Active Directory Object
An Active Directory structure is a hierarchical framework of objects. The data stored in Active Directory, such as information about users, printers, servers, databases, groups, computers, and security policies, is organized into objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are Active Directory objects that are assigned unique security identifiers (SIDs), which are used to control access and set security.
An object is a distinct, named set of attributes that represents a network resource. Object attributes are the characteristics of objects in the directory. For example, the attributes of a user account object might include the user's first name, last name, and logon name, while the attributes of a computer account object might include the computer name and description.
All objects stored in the Windows Server 2003 Active Directory database have the following attached:
  • Method - Every object has the same basic methods in common, such as creating the object, opening the object, and deleting the object.
  • Properties - All Active Directory objects have a set of properties, or attributes.
  • Collection - If an attribute can contain more than a single value (such as the member attribute of a group object), these values are stored as a collection, or an array of values.
A computer object is a software representation of a physical entity, namely the computer. It represents the computer's level of participation in the Active Directory domain, and this level of participation usually has to do with security.
User accounts are the meat and potatoes of Windows Server 2003 domain administration. All computing activities, whether accessing a resource or backing up a file, occur in the context of a user account. An account is needed to interact with the network, and it is issued an access token at logon time.
A group object is just another type of account, much like a user account. However, this account's purpose is to store a list: an inventory of all the user accounts that belong to the group. The access token is a register of the user account and all the groups to which it belongs. It is presented to resources in the domain for the purpose of determining access.
In a Windows Server 2003 domain, you have the option of creating an Active Directory object for each shared printer in your enterprise. The advantage of creating an Active Directory object for each printer (rather than just creating the shared printer on a print server) is that it enables users to find an enterprise's printers more easily by searching Active Directory.
FSMO Roles
Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. Active Directory normally maintains its data in a peer-to-peer model: every domain controller can update AD information, and a change made on one domain controller is propagated to the others through multi-master replication. Some operations, however, must be performed by only one domain controller at a time, so in a forest there are at least five FSMO (operations master) roles, each assigned to a single domain controller. The five FSMO roles are:
Role Name (scope): Description
Schema Master (1 per forest): The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain Naming Master (1 per forest): The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
PDC Emulator (1 per domain): The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
RID (Relative ID) Master (1 per domain): The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
Infrastructure Master (1 per domain/partition): The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
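The following is an added example, not code from the original page: it lists every FSMO role holder in the forest and checks the "1 per forest / 1 per domain" rule described above, warning when a role has no recorded holder or its holder does not answer. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the forest; no host or domain names are hard-coded.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module is installed and the session can query the whole forest.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest
    # Forest-wide roles: a single holder for the entire forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
    # Domain-wide roles: one holder in each domain of the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = $role; Holder = $domain.$role }
        }
    }
}

function Test-FsmoInventory {
    param([Parameter(Mandatory)] [object[]] $Inventory)
    foreach ($entry in $Inventory) {
        # An empty holder means the role was never transferred after its DC went away;
        # schema changes, domain additions, RID allocation or PDC functions then stall.
        if ([string]::IsNullOrEmpty($entry.Holder)) {
            Write-Warning "$($entry.Role) in $($entry.Domain) has no holder recorded"
            continue
        }
        # A holder that is unreachable is as much of a problem as a missing one.
        if (-not (Test-Connection -ComputerName $entry.Holder -Count 1 -Quiet)) {
            Write-Warning "$($entry.Role) holder $($entry.Holder) is not responding"
        }
    }
    # Summarise which DCs carry several roles. In a multi-domain forest the
    # infrastructure master should not sit on a global catalog server unless
    # every DC is a global catalog, or cross-domain references stop updating.
    $Inventory | Group-Object Holder | Sort-Object Count -Descending |
        Select-Object @{ n = 'DomainController'; e = { $_.Name } }, Count,
                      @{ n = 'Roles'; e = { ($_.Group.Role) -join ', ' } }
}

$inventory = Get-FsmoInventory
$inventory | Format-Table Scope, Domain, Role, Holder -AutoSize
Test-FsmoInventory -Inventory $inventory | Format-Table -AutoSize
```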
A trust is a relationship between domains that permits cross-domain logon and the use of shared resources.
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest, not the domain, sets the default boundary of trust, and implicit, transitive trust is automatic for all domains within a forest. Besides two-way transitive trusts, AD trusts can be shortcut (joins two domains in different trees; transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or non-transitive, one- or two-way), or external (non-transitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
  • One-way trust - One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
  • Two-way trust - Two domains allow access to users on both domains.
  • Trusting domain - The domain that allows access to users from a trusted domain.
  • Trusted domain - The domain that is trusted; whose users have access to the trusting domain.
  • Transitive trust - A trust that can extend beyond two domains to other trusted domains in the forest.
  • Intransitive trust - A one-way trust that does not extend beyond two domains.
  • Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
  • Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 Server supports the following types of trusts:
  • Two-way transitive trusts.
  • One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
  • Shortcut
Windows Server 2003 offers a new trust type, the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. The forest trust itself, however, is not transitive: trusting a second forest does not extend to any further forests that the second forest trusts.
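As an added example, not code from the original page, the script below enumerates the trusts of the current domain and labels each one with the categories used in this section: trusting versus trusted domain, one- versus two-way, transitive versus intransitive, and shortcut/forest/realm/external. It assumes the RSAT ActiveDirectory module and a domain-joined session; the bit values are the documented TRUST_ATTRIBUTE_* flags stored on each trust object.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module; the attribute flags below are the documented TRUST_ATTRIBUTE_* bits.
Import-Module ActiveDirectory

$TRUST_ATTRIBUTE_NON_TRANSITIVE    = 0x1
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8
$TRUST_ATTRIBUTE_WITHIN_FOREST     = 0x20

function Get-TrustClassification {
    foreach ($trust in (Get-ADTrust -Filter *)) {
        $attrs = [int]$trust.TrustAttributes
        # Direction is reported from this domain's point of view: an outbound
        # trust means this domain trusts the partner (we are the trusting domain).
        $direction = switch ($trust.Direction) {
            'BiDirectional' { 'two-way' }
            'Outbound'      { 'one-way: this domain is the trusting domain, the partner is trusted' }
            'Inbound'       { 'one-way: this domain is the trusted domain, the partner is trusting' }
            default         { [string]$trust.Direction }
        }
        $kind = if ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
                    'parent-child or shortcut/cross-link (both domains inside this forest)'
                } elseif ($trust.TrustType -eq 'MIT') {
                    'realm (non-AD Kerberos realm)'
                } elseif ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
                    'forest (Kerberos; spans every domain of the partner forest)'
                } else {
                    'external (a single domain in another forest or an NT 4 domain)'
                }
        [pscustomobject]@{
            Partner    = $trust.Target
            Direction  = $direction
            Kind       = $kind
            # Transitivity is a flag of its own, so realm trusts can come out either way.
            Transitive = -not ($attrs -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
        }
    }
}

Get-TrustClassification | Format-List
```

Run it from a domain controller or any domain-joined machine with RSAT; comparing the output against the expected trust design is a quick way to spot a trust that was created with a wider direction or transitivity than intended.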
Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service, on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.
  • Like Active Directory, ADAM provides a Data Store, which is a hierarchical data store for storage of directory data, a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, with each instance having its own and required by applications making use of the ADAM directory service.
  • In Windows Server 2008, ADAM has been renamed AD LDS (Lightweight Directory Services).