Chapter 7. Searching Active Directory

The data stored in Active Directory is often crucial to providing accurate reports and powering business-critical applications. By querying the directory, you can gather data that meets your requirements directly, whether it’s for a one-off report, a recurring process, or in support of an application that integrates with AD. In order to accomplish this, you need to be proficient in developing LDAP filters for your searches.

LDAP filters are relatively straightforward to build and understand: the syntax is simple and there are only a handful of operators. But beyond simply constructing an LDAP filter, being able to optimize that query so that it performs efficiently and does not degrade the performance of AD is a critical skill. Likewise, being able to analyze an application’s query and make changes to the schema in order to improve performance is a fundamental troubleshooting skill.
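The following is an added example, not code from the book, illustrating the point above: a filter built from the small set of LDAP operators (equality, substring, presence, and, or, not) stays easy to reason about, and a value that comes from a user or an application must be escaped per RFC 4515 so that it cannot open or close a clause. It uses only the Python standard library; the attribute names and values are constructed for illustration, and the parser is a deliberately minimal one (no extensible-match or full substring handling).

```python
# Added example (not from the book): building RFC 4515 LDAP filters with the
# handful of operators the chapter refers to, escaping untrusted values so they
# cannot change the filter's structure, and parsing a filter back into a tree.
# Standard library only; attribute names and values below are constructed.

# RFC 4515 section 3: characters with special meaning inside an assertion value
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot open or close a clause."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    """(attr=value) equality match with the value escaped."""
    return f"({attr}={escape_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """(attr=prefix*) substring match; the only unescaped '*' is the one we add."""
    return f"({attr}={escape_value(prefix)}*)"


def present(attr: str) -> str:
    """(attr=*) presence match."""
    return f"({attr}=*)"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(flt: str) -> str:
    return "(!" + flt + ")"


def parse(filter_str: str):
    """Parse a filter into nested tuples:
    ('&', [subfilters]), ('|', [subfilters]), ('!', subfilter) or (op, attr, value)
    where op is one of '=', '>=', '<=', '~='. Raises ValueError on malformed input.
    Because ')' inside values is escaped as \\29, the first raw ')' ends a simple item.
    """
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(filter_str) or filter_str[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def parse_filter():
        nonlocal pos
        expect("(")
        op = filter_str[pos] if pos < len(filter_str) else ""
        if op in ("&", "|"):
            pos += 1
            items = []
            while pos < len(filter_str) and filter_str[pos] == "(":
                items.append(parse_filter())
            expect(")")
            return (op, items)
        if op == "!":
            pos += 1
            inner = parse_filter()
            expect(")")
            return ("!", inner)
        end = filter_str.find(")", pos)
        if end < 0:
            raise ValueError("unterminated simple item")
        item = filter_str[pos:end]
        pos = end + 1
        eq = item.find("=")
        if eq <= 0:
            raise ValueError(f"no attribute=value in {item!r}")
        if item[eq - 1] in "><~":  # two-character operators >=, <=, ~=
            return (item[eq - 1:eq + 1], item[:eq - 1], item[eq + 1:])
        return ("=", item[:eq], item[eq + 1:])

    tree = parse_filter()
    if pos != len(filter_str):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def leaf_count(tree) -> int:
    """Number of attribute comparisons the server has to evaluate."""
    if tree[0] in ("&", "|"):
        return sum(leaf_count(t) for t in tree[1])
    if tree[0] == "!":
        return leaf_count(tree[1])
    return 1


if __name__ == "__main__":
    # Constructed example: user objects whose logon name starts with "j"
    flt = and_(equals("objectCategory", "person"),
               equals("objectClass", "user"),
               starts_with("sAMAccountName", "j"))
    print(flt)
    print(parse(flt), "comparisons:", leaf_count(parse(flt)))
```

Running the module prints the assembled filter and its parsed form. The useful property to notice is that a value such as `x*)(objectClass=` passed through `equals()` still parses as a single comparison, because every metacharacter was escaped; the same value interpolated into a format string would instead add clauses to the filter. `leaf_count()` gives a rough first measure of how much work a filter asks of the directory, which is where the optimization discussion above begins.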

7.1. The Directory Information Tree

Active Directory stores its database on each domain controller in the ntds.dit file, often simply referred to as “the DIT.” DIT is short for directory information tree—a fancy moniker for the AD database. The structure of the data in the DIT is surprisingly simple, and if you come from a database background where you’re familiar with optimizing data into many tables and iterations of normal forms, you’ll probably be shocked at how AD stores its data.

Database Structure

Fundamentally, the DIT is organized ...
