What is Windows Active Directory Domain Services?

Active Directory Domain Services

Purpose

Microsoft Active Directory Domain Services are the foundation for distributed networks built on Windows 2000 Server, Windows Server 2003 and Microsoft Windows Server 2008 operating systems that use domain controllers. Active Directory Domain Services provide secure, structured, hierarchical data storage for objects in a network such as users, computers, printers, and services. Active Directory Domain Services provide support for locating and working with these objects.

This guide provides an overview of Active Directory Domain Services and sample code for basic tasks, such as searching for objects and reading properties, to more advanced tasks such as service publication.

Windows 2000 Server and later operating systems provide a user interface for users and administrators to work with the objects and data in Active Directory Domain Services. This guide describes how to extend and customize that user interface. It also describes how to extend Active Directory Domain Services by defining new object classes and attributes.

The following documentation is for computer programmers. If you are an end-user trying to debug a printing error or home network issue, see the Microsoft community forums.

Where applicable

Network administrators write scripts and applications that access Active Directory Domain Services to automate common administrative tasks, such as adding users and groups, managing printers, and setting permissions for network resources.

Independent software vendors and end-user developers can use Active Directory Domain Services programming to directory-enable their products and applications. Services can publish themselves in Active Directory Domain Services; clients can use Active Directory Domain Services to find services, and both can use Active Directory Domain Services to locate and work with other objects on a network.

Developer audience

Applications that access data in Active Directory Domain Services can be written using the Active Directory Service Interfaces (ADSI) API, the Lightweight Directory Access Protocol (LDAP) API, or the System.DirectoryServices namespace of the .NET Framework.

Run-time requirements

Active Directory Domain Services run on Windows 2000 and later domain controllers. However, client applications can be written for and run on Windows Vista, Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows 98, and Windows 95.

In this section

General information about Active Directory Domain Services.

Active Directory Domain Services programming guide.

Active Directory Domain Services programming reference.

Active Directory Domain Services Overview

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.


Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

This data store, also known as the directory, contains information about Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts. For more information about the Active Directory data store, see Directory data store.

Security is integrated with Active Directory through logon authentication and access control to objects in the directory. Every object carries its own security descriptor, so the rights a principal holds on an object (or on an attribute of it) are decided by that object's DACL, not only by group membership. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network. For more information about Active Directory security, see Security overview.
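Because access control is enforced per object, auditing who can modify a container is a matter of reading its security descriptor. The following script is an added example, not code from the original page: it reads the DACL of one organizational unit through System.DirectoryServices and flags ACEs that amount to full control. It assumes Windows PowerShell 5.1 or later on a domain-joined host and an OU named Servers under the domain root; both the OU and the idea of treating WriteDacl and WriteOwner as equivalent to GenericAll are the editor's choices, not the page's.

```powershell
# Added example, not code from the original page: read the discretionary ACL on a
# directory object and flag ACEs that let a principal take over the object.
# Assumptions (illustrative): Windows PowerShell 5.1+ on a domain-joined host, and an
# OU named 'Servers' under the domain root; substitute any DN you want to audit.

Add-Type -AssemblyName System.DirectoryServices

$rootDse = [ADSI]"LDAP://RootDSE"
$target  = [ADSI]"LDAP://OU=Servers,$($rootDse.defaultNamingContext)"

# psbase reaches the DirectoryEntry's own members; ObjectSecurity is an ActiveDirectorySecurity.
# GetAccessRules($includeExplicit, $includeInherited, identity type) returns the DACL's ACEs.
$acl   = $target.psbase.ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# Rights that amount to full control: with WriteDacl or WriteOwner a principal can grant
# itself everything else, so treat them like GenericAll.
$takeoverRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

$report = foreach ($ace in $rules) {
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Type      = $ace.AccessControlType                 # Allow or Deny
        Rights    = $ace.ActiveDirectoryRights
        # ObjectType scopes the ACE to one attribute, property set or extended right (schema GUID);
        # an empty GUID means the ACE applies to the whole object.
        Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'entire object' } else { $ace.ObjectType.ToString() }
        AppliesTo = $ace.InheritanceType                   # None, All, Descendents, SelfAndChildren, Children
        Inherited = $ace.IsInherited
        Takeover  = ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) -and
                    (($ace.ActiveDirectoryRights -band $takeoverRights) -ne 0)
    }
}

$report | Sort-Object Takeover -Descending | Format-Table -AutoSize

# The owner can always rewrite the DACL, so report it alongside the ACEs.
'Owner: ' + $acl.GetOwner([System.Security.Principal.NTAccount]).Value
```

Inherited ACEs are included on purpose: a right granted high in the tree flows down to every object below it, so an audit that reads only explicit ACEs on the OU misses most of what actually applies.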

Active Directory also includes:

A set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names. For more information about the schema, see Schema.

A global catalog that contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data. The global catalog holds only a partial attribute set for objects from other domains, so a search against it can return an object's location but not every attribute. For more information about the global catalog, see The role of the global catalog.

A query and index mechanism, so that objects and their properties can be published and found by network users or applications. For more information about querying the directory, see Finding directory information.

A replication service that distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain. For more information about Active Directory replication, see Replication overview.
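The developer audience paragraph above names System.DirectoryServices as one of the supported APIs, and the items just listed describe the query mechanism and the global catalog. The following script is an added example, not code from the original page, that exercises both: a paged domain search that reads and decodes properties, then a forest-wide lookup through the global catalog. It assumes Windows PowerShell 5.1 or later on a domain-joined host, and the user principal name alice@corp.example.com is made up.

```powershell
# Added example, not code from the original page: query AD DS with the
# System.DirectoryServices API and read attributes of the results.
# Assumptions (all illustrative): Windows PowerShell 5.1+ on a domain-joined host,
# running as a user allowed to read the directory; 'alice@corp.example.com' is a made-up UPN.

Add-Type -AssemblyName System.DirectoryServices

# Discover naming contexts from RootDSE instead of hard-coding distinguished names.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = "$($rootDse.defaultNamingContext)"      # e.g. DC=corp,DC=example,DC=com
$forestDn = "$($rootDse.rootDomainNamingContext)"   # forest root, used for GC:// searches

function Search-Directory {
    param(
        [string]   $SearchRoot,   # LDAP://<dn> for one domain, GC://<dn> for the whole forest
        [string]   $Filter,       # RFC 4515 LDAP filter
        [string[]] $Properties    # attributes to load; keep this list short on large directories
    )
    $searcher = [System.DirectoryServices.DirectorySearcher]::new()
    $searcher.SearchRoot  = [System.DirectoryServices.DirectoryEntry]::new($SearchRoot)
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000      # paged results; without this a DC returns at most 1000 objects
    $searcher.PropertiesToLoad.AddRange($Properties)
    $searcher.FindAll()               # SearchResultCollection, enumerated by the pipeline
}

# A few userAccountControl bit flags (Microsoft KB 305144 lists the full set).
$UAC_ACCOUNTDISABLE       = 0x0002
$UAC_DONT_EXPIRE_PASSWORD = 0x10000
$UAC_DONT_REQ_PREAUTH     = 0x400000

# 1. Domain search: enabled user accounts whose password never expires.
#    1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule; the mask is written in decimal.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$UAC_ACCOUNTDISABLE))" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$UAC_DONT_EXPIRE_PASSWORD))"

$props = 'sAMAccountName', 'userAccountControl', 'pwdLastSet', 'memberOf'
Search-Directory -SearchRoot "LDAP://$domainDn" -Filter $filter -Properties $props |
    ForEach-Object {
        $p   = $_.Properties                           # ResultPropertyCollection; keys are lower-case
        $uac = [int]$p['useraccountcontrol'][0]
        [pscustomobject]@{
            Account    = $p['samaccountname'][0]
            PwdLastSet = [DateTime]::FromFileTime([long]$p['pwdlastset'][0])
            NoPreauth  = ($uac -band $UAC_DONT_REQ_PREAUTH) -ne 0   # Kerberos pre-authentication disabled
            Groups     = $p['memberof'].Count
        }
    } | Format-Table -AutoSize

# 2. Forest-wide lookup through the global catalog. GC:// returns only the partial
#    attribute set; read any other attribute from LDAP:// of the owning domain.
$gcFilter = '(&(objectClass=user)(userPrincipalName=alice@corp.example.com))'
Search-Directory -SearchRoot "GC://$forestDn" -Filter $gcFilter -Properties 'distinguishedName', 'objectSid' |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($_.Properties['objectsid'][0], 0)
        '{0}  {1}' -f $sid.Value, $_.Properties['distinguishedname'][0]
    }
```

Two details matter in practice. Filters are built from literals here; when any part of a filter comes from user input it has to be escaped per RFC 4515 before being concatenated, or the query can be altered. And the global catalog search returns the object's SID and DN, which is exactly what is needed to then bind to the right domain and read the rest.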


Understanding Active Directory

This section provides links to core Active Directory concepts:

For a detailed list of Active Directory concepts, see Understanding Active Directory.

What is Azure Active Directory Domain Services?

Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

An Azure AD DS managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.


How does Azure AD DS work?

When you create an Azure AD DS managed domain, you define a unique namespace. This namespace is the domain name, such as aaddscontoso.com. Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.

You don’t need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the managed domain, including backups and encryption at rest using Azure Disk Encryption.

A managed domain is configured to perform a one-way synchronization from Azure AD to provide access to a central set of users, groups, and credentials. You can create resources directly in the managed domain, but they aren’t synchronized back to Azure AD. Applications, services, and VMs in Azure that connect to the managed domain can then use common AD DS features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication.

In a hybrid environment with an on-premises AD DS environment, Azure AD Connect synchronizes identity information with Azure AD, which is then synchronized to the managed domain.

Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment. The same set of Azure AD DS features exists for both environments.

  • If you have an existing on-premises AD DS environment, you can synchronize user account information to provide a consistent identity for users. To learn more, see How objects and credentials are synchronized in a managed domain.
  • For cloud-only environments, you don’t need a traditional on-premises AD DS environment to use the centralized identity services of Azure AD DS.

You can expand a managed domain to have more than one replica set per Azure AD tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Azure AD DS. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. Replica sets are currently in preview. For more information, see Replica sets concepts and features for managed domains.



Azure AD DS features and benefits

To provide identity services to applications and VMs in the cloud, Azure AD DS is fully compatible with a traditional AD DS environment for operations such as domain-join, secure LDAP (LDAPS), Group Policy, DNS management, and LDAP bind and read support. LDAP write support is available for objects created in the managed domain, but not resources synchronized from Azure AD.
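The page describes secure LDAP (LDAPS) and LDAP bind and read support against a managed domain. The following script is an added example, not code from the original page or from Microsoft: it performs a simple bind over LDAPS with System.DirectoryServices.Protocols, validates the server certificate itself rather than accepting anything, and reads one user that was synchronized from Azure AD. It assumes secure LDAP has already been enabled on the managed domain (it is off by default), that the name ldaps.aaddscontoso.com resolves to the managed domain's secure LDAP endpoint on TCP 636, that the certificate chains to a root the client trusts, and that alice is a synchronized account; all of those names are illustrative.

```powershell
# Added example, not code from the original page: bind to an Azure AD DS managed domain
# over secure LDAP (TCP 636) with System.DirectoryServices.Protocols and read a user
# that was synchronized from Azure AD.
# Assumptions (all illustrative): secure LDAP is enabled on the managed domain and its
# certificate chains to a trusted root; 'ldaps.aaddscontoso.com' resolves to the secure
# LDAP endpoint; 'alice' is a synchronized account. Windows PowerShell 5.1 or later.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'ldaps.aaddscontoso.com'
$baseDn = 'DC=aaddscontoso,DC=com'
$cred   = Get-Credential -Message 'Managed-domain account, e.g. alice@aaddscontoso.com'

$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($server, 636)
$ldap = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$ldap.SessionOptions.SecureSocketLayer = $true        # TLS from the first byte (LDAPS), not StartTLS
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind; safe only inside TLS
$ldap.Credential = $cred.GetNetworkCredential()

# Validate the server certificate explicitly. A callback that just returns $true (a common
# copy-paste) disables verification and lets anyone on the path capture the bind password.
$ldap.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) { return $false }
    # Simplified host-name check: exact match, or a single-label wildcard such as *.aaddscontoso.com
    # (the shape the secure LDAP documentation recommends). GetNameInfo returns the first DNS name only.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    return ($dnsName -eq $server) -or
           ($dnsName.StartsWith('*.') -and $server.EndsWith($dnsName.Substring(1)) -and
            ($server.Split('.').Count -eq $dnsName.Split('.').Count))
}.GetNewClosure()

$ldap.Bind()   # throws LdapException (result code 49 = invalid credentials) if the bind is rejected

$request = [System.DirectoryServices.Protocols.SearchRequest]::new()
$request.DistinguishedName = $baseDn
$request.Filter = '(&(objectClass=user)(sAMAccountName=alice))'
$request.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$request.Attributes.AddRange([string[]]('distinguishedName', 'userPrincipalName', 'memberOf', 'whenChanged'))

$response = [System.DirectoryServices.Protocols.SearchResponse]$ldap.SendRequest($request)
foreach ($entry in $response.Entries) {
    [pscustomobject]@{
        DN          = $entry.DistinguishedName
        UPN         = $entry.Attributes['userPrincipalName'][0]
        Groups      = if ($entry.Attributes.Contains('memberOf')) { $entry.Attributes['memberOf'].GetValues([string]) } else { @() }
        WhenChanged = $entry.Attributes['whenChanged'][0]
    }
}
$ldap.Dispose()
```

Reads like this work for any object in the managed domain; a modify request against the same entry would be refused, because objects synchronized from Azure AD are read-only in the managed domain, as the paragraph above states.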

The following features of Azure AD DS simplify deployment and management operations:

  • Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.
  • Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS.
    • Accounts in external directories linked to your Azure AD aren't available in Azure AD DS. Credentials aren't available for those external directories, so they can't be synchronized into a managed domain.
  • Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain. Note that the managed domain authenticates with NTLM and Kerberos password hashes, which Azure AD does not hold in that form: for cloud-only users they are generated when the user next changes their password after Azure AD DS is enabled, and for hybrid tenants Azure AD Connect must be configured to synchronize them. Until that happens, those users cannot sign in to the managed domain.
  • NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.
  • High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain and resilience to the failure of a single DC.
    • In regions that support Azure Availability Zones, these domain controllers are also distributed across zones for additional resiliency.
    • Replica sets can also be used to provide geographical disaster recovery for legacy applications if an Azure region goes offline.

Some key aspects of a managed domain include the following:

  • The managed domain is a stand-alone domain. It isn’t an extension of an on-premises domain.
    • If needed, you can create one-way outbound forest trusts from Azure AD DS to an on-premises AD DS environment. For more information, see Resource forest concepts and features for Azure AD DS.
  • Your IT team doesn’t need to manage, patch, or monitor domain controllers for this managed domain.

For hybrid environments that run AD DS on-premises, you don’t need to manage AD replication to the managed domain. User accounts, group memberships, and credentials from your on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the managed domain.

Next steps

To learn more about how Azure AD DS compares with other identity solutions, and about how synchronization works, see the related articles.
