Binding to Active Directory: AD Connections De-mystified, Part 1

Note: This series covers Active Directory connection strings, often referred to as bind paths, with the goal of simplifying the process of creating an AD bind path. A significant amount of the information for this series comes from the wonderful AD programming book, The .NET Developer’s Guide to Directory Services Programming, by Ryan Dunn and Joe Kaplan. The LDAP ADsPath article on MSDN also provides good insight into creating valid bind paths for Active Directory.

Introduction

Many Active Directory-enabled applications, including our suite of AD management products, require you to supply a directory connection string before they can connect to an Active Directory instance. Forming a proper connection string causes a surprising amount of confusion, though, because few administrators ever need to break a string down into its components or understand what each one does.

We examine Active Directory connection strings in this series of articles with the goal of simplifying the process of creating one. You have many options when connecting to Active Directory: binding to a domain root, binding to a whole forest, or just getting a hook to a single container object. This series explains each option so that you can build connection strings that do exactly what you need.

As mentioned in the note above, much of the information in this series comes from Ryan Dunn and Joe Kaplan's book, The .NET Developer's Guide to Directory Services Programming. This 2006 book provides guidance for many AD programming needs and, although it predates a number of newer namespaces in the .NET Framework, the fundamentals it covers, including connecting to AD, are still valid.

The Basics

Under the covers, Active Directory is an LDAP (Lightweight Directory Access Protocol) directory, and much of the process of creating a valid Active Directory connection string comes down to understanding some LDAP basics. Active Directory does differ in subtle ways from other LDAP implementations, though the end result, a connection to an object in the directory, is the same. I will point out the differences where they matter but will otherwise concentrate on AD-specific details.

Binding to AD

When connecting to Active Directory, we often borrow the term "bind" from LDAP, where it names the operation that authenticates a client to the directory server. In the broader sense used here, binding to AD means establishing a network connection to a domain controller, authenticating, and then obtaining a hook to some object in the directory. Because a bind presents your credentials to whichever server the path names, the server and port in a path determine where those credentials go, not just which object you get back. I will generally use the term "bind" from here on to describe the whole process of connecting to AD.

AD Path Syntax

The syntax you use to create a connection string, or path, to bind to AD is very important. Bind paths are ADSI (Active Directory Service Interfaces) ADsPath strings, and ADSI rejects anything that does not follow that syntax. Although many options are available in a path, every path is built from at most three parts.

  1. Provider: the ADSI provider to use to connect to a directory (LDAP or GC in this series; provider names are case sensitive, so write LDAP://, never ldap://)
  2. Server: the domain controller, or a domain DNS name, to connect to; may be omitted for a serverless bind, in which case the DC locator picks a domain controller
  3. Object name: the directory object to reference, usually given by its distinguished name; may be omitted to bind to the server's domain root

The generic form of the path follows and looks much like a URI.

<provider>://<server>/<object name>

Examples

A few examples help illustrate the different capabilities when binding to Active Directory.

LDAP://mydomain.local

A server-only path: ADSI resolves mydomain.local to a domain controller and, since no object name is given, returns the domain root.

LDAP://CN=My Object Name,CN=Users,DC=mydomain,DC=local

A serverless path naming one object by its distinguished name; ADSI locates a domain controller for the domain identified by the DC= components and returns that object.

GC://myforest.local

A global catalog bind, which gives a read-only view of a partial attribute set for objects in every domain of the forest rather than just one domain.
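To make the three-part structure concrete, here is an added example that is not code from the article or from the Dunn and Kaplan book: a small Python module that decomposes an ADsPath into provider, server, port and object name, and rebuilds one from those parts. The rule it uses to tell a serverless path from a server-only path (no slash after the provider: a remainder containing "=" is treated as a distinguished name, anything else as a server) and its handling of "\/" escapes are assumptions modelled on ADSI behaviour, not a reimplementation of ADSI, and the provider list is limited to the two providers this article covers. Actually binding still requires ADSI or System.DirectoryServices on a machine that can reach a domain controller; this code only validates and takes apart the path.

```python
"""Decompose and build ADSI ADsPath bind strings: <provider>://<server>/<object name>."""
import re
from dataclasses import dataclass
from typing import Optional

# The two providers this article covers (assumption: WinNT and other ADSI
# providers are out of scope). ADSI provider monikers are case sensitive and
# must be upper case: "LDAP://", never "ldap://".
KNOWN_PROVIDERS = ("LDAP", "GC")

# A "/" separates the server from the object name. A "/" that is part of a
# distinguished name must be escaped as "\/" in an ADsPath, so only an
# unescaped slash is treated as the separator.
_UNESCAPED_SLASH = re.compile(r"(?<!\\)/")


@dataclass(frozen=True)
class AdsPath:
    provider: str
    server: Optional[str]       # None => serverless bind (DC locator picks a DC)
    port: Optional[int]         # None => the provider's default port
    object_name: Optional[str]  # None => bind to the server's domain root


def parse_adspath(path: str) -> AdsPath:
    """Split an ADsPath into its parts, rejecting malformed provider names.

    Heuristic (assumption modelled on ADSI, not ADSI itself): when no unescaped
    "/" follows "<provider>://", a remainder containing "=" is taken to be a
    distinguished name (serverless bind); otherwise it is a server name.
    """
    m = re.fullmatch(r"([A-Za-z]+)://(.*)", path)
    if not m:
        raise ValueError(f"not an ADsPath: {path!r}")
    provider, rest = m.group(1), m.group(2)
    if provider != provider.upper():
        raise ValueError(
            f"provider names are case sensitive: use {provider.upper()}://, not {provider}://")
    if provider not in KNOWN_PROVIDERS:
        raise ValueError(f"unsupported provider {provider!r}; expected one of {KNOWN_PROVIDERS}")

    parts = _UNESCAPED_SLASH.split(rest, maxsplit=1)
    if len(parts) == 2:
        host, obj = parts               # server/object
    elif "=" in rest:
        host, obj = "", rest            # serverless: a bare distinguished name
    else:
        host, obj = rest, ""            # server only: domain root of that server

    server = port = None
    if host:
        if ":" in host:
            server, port_text = host.rsplit(":", 1)
            if not port_text.isdigit():
                raise ValueError(f"bad port in server part {host!r}")
            port = int(port_text)
        else:
            server = host
        if not server:
            raise ValueError(f"empty server name in {path!r}")
    return AdsPath(provider, server, port, obj or None)


def build_adspath(provider: str, object_name: Optional[str] = None,
                  server: Optional[str] = None, port: Optional[int] = None) -> str:
    """Assemble an ADsPath from its parts, escaping any unescaped "/" in the object name."""
    if provider not in KNOWN_PROVIDERS:
        raise ValueError(f"unsupported provider {provider!r}")
    if server is None and port is not None:
        raise ValueError("a port makes no sense without a server")
    if server is None and object_name is None:
        raise ValueError("need a server, an object name, or both")
    out = f"{provider}://"
    if server is not None:
        out += server if port is None else f"{server}:{port}"
    if object_name is not None:
        escaped = _UNESCAPED_SLASH.sub(r"\\/", object_name)
        out += f"/{escaped}" if server is not None else escaped
    return out


if __name__ == "__main__":
    # The article's three examples plus one explicit server:port path (constructed sample input).
    for example in ("LDAP://mydomain.local",
                    "LDAP://CN=My Object Name,CN=Users,DC=mydomain,DC=local",
                    "GC://myforest.local",
                    "LDAP://dc01.mydomain.local:636/DC=mydomain,DC=local"):
        print(example, "->", parse_adspath(example))
```

Run it as a script to see the four sample paths broken down. The useful check for a practitioner is the rejection of a lower-case provider, which is the single most common reason a hand-typed bind path fails in ADSI, and the distinction between a server-only path and a serverless one, which decides whether you or the DC locator chooses the domain controller that receives your credentials.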

In Part 2, we will look in more detail at bind paths and the rules around each part, the provider, server and object name.