This blog's focus will be on the Active Directory suite of technologies. These technologies provide the underpinning for the majority of Microsoft's suite of business-ready products. As such, this blog will touch on all aspects of Active Directory including Security, Group Policy, Kerberos, Authentication, Authorization, Operations, Migrations, and Troubleshooting.

Feel free to join me as I learn about this core set of technologies.

Thursday, July 21, 2011

Terminology for Active Directory

Before I post any videos about how to do things in AD DS, it’s important to establish the basic terminology that we’ll be working with.  As we move forward, I’ll try to reference this post for the basic definitions of terms.  And, of course, there are far more terms that apply to AD DS than are listed below.  But these basic definitions should get you started.

If you want a more full-bodied discussion of AD DS concepts, I’ve listed a few book recommendations at the end of this post.

  • Authentication – the process by which Active Directory verifies that a security principal is who it claims to be.
  • Authorization – the process by which Active Directory determines the level of permissions (i.e. what it’s allowed to do and what it is restricted from doing) a security principal has over the resources it wishes to access.
  • Domain – a partition within an Active Directory Forest that allows the setting of administrative boundaries, limits replication of objects, and enables the setting of security parameters via Group Policy.
  • Domain Controller (DC) – a special Windows server that stores the Active Directory database and provides directory functionality.
  • Domain Name System (DNS) – the name resolution system used by Active Directory (may be integrated with Active Directory, or maintained separately).
  • Forest – this represents a single instance of Active Directory.  It will contain at least one Domain and possibly many domains.  Directory partitions (configuration, schema, domain, and application) combine to define the Active Directory Forest.
  • Global Catalog – a special type of Domain Controller that contains a writable copy of all directory objects that exist within the same domain as the GC, along with a read-only thumbnail of all objects from every other domain within the Forest.
  • Group Policy – allows for automated management of Active Directory objects (users, computers, and groups).  Group Policies can be configured to impact local machines, sites, domains, or organizational units.
  • Kerberos – the standard authentication protocol used by Active Directory.  For a complete discussion of the Kerberos protocol, refer to RFC 4120 available at http://www.ietf.org/rfc/rfc4120.txt
  • LDAP – the lightweight directory access protocol used to access information and services available within Active Directory.
  • Organizational Unit (OU) – the standard container within Active Directory that holds objects such as users, groups and computers.  Organizational units can be used to apply Group Policy settings to the objects housed within the OU and potentially its child OUs.
  • Operations Masters – specialty roles within Active Directory that ensure the health of the directory throughout the forest.  These roles are either unique to a domain (i.e. each domain will have one of them) or to a forest (there will be only one in an entire forest).  They are:
    • Schema Master (forest-wide): maintains and updates the AD DS Schema
    • Domain Naming Master (forest-wide): manages the addition/removal/modification of domains within AD DS
    • RID Master (domain-wide): hands out relative IDs (RIDs) used by a domain controller when creating unique objects in AD.  When a new object is created in AD DS, the domain controller appends a RID to the domain SID (security identifier) to produce a unique identifier for that object within the domain
    • PDC Emulator (domain-wide): this DC functions as the primary domain controller for clients that are not Active Directory aware (such as Windows NT 4).  It also manages password changes for a domain
    • Infrastructure Master (domain-wide): keeps track of object changes in other domains and updates object references in its domain that point to the objects which have been changed in other domains
  • Partial Attribute Set (PAS) – this is the list of attributes that will be replicated to the Global Catalog as part of the thumbnail of each object in the directory.
  • Partition – AD DS has 3 essential partitions and one optional partition.  These groupings of objects are broken out by purpose and in order to minimize replication throughout the forest.  The partitions are:
    • Configuration (replicated forest-wide): contains all objects used for the configuration and maintenance of Active Directory
    • Domain (replicated domain-wide): contains all objects specific to a domain, such as users and computers
    • Schema (replicated forest-wide): contains the objects and properties allowed within Active Directory
    • Application (optional): this partition can be replicated to any domain controllers specified and can contain objects determined by the application using this partition.  For example, when DNS is integrated with Active Directory it can be replicated to any domain controller of your choosing.
  • Replication – the process of replication allows the information within Active Directory to be housed in multiple locations via the multi-master model of AD.  Replication occurs per partition and happens as follows:
    • Configuration: information is replicated forest-wide
    • Schema: information is replicated forest-wide
    • Domain: information is replicated domain-wide with certain information replicated forest-wide via Global Catalogs
    • Application: information is replicated based on the requirements of the application
  • Security Principal – an object that can authenticate against Active Directory.
  • Schema – the schema contains the definitions for the various objects (and the properties that those objects can have) that exist within the Active Directory structure.
  • Site – a well-connected group of Domain Controllers, servers and clients with high-speed connectivity.
  • Trust – allows users in one domain to authenticate to external environments (other domains, forests, or non-Active Directory environments) in order to gain access to the resources located in those environments.
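To make the RID Master entry concrete, here is a small added example (my own code, not from this post or from Microsoft) that builds a SID the way a domain controller does, by appending a RID to the domain SID, and splits one back apart so that well-known RIDs such as 500 (Administrator) can be recognised even when the account has been renamed.  The domain SID and account SIDs are constructed sample values.

```python
import re

# Constructed sample values (not from the original post): a domain SID and
# account SIDs built from it, in the standard "S-1-5-21-..." textual form.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_SIDS = [
    DOMAIN_SID + "-500",   # RID 500: built-in Administrator (well-known RID)
    DOMAIN_SID + "-512",   # RID 512: Domain Admins group (well-known RID)
    DOMAIN_SID + "-1105",  # RID >= 1000: an object created from a DC's RID pool
    "S-1-5-32-544",        # BUILTIN\Administrators: not a domain account SID
]

# Well-known RIDs keep their meaning even if the object is renamed, which is
# why auditors key on the RID rather than the display name.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins"}

_SID_RE = re.compile(r"^S-1-(\d+)-(\d+(?:-\d+)*)$")


def parse_sid(sid):
    """Split a textual SID into (identifier authority, list of sub-authorities)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a valid SID string: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")]


def split_domain_sid(sid):
    """Return (domain SID, RID) for a domain account SID, or (None, None) when
    the SID is not of the S-1-5-21-<three sub-authorities>-<RID> form."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return None, None
    domain = "S-1-5-" + "-".join(str(x) for x in subs[:4])
    return domain, subs[4]


def build_sid(domain_sid, rid):
    """What a DC does at object creation: append the RID to the domain SID."""
    return "%s-%d" % (domain_sid, rid)


def describe(sid):
    domain, rid = split_domain_sid(sid)
    if domain is None:
        return "not a domain account SID"
    label = WELL_KNOWN_RIDS.get(rid, "pool-allocated RID")
    return "domain %s, RID %d (%s)" % (domain, rid, label)


if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        print(s, "->", describe(s))
```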

One caveat…AD DS is big.  It’s quite complex, and the list above is in no way a complete list of terms necessary for you to become an AD expert (in fact, the best description of the list above is “woefully inadequate”!).  These terms are offered only because they are the absolute minimum information that needs to be understood when working with Active Directory.

As we move forward, I’ll mention other terms as they become relevant.  For now, these should get you started.

Thursday, July 7, 2011

The Active Directory Family–More to Love in 2008

Prior to Windows 2008, when people said “Active Directory” they meant the directory service provided for free with Windows Server 2000/2003.  With Windows 2008, however, Microsoft has expanded on the concept of Active Directory so that it now has more than one meaning.

In this post, I thought I’d give a brief description of each of the core products that make up the Active Directory family.  Seeing this list, you’ll understand that it’s no longer technically accurate to talk about ‘Active Directory’ (though those of us who have worked with AD since the beginning certainly continue to speak of it in these terms).  Instead, using the new terminology below is the more appropriate way to refer to the various members of the Active Directory suite of products.

  1. Active Directory Domain Services (AD DS) – this is the classic version of Active Directory that is responsible for managing authentication (proving who you are), and authorization (deciding how much you can do) within your Microsoft domain.  It stores user and computer objects (among many other types of objects) and manages communication, directory lookups, and security for the people and resources accessing your infrastructure.
  2. Active Directory Lightweight Directory Services (AD LDS) – Previously known as ‘ADAM’, AD LDS is a lightweight version of Active Directory used in conjunction with directory-enabled applications.  While it is not intended to handle authentication/authorization, it does serve as a place to store objects and directory data necessary to the functioning of these directory-enabled applications.
  3. Active Directory Certificate Services (AD CS) – This product was once known as Microsoft Public Key Infrastructure (PKI), and is designed to allow you to set up your own internal certificate authority, allowing you to issue and manage digital certificates for the objects within your infrastructure.
  4. Active Directory Rights Management Services (AD RMS) – While Windows Server has a native way to protect documents from being accessed by unauthorized persons, AD RMS takes it a step further by managing permissions over those documents.  AD RMS allows you to define who has the rights to do many things with the documents in your environment, setting permissions for who can open, read, edit, etc. the documents being managed by AD RMS.
  5. Active Directory Federation Services (AD FS) – This service allows users from other domains to log into web-based applications even though those users are not from your own infrastructure, providing a Single Sign-On (SSO) experience for users accessing your web-based applications from other environments (both Windows and non-Windows).

Even though Active Directory has expanded and now includes 5 products rather than the single ‘Active Directory’ that debuted in Windows 2000, the central theme of AD is still identity management.  Each of the products listed above has some functionality related to this area, so it made sense to consolidate each of these products under the heading “Active Directory”.

Knowing a bit about these different products that make up the Active Directory family is important as you work with Windows 2008.  And now that you know them, you’ll be in a good position to respond to someone who talks about ‘Active Directory’ with the question “Which part of the Active Directory suite are you talking about?”