There are several new concepts introduced with Active Directory, including the global catalog, replication, trust relationships, DNS namespaces, and naming conventions. It is important that you understand the meaning of these concepts as applied to Active Directory.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
The global catalog is the central repository of information about objects in a tree or forest, as shown in Figure 16.6. By default, a global catalog is created automatically on the first domain controller in the forest; a domain controller that holds a global catalog is called a global catalog server. The global catalog server stores a full replica of every object in its own domain, with all of that object's attributes, and a partial replica of every object in every other domain in the forest. The partial replica contains only the attributes most frequently used in search operations (such as a user's first and last names and logon name). Attributes replicated to the global catalog carry the same permissions they have in their source domain, so a global catalog query cannot reveal data that the caller could not read in the originating domain.
Figure 16.6 The global catalog is the central repository of information
The global catalog performs two key directory roles:
When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon information. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is the domain controller configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer.
IMPORTANT
If a user is a member of the Domain Admins group, he or she is able to log on to the network even when the global catalog is not available.
The global catalog is designed to respond to user and programmatic queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic. Because a single global catalog contains information about all objects in all domains in the forest, a query about an object can be resolved by a global catalog in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.
You can designate any additional domain controller as a global catalog server. When deciding which domain controllers to designate, base your decision on the ability of your network structure to handle the extra replication and query traffic. Additional global catalog servers give quicker responses to user queries and provide redundancy if one server is unavailable. It is recommended that every major site in your enterprise have at least one global catalog server.
Users and services should be able to access directory information at any time from any computer in the domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. Directory information is replicated to domain controllers both within and among sites.
The information stored in the directory is partitioned into three categories: schema data, configuration data, and domain data. Each category is referred to as a directory partition, and directory partitions are the units of replication.
Schema and configuration data are replicated to every domain controller in the forest. The domain data for a particular domain is replicated in full to every domain controller in that domain. Every object in every domain, with only a subset of its attributes, is replicated to the global catalog.
A domain controller therefore stores and replicates the schema, the configuration data for the forest, and all of the domain data for its own domain.
A global catalog stores and replicates everything its domain controller stores, plus a partial replica (the subset of attributes used in searches) of every object in every other domain in the forest.
CAUTION
Extending the schema can have serious effects on large networks. Schema changes replicate to every domain controller in the forest, and in Windows 2000, adding an attribute to the set replicated to the global catalog forces every global catalog server to perform a full synchronization of its partial replicas, which can generate a great deal of replication traffic.
Active Directory replicates information within a site more frequently than across sites, balancing the need for up-to-date directory information with the limitations imposed by available network bandwidth.
Within a site, Active Directory automatically generates a topology for replication among domain controllers in the same domain using a ring structure. The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers receive the directory updates (see Figure 16.7).
Figure 16.7 Replication topology
The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers.
Active Directory periodically analyzes the replication topology within a site to ensure that it is still efficient. If you add or remove a domain controller from the network or a site, Active Directory reconfigures the topology to reflect the change.
To ensure replication between sites, you must customize how Active Directory replicates information using site links to represent network connections. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance.
You provide information about the replication protocol used, cost of a site link, times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link is used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is light, will make replication more efficient.
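The two topology rules described above, a bidirectional ring inside a site and cost- and schedule-based selection of site links between sites, can be modelled in a few lines. The following is an added example, not code from the lesson or from Windows 2000 itself, and it is not the Knowledge Consistency Checker's own algorithm: the domain controller names, site names, site links, costs and schedules are constructed for the illustration. It shows why a ring survives the loss of any single domain controller, how the topology is simply regenerated when a domain controller is removed, and how a link that is cheaper but only available at night changes the route the directory would use.

```python
"""Model of intrasite ring replication and intersite site-link routing.

Added illustration, not the Knowledge Consistency Checker's code.  Domain
controller, site and site-link names below are constructed for the example.
"""
import heapq


def ring_connections(dcs):
    """Connection objects for an intrasite ring: every DC replicates with the
    DC before and after it, in both directions, so each DC has two
    independent paths to every other DC."""
    n = len(dcs)
    if n < 2:
        return []
    conns = set()
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % n]
        conns.add((dc, nxt))
        conns.add((nxt, dc))
    return sorted(conns)


def reachable(conns, start, failed=frozenset()):
    """DCs that still receive updates originating at `start` while the DCs
    in `failed` are down."""
    seen = {start}
    stack = [start]
    while stack:
        cur = stack.pop()
        for src, dst in conns:
            if src == cur and dst not in seen and dst not in failed:
                seen.add(dst)
                stack.append(dst)
    return seen


def tolerates_single_failure(dcs):
    """True if every surviving DC keeps replicating when any one DC is down."""
    conns = ring_connections(dcs)
    for down in dcs:
        alive = [dc for dc in dcs if dc != down]
        if len(alive) < 2:
            continue
        if reachable(conns, alive[0], frozenset({down})) != set(alive):
            return False
    return True


# Constructed site links: (name, sites joined, cost, hours of the day during
# which the link may be used).  Lower cost wins; a link outside its schedule
# is ignored for that hour.
SITE_LINKS = [
    ("SEA-CHI", {"Seattle", "Chicago"}, 100, set(range(24))),
    ("CHI-NYC", {"Chicago", "NewYork"}, 100, set(range(24))),
    ("SEA-NYC", {"Seattle", "NewYork"}, 150, set(range(0, 6))),  # night only
]


def cheapest_route(site_links, src, dst, hour):
    """Least-cost chain of site links from `src` to `dst` using only links
    available at `hour` (Dijkstra).  Returns (total_cost, [link names]) or
    None when no available links connect the two sites."""
    adjacency = {}
    for name, sites, cost, hours in site_links:
        if hour not in hours:
            continue
        for a in sites:
            for b in sites:
                if a != b:
                    adjacency.setdefault(a, []).append((cost, b, name))
    best = {src: 0}
    previous = {}
    heap = [(0, src)]
    while heap:
        cost_so_far, site = heapq.heappop(heap)
        if site == dst:
            break
        if cost_so_far > best.get(site, float("inf")):
            continue  # stale heap entry
        for cost, nxt, name in adjacency.get(site, []):
            candidate = cost_so_far + cost
            if candidate < best.get(nxt, float("inf")):
                best[nxt] = candidate
                previous[nxt] = (site, name)
                heapq.heappush(heap, (candidate, nxt))
    if dst not in best:
        return None
    route = []
    cur = dst
    while cur != src:
        cur, name = previous[cur]
        route.append(name)
    return best[dst], route[::-1]


if __name__ == "__main__":
    dcs = ["DC1", "DC2", "DC3", "DC4"]
    print(ring_connections(dcs))
    print(tolerates_single_failure(dcs))
    print(ring_connections(dcs[:-1]))  # topology regenerated after DC4 is removed
    print(cheapest_route(SITE_LINKS, "Seattle", "NewYork", 14))  # daytime: via Chicago
    print(cheapest_route(SITE_LINKS, "Seattle", "NewYork", 2))   # night: direct link
```

During the day the Seattle to New York route costs 200 over two links; at 02:00 the cheaper direct link is within its schedule and is chosen instead. A site with no available link at all (for example a site name that appears in no site link) yields None, which is the situation an administrator sees as replication that never occurs between sites.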
NOTE
When operating in Native mode, Windows 2000 domain controllers do not replicate with pre-Windows 2000 domain controllers.
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Active Directory supports two forms of trust relationships: implicit two-way transitive trusts, created automatically between domains in the same tree or forest, and explicit one-way nontransitive trusts, created by an administrator (for example, to a domain outside the forest).
For example, in Figure 16.8 a Kerberos transitive trust simply means that if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C. As a result, a domain joining a tree immediately has trust relationships established with every domain in the tree. These trust relationships make every object in the tree's domains reachable from every other domain in the tree; what a user can actually do with an object is still decided by the permissions on that object.
Transitive trust between domains eliminates the management of interdomain trust accounts. Domains that are members of the same tree automatically participate in a transitive, bidirectional trust relationship with the parent domain. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree.
Figure 16.8 Active Directory supports two types of trust relationships
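The practical question behind the two trust forms is "does this domain honor logons authenticated by that domain?". The following is an added example, not code from the lesson: it records tree trusts as two-way transitive links and explicit trusts as one-way nontransitive links, then answers that question by following only transitive links beyond the first hop. The domain names (a microsoft.com tree with dev and sales child domains) and the explicit trust to a constructed outside domain called NT4CORP are assumptions made for the illustration.

```python
"""Trust-path check for implicit two-way transitive (tree) trusts and
explicit one-way nontransitive trusts.

Added illustration, not code from the lesson.  The domain names and trust
layout are constructed; NT4CORP stands in for a domain outside the tree.
"""
from collections import deque


def tree_trust(parent, child):
    """Implicit trust created when `child` joins the tree under `parent`:
    two-way and transitive, so it is recorded in both directions."""
    return [(parent, child, True), (child, parent, True)]


def explicit_trust(trusting, trusted):
    """Explicit one-way nontransitive trust: `trusting` honors logons
    authenticated by `trusted`, and nothing flows beyond that pair."""
    return [(trusting, trusted, False)]


def trusts_domain(trusts, trusting, trusted):
    """True if `trusting` honors logon authentication from `trusted`.

    A direct trust of either form is enough.  A multi-hop path counts only
    when every hop is transitive: a nontransitive trust neither extends to
    the domains behind the trusted domain nor is inherited by domains that
    trust the trusting domain."""
    if trusting == trusted:
        return True
    if any(src == trusting and dst == trusted for src, dst, _ in trusts):
        return True
    seen = {trusting}
    queue = deque([trusting])
    while queue:
        current = queue.popleft()
        for src, dst, transitive in trusts:
            if src != current or not transitive or dst in seen:
                continue
            if dst == trusted:
                return True
            seen.add(dst)
            queue.append(dst)
    return False


def trusted_domains(trusts, trusting):
    """Every domain whose logon authentication `trusting` honors, sorted."""
    domains = {src for src, _, _ in trusts} | {dst for _, dst, _ in trusts}
    return sorted(d for d in domains
                  if d != trusting and trusts_domain(trusts, trusting, d))


# Constructed layout in the style of Figure 16.8: microsoft.com is the tree
# root (Domain A) with dev.microsoft.com (B) and sales.microsoft.com (C) as
# children, plus an explicit one-way trust from dev.microsoft.com to NT4CORP.
TRUSTS = (
    tree_trust("microsoft.com", "dev.microsoft.com")
    + tree_trust("microsoft.com", "sales.microsoft.com")
    + explicit_trust("dev.microsoft.com", "NT4CORP")
)

if __name__ == "__main__":
    for trusting, trusted in [
        ("dev.microsoft.com", "sales.microsoft.com"),  # via the root: transitive
        ("dev.microsoft.com", "NT4CORP"),              # direct explicit trust
        ("NT4CORP", "dev.microsoft.com"),              # one-way: not reversed
        ("sales.microsoft.com", "NT4CORP"),            # nontransitive: no flow
    ]:
        print(f"{trusting} trusts {trusted}: "
              f"{trusts_domain(TRUSTS, trusting, trusted)}")
```

The last two cases are the ones that matter when reviewing a trust design: the explicit trust is not reversed automatically, and it does not extend to the sibling domain even though the sibling is in the same tree as the trusting domain. A positive answer only means the authentication path exists; access to a resource still depends on the permissions granted on it.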
Active Directory, like all directory services, is primarily a namespace. A namespace is any bounded area in which a name can be resolved. Name resolution is the process of translating a name into some object or information that the name represents. The Active Directory namespace is based on the DNS naming scheme, which allows for interoperability with Internet technologies. Private networks use DNS extensively to resolve computer names and to locate computers within their local networks and the Internet. DNS provides the following benefits:
NOTE
For more information on DNS, see RFCs 1034 and 1035. To read the text of these Requests for Comment (RFCs), use your Web browser to search for RFC 1034 and RFC 1035.
Because Active Directory uses DNS as its domain naming and location service, Windows 2000 domain names are also DNS names. Windows 2000 Server uses Dynamic DNS (DDNS), which lets clients with dynamically assigned addresses register directly with a server running the DNS service and update their own DNS records. DDNS eliminates the need for other naming services, such as Windows Internet Name Service (WINS), in a homogeneous Windows 2000 environment.
IMPORTANT
For Active Directory and associated client software to function correctly, you must have installed and configured the DNS service.
A DNS name server stores the zone database file. Name servers can store data for one zone or multiple zones. A name server is said to have authority for the domain namespace that the zone encompasses.
One name server contains the master zone database file, referred to as the primary zone database file, for the specified zone. As a result, there must be at least one name server for a zone. Changes to a zone, such as adding domains or hosts, are performed on the server that contains the primary zone database file.
Multiple name servers act as a backup to the name server containing the primary zone database file. Multiple name servers provide the following advantages:
Every object in Active Directory is identified by a name. Active Directory uses a variety of naming conventions: distinguished names (DNs), relative distinguished names (RDNs), globally unique identifiers (GUIDs), and user principal names (UPNs).
Every object in Active Directory has a distinguished name (DN) that uniquely identifies an object and contains sufficient information for a client to retrieve the object from the directory. The DN includes the name of the domain that holds the object as well as the complete path through the container hierarchy to the object.
For example, the following DN identifies the Firstname Lastname user object in the microsoft.com domain (where Firstname and Lastname represent the actual first and last name of a user account):
/DC=COM/DC=microsoft/OU=dev/CN=Users/CN=Firstname Lastname
The same DN in the comma-separated, leaf-first string form that LDAP clients send to the directory is CN=Firstname Lastname,CN=Users,OU=dev,DC=microsoft,DC=COM.
Table 16.1 describes the attributes in the example.
Table 16.1 Distinguished Name Attributes
Attribute | Description |
---|---|
DC | Domain Component Name |
OU | Organizational Unit Name |
CN | Common Name |
DNs must be unique. Active Directory does not allow duplicate DNs.
NOTE
For more information on distinguished names, see RFC 1779 (since superseded by RFC 2253, which defines the comma-separated string form). To read the text of these RFCs, use your Web browser to search for RFC 1779 and RFC 2253.
Active Directory supports querying by attributes, so you can locate an object even if the exact DN is unknown or has changed. The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. In the preceding example, the RDN of the Firstname Lastname user object is Firstname Lastname. The RDN of the parent object is Users.
You can have duplicate RDNs for Active Directory objects, but you cannot have two objects with the same RDN in the same container. For example, if a user account named Jane Doe exists in an OU, you cannot create another user account called Jane Doe in that OU. Objects with duplicate RDNs can exist in separate OUs because their DNs differ (see Figure 16.9).
Figure 16.9 Distinguished names and relative distinguished names
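The naming rules above (the DN is the full path, the RDN is the object's own naming attribute, DNs are compared case-insensitively, and duplicate RDNs are allowed only in different containers) are easy to get wrong when handling DN strings that contain escaped commas. The following is an added example, not code from the lesson: a small parser for the comma-separated LDAP string form, a converter for the slash form used in the example above, and the uniqueness check. The DN strings in it are constructed for the illustration.

```python
"""Distinguished-name helpers: RDN extraction, parent container, conversion
of the lesson's slash-form DN to the LDAP string form, and the
"same RDN in the same container" uniqueness check.

Added illustration, not code from the lesson; the DN strings used in the
example are constructed.
"""
import string


def split_unescaped(text, sep):
    """Split on `sep` while honoring backslash escapes (e.g. 'Doe\\, Jane')."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape for later unescaping
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value):
    """Decode RFC 2253 escapes: backslash + special char, or backslash + hex pair."""
    out, i = [], 0
    while i < len(value):
        if value[i] != "\\":
            out.append(value[i])
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("dangling backslash in DN value")
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(value[i + 1])
            i += 2
    return "".join(out)


def parse_dn(dn):
    """Leaf-first list of (attribute type, value) pairs."""
    rdns = []
    for part in split_unescaped(dn, ","):
        attr, eq, value = part.lstrip().partition("=")
        if not eq or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), unescape(value)))
    return rdns


def rdn(dn):
    """The object's own naming attribute, e.g. ('CN', 'Jane Doe')."""
    return parse_dn(dn)[0]


def parent_dn(dn):
    """DN of the container holding the object (original escaping kept)."""
    return ",".join(p.lstrip() for p in split_unescaped(dn, ",")[1:])


def canonical(dn):
    """Comparison key: Active Directory matches DNs case-insensitively."""
    return tuple((attr, value.casefold()) for attr, value in parse_dn(dn))


def same_rdn(dn1, dn2):
    return canonical(dn1)[0] == canonical(dn2)[0]


def would_collide(existing_dns, new_dn):
    """Active Directory rejects a new object whose DN duplicates an existing
    one: same RDN in the same container."""
    return any(canonical(d) == canonical(new_dn) for d in existing_dns)


def slash_to_ldap(slash_dn):
    """Convert the root-first slash form ('/DC=COM/DC=microsoft/...') to the
    leaf-first LDAP string form.  Assumes no '/' inside component values."""
    comps = [c for c in slash_dn.split("/") if c]
    return ",".join(reversed(comps))


if __name__ == "__main__":
    lesson_dn = slash_to_ldap("/DC=COM/DC=microsoft/OU=dev/CN=Users/CN=Firstname Lastname")
    print(lesson_dn, rdn(lesson_dn), parent_dn(lesson_dn))
    directory = ["CN=Jane Doe,OU=Sales,DC=microsoft,DC=com"]  # constructed
    print(would_collide(directory, "cn=jane doe,ou=sales,dc=microsoft,dc=com"))  # True
    print(would_collide(directory, "CN=Jane Doe,OU=Dev,DC=microsoft,DC=com"))    # False
    print(parse_dn("CN=Doe\\, Jane,OU=Sales,DC=microsoft,DC=com")[0])
```

The escaped-comma case is the one that trips up ad hoc `split(",")` code: a common name such as "Doe, Jane" is written as CN=Doe\, Jane in the DN, and a naive split turns the single RDN into two. The parser above treats the escape as part of the value, and the hex form (\2C) that some tools emit decodes to the same string.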
A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique. A GUID is assigned to each object when it is created and is stored in the object's objectGUID attribute. The GUID never changes, even if you move or rename the object, so an application can store the GUID of an object and use it to retrieve that object regardless of its current DN.
In earlier versions of Windows NT, domain resources were associated with a security identifier (SID) generated within the domain, so a SID was only meaningful in the context of that domain: an account moved to another domain received a new SID. A GUID is unique across all domains, meaning that you can move objects from domain to domain and they keep the same identifier. Active Directory objects still carry a SID, which is what access control uses; the GUID is the stable identity of the object in the directory.
User accounts also have a "friendly" name, the user principal name (UPN). The UPN is composed of a "shorthand" name for the user account, the @ sign, and a UPN suffix, which by default is the DNS name of the domain where the user account object resides. For example, Firstname Lastname (substitute the first and last names of the actual user) in the microsoft.com domain might have a UPN of FirstnameL@microsoft.com (using the full first name and the first letter of the last name).
In this lesson you learned about several new concepts introduced with Active Directory, including the global catalog, replication, trust relationships, DNS namespaces, and naming conventions.
You learned that the global catalog is a service and a physical storage location that contains a replica of selected attributes for every object in Active Directory. You can use the global catalog to locate objects anywhere in the network without replication of all domain information between domain controllers.
Active Directory includes replication to ensure that changes to a domain controller are reflected in all domain controllers within a domain. Within a site, Active Directory automatically generates a ring topology for replication among domain controllers in the same domain. Between sites, you must customize how Active Directory replicates information using site links to specify how your sites are connected.
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Active Directory supports two forms of trust relationships: implicit two-way transitive trusts and explicit one-way nontransitive trusts.
In this lesson you also learned that Active Directory uses DNS as its domain naming and location service; therefore, Windows 2000 domain names are also DNS names. Windows 2000 Server uses DDNS, so clients with dynamically assigned addresses can register directly with a server running the DNS service and dynamically update their DNS records. DNS namespaces can be contiguous or disjointed.
Finally, you learned about the naming conventions employed by Active Directory: DNs, RDNs, GUIDs, and UPNs.