CSIT 320, slide 1
Just as the combination of a database and a database management system collects and organizes information about an institution or company, as well as manages access to that information, Active Directory collects, organizes and manages access to information about network objects such as computers, servers, printers, users, groups, etc.
For instance, one component is a Directory Service, often likened to a phone book, which one uses to look up numbers (from names) or services (yellow pages).
Active Directory is often just called AD.
For example, AD-DS is Active Directory Domain Services.
CSIT 320, slide 2
Active Directory is based upon some of the following standards (though it is not fully compliant with all of them):
DNS: AD needs DNS to work, and it follows DNS organization and naming conventions.
X.500: a directory service protocol based on the OSI model (AD does not use the full X.500 standard).
LDAP (Lightweight Directory Access Protocol): part of the X.500 standard was the Directory Access Protocol; LDAP is a scaled-down, easier version of that.
Kerberos: a network authentication protocol that adds the security to AD.
CSIT 320, slide 3
Whereas a database has a relational structure, the objects in AD have a hierarchical, tree-like structure.
Thus there is a root.
Every object other than the root has one and only one parent.
However, it can get complicated in that there are various levels (domains, organizational units, groups) as well as distinctions between logical separations and physical separations.
CSIT 320, slide 4
A domain is one of the main organizational units in Active Directory.
It collects resources and manages access to them for a set of users.
For instance, users being logged in to the same domain typically implies that those users will, for the most part, have access to the same resources and follow the same policies.
In Active Directory diagrams, domains are represented by triangles.
CSIT 320, slide 5
An AD domain must have at least one AD domain controller.
The domain controller manages the authentication of users, granting them access to the domain and the resources it contains.
Best practice suggests that there are at least two domain controllers in a domain so that access to the domain can still be granted if one controller is down.
CSIT 320, slide 6
A tree is a set of domains that obey a DNS-type
hierarchical naming structure. They belong to the
same namespace.
A namespace provides a context in which a name has a
well defined meaning.
CSIT 320, slide 7
Example tree (diagram): lasalle.edu, with the child domains student.lasalle.edu and luna.lasalle.edu.
As the name suggests, a forest is a collection of trees.
Each tree has its own namespace, so the different trees in the forest have different namespaces. However, you may want them to be connected in some way: to have some kind of trust relationship, some sharing of resources, or just to administer them as a unit.
CSIT 320, slide 8
Example forest (diagram): the tree lasalle.edu (with the child domain student.lasalle.edu) and the tree lasalle.museum.
The trees in a forest still share a common root.
The first tree in the forest serves as the root.
It will have (at least initially) the global catalog: the collection of definitions, how the forest is organized, what the trust relationships are, names for all of the objects, etc.
CSIT 320, slide 9
If two domains have a trust relationship, it means that users from one domain can access resources from the other domain.
That way an administrator does not have to give users accounts in both domains.
The domain with the resource is said to be trusting, and the domain with the user is said to be trusted.
Trust can be, but doesn't have to be, a two-way street.
CSIT 320, slide 10
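To make the namespace and trust rules of the last few slides concrete, here is an added Python example (not from the slides or their sources) that groups a set of domains into trees by DNS suffix and decides whether a user from one domain can reach a resource in another, using the trusting/trusted direction defined above. The domain names and trusts are constructed sample data, and only direct trusts are modelled.

```python
# Added example (not from the slides): domains, trees and forests are
# named by DNS, and a trust has a direction. The sample domains and
# trusts below are constructed.

def parent_domain(name):
    """DNS-style parent: drop the leftmost label (None for a single label)."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None

def tree_root(domain, domains):
    """Walk up the namespace while the parent is also a domain of the forest."""
    root = domain
    while parent_domain(root) in domains:
        root = parent_domain(root)
    return root

def trees(domains):
    """Group the forest's domains into trees, one per contiguous namespace."""
    groups = {}
    for d in domains:
        groups.setdefault(tree_root(d, domains), set()).add(d)
    return groups

def can_access(user_domain, resource_domain, trusts):
    """trusts holds (trusting, trusted) pairs: the domain with the resource
    is trusting, the domain with the user is trusted. Only direct trusts
    are modelled here, as on the slides (no transitivity)."""
    if user_domain == resource_domain:
        return True
    return (resource_domain, user_domain) in trusts

def two_way(a, b, trusts):
    """A trust is two-way only when both directions are present."""
    return (a, b) in trusts and (b, a) in trusts

# Constructed forest: one tree under lasalle.edu, a second tree lasalle.museum.
FOREST = {"lasalle.edu", "student.lasalle.edu", "luna.lasalle.edu", "lasalle.museum"}
# Constructed trusts: museum trusts student users (one way); edu <-> museum (two way).
TRUSTS = {
    ("lasalle.museum", "student.lasalle.edu"),
    ("lasalle.edu", "lasalle.museum"),
    ("lasalle.museum", "lasalle.edu"),
}

if __name__ == "__main__":
    for root, members in trees(FOREST).items():
        print(root, "->", sorted(members))
    print(can_access("student.lasalle.edu", "lasalle.museum", TRUSTS))  # True
    print(can_access("lasalle.museum", "student.lasalle.edu", TRUSTS))  # False
```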
So far we have been moving up in the hierarchy from the original concept of a domain; an organizational unit, on the other hand, is lower in the hierarchy (farther from the root).
It is a container within a domain: resources like printers and file shares organized into smaller containers.
Example: within the student.lasalle.edu domain, science students may have access to different shares and different printers from business students, etc.
CSIT 320, slide 11
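An added Python example (not part of the slides) showing how an organizational unit nests inside a domain: it builds LDAP-style distinguished names for the student.lasalle.edu example, walks an object's single chain of parent containers, and resolves which shares and printers the object inherits from the containers above it. The OU names, resource names and grants are constructed.

```python
# Added example (not from the slides): an OU is a container inside a
# domain, and resources granted to a container apply to everything below
# it. OU names, resources and grants are constructed sample data.

def domain_dn(dns_name):
    """DNS name -> LDAP distinguished name of the domain:
    student.lasalle.edu -> DC=student,DC=lasalle,DC=edu"""
    return ",".join(f"DC={label}" for label in dns_name.split("."))

def object_dn(dns_name, ou_path, name=None):
    """ou_path lists OUs outermost first; a DN lists components innermost first."""
    parts = [f"CN={name}"] if name else []
    parts += [f"OU={ou}" for ou in reversed(ou_path)]
    return ",".join(parts + [domain_dn(dns_name)])

def parent_dn(dn):
    """Every object except the root has exactly one parent: drop the first component."""
    _head, sep, rest = dn.partition(",")
    return rest if sep else None

def containers(dn):
    """Containers holding the object, innermost first, stopping at its own domain."""
    chain = []
    p = parent_dn(dn)
    while p is not None:
        chain.append(p)
        if p.startswith("DC="):  # reached the domain itself; parent domains are separate
            break
        p = parent_dn(p)
    return chain

def resources_for(dn, grants):
    """grants maps a container DN to the resources granted to it; an object
    gets the union over all containers above it."""
    out = set()
    for c in containers(dn):
        out |= grants.get(c, set())
    return out

STUDENT = "student.lasalle.edu"
GRANTS = {  # constructed sample grants per container
    domain_dn(STUDENT): {r"\\files\public"},
    object_dn(STUDENT, ["Students", "Science"]): {r"\\files\labdata", "printer-sci-1"},
    object_dn(STUDENT, ["Students", "Business"]): {"printer-bus-1"},
}

if __name__ == "__main__":
    alice = object_dn(STUDENT, ["Students", "Science"], "alice")
    print(alice, sorted(resources_for(alice, GRANTS)))
```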
In a large company a logical container such as a domain might cover multiple physical locations.
This can cause a problem because a lot of information is passed between domain controllers.
So AD has the notion of a site, which corresponds to physical differences rather than logical differences.
A site can have multiple domains.
A domain may be spread over multiple sites.
CSIT 320, slide 12
Kinds of AD objects:
User
Group
Computer
Printer
Distribution Lists
System Policies
CSIT 320, slide 13
Just like a database, Active Directory has a schema: the definition of all AD objects.
For example, it will define a User, what attributes a User must have, what attributes a User might have, relationships between Users and Groups, etc.
There is ONE schema for a forest.
It is extensible: while a default set of definitions gets one started with AD, one can extend it or create new objects.
CSIT 320, slide 14
The global catalog is a distributed data repository containing a searchable, partial representation of every object in every domain in a forest.
It answers AD search queries.
It must be present to successfully log on.
It holds a copy of all objects of the whole forest ...but holds only a subset of their attributes.
CSIT 320, slide 15
Member server: a server on a domain offering a non-Active Directory service.
Domain controller: as the name suggests, it manages access to the resources within a domain.
Global catalog server: while a domain controller stores the objects for the domain it controls, a global catalog server stores the objects from all domains in the forest.
A global catalog server is a domain controller, but a domain controller may not be a global catalog server.
CSIT 320, slide 16
Updates can be applied to ANY domain controller.
They will be replicated to each other domain controller (inside that domain) within 15 minutes.
An optimized algorithm reduces replication traffic.
Replication is not time based (it is triggered on demand only)!
CSIT 320, slide 17
Improved authentication.
Permissions are applied via ACLs:
to objects as a whole,
to specific attributes.
Fine-tuning of access permissions is therefore possible.
CSIT 320, slide 18
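To illustrate object-level versus attribute-level permissions, here is an added Python example (not from the slides) with a simplified ACL evaluator: each entry applies either to the whole object or to one attribute, and an explicit deny wins over an allow. The principals, attributes (including the constructed schema-extension attribute salary) and ACL entries are sample data.

```python
# Added example (not from the slides): a simplified model of AD access
# control lists. An entry applies to the whole object or to a single
# attribute, and an explicit deny wins over an allow, as in Windows DACL
# evaluation. Principals, attributes and ACL entries are constructed.
from collections import namedtuple

# attribute=None means the entry covers the object as a whole
Ace = namedtuple("Ace", "principal allow right attribute")

def applies(ace, principals, right, attribute):
    """An entry applies if it names one of the caller's principals, the
    requested right, and either the whole object or the requested attribute."""
    return (ace.principal in principals
            and ace.right == right
            and ace.attribute in (None, attribute))

def check_access(acl, principals, right, attribute=None):
    """principals: the user's own name plus the groups it belongs to.
    Allowed if some applicable entry allows the right and none denies it."""
    relevant = [a for a in acl if applies(a, principals, right, attribute)]
    if any(not a.allow for a in relevant):
        return False
    return any(a.allow for a in relevant)

def readable_attributes(acl, principals, attributes):
    """Fine-tuning in action: which attributes of the object this caller may read."""
    return {a for a in attributes if check_access(acl, principals, "read", a)}

# Constructed ACL on one user object. "salary" stands in for a schema
# extension attribute (the schema is extensible, as an earlier slide says).
USER_OBJECT_ACL = [
    Ace("Authenticated Users", True, "read", None),       # whole object readable
    Ace("Authenticated Users", False, "read", "salary"),  # ...except this attribute
    Ace("HelpDesk", True, "write", "telephoneNumber"),    # may change only the phone
    Ace("Domain Admins", True, "write", None),            # may change anything
]

if __name__ == "__main__":
    helpdesk = {"alice", "HelpDesk", "Authenticated Users"}
    attrs = {"displayName", "telephoneNumber", "salary"}
    print(sorted(readable_attributes(USER_OBJECT_ACL, helpdesk, attrs)))
    print(check_access(USER_OBJECT_ACL, helpdesk, "write", "telephoneNumber"))
```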
Windows Server 2008 R2 Unleashed, Rand Morimoto, Michael Noel, Omar Droubi, Ross Mistry and Chris Amaris, SAMS.
Active Directory for Dummies, Steve Clines and Marcia Loughry, Wiley.
http://www.tech-faq.com/active-directory-terminology-and-concepts.html
CSIT 320, slide 19
