CHAPTER 6

ACTIVE DIRECTORY SERVICES

 

 

Lesson 1:  Overview of Active Directory Services

 

Active Directory services is the directory service included with Windows 2000 Server.  It is secure, distributed, partitioned and replicated.  It scales from a few hundred objects to thousands of servers and millions of objects.

 

Active Directory services is completely integrated with Windows 2000 Server and offers the

hierarchical view, extensibility, scalability, and distributed security required by all business

customers.  Active Directory services allows administrators, developers, and end users to

gain access to a directory service that is seamlessly integrated with both Internet and intranet

environments.

 

Active Directory services integrates the Internet concept of namespace with the operating

system’s directory service.  A namespace is a structured collection of information in which

names can be used to symbolically represent another type of information, such as a host

name representing an IP address, and in which specific rules are established that determine

how names can be created and used.

 

Active Directory services is not an X.500 directory.  Instead, it uses LDAP as the access protocol and supports the X.500 information model without requiring systems to host the entire X.500 overhead.  The result is a high level of interoperability that supports real-world heterogeneous networks.

 

NOTE:  For information on how LDAP uses X.500, see the Supplemental Course Materials

CD-ROM (\chapt01\articles\RFC 1777.txt) that accompanies this book.

 

 

Active Directory services allows a single point of administration for all published resources, such as files, peripheral devices, host connections, databases, Web access, users, services, and other objects.  It uses the Internet Domain Name System (DNS) as its locator service, organizes objects in domains into a hierarchy of organizational units (OUs), and allows multiple domains to be connected into a tree structure.

 

 

Administration is further simplified because there is no primary domain controller (PDC)/backup

domain controller (BDC) structure, as was implemented in Windows NT Server.

 

 

 

 

 

=====================================================================

 

winser6.html                                                  PAGE 2                                                     2001/01/17

 

 

 

Instead Active Directory services uses domain controllers only, and all domain controllers are

peers.  An administrator can make changes to any domain controller, and the updates will be

replicated to all other domain controllers.

 

 

Understanding Active Directory Concepts

 

There are several new concepts introduced with Active Directory services.  They are schema,

global catalog, namespace, and naming conventions.

 

 

Extensible Schema

 

The Active Directory schema contains a formal definition of the contents and structure of the

Active Directory store, including all attributes, classes, and class properties.  For each object

class, the schema defines what attributes an instance of the class must have, what additional

attributes it can have and what object class can be a parent of the current object class.

 

Installing Active Directory services on the first domain controller in a network creates a default

schema.  The default schema contains definitions of commonly used objects and properties,

such as users, computers, printers and groups.  The default schema also contains definitions

of objects and properties that Active Directory services uses internally to function.

 

The Active Directory schema is extensible, which means that you can define new directory

object types and attributes and new attributes for existing objects.

 

The schema is implemented and stored within the Active Directory store itself (in the global

catalog) and can be updated dynamically. 

 

 

Extending the Schema

 

Extending the Active Directory schema is an advanced operation intended to be performed

by experienced programmers and system administrators.

 

WARNING:  Extending the schema is a highly sensitive operation, with implications potentially throughout the network.  Schema extension is best handled programmatically and only when absolutely necessary.  Improper schema modifications can impair or disable Windows 2000 Server and possibly your entire network.

 

 

 

 

 

 


 

 

 

Global Catalog

 

When you initially install Windows 2000, the first domain controller is, by default, the global catalog server.  The global catalog is the central repository of information about objects in a domain tree (a collection of domains that form a domain hierarchy) or forest (a collection of domain trees that are part of different hierarchies).

 

Active Directory services generates the contents of the global catalog from the domains that

are part of the directory via the normal replication process.  The Active Directory replication

system automatically builds the global catalog and generates the replication topology.

 

 The global catalog is a service as well as a physical storage location that contains a replica

of selected attributes of every object in the Active Directory store.  The process of partial

replication allows many common queries to be resolved from the global catalog without

requiring a lookup in the source domain.  By default, the attributes stored in the global

catalog are those most frequently used in search operations (such as a user’s first and

last names, logon name and so on) and those necessary to locate a full replica of the object.

 

NOTE:  Be careful when changing the schema; only experienced programmers and system administrators should alter it.

 

When you install Active Directory services on the first domain controller, that domain controller is, by default, a global catalog server.  A global catalog server is a domain controller that stores a copy of the global catalog.

 

Additional domain controllers can also be designated as global catalog servers by using the Active Directory Sites and Services snap-in.  When considering which domain controllers to designate as global catalog servers, you should base the decision on the ability of the network structure to handle replication and query traffic.  The more global catalog servers there are, the greater the replication traffic.  However, the availability of additional servers can provide quicker responses to user inquiries.  It is recommended that every major site in the enterprise have a global catalog server.

 

 

Advantage of Multiple Global Catalogs:

Queries from remote geographic locations do not have to travel over the wire to get information.

 

 

 

 

 


 

 

 

Namespace

 

 

Active Directory services, like all directory services, is primarily a namespace.  A namespace

is any bounded area in which a name can be resolved.  Name resolution is the process of

translating a name into some object or information that the name represents.  See page 243,

or the diagram below:

microsoft.com
    div1.microsoft.com
        dept1.div1.microsoft.com
        dept2.div1.microsoft.com
    div2.microsoft.com
        dept1.div2.microsoft.com
        dept2.div2.microsoft.com

 

Using a common namespace allows you to unify and manage multiple hardware and software environments in your network.  There are two types of namespaces:

  •   Contiguous namespace.  The name of the child object in an object hierarchy always contains the name of the parent domain.  A tree is a contiguous namespace.
  •   Disjointed namespace.  The names of a parent object and a child of the same parent object are not directly related to each other.  A forest is a disjointed namespace.
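As an added illustration (not part of the course text), the following Python classifies a set of domain names as a contiguous namespace (one tree) or a disjointed one (a forest) and rebuilds the parent/child hierarchy shown in the diagram above; the domain names are constructed samples.

```python
from typing import Dict, List, Optional, Tuple


def parent_of(name: str) -> Optional[str]:
    """DNS parent of a name ('div1.microsoft.com' -> 'microsoft.com'); None for a single label."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def build_hierarchy(domains) -> Tuple[Dict[str, List[str]], List[str]]:
    """Attach each domain to its nearest ancestor that is also in the set.

    Returns (children, roots). In a contiguous namespace every child name
    contains its parent's name, so all names descend from a single root.
    Domains with no ancestor in the set are roots; more than one root means
    the names form a disjointed namespace (a forest of separate trees).
    """
    names = {d.lower().rstrip(".") for d in domains}
    children: Dict[str, List[str]] = {n: [] for n in names}
    roots: List[str] = []
    for n in sorted(names):
        ancestor = parent_of(n)
        # Skip labels that exist in DNS but are not domains in our set.
        while ancestor is not None and ancestor not in names:
            ancestor = parent_of(ancestor)
        if ancestor is None:
            roots.append(n)
        else:
            children[ancestor].append(n)
    return children, sorted(roots)


def is_contiguous(domains) -> bool:
    """True when the names form one tree (contiguous), False for a forest."""
    return len(build_hierarchy(domains)[1]) == 1


def render(children: Dict[str, List[str]], roots: List[str], indent: int = 0) -> List[str]:
    """Indented text view of the hierarchy, one name per line."""
    lines = []
    for r in roots:
        lines.append("  " * indent + r)
        lines.extend(render(children, children[r], indent + 1))
    return lines


# Constructed sample domains mirroring the diagram above.
TREE = [
    "microsoft.com", "div1.microsoft.com", "div2.microsoft.com",
    "dept1.div1.microsoft.com", "dept2.div1.microsoft.com",
]
FOREST = TREE + ["expedia.com", "hr.expedia.com"]

if __name__ == "__main__":
    for label, domains in (("tree", TREE), ("forest", FOREST)):
        print(label, "contiguous" if is_contiguous(domains) else "disjointed")
        print("\n".join(render(*build_hierarchy(domains))))
```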

 

 

 

 


 

 

 

Naming Conventions

 

Every object in the Active Directory store is identified with a name.  Active Directory services uses a variety of naming conventions:  distinguished names, relative distinguished names, globally unique identifiers, and user principal names.  Active Directory services is an LDAP-compliant directory service, which means that all access to directory objects occurs through LDAP.

 

 

Distinguished Name

 

Objects are located within Active Directory domains according to a hierarchical path, which includes the labels of the Active Directory domain name and each level of container objects.  Every object in the Active Directory store has a distinguished name (DN).  The DN uniquely identifies an object and contains sufficient information for a client to retrieve the object from the directory.

 

The following example is a DN that identifies the James Smith user object in the Microsoft.com domain:

CN=James Smith, CN=Users, DC=Microsoft, DC=COM

By analogy, a file path such as D:\Data\Report\xyz.doc is also a distinguished name: it is the exact path from the root.

 

The delimiters and values used in the DN for James Smith are identified in the following table:

 

======================================================================
LDAP Delimiter        Value               Represents
======================================================================
DC                    COM                 Domain component
DC                    Microsoft           Domain component
CN                    Users               Common name
CN                    James Smith         Common name
======================================================================

 

NOTE:  The Active Directory snap-in tools do not display the LDAP abbreviations (O=, DC=, CN=).  O= is the Organization name and C= is the Country name.

 

 

Relative Distinguished Name

 

In Active Directory services, you can search for an object even if you don’t know the exact DN or if the DN has changed.  This can be accomplished by querying an object’s attributes.  One of an object’s attributes is its relative distinguished name (RDN), which is part of the full DN.

 

 

 

 


 

 

 

Active Directory services allows duplicate RDNs for objects, but no two objects with the same RDN can exist within the same OU.  For example, if an OU contains a James Smith user account, you could not add another James Smith to it.  However, if the OU contains two smaller OUs, such as Managers and Sales, the Managers OU can contain a James Smith user account and the Sales OU can contain a James Smith user account, because each of these users would have a different DN.
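To make the DN, RDN and uniqueness rules concrete, here is an added Python example (not from the course text): it parses a DN into its RDNs, derives the parent container, and reports RDN collisions within one container, which is exactly the case the directory refuses. The DNs are constructed samples; value escaping follows RFC 2253 (backslash before a special character, or a \XX hex pair).

```python
import string
from typing import Dict, List, Tuple


def _trim(part: str) -> str:
    """Strip surrounding whitespace but keep an escaped trailing space ('\\ ')."""
    part = part.lstrip()
    while part.endswith(" ") and not part.endswith("\\ "):
        part = part[:-1]
    return part


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, leaf first, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if ch == ",":                    # an unescaped comma ends this RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [_trim(p) for p in parts]


def unescape(value: str) -> str:
    """Decode RFC 2253 escapes: '\\,' -> ',' and '\\2C' -> ',' (hex pairs decoded byte-wise)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])     # escaped special, space or '#'
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] from the leaf RDN down to the root DC components."""
    rdns = []
    for part in split_dn(dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, raw = part.split("=", 1)
        rdns.append((attr.strip().upper(), unescape(raw.lstrip())))
    return rdns


def parent_dn(dn: str) -> str:
    """DN of the container that holds the object (everything but the leaf RDN)."""
    return ",".join(split_dn(dn)[1:])


def rdn_key(dn: str) -> Tuple[str, str]:
    """Case-folded leaf RDN, the value the directory compares when enforcing uniqueness."""
    attr, value = parse_dn(dn)[0]
    return attr, value.lower()


def find_rdn_collisions(dns) -> Dict[Tuple[str, Tuple[str, str]], List[str]]:
    """Group DNs whose leaf RDN repeats inside the same container.

    The same RDN in different containers is fine (the full DNs differ);
    only groups with more than one DN under one parent are returned.
    """
    groups: Dict[Tuple[str, Tuple[str, str]], List[str]] = {}
    for dn in dns:
        groups.setdefault((parent_dn(dn).lower(), rdn_key(dn)), []).append(dn)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    dn = "CN=James Smith, CN=Users, DC=Microsoft, DC=COM"
    print(parse_dn(dn))
    print("parent:", parent_dn(dn))
    print(find_rdn_collisions([
        "CN=James Smith,OU=Managers,DC=microsoft,DC=com",
        "CN=James Smith,OU=Sales,DC=microsoft,DC=com",
        "cn=james smith,ou=sales,dc=microsoft,dc=com",
    ]))
```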

 

For example, when you log on with a UPN such as Patti@corp301.com, the domain selection would be grayed out, and you would not have to select a domain.

 

Globally Unique Identifier

 

Every object in the Active Directory store has a unique identity.  Objects might be moved or

renamed, but their identity never changes.  The identity of an object is defined by a globally

unique identifier (GUID), a 128-bit number that is assigned by the Directory System Agent

(DSA) when the object is created.

 

Unlike a distinguished name or a relative distinguished name, a GUID never changes, even if

you move or rename the object.

 

In Windows NT, domain resources were associated to a security identifier (SID), which was

generated within the domain.  This meant that the SID was guaranteed to be unique only

within the domain.

 

The GUID is stored in an attribute, objectGUID, that is present on every object.  The object

GUID attribute is protected so that it cannot be altered or removed.
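As an added example (not from the course text), the following Python shows how the 16-byte objectGUID value maps to the string form the tools display, why a plain hex dump of those bytes gives a different and misleading string, and how to build an LDAP search filter that finds an object by its permanent GUID even after it has been renamed or moved. The GUID value is a constructed sample.

```python
import uuid


def guid_to_string(raw: bytes) -> str:
    """Render a 16-byte objectGUID the way the admin tools display it.

    Windows stores the first three GUID fields little-endian, so the bytes
    cannot simply be hex-dumped in order; uuid's bytes_le does the swap.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def big_endian_misread(raw: bytes) -> str:
    """What a naive in-order hex dump yields; it does NOT match the tools' display."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes=raw))


def string_to_guid(text: str) -> bytes:
    """Inverse of guid_to_string: string form back to the stored byte order."""
    return uuid.UUID(text).bytes_le


def ldap_filter_for_guid(raw: bytes) -> str:
    """LDAP search filter that locates an object by its GUID.

    Binary filter values must be escaped byte-by-byte as \\XX (RFC 4515).
    Because the GUID never changes, this lookup keeps working after the
    object's DN has changed through a rename or move.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


# Constructed sample value (not a real directory object).
SAMPLE_GUID = bytes.fromhex("0123456789abcdef0123456789abcdef")

if __name__ == "__main__":
    text = guid_to_string(SAMPLE_GUID)
    print("display form :", text)
    print("naive dump   :", big_endian_misread(SAMPLE_GUID))
    print("search filter:", ldap_filter_for_guid(string_to_guid(text)))
```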

 

 

User Principal Name

 

A user principal name (UPN) is a friendly name that is shorter than the DN and easier to

remember.  The UPN format is the user name, the “@” character, plus a user principal

name suffix.

 

For example, user James Smith in the Microsoft.com tree might have a UPN of

username@microsoft.com.

 

 

Active Directory Architecture

The structure of Active Directory services can be broken into several primary architectural components:  the data model, schema, security model, and administration model.

 

 

 

 


 

 

 

Data Model

 

The Active Directory data model is derived from the X.500 data model.  The directory

holds objects that represent various components of the network, and each of the objects

is described by attributes.

 

Schema

 

The Active Directory schema is implemented as a set of object class instances stored in

the directory.  The schema can be updated dynamically.  Like every object in the Active

Directory store, schema objects are protected by access control lists (ACLs), so only

authorized users may alter the schema.

 

 

Security Model

 

The directory is part of the Windows 2000 Trusted Computing Base and is a full participant

in the Windows 2000 security infrastructure.  The Trusted Computing Base is the set of

operating system components responsible for enforcing the security policies of the operating

system.  The Windows 2000 access validation routines use the ACL to validate any attempt

to access an object or attribute in the Active Directory store.

 

 

Administration Model

 

A user is authorized by a higher authority to perform a specified set of actions on a specified

set of object instances and object classes in some identified subtree of the directory.  This is

called delegated administration.  Delegated administration allows granular control over who

can do what and enables delegation of authority without granting elevated privileges.

 

The DSA is the process that manages the directory’s physical storage.  Clients use one of the supported interfaces to connect to the DSA and then search for, read, and write directory objects and their attributes.

 

 

Access to Active Directory Services

 

Access to Active Directory services is via wire protocols.  Wire protocols define the formats of messages and the interactions of client and server.  Various application programming interfaces (APIs) give developers access to these protocols.

 

 

 

 


 

 

Protocol Support

 

Active Directory services supports the following protocols:

  •   LDAP.  The Active Directory core protocol is LDAP; LDAP version 2 and version 3 are supported.
  •   MAPI_RPC.  Active Directory services supports the remote procedure call (RPC) interfaces that support the Messaging Application Programming Interface (MAPI).
  •   X.500.  The Active Directory information model is derived from the X.500 information model.  X.500 defines several wire protocols that Active Directory services does not implement, in part because of their dependence on the OSI network protocol:

        •   Directory Access Protocol (DAP)
        •   Directory System Protocol (DSP)
        •   Directory Information Shadowing Protocol (DISP)
        •   Directory Operational Binding Management Protocol (DOP)

 

 

 

Application Programming Interfaces

 

Active Directory services provides powerful, flexible, and easy-to-use APIs.

 

 

 

Active Directory Service Interfaces

 

To make it easier to write directory-enabled applications that access Active Directory services

and other LDAP-enabled directories, Microsoft developed Active Directory Service Interfaces

(ADSI).  ADSI is a set of extensible, easy-to-use programming interfaces that can be used to

write applications to access and manage the following:

 

  •   Active Directory services
  •   Any LDAP-based directory
  •   Other directory services in a customer’s network, including Novell Directory Services (NDS)

 

ADSI is part of Open Directory Services Interfaces (ODSI) and Windows Open Services

Architecture (WOSA).

 

 

 


 

 

 

 

ADSI abstracts the capabilities of directory services from different network providers to present a single set of directory service interfaces for managing network resources.

 

ADSI makes it easier to perform common administrative tasks, such as adding new users,

managing printers, and locating resources throughout the distributed computing environment. 


 

ADSI objects are designed to meet the needs of three main audiences:

 

Developers.  Typically the audience will use ADSI with a compiled language such as

C++, and write an application to manage multiple directories, network printing, backup

databases, and so on.

 

System Administrators.  This audience will access ADSI through a scripting language,

such as Microsoft Visual Basic, although C/C++ can also be used to enhance performance.

 

Users.  Like the system administrators, this audience will access ADSI through a scripting

language.  For example, a user might write a script to locate all print jobs in a group of print

queues and display the status of each.

 

 

LDAP C API

 

The LDAP C API provides a lowest common denominator solution for developers who

need their applications to work on many different client types.

 

 

Windows Messaging API

 

Active Directory services provides support for MAPI so that legacy MAPI applications

will continue to work with Active Directory Services.

 

 

Virtual Containers

 

Active Directory services supports virtual containers, which allow any LDAP-compliant

directory to be accessed transparently via Active Directory services.

 

 

 

Directory Service Architecture

 

Active Directory functionality can be illustrated as a layered architecture in which the layers represent the server processes that provide directory services to client applications.  The three service layers (DSA, Database Layer, and Extensible Storage Engine) accommodate the different types of information that are required to locate records in the directory database.

 

 


 

 

 

 

Active Directory services architecture includes the following key service components:

 

Directory System Agent (DSA).  Builds a hierarchy from the parent-child relationship

stored in the directory.

 

Database Layer.  Provides an abstraction layer between applications and the database.

 

Extensible Storage Engine (ESE).  Communicates directly with individual records

in the directory data store on the basis of the object’s RDN attributes.

 

Data store (the database file Ntds.dit).  This file is manipulated only by the

Extensible Storage Engine (ESE) database engine.  You can administer the file by using

the Ntdsutil tool.

 

NOTE:  Ntdsutil.exe is installed in %systemroot%\system32 when Windows 2000 Server is installed.

 

 

The Interfaces

 

Clients gain access to Active Directory by using mechanisms that are supported by the DSA.

 

=====================================================================
Interface        Description
=====================================================================
LDAP             Provides an API for LDAP clients and exposes ADSI so that
                 additional applications can be written that can talk to
                 Active Directory services.

REPL             Used by the replication service to facilitate Active
                 Directory replication via RPC over IP or SMTP (Simple Mail
                 Transfer Protocol).

SAM              Provides down-level compatibility to facilitate
                 communication between Windows 2000 and Windows NT 4.0
                 domains.

MAPI             MAPI clients, such as the Microsoft Outlook messaging and
                 collaboration client, connect to the DSA by using the
=====================================================================

 

 


 

 

Directory System Agent

 

 


 

The DSA is the Active Directory process that runs on each domain controller and manages all the

directory service functions.  This process manages the directory’s physical storage.

 

The DSA provides access to the store, which is the database file containing directory information located on a hard disk.  DSA is an X.500 term that describes the server-side process that creates an instance of a directory service, that is, the process to which applications bind.

 

 

Object Identification

 

Every object in the Active Directory store has a permanent GUID associated with a string form of

the object name.  The object name is not permanent; it can be changed.  All permanent references to

the object are kept in terms of the GUID.

 

 

Transaction Processing

 

Transactions are processed atomically.  A write request either commits, and all of its effects are durable, or it fails before completion and has no effect.  Transactions are written synchronously to the transaction log file and then to the database.

 

 

Schema Enforcement of Updates

 

The duplication and synchronization of directory information is known as multimaster replication. 

In a multimaster system, a change to a schema object in one replica might conflict with existing

objects in that replica and also with objects in other replicas.  The schema is a formal definition

of every object class that can be created in the directory, the attributes of each object class, and

the possible parents for every object class.  In Windows 2000, schema change is a single-master

operation, which means that any change you make on the master is updated on all other replicas.

 

 

Access Control Enforcement

 

The DSA enforces security limitations in the directory.  The DSA layer reads SIDs on the

access token.

 

 

 

 

 


 

 

 

 

Support for Replication

 

The DSA contains the hooks for replication notifications.  All object updates ultimately must go

through the appropriate function for the directory service to work properly.

 

 

Referrals

 

The DSA manages the directory hierarchy information (referred to as knowledge) that it receives from the database layer.  The DSA is responsible for cross-references of Active Directory domain objects up and down the hierarchy and also out to other domain hierarchies.

 

 

Database Layer

 

The database layer provides an object view of database information by applying schema semantics

to database records, thereby isolating the upper layers of the directory services from the underlying

database system.

 

Active Directory services provides a hierarchical namespace.  Each object is uniquely identified

in the database by its individual naming attribute, called the RDN.  The RDN and the chain of

successive parent object names make up the object’s DN.

 

A major function of the database layer is to translate each DN into an integer structure called

the DN tag, which is used for all internal accesses.

 

The database layer is responsible for the creation, retrieval, and deletion of individual records,

attributes within records, and values within attributes.

 

 

Extensible Storage Engine

 

Active Directory services is implemented on top of an Indexed Sequential Access Method

(ISAM) table manager.  An earlier version of this table manager, called the JET database, is

used by Microsoft Exchange Server version 5.5 client-server messaging and groupware, the

File Replication Service, the security configuration editor, the certificate server, Windows

Internet Name Service (WINS), and various other Windows components.  Windows 2000

has a new and improved version of the JET database, the ESE.

 

The ESE (Esent.dll) implements a transacted database system that uses log files to ensure that

committed transactions are indeed safe. By default, Esent.dll and Ntds.dit are stored in the

%systemroot%\system32 folder.

 

 

 

 


 

 

 

The ESE stores all Active Directory objects.  The ESE can support a database of up to 16

TB in size, which can theoretically hold many millions of objects per domain.

 

The ESE is well suited to the storage needs of Active Directory services:

 

  •   The ESE update operations are transacted for stability and integrity across system

failures.

  •   The ESE handles sparse rows well, that is, rows in which many of the properties

do not have values.

 

Active Directory services comes with a predefined schema that defines all the attributes required and allowed for a given object.  For example, if a user object has 50 attributes defined in the schema and you create a user with only four attributes, storage space is allocated only for those four attributes.  If more attributes are added later, more storage is allocated for them.

 

Also, the ESE is able to store attributes that can have multiple values.  For example, the database can store multiple phone numbers for a single user without requiring a different phone number attribute for each phone number.

 

 

Lesson Summary:

 

  •   Active Directory services offers the hierarchical view, extensibility, scalability, and

distributed security required by all business customers.  Active Directory services

integrates the Internet concept of namespace with the operating system’s directory service.

  •   It uses the LDAP as its core protocol and can work across operating system boundaries,

integrating multiple namespaces.

  •   The Active Directory schema contains a formal definition of the contents and structure of

the Active Directory store, including all attributes, classes and class properties.

  •   The global catalog, which is the central repository of information about objects in a tree or

a forest, is a service and a physical storage location that contains a replica of selected

attributes of every object in the Active Directory store.

 

 

Lesson 2:  Planning Active Directory Implementation

 

 

Before you implement a Windows 2000 network environment, you should first consider

how to implement Active Directory services.  First you must plan the DNS namespace. 

The namespace includes a domain hierarchy, the global catalog, trust relationships, and

replication.

 

 


 

 

 

In a single domain, users and resources can be organized by using a hierarchy of OUs to

reflect the structure of the company.  Finally, the planning process for the Active Directory

implementation must include a plan to establish sites that can effectively facilitate the

management of replication and logon traffic over links in your enterprise.

 

 

Planning a Namespace

 

Similar to DNS, the Active Directory namespace is the top-level fully qualified domain name for a company, consisting of Windows 2000 domains, domain controllers, OUs, trust relationships, and domain trees.

 

One of the decisions you need to make when implementing Active Directory services is

whether the internal namespace (inside the firewall) or the external namespace (outside

the firewall) will be the same or separate.  Simply put, will the Active Directory namespace

match the DNS namespace (typically the Internet domain name) that might already be

defined for your organization?

 

 

NOTE:  This is not to say that DNS is an external namespace only.  The point is that, if the

namespaces are separate, Active Directory services will be administered separately from the

external namespace.

 

 

 

Internal and External Namespaces

 

A namespace is the top-level Active Directory domain name for an organization. 

 

 

Scenario 1:  Same Internal and External Namespaces

 

In this scenario, the company uses the same name for the internal and external namespaces.  Microsoft.com is used both inside and outside the company.  To implement this scenario, the following requirements must be met:

 

  •   Clients on the company’s internal, private network must be able to access both internal

and external servers (both sides of the firewall).

  •   Clients accessing resources from the outside must not be able to access internal

company resources or resolve names.

 

 

 


 

 

 

 

For this scenario to work, you must have two different DNS zones: one serving the outside of the firewall and one serving the inside.

 

Advantages of using the same name inside and outside the firewall:

 

  •   The tree name, Microsoft.com, is consistent both on the private network and on the public

Internet.

  •   This scenario extends the idea of a single logon name to the public Internet, allowing users

to use the same logon name both internally and externally.  For example,

username@microsoft.com would serve as both the logon and e-mail ID.

 

 

Disadvantages of using the same name:

 

  •   The configuration is more complex.  Proxy clients must be configured to know the difference between internal and external resources.
  •   Care must be taken not to publish internal resources on the public Internet.
  •   There will be duplicate zones, one internal and one external.
  •   Even though the names are the same, users will get a different view of internal and external resources.

 

 

Scenario 2:  Separate Internal and External Namespaces

 

Both the internal and the external namespace must be registered with the Internet DNS.
Registering both names prevents duplication of the internal name by another public network.

 

Two zones will be established.  One zone will resolve Microsoft.com and the other

zone will resolve expedia.com.  The client can clearly distinguish between the internal and

external name.

 

 

Advantages of using separate names for internal and external:

 

  •   Based on different domain names, the difference between internal and external

resources is clear. 

  •   There is no overlap or duplication of effort, resulting in a more

easily managed environment. 

  •   Configuration of proxy clients is simpler since exclusion

lists need to contain only expedia.com when identifying external resources.

 

 

 

 


Disadvantages of separate names for internal and external:

 

  •   Logon names are different from e-mail names.  For example, if someone logs on as
user@microsoft.com but his e-mail address is username@expedia.com, he must remember
and maintain separate user names.
  •   Multiple names must be registered with an Internet DNS.

 

 

TIP:  In this scenario, logon names are different by default.  An Administrator can use

the Microsoft Management Console (MMC) to change the UPN suffix properties of

users so that the user logon will match the e-mail address of the user.

 

 

Defining a Namespace Architecture

 

You should consider the impact of replication traffic over the WAN.  Additionally,

organizations and their structure change constantly.  The goal is to have a namespace

architecture that is scalable, can adapt to change, can distinguish between internal and

external resources, and can protect company data at the same time.

 

 You should have the system designed in the following manner:

 

  • Root domain      (The Head Office)
  • First-layer domain   (Marketing or Sales)
  • Second-layer domain  (Department London, Department Chatham)

 

This structure provides a granular replication topology and the ability to limit the scope of

administrators as necessary.

 

 

Root Domain

 

A root domain is the first domain in the namespace, like expedia.com.  The root domain in Active

Directory services maps to the company namespace.  All internal domains are a part of this domain

 tree.  Also, servers containing the namespace root will not exist on the public side of the firewall

and therefore will not be visible to the Internet.

 

 

First-Layer Domains

 

In this layer you should create names that do not change, that is, static names.

 

 

 


The easiest way is to create a name based on geographical location, for example,
Europe.Microsoft.com.  Global catalog servers still make it possible for a user in North
America to find a resource in Europe as needed.

 

The trust relationship between the root and all first-layer domains makes resources available
to all branches of the domain tree.  Therefore, a user in noamer.expedia.com can access a
resource in Europe.Microsoft.com.

 

Domain names at this layer should be at least three characters long so that they do not

conflict with the ISO 3166 standard.

 

*** See the naming samples on page 262; they are only suggestions ***

 

 

Second-Layer Domains

 

Ideally, domains at this layer should be countries only and branch off of their corresponding

first-layer domain.  The benefit of this method is that child-level domains can be created

below the second-layer domains.

 

 

Planning Organizational Units

 

OUs should reflect the details of the organization’s business structure.  Create OUs to
delegate administrative control over smaller groups of users, groups, and resources.  Because
top-level OUs can hold additional levels of OUs, one can extend the level of detail as far as
necessary.

 

OUs eliminate the need to provide users with administrative access at the domain level to

perform tasks such as creating computer accounts and setting passwords.

 

OUs inherit security policies from the parent domain and parent OU unless inheritance is
specifically disabled.

 

 

Creating the OU Structure

 

In the design phase, you should create an OU for the first domain in the namespace.  Then,
use that domain and OU structure as a model for any domains added to the enterprise.
When you create an OU, you must give careful consideration to who should control the
objects.  You should determine which administrators will have access and which ones
should not.

 

 


OU Design Guidelines

 

Use the following guidelines when creating OUs for your enterprise:

 

 

  1. Create OUs to delegate administration.
  2. Create a logical and meaningful OU structure that allows OU administrators to complete their
tasks efficiently.
  3. Create OUs to apply security policies.
  4. Create OUs to provide or restrict visibility of published resources from certain users.
  5. Create OU structures that are relatively static.
  6. Avoid allocating too many child objects to any OU.

 

As you begin to design the OU structure, remember to create OU and object names that are
hierarchical, uniform, static, and general enough to use in any domain in the enterprise.

 

One method of creating the OU structure for the first domain is to name the top-level OUs,
which become headers that define the more detailed OUs and objects beneath them.

 

If there are multiple domains in the design, determine whether the OU structure can be used
across all domains.  If not, rethink the design.

 

 

Structure of OU Hierarchy

 

Many organizations base their domain structure on a model that mirrors their business.    The

following categories provide different ways to classify your OU hierarchy:

 

 

Administration or Object-Based OUs

 

In Active Directory services, you can create OUs based on objects, such as users, computers,
applications, groups, printers, security policies and more.  Creating administration-based OUs
in a logical and meaningful manner helps administrators do their jobs quickly and easily.

 

 


Geographical-Based OUs

 

If you expect your company to change geographically, you may not want to base your OU

naming structure on that.

 

 

Business Function-Based OUs

 

You can create OUs based on business functions, such as marketing, IT, and operations.

 

 

Department-Based OUs

 

Create OUs that mirror a department’s cost center association.  This will become unstable if

the company does some restructuring.

 

 

Project-Based OUs

 

Use this type of OU model to align a cost center with a project rather than with a department.  

Some organizations’ business is project-driven, for example, software developers, the airline

industry, and more.  This is not a recommended OU structure because it is not considered static.

 

 

 

Planning a Site

 

Up to this point, the discussion has revolved around the logical structure.  It is important to
consider the physical layout also.  The physical design of a Windows 2000 Server-based network
is demarcated by site.  A site is a combination of one or more IP subnets connected by a
high-speed link.  Often, a site has the same boundaries as a local area network (LAN) or
a very high-bandwidth WAN like an OC3 SONET (155 Mbps) or T3 (45 Mbps) WAN.

 

The Active Directory replication engine allows you to differentiate between replication that
takes place over a local network connection and replication that takes place over a
low-bandwidth WAN connection.  Network traffic within a site will generally be greater
than traffic between sites.  Sites are used in two ways:

 

Workstation logon.  When a user logs on, Active Directory services-enabled clients will try
to find a domain controller in the same site as the user’s computer to service the user’s
logon request and subsequent requests for network information.

 

 


Directory replication.  The schedule and path for replication of a domain’s directory can be
configured differently for intersite replication, as opposed to replication within a site.
Generally, replication between sites is scheduled to be less frequent than replication within a site.

 

 In Active Directory, sites are not part of the namespace.  When you browse the network

you will see users grouped into domains and OUs, not sites.  Sites contain only computer

objects and connection objects used to configure intersite replication.

 

When planning how to group subnets into sites, consider the connection speed between

subnets.  Use the following guidelines when planning to combine subnets into sites:

 

 

  •   Combine only those subnets that share fast, inexpensive, and reliable network connections. 
  •   “Fast” network connections have at least 512 Kbps of unused bandwidth that can be

dedicated to replication traffic.

  •   Configure your site so that replication occurs at times that will not interfere with network

performance.

 

Domain structure and site structure are maintained separately in Active Directory services. 

A single domain can span multiple sites, and a single site can include multiple domains or

parts of multiple domains. 

 

*******   See diagram page 267 *******

 

 

Optimizing Workstation Logon Traffic

 

When planning sites, consider which domain controllers the workstations on each subnet
should use.  To have a particular workstation log on to a specific set of domain controllers,
define the sites so that only those domain controllers are in the same site as that workstation.
When planning sites, also consider where the domain controllers will be located.  Because each
domain controller must participate in directory replication with the other domain controllers
in its domain, you must configure sites so that replication occurs at times or intervals that
will not interfere with network performance.

 

 


=====================================================================
Workstations        Create a Site?    Notes
=====================================================================
One to five         No                Users are authenticated across a slow link.
                                      The slow link will not be subjected to domain
                                      replication traffic.

More than five      Yes               Locate domain controllers locally to speed up
                                      authentication of users in the local site.
                                      Replication traffic can be set to occur on
                                      slow links at off-peak times and at less
                                      frequent intervals.
=====================================================================
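As an added example (not from the course notes), the planning rules above can be applied mechanically: group subnets only across fast, inexpensive, reliable links, then use the workstation table to decide whether each group gets its own site with a local domain controller. It generalizes the rules to any topology; the subnets, link figures and workstation counts are constructed sample data, while the 512 Kbps and five-workstation thresholds are the ones in the text.

```python
"""Added example, not from the course notes: group IP subnets into candidate
Active Directory sites and decide which of them warrant a local domain controller."""
from collections import defaultdict

FAST_LINK_KBPS = 512   # text: a "fast" link has >= 512 Kbps of unused bandwidth for replication
SMALL_SITE_MAX = 5     # table: one to five workstations do not justify a site with a local DC


def group_subnets(subnets, links):
    """Union-find over subnets.  Two subnets land in the same site only when the
    link between them is fast (spare bandwidth >= FAST_LINK_KBPS), inexpensive and
    reliable, which is the "combine only those subnets" guideline.
    links: iterable of (subnet_a, subnet_b, spare_kbps, inexpensive, reliable)."""
    parent = {s: s for s in subnets}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]   # path halving keeps the tree shallow
            s = parent[s]
        return s

    for a, b, spare_kbps, inexpensive, reliable in links:
        if a not in parent or b not in parent:
            continue                        # ignore links to subnets we are not planning
        if spare_kbps >= FAST_LINK_KBPS and inexpensive and reliable:
            parent[find(a)] = find(b)

    sites = defaultdict(list)
    for s in subnets:
        sites[find(s)].append(s)
    return sorted(sorted(members) for members in sites.values())


def plan_sites(subnets, links):
    """subnets: {subnet_name: workstation_count}.  For each candidate site, report
    its subnets, its workstation total and whether to create it as a site with a
    local DC (more than five workstations).  Smaller groups are left to authenticate
    across the slow link, so no replication traffic crosses that link."""
    plan = []
    for members in group_subnets(list(subnets), links):
        workstations = sum(subnets[s] for s in members)
        plan.append({
            "subnets": members,
            "workstations": workstations,
            "local_dc": workstations > SMALL_SITE_MAX,
        })
    return plan


# Constructed sample topology (not real data): a head-office campus and two branches.
SUBNETS = {
    "10.1.0.0/24": 200, "10.1.1.0/24": 50,   # campus LAN, two subnets
    "10.2.0.0/24": 3,                        # tiny branch behind a 128 Kbps line
    "10.3.0.0/24": 40, "10.3.1.0/24": 10,    # larger branch with two local subnets
}
LINKS = [
    ("10.1.0.0/24", "10.1.1.0/24", 10000, True, True),   # campus backbone
    ("10.1.0.0/24", "10.2.0.0/24", 128, False, True),    # slow, metered leased line
    ("10.1.0.0/24", "10.3.0.0/24", 256, False, True),    # slow, metered leased line
    ("10.3.0.0/24", "10.3.1.0/24", 2000, True, True),    # branch LAN
]

if __name__ == "__main__":
    for site in plan_sites(SUBNETS, LINKS):
        print(site)
```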

 

 

Lesson Summary:

 

  •   When designing Active Directory, you should carefully plan your layout and namespace, the

OUs and the sites.

  •   If the namespace is the same, the same top-level domain name appears on both sides of the

firewall.

  •   If the namespaces are different, the top-level domain name inside the firewall is different from
the top-level domain name outside the firewall.

  •   In addition to the namespace design, you must plan your OUs.
  •   The OUs should reflect the organizational layout of the company.
  •   When planning a site, combine only those subnets that share high-bandwidth, inexpensive,

and reliable network connections.

 

 

Lesson 3:  Implementing Active Directory Services

 

 

To launch the Active Directory Installation wizard, run Configure Your Server, which is located
on the Administrative Tools menu of the Start menu, and then select the Active Directory link.

 

As you install Active Directory services, you can choose either to add the new domain controller

to an existing domain or create the first domain controller for the new domain.

 

 

 


Adding a Domain Controller to an Existing Domain

 

If you choose to add a domain controller to an existing domain, you create a peer domain

controller.  Peer domain controllers are used for redundancy and to reduce the load on the

existing domain controllers.

 

 

Creating the First Domain Controller for a New Domain

 

If you choose to create the first domain controller for a new domain, not only will you be

creating a new domain controller, but also a new domain.  You can select a new child

domain or a new domain tree.

 

When you create a new domain tree, the new domain is not part of an existing domain. 

At this point, you can create a new forest or domain trees or join an existing forest.

 

 

*** See the diagram page 271 ***

 

 

CAUTION:  Running dcpromo.exe on a domain controller allows you to remove Active

Directory services from the domain controller and demote it to a stand-alone server.  If you

remove Active Directory services from all domain controllers in a domain, you also delete

the directory database for the domain, and the domain no longer exists.

 

 

The Database and Shared System Volume

 

When you install Active Directory services, the database, the database log files, and the

shared system volume are automatically created.

 

 

The Active Directory Database

 

The database is the directory for the new domain.  The default location for the database and
database log file is %systemroot%\Ntds, but you can change the path if you want.

 

For best results, place the database and the log file on separate hard disks.  Consider placing
the database on a hardware-level redundant array of independent disks (RAID) implementation
such as RAID-5 or RAID-10 (mirrored and striped disks) for fault tolerance and performance.

 

 

 

 

 


The directory database is actually stored in a file named Ntds.dit.

 

 

 The Shared System Volume

 

The shared system volume is a folder structure that exists on all Windows 2000 domain controllers
and stores scripts and some of the group policy objects.  The default location for the shared
system volume is %systemroot%\Sysvol, and it must be on an NTFS partition.

 

Replication occurs every 10 minutes.

 

 

Domain Modes

 

There are two domain modes:  Mixed mode and Native mode.

 

 

Mixed Mode

 

When you upgrade a domain controller it will run in Mixed mode, and it can interact with any

domain controller running Windows NT 3.51 or 4.0.

 

Also, a Windows 2000 Server computer always wins an election to become the master browser.

 

 

Native Mode

 

When all domain controllers in a domain run Windows 2000 Server, and you do not plan to
add any more down-level domain controllers, you can switch the domain from Mixed to Native mode.

  •   Support for down-level replication ceases.  Since down-level replication is gone, you can no
longer have any domain controllers in your domain that are not running Windows 2000 Server.
  •   You can no longer add new down-level domain controllers to the domain.
  •   The server that served as the PDC during migration is no longer the domain master; all domain
controllers are now peers.

 

 

NOTE:  The change from Mixed mode to Native mode is one way only; you cannot change from

Native mode to Mixed mode.

 

 

 

 


Lesson Summary:

 

  •  The Active Directory Installation wizard is used to install Active Directory services onto a

Windows 2000 Server computer.

  •  The Wizard can add domain controllers to a domain, create a new child domain, or create a

new domain tree.

  •  The directory database is stored in a file named Ntds.dit.
  •  There are two domain modes:  Mixed and Native.
  •  When you first install or upgrade a domain controller to Windows 2000 Server, the domain
controller runs in Mixed mode.
  •  When you do not plan to upgrade or add any more down-level domain controllers, you
can switch to Native mode.

 

 

Lesson 4:  Administering Active Directory Services

 

Once you have installed Active Directory services, you are ready to create objects.  You can
then manage those objects: create, modify, or delete them as needed.

 

 

Creating Organizational Units and Their Objects

 

Active Directory objects represent resources.  Each object is a distinct, named set of
attributes that represents a specific network resource.  Resources such as printers, accounts,
and groups each have an object created for them.

 

 

Before you create objects, you should create the OU that the object will go into.

 

 

Creating Organizational Units

 

You can create an OU under a domain, under the Domain Controller object, or within another

OU.  Once you create an OU you can add the objects to the OU.

 

Naturally you need the required permissions to create the OUs.  By default, members of the

Administrators group have the permissions to create OUs.

 

OUs are created to organize the network and simplify administration.  Think of them as Tupperware
containers used to organize toys in a closet!

 

You should create OUs for any of the following reasons:

 

 

 


  •   To delegate administrative control to other users or administrators.
  •   To group objects that require similar administrative tasks.
  •   To restrict visibility of network resources in the Active Directory store.  Users can view only

objects to which you have given them access.  Permissions can easily be changed for an OU

to restrict access to confidential network information.

 

 

You can create an OU in the Active Directory Users and Computers snap-in by selecting the

domain or existing OU where you want to create the new OU.

 

 

To refresh the policy, type this command at the Command Prompt (you can also put it in a
batch file, refresh.bat):

secedit /refreshpolicy machine_policy

 

 

 

Adding Objects to Organizational Units          ***IMPORTANT***

 

The objects you can add to an OU are determined by the rules of the schema, wizard, or
snap-in you use.

 

 

NOTE:  Object attributes (also referred to as properties) in the schema are categories of
information that define the characteristics of all instances of a defined object type.  All
instances of a certain object type have the same attributes.  The attribute values of any
object instance make it unique.  For example, all instances of a user object have a First
Name attribute; however, the value for the First Name attribute can be any name, such
as Linda or Max.

 

 

You can create object instances in the Active Directory Users and Computers snap-in. 

Select the OU that you want to add the object to, click the Action menu, point to New,

and then click the name of the object type that you want to add.

 

 

 

 

 

 


Active Directory Objects

 

 

Active Directory uses icons to represent objects.

 

=====================================================================
Object                 Description
=====================================================================
Computer               A computer on the network.

Contact                Contacts are typically used to represent external
                       users for the purpose of e-mail.

Group                  A group object can contain users, computers, and
                       other groups.

Printer                A printer object is a network printer that has been
                       published in the directory.  The object is actually
                       a pointer to the printer.

User                   A user object is a security principal in the
                       directory.  The information in this object allows
                       a user to log on to Windows 2000.

Shared Folder          A shared folder object is a network share that has
                       been published in the directory.
=====================================================================

 

Managing Active Directory Objects

 

The process of managing Active Directory objects involves several different tasks, such as locating

objects, modifying and deleting objects, and moving objects.  You must have the proper permissions

to add, delete or modify objects.

 

Locating Objects

 

The global catalog is similar to the yellow pages, or a type of index.  It only has the most important

parts of Active Directory and it can be used to locate a user by keying in on the name, address or

phone number.

 

The contents of the global catalog are automatically generated by Active Directory services from

the domains that make up the directory.  In essence the global catalog is an abbreviated version of

Active Directory.

 

 

 


To locate Active Directory objects, open the Active Directory Users and Computers snap-in located

in the Administrative Tools folder.  Then right click a domain or OU in the console tree, and click Find.

 

The Find option searches the global catalog for the user account or name you are searching for.

 

 

The Main Window

 

 

The main window contains two tabs, the object tab and the Advanced tab, and two drop-down
menus: Find (the type of objects to include in the search) and In (the location that you
want to search, which can be the entire Active Directory store, a specific domain, or an OU).
By default, the domain you are in is selected.

 

 

Users, Contacts, and Groups Tab

 

The tab contains Name and Description text boxes.  You can search in one or both; the search
is based on the combination of the two.  You can also use wildcards in either text box to
conduct a search.

 

 

Advanced Tab

 

The Advanced tab provides you with advanced search features that you can use in conjunction

with the object tab or use by themselves.

 

====================================================================
Field                  Description
====================================================================
Field                  List of attributes for which the search is performed.

Condition              The methods that are available to further define the search for
                       an attribute.

Value                  The value for the condition of the field (attribute) that you
                       are using to search the directory.

Search Criteria        The definition of the search criteria.
====================================================================

 

 


Results Window

The results window opens at the bottom of the main window and displays the results of your
search after you click Find Now, which is located on the main window.

 

 

Modifying Attribute Values and Deleting Objects

 

You can add and modify objects.  When you modify an object, the values of the attributes associated with it change.

 

NOTE:  Do not confuse modifying an object’s attribute values with adding, deleting, or

modifying objects or attributes in the schema.  Schema modifications are permanent and are

replicated to all domain controllers in the forest.

 

You can modify the attributes by opening the Active Directory Users and Computers snap-in.
From the Action menu, access the properties to make the changes.  You can also delete objects
from this menu.

 

 

Moving Objects

 

You can move objects in Active Directory to other locations, such as other OUs.  This option

is also in the Active Directory Users and Computers snap-in.

 

 

Controlling Access to Active Directory Objects

 

 

Windows 2000 uses an object-based security model to implement access control for all Active

Directory objects.  This security model is similar to the one that Windows 2000 uses to

implement NTFS security.

 

 

Managing Active Directory Permissions

 

Active Directory security permissions determine who can gain access to an object and what type
of access is allowed.  Remember that the owner of the object or an administrator must be the
one assigning the permissions to the object.  There is an ACL for every object in Active Directory.

 

 


Object Permissions

 

The object type determines which permissions you can select.  A user can be a member of multiple
groups, and each group can carry its own, different permissions.  The user’s effective
permissions are the combination of the user’s own permissions and the group permissions.

You can allow or deny permissions.  Denied permissions take precedence over any allowed
permissions for users and groups; Deny always overrides when you are combining permissions.
If a user has a Deny permission and a group that the user belongs to has the Full Control
permission, the user’s effective permission is Deny.

 

 

NOTE:  Always ensure that all objects have at least one user with the Full Control permission. 

Failure to do so might result in some objects being inaccessible to the person who is using the

Active Directory Users And Computers snap-in, even an administrator.
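As an added example, not from the course notes, the following Python works out a user's effective rights from an object's ACL using the two rules just stated (user and group entries combine; Deny wins) and checks the guideline in the note above that at least one trustee must be left with Full Control. The ACL, the user and group names, and the simplified list of individual rights are constructed for the example.

```python
"""Added example, not from the course notes: compute effective Active Directory
permissions from an object's ACL, with explicit Deny overriding any Allow."""
from dataclasses import dataclass

# Simplified, constructed set of individual rights (the real list depends on the
# object type).  "Full Control" is shorthand for all of them.
RIGHTS = frozenset({"Read", "Write", "Create Child", "Delete Child", "Change Permissions"})
FULL_CONTROL = "Full Control"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: who it names, Allow or Deny, and which permission."""
    trustee: str      # a user or a group name
    kind: str         # "Allow" or "Deny"
    permission: str   # one of RIGHTS, or FULL_CONTROL


def expand(permission):
    """Full Control stands for every individual right."""
    return set(RIGHTS) if permission == FULL_CONTROL else {permission}


def effective_rights(acl, user, groups):
    """Rights the user actually gets: the union of every Allow entry that names
    the user or one of the user's groups, minus every matching Deny entry.
    A Deny on a single right therefore carves that right out of a group's
    Full Control, which is the case described in the text."""
    trustees = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in trustees:
            continue
        target = denied if ace.kind == "Deny" else allowed
        target |= expand(ace.permission)
    return allowed - denied


def describe(rights):
    """Report Full Control only when no right has been carved out by a Deny."""
    if rights == RIGHTS:
        return FULL_CONTROL
    return ", ".join(sorted(rights)) or "(no access)"


def full_control_holders(acl):
    """Trustees that still hold Full Control once Deny entries are applied.  The
    guideline in the text is that this list must never be empty, or the object
    can become unmanageable even for an administrator."""
    trustees = {ace.trustee for ace in acl}
    return sorted(t for t in trustees if effective_rights(acl, t, ()) == RIGHTS)


# Constructed sample ACL for a user object (not real data).
SAMPLE_ACL = [
    Ace("Domain Admins", "Allow", FULL_CONTROL),
    Ace("Help Desk", "Allow", FULL_CONTROL),
    Ace("Sales", "Allow", "Read"),
    Ace("alice", "Deny", "Write"),      # explicit Deny placed on the user herself
]

if __name__ == "__main__":
    # alice is in Help Desk (Full Control) but carries a Deny Write: the Deny wins.
    print(describe(effective_rights(SAMPLE_ACL, "alice", ["Sales", "Help Desk"])))
    print(describe(effective_rights(SAMPLE_ACL, "bob", ["Sales"])))
    print(full_control_holders(SAMPLE_ACL))
```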

 

 

Assigning Active Directory Permissions

 

Standard permissions are sufficient for most administrative tasks.  Additional special
permissions are available on the Advanced tab through View/Edit.

 

 

Permissions Inheritance

 

When you are setting up permissions, you can clear the inheritance check box and set up
the permissions from scratch.  The check box is Allow Inheritable Permissions From Parent To
Propagate To This Object.

 

To prevent inheritance, Windows 2000 will allow you to do the following:

 

  •   Copy previously inherited permissions to the object.  Copying keeps those permissions on
the object but prevents further inheritance.
  •   Remove previously inherited permissions from the object.  Windows 2000 removes any
previously inherited permissions.

 

 


Delegating Administrative Control of Objects

 

You can delegate administrative control of objects to individuals so that they can perform
administrative tasks on the objects.  There are different ways to delegate control of objects, and
there are also guidelines for delegating control.

 

You can assign permissions to a user who can act as an Administrator of certain objects.  These

objects can be within a Container.  This Administrator can delegate the following types of control:

 

  •   Assigning permissions to a user or group to create or modify objects in a specific OU
  •   Assigning permissions to a user or group to modify specific permissions for the attribute of an

object, such as assigning the permission to reset passwords on a user account object.

 

 

It is easier to track permissions at the OU level than the Object level.

 

To help you delegate administrative control, follow these guidelines:

 

  • Assign control at the OU level whenever possible.
  • Use the Delegation of Control Wizard.
  • Track the delegation of permission assignments.
  • Follow business requirements.

 

 

Delegation of Control Wizard

 

This wizard is started from the Active Directory Users And Computers snap-in: select the OU for
which you want to delegate control, and then run the wizard.

 

 

Guidelines for Administering Active Directory Services:

 

Follow this list of best practices:

 

  •   In larger organizations, coordinate your Active Directory structure with other

administrators. 

  •   When you create Active Directory objects, such as users, complete all attributes that

are important to your organization.

  •   Use Deny permissions sparingly. 
  •   Always ensure that at least one user has Full Control so you are not locked out of

any objects.

  •   Ensure that delegated users take responsibility and can be held accountable.

 

 

 


  •   Provide training for users who have control of objects.  Ensure that the users to

whom you delegate responsibility understand their responsibility and know how to

perform the administrative tasks.

 

 

Lesson Summary:

 

  •   Once you install Active Directory, you can create and manage the objects stored within
the directory.
  •   To add objects you must have the required permissions.
  •   You can modify and delete objects in Active Directory.
  •   You can assign permissions to a user and put the user in an administrative OU so that
they are responsible for a certain set of attributes.  This can be done in the Active
Directory Users And Computers snap-in.
  •   Assign permissions to users wisely, so that you do not have to assign Deny
permissions at all.