Chapter 9: Exploring Directory Services
This is only a short list. Larger organizations have multiple servers sharing in each
of these functions--with different services available through different means in each
building or location--and might have additional services beyond those listed here.
All this complexity can quickly make a network chaotic to manage. If each one of
the individual servers required separate administration (with, for instance, separate
lists of users, passwords, groups, printers, network configurations, and so on), the job
would become virtually impossible in no time.
Directory services were invented to bring organization to networks. Basically,
directory services work just like a phone book. Instead of using a name to look up
an address and phone number in a phone book, you query the directory service for
a service name (such as the name of a network folder or a printer), and the directory
service tells you where the service is located. You can also query directory services
by property. For instance, if you query the directory service for all items that are
"printers," it can return a complete list, no matter where the printers are located in the
organization. Even better, directory services enable you to browse all the resources on a
network easily, in one unified list organized in a tree structure.
One important advantage of directory services is that they eliminate the need to
manage duplicates of anything on the network because the directory is automatically
shared among all of the servers. For example, you don't need to maintain separate user
lists on each server. Instead, you manage a single set of user accounts that exists in the
directory service and then assign them various permissions to particular resources on
any of the servers. Other resources work the same way and become centrally managed
in the directory service. Not only does this mean that you have only one collection of
objects to manage, but also that users have a much simpler network experience. From
the users' perspective, they have only one network account with one password, and
they don't need to worry about where resources are located or keep track of multiple
passwords for different network services or servers.
NOTE
In this chapter, the term network resource refers to any discrete resource on a network,
such as a user account, security group definition, e-mail distribution list, storage volume, folder, or
file. The term directory refers to the directory that a directory service uses, rather than a directory on
a hard disk.
To provide redundancy, directory services usually run on multiple servers in an
organization, with each of the servers having a complete copy of the entire directory
service database. Because a directory service becomes central to the functioning of a
network, this approach lets the network as a whole continue to operate if any single
server with directory services on it crashes. Servers that do not actually host a copy
of the directory still make use of it by communicating with the directory servers. For
instance, if a user tries to open a file hosted on a server that doesn't actually host the
directory service, the server will automatically query the directory service on another
server to authenticate the user's access request. To the user, this happens behind
the scenes.
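The lookup-by-name, search-by-property and replica behaviour described in this chapter, as an added toy model written for this page (not code from the book, and not a real LDAP implementation): the DN-style entry names, the sample resources and the replica table are all constructed for illustration.

```python
# Toy directory service. Entries are keyed by DN-like paths that encode the
# tree (cn=...,ou=site,o=org); attributes hold type, hosting server, etc.
# Constructed sample data: one organization, two sites, several resources.
DIRECTORY = {
    "ou=hq,o=example":                {"type": "container"},
    "cn=payroll,ou=hq,o=example":     {"type": "folder",  "location": "fs-hq-01"},
    "cn=lobby-prn,ou=hq,o=example":   {"type": "printer", "location": "ps-hq-01"},
    "ou=branch,o=example":            {"type": "container"},
    "cn=rm7-prn,ou=branch,o=example": {"type": "printer", "location": "ps-br-01"},
    "cn=specs,ou=branch,o=example":   {"type": "folder",  "location": "fs-br-02"},
    "cn=alice,ou=users,o=example":    {"type": "user",    "account": "alice"},
}

def in_subtree(dn, base):
    """True if dn is the base entry itself or sits anywhere beneath it."""
    return dn == base or dn.endswith("," + base)

def search(base, **properties):
    """Query by property: DNs under `base` matching every given attribute.
    search("o=example", type="printer") finds printers in every site."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if in_subtree(dn, base)
        and all(attrs.get(k) == v for k, v in properties.items())
    )

def locate(name):
    """Phone-book style lookup: resource name -> server hosting it, or None."""
    for dn, attrs in DIRECTORY.items():
        if dn.split(",")[0] == "cn=" + name:
            return attrs.get("location")
    return None

def authenticate_on_file_server(account, replicas):
    """A server holding no directory copy asks the first reachable replica.
    `replicas` maps directory server name -> its full copy (None if crashed)."""
    for server, copy in replicas.items():
        if copy is None:          # that directory server is down; try the next
            continue
        return any(a.get("type") == "user" and a.get("account") == account
                   for a in copy.values())
    raise RuntimeError("no directory server reachable")
```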