
A directory service (DS) is a software application - or a set of applications - that stores and organizes information about a computer network's users and network resources.

Allows network administrators to manage users' access to the resources
Acts as an abstraction layer between users and shared resources
Provides file shares.
Authenticates users
Provides services, such as Email, access to the internet, print services etc.
Controls access to services and shares.
Active Directory is Microsoft's version of an LDAP based network directory service.

Active Directory allows administrators to define, arrange and manage objects, such as user data, printers and servers, so they are available to users and applications throughout the organization.

Microsoft's directory service which is included in the Windows 2000 and Windows Server 2003 operating system versions.

Is an implementation of LDAP directory services.

Called: ADS, NTDS

Goals and Benefits
Open Standards
High Scalability
Simplified Administration
Hierarchical

Base object: Domain

[Diagram: the hierarchy. A Forest contains Trees, a Tree contains Domains, and a Domain contains OUs.]
Objects
Old friends: User, Group, Computer
New elements: Distribution Lists, System Policies, Application defined custom objects
Described in the Schema

Schema
Definition of all AD Object-Types (Classes), Attributes and Data-Types (Syntaxes)
Can be compared to a Database Schema
ONE consistent Schema inside a single Forest
Extensible
Domain
AD Base Element (Building Block)
NT 4 Compatible
Physically Implemented on Domain Controllers (DC)
Border for
- Replication Traffic
- System Policies
- Administration

[Diagram: BISKRA and BATNA, each divided into Admin and Sales.]

OU
Implements a Structure inside a Domain
Can be nested as needed
Can not be assigned any rights
Typically used for Administrative Reasons, e.g. System Policies
Tree
Hierarchical Domain Structure inside a single Namespace
- adiscon.com
- la.adiscon.com
- ny.adiscon.com
Transitive Trusts created automatically
Sub-Domain must be added to Root-Domain, otherwise there will be no tree

[Diagram: the adiscon.com tree.]

Forest
Combination of Trees
Disjunct Namespaces
- adiscon.de
- adiscon.com
Transitive Trusts created automatically
There is one single tree-root!
Sub-Tree must be added to Root-Tree, otherwise no Forest will be created
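The tree and forest rules above (contiguous namespace inside a tree, disjunct namespaces between trees, a sub-domain that is not hung under its root forms no tree, and transitive trusts that chain through tree roots and the forest root) as a small Python model. This is an added example, not material from the slides; the domain names come from the slides, the fifth domain eu.adiscon.de and the choice of adiscon.com as forest root are assumptions made for the example.

```python
# Added example: tree/forest namespace rules and the transitive trust path.
from __future__ import annotations

# Constructed forest. Names from the slides; eu.adiscon.de is added here.
FOREST_DOMAINS = [
    "adiscon.com", "la.adiscon.com", "ny.adiscon.com",  # tree rooted at adiscon.com
    "adiscon.de", "eu.adiscon.de",                       # second tree, disjunct namespace
]
FOREST_ROOT = "adiscon.com"  # assumption: the first domain created, hence the forest root


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def is_child_of(child: str, parent: str) -> bool:
    """True if `child` lies below `parent` in the DNS namespace (contiguous namespace)."""
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def parent_of(name: str, domains: list[str]) -> str | None:
    """Closest ancestor of `name` that exists in the forest, or None if it is a tree root."""
    ancestors = [d for d in domains if is_child_of(name, d)]
    return max(ancestors, key=lambda d: len(_labels(d))) if ancestors else None


def build_trees(domains: list[str]) -> dict[str, list[str]]:
    """Group domains into trees keyed by tree root.

    A sub-domain whose parent domain is not in the forest cannot join a tree
    and becomes a tree root of its own ("otherwise there will be no tree").
    """
    trees: dict[str, list[str]] = {}
    for d in domains:
        root = d
        while (p := parent_of(root, domains)) is not None:
            root = p
        trees.setdefault(root, []).append(d)
    return trees


def chain_to_forest_root(domain: str, domains: list[str], forest_root: str) -> list[str]:
    """Trust chain from a domain to the forest root: parent-child trusts up to
    the tree root, then the tree-root trust to the forest root."""
    chain = [domain]
    while (p := parent_of(chain[-1], domains)) is not None:
        chain.append(p)
    if chain[-1] != forest_root:
        chain.append(forest_root)
    return chain


def trust_path(a: str, b: str, domains: list[str], forest_root: str) -> list[str]:
    """Domains traversed when `a` reaches `b` over the automatic transitive trusts."""
    up_a = chain_to_forest_root(a, domains, forest_root)
    up_b = chain_to_forest_root(b, domains, forest_root)
    k = 0  # length of the shared tail (common ancestors, forest root included)
    while k < min(len(up_a), len(up_b)) and up_a[-1 - k] == up_b[-1 - k]:
        k += 1
    # keep the lowest common ancestor once, then descend towards b
    return up_a[:len(up_a) - k + 1] + up_b[:len(up_b) - k][::-1]


if __name__ == "__main__":
    print(build_trees(FOREST_DOMAINS))
    print(trust_path("la.adiscon.com", "eu.adiscon.de", FOREST_DOMAINS, FOREST_ROOT))
    # sub-domains without their root in the forest form no tree:
    print(build_trees(["la.adiscon.com", "ny.adiscon.com"]))
```

Running the module prints the two trees, the path la.adiscon.com -> adiscon.com -> adiscon.de -> eu.adiscon.de (two tree roots joined through the forest root), and, for the last call, two single-domain "trees", which is what happens when sub-domains are created without their root domain.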
Site: A site is a physical location, or LAN. This is different from a web site, which is an organization's internet presence.

Domain:
- A sub-network comprised of a group of clients and servers under the control of one security database. Dividing LANs into domains improves performance and security.
- All resources under the control of a single computer system.

Lightweight Directory Access Protocol (LDAP) -- a protocol used to access a directory service.
Lightweight Directory Access Protocol is the primary access protocol for Active Directory.
The global catalog is the mechanism that tracks all of the objects managed across the network, across all domains within the organization.

Elements of the catalog are replicated across all of the domain controllers within all domains across the org.
For Active Directory to function properly, DNS servers must support Service Location (SRV) resource records.

SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.
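The DC lookup just described, carried out in Python over a constructed DNS data set. This is an added example, not code from the slides. The record names _ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<site>._sites.dc._msdcs.<domain> are the standard Active Directory locator names (not mentioned on the slides); the zone contents, host names and addresses are constructed for the example, and the within-priority ordering is a deterministic simplification of the RFC 2782 weighted selection.

```python
# Added example: from SRV records to domain controller addresses.
from __future__ import annotations

# Constructed SRV data: query name -> list of (priority, weight, port, target)
ZONE: dict[str, list[tuple[int, int, int, str]]] = {
    "_ldap._tcp.dc._msdcs.adiscon.com": [
        (0, 100, 389, "dc1.adiscon.com"),
        (0, 50, 389, "dc2.adiscon.com"),
        (10, 100, 389, "dc-backup.adiscon.com"),  # higher priority value = tried last
        (0, 100, 389, "dc-old.adiscon.com"),      # stale: the host has no address any more
    ],
    "_ldap._tcp.LA._sites.dc._msdcs.adiscon.com": [
        (0, 100, 389, "dc1.la.adiscon.com"),
    ],
}
# Constructed address (A) records: host -> IPv4
ADDRESSES = {
    "dc1.adiscon.com": "10.0.0.10",
    "dc2.adiscon.com": "10.0.0.11",
    "dc-backup.adiscon.com": "10.9.0.10",
    "dc1.la.adiscon.com": "10.1.0.10",
}


def dc_locator_names(domain: str, site: str | None = None) -> list[str]:
    """Query names in the order a client tries them: site-specific first, then domain-wide."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records):
    """Lowest priority first; within one priority, higher weight first.
    (RFC 2782 chooses among equal priorities randomly in proportion to weight;
    the deterministic order here keeps the example reproducible.)"""
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def locate_dcs(domain, zone, addresses, site=None):
    """Return (host, port, ip) for the DCs a client would contact, preferring its own site."""
    for name in dc_locator_names(domain, site):
        found = []
        for _prio, _weight, port, target in order_srv(zone.get(name, [])):
            ip = addresses.get(target)
            if ip is None:
                continue  # SRV target without an address record: skip it
            found.append((target, port, ip))
        if found:
            return found  # a site-specific answer wins; otherwise fall through
    return []


def audit_srv(zone, addresses, domain):
    """Defender's check: SRV targets with no address, or outside the domain's namespace."""
    issues = []
    suffix = "." + domain.lower()
    for name, records in zone.items():
        for _p, _w, _port, target in records:
            if target not in addresses:
                issues.append((name, target, "no address record"))
            if not target.lower().endswith(suffix):
                issues.append((name, target, "target outside domain namespace"))
    return issues


if __name__ == "__main__":
    print(locate_dcs("adiscon.com", ZONE, ADDRESSES, site="LA"))
    print(locate_dcs("adiscon.com", ZONE, ADDRESSES, site="NY"))  # no NY records: domain-wide list
    print(audit_srv(ZONE, ADDRESSES, "adiscon.com"))
```

The NY call shows the fallback: with no site-specific records the client uses the domain-wide set, ordered by priority and weight, and the stale dc-old entry is skipped because it never resolves to an address; audit_srv reports that entry, which is the kind of leftover worth cleaning up, since the slides list DNS as a hard dependency of Active Directory.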
Active Directory replicates its administration information across domain controllers throughout the forest utilizing a multi-master approach.

Multi-master replication among peer domain controllers is impractical for some types of changes, so only one domain controller, called the operations master, accepts requests for such changes.

Each domain controller has information for the entire forest to support authentication and access control.

This provides the ability for local domain controllers (the tree) to provide a quick local lookup of authority.

Not just users but every object authenticating to Active Directory must reference the global catalog server, including every computer that boots up.
Domain Controller
Stores a physical Copy of the Active Directory Database
- Currently a single Domain per DC supported!
- ESE95 Database (MS Exchange)
Logon Services
- Kerberos
- LAN Manager Authentication
It's always recommended to have at least 2 Domain Controllers!
Replication
Updates can be applied to ANY Domain Controller
Will be Replicated to each other Domain Controller (inside that Domain) within 15 Minutes
Optimized Algorithm reduces Replication Traffic
Not time based (triggered on demand, only)!
All Domain Databases involved
Changes are transmitted compressed via IP (RPC) or SMTP
- SMTP not within a single domain!
Time Replication occurs can be configured
Volume of Replication Traffic can not be restricted!
Have an Eye on GCs!
Improved Authentication
Permissions applied via ACLs
- To Objects as whole
- To specific Attributes
Fine-Tuning of Access Permissions possible
Tool-Support to visualize Security Settings currently weak (try Visio!)
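The distinction the slide draws, an ACL entry that covers the whole object versus one that covers a single attribute, as a small Python model. This is an added example, not from the slides, and it is a simplified model of DACL evaluation rather than the exact Windows algorithm: it ignores inheritance and assumes the entries are already in canonical order (explicit denies before allows), so the first matching entry decides. The DACL, the trustee names and the attribute names are constructed for the example.

```python
# Added example: object-wide versus attribute-specific ACL entries (simplified model).
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str                     # "allow" or "deny"
    trustee: str                  # user or group the entry applies to
    right: str                    # e.g. "read", "write"
    attribute: str | None = None  # None = the entry applies to the object as a whole


# Constructed DACL on a user object: Helpdesk may write the object, except the
# userAccountControl attribute; every authenticated user may read the object.
# Canonical order assumed: the explicit deny comes first.
USER_OBJECT_DACL = [
    Ace("deny", "Helpdesk", "write", "userAccountControl"),
    Ace("allow", "Helpdesk", "write"),
    Ace("allow", "Authenticated Users", "read"),
]


def is_allowed(dacl, principal_groups, right, attribute=None):
    """First matching entry decides; no matching entry means access is denied."""
    for ace in dacl:
        if ace.trustee not in principal_groups or ace.right != right:
            continue
        if ace.attribute is not None and ace.attribute != attribute:
            continue  # attribute-specific entry for some other attribute
        return ace.kind == "allow"
    return False


def writable_attributes(dacl, principal_groups, attributes):
    """Which of `attributes` the principal may write; useful when reviewing a DACL
    by hand, which the slide notes the tooling does not make easy."""
    return [a for a in attributes if is_allowed(dacl, principal_groups, "write", a)]


if __name__ == "__main__":
    helpdesk = {"Helpdesk", "Authenticated Users"}
    print(writable_attributes(USER_OBJECT_DACL, helpdesk, ["telephoneNumber", "userAccountControl"]))
    print(is_allowed(USER_OBJECT_DACL, {"Authenticated Users"}, "write", "telephoneNumber"))
```

The object-wide allow grants Helpdesk a write on telephoneNumber, while the attribute-specific deny placed ahead of it blocks the write on userAccountControl; a principal with only the read entry cannot write anything.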
Time Savings
Repository of Information
Increased Security

DNS Dependency
No Merge-Tree
No Partitioning (only a single Domain per Domain Controller)
Limited Tool-Support
Forest Global Schema
Schema-Modifications can not be undone

Applications directly using and accessing the Active Directory
- e.g. Exchange 2000
- Many more expected!
Typically extend the Schema
May dramatically change usage pattern for Active Directory Resources
- Replication Traffic (new Objects, Attributes)
- AD Queries (GCs!)
