Features of the Active Directory

One of the major tasks of any network operating system is keeping track of users and regulating resource access. In Windows NT 4, this was done through the use of NT domains and the Security Accounts Manager (SAM) database. Although Windows 2000 and Windows Server 2003 still support domains, network security has been simplified and enhanced by the addition of a directory service: the Windows Active Directory.

physical location

The actual location of a resource. Each resource must be homed on a server somewhere on the network. Windows 2000/Windows Server 2003 enables you to organize resources logically, rather than physically.

share

A share is a resource, such as a directory or a printer, that is made available to network users. A share can have permissions associated with it to control which users can access its resources.

Note 

For a review of the differences between a domain model and a directory service model, refer back to Chapter 9, 'Network Models.'

In Windows 2000 and Windows Server 2003, the directory service provides a means of keeping track of users, machines, groups, and other network- and user-related information. The Active Directory does all of this just as the NT domain structure did, but it provides these services more efficiently and with more features.

One of the most interesting differences between NT's domains and Windows Active Directory is that the location of a resource (its physical location) is transparent to users. In NT 4, a user could find a share only by browsing the server on which the share was created. With Directory Services, users can access shared directories and printers just by knowing the name of the share. The Directory does the rest, finding and connecting users to the resource they have requested.

Another interesting element of the Active Directory is that it is tightly tied to TCP/IP and the Internet Domain Name System (DNS). All Windows 2000 and Server 2003 domain names are structured like Internet domains. If your company's NT 4 domain is FOO, your Windows Server 2003 domain might be foo.com. The domain name (FOO) is a NetBIOS name, which is understood only by other Microsoft-compatible machines; the domain name (foo.com) can be understood and referenced by any machine that can use the TCP/IP protocol. This is just one of many ways in which the Active Directory tightly integrates with and complies with Internet standards.

Tip 

Because of this level of integration, Windows Active Directory is dependent on the presence of the TCP/IP protocol suite. TCP/IP must be installed in order to use Windows domains.

X.500

An industry-standard directory structure used by Windows 2000 and Windows Server 2003 to organize and name network elements. Other network operating systems, such as Novell's NetWare Directory Services, also use X.500.

The following table shows other Internet specifications that are supported by Active Directory. Note that each of the specifications listed below is in actuality a TCP/IP protocol. The TCP/IP protocol suite is made up of a number of 'plug-in' protocols that work together to provide network functionality, and Windows 2000 and Windows Server 2003 support more of these than Windows NT did. Each of the items in the list below is therefore a separate Internet protocol, with its specific function listed to the right of it.

Specification | Purpose
--- | ---
DHCP | IP addresses must be unique for each machine on a network, and DHCP automates the process of assigning addresses and other TCP/IP information.
SNTP | Simple Network Time Protocol provides timekeeping and time synchronization functions, which allow machines to check their internal clocks and make certain that the entire network knows the proper time.
LDAP | Lightweight Directory Access Protocol provides a way to query the Active Directory to request e-mail addresses, usernames, and other data.
LDIF | Lightweight Directory Information Format is used for directory synchronization.
Kerberos | This advanced authentication protocol provides enhanced security during logon and resource access.
X.509 certificates | Certificates are used to prove who you are (by allowing you to encrypt a signature into your

Last, Windows Active Directory uses the naming structure known as X.500. This is an industry-standard naming structure that allows for the unique naming of millions of objects easily and logically. An X.500 username for Humphrey Bogart, a user on the foo.com network, would look like this:

DC=com,DC=foo,CN=Users,CN=Humphrey Bogart
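As an added example (not from the book), the following Python script parses the X.500-style name above, rewrites it in the leaf-first order that LDAP clients use, and derives the DNS domain name (foo.com) from its DC= components, tying the naming structure to the DNS-style domain names described earlier. It assumes the book's name is written root-first (DC=com first) and that commas inside a value are escaped with a backslash, as LDAP string DNs do; the function names are my own.

```python
from __future__ import annotations

import re

# Components are split on commas that are not escaped with a backslash,
# the escaping rule used by LDAP string DNs (RFC 4514).
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def _escape(value: str) -> str:
    return value.replace(",", "\\,")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attribute, value), ...] in the order they are written."""
    components = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        components.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return components


def to_ldap_dn(x500_dn: str) -> str:
    """Rewrite the root-first X.500 name shown in the text (DC=com first)
    in the leaf-first order an LDAP client uses (CN=...,DC=foo,DC=com)."""
    return ",".join(f"{a}={_escape(v)}" for a, v in reversed(parse_dn(x500_dn)))


def dns_domain(dn: str, root_first: bool = True) -> str:
    """Build the DNS domain name (foo.com) from the DC= components.
    root_first=True is X.500 order (DC=com,DC=foo,...); False is LDAP order."""
    dcs = [v for a, v in parse_dn(dn) if a == "DC"]
    if not dcs:
        raise ValueError("no DC= components: not an Active Directory domain name")
    return ".".join(reversed(dcs) if root_first else dcs)


def leaf_name(dn: str, root_first: bool = True) -> str:
    """The object's own name: last component in X.500 order, first in LDAP order."""
    comps = parse_dn(dn)
    return comps[-1][1] if root_first else comps[0][1]


if __name__ == "__main__":
    book_example = "DC=com,DC=foo,CN=Users,CN=Humphrey Bogart"  # the name from the text
    print(to_ldap_dn(book_example))  # CN=Humphrey Bogart,CN=Users,DC=foo,DC=com
    print(dns_domain(book_example))  # foo.com
    print(leaf_name(book_example))   # Humphrey Bogart
```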


Source: MCSA/MCSE 2003 JumpStart: Computer and Network Basics
Author: Lisa Donald
ISBN: 078214277X
Year: 2003
Pages: 203