
10/10/2016

Active Directory - Wikipedia, the free encyclopedia

Active Directory
From Wikipedia, the free encyclopedia

Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.[3]

A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[4] Also, it allows management and storage of information at admin level and provides authentication and authorization mechanisms and a framework to deploy other related services (AD Certificate Services, AD Federated Services, etc.).[5]

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Contents
1 History
2 Active Directory Services
2.1 Domain Services
2.2 Lightweight Directory Services
2.3 Certificate Services
2.4 Federation Services
2.5 Rights Management Services
3 Logical structure
3.1 Objects
3.2 Forests, trees, and domains
3.3 Partitions
4 Physical structure
4.1 Replication
5 Implementation
6 Database
7 Single server operations
8 Trusting
8.1 Terminology
9 Management solutions
10 Unix integration
11 See also
12 References
13 External links

https://en.wikipedia.org/wiki/Active_Directory

History

Active Directory, like many information technology efforts, originated out of a democratization of design using Request for Comments or RFCs. The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept, then makes improvements upon them. For example, LDAP underpins Active Directory. Also X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[6] RFC 2307, RFC 3062, and RFC 4533.[7][8][9]

Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services.[10] The part of the directory in charge of management of domains, which was previously a core part of the operating system,[10] was renamed Active Directory Domain Services (AD DS) and became a server role like others.[3] "Active Directory" became the umbrella title of a broader range of directory-based services.[11] According to Byron Hynes, everything related to identity was brought under Active Directory's banner.[3]

Active Directory Services
Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.[12]

Domain Services
Active Directory Domain Services (AD DS) is the cornerstone of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server (or the cluster of servers) running this service is called a domain controller. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs a line-of-business Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, as described below) as well as most of Microsoft server technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM),[13] is a lightweight implementation of AD DS.[14] AD LDS runs as a service on Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

Certificate Services
Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), and network traffic (when used by virtual private networks, Transport Layer Security protocol or IPSec protocol).

AD CS predates Windows Server 2008, but its name was simply Certificate Services.[15]

AD CS requires an AD DS infrastructure.[16]

Federation Services
Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS's purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials. The former enables them to use this same set in a different network.

As the name suggests, AD FS works based on the concept of federated identity.

AD FS requires an AD DS infrastructure, although its federation partner may not.[17]

Rights Management Services
Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate emails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them.

Logical structure
As a directory service, an Active Directory instance consists of a database and corresponding executable code responsible for servicing requests and maintaining the database. The executable part, known as Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.[1] Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and Security Accounts Manager services.[2]

Objects
Active Directory structures are arrangements of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity (whether a user, a computer, a printer, or a group) and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.

The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated, not deleted. Changing the schema usually requires planning.[18]

Forests, trees, and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

Figure: A simplified example of a publishing company's internal network. The company has four groups with varying permissions to the three shared folders on the network.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
Organizational units
The objects held within a domain can be grouped into Organizational Units (OUs).[19] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs; domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well.

Figure: Example of the geographical organizing of zones of interest within trees and domains (labels in the image: Tree Southern; Domains Dallas, Boston, New York, Philly and Atlanta; OUs Marketing and Sales; users Hewitt, Aon, Steve, Bill and Ralph).

Organizational units do not each have a separate namespace; e.g. user accounts with an identical username (sAMAccountName) in separate OUs within a domain are not allowed, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain.[20] However, two users in different OUs can have the same Common Name (CN), the name under which they are stored in the directory itself.

In general the reason for this lack of allowance for duplicate names through hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-file method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.


As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" (Western order) or the reverse (Eastern order) fail for common family names like Li, Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student id numbers to use as account names in place of actual users' names, and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.
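As an added illustration (not code from the article or from Microsoft), the following Python models the naming rules just described: sAMAccountName must be unique across the whole domain regardless of OU, the Common Name only has to be unique within its container, and a collision is resolved by appending a digit. The 20-character limit on user sAMAccountNames, the case-insensitive comparison and the ASCII normalisation of names are assumptions of the example, not statements from the page.

```python
"""sAMAccountName allocation under domain-wide uniqueness (added example).

Not code from the Wikipedia article or from Microsoft. The 20-character
limit, case-insensitive matching and ASCII normalisation are assumptions.
"""
import re
import unicodedata


def _ascii_token(s: str) -> str:
    """Lowercase, strip accents, and drop anything outside [a-z0-9]."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s.lower())


def base_name(first: str, middle: str, last: str, order: str = "western") -> str:
    """Western: initials then family name; Eastern: family name then initials."""
    initials = _ascii_token(first[:1]) + (_ascii_token(middle[:1]) if middle else "")
    family = _ascii_token(last)
    if not family:
        raise ValueError("family name yields no usable characters")
    return initials + family if order == "western" else family + initials


class Domain:
    MAX_SAM = 20  # assumed legacy limit for user account sAMAccountNames

    def __init__(self):
        self._sam = set()   # lowercase sAMAccountNames, one namespace for the domain
        self._cn = set()    # (container DN, CN) pairs, i.e. per-container namespace

    def allocate_sam(self, first: str, middle: str, last: str, order: str = "western") -> str:
        """Propose a free sAMAccountName; the caller reserves it via add_user()."""
        base = base_name(first, middle, last, order)[: self.MAX_SAM]
        if base not in self._sam:           # base is already lowercase
            return base
        n = 1
        while True:                         # the article's workaround: append a digit
            suffix = str(n)
            candidate = base[: self.MAX_SAM - len(suffix)] + suffix
            if candidate not in self._sam:
                return candidate
            n += 1

    def conflict(self, ou_dn: str, cn: str, sam: str):
        """Return None if the user could be created, else the reason it would be rejected."""
        if len(sam) > self.MAX_SAM:
            return "sAMAccountName too long"
        if sam.lower() in self._sam:
            return "sAMAccountName already used elsewhere in the domain"
        if (ou_dn.lower(), cn.lower()) in self._cn:
            return "CN already exists in this container"
        return None

    def add_user(self, ou_dn: str, cn: str, sam: str) -> str:
        """Reserve both names and return the new object's DN."""
        reason = self.conflict(ou_dn, cn, sam)
        if reason:
            raise ValueError(f"{sam!r} in {ou_dn}: {reason}")
        self._sam.add(sam.lower())
        self._cn.add((ou_dn.lower(), cn.lower()))
        return f"CN={cn},{ou_dn}"


if __name__ == "__main__":
    d = Domain()
    for first in ("Fred", "Frank", "Fiona"):
        sam = d.allocate_sam(first, "", "Smith")
        print(d.add_user("OU=Staff,DC=example,DC=com", f"{first} Smith", sam), sam)
```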
Shadow groups

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

Figure: In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups any time the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[21]
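An added example, not code from the article or from Microsoft: the reconciliation that a shadow-group script has to perform on each run, computed here against a constructed in-memory snapshot rather than a live domain. The "CN=Shadow-<OU name>" naming convention, the choice between one-level and subtree scope, and the sample distinguished names are assumptions of the example.

```python
"""Shadow-group reconciliation over a constructed directory snapshot (added example).

Not code from the Wikipedia article or from Microsoft. For each OU it computes
which accounts must be added to, and removed from, the OU's shadow group so
that the group matches the OU's user membership at the time of the run.
"""
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    users: list                                  # DNs of user objects in the domain
    groups: dict = field(default_factory=dict)   # group DN -> set of member DNs


def parent_dn(dn: str) -> str:
    # Container holding `dn`. Assumes RDN values contain no escaped commas.
    return dn.split(",", 1)[1]


def shadow_group_dn(ou_dn: str) -> str:
    # Assumed convention: the shadow group lives inside the OU it mirrors.
    ou_name = ou_dn.split(",", 1)[0].split("=", 1)[1]
    return f"CN=Shadow-{ou_name},{ou_dn}"


def plan_shadow_groups(snapshot: Snapshot, ou_dns, scope: str = "onelevel") -> dict:
    """Return {shadow group DN: (DNs to add, DNs to remove)} for each OU.

    scope="onelevel" mirrors only users directly under the OU; "subtree" also
    pulls in users from nested OUs. The script author must pick one
    deliberately: with "onelevel", moving a user into a child OU silently drops
    them from the parent's shadow group on the next run.
    """
    plan = {}
    for ou_dn in ou_dns:
        if scope == "onelevel":
            desired = {dn for dn in snapshot.users if parent_dn(dn) == ou_dn}
        elif scope == "subtree":
            desired = {dn for dn in snapshot.users if dn.endswith("," + ou_dn)}
        else:
            raise ValueError(f"unknown scope {scope!r}")
        group = shadow_group_dn(ou_dn)
        current = snapshot.groups.get(group, set())
        # Membership follows the object when it is moved, so a user who left the
        # OU is still a member (under the new DN) until the script removes them.
        plan[group] = (sorted(desired - current), sorted(current - desired))
    return plan


def apply_plan(snapshot: Snapshot, plan: dict) -> Snapshot:
    """Apply the adds/removes to the snapshot (stands in for the directory writes)."""
    for group, (adds, removes) in plan.items():
        members = snapshot.groups.setdefault(group, set())
        members.difference_update(removes)
        members.update(adds)
    return snapshot


def is_converged(snapshot: Snapshot, ou_dns, scope: str = "onelevel") -> bool:
    """True when every shadow group already matches its OU."""
    return all(not adds and not removes
               for adds, removes in plan_shadow_groups(snapshot, ou_dns, scope).values())


DOMAIN = "DC=example,DC=com"
SALES_OU = f"OU=Sales,{DOMAIN}"
MARKETING_OU = f"OU=Marketing,{DOMAIN}"


def sample_snapshot() -> Snapshot:
    """Constructed state between two runs: Hewitt was hired into Sales, Steve was
    moved from Sales to Marketing, and Bill sits in a nested OU under Sales."""
    return Snapshot(
        users=[
            f"CN=Aon,{SALES_OU}",
            f"CN=Hewitt,{SALES_OU}",
            f"CN=Bill,OU=Inside,{SALES_OU}",
            f"CN=Steve,{MARKETING_OU}",
            f"CN=Ralph,{MARKETING_OU}",
        ],
        groups={
            shadow_group_dn(SALES_OU): {f"CN=Aon,{SALES_OU}", f"CN=Steve,{MARKETING_OU}"},
            shadow_group_dn(MARKETING_OU): {f"CN=Ralph,{MARKETING_OU}"},
        },
    )


if __name__ == "__main__":
    snap = sample_snapshot()
    for group, (adds, removes) in plan_shadow_groups(snap, [SALES_OU, MARKETING_OU]).items():
        print(group, "add:", adds, "remove:", removes)
```

Between runs the group lags the directory, which is exactly the window the text warns about: anything that relies on the shadow group sees the previous run's membership.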
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[22]

Partitions
The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as 'naming contexts'.[23] The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the Forest. The 'Domain' partition holds all objects created in that domain and replicates only within its domain.

Physical structure
Sites are physical (rather than logical) groupings defined by one or more IP subnets.[24] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.[25] A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest.[26][27] Global Catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[28] Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.

Replication
Active Directory synchronizes changes using multi-master replication.[29] Replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected.[30] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intra-site replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Inter-site replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intra-site replication.

Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain based by site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between Sites SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) GCs. SMTP cannot be used for replicating the default Domain partition.[31]

Implementation
In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller,[32] but Microsoft recommends more than one domain controller to provide automatic failover protection of the directory.[33] Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role.[34]


Certain Microsoft products such as SQL Server[35][36] and Exchange[37] can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult.[38] A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server,[39] and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.[40]

Database
The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects.[41] (NT4's Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security descriptor single instancing.[41]

Programs may access the features of Active Directory[42] via the COM interfaces provided by Active Directory Service Interfaces.[43]

Single server operations
Flexible Single Master Operations Roles (FSMO, pronounced "fizz-mo") operations are also known as operations master roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are supported only on a single server. These operations are performed using the roles listed below:

Role name             | Scope                  | Description
Schema Master         | 1 per forest           | Schema modifications
Domain Naming Master  | 1 per forest           | Addition and removal of domains if present in root domain
PDC Emulator          | 1 per domain           | Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain-specific processes such as the Security Descriptor Propagator (SDP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and manages all GPOs as default server.
RID Master            | 1 per domain           | Allocates pools of unique identifiers to domain controllers for use when creating objects
Infrastructure Master | 1 per domain/partition | Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain.


Trusting
To allow users in one domain to access resources in another, Active Directory uses trusts.[44]

Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology
One-way trust
One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust
Two domains allow access to users on both domains.
Trusted domain
The domain that is trusted; whose users have access to the trusting domain.
Transitive trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust
A one-way trust that does not extend beyond two domains.
Explicit trust
A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust
An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut
Joins two domains in different trees, transitive, one- or two-way.
Forest trust
Applies to the entire forest. Transitive, one- or two-way.
Realm
Can be transitive or nontransitive (intransitive), one- or two-way.
External
Connect to other forests or non-AD domains. Nontransitive, one- or two-way.[45]

Forest trusts
Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM).

Forest trusts are transitive for all the domains within the trusted forests. However, forest trusts are not transitive between forests.

Example: Suppose that a two-way transitive forest trust exists between the forest root domains in Forest A and Forest B, and another two-way transitive forest trust exists between the forest root domains in Forest B and Forest C. Such a configuration lets users in Forest B access resources in any domain in either Forest A or Forest C, and users in Forest A or C can access resources in any domain in Forest B. However, it does not let users in Forest A access resources in Forest C, or vice versa. To let users in Forest A and Forest C share resources, a two-way transitive trust must exist between both forests.
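The Forest A/B/C example above, as an added illustration (not code from the article or from Microsoft): a small Python model that applies the stated rules to decide whether users of one domain can reach resources in another. It goes slightly beyond the text by also including a one-way external trust, to show that such a trust covers exactly the two named domains and nothing else. Forest and domain names are constructed.

```python
"""Access reachability across Active Directory trusts (added example).

Not code from the Wikipedia article or from Microsoft. Rules encoded, as the
text states them: every domain in a forest implicitly trusts every other domain
in that forest (two-way, transitive); a forest trust between two forest root
domains covers all domains of both forests; neither forest trusts nor external
trusts chain through a third forest; an external trust is nontransitive and
applies only to the two domains named in it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str          # domain whose resources become reachable
    trusted: str           # domain whose users gain access
    kind: str              # "forest" (between forest roots) or "external"
    two_way: bool = True


class TrustTopology:
    def __init__(self, forests: dict, trusts: list):
        # forests: {forest name: [root domain, child domain, ...]} (constructed input)
        self.forests = {f: list(ds) for f, ds in forests.items()}
        self.forest_of = {d: f for f, ds in self.forests.items() for d in ds}
        self.root_of = {f: ds[0] for f, ds in self.forests.items()}
        self.edges = []    # directed (trusting, trusted, kind) edges
        for t in trusts:
            if t.kind == "forest":
                for d in (t.trusting, t.trusted):
                    if self.root_of[self.forest_of[d]] != d:
                        raise ValueError(f"forest trust endpoint {d} is not a forest root")
            elif t.kind != "external":
                raise ValueError(f"unknown trust kind {t.kind!r}")
            self.edges.append((t.trusting, t.trusted, t.kind))
            if t.two_way:
                self.edges.append((t.trusted, t.trusting, t.kind))

    def can_access(self, user_domain: str, resource_domain: str):
        """Return (allowed, reason) for users of user_domain reaching resource_domain."""
        fu, fr = self.forest_of[user_domain], self.forest_of[resource_domain]
        if fu == fr:
            return True, "same forest: implicit two-way transitive trust"
        for trusting, trusted, kind in self.edges:
            if kind == "forest":
                # Covers every domain pair across these two forests, and only these two.
                if self.forest_of[trusting] == fr and self.forest_of[trusted] == fu:
                    return True, f"forest trust: {trusting} trusts {trusted}"
            else:
                # Nontransitive: exactly the two named domains, no one else.
                if trusting == resource_domain and trusted == user_domain:
                    return True, f"external trust: {trusting} trusts {trusted}"
        return False, "no direct trust between the two forests (trusts do not chain)"

    def access_matrix(self) -> dict:
        """{(user domain, resource domain): allowed} for every pair of domains."""
        return {(u, r): self.can_access(u, r)[0]
                for u in self.forest_of for r in self.forest_of}


def sample_topology() -> TrustTopology:
    """Constructed layout from the example: A<->B and B<->C forest trusts, plus a
    one-way external trust in which c.example trusts sales.a.example."""
    return TrustTopology(
        forests={
            "A": ["a.example", "sales.a.example"],
            "B": ["b.example", "eng.b.example"],
            "C": ["c.example"],
        },
        trusts=[
            Trust("a.example", "b.example", "forest"),
            Trust("b.example", "c.example", "forest"),
            Trust("c.example", "sales.a.example", "external", two_way=False),
        ],
    )


if __name__ == "__main__":
    topo = sample_topology()
    for (u, r), ok in sorted(topo.access_matrix().items()):
        print(f"{u:>16} -> {r:<16} {'allowed' if ok else 'denied'}")
```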

Management solutions

Microsoft Active Directory management tools include:
Active Directory Users and Computers,
Active Directory Domains and Trusts,
Active Directory Sites and Services,
ADSI Edit,
Local Users and Groups,
Active Directory Schema snap-ins for Microsoft Management Console (MMC).

These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities. They provide essential features for more convenient administration processes, such as automation, reports, integration with other services, etc.

Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java- and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Third parties offer Active Directory integration for Unix-like platforms, including:
Fox Technologies and the product FoxT ServerControl (software) implements AD Bridging capabilities that allows Unix-like systems to join Active Directory and enables the use of Kerberos for authentication of users
Centrify DirectControl (Centrify): Active Directory-compatible centralized authentication and access control[46]
Centrify Express (Centrify): A suite of free Active Directory-compliant services for centralized authentication, monitoring, file-sharing and remote access
UNAB (Computer Associates)
TrustBroker (CyberSafe Limited): An implementation of Kerberos
PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software): Allows a non-Windows client to join Active Directory[46]
Quest Authentication Services (http://www.quest.com/authenticationservices/) (Now part of Dell) (Formerly Quest, Vintela): AD authentication, Group Policy management, User/Group Migration tools, Auditing and Reporting
ADmitMac (Thursby Software Systems)[46]
Frostale (https://rubygems.org/gems/frostale/): A Ruby gem that allows Ruby applications to be accessed via Active Directory.
Samba: Can act as a domain controller[47][48]

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, support these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).[49] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.

An alternate option is to use another directory service as non-Windows clients authenticate to this while Windows Clients authenticate to AD. Non-Windows clients include 389 Directory Server (formerly Fedora Directory Server, FDS), ViewDS Identity Solutions ViewDS v7.2 XML Enabled Directory and Sun Microsystems' Sun Java System Directory Server. The latter two are both able to perform two-way synchronization with AD and thus provide a "deflected" integration.

Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.[50][51][52][53] Using free AD administration tools[54] can help to simplify AD management tasks.

See also
Active Directory Explorer
AGDLP (implementing role-based access controls using nested groups)
Flexible single master operation
FreeIPA
List of LDAP software
Univention Corporate Server

References
1. "Directory System Agent". MSDN Library. Microsoft. Retrieved 23 April 2014.
2. Solomon, David A.; Russinovich, Mark (2005). "Chapter 13". Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (4th ed.). Redmond, Washington: Microsoft Press. p. 840. ISBN 0735619174.
3. Hynes, Byron (November 2006). "The Future Of Windows: Directory Services in Windows Server "Longhorn"". TechNet Magazine. Microsoft.
4. "Active Directory on a Windows Server 2003 Network". Active Directory Collection. Microsoft. 13 March 2003. Retrieved 25 December 2010.
5. "Active Directory installation". 2016-04-27. Retrieved 2016-09-22.
6. "The LDAP Application Program Interface". Retrieved 2013-11-26.
7. "An Approach for Using LDAP as a Network Information Service". Retrieved 2013-11-26.
8. "LDAP Password Modify Extended Operation". Retrieved 2013-11-26.
9. "The Lightweight Directory Access Protocol (LDAP) Content Synchronization Operation". Retrieved 2013-11-26.
10. Thomas, Guy. "Windows Server 2008 New Features". ComputerPerformance.co.uk. Computer Performance Ltd.
11. "What's New in Active Directory in Windows Server". Windows Server 2012 R2 and Windows Server 2012 TechCenter. Microsoft.
12. Active Directory Services, technet.microsoft.com (https://technet.microsoft.com/enus/library/dd578336%28v=ws.10%29.aspx)
13. "AD LDS". Microsoft. Retrieved 28 April 2009.
14. "AD LDS versus AD DS". Microsoft. Retrieved 25 February 2013.
15. Zacker, Craig (2003). "11: Creating and Managing Digital Certificates". In Harding, Kathy; Jean, Trenary; Linda, Zacker. Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Redmond, WA: Microsoft Press. pp. 11-16. ISBN 0735618933.
16. "Active Directory Certificate Services Overview". Microsoft TechNet. Microsoft. Retrieved 24 November 2015.
17. "Step 1: Preinstallation Tasks". TechNet. Microsoft. Retrieved 24 November 2015.
18. Windows Server 2003: Active Directory Infrastructure. Microsoft Press. 2003. pp. 18-19.
19. "Organizational Units". Distributed Systems Resource Kit (TechNet). Microsoft. 2011. "An organizational unit in Active Directory is analogous to a directory in the file system"
20. "sAMAccountName is always unique in a Windows domain... or is it?". Joeware. 4 January 2012. Retrieved 18 September 2013. "examples of how multiple AD objects can be created with the same sAMAccountName"
21. Microsoft Server 2008 Reference, discussing shadow groups used for fine-grained password policies: http://technet.microsoft.com/enus/library/cc770394%28WS.10%29.aspx
22. "Specifying Security and Administrative Boundaries". Microsoft Corporation. 23 January 2005. "However, service administrators have abilities that cross domain boundaries. For this reason, the forest is the ultimate security boundary, not the domain."
23. Andreas Luther. "Active Directory Replication Traffic". Microsoft Corporation. Retrieved 26 May 2010. "The Active Directory is made up of one or more naming contexts or partitions."
24. "Sites overview". Microsoft Corporation. 21 January 2005. "A site is a set of well-connected subnets."
25. "Planning for domain controllers and member servers". Microsoft Corporation. 21 January 2005. "[...] member servers, [...] belong to a domain but do not contain a copy of the Active Directory data."
26. "What Is the Global Catalog?". Microsoft Corporation. 10 December 2009. "[...] a domain controller can locate only the objects in its domain. [...] The global catalog provides the ability to locate objects from any domain [...]"
27. "Global Catalog". Microsoft Corporation.
28. "Attributes Included in the Global Catalog". Microsoft Corporation. 26 August 2010. "The isMemberOfPartialAttributeSet attribute of an attributeSchema object is set to TRUE if the attribute is replicated to the global catalog. [...] When deciding whether or not to place an attribute in the global catalog remember that you are trading increased replication and increased disk storage on global catalog servers for, potentially, faster query performance."
29. "Directory data store". Microsoft Corporation. 21 January 2005. "Active Directory uses four distinct directory partition types to store [...] data. Directory partitions contain domain, configuration, schema, and application data."
30. "What Is the Active Directory Replication Model?". Microsoft Corporation. 28 March 2003. "Domain controllers request (pull) changes rather than send (push) changes that might not be needed."
31. "What Is Active Directory Replication Topology?". Microsoft Corporation. 28 March 2003. "SMTP can be used to transport nondomain replication [...]"
32. "Active Directory Backup and Restore". TechNet. Microsoft. Retrieved 5 February 2014.
33. "AD DS: All domains should have at least two functioning domain controllers for redundancy". TechNet. Microsoft. Retrieved 5 February 2014.
34. Posey, Brien (23 August 2010). "10 tips for effective Active Directory design". TechRepublic. CBS Interactive. Retrieved 5 February 2014. "Whenever possible, your domain controllers should run on dedicated servers (physical or virtual)."
35. "You may encounter problems when installing SQL Server on a domain controller (Revision 3.0)". Support. Microsoft. 7 January 2013. Retrieved 5 February 2014.
36. Degremont, Michel (30 Jun 2011). "Can I install SQL Server on a domain controller?". Microsoft SQL Server blog. Retrieved 5 February 2014. "For security and performance reasons, we recommend that you do not install a standalone SQL Server on a domain controller."
37. "Installing Exchange on a domain controller is not recommended". TechNet. Microsoft. 22 March 2013. Retrieved 5 February 2014.
38. "Security Considerations for a SQL Server Installation". TechNet. Microsoft. Retrieved 5 February 2014. "After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member."
39. "Exchange Server Analyzer". TechNet. Microsoft. Retrieved 5 February 2014. "Running SQL Server on the same computer as a production Exchange mailbox server is not recommended."
40. "Running Domain Controllers in Hyper-V". TechNet. Microsoft. Planning to Virtualize Domain Controllers. Retrieved 5 February 2014. "You should attempt to avoid creating potential single points of failure when you plan your virtual domain controller deployment."
41. efleis (8 June 2006). "Large AD database? Probably not this large". Blogs.technet.com. Retrieved 20 November 2011.
42. Berkouwer, Sander. "Active Directory basics". Veeam Software.
43. Active Directory Service Interfaces (http://msdn.microsoft.com/enus/library/aa772170%28VS.85%29.aspx), Microsoft
44. "Domain and Forest Trusts Technical Reference". Microsoft Corporation. 28 March 2003. "Trusts enable [...] authentication and [...] sharing resources across domains or forests"
45. "How Domain and Forest Trusts Work". Microsoft Corporation. 11 December 2012. Retrieved 29 January 2013. "Defines several kinds of trusts. (automatic, shortcut, forest, realm, external)"
46. Edge, Charles S., Jr.; Smith, Zack; Hunter, Beau (2009). "Chapter 3: Active Directory". Enterprise Mac Administrator's Guide. New York City: Apress. ISBN 9781430224433.
47. Samba People. SAMBA Project. https://www.samba.org/samba/history/samba4.0.0.html. Archived from the original on 15 November 2010. Retrieved 9 August 2016.
48. "The great DRS success!". Samba People. SAMBA Project. 5 October 2009. Archived from the original on 13 October 2009. Retrieved 2 November 2009.
49. "RFC 2307bis". Retrieved 20 November 2011.
50. "Active Directory Administration with Windows PowerShell". Microsoft. Retrieved 7 June 2011.
51. "Using Scripts to Search Active Directory". Microsoft. Retrieved 22 May 2012.
52. "IT Admin Tools Perl Scripts Repository". ITAdminTools.com. Retrieved 22 May 2012.
53. "Win32::OLE". Perl Open Source Community. Retrieved 22 May 2012.
54. "Download Free Trials & Tools from SolarWinds". SolarWinds. January 2012.

External links
Wikiversity has learning materials about Active Directory.
Microsoft Technet: White paper: Active Directory Architecture (http://technet.microsoft.com/enus/library/bb727030.aspx) (Single technical document that gives an overview about Active Directory.)
Microsoft Technet: Detailed description of Active Directory on Windows Server 2003 (http://technet.microsoft.com/enus/library/cc782657(WS.10).aspx)
Microsoft MSDN Library: [MS-ADTS]: Active Directory Technical Specification (http://msdn.microsoft.com/enus/library/cc223122.aspx) (part of the Microsoft Open Specification Promise)
Active Directory Application Mode (ADAM) (https://technet.microsoft.com/enus/library/cc736765%28v=ws.10%29.aspx)
Microsoft MSDN: [AD LDS]: Active Directory Lightweight Directory Services (https://msdn.microsoft.com/enus/library/bb897400.aspx)
Microsoft TechNet: [AD LDS]: Active Directory Lightweight Directory Services (https://technet.microsoft.com/enus/library/cc754361%28v=ws.10%29.aspx)
Microsoft MSDN: Active Directory Schema (http://msdn.microsoft.com/enus/library/ms675085(VS.85).aspx)
Microsoft TechNet: Understanding Schema (http://technet.microsoft.com/enus/library/cc739086(WS.10).aspx)
Microsoft TechNet Magazine: Extending the Active Directory Schema (http://technet.microsoft.com/enus/magazine/2008.05.schema.aspx?pr=blog)
Microsoft MSDN: Active Directory Certificate Services (https://msdn.microsoft.com/enus/library/ff630887.aspx)
Microsoft TechNet: Active Directory Certificate Services (https://technet.microsoft.com/enus/windowsserver/dd448615.aspx)
Retrieved from "https://en.wikipedia.org/w/index.php?title=Active_Directory&oldid=743017714"
This page was last modified on 7 October 2016, at 08:00.