November 2009.  ^ "RFC 2307bis". Archived from the original on 27 September 2011. Retrieved 20 November 2011.  ^ " Active Directory
Active Directory
Administration with Windows PowerShell". Microsoft. Retrieved 7 June 2011.  ^ "Using Scripts to Search Active Directory". Microsoft. Retrieved 22 May 2012.  ^ "ITAdminTools Perl
Perl
Scripts Repository". ITAdminTools.com. Retrieved 22 May 2012.  ^ "Win32::OLE". Perl
Perl
Open-Source Community. Retrieved 22 May 2012. 

External links

Wikiversity has learning resources about Active Directory.

Microsoft TechNet: White paper: Active Directory Architecture (a single technical document giving an overview of Active Directory)
Microsoft TechNet: Detailed description of Active Directory on Windows Server 2003
Microsoft MSDN Library: [MS-ADTS]: Active Directory Technical Specification (part of the Microsoft Open Specification Promise)
Active Directory Application Mode (ADAM)
Microsoft MSDN: [AD-LDS]: Active Directory Lightweight Directory Services
Microsoft TechNet: [AD-LDS]: Active Directory Lightweight Directory Services
Microsoft MSDN: Active Directory Schema
Microsoft TechNet: Understanding Schema
Microsoft TechNet Magazine: Extending the Active Directory Schema
Microsoft MSDN: Active Directory Certificate Services
Microsoft TechNet: Active Directory Certificate Services
