2.3 Understanding DSfW in Relation to Active Directory

eDirectory: eDirectory organizes objects in a tree structure, beginning with the top Tree object, which bears the tree's name. Whether your eDirectory servers are running Linux, UNIX, or Windows all resources can be kept in the same tree. You don’t need to access a specific server or domain to create objects, grant rights, change passwords, or manage applications. The hierarchical structure of the tree gives you great management flexibility and power. For more information on trees, refer to “Understanding eDirectory“ in the.NetIQ eDirectory 8.8 Administration Guide

In eDirectory, the master replica is a writable replica type used to initiate changes to an object or partition The master replica is responsible for maintaining all replica and schema epochs. If a replication or schema problem needs to be corrected, the operation is performed from the master replica. If the directory has been partitioned into a number of replicas, a master replica is required on each server.

Active Directory: Active Directory is a hierarchical multilevel framework of objects. It provides information on the objects, organizes them, controls access to them and sets security. The logical divisions of an Active Directory network consist of forests, trees, and domains.

  • Domain: In Active Directory, a domain is a security boundary that is similar to a partition in eDirectory. Each Active Directory domain that is configured to act as a Global Catalog stores a full copy of all Active Directory objects in the host domain and a partial copy of all objects for all other domains in the forest.

  • Forest: A forest is a collection of Active Directory domains and is comparable to a tree in eDirectory

  • Trust Relationships: You can set up trust relationships to share resources between domains. Federation can be accomplished through establishing cross-domain and cross-forest trusts.

  • Domain Names: Active Directory uses domain class (DC) naming at the root of a naming context, as opposed to the X.500 naming used in eDirectory. For example, in eDirectory a partition is specified as ou=sales.o=company, but in Active Directory the partition is specified as dc=sales,dc=company,dc=com.

  • Security Model: The Active Directory security model is based on shared secrets. The domain controller contains all users’ keys. The authentication mechanism is based on Kerberos, NTLM, Smartcard, Digest etc.

The Active Directory security model is based on shared secrets. The domain controller contains all users’ keys.

For more information on Active Directory forests, refer to the Active Directory Tutorial

2.3.1 Additional Features of Active Directory

  • Within an Active Directory topology, distinct roles are defined, but these roles are not fixed. Any role can be moved to another server at any time. For more information about these roles, see Flexible Single Master Operation (FSMO) Roles in the OES 11 SP3: Domain Services for Windows Administration Guide.

  • In Active Directory, Flexible Single Master Operation (FSMO) roles ensure directory integrity by policing specific operations that belong only on a single-server directory service. For example, FSMO roles enable Active Directory to avoid the simultaneous creation of new domains with identical names or the creation of concurrent schema extensions using the same attribute with a different underlying syntax.

  • In Active Directory, the Primary Domain Controller Emulator FSMO role has two primary functions. It provides backward compatibility for Windows NT4 domains and for servers, and it acts as an accelerator for certain account management functions. For example, password changes and account lockouts are passed to the PDC Emulator FSMO role and then quickly replicated throughout a domain infrastructure.

  • In a Microsoft environment, time synchronization is important primarily for maintaining Kerberos authentication. Time synchronization is not vital to the functioning of the primary domain controller.