Active Directory Data Storage
Windows 2000 uses modules and modes that combine to provide operating system services to applications. Two processor access modes, kernel mode and user mode, separate the low-level, platform-specific code from the upper-level processes; this shields applications from platform differences and prevents them from directly accessing system code and data. Each application, including service applications, runs in a separate module in user mode, from which it requests system services through an application programming interface (API) that grants only limited access to system data. An application process begins in user mode and is transferred to kernel mode, where the requested service is performed in a protected environment; the process is then returned to user mode. The security subsystem, which runs in user mode, is the module in which Active Directory runs. The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the security rules of the security subsystem. Figure 2.1 shows the location of Active Directory within Windows 2000.
Figure 2.1 Active Directory Within the Windows 2000 Operating System
The tight integration of the directory service and security subsystem services is key to the implementation of Windows 2000 distributed systems. Access to all directory objects first requires proof of identity (authentication), which is performed by components of the security subsystem, and then validation of access permissions (authorization), which is performed by the security subsystem in conjunction with the security reference monitor. The security reference monitor enforces the access control applied to Active Directory objects.
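The access control that the security reference monitor enforces is recorded in each directory object's security descriptor. The following PowerShell script is an added example, not part of the Resource Kit text, that reads the discretionary access control list of one object so an administrator can see which authorized principals hold which rights; it assumes the RSAT ActiveDirectory module, a domain-joined session, and the domain's default Users container as the target.

```powershell
# Added example (not from the Resource Kit): list the explicit DACL entries on an
# Active Directory object. The security reference monitor evaluates entries like
# these after authentication, when a principal's access to the object is checked.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Target object: the domain's default Users container (assumption; pass any DN).
$domainDn = (Get-ADDomain).DistinguishedName
$targetDn = "CN=Users,$domainDn"

# Get-Acl on the AD: drive returns an ActiveDirectorySecurity object whose
# Access property holds the ActiveDirectoryAccessRule entries (the DACL).
$acl = Get-Acl -Path "AD:\$targetDn"

# Show the owner, then each explicit (non-inherited) ACE: trustee, allow/deny,
# the rights mask, and the inheritance and object-type scope of the entry.
"Owner: $($acl.Owner)"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, ObjectType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# Review aid: flag explicit ACEs that allow control-class rights to principals
# other than the well-known administrative identities (list is an assumption).
$controlRights = 'WriteDacl|WriteOwner|GenericWrite|GenericAll'
$expectedAdmins = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins|.*\\Enterprise Admins)$'
$acl.Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.ToString() -match $controlRights -and
        $_.IdentityReference.Value -notmatch $expectedAdmins
    } |
    ForEach-Object { "Review: $($_.IdentityReference) holds $($_.ActiveDirectoryRights) on $targetDn" }
```

Entries that appear under "Review" are not necessarily wrong, but each one is a grant the reference monitor will honor, so it should be traceable to a documented delegation.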
For more information about the Windows 2000 operating system, see "Overview of Networking in Windows 2000 Professional" in the Microsoft® Windows® 2000 Professional Resource Kit, which contains information about the core technologies for both Microsoft® Windows® 2000 Professional and Windows 2000 Server. For more information about authentication, see "Authentication" in this book. For more information about access permissions, see "Access Control" in this book.