10,000 feet view of Microsoft Active Directory

Non-technical colleagues, and friends who work with Microsoft products but outside of a corporate environment often ask me “what is Active Directory” (AD). As I’ve blogged a few 10,000 feet views of Microsoft technologies, I thought I’d produce one for AD.

At the Microsoft Technical Roadshow event last May, Paul Brombley (a messaging technology specialist for Microsoft UK) gave a presentation on Exchange and the Active Directory which included an “AD 101”. As I thought it was an excellent overview I haven’t re-invented the wheel and the following is taken from my notes from that presentation, with a few items added from my own experience.

Active Directory is basically a distributed database. It is hierarchical, with a permissions model, includes a common set of objects and is integrated with Windows Security as the primary means of authentication (and hence authorisation).

AD makes use of DNS as a name service. AD cannot be implemented without DNS although it does not require a Microsoft DNS service – in fact, any DNS server supporting SRV records (RFC 2782) and dynamic DNS updates (RFC 2136) can be used to support Active Directory although there are advantages to using the Windows DNS Server (e.g. AD-integrated DNS zones).

This reliance on DNS is apparent when the logical structure of AD is examined. As for Windows NT, domains can be linked using trust relationships. The main differences with AD are that instead of using NetBIOS names, DNS is the naming service for AD domain (with NetBIOS and WINS only supported for legacy purposes) and that default trusts are two-way transitive Kerberos trusts.

Each AD server is called a domain controller (DC) and all DCs can authenticate users.

Each domain must have at least one DC. One or more domains sharing a common schema are referred to as a forest. If these domains also have a contiguous namespace then they are called a tree, and each forest may contain multiple trees; however the first domain in the forest is always the forest root domain. These concepts are illustrated in the Windows 2000 Advanced Server help documentation: understanding domain trees and forests.

DCs replicate data using a multiple master model (although there are five roles known as operations masters, or FSMOs, which dictate the master server for certain operations at domain or forest level – for more information, see Daniel Petri’s description of the FSMO roles).

There are four naming contexts (NCs) which make up AD:

  • The schema NC contains a schema of object definitions. This is common throughout the entire directory and can be changed by a domain administrator running with local system privileges – hence the reason why a forest is a security boundary and not a domain (as is commonly misconceived). The schema NC is replicated between all domain controllers.
  • The configuration NC contains details of the replication technologies, domains and servers. This is replicated to all DCs within a forest.
  • The domain NC contains objects such as users, groups and contacts. This is replicated to all DCs within a domain; however a DC can also have an additional role of a global catalog (GC) server. The GC is a subset of each domain NC in the forest, merged to form a single view of the objects in the directory (albeit without all attributes). Applications such as Microsoft Exchange make heavy use of GC servers, e.g. to create a global address list.
  • The application NC is new to Windows Server 2003 AD and contains volatile application information. This is held on specific DCs within the forest.

An AD site is a group of servers with good connectivity (generally LAN connected). A site can span domains and a domain can cross a number of sites.

In addition to my earlier post on new features in Windows Server 2003 AD include:

  • Schema deactivation, whereby certain attributes (not those added by Exchange) can be blanked out (although they are not deleted and remain present in the database).
  • Group membership replication improvements, whereby only deltas are replicated (with Windows 2000 sometimes the replication took longer than the 15 minute replication interval).
  • Domain renaming (with restrictions).
  • Application naming context (discussed above).

(Some of these features require the domain or forest to be running at Windows Server 2003 domain or forest functional level).

So, that’s AD in a nutshell. For further reading, check out Microsoft’s Windows Server 2003 Active Directory pages or Active Directory forestry: investigating and managing objects and attributes for Windows 2000 and Windows Server 2003 by John Craddock and Sally Storey.

Leave a Reply