Active Directory is a distributed system that is made up of a directory database, which includes a schema, transaction logs, a directory service, and all the other necessities that come with a database. The directory service is the process (or processes) that makes use of the information that is stored in the directory database.
Active Directory provides directory services that are geared toward the enterprise. This means that Active Directory services must provide additional functionality and availability, such as the following:
- Scalability—Active Directory domains are logical security boundaries around a set of objects. A domain can contain a varying number of objects, ranging from the hundreds to the millions. Domains can be added and deleted as necessary.
- Extensibility—As previously mentioned, the Active Directory database uses a schema. The schema is the definition of all of the objects that can be created in Active Directory, along with their attributes. The schema can be modified, allowing for new objects or modified attributes on existing objects. In addition, new object classes can be added to the schema to support directory-enabled applications.
- Internet standards—Microsoft is starting to move away from proprietary protocols and methods; it would rather sponsor RFC drafts that add the desired functionality (which is good for all of us). Consequently, name resolution and the directory access and security protocols are standard Internet protocols.
- Single-seat administration—Administrators can administer any portion of the directory from a single location in the organization (with the right permissions, of course).
- Fault tolerance—Each domain controller (DC) in the domain has a complete copy of that domain's directory, making Active Directory a multimaster directory. Each DC has a writable copy of the domain partition. If one DC fails, the other DCs are still capable of satisfying requests for Active Directory services.
- Security—Access control lists (ACLs) control who has permission to access directory data.
- Interoperability—Because Active Directory is based on an X.500 directory and uses Internet standard protocols, it is capable of interacting with other X.500-based directory services.
Naming and Name Resolution
Every object that represents information or resources in Active Directory must have a name that is unique within Active Directory. Additionally, Active Directory must support several of the common naming conventions that clients might use. The name is an X.500-style distinguished name (DN) that describes the object's location in the directory. The relative distinguished name (RDN) is the portion of the DN that makes the object unique within its container. If you have two Ed Brovicks in your organization (heaven forbid), they will have unique DNs as long as they are in different OUs or have different RDNs. For example, there could be two Ed Brovicks in two different OUs because the OU makes each DN unique. If two Ed Brovicks exist in the same OU, they would have to have different RDNs, such as CN=ebrovick and CN=ebrovick1, so that their DNs are unique.
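The DN/RDN rule above, worked through in code. This is an added example, not from the original text: it splits a DN into its RDNs, derives the parent container, and flags two objects that would share an RDN in the same container. The DNs and the example.com domain are constructed samples.

```python
# Added example, not from the original text: split an X.500-style DN into its
# RDNs, derive the parent container, and flag objects that would share an RDN
# inside one container. All DNs are constructed samples under a hypothetical domain.

def split_dn(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas (a backslash escapes the next char)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns

def rdn_of(dn: str) -> str:
    """The RDN is the leftmost component; the attribute type is normalised to upper case."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return f"{attr.strip().upper()}={value.strip()}"

def parent_of(dn: str) -> str:
    """The container holding the object is the DN with its leading RDN removed."""
    return ",".join(split_dn(dn)[1:])

def find_rdn_collisions(dns: list) -> list:
    """Return (container, rdn) pairs used by more than one object; compared case-insensitively, as CN is."""
    seen, collisions = set(), []
    for dn in dns:
        key = (parent_of(dn).lower(), rdn_of(dn).lower())
        if key in seen and key not in collisions:
            collisions.append(key)
        seen.add(key)
    return collisions

SAMPLE_DNS = [  # constructed sample objects
    "CN=Ed Brovick,OU=Sales,DC=example,DC=com",
    "CN=Ed Brovick,OU=Engineering,DC=example,DC=com",  # same RDN, different OU: allowed
    "CN=ebrovick,OU=Sales,DC=example,DC=com",
    "CN=ebrovick1,OU=Sales,DC=example,DC=com",         # same OU, different RDN: allowed
    "CN=Brovick\\, Ed,OU=Sales,DC=example,DC=com",     # escaped comma inside the value
    "cn=ed brovick,ou=sales,dc=example,dc=com",        # same container and RDN as the first: collision
]
```

Calling `find_rdn_collisions(SAMPLE_DNS)` reports only the last entry, since the two Ed Brovicks in different OUs already have distinct DNs.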
The following list shows the organization of the Active Directory objects involved in name resolution.
- Name resolution—The process that translates the DN into an object or into the information that the DN represents.
- Active Directory—A collection of objects. These objects and their definitions are as follows:
  - Object classes—These are the types of objects that can be created in the directory. Object classes have attributes associated with them, which compose the object class. Users, for example, are a class of objects. First Name and Last Name are examples of attributes that are associated with the Users object class.
  - Objects—These are the instances of the object classes that you create. When you create a user object, it is based on the object class.
  - Attributes—These are the characteristics, or fields, that make up the object class. Each object's attributes, as well as the values that each can contain, are defined in the object classes. Attributes can be either mandatory or optional. Again, when a user object is created, attributes on that object are populated. Examples of such attributes are First Name, Last Name, and Display Name.
  - Schema—The schema contains all of the Active Directory object classes and attributes. It is the dictionary that defines what can be stored in the Active Directory database.