What Is Active Directory?

Active Directory service plays many roles, from being the backbone of distributed security in Windows 2000 to providing a framework for publishing network services. It provides a central service for administrators to organize network resources; to manage users, computers, applications, and services; and to secure intranet and Internet network access. In a policy-based networking architecture, Active Directory additionally serves as the "policy store" where policies are defined and bound to objects or aggregates of objects.


Active Directory natively implements the LDAPv3 protocol, schema, and semantics. Support for open standards makes it possible to use a wide variety of software applications with Active Directory. The Active Directory schema, which contains definitions for every object class that can exist in the directory service and thus the universe of objects that can be represented, is extensible. This allows both administrators and software developers to tailor the directory to their needs. The schema is held in Active Directory just as other normal objects are and can be manipulated using the same access methods and tools that are used to access other regular directory objects.


Directory services organize data hierarchically in a tree-like fashion. Within the tree there are two types of entities: Organizational Units (OUs) and objects. OUs are containers that can hold both other OUs and objects. A good analogy is a traditional file system with directories (or folders in the case of the Microsoft Windows 2000 operating system) and files. Directories can contain other directories (i.e., sub-directories) and ultimately sub-directories contain files.


Directory services represent network entities as objects that contain attributes. Within a given directory (or even at the OU level), there can be many different types of objects. Each object type (or more appropriately "class") can contain whatever set of attributes are necessary to accurately model the entity represented by the object. All popular directory services also allow administrators to create new object classes and extend built-in classes (such as those representing users and computers) to contain attributes that are specific to an individual company.
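The two preceding paragraphs make a point that is easy to state but rarely shown: the schema is itself a set of directory objects, so a class definition is read, extended and enforced through the same access path as a user or computer entry. The following is an added example written for this page, not code from the original paper or from Microsoft. It models a toy directory whose class definitions live under a schema container, resolves the inherited mustContain/mayContain sets of a class through its subClassOf chain, validates entries against them, and extends the built-in "user" class with a company-specific attribute. Class and attribute names are borrowed from Active Directory; the entries, the schema container DN and the attribute contosoCostCenter are constructed for the example.

```python
"""Added example (not from the original page): a directory whose schema is stored
as ordinary entries under a schema container, so class definitions are read,
extended and enforced with the same access path as any other object.
Class/attribute names follow Active Directory; all entries are constructed."""

SCHEMA_BASE = "CN=Schema,CN=Configuration,DC=example,DC=com"   # assumed container DN

directory = {}   # distinguished name -> {attribute: [values]}


def add_entry(dn, **attrs):
    """Store an entry; every attribute is multi-valued, as in LDAP."""
    directory[dn] = {k: list(v) if isinstance(v, (list, tuple)) else [v]
                     for k, v in attrs.items()}


def add_class(name, sub_class_of, must=(), may=()):
    """A class definition is just another entry, placed under the schema container."""
    add_entry(f"CN={name},{SCHEMA_BASE}", objectClass=["top", "classSchema"], cn=name,
              subClassOf=sub_class_of, mustContain=list(must), mayContain=list(may))


# A small slice of the built-in class hierarchy (top -> person -> ... -> computer).
add_class("top", "top", must=["objectClass"], may=["description"])
add_class("person", "top", must=["cn"], may=["telephoneNumber"])
add_class("organizationalPerson", "person", may=["title"])
add_class("user", "organizationalPerson", must=["sAMAccountName"], may=["mail", "manager"])
add_class("computer", "user", may=["operatingSystem"])


def class_entry(name):
    """Read a class definition exactly like any other object: by its DN."""
    return directory[f"CN={name},{SCHEMA_BASE}"]


def effective_attributes(class_name):
    """Walk subClassOf up to 'top', collecting inherited mandatory and optional attributes."""
    must, may = set(), set()
    name = class_name
    while True:
        d = class_entry(name)
        must.update(d["mustContain"])
        may.update(d["mayContain"])
        if name == "top":
            return must, may
        name = d["subClassOf"][0]


def validate(dn):
    """Check an entry against its most specific objectClass.
    Returns (sorted missing mandatory attributes, sorted attributes the schema does not allow)."""
    entry = directory[dn]
    must, may = effective_attributes(entry["objectClass"][-1])
    present = set(entry)
    return sorted(must - present), sorted(present - must - may)


def extend_class(class_name, new_may):
    """Extend a built-in class the way any object is modified: edit its schema entry."""
    class_entry(class_name)["mayContain"].extend(new_may)


# Constructed sample entries.
add_entry("CN=Alice,OU=Marketing,DC=example,DC=com",
          objectClass=["top", "person", "organizationalPerson", "user"],
          cn="Alice", sAMAccountName="alice", mail="alice@example.com",
          contosoCostCenter="MKT-100")          # company-specific, not yet in the schema
add_entry("CN=WS01,OU=Workstations,DC=example,DC=com",
          objectClass=["top", "person", "organizationalPerson", "user", "computer"],
          cn="WS01", operatingSystem="Windows 2000")   # lacks the mandatory sAMAccountName

if __name__ == "__main__":
    alice = "CN=Alice,OU=Marketing,DC=example,DC=com"
    print(validate(alice))                                   # ([], ['contosoCostCenter'])
    extend_class("user", ["contosoCostCenter"])              # schema change via the same path
    print(validate(alice))                                   # ([], [])
    print(validate("CN=WS01,OU=Workstations,DC=example,DC=com"))   # (['sAMAccountName'], [])
```

Because "computer" is a subclass of "user", the extension is inherited: after extend_class, a computer entry may also carry contosoCostCenter. The flip side of schema-as-objects is that the same access-control model that protects ordinary entries is what limits who may change the schema; in Active Directory that right is held by the Schema Admins group, and a schema change applies to the whole forest.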

By modeling network elements (such as people and machines) as objects, and supporting many different object classes within a single tree, directory services provide an exceptionally flexible way to store information about the various and diverse entities in a network. In contrast, relational databases typically would require a new table for each type of object, and it would be even more difficult to represent container-style relationships.

Given the flexibility of directory services to store data and model entities, it is important that they also provide flexible ways to find data within the tree. In particular, directories must make it easy to locate objects and attributes within a "scope" of interest. Scopes should include location within the tree (such as all objects contained within the "Marketing" OU) and classes of objects (such as all objects of class "user") regardless of where they are located within the hierarchy.

In fact, via support for the Lightweight Directory Access Protocol (LDAP), all popular directory services support these types of searches in a way that is both simple and efficient. Simplicity comes from the nature of the LDAP API; efficiency comes from the fact that most directory vendors allow administrators to specify which attributes should also be treated as indices in the underlying data store. With such indexing, a search for "all users who are managers and have spending limits over $5,000.00" can be performed quickly, with no need to walk the entire tree. This type of indexing and efficiency is especially important as the industry deploys directory services containing tens of millions of entries.

Visually, the desktop is a metaphor with objects, typically those you use most often, displayed on your screen. Add Windows Explorer to that and you have access to all of the files on all of the disks in your computer. As well as access, you also have control: you can keep the desktop as a traditional double-click environment or make it react as a Web page for single-click access. Right-click an object and you'll find options that let you modify or explore it in a variety of ways.
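The paragraphs above on hierarchy, search scope and indexing describe three mechanisms that fit together: scope restricts where in the tree a search looks, the filter says which objects qualify, and an index lets the server avoid touching every entry. The following is an added example written for this page, not code from the original paper or from any LDAP implementation. It builds a small directory tree, implements the three LDAP search scopes (base, onelevel, subtree), evaluates a subset of the RFC 4515 filter syntax (and/or/not, equality, >= and <=), and keeps an index on chosen attributes so that an indexed equality term narrows the scan. The "managers with spending limits over $5,000" query from the text is run both with and without the index, and search() reports how many entries it actually had to examine. All entries, the domain DN and the attribute spendingLimit are constructed; DN handling is simplified (no escaped commas, no wildcards).

```python
"""Added example (not from the original page): hierarchy, LDAP search scopes, a
subset of RFC 4515 filters and an attribute index over constructed sample data."""
import re

directory = {}   # dn -> {attribute: [values]}
index = {}       # attribute (lower-case) -> value (lower-case) -> set of DNs


def add_entry(dn, **attrs):
    directory[dn] = {k: list(v) if isinstance(v, list) else [v] for k, v in attrs.items()}


def parent_dn(dn):
    """'CN=Bob,OU=Marketing,DC=example,DC=com' -> 'OU=Marketing,DC=example,DC=com'.
    Simplified: assumes no escaped commas in RDN values."""
    return dn.split(",", 1)[1] if "," in dn else ""


def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "onelevel":
        return parent_dn(dn) == base
    return dn == base or dn.endswith("," + base)          # subtree


def parse_filter(text):
    """Nested tuples: ('&', [subs]) / ('|', [subs]) / ('!', [sub]) / (op, attr, value)."""
    assert text and text[0] == "(" and text[-1] == ")", "filter must be parenthesised"
    inner = text[1:-1]
    if inner[0] in "&|!":
        subs, depth, start = [], 0, 1
        for i in range(1, len(inner)):                # split top-level sub-filters
            depth += {"(": 1, ")": -1}.get(inner[i], 0)
            if depth == 0 and inner[i] == ")":
                subs.append(parse_filter(inner[start:i + 1]))
                start = i + 1
        return (inner[0], subs)
    m = re.fullmatch(r"([A-Za-z][\w-]*)(>=|<=|=)(.*)", inner)
    if not m:
        raise ValueError("unsupported filter: " + text)
    return (m.group(2), m.group(1).lower(), m.group(3))   # attribute names are case-insensitive


def _compare(values, op, target):
    for v in values:
        try:
            a, b = int(v), int(target)                    # numeric when both sides parse
        except ValueError:
            a, b = str(v).lower(), target.lower()          # otherwise case-insensitive string
        if (op == "=" and a == b) or (op == ">=" and a >= b) or (op == "<=" and a <= b):
            return True
    return False


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(s, entry) for s in node[1])
    if op == "|":
        return any(matches(s, entry) for s in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    lowered = {k.lower(): v for k, v in entry.items()}
    return attr in lowered and _compare(lowered[attr], op, value)


def build_index(*attrs):
    """Index the named attributes, as an administrator would configure on the server."""
    index.clear()
    for dn, entry in directory.items():
        for attr in attrs:
            for v in entry.get(attr, []):
                index.setdefault(attr.lower(), {}).setdefault(str(v).lower(), set()).add(dn)


def candidates(node):
    """Candidate DNs from the index, or None when the filter forces a full scan."""
    if node[0] == "=" and node[1] in index:
        return set(index[node[1]].get(node[2].lower(), set()))
    if node[0] == "&":
        sets = [c for c in (candidates(s) for s in node[1]) if c is not None]
        return set.intersection(*sets) if sets else None
    return None


def search(base, scope, filter_text):
    """Return (sorted matching DNs, number of in-scope entries whose attributes were evaluated)."""
    node = parse_filter(filter_text)
    pool = candidates(node)
    pool = list(directory) if pool is None else pool
    hits, examined = [], 0
    for dn in pool:
        if not in_scope(dn, base, scope):
            continue
        examined += 1
        if matches(node, directory[dn]):
            hits.append(dn)
    return sorted(hits), examined


# Constructed sample tree: a domain, three OUs (one nested), three users, one computer.
BASE = "DC=example,DC=com"
add_entry(BASE, objectClass=["top", "domain"])
add_entry(f"OU=Marketing,{BASE}", objectClass=["top", "organizationalUnit"], ou="Marketing")
add_entry(f"OU=Field,OU=Marketing,{BASE}", objectClass=["top", "organizationalUnit"], ou="Field")
add_entry(f"OU=Engineering,{BASE}", objectClass=["top", "organizationalUnit"], ou="Engineering")
add_entry(f"CN=Alice,OU=Marketing,{BASE}", objectClass=["top", "person", "user"],
          cn="Alice", title="Manager", spendingLimit=7500)
add_entry(f"CN=Bob,OU=Field,OU=Marketing,{BASE}", objectClass=["top", "person", "user"],
          cn="Bob", title="Manager", spendingLimit=2500)
add_entry(f"CN=Carol,OU=Engineering,{BASE}", objectClass=["top", "person", "user"],
          cn="Carol", title="Manager", spendingLimit=12000)
add_entry(f"CN=WS01,OU=Engineering,{BASE}", objectClass=["top", "computer"], cn="WS01")

MANAGERS = "(&(objectClass=user)(title=manager)(spendingLimit>=5000))"

if __name__ == "__main__":
    print(search(BASE, "subtree", MANAGERS))                   # full scan: 8 examined
    build_index("objectClass", "title")
    print(search(BASE, "subtree", MANAGERS))                   # indexed: 3 examined
    print(search(f"OU=Marketing,{BASE}", "onelevel", "(objectClass=user)"))   # Alice only
```

Run without an index, the manager query touches all eight entries; with objectClass and title indexed, only the three users are evaluated, which is the difference the text is pointing at once the tree holds millions of entries. The onelevel search on OU=Marketing returns Alice but not Bob, who sits one level deeper in OU=Field, while a subtree search from the same base returns both.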
