
A directory service (DS) is a software application, or a set of applications, that stores and organizes information about a computer network's users and network resources.

It allows network administrators to manage users' access to the resources and acts as an abstraction layer between users and shared resources.

A directory service typically:
- Provides file shares.
- Authenticates users.
- Provides services such as email, access to print services, etc.
- Controls access to services and shares.
Active Directory is Microsoft's version of an LDAP-based network directory service.

Active Directory allows administrators to define, arrange and manage objects, such as user data, printers and servers, so they are available to users and applications throughout the organization.

It is Microsoft's directory service, included in the Windows 2000 and Windows Server 2003 operating system versions, and is an implementation of LDAP directory services.

Also called: ADS, NTDS

Goals and Benefits
- Open Standards
- High Scalability
- Simplified Administration
- Hierarchical
- Base object: Domain

Structure (diagram): Domain, Tree, Forest. OUs are nested inside a Domain; a Tree combines Domains; a Forest combines Trees.
Objects
Old friends:
- User
- Group
- Computer
New elements:
- Distribution Lists
- System Policies
- Application-defined custom objects

Schema
Objects are described in the Schema: the definition of all AD object types (classes), attributes and data types (syntaxes).
Can be compared to a database.
ONE consistent Schema inside a single Forest.
Domain
AD base element (building block)
NT 4 compatible
Physically implemented on Domain Controllers (DC)
Border for
- Replication Traffic
- System Policies
- Administration

OU (Organizational Unit)
Implements a structure inside a Domain
Can be nested as needed
Can not be assigned any rights
Typically used for administrative reasons, e.g. System Policies
(Diagram: domains BISKRA and BATNA, each with Admin and Sales OUs)
Tree
Hierarchical Domain structure inside a single namespace
- adiscon.com
- la.adiscon.com
- ny.adiscon.com
Transitive trusts created automatically
A sub-domain must be added to the adiscon.com root domain, otherwise there will be no tree.
(Diagram: adiscon.com with sub-domains la.adiscon.com and ny.adiscon.com)

Forest
Combination of Trees
Disjoint namespaces
- adiscon.de
- adiscon.com
Transitive trusts created automatically
There is one single tree root!
A sub-tree must be added to the root tree, otherwise no Forest will be created.
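As an added illustration (not from the original slides), the tree and forest rules above applied in Python to a list of domain DNS names: a domain whose direct parent is present joins that tree, anything else becomes a tree root of its own. The domain names are the slide's own examples; the function names are assumptions.

```python
# Added example (not from the original slides): group AD domain DNS names
# into trees and a forest using the namespace rules above. A domain whose
# direct parent name is in the list joins that parent's tree (contiguous
# namespace); any other domain starts its own tree (disjoint namespace).
from collections import defaultdict


def parent_of(domain):
    """'la.adiscon.com' -> 'adiscon.com'; a single label has no parent."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def ldap_dn(domain):
    """DNS name to the LDAP naming context AD uses: dc=la,dc=adiscon,dc=com."""
    return ",".join("dc=" + label for label in domain.lower().strip(".").split("."))


def build_forest(domains):
    """Return {tree_root: [all domains of that tree, parents before children]}."""
    names = {d.lower().strip(".") for d in domains}
    root_of = {}
    # Shortest names first, so a parent is classified before its sub-domains.
    for d in sorted(names, key=lambda n: n.count(".")):
        p = parent_of(d)
        root_of[d] = root_of[p] if p in root_of else d
    trees = defaultdict(list)
    for d, r in root_of.items():
        trees[r].append(d)
    return {r: sorted(m, key=lambda n: (n.count("."), n)) for r, m in trees.items()}


def detached_subdomains(domains):
    """Names that sit under a domain in the list but whose direct parent is
    missing: they become separate tree roots instead of joining that tree,
    which is the 'otherwise there will be no tree' case from the slide."""
    names = {d.lower().strip(".") for d in domains}
    detached = []
    for d in names:
        if parent_of(d) in names:
            continue
        ancestor = parent_of(parent_of(d) or "")
        while ancestor:
            if ancestor in names:
                detached.append(d)
                break
            ancestor = parent_of(ancestor)
    return sorted(detached)


if __name__ == "__main__":
    print(build_forest(["adiscon.com", "la.adiscon.com", "ny.adiscon.com", "adiscon.de"]))
```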
Site: A site is a physical location, or LAN. This is different from a web site, which is an organization's internet presence.

Domain:
- A sub-network comprised of a group of clients and servers under the control of one security database. Dividing LANs into domains improves performance and security.
- All resources under the control of a single computer system.
Lightweight Directory Access Protocol (LDAP): a protocol used to access a directory service.

LDAP is the primary access protocol for Active Directory.
The global catalog is the mechanism that tracks all of the objects managed across the network, across all domains within the organization.

Elements of the catalog are replicated across all of the domain controllers within all domains across the organization.
For Active Directory to function properly, DNS servers must support Service Location (SRV) resource records.

SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.
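An added example (not part of the original slides) of how a client consumes the SRV records described above: it parses constructed zone lines for the real _ldap._tcp.dc._msdcs.<domain> record name and orders the domain controllers the way RFC 2782 prescribes (lowest priority first, weighted random among equal priorities). The host names, TTLs, priorities and weights are made up, and the function names are assumptions.

```python
# Added example (not from the original slides): parse SRV records of the kind
# Active Directory publishes for domain controllers and order them as an
# RFC 2782 client does. Zone text is constructed sample data; only the
# _ldap._tcp.dc._msdcs.<domain> record-name convention is real.
import random
from collections import namedtuple

SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.adiscon.com. 600 IN SRV 0 100 389 dc1.adiscon.com.
_ldap._tcp.dc._msdcs.adiscon.com. 600 IN SRV 0  50 389 dc2.adiscon.com.
_ldap._tcp.dc._msdcs.adiscon.com. 600 IN SRV 10  0 389 dc3.adiscon.com.
_kerberos._tcp.dc._msdcs.adiscon.com. 600 IN SRV 0 100 88 dc1.adiscon.com.
"""

Srv = namedtuple("Srv", "name priority weight port target")


def parse_zone(text):
    """Zone-file style lines; anything that is not an 8-field SRV line is skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[3] == "SRV":
            records.append(Srv(f[0].rstrip("."), int(f[4]), int(f[5]),
                               int(f[6]), f[7].rstrip(".")))
    return records


def order_targets(records, service, seed=None):
    """(host, port) pairs for `service` in the order a client should try them;
    weight 0 is only picked once no positively weighted record is left."""
    rng = random.Random(seed)
    pool = [r for r in records if r.name == service.rstrip(".")]
    ordered = []
    for prio in sorted({r.priority for r in pool}):   # lower priority = preferred
        group = [r for r in pool if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]                     # used when every weight is 0
            if total:
                n = rng.randint(0, total - 1)   # weighted random draw
                for pick in group:
                    n -= pick.weight
                    if n < 0:
                        break
            ordered.append((pick.target, pick.port))
            group.remove(pick)
    return ordered
```

With the sample weights, dc1 is tried first about twice as often as dc2, and dc3 (priority 10) only after both.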
Active Directory replicates its administration information across domain controllers throughout the forest using a multi-master approach.

Multi-master replication among peer domain controllers is impractical for some types of changes, so only one domain controller, called the operations master, accepts requests for such changes.

Each domain controller has information for the entire forest to support authentication and access control.

This provides the ability for local domain controllers (the tree) to provide a quick local lookup of authority.

Not just users but every object authenticating to Active Directory must reference the global catalog server, including every computer that boots up.
Domain Controller (DC)
Stores a physical copy of the Active Directory database
- Currently a single Domain per DC supported!
- ESE95 database (MS Exchange)
Logon services
- Kerberos
- LAN Manager authentication
It is always recommended to have at least 2 Domain Controllers.
Replication
Updates can be applied to ANY Domain Controller.
They will be replicated to each other Domain Controller (inside that Domain) within 15 minutes.
An optimized algorithm reduces replication traffic.
Not time based (triggered on demand); all Domain databases involved.
Changes are transmitted compressed via IP (RPC) or SMTP
- SMTP not within a single domain!
The time at which replication occurs can be configured.
The volume of replication traffic can not be restricted!
Have an eye on GCs!
Improved authentication
Permissions applied via ACLs
- To objects as a whole
- To specific attributes
Fine-tuning of access permissions possible
Tool support to visualize security settings is currently weak (try Visio!)

Benefits
- Time savings
- Repository of information
- Increased security

Drawbacks
- DNS dependency
- No merge-tree
- No partitioning (only a single Domain per Domain Controller)
- Limited tool support
- Forest-global Schema
- Schema modifications can not be undone
Applications directly using and accessing the Active Directory
- e.g. Exchange 2000
- Many more expected!
Typically extend the Schema
May dramatically change the usage pattern for Active Directory resources
- Replication traffic (new objects, attributes)
- AD queries (GCs!)
