共用方式為


1 Introduction

This is the primary specification for Active Directory, both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). When the specification does not refer specifically to AD DS or AD LDS, it applies to both. The state model for this specification is prerequisite to the other specifications for Active Directory: [MS-DRSR] and [MS-SRPL].

When no operating system version information is specified, information in this document applies to all relevant versions of Windows. Similarly, when no DC functional level is specified, information in this document applies to all DC functional levels.

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

Note: The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

  • Windows 2000 Server operating system

  • Windows Server 2003 operating system

  • Windows Server 2003 R2 operating system

  • Windows Server 2008 operating system

  • Windows Server 2008 R2 operating system

  • Windows Server 2012 operating system

  • Windows Server 2012 R2 operating system

  • Windows Server 2016 operating system

  • Windows Server v1709 operating system

  • Windows Server v1803 operating system

  • Windows Server v1809 operating system

  • Windows Server 2019 operating system

  • Windows Server v1903 operating system

  • Windows Server 2022 operating system

  • Windows 11, version 24H2 operating system

  • Windows Server 2025 operating system

AD DS first became available as part of Microsoft Windows 2000 operating system and is available as part of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008 and later. AD DS is not present in Windows NT 3.1 operating system, Windows NT 3.51 operating system, Windows NT 4.0 operating system, or Windows XP operating system.

AD LDS first became available during the release of Windows Server 2003. In Windows XP, Windows Server 2003, and Windows Server 2003 R2, it is a standalone application called "Active Directory Application Mode (ADAM)". AD LDS is also available as part of Windows Server 2008 and later. Unless otherwise specified, information in this specification is also applicable to AD LDS. There are two versions of ADAM, ADAM RTW (introduced in the same timeframe as Windows Server 2003 operating system with Service Pack 1 (SP1)) and ADAM SP1 (introduced in the same timeframe as Windows Server 2003 operating system with Service Pack 2 (SP2)); unless otherwise specified, where ADAM is discussed in this document it refers to both versions of ADAM.

AD LDS for a particular Windows client is a standalone application that provides AD LDS capabilities for that Windows client. Information that is applicable to AD LDS on applicable Windows Server releases is generally also applicable to AD LDS on Windows clients, including Windows 11 operating system and later, except where it is explicitly specified that such information is not applicable to that product. The following list provides a mapping of this applicability:

  • Information that is applicable to AD LDS on Windows Server 2008 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows Vista.

  • Information that is applicable to AD LDS on Windows Server 2008 R2 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 7.

  • Information that is applicable to AD LDS on Windows Server 2012 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 8 operating system.

  • Information that is applicable to AD LDS on Windows Server 2012 R2 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 8.1 operating system.

  • Information that is applicable to AD LDS on Windows Server 2016 is also applicable to Active Directory Lightweight Directory Services (AD LDS) for Windows 10 operating system.

  • Information that is applicable to AD LDS on Windows Server v1709 is also applicable to AD LDS for Windows 10 v1703 operating system and Windows 10 v1709 operating system.

  • Information that is applicable to AD LDS on Windows Server v1803 is also applicable to AD LDS for Windows 10 v1803 operating system.

  • Information that is applicable to AD LDS on Windows Server v1809 and Windows Server 2019 is also applicable to AD LDS for Windows 10 v1809 operating system.

  • Information that is applicable to AD LDS on Windows Server v1903 is also applicable to AD LDS for Windows 10 v1903 operating system.

  • Information that is applicable to AD LDS on Windows Server 2022 is also applicable to AD LDS for Windows 10 v21H1 operating system and Windows 10 v21H2 operating system.

State is included in the state model for this specification only as necessitated by the requirement that a licensee implementation of the protocols of applicable Windows Server releases has to be capable of receiving messages and responding in the same manner as applicable Windows Server releases. Behavior is specified in terms of request message received, processing based on current state, resulting state transformation, and response message sent. Unless otherwise specified in the sections that follow, all of the behaviors are required for interoperability.

The following typographical convention is used to indicate the special meaning of certain names:

For clarity, bit flags are sometimes shown as bit field diagrams. In the case of bit flags for Lightweight Directory Access Protocol (LDAP) attributes, these diagrams take on big-endian characteristics but do not reflect the actual byte ordering of integers over the wire, because LDAP transfers an integer as the UTF-8 string of the decimal representation of that integer, as specified in [RFC2252].

Pervasive Concepts

The following concepts are pervasive throughout this specification.

This specification uses [KNUTH1] section 2.3.4.2 as a reference for the graph-related terms oriented tree, root, vertex, arc, initial vertex, and final vertex.

Authentication concepts for domains, account domains, domain controllers, security principals, and user objects can be found in [MS-AUTHSOD] section 1.1.1 and subsections.

replica: A variable containing a set of objects.

attribute: An identifier for a value or set of values. See also attribute in the Glossary (section 1.1).

object: A set of attributes, each with its associated values. Two attributes of an object have special significance:

  • Identifying attribute: A designated single-valued attribute appears on every object. The value of this attribute identifies the object. For the set of objects in a replica, the values of the identifying attribute are distinct.

  • Parent-identifying attribute: A designated single-valued attribute appears on every object. The value of this attribute identifies the object's parent. That is, this attribute contains the value of the parent's identifying attribute or a reserved value identifying no object (for more information, see section 3.1.1.1.3). For the set of objects in a replica, the values of this parent-identifying attribute define an oriented tree with objects as vertices and child-parent references as directed arcs, with the child as an arc's initial vertex and the parent as an arc's final vertex.

Note that an object is a value, not a variable; a replica is a variable. The process of adding, modifying, or deleting an object in a replica replaces the entire value of the replica with a new value.

As the term "replica" suggests, it is often the case that two replicas contain "the same objects". In this usage, objects in two replicas are considered "the same" if they have the same value of the identifying attribute and if there is a process in place (that is, replication) to converge the values of the remaining attributes. When the members of a set of replicas are considered to be the same, it is common to say "an object" as a shorthand way of referring to the set of corresponding objects in the replicas.

object class: A set of restrictions on the construction and update of objects. An object class MUST be specified when an object is created. An object class specifies a set of required attributes (every object of the class MUST have at least one value of each) and may-have attributes (every object of the class may have a value of each). An object class also specifies a set of possible superiors (the parent object of an object of the class MUST have one of these classes). An object class is defined by a classSchema object.

parent object: See "object", above.

child object, children: An object that is not the root of its oriented tree. The children of an object O is the set of all objects whose parent object is O.

See section 3.1.1.1.3 for the particular use made of these definitions in this specification.