Active Directory Technology Backgrounder
Active Directory is the Windows directory service that provides a unified view of complex networks. It reduces the number of directories and namespaces with which a developer must contend. To use the ADSI technology, client computers must have ADSI 2.5 or later installed on them. ADSI 2.5 is automatically installed with Windows 2000 and therefore does not require installation.
In a typical organization, there are often diverse types of directories in use. These may include Windows NT directories, application-specific directories, and directories of network resources. This variety can cause problems for end users, developers, and administrators. A user may encounter problems while trying to log on to multiple resources. An administrator may face difficulties in maintaining network resources on diverse systems. As a developer, you may need to write an application to seamlessly interact with several different directories.
Visual Basic Note Although you could access Active Directory Services Interfaces (ADSI) in Microsoft Visual Basic version 6.0, programming for it involved a complex series of API calls. Now you can simply use the DirectoryEntry component.
Active Directory Basic Concepts
Active Directory provides a straightforward structuring of a complicated network of computers. An Active Directory system is arranged in a hierarchical tree. Each node represents a resource or service available on the network and contains a set of properties that can be retrieved and manipulated.
A directory is an information source used to store information about interesting objects. A telephone directory stores information about telephone subscribers. In a file system, the directory stores information about files. In a distributed computing system or a public computer network such as the Internet, there are many interesting objects: printers, fax servers, applications, databases, and other users. Users want to find and use these objects. Administrators want to manage how these objects are used.
A directory service differs from a directory in that a service is both the information source and the functionality that makes the information available to users. For example, a directory service stores information about objects such as users. That information can be used for identification when communicating with network resources, but also as the definition of where the object fits into the overall hierarchical scheme. Scope is the limits defined for searching the tree or subtrees. For more information about namespaces, scopes, containers, and domains, see About ADSI. For more information about the administration and data models, see Active Directory Architecture.
Active Directory Schema
Active Directory schemas define attributes for directory objects in much the same way that database schemas define structures for databases. This schema information is stored with an Active Directory hierarchy to help expedite member searches on large directories. For more information, see Active Directory Schema.
Active Directory provides a variety of security tools such as Secure Sockets Layer and Kerberos encryption to create a flexible security environment for developers. For more information, see Active Directory Security.
Working with Active Directory in Visual Studio or the .NET Framework
The DirectoryEntry component makes it easy to access an object from a directory and work with its data and behaviors. When you give the DirectoryEntry component a valid directory path in an Active Directory hierarchy, it returns an ADSI COM object that you can manipulate. Examples of ADSI objects include users, computers, services, organizations of user accounts and computers, file systems, and file service operations.
You can use the DirectoryEntry component to work with directories in an Active Directory hierarchy in several ways:
- You can search an Active Directory hierarchy to find a particular service or object.
- You can encapsulate a node from a hierarchy and manipulate or query its properties.
- You can add new nodes to the hierarchy.
You can use the DirectoryEntry component to automate common administrative tasks, such as adding users and groups, managing printers, and setting permissions on network resources. You can use DirectoryEntry components to interact with any resource on any directory system in your enterprise.
ADSI and Active Directory Schema
Active Directory uses a schema to define what information about a network node is accessible. The DirectoryEntry and DirectorySearcher components use this information to conduct searches and view individual properties of nodes in the directory. Schemas are stored within an Active Directory hierarchy, making searching and accessing a large directory more efficient. Schemas provide a means to create global definitions for object types stored in the directory and are given useful names such as "user," and "computer". The type of information that you would access on a network computer would be different from that of a user in a domain.
The DirectoryEntry component also uses Active Directory schemas when creating new objects. You are required to specify a preexisting schema name that the object will be associated to. Microsoft provides example schemas with the ADSI SDK in the MMC folder of the Samples directory.
Providers and Objects
Each type of directory system you can access with the DirectoryEntry component has a specific directory protocol (called a service provider) that allows you to access and work with that directory's contents. ADSI was created to eliminate the difficulty of switching back and forth between these protocols by enabling developers to access all of the protocols through a single interface.
When you create an instance of a DirectoryEntry component, you specify a path for it that indicates the type of provider in use on the system you are accessing and the object to which you want to bind. The following table lists the service providers you can access and the identifiers for each.
|Service provider||Path identifier|
|Windows 2000 or Windows XP||WinNT://path|
|Lightweight Directory Access Protocol (LDAP)||LDAP://path|
|Novell NetWare Directory Service||NDS://path|
|Novell Netware 3.x||NWCOMPAT://path|
For more information about what constitutes a valid directory path in an Active Directory hierarchy for each type of provider, see Namespaces.
Each service provider makes available to you a different set of objects with associated data and behaviors that you can access and manipulate. These objects correspond to items and resources in the directory tree for that namespace. Many of the providers have objects in common. For example, all of the providers give you access to a group object that represents a group account, and a user object that represents a user account.
For the Windows NT service providers, you can access domains, computers, print queues, and sessions. For the LDAP provider, you can access organizations, locality, and Root DS Entry (rootDSE) objects. The Root DS Entry is a required set of operational attributes that the user can read to find out fundamental characteristics of the directory and the server. The rootDSE is required only for LDAP providers.