Reviewing the Original Microsoft Directory Systems
Exchange Server 5.5 ran its own directory
service as part of its email environment. In fact, AD DS took many of
its key design components from the original Exchange directory service.
For example, the AD DS database uses the same Jet database format as
Exchange 5.5 and the site replication topology is similar in many ways.
Several other Microsoft applications
ran their own directory services, namely Internet Information Server
and Site Server. However, each directory service was separate from the
others, and integration was not very tight between the different
implementations.
Outlining the Key Features of Active Directory Domain Services
Five key components are central to AD DS’s
functionality. As compatibility with Internet standards has become
required for new directory services, the existing implementations have
adjusted and focused on these areas:
• TCP/IP compatibility—Unlike
some of the original proprietary protocols such as IPX/SPX and NetBEUI,
the Transmission Control Protocol/Internet Protocol (TCP/IP) was
designed to be cross-platform. The subsequent adoption of TCP/IP as an
Internet standard for computer communications has propelled it to the
forefront of the protocol world and essentially made it a requirement
for enterprise operating systems. AD DS and Windows Server 2012 utilize
the TCP/IP protocol stack as their primary method of communications.
• Lightweight Directory Access Protocol support—LDAP
has emerged as the standard Internet directory protocol and is used to
update and query data within the directory. AD DS directly supports
LDAP.
• Domain name system (DNS) support—DNS was created out of a need to translate simplified names that can be understood by humans (such as www.cco.com)
into an IP address that is understood by a computer (such as
12.222.165.154). The AD DS structure supports and effectively requires
DNS to function properly.
• Security support—Internet
standards-based security support is vital to the smooth functioning of
an environment that is essentially connected to millions of computers
around the world. Lack of strong security is an invitation to be
hacked, and Windows Server 2012 and AD DS have taken security to
greater levels. Support for IP Security (IPsec), Kerberos, certificate
authorities, and Secure Sockets Layer (SSL) encryption is built in to
Windows Server 2012 and AD DS.
• Ease of administration—Although
often overlooked in powerful directory services implementations, the
ease with which the environment is administered and configured directly
affects the overall costs associated with its use. AD DS and Windows
Server 2012 are specifically designed for ease of use to lessen the
learning curve associated with the use of a new environment. Windows
Server 2012 also enhanced AD DS administration with the introduction of
the Active Directory Administration Center, Active Directory Web
Services, and an Active Directory module for Windows PowerShell
command-line administration, which has been greatly improved from the
one originally included in Windows Server 2008 and Windows Server 2008
R2. PowerShell support in Windows Server 2012 AD DS now allows for
better troubleshooting and fully automated provisioning of domain
controllers and entire forests from the command line.
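As an added example (not code from the book), the following PowerShell walks through the command-line forest provisioning the list above mentions and then checks the DNS and LDAP dependencies it describes; the domain name corp.example.com, the NetBIOS name CORP, and the Win2012 functional levels are assumed values.

```powershell
# Added example: provision a new AD DS forest from the command line and
# verify the DNS records and LDAP access that AD DS depends on. Run in an
# elevated PowerShell session on Windows Server 2012; names are assumptions.

# 1. Install the AD DS role plus management tools. RSAT-AD-PowerShell supplies
#    the ActiveDirectory module, ADDSDeployment the Install-ADDS* cmdlets.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Collect the Directory Services Restore Mode (DSRM) password interactively
#    rather than hard-coding it; it is the local recovery credential for the DC.
$dsrm = Read-Host -Prompt "DSRM password" -AsSecureString

# 3. Dry run. Test-ADDSForestInstallation takes the same parameters as
#    Install-ADDSForest and reports prerequisite problems (DNS, credentials,
#    unsupported options) without changing the server.
$check = Test-ADDSForestInstallation `
    -DomainName "corp.example.com" `
    -DomainNetbiosName "CORP" `
    -ForestMode Win2012 `
    -DomainMode Win2012 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm
$check.Message      # review the findings; continue only when Status is Success

# 4. Promote the server to the first DC of the new forest. -InstallDns creates
#    the DNS zone AD DS effectively requires; the server reboots when done.
Install-ADDSForest `
    -DomainName "corp.example.com" `
    -DomainNetbiosName "CORP" `
    -ForestMode Win2012 `
    -DomainMode Win2012 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# 5. After the reboot, confirm the SRV records clients use to locate domain
#    controllers for LDAP and Kerberos were registered in DNS.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.corp.example.com" -Type SRV
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.corp.example.com" -Type SRV

# 6. Confirm the forest and domain are reachable through the ActiveDirectory
#    module (this path relies on Active Directory Web Services on the DC).
Get-ADForest | Select-Object Name, ForestMode, RootDomain
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
```

If step 5 returns no SRV records, the domain controller has not registered in DNS and domain joins and Kerberos authentication will fail until that is corrected.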
Detailing Microsoft’s Adoption of Internet Standards
Since the early development of Windows
2000/2003/2003 R2/2008/2008 R2 and continuing with Windows Server 2012,
Microsoft has strived to make all its products Internet compatible and
friendly. Standards that had previously been optional or
incompatible were subsequently woven into the software as primary
methods of communication and operability. All applications and
operating systems became TCP/IP compliant, and proprietary protocols
such as NetBEUI were phased out.
With the introduction of Windows
Server 2012, the Internet readiness of the Microsoft environment
reaches new levels of functionality, with enhancements such as the
ability to join virtual domain controller templates to a forest; the
ability to restore deleted objects using the Active Directory Recycle
Bin; offline domain join; Managed Service Accounts; the ability to
use multiple password policies per domain; read-only domain controller
(RODC) support; the ability to start/stop AD on a domain controller
(DC); and the ability to audit changes made to AD objects.
1. Understanding the AD DS Domain
An AD DS domain, traditionally represented by a triangle, as shown in Figure 1,
is the initial logical boundary of AD DS. In a standalone sense, an AD
DS domain acts very much like the legacy Windows NT 4.0 domain
structure that it replaced. Users and computers are all stored and
managed from within the boundaries of the domain. However, several
major changes have been made to the structure of the domain and how it
relates to other domains within the AD DS structure.
Figure 1. Examining a sample domain in AD DS.
Domains in AD DS serve as
administrative security boundaries for objects and contain their own
security policies. It is important to keep in mind that domains are a
logical organization of objects and can easily span multiple physical
locations. Consequently, it is no longer necessary to set up multiple
domains for different remote offices or sites, because replication
concerns and security concerns are more properly addressed with the use
of AD DS sites or RODCs, which are described in greater detail in the
following sections.