Active Directory includes the directory, which stores information about network resources and the services that make that information available and useful. The directory stores such objects as users, printers, servers, databases, groups, services, computers, and security policies. Active Directory is integrated with Windows 2000 Server and provides simplified administration, scalability, open standards support, and support for standard name formats. In this lesson you’ll be introduced to how Active Directory is integrated into Windows 2000 Server, and you’ll learn about the Active Directory structures. This lesson also describes the Active Directory replication process.
Active Directory organizes resources hierarchically into domains, which are logical groupings of servers and other network resources. The domain is the basic unit of replication and security in a Windows 2000 network. Each domain contains one or more domain controllers. When a change is made to a domain controller, that change is replicated to all other domain controllers in the domain.
Active Directory stores information by organizing its directory into sections that permit storage for a large number of objects. The directory can expand as an organization grows, allowing administrators to scale their installations to meet the demands of their growing organization.
Active Directory can exist within the scope of the Domain Name System (DNS) used for the Internet namespace. The Active Directory namespace is made up of one or more hierarchical domains beneath a root domain registered as a DNS namespace. Because Active Directory uses DNS as its domain naming and location service, Windows 2000 domain names are also DNS names.
By integrating with DNS, Active Directory can store and replicate DNS zone databases. Normally, zones are stored as text files on name servers. These files are then synchronized among DNS name servers. This system requires a replication process separate from that of Active Directory and the domain controllers. However, when DNS is integrated with Active Directory you can configure a domain controller as a DNS name server so that zone data is stored as an Active Directory object and is replicated as part of the domain replication process.
The Windows 2000 DNS service must run on the domain controllers to be integrated with Active Directory.
Active Directory uses Lightweight Directory Access Protocol (LDAP) as its core protocol. It’s the only wire protocol supported by Active Directory. LDAP, which is an open Internet standard that runs directly over Transmission Control Protocol/Internet Protocol (TCP/IP), is a communication protocol designed for use on TCP/IP networks. LDAP can also run over User Datagram Protocol (UDP) connectionless transports.
LDAP defines how a directory client can access a directory server and how the client can perform directory operations and share directory data. It allows users and applications to query, create, update, and delete information stored in Active Directory. In addition, LDAP allows Active Directory to operate with other vendor directory services.
Active Directory objects represent the physical entities that make up a network. For example, users, printers, and computers are Active Directory objects. Every object is an instance of a particular class. A class defines the attributes available to an instance of that class. An attribute can be present in an object only when the object’s class permits that attribute.
When you create an object in Active Directory, you must provide values for the object’s attributes. You can add only values that are in accordance with the rules stored in the directory schema. For example, when you create a user object, you must provide values for the Full Name attribute and the User Login Name attribute. Without these values, you can’t create a user object because values are required by the directory schema.
In Active Directory, objects can be either leaf objects or container objects. A leaf object doesn’t store other objects, but a container object can. An object class is a container if at least one other class specifies it as a possible superior. As a result, any object class defined in the schema can become a container.
The Active Directory schema defines the types of objects and the types of information about those objects that can be stored in the directory. Two types of definitions are in the schema: attributes and classes.
Attributes are defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but it’s defined only once.
Classes, also referred to as object classes, describe the possible Active Directory objects that can be created. Each class is a collection of attributes. For example, the User class includes attributes such as First Name, Last Name, and Display Name. Every object in Active Directory is an instance of an object class.
Active Directory can be separated into those components that make up the logical structure and those that make up the physical structure. The two structures are completely separate from each other.
The logical structure is made up of domains, trees, forests, and organizational units (OUs), as shown in Figure 8.1.
Figure 8.1 - Active Directory logical structure
This structure mirrors your organization’s structure by grouping resources logically by name rather than by physical location. In Active Directory, a network’s physical structure is transparent to the user.
The domain is the core unit of the logical Active Directory structure. In a domain, network objects, such as users and computers, are grouped together to form an administrative and security boundary. Security policies and settings are confined to one domain and don’t cross from one to another.
Active Directory allows you to organize objects logically so that account and resource management at the domain level is easier and more efficient. You can also publish resources and information about domain objects. When working with multiple domains, you can scale Active Directory to accommodate your administrative and publishing needs by partitioning the directory so that each domain can better serve the particular needs of its user group.
A domain stores information about all network objects within that domain. However, Active Directory can be made up of more than one domain, and a domain can span more than one physical location. In theory, a domain can contain up to 10 million objects, although 1 million objects per domain is more practical.
Above all, a domain is a security boundary. You can use access control lists (ACLs) to control access to domain objects. For example, you can use ACLs to control which users can access specific objects and what type of access those users have to the objects. In Active Directory, objects can include computers, contacts, groups, printers, users, shared folders, and other objects defined in the schema.
A tree is a hierarchical grouping of Active Directory domains. You can create a tree by adding one or more child domains to a parent domain. For example, suppose the parent domain is wingtiptoys.com. You can create two child domains, us.wingtiptoys.com and eu.wingtiptoys.com, and one other domain, sea.us.wingtiptoys.com, that’s a child of us.wingtiptoys.com, as shown in Figure 8.2.
Figure 8.2 - Domain tree for the Wingtip Toys company
Notice that the domains in the tree share a contiguous namespace and hierarchical naming structure. Trees must follow DNS standards. The domain name for a child domain is appended to the parent domain. In addition, all domains within a tree share a common schema and global catalog, which is a central repository of information about objects in a tree. Trust relationships are automatically created between parent and child domains.
A forest groups together one or more domain trees. Although the trees have different naming structures, they share a common schema. In addition, all domains in a forest share a common global catalog. Figure 8.3 shows two domain trees, wingtiptoys.com and tailspintoys.com, which have been grouped together to create a forest.
Figure 8.3 - Domain forest for the Wingtip Toys company and the Tailspin Toys company
The forest enables communication across the entire organization even though the domains operate independently. An implicit two-way transitive trust exists between the domains and domain trees.
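The tree and forest rules above (contiguous DNS naming within a tree, automatic parent/child trusts, transitive trust across the forest) as an added example that is not part of the training kit. The domain names are those of Figures 8.2 and 8.3; it assumes the first listed domain is the forest root domain and that each additional tree root is joined to it by a tree-root trust.

```python
# Added example, not from the training kit: recovers the tree structure of a
# Windows 2000 forest from DNS domain names and derives the trusts described.
from collections import deque

# Constructed input: the domains of Figures 8.2 and 8.3. The first entry is
# assumed to be the forest root domain (the first domain created).
FOREST_DOMAINS = [
    "wingtiptoys.com", "us.wingtiptoys.com", "eu.wingtiptoys.com",
    "sea.us.wingtiptoys.com", "tailspintoys.com",
]

def parent_of(domain, domains):
    """Nearest parent in a contiguous namespace, or None for a tree root: a
    child's DNS name is the parent's name with a label prepended."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def build_forest(domains):
    """Return {tree_root: {domain: parent}} for every tree in the forest."""
    known = {d.lower() for d in domains}
    parents = {d: parent_of(d, known) for d in known}
    trees = {}
    for d in known:
        root = d
        while parents[root] is not None:
            root = parents[root]
        trees.setdefault(root, {})[d] = parents[d]
    return trees

def explicit_trusts(domains):
    """Two-way trusts created without administrator action: one per
    parent/child pair, plus a tree-root trust to the forest root (assumed)."""
    trees = build_forest(domains)
    trusts = {frozenset((d, p)) for tree in trees.values()
              for d, p in tree.items() if p is not None}
    forest_root = domains[0].lower()
    for root in trees:
        if root != forest_root:
            trusts.add(frozenset((forest_root, root)))
    return trusts

def trust_path(src, dst, domains):
    """Trusts are transitive: chain explicit trusts breadth-first, or None."""
    adj = {}
    for a, b in (tuple(t) for t in explicit_trusts(domains)):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    src, dst = src.lower(), dst.lower()
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

A domain at the bottom of the Wingtip Toys tree reaches Tailspin Toys only through the chain of parent/child and tree-root trusts, which is what makes the forest one trust boundary even though each domain remains its own security boundary.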
Within each domain you can organize objects into logical administrative groups that mirror your organization’s structure. An organizational unit (OU) is an Active Directory container that can contain such objects as users, groups, and computers. An OU can also contain other OUs. The OU hierarchy within one domain is independent from other domains; each domain can implement its own OU hierarchy.
An OU is the smallest unit in a domain to which you can delegate administrative authority. As a result, you can group together resources in a way that reflects your organization’s administrative model. You can apply administrative settings to objects within the OU and grant administrative permissions to specific users for objects within a specific OU without compromising the entire domain’s security.
Active Directory’s physical structure, which is independent of the logical structure, consists of sites and domain controllers.
In Active Directory, a site is made up of one or more IP subnets that are connected by highly reliable and fast links. A site often shares the same boundaries as the local area network (LAN). Computers in a site should be well connected, as you’d expect with computers in the same subnet. You should develop multiple sites for wide area networks (WANs) because servicing requests or replicating directory information across WANs can be highly inefficient. Network connections within a site should be at least 512 kilobits per second (Kbps), with an available bandwidth of 128 Kbps or higher.
Sites aren’t part of the namespace. They map your network’s physical structure, and there’s no necessary correlation between your network’s physical structure and its domain structure. A site can contain multiple domains, and a domain can contain multiple sites, as shown in Figure 8.4.
Figure 8.4 - One site for multiple domains and multiple sites for one domain
Sites facilitate authentication. When a client logs on to a domain, the logon mechanism first searches for domain controllers that are located in the same site as the client, increasing the efficiency of the authentication process. Selecting a domain controller that’s well connected to the client makes handling the request more efficient. If a client has to look outside the local site for a domain controller, the authentication process can put strain on the network.
Sites also facilitate replication, which is discussed later in this lesson.
A domain controller is a computer running one of the Windows 2000 Server operating systems and Active Directory. Each domain can contain one or more domain controllers. A domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in that domain. Multiple domain controllers in a domain provide fault tolerance.
When the first domain controller is created in a forest, the global catalog is also created. The global catalog is a central repository of information about objects in a tree or a forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The global catalog enables logon to a native-mode domain by providing universal group membership information to a domain controller when a logon process is initiated. It also enables finding directory information regardless of which domain in the forest actually contains the data.
When a user logs on to a native-mode domain, the global catalog provides universal group membership information for the account that’s sending the logon request to the domain controller. If the domain has only one domain controller, the domain controller and the global catalog are the same server. If the network has multiple domain controllers, the global catalog is hosted on the domain controller that is configured as such. If a global catalog isn’t available when a user initiates a network logon process, the user is able to log on only to the local computer.
You can achieve the best network performance by locating a global catalog in every site, since a global catalog is necessary to complete the logon authentication process.
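A site-aware domain controller locator following the logon rules above, as an added example that is not part of the training kit. The site names, subnets, DC names and the `available` set (the DCs the client can currently reach) are all constructed; the selection rules (same-site DC first, global catalog required for a native-mode domain logon) are the ones the text describes.

```python
# Added example, not from the training kit: site-aware DC location and the
# global catalog requirement for logon. Topology below is constructed.
import ipaddress

SITES = {"Seattle": ["10.1.0.0/16"], "Dublin": ["10.2.0.0/16"]}
# (name, site, hosts a global catalog?)  -- Dublin has no GC on purpose
DCS = [("SEA-DC1", "Seattle", True), ("SEA-DC2", "Seattle", False),
       ("DUB-DC1", "Dublin", False)]

def site_for(client_ip, sites=SITES):
    """Map an address to its site through the site subnets; the most
    specific matching subnet wins. None when no subnet matches."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for site, subnets in sites.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else None

def locate_dc(client_ip, available, dcs=DCS, sites=SITES):
    """Prefer a DC in the client's own site; otherwise take any reachable DC,
    the cross-site case the text says puts strain on the network."""
    site = site_for(client_ip, sites)
    reachable = [dc for dc in dcs if dc[0] in available]
    local = [dc for dc in reachable if dc[1] == site]
    chosen = (local or reachable or [None])[0]
    return chosen[0] if chosen else None

def logon_scope(client_ip, available, dcs=DCS, sites=SITES):
    """Native-mode logon needs a global catalog for universal group
    membership; with none reachable only a local logon is possible."""
    if locate_dc(client_ip, available, dcs, sites) is None:
        return "no domain controller"
    if any(gc for name, _, gc in dcs if name in available):
        return "domain"
    return "local computer only"
```

Because the constructed Dublin site has no global catalog, a Dublin client that can reach only DUB-DC1 is limited to a local logon, which is the situation the recommendation to place a global catalog in every site is meant to avoid.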
Active Directory allows users and services to access directory information at any time from any computer in the domain tree or forest. Each time an object is added, modified, or deleted, the updated directory data must be relayed to other domain controllers. However, the need for directory data to be distributed must be balanced against the need to optimize network performance. If directory updates are constantly distributed to all other domain controllers in the domain, they’ll consume your network resources.
The replication process is based on three directory partitions: the schema partition, the configuration partition, and the domain partition.
Schema and configuration information is replicated to all domain controllers in the forest. The domain data for a particular domain is replicated to every domain controller within it. In addition, the objects in every domain, and a subset of the properties of all objects in the forest, are replicated to the global catalog.
Active Directory uses multimaster replication to synchronize directory information. Multimaster replication allows any domain controller to accept and replicate directory changes to any other domain controller. All domain controllers within a domain are equivalent; there’s no master domain controller. If one domain controller is unavailable, other domain controllers can continue to update the directory. Domain controllers can be distributed across the network and be located in multiple physical sites.
Domain controllers keep track of how many changes they’ve made to their copy of the directory, as well as how many changes they’ve received from domain controllers that are their replication partners. This process makes updating a domain controller that’s been disconnected from the network easy, because it’s clear which directory information has changed and therefore needs to be replicated. Because changes are tracked by a numerical sequence, not by time, the need for synchronized clocks is eliminated in all but the most unusual cases, such as when resolving conflicting changes.
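The change tracking just described, as an added example that is not part of the training kit: each domain controller numbers its own writes with an update sequence number (USN), remembers per partner the highest partner USN it has already applied, and so a reconnected DC asks only for what lies above that mark. The per-attribute version counter and the tie-breaking stamp are assumptions of this model, and the DC names and objects are constructed.

```python
# Added example, not from the training kit: a simulation of USN-based
# multimaster replication. Changes are ordered by sequence number; a
# timestamp-like "stamp" is consulted only to resolve a conflict, as the
# text says. DC names and directory objects are constructed.
class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0          # local change counter
        self.objects = {}     # dn -> {attr: (value, version, stamp, origin)}
        self.log = []         # (usn, dn, attr, value, version, stamp, origin)
        self.watermark = {}   # partner name -> highest partner USN applied

    def write(self, dn, attr, value, stamp):
        """Originating write: next version of the attribute under a fresh
        local USN. `stamp` is a logical timestamp used only to break ties."""
        _, version, _, _ = self.objects.get(dn, {}).get(attr, (None, 0, 0, None))
        self._apply(dn, attr, value, version + 1, stamp, self.name)

    def _apply(self, dn, attr, value, version, stamp, origin):
        self.usn += 1
        self.objects.setdefault(dn, {})[attr] = (value, version, stamp, origin)
        self.log.append((self.usn, dn, attr, value, version, stamp, origin))

    def changes_since(self, usn):
        return [entry for entry in self.log if entry[0] > usn]

    def pull_from(self, partner):
        """Inbound replication: fetch only entries above the watermark, keep
        the higher version, and use the stamp only when versions tie (two
        DCs changed the same attribute before replicating)."""
        applied = 0
        for usn, dn, attr, value, version, stamp, origin in partner.changes_since(
                self.watermark.get(partner.name, 0)):
            cur = self.objects.get(dn, {}).get(attr)
            if cur is None or (version, stamp) > (cur[1], cur[2]):
                self._apply(dn, attr, value, version, stamp, origin)
                applied += 1
            self.watermark[partner.name] = usn
        return applied

def scenario():
    """Constructed run: DC-B replicates from DC-A, misses two changes while
    disconnected, catches up, then both DCs edit the same attribute."""
    a, b = DomainController("DC-A"), DomainController("DC-B")
    a.write("cn=alice", "title", "Engineer", stamp=10)
    a.write("cn=bob", "title", "Analyst", stamp=11)
    first = b.pull_from(a)                          # 2 applied, watermark 2
    a.write("cn=alice", "title", "Senior Engineer", stamp=20)   # B offline
    a.write("cn=carol", "title", "Manager", stamp=21)
    second = b.pull_from(a)                         # only USNs 3 and 4 sent
    a.write("cn=bob", "title", "Lead", stamp=30)    # conflicting writes
    b.write("cn=bob", "title", "Architect", stamp=31)
    b.pull_from(a)
    a.pull_from(b)                                  # both converge
    return (first, second, a.objects["cn=bob"]["title"][0],
            b.objects["cn=bob"]["title"][0], b.watermark["DC-A"])
```

Changes a DC has already received are never re-applied when they come back from a partner, because their version and stamp are not strictly greater than what the DC holds, so the log can circulate freely without synchronized clocks.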
Some changes are impractical to perform in multimaster fashion. As a result, certain domain controllers are assigned roles in order to perform single-master operations. In any Active Directory forest, five operations master roles are assigned to one or more domain controllers: schema master, domain naming master, relative ID master, infrastructure master, and PDC emulator.
Each forest must contain only one schema master and only one domain naming master. The schema master controls all updates and modifications to the schema, and the domain naming master controls the addition or removal of domains in the forest.
Each domain must contain only one relative ID master, infrastructure master, and PDC emulator. The relative ID master allocates sequences of relative IDs to each of the various domain controllers in its domain, and the infrastructure master updates the group-to-user references whenever the members of groups are renamed or changed.
If the domain contains computers operating without Windows 2000 client software or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator acts as a Windows NT Primary Domain Controller (PDC). It processes password changes from clients and replicates updates to the backup domain controllers.
A bridgehead server is the point at which directory information is exchanged with another site. You can specify a preferred bridgehead server if you want to designate a specific computer to transmit and receive information. If a high level of directory information is typically exchanged, a computer with more bandwidth can ensure that these exchanges are handled promptly.
If you specify multiple preferred bridgehead servers, only one will be the active preferred bridgehead server at any time. If the active preferred bridgehead server fails, Active Directory will select another preferred bridgehead server. If no active preferred bridgehead server is available and no other preferred bridgehead servers are available either, Active Directory will select another domain controller in the site to be the preferred bridgehead server. This can be problematic if the domain controller that Active Directory selects doesn’t have the bandwidth to efficiently handle the increased requirements imposed on a preferred bridgehead server.
You must specify a preferred bridgehead server if your deployment uses a firewall to protect a site. Establish your firewall proxy server as the preferred bridgehead server, making it the contact point for exchanging information with servers outside the firewall. If you don’t do this, directory information may not be exchanged.
A preferred bridgehead server is the preeminent server for the exchange of Active Directory information in and out of the site. Other domain controllers can still exchange directory information if the need arises, but under normal conditions the bridgehead server is the first choice to receive and send all directory traffic.
Active Directory organizes resources hierarchically into domains and is integrated with DNS. Active Directory can exist within the scope of DNS Internet namespace and can store and replicate DNS zone databases. Active Directory uses LDAP as its core protocol. Active Directory objects represent the physical entities that make up a network, and the schema defines the types of objects and the types of information about those objects that can be stored in the directory. The logical structure in Active Directory is made up of domains, trees, forests, and OUs, and the physical structure is made up of sites and domain controllers. The two structures are completely separate from each other. A domain is the core unit of the logical Active Directory structure. In a domain, network objects, such as users and computers, are grouped together to form an administrative and security boundary. A site is made up of one or more IP subnets that are connected together by highly reliable and fast links. Sites aren’t part of the namespace. They map the physical structure of your network. Active Directory allows users and services to access directory information at any time from any computer in the domain tree or forest. Active Directory uses multimaster replication to synchronize directory information. However, some domain controllers are assigned roles in order to perform single-master operations. Five operations master roles are assigned to one or more domain controllers: schema master, domain naming master, relative ID master, PDC emulator, and infrastructure master. A bridgehead server is the point at which directory information is exchanged with another site.