What is Active Directory Directory Service in details? ADDS

Article Index

Active Directory service provides a single point of network resource management, allowing you to add, remove, and relocate users and resources easily.

Active Directory is software created by Microsoft, based on Novell EDirectory and using modified versions of existing protocols and services that provides a variety of network services, including:

  1. Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

  2. Kerberos-based authentication

  3. DNS-based naming and other network information

  4. Central location for network administration and delegation of authority 

  5. Information security and single sign-on for user access to networked based resources

  6. The ability to scale up or down easily

  7. Central storage location for application data

  8. Synchronization of directory updates amongst several servers 

Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization. Active Directory stores information and settings in a central database.

Active Directory was previewed in 1999, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows-Server 2003 R2. Active Directory was refined further in Windows Server 2008 and Windows Server 2008 R2 and was renamed Active Directory Domain Services.

Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some Active Directory binaries.

Active Directory Component

Various Active Directory components are used to build a directory structure. Active Directory completely separates the logical structure from the physical structure.

Active Directory components represent logical structures: - Domains, Organizational Units (OUs), Trees & Forests.

Active Directory components represent physical structures: - Sites (physical subnets) and Domain Controllers.

Logical Structures

In Active Directory, you organize resources in a logical structure—a structure that mirrors organizational models using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a resource by its name rather than by remembering its physical location. Because you group resources logically.


The core unit of logical structure in Active Directory is the domain, which can store millions of objects.

It is group of network components and it is logical collection of users and computers. It enables to organize object in a single logical object different polices can be apply on this object to set its behave it also provide security bounding and provides centralized management of network so it is domain.

Domain controller is a collection of users and computers where then domain controller provide a common security for each client. Trusting Domain –It contain the resource. Trusted Domain – It contain the user.

OU (Organizational Unit)

An OU is a container used to organize objects within a domain into a logical administrative group. OU is collection of active directory object that contain domain other OU’s users and computer account it is type of container which is used to organize the police can be applied on OU.


Tree is collection of domain which has contiguous linking of domain and the share common name space. There can be trust relationship between them which is generally transitive in nature. A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain.


The forest links multiple domain trees the first tree in the forest is called root tree.

A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:

All domains in a forest share a common schema.

All domains in a forest share a common global catalog.

All domains in a forest are linked by implicit two-way transitive trusts.

Trees in a forest have different naming structures, according to their domains.

Domains in a forest operate independently, but the forest enables communication across the entire   organization.


Physical Structures

The physical components of Active Directory are sites and domain controllers.


A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Site is collection of the subnet in active directory. It represents geographically separated network or subnet. It is replication bounding.

Domain Controllers

Domain Controller is the power full computer running as a server family operating system. He has some additional power to control the client.

        A domain controller is a computer running Windows Server 2003 that stores a replica of the domain directory (local domain database). Because a domain can contain one or more domain controllers, each domain controller in a domain has a complete replica of the domain’s portion of the directory.

Active Directory OBJECT

An Active Directory structure is a hierarchical framework of objects. The data stored in Active Directory, such as information about users, printers, servers, databases, groups, computers, and security policies, is organized into objects. The objects fall into two broad categories:- resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are Active Directory objects that are assigned unique security identifiers (SIDs) used to control access and set security.

An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account object might include the user’s first name, last name, and logon name, while the attributes of a computer account object might include the computer name and description

  • All objects stored in Windows Server 2003’s Active Directory

Database will have the following attributes attached.

Method-Every object will have the following in common, such as creating the object, opening the object, and deleting the object.

Properties-All Active Directory object have a set of properties or attributes.

Collection-If an attribute can contain more then a single value (such as the member of a group object), these values are stored as collection or an array of values.


A computer object is a software representation of a physical entity, namely, the computer. It represents level of participation in the Active Directory domain. This level of participation usually has to do with security.


User accounts comprise the meat and potatoes of Windows Server 2003 domain administrator.

All computing activities, whether it be access to are source or backing up a file occur in the context of a user account. An account is needed to interact with the network and is issued an access token at logon time.


A group object is just another type of account, much like a user account. However, this account’s purpose is to store a list. In this is an inventory of all the user account that belongs to the group account. The access token

Is a register of the user account and all the group to which it belongs. It is proffered to resource in the domain for the purpose of determining access.


In a windows server 2003 domain, you have the option of creating software object in Active Directory object shared printer in your enterprises. The advantage of creating an Active Directory object for each printer (rather then just creating the shared printer on a printer server) is that it enables users to find an enterprise’s printer more easily by conducting a search through Active Directory.

FSMO Roles

Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. The active directory maintenance pair to pair model, each of this pair updates AD information using multi-master replication model. A certain change in active directory then this update to multi server.

I.e. Although the AD domain controllers operate in a multi-master model

Role Name



Schema Master

1 per forest

Controls and handles updates/modifications to the Active Directory schema.

Domain Naming Master

1 per forest

Controls the addition and removal of domains from the forest if present in root domain

PDC Emulator

1 per domain

Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDCs also run domain specific processes such as the Security Descriptor Propagator (SDPROP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds the most current passwords and manages all GPOs as default server.

RID Master

1 per domain

Allocates pools of unique identifier to domain controllers for use when creating objects

Infrastructure Master

1 per domain/partition

Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS)(unless all DCs are also GCs, or environment consists of a single domain)


Trust is the relationship between different domains which perform cross domain logon and used of shared resources.

To allow users in one domain to access resources in another, Active Directory uses trusts.] Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or non transitive, one- or two-way), or external (non transitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

  1. One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

  2. Two-way trust – Two domains allow access to users on both domains.

  3. Trusting domain – The domain that allows access to users from a trusted domain.

  4. Trusted domain – The domain that is trusted; whose users have access to the trusting domain.

  5. Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest.

  6. Intransitive trust – A one way trust that does not extend beyond two domains.

  7. Explicit trust – A trust that an admin creates. It is not transitive and is one way only.

  8. Cross-link trust – An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server – supports the following types of trusts:

  1. Two-way transitive trusts.

  2. One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be:

  1. Shortcut

Windows Server 2003 offers a new trust type – the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive.


Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service, on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.

  1. Like Active Directory, ADAM provides a Data Store, which is a hierarchical data store for storage of directory data, a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, with each instance having its own and required by applications making use of the ADAM directory service.

In Windows Server 2008, ADAM has been renamed AD LDS (Lightweight Directory Services).