A Primer to Active Directory: Microsoft's System Information Repository
Active Directory is a potent tool for managing large networks of systems across WANs and LANs, but it can be complex to understand and administer. Beth Cohen's primer is designed to help you get acquainted with the tool that can help you create a robust and flexible architecture for addressing your company's needs, now and in the future.
Many administrators today are finding it increasingly difficult to manage their company's infrastructure as the network and systems continue to grow. If you're like many admins, you've probably been avoiding Active Directory as well, either because you have heard that it is too complex and difficult to administer or because you believe you lack the resources to implement it throughout your organization. All the while, management has been pressuring you to improve network security and asset management, and to reduce system administration costs. If this sounds like your working environment, don't put off the inevitable -- it's time to tackle an Active Directory implementation.
Active Directory was officially rolled out in February 2000 as part of Windows 2000 Server. It has been embraced by the system administration community because it allows Windows 2000 and other Microsoft applications to be administered from a single point, which can translate into significant reductions in IT overhead.
Given that some type of Windows server is likely to be in your near-term future, let us delve into the murky details of Active Directory. We will start with how it began and then move on to a detailed look at key AD concepts. Once you gain a solid understanding of the intricacies of Active Directory, you will be able to architect a system properly and deploy it in your organization with confidence.
Active Directory Genesis
Active Directory (AD) was originally created to address the needs of the Microsoft-based user and administrator communities, which desperately needed a comprehensive unified identity management system. It interoperates with and supports key features from several major network protocols -- X.500 (salespeople initially called Active Directory "X.500-like"), LDAP (Lightweight Directory Access Protocol), and DNS (Domain Name System). This allows AD to interoperate with all the major directory services available, but unfortunately, as is common with many Microsoft implementations of standards-based applications, AD has also taken advantage of minor but significant proprietary differences in several of the protocols -- DNS being the most notable.
To best understand Active Directory, we will explain some of the key concepts, starting with the smallest component -- an object -- and working up to the largest modules -- Global Catalogs. Each of the components builds on the smaller one below it.
Objects, Attributes, Object Classes
The basic unit in AD is an Object. Objects are entities that use or are visible on the network, including (but not limited to) users, printers, network devices, computers, applications, and other directories. Attributes are object characteristics. For example, an employee object could have attributes such as name, e-mail address, and telephone number. A powerful feature of Active Directory is attribute-level access control. This capability makes it possible for an administrator to be assigned a limited number of attributes to manage, allowing secure distribution of responsibility throughout the organization. A set of objects that share a common set of attributes and are logically grouped together is an object class. Attributes can be shared across multiple classes.
Active Directory stores the set of object classes in a schema. Each object defined in the schema carries a unique identifier called an OID (object identifier). Though the schema can be extended for special-purpose applications, it is generally recommended to stick with the existing Active Directory objects.
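The two sections above describe objects, attributes, object classes, the schema with its OIDs, and attribute-level access control in the abstract. The following PowerShell session, an added example that is not part of the original article, shows how each of those shows up in a real directory using the ActiveDirectory module: it reads a user object's attributes, looks up the schema definition and OID of the user class and of one attribute, and then audits which security principals have write access to that single attribute on an OU. The domain, the OU name, the account 'jdoe' and the group 'CORP\HelpDesk' are placeholders, not values from the article.

```powershell
# Added example (not from the original article): objects, attributes, schema
# classes/OIDs and attribute-level access control with the ActiveDirectory
# PowerShell module. Domain, OU, user and group names are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName            # e.g. DC=corp,DC=example
$schemaNC = (Get-ADRootDSE).schemaNamingContext          # CN=Schema,CN=Configuration,...

# 1. An object and some of its attributes. 'jdoe' is a placeholder sAMAccountName.
Get-ADUser -Identity 'jdoe' -Properties mail, telephoneNumber, department |
    Select-Object Name, mail, telephoneNumber, department

# 2. The object class as defined in the schema. governsID is the class's OID;
#    mayContain/systemMayContain list attributes the class may carry, and
#    subClassOf shows where the rest are inherited from (user -> organizationalPerson -> person -> top).
$userClass = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'" `
    -Properties governsID, subClassOf, mayContain, systemMayContain
$userClass | Select-Object lDAPDisplayName, governsID, subClassOf

# 3. One attribute's schema entry. attributeID is its OID; schemaIDGUID is the
#    value that access-control entries use to refer to this specific attribute.
$phoneAttr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'telephoneNumber'" `
    -Properties attributeID, schemaIDGUID
$phoneGuid = [guid]::new([byte[]]$phoneAttr.schemaIDGUID)
"telephoneNumber OID: $($phoneAttr.attributeID)  schemaIDGUID: $phoneGuid"

# 4. Attribute-level access control audit: which principals may write ONLY the
#    telephoneNumber attribute on objects under a placeholder OU. An ACE whose
#    ObjectType equals the attribute's schemaIDGUID is scoped to that attribute;
#    an ACE with an empty ObjectType grants the right on all properties.
$ou = "OU=Sales,$domainDN"
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ObjectType -eq $phoneGuid -and $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 5. Delegating that one attribute to a help-desk group instead of full write on
#    user objects. WP = write property; /I:S = apply to sub-objects of the OU.
#    Left commented out because it modifies permissions; run it deliberately.
# dsacls $ou /I:S /G "CORP\HelpDesk:WP;telephoneNumber;user"
```

Step 4 is the check worth keeping in a regular review: unscoped WriteProperty entries (empty ObjectType) on an OU give far more than the single attribute a delegated administrator needs, so comparing the scoped entries against the full ACL is a quick way to confirm that delegation really is attribute-level.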