2 Functional Overview

The Active Directory protocols provide a centralized directory service with the ability to integrate with the Windows domain security model. They are used for the following purposes:

  • For storage of data that is a good fit to the data model used by LDAP [LDAP] and the other Active Directory Services protocols, namely, hierarchically organized objects that consist of a collection of attributes.

  • For storage of relatively static data that is expected to be read at a significantly higher rate than it is updated.

  • For use in scenarios where domain integration capabilities are required. When deploying the Active Directory system to provide these capabilities, the AD DS mode of operation is used.

  • For use in scenarios where other systems that have a dependency on the Active Directory system, such as Group Policy or Message Queuing, are to be deployed. When deploying the Active Directory system in support of these other systems, make sure to choose the appropriate mode of operation (typically, AD DS) for the Active Directory system.

  • As a directory service for use by applications, such as web portals, that store information about their registered users. In scenarios where domain integration capabilities are not required, the AD LDS mode of operation can be a particularly good choice because it does not require support for protocols such as SAMR, LSAD, and LSAT that are not used by the client application in these scenarios.

  • For replication of objects. Active Directory is a distributed directory service that stores objects that represent real-world entities such as users, computers, services, and network resources. Objects in the directory are distributed among all domain controllers in a forest. Directory replication protocols DRSR, SRPL, and SAMS are used to replicate directory objects between different domain controllers.
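The first bullet above describes the data that fits the directory well: hierarchically organized objects, each a collection of (possibly multi-valued) attributes, addressed by distinguished name. The following added example is not part of this specification or of any Microsoft implementation; it is a small in-memory model of that data model, using a constructed LDIF sample and a deliberately simplified DN parser (only backslash-escaped commas are handled, and DN comparison is plain case-insensitive string matching rather than full LDAP DN matching rules). The function and sample names are hypothetical.

```python
"""Toy model of the LDAP data model the overview refers to: a tree of
entries keyed by DN, each entry a bag of multi-valued attributes.
Added example code; all names and the LDIF sample are constructed."""
import base64
from typing import Dict, List, Optional

# Constructed LDIF sample (not from any real directory): a domain root, two
# containers and one user with a multi-valued attribute and a base64 value.
SAMPLE_LDIF = """\
dn: DC=example,DC=test
objectClass: domainDNS
dc: example

dn: CN=Users,DC=example,DC=test
objectClass: container
cn: Users

dn: OU=Engineering,DC=example,DC=test
objectClass: organizationalUnit
ou: Engineering

dn: CN=Alice Example,OU=Engineering,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
cn: Alice Example
sAMAccountName: alice
description:: QWRkZWQgdmlhIExESUY=
memberOf: CN=Domain Users,CN=Users,DC=example,DC=test
memberOf: CN=Engineers,OU=Engineering,DC=example,DC=test
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse a subset of LDIF: records separated by blank lines,
    'attr: value' lines, 'attr:: base64' lines, and continuation lines
    starting with a single space. Returns {dn: {attr: [values]}}."""
    logical: List[str] = []
    for raw in text.splitlines():          # fold continuation lines
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn: Optional[str] = None
    for line in logical + [""]:            # sentinel flushes the last record
        if line == "":
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas only
    (simplification; real DN syntax is richer)."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parent_dn(dn: str) -> Optional[str]:
    """Syntactic parent: drop the leftmost RDN; None at the top of the tree."""
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it (case-insensitive match)."""
    cur: Optional[str] = dn
    while cur is not None:
        if cur.casefold() == base.casefold():
            return True
        cur = parent_dn(cur)
    return False


def children(entries: Dict[str, Entry], dn: str) -> List[str]:
    """Immediate children of dn, i.e. a one-level scope listing."""
    return sorted(e for e in entries
                  if (parent_dn(e) or "").casefold() == dn.casefold())


def search(entries: Dict[str, Entry], base: str, attr: str, value: str) -> List[str]:
    """Subtree-scoped equality search: DNs under base whose attribute
    attr (case-insensitive name) contains value exactly."""
    hits = [dn for dn, attrs in entries.items()
            if in_subtree(dn, base)
            and any(n.casefold() == attr.casefold() and value in vals
                    for n, vals in attrs.items())]
    return sorted(hits)


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    print(children(tree, "DC=example,DC=test"))
    print(search(tree, "OU=Engineering,DC=example,DC=test", "sAMAccountName", "alice"))
```

The `search` function mirrors what a subtree-scoped LDAP search with an equality filter returns: scope is decided by walking the DN hierarchy, while the filter is evaluated against each entry's attribute bag, which is why hierarchical, attribute-valued data fits this model and large unstructured blobs do not.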

The Active Directory protocols are not used for the following purposes:

  • As a replacement for a file system. Directory services such as the Active Directory system are not intended for storing highly volatile data, and emphasize read performance over write performance. They are also not designed for storing large amounts of unstructured data, such as storing a multimegabyte value in a single attribute of a directory object.

  • As a means of passing transient messages between clients. The Active Directory system is not intended to be a message-passing system. Applications that require such a system are encouraged to investigate the use of a system that is designed for that purpose.

There is no interoperability requirement that an implementation of the Active Directory system support both the AD DS and AD LDS modes of operation. Implementers are free to implement either or both modes of operation, depending on their requirements for and intended use of the Active Directory system.