
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Analysis

Active Directory Workshop

Posted on 5 Jun 2002 at 14:59

Let Alan Stevens introduce you to the practicalities of Microsoft's directory service with the help of some hands-on experimentation

Few of us have the luxury of time or specialist equipment to really dive into the depths of Active Directory (AD), the directory service included in Windows 2000. The aim of this workshop is to give you some insight without you having to get your hands dirty. Before you can start, though, a little theory is required as to what a directory service is all about and how you can benefit from using one.

In essence, a directory is little more than a repository for information - a database. But, unlike other databases, the information in a directory is specialised, relating primarily to the users of a network or applications and the resources available to them. A directory also has a number of services and utility programs associated with it - collectively referred to as the directory service - to manage the information held in the repository and provide users and client applications fast access to the data as and when requested. For example, the Microsoft directory service will typically be used to authenticate users when they log on to a network and to identify the shared servers, files and printers they're allowed to use.

Previously, this was all done in Windows NT using a flat, Registry-based file system referred to as SAM (Security Accounts Manager). AD improves on this with a hierarchical database that, like all directories, is server independent. Rather than logging on to several servers in turn, you only have to log on to the single, network-wide AD service to potentially access all the resources on the LAN.

Yes, NT domains can do that already, but, as anyone who administers a Windows network will tell you, NT domains are severely limited. This is especially true when it comes to handling large numbers of servers and their users. Even on quite small networks, you're likely to end up with lots of separate domains requiring complex one-way 'trust' relationships to enable users in one domain to access resources in another.

A directory service like AD can handle large networks used by millions of users, with the option of spreading the repository information about and holding it on several servers. This makes for a more robust and fault-tolerant system, plus the local directory copies improve performance on a large network. Keeping the copies updated can be a problem, but all directory services, including AD, offer built-in replication facilities to handle this for you.

Information in the directory can be extended and used by other applications. The latest version of Exchange Server uses AD to store email addresses and other information, while many e-business applications use the directory to distinguish between different types of customer and their preferences.

Lastly, directories support standards-based access to the information they hold. The most important of these is LDAP (Lightweight Directory Access Protocol), which is supported by AD and virtually all other directory products. As a result, any LDAP-enabled application should be able to access data managed by any LDAP-compatible directory service, including AD. Or at least that's the theory.

Installing Active Directory

The good news is that AD is included with all server versions of Windows 2000, and there are no special hardware requirements. That said, the primary domain controller (AD still refers to domains and domain controllers) will need plenty of memory and the main system volume has to be formatted with NTFS, if it isn't already. A significant amount of disk space is also required for the repository, especially on a large network.
