Lesson 1: Active Directory Overview

Active Directory provides a method for designing a directory structure that meets the needs of your organization. This lesson introduces the use of objects in Active Directory and the function of each of its components.


After this lesson, you will be able to

  • Explain the purpose of Active Directory
  • Explain the purpose of object attributes and the schema in Active Directory
  • Identify the components of Active Directory
  • Describe the function of Active Directory components
  • Explain the purpose of the global catalog in Active Directory

Estimated lesson time: 30 minutes


Windows 2000 Active Directory

A directory stores information related to the network resources to facilitate locating and managing these resources. A directory service is a network service that identifies all resources on a network and makes them accessible to users and applications. A directory service differs from a directory in that it is both the source of the information and the service making the information available to users.

Active Directory is the directory service included in Windows 2000 Server. It includes the directory itself, which stores information about network resources, and all the services that make that information available and useful. The information stored in the directory about users, printers, servers, databases, groups, computers, and security policies is organized into objects.

Active Directory Objects

An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account might include the user's first name, last name, and logon name, while the attributes of a computer account may include the computer name and description (see Figure 1.1).


Figure 1.1 Active Directory objects and attributes

Some objects, known as containers, can contain other objects. For example, a domain is a container object that can contain users, computers, and other objects. In Figure 1.1, the Users folder is a container that contains users.

Active Directory Schema

The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. Because the schema definitions are themselves stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory.

The schema contains two types of definition objects: schema class objects and schema attribute objects. As shown in Figure 1.2, class objects and attribute objects are defined in separate lists within the schema. Schema class and attribute objects are also referred to as schema objects or metadata.

Schema class objects describe the possible Active Directory objects that can be created. A schema class object functions as a template for creating new Active Directory objects: each schema class names the set of schema attributes that instances of the class must or may carry, and when you create an object from that class, those attributes store the information that describes the object. The User class, for example, is composed of many schema attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of a schema class object.

Schema attribute objects define the schema class objects with which they are associated. Each schema attribute is defined only once and can be used in multiple schema classes. For example, the Description attribute is used in many schema classes but is defined only once in the schema, ensuring consistency.


Figure 1.2 Schema class and attribute objects

A set of basic schema classes and attributes is shipped with Windows 2000 Server. Experienced developers and network administrators may extend the schema by defining new classes and new attributes, or by adding attributes to existing classes. For example, if you need to store information about users that is not currently defined in the schema, you must extend the User class. However, extending the schema is an advanced operation with possibly serious consequences. Schema classes and attributes cannot be deleted, only deactivated, and every schema change is replicated automatically to all domain controllers in the forest, so you must plan and prepare carefully before extending the schema. The right to change the schema is limited to members of the Schema Admins group; keep that group empty except while a planned extension is being applied. Schema extension is discussed in Chapter 3, "Creating a Forest Plan."
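To see these schema objects directly, here is an added example (not part of the training kit) that reads the classSchema object for user, walks its superclass chain to collect the attributes an instance may carry, and then shows that description is a single attributeSchema object referenced by many classes and that deactivated definitions remain in the schema. It assumes the RSAT ActiveDirectory PowerShell module and a reachable domain controller; the module rather than Windows 2000 era tooling is used because it is what a practitioner has today.

```powershell
# Added example, not code from the training kit. Assumes the RSAT
# ActiveDirectory module and a domain controller reachable with the
# current credentials.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext   # e.g. CN=Schema,CN=Configuration,DC=example,DC=com

$classProps = 'lDAPDisplayName', 'subClassOf', 'mustContain', 'mayContain',
              'systemMustContain', 'systemMayContain', 'isDefunct'

# Walk the subClassOf chain (user -> organizationalPerson -> person -> top),
# collecting every attribute the class must or may carry. This union is the
# template a domain controller enforces when an object of the class is created.
function Get-ClassAttributeSet {
    param([string]$ClassName)
    $all  = @()
    $seen = @{}
    $name = $ClassName
    while ($name -and -not $seen.ContainsKey($name)) {
        $seen[$name] = $true
        $c = Get-ADObject -SearchBase $schemaNC -Properties $classProps `
                -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))"
        if (-not $c) { break }
        $all += @($c.mustContain) + @($c.mayContain) + @($c.systemMustContain) + @($c.systemMayContain)
        # 'top' lists itself as its own superclass; stop there.
        $name = if ($c.subClassOf -eq $name) { $null } else { $c.subClassOf }
    }
    $all | Where-Object { $_ } | Sort-Object -Unique
}

$userAttrs = Get-ClassAttributeSet -ClassName 'user'
"user class may carry {0} attributes; includes description: {1}" -f $userAttrs.Count, ($userAttrs -contains 'description')

# One attributeSchema object defines 'description', whichever classes use it.
Get-ADObject -SearchBase $schemaNC -Properties attributeID, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, isDefunct `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=description))' |
    Format-List lDAPDisplayName, attributeID, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, isDefunct

# Defined once, used many times: every class that references description.
Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
    -LDAPFilter '(&(objectClass=classSchema)(|(mayContain=description)(systemMayContain=description)))' |
    Select-Object -ExpandProperty lDAPDisplayName

# Schema objects are never deleted; a deactivated one stays behind with isDefunct=TRUE.
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(isDefunct=TRUE)' -Properties lDAPDisplayName |
    Select-Object lDAPDisplayName, ObjectClass
```

Reading the schema needs no special rights, which is also why an attacker who can bind to LDAP can learn exactly which attributes and classes a forest has been extended with; the last query is the quick way to see whether anyone has ever deactivated a definition in yours.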

Active Directory Components

Active Directory uses components to build a directory structure that meets the needs of your organization. The logical structures of your organization are represented by the following Active Directory components: domains, organizational units, trees, and forests. The physical structure of your organization is represented by the following Active Directory components: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.

In addition to the components that represent the logical and physical structures of your organization, Active Directory automatically builds the global catalog on the first domain controller in a forest. The global catalog serves as the central repository of selected information about objects in a tree or forest.

Logical Structures

In Active Directory, you organize resources in a logical structure that mirrors the logical structure of your organization. Grouping resources logically allows you to find a resource by its name rather than by its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users. Figure 1.3 illustrates the relationships of the Active Directory components.


Figure 1.3 Resources organized in a logical structure

Domains

The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those vital to the network, the items the networked community needs to do its job: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. Active Directory is made up of one or more domains, and a domain can span more than one physical location. Domains share these characteristics:

  • All network objects exist within a domain, and each domain stores information only about the objects that it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is a more practical number.
  • A domain is an administrative boundary and, within limits, a security boundary. Access control lists (ACLs) control access to objects in the domain. An ACL holds the permissions that determine which users can gain access to an object and what type of access they get; in Windows 2000, ACLs protect file system objects (files, folders, shares, and printers) as well as Active Directory objects. Security policies and settings, such as administrative rights, security policies, and ACLs, do not cross from one domain to another, and a domain administrator has full rights to set policies only within that domain. Note, however, that the forest, not the domain, is the real security boundary: all domains in a forest share the schema and configuration partitions and trust one another transitively, so a compromise of the administrators of any one domain puts every domain in the forest at risk. Treat every domain administrator as trusted by the whole forest, and use a separate forest, not a separate domain, to isolate an organization you do not trust.

Grouping objects into one or more domains allows your network to reflect your company's organization. See Chapter 4, "Creating a Domain Plan," to read about domain design.

Organizational Units

An organizational unit (OU) is a container used to organize objects within a domain into a logical administrative group. This organization typically mirrors your organization's functional or business structure. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion. See Chapter 5, "Creating an Organizational Unit Plan," to read about OU design.

OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. See Chapter 5, "Creating an Organizational Unit Plan," to read about planning for delegation.

In Figure 1.4, the microsoft.com domain mirrors the organization of a shipping company and contains three OUs: US, Orders, and Disp, where the last two are nested within the US OU. In the summer months, the number of orders taken for shipping increases and management has requested the addition of a subadministrator for the Orders department. The subadministrator must have permission only to create user accounts and provide users with access to Orders department files and shared printers. Rather than creating another domain, the request can be met by assigning the subadministrator the appropriate permissions within the Orders OU.

If the subadministrator was later required to create user accounts in the US, Orders, and Disp OUs, you could grant the administrator the appropriate permissions separately within each OU. However, because the Orders and Disp OUs are nested in the US OU, a more efficient method is to assign permissions once in the US OU and allow them to be inherited by the Orders and Disp OUs. By default, all child objects (the Orders and Disp OUs) within Active Directory inherit permissions from their parents (the US OU). Granting permissions at a higher level and using inheritance can reduce administrative tasks. The same inheritance means that a right granted high in the hierarchy flows to every object created beneath it later, so grant only the specific rights the task needs and review delegated permissions periodically.


Figure 1.4 Using an organizational unit to handle administrative tasks
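The delegation described for the Orders OU, written out as an added example (not code from the training kit). It grants a group the right to create and delete user accounts in the OU and to reset their passwords, with inheritance so nested OUs pick the rights up, and then lists the resulting ACEs. The domain example.com, the OU path, and the group name "Orders Admins" are assumptions; it requires the RSAT ActiveDirectory module, which provides the AD: drive used by Get-Acl and Set-Acl.

```powershell
# Added example, not code from the training kit. Assumes the RSAT
# ActiveDirectory module and a hypothetical domain example.com; the OU
# path and delegate group name are assumptions.
Import-Module ActiveDirectory

$ouDN  = 'OU=Orders,OU=US,DC=example,DC=com'   # assumed OU
$group = Get-ADGroup 'Orders Admins'            # assumed delegate group; delegate to groups, not to individual users

# schemaIDGUIDs are the same in every forest; these are the user class and the
# "Reset Password" control access right.
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: create and delete child objects of class user, on this OU and every OU beneath it.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# ACE 2: the Reset Password extended right, inherited only by user objects below
# the OU, not by the OU itself and not by other object classes.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: every ACE on the OU that names the delegate group, with its inheritance
# scope. The same listing is what you review later for over-delegation.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

Run it as an account allowed to modify the OU's security descriptor. Access to the department's files and printers is granted by adding the new users to groups that appear in those resources' ACLs, not by anything in the directory ACE. Rights granted this way propagate to every object created beneath the OU in the future, and inherited ACEs are exactly what an attacker with a foothold enumerates, so grant the narrowest right that does the job (never GenericAll or WriteDacl on an OU for a routine task) and revisit the listing from the last step periodically.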

Trees

A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson. Trees share these characteristics:

  • Following Domain Name System (DNS) standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain. In Figure 1.5, microsoft.com is the parent domain and us.microsoft.com and uk.microsoft.com are its child domains. The child domain of uk.microsoft.com is sls.uk.microsoft.com.
  • All domains within a single tree share a common schema, which is a formal definition of all object types that you can store in an Active Directory deployment.
  • All domains within a single tree share a common global catalog, which is the central repository of information about objects in a tree.


Figure 1.5 A domain tree

By creating a hierarchy of domains in a tree, you can retain security and allow for administration within an OU or within a single domain of a tree. The tree structure easily accommodates organizational changes. Chapter 3, "Creating a Forest Plan," discusses tree design.

Forests

A forest is a grouping of one or more domain trees, each with its own namespace, that share a single schema, configuration, and global catalog. As such, forests have the following characteristics:

  • All trees in a forest share a common schema.
  • Trees in a forest have different naming structures, according to their domains.
  • All domains in a forest share a common global catalog.
  • Domains in a forest operate independently, but the forest enables communication across the entire organization.
  • Implicit two-way transitive trusts exist between domains and domain trees: each child domain trusts its parent, and each tree root domain trusts the forest root domain, so any domain in the forest can authenticate users from any other.

In Figure 1.6, microsoft.com and msn.com form a forest. The namespace is contiguous only within each tree.


Figure 1.6 A forest of trees

Forest design is discussed in detail in Chapter 3, "Creating a Forest Plan."

Physical Structure

The physical components of Active Directory are sites and domain controllers. You will use these components to develop a directory structure that mirrors the physical structure of your organization.

Sites

A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable and fast link, defined so that as much network traffic as possible stays local. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets into a site, combine only subnets that have fast, cheap, and reliable network connections with one another. As a rule of thumb, a link of at least 512 kilobits per second (Kbps) counts as "fast," and an available bandwidth of 128 Kbps or higher on that link is sufficient.

Sites are not part of the domain namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. A site contains server objects for the domain controllers located in it and the connection objects used to configure replication between those domain controllers; user and computer accounts are not stored in sites. A single domain can span one or multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains. See Chapter 6, "Creating a Site Topology Plan," to read about site design.

Domain Controllers

A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory (the local domain database). A domain can contain one or more domain controllers, and each of them holds a complete, writable replica of the domain's portion of the directory.

The following list describes the functions of domain controllers:

  • Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
  • Domain controllers in a domain automatically replicate all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers by specifying how often replication occurs and the amount of data that Windows 2000 replicates at one time.
  • Domain controllers immediately replicate certain important updates, such as the disabling of a user account.
  • Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers may hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.
  • Domain controllers detect collisions, which can occur when an attribute is modified on one domain controller before a change to the same attribute on another domain controller has been completely propagated. Each attribute value carries a stamp: a version number that starts at 1 when the attribute is first written and is incremented on every originating change, the time of that change, and the identity of the domain controller that made it. When two replicas disagree, the value with the higher version number wins; if the versions are equal, the later originating time wins, and the originating domain controller's identity is the final tie-breaker. The losing change is discarded without notice, which is why the same object should not be edited at two domain controllers at the same time.
  • Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.
  • Domain controllers manage all aspects of users' domain interaction, such as locating Active Directory objects and validating user logon attempts.

There are two domain modes: mixed mode and native mode. Mixed mode allows a Windows 2000 domain controller to interact with domain controllers in the same domain that are still running previous versions of Windows NT. Native mode requires every domain controller in the domain to run Windows 2000 and, in return, enables features such as universal groups, group nesting, and SID history. The switch to native mode cannot be reversed.

In general, there should be one domain controller for each domain in each site for authentication purposes. However, authentication requirements for your organization determine the number of domain controllers and their location. Chapter 6, "Creating a Site Topology Plan," discusses the placement of domain controllers.

Catalog Services—The Global Catalog

Active Directory allows users and administrators to find objects, such as files, printers, or users, in their own domain. However, finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity. A catalog service contains selected information about every object in all domains in the directory, which is useful in performing searches across an enterprise. The catalog service provided by Active Directory services is called the global catalog.

The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest; a domain controller holding a global catalog is known as a global catalog server. Using Active Directory multimaster replication, global catalog information is replicated between global catalog servers in the forest's domains. A global catalog server stores a full replica of every object in its own domain and a partial replica of every object in every other domain in the forest. The partial replica holds only the attributes most frequently used in search operations (such as a user's first and last names, logon name, and so on). Whether an attribute is replicated to the global catalog is a flag set on its definition in the Active Directory schema. Attributes replicated to the global catalog carry the same permissions as in their source domain, so the global catalog does not bypass the access control set on the original objects.

Global Catalog Roles

The global catalog performs two key directory roles:

  • It enables network logon by providing universal group membership information to a domain controller when a logon process is initiated.
  • It enables finding directory information regardless of which domain in the forest actually contains the data.

When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the logon. If there is only one domain controller in a domain, that domain controller holds the global catalog. If there are multiple domain controllers, at least one of them is configured to hold the global catalog. In a native-mode domain, where universal groups exist, a domain controller that cannot reach a global catalog cannot complete a network logon, and the user is able to log on only to the local computer.

IMPORTANT

If a user is a member of the Domain Admins group, he or she is able to log on to the network even when the global catalog is not available.

The global catalog is designed to respond to user and programmatic queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic. Because a single global catalog contains information about all objects in all domains in the forest, a query about an object that is not contained in the local domain can be resolved by a global catalog server in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.

The Query Process

A query is a request made by a user or application to retrieve Active Directory data. The global catalog answers searches only; requests to modify or delete an object must go to a domain controller of the domain that holds the object. The following steps, illustrated in Figure 1.7, describe the query process:

  1. The client queries its DNS server for the location of a global catalog server. Global catalog servers register service (SRV) records for this purpose under _gc._tcp in the forest's DNS zone.
  2. The DNS server returns the host name and port from the SRV record, and the client resolves the host name to the IP address of the domain controller designated as the global catalog server.
  3. The client sends the query to that IP address on port 3268, the global catalog's LDAP port; standard Active Directory queries are sent to port 389. When a server certificate is installed, the same services are available over SSL on ports 3269 and 636 respectively.
  4. The global catalog server processes the query. If the global catalog contains the attribute of the object being searched for, the global catalog server returns the answer to the client. If it does not, the client must send the query to a domain controller in the domain that holds the object, on port 389.


Figure 1.7 The query process
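The four steps, carried out by hand as an added example (not code from the training kit): an SRV lookup for a global catalog, a forest-wide search on port 3268 with an empty base DN, the follow-up search against a domain controller of the object's home domain on port 389, and a schema check of which attributes are in the partial attribute set. The forest example.com and the account jdoe are assumptions, and the attribute list is chosen simply to show a difference between the two answers; the script requires the DnsClient cmdlets (Resolve-DnsName) and the RSAT ActiveDirectory module.

```powershell
# Added example, not code from the training kit. Assumes a hypothetical
# forest example.com and account jdoe; needs Resolve-DnsName and the RSAT
# ActiveDirectory module, and runs as a domain user.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

function Find-ServerBySrv {
    # Steps 1-2: DNS returns the host and port from the service record.
    param([string]$Record)   # e.g. _gc._tcp.example.com or _ldap._tcp.child.example.com
    $srv = Resolve-DnsName -Name $Record -Type SRV | Where-Object Type -eq 'SRV' |
           Sort-Object Priority, @{ Expression = { Get-Random } } | Select-Object -First 1
    if (-not $srv) { throw "no SRV record for $Record" }
    [pscustomobject]@{ Host = $srv.NameTarget; Port = $srv.Port }
}

function Search-Directory {
    # Step 3: bind with the current credentials and run one subtree search.
    param([string]$Server, [int]$Port, [string]$Base, [string]$Filter, [string[]]$Attrs)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.Signing = $true   # refuse unsigned LDAP; sealing encrypts the session
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()
    try {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, 'Subtree', $Attrs)
        $conn.SendRequest($req).Entries
    } finally { $conn.Dispose() }
}

$forest = 'example.com'                                    # assumed forest root
$filter = '(&(objectClass=user)(sAMAccountName=jdoe))'     # assumed account
$attrs  = 'distinguishedName', 'givenName', 'sn', 'memberOf', 'info'

$gc    = Find-ServerBySrv "_gc._tcp.$forest"               # Port is 3268 by default
$gcHit = Search-Directory $gc.Host $gc.Port '' $filter $attrs | Select-Object -First 1
if (-not $gcHit) { throw 'no such account anywhere in the forest' }

# Step 4: the GC returned only the attributes it replicates. For the rest, ask a DC
# of the object's home domain, read from the DC= components of its DN (simple
# split; escaped commas in an RDN are not handled here).
$dn         = $gcHit.DistinguishedName
$homeDomain = ($dn -split ',' | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
$dc         = Find-ServerBySrv "_ldap._tcp.$homeDomain"    # Port is 389 by default
$dcHit      = Search-Directory $dc.Host $dc.Port $dn '(objectClass=*)' $attrs | Select-Object -First 1

$fromGC = @($gcHit.Attributes.AttributeNames)
$fromDC = @($dcHit.Attributes.AttributeNames)
"GC {0}:{1} returned: {2}" -f $gc.Host, $gc.Port, ($fromGC -join ', ')
"DC {0}:{1} returned: {2}" -f $dc.Host, $dc.Port, ($fromDC -join ', ')
"set on the object but absent from the GC: {0}" -f (($fromDC | Where-Object { $_ -notin $fromGC }) -join ', ')

# Cross-check against the schema: an attribute replicates to the GC only if its
# attributeSchema object has isMemberOfPartialAttributeSet=TRUE.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
          -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' |
       Select-Object -ExpandProperty lDAPDisplayName
foreach ($a in $attrs) { "{0,-20} in partial attribute set: {1}" -f $a, ($pas -contains $a) }
```

An attribute that is unset on the object is returned by neither server, so the difference line reflects both the partial attribute set and the object's own contents; the schema check at the end is the authoritative answer. Signing and sealing are requested on purpose: an unsigned simple bind on 389 or 3268 carries credentials in the clear, and a domain controller that accepts it is a finding in its own right.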

You can configure any domain controller as a global catalog server, and designate as many as you need. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network to handle the extra replication and query traffic. Additional global catalog servers provide quicker responses to user queries, as well as redundancy. It is therefore recommended that every major site in your enterprise have at least one global catalog server. See Chapter 6, "Creating a Site Topology Plan," to read about placing global catalog servers.
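The placement rules in this lesson (one domain controller per domain in each site, and a global catalog server in every major site) can be checked against a live forest. The following is an added example, not code from the training kit; it assumes the RSAT ActiveDirectory module and reads the forest of the logged-on user, listing each site's subnets and domain controllers and flagging the combinations the rules say should not exist.

```powershell
# Added example, not code from the training kit. Assumes the RSAT
# ActiveDirectory module and reads the current user's forest.
Import-Module ActiveDirectory

$domains    = (Get-ADForest).Domains
$dcs        = foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d }
$allSubnets = Get-ADReplicationSubnet -Filter *          # each subnet carries the DN of its site

foreach ($site in Get-ADReplicationSite -Filter *) {
    $subnets = $allSubnets | Where-Object Site -eq $site.DistinguishedName | Select-Object -ExpandProperty Name
    $siteDCs = $dcs | Where-Object Site -eq $site.Name
    "`nSite {0}   subnets: {1}" -f $site.Name, $(if ($subnets) { $subnets -join ', ' } else { '(none: clients here fall back to any DC)' })

    foreach ($d in $domains) {
        $here = @($siteDCs | Where-Object Domain -eq $d)
        $gcs  = @($here    | Where-Object IsGlobalCatalog)
        $note = if ($here.Count -eq 0) { 'no DC for this domain in the site: logons cross the WAN' }
                elseif ($gcs.Count -eq 0) { 'no GC in the site: universal group lookups cross the WAN' }
                else { '' }
        "  {0,-28} DCs: {1,2}   GCs: {2,2}   {3}" -f $d, $here.Count, $gcs.Count, $note
    }
}
```

A site with no domain controller for a domain is not wrong if no users of that domain work there; the script only surfaces the cases the design review has to justify. The same inventory, read by an attacker, maps where the writable replicas of each domain live, which is a reason domain controllers in small or physically weak sites deserve the most scrutiny.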

Lesson Summary

In this lesson you learned that an object is a distinct named set of attributes that represents a network resource in Active Directory. Object attributes are characteristics of objects in the directory. The Active Directory schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in an Active Directory forest. Because the schema definitions are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory. There are two types of definition objects in the schema: schema class objects and schema attribute objects.

You also learned that Active Directory offers you a method for designing a directory structure to reflect your organization's business structure and operations. Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.

In Active Directory, grouping resources logically enables you to find a resource by its name rather than by its physical location. The core unit of logical structure in Active Directory is the domain, which stores information only about the objects that it contains. An OU is a container used to organize objects within a domain into logical administrative groups. A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains, and a forest is a grouping or hierarchical arrangement of one or more trees.

The physical structure of Active Directory is based on sites and domain controllers. A site is a combination of one or more IP subnets connected by a high-speed link. A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory.

Finally, you learned that the global catalog is a service and a physical storage location that contains a replica of selected attributes for every object in Active Directory. You can use the global catalog to locate objects anywhere in the network without replication of all domain information between domain controllers.



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001
Pages: 76

flylib.com © 2008-2017.