CHAPTER 9

                     ACTIVE DIRECTORY SERVICES


What are Active Directory Directory Services?

Active Directory directory services make up the directory service included in the Windows 2000
Server products.  A directory service is a network service that identifies all resources on a
network and makes them accessible to users and applications.

Active Directory directory services include the Directory, which stores information about network
resources, as well as all the services that make the information available and useful.  The resources
stored in the Directory, such as user data, printers, servers, databases, groups, computers, and
security policies, are known as objects.

 

Simplified Administration

Active Directory directory services organize resources hierarchically in domains.  A domain is a
logical grouping of servers and other network resources under a single domain name.  The domain
is the basic unit of replication and security in a Windows 2000 network.

Each domain includes one or more domain controllers.  A domain controller is a computer running
Windows 2000 Server that stores a complete replica of the domain directory.  To simplify
administration, all domain controllers in the domain are peers.  You can make changes to any
domain controller, and the updates are replicated to all other domain controllers in the domain.

Active Directory directory services further simplify administration by providing a single point of
administration for all objects on the network.  Since Active Directory directory services provide a
single point of logon for all network resources, an administrator can log on to one computer and
administer objects on any computer in the network.

 

 

Scalability

In Active Directory directory services, the Directory stores information by organizing itself into
sections that permit storage for a huge number of objects.  As a result, the Directory can expand
as an organization grows, allowing you to scale from a small installation with a few hundred
objects to a huge installation with millions of objects.  Unlike Windows NT, which had a 40 MB
maximum!

 

 

======================================================================

 

winpro9.html                                                   PAGE 2                                                      2001/12/06

 

 

Open Standards Support

Microsoft has made Directory Services compatible, or open, so that they can interact with other
operating systems.  This allows you to unify and manage the multiple namespaces that now
exist.  Active Directory directory services use DNS for their name system and can exchange
information with any application or directory that uses Lightweight Directory Access Protocol
(LDAP) or HTTP.

Active Directory directory services will work with Novell, Corel, Unix etc.

IBM is an example of a closed-standard company: you must buy their hardware, software,
drivers etc. to be in an IBM environment.

 

 

Domain Name System

Because Active Directory directory services use DNS as their domain naming and location
service, Windows 2000 domain names are also DNS names.

Windows 2000 Server uses Dynamic DNS (DDNS), which enables clients with dynamically
assigned addresses to register directly with a server running the DNS Service and update the
DNS table dynamically.  DDNS eliminates the need for other Internet naming services, such
as Windows Internet Name Service (WINS), in a homogeneous environment.

IMPORTANT  For Active Directory directory services and associated client software to
function correctly, you must have installed and configured the DNS Service.

 

 

Support for LDAP and HTTP

Active Directory supports both.  LDAP is an Internet standard for accessing directory services,
which was developed as a simpler alternative to the Directory Access Protocol (DAP).


Support for Standard Name Formats

Active Directory directory services support several common name formats.

======================================================================
Format          Description
======================================================================
RFC 822         RFC 822 names are in the form somename@domain.
                They are similar to e-mail names.

HTTP URL        HTTP URLs are familiar to users with Web browsers and take
                the form http://domain/path-to-page.

UNC             Active Directory directory services support UNC names.
                For example, \\microsoft.com\sl\budget.xls.

LDAP URL        An LDAP URL specifies the server on which the Active
                Directory directory service resides and the attributed name
                of the object.  For example:
                LDAP://someserver.Microsoft.com/CN=FirstnameLastname,OU=sys,
                OU=product,OU=division,DC=devel
======================================================================

 

 

Lesson Summary:

  •   Active Directory Directory Services (ADDS) are not included in Windows 2000 Professional,
      but if your Windows 2000 Professional clients are in a Windows 2000 domain, the features and
      benefits provided by ADDS are also available to the clients.
  •   ADDS store information about the network resources, such as user data, printers, servers,
      databases, groups, computers, and security policies.  The Directory can scale from a small
      installation with a few hundred objects to a huge installation with millions of objects.
  •   ADDS use DNS as their domain naming and location service.  Therefore, Windows 2000
      domain names are also DNS names.
  •   In a homogeneous environment, DDNS eliminates the need for other Internet naming
      services, such as WINS.


Lesson 2:  Active Directory Structure and Replication

Active Directory directory services provide a method for designing a directory structure that meets
your organization’s needs.  As a result, before installing Active Directory directory services,
examine your organization’s business structure and operations.  Active Directory directory
services completely separate the logical structure of the domain hierarchy from the physical
structure.

Logical Structure

In Active Directory directory services, you organize resources in a logical structure.  Grouping
resources logically enables you to find a resource by its name rather than by its physical location.
Since you group resources logically, Active Directory directory services make the network’s
physical structure transparent to users.

Object

An object is a distinct, named set of attributes that represents a network resource.  Object
attributes are characteristics of objects in the Directory.  Some attributes of a user account
might be the user’s first and last name, department, and e-mail address.

In Active Directory directory services, you can organize objects in classes, which are logical
groupings of objects.  An object class may be user accounts, groups, computers, domains, or
organizational units.

Organizational Units

An organizational unit (OU) is a container that you use to organize objects within a domain
into logical administrative groups.  An OU can contain objects such as user accounts, groups,
computers, printers, applications, file shares, and other OUs.

The OU hierarchy within a domain is independent of the OU hierarchy structure of other
domains; each domain can implement its own OU hierarchy.  OUs are similar to a domain and
a group in Windows NT.  OUs can contain other OUs.


To an OU you add users; if a user has FC (full control) over objects, they can still change only the
details they are given access to.

Domain tree from the lecture sketch:

    Corp.com   (Domain Corp; Windows 2000 Server; the parent domain, also called the root of
    |           the tree and of the forest)
    |
    +-- Sales OU                     Account OU               (OUs within the Corp.com domain)
    |
    +-- Sales.corp.com               Accounting.corp.com      (child domains)
        (username@corp.com)          (username@corp.com)

Windows 2000 trusts are transitive, a "3-way" trust: if domain A trusts domain B and B trusts C,
then A also trusts C.

Domain

The core unit of logical structure in Active Directory directory services is the domain.
Grouping objects into one or more domains allows your network to reflect your company’s
organization.  Domains share these characteristics:

  •   All network objects exist within a domain, and each domain stores information only about the
      objects that it contains.  You can have 1 million objects in a domain.
  •   A domain is a security boundary.  Access to domain objects is controlled by access
      control lists (ACLs).  ACLs contain the permissions associated with objects that control
      which users can gain access to an object and which type of access users can gain to the
      objects.  In Windows 2000, objects include files, folders, shares, printers, and Active
      Directory objects.  Security policies and settings, such as administrative rights, security
      policies and ACLs, do not cross from one domain to another.  The domain administrator
      has absolute rights to set policies only within that domain.

Tree

A tree is a grouping of domains, or a hierarchical arrangement of one or more Windows
2000 domains, that share a contiguous namespace:

  •   Following DNS standards, the domain name of a child domain is the relative name of that
      child domain appended with the name of the parent domain.
  •   All domains within a single tree share a common schema, which is a formal definition of all
      object types that you can store in an Active Directory deployment.
  •   All domains within a single tree share a common global catalog, which is the central
      repository of information about objects in a tree.

 

 

Forest

A forest is a grouping or hierarchical arrangement of one or more domain trees that form a
disjointed namespace.  Forests have the following characteristics:

  •   All trees share a common schema.
  •   Trees in a forest have different naming structures, according to their domains.
  •   All domains in a forest share a common global catalog.
  •   Domains in a forest operate independently, but the forest enables communications across
      the entire organization.

Sites

The physical structure of Active Directory directory services is based on sites.  A site is a
combination of one or more IP subnets, which should be connected by a high-speed link.
Sites are used mainly for the replication process.  Typically, a site has the same boundaries as a
LAN.  When you group subnets on your network, you should combine only those subnets that
have fast, cheap, and reliable network connections with one another.

Site = physical (a geographical type of location).
Domain = logical.

With Active Directory directory services, sites are not part of the namespace.  When you browse
the logical namespace, you see computers and users grouped into domains and OUs, not sites.
Sites contain only computer objects and connection objects used to configure replication between
sites.

NOTE:  A single domain can span multiple geographical sites, and a single site can include user
accounts and computers belonging to multiple domains.

Replication Emergencies:

  •   Disabling a user account sets a flag on the domain controller and in the Registry and is
      replicated immediately!
  •   Adding a user or changing a password is a regular replication, but disabling an account is a
      type of emergency, so it is replicated ASAP.


Replication within a Site

Active Directory directory services also include a replication feature.  Replication ensures that
changes to a domain controller are reflected in all domain controllers within a domain.  A
domain can contain one or more domain controllers:

Each domain controller stores a complete copy of all Active Directory information for that
domain, manages changes to that information, and replicates those changes to other domain
controllers in the same domain.

Domain controllers in a domain automatically replicate all objects in the domain to each other.
Domain controllers immediately replicate certain important updates, such as a user account
being disabled.

Active Directory directory services use multimaster replication, in which no one domain
controller is the master domain controller.  Instead, all domain controllers within a domain
are peers, and each domain controller contains a copy of the Directory database that can be
written to.  Domain controllers can hold different information for short periods of time until all
controllers have synchronized changes to Active Directory directory services.

Domain controllers affect fault tolerance.  Having more than one domain controller in a domain
provides fault tolerance.  If one domain controller is offline, another can take over.

Domain controllers manage all aspects of user domain interaction, such as locating Active
Directory objects and validating user logon attempts.

Within a site, Active Directory directory services automatically generate a ring topology for
replication among domain controllers in the same domain.

The ring structure ensures that at least two replication paths flow from one domain controller
to another; if one domain controller is down temporarily, replication still continues to all other
domain controllers.

If you add or remove a domain controller from the network or a site, Active Directory directory
services reconfigure the topology to reflect the change.
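The ring topology and its fault tolerance, modelled as an added example (not part of the course material): the domain controller names are constructed, and replication is reduced to hop-by-hop flooding along ring links between online DCs.

```python
from collections import deque


def build_ring(dcs):
    """Within a site, the domain's DCs are joined in a ring: each DC replicates
    with its predecessor and successor in (sorted) order, so every pair of DCs
    is connected by two paths, one in each direction round the ring."""
    order = sorted(dcs)
    n = len(order)
    return {dc: {order[(i - 1) % n], order[(i + 1) % n]} - {dc}
            for i, dc in enumerate(order)}


def reconfigure(ring, add=(), remove=()):
    """Adding or removing a DC regenerates the whole topology (the text says the
    topology is reconfigured to reflect the change, not patched in place)."""
    return build_ring((set(ring) | set(add)) - set(remove))


def replication_paths(ring, src, dst):
    """The two directed paths from src to dst: round the ring one way, then the other."""
    order = sorted(ring)
    n, i, j = len(order), order.index(src), order.index(dst)
    forward = [order[(i + k) % n] for k in range((j - i) % n + 1)]
    backward = [order[(i - k) % n] for k in range((i - j) % n + 1)]
    return forward, backward


def receives_update(ring, origin, offline=frozenset()):
    """DCs that eventually receive an update written at `origin` while the DCs
    in `offline` are down.  Multimaster: any DC may be the origin; the update
    then spreads hop by hop over ring links whose endpoints are both online."""
    if origin in offline:
        return set()
    seen, queue = {origin}, deque([origin])
    while queue:
        dc = queue.popleft()
        for neighbour in ring[dc]:
            if neighbour not in seen and neighbour not in offline:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def converges(ring, origin, offline=frozenset()):
    """True when every online DC gets the update, i.e. the ring is not partitioned."""
    return receives_update(ring, origin, offline) == set(ring) - set(offline)


if __name__ == "__main__":
    # Constructed site holding five DCs of one domain.
    ring = build_ring(["DC1", "DC2", "DC3", "DC4", "DC5"])
    print(replication_paths(ring, "DC1", "DC3"))
    print(converges(ring, "DC1", {"DC2"}))          # one DC down: still converges
    print(converges(ring, "DC1", {"DC2", "DC4"}))   # two non-adjacent DCs down: DC3 is cut off
```

The last call shows the limit of a plain ring: two non-adjacent outages split it, so DC3 receives nothing until one of them returns.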

 

 

Lesson Summary

  •   Active Directory directory services completely separate the logical structure of the domain
      hierarchy from the physical structure.
  •   Grouping resources logically enables you to find a resource by its name rather than by its
      physical location.
  •   Since you group resources logically, Active Directory directory services make the
      network’s physical structure transparent to the users.
  •   An OU is a container that you use to organize objects within a domain into logical administrative
      groups, and an OU can contain objects such as user accounts, groups, computers, printers,
      applications, file shares and other OUs.
  •   A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains
      that share a contiguous namespace.
  •   A forest is a grouping or hierarchical arrangement of one or more trees that form a disjointed
      namespace.
  •   A site is a combination of one or more IP subnets, connected by a high-speed link.
  •   Within a site, Windows 2000 automatically uses the ring topology for replication among
      domain controllers in the same domain.
  •   If you add or remove a domain controller, Active Directory directory services automatically
      reconfigure the topology to reflect the change.

Lesson 3:  Understanding Active Directory Concepts

Schema

The schema is the outline of the objects, for example the Name, Address and Phone number fields
of a user profile.  Another way to think of it is as a field in a programming language.

The schema contains a formal definition of the contents and structure of Active Directory directory
services, including all attributes, classes, and class properties.  For each object, the schema defines
which attributes an instance of the class must have, which additional attributes it can have, and which
object class can be a parent of the current object class.  You can modify the schema; a programmer
can change it.

Installing Active Directory directory services on the first computer in a network creates the domain
and the schema.  The default schema contains definitions of commonly used objects and properties
(such as user accounts, computers, printers, groups, and so on).  The default schema also contains
definitions of objects and properties that Active Directory directory services use internally to function.

The Active Directory schema is extensible (there are no limits, and you can add to it), which means
that you can define new directory object types and attributes, and new attributes for existing objects.

An OU cannot have its own schema; the schema exists at the forest level, and each forest must have
its own schema.  The schema is implemented and stored within Active Directory directory services
itself (in the global catalog), and it can be updated dynamically.  As a result, . extensions immediately.
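A miniature schema validator, added here as an example and not part of the course material or the real Active Directory schema: the class names are borrowed from AD, but the required attributes, optional attributes and allowed parent classes are a constructed subset used only to show the three rules the paragraph lists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: frozenset            # attributes every instance must have
    may: frozenset             # additional attributes an instance may have
    poss_superiors: frozenset  # classes allowed to be the parent of this class


# Constructed subset of a default schema (illustrative, not the real definitions).
SCHEMA = {
    "domainDNS": ObjectClass("domainDNS", frozenset({"dc"}), frozenset(), frozenset()),
    "organizationalUnit": ObjectClass(
        "organizationalUnit", frozenset({"ou"}), frozenset({"description"}),
        frozenset({"domainDNS", "organizationalUnit"})),
    "user": ObjectClass(
        "user", frozenset({"cn", "sAMAccountName"}),
        frozenset({"givenName", "sn", "department", "mail"}),
        frozenset({"domainDNS", "organizationalUnit"})),
}


def validate_object(schema, obj_class, attributes, parent_class):
    """Return the list of schema violations for creating an object of class
    `obj_class` carrying `attributes` under a parent of class `parent_class`
    (None for a root object).  An empty list means the object is allowed."""
    cls = schema.get(obj_class)
    if cls is None:
        return [f"unknown object class {obj_class!r}"]
    problems = []
    missing = cls.must - set(attributes)
    if missing:
        problems.append(f"missing required attribute(s): {sorted(missing)}")
    undefined = set(attributes) - cls.must - cls.may
    if undefined:
        problems.append(f"attribute(s) not defined for {obj_class}: {sorted(undefined)}")
    if parent_class is not None and parent_class not in cls.poss_superiors:
        problems.append(f"{obj_class} may not be created under {parent_class}")
    return problems


def extend_schema(schema, class_name, new_may=()):
    """The schema is extensible: give an existing class extra optional attributes.
    Returns a new schema dict and leaves the original untouched."""
    cls = schema[class_name]
    extended = ObjectClass(cls.name, cls.must, cls.may | frozenset(new_may), cls.poss_superiors)
    return {**schema, class_name: extended}


if __name__ == "__main__":
    user = {"cn": "Jane Doe", "sAMAccountName": "jdoe", "department": "Sales"}
    print(validate_object(SCHEMA, "user", user, "organizationalUnit"))   # []
    print(validate_object(SCHEMA, "user", {"cn": "Jane Doe"}, "user"))   # two violations
    badge = {**user, "employeeBadge": "0042"}
    print(validate_object(SCHEMA, "user", badge, "organizationalUnit"))  # undefined attribute
    print(validate_object(extend_schema(SCHEMA, "user", ["employeeBadge"]),
                          "user", badge, "organizationalUnit"))          # [] after extension
```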

Global Catalog                              ** Important **

The global catalog is the central repository of information about objects in a tree or forest.  Active
Directory directory services automatically generate the contents of the global catalog from the
domains that make up the Directory through the normal replication process.  The Sears catalogue
is a great example of the global catalog.  The global catalog is used with multiple domains only.  In
the classroom we only have one domain, therefore we do not need to access the global catalog;
we have the domain to access Corp301.

By default, the first domain controller you create in the forest holds the global catalog.
The global catalog is always expandable.  It takes only certain attributes of each object; it does not
hold the entire database (name, last name etc., not a lot of details), or it would be too large.

The global catalog is a service and a physical storage location that contains a replica of selected
attributes for every object in Active Directory directory services.  By default, the attributes stored
in the global catalog are those most frequently used in search operations (such as a user’s first and
last names, logon name, and so on).

Additional global catalog servers can act as a type of backup global catalog.  If locations are spread
out, for example BC and Ottawa, you can have multiple global catalog servers, but only one is set up
initially.

When you install Active Directory directory services on the first domain controller in a new forest,
that domain controller is, by default, a global catalog server.  A global catalog server is a domain
controller that stores a copy of the global catalog.

You can designate additional domain controllers as global catalog servers by using the Active
Directory Sites and Services snap-in.  When considering which domain controllers to designate as
global catalog servers, base your decision on the ability of your network structure to handle replication
and query traffic.  The more global catalog servers that you have, the greater the replication traffic.
However, the availability of additional servers can provide quicker responses to user inquiries.
Microsoft recommends that every major site in your enterprise have a global catalog server.

Namespace

Active Directory directory services, like all directory services, primarily comprise a namespace.
A namespace is any bounded area in which a name can be resolved.  Name resolution is the
process of translating a name into some object or information that the name represents.

Using a common namespace allows you to unify and manage multiple hardware and software
environments in your network.  There are two types of namespaces:

Contiguous namespace.  The name of the child object in an object hierarchy always contains the
name of the parent domain.  A tree is a contiguous namespace.

Disjointed namespace.  The names of a parent object and of a child of the same parent object are
not directly related to one another.  A forest is a disjointed namespace.
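Grouping domain DNS names into trees, as an added example that is not part of the course material: it applies the DNS naming rule from the Tree section and the two namespace definitions above to a constructed forest (the Corp.com tree from the lecture sketch plus a second, unrelated tree, whose names are placeholders).

```python
def relative_name(domain):
    """The leftmost DNS label, e.g. 'sales' in sales.corp.com."""
    return domain.split(".", 1)[0]


def is_child_of(child, parent):
    """True when `child` is exactly one label below `parent`, i.e. its name is
    the relative name appended with the parent's name (sales.corp.com under corp.com)."""
    return child.endswith("." + parent) and child.count(".") == parent.count(".") + 1


def parent_domain(domain, domains):
    """The parent is the name with its first label removed, but only if that name
    is itself one of the forest's domains; otherwise `domain` is a tree root."""
    rest = domain.partition(".")[2]
    return rest if rest in domains else None


def group_into_trees(domains):
    """Map each tree root to the (sorted) domains that share its contiguous namespace."""
    domains = {d.lower().strip(".") for d in domains}
    trees = {}
    for d in domains:
        root = d
        while parent_domain(root, domains) is not None:
            root = parent_domain(root, domains)
        trees.setdefault(root, []).append(d)
    return {r: sorted(ds, key=lambda x: (x.count("."), x)) for r, ds in trees.items()}


def namespace_kind(domains):
    """One tree = contiguous namespace; several trees = disjointed namespace (a forest)."""
    return "contiguous" if len(group_into_trees(domains)) == 1 else "disjointed"


if __name__ == "__main__":
    # Constructed forest: the Corp.com tree from the sketch plus a second tree.
    forest = ["corp.com", "sales.corp.com", "accounting.corp.com",
              "eu.sales.corp.com", "fabrikam.net", "dev.fabrikam.net"]
    print(group_into_trees(forest))
    print(namespace_kind(forest))                          # disjointed
    # Two domains whose common suffix is NOT itself a domain are two separate trees:
    print(group_into_trees(["sales.corp.com", "hr.corp.com"]))
```

The last call shows that a shared DNS suffix alone does not make a tree: the namespace is contiguous only when the parent name exists as a domain.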

 

 

 

Naming Conventions

Every object in Active Directory directory services is identified by a name.

Distinguished Name

Every object in Active Directory directory services has a distinguished name (DN), or detailed
name, which uniquely identifies the object and contains sufficient information for a client to retrieve
the object from the Directory.  It is the actual location, or the actual path, of the object.

For example, the following DN identifies the Firstname Lastname user object in the Microsoft.com
domain (where Firstname and Lastname represent the actual first and last names of a user account):

/DC=COM/DC=Microsoft/OU=dev/CN=Users/CN=Firstname Lastname

Distinguished Name Attributes

======================================================================
Attribute           Description
======================================================================
DC                  DomainComponentName
OU                  OrganizationalUnitName
CN                  CommonName
======================================================================

DNs must be unique.  Active Directory directory services do not allow duplicate DNs.  The user logon
name must be unique within each domain.

Relative Distinguished Name

Active Directory directory services support querying by attributes, so you can locate an object even if the
exact DN is unknown or has changed.  The relative distinguished name (RDN) of an object is the part
of the name that is an attribute of the object itself.  It is relative to where you are, like giving directions
to a location starting from where you are at the current time.

You can have duplicate RDNs for Active Directory objects, but you can’t have two objects with the same
RDN in the same OU.
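A small parser for the name forms this chapter uses, added as an example and not course code: it handles the root-first /DC=.../CN=... DN shown above, the comma-separated LDAP form, and the LDAP URL from the name-format table in Lesson 1, then checks the DN and RDN uniqueness rules. The object and server names are the placeholders from the text; the Jane Doe entries are constructed.

```python
import re
from collections import Counter


def parse_ldap_dn(dn):
    """Split a leaf-first LDAP DN ('CN=...,OU=...,DC=...') into (attr, value) pairs.
    A backslash escapes the next character, so 'CN=Doe\\, Jane' stays one RDN."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def parse_slash_dn(dn):
    """The root-first '/DC=COM/DC=Microsoft/...' form used in the text: reversing
    its components gives the leaf-first order that parse_ldap_dn returns."""
    comps = [c for c in dn.split("/") if c]
    rdns = []
    for comp in reversed(comps):
        attr, _, value = comp.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def to_ldap(rdns):
    return ",".join(f"{a}={v}" for a, v in rdns)


def rdn(rdns):
    return rdns[0]          # the part that is an attribute of the object itself


def parent(rdns):
    return rdns[1:]         # the DN of the container (OU, domain, ...)


def dns_name(rdns):
    """The DC components, read leaf first, spell out the domain's DNS name."""
    return ".".join(v for a, v in rdns if a == "DC").lower()


def parse_ldap_url(url):
    """'LDAP://server/DN' -> (server, parsed DN)."""
    m = re.fullmatch(r"(?i)ldap://([^/]+)/(.+)", url.strip())
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return m.group(1), parse_ldap_dn(m.group(2))


def duplicate_dns(dn_list):
    """DNs that occur more than once, compared case-insensitively as the directory does.
    A DN is the RDN plus the parent's DN, so two objects with the same RDN in the
    same OU are exactly a duplicate DN; the same RDN under another OU is allowed."""
    normalised = [to_ldap(parse_ldap_dn(d)).lower() for d in dn_list]
    return sorted(k for k, n in Counter(normalised).items() if n > 1)


if __name__ == "__main__":
    text_dn = parse_slash_dn("/DC=COM/DC=Microsoft/OU=dev/CN=Users/CN=Firstname Lastname")
    print(to_ldap(text_dn), "| RDN:", rdn(text_dn), "| domain:", dns_name(text_dn))
    server, url_dn = parse_ldap_url(
        "LDAP://someserver.Microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel")
    print(server, "| container:", to_ldap(parent(url_dn)))
    print(duplicate_dns(["CN=Jane Doe,OU=Sales,DC=corp,DC=com",
                         "CN=Jane Doe,OU=Accounting,DC=corp,DC=com",   # same RDN, other OU: allowed
                         "cn=jane doe,ou=sales,dc=corp,dc=com"]))      # duplicate of the first
```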

 

 

 

Globally Unique Identifier

A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique.  GUIDs are
assigned to objects when the objects are created.

The GUID never changes, even if you move or rename the object.
But if you delete the object and create a new one, the new object is assigned a new GUID.

User Principal Name

User accounts have a "friendly" name, the user principal name (UPN).  The UPN is composed of a
shorthand name for the user account and the DNS name of the tree where the user account object resides.
Creating aliases makes it easier.

Lesson Summary:

  •   For each object, the schema defines which attributes an instance of the class must have, and
      which object class can be a parent of the current object class.
  •   Installing Active Directory directory services on the first domain controller in a network creates a
      default schema.  The Active Directory schema is extensible.
  •   The global catalog is a service and a physical storage location that contains a replica of selected
      attributes for every object in Active Directory directory services.  The global catalog works as
      a kind of cache.
  •   Contiguous namespace: the name of the child object in an object hierarchy always contains
      the name of the parent domain.  A tree is an example.
  •   Disjointed namespace: the names of a parent object and of a child of the same parent object
      aren’t directly related to one another.  A forest is an example of a disjointed namespace.