Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To help users locate the network resources they need, you can publish searchable information about these resources in Active Directory. Resources that can be published include users, computers, printers, shared folders, and network services. Some commonly used directory information, like user and computer names, is published by default when the objects are created. Other directory information, such as information about shared folders, must be published manually. For information about searching the directory, see Finding directory information.
Using access control permissions, you can control which users and groups can search and view published information. Access control permissions give you detailed control over directory information at both the resource and the property levels. For example, you can use permissions to prevent a particular group from viewing any user information published in the directory. Or, you can use permissions to allow that group to view user names, but no other user information. For an overview of permissions, see Access control overview. For information about assigning permissions to Active Directory objects and properties, see Assign, change, or remove permissions on Active Directory objects or attributes.
Publishing users and computers
User and computer accounts are added to the directory using Active Directory Users and Computers and are automatically published to the directory upon creation. Commonly used account information, such as account names, is published by default. Other information, such as account security information, is only visible to administrators. For information about creating new accounts, see Create a new user account and Create a new computer account.
Publishing shared printers
You can also publish information about shared printers in Active Directory. Information about printers shared from Windows NT must be published manually. Information about printers shared from the Windows Server 2003 family or the Windows 2000 Server family is published to the directory automatically when you create a shared printer. You use Active Directory Users and Computers to manually publish shared printer information. For more information about publishing printers, see Manually publish a printer in Active Directory.
Publishing shared folders
To help users find shared folders more easily, you can publish information about shared folders in Active Directory. You use Active Directory Users and Computers to manually publish shared folder information. For more information about publishing shared folders, see Publish a shared folder.
A service is an application that makes data or operations available to network users. Publishing a service in Active Directory enables users and administrators to move from a machine-centric view of the network to a service-centric view. By publishing a service, rather than computers or servers, administrators can focus on managing the service regardless of which computer is providing the service or where the computer is located.
Some services, such as Certificate Services, are automatically published in Active Directory when they are installed. Other services can be published in the directory using programming interfaces. For more information, see Programming interfaces. Administrators can manage published services using Active Directory Sites and Services. For more information about services and how to publish them, see the Service Publication page at the Microsoft Web site. (http://msdn.microsoft.com/)
Categories of service information
Binding and configuration information are the two types of service information frequently published using Active Directory:
Binding information allows clients to connect to services that do not have well-known bindings and that conform to a service-centric model. By publishing the bindings for these kinds of services, connections can be automatically established with services. Machine-centric services are typically handled on a service-by-service basis and should not be published to the directory.
Configuration information can be common across client applications. Publishing this sort of information allows you to distribute current configuration information for these applications to all clients in the domain. The configuration information is accessed by client applications as needed. This eases application configuration for users and gives you more control over application behaviors.
Characteristics of service information
Service information that you publish to the directory is most effective if it has the following characteristics:
Useful to many clients. Information that is useful to a small set of clients or that is useful only in certain areas of the network should not be published. If not widely used, this information wastes network resources, since it is published to every domain controller in the domain.
Relatively stable and unchanging. Although there may be exceptions to this rule, it generally makes sense to publish only service information that changes less frequently than two replication intervals. For intrasite replication, the maximum replication period is fifteen minutes, and for intersite replication, the maximum replication period is configured based on the replication interval of the site link used for the replication. Object properties that change more frequently create excessive demands on network resources. Property values may be out of date until updates are published, which can take as long as the maximum replication period. Consequently, having properties out of date for that period of time must not create unacceptable conditions.
For example, some network services select a valid TCP port for use each time they are started. After selecting the port, the service updates Active Directory with this information, which is stored as the service connection point. Clients access the service connection point when they want to use the service, but if the new service connection point has not been replicated when the client requests it, the client will receive an outdated port, rendering the service temporarily inaccessible.
Well-defined, reasonable properties. Information that is of a consistent form is easier for services to use. The information should be relatively small in size.