{
	"id": "606c8e16-a8b3-4ae2-98e6-0f89fd1f5d34",
	"created_at": "2026-04-06T00:20:15.940838Z",
	"updated_at": "2026-04-10T03:31:17.792025Z",
	"deleted_at": null,
	"sha1_hash": "5790e842eef16425fdb70ece976173f305245608",
	"title": "Active Directory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 307030,
	"plain_text": "Active Directory\r\nBy Contributors to Wikimedia projects\r\nPublished: 2001-12-05 · Archived: 2026-04-05 14:03:56 UTC\r\nThis article is about Microsoft's on-premises directory service. For their cloud-based system formerly known as\r\nAzure Active Directory, see Microsoft Entra ID.\r\nActive Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows\r\nServer operating systems include it as a set of processes and services.[1][2] Originally, only centralized domain\r\nmanagement used Active Directory. However, it ultimately became an umbrella title for various directory-based\r\nidentity-related services.[3]\r\nA domain controller is a server running the Active Directory Domain Services (AD DS) role. It authenticates and\r\nauthorizes all users and computers in a Windows domain-type network, assigning and enforcing security policies\r\nfor all computers and installing or updating software. For example, when a user logs into a computer which is part\r\nof a Windows domain, Active Directory checks the submitted username and password and determines whether the\r\nuser is a system administrator or a non-admin user.[4] Furthermore, it allows the management and storage of\r\ninformation, provides authentication and authorization mechanisms, and establishes a framework to deploy other\r\nrelated services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and\r\nRights Management Services.[5]\r\nActive Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of\r\nKerberos,[6] and DNS.[7]\r\nRobert R. King defined it in the following way:[8]\r\n\"A domain represents a database. That database holds records about network services-things like\r\ncomputers, users, groups and other things that use, support, or exist on a network. 
The domain database\r\nis, in effect, Active Directory.\"\r\nLike many information-technology efforts, Active Directory originated out of a democratization of design using\r\nRequests for Comments (RFCs). The Internet Engineering Task Force (IETF) oversees the RFC process and has\r\naccepted numerous RFCs initiated by widespread participants. For example, LDAP underpins Active Directory.\r\nAlso, X.500 directories and the Organizational Unit preceded the Active Directory concept that uses those\r\nmethods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as\r\nearly as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[9] RFC 2307,\r\nRFC 3062, and RFC 4533.[10][11][12]\r\nMicrosoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it\r\nto extend functionality and improve administration in Windows Server 2003. Active Directory support was also\r\nadded to Windows 95, Windows 98, and Windows NT 4.0 via patch, with some unsupported features.[13][14]\r\nhttps://en.wikipedia.org/wiki/Active_Directory\r\nPage 1 of 13\n\nAdditional improvements came with subsequent versions of Windows Server. In Windows Server 2008, Microsoft\r\nadded further services to Active Directory, such as Active Directory Federation Services.[15] The part of the\r\ndirectory in charge of managing domains, which was a core part of the operating system,[15] was renamed Active\r\nDirectory Domain Services (ADDS) and became a server role like others.[3] \"Active Directory\" became the\r\numbrella title of a broader range of directory-based services.[16] According to Byron Hynes, everything related to\r\nidentity was brought under Active Directory's banner.[3]\r\nActive Directory Services\r\nActive Directory Services consist of multiple directory services. 
The best known is Active Directory Domain\r\nServices, commonly abbreviated as AD DS or simply AD.\r\nActive Directory Domain Services (AD DS) is the foundation of every Windows domain network. It stores\r\ninformation about domain members, including devices and users, verifies their credentials, and defines their\r\naccess rights. The server running this service is called a domain controller. A domain controller is contacted when\r\na user logs into a device, accesses another device across the network, or runs a line-of-business Metro-style app\r\nsideloaded into a machine.\r\nOther Active Directory services (excluding LDS, as described below) and most Microsoft server technologies rely\r\non or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name\r\nServices, Remote Desktop Services, Exchange Server, and SharePoint Server.\r\nThe self-managed Active Directory DS is distinct from the managed Azure AD DS cloud product.[17]\r\nLightweight Directory Services\r\nActive Directory Lightweight Directory Services (AD LDS), previously called Active Directory Application Mode\r\n(ADAM),[18] implements the LDAP protocol for AD DS.[19] It runs as a service on Windows Server and offers\r\nthe same functionality as AD DS, including the same API. However, AD LDS does not require the creation of\r\ndomains or domain controllers. It provides a Data Store for storing directory data and a Directory Service with an\r\nLDAP Directory Service Interface. Unlike AD DS, multiple AD LDS instances can operate on the same server.\r\nCertificate Services\r\nActive Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. 
It can create,\r\nvalidate, revoke and perform other similar actions on public key certificates for internal use within an organization.\r\nThese certificates can be used to encrypt files (when used with Encrypting File System), emails (per the S/MIME\r\nstandard), and network traffic (when used by virtual private networks, the Transport Layer Security protocol or the IPsec\r\nprotocol).\r\nAD CS predates Windows Server 2008, but its name was simply Certificate Services.[20]\r\nAD CS requires an AD DS infrastructure.[21]\r\nFederation Services\r\nActive Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place,\r\nusers may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network\r\nresources using only one set of credentials stored at a central location, as opposed to having to be granted a\r\ndedicated set of credentials for each service. AD FS uses many popular open standards to pass token credentials\r\nsuch as SAML, OAuth or OpenID Connect.[22] AD FS supports encryption and signing of SAML assertions.[23]\r\nAD FS's purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the\r\ndevices that are part of the same network, using one set of credentials. The former enables them to use the same\r\nset of credentials in a different network.\r\nAs the name suggests, AD FS works based on the concept of federated identity.\r\nAD FS requires an AD DS infrastructure, although its federation partner may not.[24]\r\nRights Management Services\r\nActive Directory Rights Management Services (AD RMS), previously known as Rights Management Services\r\nor RMS before Windows Server 2008, is server software that allows for information rights management, included\r\nwith Windows Server. 
It uses encryption and selective denial to restrict access to various documents, such as\r\ncorporate e-mails, Microsoft Word documents, and web pages. It also limits the operations authorized users can\r\nperform on them, such as viewing, editing, copying, saving, or printing. IT administrators can create pre-set\r\ntemplates for end users for convenience, but end users can still define who can access the content and what actions\r\nthey can take.[25]\r\nActive Directory is a service comprising a database and executable code. It is responsible for managing requests\r\nand maintaining the database. The Directory System Agent is the executable part, a set of Windows services and\r\nprocesses that run on Windows 2000 and later.[1] Accessing the objects in Active Directory databases is possible\r\nthrough various interfaces such as LDAP, ADSI, messaging API, and Security Accounts Manager services.[2]\r\n[Figure: A simplified example of a publishing company's internal network. The company has four groups\r\nwith varying permissions to the three shared folders on the network.]\r\nActive Directory structures consist of information about objects classified into two categories: resources (such as\r\nprinters) and security principals (which include user or computer accounts and groups). Each security principal is\r\nassigned a unique security identifier (SID). An object represents a single entity, such as a user, computer, printer,\r\nor group, along with its attributes. Some objects may even contain other objects within them. Each object has a\r\nunique name, and its definition is a set of characteristics and information defined by a schema, which determines\r\nhow it is stored in the Active Directory.\r\nAdministrators can extend or modify the schema using the schema object when needed. 
However, because each\r\nschema object is integral to the definition of Active Directory objects, deactivating or changing them can\r\nfundamentally alter or disrupt a deployment. Modifying the schema affects the entire system automatically, and\r\nschema objects, once added, cannot be deleted, only deactivated. Changing the schema usually requires planning.[26]\r\nForests, trees, and domains\r\nIn an Active Directory network, the framework that holds objects has different levels: the forest, tree, and domain.\r\nDomains within a deployment contain objects stored in a single replicable database, and a DNS name structure\r\nidentifies each domain (its namespace). A domain is a logical group of network objects such as computers, users,\r\nand devices that share the same Active Directory database.\r\nA tree, on the other hand, is a collection of domains and domain trees in a contiguous namespace linked in a\r\ntransitive trust hierarchy. The forest is at the top of the structure, a collection of trees with a common global\r\ncatalog, directory schema, logical structure, and directory configuration. The forest is a security boundary that\r\nlimits access to users, computers, groups, and other objects.\r\nOrganizational units\r\nThe objects held within a domain can be grouped into organizational units (OUs).[27] OUs can provide hierarchy\r\nto a domain, ease its administration, and can resemble the organization's structure in managerial or geographical\r\nterms. OUs can contain other OUs, and domains are containers in this sense. Microsoft recommends using OUs\r\nrather than domains for structure and simplifying the implementation of policies and administration. The OU is\r\nthe recommended level at which to apply group policies, which are Active Directory objects formally named\r\ngroup policy objects (GPOs), although policies can also be applied to domains or sites (see below). 
The OU is the\r\nlevel at which administrative powers are commonly delegated, but delegation can be performed on individual\r\nobjects or attributes as well.\r\nOrganizational units do not each have a separate namespace. As a consequence, for compatibility with legacy\r\nNetBIOS implementations, user accounts with an identical SamAccountName are not allowed within the same\r\ndomain even if the account objects are in separate OUs. This is because SamAccountName, a user object\r\nattribute, must be unique within the domain.[28] However, two users in different OUs can have the same common\r\nname (CN), the name under which they are stored in the directory itself, such as \"fred.staff-ou.domain\" and\r\n\"fred.student-ou.domain\", where \"staff-ou\" and \"student-ou\" are the OUs.\r\nIn general, the reason duplicate names are not allowed through hierarchical directory placement is\r\nthat Microsoft primarily relies on the principles of NetBIOS, which is a flat-namespace method of network object\r\nmanagement that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager.\r\nAllowing for duplication of object names in the directory, or completely removing the use of NetBIOS names,\r\nwould prevent backward compatibility with legacy software and equipment. However, disallowing duplicate\r\nobject names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.\r\nAs the number of users in a domain increases, conventions such as \"first initial, middle initial, last name\" (Western\r\norder) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia. Workarounds\r\ninclude adding a digit to the end of the username. 
Alternatives include creating a separate ID system of unique\r\nemployee/student ID numbers to use as account names in place of actual users' names and allowing users to\r\nnominate their preferred word sequence within an acceptable use policy.\r\nBecause duplicate usernames cannot exist within a domain, account name generation poses a significant challenge\r\nfor large organizations that cannot be easily subdivided into separate domains, such as students in a public school\r\nsystem or university who must be able to use any computer across the network.\r\nIn Active Directory, organizational units (OUs) cannot be assigned as owners or trustees. Only\r\ngroups are selectable, and members of OUs cannot be collectively assigned rights to directory\r\nobjects.\r\nIn Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not\r\nautomatically assigned access privileges based on their containing OU. This is a design limitation specific to\r\nActive Directory; competing directories, such as Novell NDS, can set access privileges through object\r\nplacement within an OU.\r\nActive Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also\r\nwithin that OU. Using only the OU location to determine access permissions is unreliable since the entity might\r\nnot have been assigned to the group object for that OU yet.\r\nA common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic\r\nscript to automatically create and maintain a user group for each OU in their Directory. The scripts run\r\nperiodically to update the group to match the OU's account membership. However, they cannot instantly update\r\nthe security groups whenever the directory changes, as competing directories can, because in those directories security is\r\nimplemented directly in the Directory. 
Such groups are known as shadow groups. Once created, these shadow groups are\r\nselectable in place of the OU in the administrative tools. Microsoft's Server 2008 reference documentation\r\nmentions shadow groups but does not provide instructions on creating them. Additionally, there are no available\r\nserver methods or console snap-ins for managing these groups.[29]\r\nAn organization must determine the structure of its information infrastructure by dividing it into one or more\r\ndomains and top-level OUs. This decision is critical and can be based on various models such as business units,\r\ngeographical locations, IT service, object type, or a combination of these models. The immediate purpose of\r\norganizing OUs is to simplify administrative delegation and, secondarily, to apply group policies. While OUs\r\nserve as an administrative boundary, the forest itself is the only security boundary. All other domains must trust\r\nany administrator in the forest to maintain security.[30]\r\nThe Active Directory database is organized in partitions, each holding specific object types and following a\r\nparticular replication pattern. Microsoft often refers to these partitions as 'naming contexts'.[31] The 'Schema'\r\npartition defines object classes and attributes within the forest. The 'Configuration' partition contains information\r\non the physical structure and configuration of the forest (such as the site topology). Both replicate to all domain controllers in\r\nthe forest. The 'Domain' partition holds all objects created in that domain and replicates only within it.\r\nSites are physical (rather than logical) groupings defined by one or more IP subnets.[32] AD also defines\r\nconnections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are\r\nindependent of the domain and OU structure and are shared across the forest. 
Sites play a crucial role in managing\r\nnetwork traffic created by replication and directing clients to their nearest domain controllers (DCs). Microsoft\r\nExchange Server 2007 uses the site topology for mail routing. Administrators can also define policies at the site\r\nlevel.\r\nThe Active Directory information is physically held on one or more peer domain controllers, replacing the NT\r\nPDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that\r\nare not domain controllers are called member servers.[33] Some domain controllers are additionally configured as\r\nglobal catalogs. These global catalog servers offer a comprehensive list of\r\nall objects in the forest.[34][35]\r\nGlobal Catalog servers replicate all objects from all domains to themselves, providing a forest-wide listing of\r\nentities. However, to minimize replication traffic and keep the GC's database small, only selected\r\nattributes of each object are replicated, called the partial attribute set (PAS). The PAS can be modified by\r\nmodifying the schema and marking attributes for replication to the GC.[36] Earlier versions of Windows used\r\nNetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP and DNS. To fully\r\noperate, the DNS server must support SRV resource records, also known as service records.\r\nActive Directory uses multi-master replication to synchronize changes,[37] meaning replicas pull changes from the\r\nserver where the change occurred rather than being pushed to them.[38] The Knowledge Consistency Checker\r\n(KCC) uses defined sites to manage traffic and create a replication topology of site links. Intra-site replication\r\noccurs frequently and automatically due to change notifications, which prompt peers to begin a pull replication\r\ncycle. 
Replication between different sites is usually scheduled at longer intervals and does not use change\r\nnotifications by default. However, it can be configured to behave the same as replication between locations on the same\r\nnetwork if needed.\r\nEach DS3, T1, and ISDN link can have a cost, and the KCC alters the site link topology accordingly. Replication\r\nmay occur transitively through several site links on same-protocol site link bridges if the cost is low. However,\r\nthe KCC automatically assigns a direct site-to-site link a lower cost than transitive connections. A bridgehead server in each\r\nsite can send updates to other DCs in the same site to replicate changes between sites. Replication for\r\nActive Directory-integrated DNS zones is configured when DNS is activated in the domain, based on the site.\r\nTo replicate Active Directory, Remote Procedure Calls (RPC) over IP (RPC/IP) are used. SMTP can be used to\r\nreplicate between sites, but only for changes to the Schema and Configuration partitions and to the Partial Attribute Set (Global\r\nCatalog). It is not suitable for replicating the default Domain partition.[39]\r\nGenerally, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and\r\nrestore of Active Directory are possible for a network with a single domain controller.[40] However, Microsoft\r\nrecommends more than one domain controller to provide automatic failover protection of the directory.[41]\r\nDomain controllers are ideally single-purpose for directory operations only and should not run any other software\r\nor role.[42]\r\nSince certain Microsoft products, like SQL Server[43][44] and Exchange,[45] can interfere with the operation of a\r\ndomain controller, isolation of these products on additional Windows servers is advised. 
Combining them can\r\nmake the configuration and troubleshooting of the domain controller or the other installed software more\r\ncomplex.[46] If planning to implement Active Directory, a business should purchase multiple Windows server\r\nlicenses to have at least two separate domain controllers. Administrators should consider additional domain\r\ncontrollers for performance or redundancy and individual servers for tasks like file storage, Exchange, and SQL\r\nServer[47] since this will guarantee that all server roles are adequately supported.\r\nOne way to lower the physical hardware costs is by using virtualization. However, for proper failover protection,\r\nMicrosoft recommends not running multiple virtualized domain controllers on the same physical hardware.[48]\r\nThe Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible\r\nStorage Engine (ESE98). Each domain controller's database is limited to 16 terabytes and 2 billion objects (but\r\nonly 1 billion security principals). Microsoft has created NTDS databases with more than 2 billion objects.[49]\r\nNT4's Security Account Manager could support up to 40,000 objects. The Active Directory database has two main tables: the data table and the\r\nlink table. Windows Server 2003 added a third main table for security descriptor single instancing.[49]\r\nPrograms may access the features of Active Directory[50] via the COM interfaces provided by Active Directory\r\nService Interfaces.[51]\r\nTo allow users in one domain to access resources in another, Active Directory uses trusts.[52]\r\nTrusts inside a forest are automatically created when domains are created. 
The forest sets the default boundaries of\r\ntrust, and implicit, transitive trust is automatic for all domains within a forest.\r\nOne-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users\r\non the first domain.\r\nTwo-way trust: Two domains allow access to users on both domains.\r\nTrusted domain: The domain that is trusted; its users have access to the trusting domain.\r\nTransitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.\r\nIntransitive trust: A one-way trust that does not extend beyond two domains.\r\nExplicit trust: A trust that an admin creates. It is not transitive and is one-way only.\r\nCross-link trust: An explicit trust between domains in different trees or the same tree when a descendant/ancestor\r\n(child/parent) relationship does not exist between the two domains.\r\nShortcut: Joins two domains in different trees; transitive, one- or two-way.\r\nForest trust: Applies to the entire forest; transitive, one- or two-way.\r\nRealm: Can be transitive or nontransitive (intransitive), one- or two-way.\r\nExternal: Connects to other forests or non-Active Directory domains. 
Nontransitive, one- or two-way.[53]\r\nPAM trust: A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a\r\n(Windows Server 2016 functionality level) 'bastion' forest, which issues time-limited group memberships.[54][55]\r\nMicrosoft Active Directory management tools include:\r\nActive Directory Administrative Center (introduced with Windows Server 2012),\r\nActive Directory Users and Computers,\r\nActive Directory Domains and Trusts,\r\nActive Directory Sites and Services,\r\nADSI Edit,\r\nLocal Users and Groups,\r\nActive Directory Schema snap-ins for Microsoft Management Console (MMC),\r\nSysInternals ADExplorer.\r\nThese management tools may not provide enough functionality for efficient workflow in large environments.\r\nSome third-party tools extend the administration and management capabilities. They provide essential features for\r\na more convenient administration process, such as automation, reports, integration with other services, etc.\r\nVarying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems\r\n(including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients,\r\nbut these systems usually do not interpret many attributes associated with Windows components, such as Group\r\nPolicy and support for one-way trusts.\r\nThird parties offer Active Directory integration for Unix-like platforms, including:\r\nPowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a\r\nnon-Windows client to join Active Directory[56]\r\nADmitMac (Thursby Software Systems)[56]\r\nSamba (free software under GPLv3) – Can act as a fully functional Active Directory domain controller[57][58]\r\nThe schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC\r\n2307 to be generally usable. 
The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by\r\nPADL.com, supports these attributes directly. The default schema for group membership complies with RFC\r\n2307bis (proposed).[59] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates\r\nand edits the attributes.\r\nAn alternative option is to use another directory service, to which non-Windows clients authenticate while\r\nWindows clients authenticate to Active Directory. Such directory services include 389 Directory Server (formerly\r\nFedora Directory Server, FDS), ViewDS v7.2 XML Enabled Directory, and Sun Microsystems Sun Java System\r\nDirectory Server. The latter two are both able to perform two-way synchronization with Active Directory and thus\r\nprovide a \"deflected\" integration.\r\nAnother option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP\r\nserver with additional attributes stored in a local database. Clients pointed at the local database see entries\r\ncontaining both the remote and local attributes, while the remote database remains completely untouched.[citation needed]\r\nAdministration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting\r\nlanguages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.[60][61][62][63] Free and\r\nnon-free Active Directory administration tools can help to simplify and possibly automate Active Directory\r\nmanagement tasks.\r\nSince October 2017 Amazon AWS offers integration with Microsoft Active Directory.[64]\r\nSee also\r\nAGDLP (implementing role based access controls using nested groups)\r\nApple Open Directory\r\nFlexible single master operation\r\nFreeIPA\r\nList of LDAP software\r\nSystem Security Services Daemon (SSSD)\r\nUnivention Corporate Server\r\nReferences\r\n1. ^ \"Directory System Agent\". 
MSDN Library. Microsoft. Retrieved 23 April 2014.\r\n2. ^ Solomon, David A.; Russinovich, Mark (2005). \"Chapter 13\". Microsoft Windows\r\nInternals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (4th ed.). Redmond,\r\nWashington: Microsoft Press. p. 840. ISBN 0-7356-1917-4.\r\n3. ^ Hynes, Byron (November 2006). \"The Future of Windows: Directory Services in\r\nWindows Server \"Longhorn\"\". TechNet Magazine. Microsoft. Archived from the original on 30 April 2020.\r\nRetrieved 30 April 2020.\r\n4. ^ \"Active Directory on a Windows Server 2003 Network\". Active Directory Collection. Microsoft. 13\r\nMarch 2003. Archived from the original on 30 April 2020. Retrieved 25 December 2010.\r\n5. ^ Rackspace Support (27 April 2016). \"Install Active Directory Domain Services on Windows Server 2008\r\nR2 Enterprise 64-bit\". Rackspace. Rackspace US, Inc. Archived from the original on 30 April 2020.\r\nRetrieved 22 September 2016.\r\n6. ^ \"Microsoft Kerberos - Win32 apps\". docs.microsoft.com. 7 January 2021.\r\n7. ^ \"Domain Name System (DNS)\". docs.microsoft.com. 10 January 2022.\r\n8. ^ King, Robert (2003). Mastering Active directory for Windows server 2003 (3rd ed.). Alameda, Calif.:\r\nSybex. p. 159. ISBN 978-0-7821-5201-2. OCLC 62876800.\r\n9. ^ Howes, T.; Smith, M. (August 1995). \"The LDAP Application Program Interface\". The Internet\r\nEngineering Task Force (IETF). Archived from the original on 30 April 2020. Retrieved 26 November\r\n2013.\r\n10. ^ Howard, L. (March 1998). \"An Approach for Using LDAP as a Network Information Service\". Internet\r\nEngineering Task Force (IETF). Archived from the original on 30 April 2020. Retrieved 26 November\r\n2013.\r\n11. ^ Zeilenga, K. (February 2001). \"LDAP Password Modify Extended Operation\". The Internet Engineering\r\nTask Force (IETF). Archived from the original on 30 April 2020. Retrieved 26 November 2013.\r\n12. 
^ Zeilenga, K.; Choi, J.H. (June 2006). \"The Lightweight Directory Access Protocol (LDAP) Content\r\nSynchronization Operation\". The Internet Engineering Task Force (IETF). Archived from the original on\r\n30 April 2020. Retrieved 26 November 2013.\r\n13. ^ Daniel Petri (8 January 2009). \"Active Directory Client (dsclient) for Win98/NT\".\r\n14. ^ \"Dsclient.exe connects Windows 9x/NT PCs to Active Directory\". 5 June 2003.\r\n15. ^ Thomas, Guy (29 November 2000). \"Windows Server 2008 - New Features\".\r\nComputerPerformance.co.uk. Computer Performance Ltd. Archived from the original on 2 September\r\n2019. Retrieved 30 April 2020.\r\n16. ^ \"What's New in Active Directory in Windows Server\". Windows Server 2012 R2 and Windows Server\r\n2012 Tech Center. Microsoft. 31 August 2016.\r\n17. ^ \"Compare Active Directory-based services in Azure\". docs.microsoft.com. 3 April 2023.\r\n18. ^ \"AD LDS\". Microsoft. Retrieved 28 April 2009.\r\n19. ^ \"AD LDS versus AD DS\". Microsoft. 2 July 2012. Retrieved 25 February 2013.\r\n20. ^ Zacker, Craig (2003). \"11: Creating and Managing Digital Certificates\". In Harding, Kathy; Jean,\r\nTrenary; Linda, Zacker (eds.). Planning and Maintaining a Microsoft Windows server 2003 Network\r\nInfrastructure. Redmond, WA: Microsoft Press. pp. 11–16. ISBN 0-7356-1893-3.\r\n21. ^ \"Active Directory Certificate Services Overview\". Microsoft TechNet. Microsoft. Retrieved 24 November\r\n2015.\r\n22. ^ \"Overview of authentication in Power Apps portals\". Microsoft Docs. Microsoft. Retrieved 30 January\r\n2022.\r\n23. ^ \"How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates\".\r\nTechNet. Microsoft. Retrieved 30 January 2022.\r\n24. ^ \"Step 1: Preinstallation Tasks\". TechNet. Microsoft. Retrieved 21 October 2021.\r\n25. ^ \"Test Lab Guide: Deploying an AD RMS Cluster\". Microsoft Docs. Microsoft. 
31 August 2016. Retrieved\r\n30 January 2022.\r\n26. ^ Windows Server 2003: Active Directory Infrastructure. Microsoft Press. 2003. pp. 1–8–1–9.\r\n27. ^ \"Organizational Units\". Distributed Systems Resource Kit (TechNet). Microsoft. 2011. “An\r\norganizational unit in Active Directory is analogous to a directory in the file system”\r\n28. ^ \"SamAccountName is always unique in a Windows domain... or is it?\". Joeware. 4 January 2012.\r\nRetrieved 18 September 2013. “examples of how multiple AD objects can be created with the same\r\nSamAccountName”\r\n29. ^ Microsoft Server 2008 Reference, discussing shadow groups used for fine-grained password policies:\r\nhttps://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx\r\n30. ^ \"Specifying Security and Administrative Boundaries\". Microsoft Corporation. 23 January 2005.\r\n“However, service administrators have abilities that cross domain boundaries. For this reason, the forest is\r\nthe ultimate security boundary, not the domain.”\r\n31. ^ Andreas Luther (9 December 2009). \"Active Directory Replication Traffic\". Microsoft Corporation.\r\nRetrieved 26 May 2010. “The Active Directory is made up of one or more naming contexts or partitions.”\r\n32. ^ \"Sites overview\". Microsoft Corporation. 21 January 2005. “A site is a set of well-connected subnets.”\r\n33. ^ \"Planning for domain controllers and member servers\". Microsoft Corporation. 21 January 2005. “[...]\r\nmember servers, [...] belong to a domain but do not contain a copy of the Active Directory data.”\r\n34. ^ \"What Is the Global Catalog?\". Microsoft Corporation. 10 December 2009. “[...] a domain controller\r\ncan locate only the objects in its domain. [...] The global catalog provides the ability to locate objects from\r\nany domain [...]”\r\n35. ^ \"Global Catalog\". Microsoft Corporation.\r\n36. ^ \"Attributes Included in the Global Catalog\". Microsoft Corporation. 26 August 2010. 
“The isMemberOfPartialAttributeSet attribute of an attributeSchema object is set to TRUE if the attribute is replicated to the global catalog. [...] When deciding whether or not to place an attribute in the global catalog remember that you are trading increased replication and increased disk storage on global catalog servers for, potentially, faster query performance.”\r\n37. ^ \"Directory data store\". Microsoft Corporation. 21 January 2005. “Active Directory uses four distinct directory partition types to store [...] data. Directory partitions contain domain, configuration, schema, and application data.”\r\n38. ^ \"What Is the Active Directory Replication Model?\". Microsoft Corporation. 28 March 2003. “Domain controllers request (pull) changes rather than send (push) changes that might not be needed.”\r\n39. ^ \"What Is Active Directory Replication Topology?\". Microsoft Corporation. 28 March 2003. “SMTP can be used to transport nondomain replication [...]”\r\n40. ^ \"Active Directory Backup and Restore\". TechNet. Microsoft. 9 December 2009. Retrieved 5 February 2014.\r\n41. ^ \"AD DS: All domains should have at least two functioning domain controllers for redundancy\". TechNet. Microsoft. Retrieved 5 February 2014.\r\n42. ^ Posey, Brien (23 August 2010). \"10 tips for effective Active Directory design\". TechRepublic. CBS Interactive. Retrieved 5 February 2014. “Whenever possible, your domain controllers should run on dedicated servers (physical or virtual).”\r\n43. ^ \"You may encounter problems when installing SQL Server on a domain controller (Revision 3.0)\". Support. Microsoft. 7 January 2013. Retrieved 5 February 2014.\r\n44. ^ Degremont, Michel (30 June 2011). \"Can I install SQL Server on a domain controller?\". Microsoft SQL Server blog. Retrieved 5 February 2014. 
“For security and performance reasons, we recommend that you do not install a standalone SQL Server on a domain controller.”\r\n45. ^ \"Installing Exchange on a domain controller is not recommended\". TechNet. Microsoft. 22 March 2013. Retrieved 5 February 2014.\r\n46. ^ \"Security Considerations for a SQL Server Installation\". TechNet. Microsoft. Retrieved 5 February 2014. “After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.”\r\n47. ^ \"Exchange Server Analyzer\". TechNet. Microsoft. Retrieved 5 February 2014. “Running SQL Server on the same computer as a production Exchange mailbox server is not recommended.”\r\n48. ^ \"Running Domain Controllers in Hyper-V\". TechNet. Microsoft. Planning to Virtualize Domain Controllers. Retrieved 5 February 2014. “You should attempt to avoid creating potential single points of failure when you plan your virtual domain controller deployment.”\r\n49. ^ a b efleis (8 June 2006). \"Large AD database? Probably not this large\". Blogs.technet.com. Archived from the original on 17 August 2009. Retrieved 20 November 2011.\r\n50. ^ Berkouwer, Sander. \"Active Directory basics\". Veeam Software.\r\n51. ^ Active Directory Service Interfaces, Microsoft\r\n52. ^ \"Domain and Forest Trusts Technical Reference\". Microsoft Corporation. 28 March 2003. “Trusts enable [...] authentication and [...] sharing resources across domains or forests”\r\n53. ^ \"Domain and Forest Trusts Work\". Microsoft Corporation. 11 December 2012. Retrieved 29 January 2013. “Defines several kinds of trusts. (automatic, shortcut, forest, realm, external)”\r\n54. ^ \"Privileged Access Management for Active Directory Domain Services\". docs.microsoft.com. 8 February 2023.\r\n55. ^ \"TechNet Wiki\". social.technet.microsoft.com. 
17 January 2024.\r\n56. ^ a b Edge, Charles S. Jr; Smith, Zack; Hunter, Beau (2009). \"Chapter 3: Active Directory\". Enterprise Mac Administrator's Guide. New York City: Apress. ISBN 978-1-4302-2443-3.\r\n57. ^ \"Samba 4.0.0 Available for Download\". SambaPeople. SAMBA Project. Archived from the original on 15 November 2010. Retrieved 9 August 2016.\r\n58. ^ \"The great DRS success!\". SambaPeople. SAMBA Project. 5 October 2009. Archived from the original on 13 October 2009. Retrieved 2 November 2009.\r\n59. ^ \"RFC 2307bis\". Archived from the original on 27 September 2011. Retrieved 20 November 2011.\r\n60. ^ \"Active Directory Administration with Windows PowerShell\". Microsoft. Retrieved 7 June 2011.\r\n61. ^ \"Using Scripts to Search Active Directory\". Microsoft. 26 May 2010. Retrieved 22 May 2012.\r\n62. ^ \"ITAdminTools Perl Scripts Repository\". ITAdminTools.com. Retrieved 22 May 2012.\r\n63. ^ \"Win32::OLE\". Perl Open-Source Community. Retrieved 22 May 2012.\r\n64. ^ \"Introducing AWS Directory Service for Microsoft Active Directory (Standard Edition)\". Amazon Web Services. 
24 October 2017.\r\nMicrosoft Technet: White paper: Active Directory Architecture (Single technical document that gives an overview about Active Directory.)\r\nMicrosoft Technet: Detailed description of Active Directory on Windows Server 2003\r\nMicrosoft MSDN Library: [MS-ADTS]: Active Directory Technical Specification (part of the Microsoft Open Specification Promise)\r\nActive Directory Application Mode (ADAM)\r\nMicrosoft MSDN: [AD-LDS]: Active Directory Lightweight Directory Services\r\nMicrosoft TechNet: [AD-LDS]: Active Directory Lightweight Directory Services\r\nMicrosoft MSDN: Active Directory Schema\r\nMicrosoft TechNet: Understanding Schema\r\nMicrosoft TechNet Magazine: Extending the Active Directory Schema\r\nMicrosoft MSDN: Active Directory Certificate Services\r\nMicrosoft TechNet: Active Directory Certificate Services\r\nSource: https://en.wikipedia.org/wiki/Active_Directory",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Active_Directory"
	],
	"report_names": [
		"Active_Directory"
	],
	"threat_actors": [
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5790e842eef16425fdb70ece976173f305245608.pdf",
		"text": "https://archive.orkl.eu/5790e842eef16425fdb70ece976173f305245608.txt",
		"img": "https://archive.orkl.eu/5790e842eef16425fdb70ece976173f305245608.jpg"
	}
}