Talk:Active Directory


This article is part of WikiProject Microsoft Windows, a WikiProject devoted to maintaining and improving the informative value and quality of Wikipedia's many Microsoft Windows articles.
This article has been rated as B-Class on the assessment scale.
This article has been rated as high-importance on WikiProject Microsoft Windows's importance scale.

In the 2nd para there is a line "indeed DNS is required". What's the meaning of this emphasis? Jay 10:42, 27 Jan 2005 (UTC)

Some other directory services can use a variety of name resolution schemes, but AD mandates DNS because it uses SRV records in DNS to locate servers and services. It also forms the basis of the AD naming scheme.--Askegg 04:01, 8 August 2005 (UTC)

TCP/IP was optional in early Windows avatars, as Windows had its own stack (NetBIOS/NetBEUI). It's a measure of TCP/IP's ubiquitousness that AD requires DNS, which is based on TCP/IP (well, strictly UDP/IP). Ambarish 21:08, 15 Apr 2005 (UTC)

I'm confused about Sites. The entry says: As a further subdivision AD supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets.

Where do Sites fit in the hierarchy? Forest -> Tree -> Site or Forest -> Site.

--Jonwatson 19:22, 31 May 2005 (UTC)

A site has nothing to do with the structure and function of AD itself, but is provided to manage replication. All servers on the same LAN can be grouped into sites and the replication to other sites can be controlled through policies. --Askegg 04:01, 8 August 2005 (UTC)

Correct. It's kind of cool how MS have separated the logical structure from the physical structure... most elegant design, I must say. - Ta bu shi da yu 04:40, 8 August 2005 (UTC)


Wikipedia:Microsoft notice board

Note: to start this off I'm posting this to a few Microsoft articles.

I have kicked this off as I think we can do a lot better on many of our Microsoft related articles. Windows XP is just one example of a whole bunch of people getting together to fix up issues of NPOV, fact and verifiability of an article. I think that no matter whether you like Microsoft or not that we could definitely do with a review of: a) the articles that we already have, and b) the articles that we should have in Wikipedia! - Ta bu shi da yu 02:06, 10 Jun 2005 (UTC)

<div id="trust"> </div> in the Trust paragraph.

What is this doing in the trust paragraph? It has been here for a while (since Oct 2004 [1]) and if it serves no purpose it should be removed. --2mcm (talk) 22:41, 17 October 2005 (UTC)

Looks like he inserted it for an internal link. I'd guess he didn't realise that you can use the existing IDs generated by the headings to link to. Plugwash 03:56, 30 October 2005 (UTC)

Other tools

Shouldn't there be some more information about how AD fits in with non-MS tools like Samba and OpenLDAP? Not every network is 100% single vendor! Plugwash 03:59, 30 October 2005 (UTC)

That would require MS to actually interoperate with non-MS tools. (HHOS.) --moof 11:36, 11 November 2005 (UTC)

MS DO interoperate with plenty of external tools. AD is based on LDAP and Kerberos and it is easy to integrate MS and non-MS directories and Kerberos environments using the latest OpenLDAP and MIT Kerberos libraries. This is a prime example of the opinionated anti-MS FUD coming from people that don't know what they are talking about.

AD vs DC

What AD and DC on Windows view and on Linux view?

Um, what? - Ta bu shi da yu 02:35, 18 April 2006 (UTC)

Sites...

I want to know how many sites can one domain have??? I.e. for a maximum of how many sites in one domain can the replication take place...

There is no relationship between sites and domains. Sites are part of the configuration naming context and are hence common to all domains within a forest. There are ultimately limits to the number of sites that can be supported; however, the environment would need to be extremely large. I have seen 800 sites supported without too many problems. The actual replication topology (i.e. inter-site links) will be as important as the core number of sites. 800 sites in a chain end to end is a far different proposition to a single hub with 799 spoke sites.

Sites are a logical construct and not a physical one. The concept is to define 'zones' for replication, search space for the preferred domain controller for logon authentication, etc. Microsoft has different treatments for activities defined as being within the same site vs. activities occurring between sites.

AD replication and dFS replication are two oft-cited instances of this treatment: If multiple AD domain controllers exist in each of two or more sites, replication will occur primarily between DCs within a given site, with 'bridgehead' servers providing a link for replication between sites (and then relaying that information to other servers within the site).

But another demonstration of sites can be found by opening MS AD-supporting DNS. Under forward lookups, you'll see MSDCS records; under those records you'll see sites, and within a site you'll be able to drill down to a TCP 389 record (LDAP). Since a Windows logon provides only the following [username+password+domain] in its logon request, something must support locating a physical domain controller as the destination for the logon request. That 'something' is DNS; specifically, a search for that LDAP service. So, functionally, the requesting machine goes to DNS, looks under the domain name, looks in its own site (if available), and finds the server(s) supporting LDAP. If you only have one site, all servers are seen as equally available. That's why, if you have preferences for the authenticating domain controller, or if you want to avoid authenticating over a WAN link, the assignment of sites can control the default action for logons (and controlling replication, etc.)

Sites are defined as named objects, but hosts are assigned to a site by their IP address, so sites should be built to contain one or more IP subnets which you want to be seen as relatively 'together', and 'separated' from other IP subnets assigned to one or more additional sites. —Preceding unsigned comment added by 66.162.130.66 (talk) 00:29, 7 October 2007 (UTC)
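The locator behaviour described in the post above (client IP maps to a site by subnet, the client queries the site-specific LDAP SRV name under _msdcs first and falls back to the domain-wide name, then picks a DC from the returned records), as an added example that is not part of the original discussion. The site-to-subnet table and the SRV records are constructed sample data; the `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` and `_ldap._tcp.dc._msdcs.<domain>` name layout and the priority/weight selection are the standard SRV conventions, not anything taken from this page.

```python
import ipaddress
import random

# Constructed site definitions, as they would appear in AD Sites and Services:
# site name -> IP subnets assigned to it. 10.1.200.0/24 overlaps 10.1.0.0/16 to
# show that the most specific subnet decides the site.
SITE_SUBNETS = {
    "Paris": ["10.1.0.0/16"],
    "Lyon": ["10.2.0.0/16", "10.1.200.0/24"],
}

# Constructed SRV data: owner name -> [(priority, weight, port, target)].
SRV_RECORDS = {
    "_ldap._tcp.Paris._sites.dc._msdcs.example.com": [(0, 100, 389, "dc1.example.com")],
    "_ldap._tcp.Lyon._sites.dc._msdcs.example.com": [(0, 100, 389, "dc2.example.com")],
    "_ldap._tcp.dc._msdcs.example.com": [(0, 100, 389, "dc1.example.com"),
                                         (0, 100, 389, "dc2.example.com"),
                                         (10, 100, 389, "dc3.example.com")],
}

def site_for_ip(ip, site_subnets=SITE_SUBNETS):
    """Map a client IP to its site; the longest matching prefix wins, None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else None

def locator_names(domain, site):
    """SRV names to query in order: the client's site first (if it has one), then domain-wide."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names

def pick_srv(records, rng=random):
    """SRV selection: only the lowest-priority group is eligible, weighted random within it."""
    lowest = min(r[0] for r in records)
    group = [r for r in records if r[0] == lowest]
    point = rng.uniform(0, sum(r[1] for r in group))
    for _prio, weight, port, target in group:
        point -= weight
        if point <= 0:
            return (target, port)
    return (group[-1][3], group[-1][2])  # guards against float rounding at the top end

def locate_dc(client_ip, domain, srv=SRV_RECORDS, rng=random):
    """Return (site, (dc_host, port)); a client outside every subnet gets the domain-wide answer."""
    site = site_for_ip(client_ip)
    for name in locator_names(domain, site):
        if name in srv:
            return site, pick_srv(srv[name], rng)
    return site, None
```

A client in 10.1.200.0/24 lands in Lyon despite also matching Paris's /16, and a client on an unlisted subnet is served by any DC in the forest, which is exactly the "authenticating over a WAN link" case sites are meant to avoid.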

LDAP directory service

This does not make sense. LDAP is an abbreviation for Lightweight Directory Access Protocol and is a standard to define how a directory may be queried - not how a directory is structured. Saying that AD is based on an X.500 directory structure may be a little more correct, however it is not strictly speaking X.500 compliant.

Diagram?

Please can someone put some pictures showing the hierarchy of all the different objects.

AD management

Are there any other tools for AD management other than the MMC? I'm specifically trying to manage users from a linux machine. --212.130.183.202 13:33, 24 April 2007 (UTC)

You can use a UNIX LDAP tool to do this; simply bind to the domain controller using an account with rights to manage the users you are concerned with.

If you need to manage your keytabs, have a look at the free adkadmin from certifiedsecuritysolutions.


May I enquire about this article's quote on Services for Unix and Active Directory. As far as I know SFU is an NT subsystem much like Win32; if Microsoft is in the market for integrating Unix machines into Active Directory, SFU is certainly not the product concerned.

I have not made the edit to allow the maintainer of this page to verify this.

17.82.75.150 07:27, 17 May 2007 (UTC)


A little question about admin rights

In a domain how can I make a non-administrator capable of resetting passwords? --N00bh4ck3r 17:37, 7 June 2007 (UTC)

Delegate the "reset password" right on the user account in question.

Open Directory as drop-in replacement for AD?

The final sentence of the Alternatives paragraph reads: Open Directory is another alternative to Active Directory that can completely replace the need for Active Directory if a desire to implement Group Policy is not required. But I don't see how to get past the discovery phase. According to Microsoft's How Domain Controllers Are Located in Windows article; after the SRV record lookup a Windows client will use Connectionless LDAP (UDP) to verify that the server is active. (Despite only asking for _tcp SRV records...) As far as I can tell, Open Directory doesn't (yet) support CLDAP; so the server lookup fails. —The preceding unsigned comment was added by 72.196.120.245 (talk • contribs).

"If a desire to implement group policy is not required" - there are in practice few environments that would willingly forgo basics such as login scripts, security policy management, software distribution etc... What about migration?

"Although an Active Directory migration is clearly a case of when, and not if, for the majority, Microsoft won't be alone in the NOS directory services space: Two old rivals Novell and Netscape are also making a strong showing."

http://www.forrester.com/Research/LegacyIT/Excerpt/0,7208,24653,00.html


Vandalism with large corporations.

Someone keeps vandalizing this and claiming that AD is the only option for large enterprise, which is funny, because I swear that I've seen many schools and universities running Open Directory. Maybe this should be locked to prevent it again?

This is the second time (at least) now. —Preceding unsigned comment added by 220.239.148.218 (talk • contribs)

Protection isn't really warranted for such manageable acts. Instead please keep an eye out for the person who does it. Maybe he can be blocked (if you manage to catch the person, please let me know directly). Also protection would lock yourself out! --soum talk 11:42, 10 July 2007 (UTC)

I don't agree. A school or university is not a large enterprise in this context. The fact is, large businesses with significant investment in Microsoft technology deploy AD because it makes Windows easier and cheaper to manage. The only commercial product that comes close to providing a similar feature set is a Netware & Zenworks combination and Novell are getting out of this market. Open Source? Give me a break. Sure you can put in Samba, completely irrelevant in this context as it emulates NT4, and any LDAP directory, whether open source or otherwise, does not support NOS-related functionality like group policy, login scripts, startup scripts, security policy management etc. Have

It strikes me that a lot of people contributing to this page seem to look at AD from an LDAP point of view only - this is completely missing the point.

And we haven't even started on Exchange yet.

So let's get some realism and truth into this discussion, please.


Software deployment

In the definition it says that software can be deployed, but in Alternatives it says that it cannot. Should the definition be changed?

The definition is wrong. Software deployment is included within Group Policy, it is not an optional extra. Many AD installations make use of this, and it does not require "custom schema extensions" as is currently stated.


More

Market coverage

I was interested to see some info in this article about market coverage, gains, etc. For example it seems to have been quite successful in replacing Novell Netware in this space over the last 7 years or so as almost the default proprietary directory system of choice for many organisations (just my perception - which may be wrong - and that's why I looked up this article).

The article just seems to be about the technical side of it - I think it could benefit from non-technical aspects like this.

Djambalawa (talk) 01:42, 21 February 2008 (UTC)

Server 2003/2008 information

The article lacks info on what new features were added in Srv 03 and 08. Can anyone add them?