Understanding Directory Services:
A directory is a stored collection of information about objects that are related to one another in some way. For example, an e-mail address book stores names of users or entities and their corresponding e-mail addresses. The e-mail address book listing might also contain a street address or other information about the user or entity.
In a distributed computing system or a public computer network such as the Internet, there are many objects stored in a directory, such as file servers, printers, fax servers, applications, databases, and users. Users must be able to locate and use these objects. Administrators must be able to manage how these objects are used. A directory service stores all the information needed to use and manage these objects in a centralized location, simplifying the process of locating and managing these resources. A directory service differs from a directory in that it is both the source of the information and the mechanism that makes the information available to the users.
A directory service acts as the main switchboard of the network operating system. It is the central authority that manages the identities and brokers the relationships between distributed resources, enabling them to work together. Because a directory service supplies these fundamental operating system functions, it must be tightly coupled with the management and security mechanisms of the operating system to ensure the integrity and privacy of the network. It also plays a critical role in an organization’s ability to define and maintain the network infrastructure, perform system administration, and control the overall user experience of a company’s information systems.
Active Directory Services Features:
■ Centralized data store All data in Active Directory resides in a single, distributed data repository, allowing users easy access to the information from any location. A single distributed data store requires less administration and duplication and improves the availability and organization of data.
■ Scalability Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.
■ Extensibility The structure of the Active Directory database (the schema) can be expanded to allow customized types of information.
■ Manageability In contrast to the flat domain model used in Windows NT, Active Directory is based on hierarchical organizational structures. These organizational structures make it easier for you to control administrative privileges and other security settings, and make it easier for your users to locate network resources such as files and printers.
■ Integration with the Domain Name System (DNS) Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although separate and implemented differently for different purposes, Active Directory and DNS have the same hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the Windows Server 2003 DNS service, primary DNS zones can be stored in Active Directory, enabling replication to other Active Directory domain controllers.
■ Client configuration management Active Directory provides new technologies for managing client configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user downtime.
■ Policy-based administration In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given site, domain, or organizational unit. Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop lockdown.
■ Replication of information Active Directory provides multimaster replication technology to ensure information availability, fault tolerance, load balancing, and other performance benefits. Multimaster replication enables you to update the
■ Flexible, secure authentication and authorization Active Directory authentication and authorization services provide protection for data while minimizing barriers to doing business over the Internet. Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active Directory provides security groups that span domains.
■ Security integration Active Directory is integrated with Windows Server 2003 security. Access control can be defined for each object in the directory and on each property of each object. Security policies can be applied locally, or to a specified site, domain, or organizational unit.
■ Directory-enabled applications and infrastructure Features within Active Directory make it easier for you to configure and manage applications and other directory-enabled network components. In addition, Active Directory provides a powerful development environment through Active Directory Service Interfaces (ADSI).
■ Interoperability with other directory services Active Directory is based on standard directory access protocols, including Lightweight Directory Access Protocol (LDAP) version 3, and the Name Service Provider Interface (NSPI), and can interoperate with other directory services employing these protocols. Because the LDAP directory access protocol is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP. The NSPI protocol, which is used by Microsoft Exchange Server 4 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.
■ Signed and encrypted LDAP traffic By default, Active Directory tools in Windows Server 2003 sign and encrypt all LDAP traffic. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with in transit.
Active Directory Objects
The data stored in Active Directory, such as information about users, printers, servers, databases, groups, computers, and security policies, is organized into objects. An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account object might include the user’s first name, last name, and logon name, while the attributes of a computer account object might include the computer name and description.
Some objects, known as containers, can contain other objects. For example, a domain is a container object that can contain objects such as user and computer accounts. In Figure 1-2, the Users folder is a container that contains user account objects.
Active Directory Schema
The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. Because the schema definitions themselves are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory.
The schema is defined by two types of objects:
1. schema class objects
2. schema attribute objects
Schema class objects and attribute objects are collectively referred to as schema objects or metadata.
1. Schema class objects describe the possible Active Directory objects that can be created. A schema class functions as a template for creating new Active Directory objects. Each schema class is a collection of schema attribute objects. When you create a schema class, the schema attributes store the information that describes the object. The User class, for example, is composed of many schema attributes, including Network Address and Home Directory. Every object in Active Directory is an instance of a schema class object.
2. Schema attribute objects define the schema class objects with which they are associated. Each schema attribute is defined only once and can be used in multiple schema classes. For example, the Description attribute is used in many schema classes, but is defined only once in the schema, which ensures consistency.
A set of basic schema classes and attributes is shipped with Active Directory. Experienced developers and network administrators can dynamically extend the schema by defining new classes and new attributes for existing classes. For example, if you need to provide information about users that is not currently defined in the schema, you must extend the schema for the User class. However, extending the schema is an advanced operation that can have serious consequences. Because schema objects cannot be deleted, only deactivated, and because schema changes are automatically replicated, you must plan and prepare carefully before extending the schema.
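The relationships described above (attributes defined once and reused by many classes, every object an instance of a class, schema extension by adding attributes to a class, and deactivation in place of deletion) can be modelled in a few dozen lines. The following is an added example written for this page, not Microsoft code or the real schema format; the attribute names follow the page's own examples in LDAP style, and "employeeBadgeNumber" is an invented extension attribute.

```python
# Toy model of the schema rules described above (an added example, not Microsoft code):
# attribute definitions exist exactly once, classes are collections of attribute
# names, objects are validated as instances of a class, and schema objects are
# deactivated rather than deleted. Attribute names follow the page's examples in
# LDAP style; "employeeBadgeNumber" is an invented extension attribute.
from dataclasses import dataclass, field

SYNTAX_TYPES = {"string": str, "integer": int}


@dataclass
class SchemaAttribute:
    name: str
    syntax: str
    active: bool = True


@dataclass
class SchemaClass:
    name: str
    attributes: set = field(default_factory=set)
    active: bool = True


class Schema:
    def __init__(self):
        self.attributes: dict[str, SchemaAttribute] = {}
        self.classes: dict[str, SchemaClass] = {}

    def define_attribute(self, name, syntax):
        # An attribute is defined once and may then be used by many classes.
        if name in self.attributes:
            raise ValueError(f"attribute {name!r} is already defined")
        if syntax not in SYNTAX_TYPES:
            raise ValueError(f"unknown syntax {syntax!r}")
        self.attributes[name] = SchemaAttribute(name, syntax)

    def define_class(self, name, attribute_names):
        # A class may only reference attributes that already exist in the schema.
        missing = set(attribute_names) - self.attributes.keys()
        if missing:
            raise ValueError(f"class {name!r} uses undefined attributes {sorted(missing)}")
        self.classes[name] = SchemaClass(name, set(attribute_names))

    def extend_class(self, class_name, attribute_name):
        # Schema extension: attach an existing attribute definition to a class.
        if attribute_name not in self.attributes:
            raise ValueError(f"define {attribute_name!r} before adding it to a class")
        self.classes[class_name].attributes.add(attribute_name)

    def deactivate_attribute(self, name):
        # There is no delete operation: the definition stays, flagged inactive.
        self.attributes[name].active = False

    def validate_object(self, class_name, values):
        """Return a list of problems for an object instance (empty means valid)."""
        cls = self.classes.get(class_name)
        if cls is None or not cls.active:
            return [f"no active class {class_name!r}"]
        problems = []
        for attr, value in values.items():
            if attr not in cls.attributes:
                problems.append(f"{attr!r} is not an attribute of {class_name!r}")
                continue
            definition = self.attributes[attr]
            if not definition.active:
                problems.append(f"{attr!r} is deactivated")
            elif not isinstance(value, SYNTAX_TYPES[definition.syntax]):
                problems.append(f"{attr!r} must have syntax {definition.syntax}")
        return problems


def build_sample_schema():
    """The base schema that 'ships' in this toy: three attributes, two classes."""
    schema = Schema()
    schema.define_attribute("description", "string")    # reused by both classes below
    schema.define_attribute("networkAddress", "string")
    schema.define_attribute("homeDirectory", "string")
    schema.define_class("user", {"description", "networkAddress", "homeDirectory"})
    schema.define_class("computer", {"description", "networkAddress"})
    return schema


def extension_walkthrough():
    """Validate a user, extend the user class, validate again, then deactivate."""
    schema = build_sample_schema()
    user = {"description": "Analyst", "homeDirectory": r"\\fs1\ann", "employeeBadgeNumber": 4711}
    before = schema.validate_object("user", user)           # badge attribute rejected
    schema.define_attribute("employeeBadgeNumber", "integer")
    schema.extend_class("user", "employeeBadgeNumber")
    after = schema.validate_object("user", user)            # now valid
    schema.deactivate_attribute("employeeBadgeNumber")
    deactivated = schema.validate_object("user", user)      # value refused again
    return before, after, deactivated


if __name__ == "__main__":
    for stage, problems in zip(("before", "after", "deactivated"), extension_walkthrough()):
        print(stage, problems or "valid")
```

The walkthrough shows why the page calls extension an advanced operation: once the attribute is in the class it is accepted everywhere, and after deactivation existing objects that still carry a value fail validation instead of silently losing it.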
Active Directory Components
Various Active Directory components are used to build a directory structure that meets the needs of your organization. The following Active Directory components represent logical structures in an organization: domains, organizational units (OUs), trees, and forests. The following Active Directory components represent physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.
In Active Directory, you organize resources in a logical structure—a structure that mirrors organizational models—using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a resource by its name rather than by remembering its physical location. Because you group resources logically, Active Directory makes the network’s physical structure transparent to users. Figure 1-4 illustrates the relationship of the Active Directory domains, OUs, trees, and forests.
Domains The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network. These vital objects are items the members of the networked community need in order to do their jobs: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. A directory is made up of one or more domains. A domain can span more than one physical location.
Domains share the following characteristics:
■ All network objects exist within a domain, and each domain stores information only about the objects that it contains.
■ A domain is a security boundary. Access to domain objects is governed by access control lists (ACLs), which contain the permissions associated with the objects. Such permissions control which users can gain access to an object and what type of access they can gain. In the Windows Server 2003 family, objects include files, folders, shares, printers, and other Active Directory objects. None of the security policies and settings—such as administrative rights, security policies, and ACLs—can cross from one domain to another. You, as the domain administrator, have absolute rights to set policies only within your domain.
OUs An OU is a container used to organize objects within a domain into a logical administrative group. OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion.
Trees A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson. Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain. In Figure 1-6, microsoft.com is the parent domain and us.microsoft.com and uk.microsoft.com are its child domains. The child domain of uk.microsoft.com is sls.uk.microsoft.com. By creating a hierarchy of domains in a tree, you can retain security and allow for administration within an OU or within a single domain of a tree. The tree structure easily accommodates organizational changes.
Forests A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
■ All domains in a forest share a common schema.
■ All domains in a forest share a common global catalog.
■ All domains in a forest are linked by implicit two-way transitive trusts.
■ Trees in a forest have different naming structures, according to their domains.
■ Domains in a forest operate independently, but the forest enables communication across the entire organization.
In Figure 1-7, the microsoft.com and msn.com trees form a forest. The namespace is contiguous only within each tree.
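The naming rules above are mechanical enough to compute: a child domain's DNS name is its relative name prepended to the parent's name, so a domain whose immediate parent name is not in the forest starts a new tree, and the forest namespace is contiguous only within a tree. The code below is an added example (not from the book or from Microsoft) that derives tree roots and parent-child relationships from the domain names used in Figures 1-6 and 1-7, and converts a DNS name to the LDAP distinguished name Active Directory uses for the domain partition.

```python
# Added example (not from the book): derives the tree structure of a forest from
# its domains' DNS names, using the names shown in Figures 1-6 and 1-7. A domain
# is a child of the domain whose name is its own name with the leftmost label
# removed; a domain with no such parent in the forest starts a new tree.


def dns_to_dn(domain):
    """DNS name to the LDAP distinguished name AD uses for the domain partition."""
    return ",".join(f"DC={label}" for label in domain.lower().split("."))


def immediate_parent(domain):
    """uk.microsoft.com -> microsoft.com; a single-label name has no parent."""
    labels = domain.lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def build_forest(domains):
    """Return (tree_roots, children) where children maps each domain to its child domains."""
    forest = {d.lower() for d in domains}
    children = {d: [] for d in forest}
    roots = []
    for d in sorted(forest):
        parent = immediate_parent(d)
        if parent in forest:
            children[parent].append(d)
        else:
            roots.append(d)          # no parent in the forest: this is a tree root
    return roots, children


def tree_root(domain, domains):
    """Walk up the contiguous namespace until the tree root is reached."""
    forest = {d.lower() for d in domains}
    current = domain.lower()
    if current not in forest:
        raise ValueError(f"{domain} is not in this forest")
    while (parent := immediate_parent(current)) in forest:
        current = parent
    return current


def same_tree(a, b, domains):
    """Two domains share a contiguous namespace iff they hang off the same tree root."""
    return tree_root(a, domains) == tree_root(b, domains)


# The forest from Figures 1-6 and 1-7: one tree under microsoft.com, a second under msn.com.
FOREST = ["microsoft.com", "us.microsoft.com", "uk.microsoft.com",
          "sls.uk.microsoft.com", "msn.com"]

if __name__ == "__main__":
    roots, children = build_forest(FOREST)
    print("tree roots:", roots)
    for parent, kids in children.items():
        if kids:
            print(f"{parent} -> {kids}   ({dns_to_dn(parent)})")
```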
The physical components of Active Directory are sites and domain controllers. As an administrator, you use these components to develop a directory structure that mirrors the physical structure of your organization.
Sites A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only subnets that have fast, cheap, and reliable network connections with one another. “Fast” network connections are at least 512 kilobits per second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.
With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and the connection objects used to configure replication between sites. As shown in Figure 1-8, a single domain can span one or more geographical sites, and a single site can include user accounts and computers belonging to multiple domains.
Domain Controllers A domain controller is a computer running Windows Server 2003 that stores a replica of the domain directory (local domain database). Because a domain can contain one or more domain controllers, each domain controller in a domain has a complete replica of the domain’s portion of the directory. A domain controller can service only one domain. A domain controller also authenticates user logon attempts and maintains the security policy for a domain.
The following list describes the functions of domain controllers:
■ Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
■ Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that each domain controller replicates at one time.
■ Domain controllers immediately replicate certain important updates, such as the disabling of a user account.
■ Active Directory uses multi-master replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.
■ Although Active Directory supports multi-master replication, some changes are impractical to perform in multi-master fashion. One or more domain controllers can be assigned to perform single-master replication (operations not permitted to occur at different places in a network at the same time). Operations master roles are special roles assigned to one or more domain controllers in a domain to perform single-master replication.
■ Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute’s property version number, a number specific to an attribute that is initialized upon creation of the attribute. Active Directory resolves the collision by replicating the changed attribute with the higher property version number.
■ Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.
■ Domain controllers manage all aspects of users’ domain interaction, such as locating Active Directory objects and validating user logon attempts.
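The collision rule in the list above has a consequence worth seeing in action: the attribute value with the higher property version number wins even when it is not the most recent write. The simulation below is an added example (not Microsoft code) with two domain controllers, per-attribute version numbers, and a pull-style replication step; the DC names, the object and the values are constructed. When versions are equal it falls back to the later originating timestamp, which is standard Active Directory behaviour but is not stated on this page.

```python
# Added example, not Microsoft code: a simulation of the per-attribute property
# version numbers that domain controllers compare to detect and resolve
# replication collisions. DC names, the object and the values are constructed.
# The tie-break on originating timestamp when versions are equal is standard
# Active Directory behaviour but is not stated on this page.
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeValue:
    value: str
    version: int          # property version number, incremented on each originating write
    timestamp: int        # time of the originating write; only consulted when versions tie
    originating_dc: str


class DomainController:
    def __init__(self, name):
        self.name = name
        # (object DN, attribute name) -> current value with its replication metadata
        self.store: dict[tuple[str, str], AttributeValue] = {}

    def originating_write(self, obj_dn, attr, value, at):
        """A change made directly on this DC: bump the version, stamp it with this DC."""
        current = self.store.get((obj_dn, attr))
        version = current.version + 1 if current else 1
        self.store[(obj_dn, attr)] = AttributeValue(value, version, at, self.name)

    def replicate_from(self, partner):
        """Pull the partner's attributes; return the keys on which a collision was resolved."""
        collisions = []
        for key, theirs in partner.store.items():
            mine = self.store.get(key)
            if mine is None or mine == theirs:
                self.store[key] = theirs        # nothing to reconcile
                continue
            collisions.append(key)
            # Higher version wins; equal versions fall back to the later originating write,
            # then to the DC name so that every replica picks the same winner.
            winner = max(mine, theirs, key=lambda v: (v.version, v.timestamp, v.originating_dc))
            self.store[key] = winner
        return collisions


USER = "CN=Ann,OU=Sales,DC=example,DC=com"   # constructed object


def version_beats_recency():
    """Two changes on DC1 (version 3) outrank a later single change on DC2 (version 2)."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.originating_write(USER, "title", "Analyst", at=1)
    dc2.replicate_from(dc1)                                       # both hold version 1
    dc1.originating_write(USER, "title", "Analyst II", at=5)      # version 2
    dc1.originating_write(USER, "title", "Senior Analyst", at=6)  # version 3
    dc2.originating_write(USER, "title", "Lead Analyst", at=9)    # version 2, but latest in time
    collisions = dc2.replicate_from(dc1) + dc1.replicate_from(dc2)
    return dc1.store[(USER, "title")].value, dc2.store[(USER, "title")].value, len(collisions)


def equal_versions_use_timestamp():
    """One change on each DC (both version 2): the later originating write wins."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.originating_write(USER, "title", "Analyst", at=1)
    dc2.replicate_from(dc1)
    dc1.originating_write(USER, "title", "Analyst II", at=5)
    dc2.originating_write(USER, "title", "Lead Analyst", at=9)
    dc2.replicate_from(dc1)
    dc1.replicate_from(dc2)
    return dc1.store[(USER, "title")].value, dc2.store[(USER, "title")].value


if __name__ == "__main__":
    print(version_beats_recency())         # ('Senior Analyst', 'Senior Analyst', 1)
    print(equal_versions_use_timestamp())  # ('Lead Analyst', 'Lead Analyst')
```

Both replicas converge on the same value after one exchange in each direction, which is the property that matters for multi-master replication: the resolution is a deterministic function of the metadata, not of which partner happened to replicate first.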
Catalog Services—The Global Catalog:
Active Directory allows users and administrators to find objects such as files, printers, or users in their own domain. However, finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity. A catalog service contains selected information about every object in all domains in the directory, which is useful in performing searches across an enterprise. The global catalog is the catalog service provided by Active Directory.
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to replicate the global catalog information between global catalog servers in other domains. A global catalog server stores a full replica of all object attributes in the directory for its host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The partial replica stores the attributes most frequently used in search operations (such as a user’s first and last names, logon name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in their source domains, ensuring that data in the global catalog is secure.
Global Catalog Functions
The global catalog performs the following two key functions:
■ It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
■ It enables finding directory information regardless of which domain in the forest actually contains the data.
Users and services should be able to access directory information at any time from any computer in the domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. Directory information is replicated to domain controllers both within and among sites.
What Information Is Replicated?
The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories. Each of these information categories is referred to as a directory partition. A directory partition is also referred to as a naming context. These directory partitions are the units of replication. The directory contains the following partitions:
1. Schema partition: This partition defines the objects that can be created in the directory and the attributes those objects can have. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.
2. Configuration partition: This partition describes the logical structure of the deployment, including data such as domain structure or replication topology. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.
3. Domain partition: This partition describes all of the objects in a domain. This data is domain-specific and is not replicated to any other domains. However, the data is replicated to every domain controller in that domain.
4. Application Directory partition: This partition stores dynamic application-specific data in Active Directory without significantly affecting network performance by enabling you to control the scope of replication and the placement of replicas. The application directory partition can contain any type of object except security principals (users, groups, and computers). Data can be explicitly rerouted to administrator-specified domain controllers within a forest in order to prevent unnecessary replication traffic, or it can be set to replicate everything to all domain controllers in the same fashion as the schema, configuration, and domain partitions.
■ A domain controller stores and replicates:
1. The schema partition data for a forest.
2. The configuration partition data for all domains in a forest.
3. The domain partition data (all directory objects and properties) for its domain. This data is replicated to additional domain controllers in the domain. For the purpose of finding information, a partial replica containing commonly used attributes of all objects in the domain is replicated to the global catalog.
■ A global catalog stores and replicates:
1. The schema partition data for a forest
2. The configuration partition data for all domains in a forest
3. A partial replica containing commonly used attributes for all directory objects in the forest (replicated between global catalog servers only)
4. A full replica containing all attributes for all directory objects in the domain in which the global catalog is located
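The partition rules in this section determine, for any domain controller, exactly which naming contexts it holds and whether each is a full or a partial replica, and conversely which servers receive a change made in a given partition. The following is an added example written for this page (not Microsoft code) that encodes those rules; the forest layout, server names and the application partition name "DC=InventoryApp,DC=example,DC=com" are constructed.

```python
# Added example, not Microsoft code: works out which directory partitions a
# given domain controller holds, and as full or partial replica, from the rules
# above. The forest layout, server names and the application partition
# "DC=InventoryApp,DC=example,DC=com" are constructed for the example.


def domain_dn(domain):
    """corp.example.com -> DC=corp,DC=example,DC=com (the domain partition's name)."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def replicas_held(dc, forest, global_catalogs, app_partitions):
    """Return {partition name: "full" | "partial"} for one domain controller.

    forest: {domain name: [dc names]}; global_catalogs: set of dc names;
    app_partitions: {partition DN: set of dc names that host a replica}.
    """
    home = next((d for d, dcs in forest.items() if dc in dcs), None)
    if home is None:
        raise ValueError(f"{dc} is not a domain controller in this forest")
    held = {"schema": "full", "configuration": "full"}   # every DC in the forest
    for domain in forest:
        if domain == home:
            held[domain_dn(domain)] = "full"           # its own domain partition
        elif dc in global_catalogs:
            held[domain_dn(domain)] = "partial"        # other domains: GC servers only
    for partition, replica_set in app_partitions.items():
        if dc in replica_set:                          # scope chosen by the administrator
            held[partition] = "full"
    return held


def replication_targets(partition, forest, global_catalogs, app_partitions):
    """Which DCs receive a change made in `partition`, and what kind of replica they get."""
    all_dcs = [d for dcs in forest.values() for d in dcs]
    if partition in ("schema", "configuration"):
        return {d: "full" for d in all_dcs}
    if partition in app_partitions:
        return {d: "full" for d in all_dcs if d in app_partitions[partition]}
    for domain, dcs in forest.items():
        if domain_dn(domain) == partition:
            targets = {d: "full" for d in dcs}
            targets.update({d: "partial" for d in all_dcs
                            if d in global_catalogs and d not in dcs})
            return targets
    raise ValueError(f"unknown partition {partition}")


# Constructed forest: two domains, three DCs, one of them a global catalog server.
FOREST = {"example.com": ["DC1", "DC2"], "corp.example.com": ["DC3"]}
GLOBAL_CATALOGS = {"DC1"}
APP_PARTITIONS = {"DC=InventoryApp,DC=example,DC=com": {"DC2", "DC3"}}

if __name__ == "__main__":
    for dc in ("DC1", "DC2", "DC3"):
        print(dc, replicas_held(dc, FOREST, GLOBAL_CATALOGS, APP_PARTITIONS))
    print(replication_targets("DC=corp,DC=example,DC=com", FOREST, GLOBAL_CATALOGS, APP_PARTITIONS))
```

Running it shows the asymmetry the text describes: a change in corp.example.com reaches DC3 in full and DC1 only as the partial global catalog replica, while the application partition reaches DC2 and DC3 and skips the global catalog server entirely because its replica set, not its role, decides.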
How Information Is Replicated:
Active Directory replicates information in two ways: intra-site (within a site) and inter-site (between sites). The need for up-to-date directory information is balanced with the limitations imposed by available network bandwidth.
1. Intra-site Replication: Within a site, a Windows Server 2003 service known as the knowledge consistency checker (KCC) automatically generates a topology for replication among domain controllers in the same domain using a ring structure. The KCC is a built-in process that runs on all domain controllers. The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers in the site receive the directory updates. The KCC determines which servers are best suited to replicate with each other, and designates certain domain controllers as replication partners on the basis of connectivity, history of successful replication, and the matching of full and partial replicas. Domain controllers can have more than one replication partner. The KCC then builds connection objects that represent replication connections between the replication partners. The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers, as shown
The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change. When more than seven domain controllers are added to a site, the KCC creates additional connection objects across the ring structure so that if a change occurs at any one domain controller, replication partners are available to ensure that no domain controller is more than three replication hops from another domain controller, as shown in Figure 1-11. These optimizing connections are created at random and are not necessarily created on every domain controller.
2. Inter-site Replication: To ensure replication between sites, you must connect them manually by creating site links. Site links represent network connections and allow replication to occur. A single KCC per site generates all connections between sites. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance, as shown in Figure 1-12.
You provide information about the replication transport used, cost of a site link, times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link is used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is light, makes replication more efficient.
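The intra-site rules above (a ring giving two paths between any pair, chords added once a site has more than seven domain controllers so that no two are more than three hops apart) can be checked with a small graph model. The code below is an added example, not the KCC's actual algorithm: it builds the ring, measures hops by breadth-first search, adds optimizing connections between currently most-distant pairs using a seeded random choice so the run is reproducible (the page says only that the real choices are random), and checks that replication still reaches every remaining server when one is down. DC names are constructed.

```python
# Added example (not the KCC's actual code): a model of the intra-site ring
# topology and the "no more than three hops" rule described above. Optimizing
# connections are chosen at random between the pairs that are currently farthest
# apart, with a seeded generator so the result is reproducible; the real KCC's
# choice of chords is not specified on this page. DC names are constructed.
from collections import deque
import random


def ring_edges(dcs):
    """Each DC replicates with its two ring neighbours, giving two paths between any pair."""
    n = len(dcs)
    if n < 2:
        return set()
    return {frozenset((dcs[i], dcs[(i + 1) % n])) for i in range(n)}


def adjacency(dcs, edges):
    adj = {dc: set() for dc in dcs}
    for edge in edges:
        a, b = tuple(edge)
        adj[a].add(b)
        adj[b].add(a)
    return adj


def hops_from(adj, start):
    """Breadth-first search: replication hops from `start` to every reachable DC."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        dc = queue.popleft()
        for nxt in adj[dc]:
            if nxt not in dist:
                dist[nxt] = dist[dc] + 1
                queue.append(nxt)
    return dist


def farthest_pairs(dcs, edges):
    """Return (max_hops, [pairs at that distance]); max_hops is None if the topology is split."""
    adj = adjacency(dcs, edges)
    worst, pairs = 0, []
    for a in dcs:
        dist = hops_from(adj, a)
        if len(dist) < len(dcs):
            return None, []
        for b, d in dist.items():
            if a < b:
                if d > worst:
                    worst, pairs = d, [(a, b)]
                elif d == worst:
                    pairs.append((a, b))
    return worst, pairs


def kcc_topology(dcs, max_hops=3, seed=0):
    """Build the ring, then add chords until no DC is more than `max_hops` from another."""
    rng = random.Random(seed)
    edges = ring_edges(dcs)
    chords = []
    while True:
        worst, pairs = farthest_pairs(dcs, edges)
        if worst <= max_hops:
            return edges, chords
        a, b = rng.choice(pairs)           # one of the currently most distant pairs
        edges.add(frozenset((a, b)))
        chords.append((a, b))


def still_replicates_without(dcs, edges, failed):
    """Fault tolerance check: do the remaining DCs still reach each other if `failed` is down?"""
    remaining = [dc for dc in dcs if dc != failed]
    surviving = {e for e in edges if failed not in e}
    worst, _ = farthest_pairs(remaining, surviving)
    return worst is not None


if __name__ == "__main__":
    site = [f"DC{i:02d}" for i in range(1, 13)]        # a constructed 12-DC site
    edges, chords = kcc_topology(site)
    print("ring edges:", len(ring_edges(site)), "optimizing connections:", chords)
    print("max hops:", farthest_pairs(site, edges)[0])
    print("DC01 down, still connected:", still_replicates_without(site, edges, "DC01"))
```

With seven servers the ring alone already satisfies the three-hop limit (the two farthest servers on a seven-node ring are three hops apart), which is why the page's threshold is "more than seven"; with eight or more, the loop adds chords until the limit holds again.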
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain, as shown. The Kerberos version 5 protocol is the default protocol for computers running Windows Server 2003. If any computer involved in a transaction does not support Kerberos version 5, the NTLM protocol is used. A trust relationship is also permitted with any MIT Kerberos version 5 realm. There are two domains in a trust relationship—the trusting and the trusted domain.
Trusts have the following characteristics:
■ Method of creation Trusts can be created manually (explicitly) or automatically (implicitly). Not all trusts can be created both ways.
■ Transitivity Trusts can extend beyond the two domains in the trust relationship (transitive), or they can be limited to those two domains (non-transitive). For example, a transitive trust means that if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. By contrast, with a non-transitive trust, if Domain A trusts Domain B and Domain B trusts Domain C, there is no trust relationship between Domain A and Domain C.
■ Direction Trusts can be one-way or two-way. A one-way trust is a single trust relationship, where Domain A trusts Domain B, as shown in Figure 1-13. One-way relationships can be non-transitive or transitive depending on the type of trust being created. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions.
In the Windows Server 2003 family, Active Directory supports the following forms of trust relationships:
■ Tree-root trust: A tree-root trust is implicitly established when you add a new tree root domain to a forest. For example, in Figure 1-14, a tree-root trust is established between Domain A and Domain 1 when Domain 1, a new tree root domain, is added to the forest. The trust is created between the domain you are creating (the new tree root) and the existing forest root domain. A tree-root trust can be set up only between the roots of two trees in the same forest. The trust is transitive and two-way.
■ Parent-child trust: A parent-child trust relationship is implicitly established when you create a new child domain in a tree. For example, in Figure 1-14, a parent-child trust is established between Domain 1 and Domain 2 when Domain 2, a new child domain, is added to the tree. The Active Directory installation process automatically creates a trust relationship between the new domain and the domain that immediately precedes it in the namespace hierarchy (for example, uk.microsoft.com is created as the child of microsoft.com). As a result, a domain joining a tree immediately has trust relationships established with every domain in the tree. These trust relationships make all objects in the domains of the tree available to all other domains in the tree. The trust is transitive and two-way.
■ Shortcut trust: A shortcut trust must be explicitly created by a systems administrator between two domains in a forest. This trust is used to improve user logon times, which can be slow when two domains are logically distant from each other in a forest or tree hierarchy. The trust is transitive and can be one-way or two-way.
■ External trust: An external trust must be explicitly created by a systems administrator between Windows Server 2003 domains that are in different forests, or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust is used when users need access to resources located in a Windows NT 4 domain or in a domain located within a separate forest, which cannot be joined by a forest trust. The trust is non-transitive and can be one- or two-way.
■ Forest trust: A forest trust must be explicitly created by a systems administrator between two forest root domains. This trust allows all domains in one forest to transitively trust all domains in another forest. A forest trust is not transitive across three or more forests. For example, forest A trusts forest B and forest B trusts forest C. There is no trust relationship between forest A and forest C. The trust is transitive between two forests only and can be one-way or two-way. Forest trusts are only available when the forest is at the Windows Server 2003 functional level.
■ Realm trust: A realm trust must be explicitly created by a systems administrator between a non–Windows Kerberos realm and a Windows Server 2003 domain. This trust provides interoperability between the Windows Server 2003 domain and any realm used in Kerberos version 5 implementations. The trust can be transitive or non-transitive and one-way or two-way.
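Taken together, the transitivity, direction and forest-trust rules above decide whether a logon from one domain will be honoured by a resource in another, and reading them off a diagram of several forests is error-prone. The model below is an added example (not Microsoft code) that encodes the rules from the two lists above as a search from the resource (trusting) domain outward along trust links: a non-transitive trust may only be the single direct link, a transitive chain may cross at most one forest trust, and one-way trusts are followed only in their direction. All domain and realm names are constructed.

```python
# Added example (not Microsoft code): a model of the trust rules listed above.
# A DC in the resource (trusting) domain follows trust links outward looking for
# the account (trusted) domain. A non-transitive trust can only be the single,
# direct link; and a path may cross at most one forest trust, because forest
# trusts are not transitive across three or more forests. All domain and realm
# names below are constructed.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain that honours the other domain's logon authentication
    trusted: str
    kind: str         # parent-child, tree-root, shortcut, external, forest or realm
    transitive: bool


def two_way(a, b, kind, transitive):
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]


def trust_path(account_domain, resource_domain, trusts):
    """Chain of domains from the resource domain to the account domain, or None if untrusted."""
    if account_domain == resource_domain:
        return [resource_domain]
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    queue = deque([(resource_domain, [resource_domain], 0)])   # (domain, path, forest trusts used)
    seen = {(resource_domain, 0)}
    while queue:
        domain, path, forests_used = queue.popleft()
        for t in outgoing.get(domain, []):
            if t.trusted in path:
                continue
            if not t.transitive and len(path) > 1:
                continue                     # non-transitive trusts are direct links only
            used = forests_used + (t.kind == "forest")
            if used > 1:
                continue                     # no chaining through a second forest trust
            new_path = path + [t.trusted]
            if t.trusted == account_domain:
                return new_path
            if not t.transitive:
                continue                     # cannot extend beyond a non-transitive link
            if (t.trusted, used) not in seen:
                seen.add((t.trusted, used))
                queue.append((t.trusted, new_path, used))
    return None


def sample_trusts():
    """Three forests plus a legacy domain, wired up with the trust types from the list above."""
    trusts = []
    trusts += two_way("a.example", "us.a.example", "parent-child", True)   # forest A
    trusts += two_way("a.example", "corp.example", "tree-root", True)      # second tree in forest A
    trusts += two_way("b.example", "eu.b.example", "parent-child", True)   # forest B
    trusts += two_way("a.example", "b.example", "forest", True)            # forest A <-> forest B
    trusts += two_way("b.example", "c.example", "forest", True)            # forest B <-> forest C
    trusts.append(Trust("a.example", "LEGACY", "external", False))         # one-way to a Windows NT 4 domain
    trusts.append(Trust("us.a.example", "ENG.KRB", "realm", False))        # one-way, non-transitive realm trust
    return trusts


if __name__ == "__main__":
    trusts = sample_trusts()
    for account, resource in [("eu.b.example", "us.a.example"), ("c.example", "a.example"),
                              ("LEGACY", "a.example"), ("LEGACY", "us.a.example"),
                              ("us.a.example", "LEGACY")]:
        print(f"{account} -> {resource}: {trust_path(account, resource, trusts)}")
```

Two of the results are the cases the text calls out explicitly: a user from eu.b.example reaches us.a.example through the parent-child and forest trusts, while a user from c.example is refused by a.example because that would require chaining two forest trusts. The LEGACY cases show why external trusts are safe to grant narrowly: the child domain us.a.example does not inherit its parent's non-transitive trust, and the one-way trust gives LEGACY no view of the forest at all.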
Change and Configuration Management Features:
The IntelliMirror Management Technologies can be described as follows:
■ User Data Management: Data and documents follow the users so they can access the data they need to do their jobs. Technologies used include Active Directory, Group Policy, Offline Files, Synchronization Manager, Disk Quotas, and Roaming user profiles.
■ Software Installation and Maintenance: Software follows the users so they have the software they need to do their jobs. Technologies used include Active Directory, Group Policy, Windows Installer, and Add/Remove Programs in Control Panel.
■ User Settings Management: User settings follow users and the users can see their preferred desktop arrangements. Technologies used include Active Directory and Roaming user profiles.
■ Computer Settings Management: Administrators can define how computers are customized and restricted on the network. Technologies used include Active Directory user and computer accounts and Group Policy.
■ Remote Installation Services: Administrators can enable remote installation of Microsoft Windows XP; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Microsoft Windows 2000 Professional; Microsoft Windows 2000 Server; and Windows 2000 Advanced Server on new or replacement computers without pre-installation or on-site technical support. Technologies used include Active Directory, Group Policy, and Remote Installation Services.
When IntelliMirror is used in both server and client, the users’ data, applications, and settings follow them when they move to another computer. IntelliMirror uses Active Directory and Group Policy to manage users’ desktops based on users’ business roles, group memberships, and locations. You can configure desktops to meet a new user’s requirements each time that user logs on to the network.
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops. For example, using group policies, you can set the programs that are available to users, the programs that appear on the user’s desktop, and Start menu options.
To create a specific desktop configuration for a particular group of users, you create Group Policy Objects (GPOs). GPOs are collections of Group Policy settings. Each computer running Windows Server 2003 has one local GPO and might, in addition, be subject to any number of nonlocal (Active Directory–based) GPOs. Local GPOs are overridden by nonlocal GPOs. Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs). Nonlocal GPOs can be applied to either users (regardless of which computer they log on to) or computers (regardless of who logs on to them). Following the inheritance properties of Active Directory, nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.
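The processing order in the paragraph above (local GPO first, then GPOs linked to the site, the domain and the OUs, with settings accumulating and each later GPO overriding earlier ones for the same setting) is what makes a user's effective configuration predictable. The following is an added example (not Microsoft code) that computes the effective settings from a list of GPO links; GPO names, container names and setting names are constructed, and the nesting depth of an OU is taken from the length of its container path.

```python
# Added example, not Microsoft code: a model of the GPO processing order stated
# above (local GPO first, then site, domain and OU links, nested OUs last), with
# settings accumulating and later GPOs overriding earlier ones for the same
# setting. GPO names, containers and setting names are constructed.

LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


def effective_settings(links):
    """links: list of (container, gpo_name, settings).

    container is a tuple such as ("local",), ("site", "Seattle"), ("domain", "example.com")
    or ("ou", "example.com", "Sales", "West"); OU tuples list the path from the domain down,
    so a longer tuple is a more deeply nested (more specific) OU.
    Returns {setting: (value, gpo that set it)}.
    """
    def apply_order(link):
        container = link[0]
        return (LEVEL_ORDER[container[0]], len(container))

    result = {}
    for container, gpo, settings in sorted(links, key=apply_order):
        for setting, value in settings.items():
            result[setting] = (value, gpo)       # cumulative; later (more specific) wins
    return result


def sample_links():
    """Deliberately out of order, to show that the container decides precedence."""
    return [
        (("ou", "example.com", "Sales", "West"), "West-Desktops",
         {"ScreenSaverTimeout": 300}),
        (("local",), "Local GPO",
         {"ScreenSaverTimeout": 1800, "Wallpaper": r"C:\local.bmp"}),
        (("domain", "example.com"), "Domain-Baseline",
         {"ScreenSaverTimeout": 900, "MinimumPasswordLength": 12}),
        (("site", "Seattle"), "Site-Proxy",
         {"ProxyServer": "proxy.seattle.example.com:8080"}),
        (("ou", "example.com", "Sales"), "Sales-Apps",
         {"Wallpaper": r"\\fs1\corp.bmp", "DisableCmd": True}),
    ]


if __name__ == "__main__":
    for setting, (value, gpo) in effective_settings(sample_links()).items():
        print(f"{setting:22} = {value!r:40} (from {gpo})")
```

In the output the screen-saver timeout set locally is overridden twice, first by the domain baseline and then by the West OU, while settings that only one GPO defines (the site proxy, the password length) survive untouched, which is the cumulative behaviour the paragraph describes.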