Microsoft's replacement for the awful Domain Controller concept. Two important things you need to understand here are that it is really LDAP, and that it is (or can be) distributed.
Unless you are working in a really big organization, you probably won't run into the distributed features, but it's just something to remember: one server doesn't necessarily have to be the central location for changes. In a small business, there probably will be just one server that handles it all, but it doesn't have to be that way.
As the base of Active Directory is LDAP, that immediately suggests that it could be holding a lot more information than just user account info, and in fact it does. See https://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp for an overview of that.
AD also uses Kerberos for security. Again, that function could involve multiple machines, but probably won't in a small shop. Because of the possibility of all these distributed servers, AD makes heavy use of DNS. In the Unix world, particularly in small networks, we usually don't care too much about local DNS: if we pay any attention at all, it's often just /etc/hosts. Few of us bother to set up real DNS for the local network. However, AD needs local DNS.
For most of the folks reading this page, your only concern with that will be getting Samba to play happily with AD. Fortunately, the underlying LDAP/Kerberos/DNS of AD makes that a little easier than it was with the entirely proprietary Domain Controller concepts, but it isn't easy getting there. Truthfully, you and the client would be better off if they weren't using AD at all, but we don't always get to do what's right when Microsoft has a strong grip in a company. At this writing (Samba 3.09), the best you can do is work with AD:
(https://it.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id2520142) As of the release of MS Windows 2000 and Active Directory, this information is now stored in a directory that can be replicated and for which partial or full administrative control can be delegated. Samba-3 is not able to be a Domain Controller within an Active Directory tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot act as a Backup Domain Controller to an Active Directory Domain Controller.
That means that you can get Samba to authenticate from an AD controller, but it can't BE the AD controller or an AD server. Not yet, anyway. (If you happen to stumble across this at some later time when Samba no longer has to play second fiddle, please do let me know that I need to update this page.) However, unlike Domain Controllers that could more easily be asked for authentication, AD requires more work.
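An offline check of the DNS dependency described above, as an added example that is not part of the original article: it parses a constructed zone snippet and reports which of the SRV records that AD members look up for LDAP and Kerberos are missing or point at hosts with no A record. The zone text, the `example.lan` domain and the function names are assumptions made for illustration.

```python
# Added example: zone text, host names and addresses are constructed samples.
# SRV owner names (relative to the AD DNS domain) that members look up to
# find LDAP and Kerberos services; which ones to insist on is this check's choice.
REQUIRED_SRV = ("_ldap._tcp", "_ldap._tcp.dc._msdcs",
                "_kerberos._tcp", "_kpasswd._tcp")

SAMPLE_ZONE = """\
; constructed zone data for example.lan
dc1                     IN A    192.168.10.5
_ldap._tcp              IN SRV  0 100 389 dc1.example.lan.
_ldap._tcp.dc._msdcs    IN SRV  0 100 389 dc1.example.lan.
_kerberos._tcp          IN SRV  0 100 88  dc2.example.lan.
"""

def _fqdn(name, origin):
    """Qualify a relative owner/target name against the zone origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, domain):
    """Return (hosts_with_A, srv) from simple 'owner IN TYPE rdata' lines."""
    origin = domain.lower().rstrip(".") + "."
    hosts, srv = set(), {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        owner, rtype, rdata = _fqdn(fields[0], origin), fields[2].upper(), fields[3:]
        if rtype == "A":
            hosts.add(owner)
        elif rtype == "SRV" and len(rdata) == 4:   # priority weight port target
            srv.setdefault(owner, []).append((int(rdata[2]), _fqdn(rdata[3], origin)))
    return hosts, srv

def check_ad_dns(text, domain):
    """List problems that would stop a member from locating a domain controller."""
    hosts, srv = parse_zone(text, domain)
    origin = domain.lower().rstrip(".") + "."
    problems = []
    for rel in REQUIRED_SRV:
        owner = f"{rel}.{origin}"
        if owner not in srv:
            problems.append(f"missing SRV {owner}")
        problems += [f"{owner} -> {target}:{port} has no A record"
                     for port, target in srv.get(owner, []) if target not in hosts]
    return problems

if __name__ == "__main__":
    print("\n".join(check_ad_dns(SAMPLE_ZONE, "example.lan")) or "zone looks usable")
```

On the sample zone it flags the Kerberos record that points at an unresolvable host and the absent password-change record, the kind of gap that makes a Samba join fail even though LDAP on the server itself is fine.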
More Articles by Tony Lawrence © 2011-07-07 Tony Lawrence
"Microsoft's replacement for the awful Domain Controller concept."
You mean to say that AD is actually an improvement??? <Grin>
Truth is, Microsoft succeeded in developing one of the most convoluted and gawd-awful authentication messes ever devised for a computer system. And, despite all that, their stuff is still woefully insecure. So, what did we gain with AD? It might be some form of LDAP, but that doesn't make it any good, in my opinion. Better we should call it ADD, maybe?
--BigDumbDinosaur
Sat Jul 2 12:23:24 2005: 744 anonymous
There are some concerns about Samba that it doesn't support software deployment, and Active Directory does.
It is not true.
Active Directory can only deploy software that is available in MSI format, which is rare - most installers are in EXE format.
So Active Directory is not that good for software deployment.
With Samba, you can distribute software in many formats (MSI, EXE, other) with a tool called WPKG - it is GPL and can be downloaded from (link)
You can use WPKG with Active Directory, too.
Active Directory: Tech Words of the Day Copyright © November 2004 Tony Lawrence