What is Active Directory
Active Directory (AD) is a directory database that stores objects and the policies governing how those objects interact.
Object: the smallest unit in the database that AD manages. Each object carries a set of mandatory and optional attributes (properties), and can represent a user, computer, printer, shared folder or any other resource used in an organization. Typical object types in AD include Forest / Domain / OU / User / Group / Contact / Computer / Shared Folder / Printer / Site / Subnet.
Within its own organizational unit (OU) or container, an object (container or leaf) is identified by its Relative Distinguished Name (RDN); for users, groups and computers the RDN is the Common Name (CN), for an OU it is the OU name, for a domain component it is DC. Across the whole domain, each object is uniquely identified by its Distinguished Name (DN): the object's own RDN followed by the RDNs of every container up to the domain root.
Example DN of the default Users container: cn=users,dc=uclab,dc=com (RDN cn=users, inside the domain dc=uclab,dc=com).
- Container Object: an object that can hold other container objects or leaf objects. Default pre-installed containers are Domain Controllers / Computers / Users / Builtin / ForeignSecurityPrincipals. Note that Domain Controllers is actually an organizational unit (ou=Domain Controllers), while the other four are plain containers (cn=...); this matters because Group Policy can be linked to an OU but not to a container.
- Leaf Object: an object that cannot hold other objects.
- Security Principal Object: an object that has a security identifier (SID), such as a user, computer or security group, and can therefore be authenticated and appear in access control lists; these are the objects used for authentication, authorization and access control.
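The following is an added example, not code from the original page: a small Python module that decomposes a DN into its RDNs (RFC 4514), recovers the object's own RDN and its parent container, and builds a new DN with proper escaping. uclab.com is the page's example domain; the user names are constructed sample data. The last two lines show why a value taken from untrusted input must be escaped before it is spliced into a DN: an unescaped comma relocates the object into a different container.

```python
"""Decompose and build Active Directory distinguished names (RFC 4514).

Added example, not code from the original page. uclab.com is the page's
example domain; the user names are constructed sample data.
"""
from __future__ import annotations

import string

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 s.2.4).
_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in an RDN unchanged."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # A leading '#' and a leading or trailing space are also special.
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, ignoring occurrences preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _strip_unescaped(s: str) -> str:
    """Drop optional whitespace around separators, but keep an escaped trailing space."""
    s = s.lstrip(" ")
    while s.endswith(" "):
        backslashes = len(s[:-1]) - len(s[:-1].rstrip("\\"))
        if backslashes % 2:  # odd count: the space itself is escaped
            break
        s = s[:-1]
    return s


def _unescape(value: str) -> str:
    """Undo backslash escapes, including \\XX hex pairs (treated as UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(type, value), ...], the object's own RDN first, the domain root last."""
    components = []
    for raw in _split_unescaped(dn, ","):
        raw = _strip_unescaped(raw)
        if not raw:
            continue
        attr_type, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {raw!r}")
        components.append((attr_type.strip().lower(), _unescape(_strip_unescaped(value))))
    return components


def rdn(dn: str) -> tuple[str, str]:
    """The Relative Distinguished Name: the leaf component naming the object in its container."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """DN of the container or OU that holds the object."""
    return ",".join(f"{t}={escape_dn_value(v)}" for t, v in parse_dn(dn)[1:])


def build_dn(attr_type: str, value: str, parent: str) -> str:
    """Place a new object under parent, escaping the value so it cannot add RDNs."""
    return f"{attr_type}={escape_dn_value(value)},{parent}"


if __name__ == "__main__":
    users = "cn=users,dc=uclab,dc=com"
    print(parse_dn(users))
    safe = build_dn("cn", "Smith, John", users)
    print(safe, rdn(safe), parent_dn(safe))
    # Without escaping, a comma in attacker-controlled input relocates the object:
    print(parent_dn(f"cn={'x,ou=admins'},{users}"))
```

Multi-valued RDNs (cn=a+sn=b) are not split apart here; they are legal but rarely seen in AD.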
ObjectClass Vs. ObjectCategory
- objectClass: the set of mandatory and optional attributes an object can carry, defined in the AD schema. The objectClass attribute of an object is multi-valued and reflects the class hierarchy, because a child class inherits the attributes of its parent: a user object has objectClass = top, person, organizationalPerson, user, and a computer object adds computer to that same chain. A filter on (objectClass=user) therefore also matches computers.
- objectCategory: single-valued and indexed; it holds the DN of the class's defaultObjectCategory in the schema (for users, CN=Person,CN=Schema,CN=Configuration,...), and AD accepts the short form objectCategory=person in filters. Because contacts also have objectCategory=person, the usual filter for real user accounts combines both: (&(objectCategory=person)(objectClass=user)).
Most-Frequently Used Attributes for AD Users
- Login ID: sAMAccountName
- First Name: givenName
- Middle Name: middleName
- Last Name: sn
- Manager: manager
- Department: department
- E-Mail Address: mail
- Telephone Number: telephoneNumber
- IP Phone Number: ipPhone
- Mobile Number: mobile
- Home Phone: homePhone
LDAP Query & Search Filter
LDAP Search over Port 3268 Vs. Port 389
Port 3268 (Global Catalog): searches objects across the entire forest (all domains), using an empty search base to cover every domain partition. Only the partial attribute set is returned: the attributes marked "Replicate this attribute to the Global Catalog" in the Active Directory Schema snap-in for MMC. Because a GC server holds a read-only partial replica of every domain, a forest-wide search is answered by one server instead of chasing referrals to each domain's controllers, which is why it is faster than the same search over port 389.
Port 389: searches a single domain partition on the domain controller you connect to, and returns every attribute of the matching objects that the caller is allowed to read; objects in other domains of the forest come back only as referrals. Both ports carry cleartext LDAP unless you use StartTLS, SASL signing and sealing, or the TLS ports 636 (LDAPS) and 3269 (Global Catalog over TLS).
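The following is an added example, not code from the original page. It builds the user-lookup filter discussed under objectClass vs. objectCategory, escapes untrusted input per RFC 4515, requests the page's list of common user attributes, picks port and base DN for a domain-wide versus forest-wide search, and then evaluates the filters offline against three constructed entries (a user, a computer and a contact) with the objectClass chains AD really assigns. The evaluator covers only the filter subset used here (&, |, !, equality with * wildcards); the filter strings themselves are what you would pass to ldapsearch, ldap3 or Get-ADObject -LDAPFilter.

```python
"""Build, escape and evaluate AD LDAP search filters (RFC 4515).

Added example, not code from the original page. The three directory
entries below are constructed sample data for the page's example domain
uclab.com; the evaluator covers only the filter subset used here.
"""
from __future__ import annotations

import re
import string

# RFC 4515 s.3: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted input before splicing it into a filter (prevents LDAP injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Match one real user account by logon ID.

    (objectClass=user) alone also matches computers, because the computer
    class inherits from user; (objectCategory=person) alone also matches
    contacts. The conjunction matches only user accounts.
    """
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(sam_account_name)}))")


# The page's "most frequently used" user attributes; request these explicitly
# instead of '*' so the response carries only what you need.
USER_ATTRS = ["sAMAccountName", "givenName", "middleName", "sn", "manager", "department",
              "mail", "telephoneNumber", "ipPhone", "mobile", "homePhone"]


def search_target(domain_dn: str, forest_wide: bool) -> tuple[int, str]:
    """Port and base DN: 389 with the domain DN for one domain; 3268 (global
    catalog) with an empty base to cover every domain in the forest."""
    return (3268, "") if forest_wide else (389, domain_dn)


# Constructed sample entries, with the objectClass chains AD really assigns.
SAMPLE_OBJECTS = [
    {"dn": "cn=jsmith,cn=users,dc=uclab,dc=com", "sAMAccountName": ["jsmith"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["person"]},
    {"dn": "cn=WS01,cn=computers,dc=uclab,dc=com", "sAMAccountName": ["WS01$"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["computer"]},
    {"dn": "cn=vendor,cn=users,dc=uclab,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "objectCategory": ["person"]},
]


def _unescape_filter(s: str) -> str:
    """Turn \\XX hex escapes back into characters (bytes decoded as UTF-8)."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\" and i + 2 < len(s) and all(c in string.hexdigits for c in s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def _values(obj: dict, attr: str) -> list[str]:
    """Case-insensitive attribute lookup; every value is treated as multi-valued."""
    for key, val in obj.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _split_top_level(s: str) -> list[str]:
    """Split '(a)(b)(c)' into its parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(obj: dict, flt: str) -> bool:
    """Evaluate &, |, ! and equality (with '*' wildcards) against one entry."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [matches(obj, sub) for sub in _split_top_level(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, pattern = body.partition("=")
    # An unescaped '*' is a wildcard; '\2a' becomes a literal asterisk after unescaping.
    regex = ".*".join(re.escape(_unescape_filter(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE | re.DOTALL) for v in _values(obj, attr))


def find(flt: str) -> list[str]:
    """DNs of the sample entries that the filter matches."""
    return [o["dn"] for o in SAMPLE_OBJECTS if matches(o, flt)]


if __name__ == "__main__":
    print(find("(objectClass=user)"))        # user and computer
    print(find("(objectCategory=person)"))   # user and contact
    print(find(user_filter("jsmith")))       # only the user
    raw = "*"                                # attacker-supplied logon ID
    print(find(f"(sAMAccountName={raw})"))   # unescaped: every account
    print(find(f"(sAMAccountName={escape_filter_value(raw)})"))  # escaped: nothing
```

The last two lines are the injection case: a logon ID copied verbatim into (sAMAccountName=...) lets a caller turn a single-account lookup into a wildcard match, while the escaped form matches only an account literally named "*".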
References for LDAP & Active Directory learning:
- The LDAP Explorer
- Active Directory 360 – All about Active Directory
- The SelfADSI – The LDAP & ADSI Scripting Tutorial
- Florian's Blog – Insights about Active Directory