CHAPTER 2

                          INTRODUCTION TO ACTIVE DIRECTORY  

 

 

Active Directory provides a single point of network management, allowing you to add, remove, and relocate

users and resources easily.

 

 

 

Lesson 1:  Active Directory Overview

 

An object is a distinct, named set of attributes that represents a network resource.  Object attributes are
the characteristics of objects in the directory.

 

In Active Directory, objects are organized into classes, which are logical groupings of objects.  Examples
of object classes are those representing user accounts, groups, computers, domains, and organizational
units (OUs).

 

NOTE:  Some objects, known as containers, can contain other objects.  For example, a domain is a

container object that can contain users, computers, and other objects.

 

 

Active Directory Schema

 

The Active Directory schema is a list of definitions that defines the kinds of objects and the types of

information about those objects that can be stored in Active Directory.

 

There are two types of definitions in the schema:  attributes and classes.

Attributes and classes are also referred to as schema objects or metadata.

 

Classes, also referred to as object classes, describe the possible Active Directory objects that can be

created.  Each class is a collection of attributes. 

 

You can extend the schema, but doing so is an advanced operation with potentially serious consequences.
Schema objects cannot be deleted, only deactivated, and every schema change is replicated automatically
to every domain controller in the forest, so you must plan and prepare before extending the schema.

 

=====================================================================

 

winads2.html                                                  PAGE 2                                                     2002/02/07

 

 

 

 

Active Directory Components

 

Active Directory has a logical structure (domains, organizational units, trees, and forests, described
next) and a physical structure (sites, which are groups of physical subnets, and domain controllers).
Active Directory completely separates the logical structure from the physical structure.

 

 

Logical Structures

 

In Active Directory, you organize resources in a logical structure that mirrors the logical structure of

your organization.   Grouping resources logically enables you to find a resource by its name rather than

by its physical location. 

 

 

Domains

 

The core unit of logical structure in Active Directory is the domain, which can store millions of objects.
The objects stored in a domain are those considered "interesting" to the network, such as printers,
documents, databases, and e-mail addresses.  All network objects exist within a domain, and each
domain stores information only about the objects it contains.  Active Directory is made up of one or
more domains, and a domain can span more than one physical location.

 

 Grouping objects into one or more domains allows your network to reflect your company's
organization.  Domains share these characteristics:

  •   All network objects exist within a domain, and each domain stores information only
about the objects that it contains.  A single domain can hold millions of objects.
  •   A domain is an administrative and replication boundary: access control lists (ACLs) on
domain objects are managed by that domain's administrators, and domain data is replicated in
full only to that domain's controllers.  Note, however, that the forest, not the domain, is the
true security boundary: every domain in a forest shares the schema and configuration
partitions and trusts every other domain transitively, so the administrators of any one domain
can affect the whole forest.
  •   ACLs contain the permissions associated with objects, which control which users can gain
access to an object and what type of access they can gain.

 

 

Organizational Units

 

An organizational unit (OU) is a container used to organize objects within a domain into logical

administrative groups that mirror your organization’s functional or business structure.

 

 

 

 


Trees

 

A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that you

create by adding one or more child domains to an existing parent domain.  Trees share a contiguous

namespace and a hierarchical naming structure.  Trees share these characteristics:

 

  •   Following Domain Name System (DNS) standards, the domain name of a child domain is the

relative name of that child domain appended with the name of the parent domain.

  •   All domains within a single tree share a common schema, which is a formal definition of all object

types that you can store in an Active Directory deployment.

  •   All domains within a single tree share a common global catalog, which is the central repository of

information about objects in a tree.

 

By creating a hierarchy of domains in a tree, you can retain security and delegate administration
within an OU or within a single domain of the tree.  Permissions granted on an OU are inherited by
the objects beneath it, so rights flow down the tree.  This tree structure easily accommodates
organizational changes.

 

 

Forests

 

A forest is a grouping or hierarchical arrangement of one or more separate domain trees.  The trees
do not share a contiguous namespace, so a forest is a disjointed namespace.  Forests have the
following characteristics:

  •   All trees in a forest share a common schema.
  •   Trees in a forest have different naming structures, according to their domains; the forest as a
whole is a disjointed namespace.
  •   All domains in a forest share a common global catalog.
  •   Domains in a forest operate independently, but the forest enables communication across
the entire organization.
  •   Implicit two-way transitive trust exists between domains and domain trees.

 

 

Physical Structure

 

The physical components of Active Directory are sites and domain controllers. 

 

 

 


Sites  (physical location)

 

A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly
reliable and fast link, defined so that as much network traffic as possible stays local.  Typically, a
site has the same boundaries as a local area network (LAN).  When you group subnets into a site,
combine only those subnets that have fast, cheap, and reliable network connections with one
another.  "Fast" network connections are at least 512 kilobits per second (Kbps).

 

With Active Directory, sites are not part of the namespace.  When you browse the logical namespace,

you see computers and users grouped into domains and OUs, not sites.

 

NOTE:  A single domain can span multiple geographical sites, and a single site can include user

accounts and computers belonging to multiple domains.
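The following example is added to these notes (it is not from the textbook) to show how the subnet
objects that make up sites are used: a client's IP address is matched against the subnet table, the
most specific subnet wins, and an address that matches no subnet belongs to no site.  The subnet
table, the Windsor and London site names, and the addresses are constructed for the example.

```python
import ipaddress

# Constructed subnet-to-site table, modelled on the subnet objects an administrator
# creates under Sites and Services.  The site names reuse the Windsor/London example
# from the lesson summary; the address ranges are invented for this example.
SUBNETS = {
    "10.1.0.0/16":     "Windsor",
    "10.1.128.0/24":   "Windsor",     # a more specific subnet in the same site
    "10.2.0.0/16":     "London",
    "192.168.50.0/24": "London",
}


def compile_subnets(table):
    """Parse the CIDR strings once and order them most specific (longest prefix)
    first, so that the first match wins, which is how the most specific subnet
    object determines a client's site."""
    nets = [(ipaddress.ip_network(cidr, strict=True), site) for cidr, site in table.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def site_for_address(addr, nets):
    """Return the site for a client address, or None when no subnet object covers it.
    A client with no site has no site affinity and may be directed to a domain
    controller on the far side of a slow link, so an unmatched address is a
    configuration gap worth fixing rather than a harmless miss."""
    ip = ipaddress.ip_address(addr)
    for net, site in nets:
        if ip in net:
            return site
    return None


def overlapping_subnets(nets):
    """List subnet pairs that overlap but are assigned to different sites.  The
    longest prefix still wins at lookup time, but such overlaps usually mean a
    subnet was added to the wrong site.  Returned as (specific, site, broad, site)."""
    problems = []
    for i, (a, site_a) in enumerate(nets):
        for b, site_b in nets[i + 1:]:          # nets is sorted, so a is never broader than b
            if site_a != site_b and a.version == b.version and a.subnet_of(b):
                problems.append((str(a), site_a, str(b), site_b))
    return problems


if __name__ == "__main__":
    nets = compile_subnets(SUBNETS)
    for client in ("10.1.5.7", "10.1.128.9", "10.2.0.9", "172.16.0.1"):
        print(client, "->", site_for_address(client, nets))
    print("overlaps:", overlapping_subnets(nets))
```

Run it directly to see the lookups.  The overlap check is the kind of sanity test worth running after
adding subnets, since a subnet attached to the wrong site silently redirects every client in it.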

 

 

Domain Controllers

 

A domain controller is a computer running Windows 2000 Server that stores a replica of the domain
directory (the local domain database).  A domain can contain one or more domain controllers, and
every domain controller in a domain holds a complete replica of that domain's portion of the directory.

 

The following list describes the functions of domain controllers:

 

  •   Each domain controller stores a complete copy of all Active Directory information for its
domain, manages changes to that information, and replicates those changes to the other domain
controllers in the same domain.
  •   Domain controllers in a domain automatically replicate all objects in the domain to each other.
When a change is made on any domain controller, that domain controller replicates the change to
all other domain controllers within the domain.  Within a site, a domain controller waits a default
5 minutes after a change before notifying its replication partners, so that several changes can be
sent together.
  •   Domain controllers immediately replicate certain important updates, such as the disabling of a
user account, without waiting for that delay.
  •   Active Directory uses multimaster replication, in which no one domain controller is the master
domain controller.  Instead, all domain controllers in a domain are peers or equals.
  •   Having more than one domain controller in a domain provides fault tolerance.  If one domain
controller is offline, another domain controller can provide all required functions, such as
recording changes to Active Directory.
  •   Domain controllers manage all aspects of users' domain interaction, such as locating Active
Directory objects and validating user logon attempts.

 

 

 

 


Lesson Summary:

 

  •   Object attributes describe the characteristics of a specific resource in the directory.
  •   A tree is a contiguous namespace.
  •   A forest is a disjointed namespace.
  •   In Active Directory, grouping resources logically enables you to find a resource by its name
rather than by its physical location.  The core unit of logical structure in Active Directory is
the domain, which stores information only about the objects that it contains.  An OU is a
container used to organize objects within a domain into logical administrative groups.
  •   The physical structure of Active Directory is based on sites and domain controllers.
  •   A site is a combination of one or more IP subnets connected by a high-speed link.  A site
is a physical location, for example Windsor or London.
  •   A domain controller is a computer running Windows 2000 Server that stores a replica of
the domain directory.

 

 

 

Lesson 2:  Understanding Active Directory Concepts

 

Global Catalog 

 

The global catalog is the central repository of information about objects in a tree or forest (see the
diagram on page 44 of the textbook).

 

By default, a global catalog is created automatically on the first domain controller in the forest; a
domain controller that holds one is known as a global catalog server.  It stores a full replica of all
objects and attributes for its own domain and a partial replica (a defined subset of the attributes)
of every object in every other domain in the forest.  Attributes replicated to the global catalog carry
the same permissions as in their source domain, so the global catalog exposes nothing that a user
could not read in the source domain.

 

The global catalog performs two key directory roles:

 

  •   It enables network logon by providing universal group membership information to a

domain controller when a logon process is initiated.

  •   It enables finding directory information regardless of which domain in the forest

actually contains the data.

 

 

 


When a user logs on to the network, the global catalog provides universal group membership
information for the account to the domain controller processing the logon.  If no global catalog
is available when a user initiates a network logon, the domain controller cannot determine the
user's universal group memberships (and therefore whether a universal group has been denied
access to some resource), so it refuses the network logon and the user can log on only to the
local computer.

IMPORTANT  If a user is a member of the Domain Admins group, he or she is able to log on to
the network even when the global catalog is not available.
 

You can configure any domain controller as a global catalog server, and you can designate as many
as you need.  When deciding which domain controllers to designate, base the choice on the ability of
your network to carry the extra replication and query traffic; in return, additional global catalog
servers give quicker responses to user queries and provide redundancy.  It is recommended that every
major site in your enterprise have at least one global catalog server.

 

 

Replication

 

Users and services should be able to access directory information at any time from any computer

in the domain tree or forest.  Directory information is replicated to domain controllers both within

and among sites.

 

 

What Information is Replicated?

 

The information stored in the directory is partitioned into three categories.  Each category is
referred to as a directory partition, and these directory partitions are the units of replication.
The directory contains the following kinds of information.

 

Schema information.  This defines the objects that can be created in the directory and what attributes

those objects can have.  This information is common to all domains in the domain tree or forest.

 

Configuration information.  This describes the logical structure of your deployment, containing information

such as domain structure or replication topology.  This information is common to all domains in the

domain tree or forest.

 

Domain data.  This describes all of the objects in a domain.  This data is domain-specific and is not
replicated in full to any other domain (only the subset held by the global catalog, described below,
leaves the domain).

 

 

Schema and configuration information is replicated to all domain controllers in the domain tree or forest.   

All of the domain data for a particular domain is replicated to every domain controller in that domain. 

All of the objects in every domain, and a subset of the properties of all objects in a forest, are replicated

to the global catalog.

 

 

 


A domain controller stores and replicates:

 

  •   The schema information for the domain tree or forest
  •   The configuration information for all domains in the domain tree or forest
  •   All directory objects and properties for its domain.  This data is replicated to any

additional domain controllers in the domain.

 

A global catalog stores and replicates:

  •   The schema information for the forest
  •   The configuration information for all domains in the forest
  •   All directory objects and all their properties for the domain in which the global catalog
is located
  •   A subset of the properties of all directory objects in the other domains of the forest
(replicated between global catalog servers only)

 

 

CAUTION  Extending the schema, in particular adding an attribute to the set the global catalog
replicates, can have disastrous effects on large networks: on Windows 2000 every global catalog
server then performs a full synchronization of its partial replicas of the other domains.
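The following example is added here (it is not part of the textbook) to make the replication scope of
a change concrete.  Given a constructed forest of domain controllers, some of them global catalog
servers, it answers which domain controllers receive a schema, configuration, or domain change, why
the same global catalog query succeeds on one server and returns nothing on another, and what
adding an attribute to the global catalog's attribute set costs.  The DC names, the domains, and the
short partial attribute set are assumptions for the example.

```python
# Constructed forest for the example: DC name -> (domain, holds a global catalog).
DCS = {
    "DC1": ("contoso.com", True),         # first DC in the forest: a GC by default
    "DC2": ("contoso.com", False),
    "DC3": ("sales.contoso.com", False),
    "DC4": ("sales.contoso.com", True),
    "DC5": ("fabrikam.com", False),       # second tree in the same forest
}

# A few members of the global catalog's partial attribute set (PAS); the real set is
# larger and is marked on each attribute in the schema.
PARTIAL_ATTRIBUTE_SET = {"cn", "sAMAccountName", "userPrincipalName", "mail",
                         "objectGUID", "objectSid", "member"}


def replication_scope(partition, domain=None, attribute=None, dcs=DCS, pas=PARTIAL_ATTRIBUTE_SET):
    """Return the names of the domain controllers that receive a change.

    'schema' and 'configuration' changes reach every DC in the forest.  A 'domain'
    change reaches every DC of that domain; if the changed attribute is in the
    PAS it also reaches every global catalog server in the forest."""
    if partition in ("schema", "configuration"):
        return set(dcs)
    if partition == "domain":
        if domain is None or attribute is None:
            raise ValueError("a domain data change needs a domain and an attribute")
        targets = {name for name, (dc_domain, _) in dcs.items() if dc_domain == domain}
        if attribute in pas:
            targets |= {name for name, (_, is_gc) in dcs.items() if is_gc}
        return targets
    raise ValueError(f"unknown partition {partition!r}")


def gc_query_returns(attribute, object_domain, gc_name, dcs=DCS, pas=PARTIAL_ATTRIBUTE_SET):
    """Whether an LDAP query against the global catalog on gc_name can return
    `attribute` for an object in object_domain.  A GC holds every attribute of its
    own domain but only the PAS for other domains, so the same query succeeds on
    a GC in the object's domain and silently returns nothing elsewhere."""
    gc_domain, is_gc = dcs[gc_name]
    if not is_gc:
        raise ValueError(f"{gc_name} is not a global catalog server")
    return gc_domain == object_domain or attribute in pas


def pas_extension_impact(new_attribute, dcs=DCS, pas=PARTIAL_ATTRIBUTE_SET):
    """Adding an attribute to the PAS is a schema change, so it reaches every DC;
    on Windows 2000 it also makes every global catalog server rebuild its partial
    replicas of the other domains in full, which is the cost the caution above
    refers to.  Returns (DCs receiving the schema change, GCs that resynchronise)."""
    if new_attribute in pas:
        return set(dcs), set()               # already in the PAS: no resync
    return set(dcs), {name for name, (_, is_gc) in dcs.items() if is_gc}


if __name__ == "__main__":
    print(sorted(replication_scope("domain", "sales.contoso.com", "mail")))
    print(sorted(replication_scope("domain", "sales.contoso.com", "extensionAttribute1")))
    print(gc_query_returns("extensionAttribute1", "sales.contoso.com", "DC1"))
    print(sorted(pas_extension_impact("employeeNumber")[1]))
```

The gc_query_returns case is the one that catches people in practice: a search on the global catalog
port for an attribute outside the PAS finds the object but returns no value, with no error.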

 

 

How Replication Works

 

Active Directory replicates information within a site more frequently than across sites, balancing the need

for up-to-date directory information with the limitations imposed by available network bandwidth.

 

Within a site, Active Directory (the Knowledge Consistency Checker, which runs on every domain
controller) automatically generates a topology for replication among domain controllers in the same
domain, using a ring structure.

The ring structure ensures that there are at least two replication paths from one domain controller to
another; if one domain controller is down temporarily, replication still continues among all the other
domain controllers.
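An added example (not from the textbook) that models the ring topology described above for the
domain controllers of one domain in one site, checks the fault-tolerance claim by taking each
controller down in turn, and goes one step beyond the text by adding the shortcut connections the
real KCC creates so that no controller is more than three hops from any other.  The domain controller
names are constructed.

```python
from collections import deque


def ring_connections(dcs):
    """Build the intrasite topology the KCC generates for the domain controllers of
    one domain in one site: a bidirectional ring, so each DC replicates with its two
    neighbours.  Returned as a set of directed (from_dc, to_dc) connection pairs."""
    if len(dcs) < 2:
        return set()
    conns = set()
    for i, dc in enumerate(dcs):
        neighbour = dcs[(i + 1) % len(dcs)]
        conns.add((dc, neighbour))
        conns.add((neighbour, dc))
    return conns


def hop_count(conns, src, dst, down=frozenset()):
    """Fewest replication hops from src to dst, routing around DCs that are down.
    Returns None when dst cannot be reached at all."""
    if src in down or dst in down:
        return None
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for a, b in conns:
            if a == node and b not in seen and b not in down:
                seen.add(b)
                queue.append((b, dist + 1))
    return None


def survives_single_failure(dcs, conns):
    """True when, for every single DC that could go down, every survivor still has a
    replication path to every other survivor.  This is the fault-tolerance claim
    of the ring: two paths between any pair."""
    for down in dcs:
        survivors = [dc for dc in dcs if dc != down]
        for src in survivors:
            for dst in survivors:
                if hop_count(conns, src, dst, {down}) is None:
                    return False
    return True


def add_shortcuts(dcs, conns, max_hops=3):
    """Beyond what the text states: the real KCC also adds extra connections so that
    no DC is more than three hops from any other in the site.  Modelled here by
    repeatedly connecting the most distant pair until the bound holds.  Assumes
    conns already connects every DC (as a ring does)."""
    conns = set(conns)
    if len(dcs) < 2:
        return conns
    while True:
        worst_hops, src, dst = max((hop_count(conns, a, b), a, b)
                                   for a in dcs for b in dcs if a != b)
        if worst_hops <= max_hops:
            return conns
        conns.add((src, dst))
        conns.add((dst, src))


if __name__ == "__main__":
    site_dcs = [f"DC{i}" for i in range(1, 9)]      # eight DCs in one site (constructed)
    ring = ring_connections(site_dcs)
    print("ring survives any single failure:", survives_single_failure(site_dcs, ring))
    print("DC1 -> DC5 on the bare ring:", hop_count(ring, "DC1", "DC5"), "hops")
    full = add_shortcuts(site_dcs, ring)
    print("connections after shortcuts:", len(full) // 2)
```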

 

 

 

 


Replication Between Sites

 

 

To ensure replication between sites, you must customize how Active Directory replicates information

using site links to represent network connections.  Active Directory uses the network connection

information to generate connection objects that provide efficient replication and fault tolerance.

 

 

NOTE:  When operating in Native Mode, Windows 2000 Domain controllers do not replicate with

pre-Windows 2000 domain controllers.

 

 

Trust Relationships

 

A trust relationship is a link between two domains in which the trusting domain honors the logon

authentication of the trusted domain.  Active Directory supports two forms of trust relationships:

 

Implicit two-way transitive trust.  A relationship between parent and child domains within a tree
and between the root of each tree and the forest root domain.  This is the default.  Transitive trust
is a feature of the Kerberos authentication protocol, which provides the distributed authentication
and authorization in Windows 2000 (see the diagram on page 48).

 

Explicit one-way nontransitive trust.  A relationship between domains that are not part of the same
tree.  A nontransitive trust is bounded by the two domains in the trust relationship and does not
flow to any other domains in the forest; a one-way trust lets users of the trusted domain reach the
trusting domain only, so two such trusts are needed for access in both directions.  In most cases you
must create nontransitive trusts explicitly (manually).  Explicit one-way nontransitive trusts are the
only form of trust possible with:

  1. A Windows 2000 domain and a Windows NT domain
  2. A Windows 2000 domain in one forest and a Windows 2000 domain in another forest
  3. A Windows 2000 domain and an MIT Kerberos V5 realm, allowing a client in a Kerberos realm to
authenticate to an Active Directory domain in order to access network resources in that domain.
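The following example is added to these notes (it is not from the textbook) and covers the Trees,
Forests, and Trust Relationships sections together: it derives the implicit two-way transitive trusts
of a forest from the DNS names of its domains, adds explicit one-way nontransitive trusts of the kinds
listed above, and then answers whether one domain honours logons from another.  The domain names,
the NT domain LEGACYNT, and the foreign-forest domain are constructed.  The transitive walk is also
the reason the forest, rather than the domain, is the security boundary: every domain in the forest
has an authentication path to every other.

```python
from collections import deque


def parent_of(domain, domains):
    """The parent under the DNS naming rule for trees: a child's name is its own
    relative name followed by the parent's full name.  Returns None for a tree root."""
    parent = None
    for candidate in domains:
        if candidate != domain and domain.endswith("." + candidate):
            if parent is None or len(candidate) > len(parent):
                parent = candidate
    return parent


def tree_roots(domains):
    """Domains that have no parent among the given names: one per tree in the forest."""
    return [d for d in domains if parent_of(d, domains) is None]


def implicit_trusts(domains):
    """The two-way transitive trusts Active Directory creates on its own: parent and
    child within a tree, and each additional tree root with the forest root.  The
    first domain listed is taken to be the forest root (the first domain created).
    Each trust is (trusting, trusted, transitive)."""
    domains = list(domains)
    forest_root = domains[0]
    edges = set()
    for d in domains:
        parent = parent_of(d, domains)
        if parent is not None:
            edges |= {(d, parent, True), (parent, d, True)}
        elif d != forest_root:
            edges |= {(d, forest_root, True), (forest_root, d, True)}
    return edges


def trusts_between(trusting, trusted, edges):
    """Does `trusting` honour logons authenticated by `trusted`?  A direct trust of
    either kind suffices.  A longer path counts only if every hop is transitive,
    which is exactly why a nontransitive trust is bounded by its two domains and
    why a one-way trust gives nothing in the other direction."""
    if any(a == trusting and b == trusted for a, b, _ in edges):
        return True
    seen, queue = {trusting}, deque([trusting])
    while queue:
        node = queue.popleft()
        for a, b, transitive in edges:
            if a == node and transitive and b not in seen:
                if b == trusted:
                    return True
                seen.add(b)
                queue.append(b)
    return False


# Constructed forest: two trees, forest root contoso.com.  All names are invented.
FOREST = ["contoso.com", "sales.contoso.com", "eu.sales.contoso.com",
          "fabrikam.com", "research.fabrikam.com"]

# Implicit trusts plus two explicit one-way nontransitive trusts of the kinds the
# text lists: to a Windows NT domain and to a domain in another forest.
TRUSTS = implicit_trusts(FOREST) | {
    ("sales.contoso.com", "LEGACYNT", False),        # sales.contoso.com trusts NT domain LEGACYNT
    ("contoso.com", "corp.northwind.com", False),    # contoso.com trusts a domain in another forest
}

if __name__ == "__main__":
    print("tree roots:", tree_roots(FOREST))
    for trusting, trusted in [("research.fabrikam.com", "eu.sales.contoso.com"),
                              ("sales.contoso.com", "LEGACYNT"),
                              ("contoso.com", "LEGACYNT"),
                              ("LEGACYNT", "sales.contoso.com")]:
        print(f"{trusting} honours {trusted}: {trusts_between(trusting, trusted, TRUSTS)}")
```

Note the direction convention: a trust is stored as (trusting, trusted), so users of the second domain
can reach resources in the first.  The NT domain is reachable only from the one domain that trusts it
directly, and the parent of that domain gets nothing from the relationship.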

 

 

 


DNS Namespace

 

A namespace is any bounded area in which a name can be resolved.  Name resolution is the process

of translating a name into some object or information that the name represents. DNS provides the

following benefits:

 

  •   DNS names are user-friendly, which means they are easier to remember than IP addresses.
  •   DNS names remain more constant than IP addresses.  An IP address for a server can change, but

the server name remains the same.

  •   DNS allows users to connect to local servers using the same naming convention as the Internet.

 

 

Because Active Directory uses DNS as its domain naming and location service, Windows 2000
domain names are also DNS names.  Windows 2000 Server uses Dynamic DNS (DDNS), which
enables clients with dynamically assigned addresses to register their records directly with a
server running the DNS service and to update them as their addresses change.  Because any host
that can send an update could otherwise overwrite another host's record, an Active Directory-integrated
zone should be configured to accept secure dynamic updates only.

IMPORTANT:  For Active Directory and associated client software to function correctly, you must
have installed and configured the DNS service.

 

 

Domain Namespace

 

The domain namespace is the naming scheme that provides the hierarchical structure for the DNS

database.  Each node represents a partition of the DNS database.  These nodes are referred to as

domains.

 

The DNS database is indexed by name; therefore, each domain must have a name.  As you add

domains to the hierarchy, the name of the parent domain is appended to its child domain (called a

subdomain).

 

The hierarchical structure of the domain namespace typically consists of a root domain, top-level

domains, second-level domains, and host names.

 

There are two types of namespaces:

 

Contiguous namespace.  The name of the child object in an object hierarchy always contains the

name of the parent domain.  A tree is a contiguous namespace.

 

 

 

 


Disjointed namespace.  The names of a parent object and a child of the same parent object are
not directly related to one another.  A forest is a disjointed namespace.  For example, consider
the names:

www.microsoft.com
msdn.microsoft.com
www.msn.com

The first two names form a contiguous namespace within microsoft.com, but the third name
belongs to a different namespace (msn.com); together the three form a disjointed namespace.

 

NOTE:  The term domain, in the context of DNS, is not related to domain as used in Windows

2000 directory services.  A Windows 2000 domain is a group of computers and devices that

are administered as a unit.

 

 

Root Domain

 

The root domain is at the top of the hierarchy and is represented as a period (.).  The Internet root

domain is managed by several organizations, including Network Solutions Inc.

 

 

Top-Level Domains

 

Top-level domains are organized by organization type or geographic location. 

 

=====================================================================

Top-level domain      Description
=====================================================================
gov                   Government organizations
com                   Commercial organizations
edu                   Educational institutions
org                   Noncommercial organizations
net                   Networks and network providers

 

 

Top-level domains can contain second-level domains and host names.

 

 

 

 

 

 

 

 


Second-Level Domains

 

Organizations, such as Network Solutions Inc. and others, assign and register second-level domains

to individuals and organizations for the Internet.  A second-level name has two name parts:  a top-

level name and a unique second-level name.

 

=====================================================================

Second-level domain   Description
=====================================================================
ed.gov                United States Department of Education
microsoft.com         Microsoft Corporation
stanford.edu          Stanford University
w3.org                World Wide Web Consortium
pm.gov.au             Prime Minister of Australia

 

======================================================================

 

 

Host Names  (WWW)

 

Host names refer to specific computers on the Internet or a private network. 

 

NOTE:  The host name does not have to match the computer's NetBIOS name or its name under any
other naming protocol.

 

 

Zones

 

A zone represents a discrete portion of the domain namespace.  Zones provide a way to partition

the domain namespace into manageable sections.

 

Multiple zones in a domain namespace are used to distribute administrative tasks to different groups.
In the textbook's example (see the diagram on page 53), two zones allow one administrator to manage
the microsoft and sales domains and another administrator to manage the development domain.

A zone must encompass a contiguous domain namespace.

The name-to-IP address mappings for a zone are stored in the zone database file.  Each zone is
anchored to a specific domain, referred to as the zone's root domain.

The zone file for Zone1 does not contain the name-to-IP address mappings for the development
domain, although development is a subdomain of the microsoft domain.

 

 

 

 


Name Servers

 

A DNS name server stores the zone database file.  Name servers can store data for one zone or

multiple zones. 

 

One name server contains the master zone database file, referred to as the zone primary database

file, for the specified zone.

 

Multiple name servers act as backups to the name server that holds the primary zone database file.
Multiple name servers provide the following advantages:

  • They obtain a copy of the zone from the primary through zone transfers.  Restrict zone transfers
to the listed secondary servers; for an Active Directory domain the zone includes the records that
locate every domain controller, and an unrestricted transfer hands that map to any host that asks.
  • They provide redundancy.
  • They improve access speed for remote locations.
  • They reduce the load on the name server containing the primary zone database file.

 

 

Naming Conventions

 

Every object in Active Directory is identified by a name.  Active Directory uses a variety of naming

conventions:  distinguished names, relative distinguished names, globally unique identifiers, and user

principal names.

 

Distinguished Name

 

Every object in Active Directory has a distinguished name (DN) that uniquely identifies the object and
contains sufficient information for a client to retrieve it from the directory: the object's own name
followed by the names of each container above it, up to the domain.

 

 

Relative Distinguished Name

 

Active Directory supports querying by attributes, so you can locate an object even if its exact DN is
unknown or has changed.  The relative distinguished name (RDN) of an object is the part of the DN
that is an attribute of the object itself: the first component of the DN, for example the CN of a user.

 

 

Globally Unique Identifier

 

A globally unique identifier (GUID) is a 128-bit number that is, for all practical purposes,
guaranteed to be unique.  A GUID is assigned to an object when the object is created and never
changes, even if you move or rename the object (both of which change its DN).  Because the
GUID is unique across the whole forest, not just the domain, you can move objects from
domain to domain and they keep the same identifier.

 

 

 

 

 

 


User Principal Name

 

User accounts have a "friendly" name, the user principal name (UPN), for logging on.  By default the
UPN is composed of a "shorthand" logon name for the user account, an @ sign, and the DNS name
of the domain in which the user account resides; other UPN suffixes can be defined for the forest.
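An added example (Python, not from the textbook) of the naming conventions in this section: it parses
a DN into its components, handling the backslash escapes LDAP uses for commas and other special
characters, extracts the RDN, the parent container, and the domain DNS name from the DC= components,
builds the default UPN, and shows with a small in-memory directory that a move or rename changes the
DN while the GUID stays fixed.  The sample DN, the logon name, and the use of a random UUID in place
of the objectGUID a domain controller would assign are assumptions of the example; multi-valued
RDNs (joined with +) are not handled.

```python
import uuid

_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute, value) pairs, most specific
    component first, honouring RFC 2253 backslash escapes such as '\\,' and '\\2C'."""
    pairs, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))   # \XX hex escape
                i += 3
            else:
                buf.append(dn[i + 1])                        # \, \\ \" \= and friends
                i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"malformed DN near {dn[:i]!r}")
            pairs.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("malformed DN: missing '='")
    pairs.append((attr, "".join(buf)))
    return pairs


def escape_value(value):
    """Re-escape an RDN value so it can be placed back into a DN string."""
    out, last = [], len(value) - 1
    for idx, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and idx == 0) or (ch == " " and idx in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def rdn(dn):
    """The relative distinguished name: the first component, an attribute of the object itself."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={escape_value(value)}"


def parent_dn(dn):
    """The container the object lives in: everything after the RDN."""
    return ",".join(f"{a}={escape_value(v)}" for a, v in parse_dn(dn)[1:])


def domain_dns_name(dn):
    """The domain is the DC= components read top-down, joined with dots."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def default_upn(logon_name, dn):
    """Default UPN: logon name @ DNS name of the domain holding the account."""
    return f"{logon_name}@{domain_dns_name(dn)}"


class Directory:
    """Tiny in-memory directory keyed by objectGUID: a move or rename changes the DN,
    the GUID stays the same, so the GUID is the stable way to refer to an object."""

    def __init__(self):
        self._by_guid = {}

    def add(self, dn):
        guid = uuid.uuid4()              # stand-in for the objectGUID assigned at creation
        self._by_guid[guid] = dn
        return guid

    def move(self, guid, new_parent_dn):
        self._by_guid[guid] = f"{rdn(self._by_guid[guid])},{new_parent_dn}"

    def rename(self, guid, new_rdn_value):
        attr, _ = parse_dn(self._by_guid[guid])[0]
        self._by_guid[guid] = f"{attr}={escape_value(new_rdn_value)},{parent_dn(self._by_guid[guid])}"

    def dn_of(self, guid):
        return self._by_guid[guid]


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=Sales,DC=contoso,DC=com"      # constructed sample DN
    print(parse_dn(sample))
    print(rdn(sample), "|", parent_dn(sample), "|", default_upn("jdoe", sample))
    d = Directory()
    g = d.add(sample)
    d.move(g, "OU=Marketing,DC=contoso,DC=com")
    print(g, "->", d.dn_of(g))
```

The escaped comma in the sample DN is the case that breaks naive split-on-comma parsers, and the
reason tooling should key on the GUID rather than on a DN that a move or rename can change underneath it.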

 

 

Lesson Summary:

 

  •   The Global Catalog is a service and a physical storage location that contains a replica of selected

attributes for every object in Active Directory.

  •   You can use the global catalog to locate objects anywhere in the network without replication of all

domain information between domain controllers.

  •   Active Directory includes replication to ensure that changes made on one domain controller are
reflected on all domain controllers within the domain.  Within a site, Active Directory automatically
generates a ring topology for replication among domain controllers in the same domain.
  •   A trust relationship is a link between two domains in which the trusting domain honors the logon
authentication of the trusted domain.
  •   The naming conventions Active Directory employs are DNs, RDNs, GUIDs, and UPNs.