180_AD2e_01P1 8/30/01 10:39 AM Page 2
Introduction to Active Directory
Solutions in this chapter:
■ Introduction to Directory Services
■ Introduction to Active Directory
■ Active Directory Architecture
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 1
4 Chapter 1 • Introduction to Active Directory
Introduction
In November 1996, Microsoft delivered the first preview of Active Directory for
developers at the Professional Developers Conference held in Long Beach,
California. At the time, it was just the directory service that was shipped with
Windows NT 5.0, and the preview included many other Windows NT 5.0 features.
A lot of changes have taken place since then. For one, Windows NT 5.0 was
renamed Windows 2000, and then it was released to the public officially in
February 2000, four years after its original preview to developers.

The change of the name from Windows NT 5.0 to Windows 2000 was a surface
change only. Windows 2000 inherits the NT technology legacy from previous
versions. It has been established as the basic network operating system for
Microsoft’s .NET platform. All .NET services run on Windows 2000 Server.
Applications developed with the .NET framework also require servers to be
running Windows 2000. The directory service used by .NET applications is

a way to create relationships between the pieces. The relationships between these
pieces are what make the directory service so powerful. For example, in DNS, a
DNS client computer can query a DNS server to find out the IP address of a
server that it wants to contact. The DNS server receives the host name and
returns the IP address in short order. More complex relationships can be created
in more complex directory services, such as providing access to network resources
and services for users who log on.
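The DNS lookup just described, as an added example that is not part of the original chapter: the code builds a standard A-record query in DNS wire format (RFC 1035 header, question section, label encoding) and parses a constructed response that uses a name-compression pointer, the way a real server answers. The hostname fileserver.example.com, the transaction ID 0x1234 and the address 192.0.2.10 are made-up sample values. Before accepting an answer the parser checks the transaction ID, the QR bit and the RCODE, which is the minimum a resolver should verify before trusting the address it was handed.

```python
import struct


def _encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, hostname: str) -> bytes:
    """Build a recursive A-record query for hostname with transaction id txid."""
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Question: QNAME, QTYPE=A (1), QCLASS=IN (1)
    return header + _encode_name(hostname) + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes, expected_id: int):
    """Return [(name, ipv4, ttl)] for every A record in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: not an answer to our query")
    if flags & 0x8000 == 0:
        raise ValueError("QR bit clear: message is a query, not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


def sample_exchange():
    """Constructed client/server exchange: query, then a matching response."""
    txid = 0x1234  # sample value
    query = build_query(txid, "fileserver.example.com")
    # Constructed response: flags 0x8180 (QR=1, RD=1, RA=1), one question,
    # one answer whose name is a pointer (0xC00C) back to the question name.
    response = (
        struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        + _encode_name("fileserver.example.com") + struct.pack("!HH", 1, 1)
        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    )
    return len(query), parse_response(response, txid)


if __name__ == "__main__":
    print(sample_exchange())
```

The transaction-ID check matters because a DNS client only has that 16-bit value and the source port to tie an answer to its question; answers that fail the check are discarded rather than cached.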
Directory Enabled Networks
The Distributed Management Task Force (DMTF) is developing a standard for
Directory Enabled Networks (DEN). You can access the DMTF Web site at
www.dmtf.org. Even though many network operating systems support one or
more types of directory services, most of those directory services are vendor
specific. This means that one server on a network might be able to access one
particular directory, but another server on the same network will not be able to
access that directory simply because it is running a different vendor’s network
operating system. As a result of using multiple network operating systems, you
might be using multiple directory services on a single internetwork. This poses
problems for users who are faced with multiple logons and for network
administrators who must manage information that is duplicated across multiple
directory services.

As vendors create DEN-compliant directories, multiple network operating
systems will be able to participate in a single directory service. This will solve the
challenges of managing the same information in multiple directory stores. It will
also reduce the number of logons that a user must execute in order to access
network resources.

The standard directory service being developed for DEN will extend beyond
the simple organization of addresses and host names that DNS provides. Instead,
the directory service will organize all the services and resources participating in a
network, depicted in Figure 1.1. Once the DEN standard is finalized, Microsoft
intends to make Active Directory comply with that standard.

DEN standards eventually will apply to all future directory services, and also
Figure 1.1 (illustration): the directory service Organizes, Manages Information,
Applies Security Settings and Enables Access for network resources such as a
Network Printer, a File Server, an E-Mail Address, a DHCP Address, a DNS
Address/Hostname and an Application License.
Networks first popped up in the military as a method to share data quickly
across great distances. They offered a major advantage in times of war. Money was
one of the main reasons that networking became prevalent in businesses. Hard
drives were extremely expensive, as were printers. Many of the first corporate
networks sprang up out of a need to share printers and precious hard-drive space
client computers. The PDC is the security manager of the domain. BDCs
maintain a read-only copy of the security database, and the PDC remains the
single point of change control. Member servers and client computers contact the
domain controller (DC) to access network resources. Because of their
membership, a PDC or BDC in the domain can use the security database to
authenticate users to access resources. A member server can use the security
database by querying a PDC or BDC. A domain is logically established in the
structure shown in Figure 1.2.
A domain is a security boundary, which means that if you need to separate
one security set from another, you will need to have more than one domain.
Using trust relationships, you could have multiple domains. A trust relationship is
established between two domains. In order to enable users of domain A to access
the resources such as the files and printers of domain B, domain B must trust
domain A. When drawn out, this trust relationship is shown as an arrow pointing
from the trusting domain to the trusted domain. Microsoft defines various
models for a multiple domain structure:
■ Master Domain model All resource domains trust a single Master
Domain that contains all user accounts. This is depicted in Figure 1.3.
■ Multiple Master Domain model All resource domains trust all
Master Domains. Master Domains contain user accounts. Each Master
Domain trusts all other Master Domains.
■ Single Domain model There is only a single domain that contains all
users and resources. There is no trust relationship with other domains.
■
administrative area, the only way to implement distributed administration is to
have multiple domains. Legacy NT domains require a significant amount of
traffic between clients and the PDC or a BDC. These domains also require the
security database to be copied from a PDC to the BDCs on a periodic basis. This
traffic overhead is undesirable over wide area network (WAN) links that may
have a limited amount of bandwidth available, or that are costly to transmit traffic
across. To reduce this overhead, multiple domains can be created such that no
domain spans a WAN link.

Trust relationships between multiple domains become cumbersome as
more domains are added. As a result, trade-offs may be made between WAN
performance or administrative needs and domain structures.
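The domain models and trust arrows described above, as an added example that is not part of the original chapter: each legacy NT trust is stored as a one-way edge from the trusting domain to the trusted domain, exactly the direction the arrow is drawn. Legacy NT trusts are also non-transitive (a fact about NT 4, not stated in the chapter), so the access check consults only a direct edge and never follows a chain. The builders reproduce the Single, Master and Multiple Master Domain models and count the trusts each needs; full_mesh() is an added generalization showing why trusts become cumbersome, since n mutually trusting domains need n(n-1) one-way trusts. Domain names such as CORP, EAST and WEST are constructed sample values.

```python
from itertools import permutations


class TrustMap:
    """One-way, non-transitive trusts between legacy Windows NT domains.

    An edge (trusting, trusted) means the trusting domain accepts accounts
    from the trusted domain; it is drawn as an arrow trusting -> trusted.
    """

    def __init__(self):
        self.trusts = set()

    def add_trust(self, trusting, trusted):
        if trusting == trusted:
            raise ValueError("a domain does not need a trust with itself")
        self.trusts.add((trusting, trusted))

    def can_access(self, account_domain, resource_domain):
        """Can an account from account_domain use resources in resource_domain?"""
        if account_domain == resource_domain:
            return True  # accounts always reach their own domain's resources
        # Non-transitive: only a direct trust from the resource domain counts.
        return (resource_domain, account_domain) in self.trusts

    def trust_count(self):
        return len(self.trusts)


def single_domain_model(domain):
    """One domain holds all users and resources, so there are no trusts."""
    return TrustMap()


def master_domain_model(master, resource_domains):
    """Every resource domain trusts the single master that holds the accounts."""
    tm = TrustMap()
    for resource in resource_domains:
        tm.add_trust(resource, master)
    return tm


def multiple_master_domain_model(masters, resource_domains):
    """Resource domains trust every master; masters trust each other."""
    tm = TrustMap()
    for resource in resource_domains:
        for master in masters:
            tm.add_trust(resource, master)
    for a, b in permutations(masters, 2):
        tm.add_trust(a, b)
    return tm


def full_mesh(domains):
    """Added generalization: every domain trusts every other, n*(n-1) trusts."""
    tm = TrustMap()
    for a, b in permutations(domains, 2):
        tm.add_trust(a, b)
    return tm


if __name__ == "__main__":
    # Constructed sample domain names.
    md = master_domain_model("CORP", ["EAST", "WEST", "SOUTH"])
    print("master model trusts:", md.trust_count())
    print("CORP account -> EAST resource:", md.can_access("CORP", "EAST"))
    print("EAST account -> WEST resource:", md.can_access("EAST", "WEST"))
    mm = multiple_master_domain_model(["CORP1", "CORP2"], ["EAST", "WEST", "SOUTH"])
    print("multiple master trusts:", mm.trust_count())
    print("10-domain full mesh trusts:", full_mesh([f"D{i}" for i in range(10)]).trust_count())
```

Running the sample shows the trade-off the text describes: three resource domains need three trusts under a single master, eight trusts with two masters, and ten mutually trusting domains already need ninety, each of which is a credential-accepting boundary an administrator has to review.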
www.syngress.com
Figure 1.3 Legacy Windows NT Master Domain Model (illustration: the Master
domain holds the Domain Controllers and Users; the resource domains hold the
Network Printers, Member Servers and Client Computers)