Understanding the Development of Active Directory

Introduced with Windows 2000, Active Directory (commonly referred to as AD) has achieved wide industry recognition and acceptance and has proven itself in reliability, scalability, and performance. The introduction of AD served to address some limitations in the NT 4.0 domain structure design and also allowed for future Microsoft products to tie into a common interface.

The Limitations of NT 4.0 Domains

Windows NT 4.0 domains, while possessing enhanced security over previous Windows Workgroup models, have several functional shortcomings that have limited their use as enterprise directories. The Windows NT domain is basically a flat namespace that stores very little information about a user beyond the basic username, password, and so on. In addition, further organization of users beyond the domain level is essentially not possible.

In addition, a typical NT 4.0 domain has basically two types of users: full-blown administrators and standard users. In a nutshell, you were either a super administrator of the domain or just a simple network user. This kept delegation of administration simple but didn't provide for the type of granular security required by many larger organizations. These organizations needed administrative tasks to be subdivided and strictly defined, and Windows NT domains did not provide these capabilities. To get around this problem, many organizations set up multiple resource and user domains, dividing them by geographical location and/or political subdivision. The resulting special administrative issues could confuse even a seasoned NT guru. Often, one individual had several user accounts in multiple domains with multiple passwords. Needless to say, this drawback has been addressed in the granular administrative design within Active Directory.

Connectivity between NT 4.0 domains was accomplished through the manual setup of one- or two-way trusts between the domains. The domain trusts allowed for the domain controllers in the "trusting" domain to accept credentials that were validated by domain controllers in the "trusted" domain. The trusts were not transitive, however, which meant that if Domain A trusts Domain B, and Domain B trusts Domain C, Domain A does not trust Domain C unless you specifically create a trust between Domain A and Domain C. The problem with this model was that multiple domain trusts between several domains started to look like a "spaghetti" domain structure similar to the trust configuration shown in Figure 4.1.

This type of domain structure, as any NT 4.0 administrator can attest, becomes frustratingly difficult to administer and troubleshoot, as new administrators must determine what is meant by "trusted" and "trusting" domains and even veterans have a hard time visualizing their trust relationships from memory.

In addition to the complicated trust schemes, the Windows NT primary domain controller (PDC) is a single point of failure within an NT domain. If the PDC went down for whatever reason, it would severely affect domain functionality. Large organizations were likewise limited by the object limitations of NT 4.0 domains, which could not scale higher than 44,000 objects in any one domain.

These limitations were aggressively addressed with the development of Windows 2000 and Active Directory. Windows Server 2003 expands upon the functionality of Windows 2000 and takes the administrative capabilities of Active Directory even further.

Microsoft's Adoption of Internet Standards

Since the early development of Windows 2000, and subsequently Windows Server 2003, Microsoft has strived to make all its products embrace the Internet. Standards that before had been options or previously incompatible were subsequently woven into the software as primary methods of communication and operability. All applications and operating systems became TCP/IP compliant, and proprietary protocols such as NetBEUI were phased out. With the introduction of Windows Server 2003, the Internet readiness of the Microsoft environment reaches new levels of functionality.