What Makes Active Directory Tick?


Putting things in a technobabble nutshell, Active Directory is implemented using an X.500 structure for directory data, an LDAP interface to access directory data, and Dynamic DNS as a locator mechanism for directory data. So, now that you know all this stuff about Active Directory, what does it give you? The following list recounts some of the main features and advantages of Active Directory:

  • Security: Information is stored in a secure form. Each object in Active Directory has an Access Control List (ACL) that contains a list of resources that may access it and what access privileges are granted to each such resource.

  • Query capabilities: Active Directory generates a global catalog to provide a flexible mechanism for handling queries. Any client that supports Active Directory can query this catalog to request directory data.

  • Replication: Replication of the directory to all domain controllers in a domain means easier access, higher availability, and improved fault tolerance.

  • Extensible: Active Directory is extensible, which means that new object types can be added to a directory or existing objects can be extended. For example, you could easily add a salary attribute or an employee ID to the user object. (An attribute is extra information about an object.)

  • Multiple protocols: Communication between directory servers or across directories from multiple vendors can use numerous networking protocols because of Active Directory's X.500 foundation. These protocols currently include LDAP Versions 2 and 3 and the Hypertext Transfer Protocol (HTTP). Third parties can extend this capability to include other protocols as well, if needed.

  • Partitioning: In an Active Directory environment, information may be partitioned by domain to avoid the need to replicate large amounts of directory data. Each such domain is called a tree because of the way that X.500 structures directory data into an interlinked hierarchy with a single root. In a large and complex network, a collection of domains forms a group of trees that is - you guessed it - called a forest!

When you partition Active Directory data into different trees, it does not mean that Active Directory cannot be queried for information from other domains. Global catalogs contain a subset of information about every object in an entire domain forest, which allows such searches to be performed on the entire forest through the agencies of your friendly local domain controller.

What replication means

In a Windows Server 2003 domain, all domain controllers are equal. Therefore, if you apply changes to any domain controller, the complete domain directories of all other domain controllers must be updated (through a process called multi-master replication) to record those changes.

Here's how multi-master replication works: Active Directory uses an Update Sequence Number (USN) to track changes and updates made to Active Directory objects. As changes are made to the objects, this number is incremented by 1 on each object affected by the change. For example, a user account object that was updated to include a home telephone number would have its USN incremented by 1 to reflect that it had been modified. This modification is then sent to the other domain controllers in the domain. The object with the higher USN - that is, the updated object - overwrites the object with the lower USN.

USN increments are atomic operations; in English, this means that the increments to the USN's value and the actual change to directory data occur at the same time. If one part fails, the whole change fails; therefore, it's not possible to change any Active Directory object without its USN being incremented. Thus, no changes will ever be lost. Each domain controller keeps track of the highest USNs for the other domain controllers with which it replicates. This allows the domain controller to calculate which changes must be replicated during each replication cycle. In the simplest terms, the highest-numbered USN always wins!

Sidebar: Domain trees

A domain tree is a set of Windows 2000 domains or Windows Server 2003 domains (or both) connected by a two-way, transitive trust and sharing a common schema, configuration, and global catalog. To be considered a true domain tree, the domains must form a contiguous hierarchical namespace. A single domain all by itself with no child names is still considered a tree.

The first domain installed in a domain tree is the root domain of that tree. It is considered the forest root domain if it is also the first domain in the forest. An Active Directory forest is a collection of one or more Windows 2000 domains or Windows Server 2003 domains (or both) that share a common schema, configuration, and global catalog. Active Directory forests have a non-contiguous namespace.

All domains in a domain tree and all trees in a single forest have the connectivity benefit of the two-way, transitive trust relationship, which is the default trust relationship between Windows 2000 and Windows Server 2003 domains. This complete trust between all domains in an Active Directory domain hierarchy helps to form the forest as a single unit through its common schema, configuration, and global catalog.

At the start of each replication cycle, each domain controller checks its USN table and queries all other domain controllers with which it replicates for their latest USNs. As an example, the following represents the USN table for Server A.

Domain Controller    USN
DC B                 54
DC C                 23
DC D                 53

Server A then queries the domain controllers for their current USNs and gets these results:

Domain Controller    USN
DC B                 58
DC C                 23
DC D                 64

From this data, Server A can calculate the changes it needs from each server:

Domain Controller    USN
DC B                 55, 56, 57, 58
DC C                 Up-to-Date
DC D                 54-64

It would then query each server for the updates it needs.
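As an added illustration that is not part of the book, here is a small Python model of the replication cycle just described, fed with the Server A figures from the three tables above; the function and variable names are my own, and the rollback check is an assumption about how a sane implementation should treat a partner whose USN has gone backwards.

```python
# Added example (not from the book): how a domain controller works out which
# updates it still needs. Each DC remembers the highest USN it has already
# received from every partner; at the start of a cycle it asks each partner
# for its current USN and requests everything in between.

# Constructed sample data, copied from the three tables for Server A above.
SERVER_A_TABLE = {"DC B": 54, "DC C": 23, "DC D": 53}   # highest USN already received
PARTNER_CURRENT = {"DC B": 58, "DC C": 23, "DC D": 64}  # answers to this cycle's USN query


def changes_needed(last_seen: dict, current: dict) -> dict:
    """Per partner, the USNs Server A still has to pull (empty list = up to date).

    USNs only ever increase, so a partner reporting a USN *below* the one we
    recorded is inconsistent (for instance a DC restored from an old image);
    this toy model refuses rather than silently requesting a negative range.
    """
    needed = {}
    for dc, seen in last_seen.items():
        now = current[dc]
        if now < seen:
            raise ValueError(f"{dc} reports USN {now}, below recorded {seen}")
        needed[dc] = list(range(seen + 1, now + 1))
    return needed


def describe(needed: dict) -> dict:
    """Render each entry the way the book's third table does."""
    out = {}
    for dc, usns in needed.items():
        if not usns:
            out[dc] = "Up-to-Date"
        elif len(usns) <= 4:
            out[dc] = ", ".join(str(u) for u in usns)
        else:
            out[dc] = f"{usns[0]}-{usns[-1]}"
    return out


def after_pull(last_seen: dict, current: dict) -> dict:
    """Once the updates arrive, Server A's table advances to the partners' USNs."""
    return {dc: max(last_seen[dc], current[dc]) for dc in last_seen}


if __name__ == "__main__":
    for dc, text in describe(changes_needed(SERVER_A_TABLE, PARTNER_CURRENT)).items():
        print(f"{dc:<5} {text}")
```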

Replication state is tracked with two vectors, each built from pairs of a Globally Unique Identifier (GUID) and an Update Sequence Number (USN). The Up-to-Date Vector is made up of server/USN pairs held by the two domain controllers containing the highest originating updates. (This is usually the domain controller in which the originating update occurred and then its immediate replication partners.) The High Watermark Vector contains the highest attribute USN for any given object. By using both of these vectors, domain controllers can determine that a given update has already been received and so avoid replicating that particular update again.

Because objects have properties, they also have Property Version Numbers (PVNs). Every property of an object has a PVN, and each time a property is modified, its PVN is incremented by 1. (Sound familiar?) These PVNs are used to detect collisions, which happen when there are multiple changes to the same property of an object. If a collision occurs, the change with the highest PVN takes precedence.

If those PVNs match, a time stamp is used to resolve any such conflicts. Time stamps are a great second line of defense in avoiding collisions. They explicitly mark when each change to the directory data has been made, thus enabling the system to determine whether one change does in fact take precedence over another.

In the highly unlikely event that the PVNs match and the time stamp is the same, a binary buffer comparison is carried out and the larger buffer size takes precedence. PVNs (unlike USNs) are incremented only on original writes, not on replication writes. PVNs are not server specific but travel with the object's properties.
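The collision rules from the three paragraphs above, as an added Python example that is not from the book: an originating write bumps the PVN, a replicated write carries the PVN across unchanged, and a conflict is settled by PVN, then time stamp, then buffer size. The class and function names and the sample phone numbers are mine.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class PropertyWrite:
    """One change to a single property, as shipped between DCs (constructed)."""
    value: bytes
    pvn: int
    stamp: datetime


@dataclass
class Property:
    """A property as held by one DC: current value plus its PVN and time stamp."""
    value: bytes
    pvn: int = 0
    stamp: datetime = datetime.min

    def originating_write(self, value: bytes, when: datetime) -> PropertyWrite:
        """A local edit: the PVN is incremented and the change is shipped out."""
        self.pvn += 1
        self.value, self.stamp = value, when
        return PropertyWrite(value, self.pvn, when)

    def replicated_write(self, incoming: PropertyWrite) -> bool:
        """An inbound change: applied only if it wins; its PVN is copied, not bumped."""
        # Tie-break order from the text: PVN, then time stamp, then buffer size.
        mine = (self.pvn, self.stamp, len(self.value))
        theirs = (incoming.pvn, incoming.stamp, len(incoming.value))
        if theirs <= mine:  # a complete tie leaves the value already held in place
            return False
        self.value, self.pvn, self.stamp = incoming.value, incoming.pvn, incoming.stamp
        return True


def collision_demo() -> tuple:
    """Two DCs edit the same phone number before replicating; both converge on the later write."""
    dc1 = Property(b"555-0100", pvn=3, stamp=datetime(2003, 5, 1, 9, 0))
    dc2 = Property(b"555-0100", pvn=3, stamp=datetime(2003, 5, 1, 9, 0))
    w1 = dc1.originating_write(b"555-0111", datetime(2003, 5, 1, 10, 0))  # PVN 4
    w2 = dc2.originating_write(b"555-0199", datetime(2003, 5, 1, 10, 5))  # PVN 4, later
    dc1.replicated_write(w2)  # same PVN, later stamp: DC2's value wins on DC1
    dc2.replicated_write(w1)  # same PVN, earlier stamp: rejected on DC2
    return dc1.value, dc2.value, dc1.pvn, dc2.pvn


def buffer_size_demo() -> tuple:
    """Same PVN and time stamp: larger buffer wins; a lower PVN loses even with a later stamp."""
    p = Property(b"ab", pvn=2, stamp=datetime(2003, 1, 1))
    accepted = p.replicated_write(PropertyWrite(b"xyz", 2, datetime(2003, 1, 1)))
    rejected = p.replicated_write(PropertyWrite(b"q", 1, datetime(2004, 1, 1)))
    return accepted, rejected, p.value
```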

A propagation-dampening scheme is also used to stop changes from being repeatedly sent to other servers. The propagation-dampening scheme used by Windows Server 2003 prevents logical loops in the Active Directory structure from causing endless proliferation of updates and prevents redundant transmission of updates to already current servers.

The grand schema things

Every object in an Active Directory forest is part of the same schema. The schema defines the different types of information that Active Directory objects can have and store in Active Directory. The two main data definitions outlined in the schema are attributes and classes.

For example, a user object has attributes such as name, address, and phone number. The collection of these attributes and their definitions is called the schema. You may think of an object's schema as a laundry list of its attributes or a checklist of its capabilities. The default schema supplies definitions for users, computers, domains, and more. You can have only one schema per domain per object because you can't have multiple definitions for the same object.

The default schema definition is defined in the SCHEMA.INI file, which also contains the initial structure for the NTDS.DIT file that stores Active Directory data. The SCHEMA.INI file is located in the %systemroot%\ntds directory, it's an ASCII file, and it can be viewed on the screen or printed.

By default, the Active Directory schema cannot be easily edited. For example, you could easily add a salary attribute or an employee ID to the user object. In most cases you should leave schema editing up to the most senior programmers or system administrators, because changes made to the schema can't be undone and incorrect edits can severely damage your Active Directory and affect the entire forest. Some applications, such as Exchange, will edit the schema for you when they're installed. If you feel the need to edit the schema for whatever reason, lie down and wait for that feeling to go away. If it comes back, hire a professional Active Directory Programmer.

Warning

An entire enterprise forest (a collection of Active Directory trees in a single organizational container) shares a single schema. If you change that schema, it affects every domain controller in every linked domain. Therefore, you'd better be sure that any changes you make are both correct and desirable. The schema should be changed only by experienced programmers or schema administrators. For more information on extending the schema, search the Microsoft Web site (http://www.microsoft.com) for "Active Directory Programmer's Guide."

Global catalogs

The global catalog contains entries for all objects in a single Active Directory forest (which is a collection of domain trees that may or may not explicitly share a single, contiguous namespace). It contains all the properties for all the objects in its own domain, and it contains a partial subset of properties from all the remaining objects in the forest. The entire forest shares a single global catalog. Multiple servers hold copies of the entire catalog; these servers are domain controllers called global catalog servers. To hold a copy of the global catalog, a server must maintain a copy of the Active Directory, which automatically makes the server a domain controller.

Searches across the entire forest are limited in scope to the object properties that appear in the global catalog. Searches in a user's local domain can be for any property when you perform a so-called deep search on properties not in the global catalog.

Do not configure too many global catalogs for each domain, because the replication needed to maintain such catalogs can be a burden on a network. One global catalog server per site is usually sufficient.

Tip

Although any given search can encompass a specific container or OU in a domain, a specific domain, a specific domain tree, or the entire forest, in most cases full searches involve querying the entire Active Directory forest through the global catalog.

Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195