20.6. Active Directory

Active Directory is the directory service used in Windows 2000. Windows 2000 uses DNS for its usual purposes (for instance, resolving hostnames to IP addresses) and Active Directory for information specific to Windows 2000 domain objects (for instance, information about user accounts). This can be confusing because Windows 2000 requires the DNS structure and the Active Directory structure to use the same names. A computer that is part of a Windows 2000 domain must have a DNS record that gives its IP address and an Active Directory record that holds the authentication information the computer uses to join the domain. These two records will normally have the same name.
Active Directory uses both DNS and LDAP to communicate with clients. Clients use DNS to find Active Directory servers and LDAP to query those servers. (As discussed previously, the DNS used with Active Directory may be an independent server or may be integrated with Active Directory.) In addition, Active Directory uses Kerberos for authentication (for instance, when authenticating clients in order to perform dynamic updates).
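The "clients use DNS to find Active Directory servers" step above is a DNS SRV lookup followed by the RFC 2782 server-selection procedure. The following is an added example, not code from the book: it builds the SRV names a Windows 2000 domain member queries (the _msdcs owner names are the ones Windows 2000 domain controllers register; the chapter does not list them, so treat them as my assumption), parses a constructed SRV answer, and orders the resulting servers the way a client would before opening LDAP to the first one. The domain, site and host names are constructed sample data.

```python
"""Locating Active Directory servers through DNS SRV records (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_names(domain, site=None):
    """SRV owner names a domain member queries to find domain controllers.

    Assumption (not from the chapter): these are the names Windows 2000 DCs
    register; the site-specific forms let a client prefer a local DC.
    """
    names = {
        "ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{domain}",
    }
    if site:
        names["ldap_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["kerberos_site"] = f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"
    return names


def parse_srv_answer(text):
    """Parse zone-file style lines: 'owner ttl IN SRV prio weight port target.'"""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3].upper() != "SRV":
            continue  # skip anything that is not an SRV record
        records.append(SrvRecord(int(parts[4]), int(parts[5]),
                                 int(parts[6]), parts[7].rstrip(".")))
    return records


def order_srv(records, rng=random):
    """RFC 2782 ordering: lowest priority first; within a priority, a
    weighted random draw, with weight-0 records placed first so they are
    chosen only when the draw is 0."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)  # zeros to the front
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def locate_dc(answer_text, rng=random):
    """Return (host, port) of the server a client would contact first."""
    ordered = order_srv(parse_srv_answer(answer_text), rng)
    if not ordered:
        return None
    return ordered[0].target, ordered[0].port


# Constructed sample answer for the query _ldap._tcp.dc._msdcs.example.test.
SAMPLE_ANSWER = """
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc2.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 10 0 389 dc-backup.example.test.
"""

if __name__ == "__main__":
    print(srv_query_names("example.test", site="HQ"))
    for rec in order_srv(parse_srv_answer(SAMPLE_ANSWER)):
        print(rec)
    print("first LDAP server:", locate_dc(SAMPLE_ANSWER))
```

Two things are worth noticing for a firewall administrator. The port a client will use for LDAP or Kerberos comes from the SRV record, not from a fixed assumption, so the rules permitting clients through to domain controllers should be checked against what the DNS zone actually advertises. And the priority/weight fields decide which servers clients try first, so a zone that lists a server behind the firewall with a low priority will send clients to it even when a closer server exists.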
To distribute information between servers, Active Directory can use either RPC or SMTP. RPC is the default mechanism, and it is used for all communications within a single site. SMTP can only be used between sites (partly because it is not allowed in situations where both servers can modify the same information; in updates that occur between sites, each piece of information is owned by one end of the transfer, whereas in updates within a site, there is normally information that can be modified by either machine). Regardless of the mechanism that's used to distribute information, servers must have access to each other's certificate information in order to communicate because information is transferred in encrypted form.
Active Directory uses valid electronic mail messages when it is transferring data via SMTP. There is no need for the replicating servers to communicate to each other directly; the messages can be routed like any other electronic mail. SMTP is not a particularly efficient or rapid method of transferring the data, but it is extremely flexible, and it is easier to provide securely through a firewall than RPC. Active Directory does try to maximize efficiency on links between sites (no matter which transport is in use) by transmitting only changes and compressing data.
The firewall characteristics of DNS and LDAP are discussed earlier in this chapter, Kerberos is discussed in Chapter 21, "Authentication and Auditing Services", RPC is discussed in Chapter 14, "Intermediary Protocols", and SMTP is discussed in Chapter 16, "Electronic Mail and News".
Copyright © 2002 O'Reilly & Associates. All rights reserved.