Windows Server NOS and Active Directory concepts

Directory services often use a hierarchical structure to organize various sets of records In this chapter we will look at the basics of Microsoft Active Directory and some general concepts of the Windows Server network operating system.

Many concepts of computer networking are independent of the network operating system (NOS). General networking concepts and services related to TCP /IP are covered in the section basic network concepts and the OSI model explained in simple terms.

What are directory services?

The power of today's modern  business enterprise networks is fueled by the concept of directory services.

A common example of a directory in the non technology world is a telephone directory, where a list of names is used to cross reference addresses and phone numbers.

In computer networks directory services store, organize, and provide access to information in a directory, creating associations between names and other values. Directory services often use a hierarchical structure to organize various sets of records such as a corporate email directory or telephone directory.

The X.500 series established the basic standards covering electronic directory services with the concepts. The X.500 series, first approved in 1988, defined a hierarchical information tree structure consisting of the Distinguished Names of directory service entries. The International Organization for Standardization (ISO)  was a partner in developing the standards.

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. 

One of the advantages of a directory service compared to earlier types of network computing was to provide a single sign-on for a user so that only one log in was required on a network to access many shared services.

The latest version of LDAP established by the Internet Engineering Task Force (IETF) Standard Track Request for Comments (RFCs), was published as RFC 4511 in 2006.

What is Microsoft Active Directory?

Microsoft Active Directory is Microsoft's directory service for Windows domain networks.

With Microsoft Active Directory a domain controller is a  Windows Server that authenticates and authorizes all users and computers in a Windows domain network.

when a user logs into a Windows domain computer the domain controller checks the submitted user name and password against active directory to determine what access rights the user has on the local workstation as well as network wide privileges. 

Microsoft Active Directory is described as using LDAP as the access protocol and supports the X.500 information model without requiring systems to host the entire X.500 overhead. According to Microsoft (1) , "Lightweight Directory Access Protocol (LDAP) is a subset of the X.500 protocol. LDAP clients are, therefore, smaller, faster, and easier to implement than are X.500 clients."

Microsoft Active Directory was first released with Windows 2000 Server edition.(2)  Active Directory was first released in beta in 1997.(3)


Introduction to Lightweight Directory Access Protocol (LDAP)

Network World states that "it all started on Feb. 17, 2000, with the official release of Windows 2000, which featured the first ever network directory from Microsoft."

(3) Active Directory: Designing, Deploying, and Running Active Directory  By Brian Desmond, Joe Richards, Robbie Allen, Alistair G. Lowe-Norris
From the book, " The NT NOS slowly evolved over the next eight years until Active Directory was first released in beta in 1997."

What are Active Directory Domain Services naming contexts

A generic diagram of a 'tree' or 'hierarchical' computer networkThe individual sub components of the Active Directory Domain Services (AD DS) replication architecture and naming contexts (NCs) are discussed here.

Windows Active Directory is full of definitions and acronyms.  Like we have in other sections of we have grouped definitions together so they compliment each other and help to better understand a general concept.

What are  Active Directory Domain Services naming contexts?

Active Directory Domain Services (AD DS) naming contexts (NCs), also called partitions, are a contiguous sub-tree of the directory that is a unit of replication.

In the Active Directory each domain controller always holds at least three NC replicas: 1) Schema, 2) Configuration, and 3) Domain naming context

1) The schema naming context defines types of objects and attributes of those objects that can be created stored in the AD DS, and as well as the rules for creating and manipulating them.

Schema information is replicated to all domain controllers in the forest. Unlike other NCs, the schema NC is only writeable on the domain controller holding the Schema Master role.

2) The configuration naming context is the container in Active Directory that specifies the configuration of the forest. Specifies such things as partitions, sites, servers, display specifiers, services, physical locations, well-known security principals, and forest updates.

All enterprise domain controllers need this information to make operational decisions so it is replicated to every domain controller in the forest.

3) Domain naming contexts contain the actual objects in the directory such as users, groups, computers, and organizational units. A full domain naming context replica contains a writeable replica of all information in the domain including all objects and their attributes.

A domain controller (DC) holds a full replica of its domain naming context. A partial domain naming context replica contains a read-only subset of the information in the domain, all objects, but only selected attributes.  These attributes are collectively known as the Partial Attribute Set (PAS).

What is a forest?

The term forest describes a collection of Active Directory trees that share a Configuration container and Schema and are connected through trusts. The forest acts as a security boundary for an organization and defines the scope of authority for administrators.

What is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest.

The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.  Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

Notes and disclaimers

Our goal is not be be a complete course on Active Directory Domain Services, but to sort through some definitions and acronyms in a logical manner to help in understanding the main topics.

Most of the concepts are defined using Window Server 2003 or Windows Server 2008 definitions. The overall concept of active directory has not changed much since Windows Server 2000, but some of the specific terms have changed with each update. In Microsoft Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008, the directory service is named Active Directory Domain Services (AD DS).

See the links below to Microsoft's website for additional information.

Active Directory Replication Technologies

How Active Directory Replication Works

Graphic: A generic diagram of a 'tree' or 'hierarchical' computer network