Active Directory:
Final Solution to Enterprise
System Integration
Author: Liming Liao
Date: 2/23/2001
What is a Directory Service?
• It is the central authority that manages the identities of, and brokers the relationships between, distributed resources, enabling them to work together.
• Everyday analogues: the Yellow Pages, a shopping list
• It is composed of objects such as people, printers, servers, etc.
Functions of a Directory Service
• A place to store information about network-based entities.
• A consistent way to name, describe, locate, access, manage, and secure information about these individual resources.
Why a Directory Service is Needed
• Local area networks (LANs) and wide area networks (WANs) grow larger and more complex.
• Networks are connected to the Internet.
• Applications require more from the network and are linked to other systems through corporate intranets.
Life without a Central Directory Service
Disadvantages of Life without a Central Directory Service
• Duplicated data, prone to user error
– The same data for one object has to be entered several times across the enterprise
– Updating information for a single object may require changes in numerous places
• Multiple logins for a single user accessing different databases or networks
– Each database in the enterprise requires a separate login name and password
– Each network in the enterprise requires a separate login name and password
With Centralized Directory Services
Advantages of Directory Services
• Entry and management of personal data, such as name, phone number and supervisor, is centralized
– This information is entered and stored in one place. If some of it is entered wrongly or needs to be changed, it is easy to fix
– No more duplicate inputs and updates
Advantages of Directory Services
• Information on user IDs and passwords for computer systems is centralized
– Instead of user IDs and passwords being scattered over several systems, they are managed from the central directory service
– Security is improved because there are far fewer user IDs and passwords to protect (the directory itself then becomes the most valuable target in the enterprise and must be hardened accordingly)
– Managing users' IDs is much easier for system admins
Advantages of Directory Services
• The procedure for determining the status
and role of an individual in the organization
is standardized
– In a large organization, many people come and go. It is important to be able to determine each person's exact status and relationship to the company
Advantages of Directory Services
• Lookup of names, addresses, phone
numbers and other “white pages”
information is standardized
• Lookup of network resources like printers, servers, certificates and other “yellow pages” information is standardized
• Centralizing the management of the system
will increase reliability and make it easier to
keep it up to date
Vendor-specific and Open-Standards Directory Service Solutions
• Vendor-specific directory services
– Sun Microsystems NIS+ (Network Information Service Plus)
– Novell's NDS (NetWare Directory Services)
– Microsoft's Active Directory
• Open directory service solutions
– An open solution: X.500
– An open gateway service
– LDAP, the Lightweight Directory Access Protocol
Microsoft Active Directory
• Microsoft describes Active Directory as the first enterprise-class directory service that is scalable, built from the ground up on Internet-standard technologies (such as DNS and LDAP), and fully integrated with the operating system (Windows 2000).
Characteristics of Active Directory
• Hierarchical organization
– It uses objects to represent network resources.
– It uses containers to represent organizations.
– It organizes information in a tree structure made up of these objects and containers.
• Object-oriented storage
– Different objects can carry different attributes.
– Administrators can assign access privileges to objects.
• Multi-master replication
– The directory can be replicated on different servers and maintained locally across the network.
– Users can locate resources using the local directory service rather than
Hierarchical Organization
Object-oriented Storage
Important ADS concepts
• Workgroup
A Windows 2000 workgroup is a logical grouping of
networked computers that share resources, such as files
and printers, and maintain a local security database, which
is a list of user accounts and resource security information
for the computer it is on.
• Domain
A Windows 2000 domain is a logical grouping of
networked computers that share a central directory
database, which contains user accounts and security
information for the domain.
Important ADS concepts
• Domain Tree and Forest
A domain tree is a hierarchical grouping of domains that share a contiguous namespace, a common schema, and a common global catalog.
A domain forest is a collection of one or more domain trees that do not share a contiguous namespace but do share a common schema and global catalog.
• Namespace
A collection of unique domain names.
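The tree, forest and namespace definitions above can be checked mechanically: a domain belongs to the same tree as another exactly when its DNS name is the other's name with labels prepended, and its distinguished name is the DNS name rewritten as DC= components. The following is an added example for these slides, not code from the original deck or from Microsoft; the domain names, OU names and the person name it uses are constructed for illustration.

```python
"""Domain trees, forests and distinguished names, worked in code.

Added example for these slides, not code from the original deck or from
Microsoft. Domain and object names below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample forest: which of these domains belong to the same tree?
SAMPLE_DOMAINS = [
    "example.com",
    "corp.example.com",
    "eu.corp.example.com",
    "example.net",
    "dev.example.net",
]

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_DN_SPECIAL = set('\\,+"<>;=')


def dns_to_dn(domain: str) -> str:
    """Map a DNS domain name to its Active Directory distinguished name.

    Each DNS label becomes one domainComponent (DC=) RDN, most specific first:
    'corp.example.com' -> 'DC=corp,DC=example,DC=com'.
    """
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN, so that a comma or '='
    inside a name (e.g. 'Liao, Liming') cannot be read as a new RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def object_dn(cn: str, ou_path: Iterable[str], domain: str) -> str:
    """Build the DN of an object stored in nested OUs of a domain.

    ou_path lists OUs innermost first, mirroring the order a DN is read in.
    """
    rdns = [f"CN={escape_dn_value(cn)}"]
    rdns += [f"OU={escape_dn_value(ou)}" for ou in ou_path]
    return ",".join(rdns + [dns_to_dn(domain)])


def parent_domain(domain: str, known: Set[str]) -> Optional[str]:
    """Nearest ancestor of `domain` that is itself in `known`, else None.

    A contiguous namespace means a child's name is its parent's name with
    labels prepended, e.g. corp.example.com is a child of example.com.
    """
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def group_into_trees(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Partition domains into trees (root domain -> sorted members).

    A tree root is a domain with no known ancestor; the set of all trees is
    the forest. Domains are processed parents-first (fewer labels first) so
    each child inherits the root already assigned to its parent.
    """
    known = {d.lower().strip(".") for d in domains}
    root_of: Dict[str, str] = {}
    for d in sorted(known, key=lambda name: name.count(".")):
        parent = parent_domain(d, known)
        root_of[d] = d if parent is None else root_of[parent]
    trees: Dict[str, List[str]] = defaultdict(list)
    for d, root in root_of.items():
        trees[root].append(d)
    return {root: sorted(members) for root, members in trees.items()}


if __name__ == "__main__":
    for root, members in group_into_trees(SAMPLE_DOMAINS).items():
        print(f"tree rooted at {root} ({dns_to_dn(root)}): {members}")
    print(object_dn("Liao, Liming", ["Staff", "Research"], "corp.example.com"))
```

Running it groups the five constructed domains into two trees (rooted at example.com and example.net), which together are the forest, and prints a user DN in which the comma inside the common name is escaped rather than starting a new RDN.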
Important ADS concepts
• Object and Organizational unit
An object is a representation of a network resource, including users, computers, printers, and so forth.
An organizational unit (OU) is a container object that holds other objects, including other OUs, so that administration can be delegated per subtree.
• Multimaster replication
The process by which the domain controllers of an Active Directory domain replicate changes to each other and resolve conflicting updates.
• Lightweight Directory Access Protocol (LDAP)
An Internet standard by which Active Directory clients and servers communicate.
Benefits of Active Directory Service
• Simplifies management
– Administrators have a single point of management for user accounts, clients, servers and applications
– Administrators can delegate specific administrative privileges and tasks to individual users and groups to make better use of system administration resources
• Strengthens security
– It supports a number of authentication mechanisms used to prove identity upon logon to Windows 2000
– It supports a fully integrated public key infrastructure and secure Internet protocols, letting organizations securely extend selected directory information beyond their firewall to extranet users and e-commerce customers
Benefits of Active Directory Service
• Extends interoperability
– It exposes all of the Windows 2000 directory features through standards-based interfaces.
– It provides a development platform for directory-enabled applications.
• More efficient use of resources
– Centralized security control and shared logon information save the trouble of building security-administration functions into each individual system
– Users are spared the headache of maintaining multiple sets of credentials within a single domain
How to implement ADS
• LDAP
– Multi-platform (Unix, Windows NT, OS/2 and IBM mainframes)
– Multi-vendor support (Microsoft, Netscape, Sun and Novell)
– Common standard
– Centralizes the entry and management of personal data like name, phone number, and supervisor
– Centralizes the location of user IDs and passwords for computer systems
– Provides the Simple Authentication and Security Layer (SASL) for pluggable authentication mechanisms, and the Secure Sockets Layer (SSL) protocol for protecting the connection
– Centralizes the procedure for determining the status and role of an individual in the organization
– Centralizes the lookup of names, addresses, phone numbers and other “white pages” information
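The "white pages" lookup and the SASL/SSL point above are where a practitioner has to be careful: whatever a user types into the lookup ends up inside an LDAP search filter, and a simple bind puts the password on the wire unless SSL/TLS or a SASL mechanism protects it. The following is an added example for these slides, not code from the original deck or from any LDAP vendor. It uses only the standard library and does not contact a server; the login names, the hostile input and the server URLs are constructed for illustration, and the bind policy it encodes is an assumption stated in the code.

```python
"""Safe LDAP lookups against the central directory, worked in code.

Added example for these slides, not code from the original deck or from
any LDAP vendor. It uses only the standard library and does not contact a
server; logins and URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The "white pages" attributes the slides talk about (name, phone, supervisor).
WHITE_PAGES_ATTRS = ["displayName", "telephoneNumber", "manager", "mail"]


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text before it is placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(login: str) -> str:
    """Filter matching exactly one user by sAMAccountName (the Windows login name)."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"


def unsafe_user_lookup_filter(login: str) -> str:
    """The naive version, kept only to show what goes wrong without escaping."""
    return f"(&(objectClass=user)(sAMAccountName={login}))"


def bind_is_protected(ldap_url: str, mechanism: str) -> bool:
    """Decide whether a bind would expose the password on the wire.

    Policy assumed for this example: a simple bind sends the password as-is,
    so it is only acceptable over ldaps:// (SSL/TLS). SASL mechanisms such as
    GSSAPI (Kerberos) or DIGEST-MD5 never send the password itself, so they
    are acceptable over plain ldap:// as well. StartTLS is not modelled.
    """
    scheme = urlsplit(ldap_url).scheme.lower()
    if mechanism.upper() == "SIMPLE":
        return scheme == "ldaps"
    return scheme in ("ldap", "ldaps")


if __name__ == "__main__":
    hostile = "*)(objectClass=*"  # constructed attacker input for the lookup box
    print("unsafe:", unsafe_user_lookup_filter(hostile))
    print("safe:  ", user_lookup_filter(hostile))
    print("simple bind over ldap:// ok?", bind_is_protected("ldap://dc1.corp.example.com", "simple"))
    print("GSSAPI bind over ldap:// ok?", bind_is_protected("ldap://dc1.corp.example.com", "GSSAPI"))
```

With the hostile input, the unescaped filter becomes (&(objectClass=user)(sAMAccountName=*)(objectClass=*)), a well-formed filter that matches every user in the domain; the escaped filter keeps the input as a literal value that matches nothing. The attribute list and bind check are the pieces a lookup client would pass to its LDAP library alongside the filter.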
Summary
• Directory Services are essential to daily life
in a networked world
• Personal information that is needed for the
running of any organization is being kept in
many separate systems
• Centralized directory services can improve
productivity and increase security while
reducing management overhead