Active Directory (AD) is Microsoft's implementation of a Directory Service (DS). A DS stores data in an organized format and provides a means to publish and access that data. AD isn't a Microsoft innovation but is an implementation of an existing model (i.e., X.500), communication mechanism (i.e., the Lightweight Directory Access Protocol, or LDAP), and location technology (i.e., DNS).
To understand AD, you must understand what it is supposed to achieve. A directory is simply a container for other information.
A telephone directory is an example of a DS, because a telephone directory contains data and a means to access and use the data. For example, a telephone directory has various entries, and each entry has values. A telephone directory entry consists of name, address, and telephone number values. A large directory might group entries by location (e.g., city) or type (e.g., lawyers), or by both. Thus a hierarchy of types could exist for each location. You might also consider a telephone operator a DS, because the operator has access to the data. You can request data, and the operator presents the answer to your query.
AD is a type of DS that holds information about all the resources on a network. Clients can query AD for information about any aspect of the network. AD's features include the following.
Although AD partitions directory information into different stores, you can still query AD for information from other domains. Global catalogs (GCs) contain information about every object in the enterprise forest, so that you can perform a forestwide search.
When you run DCPROMO on a Windows 2000 machine for the first time to create a new domain, DCPROMO creates a domain on the DNS server. A client then contacts the DNS server to look up the client's domain. The DNS server will discover not only the domain, but also the domain's DCs. The server then sends the client the closest DC's address. The client in turn connects and accesses the AD domain database on the closest DC to find objects (e.g., printers, file servers, users, groups, organizational units, or OUs) in the domain. Because each DC stores links to other domains in the tree, the client can search an entire tree of domains.
A version of AD that lists all the objects in the forest is also available in case you need to perform a search beyond the client's tree of domains. This version is the GC. You can store the GC on any or all of the DCs in the forest.
The GC provides shorthand access to objects anywhere in the forest. However, the GC contains only some of an object's attributes. For the whole object, you must go to the domain AD (which is on a DC in the domain). You can configure the GC to provide the object attributes you want.
To help you create AD objects, the DC maintains a copy of the classes and hierarchy of classes for the whole forest. AD stores class structures in the schema. The schema is extensible, which means that you can add classes to it.
The schema is part of Win2K's configuration namespace, which all the DCs in a forest maintain. A namespace is a range of labels. Win2K's configuration namespace consists of several defined items such as physical locations, Win2K sites, and subnets. A site is a child of a forest; a site can contain machines from any domain, but all the machines in a site must have fast and reliable connections for DC replication. A subnet is an IP address grouping assigned to a site; subnets help speed up AD replication among DCs.
Because DCs store records in the LDAP distinguished name format, AD uses LDAP to access the records. If an application uses a name format other than the LDAP distinguished name, you can also use the LDAP URL or AD canonical name formats to access AD.
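As an added illustration of the three name formats just described (example code, not from the original article), the Python below parses an LDAP distinguished name with RFC 4514 escaping and renders the same object as an AD canonical name and as an LDAP URL. The host name and object names are constructed sample values.

```python
import re
from urllib.parse import quote

# Added example, not from the original article: one AD object addressed in
# the three name formats the text mentions.  Host and object names are
# constructed sample values.

def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute, value) pairs.

    Honours RFC 4514 escaping so that a comma inside a value, written as
    '\\,' or '\\2C', stays in the value instead of splitting the RDN.
    A naive split(',') gets this wrong for names like "Smith, John".
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and re.fullmatch(r'[0-9A-Fa-f]{2}', dn[i + 1:i + 3]):
            buf.append(chr(int(dn[i + 1:i + 3], 16)))   # hex-pair escape
            i += 3
        elif ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1])                        # backslash escape
            i += 2
        elif ch == ',':
            rdns.append(''.join(buf))                    # unescaped separator
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {rdn!r}')
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def canonical_name(dn):
    """DN -> AD canonical name, e.g. CN=a,OU=b,DC=x,DC=y -> x.y/b/a."""
    pairs = parse_dn(dn)
    domain = '.'.join(v for a, v in pairs if a == 'DC')
    # Path runs root-first; a '/' inside a value is escaped as '\/'.
    path = [v.replace('/', '\\/') for a, v in reversed(pairs) if a != 'DC']
    return '/'.join([domain] + path)

def ldap_url(host, dn):
    """RFC 4516 LDAP URL naming the object on a specific DC."""
    return f'ldap://{host}/{quote(dn, safe="=,")}'
```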