
Active Directory Architecture

White Paper Posted: October 12, 1999
Read Document: Microsoft Word version, adarch.doc (645 KB Word 2000 file, about 5 min @ 28.8 kbps)
Download: compressed Word document, adarch.exe (256 KB executable file, about 2 min @ 28.8 kbps)

Summary

To use the Microsoft® Windows® 2000 Server operating system with maximum effectiveness, you must first understand what the Active Directory™ service is. Active Directory, new in the Windows 2000 operating system, plays a major role in implementing your organization’s network and therefore in accomplishing its business goals.

This paper introduces network administrators to Active Directory, explains its architecture, and describes how it interoperates with applications and other directory services. Gaining an understanding of the Active Directory™ service is the first step in understanding how the Windows® 2000 operating system functions and what it can do to help you meet your enterprise goals. This paper looks at Active Directory from the following three perspectives:

  • Store. Active Directory, the Windows 2000 Server directory service, hierarchically stores information about network objects and makes this information available to administrators, users, and applications. The first section of this paper explains what a directory service is, the integration of Active Directory service with the Internet’s Domain Name System (DNS), and how Active Directory is actualized when you designate a server as a domain controller.
  • Structure. Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites. The next section in this paper describes the structure and function of these Active Directory components, and how this architecture lets administrators manage the network so that users can accomplish business objectives.
  • Inter-communicate. Because Active Directory is based on standard directory access protocols, it can interoperate with other directory services and can be accessed by third-party applications that follow these protocols. The final section describes how Active Directory can communicate with a wide variety of other technologies.

Active Directory Benefits

The introduction of Active Directory in the Windows 2000 operating system provides the following benefits:

  • Integration with DNS. Active Directory uses the Domain Name System (DNS). DNS is an Internet standard service that translates human-readable computer names (such as mycomputer.microsoft.com) to computer-readable numeric Internet Protocol (IP) addresses (four numbers separated by periods). This lets processes running on computers in TCP/IP networks identify and connect to one another.
  • Flexible querying. Users and administrators can use the Search command on the Start menu, the My Network Places icon on the desktop, or the Active Directory Users and Computers snap-in to quickly find an object on the network using object properties. For example, you can find a user by first name, last name, e-mail name, office location, or other properties of that person's user account. Finding information is optimized by use of the global catalog.
  • Extensibility. Active Directory is extensible, which means that administrators can add new classes of objects to the schema and can add new attributes to existing classes of objects. The schema defines each object class that can be stored in the directory, together with the attributes of each class. For example, you could add a Purchase Authority attribute to the User object and then store each user's purchase authority limit as part of the user's account.
  • Policy-based administration. Group Policies are configuration settings applied to computers or users as they are initialized. All Group Policy settings are contained in Group Policy Objects (GPOs) applied to Active Directory sites, domains, or organizational units. GPO settings determine access to directory objects and domain resources, what domain resources (such as applications) are available to users, and how these domain resources are configured for use.
  • Scalability. Active Directory includes one or more domains, each with one or more domain controllers, enabling you to scale the directory to meet any network requirements. Multiple domains can be combined into a domain tree and multiple domain trees can be combined into a forest. In the simplest structure, a single-domain network is simultaneously a single tree and a single forest.
  • Information replication. Active Directory uses multimaster replication, which lets you update the directory at any domain controller. Deploying multiple domain controllers in one domain provides fault tolerance and load balancing. If one domain controller within a domain slows, stops, or fails, other domain controllers within the same domain can provide the necessary directory access, since they contain the same directory data.
  • Information security. User authentication and access control, both fully integrated with Active Directory, are key security features in the Windows 2000 operating system. Active Directory centralizes authentication. Access control can be defined not only on each object in the directory, but also on each property of each object. In addition, Active Directory provides both the store and the scope of application for security policies. (For more about Active Directory logon authentication and access control, see the “For More Information” section at the end of this paper.)
  • Interoperability. Because Active Directory is based on standard directory access protocols, such as Lightweight Directory Access Protocol (LDAP), it can interoperate with other directory services employing these protocols. Several application programming interfaces (APIs)—such as Active Directory Service Interfaces (ADSI)—give developers access to these protocols.

At the end of this document, "Appendix A: Tools" provides a brief overview of the software tools you use to perform the tasks associated with Active Directory.


© 2001 Microsoft Corporation. All rights reserved.