To make it easy to directory-enable any application, Microsoft has provided Active Directory Service Interfaces (ADSI). ADSI is a collection of several interfaces that can be used to access the Active Directory from within executable application programs. Programmers might want to use ADSI instead of the LDAP C API because ADSI makes it possible to write an application that can access directory services from multiple providers. If the directory service provider has designed its directory service product to be compliant with at least version 2.0 of LDAP, ADSI should be capable of providing an interface into the directory. The current version of ADSI is 2.5, and it is included with Windows 2000/2003. In addition to providing access to Microsoft directory products, such as Exchange Server 5.5, ADSI has been tested by Microsoft against the following:
ADSI provides an interface that allows all the functionality of the LDAP C API, but does so in a manner that is easier to understand and write code for. Another reason for using ADSI in application development is that ADSI can be used by many higher-level programming languages, including Microsoft Visual BASIC, Perl, Rexx, and C or C++. ADSI uses the Component Object Model (COM) interface to allow programmers to access and manipulate the underlying directory objects found in multiple directory services. A program written using ADSI should function correctly with any directory service for which ADSI has a provider interface. Directory-Aware Application ProgrammingADSI is one of the features of Microsoft's development of Active Directory Services that might benefit large enterprises the greatest. If the Active Directory were limited to specific types of objects or attributes that could be stored in the directory, and if only programs supplied by Microsoft were able to access and manipulate the directory store, there wouldn't be much to say about Active Directory beyond its being a major improvement in the administration of Windows servers and clients. However, if it's properly employed, using ADSI to incorporate application program configuration information into the directory database along with other types of data can produce real cost benefits in a large network. For example:
Many types of applications can benefit from using the Active Directory. Human resource departments and security departments can share a common user database resource by storing information in the directory. System management products can be written to access the information already contained in directory user and computer objects. Now It's Just Domain Controllers and Member ServersWhen you create a domain controller for a Windows server, you are no longer required to do so during the installation of the operating system, which was the case with Windows NT. And to make things even easier, you no longer must create primary and backup domain controllers. In Windows Server, no distinction is made as to primary or backup domain controllers. Instead, each domain controller in a domain (and there can be as many as you need) holds a complete copy of the domain's partition of the Active Directory. Updates can be made at any domain controller, and updates are propagated using multimaster replication to all other domain controllers in the domain. Remember that in the Active Directory domain, names are expressed as DNS-style names. That is, instead of naming a domain acme, for example, it is now named acme.com, which is a DNS-style name. When you create a tree of domains in the Active Directory, you must use a hierarchical DNS naming scheme so that you maintain a contiguous namespace. Each domain in the tree is a subdomain of the topmost domain. The domain tree provides a two-way transitive trust relationship between all domains that exist in the tree. Inheritance of security rights flows downward from the top of the tree, so you can assign users administrative access rights and permissions at a single point in the tree, and therefore grant them the same rights for child objects farther down the tree. When you have a network that is composed of disparate namespaces, you can create separate trees and group them into a forest. Recall that a forest is a collection of domain trees. In this type of organization, each domain tree represents a contiguous namespace, but other disjointed namespaces are in the network. A domain forest is used in a similar manner to a domain tree, in that users can still be granted access rights in domains that are contained in other domain trees. The main difference between a domain tree and a forest is the disjointed namespaces. |