Active Directory Basics


Active Directory is the directory service for the Windows Server 2003 family of products. (Active Directory cannot run on Windows Server 2003, Web Edition, but it can manage any computer running Web Edition.)

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. The sections following this one describe the directory data store and other concepts that are important when evaluating Active Directory and Windows Server 2003.

Directory Data Store

The directory data store is often simply referred to as the directory. The directory contains information about objects such as users, groups, computers, domains, organizational units (OUs), and security policies. This information can be published for users and administrators.

The directory is stored on servers known as domain controllers and can be accessed by network applications or services. A domain can have one or more domain controllers. Each domain controller has a writable copy of the directory for the domain in which it is located. Changes made to the directory are replicated from the originating domain controller to other domain controllers in the domain, domain tree, or forest. Because the directory is replicated, and because each domain controller has a writable copy of the directory, the directory is highly available to users and administrators throughout the domain.

Directory data is stored in the Ntds.dit file on the domain controller. This file should preferably be stored on an NTFS partition. Some data is stored in the directory database file, and some data (such as logon scripts or Group Policies) is stored in a replicated file system. Three categories of directory data are replicated between domain controllers:

  • Domain data.

    The domain data contains information about objects within a domain. This is the information typically thought of as directory information, such as e-mail contacts, user and computer account attributes, and published resources that are of interest to administrators and users. For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your organization's directory objects occur, such as object creation, object deletion, or attribute modification, this data is stored in the domain data.

  • Configuration data.

    The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests and the locations of the domain controllers and global catalogs.

  • Schema data.

    The schema is the formal definition of all object and attribute data that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and programmers can extend the schema by defining new object types and attributes or by adding new attributes for existing objects. Schema objects are protected by access control lists (ACLs), ensuring that only authorized users can alter the schema.

Active Directory and Security

Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.

Active Directory provides protected storage of user account and group information by using access control on objects and user credentials. Because Active Directory stores not only user credentials but also access control information, users who log on to the network obtain both authentication and authorization to access system resources. For example, when a user logs on to the network, the security system authenticates the user with information stored in Active Directory. Then, when the user attempts to access a service on the network, the system checks the properties defined in the discretionary access control list (DACL) for that service.

Because Active Directory allows administrators to create group accounts, administrators can manage system security more efficiently. For example, by adjusting a file's properties, an administrator can permit all users in a group to read that file. In this way, access to objects in Active Directory is based on group membership.
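The authorization step described above (authenticated identity plus group memberships checked against a DACL) can be illustrated with a small model of the Windows access check. This is an added example, not code from the book: the SIDs, the access-mask bits and the `Ace`/`Token` types are constructed for illustration, and the function implements only the simple case of the documented rules (explicit deny before allow, a NULL DACL grants everything, an empty DACL grants nothing).

```python
"""Simplified model of the Windows DACL access check.

Added example; not the book's code.  SIDs and mask bits are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed access-mask bits (real Windows masks use different values).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4

# Constructed SIDs for the sample below.
USER_SID = "S-1-5-21-1-2-3-1105"
FINANCE_GROUP_SID = "S-1-5-21-1-2-3-2001"
AUDITORS_GROUP_SID = "S-1-5-21-1-2-3-2002"


@dataclass(frozen=True)
class Ace:
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    trustee: str   # SID of the user or group the ACE applies to
    mask: int      # rights this ACE grants or denies


@dataclass
class Token:
    """What the logon produced: the user's SID plus the SIDs of its groups."""
    user_sid: str
    group_sids: FrozenSet[str] = field(default_factory=frozenset)

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: Token, dacl: Optional[List[Ace]], desired: int) -> bool:
    """Return True when every bit of `desired` is granted to `token`.

    - A NULL DACL (None) grants everything to everyone (a classic misconfiguration).
    - An empty DACL grants nothing.
    - ACEs are walked in order.  A matching deny ACE that covers any bit not
      yet granted fails the check; a matching allow ACE grants its bits.
      Because explicit deny ACEs precede allow ACEs in canonical order,
      a group deny wins over a group allow for the same right.
    """
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if not token.holds(ace.trustee):
            continue          # ACE is for someone else; skip it
        if not ace.allow:
            if ace.mask & remaining:
                return False  # explicit deny on a right still being requested
        else:
            remaining &= ~ace.mask
    return remaining == 0


def sample_dacl() -> List[Ace]:
    """Constructed DACL: Finance may read but is explicitly denied write."""
    return [
        Ace(allow=False, trustee=FINANCE_GROUP_SID, mask=WRITE),
        Ace(allow=True, trustee=FINANCE_GROUP_SID, mask=READ | WRITE),
        Ace(allow=True, trustee=AUDITORS_GROUP_SID, mask=READ),
    ]


def demo() -> dict:
    """Run the check for a Finance member against the sample DACL."""
    token = Token(USER_SID, frozenset({FINANCE_GROUP_SID}))
    return {
        "read": access_check(token, sample_dacl(), READ),          # True
        "write": access_check(token, sample_dacl(), WRITE),        # False: deny wins
        "empty_dacl": access_check(token, [], READ),               # False
        "null_dacl": access_check(token, None, READ | WRITE),      # True
    }


if __name__ == "__main__":
    print(demo())
```

The ordering of the ACEs is the point: the same group is both denied and allowed WRITE, and the deny entry placed first is what the check honours. The NULL-DACL case is included because an object whose security descriptor carries no DACL at all is wide open, which is the opposite of what an empty DACL does.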

Active Directory Schema

The Active Directory Schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. Because the definitions are themselves stored as objects, Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes (also referred to as schema objects or metadata) can be described as follows:

  • Classes.

    Classes, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.

  • Attributes.

    Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes but is defined once in the schema, ensuring consistency.

    Attributes describe objects. Each attribute has its own definition describing the type of information that can be specified for that attribute. Each attribute in the schema is specified in the Attribute-Schema class, which determines the information that each attribute definition must contain. The list of attributes that can be applied to a particular object is determined by the class of which the object is an instance and by any superclasses of that object's class. Attributes are defined only once and are potentially used many times. This ensures consistency across all classes that share a particular attribute.

  • Multivalued Attributes.

    Attributes can be single-valued or multivalued. The schema definition of an attribute specifies whether an instance of the attribute can have multiple values. An instance of a single-valued attribute can be empty, or it can contain a single value. An instance of a multivalued attribute can be empty, or it can contain a single value or multiple values. Each value of a multivalued attribute must be unique.

  • Indexing Attributes.

    Indexes apply to attributes, not to classes. Indexing an attribute can help queries more quickly find objects having that attribute. When you mark an attribute as indexed, all instances of the attribute are added to the index, not just the instances that are members of a particular class. Adding indexed attributes can affect Active Directory replication time, available memory, and database size. Because the database is larger, it takes longer to replicate.

    Multivalued attributes can also be indexed. Indexing multivalued attributes increases the size of Active Directory and object creation time more than does indexing single-valued properties. When choosing attributes to be indexed, make sure that they will be commonly used and balance the cost versus performance.

    An indexed schema attribute can also be searched by the container in which the attribute is stored rather than by the entire Active Directory database. This will improve search time and cut down on the amount of resources used during the search.
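The properties discussed above (single-valued versus multivalued, indexed, container-indexed) are recorded on each attributeSchema object in the schema partition, and the same objects also record whether the attribute is copied to the global catalog's partial replica. The following added example, which is not code from the book, parses a constructed LDIF export of a few such objects and decodes them. The bit meanings for `searchFlags` follow the published schema documentation; the entries themselves (including the `exampleBadgePIN` attribute) are made up for the example.

```python
"""Decode attributeSchema definitions from an LDIF export of the schema partition.

Added example, not the book's code.  SAMPLE_LDIF is constructed.
"""
from typing import Dict, List

# searchFlags bits on attributeSchema objects (low-order subset).
SEARCH_FLAGS = {
    0x001: "indexed",               # fATTINDEX: index over the attribute
    0x002: "containerized index",   # fPDNTATTINDEX: index scoped to the container
    0x004: "ANR",                   # ambiguous name resolution set
    0x008: "preserve on delete",    # kept on the tombstone
    0x010: "copy on duplicate",     # copied when a user object is duplicated
    0x020: "tuple index",           # supports medial (*abc*) searches
    0x040: "subtree index",         # index for VLV/subtree searches
    0x080: "confidential",          # readable only with an explicit right
    0x100: "never audit value",
    0x200: "RODC filtered",         # not replicated to read-only DCs
}

SAMPLE_LDIF = """\
dn: CN=Description,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: description
isSingleValued: FALSE
searchFlags: 0
isMemberOfPartialAttributeSet: TRUE

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
isSingleValued: TRUE
searchFlags: 13
isMemberOfPartialAttributeSet: TRUE

dn: CN=example-Badge-PIN,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: exampleBadgePIN
isSingleValued: TRUE
searchFlags: 128
isMemberOfPartialAttributeSet: FALSE

dn: CN=Top,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: classSchema
lDAPDisplayName: top
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Folded lines (a leading space) are joined to the previous value.  Base64
    values ("::") do not occur in the sample and are left undecoded.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    prev = None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev is not None:
            current[prev][-1] += raw[1:]
            continue
        if not raw.strip():           # blank line ends an entry
            if current:
                entries.append(current)
            current, prev = {}, None
            continue
        key, _, value = raw.partition(":")
        current.setdefault(key, []).append(value.strip())
        prev = key
    if current:
        entries.append(current)
    return entries


def describe_attributes(text: str) -> Dict[str, dict]:
    """Return {lDAPDisplayName: summary} for every attributeSchema entry."""
    out: Dict[str, dict] = {}
    for entry in parse_ldif(text):
        if "attributeSchema" not in entry.get("objectClass", []):
            continue                  # classSchema and others are skipped
        flags = int(entry.get("searchFlags", ["0"])[0])
        out[entry["lDAPDisplayName"][0]] = {
            "multivalued": entry.get("isSingleValued", ["TRUE"])[0].upper() == "FALSE",
            "in_global_catalog": entry.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() == "TRUE",
            "flags": [name for bit, name in SEARCH_FLAGS.items() if flags & bit],
        }
    return out


if __name__ == "__main__":
    for name, info in describe_attributes(SAMPLE_LDIF).items():
        print(f"{name}: {info}")
```

Reviewing a schema export this way is a cheap check before adding custom attributes: a value that should not leave the domain should not be marked for the partial attribute set, and a sensitive value should carry the confidential flag so that ordinary read permission on the object does not expose it.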

Experienced developers and network administrators can dynamically extend the schema by defining new classes and new attributes for existing classes. The domain controller that holds the schema operations master role controls the content of the schema. A copy of the schema is replicated to all domain controllers in the forest. The use of this common schema ensures data integrity and consistency throughout the forest. You can also extend the schema by using the Active Directory Schema snap-in. To modify the schema, you must satisfy both of the following requirements: be a member of the Schema Administrators group (or have the rights to modify the schema master delegated to you by an administrator) and install the Active Directory Schema snap-in on the computer holding the schema operations master role. When considering changes to the schema, you should keep three key points in mind:

  • Schema extensions are global.

    When you extend the schema, you extend it for the entire forest because any changes to the schema are replicated to every domain controller in every domain in the forest.

  • Schema classes related to the system cannot be modified.

    You cannot modify default system classes within the Active Directory schema; however, applications that are used to modify the schema might add optional system classes, which you can change.

  • Schema extensions can be reversible.

    Some properties of attributes or classes can be modified after creation. Once a new class or attribute has been added to the schema, it can be deactivated, but it cannot be removed. However, you can mark definitions as defunct and reuse object identifiers (OIDs) or display names, which allows you to reverse a schema definition.

For more information about modifying the schema, see the Microsoft Windows Resource Kits at http://www.microsoft.com/reskit/. Active Directory does not support deletion of schema objects; however, objects can be marked as deactivated, providing many of the benefits of deletion.

The Global Catalog

A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. In addition, the global catalog stores each object's most common searchable attributes. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, thus providing efficient searches without unnecessary referrals to domain controllers.

A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller. A global catalog performs the following directory roles:

  • Finds objects.

    A global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest are performed with maximum speed and minimum network traffic. When you search for people or printers from the Start menu or choose the Entire Directory option within a query, you are searching a global catalog. Once you enter your search request, it is routed to the default global catalog port and sent to a global catalog for resolution.

  • Supplies user principal name authentication.

    A global catalog resolves user principal names when the authenticating domain controller does not have knowledge of the account. For example, if a user's account is located in example1.microsoft.com and the user decides to log on with the user principal name user1@example1.microsoft.com from a computer located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the user's account and will then contact a global catalog server to complete the logon process.

  • Supplies universal group membership information in a multiple-domain environment.

    Unlike global group memberships, which are stored in each domain, universal group memberships are stored only in a global catalog. For example, when a user who belongs to a universal group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the global catalog provides universal group membership information for the user's account. If a global catalog is not available when a user logs on to a domain running in Windows 2000 native or higher, the computer will use cached credentials to log on the user if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can log on to only the local computer.

Note

Members of the Domain Administrators group are able to log on to the network even when a global catalog is not available.


Finding Directory Information

As explained earlier, Active Directory is designed to provide information to queries about directory objects from both users and programs. Administrators and users can easily search for and find information in the directory by using the Search command on the Start menu. Client programs can access information in Active Directory by using Active Directory Services Interface (ADSI).

One of the principal benefits of Active Directory is its rich store of information about network objects. Information published in Active Directory about users, computers, files, and printers is available to network users. This availability is controlled by security permissions.

Everyday tasks on a network involve communication with other users and connection to published resources. These tasks require finding names and addresses to send mail or connect to shared resources. In this respect, Active Directory functions as a shared address book for the enterprise. For example, you can find a user by first name, last name, e-mail name, office location, or other properties of that person's user account. Finding information is optimized by use of the global catalog, as explained earlier.

Administrators can use the Advanced Find dialog boxes in the Active Directory Users And Computers snap-in to perform management tasks with greater efficiency and to easily customize and filter data retrieved from the directory. In addition, administrators can add objects to groups quickly and with minimal network impact by utilizing browseless queries to help find likely members.

Active Directory Replication

Replication provides information availability, fault tolerance, load balancing, and performance benefits for the directory. Active Directory uses multimaster replication, which lets you update the directory at any domain controller, rather than at a single, primary domain controller. The multimaster model has the benefit of greater fault tolerance because, with multiple domain controllers, replication continues, even if any single domain controller stops working. A domain controller stores and replicates the following types of information:

  • Schema information.

    This defines the objects that can be created in the directory and the attributes those objects can have. This information is common to all domains in the forest. Schema data is replicated to all domain controllers in the forest.

  • Configuration information.

    This describes the logical structure of your deployment, containing information such as domain structure or replication topology. This information is common to all domains in the forest. Configuration data is replicated to all domain controllers in the forest.

  • Domain information.

    This describes all of the objects in a domain. This data is domain-specific and is not distributed to any other domains. For the purpose of finding information throughout the domain tree or forest, a subset of the properties for all objects in all domains is stored in the global catalog. Domain data is replicated to all domain controllers in the domain.

  • Application information.

    Information stored in the application directory partition is intended to satisfy cases in which information needs to be replicated, but not necessarily on a global scale. Application data can be explicitly rerouted to administrator-specified domain controllers within a forest to prevent unnecessary replication traffic, or it can be set to replicate to all domain controllers in the domain.
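The partition list above, together with the global catalog behaviour described earlier (a full replica of the host domain, a partial replica of every other domain, and the fallback to a global catalog when a user principal name is unknown to the authenticating domain controller), can be captured in one small model. This is an added example rather than code from the book: the `Forest`, `Domain` and `DomainController` types, the `AppPartition1` partition and the `dc1`/`dc2` controllers are constructed, while the domain names and the user principal name reuse the ones from the book's example.

```python
"""Model of directory partitions held per domain controller and of UPN
resolution through a global catalog.

Added example, not the book's code.  The forest layout is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Domain:
    name: str
    users: Dict[str, str] = field(default_factory=dict)   # UPN -> account DN


@dataclass
class DomainController:
    name: str
    domain: str
    is_gc: bool = False                                    # hosts a global catalog
    app_partitions: Set[str] = field(default_factory=set)  # explicitly enlisted


@dataclass
class Forest:
    domains: Dict[str, Domain]
    dcs: Dict[str, DomainController]

    def partitions(self, dc_name: str) -> Dict[str, str]:
        """Partitions a DC replicates and whether each copy is full or partial.

        Schema and configuration go to every DC in the forest; the DC's own
        domain is a full replica; a global catalog additionally keeps a
        partial (read-only) replica of every other domain; application
        partitions reach only the DCs enlisted in them.
        """
        dc = self.dcs[dc_name]
        held = {"schema": "full", "configuration": "full", dc.domain: "full"}
        if dc.is_gc:
            for other in self.domains:
                if other != dc.domain:
                    held[other] = "partial"
        for app in dc.app_partitions:
            held[app] = "full"
        return held

    def resolve_upn(self, dc_name: str, upn: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (account DN, name of the DC that resolved it).

        The authenticating DC checks its own domain first.  If the UPN is not
        there it asks a global catalog, whose partial replicas cover every
        domain.  With no GC reachable the logon cannot be completed: (None, None).
        """
        dc = self.dcs[dc_name]
        local = self.domains[dc.domain].users.get(upn)
        if local:
            return local, dc_name
        for gc in self.dcs.values():
            if gc.is_gc:
                for domain in self.domains.values():
                    if upn in domain.users:
                        return domain.users[upn], gc.name
                return None, gc.name          # GC answered: no such UPN in the forest
        return None, None


def build_sample_forest() -> Forest:
    """Constructed two-domain forest: dc1 in example1 is the only GC."""
    d1 = Domain("example1.microsoft.com",
                {"user1@example1.microsoft.com":
                 "CN=user1,CN=Users,DC=example1,DC=microsoft,DC=com"})
    d2 = Domain("example2.microsoft.com")
    dc1 = DomainController("dc1", d1.name, is_gc=True, app_partitions={"AppPartition1"})
    dc2 = DomainController("dc2", d2.name)
    return Forest({d1.name: d1, d2.name: d2}, {"dc1": dc1, "dc2": dc2})


if __name__ == "__main__":
    forest = build_sample_forest()
    print(forest.partitions("dc2"))
    print(forest.resolve_upn("dc2", "user1@example1.microsoft.com"))
```

Running the model with the global catalog switched off (set `is_gc` to `False` on `dc1`) reproduces the failure mode described under "The Global Catalog": a user logging on through `dc2` with a UPN from the other domain gets no answer at all, which is why a forest with more than one domain should place a global catalog in every site.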

Sites streamline replication of directory information. Directory schema and configuration information is replicated throughout the forest, and domain data is replicated among all domain controllers in the domain and partially replicated to global catalogs. By strategically reducing replication, you can similarly reduce the strain on your network. Domain controllers use sites and replication change control to optimize replication in the following ways:

  • By occasionally reevaluating which connections are used, Active Directory uses the most efficient network connections.

  • Active Directory uses multiple routes to replicate changes, providing fault tolerance.

  • Replication costs are minimized because only changed information is replicated.

If a deployment is not organized into sites, information exchange among domain controllers and clients can be chaotic. Sites improve the efficiency of network usage. Active Directory replicates directory information within a site more frequently than among sites. This way, the best-connected domain controllers (those most likely to need particular directory information) receive replications first. The domain controllers at other sites receive all changes to the directory, but less frequently, reducing network bandwidth consumption. And because data is compressed when replicated between sites, bandwidth consumption is further reduced. For the sake of efficiency, updates are limited only to times when new directory information has been added or current directory information has been changed.

If directory updates are constantly distributed to all other domain controllers in the domain, they will consume network resources. Although you can manually add or configure connections or force replication over a particular connection, replication is automatically optimized by the Active Directory Knowledge Consistency Checker (KCC) based on information that you provide in the Active Directory Sites And Services administration tool. The KCC is responsible for constructing and maintaining the replication topology for Active Directory. In particular, the KCC decides when replication will occur and the set of servers that each server must replicate with.

Active Directory Clients

With the Active Directory client, many of the Active Directory features available on Windows 2000 Professional or Microsoft Windows XP Professional are available to computers running Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows NT 4 operating systems:

  • Site awareness.

    You can log on to the domain controller that is closest to the client in the network.

  • Active Directory Services Interface.

    You can use scripts to access Active Directory through ADSI. ADSI also provides a common programming API for Active Directory programmers.

  • Distributed File System (DFS) fault tolerance client.

    You can access DFS fault-tolerant and failover file shares, specified in Active Directory, on Windows 2000 servers and on servers running Windows .NET.

  • NTLM version 2 authentication.

    You can use the improved authentication features in Windows NT Challenge/Response Authentication (NTLM) version 2. For more information about enabling NTLM version 2, see article Q239869, "How to Enable NTLM 2 Authentication," in the Microsoft Knowledge Base at http://support.microsoft.com/.

  • Active Directory Windows Address Book (WAB) property pages.

    You can change properties, such as phone number and address, on user object pages.

  • Active Directory search capability.

    From the Start button, you can locate printers and people in a Windows 2000 Server or Windows .NET domain. For information about publishing printers in Active Directory, see article Q234619, "Publishing a Printer in Windows Active Directory," in the Microsoft Knowledge Base at http://support.microsoft.com/.

Windows 2000 Professional and Windows XP Professional provide functionality not included in the Active Directory client on Windows 95, Windows 98, and Windows NT 4, including support for Kerberos version 5, for Group Policy and IntelliMirror management technologies, and for service principal names and mutual authentication. You can take advantage of these additional features by upgrading to Windows 2000 Professional or Windows XP Professional. For more information, see the following resources:

  • Upgrading to Windows 2000 at http://www.microsoft.com/windows2000/professional/howtobuy/upgrading/

  • Windows XP Professional Upgrade Center at http://www.microsoft.com/windowsxp/pro/howtobuy/upgrading/

  • Active Directory client page at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp



Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153