Learn AD in 15 Minutes a Week: Lightweight Directory Access Protocol Page 3
Active Directory is not an X.500 directory in and of itself, but it does follow the X.500 information model. It uses LDAP as the access protocol on TCP port 389 by default. The LDAP naming structure follows the X.500 naming design and looks similar to this:

/DC=COM/DC=gunderville/OU=admins/CN=Jason_Zandri

[NOTES FROM THE FIELD] - Encrypted LDAP requires secure authentication and transport and uses TCP PORT 636 by default.

An LDAP URL names the server holding Active Directory services and the distinguished name of the object, which looks similar to this:

LDAP://internet.gunderville.com/CN=Jason_Zandri,OU=admins,

[NOTES FROM THE FIELD] - The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. While the distinguished name of a printer object might be /DC=COM/DC=gunderville/OU=sales/OU=printers/CN=HP5SI, the relative distinguished name of the printer object is HP5SI. The only "problem" is that the relative distinguished name of the printer object whose distinguished name is /DC=COM/DC=gunderville/OU=accounting/OU=printers/CN=HP5SI is also HP5SI, yet they are two separate objects and are allowed because they are in different locations in the Active Directory hierarchy. You can have duplicate relative distinguished names for Active Directory objects, but you cannot have two objects with the same relative distinguished name in the same Organizational Unit.

Active Directory integrates the Internet concept of a name space with the Windows 2000 directory services by using DNS for its name system, and it can exchange information with any application or directory that uses LDAP version 2 and version 3 or Hypertext Transfer Protocol (HTTP). LDAP utilizes the Active Directory database servers to provide access to a Directory Information Tree (DIT), which is composed of data objects. The class of every object in the DIT is identified by its Globally Unique Identifier (GUID).

[NOTES FROM THE FIELD] - The American National Standards Institute (ANSI) is in charge of assigning the "upper portions" of GUIDs to requesting organizations. For example, Microsoft Corporation has been assigned the 1.2.840.113556 branch and can assign GUIDs from 1.2.840.113556 downward by adding additional decimal place identifiers.

There are a few different naming formats that are supported in Active Directory, and I have outlined them in the table below.
Format | Description |
---|---|
RFC 822 | RFC 822 is also called a User Principal Name and looks like any standard internet email address: Jason@Zandri.net |
HTTP Uniform Resource Locator (URL) | http://www.gunderville.com, http://www.zandri.net, http://www.2000trainers.com, http://www.swynk.com/friends/zandri/, http://www.swynk.com |
Universal Naming Convention (UNC) | Any path you might type in an explorer window or at a command line to get to a given location on a system: D:\DATA\Saved\Online\70-219\70-219-6 |
LDAP URL | Following the RFC 1779 paper, Active Directory uses the LDAP URL naming convention of LDAP://internet.gunderville.com/CN=Jason_Zandri,OU=admins, |
LDAP names, used to identify Directory Information Tree objects, are based on the X.500 naming convention using the object class along with the actual name of the object.
The following table outlines the most common LDAP object classes.
Common LDAP object classes.

Object Class | Defines |
---|---|
C | Country |
DC | Domain Component |
O | Organization |
OU | Organizational Unit |
CN | Common Name |
[NOTES FROM THE FIELD] - On the exams, don't confuse DC=Domain Component with Domain Controller. More so, do not confuse CN=Common Name with Container Name. I have never had a large amount of Novell exposure, but I've been told that many Novell engineers are used to referring to CN as Container Name, and while that is not actually untrue (they effectively mean the same thing), it will be INCORRECT on the Microsoft exam.
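The RDN note above (duplicate RDNs are fine in different OUs but not in the same one) and the object class table are easy to get wrong when you script against a directory, so here is an added example, not code from the original article, that parses the article's slash-style X.500 names, rewrites them in the LDAP DN order used by the LDAP URL, and flags objects that share an RDN inside one container. The object class set is taken from the table above; treating RDN comparison as case-insensitive is an assumption made here to mirror how Active Directory matches names.

```python
from collections import defaultdict

# Object classes from the article's table; anything else is rejected.
OBJECT_CLASSES = {"C", "DC", "O", "OU", "CN"}

def parse_slash_name(name):
    """Split an X.500 slash-style name (root first) into (class, value)
    pairs, e.g. '/DC=COM/DC=gunderville/OU=admins/CN=Jason_Zandri'.
    Unknown classes and components without '=' raise ValueError."""
    pairs = []
    for part in name.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed component: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        if attr not in OBJECT_CLASSES:
            raise ValueError(f"unknown object class: {attr!r}")
        pairs.append((attr, value.strip()))
    if not pairs:
        raise ValueError("empty name")
    return pairs

def to_ldap_dn(name):
    """LDAP DN order is the reverse of the slash form: the object's own RDN
    first, the domain components last (the order seen in the LDAP URL)."""
    return ",".join(f"{a}={v}" for a, v in reversed(parse_slash_name(name)))

def rdn(name):
    """The RDN is the attribute of the object itself: the last component."""
    return parse_slash_name(name)[-1][1]

def container_dn(name):
    """DN of the container (OU, domain component, ...) the object lives in."""
    return ",".join(f"{a}={v}" for a, v in reversed(parse_slash_name(name)[:-1]))

def find_rdn_conflicts(names):
    """Group objects by (container, RDN). The same RDN in different OUs is
    allowed; two objects sharing an RDN inside one container are a conflict.
    Matching is case-insensitive here (assumed to mirror AD's name matching)."""
    seen = defaultdict(list)
    for n in names:
        seen[(container_dn(n).lower(), rdn(n).lower())].append(n)
    return {key: objs for key, objs in seen.items() if len(objs) > 1}
```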