Introduction


Active Directory is an LDAP-based directory that supports the LDAP v3 specification defined in RFC 2251. In this chapter, I'm going to cover some of the most common tasks that you'll need to do to support an Active Directory infrastructure. However, Active Directory is a complex intermixed set of technologies that cannot be covered comprehensively in a single chapter. If you want more information after finishing this chapter, read Active Directory (O'Reilly) to get a thorough understanding of Active Directory's capabilities or Active Directory Cookbook (O'Reilly) for more examples, scripts, and tips.

A Really Brief Introduction

A forest is a logical structure that is a collection of domains, plus the Configuration and Schema naming contexts and any application partitions. Forests are considered the primary security boundary in Active Directory. That is, if you need to definitively restrict access to a domain so that administrators from other domains cannot reach it, you must implement a separate forest (and subsequently a domain in that forest) instead of using another domain within the existing forest. This is due to the transitive trust relationship between all domains in a forest and the extensive permissions that members of the Domain Admins group have. Unlike domains and trusts, a forest is not represented by a container or any other type of object in Active Directory. At a minimum, a forest consists of three naming contexts: the forest root domain, the Configuration Naming Context (NC), and the Schema NC. The Partitions container in the Configuration NC lists the partitions that are associated with a forest. Here are the types of partitions that can be part of a forest:


Configuration NC

Contains data that is applicable across all of the domains and thus is replicated to all domain controllers in the forest. Some of this data includes the site topology, list of partitions, published services, display specifiers, and extended rights.


Schema NC

Contains the objects that describe how data can be structured and stored in Active Directory. The classSchema objects in the Schema NC represent class definitions for objects. The attributeSchema objects describe what data can be stored with classes. The Schema NC is replicated to all domain controllers in a forest.


Domain NC

A domain is a naming context that holds domain-specific data including user, group, and computer objects.


Application partitions

Configurable partitions that can be rooted anywhere in the forest and can be replicated to any domain controller in the forest. These are not available with Windows 2000.

Each Active Directory domain is served by one or more domain controllers. A domain controller is authoritative for a single domain, but it can also store partial, read-only copies of objects from other domains in the forest if it is enabled as a global catalog server. All domain controllers in a forest also replicate the Configuration and Schema naming contexts.
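As an added example that is not part of the cookbook, the following PowerShell script reads the forest's naming contexts from RootDSE and then enumerates the crossRef objects in the Partitions container of the Configuration NC, classifying each one as a domain NC, an application partition, or the Configuration/Schema NC from its systemFlags bits. It assumes a domain-joined Windows host and a caller permitted to read the Configuration NC (which authenticated users can by default).

```powershell
# Added example (not from the Windows Server Cookbook): list the partitions of
# the current forest via the Partitions container of the Configuration NC.
# Assumes a domain-joined host; the LDAP paths are resolved from RootDSE.

$rootDse    = [ADSI]"LDAP://RootDSE"
$forestRoot = $rootDse.rootDomainNamingContext.Value
$configNc   = $rootDse.configurationNamingContext.Value
$schemaNc   = $rootDse.schemaNamingContext.Value

"Forest root domain NC : $forestRoot"
"Configuration NC      : $configNc"
"Schema NC             : $schemaNc"
""

# systemFlags bits on a crossRef object (from the AD schema reference):
#   1 = FLAG_CR_NTDS_NC                (the NC is hosted in Active Directory)
#   2 = FLAG_CR_NTDS_DOMAIN            (the NC is a domain)
#   4 = FLAG_CR_NTDS_NOT_GC_REPLICATED (never replicated to global catalogs)
# Application partitions therefore carry bits 1 and 4 but not bit 2.
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter      = "(objectClass=crossRef)"
$searcher.SearchScope = "OneLevel"
$null = $searcher.PropertiesToLoad.AddRange(@("nCName", "dnsRoot", "systemFlags"))

foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties                      # keys are lowercased by the API
    $flags = 0
    if ($p.Contains("systemflags")) { $flags = [int]$p["systemflags"][0] }

    $kind = if (($flags -band 2) -ne 0) {
                "domain NC"
            } elseif (($flags -band 1) -ne 0 -and ($flags -band 4) -ne 0) {
                "application partition"
            } elseif (($flags -band 1) -ne 0) {
                "configuration/schema NC"
            } else {
                "external crossRef"               # refers to an NC outside this forest
            }

    $dnsRoot = if ($p.Contains("dnsroot")) { $p["dnsroot"][0] } else { "-" }
    "{0,-24} {1,-30} {2}" -f $kind, $dnsRoot, $p["ncname"][0]
}
```

Any partition that is flagged as a domain NC but that you did not expect to exist is worth investigating, since every domain in the forest trusts the others transitively.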

Active Directory is a multimaster directory, meaning that updates can be made on any domain controller in a domain, but some tasks cannot be distributed to all servers due to concurrency issues. For example, if two different domain controllers made conflicting updates to the schema, the impact could be severe and could result in data loss. For this reason, Active Directory supports Flexible Single Master Operations (FSMO) roles. For each role there is only one domain controller that acts as the role owner and performs the tasks associated with the role. See Recipe 15.18 for more information on FSMO roles.



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
