Active Directory has numerous advantages, not the least of which is that it can handle any size of installation, from a single server with a few hundred objects to thousands of servers and millions of objects. Active Directory also greatly simplifies the process of locating resources across a large network. The Active Directory Service Interfaces (ADSI) allows developers to "directory-enable" their applications, giving users a single point of access to multiple directories, whether those directories are based on LDAP, NDS, or NT Directory Services (NTDS).
In Windows 2000, Active Directory integrates the Internet concept of a namespace with the operating system's directory services. This combination allows the unification of multiple namespaces in, for example, the mixed software and hardware environments of corporate networks—even across operating system boundaries. The ability to subsume individual corporate directories into a general-purpose directory means that Active Directory can greatly reduce the costs of administering multiple namespaces.
Active Directory is not an X.500 directory. Instead, it uses LDAP as the access protocol and supports the X.500 information model without requiring systems to host the entire X.500 overhead. LDAP is based on TCP/IP and is considerably simpler than the X.500 DAP. Like X.500, LDAP bases its directory model on entries, where the distinguished name (see the next section) is used to refer to an entry without ambiguity. But rather than using the highly structured X.500 data encoding, LDAP adopts a simple, string-based approach for representing directory entries. LDAP uses many of the directory-access techniques specified in the X.500 DAP standard but requires fewer client resources, making it more practical for mainstream use over a TCP/IP link.
Active Directory also directly supports Hypertext Transfer Protocol (HTTP). Every object in Active Directory can be displayed as a Hypertext Markup Language (HTML) page in a Web browser. Directory support extensions to Microsoft Internet Information Services (IIS) translate HTTP requests for directory objects into HTML pages for viewing in any HTML client.
Active Directory allows a single point of administration for all published resources, which can include files, peripheral devices, host connections, databases, Web access, users, other arbitrary objects, services, and so forth. It uses the Internet DNS as its locator service, organizes objects in domains into a hierarchy of organizational units (OUs), and allows multiple domains to be connected into a tree structure. The concepts of primary domain controller (PDC) and backup domain controller (BDC) no longer exist. Active Directory uses domain controllers only, and all domain controllers are peers. An administrator can make changes on any domain controller, and the updates are replicated to all other domain controllers.
Some of the terms used to describe concepts in Active Directory have been around for a while in other contexts, so it's important to understand what they mean when used specifically in reference to Active Directory. This section covers these basic terms and concepts.
"Namespace" is perhaps an unfamiliar term for a very familiar concept. Every directory service is a namespace—a circumscribed area in which a name can be resolved. A television listing forms a namespace in which the names of television shows can be resolved to channel numbers. A computer's file system forms a namespace in which the name of a file can be resolved to the file itself.
Active Directory forms a namespace in which the name of an object in the directory can be resolved to the object itself. Name resolution is the process of translating a name into some object or information that the name represents.
Each piece of information that describes some aspect of an entry is called an attribute. An attribute comprises an attribute type and one or more attribute values. An example of an attribute type might be a telephone number, and an example of a telephone number attribute value might be 345-555-0112.
An object is a particular set of attributes that represents something concrete, such as a user, a printer, or an application. The attributes hold data describing the thing that is identified by the directory object. Attributes of a user might include the user's given name, surname, and e-mail address. The classification of the object defines which types of attributes are used. For example, the objects classified as users might allow the use of attribute types like common name, telephone number, and e-mail address, whereas the object class organization would allow attribute types like organization name and business category. An attribute can take one or more values, depending on its type.
Every object in Active Directory has a unique identity. Objects can be moved or renamed, but their identity never changes. Objects are known internally by their identity, not their current name. An object's identity is a globally unique identifier (GUID), which is assigned by the Directory System Agent (DSA) when the object is created. The GUID is stored in an attribute, objectGUID, that is part of every object. The objectGUID attribute can't be modified or deleted. When storing a reference to an Active Directory object in an external store (for example, a database), you should use objectGUID because, unlike a name, it won't change.
A container resembles an object in that it has attributes and is part of the Active Directory namespace. However, unlike an object, a container doesn't represent anything concrete. It is a holder of objects and other containers.
A tree in Active Directory is just an extension of the idea of a directory tree. It's a hierarchy of objects and containers that demonstrates how objects are connected, or the path from one object to another. Endpoints on the tree are usually objects.
A subtree is any unbroken path in the tree, including all of the members of any containers in that path. Figure 2-1 shows a tree structure for microsoft.com. Any of the unbroken paths (for example, from nw.sales.seattle.microsoft.com to microsoft.com) is a subtree. Trees and forests are discussed in more detail in Chapter 3.
Figure 2-1. A tree structure with subtrees.
Every object in Active Directory has what's called a distinguished name (DN). In this context, "distinguished" means the qualities that make the name distinct. The distinguished name identifies the domain that holds the object as well as the complete path through the container hierarchy used to reach the object. A typical DN might be CN=Mary Perez,OU=Research,DC=scribes,DC=com. This DN identifies the "Mary Perez" user object in the Research organizational unit, in the scribes.com domain.
CN translates as common name, OU stands for organizational unit, and DC means domain controller. Some attributes are derived from the X.500 model; an administrator can define others.
Active Directory also uses a relative distinguished name (RDN), which is the part of the DN that is an attribute of the object itself. In the previous example, the RDN of the user object is CN=Mary Perez. The RDN of the parent object is OU=Research.
The DC= portion of a DN allows X.500 directories to plug in to the DNS namespace, which is also what Active Directory does. The root of the global namespace for Active Directory is the DNS namespace. Thus, DNS domain names merge within the Active Directory naming scheme. For example, scribes.com is a valid DNS domain name and could be the name of an Active Directory domain as well. This DNS integration means that Active Directory fits naturally into Internet and intranet environments. Active Directory servers can be connected directly to the Internet to simplify secure communications and electronic commerce with customers and partners.
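A small parser for the DN syntax described above, added here as an example and not code from the book: it splits a DN into its RDNs, returns the object's own RDN and the DN of its parent container, and reassembles the DC= components into the DNS domain name. The sample DN is the page's own; the escaped-comma variant and the backslash escaping (RFC 2253 DN string syntax) are assumptions about input the book does not show.

```python
import re
from typing import List, Tuple

# The book's example DN, plus a constructed variant whose common name
# contains a comma that must be escaped so it is not read as a separator.
SAMPLE_DN = "CN=Mary Perez,OU=Research,DC=scribes,DC=com"
ESCAPED_DN = "CN=Perez\\, Mary,OU=Research,DC=scribes,DC=com"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, leftmost (most specific) first.

    A comma separates RDNs unless it is escaped with a backslash (RFC 2253),
    so 'CN=Perez\\, Mary' stays one RDN. Escapes are kept in the returned
    strings; whitespace after a separator is ignored. Multi-valued RDNs
    (joined with '+') are not split further.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).lstrip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).lstrip())
    if any(not r for r in rdns):
        raise ValueError(f"empty RDN in {dn!r}")
    return rdns


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split one RDN into (attribute type, unescaped value)."""
    attr_type, sep, value = rdn.partition("=")
    if not sep or not attr_type.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr_type.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())


def rdn_of(dn: str) -> str:
    """The object's own RDN, e.g. 'CN=Mary Perez' for the book's example."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """DN of the container that holds the object (everything after the first RDN)."""
    return ",".join(split_dn(dn)[1:])


def dns_domain_of(dn: str) -> str:
    """Join the DC= components, in order, into the domain's DNS name."""
    labels = [v for t, v in map(parse_rdn, split_dn(dn)) if t == "DC"]
    if not labels:
        raise ValueError(f"no DC components in {dn!r}")
    return ".".join(labels)
```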
"Schema" is a term commonly used in database work. In the context of Active Directory, the schema is all of the pieces that make up your Active Directory: the objects, attributes, containers, and so forth. Active Directory has a default schema that defines the most common object classes, such as users, groups, computers, OUs, security policies, and domains.
The Active Directory schema can be updated dynamically. That is, an application can extend the schema with new attributes and classes and use the extensions immediately. Schema updates are done by creating or altering the schema objects stored in the directory. ACLs protect schema objects, so that only authorized users can modify the schema.