1.3 Basic Directory Services Concepts

To effectively set up and work with DSfW, a basic understanding of both eDirectory and Active Directory is required. This section briefly outlines helpful concepts and terminology.

1.3.1 Domains, Trees, and Forests

Domain: In Active Directory, a domain is a security boundary. A domain is analogous to a partition in eDirectory.

Tree: A DSfW tree consists of a single domain or multiple domains in a contiguous namespace.

Forest: A forest is a collection of Active Directory domains. A forest is analogous to a tree in eDirectory. You can set up trust relationships to share authentication secrets between domains.

Each Active Directory server has a domain, a configuration, and a schema partition.

Global Catalog: Global catalogs are special Active Directory domain controllers that store a complete copy of all the Active Directory objects belonging to the host domain and a partial copy of all other objects in the forest.

Federation can be accomplished through establishing cross-domain and cross-forest trusts.

1.3.2 Naming

Active Directory uses DC (domain class) naming at the root of a partition, while eDirectory supports other naming attributes like Organization (O) and Organizational Unit (OU). For example, in eDirectory a partition might be specified as:


In Active Directory, the partition is specified as:


Every Active Directory domain maps to a DNS domain. The DNS domain name can be derived from the Active Directory domain name. DSfW also follows this rule and supports mapping of eDirectory partitions to DSfW domains.

For example, the ou=sales.o=company partition can be mapped to the DSfW domain dc=sales,dc=company,dc=com.

1.3.3 Security Model

The Active Directory security model is based on shared secrets. The authentication mechanism is based on Kerberos. The domain controller contains all users’ Kerberos keys. The KDC, Remote Procedure Call (RPC) server, and Directory System Agent (DSA) operate inside a “trusted computing base” and have full access to all user information.

Active Directory users and groups are identified by unique Security Identifiers (SIDs). A SID consists of a domain-specific prefix, followed by an integer suffix or “relative ID” that is unique within the domain.
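The prefix-plus-relative-ID structure described above, as an added example that is not part of the original documentation: it decodes a binary SID (the form returned in the objectSid attribute over LDAP) and splits it into domain prefix and RID. The binary layout is the standard Windows SID encoding; the function names and the sample SID values are constructed for illustration.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into its string form S-<rev>-<authority>-<sub>...."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit value, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit values, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_sid(sid: str) -> tuple[str, int]:
    """Split a string SID into (domain-specific prefix, relative ID)."""
    prefix, _, rid = sid.rpartition("-")
    if not prefix.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return prefix, int(rid)

def same_domain(a: str, b: str) -> bool:
    """True when both SIDs carry the same domain prefix."""
    return split_sid(a)[0] == split_sid(b)[0]

# Constructed sample: authority 5, sub-authorities 21-<three domain values>-<RID>.
CONSTRUCTED_SID = (
    bytes([1, 5])
    + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1105)
)

if __name__ == "__main__":
    sid = parse_sid(CONSTRUCTED_SID)
    prefix, rid = split_sid(sid)
    print(f"SID:    {sid}")
    print(f"Domain: {prefix}")
    print(f"RID:    {rid}")
```

Comparing prefixes rather than whole SIDs is how a review script can tell whether a principal in an ACL or group membership belongs to the local domain or to a trusted one.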

For more information about Active Directory, see the Microsoft Active Directory Technical Library.

1.3.4 Groups

Active Directory supports universal, global, and local groups. DSfW supports the semantics of these groups with different scopes when the group management is performed through MMC. However, there are exceptions. For example, validation of group type transitions is not supported.

Groups can also contain other groups, which is known as nesting. Other limitations largely result from the way eDirectory supports nested groups. You cannot add a group from other domains as a member of a group.

In addition, eDirectory supports dynamic groups. Because Active Directory does not support them, dynamic groups are not supported in DSfW. All groups created by using iManager or MMC can be used as security principals in an Access Control List in eDirectory. Token groups can only have groups that are enabled as security groups through MMC.