Active Directory is either deployed as AD DS or as AD LDS. This document describes both forms. When the specification does not refer specifically to AD DS or AD LDS, it applies to both.
The remainder of this section describes the structure of this document.
The basic state model is specified in section 220.127.116.11. The basic state model is prerequisite to the remainder of the document. Section 18.104.22.168 also includes descriptive content to introduce key concepts and refer to places in the document where the full specification is given.
LDAP is an access protocol that determines very little about the behavior of the data being accessed. Section 22.214.171.124 specifies read (LDAP Search) behaviors, and section 126.96.36.199 specifies update (LDAP Add, Modify, Modify DN, Delete) behaviors. Section 188.8.131.52 specifies background tasks required due to write operations, to the extent that those tasks are exposed by protocols.
One of the update behaviors is the maintenance of the change log for use by Windows NT 4.0 operating system backup domain controller (BDC) replication [MS-NRPC] section 3.6. The maintenance of this change log is specified in section 184.108.40.206.
The security services that Active Directory offers clients of LDAP are specified in section 5.1.
A server running Active Directory is part of a distributed system that performs replication. The Knowledge Consistency Checker (KCC) is a component that is used to create spanning trees for DC-to-DC replication, and is specified in section 6.2.
A server running Active Directory is responsible for publishing the services that it offers, in order to eliminate the administrative burden of configuring clients to use particular servers running Active Directory. A server running Active Directory also implements the server side of the LDAP ping and mailslot ping protocols to aid clients in selecting among all the servers offering the same service. Section 6.3 specifies how a server running Active Directory publishes its services, and how a client needing some service can use this publication plus the LDAP ping or mailslot ping to locate a suitable server.
Computers in a network with Active Directory can be put into a state called "domain joined"; when in this state, the computer can authenticate itself. Section 6.4 specifies both the state in Active Directory and the state on a computer required for the domain joined state.
Each type of data stored in Active Directory has an associated function that compares two values to determine if they are equal and, if not, which is greater. Section 220.127.116.11 specifies all but one of these functions; the methodology for comparing two Unicode strings is specified in section 6.5.