Introducing
Active Directory
T
he directory service has become one of the hottest new
technologies on corporate networks. Microsoft, a new
member of the directory service club, has created a directory
service on which almost its entire product line depends.
Understanding Active Directory is thus a prerequisite to
any management or deployment of Windows 2000.
In the 1970s, all the computing resources you needed, or could
use, were on the same computer or the terminal you logged on
at. In the 1980s, with the advent of the PC LAN, many files were
located on remote machines, and there were definitive paths
to these machines. LAN users shared the files and printers,
and exchanged e-mail on the LAN. Before the end of the 1990s,
we witnessed the beginning of the paradigm shift where all
information and functionality could be accessed on any server
on any network anywhere . . . and the user did not need to
know where the objects were physically located.
This is the ideal computing model in which all network
objects — servers, devices, functionality, information, authen-
tication, and the transports — combine to become a single
contiguous information system and computing environment.
This environ-ment allows users, whether human or machine,
to attach — or remain attached—to systems from a consis-
tent user interface at any point of entry on the network. No
matter what users require — be they functions of a device,
communication, process, algorithms, or perhaps just infor-
mation and knowledge — they must be able to access such
an object without regard for its physical location.
The Active Directory is Microsoft’s bold leap to realizing the

environments to the promise that waits.
In this chapter, we discuss the elements of AD. We will kick off with a brief discussion
of how and why we will use AD, and from whence it came. Then we break it down into
its constituent components (its logical structure), and finally we discuss how the
components work and interoperate with each other. You will notice that the subject
of Windows domains and trusts is going to be left until a full discussion of the AD has
been achieved.
This chapter also features the first appearance of Millennium City, or
mcity.org
,
which is the example Windows 2000 network infrastructure we use throughout the
book. It’s a network that runs the infrastructure of an entire city, and its Active
Directory is what we used to test the limits of what Microsoft says it’s capable of.
MCITY is essentially one huge Active Directory laboratory.
You don’t need to be in front of your monitor for this chapter. Just curl up with
some snacks and postpone any appointments you might have.
The Omniscient Active Directory:
Dawn of a New Era
The Windows NT client-server architecture was a great improvement over other
server and network offerings, both from Microsoft and other companies. However,
it had a shortcoming that, had it not been resolved in Windows 2000, would have
suffocated the advancement of this highly sophisticated operating system. On
Windows NT— actually any network — resources are not easily distributed. The
interoperation and scalability of numerous NT servers, printers, shares, devices, files,
knowledge resources, functionality, and the sustained availability thereof, collapse
when the ability for all network components and objects to share information is
absent. As discussed briefly in Chapter 1, one of the most significant additions to
Microsoft’s technology is the Active Directory. There is perhaps no other aspect of
Windows 2000 that will have the impact the directory service will, because just about
every new feature or ability of this product depends on a directory service.

without going through at least three logins. Everyday, we log into NetWare, the
Windows NT domains, voice mail, the host system (to the AS/400 via Rumba),
FTP, and then finally the Internet; we won’t go into how many accounts and logins
we have.
Not only do we have to log in dozens of times a day, and remember dozens
of passwords and user or login IDs, but we also have to know exactly where
information and resources are located on the network. The uniform resource
locator on the World Wide Web has alleviated the resource location problem to
some extent (it obviates having to know exactly where something lives on the
Internet), but it is still not ideal and not very smooth. URLs are perishable, and
for the most part unmanageable in large numbers, which means they often do
not get updated. They are not managed in any sensible, cohesive system.
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 27
28
Part I ✦ Windows 2000 Server Architecture
The ideal is some sort of badge that allows us to log in once and then flash it
wherever we go. For starters, every application and service on our LANs, from
e-mail to voice mail to data access to printer access, should be made available
to us through one universal login, at home or at work. The type or level of access
we have will depend on the attributes or “clearance level” of our badges. The
access token provided by Windows NT security comes close to this, but it is not
accepted by other technologies as a valid means of authentication. Figure 2-1
illustrates several systems that should be accessed and managed from a central
login authority. In many cases, this is already possible with Active Directory-
compliant applications such as SQL Server 2000 and Exchange 2000.
Figure 2-1: Active Directory as a central login authority
Active
Directory
Intranet Cloud
Internet Cloud

Interconnection with other directories
Internet Users
Internet Road Warriors
Extranet Access
Security
Extranet Cloud
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 28
29
Chapter 2 ✦ Introducing Active Directory
As you will learn in Chapter 3 and in the chapters in Part III, the single login dream
is achieved using the services of AD and Windows 2000 support for MIT’s Kerberos
authentication. This service is known as Single Sign-On (SSO). SSO has become a
quasi-standard among supporters of the Kerberos protocol, such as Microsoft,
Apple, Sun, and Novell.
Once a trusted user is authenticated via the Kerberos protocol, all other services
that support the Kerberos protocol can accept and allow access to the principal.
This is made possible by the Kerberos use of tickets— the badge idea previously
discussed — which are issued by the directory service.
In Chapter 1, we also told you that the Microsoft network domain architecture in
Windows 2000 has been radically overhauled to seamlessly integrate with the AD
and to extend out to the Internet. Imagine being able to log in to your domain from
anywhere. We will be discussing this in much more depth in a later chapter.
Change management
Active Directory makes it easier to manage the roamers and users of cyberspace
and corporate networks and the computers they use to attach to the network. We
administrators want to be able to manage our users and computing resources in
one central omnipresent repository. We don’t want to repeatedly manage users in
the voice mail directory, on the NetWare servers’ directory, in the Host systems
database, in our e-mail directory, on our Windows domains, and so on.
And we, as managers, need to be able to manage this information easier with

a directory on the network for initial configuration and manipulation over the
lifetime or use of the application. We do not want to concern ourselves with
the inner workings of the directory. We want to create our information or config-
uration object, initialize, use it, and be done . . . no matter where the user installs
or invokes our product. And wherever the object we created is moved to, it should
always be accessible to the application.
With all of the above, the cost of access and management has in the past been high.
We are looking for solutions that will, albeit in the long to medium term, reduce the
cost of both management and operation of cyberspace and the information
technology systems running our companies and our lives.
What Is Active Directory?
There are registries and databases that provide directory-type facility for applications
and users. But not one is interconnected, share-centric, or distributed in any way. AD
is a universal distributed information storehouse into which all network objects, such
as application configurations, services, computers, users, and processes, can be
accessed, in a consistent manner, over the full expanse of a network or internetwork.
This is made possible by the logical structure of the directory. And before you start
scratching your head, you should understand that without Active Directory you
cannot log in to a Windows 2000 domain, period. Chapters 7 and 8 discuss this and
illustrate the control you have over AD’s logical and physical structure.
We compare AD to a database later on in this chapter and in Chapter 7 in much
more detail. Meanwhile, if you’re keen to adopt this child, then you need to know
something about its parents.
The Grandfather of the Modern Directory:
The X.500 Specification
The directory service as we are coming to know it began with an interconnection
model proposed by the International Standards Organization (ISO) little more than
20 years ago. This model is popularly known as OSI, which stands for open-systems
interconnection. In the late eighties, OSI was given a huge boost by big business and
government and quickly became the foundation for the information revolution we

Country
Organization
Person
US
MCITY
Jeffrey Shapiro
P1
C1 C3
O2O1 O3
P2P1 P3
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 31
32
Part I ✦ Windows 2000 Server Architecture
at the top, and the branches and leaves hang down, free to proliferate. This model
assured that any object in the tree is always unique as long as it is inherently part of
the tree and can trace its “roots” to the single node at the top. Active Directory trees
(and DNS) work the same way, as discussed later. The tree is read from the bottom
to the top.
Figure 2-3: The X.500 tree structure
The objects in the X.500 tree represented containers for information representing
people, places, and things. These objects would also be organized or grouped into
classes (for example, groups of countries, companies, localities, and so on).
The X.500 standard included the following container objects:
✦ Countries
✦ Location
✦ OU or organizational unit
Unfortunately, X.500 suffered from several limitations in its early days. It became
bogged down under its own weight (the specification was exhaustive), and in many
respects it was ahead of its time (especially with respect to its ties to OSI). It made
its appearance in the late 1980s at a time when most innovators could care less

access and exploit LDAP-compliant directory services. The client needs only
to know how to “talk” to LDAP (IP). TCP, the transport, takes care of the rest.
✦ LDAP performs hyper-searching, which is the ability of a directory to refer to
another for authoritative information. In other words, one LDAP directory can
defer to another to chase information. An example of this is how Web-based
search engines look to other search engines, via hyper-linking, for collateral
information or information that does not exist in their own databases. Directory
services on a worldwide Internet thus can become contiguous and distributed
to form a transparent massive service, limited only by available servers and
network resources.
The replication mechanisms Microsoft is building into its products are so advanced
that products such as SQL Server 2000 will become fully distributed before 2003.
✦ Early on its childhood, LDAP implemented a rich C-based API, making C the de
facto programming language of the directory service. Using the most popular
language of the day with which to call directory functionality ensured LDAP
widespread support in the bustling developer community.
Note
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 33
34
Part I ✦ Windows 2000 Server Architecture
LDAP consists of the following components, which in some shape or form are the
foundations of all modern directories, including the AD:
✦ The data model: This model represents how data is accessed in the
directory. The data model is inherited directly from the data model of
the X.500 specification. Objects are infused with information by way of
assigning attributes to them. Each attribute is type-casted and contains
one or more distinct values. The objects are classified into groups of
classes, such as organizational units (OUs) or Companies.
✦ The organization model: This is the inverted tree paradigm we earlier
discussed, which is also inherited directly from the X.500 specification. It is

be accessed from most e-mail applications, Web-based applications, and even
embedded systems such as routers and gateway devices.
After X.500
A number of large technology companies are hard at work on directory services.
The two of note who appear to have been at it longer than Microsoft are Banyan
Systems and Novell. Others include Netscape and IBM (Lotus Notes).
Banyan perhaps has been at it the longest with its StreetTalk product that has been
part of the Vines OS for more than a decade. Novell entered the market mid-way
through the 1990s with a directory service aimed at its installed NetWare base, called
the Novell Directory Service (NDS), and it has been working on versions of NDS that
will be independent of the NetWare OS, including a version for Windows NT.
Despite its immaturity, AD has been built on proven technology. One area on
which it heavily depends is replication, and the technology for this comes from
Microsoft Exchange. The Exchange site integration and replication technology has
been proven on millions of installations around the world.
From the ground up, Active Directory has been built on open, international
standards. It is important to note that AD is not an X.500 directory, but it has
borrowed heavily from the X.500 specifications. In particular, it uses LDAP
as the access protocol, which opens it to everyone and everything. In short,
Microsoft has taken everything that was great about X.500 and LDAP and
combined it with proven technologies it has develop-ed for other purposes
over the years (such as Microsoft’s Component Object Model [COM]). AD
can exchange information with any application or service that uses LDAP.
AD also relies on DNS as its locator service, allowing clients to transparently
locate domain controllers (AD hosts) by merely connecting to a DNS server and
looking up the IP addresses for the closest domain controller. (We will discuss
this further in Chapters 7 and 8.)
Note
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 35
36

version
.ini
files in error, the application was, for better or worse, destroyed (if the
.ini
files were not backed up). The registry set out to change all that. Today, some of
the largest software houses in the world still do not use it; I can’t imagine why.
What’s more, the registry also became the home for the so-called Security Account
Manager (SAM). This database stores and manages all the security and access
control authority of network resources.
There are some similarities between the registry and the AD. Specifically, the
registry is:
✦ Also a database, somewhat cryptic and complex, but still a database.
✦ Open and accessible (except for the SAM part).
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 36
37
Chapter 2 ✦ Introducing Active Directory
✦ Able to be programmed against.
✦ A replicating structure (single master), providing some vestige of a
distributed system.
✦ A system of hierarchical structures, which contains records that hold
configuration data.
For the most part, the similarities end here. Comparing the registry to Active
Directory is like comparing a JetSki to the USS Kitty Hawk. AD is a completely
different animal. Yes, you can still use the registry to store configuration data,
and you would still use the registry on a standalone workstation or server,
even a domain controller. Specifically, the difference is that AD is:
✦ A distributed multi-master database (peer directories update each other
in real time, latency aside).
✦ Built on open, Internet-based standards.
✦ Object-oriented.

that Microsoft supports are essentially provided for backward compatibility
with earlier versions of NT, other network operating systems, legacy
transports such as SNA and the DLC protocols, and NetBEUI clients.
✦ Active Directory provides a rich set of C/C++, Java, VB, and scripting language
interfaces, allowing it to be fully programmed against.
We have investigated which languages or programming environments should be
used to program the Active Directory. For the speed required by complex code and
advanced development, such as creating service providers, C++ is best. For RAD
and the majority of component-based development, Visual Basic, using the Active
Directory Services Interface (ADSI), is best. Java is useful when you need to make
calls to the LDAP API, but we have found Microsoft’s support for Java-based access
to Active Directory lukewarm to say the least.
✦ Active Directory is built into the Windows NT operating system (still at the
core of Windows 2000), making it backward compatible with earlier versions
of Windows NT.
✦ Active Directory is a fully distributed architecture allowing administrators to
write once and update everywhere from a single point of access, across any
network.
✦ Active Directory is highly scalable and self-replicating. It can be implemented
on one machine, or the smallest network, and can scale to support the largest
companies in the world. Resources and adoption permitting, once the kinks
(and it has a few) are worked out, it will likely become a pervasive technology
within a short time.
✦ Active Directory’s structural model is extensible, allowing its schema to evolve
almost without limits. In this regard, Active Directory has to comply with the
X.500 specification that extending the schema requires you to register the new
class with a X.500 governing body. This compliance is achieved by registering
an Object Identifier (OID) with the authorities. In the United States, the
authority is the American National Standards Institute (ANSI).
AD has fully adopted the most popular namespace models in use today. It embraces

users can now log in to a Windows 2000 network by simply entering their user ID
and password, like this:
User: [email protected]
Password: *************
It is possible to assign any UPN to a domain for login. In other words, you might
create a domain called MCITY but prefer users to log in as [email protected]
so that they do not need to remember more than their e-mail addresses.
LDAP and X.500 names
The LDAP and X.500 naming conventions are known scientifically as attributed
naming, which consists of the server name holding the directory (which we refer
to as the directory host), user name, organizational unit, and so on. For example:
LDAP://anldapserver.bigbrother.com/cn=jsmithers,ou=trucksales,
dc=bigbrother,dc=com
LDAP names are used to query the Active Directory.
Active Directory and the Internet
It is possible to locate AD servers anywhere on the Internet or a private intranet.
These AD servers can be full-blown Windows 2000 domain controllers, or they can
serve the single purpose of being LDAP directory servers. The information and
access that users and clients enjoy from these servers is transparent.
The client needs only resolve the closest AD server to it to get information. The
closest server might be on the same site as the client, in which case the DNS server
will resolve to an AD server on the same subnet as the client. Or it may be located
Tip
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 39
40
Part I ✦ Windows 2000 Server Architecture
on a site far away. This means that AD can and will be used as an Internet directory
server without ever being accessed for domain authentication. Multiple AD servers
will link together to provide a global directory service that spans the continent.
Active Directory Everywhere

allowing administrators to model the domain after their physical organization
structure or relevant business models. A single domain can start very small and
grow to contain tens of millions of objects; thus, objects can be defined at the
smallest corporate atomic structure without the fear of overpopulation, as was
the case with Windows NT 4.0, and NetWare 3.x and 4.x.
Note
4667-8 ch02.f.qc 5/15/00 1:56 PM Page 40