What Are Active Directory Searches?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • The Business Need

  • The Active Directory Searches Solution

  • LDAP and Security

  • Related Information

In Active Directory, directory clients use Lightweight Directory Access Protocol (LDAP) to perform searches against the directory. LDAP is defined by Request for Comments (RFC) 3377, “Lightweight Directory Access Protocol (v3): Technical Specification.” LDAP is a standards-based protocol that makes it possible for users to query and update information in an LDAP-based directory service, such as Active Directory. To perform Active Directory searches, LDAP-compliant directory clients compose a search query using LDAP syntax and then submit the query to Active Directory for processing.


In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD DS.

Active Directory searches are an important part of many directory activities. Active Directory searches are commonly used by:

  • Directory clients to find a domain controller.

  • Directory clients to find network resources, such as printers and shared folders.

  • Directory clients to find address book information, such as user names, e-mail addresses, and phone numbers.

  • Non-Microsoft applications, such as Web portal, e-commerce, and white pages applications, to find and modify application-specific data that is stored in Active Directory.

The Business Need

Active Directory can be used to store all kinds of information, including identity, resource, infrastructure, and application-specific information. For this information to be useful, directory clients must be able to query and retrieve the information from Active Directory with a commonly understood protocol. This protocol must interact with a variety of directory client applications — and with a variety of client operating systems, because many organizations deploy more than one client operating system.

The Active Directory Searches Solution

The Active Directory searches solution consists of the following:

  • Directory clients that submit LDAP search requests

  • Domain controllers (or computers running Active Directory Application Mode (ADAM)) that accept and respond to the LDAP search requests

Any directory client that supports LDAP v2 (RFC 1777, “Lightweight Directory Access Protocol”) or LDAP v3 (RFC 3377) can submit LDAP queries to Active Directory. The following figure illustrates the Active Directory searches solution.

Figure: Active Directory Searches

  • In the Windows Server 2003 family, a server running Windows Server 2003, Web Edition cannot be a domain controller.

Windows operating systems that can be used as a directory client include the following:

  • Windows 95 (requires Active Directory Client Extensions)

  • Windows 98 (requires Active Directory Client Extensions)

  • Windows NT 4.0 (requires Active Directory Client Extensions)

  • Windows 2000 Professional, Windows 2000 Server family

  • Windows XP Home Edition, Windows XP Professional

  • Windows Server 2003 family

For more information about Active Directory Client Extensions, see “ADSI WinNT Provider” in the Microsoft Platform SDK on MSDN.

Active Directory supports both LDAP v2 and LDAP v3. For more information about LDAP v2, see RFC 1777 in the IETF RFC Database. For more information about LDAP v3, see RFC 3377 in the IETF RFC Database.

LDAP and Security

Active Directory is designed to be secure by default, which means that directory clients must authenticate themselves before they can search Active Directory. Directory clients authenticate themselves against Active Directory by using the security mechanisms that are built into Windows Server 2003, including the Simple Authentication and Security Layer (SASL) protocol, the Kerberos version 5 (V5) authentication protocol, and NTLM. If necessary, Active Directory can also be configured to accept search requests from anonymous (unauthenticated) directory clients. For more information about search requests from anonymous directory clients, see “Anonymous queries” in “How Active Directory Searches Work.” For more information about authentication methods, see “Logon and Authentication Technologies.”
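As an added example (not code from the original article or from Microsoft), the following PowerShell script uses the .NET System.DirectoryServices.Protocols classes to perform an authenticated LDAP v3 search of the kind described above, signing and sealing the session, and then checks whether the same domain controller also answers searches from an anonymous client. The domain controller name dc01.example.com, the naming context DC=example,DC=com and the account name alice are assumptions.

```powershell
# Added example, not code from the original article. The domain controller name,
# the naming context and the account name are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Dc     = 'dc01.example.com'
$BaseDn = 'DC=example,DC=com'
function New-LdapConnection {
    param([string]$Server, [System.DirectoryServices.Protocols.AuthType]$AuthType)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3          # LDAP v3 (RFC 3377)
    $conn.AuthType = $AuthType                        # Negotiate = Kerberos via SASL, NTLM fallback
    if ($AuthType -ne [System.DirectoryServices.Protocols.AuthType]::Anonymous) {
        $conn.SessionOptions.Signing = $true          # integrity-protect and encrypt the session so
        $conn.SessionOptions.Sealing = $true          # queries and results cannot be read or altered in transit
    }
    $conn.Bind()                                      # authenticate before any search is submitted
    return $conn
}
function New-SearchRequest {
    param([string]$Filter, [System.DirectoryServices.Protocols.SearchScope]$Scope, [string[]]$Attributes)
    New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
        -ArgumentList $BaseDn, $Filter, $Scope, $Attributes
}
function Search-AdUser {
    param([System.DirectoryServices.Protocols.LdapConnection]$Conn, [string]$SamAccountName)
    # Escape RFC 4515 filter metacharacters so a caller-supplied value cannot alter the filter structure
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $filter  = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $req  = New-SearchRequest -Filter $filter -Scope Subtree -Attributes 'distinguishedName', 'mail', 'telephoneNumber'
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$Conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $mail = if ($entry.Attributes.Contains('mail')) { $entry.Attributes['mail'][0] } else { '(none)' }
        [pscustomobject]@{ DistinguishedName = $entry.DistinguishedName; Mail = $mail }
    }
}
function Test-AnonymousLdapSearch {
    # An anonymous bind succeeds and rootDSE is always readable; a search below rootDSE should be
    # refused unless anonymous LDAP operations were enabled (see "Anonymous queries" in the linked topic).
    param([string]$Server)
    $anon = New-LdapConnection -Server $Server -AuthType Anonymous
    try   { [void]$anon.SendRequest((New-SearchRequest -Filter '(objectClass=*)' -Scope Base -Attributes 'distinguishedName')); return $true }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] { return $false }   # refused: expected default
    finally { $anon.Dispose() }
}
$conn = New-LdapConnection -Server $Dc -AuthType Negotiate
try { Search-AdUser -Conn $conn -SamAccountName 'alice' } finally { $conn.Dispose() }
"Anonymous search of $BaseDn permitted on ${Dc}: $(Test-AnonymousLdapSearch -Server $Dc)"
```

Run it from a domain-joined machine as a user who is allowed to read the directory; a result of True from the anonymous check means the forest accepts searches from unauthenticated clients and that configuration should be reviewed.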

The following resources contain additional information that is relevant to this section: