Lesson 1: Overview of Active Directory


Active Directory, first introduced with Microsoft Windows 2000 Server, allows administrators to create a more flexible network structure than what was previously available with Windows operating systems for servers. Active Directory is a directory service, and the benefit of a directory service–based approach to network design is that it allows for large distributed network environments that have a common centralized authority for network security. Active Directory provides a single point of management for Windows-based user accounts, clients, servers, and applications.


After this lesson, you will be able to

  • Understand Active Directory forests and domains

  • Understand sites

  • Understand the Active Directory schema

  • Understand organizational units (OUs)

  • Understand global catalogs

  • Understand operations masters

Estimated lesson time: 20 minutes


Active Directory Forests and Domains

The primary security boundary for Active Directory is the forest, which contains domain trees. There can be one or more domain trees in a forest, though the first domain is designated as the forest root domain. Domains in Active Directory are identified through their Domain Name System (DNS) names rather than the NetBIOS naming scheme that was prevalent in Windows NT Server 4 and earlier. An example of a DNS domain name is contoso.com. A domain tree can contain multiple domains that share a common namespace. For example, contoso.com, marketing.contoso.com, sales.contoso.com, and europe.sales.contoso.com are all a part of the same domain tree. The marketing.contoso.com domain is a child domain of contoso.com, the parent domain. Since a forest can contain multiple domain trees, you could also have a domain tree for fabrikam.com in the same forest as the contoso.com domain tree.

Regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions to all domain trees. Each forest has an Enterprise Admins group as well as a Schema Admins group. Members of these groups have authority over all the domain trees in the forest. Each domain has a Domain Admins group, and administrators in a parent domain automatically have administrative permissions to all child domains through automatic transitive trust relationships.

This type of structure is known as a hierarchical structure, since there can be multiple levels. This differs from the flat structure of Windows NT domains, which did not support parent-child relationships between domains.
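The DNS-based naming described above makes tree membership and parent/child relationships derivable from the names alone. The following Python is an added illustration written for this page, not code from the training kit or from Microsoft: it takes a constructed forest made of the lesson's contoso.com names plus a fabrikam.com tree, groups the domains into trees by contiguous namespace, and reports each domain's parent and the forest root (the first domain listed, following the lesson's rule that the first domain is the forest root).

```python
"""Derive Active Directory domain trees from DNS domain names.

Added example (not from the training kit). The forest below is constructed
from the lesson's sample names; the rules implemented are the ones the lesson
states: domains in one tree share a contiguous DNS namespace, a child domain's
name is directly subordinate to its parent's, and the first domain is the
forest root.
"""

# Constructed forest. The first entry is the forest root domain.
FOREST_DOMAINS = [
    "contoso.com",
    "marketing.contoso.com",
    "sales.contoso.com",
    "europe.sales.contoso.com",
    "fabrikam.com",
    "hr.fabrikam.com",
]


def parent_domain(domain, forest):
    """Return the immediate DNS parent of `domain` if that parent is itself a
    domain in `forest`. None means `domain` is the root of a domain tree."""
    _, _, parent = domain.lower().partition(".")
    return parent if parent in forest else None


def tree_root_of(domain, forest):
    """Climb parent links until reaching the top of this domain's tree."""
    root = domain.lower()
    while (parent := parent_domain(root, forest)) is not None:
        root = parent
    return root


def build_domain_trees(forest):
    """Group the forest into domain trees: {tree_root: [members by depth]}."""
    forest = [d.lower() for d in forest]
    trees = {}
    for domain in forest:
        trees.setdefault(tree_root_of(domain, forest), []).append(domain)
    for members in trees.values():
        # Order each tree from its root downward (fewer labels = higher up).
        members.sort(key=lambda d: (d.count("."), d))
    return trees


def forest_root_domain(forest):
    """The forest root is the first domain created in the forest."""
    return forest[0].lower()


if __name__ == "__main__":
    for root, members in build_domain_trees(FOREST_DOMAINS).items():
        print(f"Domain tree rooted at {root}:")
        for d in members:
            print(f"  {d}  (parent: {parent_domain(d, FOREST_DOMAINS)})")
    print("Forest root domain:", forest_root_domain(FOREST_DOMAINS))
```

Running the script prints two trees, one per namespace, with europe.sales.contoso.com listed under sales.contoso.com and contoso.com reported as the forest root.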

Active Directory Sites

With the amount of replication that takes place between domain controllers and the amount of querying of data that is done in Active Directory, it is important for computers and services to have a way of identifying Active Directory resources that are located on the same local area network (LAN) versus resources that are on a different LAN separated by a wide area network (WAN) connection. Active Directory uses the concept of sites to make this distinction. Sites contain Active Directory resources that are all connected by reliable high-speed bandwidth—a minimum of 10 megabytes (MB). Site membership is used in the logon process as a computer attempts to locate a domain controller in its own site first; in replication (intrasite replication occurs immediately, and intersite replication is scheduled); in accessing global catalogs (discussed in the section entitled "Global Catalogs," later in this lesson); and in the Exchange Server 2003 messaging infrastructure.
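To make the site concept concrete, here is an added Python model (written for this page, not code from the training kit or from Windows) of the two behaviours the paragraph attributes to sites: a client is mapped to a site by the subnet its address falls in, it is then steered to a domain controller (or global catalog server) in its own site before any other, and replication between two domain controllers is immediate within a site and scheduled between sites. The site names, subnets, and domain controllers are constructed sample data; the real Windows domain controller locator resolves site-specific DNS SRV records rather than scanning a list like this.

```python
"""Site-aware domain controller selection and replication mode.

Added example, not from the training kit. Sites, subnets and domain
controllers below are constructed sample data for the lesson's contoso.com
domain.
"""
import ipaddress

# Constructed subnet-to-site mapping, as an administrator would define it.
SITE_SUBNETS = {
    "Seattle": ["10.1.0.0/16"],
    "London": ["10.2.0.0/16", "192.168.50.0/24"],
}

# Constructed domain controllers: (host name, site, is global catalog server).
DOMAIN_CONTROLLERS = [
    ("dc01.contoso.com", "Seattle", True),
    ("dc02.contoso.com", "Seattle", False),
    ("dc03.contoso.com", "London", True),
]


def site_for_address(ip, site_subnets=SITE_SUBNETS):
    """Map a client address to its site; the most specific subnet wins.
    An address in no configured subnet belongs to no site (None)."""
    addr = ipaddress.ip_address(ip)
    best_site, best_prefix = None, -1
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_prefix:
                best_site, best_prefix = site, net.prefixlen
    return best_site


def locate_domain_controller(client_ip, need_global_catalog=False,
                             dcs=DOMAIN_CONTROLLERS):
    """Prefer a suitable DC in the client's own site; otherwise any site.
    Returns the chosen host name, or None if no DC qualifies."""
    site = site_for_address(client_ip)
    candidates = [dc for dc in dcs if dc[2] or not need_global_catalog]
    in_site = [dc for dc in candidates if dc[1] == site]
    chosen = in_site or candidates   # fall back when the site has no match
    return chosen[0][0] if chosen else None


def site_of_dc(host, dcs=DOMAIN_CONTROLLERS):
    """Look up the site a domain controller belongs to."""
    return next(dc[1] for dc in dcs if dc[0] == host)


def replication_between(dc_a, dc_b):
    """Intrasite replication is immediate; intersite replication follows a
    schedule over the slower WAN link."""
    return "immediate" if site_of_dc(dc_a) == site_of_dc(dc_b) else "scheduled"


if __name__ == "__main__":
    for ip in ("10.1.5.7", "192.168.50.9", "172.16.0.1"):
        print(ip, "->", site_for_address(ip), "->",
              locate_domain_controller(ip, need_global_catalog=True))
    print(replication_between("dc01.contoso.com", "dc02.contoso.com"))
    print(replication_between("dc01.contoso.com", "dc03.contoso.com"))
```

A client whose address matches no subnet-to-site definition (172.16.0.1 above) still gets a domain controller, just not a site-local one; in a real deployment such unmapped subnets are worth finding, because those clients authenticate and query across the WAN.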

Active Directory Schema

One of the defining elements of a forest is a common schema. The schema is a definition of the types of objects that are allowed within a directory and the attributes that are associated with those objects. These definitions must be consistent across domains in order for the security policies and access rights to function correctly.

There are two types of definitions within the schema: attributes and classes, also known as schema objects and metadata. Attributes are defined only once, and then can be applied to multiple classes as needed. The object classes, or metadata, are used to define objects. For example, the Users class requires certain attributes such as user name, password, groups, and so on. A particular user account is simply an Active Directory object that has those attributes defined.

A class is simply a generic framework for objects. It is a collection of attributes, such as Logon Name and Home Directory for user accounts or Description and Network Address for computer accounts. Active Directory comes standard with a predefined set of attributes and classes that fit the needs for many network environments. In addition, network administrators can extend the schema by defining additional attributes and extending the classes within the directory.

Organizational Units

One of the enhancements within Active Directory is the ability to organize the network in a logical manner and hide the physical structure of the network from the end users. Active Directory uses a special container known as an organizational unit (OU) to organize objects within a domain for the purpose of administration. OUs can be used to split a domain into administrative divisions that mirror the functional or physical separations within the company.

An OU can contain user accounts, computers, printers, shared folders, applications, and any other object within the domain. OUs can be used to separate administrative functions within a domain without granting administrative rights to the whole domain. This was something that couldn't be done prior to Active Directory.

An OU is the smallest element to which you can assign administrative rights. This means that OUs can be used to delegate authority and control within a domain; in essence, OUs function as subdomains without the creation of additional domains.

Global Catalogs

Domain controllers keep a complete copy of the Active Directory database for a domain, so that information about each object in the domain is readily available to users and services. This works well within a domain but poses problems when crossing domain trees. Active Directory solves this issue with a special limited database known as the global catalog. The global catalog stores partial replicas of the directories of other domains. The catalog is stored on domain controllers that have been designated as global catalog servers. These servers also maintain the normal database for their domain.

Function of the Global Catalog

The global catalog has two primary functions within Active Directory. These functions relate to the logon capability and queries within Active Directory.

Within a multidomain environment that is running in Windows 2000 Native mode or the Windows Server 2003 functional level, a global catalog is required for logging on to the network. The global catalog provides universal group membership information for the user account that is attempting to log on to the network. If the global catalog is not available during the logon attempt and the user account is external to the local domain, the user will only be allowed to log on to the local machine.

If the account is part of the local domain, the domain controllers for the local domain will handle the authentication request. The global catalog is required only when a user account or object needs to be authenticated by another domain.

Querying generates the majority of Active Directory traffic, and queries for objects (printers, services, and so on) occur much more often than database updates. Within a simple single-domain environment, the directory is readily available for these queries. However, in a highly complex, multidomain environment, having every query search through each domain would generate an unreasonable amount of network traffic.

The global catalog maintains a subset of the directory information available within every domain in the forest. This allows queries to be handled by the nearest global catalog, saving time and bandwidth. If more than one domain controller is a global catalog server, the response time for the queries improves. The tradeoff is that each additional global catalog server increases the amount of replication overhead within the network.

Note

The global catalog is a read-only database, unlike the normal Active Directory database.

Global Catalog Servers

Active Directory automatically creates a global catalog on the first domain controller within a forest. Each forest requires at least one global catalog. In an environment with multiple sites, it is good practice to designate a domain controller in each site to function as a global catalog server. While any domain controller can be configured as a global catalog server, a sense of balance is necessary when designating these servers. As the number of global catalog servers increases, the response time to user inquiries decreases. However, the replication requirements within the environment increase as the number of global catalog servers increases.

Operations Masters

Much of the replication within an Active Directory environment is multimaster replication, which means that the domain controllers are all peers. This is in contrast to earlier versions of Windows NT, in which a primary domain controller (PDC) was responsible for recording all changes to the security policy and replicating those changes to the backup domain controllers (BDCs).

Some operations are impractical in a multimaster environment. Active Directory handles these operations by allowing only a single domain controller to make these types of changes. This domain controller is known as an operations master. There are five different operations master roles in Active Directory: Schema Master, Domain Naming Master, Relative ID Master, PDC Emulator, and Infrastructure Master. The Schema Master and Domain Naming Master roles function at the forest level and exist only once in a forest. The Relative ID Master, PDC Emulator, and Infrastructure Master roles function at the domain level and exist in each domain in the forest. The functions of the operations master roles are as follows:

  • The Schema Master role controls all the updates and modifications to the schema itself. The schema controls the definition of each object in the directory and the object's associated attributes.

  • The Domain Naming Master role controls the addition or removal of domains from the forest.

  • The Relative ID (RID) Master role controls the sequence number for the domain controllers within the domain. The master assigns a unique sequence of RIDs to each of the domain controllers. When a new object is created by a domain controller, the object is assigned a security ID (SID). The SID must be unique within the domain and is generated by combining a domain SID and a RID. The domain SID is a constant ID within the domain, while the RID is assigned to the object by the domain controller. When the domain controller uses all the RIDs that the RID Master has assigned, the domain controller receives another sequence of RIDs from the RID Master. If the RID Master is unavailable and a domain controller exhausts its pool, it will be unable to create additional objects.

  • The PDC Emulator role is used whenever a domain contains non–Active Directory computers. It acts as a Windows NT PDC for legacy client operating systems, as well as for Windows NT BDCs. The PDC Emulator processes password changes and receives preferential treatment within the domain for password updates. If another domain controller is unable to authenticate a user due to a bad password, the request is forwarded to the PDC Emulator.

  • The Infrastructure Master role is responsible for maintaining all inter-domain object references. In other words, the Infrastructure Master informs certain objects (such as groups) that other objects (such as users in another domain) have been moved, changed, or otherwise modified. This update is needed only in a multiple domain environment. If there is only a single domain, then all domain controllers already know of the update, and this role is unnecessary. Likewise, if all domain controllers are also global catalog servers, the domain controllers are aware of the updates and do not need the assistance of the Infrastructure Master.

By default, Active Directory assigns all five of these operations master roles to the first domain controller installed in a forest. In a simple network environment, these roles may remain with that first domain controller. As the network environment expands, some of the roles will need to be reassigned to other domain controllers.
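The RID Master description above (the domain SID plus a RID forms each object's SID, each domain controller draws RIDs from a block handed out by the RID Master, and a domain controller that exhausts its block while the RID Master is unavailable cannot create objects) is the failure mode behind Lesson Review question 2. The Python below is an added model written for this page, not code from the training kit or from Windows: it hands out RID pools from a simulated RID Master to two domain controllers, builds SIDs, and shows that an outage of the RID Master only bites the domain controller whose pool has run dry. The domain SID, pool size, and starting RID are constructed values; a real domain controller also requests its next pool before the current one is completely used, which this simplified model omits.

```python
"""RID pool allocation and SID construction, modelled after the lesson's
description of the RID Master role. Added example, not from the training kit.
"""

# Constructed domain SID (format S-1-5-21-<three sub-authorities>).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"


class RidMaster:
    """The single domain controller that hands out blocks of RIDs."""

    def __init__(self, pool_size=500, first_rid=1000):
        # pool_size and first_rid are constructed parameters for the model.
        self.pool_size = pool_size
        self.next_rid = first_rid
        self.available = True

    def allocate_pool(self):
        """Return an inclusive (start, end) block never handed out before."""
        if not self.available:
            raise RuntimeError("RID Master unavailable: no new pool issued")
        start = self.next_rid
        self.next_rid += self.pool_size
        return start, self.next_rid - 1


class DomainController:
    """A domain controller creating objects from its own RID pool."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.next_rid = None   # no pool until the first object is created
        self.pool_end = None

    def pool_exhausted(self):
        return self.next_rid is None or self.next_rid > self.pool_end

    def create_object(self, sam_account_name):
        """Create an object and return its SID (domain SID + RID)."""
        if self.pool_exhausted():
            # Ask the RID Master for a fresh block; fails during an outage.
            self.next_rid, self.pool_end = self.rid_master.allocate_pool()
        rid = self.next_rid
        self.next_rid += 1
        return f"{DOMAIN_SID}-{rid}"


def rid_of(sid):
    """Split the RID off the end of an object SID."""
    return int(sid.rsplit("-", 1)[1])


def simulate_outage(pool_size=3):
    """Scenario from Lesson Review question 2: one DC drains its pool,
    the RID Master goes down, and only that DC can no longer create objects.
    Returns (sids created, name of the DC that failed, sids after outage)."""
    master = RidMaster(pool_size=pool_size)
    dc1 = DomainController("dc01", master)
    dc2 = DomainController("dc02", master)
    sids = [dc1.create_object(f"contractor{i}") for i in range(pool_size)]
    sids.append(dc2.create_object("contractor-x"))   # dc02 gets its own pool
    master.available = False                          # RID Master outage
    failed = None
    try:
        dc1.create_object("contractor-y")             # dc01's pool is empty
    except RuntimeError:
        failed = dc1.name
    after = [dc2.create_object("contractor-z")]       # dc02 still has RIDs
    return sids, failed, after


if __name__ == "__main__":
    created, failed_dc, later = simulate_outage()
    print("SIDs created:", *created, sep="\n  ")
    print("DC unable to create objects during the outage:", failed_dc)
    print("Created on the other DC during the outage:", later)
```

This is exactly why retrying on another server works in the review question: the second domain controller still holds unused RIDs from its own block, while the first must wait for the RID Master to return.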

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

  1. You are developing a deployment plan for Exchange Server 2003. You have been asked to ensure that the contoso.com and fabrikam.com domain trees that are part of the same forest can be included in the same Exchange Server 2003 organization. Is this possible with the existing Active Directory structure, or will you need to change the Active Directory structure first?

  2. You are an Exchange Server 2003 administrator. You regularly create new user accounts for contractors, but periodically you receive an error that the object cannot be created. Usually you are able to cancel the process and try again later or to create the new account from another server. Since the process works most of the time, you know it isn't a configuration problem or permissions problem. What else might be causing the problem?

    1. The PDC Emulator is unavailable

    2. The RID Master is unavailable

    3. The Schema Master is unavailable

    4. The Infrastructure Master is unavailable

  3. The CIO for your company returns from a Windows Server 2003 seminar and is anxious to share his new knowledge. He says you should make all of the servers in your Active Directory forest global catalog servers because it will improve the response time to user queries, especially with Exchange Server 2003. He feels that this will help significantly since your organization has four domain trees with multiple child domains in each. Do you agree with him? Why or why not?

Lesson Summary

  • Active Directory is a hierarchically structured database that replaced the flat structure of Windows NT domains.

  • Global catalog servers are used to allow Active Directory queries to cross domains.

  • There are five operations master roles. The Schema Master and Domain Naming Master roles are forest-wide, while the PDC Emulator, Infrastructure Master, and RID Master roles are domain-wide.

  • Sites are used to control the replication topology by defining whether resources in Active Directory are connected by high-speed or low-speed links.

  • The schema defines the types of objects that are allowed in Active Directory, as well as the attributes the objects can have.




MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing Microsoft® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
Year: 2003
Pages: 221
