Active Directory Search and Publication Technologies
Active Directory exists so that users, services, and applications can search for and publish useful information in the directory. The operations that users, services and applications perform against the directory include the following:
- Performing searches against the data
- Finding (or in the case of services, publishing) information related to services that are available on the network
Active Directory Search and Publication Architecture
The Active Directory architecture that supports search and service publication can be divided into two functional areas:
- Search
- Service publication
The following table describes these Active Directory functional areas.
Active Directory Search and Service Publication
| Functional Area | Description |
|---|---|
Active Directory search | Directory clients and services need a way to find data that is stored in the directory. Requests for directory objects are carried out either through the Active Directory Service Interfaces (ADSI) Lightweight Directory Access Protocol (LDAP) provider or through the LDAP application programming interface (API). |
Active Directory service publication | Service publication in Active Directory enables services to provide information about themselves in the directory, and it enables directory clients to search for available services on the network. In addition, Active Directory supports service principal names (SPNs) as the means by which client applications can authenticate the services that they use. |
Active Directory Search
The primary components of the architecture for the Active Directory search function include the directory client applications that search the directory; LDAP, which is used for searching and retrieving directory information; and the Active Directory database against which the directory client applications search. The following table describes the Active Directory search components.
Active Directory Search Components
| Search Component | Description |
|---|---|
Directory client application | A directory client application is any application that is capable of searching for information that is stored in Active Directory. |
LDAP | LDAP is a directory service protocol that specifies directory communications. It runs directly over TCP/IP, and it can also run over the connectionless User Datagram Protocol (UDP) transport. LDAP enables clients to query, create, update, and delete information that is stored in a directory service over a TCP connection. LDAP is the preferred and most common means of interacting with Active Directory. |
Active Directory database | The Active Directory database is the structured data store that Active Directory uses to store information about objects on the network, including users, user groups, computers, services, applications, application data, shared files, and distribution lists. A copy (or replica) of the Active Directory database resides on every domain controller in an Active Directory forest. |
Active Directory Service Publication
The primary components of the architecture for Active Directory service publication are the services that publish information about themselves and the client applications that search the directory to find and authenticate services. Active Directory provides the storage and distribution mechanism for published service information and for the SPN attributes that are used in mutual authentication. The Key Distribution Center (KDC) provides the mechanism for authenticating services, using SPNs that are constructed by the client applications. The following table describes the Active Directory service publication and SPN components.
Active Directory Service Publication and SPN Components
| Service Publication Component | Description |
|---|---|
Service | An application that makes data or operations available to client applications. |
Client application | An application, which runs on a workstation (or on a server), that makes use of a service. |
KDC | A service, which runs on every domain controller, that provides authentication services for clients as well as for servers and services. |
Connection point object | An object in Active Directory that contains information about a service. |
Service account object | An object in Active Directory that represents the account in whose security context a service runs and on which an SPN attribute resides. |
SPN attribute | An attribute that contains a unique name that identifies an instance of a service and that is associated with the logon account under which the instance of the service runs. |
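The SPN attribute described in the table has a fixed shape, serviceclass/host[:port][/servicename], and the KDC can only authenticate a service correctly if that name is registered on exactly one account. The following is an added example, not code from the original post or from Microsoft: it parses and builds SPNs in that format and checks a set of account objects for the same SPN registered more than once. The account names, host names and SPN values are constructed sample data, and SPNs are compared case-insensitively here.

```python
"""Parse, build and de-duplicate service principal names (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Spn:
    """One SPN split into its parts: serviceclass/host[:port][/servicename]."""
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None


def parse_spn(text: str) -> Spn:
    """Split an SPN string into its components; raises ValueError on bad shape."""
    if text.count("/") < 1:
        raise ValueError(f"not an SPN (missing service class separator): {text!r}")
    service_class, rest = text.split("/", 1)
    host_port, _, service_name = rest.partition("/")
    host, _, port_text = host_port.partition(":")
    if not service_class or not host:
        raise ValueError(f"SPN needs a service class and a host: {text!r}")
    port = None
    if port_text:
        if not port_text.isdigit():
            raise ValueError(f"SPN port is not numeric: {text!r}")
        port = int(port_text)
    return Spn(service_class, host, port, service_name or None)


def build_spn(service_class: str, host: str,
              port: Optional[int] = None, service_name: Optional[str] = None) -> str:
    """Compose the SPN a client would construct for a service it wants to reach."""
    spn = f"{service_class}/{host}"
    if port is not None:
        spn += f":{port}"
    if service_name:
        spn += f"/{service_name}"
    return spn


def normalize_spn(text: str) -> str:
    """Canonical form for comparison: parsed and lower-cased."""
    spn = parse_spn(text)
    return build_spn(spn.service_class, spn.host, spn.port, spn.service_name).lower()


def find_duplicate_spns(accounts: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each SPN that is registered on more than one account to those accounts.

    accounts: account name -> list of SPN strings on that account object.
    A duplicate means the KDC cannot tell which account's key to issue a
    ticket for, so client authentication to that service breaks.
    """
    holders: Dict[str, List[str]] = defaultdict(list)
    for account, spns in accounts.items():
        for spn in spns:
            holders[normalize_spn(spn)].append(account)
    return {spn: sorted(accs) for spn, accs in holders.items() if len(accs) > 1}


# Constructed sample account objects (not real directory data).
SAMPLE_ACCOUNTS = {
    "svc-sql01": ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql01.corp.example"],
    "svc-sql02": ["MSSQLSvc/sql02.corp.example:1433"],
    "SQL01$": ["HOST/sql01.corp.example", "MSSQLSvc/SQL01.corp.example:1433"],
}

if __name__ == "__main__":
    print(build_spn("MSSQLSvc", "sql02.corp.example", 1433))
    for spn, accs in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"duplicate SPN {spn} on accounts {', '.join(accs)}")
```

In the sample data the SQL instance on sql01 has its SPN registered on both the service account and the computer account (with different letter case), which the check reports as a duplicate; the same normalization is what makes a client-built SPN match the one stored on the service account object.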
Active Directory Search and Publication Scenarios
Scenarios that rely on Active Directory search and publication include performing directory searches, advertising available services, finding available services, and authenticating services.
Performing Directory Searches
Searching the directory is a common Active Directory scenario in which directory clients use LDAP to query the directory and find information. Clients search the directory for a wide variety of information, including address book information, information about shared resources, and information related to a specific directory-enabled application. This scenario requires directory clients, LDAP, and the Active Directory database.
Advertising Available Services
A service that has services to offer client applications can use Active Directory as a way of advertising its services. In this scenario, a network service (at the time when it is installed) publishes a special object in the directory, called a connection point object. The connection point object holds information about the service, including binding information that a client application can use to connect to the service.
Finding Available Services
In large, distributed networks, directory clients must be able to find the network services that they need, regardless of where those services reside on the network. In this scenario, client applications search the directory for connection point objects that contain information about specific services that are available on the network. Client applications can then use this information to connect to the services that they need.
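Both scenarios above (a directory client searching for a user, and a client application searching for connection point objects) come down to an LDAP search filter that the client builds from some caller-supplied value. The following is an added example, not code from the original post or from Microsoft: it escapes assertion values as RFC 4515 requires, builds the two filters, and counts the assertions in a filter so the difference between an escaped and an unescaped value is visible. The attribute names used (sAMAccountName, objectClass, serviceConnectionPoint, keywords) are standard Active Directory schema names; the input strings are constructed sample values.

```python
"""Build LDAP search filters with RFC 4515 value escaping (added example)."""

# RFC 4515: these characters inside an assertion value must be \XX-escaped
# so they are matched literally instead of being read as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value; processed per character so '\\' is not re-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Filter a directory client uses to find one user object by logon name."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def scp_filter(keyword: str) -> str:
    """Filter a client application uses to find connection point objects by keyword."""
    return f"(&(objectClass=serviceConnectionPoint)(keywords={escape_filter_value(keyword)}))"


def unsafe_user_filter(sam_account_name: str) -> str:
    """Kept for contrast only: splices the value in without escaping."""
    return f"(&(objectClass=user)(sAMAccountName={sam_account_name}))"


def count_assertions(ldap_filter: str) -> int:
    """Count simple assertions, i.e. '(' not followed by an &, | or ! operator."""
    return sum(
        1 for i, ch in enumerate(ldap_filter)
        if ch == "(" and ldap_filter[i + 1:i + 2] not in ("&", "|", "!")
    )


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    odd_name = "*)(objectClass=*"
    print(user_filter(odd_name), count_assertions(user_filter(odd_name)))
    print(unsafe_user_filter(odd_name), count_assertions(unsafe_user_filter(odd_name)))
    print(scp_filter("Print Service"))
```

With escaping, the odd logon name is one literal assertion and the filter keeps its two clauses; without it the same string turns into a third clause, which is why a directory client must never splice raw input into a filter.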
Authenticating Services
In large, distributed networks, a client application must be able to authenticate a service before the client application uses the service. The process of authenticating a service protects client applications from malicious or accidental damage or breaches of security that can be caused by an unauthorized, or rogue, service. In this scenario, a client application requests authentication of an SPN representing the service that the client application wants to use. If the service can authenticate against a domain controller by using the SPN, the client application can safely use that service.
So, that’s all in this blog. I will meet you soon with the next stuff. Have a nice day!!!