Active Directory

From Bauman National Library
This page was last modified on 18 June 2016, at 15:01.
Active Directory
Developer(s) Microsoft Corporation
Written in C++
Operating system Windows Server
Type Directory service
Website Official

Active Directory is a hierarchically organized data store holding information about network objects, and it provides a convenient means of finding and using that data. A computer running Active Directory is called a domain controller. Almost all administrative tasks involve Active Directory in some way. The technology is based on standard Internet protocols and helps define the structure of the network clearly.


Active Directory is used to create computer accounts, join computers to the domain, and manage computers, domain controllers and organizational units (OUs). Administration and support tools are provided for managing Active Directory. The following tools are implemented as MMC (Microsoft Management Console) snap-ins:

  • Active Directory Users and Computers - allows you to manage users, groups, computers and organizational units (OUs);
  • Active Directory Domains and Trusts - allows you to manage domains, domain trees and forests;
  • Active Directory Sites and Services - allows you to manage sites and subnets;
  • RSoP (Resultant Set of Policy) - lets you view the policy currently in effect for a user or computer and plan policy changes.

In Microsoft Windows Server 2003 these snap-ins are accessed directly from Administrative Tools. Another administration tool, the Active Directory Schema snap-in, allows you to view and modify the directory schema.

Active Directory Components

Active Directory combines the physical and logical structure of the network components. The logical structure helps organize directory objects and manage network accounts and shared resources. The logical structure includes the following elements:

  • OU (organizational unit) - a subgroup of computers and other objects that, as a rule, reflects the structure of the company;
  • Domain - a group of computers that share a common directory database;
  • Domain tree - one or more domains that share a contiguous namespace;
  • Domain forest (forest) - one or more domain trees that share directory information.

Physical elements help plan the actual structure of the network. The physical structure is formed by the network links and the physical boundaries of network resources. The physical structure includes the following elements:

  • Subnet - a group of computers in a range of IP addresses defined by a network address and network mask;
  • Site - one or more subnets. Sites are used to configure directory access and replication.

Organizational units

An organizational unit (OU) is a subgroup within a domain that often reflects the functional structure of the organization. OUs are logical containers in which accounts, shared resources and other OUs are placed. For example, within a domain you could create OUs named Resources, Division, IT and Marketing; the scheme can then be extended to cover subsidiaries.

Domains

An Active Directory domain is a group of computers that share a common directory database. Active Directory domain names must be unique. For example, two domains cannot share the same name, but a parent domain may have subdomains. If the domain is part of a closed network, the name assigned to the new domain must not conflict with any existing domain name on that network. If the domain is part of the global Internet, its name must not conflict with any existing Internet domain name. To guarantee uniqueness on the Internet, the parent domain name must be registered through a registrar.

Domain functionality is limited and regulated by the mode (functional level) in which the domain operates. There are four domain functional modes:

  • Windows 2000 mixed mode - supports domain controllers running Windows NT 4.0, Windows 2000 and Windows Server 2003;
  • Windows 2000 native mode - supports domain controllers running Windows 2000 and Windows Server 2003;
  • Windows Server 2003 interim mode - supports domain controllers running Windows NT 4.0 and Windows Server 2003;
  • Windows Server 2003 mode - supports domain controllers running Windows Server 2003 only.

Forests and trees

Each Active Directory domain has a DNS-style name. Domains that share directory data form a forest. Within the DNS naming hierarchy, the domain names of a forest may be either noncontiguous (discontiguous) or contiguous.

Domains with a contiguous name structure are called a domain tree. If domains in a forest have noncontiguous DNS names, they form separate domain trees within the forest. A forest may contain one or more trees. The Active Directory Domains and Trusts console is designed for managing domain structures. Forest capabilities are likewise limited and regulated by the forest functional mode. There are three modes:

  • Windows 2000 - supports domain controllers running Windows NT 4.0, Windows 2000 and Windows Server 2003;
  • Windows Server 2003 interim - supports domain controllers running Windows NT 4.0 and Windows Server 2003;
  • Windows Server 2003 - supports domain controllers running Windows Server 2003 only.

Most of the advanced Active Directory features are available in the Windows Server 2003 forest mode. If the domains of the forest operate in this mode, you can use enhanced replication of global catalogs and more efficient replication of Active Directory data. It is also possible to deactivate schema classes and attributes, use dynamic auxiliary classes, rename domains within the forest, and create one-way and two-way transitive trust relationships.

Sites and subnets

A site is a group of computers in one or more IP subnets, used for planning the physical structure of the network. Site planning is independent of the logical domain structure. Active Directory allows you to create multiple sites in a single domain, or a single site covering multiple domains.

Unlike sites, which can span multiple domains, a subnet has a defined range of IP addresses and a network mask. Subnet names are written in network/mask-bits notation, so that the network address and the network mask together form the subnet name.
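Site resolution works by matching a client's IP address against the subnet objects and taking the most specific match. The following Python, added here as an illustration and not part of the original page, performs that lookup over a constructed set of subnet names; the subnet and site names are made up, and it also validates that a subnet name has no host bits set, which a real subnet object would not accept.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of subnet objects: subnet name (network/mask bits) -> site.
# These values are made up for the example; in a forest they live under the
# Subnets container of the Sites configuration.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.10.0.0/16": "Moscow",
    "10.10.5.0/24": "Moscow-Lab",
    "192.168.50.0/24": "Branch-Office",
}

SubnetTable = List[Tuple[ipaddress._BaseNetwork, str]]


def is_valid_subnet_name(name: str) -> bool:
    """True if the name is network/prefix with all host bits zero."""
    try:
        ipaddress.ip_network(name, strict=True)
    except ValueError:
        return False
    return True


def build_subnet_table(mapping: Dict[str, str]) -> SubnetTable:
    """Parse subnet names, rejecting malformed ones, and order them for lookup."""
    table: SubnetTable = []
    for name, site in mapping.items():
        if not is_valid_subnet_name(name):
            raise ValueError(f"invalid subnet name: {name}")
        table.append((ipaddress.ip_network(name, strict=True), site))
    # Longest prefix first, so the most specific subnet wins the match.
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def site_for_address(addr: str, table: SubnetTable) -> Optional[str]:
    """Return the site of the first (most specific) subnet containing addr."""
    ip = ipaddress.ip_address(addr)
    for net, site in table:
        if ip.version == net.version and ip in net:
            return site
    return None  # address belongs to no defined subnet: a configuration gap


TABLE = build_subnet_table(SUBNET_TO_SITE)
```

A `None` result means the client falls into no site; such addresses are worth tracking down, since those clients will not prefer a nearby domain controller.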

Directory Structure

Directory data is made available to users and computers through data stores and global catalogs. Although most functions affect the Active Directory data store, global catalogs (GC) [1] are just as important, because they are used for logon and for searching the directory. If a GC is unavailable, regular users cannot log on to the domain.

Access to and distribution of Active Directory data are provided by directory access protocols and by replication. Replication is needed to distribute updated data to the domain controllers. The main method of distributing updates is multi-master replication, but some changes are processed only by specialized controllers, the operations masters.

Data Store

The data store holds information about the important directory service objects: accounts, shared resources, OUs and group policies. It is sometimes referred to simply as the directory. On a domain controller the directory is stored in the NTDS.DIT file, whose location is chosen when Active Directory is installed (it must be on an NTFS volume). Some directory information can be stored separately from the main store; for example, Group Policy, scripts and other information are recorded in the shared system volume SYSVOL. Making directory information available for shared use is referred to as publishing.

Global Catalog

If local caching of universal group membership is not enabled, network logon is performed on the basis of the universal group membership information provided by the global catalog (GC). The GC also provides directory searches across all domains in the forest. A controller acting as a GC server stores a full replica of all objects in its own domain's directory and a partial replica of the objects in the remaining domains of the forest. [2]

Replication in Active Directory

The directory stores three types of information: domain data, schema data and configuration data. Domain data is replicated to all domain controllers of the domain. All domain controllers are equal, i.e. changes made on any domain controller are replicated to all other domain controllers. Schema and configuration data is replicated to all domains in the tree or forest. In addition, all objects of every domain in the forest, with a limited set of their properties, are replicated to the GC. This means that a domain controller stores and replicates the schema for the tree or forest, the configuration information for all domains in the tree or forest, and all directory objects and properties of its own domain. A domain controller that hosts the GC stores and replicates the schema for the forest, the configuration information for all domains in the forest, a limited set of properties for all directory objects in the forest (replicated only between GC servers), and all directory objects and properties of its own domain.

Active Directory and LDAP

The Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for connections over TCP/IP networks. LDAP is specifically designed to access directory services with minimal overhead. LDAP also defines the operations used to query and modify directory information.

Active Directory clients use LDAP to communicate with computers running Active Directory each time they log on to the network or search for shared resources. LDAP simplifies interoperation between Active Directory and other directory services and migration to Active Directory. To improve compatibility, you can use the Active Directory Service Interfaces (ADSI).
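The queries a client sends over LDAP are search filters. The following Python, added here as an example and not code from the page, builds two filters of the kind used for the logon and shared-resource searches described above: a lookup of a user by sAMAccountName that excludes disabled accounts, and a search for published shared folders. Values supplied by a caller are escaped per RFC 4515 so they cannot alter the filter structure; the matching-rule OID, the ACCOUNTDISABLE bit and the volume class are real Active Directory values, and no directory connection is needed because only the filter string is produced.

```python
# Characters that must be hex-escaped inside an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory's bitwise-AND matching rule OID and the ACCOUNTDISABLE bit
# of userAccountControl (both are real AD values).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x2


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value for safe embedding in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str, enabled_only: bool = True) -> str:
    """Filter matching one user account by sAMAccountName.

    objectCategory=person is added because in AD the computer class derives
    from user, so objectClass=user alone would also match computer accounts.
    """
    parts = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(sAMAccountName={escape_filter_value(sam_account_name)})",
    ]
    if enabled_only:
        # Exclude accounts whose ACCOUNTDISABLE bit is set.
        parts.append(
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"
        )
    return "(&" + "".join(parts) + ")"


def published_share_filter(name_prefix: str) -> str:
    """Filter for shared folders published in the directory (class volume).

    The trailing wildcard is added by this code, never taken from input.
    """
    return f"(&(objectClass=volume)(cn={escape_filter_value(name_prefix)}*))"
```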

Active Directory Command-Line Tools

In conclusion, here are a few command-line tools that cover a wide range of administrative tasks:

  • DSADD - adds computers, contacts, groups, OUs and users to Active Directory.
  • DSGET - displays properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.
  • DSMOD - changes the properties of computers, contacts, groups, OUs, users and servers registered in Active Directory.
  • DSMOVE - moves a single object to a new location within the domain, or renames an object without moving it.
  • DSQUERY - searches for computers, contacts, groups, OUs, users, sites, subnets and servers in Active Directory according to specified criteria.
  • DSRM - removes an object from Active Directory.




Notes

  • [1] GC - Global Catalog.
  • [2] The first domain controller becomes the default GC server. Therefore, if there is only one domain controller, the domain controller and the GC server are the same server.