Module 6: Integrating with Active Directory

Contents
Overview
Overview of Directory Services
Using ADSI to Access Active Directory
Lab 6.1: Using ADSI
Using ADO to Query Active Directory Data
Lab 6.2: Using ADO
Best Practices
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, BackOffice, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Microsoft SQL Server, MSDN, PowerPoint, Visual Basic, Visual C++, Visual InterDev, and Visual J++ are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes

This module provides students with an overview of Microsoft® Active Directory®, including its features, benefits, terminology, and concepts. Students will learn how to integrate Active Directory with their applications. They will also learn how to retrieve data and properties from Active Directory by using ADSI and ActiveX® Data Objects (ADO).

After completing this module, students will be able to:
• Describe directory services.
• Describe the benefits of integrating with Active Directory.
• Describe the Active Directory programming model.
• Access Active Directory data by using ADSI.
• Query for Active Directory objects by using ADO.

In the first practice, students will learn how to browse Active Directory data by using the ADSIEDIT tool. This tool can be used to view, change, and delete the attributes of any object in Active Directory. In the next two practices, students will learn how to access Active Directory data by using ADSI and ADO.

In the first lab, students will use ADSI to retrieve data from Active Directory. In the second lab, they will use ADO in conjunction with the OLE DB provider, ADsDSObject, to query Active Directory.

Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1907A_06.ppt
• Module 6: Integrating with Active Directory
• Lab 6.1: Using ADSI
• Lab 6.2: Using ADO

Preparation Tasks

To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the practice and the lab.
• Read the instructor notes and the margin notes for the module.

Presentation: 90 Minutes
Lab: 60 Minutes

Module Strategy

Use the following strategy to present this module:
• Overview of Directory Services
Describe the features available in the Active Directory service and explain the benefits that these features bring to solution developers. Explain the key concepts required to understand Active Directory from a developer’s perspective. Describe what types of data are suitable for Active Directory and the benefits of storing application data in Active Directory. Discuss the Lightweight Directory Access Protocol (LDAP) syntax for accessing directory data.
• Using ADSI to Access Active Directory
Explain that ADSI provides a set of functions and interfaces that developers can use to access and manipulate data in a directory service. Describe how to use the Active Directory Services Interfaces (ADSI) to access Active Directory data.
• Using ADO to Query Active Directory
Explain that because Active Directory is basically a store of information, an OLE DB provider is supplied for it. As a result, either ADO or OLE DB can be used to query the contents of the directory service. For developers already familiar with ADO, it provides a simple and powerful way to query Active Directory data. Explain how to use ADO to query Active Directory for data.
• Best Practices
Summarize the best practices that should be followed when integrating distributed solutions with Active Directory.

Overview

• Overview of Directory Services
• Using ADSI to Access Active Directory
• Lab 6.1: Using ADSI
• Using ADO to Query Active Directory Data
• Lab 6.2: Using ADO
• Best Practices
• Review

Developers may face many challenges in building distributed applications. When an application spans multiple computers, issues such as security, configuration, data access, and service discovery all become more complex. In such an environment, a directory service acts as a central repository of information about the network of servers and resources and the organization they serve.
To work seamlessly and robustly in a distributed environment, an application must take advantage of a directory service as a common store of application data. A directory service allows people and resources to move as appropriate, instead of being fixed to one location. In Microsoft Windows 2000, Active Directory provides such a service. Distributed applications written for Windows 2000 should take full advantage of the features of Active Directory.

In this module, you will learn about the benefits of integrating distributed applications with Active Directory. You will learn the structure of Active Directory and the syntax for accessing objects within it. You will also learn how to access Active Directory data by using both Active Directory Service Interfaces (ADSI) and Microsoft ActiveX Data Objects (ADO).

Objectives

After completing this module, you will be able to:
• Describe directory services.
• Describe the benefits of integrating with Active Directory.
• Access Active Directory data by using ADSI.
• Query for Active Directory objects by using ADO.

Slide Objective: To introduce the module and objectives.
Lead-in: In this module, you will learn how to integrate distributed applications with Active Directory.

Overview of Directory Services

• What is a Directory Service?
• What is Active Directory?
• Active Directory Concepts
• Benefits of Integrating with Active Directory
• Active Directory Data
• Practice: Browsing Active Directory

This section introduces you to Active Directory. It describes the features available in the Active Directory service and explains the benefits that these features bring to solution developers. In this section, you will learn the key concepts required to understand Active Directory from a developer’s perspective. You will learn what types of data are suitable for Active Directory and the benefits of storing your application’s data in Active Directory.
You will also learn the Lightweight Directory Access Protocol (LDAP) syntax for accessing directory data.

This section includes the following topics:
• What Is a Directory Service?
• What Is Active Directory?
• Active Directory Concepts
• Benefits of Integrating with Active Directory
• Active Directory Data
• Practice: Browsing Active Directory

What Is a Directory Service?

• Repository of information about objects in the enterprise

A directory service comprises both a repository of information and the software component that makes the information available and useable globally. Directory services are most commonly used for storing and retrieving information about people and companies, just as you might use the white or yellow pages in a telephone directory.

Rich directory services, such as Active Directory, provide a scalable, secure, extensible, and consistent management infrastructure and are ideal for storing many types of information. Such information could range from application-specific information, such as the quality of service for a router, to an expense report approver for each employee in an organization. Applications that integrate with a rich directory service such as Active Directory will be more robust and manageable than those that do not.

How Data Is Represented in a Directory Service

In a directory service, each piece of information is represented by an object that is defined by its attributes. By using the value of an attribute — a name, for example — you can find a particular object in the directory service. After the object is found, it is possible to find additional attributes of that object. This process is similar to the way in which you can use a telephone directory to find a telephone number or address by searching for a person's name.

There are many interesting objects in a networked computer system, including printers, servers, routers, applications, databases, and actual human users.
Users need to determine the objects that they want to use, such as applications, printers, and servers. Administrators need to manage and monitor access to these resources and control the rights granted to users.

For a distributed computer system, a directory service is essential to simplifying both the use and management of the system. A directory service allows users to query for objects by using their attributes. You may query for a printer, for example, by using the attributes "can print double-sided" and "can be found on the Sixth Floor of Building 41". The directory service can then return the name of the printer, its exact location, and its network address so that you can connect to it and print.

What Is Active Directory?

• Distributed Database of objects in a Windows 2000 domain-based enterprise

Active Directory is the extensible and scalable directory service for Windows 2000. It stores information about objects in the enterprise and makes this information easy for administrators and users to find and use.

Windows 2000 enterprises are comprised of domains. A domain contains related user accounts, computers, and other objects. This information is stored on one or more Windows 2000 servers configured as a domain controller. Windows 2000 domains are named by using Domain Name System (DNS) names such as microsoft.com.

A large domain can be divided into subdomains. For example, the microsoft.com domain could have a subdomain named sales. The DNS name for the sales subdomain would be sales.microsoft.com. This hierarchical arrangement is called a domain tree and is shown in the above illustration.

In extremely large enterprises, domain trees can be related to one another to form a domain forest. Administrators can configure "trust relationships" between domains in the forest to allow resources to be accessed from anywhere in the enterprise.
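The printer query and the DNS-style domain naming described above, as an added example that is not part of the original courseware: it maps a domain name to its DC= components and builds an ADO LDAP-dialect command with the user-supplied location escaped per RFC 4515. The function names are hypothetical, the location string is constructed, and the printQueue attribute names are the standard Active Directory schema names rather than anything taken from this module.

```python
import re

# RFC 4515 requires \ * ( ) and NUL to be escaped inside a filter value.
# ';' is escaped as well (an assumption made here as a precaution) because
# it separates the four parts of an ADO LDAP-dialect command.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00", ";": r"\3b"}
_DNS_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it cannot change the structure of a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_base_dn(dns_name: str) -> str:
    """Map a DNS domain name (sales.microsoft.com) to DC= components."""
    labels = dns_name.strip(".").split(".")
    if not all(_DNS_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a valid DNS domain name: {dns_name!r}")
    return ",".join(f"DC={label}" for label in labels)


def printer_query(dns_name: str, location: str, duplex: bool = True) -> str:
    """Build an ADO LDAP-dialect command: <base>;filter;attributes;scope."""
    ldap_filter = (
        "(&(objectCategory=printQueue)"
        f"(printDuplexSupported={'TRUE' if duplex else 'FALSE'})"
        f"(location={escape_filter_value(location)}))"
    )
    base = f"<LDAP://{domain_to_base_dn(dns_name)}>"
    return f"{base};{ldap_filter};printerName,location,uNCName;subtree"


if __name__ == "__main__":
    # Constructed sample input: a double-sided printer in Building 41.
    print(printer_query("sales.microsoft.com", "Building 41/Floor 6"))
    # A value containing filter metacharacters stays a literal string.
    print(printer_query("microsoft.com", "Floor 6 (East)*"))
```

Without the escaping step, a location value containing parentheses or an asterisk would be read as filter syntax and could widen the search beyond what the caller intended.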
The following illustration shows a domain forest containing domain trees that are related by trust relationships.

Active Directory is the directory service used to store and locate information about objects in a Windows 2000 enterprise. It is scalable from single domain networks to extremely large domain forests.

Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. This information is replicated between domain controllers to provide an enterprise-wide, distributed directory.

Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network log on, Active Directory administrators can manage and organize directory data throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration simplifies the management of even the most complex network.

Many Microsoft applications, such as Microsoft Exchange Server 2000, will integrate with Active Directory by storing configuration and policy information in Active Directory objects or by using the security data available in Active Directory. As a result, Active Directory is well positioned to provide a platform for enterprise applications.

[...]

... have finished browsing Active Directory, close the Active Directory Editor.

Using ADSI to Access Active Directory

• Active Directory Service Interfaces
• Binding to Active Directory Objects
• Manipulating Active Directory Objects

ADSI provides a set of functions and interfaces that you can use to access and manipulate data in a directory service. In this...
messages). By integrating with Active Directory, the voice mail system can authenticate the user and get access to the voice messages associated with that user.

Practice: Browsing Active Directory

In this practice, you will use the Active Directory Editor (ADSIEDIT), a Microsoft Management Console (MMC) snap-in that allows you to browse Active Directory. You...

... data in a directory service. In this section, you will learn how to use ADSI to access Active Directory data.

This section contains the following topics:
• Active Directory Service Interfaces
• Binding to Active Directory Objects
• Manipulating Active Directory Objects

Active Directory Service Interfaces

• The ADSI Programming Model
• Obtain a reference...

... Schema" under Active Directory in the Windows 2000 Platform SDK.

Benefits of Integrating with Active Directory

• Multimaster Replication
• Integrated Granular Access Control
• Efficient Query Across Partitions
• Extensible Schema
• Serverless Binding
• Microsoft Management Console (MMC)

The following table describes some of the features of Active Directory...

Active Directory Concepts

LDAP://CN=Juan,OU=PO System Users,DC=contentm,DC=com

To use Active Directory correctly, it is important to have a broad understanding of how it works. This section describes the key aspects of Active Directory that concern developers.

Containers and Objects

Active Directory stores information about...

... in Active Directory

Active Directory is a distributed, replicated data store. Even though the Active Directory schema is fully extensible, not all types of data should be stored in Active Directory.

• Data that is only required locally
There is no reason to store data in Active Directory that is only required on a specific server. For example, you would not store the names of personal files in Active Directory...
... the ADSI Edit node beneath Console Root and select the Connect to option.

9. In the Connection dialog box, verify that the Name field contains Domain NC and then click OK. The following illustration shows an example of the Connection dialog box.

10. To view the top-level containers in your domain, expand the Domain...

... built-in resilience so that the server used by an application can be transparently altered with no extra work required by the application.

Feature: Microsoft Management Console (MMC)
Benefits: Enables applications to be managed through a consistent user interface.

Active Directory Data

• Active Directory Object Attributes
  • The data type for the value of the attribute
  • Range...

... classes in object-oriented programming.

The Active Directory schema defines:
• The attributes that each different type of object possesses
• A list of the possible types of attributes
• The types of objects that each different type of container can contain

When Active Directory is installed, it comes complete with a varied set of object and container types...

... locating resources by function without prior knowledge of their location in the directory.

Feature: Extensible schema
Benefits: Enables developers to modify and extend the schema. Enables storage of application-specific information in Active Directory.

Feature: Serverless binding
Benefits: Enables applications to bind to the closest domain controller without prior knowledge of its