
Introduction to Active Directory Domain Services

Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.

Active Directory handles authentication by using Kerberos and Single Sign-On (SSO). SSO refers to the ability of Kerberos to give a user one set of credentials and grant access to a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket, with which the user gains access to the resources and services that support Kerberos.

AD uses LDAP as its access protocol. AD relies on DNS as its locator service,
enabling clients to locate domain controllers through DNS queries.

Benefits of Active Directory –

– Hierarchical organizational structure.
– Multi-master authentication and multi-master replication (the ability to access and modify AD DS from multiple points of administration).
– A single point of access to network resources.
– Ability to create trust relationships with external networks running previous versions of Active Directory and even Unix.

Active Directory provides several different services, which fall under the umbrella of “Active Directory Domain Services,” or AD DS. These services include:

1. Domain Services –
Stores centralized data and manages communication between users and domains; includes login authentication and search functionality.
2. Certificate Services –
Generates, manages and shares certificates. A certificate uses encryption to enable a user to exchange information securely over the Internet with a public key.
3. Lightweight Directory Services –
Supports directory-enabled applications using the open LDAP protocol.
4. Directory Federation Services –
Provides single sign-on (SSO) to authenticate a user to multiple web applications in a single session.
5. Rights Management –
Controls information rights and management. AD RMS encrypts content, such as e-mail or Word documents, on a server to limit access.

Domain Controllers –

A server that is running AD DS is called a domain controller. Domain controllers host and replicate the directory service database inside the forest. The directory service also provides services for managing and authenticating resources in the forest. These servers host essential services in AD DS, including the following:

– Kerberos Key Distribution Center (Kdc)
– NetLogon (Netlogon)
– Windows Time (W32time)
– Intersite Messaging (IsmServ)

Active Directory Objects:

1. Container Objects –
These objects can contain other objects and are used to group them into collections, for example forests, trees, domains and organizational units.
2. Leaf Objects –
These objects cannot contain other objects, for example users, computers and printers.

Common Terminologies and Active Directory Concepts:

– Schema –
The set of rules that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names.
– Global catalog –
A catalog that contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data. For more information about the global catalog, see “The role of the global catalog.”
– Forest Root Domain –
The first domain that is installed in an Active Directory forest is referred to as the root domain.
– Sites –
Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet and site link objects, to build the most efficient replication topology.
– Lightweight Directory Access Protocol –
AD is based on the Lightweight Directory Access Protocol (LDAP). This protocol provides a common language for clients and servers to speak to one another.

LDAP (Lightweight Directory Access Protocol)

LDAP (Lightweight Directory Access Protocol) is a software protocol that enables anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.

In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for an individual without knowing where they're located (although additional information will help with the search).

An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:

– The root directory (the starting place or the source of the tree), which branches out to
– Countries, each of which branches out to
– Organizations, which branch out to
– Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
– Individuals (which include people, files, and shared resources such as printers)
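As an added illustration (not part of the original notes): the levels above appear in reverse in an entry's Distinguished Name, whose string form lists the entry first and the root last. The Python below parses a constructed DN into its relative distinguished names, handles a backslash-escaped comma inside a value, and prints the walk from the root down to the entry using the level names from the list; the attribute-to-level mapping (c, o, ou, cn) is an assumption made for this illustration.

```python
import re

# Tree levels from the notes, keyed by the attribute type assumed to name each level.
LEVELS = {"c": "country", "o": "organization", "ou": "organizational unit",
          "cn": "individual (entry)"}

def split_rdns(dn):
    """Split a DN on commas, honouring backslash escapes (RFC 4514 string form)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        cur.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            cur.pop()                          # separator, not part of the value
            rdns.append("".join(cur).strip())
            cur = []
    rdns.append("".join(cur).strip())
    return rdns

def parse_dn(dn):
    """Return [(type, value), ...] ordered root-first.

    The string form lists the entry first and the root last, so the list is reversed."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        # Drop the backslash from simple escapes such as '\,' (hex escapes not handled).
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value)))
    return pairs[::-1]

def tree_path(dn):
    """Describe the walk from the root to the entry in the notes' terminology."""
    return ["%s: %s" % (LEVELS.get(t, t), v) for t, v in parse_dn(dn)]

if __name__ == "__main__":
    # Constructed sample DN; the escaped comma belongs to the common name.
    for line in tree_path("cn=Doe\\, Jane,ou=Sales,o=Example Corp,c=US"):
        print(line)
```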

An LDAP directory can be distributed among many servers. Each server can have
a replicated version of the total directory that is synchronized periodically. An
LDAP server is called a Directory System Agent (DSA). An LDAP server that
receives a request from a user takes responsibility for the request, passing it to
other DSAs as necessary, but ensuring a single coordinated response for the user.

LDAP and Active Directory

Lightweight Directory Access Protocol is the protocol that Exchange Server uses to
communicate with Active Directory. To really understand what LDAP is and what it
does, it is important to understand the basic concept behind Active Directory as it
relates to Exchange.

Active Directory contains information regarding every user account on the entire
network (among other things). It treats each user account as an object. Each user
object also has multiple attributes. An example of an attribute is the user's first
name, last name, or e-mail address. All of this information exists within a huge,
cryptic database on a domain controller (Active Directory). The challenge is to
extract information in a usable format. This is LDAP's job.

LDAP uses a relatively simple, string-based query to extract information from Active Directory. The nice part is that this all happens behind the scenes. A regular end user will never have to manually perform an LDAP query, because Outlook is LDAP-enabled and knows how to perform all the necessary queries on its own.
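To show what such a string-based query looks like, here is an added example (not from the original notes) that evaluates LDAP search filters written in RFC 4515 syntax (the &, |, !, equality, presence and '*' substring forms) against a few constructed user and computer entries; the entries and their attribute values are made up for this illustration.

```python
import fnmatch
ENTRIES = [  # constructed sample entries (attribute -> value) standing in for AD objects
    {"objectClass": "user", "givenName": "Jane", "sn": "Doe",
     "mail": "jane.doe@example.test", "userAccountControl": "512"},
    {"objectClass": "user", "givenName": "Bob", "sn": "Smith",
     "mail": "bob@example.test", "userAccountControl": "514"},  # 514 = 512 + ACCOUNTDISABLE
    {"objectClass": "computer", "cn": "WS01", "dNSHostName": "ws01.example.test"},
]

def parse(filt):
    """Parse one parenthesised filter; return (node, unparsed remainder)."""
    if not filt.startswith("("):
        raise ValueError("filter must start with '('")
    if filt[1] in "&|":                      # (&(..)(..)) or (|(..)(..))
        op, rest, kids = filt[1], filt[2:], []
        while rest.startswith("("):
            kid, rest = parse(rest)
            kids.append(kid)
        return (op, kids), rest[1:]          # rest[0] is the closing ')'
    if filt[1] == "!":                       # (!(..))
        kid, rest = parse(filt[2:])
        return ("!", [kid]), rest[1:]
    end = filt.index(")")                    # simple item: (attr=value)
    attr, _, value = filt[1:end].partition("=")
    return ("=", attr, value), filt[end + 1:]

def matches(node, entry):
    """Evaluate a parsed filter node against one entry."""
    if node[0] in "&|":                      # AND / OR over the child filters
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    value = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if value is None:                        # an absent attribute never matches
        return False
    if pattern == "*":                       # presence test (attr=*)
        return True
    # LDAP '*' is the only wildcard; escape fnmatch's '[' and '?' so they stay literal.
    glob = pattern.lower().replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value.lower(), glob)  # AD string matching is case-insensitive

def search(filt, entries=ENTRIES):
    """Return the entries satisfying a filter such as (&(objectClass=user)(mail=*))."""
    node, rest = parse(filt)
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return [e for e in entries if matches(node, e)]
```

`search("(&(objectClass=user)(mail=*)(!(userAccountControl=514)))")` returns only the enabled user with a mail address, which is the kind of query an LDAP-enabled client issues on the user's behalf.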

Advantages of LDAP

– LDAP relies on the TCP/IP stack rather than the OSI stack.
– It integrates with IP and enables IP clients to use LDAP to query directory services.
– LDAP can perform hyper-searches, giving one directory the ability to defer to another to provide requested data.
– LDAP’s API is C-based.
– Like X.500, LDAP uses an inverted-tree hierarchical structure.
– LDAP supports Kerberos authentication, Simple Authentication and Security Layer (SASL), and Secure Sockets Layer (SSL).
– Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.
