What Is An Active Directory Service Account

Directory service, created by Microsoft for Windows domain networks

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active Directory was used only for centralized domain management. However, Active Directory eventually became an umbrella title for a broad range of directory-based identity-related services.[3]

A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers, and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted username and password and determines whether the user is a system administrator or normal user.[4] Also, it allows management and storage of information, provides authentication and authorization mechanisms and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and Rights Management Services.[5]

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos,[6] and DNS.[7]

History

Like many information-technology efforts, Active Directory originated out of a democratization of design using Request for Comments (RFCs). The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. For example, LDAP underpins Active Directory. Also, X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[8] RFC 2307, RFC 3062, and RFC 4533.[9][10][11]

Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Active Directory support was also added to Windows 95, Windows 98 and Windows NT 4.0 via patch, with some features being unsupported.[12][13] Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services.[14] The part of the directory in charge of the management of domains, which was previously a core part of the operating system,[14] was renamed Active Directory Domain Services (ADDS) and became a server role like others.[3] "Active Directory" became the umbrella title of a broader range of directory-based services.[15] According to Byron Hynes, everything related to identity was brought under Active Directory's banner.[3]

Active Directory Services

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.

Domain Services

Active Directory Domain Services (AD DS) is the foundation stone of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server running this service is called a domain controller. A domain controller is contacted when a user logs into a device, accesses another device across the network or runs a line-of-business Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, as described below) as well as most Microsoft server technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

The self-managed AD DS must not be confused with managed Azure AD DS, which is a cloud product.[16]

Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM),[17] is an implementation of the LDAP protocol for AD DS.[18] AD LDS runs as a service on Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for the storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

Certificate Services

Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per the S/MIME standard), and network traffic (when used by virtual private networks, the Transport Layer Security protocol or the IPSec protocol).

AD CS predates Windows Server 2008, but its name was simply Certificate Services.[19]

AD CS requires an AD DS infrastructure.[20]

Federation Services

Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS uses many popular open standards to pass token credentials such as SAML, OAuth or OpenID Connect.[21] AD FS supports encryption and signing of SAML assertions.[22] AD FS's purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials. The former enables them to use the same set of credentials in a different network.

As the name suggests, AD FS works based on the concept of federated identity.

AD FS requires an AD DS infrastructure, although its federation partner may not.[23]

Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them. These operations can include viewing, editing, copying, saving as or printing, for example. IT administrators can create pre-set templates for the convenience of the end user if required. However, end users can still define who can access the content in question and set what they can do.[24]

Logical structure

As a directory service, an Active Directory instance consists of a database and corresponding executable code responsible for servicing requests and maintaining the database. The executable part, known as the Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.[1] Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and Security Accounts Manager services.[2]

Objects

Figure: A simplified example of a publishing company's internal network. The company has four groups with varying permissions to the three shared folders on the network.

Active Directory structures are arrangements of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents—defined by a schema, which also determines the kinds of objects that can be stored in the Active Directory.

The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.[25]

Forests, trees, and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace and is linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

Organizational units

The objects held within a domain can be grouped into organizational units (OUs).[26] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs—domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and for simplifying the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named group policy objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well.

Organizational units do not each have a separate namespace. As a consequence, for compatibility with legacy NetBIOS implementations, user accounts with an identical sAMAccountName are not allowed within the same domain even if the account objects are in separate OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain.[27] However, two users in different OUs can have the same common name (CN), the name under which they are stored in the directory itself, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs.

In general, the reason for this lack of allowance for duplicate names through hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-namespace method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.

As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" (Western order) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student ID numbers to use as account names in place of actual users' names, and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.

Shadow groups

In Active Directory, organizational units (OUs) cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS can assign access privileges through object placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups whenever the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as shadow groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[28]
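The periodic script the section describes, as an added example (not code from the article or from Microsoft), written for the RSAT ActiveDirectory module; the root OU, the "SG-" naming prefix and the rule that a shadow group mirrors only the users directly inside its OU are assumptions of this example:

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the article): keep one security group per OU in sync with the
  users directly inside that OU, so the group can stand in for the OU wherever a trustee
  is required. Meant to run periodically (for example from a scheduled task); like any
  such script it cannot react instantly to directory changes. $RootOU, $Prefix and the
  one-level membership rule are this example's assumptions.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RootOU = 'OU=Departments,DC=example,DC=com',   # constructed example DN
    [string]$Prefix = 'SG-'
)

Import-Module ActiveDirectory

# LDAP subtree scope includes the base object, so the root OU itself is returned too.
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $RootOU -SearchScope Subtree

foreach ($ou in $ous) {
    $groupName = "$Prefix$($ou.Name)"   # OU names containing quotes are not handled here

    # The shadow group lives inside the OU it mirrors, as the article describes.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ou.DistinguishedName
    if (-not $group) {
        if (-not $PSCmdlet.ShouldProcess($groupName, 'Create shadow group')) { continue }
        $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Path $ou.DistinguishedName `
            -Description "Shadow group for $($ou.DistinguishedName)" -PassThru
    }

    # Desired membership: users whose immediate container is this OU. Child OUs get
    # their own shadow groups, so nested users are deliberately excluded (OneLevel).
    $desired = @(Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel |
                 Select-Object -ExpandProperty DistinguishedName)

    # Current membership is read from the member attribute, which avoids the result-size
    # limit that Get-ADGroupMember hits on large groups.
    $current = @((Get-ADGroup -Identity $group -Properties member).member | Where-Object { $_ })

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($groupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    # Removal matters as much as addition: an account moved out of the OU must lose the
    # rights the shadow group carries, or the group silently drifts away from the OU.
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($groupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }
}
```

Run it with -WhatIf first to see which groups would be created and which memberships would change before letting a scheduled task apply them.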

The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT service, or by object type, and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself, and an administrator of any domain in the forest must be trusted across all domains in the forest.[29]

Partitions

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as 'naming contexts'.[30] The 'Schema' partition contains the definition of object classes and attributes within the forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the forest. The 'Domain' partition holds all objects created in that domain and replicates only within its domain.

Physical structure

Sites are physical (rather than logical) groupings defined by one or more IP subnets.[31] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called member servers.[32] A subset of objects in the domain partition replicates to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the forest.[33][34] Global catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[35] Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.

Replication

Active Directory synchronizes changes using multi-master replication.[36] Replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected.[37] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intra-site replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Inter-site replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intra-site replication.

Each link can have a 'cost' (e.g., DS3, T1, ISDN, etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain, based on the site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) partitions. SMTP cannot be used for replicating the default Domain partition.[38]

Implementation

In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller,[39] but Microsoft recommends more than one domain controller to provide automatic failover protection of the directory.[40] Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role.[41]

Certain Microsoft products such as SQL Server[42][43] and Exchange[44] can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult.[45] A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server,[46] and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.[47]

Database

The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects.[48] (NT4's Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security descriptor single instancing.[48]

Programs may access the features of Active Directory[49] via the COM interfaces provided by Active Directory Service Interfaces.[50]

Trusting

To allow users in one domain to access resources in another, Active Directory uses trusts.[51]

Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology

One-way trust
One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust
Two domains allow access to users on both domains.
Trusted domain
The domain that is trusted; its users have access to the trusting domain.
Transitive trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust
A one-way trust that does not extend beyond two domains.
Explicit trust
A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust
An explicit trust between domains in different trees or the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut
Joins two domains in different trees; transitive, one- or two-way.
Forest trust
Applies to the entire forest. Transitive, one- or two-way.
Realm
Can be transitive or nontransitive (intransitive), one- or two-way.
External
Connects to other forests or non-AD domains. Nontransitive, one- or two-way.[52]
PAM trust
A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a (Windows Server 2016 functionality level) 'bastion' forest, which issues time-limited group memberships.[53][54]
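An added example (not from the article or from Microsoft) that lists the current domain's trusts and labels each with the terms above, so that trusts reaching past the forest boundary stand out for review. It assumes the RSAT ActiveDirectory module and uses Get-ADTrust's own property names; the mapping from those properties to the glossary terms is this example's assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example: summarise every trust the current domain has, in the article's terms.
# Assumes the RSAT ActiveDirectory module. The classification rules in the comments are
# this example's own reading of Get-ADTrust's properties, not Microsoft documentation.
Import-Module ActiveDirectory

function Get-TrustSummary {
    [CmdletBinding()]
    param([string]$Server)   # optional domain or DC to query; default is the current domain

    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    foreach ($t in Get-ADTrust @query) {
        # Direction is Inbound, Outbound or BiDirectional. The first two are one-way
        # trusts as defined above (Inbound: the partner's users may access this domain).
        $direction = if ($t.Direction -eq 'BiDirectional') { 'two-way' }
                     else { "one-way ($($t.Direction))" }

        # DisallowTransivity (Microsoft's spelling) is set on nontransitive trusts.
        $transitive = -not $t.DisallowTransivity

        # Kind of trust in the article's terminology: automatic intra-forest trusts
        # (parent/child, tree-root, shortcut), forest trusts, Kerberos realm trusts
        # (TrustType MIT), and everything else as external.
        $kind = if ($t.IntraForest)            { 'intra-forest (automatic)' }
                elseif ($t.ForestTransitive)   { 'forest trust' }
                elseif ($t.TrustType -eq 'MIT') { 'realm (Kerberos)' }
                else                           { 'external' }

        [pscustomobject]@{
            Partner       = $t.Target
            Direction     = $direction
            Transitive    = $transitive
            Kind          = $kind
            # The forest is the security boundary; anything not intra-forest extends
            # trust beyond it and should have a documented reason to exist.
            CrossesForest = -not $t.IntraForest
        }
    }
}

# List trusts that cross the forest boundary first.
Get-TrustSummary | Sort-Object CrossesForest -Descending | Format-Table -AutoSize
```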

Management solutions

Microsoft Active Directory management tools include:

  • Active Directory Administrative Center (Introduced with Windows Server 2012 and above),
  • Active Directory Users and Computers,
  • Active Directory Domains and Trusts,
  • Active Directory Sites and Services,
  • ADSI Edit,
  • Local Users and Groups,
  • Active Directory Schema snap-ins for Microsoft Management Console (MMC),
  • SysInternals ADExplorer

These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities. They provide essential features for a more convenient administration process, such as automation, reports, integration with other services, etc.

Unix integration

Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Third parties offer Active Directory integration for Unix-like platforms, including:

  • PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory[55]
  • ADmitMac (Thursby Software Systems)[55]
  • Samba (free software under GPLv3) – Can act as a domain controller[56][57]

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, supports these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).[58] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.

An alternative option is to use another directory service, so that non-Windows clients authenticate to it while Windows clients authenticate to AD. Such directories include 389 Directory Server (formerly Fedora Directory Server, FDS), ViewDS Identity Solutions - ViewDS v7.2 XML Enabled Directory and Sun Microsystems' Sun Java System Directory Server. The latter two are both able to perform two-way synchronization with AD and thus provide a "deflected" integration.

Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.[citation needed]

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.[59][60][61][62] Free and non-free AD administration tools can help to simplify and possibly automate AD management tasks.

Since October 2017 Amazon AWS offers integration with Microsoft Active Directory.[63]

See also

  • AGDLP (implementing role based access controls using nested groups)
  • Apple Open Directory
  • Flexible single master operation
  • FreeIPA
  • List of LDAP software
  • System Security Services Daemon (SSSD)
  • Univention Corporate Server

References

  1. "Directory System Agent". MSDN Library. Microsoft. Retrieved 23 April 2014.
  2. Solomon, David A.; Russinovich, Mark (2005). "Chapter 13". Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (fourth ed.). Redmond, Washington: Microsoft Press. p. 840. ISBN 0-7356-1917-4.
  3. Hynes, Byron (November 2006). "The Future of Windows: Directory Services in Windows Server "Longhorn"". TechNet Magazine. Microsoft. Archived from the original on 30 April 2020. Retrieved 30 April 2020.
  4. "Active Directory on a Windows Server 2003 Network". Active Directory Collection. Microsoft. 13 March 2003. Archived from the original on 30 April 2020. Retrieved 25 December 2010.
  5. Rackspace Support (27 April 2016). "Install Active Directory Domain Services on Windows Server 2008 R2 Enterprise 64-bit". Rackspace. Rackspace US, Inc. Archived from the original on 30 April 2020. Retrieved 22 September 2016.
  6. "Microsoft Kerberos - Win32 apps". docs.microsoft.com.
  7. "Domain Name System (DNS)". docs.microsoft.com.
  8. Howes, T.; Smith, M. (August 1995). "The LDAP Application Program Interface". The Internet Engineering Task Force (IETF). Archived from the original on 30 April 2020. Retrieved 26 November 2013.
  9. Howard, L. (March 1998). "An Approach for Using LDAP as a Network Information Service". Internet Engineering Task Force (IETF). Archived from the original on 30 April 2020. Retrieved 26 November 2013.
  10. Zeilenga, K. (February 2001). "LDAP Password Modify Extended Operation". The Internet Engineering Task Force (IETF). Archived from the original on 30 April 2020. Retrieved 26 November 2013.
  11. Zeilenga, K.; Choi, J.H. (June 2006). "The Lightweight Directory Access Protocol (LDAP) Content Synchronization Operation". The Internet Engineering Task Force (IETF). Archived from the original on 30 April 2020. Retrieved 26 November 2013.
  12. Daniel Petri (8 January 2009). "Active Directory Client (dsclient) for Win98/NT".
  13. "Dsclient.exe connects Windows 9x/NT PCs to Active Directory". 5 June 2003.
  14. Thomas, Guy (29 November 2000). "Windows Server 2008 - New Features". ComputerPerformance.co.uk. Computer Performance Ltd. Archived from the original on 2 September 2019. Retrieved 30 April 2020.
  15. "What's New in Active Directory in Windows Server". Windows Server 2012 R2 and Windows Server 2012 Tech Center. Microsoft.
  16. "Compare Active Directory-based services in Azure". docs.microsoft.com.
  17. "AD LDS". Microsoft. Retrieved 28 April 2009.
  18. "AD LDS versus AD DS". Microsoft. Retrieved 25 February 2013.
  19. Zacker, Craig (2003). "11: Creating and Managing Digital Certificates". In Harding, Kathy; Jean, Trenary; Linda, Zacker (eds.). Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Redmond, WA: Microsoft Press. pp. 11–16. ISBN 0-7356-1893-3.
  20. "Active Directory Certificate Services Overview". Microsoft TechNet. Microsoft. Retrieved 24 November 2015.
  21. "Overview of authentication in Power Apps portals". Microsoft Docs. Microsoft. Retrieved 30 January 2022.
  22. "How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates". TechNet. Microsoft. Retrieved 30 January 2022.
  23. "Step 1: Preinstallation Tasks". TechNet. Microsoft. Retrieved 21 October 2021.
  24. "Test Lab Guide: Deploying an AD RMS Cluster". Microsoft Docs. Microsoft. Retrieved 30 January 2022.
  25. Windows Server 2003: Active Directory Infrastructure. Microsoft Press. 2003. pp. 1–8–1–9.
  26. "Organizational Units". Distributed Systems Resource Kit (TechNet). Microsoft. 2011. An organizational unit in Active Directory is analogous to a directory in the file system.
  27. "sAMAccountName is always unique in a Windows domain… or is it?". Joeware. 4 January 2012. Retrieved 18 September 2013. Examples of how multiple AD objects can be created with the same sAMAccountName.
  28. Microsoft Server 2008 Reference, discussing shadow groups used for fine-grained password policies: https://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
  29. "Specifying Security and Administrative Boundaries". Microsoft Corporation. 23 January 2005. However, service administrators have abilities that cross domain boundaries. For this reason, the forest is the ultimate security boundary, not the domain.
  30. Andreas Luther. "Active Directory Replication Traffic". Microsoft Corporation. Retrieved 26 May 2010. The Active Directory is made up of one or more naming contexts or partitions.
  31. "Sites overview". Microsoft Corporation. 21 January 2005. A site is a set of well-connected subnets.
  32. "Planning for domain controllers and member servers". Microsoft Corporation. 21 January 2005. [...] member servers, [...] belong to a domain but do not contain a copy of the Active Directory data.
  33. "What Is the Global Catalog?". Microsoft Corporation. 10 December 2009. [...] a domain controller can locate only the objects in its domain. [...] The global catalog provides the ability to locate objects from any domain [...]
  34. "Global Catalog". Microsoft Corporation.
  35. "Attributes Included in the Global Catalog". Microsoft Corporation. 26 August 2010. The isMemberOfPartialAttributeSet attribute of an attributeSchema object is set to TRUE if the attribute is replicated to the global catalog. [...] When deciding whether or not to place an attribute in the global catalog remember that you are trading increased replication and increased disk storage on global catalog servers for, potentially, faster query performance.
  36. "Directory data store". Microsoft Corporation. 21 January 2005. Active Directory uses four distinct directory partition types to store [...] data. Directory partitions contain domain, configuration, schema, and application data.
  37. "What Is the Active Directory Replication Model?". Microsoft Corporation. 28 March 2003. Domain controllers request (pull) changes rather than send (push) changes that might not be needed.
  38. "What Is Active Directory Replication Topology?". Microsoft Corporation. 28 March 2003. SMTP can be used to transport nondomain replication [...]
  39. "Active Directory Backup and Restore". TechNet. Microsoft. Retrieved 5 February 2014.
  40. "AD DS: All domains should have at least two functioning domain controllers for redundancy". TechNet. Microsoft. Retrieved 5 February 2014.
  41. Posey, Brien (23 August 2010). "10 tips for effective Active Directory design". TechRepublic. CBS Interactive. Retrieved 5 February 2014. Whenever possible, your domain controllers should run on dedicated servers (physical or virtual).
  42. ^ "Yous may encounter problems when installing SQL Server on a domain controller (Revision 3.0)". Support. Microsoft. 7 January 2013. Retrieved five February 2014.
  43. ^ Degremont, Michel (30 June 2011). "Can I install SQL Server on a domain controller?". Microsoft SQL Server blog . Retrieved v February 2014. For security and performance reasons, we recommend that y'all do not install a standalone SQL Server on a domain controller.
  44. ^ "Installing Exchange on a domain controller is not recommended". TechNet. Microsoft. 22 March 2013. Retrieved v February 2014.
  45. ^ "Security Considerations for a SQL Server Installation". TechNet. Microsoft. Retrieved 5 Feb 2014. After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.
  46. ^ "Exchange Server Analyzer". TechNet. Microsoft. Retrieved 5 February 2014. Running SQL Server on the aforementioned figurer as a production Commutation mailbox server is not recommended.
  47. ^ "Running Domain Controllers in Hyper-V". TechNet. Microsoft. Planning to Virtualize Domain Controllers. Retrieved 5 February 2014. You should effort to avoid creating potential single points of failure when yous program your virtual domain controller deployment.frank
  48. ^ a b efleis (8 June 2006). "Big AD database? Probably not this big". Blogs.technet.com. Archived from the original on 17 Baronial 2009. Retrieved 20 November 2011.
  49. ^ Berkouwer, Sander. "Active Directory nuts". Veeam Software.
  50. ^ Active Directory Service Interfaces, Microsoft
  51. ^ "Domain and Forest Trusts Technical Reference". Microsoft Corporation. 28 March 2003. Trusts enable [...] hallmark and [...] sharing resources across domains or forests
  52. ^ "Domain and Forest Trusts Work". Microsoft Corporation. 11 December 2012. Retrieved 29 Jan 2013. Defines several kinds of trusts. (automatic, shortcut, woods, realm, external)
  53. ^ "Privileged Admission Direction for Active Directory Domain Services". docs.microsoft.com.
  54. ^ "TechNet Wiki". social.technet.microsoft.com.
  55. ^ a b Border, Charles South., Jr; Smith, Zack; Hunter, Beau (2009). "Chapter 3: Active Directory". Enterprise Mac Administrator'due south Guide . New York City: Apress. ISBN978-ane-4302-2443-3.
  56. ^ "Samba four.0.0 Available for Download". SambaPeople. SAMBA Project. Archived from the original on 15 Nov 2010. Retrieved 9 Baronial 2016.
  57. ^ "The slap-up DRS success!". SambaPeople. SAMBA Project. 5 October 2009. Archived from the original on xiii October 2009. Retrieved 2 November 2009.
  58. ^ "RFC 2307bis". Archived from the original on 27 September 2011. Retrieved xx Nov 2011.
  59. ^ "Active Directory Assistants with Windows PowerShell". Microsoft. Retrieved 7 June 2011.
  60. ^ "Using Scripts to Search Active Directory". Microsoft. Retrieved 22 May 2012.
  61. ^ "ITAdminTools Perl Scripts Repository". ITAdminTools.com. Retrieved 22 May 2012.
  62. ^ "Win32::OLE". Perl Open-Source Community. Retrieved 22 May 2012.
  63. ^ "Introducing AWS Directory Service for Microsoft Active Directory (Standard Edition)". Amazon Spider web Services. 24 October 2017.

External links

  • Microsoft TechNet: White paper: Active Directory Architecture (Single technical document that gives an overview of Active Directory.)
  • Microsoft TechNet: Detailed description of Active Directory on Windows Server 2003
  • Microsoft MSDN Library: [MS-ADTS]: Active Directory Technical Specification (part of the Microsoft Open Specification Promise)
  • Active Directory Application Mode (ADAM)
  • Microsoft MSDN: [AD-LDS]: Active Directory Lightweight Directory Services
  • Microsoft TechNet: [AD-LDS]: Active Directory Lightweight Directory Services
  • Microsoft MSDN: Active Directory Schema
  • Microsoft TechNet: Understanding Schema
  • Microsoft TechNet Magazine: Extending the Active Directory Schema
  • Microsoft MSDN: Active Directory Certificate Services
  • Microsoft TechNet: Active Directory Certificate Services

Source: https://en.wikipedia.org/wiki/Active_Directory

Posted by: loofas1938.blogspot.com
