Active Directory

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is
included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active
Directory was used only for centralized domain management. However, Active Directory eventually became
an umbrella title for a broad range of directory-based identity-related services.[3]

A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It
authenticates and authorizes all users and computers in a Windows domain type network, assigning and
enforcing security policies for all computers, and installing or updating software. For example, when a user
logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and
determines whether the user is a system administrator or normal user.[4] Also, it allows management and
storage of information, provides authentication and authorization mechanisms, and establishes a framework to
deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight
Directory Services, and Rights Management Services.[5]

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of
Kerberos,[6] and DNS.[7]

Contents
History
Active Directory Services
Domain Services
Lightweight Directory Services
Certificate Services
Federation Services
Rights Management Services
Logical structure
Objects
Forests, trees, and domains
Organizational units
Shadow groups
Partitions
Physical structure
Replication
Implementation
Database
Trusting
Terminology
Management solutions
Unix integration
See also
References
External links

History
Like many information-technology efforts, originated out of a democratization of design using Request for
Comments (RFCs). The Internet Engineering Task Force (IETF), which oversees the RFC process, has
accepted numerous RFCs initiated by widespread participants. For example, LDAP underpins Active
Directory. Also X.500 directories and the Organizational Unit preceded the Active Directory concept that
makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in
April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API,
August 1995),[8] RFC 2307, RFC 3062, and RFC 4533.[9][10][11]

Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised
it to extend functionality and improve administration in Windows Server 2003. Active Directory support was
also added to Windows 95, Windows 98 and Windows NT 4.0 via patch, with some features being
unsupported.[12][13] Additional improvements came with subsequent versions of Windows Server. In
Windows Server 2008, additional services were added to Active Directory, such as Active Directory
Federation Services.[14] The part of the directory in charge of management of domains, which was previously
a core part of the operating system,[14] was renamed Active Directory Domain Services (ADDS) and became
a server role like others.[3] "Active Directory" became the umbrella title of a broader range of directory-based
services.[15] According to Byron Hynes, everything related to identity was brought under Active Directory's
banner.[3]

Active Directory Services

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain
Services, commonly abbreviated as AD DS or simply AD.[16]

Domain Services

Active Directory Domain Services (AD DS) is the foundation stone of every Windows domain network. It
stores information about members of the domain, including devices and users, verifies their credentials and
defines their access rights. The server running this service is called a domain controller. A domain controller is
contacted when a user logs into a device, accesses another device across the network, or runs a line-of-
business Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, as described below) as well as most of Microsoft server
technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System,
BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

The self-managed AD DS must not be confused with managed Azure AD DS, which is a cloud product.[17]

Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application
Mode (ADAM),[18] is an implementation of LDAP protocol for AD DS.[19] AD LDS runs as a service on
Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including
an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store
for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD
DS, however, multiple AD LDS instances can run on the same server.

Certificate Services

Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can
create, validate and revoke public key certificates for internal uses of an organization. These certificates can be
used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), and network
traffic (when used by virtual private networks, Transport Layer Security protocol or IPSec protocol).

AD CS predates Windows Server 2008, but its name was simply Certificate Services.[20]

AD CS requires an AD DS infrastructure.[21]

Federation Services

Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in
place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or
network resources using only one set of credentials stored at a central location, as opposed to having to be
granted a dedicated set of credentials for each service. AD FS's purpose is an extension of that of AD DS: The
latter enables users to authenticate with and use the devices that are part of the same network, using one set of
credentials. The former enables them to use the same set of credentials in a different network.

As the name suggests, AD FS works based on the concept of federated identity.

AD FS requires an AD DS infrastructure, although its federation partner may not.[22]

Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or
RMS before Windows Server 2008) is a server software for information rights management shipped with
Windows Server. It uses encryption and a form of selective functionality denial for limiting access to
documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations
authorized users can perform on them.

Logical structure
As a directory service, an Active Directory instance consists of a database and corresponding executable code
responsible for servicing requests and maintaining the database. The executable part, known as Directory
System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.[1]
Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model
interface), messaging API and Security Accounts Manager services.[2]

Objects

Active Directory structures are arrangements of information about objects. The objects fall into two broad
categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security
principals are assigned unique security identifiers (SIDs).
Each object represents a single entity—whether a user, a computer, a
printer, or a group—and its attributes. Certain objects can contain
other objects. An object is uniquely identified by its name and has a
set of attributes—the characteristics and information that the object
represents— defined by a schema, which also determines the kinds of
objects that can be stored in Active Directory.

The schema object lets administrators extend or modify the schema

when necessary. However, because each schema object is integral to
the definition of Active Directory objects, deactivating or changing
these objects can fundamentally change or disrupt a deployment. A simplified example of a publishing
Schema changes automatically propagate throughout the system. company's internal network. The
Once created, an object can only be deactivated—not deleted. company has four groups with
Changing the schema usually requires planning.[23] varying permissions to the three
shared folders on the network.

Forests, trees, and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree,
and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single
database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same
Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, and is linked in a
transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog,
directory schema, logical structure, and directory configuration. The forest represents the security boundary
within which users, computers, groups, and other objects are accessible.

Organizational units Domain-Dallas

Domain-Boston OU-
The objects held within a domain can be grouped into Marketing
Domain-
organizational units (OUs).[24] OUs can provide hierarchy to
a domain, ease its administration, and can resemble the New York Hewitt
organization's structure in managerial or geographical terms. Domain-Philly Aon
OUs can contain other OUs—domains are containers in this Tree-Southern Steve
sense. Microsoft recommends using OUs rather than domains
for structure and to simplify the implementation of policies Domain-Atlanta OU-Sales
and administration. The OU is the recommended level at Domain-Dallas Bill
which to apply group policies, which are Active Directory Ralph
objects formally named group policy objects (GPOs),
although policies can also be applied to domains or sites (see Example of the geographical organizing of
below). The OU is the level at which administrative powers zones of interest within trees and domains.
are commonly delegated, but delegation can be performed on
individual objects or attributes as well.
Organizational units do not each have a separate namespace. As a consequence, for compatibility with Legacy
NetBios implementations, user accounts with an identical sAMAccountName are not allowed within the same
domain even if the accounts objects are in separate OUs. This is because sAMAccountName, a user object
attribute, must be unique within the domain.[25] However, two users in different OUs can have the same
common name (CN), the name under which they are stored in the directory itself such as "fred.staff-
ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs.

In general the reason for this lack of allowance for duplicate names through hierarchical directory placement is
that Microsoft primarily relies on the principles of NetBIOS, which is a flat-namespace method of network
object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS
LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of
NetBIOS names, would prevent backward compatibility with legacy software and equipment. However,
disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is
supposedly based.

As the number of users in a domain increases, conventions such as "first initial, middle initial, last name"
李
(Western order) or the reverse (Eastern order) fail for common family names like Li ( ), Smith or Garcia.
Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID
system of unique employee/student ID numbers to use as account names in place of actual users' names, and
allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant
challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a
public school system or university who must be able to use any computer across the network.

Shadow groups

In Microsoft's Active Directory, OUs do not confer access

permissions, and objects placed within OUs are not automatically
assigned access privileges based on their containing OU. This is a
design limitation specific to Active Directory. Other competing
directories such as Novell NDS are able to assign access privileges
through object placement within an OU.

Active Directory requires a separate step for an administrator to assign

an object in an OU as a member of a group also within that OU. In Active Directory, organizational
Relying on OU location alone to determine access permissions is units (OUs) cannot be assigned as
unreliable, because the object may not have been assigned to the owners or trustees. Only groups are
group object for that OU. selectable, and members of OUs
cannot be collectively assigned
A common workaround for an Active Directory administrator is to rights to directory objects.
write a custom PowerShell or Visual Basic script to automatically
create and maintain a user group for each OU in their directory. The
scripts are run periodically to update the group to match the OU's account membership, but are unable to
instantly update the security groups anytime the directory changes, as occurs in competing directories where
security is directly implemented into the directory itself. Such groups are known as shadow groups. Once
created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to
create them. There are no built-in server methods or console snap-ins for managing shadow groups.[26]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-
level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or
by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation,
and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the
only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted
across all domains in the forest.[27]

Partitions

The Active Directory database is organized in partitions, each holding specific object types and following a
specific replication pattern. Microsoft often refers to these partitions as 'naming contexts'.[28] The 'Schema'
partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition
contains information on the physical structure and configuration of the forest (such as the site topology). Both
replicate to all domains in the Forest. The 'Domain' partition holds all objects created in that domain and
replicates only within its domain.

Physical structure
Sites are physical (rather than logical) groupings defined by one or more IP subnets.[29] AD also holds the
definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links.
Site definitions are independent of the domain and OU structure and are common across the forest. Sites are
used to control network traffic generated by replication and also to refer clients to the nearest domain
controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also
be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT
PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are
not domain controllers are called Member Servers.[30] A subset of objects in the domain partition replicate to
domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing
of all objects in the Forest.[31][32] Global Catalog servers replicate to themselves all objects from all domains
and, hence, provide a global listing of objects in the forest. However, to minimize replication traffic and keep
the GC's database small, only selected attributes of each object are replicated. This is called the partial
attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication
to the GC.[33] Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully
integrated with DNS and requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV
resource records, also known as service records.

Replication

Active Directory synchronizes changes using multi-master replication.[34] Replication by default is 'pull' rather
than 'push', meaning that replicas pull changes from the server where the change was effected.[35] The
Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to
manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers
peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use
change notification by default, although this is configurable and can be made identical to intrasite replication.

Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly.
Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is
low, although KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site
replication can be configured to occur between a bridgehead server in each site, which then replicates the
changes to other DCs within the site. Replication for Active Directory zones is automatically configured when
DNS is activated in the domain based by site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between Sites SMTP
can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global
Catalog) GCs. SMTP cannot be used for replicating the default Domain partition.[36]

Implementation
In general, a network utilizing Active Directory has more than one licensed Windows server computer.
Backup and restore of Active Directory is possible for a network with a single domain controller,[37] but
Microsoft recommends more than one domain controller to provide automatic failover protection of the
directory.[38] Domain controllers are also ideally single-purpose for directory operations only, and should not
run any other software or role.[39]

Certain Microsoft products such as SQL Server[40][41] and Exchange[42] can interfere with the operation of a
domain controller, necessitating isolation of these products on additional Windows servers. Combining them
can make configuration or troubleshooting of either the domain controller or the other installed software more
difficult.[43] A business intending to implement Active Directory is therefore recommended to purchase a
number of Windows server licenses, to provide for at least two separate domain controllers, and optionally,
additional domain controllers for performance or redundancy, a separate file server, a separate Exchange
server, a separate SQL Server,[44] and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization,
although for proper failover protection, Microsoft recommends not running multiple virtualized domain
controllers on the same physical hardware.[45]

Database
The Active-Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based
Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion
security principals) in each domain controller's database. Microsoft has created NTDS databases with more
than 2 billion objects.[46] (NT4's Security Account Manager could support no more than 40,000 objects).
Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a
third main table for security descriptor single instancing.[46]

Programs may access the features of Active Directory[47] via the COM interfaces provided by Active
Directory Service Interfaces.[48]

Trusting
To allow users in one domain to access resources in another, Active Directory uses trusts.[49]

Trusts inside a forest are automatically created when domains are created. The forest sets the default
boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology
One-way trust
 One domain allows access to users on another domain, but the other domain does not allow
access to users on the first domain.
Two-way trust
Two domains allow access to users on both domains.
Trusted domain
The domain that is trusted; whose users have access to the trusting domain.
Transitive trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust
A one way trust that does not extend beyond two domains.
Explicit trust
A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust
An explicit trust between domains in different trees or in the same tree when a
descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut
Joins two domains in different trees, transitive, one- or two-way.
Forest trust
Applies to the entire forest. Transitive, one- or two-way.
Realm
Can be transitive or nontransitive (intransitive), one- or two-way.
External
Connect to other forests or non-AD domains. Nontransitive, one- or two-way.[50]
PAM trust
A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production
forest to a (Windows Server 2016 functionality level) 'bastion' forest, which issues time-
limited group memberships.[51][52]

Management solutions
Microsoft Active Directory management tools include:

Active Directory Administrative Center (Introduced with Windows Server 2012 and above),
Active Directory Users and Computers,
Active Directory Domains and Trusts,
Active Directory Sites and Services,
ADSI Edit,
Local Users and Groups,
Active Directory Schema snap-ins for Microsoft Management Console (MMC),
SysInternals ADExplorer

These management tools may not provide enough functionality for efficient workflow in large environments.
Some third-party solutions extend the administration and management capabilities. They provide essential
features for a more convenient administration processes, such as automation, reports, integration with other
services, etc.

Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems
(including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP
clients, but these systems usually do not interpret many attributes associated with Windows components, such
as Group Policy and support for one-way trusts.

Third parties offer Active Directory integration for Unix-like platforms, including:

PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) –

Allows a non-Windows client to join Active Directory[53]
ADmitMac (Thursby Software Systems)[53]
Samba (free software under GPLv3) – Can act as a domain controller[54][55]

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to
RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap
provided by PADL.com, support these attributes directly. The default schema for group membership complies
with RFC 2307bis (proposed).[56] Windows Server 2003 R2 includes a Microsoft Management Console snap-
in that creates and edits the attributes.

An alternative option is to use another directory service as non-Windows clients authenticate to this while
Windows Clients authenticate to AD. Non-Windows clients include 389 Directory Server (formerly Fedora
Directory Server, FDS), ViewDS Identity Solutions - ViewDS v7.2 XML Enabled Directory and Sun
Microsystems Sun Java System Directory Server. The latter two both being able to perform two-way
synchronization with AD and thus provide a "deflected" integration.

Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote
LDAP server with additional attributes stored in a local database. Clients pointed at the local database see
entries containing both the remote and local attributes, while the remote database remains completely
untouched.

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting
languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.[57][58][59][60] Free
and non-free AD administration tools can help to simplify and possibly automate AD management tasks.

Since October 2017 Amazon AWS offers integration with Microsoft Active Directory.[61]

See also
AGDLP (implementing role based access controls using nested groups)
Apple Open Directory
Flexible single master operation
FreeIPA
List of LDAP software
System Security Services Daemon (SSSD)
Univention Corporate Server

References
1. "Directory System Agent" (http://msdn.microsoft.com/en-us/library/ms675902%28v=vs.85%29.a
spx). MSDN Library. Microsoft. Retrieved 23 April 2014.
2. Solomon, David A.; Russinovich, Mark (2005). "Chapter 13". Microsoft Windows Internals:
Microsoft Windows Server 2003, Windows XP, and Windows 2000 (https://archive.org/details/is
bn_9780735619173/page/840) (4th ed.). Redmond, Washington: Microsoft Press. p. 840 (http
s://archive.org/details/isbn_9780735619173/page/840). ISBN 0-7356-1917-4.
 3. Hynes, Byron (November 2006). "The Future of Windows: Directory Services in Windows
Server "Longhorn" " (https://technet.microsoft.com/en-us/magazine/2006.11.futureofwindows.as
px). TechNet Magazine. Microsoft. Archived (https://web.archive.org/web/20200430162954/http
s://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160894(v=msdn.10)?redir
ectedfrom=MSDN) from the original on 30 April 2020. Retrieved 30 April 2020.
4. "Active Directory on a Windows Server 2003 Network" (https://technet.microsoft.com/en-us/libra
ry/cc780036(WS.10).aspx#w2k3tr_ad_over_qbjd). Active Directory Collection. Microsoft. 13
March 2003. Archived (https://web.archive.org/web/20200430163301/https://docs.microsoft.co
m/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)?redirecte
dfrom=MSDN) from the original on 30 April 2020. Retrieved 25 December 2010.
5. Rackspace Support (27 April 2016). "Install Active Directory Domain Services on Windows
Server 2008 R2 Enterprise 64-bit" (https://support.rackspace.com/how-to/installing-active-direct
ory-on-windows-server-2012/). Rackspace. Rackspace US, Inc. Archived (https://web.archive.o
rg/web/20200430163406/https://support.rackspace.com/how-to/installing-active-directory-on-wi
ndows-server-2012/) from the original on 30 April 2020. Retrieved 22 September 2016.
6. "Microsoft Kerberos - Win32 apps" (https://docs.microsoft.com/en-us/windows/win32/secauthn/
microsoft-kerberos). docs.microsoft.com.
7. "Domain Name System (DNS)" (https://docs.microsoft.com/en-us/windows-server/networking/d
ns/dns-top). docs.microsoft.com.
8. Howes, T.; Smith, M. (August 1995). "The LDAP Application Program Interface" (http://www.ietf.
org/rfc/rfc1823.txt). The Internet Engineering Task Force (IETF). Archived (https://web.archive.o
rg/web/20200430164500/https://www.ietf.org/rfc/rfc1823.txt) from the original on 30 April 2020.
Retrieved 26 November 2013.
9. Howard, L. (March 1998). "An Approach for Using LDAP as a Network Information Service" (htt
p://www.ietf.org/rfc/rfc2307.txt). Internet Engineering Task Force (IETF). Archived (https://web.ar
chive.org/web/20200430164234/https://www.ietf.org/rfc/rfc2307.txt) from the original on 30 April
2020. Retrieved 26 November 2013.
10. Zeilenga, K. (February 2001). "LDAP Password Modify Extended Operation" (http://www.ietf.or
g/rfc/rfc3062.txt). The Internet Engineering Task Force (IETF). Archived (https://web.archive.org/
web/20200430194523/https://www.ietf.org/rfc/rfc3062.txt) from the original on 30 April 2020.
Retrieved 26 November 2013.
11. Zeilenga, K.; Choi, J.H. (June 2006). "The Lightweight Directory Access Protocol (LDAP)
Content Synchronization Operation" (http://www.ietf.org/rfc/rfc4533.txt). The Internet
Engineering Task Force (IETF). Archived (https://web.archive.org/web/20200430194756/http
s://www.ietf.org/rfc/rfc4533.txt) from the original on 30 April 2020. Retrieved 26 November 2013.
12. Daniel Petri (8 January 2009). "Active Directory Client (dsclient) for Win98/NT" (https://petri.co
m/dsclient_for_win98_nt).
13. "Dsclient.exe connects Windows 9x/NT PCs to Active Directory" (https://www.techrepublic.co
m/article/dsclientexe-connects-windows-9x-nt-pcs-to-active-directory/).
14. Thomas, Guy (29 November 2000). "Windows Server 2008 - New Features" (http://www.compu
terperformance.co.uk/Longhorn/longhorn_new_features.htm). ComputerPerformance.co.uk.
Computer Performance Ltd. Archived (https://web.archive.org/web/20190902044655/https://ww
w.computerperformance.co.uk/longhorn/longhorn-new-features/) from the original on 2
September 2019. Retrieved 30 April 2020.
15. "What's New in Active Directory in Windows Server" (https://technet.microsoft.com/en-us/librar
y/dn268294.aspx). Windows Server 2012 R2 and Windows Server 2012 Tech Center.
Microsoft.
16. "Active Directory Services technet.microsoft.com" (https://technet.microsoft.com/en-us/library/dd
578336%28v=ws.10%29.aspx).
17. "Compare Active Directory-based services in Azure" (https://docs.microsoft.com/en-us/azure/ac
tive-directory-domain-services/compare-identity-solutions). docs.microsoft.com.
18. "AD LDS" (http://msdn.microsoft.com/en-us/library/aa705886(VS.85).aspx). Microsoft.
Retrieved 28 April 2009.
19. "AD LDS versus AD DS" (https://technet.microsoft.com/en-us/library/cc755080(v=ws.10).aspx).
Microsoft. Retrieved 25 February 2013.
20. Zacker, Craig (2003). "11: Creating and Managing Digital Certificates" (https://archive.org/detail
s/mcsaselfpacedtra00micr/page/11). In Harding, Kathy; Jean, Trenary; Linda, Zacker (eds.).
Planning and Maintaining a Microsoft Windows server 2003 Network Infrastructure. Redmond,
WA: Microsoft Press. pp. 11–16 (https://archive.org/details/mcsaselfpacedtra00micr/page/11).
ISBN 0-7356-1893-3.
21. "Active Directory Certificate Services Overview" (https://technet.microsoft.com/en-us/library/cc7
31564%28v=ws.10%29.aspx). Microsoft TechNet. Microsoft. Retrieved 24 November 2015.
22. "Step 1: Preinstallation Tasks" (https://technet.microsoft.com/en-us/library/cc771806%28v=ws.1
0%29.aspx). TechNet. Microsoft. Retrieved 24 November 2015.
23. Windows Server 2003: Active Directory Infrastructure. Microsoft Press. 2003. pp. 1–8–1–9.
24. "Organizational Units" (https://technet.microsoft.com/en-us/library/cc978003.aspx). Distributed
Systems Resource Kit (TechNet). Microsoft. 2011. "An organizational unit in Active Directory
is analogous to a directory in the file system"
25. "sAMAccountName is always unique in a Windows domain… or is it?" (http://blog.joeware.net/
2012/01/04/2357/). Joeware. 4 January 2012. Retrieved 18 September 2013. "examples of how
multiple AD objects can be created with the same sAMAccountName"
26. Microsoft Server 2008 Reference, discussing shadow groups used for fine-grained password
policies: https://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
27. "Specifying Security and Administrative Boundaries" (https://technet.microsoft.com/en-us/librar
y/cc755979(WS.10).aspx). Microsoft Corporation. 23 January 2005. "However, service
administrators have abilities that cross domain boundaries. For this reason, the forest is the
ultimate security boundary, not the domain."
28. Andreas Luther. "Active Directory Replication Traffic" (https://technet.microsoft.com/en-us/librar
y/bb742457.aspx). Microsoft Corporation. Retrieved 26 May 2010. "The Active Directory is
made up of one or more naming contexts or partitions."
29. "Sites overview" (https://technet.microsoft.com/en-us/library/cc782048(WS.10).aspx). Microsoft
Corporation. 21 January 2005. "A site is a set of well-connected subnets."
30. "Planning for domain controllers and member servers" (https://technet.microsoft.com/en-us/libra
ry/cc737059(WS.10).aspx). Microsoft Corporation. 21 January 2005. "[...] member servers, [...]
belong to a domain but do not contain a copy of the Active Directory data."
31. "What Is the Global Catalog?" (https://technet.microsoft.com/en-us/library/cc728188(WS.10).as
px). Microsoft Corporation. 10 December 2009. "[...] a domain controller can locate only the
objects in its domain. [...] The global catalog provides the ability to locate objects from any
domain [...]"
32. "Global Catalog" (https://msdn.microsoft.com/en-us/library/ms676908%28v=vs.85%29.aspx).
Microsoft Corporation.
33. "Attributes Included in the Global Catalog" (http://msdn.microsoft.com/en-us/library/ms675160%
28VS.85%29.aspx). Microsoft Corporation. 26 August 2010. "The
isMemberOfPartialAttributeSet attribute of an attributeSchema object is set to TRUE if the
attribute is replicated to the global catalog. [...] When deciding whether or not to place an
attribute in the global catalog remember that you are trading increased replication and
increased disk storage on global catalog servers for, potentially, faster query performance."
34. "Directory data store" (https://technet.microsoft.com/en-us/library/cc736627(WS.10).aspx).
Microsoft Corporation. 21 January 2005. "Active Directory uses four distinct directory partition
types to store [...] data. Directory partitions contain domain, configuration, schema, and
application data."
35. "What Is the Active Directory Replication Model?" (https://technet.microsoft.com/en-us/library/cc
737314(WS.10).aspx). Microsoft Corporation. 28 March 2003. "Domain controllers request
(pull) changes rather than send (push) changes that might not be needed."
36. "What Is Active Directory Replication Topology?" (https://technet.microsoft.com/en-us/library/cc
775549(WS.10).aspx). Microsoft Corporation. 28 March 2003. "SMTP can be used to transport
nondomain replication [...]"
37. "Active Directory Backup and Restore" (https://technet.microsoft.com/en-us/library/bb727048.as
px). TechNet. Microsoft. Retrieved 5 February 2014.
38. "AD DS: All domains should have at least two functioning domain controllers for redundancy"
(https://technet.microsoft.com/en-us/library/dd378865%28v=ws.10%29.aspx). TechNet.
Microsoft. Retrieved 5 February 2014.
39. Posey, Brien (23 August 2010). "10 tips for effective Active Directory design" (https://www.techr
epublic.com/blog/10-things/10-tips-for-effective-active-directory-design). TechRepublic. CBS
Interactive. Retrieved 5 February 2014. "Whenever possible, your domain controllers should
run on dedicated servers (physical or virtual)."
40. "You may encounter problems when installing SQL Server on a domain controller (Revision
3.0)" (http://support.microsoft.com/kb/2032911). Support. Microsoft. 7 January 2013. Retrieved
5 February 2014.
41. Degremont, Michel (30 June 2011). "Can I install SQL Server on a domain controller?" (http://bl
ogs.technet.com/b/mdegre/archive/2011/07/01/can-i-install-sql-server-on-a-domain-controller.a
spx). Microsoft SQL Server blog. Retrieved 5 February 2014. "For security and performance
reasons, we recommend that you do not install a standalone SQL Server on a domain
controller."
42. "Installing Exchange on a domain controller is not recommended" (https://technet.microsoft.co
m/en-us/library/ms.exch.setupreadiness.warninginstallexchangerolesondomaincontroller%28v
=exchg.150%29.aspx). TechNet. Microsoft. 22 March 2013. Retrieved 5 February 2014.
43. "Security Considerations for a SQL Server Installation" (https://technet.microsoft.com/en-us/libr
ary/ms144228.aspx). TechNet. Microsoft. Retrieved 5 February 2014. "After SQL Server is
installed on a computer, you cannot change the computer from a domain controller to a domain
member. You must uninstall SQL Server before you change the host computer to a domain
member."
44. "Exchange Server Analyzer" (https://technet.microsoft.com/en-us/library/aa997379%28v=exch
g.80%29.aspx). TechNet. Microsoft. Retrieved 5 February 2014. "Running SQL Server on the
same computer as a production Exchange mailbox server is not recommended."
45. "Running Domain Controllers in Hyper-V" (https://technet.microsoft.com/en-us/library/d2cae85b
-41ac-497f-8cd1-5fbaa6740ffe%28v=ws.10%29#bkmk1_planning_to_virtualize_domain_contr
ollers). TechNet. Microsoft. Planning to Virtualize Domain Controllers. Retrieved 5 February
2014. "You should attempt to avoid creating potential single points of failure when you plan
your virtual domain controller deployment.frank"
46. efleis (8 June 2006). "Large AD database? Probably not this large" (https://web.archive.org/we
b/20090817132033/http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx).
Blogs.technet.com. Archived from the original (http://blogs.technet.com/efleis/archive/2006/06/0
8/434255.aspx) on 17 August 2009. Retrieved 20 November 2011.
47. Berkouwer, Sander. "Active Directory basics" (http://www.veeam.com/wp-active-directory-basic
s.html). Veeam Software.
48. Active Directory Service Interfaces (http://msdn.microsoft.com/en-us/library/aa772170%28VS.8
5%29.aspx), Microsoft
49. "Domain and Forest Trusts Technical Reference" (https://technet.microsoft.com/en-us/library/cc
738955(WS.10).aspx). Microsoft Corporation. 28 March 2003. "Trusts enable [...] authentication
and [...] sharing resources across domains or forests"
50. "Domain and Forest Trusts Work" (https://technet.microsoft.com/en-us/library/cc773178(WS.1
0).aspx). Microsoft Corporation. 11 December 2012. Retrieved 29 January 2013. "Defines
several kinds of trusts. (automatic, shortcut, forest, realm, external)"
51. "Privileged Access Management for Active Directory Domain Services" (https://docs.microsoft.c
om/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-d
omain-services). docs.microsoft.com.
52. "TechNet Wiki" (https://social.technet.microsoft.com/wiki/contents/articles/33363.mim-2016-privi
leged-access-management-pam-faq.aspx). social.technet.microsoft.com.
53. Edge, Charles S., Jr; Smith, Zack; Hunter, Beau (2009). "Chapter 3: Active Directory".
Enterprise Mac Administrator's Guide (https://archive.org/details/enterprisemacadm0000edge).
New York City: Apress. ISBN 978-1-4302-2443-3.
54. "Samba 4.0.0 Available for Download" (https://www.samba.org/samba/history/samba-4.0.0.htm
l). SambaPeople. SAMBA Project. Archived (https://web.archive.org/web/20101115160233/htt
p://wiki.samba.org/index.php/Samba4/Releases/4.0.0alpha13) from the original on 15
November 2010. Retrieved 9 August 2016.
55. "The great DRS success!" (https://web.archive.org/web/20091013094528/http://people.samba.
org/people/2009/10/05#drs-success). SambaPeople. SAMBA Project. 5 October 2009.
Archived from the original (https://people.samba.org/people/2009/10/05#drs-success) on 13
October 2009. Retrieved 2 November 2009.
56. "RFC 2307bis" (https://web.archive.org/web/20110927182939/http://www.padl.com/~lukeh/rfc2
307bis.txt). Archived from the original (http://www.padl.com/~lukeh/rfc2307bis.txt) on 27
September 2011. Retrieved 20 November 2011.
57. "Active Directory Administration with Windows PowerShell" (https://technet.microsoft.com/en-u
s/library/dd378937%28WS.10%29.aspx). Microsoft. Retrieved 7 June 2011.
58. "Using Scripts to Search Active Directory"
(https://technet.microsoft.com/library/ee692830.aspx). Microsoft. Retrieved 22 May 2012.
59. "ITAdminTools Perl Scripts Repository" (http://www.itadmintools.com/2011/09/itadmintools-perl-
script-repository.html). ITAdminTools.com. Retrieved 22 May 2012.
60. "Win32::OLE" (https://metacpan.org/module/Win32::OLE). Perl Open-Source Community.
Retrieved 22 May 2012.
61. "Introducing AWS Directory Service for Microsoft Active Directory (Standard Edition)" (https://a
ws.amazon.com/blogs/security/introducing-aws-directory-service-for-microsoft-active-directory-
standard-edition/). Amazon Web Services. 24 October 2017.

External links
Microsoft Technet: White paper: Active Directory Architecture (https://web.archive.org/web/2017
0723214323/https://technet.microsoft.com/en-us/library/bb727030.aspx) (Single technical
document that gives an overview about Active Directory.)
Microsoft Technet: Detailed description of Active Directory on Windows Server 2003 (https://we
b.archive.org/web/20160415041807/https://technet.microsoft.com/en-us/library/cc782657(WS.1
0).aspx)
Microsoft MSDN Library: [MS-ADTS]: Active Directory Technical Specification (http://msdn.micr
osoft.com/en-us/library/cc223122.aspx) (part of the Microsoft Open Specification Promise)
Active Directory Application Mode (ADAM) (https://technet.microsoft.com/en-us/library/cc73676
5%28v=ws.10%29.aspx)
Microsoft MSDN: [AD-LDS]: Active Directory Lightweight Directory Services (https://msdn.micro
soft.com/en-us/library/bb897400.aspx)
Microsoft TechNet: [AD-LDS]: Active Directory Lightweight Directory Services (https://technet.mi
crosoft.com/en-us/library/cc754361%28v=ws.10%29.aspx)
 Microsoft MSDN: Active Directory Schema (http://msdn.microsoft.com/en-us/library/ms675085
(VS.85).aspx)
Microsoft TechNet: Understanding Schema (https://technet.microsoft.com/en-us/library/cc73908
6(WS.10).aspx)
Microsoft TechNet Magazine: Extending the Active Directory Schema (https://technet.microsoft.
com/en-us/magazine/2008.05.schema.aspx?pr=blog)
Microsoft MSDN: Active Directory Certificate Services (https://msdn.microsoft.com/en-us/library/
ff630887.aspx)
Microsoft TechNet: Active Directory Certificate Services (https://technet.microsoft.com/en-us/win
dowsserver/dd448615.aspx)

Retrieved from "https://en.wikipedia.org/w/index.php?title=Active_Directory&oldid=1032978564"

This page was last edited on 10 July 2021, at 20:49 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this
site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia
Foundation, Inc., a non-profit organization.