Talk:Active Directory

From Wikipedia, the free encyclopedia
A version of this article was copy edited by lfstevens, a member of the Guild of Copy Editors, in December 2010.

DNS is required?[edit]

In the 2nd para there is a line "indeed DNS is required". What's the meaning of this emphasis? Jay 10:42, 27 Jan 2005 (UTC)

Some other directory services can use a variety of name resolution schemes, but AD mandates DNS because it uses SRV records in DNS to locate servers and services. It also forms the basis of the AD naming scheme.--Askegg 04:01, 8 August 2005 (UTC)

TCP/IP was optional in early Windows avatars, as Windows had its own stack (NetBIOS/NetBEUI). It's a measure of TCP/IP's ubiquitousness that AD requires DNS, which is based on TCP/IP (well, strictly UDP/IP). Ambarish 21:08, 15 Apr 2005 (UTC)

Where do sites fit?[edit]

I'm confused about Sites. The entry says: As a further subdivision AD supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets.

Where do Sites fit in the hierarchy? Forest -> Tree -> Site or Forest -> Site.

--Jonwatson 19:22, 31 May 2005 (UTC)

A site has nothing to do with the structure and function of AD itself, but is provided to manage replication. All servers on the same LAN can be grouped into sites and the replication to other sites can be controlled through policies. --Askegg 04:01, 8 August 2005 (UTC)

Correct. It's kind of cool how MS have separated the logical structure from the physical structure... most elegant design, I must say. - Ta bu shi da yu 04:40, 8 August 2005 (UTC)

What does "IP" have to do with "physical"?? With the introduction of VLANs, IP subnets can be arbitrarily spread over a region... — Preceding unsigned comment added by (talk) 11:10, 20 July 2011 (UTC)

Wikipedia:Microsoft notice board[edit]

Note: to start this off I'm posting this to a few Microsoft articles.

I have kicked this off as I think we can do a lot better on many of our Microsoft related articles. Windows XP is just one example of a whole bunch of people getting together to fix up issues of NPOV, fact and verifiability of an article. I think that no matter whether you like Microsoft or not that we could definitely do with a review of: a) the articles that we already have, and b) the articles that we should have in Wikipedia! - Ta bu shi da yu 02:06, 10 Jun 2005 (UTC)

<div id="trust"> </div> in the Trust paragraph.[edit]

What is this doing in the trust paragraph? It has been here for a while ( Since Oct 2004 [1] ) and if it serves no purpose it should be removed. --2mcmGespräch 22:41, 17 October 2005 (UTC)

Looks like he inserted it for an internal link. I'd guess he didn't realise that you can use the existing ID's generated by the headings to link to. Plugwash 03:56, 30 October 2005 (UTC)
At the time the editor inserted that div it looks like he/she was thinking about later having trust be a paragraph but not a section. The div was inserted so that people could link to Active Directory#trust. The div was redundant as the editor also added a trust section and that never went away. I removed the div. --Marc Kupper|talk 22:34, 15 November 2010 (UTC)

Other tools[edit]

MS DO interoperate with plenty of external tools. AD is based on LDAP and Kerberos and it is easy to integrate MS and non-MS directories and Kerberos environments using the latest OpenLDAP and MIT Kerberos libraries. This is a prime example of the opinionated anti-MS FUD coming from people that don't know what they are talking about.

  • Wikipedia is full of anti-MS content. —Preceding unsigned comment added by (talk) 12:47, 5 August 2009 (UTC)

AD vs DC[edit]

What AD and DC on Windows view and on Linux view?

Um, what? - Ta bu shi da yu 02:35, 18 April 2006 (UTC)


I want to know how many sites one domain can have? I.e. for a maximum of how many sites in one domain can the replication take place...

There is no relationship between sites and domains. Sites are part of the configuration naming context and are hence common to all domains within a forest. There are ultimately limits to the number of sites that can be supported however the environment would need to be extremely large. I have seen 800 sites supported without too many problems. The actual replication topology (i.e. inter site links) will be as important as the core number of sites. 800 sites in a chain end to end is a far different proposition to a single hub with 799 spoke sites.

Sites are a logical construct and not a physical one. The concept is to define 'zones' for replication, search space for the preferred domain controller for logon authentication, etc. Microsoft has different treatments for activities defined as being within the same site vs. activities occurring between sites.

AD replication and dFS replication are two oft-cited instances of this treatment: If multiple AD domain controllers exist in each of two or more sites, replication will occur primarily between DCs within a given site, with 'bridgehead' servers providing a link for replication between sites (and then relaying that information to other servers within the site).

But another demonstration of sites can be found by opening MS AD-supporting DNS. Under forward lookups, you'll see MSDCS records; under those records you'll see sites, and within a site you'll be able to drill down to a TCP 389 record (LDAP). Since a Windows logon provides only the following [username+password+domain] in its logon request, something must support locating a physical domain controller as the destination for the logon request. That 'something' is DNS; specifically, a search for that LDAP service. So, functionally, the requesting machine goes to DNS, looks under the domain name, looks in its own site (if available), and finds the server(s) supporting LDAP. If you only have one site, all servers are seen as equally available. That's why, if you have preferences for the authenticating domain controller, or if you want to avoid authenticating over a WAN link, the assignment of sites can control the default action for logons (and controlling replication, etc.)

Sites are defined as named objects, but hosts are assigned to a site by their IP address, so sites should be built to contain one or more IP subnets which you want to be seen as relatively 'together', and 'separated' from other IP subnets assigned to one or more additional sites. —Preceding unsigned comment added by (talk) 00:29, 7 October 2007 (UTC)
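The lookup the post describes, as an added illustration that is not from the talk page or from Microsoft's DC locator code: the client's IP is mapped to a site by longest-prefix match over the subnet objects, then the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` SRV record is tried before the domain-wide one. All site names, subnets, hostnames and records are constructed sample data; the real locator also performs automatic site coverage and a CLDAP liveness check, which are left out here.

```python
import ipaddress

# Constructed site-to-subnet assignments. In AD these are subnet objects in the
# Configuration naming context, each linked to exactly one site.
SUBNETS = {
    "10.1.0.0/16": "Headquarters",
    "10.1.50.0/24": "Headquarters-Lab",   # more specific subnet wins for 10.1.50.x
    "192.168.20.0/24": "Branch-Office",
}

# Constructed SRV records as they would appear under _msdcs.<domain>:
# name -> list of (priority, weight, port, target).
SRV_RECORDS = {
    "_ldap._tcp.Headquarters._sites.dc._msdcs.example.corp": [
        (0, 100, 389, "dc1.example.corp"),
        (10, 100, 389, "dc2.example.corp"),
    ],
    "_ldap._tcp.Branch-Office._sites.dc._msdcs.example.corp": [
        (0, 100, 389, "dc3.example.corp"),
    ],
    "_ldap._tcp.dc._msdcs.example.corp": [
        (0, 100, 389, "dc1.example.corp"),
        (0, 100, 389, "dc2.example.corp"),
        (0, 100, 389, "dc3.example.corp"),
    ],
}


def site_for_ip(ip, subnets=SUBNETS):
    """Map a client IP to a site by longest-prefix match over the subnet objects.

    Returns None when no subnet object covers the IP; such a client gets no
    site hint and may end up authenticating to any DC in the domain.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def candidate_dcs(domain, site, records=SRV_RECORDS):
    """Return DC targets in the order a client would try them.

    The site-specific record is queried first; if it is absent (a site with no
    DC of its own), the domain-wide record is used, which can mean a WAN logon.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        rrs = records.get(name)
        if rrs:
            # Lower priority value is preferred; weight only balances within a priority.
            return [target for (_prio, _weight, _port, target) in sorted(rrs, key=lambda r: r[0])]
    return []


def locate_dc(client_ip, domain):
    """Full flow: client IP -> site -> ordered DC list (empty if DNS has no records)."""
    return candidate_dcs(domain, site_for_ip(client_ip))
```

Clients in the Headquarters-Lab site or in no defined subnet fall through to the domain-wide record, which is the case the post warns about when it mentions authenticating over a WAN link.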

AD management[edit]

Are there any other tools for AD management other than the MMC? I'm specifically trying to manage users from a linux machine. -- 13:33, 24 April 2007 (UTC)

You can use a UNIX LDAP tool to do this; simply bind to the domain controller using an account with rights to manage the users you are concerned with.

If you need to manage your keytabs, have a look at the free adkadmin from certifiedsecuritysolutions.

May I enquire about this article's quote on Services for Unix and Active Directory. As far as I know SFU is an NT subsystem much like Win32; if Microsoft is in the market for integrating Unix machines into Active Directory, SFU is certainly not the product concerned.

I have not made the edit to allow the maintainer of this page to verify this. 07:27, 17 May 2007 (UTC)

A little question about admin rights[edit]

In a domain, how can I make a non-administrator capable of resetting passwords? --N00bh4ck3r 17:37, 7 June 2007 (UTC)

Delegate the "reset password" right on the user account in question.

Open Directory as drop in replacement for AD?[edit]

The final sentence of the Alternatives paragraph reads: Open Directory is another alternative to Active Directory that can completely replace the need for Active Directory if a desire to implement Group Policy is not required. But I don't see how to get past the discovery phase. According to Microsoft's How Domain Controllers Are Located in Windows article; after the SRV record lookup a Windows client will use Connectionless LDAP (UDP) to verify that the server is active. (Despite only asking for _tcp SRV records...) As far as I can tell, Open Directory doesn't (yet) support CLDAP; so the server lookup fails. —The preceding unsigned comment was added by (talkcontribs).

"If a desire to implement group policy is not required" - there are in practice few environments that would willingly forgo basics such as login scripts, security policy management, software distribution etc... What about migration?

"Although an Active Directory migration is clearly a case of when, and not if, for the majority, Microsoft won t be alone in the NOS directory services space: Two old rivals Novell and Netscape are also making a strong showing.",7208,24653,00.html

Vandalism with Large corporations.[edit]

Someone keeps vandalizing this and claiming that AD is the only option for large enterprise, which is funny, because I swear that I've seen many schools and universities running Open Directory. Maybe this should be locked to prevent it again?

This is the second time (at least) now. —Preceding unsigned comment added by (talkcontribs)

Protection isn't really warranted for such manageable acts. Instead please keep an eye out for the person who does it. Maybe he can be blocked (if you manage to catch the person, please let me know directly). Also protection would lock yourself out! --soum talk 11:42, 10 July 2007 (UTC)

I don't agree. A school or university is not a large enterprise in this context. The fact is, large businesses with significant investment in Microsoft technology deploy AD because it makes Windows easier and cheaper to manage. The only commercial product that comes close to providing a similar feature set is a Netware & Zenworks combination and Novell are getting out of this market. Open Source? Give me a break. Sure you can put in SAMBA, completely irrelevant in this context as it emulates NT4, and any LDAP directory, whether open source or otherwise, does not support NOS related functionality like group policy, login scripts, startup scripts, security policy management etc. Have

It strikes me that a lot of people contributing to this page seem to look at AD from an LDAP point of view only - this is completely missing the point.

And we haven't even started on Exchange yet.

So let's get some realism and truth into this discussion, please.

Like, for instance Google... Or Sun... Or Apple... Or Novell. —Preceding unsigned comment added by (talk) 23:19, 5 October 2010 (UTC)

Software deployment[edit]

In the definition it says that software can be deployed, but in Alternatives it says that is cannot. Should the definition be changed?

The definition is wrong. Software deployment is included within Group Policy, it is not an optional extra. Many AD installations make use of this, and it does not require "custom schema extensions" as is currently stated.

Market coverage[edit]

I was interested to see some info in this article about market coverage, gains etc. For example it seems to have been quite successful in replacing Novell Netware in this space over the last 7 years or so as almost the default proprietary directory system of choice for many organisations (just my perception - which may be wrong - and that's why I looked up this article).

The article just seems to be about the technical side of it - I think it could benefit from non-technical aspects like this.

Djambalawa (talk) 01:42, 21 February 2008 (UTC)

Server 2003/2008 information[edit]

The article lacks info on what new features were added in Srv 03 and 08. Can anyone add them? 2003 server better than on the 2008 server.


Should the Active Directory Migration Tool be mentioned somewhere? Thomas d stewart (talk) 15:27, 30 October 2008 (UTC) gggyggy — Preceding unsigned comment added by (talk) 05:19, 24 September 2015 (UTC)


The diagram provided under Forests, Trees, and Domains seems incomplete. It appears as though OUs contained (or should/are able to contain) groups rather than directly Users which appears to be what this diagram suggests. There seems to be very little in this article on groups at all, perhaps a section or link should be added. Learning about Global, Domain Local and Universal Groups in my Windows Server classes makes me wish there was a concisely laid out section (or article) on the various types of groups on a Windows Server.

--Ninjasaves (talk.stalk) 17:38, 23 September 2009 (UTC)


AD provides a central list of users and groups. —Preceding unsigned comment added by (talk) 15:04, 8 October 2010 (UTC)


There's a sentence about Novell eDirectory in this article, along with a screenshot. Is that appropriate? —Preceding unsigned comment added by (talk) 15:01, 21 October 2010 (UTC)

Yes, it is. This is not marketing material for Microsoft. An encyclopedia article is not supposed to just extol on the virtues of the subject material without mentioning deficiencies or disadvantages.
AD has some very real design problems which make usage and management unnecessarily difficult for end-users (no name duplications allowed, even in separate OUs) and which Microsoft either does not intend to fix or cannot fix.
Someone with only AD experience may assume that this is the only way things can work. It is worth mentioning the alternatives and how they compare to AD. DMahalko (talk) 03:27, 30 December 2010 (UTC)


Howdy, I hope I'm not out of line in tagging this article for cleanup (specifically the lead). My issue is that as a very tech competent person (at least more than the average bear), I was unable to understand from reading the lead: What is an active directory and how it is notable. To my mind this is the basic question(s) that a lead must answer with tech articles being no exception. While we hope that experts write these articles, they must be written with the non-expert in mind. Thoughts? Joe407 (talk) 13:44, 15 December 2010 (UTC)

Comparison with Novell eDir is a valid topic here[edit]

In rebuttal to User:Lfstevens who has removed the content referring to Novell eDirectory as marketing, encyclopedia articles are supposed to be unbiased about the topic material and may include sections discussing both the advantages and disadvantages of the topic material in comparison to other topic material. Stripping the Novell comparisons away removes any hint that there is an alternative to the deficiencies of the Microsoft directory implementation.

As far as suggestions from other editors that there are a myriad of "other directories" available besides Novell's, that is false. The only alternatives are LDAP and eDir, and only Novell has worked to make eDir a viable drop-in replacement for AD.

The deficiencies of Active Directory are very real and require significant workarounds and kludges to resolve (shadow groups), and that should be mentioned, as well as the fact that there is an alternative.

I will likely be restoring or re-inserting the sections referring to Novell that were removed by Lfstevens. DMahalko (talk) 15:31, 28 December 2010 (UTC)

There's a statement in the lead that AD is based on Novell eDirectory. It's unclear what that means. Did the removed content explain that? If not, that bit in the lead needs a citation. --Pnm (talk) 04:16, 30 December 2010 (UTC)
I think the comment about AD being based on Novell eDirectory is false. James Alchin who led Active Directory development was hired by Microsoft from Banyan, where he was chief architect of Vines. I am removing the eDirectory attribution, if someone wants to reinstate it with evidence, be my guest. Jonabbey (talk) 21:38, 7 January 2011 (UTC)
Thanks. --Pnm (talk) 05:42, 8 January 2011 (UTC)

Merger complete[edit]

Merger complete. All information from Likewise Open has been merged into this article. Northamerica1000(talk) 06:11, 16 March 2012 (UTC)

Container terminology is ambiguous and misleading[edit]

The article contains this assertion:

Organizational Units are an abstraction for the administrator and do not function as containers; the underlying domain is the true container.

The notion of a "true container" here is apparently one which does not permit any duplicates of some particular property anywhere in the hierarchy above or below it (in this case, sAMAccountName). This is IMO the author's terminological invention and not standard. The assertion and its conceptual basis is muddy at best and utterly confusing to the reader at worst.

Organizational Units clearly *do* function as hierarchical containers; there should be no assertion that they "do not function" this way. Containing leaf nodes in the tree, and other OU's to add hierarchy to the tree, is indeed their *primary* function.

A suggested revision would be something like: "Organizational Units do not define coherent identity management domains. That is the purpose of the domain itself, ensuring uniqueness of user identities across the domain, which in Active Directory is represented most tangibly by the sAMAccountName property," etc. — Preceding unsigned comment added by Chriscorbell (talkcontribs) 19:09, 29 March 2012 (UTC)

I challenged the statement. --Chealer (talk) 20:31, 17 October 2014 (UTC)
He. Rewrote it entirely because it contradicted a source in the article. The preceding TechNet source explicitly called OUs containers. But I think it is true that they are not mutually exclusive containers. Best regards, Codename Lisa (talk) 05:20, 19 October 2014 (UTC)


All great and all, but since someone made the great redirect of (Redirected from User Principal Name) they could have figured to include a formatting example. The three sins of tubez: date, example and contact. — Preceding unsigned comment added by (talk) 10:49, 2 April 2013 (UTC)

Functional Levels[edit]

This resource needs a paragraph on functional levels. The Trusts section mentions functional level, but the levels themselves are not described. See for a source. -- Dave Braunschweig (talk) 16:24, 4 June 2013 (UTC)

Active Directory History[edit]

Active Directory (AD) is NOT a Microsoft unique technology. Inexperienced folks and Microsoft evangelists tend to make the common mistake that Microsoft is a leader in research and development. Microsoft most often exploits existing technologies for profit and participates in the refinement of the technology but rarely creates a new technology, if ever. Even at the core of Microsoft, Windows, is Microsoft's implementation of X-Windowing developed in the 1960s at MIT. AD is an industry technology that Microsoft adopted by name and implemented in its midrange server product lines about 1998. Microsoft utilizing AD most likely drove the industry to look at it since so many systems are Microsoft and must integrate with Microsoft's products. In a release prior to Microsoft, Novell released NetWare 5.0 introducing its version of Active Directory called Netware Directory Services (NDS). NetWare 5.0 was a poor implementation of AD and resulted in the demise of Novell and NetWare as a competitive product to Microsoft's mid range server line.

Active Directory, as most information technology efforts, originated out of a democratization of design using Request for Comments or RFCs. Numerous RFCs have been initiated by widespread participants and accepted by the IEEE Consortium, The Internet Engineering Task Force (IETF), that oversees the RFC process. Active Directory incorporates decades of communication technologies into the overarching AD concept then makes improvements upon them. For example, LDAP is a long standing directory technology that undergirds AD. Also X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The Active Directory concept was emerging as much as a decade before Microsoft was even a startup, with RFCs as early as 1971. Bill Gates was asking his mom for a nickel and was chasing ice cream trucks when AD was emerging.

IETF: RFCs can be searched here: — Preceding unsigned comment added by GeoBub (talkcontribs) 01:04, 7 June 2013 (UTC)

This is untrue. NDS uses LDAP and AD is Microsoft's own name for its LDAP implementation.--Best Dog Ever (talk) 12:15, 5 July 2013 (UTC)

User Principal Name redirects here[edit]

...but is not mentioned in the body of this article. Can anyone expand on it? --BlueNovember (talk contribs) 12:36, 14 May 2014 (UTC)

Hi. I nominated it for deletion. Best regards, Codename Lisa (talk) 13:11, 14 May 2014 (UTC)

Rename "Physical Matters" to "Sites"[edit]

I just came to this page as a user to improve my understanding of domains. I was looking specifically for more information on 'sites' but the index made no mention of it (though I found it by searching the page). I think this article would be improved if this chapter was renamed from "Physical Matters" to "Sites", but I dare not change it as there might be a clever rationale behind the current chapter name. — Preceding unsigned comment added by (talk) 12:58, 1 July 2014 (UTC)

Physical structure - Distinguishing Low Speeds[edit]

In the Physical Structure section, it states that AD distinguishes Low speeds from High speeds, citing WANs and VPNs as low speeds, and LANs as high speeds. Is this meant to refer to WANs (Wide Area Networks), or WLANs (Wireless Local Area Networks)? — Preceding unsigned comment added by (talk) 03:04, 21 September 2015 (UTC)

Client connections[edit]

Could someone address the technical differences in how Microsoft OSes since the advent of Vista no longer can join domains from the "lesser" (starter, home, home premium) versions? What is disabled and how? Is it missing files, registry keys or what? Is there workarounds, software that can be utilized as alternatives? — Preceding unsigned comment added by (talk)

This issue is addressed in each Windows article.
And you are wrong about the Windows Vista part. Windows XP Starter, Home and Media Center edition could also not join a domain. Neither could Windows ME, 98 or 95.
Best regards,
Codename Lisa (talk) 19:47, 23 January 2016 (UTC)

Yeah. Good discussion. If you can't answer the question, then why bother writing anything at all? Oh, because you're busy being a Troll, perhaps? — Preceding unsigned comment added by (talk)