Like many information-technology efforts, Active Directory originated out of a democratization of design using Requests for Comments (RFCs).
The Internet Engineering Task Force (IETF) oversees the RFC process and has accepted numerous RFCs initiated by widespread participants.
It stores information about domain members, including devices and users, verifies their credentials, and defines their access rights.
[19] It runs as a service on Windows Server and offers the same functionality as AD DS, including an identical API.
Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure.
It can create, validate, revoke, and otherwise manage public key certificates for an organization's internal use.
With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service.
AD FS uses many popular open standards to pass token credentials such as SAML, OAuth or OpenID Connect.
[1] Accessing the objects in Active Directory databases is possible through various interfaces such as LDAP, ADSI, messaging API, and Security Accounts Manager services.
[2] Active Directory structures consist of information about objects classified into two categories: resources (such as printers) and security principals (which include user or computer accounts and groups).
Each object has a unique name, and its definition is a set of characteristics and information defined by a schema, which determines how the object is stored in Active Directory.
[26] In an Active Directory network, the framework that holds objects has different levels: the forest, tree, and domain.
A domain is a logical group of network objects such as computers, users, and devices that share the same Active Directory database.
[27] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms.
In general, the reason duplicate names are disallowed regardless of hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, a flat-namespace method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager.
However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.
[30] The Active Directory database is organized in partitions, each holding specific object types and following a particular replication pattern.
Sites play a crucial role in managing network traffic created by replication and directing clients to their nearest domain controllers (DCs).
The Active Directory information is physically held on one or more peer domain controllers, replacing the NT PDC/BDC model.
[34][35] Global Catalog servers replicate all objects from all domains to themselves, providing a global listing of objects in the forest.
A bridgehead server in each site can send updates to other DCs in the same site, so that changes are replicated between sites.
SMTP can be used to replicate between sites, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) partitions.
[46] A business planning to implement Active Directory should purchase multiple Windows Server licenses so as to have at least two separate domain controllers.
However, for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.
[48] The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98).
They provide essential features for a more convenient administration process, such as automation, reports, integration with other services, etc.
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.
[59] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.
Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database.
[citation needed] Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.
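As an added example (not code from the article, from Microsoft, or from any of the listed tools), the following Python script works with the LDAP-level view of directory objects described above: it parses a distinguished name into its relative distinguished names (RDNs) to recover the domain DNS name and the OU hierarchy, and builds an LDAP search filter with the user-supplied value escaped as RFC 4515 requires. Every distinguished name and account name in it is a constructed sample value; it uses only the standard library and never contacts a directory.

```python
"""Offline helpers for scripting against Active Directory over LDAP.

Added example, not part of the original article. The sample values below
are constructed; no live directory is queried.
"""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 distinguished name into (attribute, value) pairs.

    Handles backslash escapes such as '\\,' inside values (hex escapes like
    '\\2C' are not handled here). Attribute types are upper-cased.
    """
    rdns: list[tuple[str, str]] = []
    attr, buf, escaped, in_value = "", [], False, False
    for ch in dn:
        if escaped:                     # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:  # end of the attribute type
            attr = "".join(buf).strip().upper()
            buf, in_value = [], True
        elif ch == "," and in_value:      # unescaped comma ends this RDN
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
    if in_value:                        # flush the last RDN
        rdns.append((attr, "".join(buf).strip()))
    return rdns


def domain_dns_name(rdns: list[tuple[str, str]]) -> str:
    """Join the DC components into the domain's DNS name, e.g. corp.example.com."""
    return ".".join(value for attr, value in rdns if attr == "DC")


def ou_path(rdns: list[tuple[str, str]]) -> list[str]:
    """Return the OU hierarchy from the domain root downward."""
    return [value for attr, value in reversed(rdns) if attr == "OU"]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL are replaced by backslash + two hex digits so
    that untrusted input cannot change the structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_lookup_filter(sam_account_name: str) -> str:
    """Build a filter that matches exactly one user account by sAMAccountName."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)}))"
    )


# Constructed sample DN: a user whose common name itself contains a comma.
SAMPLE_DN = "CN=Jane Doe\\, Jr.,OU=Sales,OU=EMEA,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    rdns = parse_dn(SAMPLE_DN)
    print("RDNs:      ", rdns)
    print("Domain:    ", domain_dns_name(rdns))
    print("OU path:   ", " / ".join(ou_path(rdns)))
    # A value that would otherwise alter the filter is neutralised by escaping.
    print("Filter:    ", user_lookup_filter("j*doe(1)"))
```

The filter string is what you would hand to any LDAP client (ldapsearch, an ADSI script, or a PowerShell or Python LDAP library) with the domain's DNs as the search base; keeping the escaping in one helper means every query built by a script benefits from it.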