Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.

A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. It also allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Federated Services, Lightweight Directory Services and Rights Management Services.

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.
Active Directory, like many information-technology efforts, originated out of a democratization of design using Request for Comments (RFCs). The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept and then makes improvements upon them. For example, LDAP underpins Active Directory; X.500 directories and the Organizational Unit likewise preceded the Active Directory concept that makes use of those methods.

The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995), RFC 2307, RFC 3062, and RFC 4533.

Microsoft previewed Active Directory in 1999, released it first with the Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services. The part of the directory in charge of management of domains, which was previously a core part of the operating system, was renamed Active Directory Domain Services (AD DS) and became a server role like others. "Active Directory" became the umbrella title of a broader range of directory-based services. According to Byron Hynes, everything related to identity was brought under Active Directory's umbrella.
Active Directory Services
Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.

Domain Services
Active Directory Domain Services (AD DS) is the cornerstone of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server (or the cluster of servers) running this service is called a domain controller. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs a line-of-business Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, as described below), as well as most Microsoft server technologies, rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.
Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is a lightweight implementation of AD DS. AD LDS runs as a service on Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.
Certificate Services
Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per the S/MIME standard), and network traffic (when used by virtual private networks or the Transport Layer Security protocol). AD CS predates Windows Server 2008, but its name was simply Certificate Services. AD CS requires an AD DS infrastructure.
Federation Services
Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS's purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials. The former enables them to use the same set of credentials in a different network.

As the name suggests, AD FS works based on the concept of federated identity. AD FS requires an AD DS infrastructure, although its federation partner may not.
Rights Management Services
Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them.
Logical structure
As a directory service, an Active Directory instance consists of a database and corresponding executable code responsible for servicing requests and maintaining the database. The executable part, known as the Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later. Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and Security Accounts Manager services.
A simplified example of a publishing company's internal network. The
company has four groups with varying permissions to the three shared
folders on the network.
Active Directory structures are arrangements of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity (a user, a computer, a printer, or a group) and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes, the characteristics and information that the object represents, defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.

The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, a schema object can only be deactivated, not deleted. Changing the schema usually requires planning.
Forests, trees and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

Example of the geographical organizing of zones of interest within trees and domains.
Organizational units
The objects held within a domain can be grouped into Organizational Units (OUs). OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs; domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well.
Organizational units do not each have a separate namespace; for example, user accounts with an identical username (sAMAccountName) in separate OUs within a domain are not allowed, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain. However, two users in different OUs can have the same Common Name (CN), the name under which they are stored in the directory itself.

In general, the reason duplicate names cannot be allowed through hierarchical directory placement is that Active Directory relies on the principles of NetBIOS, which is a flat-file method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.
As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" (Western order) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student ID numbers to use as account names in place of actual users' names, and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.
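The two naming rules above (sAMAccountName unique across the whole domain, CN unique only within its container) and the digit-suffix workaround are easy to get wrong in a provisioning script. The following is an added example, not code from the article or from Microsoft: a small in-memory model of a domain that enforces those rules and generates the next free account name. The DNs, names and the validation rules applied (the illegal-character set and the 20-character limit for user accounts) are assumptions of this example.

```python
# Added example, not code from the article: an in-memory model of the naming
# rules described above.  sAMAccountName is unique across the whole domain and
# compared case-insensitively; a Common Name (CN) only has to be unique inside
# its container, so the same CN may exist in two different OUs.  All DNs and
# names are constructed sample data.
import re

# Characters sAMAccountName may not contain, plus the legacy 20-character
# limit for user accounts (assumed here as the only validation applied).
_ILLEGAL = re.compile(r'["/\\\[\]:;|=,+*?<>@ ]')
_MAX_LEN = 20


class Domain:
    def __init__(self, dns_name):
        self.dns_name = dns_name
        self.objects = {}       # DN -> attributes (the DN identifies the object)
        self._sam_index = {}    # lower-cased sAMAccountName -> DN

    def add_user(self, cn, ou_dn, sam_account_name):
        """Create a user; refuse a duplicate DN or a duplicate sAMAccountName."""
        if _ILLEGAL.search(sam_account_name) or len(sam_account_name) > _MAX_LEN:
            raise ValueError(f"invalid sAMAccountName {sam_account_name!r}")
        dn = f"CN={cn},{ou_dn}"
        if dn in self.objects:
            raise ValueError(f"an object already exists at {dn}")
        key = sam_account_name.lower()
        if key in self._sam_index:
            raise ValueError(
                f"sAMAccountName {sam_account_name!r} is already used by {self._sam_index[key]}")
        self.objects[dn] = {"cn": cn, "sAMAccountName": sam_account_name}
        self._sam_index[key] = dn
        return dn

    def next_free_sam(self, base):
        """The digit-suffix workaround: base if unused, else base2, base3, ...
        The base is trimmed so the suffixed name stays within the length limit."""
        if base.lower() not in self._sam_index:
            return base
        n = 2
        while True:
            candidate = f"{base[:_MAX_LEN - len(str(n))]}{n}"
            if candidate.lower() not in self._sam_index:
                return candidate
            n += 1


def initial_surname(given, middle, family):
    """The 'first initial, middle initial, last name' (Western order) convention."""
    raw = f"{given[:1]}{middle[:1]}{family}".lower()
    return _ILLEGAL.sub("", raw)[:_MAX_LEN]


def build_example():
    """Two people called Wei Li in different OUs: the same CN is fine, but the
    second sAMAccountName has to be made unique with a digit suffix."""
    d = Domain("example.test")
    staff = "OU=staff,DC=example,DC=test"
    students = "OU=students,DC=example,DC=test"
    first = d.add_user("Wei Li", staff, d.next_free_sam(initial_surname("Wei", "", "Li")))
    second = d.add_user("Wei Li", students, d.next_free_sam(initial_surname("Wei", "", "Li")))
    return d, first, second


if __name__ == "__main__":
    domain, a, b = build_example()
    for dn in (a, b):
        print(dn, "->", domain.objects[dn]["sAMAccountName"])
```

The index is keyed on the lower-cased name because the domain controller compares sAMAccountName case-insensitively; a provisioning tool that only checks exact-case matches will be rejected by the directory for "WLI" when "wli" exists.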
In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

Shadow groups
A common workaround for an Active Directory administrator is to write a Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups any time the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as shadow groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.
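The core of any shadow-group script is the reconciliation step: compare the user objects currently located in an OU with the group's membership and produce the adds and removes. The following is an added example, not a script from the article or from Microsoft, written in Python against a constructed snapshot of directory objects rather than a live domain. It assumes the snapshot's DNs contain no escaped commas (so the container is everything after the first RDN) and that computer objects, which also carry the user object class, should not become shadow-group members.

```python
# Added example, not a script from the article or from Microsoft: the
# reconciliation step a shadow-group maintenance script performs.  Given a
# snapshot of directory objects, work out which members must be added to or
# removed from the shadow group so that it mirrors the user objects located
# in one OU.  The snapshot is constructed; the DNs in it contain no escaped
# commas, so splitting on ',' is enough to find an object's container (a
# production script should use a real DN parser instead).

def parent_dn(dn):
    """Container of an object: everything after its first RDN."""
    return dn.split(",", 1)[1]


def users_in_ou(snapshot, ou_dn, subtree=False):
    """DNs of user objects whose container is ou_dn.  With subtree=True any
    OU nested under ou_dn counts too (an LDAP subtree vs. one-level search).
    Computer objects also carry the 'user' class in AD and are excluded."""
    target = ou_dn.lower()
    found = set()
    for dn, attrs in snapshot.items():
        classes = attrs.get("objectClass", ())
        if "user" not in classes or "computer" in classes:
            continue
        container = parent_dn(dn).lower()
        if container == target or (subtree and container.endswith("," + target)):
            found.add(dn)
    return found


def reconcile(snapshot, ou_dn, group_dn, subtree=False):
    """Return the membership changes that bring group_dn in line with ou_dn.
    A real script would apply them as LDAP modify operations on 'member'."""
    desired = users_in_ou(snapshot, ou_dn, subtree)
    current = set(snapshot[group_dn].get("member", ()))
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


# Constructed snapshot: carol has been moved out of OU=Sales since the shadow
# group was last refreshed, bob is new, dave sits in a nested OU, and a
# workstation object lives in the OU but must not join the group.
SNAPSHOT = {
    "OU=Sales,DC=example,DC=test": {"objectClass": ("top", "organizationalUnit")},
    "OU=Field,OU=Sales,DC=example,DC=test": {"objectClass": ("top", "organizationalUnit")},
    "CN=alice,OU=Sales,DC=example,DC=test": {"objectClass": ("top", "person", "user")},
    "CN=bob,OU=Sales,DC=example,DC=test": {"objectClass": ("top", "person", "user")},
    "CN=dave,OU=Field,OU=Sales,DC=example,DC=test": {"objectClass": ("top", "person", "user")},
    "CN=carol,OU=Marketing,DC=example,DC=test": {"objectClass": ("top", "person", "user")},
    "CN=WS01,OU=Sales,DC=example,DC=test": {"objectClass": ("top", "person", "user", "computer")},
    "CN=Shadow-Sales,OU=Groups,DC=example,DC=test": {
        "objectClass": ("top", "group"),
        "member": ("CN=alice,OU=Sales,DC=example,DC=test",
                   "CN=carol,OU=Marketing,DC=example,DC=test"),
    },
}

if __name__ == "__main__":
    changes = reconcile(SNAPSHOT, "OU=Sales,DC=example,DC=test",
                        "CN=Shadow-Sales,OU=Groups,DC=example,DC=test", subtree=True)
    print(changes)
```

Because the script only sees the directory as it was when the snapshot was taken, carol keeps her Sales rights until the next run; that window is the lag the text describes, and it is why a shadow group should be refreshed on a short schedule.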
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT service, or by object type, and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself, and an administrator of any domain in the forest must be trusted across all domains in the forest.
The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object classes and attributes within the forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the forest. The 'Domain' partition holds all objects created in that domain and replicates only within its domain.

Physical structure
Sites are physical (rather than logical) groupings defined by one or more IP subnets. AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.
Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called member servers. A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers replicate to themselves all objects from all domains and hence provide a global listing of all objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC. Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP and DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.
Active Directory synchronizes changes using multi-master replication. Replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected. The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication.

Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory DNS zones is configured automatically, per site, when DNS is activated in the domain.

Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) naming contexts. SMTP cannot be used for replicating the default Domain partition.
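The cost-based route selection described above is easiest to see on a small site graph. The following is an added example, not code from the article or from Microsoft: a Python model in which site links are weighted edges and the route between two sites is the least-cost path, optionally passing through intermediate sites when site link bridging is enabled. The site names and costs are constructed; in a real forest the site links live under CN=Inter-Site Transports in the Configuration partition, and the KCC's own topology generator applies further rules (bridgehead selection, schedules) that this model leaves out.

```python
# Added example, not from the article: a model of how the KCC chooses a
# replication route between sites from site-link costs.  Site links are the
# edges of a graph and the administrator-assigned costs are the weights.  With
# site link bridging a route may pass through intermediate sites, accumulating
# cost; without it only a direct link between the two sites can be used.  The
# sites and costs below are constructed; in a real forest they live under
# CN=Inter-Site Transports in the Configuration partition.
import heapq

# Constructed site links: (site, site) -> cost.  Branch3 has no direct link to HQ.
SITE_LINKS = {
    ("HQ", "Branch1"): 100,        # fast link
    ("HQ", "Branch2"): 150,        # slower direct link
    ("Branch1", "Branch2"): 100,
    ("Branch1", "Branch3"): 100,
}


def cheapest_route(site_links, src, dst, bridging=True):
    """Return (total cost, [sites on the route]) or (None, []) if unreachable.
    Dijkstra's algorithm over the undirected site-link graph."""
    if not bridging:
        direct = site_links.get((src, dst), site_links.get((dst, src)))
        return (direct, [src, dst]) if direct is not None else (None, [])
    adjacency = {}
    for (a, b), cost in site_links.items():
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
    best, previous, heap = {src: 0}, {}, [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            break
        if cost > best[site]:
            continue                      # stale heap entry
        for nxt, weight in adjacency.get(site, ()):
            candidate = cost + weight
            if candidate < best.get(nxt, float("inf")):
                best[nxt] = candidate
                previous[nxt] = site
                heapq.heappush(heap, (candidate, nxt))
    if dst not in best:
        return None, []
    route, cur = [dst], dst
    while cur != src:
        cur = previous[cur]
        route.append(cur)
    return best[dst], route[::-1]


if __name__ == "__main__":
    for target in ("Branch2", "Branch3"):
        print(target, "bridged:", cheapest_route(SITE_LINKS, "HQ", target))
        print(target, "direct only:", cheapest_route(SITE_LINKS, "HQ", target, bridging=False))
```

With these costs the direct HQ-Branch2 link (150) beats the two-hop route via Branch1 (200), which is the preference the text describes, while Branch3 is reachable from HQ only transitively; disabling bridging leaves it with no route at all, which is the situation an administrator must cover with an explicit site link.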
In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller, but Microsoft recommends more than one domain controller to provide automatic failover protection of the directory. Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role. Certain Microsoft products such as SQL Server and Exchange can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult. A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server, and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although for proper failover protection Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.
The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects. (By comparison, the earlier Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security descriptor single instancing.

Programs may access the features of Active Directory via the COM interfaces provided by Active Directory Service Interfaces (ADSI).
Single server operations
Flexible Single Master Operations (FSMO, pronounced "fizz-mo") roles are also known as operations master roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are supported only on a single server. These operations are performed using the roles listed below:

Role name | Scope | Description
Schema Master | 1 per forest | Schema modifications
Domain Naming Master | 1 per forest | Addition and removal of domains if present in root domain
PDC Emulator | 1 per domain | Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain-specific processes such as the Security Descriptor Propagator (SDP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and is the default server for managing all GPOs.
RID Master | 1 per domain | Allocates pools of unique identifiers to domain controllers for use when creating objects
Infrastructure Master | 1 per domain/partition | Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain.

The Infrastructure Master role as described above is only for the domain partition (default naming context); netdom query fsmo and ntdsutil will only query the domain partition. However, every application partition, including forest- and domain-level DNS zones, has its own Infrastructure Master. The holder of this role is stored in the fSMORoleOwner attribute of the Infrastructure object in the root of the partition, and it can be modified with ADSIEdit; for example, one can modify the fSMORoleOwner attribute of the CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld object.
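Because netdom and ntdsutil do not report the per-partition holders, checking them means reading the fSMORoleOwner value of each partition's Infrastructure object, which is the DN of the holder's NTDS Settings object. The following is an added example, not code from the article or from Microsoft: a Python DN parser (backslash and hex escapes per RFC 4514) used to extract the holder's server name from such a value and to flag the stale case where the holder DC has been deleted, which shows up as the deleted-object marker (a line feed, escaped as \0A, followed by DEL: and a GUID) in the RDNs. The partition names, server names and GUIDs below are constructed sample values, and reading the attribute from a live partition is left to the caller.

```python
# Added example, not from the article: read a partition's fSMORoleOwner value
# and report which domain controller holds that partition's Infrastructure
# Master role.  fSMORoleOwner contains the DN of the holder's NTDS Settings
# object, so the server name is the second RDN.  When the holder DC has been
# deleted, the RDNs of the stale value carry the deleted-object marker: a line
# feed (escaped as \0A in DN syntax) followed by "DEL:" and a GUID.  The
# partition names and DNs below are constructed sample values.
_HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Split an RFC 4514 DN into (attribute type, value) pairs, honouring
    backslash escapes ("\\," for a literal comma, "\\0A" for a hex byte)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                buf.append(chr(int(pair, 16)))   # hex-escaped byte
                i += 3
            else:
                buf.append(dn[i + 1])             # escaped special character
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type, value))
    return pairs


DELETED_MARKER = "\nDEL:"   # what "\0ADEL:" decodes to


def role_holder(fsmo_role_owner):
    """Return (server name, deleted?) for an fSMORoleOwner value."""
    rdns = parse_dn(fsmo_role_owner)
    if len(rdns) < 2 or rdns[0][0].upper() != "CN" or rdns[1][0].upper() != "CN":
        raise ValueError(f"unexpected fSMORoleOwner value: {fsmo_role_owner!r}")
    deleted = any(DELETED_MARKER in value for _, value in rdns)
    server = rdns[1][1].split(DELETED_MARKER, 1)[0]
    return server, deleted


def report(role_owners):
    """partition DN -> {'holder': server, 'deleted': bool}."""
    return {partition: dict(zip(("holder", "deleted"), role_holder(value)))
            for partition, value in role_owners.items()}


# Constructed values, written as ADSI Edit would display them.
ROLE_OWNERS = {
    "DC=DomainDnsZones,DC=example,DC=test":
        "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
        "CN=Sites,CN=Configuration,DC=example,DC=test",
    "DC=ForestDnsZones,DC=example,DC=test":
        "CN=NTDS Settings\\0ADEL:11111111-2222-3333-4444-555555555555,"
        "CN=DC02\\0ADEL:66666666-7777-8888-9999-000000000000,"
        "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,"
        "DC=example,DC=test",
}

if __name__ == "__main__":
    for partition, info in report(ROLE_OWNERS).items():
        state = "DELETED - reassign the role" if info["deleted"] else "ok"
        print(f"{partition}: holder={info['holder']} ({state})")
```

A partition whose holder is flagged as deleted is the condition in which the role must be re-pointed to a live DC's NTDS Settings object with ADSIEdit, as the text describes; a DN containing an escaped comma in a CN is handled correctly because the parser only splits on unescaped commas.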
Trusts
To allow users in one domain to access resources in another, Active Directory uses trusts.

Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusted domain: The domain that is trusted; its users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust: An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut: Joins two domains in different trees. Transitive, one- or two-way.
Forest: Applies to the entire forest. Transitive, one- or two-way.
Realm: Can be transitive or nontransitive (intransitive), one- or two-way.
External: Connects to other forests or non-AD domains. Nontransitive, one- or two-way.
PAM trust: A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a (Windows Server 2016 functionality level) 'bastion' forest, which issues time-limited group memberships.
Forest trusts
Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos-based (as opposed to NTLM). Forest trusts are transitive for all the domains within the trusted forests. However, forest trusts are not transitive between forests.

Example: Suppose that a two-way transitive forest trust exists between the forest root domains in Forest A and Forest B, and another two-way transitive forest trust exists between the forest root domains in Forest B and Forest C. Such a configuration lets users in Forest B access resources in any domain in either Forest A or Forest C, and users in Forest A or C can access resources in any domain in Forest B. However, it does not let users in Forest A access resources in Forest C, or vice versa. To let users in Forest A and Forest C share resources, a two-way transitive trust must exist between both forests.
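The A-B-C example above, together with the one-way and external trust types from the list, can be checked mechanically. The following is an added example, not code from the article or from Microsoft: a Python model of which domains a user can be authenticated to, given forest membership, forest trusts (transitive within the two forests joined, never chained through a third forest) and external trusts (non-transitive, between exactly the two domains named). The forest names, domain names and trusts are constructed; the model ignores selective authentication and SID filtering, which further restrict access in real deployments.

```python
# Added example, not from the article: a small model of the trust rules just
# described.  Inside one forest every domain trusts every other (automatic,
# transitive).  A forest trust is transitive for all domains of the two
# forests it joins, but it does not chain through a third forest.  An external
# trust is non-transitive and links exactly the two domains named.  Forests,
# domains and trusts below are constructed.

class TrustModel:
    def __init__(self):
        self.forest_of = {}           # domain -> forest it belongs to
        self.forest_trusts = set()    # (trusting forest, trusted forest)
        self.external_trusts = set()  # (trusting domain, trusted domain)

    def add_forest(self, forest, domains):
        for domain in domains:
            self.forest_of[domain] = forest

    def add_forest_trust(self, trusting, trusted, two_way=True):
        """trusting forest accepts users from trusted forest (and vice versa
        when two_way)."""
        self.forest_trusts.add((trusting, trusted))
        if two_way:
            self.forest_trusts.add((trusted, trusting))

    def add_external_trust(self, trusting_domain, trusted_domain):
        """One-way, non-transitive trust between two specific domains."""
        self.external_trusts.add((trusting_domain, trusted_domain))

    def can_access(self, user_domain, resource_domain):
        """Can a user from user_domain be authenticated to resource_domain?"""
        user_forest = self.forest_of[user_domain]
        resource_forest = self.forest_of[resource_domain]
        if user_forest == resource_forest:
            return True                                    # intra-forest, transitive
        if (resource_forest, user_forest) in self.forest_trusts:
            return True                                    # a direct forest trust only
        return (resource_domain, user_domain) in self.external_trusts


def build_example():
    """Forest A <-> Forest B <-> Forest C, plus one external trust in which
    hr.a.test (Forest A) trusts lab.c.test (Forest C) one-way."""
    m = TrustModel()
    m.add_forest("A", ["a.test", "hr.a.test"])
    m.add_forest("B", ["b.test"])
    m.add_forest("C", ["c.test", "lab.c.test"])
    m.add_forest_trust("A", "B")
    m.add_forest_trust("B", "C")
    m.add_external_trust("hr.a.test", "lab.c.test")
    return m


if __name__ == "__main__":
    model = build_example()
    for user, resource in (("hr.a.test", "b.test"), ("a.test", "c.test"),
                           ("lab.c.test", "hr.a.test"), ("lab.c.test", "a.test")):
        print(f"{user} -> {resource}: {model.can_access(user, resource)}")
```

The external trust shows why the trust type matters for scoping: lab.c.test users reach hr.a.test but not its parent a.test, whereas the forest trust between A and B lets users from any child domain of A into any domain of B.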
Management solutions
Active Directory management tools include:
Active Directory Users and Computers,
Active Directory Domains and Trusts,
Active Directory Sites and Services,
Local Users and Groups,
Active Directory Schema snap-in for Microsoft Management Console.

These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities, providing essential features for more convenient administration processes, such as automation, reports, integration with other services, etc.
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Third parties offer Active Directory integration for Unix-like platforms, including:
Centrify DirectControl (Centrify) – Active Directory-compatible centralized authentication and access control
PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory
ADmitMac (Thursby Software Systems)
Samba – Can act as a domain controller

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, supports these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed). Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.
An alternative option is to use another directory service: non-Windows clients authenticate to it while Windows clients authenticate to AD. Such directory services include 389 Directory Server (formerly Fedora Directory Server, FDS), ViewDS Identity Solutions - XML Enabled Directory and Sun Microsystems' Sun Java System Directory Server, the latter two both being able to perform two-way synchronization with AD and thus provide a "deflected" integration.

Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, Ruby among them. Free and non-free AD administration tools can help to simplify and possibly automate AD management tasks.
See also
Active Directory Explorer
AGDLP (implementing role based access controls using nested groups)
Flexible single master operation
List of LDAP software
Univention Corporate Server
"Chapter 3: Active Directory". Enterprise Mac Administrator's Guide.
New York City: Apress. ISBN 978-1-4302-2443-3.
^ "Samba 4.0.0 Available for Download". SambaPeople. SAMBA Project.
Archived from the original on 15 November 2010. Retrieved 9 August
^ "The great DRS success!". SambaPeople. SAMBA Project. 5 October
2009. Archived from the original on 13 October 2009. Retrieved 2
^ "RFC 2307bis". Archived from the original on 27 September 2011.
Retrieved 20 November 2011.
Active Directory Administration with Windows PowerShell".
Microsoft. Retrieved 7 June 2011.
^ "Using Scripts to Search Active Directory". Microsoft. Retrieved 22
Perl Scripts Repository". ITAdminTools.com. Retrieved
22 May 2012.
Perl Open-Source Community. Retrieved 22 May
Microsoft Technet: White paper: Active Directory Architecture (Single technical document that gives an overview about Active Directory.)
Microsoft Technet: Detailed description of Active Directory on Windows
Microsoft MSDN Library: [MS-ADTS]: Active Directory Technical Specification (part of the Microsoft Open Specification Promise)
Active Directory Application Mode (ADAM)
Microsoft MSDN: [AD-LDS]: Active Directory Lightweight Directory
Microsoft TechNet: [AD-LDS]: Active Directory Lightweight Directory
Active Directory Schema
Microsoft TechNet: Understanding Schema
Microsoft TechNet Magazine: Extending the Active Directory Schema
Active Directory Certificate Services