Platform SDK: Active Directory, ADSI, and Directory Services

About Active Directory

Writing Powerful Applications that Use Active Directory

If you are writing a distributed application for Microsoft® Windows® 2000, there are many compelling reasons to integrate Active Directory™. The intent of this programmer's guide is to give you the knowledge you need to best write to Active Directory.

Fundamental Directory Features

A directory service is a fundamental service for distributed applications. A directory service, at a minimum, must provide the following:

Location transparency
The ability to find information about a user, group, networked service, or resource, without knowing addressing information.
Information on people and services
The ability to store user, group, organization, and service information in a structured, hierarchical tree.
Rich query
The ability to locate objects of interest by querying for properties of the object.
High availability
The ability to locate a replica of the directory at a location that is maximally efficient for the read/write operations.
Microsoft Active Directory provides these capabilities and much, much more.

Advanced Features of Active Directory

Active Directory also provides the following:

Support for Internet standards
The Active Directory global namespace is rooted in the domain name service (DNS), and LDAP is then used to access objects within the directory service data store.
Tightly integrated and flexible security
Advantages include:
Scriptable interfaces for easy access
The primary and recommended application programming interface (API) for Active Directory is Active Directory Service Interfaces (ADSI). ADSI enables access to Active Directory by exposing objects stored in the directory as COM objects. A directory object is manipulated using the methods on one or more COM interfaces. You can already get ADSI providers from Microsoft for Novell NetWare Directory Services (NDS) and NetWare 3, Windows NT®, the Lightweight Directory Access Protocol (LDAP), Exchange 5.5, and the Internet Information Server (IIS) metabase. ADSI can be used from any tool, from Microsoft Office applications to C/C++. ADSI supports extensibility so that additional functionality can be added to a provider to support new properties and methods. ADSI has a very simple programming model. ADSI abstracts the data management overhead that is characteristic of non-COM interfaces such as the LDAP C APIs. Since ADSI is fully scriptable, it is easy to develop rich Web applications. ADO and OLE DB are supported for querying. Several tools make it easy to create an ADO or OLE DB connection and get results. By supporting ADO and OLE DB, Active Directory is just another OLE DB data provider.
Directory enabled system services
The ZAW technologies are written to take advantage of Active Directory. By creating an MSI package and using the application deployment feature of Windows 2000, your client application can be easily deployed to many desktops.
Key application integration
Key distributed applications such as Exchange will be tightly integrated with Active Directory. By doing so, companies can reduce the number of directory services that need to be managed.
Rich and extensible schema
The schema defines what objects and properties can be written to and read from a directory service. Active Directory's schema is very rich. Most of the objects and properties a service needs are probably already there. If not, a distributed application can extend the schema to support the application's additional requirements.
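
The ADO/OLE DB query path described under "Scriptable interfaces for easy access", shown as an added example (not SDK sample code). It queries through the ADSI OLE DB provider and hex-escapes the caller-supplied value so it cannot alter the LDAP filter. The function names, the search base `DC=example,DC=com`, and the chosen attributes are assumptions.

```powershell
function ConvertTo-LdapFilterValue {
    # Hex-escape the characters RFC 4515 reserves inside a filter value.
    # Backslash goes first so the escapes added afterwards are not re-escaped.
    # ';' is escaped as a precaution: it separates the fields of the ADO
    # command text used below.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace(';', '\3b').Replace([string][char]0, '\00')
}

function Find-DirectoryUser {
    # Hypothetical helper: looks up one account by sAMAccountName.
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. DC=example,DC=com
        [Parameter(Mandatory)][string]$AccountName   # untrusted caller input
    )
    $safe   = ConvertTo-LdapFilterValue $AccountName
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"

    # ADSI is reached here as an OLE DB data provider through ADO.
    $conn = New-Object -ComObject ADODB.Connection
    $conn.Provider = 'ADsDSOObject'
    $conn.Open('Active Directory Provider')
    try {
        $cmd = New-Object -ComObject ADODB.Command
        $cmd.ActiveConnection = $conn
        # LDAP dialect: <base>;filter;attributes;scope
        $cmd.CommandText = "<LDAP://$SearchBase>;$filter;cn,distinguishedName;subtree"
        $rs = $cmd.Execute()
        while (-not $rs.EOF) {
            [pscustomobject]@{
                cn = $rs.Fields.Item('cn').Value
                dn = $rs.Fields.Item('distinguishedName').Value
            }
            $rs.MoveNext()
        }
    }
    finally {
        $conn.Close()
    }
}

# Constructed input (runs offline): metacharacters come back hex-escaped,
# so the value stays a literal account name inside the filter.
ConvertTo-LdapFilterValue 'j*)(doe'

# On a domain-joined machine (search base is a placeholder):
# Find-DirectoryUser -SearchBase 'DC=example,DC=com' -AccountName 'jdoe'
```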