Active Directory Considerations


The Active Directory directory service is an essential and inseparable part of the Windows Server 2003 network architecture that provides a directory service designed for distributed networking environments. It offers a single point of management for Windows-based user accounts, clients, servers, and applications. It also helps organizations integrate systems not using Windows with Windows-based applications and Windows-compatible devices, thus consolidating directories and easing management of the entire network operating system.

Companies can also use Active Directory to extend systems securely to the Internet. Active Directory thus increases the value of an organization's existing network investments and lowers the overall costs of computing by making the Windows network operating system more manageable, secure, and interoperable.

The Active Directory directory service uses a structured data store as the basis for a logical, hierarchical organization of directory information. This data store, also known as the directory, contains information about Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts. The directory is stored on domain controllers and can be accessed by network applications or services. A domain can have one or more domain controllers. Each domain controller has a copy of the directory for the domain in which it is located.

Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.

The Active Directory directory service also includes the following components:

  • Schema.

    Active Directory Schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.

  • Global catalog.

    The global catalog contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data. The global catalog is hosted on one or more domain controllers in a forest.

  • Query and index mechanism.

    Active Directory is designed to provide information to queries about directory objects from both users and programs. Administrators and users can easily search for and find information in the directory by using the Search command on the Start menu. Client programs can access information in Active Directory by using Active Directory Services Interface (ADSI).

  • Replication service.

    Except for very small networks, directory data must reside in more than one place on the network to be equally useful to all of your users. Through the automatic process of replication, the Active Directory directory service maintains copies, or replicas, of directory data on each domain controller. Active Directory replication uses a multimaster replication model. With multimaster replication, you can make directory changes at any domain controller, not just at a designated primary domain controller, and your changes will be replicated to all other relevant domain controllers.

  • Client software.

    Computers running Windows 95, Windows 98, and Windows NT 4.0 can access many of the Active Directory features available on Windows 2000 Professional or Windows XP Professional by running the Active Directory client software. To client computers not running Active Directory client software, the directory will appear just like a Windows NT directory.

New Features for Active Directory

Active Directory plays such an important role in managing the network that as you prepare to move to Windows Server 2003, it's helpful to review the new features of the Active Directory service. With the new Active Directory features available in the Standard Edition, Enterprise Edition, and Datacenter Edition, more efficient administration of Active Directory is available to you.

New features can be divided into those available on any domain controller running Windows Server 2003 and those available only when all domain controllers of a domain or forest are running Windows Server 2003. The following list summarizes the Active Directory features that are enabled by default on any domain controller running Windows Server 2003:

  • Multiple selection of user objects.

    Modify common attributes of multiple user objects at one time.

  • Drag-and-drop functionality.

    Move Active Directory objects from container to container by dragging and dropping one or more objects to a desired location in the domain hierarchy. You can also add objects to group membership lists by dragging and dropping one or more objects (including other group objects) onto the target group.

  • Efficient search capabilities.

    Conduct efficient browseless searches that minimize network traffic associated with browsing objects.

  • Saved queries.

    Save commonly used search parameters for reuse in Active Directory Users and Computers.

  • Active Directory command-line tools.

    Run new directory service commands for administration scenarios.

  • Selective class creation.

    Create instances of specified classes in the base schema of a Windows Server 2003 forest. You can create instances of several common classes, including country or region, person, organizationalPerson, groupOfNames, device, and certificationAuthority.

  • InetOrgPerson class.

    The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.

  • Application directory partitions.

    Configure the replication scope for application-specific data among domain controllers running the Standard Edition, Enterprise Edition, and Datacenter Edition. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

  • Add domain controllers to existing domains by using backup media.

    Reduce the time it takes to add a domain controller in an existing domain by using backup media.

  • Universal group membership caching.

    Prevent the need to locate a global catalog across a WAN during logons by storing user universal group memberships on an authenticating domain controller.

New domainwide or forestwide Active Directory features can be enabled only when all domain controllers in a domain or forest are running Windows Server 2003 and the domain functionality or forest functionality has been set to Windows Server 2003. The following list summarizes the domainwide and forestwide Active Directory features that can be enabled when either a domain or a forest functional level has been raised to Windows .NET.

  • Domain controller rename tool.

    Rename domain controllers without first demoting them.

  • Domain rename.

    Rename any domain running Windows Server 2003 domain controllers. You can change the NetBIOS name or DNS name of any child, parent, tree-root, or forest-root domain.

  • Forest trusts.

    Create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second forest.

  • Forest restructuring.

    Move existing domains to other locations in the domain hierarchy.

  • Defunct schema objects.

    Deactivate unnecessary classes or attributes from the schema.

  • Dynamic auxiliary classes.

    Dynamically link auxiliary classes to individual objects, not just to entire classes of objects. Auxiliary classes that have been attached to an object instance can subsequently be removed from the instance.

  • Global catalog replication tuning.

    Retain the synchronization state of the global catalog when an administrative action results in an extension of the partial attribute set. This minimizes the work generated as a result of a partial attribute set extension by transmitting only attributes that were added.

  • Replication enhancements.

    Replicate individual group members across the network instead of having to treat the entire group membership as a single unit of replication.
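The feature gates described above (the domain and forest functional levels, the application directory partitions a domain controller hosts, and which domain controllers hold the global catalog) can all be read out of the directory with ADSI. The following PowerShell script is an added example, not code from the book; it assumes a domain-joined host whose caller can read RootDSE and the Configuration partition, and hard-codes no server or domain names.

```powershell
# Added example (not from the book): report Windows Server 2003 feature gates over ADSI.
# Assumes a domain-joined host with read access to RootDSE and the Configuration partition.
$rootDse = [ADSI]'LDAP://RootDSE'

# Functional-level values as stored in the directory; level 2 is where the domainwide
# and forestwide features listed above become available.
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
function Get-LevelName([int]$level) {
    if ($levelNames.ContainsKey($level)) { $levelNames[$level] }
    else { "later than Windows Server 2003 (raw value $level)" }
}
$domainLevel = [int]$rootDse.Properties['domainFunctionality'].Value
$forestLevel = [int]$rootDse.Properties['forestFunctionality'].Value
"Domain functional level : $(Get-LevelName $domainLevel)"
"Forest functional level : $(Get-LevelName $forestLevel)"

# Application directory partitions hosted by this DC: every naming context that is not
# the domain, Configuration or Schema partition (DNS zone partitions appear here).
$standardNcs = @('defaultNamingContext', 'configurationNamingContext', 'schemaNamingContext') |
    ForEach-Object { $rootDse.Properties[$_].Value }
$appPartitions = $rootDse.Properties['namingContexts'] | Where-Object { $standardNcs -notcontains $_ }
"Application partitions  : $($appPartitions -join '; ')"

# Global catalog servers: nTDSDSA objects under CN=Sites in the Configuration partition
# whose options attribute has bit 0x1 (NTDSDSA_OPT_IS_GC) set; the parent server object
# carries the domain controller's DNS host name.
$configNc   = $rootDse.Properties['configurationNamingContext'].Value
$sitesEntry = [ADSI]"LDAP://CN=Sites,$configNc"
$filter     = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($sitesEntry, $filter)
$gcHosts = foreach ($result in $searcher.FindAll()) {
    $result.GetDirectoryEntry().Parent.Properties['dNSHostName'].Value
}
"Global catalog servers  : $($gcHosts -join ', ')"
```

Run it from any domain-joined machine before raising a functional level or changing DNS partition replication scope, so the current state is recorded alongside the change.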

Compatibility with Windows NT 4.0

The Active Directory directory service is compatible with Windows NT 4.0 Server and supports mixed operation, in which domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003 coexist in the same environment. This allows you to upgrade domains and computers at your own pace, based on your organization's needs.

Active Directory supports the NTLM protocol used by Windows NT. This enables authorized users and computers from a Windows NT domain to log on and access resources in Windows 2000 or Windows Server 2003 domains. To clients running Windows 95, Windows 98, or Windows NT that are not running Active Directory client software, a Windows 2000 or Windows Server 2003 domain appears to be a Windows NT 4.0 domain.

The upgrade to Active Directory can be gradual and performed without interrupting operations. If you follow domain upgrade recommendations, it should never be necessary to take a domain offline to upgrade domain controllers, member servers, or workstations. When upgrading a Windows NT domain, you must upgrade the primary domain controller first. You can upgrade member servers and workstations at any time after this.

Active Directory allows upgrading from any Windows NT 4.0 domain model and supports both centralized and decentralized models. The typical master or multiple-master domain model can be easily upgraded to an Active Directory forest.


Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153