What is Active Directory Domain Services (AD DS) in detail?


FSMO Roles

Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. Active Directory uses a multi-master replication model: any domain controller can accept a change, and that change is then replicated to every other domain controller that holds a copy of the partition. A few operations would cause conflicts if two domain controllers performed them at the same time (for example, two DCs handing out the same pool of RIDs, or two DCs making contradictory schema changes), so each of those operations is assigned to exactly one domain controller at a time, the FSMO role holder.

In other words, although the AD domain controllers operate in a multi-master model, the five operations in the table below are single-master.

Role Name | Scope | Description
Schema Master | 1 per forest | Controls and handles updates and modifications to the Active Directory schema. Only the schema master accepts schema writes; every other DC receives them by replication.
Domain Naming Master | 1 per forest | Controls the addition and removal of domains (and application directory partitions) in the forest. It is normally held by a DC in the forest root domain.
PDC Emulator | 1 per domain | Provides backward compatibility for NT4 clients for PDC operations (such as password changes). The PDC emulator also runs domain-specific processes such as the Security Descriptor Propagator (SDProp), is the authoritative time source for the domain, handles external trusts, is the default target for the DFS consistency check, receives password changes ahead of normal replication (so it holds the most current passwords and is consulted when a logon fails elsewhere with a bad password), and is the default server on which Group Policy objects are edited.
RID Master | 1 per domain | Allocates pools of relative identifiers (RIDs) to the domain controllers, which consume them to build the SIDs of newly created security principals.
Infrastructure Master | 1 per domain/partition | Keeps cross-domain object references up to date (for example, group memberships that refer to users from other domains). The infrastructure master should not be placed on a global catalog server: a GC already holds a copy of every object, so the role would never notice a stale reference and would stop updating them. The exceptions are when all DCs in the domain are also GCs, or when the forest consists of a single domain.
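The following PowerShell script is an added example and is not part of the original article. It lists the holder of each of the five roles and checks the Infrastructure Master placement caveat from the table. It assumes the ActiveDirectory module (RSAT) is installed and that the session runs as a domain user who can read the forest and domain objects.

```powershell
# Added example, not from the original article: list the five FSMO role
# holders and check the Infrastructure Master placement caveat.
# Assumes the ActiveDirectory module (RSAT) is installed and the session runs
# as a domain user that can read the forest and domain objects.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$multiDomain = $forest.Domains.Count -gt 1
$rows        = @()

# Forest-wide roles: exactly one holder each, anywhere in the forest.
$rows += [pscustomobject]@{ Role = 'Schema Master';        Scope = $forest.Name; Holder = $forest.SchemaMaster;       Warning = '' }
$rows += [pscustomobject]@{ Role = 'Domain Naming Master'; Scope = $forest.Name; Holder = $forest.DomainNamingMaster; Warning = '' }

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName
    # True when no DC in this domain lacks the global catalog.
    $everyDcIsGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    $domainRoles = @(
        @{ Role = 'PDC Emulator';          Holder = $domain.PDCEmulator },
        @{ Role = 'RID Master';            Holder = $domain.RIDMaster },
        @{ Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster }
    )

    foreach ($r in $domainRoles) {
        $holderDc = $dcs | Where-Object { $_.HostName -eq $r.Holder }
        $warning  = ''

        # The IM only does useful work when it is NOT a GC, unless every DC in
        # the domain is a GC or the forest has a single domain.
        if ($r.Role -eq 'Infrastructure Master' -and $multiDomain -and -not $everyDcIsGc -and $holderDc.IsGlobalCatalog) {
            $warning = 'Infrastructure Master sits on a GC in a multi-domain forest where not every DC is a GC; cross-domain references will not be updated'
        }

        $rows += [pscustomobject]@{ Role = $r.Role; Scope = $domainName; Holder = $r.Holder; Warning = $warning }
    }
}

$rows | Format-Table -AutoSize
```

For a quick one-liner without the placement check, `netdom query fsmo` prints the same five holders for the current domain and forest. Role holders are the DCs whose loss or compromise has the widest effect (schema writes, RID issuance, password changes, GPO edits), so this list is worth keeping alongside the DC inventory.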

Trust

A trust is a relationship between two domains that allows users of one domain to log on to the other and use its shared resources.

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are created automatically when domains are created. The forest, not the domain, sets the default boundary of trust: implicit, transitive trust is automatic for all domains within a forest. Beyond the default two-way transitive trusts, an AD trust can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or non-transitive, one- or two-way, to a non-Windows Kerberos realm), or external (non-transitive, one- or two-way) trust, used to connect to other forests or to non-AD domains.

Trusts in Windows 2000 (native mode)

  1. One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

  2. Two-way trust – Two domains allow access to users on both domains.

  3. Trusting domain – The domain that allows access to users from a trusted domain.

  4. Trusted domain – The domain that is trusted; whose users have access to the trusting domain.

  5. Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest.

  6. Intransitive trust – A trust that does not extend beyond the two domains in the relationship; it can be one- or two-way.

  7. Explicit trust – A trust that an administrator creates manually, as opposed to the implicit trusts created automatically within a forest. An explicit external trust is non-transitive and can be one-way or two-way (a two-way external trust is simply two one-way trusts).

  8. Cross-link trust – An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server supports the following types of trusts:

  1. Two-way transitive trusts.

  2. One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be:

  1. Shortcut

Windows Server 2003 introduced a new trust type, the forest trust. It connects two Windows Server 2003 forests that are both operating at the Windows Server 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). A forest trust is transitive across all the domains in the two forests it joins, but it is not transitive between forests: if forest A trusts forest B and forest B trusts forest C, forest A does not thereby trust forest C.
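The following PowerShell script is an added example and is not part of the original article. It enumerates the trusts of the current domain and decodes the trustAttributes bits so that the kind, direction, transitivity and SID-filtering state of each trust are visible in one table. It assumes the ActiveDirectory module and a domain-joined session; the bit values are those defined for the trustAttributes attribute in MS-ADTS, and the interpretation of the "treat as external" bit as relaxed SID filtering on a forest trust is this example's reading of that specification.

```powershell
# Added example, not from the original article: enumerate trusts of the
# current domain and decode the trustAttributes bits.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Bit values of the trustAttributes attribute as defined in MS-ADTS.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering enforced on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10  # selective authentication
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # parent/child or tree-root trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # forest trust with relaxed SID filtering (assumption: set by netdom /enablesidhistory)

function Test-Bit([int]$Value, [int]$Bit) { return ($Value -band $Bit) -ne 0 }

Get-ADTrust -Filter * | ForEach-Object {
    $attr     = [int]$_.TrustAttributes
    $isForest = Test-Bit $attr $TRUST_ATTRIBUTE_FOREST_TRANSITIVE
    $isIntra  = Test-Bit $attr $TRUST_ATTRIBUTE_WITHIN_FOREST

    # Classify the trust the way the article does: intra-forest, forest, realm, external.
    $kind = if ($isIntra) { 'intra-forest' }
            elseif ($isForest) { 'forest' }
            elseif ($_.TrustType -eq 'MIT') { 'realm' }
            else { 'external' }

    # Flag an external trust without quarantine, or a forest trust relaxed to
    # "treat as external", since both honour SIDs from the partner's SID history.
    $sidFilteringWeak = (
        ($kind -eq 'external' -and -not (Test-Bit $attr $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) -or
        ($kind -eq 'forest'   -and      (Test-Bit $attr $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL))
    )

    [pscustomobject]@{
        Partner       = $_.Target
        Kind          = $kind
        Direction     = $_.Direction            # Inbound, Outbound or BiDirectional
        Transitive    = -not (Test-Bit $attr $TRUST_ATTRIBUTE_NON_TRANSITIVE)
        SelectiveAuth = Test-Bit $attr $TRUST_ATTRIBUTE_CROSS_ORGANIZATION
        SidFilterWeak = $sidFilteringWeak
    }
} | Format-Table -AutoSize
```

`nltest /domain_trusts /all_trusts` gives the same raw list from any domain-joined host. When reading the output, remember the direction convention from the list above: an inbound trust means the partner's users can be authenticated by this domain, so inbound external and forest trusts are the ones whose transitivity and SID-filtering flags deserve a second look.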

ADAM/AD LDS

Active Directory Application Mode (ADAM) is a lightweight implementation of Active Directory. ADAM runs as a service on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares its code base with Active Directory and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers.

Like Active Directory, ADAM provides a data store, which is a hierarchical store for directory data, and a directory service with an LDAP interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, each instance having its own schema, as required by the applications that use the ADAM directory service.

In Windows Server 2008, ADAM was renamed AD LDS (Active Directory Lightweight Directory Services).
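The following PowerShell script is an added example and is not part of the original article. It lists the AD LDS (ADAM) instances on the local host and reads each instance's RootDSE to show that every instance listens on its own port and carries its own schema and configuration partitions. It assumes that each instance registers a Windows service named ADAM_<instance> and stores its ports as the "Port LDAP" and "Port SSL" values under that service's Parameters registry key; both are assumptions about the on-disk layout, and the script is meant to run locally on the AD LDS host.

```powershell
# Added example, not from the original article: enumerate local AD LDS (ADAM)
# instances and show that each has its own port, schema and configuration NC.
# Assumptions: service name ADAM_<instance>; ports stored as 'Port LDAP' and
# 'Port SSL' under HKLM:\SYSTEM\CurrentControlSet\Services\ADAM_<instance>\Parameters.
$instances = Get-Service -Name 'ADAM_*' -ErrorAction SilentlyContinue

if (-not $instances) {
    Write-Host 'No AD LDS instances found on this host.'
    return
}

foreach ($svc in $instances) {
    $params   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $ldapPort = $params.'Port LDAP'
    $sslPort  = $params.'Port SSL'

    # RootDSE is readable on every LDAP server; no domain or DC is involved.
    $rootDse = [ADSI]"LDAP://localhost:$ldapPort/RootDSE"

    # Anything in namingContexts that is not the schema or configuration NC is
    # an application partition created for the application using this instance.
    $appPartitions = $rootDse.namingContexts |
        Where-Object { $_ -notmatch '^CN=(Schema|Configuration),' }

    [pscustomobject]@{
        Instance      = $svc.Name -replace '^ADAM_', ''
        Status        = $svc.Status
        LdapPort      = $ldapPort
        SslPort       = $sslPort
        SchemaNC      = [string]$rootDse.schemaNamingContext
        ConfigNC      = [string]$rootDse.configurationNamingContext
        AppPartitions = ($appPartitions -join '; ')
    }
}
```

Each row shows a different schemaNamingContext, which is the practical meaning of "each instance having its own schema": a schema extension made for one application does not touch the others, and none of them touches the domain's schema.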