Part I
Getting Started
In this part . . .
For many things in life, you have to start at the beginning before you can move on to the rest. That start for Active Directory is here. The first chapter is an introduction to Active Directory and its terminology. Chapters 2 and 3 step back from the technology of Active Directory and instead discuss how to prepare for an Active Directory design and deployment by looking at what requirements you have and developing an implementation plan. Welcome to Active Directory!
Chapter 1
Understanding Active Directory
In This Chapter
Defining Active Directory
Examining the origins of Active Directory: X.500
Understanding Active Directory terms
Investigating the benefits of Active Directory: What's in it for you?
Since the release of Active Directory in Windows 2000 Server, Active Directory has become an integral part of many information technology (IT) environments. As such, Active Directory has become a very popular topic with the people who have to design and support it. Because of all the terms and technology surrounding Active Directory, you might already be a bit intimidated by the prospect of working with it yourself.
But Active Directory doesn't need to be difficult! In this chapter, you find out in clear and simple language what Active Directory is, what it does, and what benefits it brings to your organization and to your job.
What Is Active Directory?
If you visit the Microsoft Web site seeking a definition of Active Directory (AD), you find words such as hierarchical, distributed, extensible, and integrated. Then you stumble across terms such as trees, forests, and leaf objects in combination with the usual abbreviations and standards: TCP/IP, DNS, X.500, LDAP. The whole thing quickly becomes pretty overwhelming. (Appendix B has a glossary that defines these abbreviations for you!)
I prefer to define things in simpler terms, as the following sections demonstrate. Drum roll, please . . .
Active Directory is an umbrella
What? Am I saying that if it's raining you had better have AD with you? No, I would still recommend a real umbrella in a rainstorm. I'm saying that in Windows Server 2008, the scope of what Active Directory is has greatly expanded. Active Directory has become an umbrella for a number of technologies beyond what AD was in Windows 2000 Server and Windows Server 2003. (See Figure 1-1.)
You discover new uses for Active Directory in the paragraphs that follow.
Active Directory Domain Services
What was AD in the two previous Windows Server operating systems is now Active Directory Domain Services, or AD DS, in Windows Server 2008. The majority of this book deals with this component of Active Directory because this is the most commonly deployed component of the AD umbrella. But don't worry; I discuss all the other technologies found beneath the Active Directory umbrella as well.
Active Directory Lightweight Directory Services
Beginning with Windows Server 2003, Microsoft created a directory service application separate from Active Directory called Active Directory Application Mode, or ADAM for short. ADAM was designed to address an organization's need to deploy a directory service that didn't necessarily need all the features that Active Directory provided. Microsoft includes this application in Windows Server 2008 but renamed it Active Directory Lightweight Directory Services, or AD LDS. I talk about AD LDS in Chapter 8.
Figure 1-1: The Active Directory umbrella.
Active Directory Federation Services
Beginning in the R2 release of Windows Server 2003, Microsoft included an optional software package called Federation Services. As you see later in this book, federations provide a Single Sign-on (SSO) service helping to minimize the number of logon IDs and passwords users must remember as well as simplifying how users can access resources in other IT environments. This software is now a part of the Windows Server 2008 AD umbrella and has been renamed Active Directory Federation Services or AD FS.
Active Directory Certificate Services
Certificate Services has been around in Windows Server software for a while now. With this software, you can provide certification authorities that can issue public key certificates used for such things as authentication via smart cards or encrypting data before it's transmitted over a network. Certificate Services also provides the necessary management of these certificates so that they can be renewed and revoked. In Windows Server 2008, Certificate Services is a part of Active Directory and is referred to as Active Directory Certificate Services (AD CS).
Active Directory Rights Management Services
Managing what users can do with data has always been an issue for most organizations. Although Active Directory did a good job of controlling whether a user could access a document, it didn't have the ability to control what that user did with the data after he or she got it. Enter Active Directory Rights Management Services (AD RMS). With a properly deployed AD RMS environment, organizations can retain control over sensitive documents, for example, so that they cannot be e-mailed to unauthorized users.
I use the term Active Directory interchangeably with Active Directory Domain Services. This is because in previous versions of Windows Server software, Active Directory was what is now called Active Directory Domain Services. When I refer to the Active Directory umbrella as Active Directory, I make it clear that I'm not just talking about AD DS. Additionally, when I refer to the other elements of AD, such as Active Directory Federation Services, I call it that or use its acronym.
Active Directory is an information store
First and foremost, Active Directory is a store of information. This information is organized into individual objects of data, each object having a certain set of attributes associated with it. A telephone white pages directory, for example, is an information store. Each object in this store represents a home or business that contains attributes for such information as names, addresses, and telephone numbers (see Figure 1-2).
Figure 1-2: A telephone directory is a store containing fields of information.
This store of data, as well as the capability of retrieving and modifying the data, makes Active Directory a directory service. Why then don't I consider Active Directory to be a database? It certainly shares some common functionality, including storage, retrieval, and replication of data, but there are some important differences, too. First, directory services are normally optimized for reads because these are the vast majority of the operations executed, and the data is generally non-changing. Also, the data is structured in some sort of hierarchy that allows for it to be organized in the directory store. Repeating my phone book analogy, the Yellow Pages organizes objects by types of business. This makes finding what you're looking for easier. The same can be said of a directory service; you can organize your objects into a hierarchy of ...
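To make the "information store" idea concrete, here is a small, constructed Python model of a directory store. It is an added illustration, not code from this book or from Active Directory itself: objects are identified by a hierarchical distinguished name (DN) such as `CN=Bob,OU=Sales,DC=example,DC=com`, each object carries a set of multi-valued attributes, reads are served from a prebuilt attribute index (the read-optimized behavior described above), and searches are scoped to the base object, its immediate children, or the whole subtree, which is how LDAP searches are scoped. The names, attributes, and the `example.com` naming context are sample values invented for the example.

```python
"""Toy hierarchical directory store (constructed example, not Active Directory code)."""
from collections import defaultdict


class DirectoryStore:
    """Objects keyed by DN, with a read-optimized (attribute, value) -> DN index."""

    def __init__(self):
        self.objects = {}                 # DN -> {attribute: [values]}
        self._index = defaultdict(set)    # (attr, value) -> set of DNs holding it

    @staticmethod
    def parent(dn):
        """'CN=Bob,OU=Sales,DC=example,DC=com' -> 'OU=Sales,DC=example,DC=com'."""
        parts = dn.split(",", 1)
        return parts[1] if len(parts) == 2 else None

    def add(self, dn, **attrs):
        """Create an object under an existing container (first object is the root)."""
        if dn in self.objects:
            raise KeyError(f"object already exists: {dn}")
        parent = self.parent(dn)
        if self.objects and parent not in self.objects:
            raise KeyError(f"parent container does not exist: {parent}")
        self.objects[dn] = {}
        for attr, values in attrs.items():
            self.replace(dn, attr, values)

    def replace(self, dn, attr, values):
        """Replace an attribute's values; keeps the index in step with the object."""
        values = values if isinstance(values, list) else [values]
        for old in self.objects[dn].get(attr, []):
            self._index[(attr.lower(), str(old).lower())].discard(dn)
        self.objects[dn][attr] = values
        for v in values:
            self._index[(attr.lower(), str(v).lower())].add(dn)

    def _in_scope(self, dn, base, scope):
        """LDAP-style scopes: 'base', 'one' (children only), or 'subtree'."""
        if scope == "base":
            return dn == base
        if scope == "one":
            return self.parent(dn) == base
        if scope == "subtree":
            return dn == base or dn.endswith("," + base)
        raise ValueError(f"unknown scope: {scope}")

    def search(self, base, scope, attr=None, value=None):
        """Return matching DNs, sorted; attribute filters go through the index."""
        if attr is None:
            candidates = self.objects
        else:
            candidates = self._index.get((attr.lower(), str(value).lower()), set())
        return sorted(dn for dn in candidates if self._in_scope(dn, base, scope))


def build_sample_directory():
    """Populate the store with constructed sample objects (the 'white pages')."""
    root = "DC=example,DC=com"
    store = DirectoryStore()
    store.add(root, objectClass=["top", "domain"])
    store.add(f"OU=Sales,{root}", objectClass=["top", "organizationalUnit"])
    store.add(f"OU=Engineering,{root}", objectClass=["top", "organizationalUnit"])
    store.add(f"CN=Bob,OU=Sales,{root}", objectClass=["top", "user"],
              mail="bob@example.com", telephoneNumber="555-0101")
    store.add(f"CN=Printer1,OU=Sales,{root}", objectClass=["top", "printQueue"],
              location="2nd floor")
    store.add(f"CN=Alice,OU=Engineering,{root}", objectClass=["top", "user"],
              mail="alice@example.com", telephoneNumber="555-0102")
    return store


if __name__ == "__main__":
    directory = build_sample_directory()
    # "Yellow Pages" style lookup: every user object anywhere in the domain.
    print(directory.search("DC=example,DC=com", "subtree", "objectClass", "user"))
    # Everything directly under the Sales container, regardless of type.
    print(directory.search("OU=Sales,DC=example,DC=com", "one"))
```

The `objectClass` attribute plays the role of the Yellow Pages category: a subtree search filtered on it finds every object of one type no matter which container holds it, while a one-level search on a container lists its immediate contents regardless of type. Note that this toy compares DNs case-sensitively, whereas a real directory matches DN components case-insensitively.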