Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Active Directory
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
{{short description|Directory service, created by Microsoft for Windows domain networks}} {{Hatnote|This article is about Microsoft's on-premises directory service. For their cloud-based system formerly known as Azure Active Directory, see [[Microsoft Entra ID]].}} {{Use dmy dates|date=June 2020}} '''Active Directory''' ('''AD''') is a [[directory service]] developed by [[Microsoft]] for [[Windows domain]] networks. [[Windows Server]] [[operating system]]s include it as a set of [[Process (computing)|processes]] and [[Windows service|services]].{{r|DSA-MSDN|WI4}} Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.<ref name=":1">{{Cite web |last=Hynes |first=Byron |date=November 2006 |title=The Future of Windows: Directory Services in Windows Server "Longhorn" |url=https://technet.microsoft.com/en-us/magazine/2006.11.futureofwindows.aspx |url-status=live |archive-url=https://web.archive.org/web/20200430162954/https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160894(v=msdn.10)?redirectedfrom=MSDN |archive-date=30 April 2020 |access-date=30 April 2020 |website=[[TechNet Magazine]] |publisher=[[Microsoft]]}}</ref> A domain controller is a server running the '''Active Directory Domain Services''' ('''AD DS''') role. It [[Authentication|authenticates]] and [[Authorization|authorizes]] all users and computers in a [[Microsoft Windows|Windows]] domain-type network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user [[Login|logs into]] a computer which is part of a Windows domain, Active Directory checks the submitted username and password and determines whether the user is a [[system administrator]] or a non-admin user.<ref name="adw2k3">{{Cite web |date=13 March 2003 |title=Active Directory on a Windows Server 2003 Network |url=https://technet.microsoft.com/en-us/library/cc780036(WS.10).aspx#w2k3tr_ad_over_qbjd |url-status=live |archive-url=https://web.archive.org/web/20200430163301/https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)?redirectedfrom=MSDN |archive-date=30 April 2020 |access-date=25 December 2010 |work=Active Directory Collection |publisher=[[Microsoft]]}}</ref> Furthermore, it allows the management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, [[Active Directory Federation Services]], Lightweight Directory Services, and [[Active Directory Rights Management Services|Rights Management Services]].<ref>{{Cite web |last=Rackspace Support |date=27 April 2016 |title=Install Active Directory Domain Services on Windows Server 2008 R2 Enterprise 64-bit. |url=https://support.rackspace.com/how-to/installing-active-directory-on-windows-server-2012/ |url-status=live |archive-url=https://web.archive.org/web/20200430163406/https://support.rackspace.com/how-to/installing-active-directory-on-windows-server-2012/ |archive-date=30 April 2020 |access-date=22 September 2016 |website=Rackspace |publisher=Rackspace US, Inc.}}</ref> Active Directory uses [[Lightweight Directory Access Protocol]] (LDAP) versions 2 and 3, Microsoft's version of [[Kerberos (protocol)|Kerberos]],<ref>{{Cite web|url=https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-kerberos|title=Microsoft Kerberos - Win32 apps|website=docs.microsoft.com|date=7 January 2021 }}</ref> and [[Domain Name System|DNS]].<ref>{{Cite web|url=https://docs.microsoft.com/en-us/windows-server/networking/dns/dns-top|title=Domain Name System (DNS)|website=docs.microsoft.com|date=10 January 2022 }}</ref> Robert R. King defined it in the following way:<ref>{{Cite book |last=King |first=Robert |title=Mastering Active directory for Windows server 2003 |date=2003 |publisher=Sybex |isbn=978-0-7821-5201-2 |edition=3rd |location=Alameda, Calif. |page=159 |oclc=62876800}}</ref> {{Blockquote|"A domain represents a database. That database holds records about network services-things like computers, users, groups and other things that use, support, or exist on a network. The domain database is, in effect, Active Directory."}} ==History== Like many information-technology efforts, Active Directory originated out of a democratization of design using [[Request for Comments|Requests for Comments]] (RFCs). The [[Internet Engineering Task Force]] (IETF) oversees the RFC process and has accepted numerous RFCs initiated by widespread participants. For example, LDAP underpins Active Directory. Also, [[X.500]] directories and the [[Organizational Unit]] preceded the Active Directory concept that uses those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include <nowiki>RFC 1823</nowiki> (on the LDAP API, August 1995),<ref>{{cite web |last1=Howes |first1=T. |last2=Smith |first2=M. |date=August 1995 |title=The LDAP Application Program Interface |url=http://www.ietf.org/rfc/rfc1823.txt |url-status=live |archive-url=https://web.archive.org/web/20200430164500/https://www.ietf.org/rfc/rfc1823.txt |archive-date=2020-04-30 |access-date=2013-11-26 |website=The Internet Engineering Task Force (IETF)}}</ref> <nowiki>RFC 2307</nowiki>, <nowiki>RFC 3062</nowiki>, and <nowiki>RFC 4533</nowiki>.<ref>{{cite web |last=Howard |first=L. |date=March 1998 |title=An Approach for Using LDAP as a Network Information Service |url=http://www.ietf.org/rfc/rfc2307.txt |url-status=live |archive-url=https://web.archive.org/web/20200430164234/https://www.ietf.org/rfc/rfc2307.txt |archive-date=30 April 2020 |access-date=26 November 2013 |website=Internet Engineering Task Force (IETF)}}</ref><ref>{{cite web |last=Zeilenga |first=K. |date=February 2001 |title=LDAP Password Modify Extended Operation |url=http://www.ietf.org/rfc/rfc3062.txt |url-status=live |archive-url=https://web.archive.org/web/20200430194523/https://www.ietf.org/rfc/rfc3062.txt |archive-date=30 April 2020 |access-date=26 November 2013 |website=The Internet Engineering Task Force (IETF)}}</ref><ref>{{cite web |last1=Zeilenga |first1=K. |last2=Choi |first2=J.H. |date=June 2006 |title=The Lightweight Directory Access Protocol (LDAP) Content Synchronization Operation |url=http://www.ietf.org/rfc/rfc4533.txt |url-status=live |archive-url=https://web.archive.org/web/20200430194756/https://www.ietf.org/rfc/rfc4533.txt |archive-date=30 April 2020 |access-date=26 November 2013 |website=The Internet Engineering Task Force (IETF)}}</ref> Microsoft previewed Active Directory in 1999, released it first with [[Windows 2000]] Server edition, and revised it to extend functionality and improve administration in [[Windows Server 2003]]. Active Directory support was also added to Windows 95, Windows 98, and Windows NT 4.0 via patch, with some unsupported features.<ref>{{Cite web |author=Daniel Petri |date=January 8, 2009 |title=Active Directory Client (dsclient) for Win98/NT |url=https://petri.com/dsclient_for_win98_nt}}</ref><ref>{{Cite web |date=5 June 2003 |title=Dsclient.exe connects Windows 9x/NT PCs to Active Directory |url=https://www.techrepublic.com/article/dsclientexe-connects-windows-9x-nt-pcs-to-active-directory/}}</ref> Additional improvements came with subsequent versions of [[Windows Server]]. In [[Windows Server 2008]], Microsoft added further services to Active Directory, such as [[Active Directory Federation Services]].<ref name=":0">{{Cite web |last=Thomas |first=Guy |date=29 November 2000 |title=Windows Server 2008 - New Features |url=http://www.computerperformance.co.uk/Longhorn/longhorn_new_features.htm |url-status=live |archive-url=https://web.archive.org/web/20190902044655/https://www.computerperformance.co.uk/longhorn/longhorn-new-features/ |archive-date=2 September 2019 |access-date=30 April 2020 |website=ComputerPerformance.co.uk |publisher=Computer Performance Ltd}}</ref> The part of the directory in charge of managing domains, which was a core part of the operating system,<ref name=":0" /> was renamed Active Directory Domain Services (ADDS) and became a server role like others.<ref name=":1" /> "Active Directory" became the umbrella title of a broader range of directory-based services.<ref>{{Cite web |title=What's New in Active Directory in Windows Server |url=https://technet.microsoft.com/en-us/library/dn268294.aspx |website=Windows Server 2012 R2 and Windows Server 2012 Tech Center |date=31 August 2016 |publisher=[[Microsoft]]}}</ref> According to Byron Hynes, everything related to identity was brought under Active Directory's banner.<ref name=":1" /> ==Active Directory Services== Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly [[abbreviation|abbreviated]] as AD DS or simply AD. ===Domain Services=== Active Directory Domain Services (AD DS) is the foundation of every [[Windows domain]] network. It stores information about domain members, including devices and users, [[Authentication|verifies their credentials]], and [[Authorization|defines their access rights]]. The server running this service is called a [[domain controller]]. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs a line-of-business [[Metro-style app]] [[Sideloading|sideloaded]] into a machine. Other Active Directory services (excluding [[#ADAM|LDS]], as described below) and most Microsoft server technologies rely on or use Domain Services; examples include [[Group Policy]], [[Encrypting File System]], [[BitLocker]], [[Domain Name Services]], [[Remote Desktop Services]], [[Exchange Server]], and [[SharePoint Server]]. The self-managed Active Directory DS must be distinct from managed [[Microsoft Azure Active Directory|Azure AD DS]], a cloud product.<ref>{{Cite web |title=Compare Active Directory-based services in Azure |url=https://docs.microsoft.com/en-us/azure/active-directory-domain-services/compare-identity-solutions |website=docs.microsoft.com|date=3 April 2023 }}</ref> ==={{anchor|ADAM}} Lightweight Directory Services=== Active Directory Lightweight Directory Services (AD LDS), previously called ''Active Directory Application Mode'' (ADAM),<ref name="Active Directory Lightweight Directory Services">{{cite web |title=AD LDS |url=http://msdn.microsoft.com/en-us/library/aa705886(VS.85).aspx |access-date=28 April 2009 |publisher=Microsoft}}</ref> implements the [[LDAP]] protocol for AD DS.<ref name="Active Directory Lightweight Directory Services versus AD DS">{{cite web |title=AD LDS versus AD DS | date=2 July 2012 |url=https://technet.microsoft.com/en-us/library/cc755080(v=ws.10).aspx |access-date=25 February 2013 |publisher=Microsoft}}</ref> It runs as a [[Windows service|service]] on [[Windows Server]] and offers the same functionality as AD DS, including an equal [[API]]. However, AD LDS does not require the creation of domains or domain controllers. It provides a Data Store for storing directory data and a [[Directory (database)|''Directory Service'']] with an LDAP Directory Service Interface. Unlike AD DS, multiple AD LDS instances can operate on the same server. ===Certificate Services=== Active Directory Certificate Services (AD CS) establishes an [[On-premises software|on-premises]] [[public key infrastructure]]. It can create, validate, revoke and perform other similar actions, [[public key certificate]]s for internal uses of an organization. These certificates can be used to encrypt files (when used with [[Encrypting File System]]), emails (per [[S/MIME]] standard), and network traffic (when used by [[virtual private network]]s, [[Transport Layer Security]] protocol or [[IPSec]] protocol). AD CS predates Windows Server 2008, but its name was simply Certificate Services.<ref>{{cite book|last1=Zacker|first1=Craig|editor1-last=Harding|editor1-first=Kathy|editor2-last=Jean|editor2-first=Trenary|editor3-last=Linda|editor3-first=Zacker|title=Planning and Maintaining a Microsoft Windows server 2003 Network Infrastructure|date=2003|publisher=Microsoft Press|location=Redmond, WA|isbn=0-7356-1893-3|pages=[https://archive.org/details/mcsaselfpacedtra00micr/page/11 11β16<!--This is a single page's number!-->]|chapter=11: Creating and Managing Digital Certificates|chapter-url-access=registration|chapter-url=https://archive.org/details/mcsaselfpacedtra00micr/page/11}}</ref> AD CS requires an AD DS infrastructure.<ref>{{cite web|title=Active Directory Certificate Services Overview|url=https://technet.microsoft.com/en-us/library/cc731564%28v=ws.10%29.aspx|website=[[Microsoft TechNet]]|publisher=[[Microsoft]]|access-date=24 November 2015}}</ref> ===Federation Services=== {{Main|Active Directory Federation Services}} Active Directory Federation Services (AD FS) is a [[single sign-on]] service. With an AD FS infrastructure in place, users may use several web-based services (e.g. [[internet forum]], [[blog]], [[online shopping]], [[webmail]]) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS uses many popular open standards to pass token credentials such as [[SAML]], [[OAuth]] or [[OpenID Connect]].<ref>{{cite web|title=Overview of authentication in Power Apps portals|url=https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-portal-authentication|website=[[Microsoft Docs]]|publisher=[[Microsoft]]|access-date=30 January 2022}}</ref> AD FS supports encryption and signing of [[SAML]] assertions.<ref>{{cite web|title=How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates|url=https://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx|website=[[Microsoft TechNet|TechNet]]|publisher=[[Microsoft]]|access-date=30 January 2022}}</ref> AD FS's purpose is an extension of that of AD DS: The latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials. The former enables them to use the same set of credentials in a different network. As the name suggests, AD FS works based on the concept of [[federated identity]]. AD FS requires an AD DS infrastructure, although its federation partner may not.<ref>{{cite web|title=Step 1: Preinstallation Tasks|url=https://technet.microsoft.com/en-us/library/cc771806%28v=ws.10%29.aspx|website=[[Microsoft TechNet|TechNet]]|publisher=[[Microsoft]]|access-date=21 October 2021}}</ref> ===Rights Management Services=== {{Main|Active Directory Rights Management Services}} '''Active Directory Rights Management Services''' ('''AD RMS'''), previously known as Rights Management Services or RMS before [[Windows Server 2008]], is server software that allows for [[information rights management]], included with [[Windows Server]]. It uses encryption and selective denial to restrict access to various documents, such as corporate [[e-mail]]s, [[Microsoft Word]] documents, and [[web page]]s. It also limits the operations authorized users can perform on them, such as viewing, editing, copying, saving, or printing. IT administrators can create pre-set templates for end users for convenience, but end users can still define who can access the content and what actions they can take.<ref>{{cite web |title=Test Lab Guide: Deploying an AD RMS Cluster |url=https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj134037(v=ws.11) |access-date=30 January 2022 |website=[[Microsoft Docs]] | date=31 August 2016 |publisher=[[Microsoft]]}}</ref> ==Logical structure== Active Directory is a service comprising a database and [[executable code]]. It is responsible for managing requests and maintaining the database. The Directory System Agent is the executable part, a set of [[Windows service]]s and [[Process (computing)|processes]] that run on Windows 2000 and later.<ref name="DSA-MSDN">{{cite web |title=Directory System Agent |url=http://msdn.microsoft.com/en-us/library/ms675902%28v=vs.85%29.aspx |access-date=23 April 2014 |work=[[MSDN#Library|MSDN Library]] |publisher=[[Microsoft]]}}</ref> Accessing the objects in Active Directory databases is possible through various interfaces such as LDAP, ADSI, [[messaging API]], and [[Security Accounts Manager]] services.<ref name="WI4">{{cite book |last1=Solomon |first1=David A. |url=https://archive.org/details/isbn_9780735619173/page/840 |title=Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 |last2=Russinovich |first2=Mark |date=2005 |publisher=[[Microsoft Press]] |isbn=0-7356-1917-4 |edition=4th |location=Redmond, Washington |page=[https://archive.org/details/isbn_9780735619173/page/840 840] |chapter=Chapter 13 |author-link=David A. Solomon |author-link2=Mark Russinovich |url-access=registration}}</ref> ===Objects used=== [[File:Publishing Company Network Diagram.png|thumb|A simplified example of a publishing company's internal network. The company has four groups with varying permissions to the three shared folders on the network.]]Active Directory structures consist of information about [[Object (computing)|objects]] classified into two categories: resources (such as printers) and [[security principal]]s (which include user or computer accounts and groups). Each security principal is assigned a unique [[security identifier]] (SID). An object represents a single entity, such as a user, computer, printer, or group, along with its attributes. Some objects may even contain other objects within them. Each object has a unique name, and its definition is a set of characteristics and information by a [[Database schema|schema]], which determines the storage in the Active Directory. Administrators can extend or modify the schema using the [[schema object]] when needed. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing them can fundamentally alter or disrupt a deployment. Modifying the schema affects the entire system automatically, and new objects cannot be deleted, only deactivated. Changing the schema usually requires planning.<ref>{{Cite book |title=Windows Server 2003: Active Directory Infrastructure |publisher=Microsoft Press |year=2003 |pages=1β8β1β9}}</ref> ===Forests, trees, and domains=== In an Active Directory network, the framework that holds objects has different levels: the forest, tree, and domain. Domains within a deployment contain objects stored in a single replicable database, and the [[Domain Name System|DNS]] name structure identifies their domains, the [[namespace]]. A domain is a logical group of network objects such as computers, users, and devices that share the same Active Directory database. On the other hand, a tree is a collection of domains and domain trees in a contiguous namespace linked in a transitive trust hierarchy. The forest is at the top of the structure, a collection of trees with a standard global catalog, directory schema, logical structure, and directory configuration. The forest is a secure boundary that limits access to users, computers, groups, and other objects. {| style="width:300px; float:right; border:1px solid #ccc; background:#f9f9f9; font-size:88%; line-height:1.5em; margin:5px;" |- || <!-- Table within a table, starts on next line --> {| style="margin:auto; border:1px solid darkgrey;" |- |- | || || [[File:Icons-mini-page url.gif]] ||| Domain-Boston |- | || || [[File:Icons-mini-page url.gif]] ||| Domain-New York |- | || || [[File:Icons-mini-page url.gif]] ||| Domain-Philly |- | || [[File:Icons-mini-page tree.gif]] || colspan="2" | Tree-Southern |- | || || [[File:Icons-mini-page url.gif]] ||| Domain-Atlanta |- | || || [[File:Icons-mini-page url.gif]] ||| Domain-Dallas |} || <!-- Table within a table, starts on next line --> {| style="margin:auto; border:1px solid darkgrey;" |- |[[File:Icons-mini-page url.gif]] | colspan="3" | Domain-Dallas |- | || [[File:Icons-mini-folder.gif]] || colspan="2" | OU-Marketing |- | || || [[File:Icons-mini-icon user.gif]] || Hewitt |- | || || [[File:Icons-mini-icon user.gif]] || Aon |- | || || [[File:Icons-mini-icon user.gif]] || Steve |- | || [[File:Icons-mini-folder.gif]] || colspan="2" | OU-Sales |- | || || [[File:Icons-mini-icon user.gif]] || Bill |- | || || [[File:Icons-mini-icon user.gif]] || Ralph |} |- | colspan="2"| Example of the geographical organizing of zones of interest within trees and domains |} ====Organizational units==== The objects held within a domain can be grouped into [[organizational unit]]s (OUs).<ref>{{Cite web | title = Organizational Units | url = https://technet.microsoft.com/en-us/library/cc978003.aspx | work = Distributed Systems Resource Kit ([[Microsoft TechNet|TechNet]]) | publisher = Microsoft | quote = An organizational unit in '''Active Directory''' is analogous to a directory in the file system | year = 2011 }}</ref> OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUsβdomains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and simplifying the implementation of policies and administration. The OU is the recommended level at which to apply [[group policies]], which are Active Directory objects formally named group policy objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well. Organizational units do not each have a separate namespace. As a consequence, for compatibility with Legacy NetBios implementations, user accounts with an identical SamAccountName are not allowed within the same domain even if the accounts objects are in separate OUs. This is because SamAccountName, a user object attribute, must be unique within the domain.<ref>{{cite web |date=4 January 2012 |title=SamAccountName is always unique in a Windows domain... or is it? |url=http://blog.joeware.net/2012/01/04/2357/ |access-date=18 September 2013 |publisher=Joeware |quote=examples of how multiple AD objects can be created with the same SamAccountName}} </ref> However, two users in different OUs can have the same common name (CN), the name under which they are stored in the directory itself such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. In general, the reason for this lack of allowance for duplicate names through hierarchical directory placement is that Microsoft primarily relies on the principles of [[NetBIOS]], which is a flat-namespace method of network object management that, for Microsoft software, goes all the way back to [[Windows NT 3.1]] and [[MS-DOS]] [[LAN Manager]]. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based. As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" ([[Name order|Western order]]) or the reverse (Eastern order) fail for common [[family names]] like ''Li'' (ζ), ''Smith'' or ''Garcia''. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student ID numbers to use as account names in place of actual users' names and allowing users to nominate their preferred word sequence within an [[acceptable use policy]]. Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network. =====Shadow groups===== [[File:Active directory - OUs can not be given rights to objects.png|thumb|In Active Directory, organizational units (OUs) cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.]] In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. It represents a design limitation specific to Active Directory, and other competing directories, such as Novell [[Novell eDirectory|NDS]], can set access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a group member also within that OU. Using only the OU location to determine access permissions is unreliable since the entity might not have been assigned to the group object for that OU yet. A common workaround for an Active Directory administrator is to write a custom [[PowerShell]] or [[Visual Basic]] script to automatically create and maintain a ''user group'' for each OU in their Directory. The scripts run periodically to update the group to match the OU's account membership. However, they cannot instantly update the security groups anytime the directory changes, as occurs in competing directories, as security is directly implemented into the Directory. Such groups are known as ''shadow groups''. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft's Server 2008 reference documentation mentions shadow groups but does not provide instructions on creating them. Additionally, there are no available server methods or console snap-ins for managing these groups.<ref>Microsoft Server 2008 Reference, discussing shadow groups used for fine-grained password policies: https://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx</ref> An organization must determine the structure of its information infrastructure by dividing it into one or more domains and top-level OUs. This decision is critical and can base on various models such as business units, geographical locations, IT service, object type, or a combination of these models. The immediate purpose of organizing OUs is to simplify administrative delegation and, secondarily, to apply group policies. While OUs serve as an administrative boundary, the forest itself is the only security boundary. All other domains must trust any administrator in the forest to maintain security.<ref>{{Cite web | title = Specifying Security and Administrative Boundaries | url = https://technet.microsoft.com/en-us/library/cc755979(WS.10).aspx | publisher = Microsoft Corporation | quote = However, service administrators have abilities that cross domain boundaries. For this reason, the forest is the ultimate security boundary, not the domain. | date = 23 January 2005}}</ref> ===Partitions=== The Active Directory database is organized in ''partitions'', each holding specific object types and following a particular replication pattern. Microsoft often refers to these partitions as 'naming contexts.<ref>{{cite web |author=Andreas Luther |title=Active Directory Replication Traffic |date=9 December 2009 |url=https://technet.microsoft.com/en-us/library/bb742457.aspx |access-date=26 May 2010 |publisher=Microsoft Corporation |quote=The Active Directory is made up of one or more naming contexts or partitions.}}</ref> The 'Schema' partition defines object classes and attributes within the forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate all domains in the forest. The 'Domain' partition holds all objects created in that domain and replicates only within it. ==Physical structure== ''Sites'' are physical (rather than logical) groupings defined by one or more [[Internet Protocol|IP]] subnets.<ref> {{cite web |date=21 January 2005 |title=Sites overview |url=https://technet.microsoft.com/en-us/library/cc782048(WS.10).aspx |publisher=Microsoft Corporation |quote=A site is a set of well-connected subnets.}} </ref> AD also defines connections, distinguishing low-speed (e.g., [[Wide area network|WAN]], [[Virtual private network|VPN]]) from high-speed (e.g., [[Local area network|LAN]]) links. Site definitions are independent of the domain and OU structure and are shared across the forest. Sites play a crucial role in managing network traffic created by replication and directing clients to their nearest [[domain controller]]s (DCs). [[Microsoft Exchange Server|Microsoft Exchange Server 2007]] uses the site topology for mail routing. Administrators can also define policies at the site level. The Active Directory information is physically held on one or more peer [[domain controller]]s, replacing the [[Windows NT|NT]] [[Primary Domain Controller|PDC]]/[[Backup Domain Controller|BDC]] model. Each DC has a copy of the Active Directory. Member servers joined to Active Directory that are not domain controllers are called Member Servers.<ref>{{cite web | title = Planning for domain controllers and member servers | url = https://technet.microsoft.com/en-us/library/cc737059(WS.10).aspx | publisher = Microsoft Corporation | quote = [...] member servers, [...] belong to a domain but do not contain a copy of the Active Directory data. | date = 21 January 2005 }} </ref> In the domain partition, a group of objects acts as copies of domain controllers set up as global catalogs. These global catalog servers offer a comprehensive list of all objects in the forest.<ref>{{cite web | title = What Is the Global Catalog? | url = https://technet.microsoft.com/en-us/library/cc728188(WS.10).aspx | publisher = Microsoft Corporation | date = 10 December 2009 | quote = [...] a domain controller can locate only the objects in its domain. [...] The global catalog provides the ability to locate objects from any domain [...] }}</ref><ref>{{cite web | title = Global Catalog | url = https://msdn.microsoft.com/en-us/library/ms676908%28v=vs.85%29.aspx | publisher = Microsoft Corporation }}</ref> Global Catalog servers replicate all objects from all domains to themselves, providing an international listing of entities in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated, called the ''partial attribute set'' (PAS). The PAS can be modified by modifying the schema and marking features for replication to the GC.<ref>{{cite web |date=26 August 2010 |title=Attributes Included in the Global Catalog |url=http://msdn.microsoft.com/en-us/library/ms675160%28VS.85%29.aspx |publisher=Microsoft Corporation |quote=The isMemberOfPartialAttributeSet attribute of an attributeSchema object is set to TRUE if the attribute is replicated to the global catalog. [...] When deciding whether or not to place an attribute in the global catalog remember that you are trading increased replication and increased disk storage on global catalog servers for, potentially, faster query performance.}}</ref> Earlier versions of Windows used [[NetBIOS]] to communicate. Active Directory is fully integrated with DNS and requires [[TCP/IP]]βDNS. To fully operate, the DNS server must support [[SRV record|SRV resource records]], also known as service records. ===Replication=== Active Directory uses [[multi-master replication]] to synchronize changes,<ref>{{cite web |date=21 January 2005 |title=Directory data store |url=https://technet.microsoft.com/en-us/library/cc736627(WS.10).aspx |publisher=Microsoft Corporation |quote=Active Directory uses four distinct directory partition types to store [...] data. Directory partitions contain domain, configuration, schema, and application data.}}</ref> meaning replicas pull changes from the server where the change occurred rather than being pushed to them.<ref>{{cite web |date=28 March 2003 |title=What Is the Active Directory Replication Model? |url=https://technet.microsoft.com/en-us/library/cc737314(WS.10).aspx |publisher=Microsoft Corporation |quote=Domain controllers request (pull) changes rather than send (push) changes that might not be needed.}} </ref> The Knowledge Consistency Checker (KCC) uses defined sites to manage traffic and create a replication topology of site links. Intra-site replication occurs frequently and automatically due to change notifications, which prompt peers to begin a pull replication cycle. Replication intervals between different sites are usually less consistent and don't usually use change notifications. However, it's possible to set it up to be the same as replication between locations on the same network if needed. Each [[Digital Signal 3|DS3]], [[Digital Signal 1|T1]], and [[ISDN]] link can have a cost, and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol ''site link bridges'' if the price is low. However, KCC automatically costs a direct site-to-site link lower than transitive connections. A bridgehead server in each zone can send updates to other DCs in the exact location to replicate changes between sites. To configure replication for Active Directory zones, activate DNS in the domain based on the site. To replicate Active Directory, [[Remote procedure call|Remote Procedure Calls]] (RPC) over IP (RPC/IP) are used. [[Simple Mail Transfer Protocol|SMTP]] is used to replicate between sites but only for modifications in the Schema, Configuration, or Partial Attribute Set (Global Catalog) GCs. It's not suitable for reproducing the default Domain partition.<ref>{{cite web | title = What Is Active Directory Replication Topology? | url = https://technet.microsoft.com/en-us/library/cc775549(WS.10).aspx | publisher = Microsoft Corporation | date = 28 March 2003 | quote = SMTP can be used to transport nondomain replication [...] }}</ref> ==Implementation== Generally, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory are possible for a network with a single domain controller.<ref>{{Cite web |title=Active Directory Backup and Restore |url=https://technet.microsoft.com/en-us/library/bb727048.aspx |access-date=5 February 2014 |work=[[Microsoft TechNet|TechNet]] |date=9 December 2009 |publisher=[[Microsoft]]}}</ref> However, Microsoft recommends more than one domain controller to provide automatic [[failover]] protection of the directory.<ref>{{cite web |title=AD DS: All domains should have at least two functioning domain controllers for redundancy |url=https://technet.microsoft.com/en-us/library/dd378865%28v=ws.10%29.aspx |access-date=5 February 2014 |work=[[Microsoft TechNet|TechNet]] |publisher=[[Microsoft]]}}</ref> Domain controllers are ideally single-purpose for directory operations only and should not run any other software or role.<ref>{{cite web |last=Posey |first=Brien |date=23 August 2010 |title=10 tips for effective Active Directory design |url=http://www.techrepublic.com/blog/10-things/10-tips-for-effective-active-directory-design |access-date=5 February 2014 |work=[[TechRepublic]] |publisher=[[CBS Interactive]] |quote=Whenever possible, your domain controllers should run on dedicated servers (physical or virtual).}}</ref> Since certain Microsoft products, like SQL Server<ref>{{Cite web |date=7 January 2013 |title=You may encounter problems when installing SQL Server on a domain controller (Revision 3.0) |url=http://support.microsoft.com/kb/2032911 |access-date=5 February 2014 |work=Support |publisher=[[Microsoft]]}}</ref><ref>{{Cite web |last=Degremont |first=Michel |date=30 June 2011 |title=Can I install SQL Server on a domain controller? |url=http://blogs.technet.com/b/mdegre/archive/2011/07/01/can-i-install-sql-server-on-a-domain-controller.aspx |access-date=5 February 2014 |work=Microsoft SQL Server blog |quote=For security and performance reasons, we recommend that you do not install a standalone SQL Server on a domain controller.}}</ref> and Exchange,<ref>{{Cite web |date=22 March 2013 |title=Installing Exchange on a domain controller is not recommended |url=https://technet.microsoft.com/en-us/library/ms.exch.setupreadiness.warninginstallexchangerolesondomaincontroller%28v=exchg.150%29.aspx |access-date=5 February 2014 |work=[[Microsoft TechNet|TechNet]] |publisher=[[Microsoft]]}}</ref> can interfere with the operation of a domain controller, isolation of these products on additional Windows servers is advised. Combining them can complicate the configuration and troubleshooting of the domain controller or the other installed software more complex.<ref>{{Cite web |title=Security Considerations for a SQL Server Installation |url=https://technet.microsoft.com/en-us/library/ms144228.aspx |access-date=5 February 2014 |work=[[Microsoft TechNet|TechNet]] |publisher=[[Microsoft]] |quote=After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.}}</ref> If planning to implement Active Directory, a business should purchase multiple Windows server licenses to have at least two separate domain controllers. Administrators should consider additional domain controllers for performance or redundancy and individual servers for tasks like file storage, Exchange, and SQL Server<ref>{{Cite web |title=Exchange Server Analyzer |url=https://technet.microsoft.com/en-us/library/aa997379%28v=exchg.80%29.aspx |access-date=5 February 2014 |work=[[Microsoft TechNet|TechNet]] |publisher=[[Microsoft]] |quote=Running SQL Server on the same computer as a production Exchange mailbox server is not recommended.}}</ref> since this will guarantee that all server roles are adequately supported. One way to lower the physical hardware costs is by using [[virtualization]]. However, for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.<ref>{{Cite web |quote=You should attempt to avoid creating potential single points of failure when you plan your virtual domain controller deployment.frank |title=Running Domain Controllers in Hyper-V |work=[[Microsoft TechNet|TechNet]] |publisher=[[Microsoft]] |url=https://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe%28v=ws.10%29#bkmk1_planning_to_virtualize_domain_controllers |at=Planning to Virtualize Domain Controllers |access-date=5 February 2014}}</ref> ==Database== The Active-Directory [[database]], the ''directory store'', in Windows 2000 Server uses the [[Microsoft JET Blue|JET Blue]]-based [[Extensible Storage Engine]] (ESE98). Each domain controller's database is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals). Microsoft has created NTDS databases with more than 2 billion objects.<ref name="blogs.technet.com">{{cite web |author=efleis |date=8 June 2006 |title=Large AD database? Probably not this large |url=http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx |archive-url=https://web.archive.org/web/20090817132033/http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx |archive-date=17 August 2009 |access-date=20 November 2011 |publisher=Blogs.technet.com}}</ref> NT4's [[Security Account Manager]] could support up to 40,000 objects. It has two main tables: the ''data table'' and the ''link table''. Windows Server 2003 added a third main table for [[security descriptor]] single instancing.<ref name="blogs.technet.com"/> Programs may access the features of Active Directory<ref>{{cite web | last=Berkouwer | first=Sander| title=Active Directory basics | url=http://www.veeam.com/wp-active-directory-basics.html | publisher=[[Veeam Software]]}}</ref> via the [[Component Object Model|COM interfaces]] provided by ''Active Directory Service Interfaces''.<ref> [http://msdn.microsoft.com/en-us/library/aa772170%28VS.85%29.aspx Active Directory Service Interfaces], Microsoft</ref> ==Trusting== To allow users in one domain to access resources in another, Active Directory uses trusts.<ref>{{cite web | title = Domain and Forest Trusts Technical Reference | url = https://technet.microsoft.com/en-us/library/cc738955(WS.10).aspx | publisher = Microsoft Corporation | date = 28 March 2003 | quote = Trusts enable [...] authentication and [...] sharing resources across domains or forests}}</ref> Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest. ===Terminology=== ;One-way trust :One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. ;Two-way trust :Two domains allow access to users on both domains. ;Trusted domain :The domain that is trusted; whose users have access to the trusting domain. ;Transitive trust :A trust that can extend beyond two domains to other trusted domains in the forest. ;Intransitive trust :A one way trust that does not extend beyond two domains. ;Explicit trust :A trust that an admin creates. It is not transitive and is one way only. ;Cross-link trust :An explicit trust between domains in different trees or the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains. ;Shortcut :Joins two domains in different trees, transitive, one- or two-way. ;Forest trust :Applies to the entire forest. Transitive, one- or two-way. ;Realm :Can be transitive or nontransitive (intransitive), one- or two-way. ;External :Connect to other forests or non-Active Directory domains. Nontransitive, one- or two-way.<ref>{{cite web | title =Domain and Forest Trusts Work | url = https://technet.microsoft.com/en-us/library/cc773178(WS.10).aspx | publisher = Microsoft Corporation | date = 11 December 2012 | access-date = 29 January 2013 | quote = Defines several kinds of trusts. (automatic, shortcut, forest, realm, external)}}</ref> ;PAM trust :A one-way trust used by [[Microsoft Identity Manager]] from a (possibly low-level) production forest to a ([[Windows Server 2016]] functionality level) 'bastion' forest, which issues time-limited group memberships.<ref>{{Cite web|url=https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services|title=Privileged Access Management for Active Directory Domain Services|website=docs.microsoft.com|date=8 February 2023 }}</ref><ref>{{Cite web|url=https://social.technet.microsoft.com/wiki/contents/articles/33363.mim-2016-privileged-access-management-pam-faq.aspx|title=TechNet Wiki|website=social.technet.microsoft.com|date=17 January 2024 }}</ref> ==Management tools== Microsoft Active Directory management tools include: *Active Directory Administrative Center (Introduced with Windows Server 2012 and above), *Active Directory Users and Computers, *Active Directory Domains and Trusts, *Active Directory Sites and Services, *ADSI Edit, *Local Users and Groups, *Active Directory Schema snap-ins for [[Microsoft Management Console]] (MMC), *[[SysInternals]] ADExplorer. These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party tools extend the administration and management capabilities. They provide essential features for a more convenient administration process, such as automation, reports, integration with other services, etc. ==Unix integration== Varying levels of interoperability with Active Directory can be achieved on most [[Unix-like]] operating systems (including [[Unix]], [[Linux]], [[Mac OS X]] or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as [[Group Policy]] and support for one-way trusts. Third parties offer Active Directory integration for Unix-like platforms, including: * ''PowerBroker Identity Services'', formerly ''Likewise'' ([[BeyondTrust]], formerly Likewise Software) β Allows a non-Windows client to join Active Directory<ref name="EMAG">{{cite book |last1=Edge |first1=Charles S. Jr |first2=Zack |last2=Smith |first3=Beau |last3=Hunter |title=Enterprise Mac Administrator's Guide |url=https://archive.org/details/enterprisemacadm0000edge |url-access=registration |year=2009 |publisher=[[Apress]] |location=New York City |isbn=978-1-4302-2443-3 |chapter = Chapter 3: Active Directory}}</ref> * ''ADmitMac'' ([[Thursby Software Systems]])<ref name="EMAG" /> * ''[[Samba (software)|Samba]]'' ([[free software]] under [[GPLv3]]) β Can act as a fully functional Active Directory<ref>{{cite web|url=https://www.samba.org/samba/history/samba-4.0.0.html|title=Samba 4.0.0 Available for Download |access-date=9 August 2016|work=SambaPeople|publisher=SAMBA Project| archive-url= https://web.archive.org/web/20101115160233/http://wiki.samba.org/index.php/Samba4/Releases/4.0.0alpha13| archive-date= 15 November 2010 | url-status= live}}</ref><ref name="Samba Plugfest Report">{{cite web | url=http://people.samba.org/people/2009/10/05#drs-success | title=The great DRS success! | access-date=2 November 2009 | date=5 October 2009 | work=SambaPeople | publisher=SAMBA Project | archive-url=https://web.archive.org/web/20091013094528/http://people.samba.org/people/2009/10/05#drs-success | archive-date=13 October 2009 }}</ref> The schema additions shipped with [[Windows Server 2003 R2]] include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, support these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).<ref>{{cite web|url=http://www.padl.com/~lukeh/rfc2307bis.txt |title=RFC 2307bis |access-date=20 November 2011 |archive-url=https://web.archive.org/web/20110927182939/http://www.padl.com/~lukeh/rfc2307bis.txt |archive-date=27 September 2011 }}</ref> Windows Server 2003 R2 includes a [[Microsoft Management Console]] snap-in that creates and edits the attributes. An alternative option is to use another directory service as non-Windows clients authenticate to this while Windows Clients authenticate to Active Directory. Non-Windows clients include [[389 Directory Server]] (formerly Fedora Directory Server, FDS), ViewDS v7.2 [[XML Enabled Directory]], and Sun Microsystems [[Sun Java System Directory Server]]. The latter two are both able to perform two-way synchronization with Active Directory and thus provide a "deflected" integration. Another option is to use [[OpenLDAP]] with its ''translucent'' overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.{{Citation needed|date=March 2011}} Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including [[PowerShell]], [[VBScript]], [[JavaScript|JScript/JavaScript]], [[Perl]], [[Python (programming language)|Python]], and [[Ruby (programming language)|Ruby]].<ref>{{cite web|title=Active Directory Administration with Windows PowerShell|url=https://technet.microsoft.com/en-us/library/dd378937%28WS.10%29.aspx|publisher=Microsoft|access-date=7 June 2011}}</ref><ref>{{cite web|title=Using Scripts to Search Active Directory|date=26 May 2010 |url=https://technet.microsoft.com/library/ee692830.aspx|publisher=Microsoft|access-date=22 May 2012}}</ref><ref>{{cite web|title=ITAdminTools Perl Scripts Repository|url=http://www.itadmintools.com/2011/09/itadmintools-perl-script-repository.html|publisher=ITAdminTools.com|access-date=22 May 2012}}</ref><ref>{{cite web|title=Win32::OLE|url=https://metacpan.org/module/Win32::OLE|publisher=Perl Open-Source Community|access-date=22 May 2012}}</ref> Free and non-free Active Directory administration tools can help to simplify and possibly automate Active Directory management tasks. Since October 2017 Amazon [[Amazon Web Services|AWS]] offers integration with Microsoft Active Directory.<ref>{{Cite web|url=https://aws.amazon.com/blogs/security/introducing-aws-directory-service-for-microsoft-active-directory-standard-edition/|title=Introducing AWS Directory Service for Microsoft Active Directory (Standard Edition)|date=24 October 2017|website=Amazon Web Services}}</ref> ==See also== * [[AGDLP]] (implementing [[role based access control]]s using nested groups) * [[Apple Open Directory]] * [[Flexible single master operation]] * [[FreeIPA]] * [[List of LDAP software]] * [[System Security Services Daemon]] (SSSD) * [[Univention Corporate Server]] ==References== {{reflist|30em}} ==External links== {{Wikiversity | Active Directory}} * Microsoft Technet: White paper: [https://web.archive.org/web/20170723214323/https://technet.microsoft.com/en-us/library/bb727030.aspx Active Directory Architecture] (Single technical document that gives an overview about Active Directory.) * Microsoft Technet: Detailed description of [https://web.archive.org/web/20160415041807/https://technet.microsoft.com/en-us/library/cc782657(WS.10).aspx Active Directory on Windows Server 2003] * Microsoft MSDN Library: [http://msdn.microsoft.com/en-us/library/cc223122.aspx <nowiki>[MS-ADTS]: Active Directory Technical Specification</nowiki>] (part of the [[Microsoft Open Specification Promise]]) * [https://technet.microsoft.com/en-us/library/cc736765%28v=ws.10%29.aspx Active Directory Application Mode (ADAM)] * Microsoft MSDN: [https://msdn.microsoft.com/en-us/library/bb897400.aspx <nowiki>[AD-LDS]: Active Directory Lightweight Directory Services</nowiki>] * Microsoft TechNet: [https://technet.microsoft.com/en-us/library/cc754361%28v=ws.10%29.aspx <nowiki>[AD-LDS]: Active Directory Lightweight Directory Services</nowiki>] * Microsoft MSDN: [http://msdn.microsoft.com/en-us/library/ms675085(VS.85).aspx Active Directory Schema] * Microsoft TechNet: [https://technet.microsoft.com/en-us/library/cc739086(WS.10).aspx Understanding Schema] * Microsoft TechNet Magazine: [https://technet.microsoft.com/en-us/magazine/2008.05.schema.aspx?pr=blog Extending the Active Directory Schema] * Microsoft MSDN: [https://msdn.microsoft.com/en-us/library/ff630887.aspx Active Directory Certificate Services] * Microsoft TechNet: [https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx Active Directory Certificate Services] {{Microsoft products}} {{Windows Components}} [[Category:Active Directory| ]] [[Category:Directory services]] [[Category:Public key infrastructure]] [[Category:Microsoft server technology]] [[Category:Windows components]] [[Category:Windows 2000]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:Anchor
(
edit
)
Template:Blockquote
(
edit
)
Template:Citation needed
(
edit
)
Template:Cite book
(
edit
)
Template:Cite web
(
edit
)
Template:Hatnote
(
edit
)
Template:Main
(
edit
)
Template:Microsoft products
(
edit
)
Template:R
(
edit
)
Template:Reflist
(
edit
)
Template:Short description
(
edit
)
Template:Use dmy dates
(
edit
)
Template:Wikiversity
(
edit
)
Template:Windows Components
(
edit
)