Active Directory Search and Publication Technologies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Active Directory exists so that users, services, and applications can search for and publish useful information in the directory. The operations that users, services, and applications perform against the directory include the following:

  • Performing searches against the data

  • Finding (or in the case of services, publishing) information related to services that are available on the network

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD DS.

Active Directory Search and Publication Architecture

The Active Directory architecture that supports search and service publication can be divided into two functional areas:

  • Search

  • Service publication

The following table describes these Active Directory functional areas.

Active Directory Search and Service Publication

| Functional Area | Description |
|---|---|
| Active Directory search | Directory clients and services need a way to find data that is stored in the directory. Requests for directory objects are carried out either through the Active Directory Service Interfaces (ADSI) Lightweight Directory Access Protocol (LDAP) provider or through the LDAP application programming interface (API). |
| Active Directory service publication | Service publication in Active Directory enables services to provide information about themselves in the directory, and it enables directory clients to search for available services on the network. In addition, Active Directory supports service principal names (SPNs) as the means by which client applications can authenticate the services that they use. |

The primary components of the architecture for the Active Directory search function include the directory client applications that search the directory; LDAP, which is used for searching and retrieving directory information; and the Active Directory database against which the directory client applications search.

The following table describes the Active Directory search components.

Active Directory Search Components

| Search Component | Description |
|---|---|
| Directory client application | A directory client application is any application that is capable of searching for information that is stored in Active Directory. |
| LDAP | LDAP is a directory service protocol that specifies directory communications. It runs directly over TCP/IP, and it can also run over the connectionless User Datagram Protocol (UDP). LDAP enables clients to query, create, update, and delete information that is stored in a directory service over a TCP connection. LDAP is the preferred and most common means of interacting with Active Directory. |
| Active Directory database | The Active Directory database is the structured data store that Active Directory uses to store information about objects on the network, including users, user groups, computers, services, applications, application data, shared files, and distribution lists. A copy (or replica) of the Active Directory database resides on every domain controller in an Active Directory forest. |

Active Directory Service Publication

The primary components of the architecture for Active Directory service publication are the services that publish information about themselves and the client applications that search the directory to find and authenticate services. Active Directory provides the storage and distribution mechanism for published service information and for the SPN attributes that are used in mutual authentication. The Key Distribution Center (KDC) provides the mechanism for authenticating services, using SPNs that are constructed by the client applications.

The following table describes the Active Directory service publication and SPN components.

Active Directory Service Publication and SPN Components

| Service Publication Component | Description |
|---|---|
| Service | An application that makes data or operations available to client applications. |
| Client application | An application that runs on a workstation or on a server and makes use of a service. |
| KDC | A service that runs on every domain controller and provides authentication services for clients as well as for servers and services. |
| Connection point object | An object in Active Directory that contains information about a service. |
| Service account object | An object in Active Directory that represents the account in whose security context a service runs and on which an SPN attribute resides. |
| SPN attribute | An attribute that contains a unique name that identifies an instance of a service and that is associated with the logon account under which the instance of the service runs. |

Active Directory Search and Publication Scenarios

Scenarios that rely on Active Directory search and publication include performing directory searches, advertising available services, finding available services, and authenticating services.

Performing Directory Searches

Searching the directory is a common Active Directory scenario in which directory clients use LDAP to query the directory and find information. Clients search the directory for a wide variety of information, including address book information, information about shared resources, and information related to a specific directory-enabled application. This scenario requires directory clients, LDAP, and the Active Directory database.

Advertising Available Services

A network service that has functionality to offer client applications can use Active Directory to advertise itself. In this scenario, the service (at the time it is installed) publishes a special object in the directory, called a connection point object. The connection point object holds information about the service, including binding information that a client application can use to connect to the service.

Finding Available Services

In large, distributed networks, directory clients must be able to find the network services that they need, regardless of where those services reside on the network. In this scenario, client applications search the directory for connection point objects that contain information about specific services that are available on the network. Client applications can then use this information to connect to the services that they need.
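The directory search described under "Performing Directory Searches" and the connection point lookup described here both come down to an LDAP filter, and the filter is where untrusted search text must be handled carefully. The following is an added example, not code from the original article: a naive filter builder beside a hardened one that escapes the keyword per RFC 4515, plus a minimal evaluator (AND-of-equality only) over constructed sample connection point objects. The class and attribute names serviceConnectionPoint, keywords and serviceClassName are the Active Directory schema names; the sample objects are constructed for the demo.

```python
# Added example (not from the original article): defensive LDAP filter construction
# for finding connection point objects. Sample objects below are constructed data.
import re

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value (RFC 4515) so every character matches literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def naive_filter(keyword: str) -> str:
    """Vulnerable: keyword spliced in unescaped, so '*' turns into a wildcard."""
    return f"(&(objectClass=serviceConnectionPoint)(keywords={keyword}))"

def safe_filter(keyword: str, service_class: str = "") -> str:
    """Hardened: escaped keyword, optional serviceClassName restriction."""
    parts = ["(objectClass=serviceConnectionPoint)",
             f"(keywords={escape_filter_value(keyword)})"]
    if service_class:
        parts.append(f"(serviceClassName={escape_filter_value(service_class)})")
    return "(&" + "".join(parts) + ")"

# Tiny evaluator: handles only AND-of-equality filters, enough for this demo.
_ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(obj: dict, ldap_filter: str) -> bool:
    """True if obj satisfies every (attr=value) assertion in the AND filter."""
    for attr, value in _ASSERTION.findall(ldap_filter):
        present = obj.get(attr, [])
        if value == "*":                       # presence test: any value at all
            if not present:
                return False
        elif _unescape(value) not in present:  # exact match (case-sensitive here)
            return False
    return True

# Constructed sample connection point objects (not real directory data).
SAMPLE_SCPS = [
    {"cn": ["PrintSvc-SCP"], "objectClass": ["top", "connectionPoint", "serviceConnectionPoint"],
     "serviceClassName": ["PrintService"], "keywords": ["Print", "Color"]},
    {"cn": ["Backup-SCP"], "objectClass": ["top", "connectionPoint", "serviceConnectionPoint"],
     "serviceClassName": ["BackupAgent"], "keywords": ["Backup"]},
]

def find_services(ldap_filter: str) -> list:
    """Return the cn of every sample object matched by the filter."""
    return [o["cn"][0] for o in SAMPLE_SCPS if matches(o, ldap_filter)]
```

With the naive builder a keyword of "*" returns every connection point in the directory; with the hardened builder the same input matches only a literal asterisk.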

Authenticating Services

In large, distributed networks, a client application must be able to authenticate a service before the client application uses the service. The process of authenticating a service protects client applications from malicious or accidental damage or breaches of security that can be caused by an unauthorized, or rogue, service. In this scenario, a client application requests authentication of an SPN representing the service that the client application wants to use. If the service can authenticate against a domain controller by using the SPN, the client application can safely use that service.
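Because the client constructs the SPN and the KDC must resolve it to exactly one service account, SPN formation and uniqueness are what make this scenario work. The following is an added example, not code from the original article: it builds an SPN in the Windows format serviceclass/host[:port][/servicename], parses SPNs read from service account objects, and flags any SPN registered on more than one account (the same check that setspn -X performs against a live domain). The account and host names are constructed samples.

```python
# Added example (not from the original article): SPN construction, parsing and
# duplicate detection. Accounts and hosts below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

    def __str__(self) -> str:
        text = f"{self.service_class}/{self.host}"
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name:
            text += f"/{self.service_name}"
        return text

def build_spn(service_class: str, host: str, port: Optional[int] = None,
              service_name: Optional[str] = None) -> str:
    """The name a client forms for the service it wants to authenticate."""
    return str(Spn(service_class, host, port, service_name))

def parse_spn(text: str) -> Spn:
    """Split an SPN into its parts; raise ValueError if it is malformed."""
    parts = text.split("/")
    if len(parts) not in (2, 3) or not all(parts[:2]):
        raise ValueError(f"malformed SPN: {text!r}")
    host, port = parts[1], None
    if ":" in host:
        host, port_text = host.rsplit(":", 1)
        if not port_text.isdigit():
            raise ValueError(f"bad port in SPN: {text!r}")
        port = int(port_text)
    return Spn(parts[0], host, port, parts[2] if len(parts) == 3 else None)

def find_duplicate_spns(accounts: dict) -> dict:
    """Map each SPN found on more than one account to its owners.
    Comparison is case-insensitive, matching how Windows compares SPNs."""
    owners = defaultdict(list)
    for account, spns in accounts.items():
        for spn in spns:
            owners[str(parse_spn(spn)).lower()].append(account)
    return {spn: acc for spn, acc in owners.items() if len(acc) > 1}

# Constructed snapshot of servicePrincipalName values per account.
SAMPLE_ACCOUNTS = {
    "svc-web": ["HTTP/web01.corp.example", "HTTP/web01"],
    "svc-sql": ["MSSQLSvc/sql01.corp.example:1433"],
    "WEB02$": ["HOST/web02.corp.example", "http/web01.corp.example"],  # collides
}
```

A duplicate such as the one in the sample data means the KDC cannot tell which account's key to use for that SPN, so clients authenticating to that service fail or are served by the wrong account.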