In Windows 2000 and Active Directory services there are several new concepts and some changes to the concepts used in Windows NT. These concepts include replication, trust relationships, group policies, DNS namespaces, and naming conventions. It is important that you understand the meaning of these concepts as applied to Active Directory.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
Users and services should be able to access directory information at any time from any computer in the domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. Directory information is replicated to domain controllers both within and among sites.
The information stored in the directory is partitioned into three categories. Each of these information categories is referred to as a directory partition. These directory partitions are the units of replication. The following information is contained in each directory:
Schema and configuration information is replicated to all domain controllers in the domain tree or forest. All of the domain data for a particular domain is replicated to every domain controller in that domain. All of the objects in every domain, and selected attributes for all objects in a forest, are replicated to the global catalog.
A domain controller stores and replicates
A global catalog stores and replicates
Extensions to schemas in a global catalog should be approached with caution. Schema extensions can have disastrous effects on large networks because the extensions cannot be deleted (only disabled) and because of the large amount of network traffic generated as the extensions are synchronized throughout the forest.
Active Directory replicates information in two ways: intrasite (within a site) and intersite (between sites). The need for up-to-date directory information is balanced with the limitations imposed by available network bandwidth.
Within a site, a Windows 2000 service known as the Knowledge Consistency Checker (KCC) automatically generates a topology for replication among domain controllers in the same domain using a ring structure. The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers in the site receive the directory updates.
The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers, as shown in Figure 1.8.
Figure 1.8 Intrasite replication topology
The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works and is efficient. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.
To ensure replication between sites, you must manually connect them by creating site links. Site links represent network connections and allow replication to occur. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance, as shown in Figure 1.9.
You provide information about the replication transport used, cost of a site link, times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link will be used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is light, will make replication more efficient. Replication and site link configuration are discussed in Chapter 6, "Creating a Site Topology Plan."
When operating in native mode, Windows 2000 domain controllers do not replicate with pre–Windows 2000 domain controllers.
Figure 1.9 Intersite replication topology
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Active Directory supports two forms of trust relationships:
For example, in Figure 1.10 a Kerberos transitive trust simply means that if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C. As a result, a domain joining a tree immediately has trust relationships established with every domain in the tree. These trust relationships make all objects in the domains of the tree available to all other domains in the tree.
Transitive trust between domains eliminates the management of interdomain trust accounts. Domains that are members of the same tree automatically participate in a transitive, bidirectional trust relationship with the parent domain. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree.
Explicit one-way nontransitive trusts are the only form of trust possible between
Figure 1.10 Active Directory supports two types of trust relationships
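The reachability rule described above (a transitive trust chains from domain to domain, an explicit nontransitive trust never extends past the two domains it joins) is easy to get wrong when reasoning about the scope of a trust. The following Python model is an added example, not code from the lesson or from Windows 2000 itself; the domain names, the tree layout and the domain named LEGACYNT joined by an explicit trust are all constructed for illustration.

```python
# Added example (not from the original lesson): model which domains' logon
# authentication a given domain honours, given transitive tree trusts and
# explicit one-way nontransitive trusts. All domain names are constructed.
from collections import deque


class TrustGraph:
    """Directed trust links: (trusting_domain, trusted_domain) -> transitive?"""

    def __init__(self):
        self.links = {}

    def add_tree_trust(self, parent, child):
        # Domains in one tree share an implicit two-way transitive trust.
        self.links[(parent, child)] = True
        self.links[(child, parent)] = True

    def add_explicit_trust(self, trusting, trusted):
        # Explicit trusts are one-way and nontransitive: they never chain.
        self.links[(trusting, trusted)] = False

    def trusted_by(self, domain):
        """Return every domain whose authentication `domain` honours.

        Transitive links may be followed any number of hops; a nontransitive
        link counts only when it starts directly at `domain`.
        """
        reached = set()
        frontier = deque([domain])
        visited = {domain}
        while frontier:
            cur = frontier.popleft()
            for (trusting, trusted), transitive in self.links.items():
                if trusting != cur:
                    continue
                if transitive:
                    reached.add(trusted)
                    if trusted not in visited:
                        visited.add(trusted)
                        frontier.append(trusted)
                elif cur == domain:
                    # Nontransitive: honoured by `domain` only, never relayed.
                    reached.add(trusted)
        reached.discard(domain)
        return reached


def build_example_forest():
    """Constructed tree: microsoft.com with two child domains, plus one
    explicit one-way trust from the dev domain to a domain outside the tree."""
    g = TrustGraph()
    g.add_tree_trust("microsoft.com", "sales.microsoft.com")
    g.add_tree_trust("microsoft.com", "dev.microsoft.com")
    g.add_explicit_trust("dev.microsoft.com", "LEGACYNT")
    return g


if __name__ == "__main__":
    forest = build_example_forest()
    for d in ("sales.microsoft.com", "dev.microsoft.com", "LEGACYNT"):
        print(d, "trusts", sorted(forest.trusted_by(d)))
```

Running the sample shows that sales.microsoft.com trusts dev.microsoft.com through the tree root but never LEGACYNT, while dev.microsoft.com trusts LEGACYNT directly and LEGACYNT trusts nothing in return, which is exactly the one-way, nontransitive behaviour the lesson describes.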
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. For example, using group policies, you can determine the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.
To create a specific desktop configuration for a particular group of users, you create group policy objects (GPOs). GPOs are collections of group policy settings. Each Windows 2000 computer has one local GPO and may, in addition, be subject to any number of nonlocal (Active Directory–based) GPOs. Local GPOs are overridden by nonlocal GPOs. Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs) and can be applied to either users or computers. Following the inheritance properties of Active Directory, nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.
Because nonlocal GPOs are applied hierarchically, the user or computer's configuration is a result of the GPOs applied to its site, domain, and OU. Group policy settings are applied in the following order:
Figure 1.11 shows how group policy is applied for the example Marketing and Servers OUs.
Figure 1.11 How group policy is applied
The default order for the application of group policy settings is subject to the following exceptions:
You should plan your GPO settings and the Active Directory objects to which they will be applied to provide the most efficient group policy management for your organization. Chapter 5, "Creating an Organizational Unit Plan," discusses planning for group policy.
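The cumulative, override-in-order behaviour of group policy (local GPO first, then the nonlocal GPOs from site to domain to OU, with later settings replacing earlier ones for the same item) can be checked with a small resolver. The code below is an added example written for this lesson, not a Microsoft tool or any part of Windows 2000; the GPO names and settings are constructed, and it assumes that where OUs are nested the parent OU's GPOs are listed before the child's, in keeping with the inheritance order the lesson describes.

```python
# Added example (not from the original lesson): resolve the effective policy
# for a user or computer by applying GPOs in the order local -> site ->
# domain -> OU, later values overriding earlier ones. GPOs are constructed.

LOCAL, SITE, DOMAIN, OU = "local", "site", "domain", "ou"
ORDER = [LOCAL, SITE, DOMAIN, OU]


def apply_gpos(linked_gpos):
    """linked_gpos: list of (scope, gpo_name, {setting: value}).

    Returns {setting: [(source, value), ...]} in application order. The sort
    is stable, so GPOs of the same scope keep their list order (assumption:
    parent OU GPOs are listed before child OU GPOs).
    """
    ordered = sorted(linked_gpos, key=lambda g: ORDER.index(g[0]))
    history = {}
    for scope, name, settings in ordered:
        for key, value in settings.items():
            history.setdefault(key, []).append((f"{name} ({scope})", value))
    return history


def effective_policy(linked_gpos):
    """{setting: (value, source)} -- the last GPO applied wins each setting."""
    return {k: (h[-1][1], h[-1][0]) for k, h in apply_gpos(linked_gpos).items()}


def overridden_settings(linked_gpos):
    """{setting: [(source, value), ...]} for values that lost to a later GPO;
    useful when answering "why does this machine not have the local setting?"."""
    return {k: h[:-1] for k, h in apply_gpos(linked_gpos).items() if len(h) > 1}


def marketing_user_gpos():
    """Constructed sample: GPOs linked to the objects a Marketing user falls under,
    deliberately listed out of order to show that scope, not list order, decides."""
    return [
        (OU, "Marketing OU Policy", {"remove_run_menu": True, "wallpaper": "marketing.bmp"}),
        (LOCAL, "Local GPO", {"wallpaper": "default.bmp", "screensaver_timeout": 600}),
        (DOMAIN, "Default Domain Policy", {"min_password_length": 8, "wallpaper": "corp.bmp"}),
        (SITE, "HQ Site Policy", {"proxy": "proxy.hq.example"}),
    ]


if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_policy(marketing_user_gpos()).items()):
        print(f"{setting} = {value!r}  (from {source})")
```

In the sample, the wallpaper is set three times; the OU value wins, and `overridden_settings` reports the local and domain values it replaced, while settings that no later GPO touches (the local screensaver timeout, the site proxy) survive unchanged, which is what "cumulative" means here.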
Active Directory, like all directory services, is primarily a namespace. A namespace is any bounded area in which a name can be resolved. Name resolution is the process of translating a name into some object or information that the name represents. The Active Directory namespace is based on the DNS naming scheme, which allows for interoperability with Internet technologies. Private networks use DNS extensively to resolve computer names and to locate computers within their local networks and the Internet. DNS provides the following benefits:
To read more about DNS, open your Web browser and use an Internet search engine to run a search on "RFC 1034" and "RFC 1035". RFCs (Request for Comments) are the official documents of the Internet Engineering Task Force (IETF) that specify the details for new Internet specifications or protocols. RFC 1034 is entitled "Domain Names—Concepts and Facilities" and RFC 1035 is entitled "Domain Names—Implementation and Specification."
Because Active Directory uses DNS as its domain naming and location service, Windows 2000 domain names are also DNS names. Windows 2000 Server uses dynamic DNS, which enables clients with dynamically assigned addresses to register directly with a server running the DNS service and update the DNS table dynamically. Dynamic DNS eliminates the need for other Internet naming services, such as Windows Internet Naming Service (WINS), in a homogeneous environment.
To read more about dynamic DNS, open your Web browser and use an Internet search engine to run a search on "RFC 2136". RFC 2136 is entitled "Dynamic Updates in the Domain Name System (DNS Update)."
For Active Directory and associated client software to function correctly, you must have installed and configured the DNS service.
The domain namespace is the naming scheme that provides the hierarchical structure for the DNS database. Each node represents a partition of the DNS database. These nodes are referred to as domains.
The DNS database is indexed by name; therefore, each domain must have a name. As you add domains to the hierarchy, the name of the parent domain is appended to its child domain (called a subdomain). Consequently, a domain's name identifies its position in the hierarchy. For example, in Figure 1.12, the domain name sales.microsoft.com identifies the sales domain as a subdomain of the microsoft.com domain and microsoft as a subdomain of the com domain.
Figure 1.12 Hierarchical structure of a domain namespace
The hierarchical structure of the domain namespace consists of a root domain, top-level domains, second-level domains, and host names.
There are two types of namespaces:
The first two domain names create a contiguous namespace within microsoft.com, but the third domain is part of a disjointed namespace.
The term domain, in the context of DNS, is not related to domain as used in Windows 2000 directory services. A Windows 2000 domain is a group of computers and devices that are administered as a unit.
The DNS naming scheme is discussed in Chapter 4, "Creating a Domain Plan."
The root domain is at the top of the hierarchy and is represented as a period (.). The Internet root domain is managed by several organizations, including Network Solutions, Inc.
Top-level domains are arranged by organization type or geographic location. Table 1.1 provides some examples of top-level domain names.
Table 1.1 Examples of Top-Level Domains

| Domain name | Description |
|---|---|
| net | Commercial sites or networks |
Individual country names may also be a part of top-level domains. Examples of country domain names are "au" for Australia or "fr" for France.
Top-level domains can contain second-level domains and host names.
Organizations, such as Network Solutions, Inc., and others, assign and register second-level domains to individuals and organizations for the Internet. A second-level name has two name parts: a top-level name and a unique second-level name. Table 1.2 provides some examples of second-level domains.
Table 1.2 Examples of Second-Level Domains

| Domain name | Description |
|---|---|
| ed.gov | United States Department of Education |
| w3.org | World Wide Web Consortium |
| pm.gov.au | Prime Minister of Australia |
In the case of country names, "gov.au", "edu.au", and "com.au" are top-level domains. If the name is structured as "company.au", however (and in this case only), ".au" is top-level.
Host names refer to specific computers on the Internet or a private network. For example, in Figure 1.12, Computer1 is a host name. A host name is the leftmost portion of a fully qualified domain name (FQDN), which describes the exact position of a host within the domain hierarchy. In Figure 1.12, Computer1.sales.microsoft.com. (including the end period, which represents the root domain) is an FQDN.
The host name does not have to be the same as the computer name, the NetBIOS name, or the name used by any other naming protocol.
A zone is a database containing resource records for a portion of a DNS namespace. Zones provide a way to partition the domain namespace into manageable sections.
Multiple zones in a domain namespace are used to distribute administrative tasks to different groups. For example, Figure 1.13 depicts the microsoft.com domain namespace divided into two zones. The two zones allow one administrator to manage the microsoft and sales domains and another administrator to manage the development domain.
A zone must encompass a contiguous domain namespace. For example, in Figure 1.13, you could not create a zone that consists of only the sales.microsoft.com and development.microsoft.com domains because the sales and development domains are not contiguous.
The name-to-IP-address mappings for a zone are stored in the zone database file. Each zone is anchored to a specific domain, referred to as the zone's root domain. The zone database file does not necessarily contain information for all subdomains of the zone's root domain, only those subdomains within the zone.
In Figure 1.13, the root domain for Zone1 is microsoft.com, and its zone file contains the name-to-IP-address mappings for the microsoft and sales domains. The root domain for Zone2 is development, and its zone file contains the name-to-IP-address mappings for the development domain only. The zone file for Zone1 does not contain the name-to-IP-address mappings for the development domain, although development is a subdomain of the microsoft domain.
Figure 1.13 Domain namespace divided into zones
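The rules in the namespace and zone discussion above (a name's position is read from its labels right to left, a zone must cover a contiguous namespace, and a delegated subdomain is served by its own zone rather than the parent's) are all operations on label lists. The Python below is an added example, not part of the lesson or of the Windows 2000 DNS service; the microsoft.com, sales and development names follow the lesson's figures, and the host names are constructed.

```python
# Added example (not from the original lesson): DNS names as label
# hierarchies -- membership, contiguity of a set of domains, and choosing
# the authoritative zone when a subdomain is delegated to its own zone.


def labels(name):
    """Labels of a DNS name, root-first, ignoring case and a trailing dot."""
    name = name.rstrip(".").lower()
    return [] if not name else list(reversed(name.split(".")))


def host_name(fqdn):
    """The host name is the leftmost label of the FQDN (case preserved)."""
    return fqdn.rstrip(".").split(".")[0]


def is_within(name, domain):
    """True if `name` equals `domain` or sits below it in the hierarchy."""
    n, d = labels(name), labels(domain)
    return n[: len(d)] == d


def parent(domain):
    """Parent domain of `domain`; '' for a top-level domain."""
    return ".".join(reversed(labels(domain)[:-1]))


def is_contiguous(domains):
    """A set of domains is contiguous when it forms one connected subtree:
    exactly one domain has its parent outside the set."""
    names = {d.lower().rstrip(".") for d in domains}
    roots = [d for d in names if parent(d) not in names]
    return len(roots) == 1


def authoritative_zone(name, zone_roots):
    """Zone root that holds `name`: the most specific (longest) root that
    contains it, so a delegated subzone wins over the enclosing zone.
    Returns None when no zone covers the name."""
    matches = [z for z in zone_roots if is_within(name, z)]
    if not matches:
        return None
    return max(matches, key=lambda z: len(labels(z)))


if __name__ == "__main__":
    # Constructed layout mirroring Figure 1.13: Zone1 rooted at microsoft.com,
    # Zone2 rooted at the delegated development subdomain.
    zones = ["microsoft.com", "development.microsoft.com"]
    for host in ("Computer1.sales.microsoft.com.", "build1.development.microsoft.com"):
        print(host_name(host), "->", authoritative_zone(host, zones))
    print(is_contiguous(["sales.microsoft.com", "development.microsoft.com"]))
```

The contiguity check reproduces the lesson's point about Figure 1.13: sales.microsoft.com and development.microsoft.com alone have two roots and so cannot form a zone, while microsoft.com plus sales.microsoft.com can. The zone lookup shows that a host under development.microsoft.com is served by Zone2 even though development is a subdomain of microsoft.com.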
A DNS name server stores the zone database file. DNS name servers use the zone database files to handle the DNS name resolution process. Name servers can store data for one zone or multiple zones. A name server is said to have authority for the domain namespace that the zone encompasses. When a DNS name server receives a DNS query, it responds in one of three ways: by returning the requested name or IP-resolution information, by returning a pointer to another DNS name server, or by indicating that the information is not available. There are three main types of DNS name servers: primary, secondary, and master.
A primary name server gets data from the local zone and is the authoritative server (performs administrative tasks) for the zone. A secondary name server is a backup DNS server and receives data from another name server. A zone can have multiple secondary name servers and should have at least one to perform zone transfers, provide redundancy, improve access speed, and reduce the load on the primary name server. A master name server is a primary or secondary name server for a zone that is designated to provide updated DNS information to a secondary server.
Every object in Active Directory is identified by a name. Active Directory uses a variety of naming conventions: distinguished names, relative distinguished names, globally unique identifiers, and user principal names.
Every object in Active Directory has a distinguished name (DN) that uniquely identifies the object and contains sufficient information for a client to retrieve the object from the directory. The DN includes the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object.
For example, the following DN identifies the Firstname Lastname user object in the microsoft.com domain (where Firstname and Lastname represent the actual first and last name of a user account):
Table 1.3 describes the attributes in the example.
Table 1.3 Distinguished Name Attributes

| Attribute | Description |
|---|---|
| DC | Domain component name |
| OU | Organizational unit name |
DNs must be unique. Active Directory does not allow duplicate DNs.
To read more about distinguished names, search on the Internet for "RFC 1779". RFC 1779 is entitled "A String Representation of Distinguished Names."
Active Directory supports querying by attributes, so you can locate an object even if the exact DN is unknown or has changed. The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. In the preceding example, the RDN of the Firstname Lastname user object is Firstname Lastname. The RDN of the parent object is Users.
You can have duplicate RDNs for Active Directory objects, but you cannot have two objects with the same RDN in the same OU. For example, if a user account is named Jane Doe, you cannot have another user account called Jane Doe in the same OU. However, objects with duplicate RDN names can exist in separate OUs because they have different DNs (see Figure 1.14).
Figure 1.14 Distinguished names and relative distinguished names
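The relationships among a DN, its RDN, its parent and the domain components, together with the uniqueness rule (same RDN allowed in different containers, refused within one), can be exercised with a small parser for the comma-separated string form of RFC 1779. The code below is an added example and not the lesson's own DN notation, a Microsoft API, or a full RFC 1779 parser (it unescapes only backslash-escaped characters); the user and OU names in it are constructed.

```python
# Added example (not from the original lesson): parse string distinguished
# names, derive RDN / parent DN / DNS domain, and enforce that two objects
# never share an RDN under the same parent. All DNs here are constructed.


def parse_dn(dn):
    """Return [(attr, value), ...] from the leaf RDN to the root.

    A backslash escapes the next character, so 'CN=Doe\\, Jane' keeps its
    comma inside the value instead of starting a new RDN.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns):
    """Inverse of parse_dn: re-escape commas that occur inside values."""
    out = []
    for attr, value in rdns:
        out.append(attr + "=" + value.replace(",", "\\,"))
    return ",".join(out)


def rdn(dn):
    """The object's own name: the value of the leftmost component."""
    return parse_dn(dn)[0][1]


def parent_dn(dn):
    """DN of the container that holds the object."""
    return format_dn(parse_dn(dn)[1:])


def domain_dns_name(dn):
    """Join the DC components, leaf-first, into the domain's DNS name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


class Directory:
    """Tracks object DNs; refuses a second object with the same RDN under the
    same parent (comparison is case-insensitive here)."""

    def __init__(self):
        self._keys = set()

    def add(self, dn):
        """Return True if the object was added, False if its DN already exists."""
        key = tuple((attr, value.lower()) for attr, value in parse_dn(dn))
        if key in self._keys:
            return False
        self._keys.add(key)
        return True


if __name__ == "__main__":
    d = Directory()
    for candidate in ("CN=Jane Doe,OU=Sales,DC=microsoft,DC=com",
                      "CN=Jane Doe,OU=Marketing,DC=microsoft,DC=com",
                      "cn=jane doe,ou=sales,dc=microsoft,dc=com"):
        print(candidate, "->", "added" if d.add(candidate) else "duplicate DN, refused")
```

The third `add` in the sample fails because it names the same object as the first (only the letter case differs), whereas the second succeeds: the two Jane Doe accounts have the same RDN but different parent DNs, which is precisely the situation Figure 1.14 illustrates.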
A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique within the enterprise. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current DN.
In earlier versions of Windows NT, each domain resource was associated with a security identifier (SID) that was generated within the domain. This meant that the SID was guaranteed to be unique only within the domain. A GUID is unique across all domains, meaning that you can move objects from domain to domain and they will still have a unique identifier.
Each user account has a "friendly" name, the user principal name (UPN). The UPN is composed of a shorthand name for the user account and the DNS name of the tree where the user account object resides. For example, Firstname Lastname (substitute the first and last names of the actual user) in the microsoft.com tree might have a UPN of FirstnameL@microsoft.com (using the full first name and the first letter of the last name).
In this lesson you learned about several new concepts introduced with Active Directory, including replication, trust relationships, group policies, DNS namespaces, and naming conventions.
You learned that Active Directory includes replication to ensure that changes to a domain controller are reflected in all domain controllers within a domain. Within a site, the KCC automatically generates a ring topology for replication among domain controllers in the same domain. Between sites, you must specify how your sites are connected by using site links.
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Active Directory supports two forms of trust relationships: implicit two-way transitive trusts and explicit one-way nontransitive trusts.
You also learned that group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. To create a specific desktop configuration for a particular group of users, you create group policy objects (GPOs), collections of group policy settings. Each Windows 2000 computer has one local GPO and may, in addition, be subject to any number of nonlocal (Active Directory–based) GPOs. Local GPOs are overridden by nonlocal GPOs. Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs) and can be applied to either users or computers. Following the inheritance properties of Active Directory, nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.
In this lesson you also learned that Active Directory uses DNS as its domain naming and location service; therefore Windows 2000 domain names are also DNS names. Windows 2000 Server uses dynamic DNS, so clients with dynamically assigned addresses can register directly with a server running the DNS service and dynamically update the DNS table. There are contiguous namespaces and disjointed namespaces.
Finally, you learned about the naming conventions employed by Active Directory: DNs, RDNs, GUIDs, and UPNs.