Active Directory, X.500, LDAP, and Kerberos

This is intended to clarify, in summary, how Active Directory, X.500, LDAP, and Kerberos work with each other.

Updated 2011-02-12

  • Active Directory is the network directory service offered by Microsoft in its Windows Server operating systems starting with Windows 2000 Server. AD allows objects (users, groups, computers, etc.) to be organized in a hierarchical structure, which scales much better than NT 4.0’s flat domain structure.
  • NTDS.DIT is the actual physical file used by the AD database. The “DIT” extension in the file name stands for Directory Information Tree. The physical database is based on ESE (Extensible Storage Engine) technology, which is also used by Exchange Server. AD is not a flat file database and uses transaction logs and other database technologies. Every AD DC has its own read-write copy of NTDS.DIT.
  • The X.500 directory standard is the basis for the logical structure of AD. The concept of objects and classes, and the hierarchical structure of AD are all based on X.500.
  • LDAP (Lightweight Directory Access Protocol) is an access protocol standard that is used to access X.500 directories; AD is LDAP compliant. LDAP allows AD to interoperate with other LDAP-compliant directories and services.
  • Kerberos is a secure, encrypted, network authentication protocol that is used natively in an AD domain. It is a relatively open standard and is used in UNIX-based systems also. The key to Kerberos is that it centralizes the account database and provides security to the authentication process.

As you can see, there are many pieces to AD. In most of the books and articles that I’ve read, the authors usually gloss over X.500, LDAP, and Kerberos. I think they do that because of their lack of knowledge in those areas; just the concepts used in Kerberos alone are complex enough to fill a very large book.

Most books and articles jump right into forests, domains, OUs, and GPOs, which are really the meat of AD. Your regular sys admin would probably not run across too many issues where deep knowledge of X.500, LDAP, or Kerberos is necessary. But if you really want to develop a deep understanding of AD, you need to know more about X.500, LDAP, and Kerberos.
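To make the X.500 hierarchy behind AD concrete, here is an added example that is not part of the original post: a small Python parser for LDAP distinguished names in their RFC 4514 string form. It walks an object's containers up to the domain head and derives the DNS domain from the DC= components, which is useful when reviewing directory audit data that reports objects by distinguishedName. The DNs used are constructed samples, not real directory data.

```python
"""Walk the X.500-style hierarchy that Active Directory exposes over LDAP."""
from string import hexdigits
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(type, value), ...] leaf-first, decoding '\\c' and '\\XX' escapes.
    Only an unescaped ',' ends an RDN ('CN=Doe\\, Jane,OU=...' stays one RDN);
    multi-valued RDNs joined with '+' are not split (rare in AD)."""
    rdns: List[Tuple[str, str]] = []
    attr, buf, i = "", bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                        # escaped character or hex pair
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                buf.append(int(pair, 16)); i += 3
            elif pair:
                buf += pair[0].encode("utf-8"); i += 2
            else:
                raise ValueError("dangling escape in DN")
            continue
        if ch == "=" and not attr:            # first unescaped '=' ends the type
            attr, buf = buf.decode("utf-8").strip(), bytearray()
        elif ch == ",":                       # unescaped ',' ends this RDN
            rdns.append((attr, buf.decode("utf-8"))); attr, buf = "", bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    rdns.append((attr, buf.decode("utf-8")))
    return rdns

def escape_value(value: str) -> str:
    """Escape a value for the DN string form (mandatory set from RFC 4514 s2.4)."""
    out = []
    for k, ch in enumerate(value):
        special = ch in '\\,+"<>;' or (k == 0 and ch in "# ") or (k == len(value) - 1 and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)

def to_dn(rdns: List[Tuple[str, str]]) -> str:
    return ",".join(f"{a}={escape_value(v)}" for a, v in rdns)

def ancestors(dn: str) -> List[str]:
    """Containers above the object, nearest first, ending at the domain head (first DC=)."""
    rdns = parse_dn(dn)
    top = next((k for k, (a, _) in enumerate(rdns) if a.upper() == "DC"), len(rdns) - 1)
    return [to_dn(rdns[k:]) for k in range(1, top + 1)]

def dns_domain(dn: str) -> str:
    # AD maps the DNS domain name onto the DC= components at the root of the tree
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")
```

For a constructed DN such as `CN=Doe\, Jane,OU=Sales,DC=corp,DC=example,DC=com`, `ancestors` yields the Sales OU and then the domain head, and `dns_domain` returns `corp.example.com`.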
