Active Directory


The Active Directory is one of the most important parts of Windows Server 2003 networking. Although a full discussion of Active Directory is outside the scope of this book, the nature of Exchange Server 2003's tight integration with Active Directory warrants a brief discussion of the technology itself and an examination of how it affects the Exchange environment.

Note

To learn more about Active Directory, start by checking out the Windows Server 2003 product documentation. It provides an overview of the technology and illustrates many of the benefits of using Active Directory. If you are interested in going past the basics, take a look at Active Directory for Microsoft Windows Server 2003 Technical Reference , by Mike Mulcare and Stan Reimer (MS Press, 2003).

Active Directory in Windows Server 2003

To understand Active Directory, it is first necessary to understand what a directory is. Put simply, a directory contains a hierarchy that stores information about objects in a system.

A directory service is the service that manages the directory and makes it available to users on the network. Active Directory stores information about objects on a Windows Server 2003 network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a hierarchical organization of directory information.

You can use Active Directory to design a directory structure tailored to your organization's administrative needs. For example, you can scale Active Directory from a single computer to a single network or to many networks. Active Directory can include every object, server, and domain in a network.

What makes Active Directory so powerful, and so scalable, is that it separates the logical structure of the Windows Server 2003 domain hierarchy from the physical structure of the network itself.

Logical Components

In Exchange 5.5 Server and prior versions, resources were organized separately in Windows and Exchange. Now, the organization you set up in Windows Server 2003 and the organization you set up in Exchange Server 2003 are the same. (The same goes for Windows 2000 and Exchange 2000 as well.) In fact, the Active Directory Users and Computers tool (whose use is covered in Chapter 5, "Creating and Managing Exchange Recipients") is now used to configure and manage Windows users and Exchange-related user features, such as mailbox storage and protocol use. This requires a shift in thinking from previous versions of Exchange, where the duties of Windows and Exchange administrators were more clearly separated. Now, it is often advantageous to have one user administrator manage all aspects of user configuration.

In Active Directory, the domain hierarchy is organized using a number of constructs to make administration simpler and more logical. These logical constructs, which are described in the following subsections, allow you to define and group resources so that they can be located and administered by name rather than by physical location.

Objects

An object is the basic unit in Active Directory. It is a distinct named set of attributes that represents something concrete, such as a user, printer, computer, or application. Attributes are the characteristics of the object; for example, a computer is an object, and its attributes include its name and location, among other things. A user is also an object. In Exchange, a user's attributes include the user's first name, last name, and e-mail address. User attributes also include Exchange-related features, such as whether the object can receive e-mail, the formatting of e-mail it receives, and the location where it can receive e-mail.

Organizational Units

An organizational unit (OU) is a container in which you can place objects such as user accounts, groups, computers, printers, applications, file shares, and other organizational units. You can use organizational units to hold groups of objects, such as users and printers, and you can assign specific permissions to them. An organizational unit cannot contain objects from other domains and is the smallest unit to which you can assign or delegate administrative authority. Organizational units are provided strictly for administrative purposes and convenience. They are transparent to the end user, but can be extremely useful to an administrator when segmenting users and computers within an organization.

You can use organizational units to create containers within a domain that represent the hierarchical, logical structures within your organization. This enables you to manage how accounts and resources are configured and used.

Organizational units can also be used to create departmental or geographical boundaries. In addition, they can be used to delegate administrative authority over particular tasks to particular users. For instance, you can create an OU for all your printers and then assign full control over the printers to your printer administrator.

Domains

A domain is a group of computers and other resources that are part of a network and share a common directory database. A domain is organized in levels and is administered as a unit with common rules and procedures. All objects and organizational units exist within a domain.

You create a domain by installing the first domain controller inside it. A domain controller is simply a Windows Server 2003 computer that has Active Directory enabled on it. Once a server has been installed, you can use the Active Directory Wizard to install Active Directory. In order to install Active Directory on the first server on a network, that server must have access to a server running DNS (Domain Name Service). If it does not, you'll be given the chance to install and configure DNS during Active Directory installation.

A domain can exist in one of four possible domain functional levels as outlined in the following list:

  • Windows 2000 mixed. The default domain functional level, in which all new domain controllers are installed. It allows for Windows NT 4.0 backup domain controllers (BDCs), Windows 2000 Server domain controllers, and Windows Server 2003 domain controllers. Local and global groups are supported, but universal groups are not. Global catalog servers are supported.

  • Windows 2000 native. The minimum domain functional level at which universal groups become available, along with several other Active Directory features; allows for Windows 2000 Server and Windows Server 2003 domain controllers only.

  • Windows Server 2003 interim. Supports only Windows NT 4.0 and Windows Server 2003 domain controllers. The domains in a forest are raised to this functional level when the forest functional level has been raised to Windows Server 2003 interim.

  • Windows Server 2003. The highest domain functional level available, it provides all new features and functionality and allows for only Windows Server 2003 domain controllers.

    Note

    The mixed mode and native mode you might have been used to when using Windows 2000 Server have been replaced by the domain and forest functional levels in Windows Server 2003. Note, however, that the Windows 2000 mixed mode is similar to the Windows 2000 mixed functional level and that the Windows 2000 native mode is similar to the Windows Server 2003 functional level.

    Note

    The move from a lower functional level to a higher one is irreversible, so take care to ensure that all older (Windows NT 4.0 or Windows 2000 Server) domain controllers have been retired or upgraded before changing the functional level.
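Because a functional-level change cannot be undone, the check worth automating is the one the note describes: confirm that no domain controller in the domain runs an operating system the target level no longer permits, and refuse any move that would be a downgrade. The following is an added example, not code from the book; the four levels and the operating systems each permits are taken from the list above, while the rank table (which treats "native" and "interim" as the same rank, since neither is reached from the other) and the domain-controller inventory are constructed simplifications rather than a model of the product's exact upgrade paths.

```python
# Added example (not from the book): a pre-flight check before raising a domain
# functional level. The four levels and the domain-controller operating systems each
# one permits are taken from the book's list; the rank table and the DC inventory are
# constructed for this example and are a simplification, not a model of the product's
# exact upgrade paths.

ALLOWED_DC_OS = {
    "Windows 2000 mixed": {"Windows NT 4.0", "Windows 2000 Server", "Windows Server 2003"},
    "Windows 2000 native": {"Windows 2000 Server", "Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}

# Assumed ranking used to reject a downgrade: a domain may only move to a higher rank.
# "native" and "interim" share a rank here because neither can be reached from the other.
LEVEL_RANK = {
    "Windows 2000 mixed": 0,
    "Windows 2000 native": 1,
    "Windows Server 2003 interim": 1,
    "Windows Server 2003": 2,
}


def blocking_controllers(domain_controllers, target_level):
    """Names of the DCs whose operating system the target level does not permit."""
    allowed = ALLOWED_DC_OS[target_level]
    return sorted(dc for dc, os_name in domain_controllers.items() if os_name not in allowed)


def check_raise(current_level, target_level, domain_controllers):
    """Return (ok, reasons). ok is True only if the move is upward and no DC blocks it."""
    reasons = []
    if LEVEL_RANK[target_level] <= LEVEL_RANK[current_level]:
        reasons.append(
            f"cannot move from '{current_level}' to '{target_level}': "
            "functional levels can only be raised, never lowered"
        )
    for dc in blocking_controllers(domain_controllers, target_level):
        reasons.append(
            f"{dc} runs {domain_controllers[dc]}, which '{target_level}' does not permit; "
            "retire or upgrade it before raising the level"
        )
    return (not reasons, reasons)


# Constructed inventory for the hsv.widgets.com domain: one NT 4.0 BDC was never retired.
SAMPLE_DCS = {
    "dc01.hsv.widgets.com": "Windows Server 2003",
    "dc02.hsv.widgets.com": "Windows 2000 Server",
    "bdc01.hsv.widgets.com": "Windows NT 4.0",
}

if __name__ == "__main__":
    for target in ("Windows 2000 native", "Windows Server 2003"):
        ok, reasons = check_raise("Windows 2000 mixed", target, SAMPLE_DCS)
        print(f"raise to {target}: {'OK' if ok else 'BLOCKED'}")
        for reason in reasons:
            print("  -", reason)
```

Run as a script, the sample inventory blocks the move to Windows 2000 native because of the NT 4.0 BDC, and blocks the move to Windows Server 2003 because of both the BDC and the Windows 2000 Server controller; the inventory itself would come from your own domain-controller records rather than the constructed dictionary here.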

Domain Trees

A domain tree is a hierarchical arrangement of one or more Windows Active Directory domains that share a common namespace. Domain Name Service (DNS) domain names represent the tree structure. The first domain in a tree is called the root domain. For example, a company named Widgets (that has the Internet domain name widgets.com) might use the root domain widgets.com in its primary domain tree. Additional domains in the tree under the root domain are called child domains. For example, the domain hsv.widgets.com would be a child domain of the widgets.com domain. Figure 2.1 shows an example of a domain tree.


Figure 2.1: A domain tree is a hierarchical grouping of one or more domains.

Domains establish trust relationships with one another that allow objects in a trusted domain to access resources in a trusting domain. Windows Server 2003 and Active Directory support transitive, two-way trusts between domains. When a child domain is created, a trust relationship is automatically configured between that child domain and the parent domain. This trust is two-way, meaning that resource access requests can flow from either domain to the other. The trust is also transitive, meaning that any domains trusted by one domain are automatically trusted by the other domain. For example, in Figure 2.1, consider the three domains named widgets.com, hsv.widgets.com, and sales.hsv.widgets.com. When hsv.widgets.com was created as a child domain of widgets.com, a two-way trust was formed between the two. When sales.hsv.widgets.com was created as a child of hsv.widgets.com, another trust was formed between those two domains. Though no explicit trust relationship was ever defined directly between the sales.hsv.widgets.com and widgets.com domains, the two domains trust each other anyway because of the transitive nature of trust relationships.

Domain Forests

A domain forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on the network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed. This first domain in a forest is called the forest root domain and is special because it is really the basis for naming the entire forest. It cannot be removed from the forest without removing the entire forest itself. Finally, no other domain can ever be created above the forest root domain in the forest domain hierarchy. Figure 2.2 shows an example of a domain forest with multiple domain trees.


Figure 2.2: A domain forest consists of one or more domain trees.

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. You can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside a particular forest. However, an Exchange organization cannot span multiple forests.
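The three ideas in the sections above (the contiguous namespace of a tree, the two-way transitive trusts that connect parent and child domains and tree roots, and the forest as the boundary an Exchange organization cannot cross) can be captured in a few lines of code. The following is an added example, not code from the book: a small model of a forest that rejects a child domain whose DNS name does not extend its parent's, derives the chain of trusts a resource request crosses between any two domains, and checks whether a set of domains all lie within one forest. The widgets.com names are the book's; the second tree, widgetsparts.com, and the external forest partners.example are constructed for the example.

```python
# Added example (not from the book): a small model of a Windows Server 2003 forest.
# It enforces the contiguous DNS namespace of a domain tree, derives the two-way,
# transitive trust chain between any two domains, and checks that a set of domains could
# host a single Exchange organization (all within one forest). The widgets.com names
# follow the book's example; widgetsparts.com and partners.example are constructed.


class Forest:
    def __init__(self, forest_root):
        self.forest_root = forest_root
        # Maps each domain to its parent; tree roots (including the forest root) map to None.
        self.parent = {forest_root: None}

    def add_tree_root(self, dns_name):
        """Start a new domain tree (non-contiguous namespace) joined to the forest root."""
        if dns_name in self.parent:
            raise ValueError(f"{dns_name} already exists in the forest")
        self.parent[dns_name] = None

    def add_child(self, dns_name, parent_name):
        """Add a child domain; its name must be exactly one label in front of the parent's."""
        if parent_name not in self.parent:
            raise KeyError(f"{parent_name} is not a domain in this forest")
        if dns_name in self.parent:
            raise ValueError(f"{dns_name} already exists in the forest")
        label, _, rest = dns_name.partition(".")
        if not label or rest != parent_name:
            raise ValueError(f"{dns_name} does not form a contiguous namespace with {parent_name}")
        self.parent[dns_name] = parent_name

    def path_to_tree_root(self, dns_name):
        """The domain itself, then each parent up to the root of its tree."""
        path = [dns_name]
        while self.parent[path[-1]] is not None:
            path.append(self.parent[path[-1]])
        return path

    def trust_chain(self, source, target):
        """Domains a resource request from source to target passes through, following the
        parent-child trusts within a tree and the tree-root trusts via the forest root.
        Returns None when either domain is outside the forest (no implicit trust exists)."""
        if source not in self.parent or target not in self.parent:
            return None
        up_src = self.path_to_tree_root(source)
        up_dst = self.path_to_tree_root(target)
        if up_src[-1] == up_dst[-1]:
            # Same tree: climb to the lowest common ancestor, then descend to the target.
            common = next(d for d in up_src if d in up_dst)
            return up_src[: up_src.index(common) + 1] + up_dst[: up_dst.index(common)][::-1]
        # Different trees: every tree root trusts the forest root, so hop through it.
        middle = [] if self.forest_root in (up_src[-1], up_dst[-1]) else [self.forest_root]
        return up_src + middle + up_dst[::-1]

    def trusts(self, source, target):
        """Transitive trust exists between any two domains of the same forest."""
        return self.trust_chain(source, target) is not None

    def can_host_exchange_organization(self, domains):
        """An Exchange organization may span domains, but only within this one forest."""
        return all(d in self.parent for d in domains)


def build_sample_forest():
    forest = Forest("widgets.com")
    forest.add_child("hsv.widgets.com", "widgets.com")
    forest.add_child("sales.hsv.widgets.com", "hsv.widgets.com")
    forest.add_tree_root("widgetsparts.com")  # constructed second tree
    forest.add_child("eu.widgetsparts.com", "widgetsparts.com")
    return forest


if __name__ == "__main__":
    forest = build_sample_forest()
    print(" -> ".join(forest.trust_chain("sales.hsv.widgets.com", "widgets.com")))
    print(" -> ".join(forest.trust_chain("sales.hsv.widgets.com", "eu.widgetsparts.com")))
    print(forest.trusts("hsv.widgets.com", "partners.example"))  # False: other forest
```

The chain for sales.hsv.widgets.com to widgets.com passes through hsv.widgets.com even though no trust was ever defined directly between the two ends, which is the transitivity the text describes; a domain in another forest yields no chain at all, matching the statement that trust outside the forest exists only if you create it explicitly.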

Physical Components

The physical side of Active Directory is primarily represented by domain controllers and sites. These enable organizations to optimize replication traffic across their networks and to assist client workstations in finding the closest domain controller to validate logon credentials.

Domain Controllers

Every domain must have at least one domain controller, a computer running Windows Server 2003 that validates user network access and manages Active Directory. To create a domain controller, all you have to do is install Active Directory on a Windows Server 2003 computer. During this process, you have the option of creating a new domain or joining an existing domain. If you create a new domain, you also have the option of creating or joining an existing domain tree or forest. A domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain. Schema and infrastructure configuration information is replicated between all domain controllers in a forest.

Note

In previous versions of Windows, a distinction was drawn between primary and backup domain controllers. In Windows Server 2003 and Windows 2000 Server, all domain controllers are considered peers, and each holds a complete copy of Active Directory.

Global Catalog

In a single-domain environment, users can rely on Active Directory for the domain to provide all of the necessary information about the resources on the network. In a multi-domain environment, however, users often need to access resources outside of their domain, resources that may be more difficult to find. For this, a global catalog is used to hold information about all objects in a forest. The global catalog enables users and applications to find objects in an Active Directory domain tree if the user or application knows one or more attributes of the target object.

Through the replication process, Active Directory automatically generates the contents of the global catalog from the domain controllers in the directory. The global catalog holds a partial replica of Active Directory. Even though every object is listed in the global catalog, only a limited set of attributes for those objects is replicated in it. The attributes listed for each object in the global catalog are defined in the schema. A base set of attributes is replicated to the global catalog, but you can specify additional attributes to meet the needs of your organization.

Note

By default, there is only one global catalog in the entire forest, and that is the first domain controller installed in the first domain of the first tree. All others must be configured manually. We recommend adding a second global catalog for backup and load balancing. Furthermore, each domain should have at least one global catalog to provide for more efficient Active Directory searches and network logons.

Windows Server 2003 Sites

A Windows Server 2003 site is a group of computers that exist on one or more IP subnets. Computers within a site must be connected by a fast, reliable network connection. Using Windows sites helps maximize network efficiency and provide fault tolerance. Windows sites also help clients find the closest domain controller to validate logon credentials.

In versions of Exchange Server prior to Exchange 2000 Server, the concept of a site was used to identify a group of Exchange servers that shared a permanent, high-bandwidth connection and also represented an administrative boundary in Exchange. The concept of Windows sites is unrelated to the use of sites in earlier versions of Exchange. Exchange Server 2003 (and Exchange 2000 Server) has replaced the concept of Exchange sites with routing groups and administrative groups. Routing groups are used to define groups of Exchange servers that share a reliable (but not necessarily high-bandwidth) connection. Administrative groups are used to define administrative boundaries within an Exchange environment.

Note

Exchange Server 2003 makes extensive use of Active Directory information on global catalog servers. For efficient communication, Exchange Server 2003 requires direct access to a global catalog server in your LAN.

Sites are created using the Active Directory Sites and Services tool. No direct relationship exists between Windows domains and sites, so a single domain can span multiple sites and a single site can span multiple domains.

Schema

A schema represents the structure of a database system: the tables and fields in that database and how the tables and fields are related to one another. The Active Directory information is also represented by a schema. All objects that can be stored in Active Directory are defined in the schema.

Installing Active Directory on the first domain controller in a network creates a schema that contains definitions of commonly used objects and attributes. The schema also defines objects and attributes that Active Directory uses internally. When Exchange Server 2003 is installed, Exchange setup extends the schema to support information that Exchange needs. Updates to the schema require replication of the schema across the forest and also to all domain controllers in the forest. For more information about how Exchange updates the schema, see Chapter 3, "Installing Microsoft Exchange Server 2003."

Active Directory and Exchange Server 2003

In versions of Exchange Server prior to Exchange 2000 Server, Exchange maintained a directory of its own through a service known as the Directory Service. On each Exchange server, the Directory Service maintained a copy of the directory in a database file on the Exchange server and took care of replicating changes in the directory to other Exchange servers. In Exchange Server 2003, the Directory Service has been removed altogether. Exchange is now totally reliant on Active Directory to provide its directory services.

This new reliance caused a shift in the way that the Exchange directory is maintained. This section first examines the effects that the boundaries of a forest place on Exchange. It then looks at the role of DNS in an Exchange organization. Finally, it looks at how directory replication differs now that Exchange no longer handles directory information itself, and at the Active Directory Connector, which exchanges directory data with previous versions of Exchange Server.

Forests

By default, the global catalog shows only objects within a single Windows Server 2003 forest, so an Exchange organization must be within the boundaries of a forest. This is different from earlier versions of Windows NT and Exchange 5.5. In previous versions, an Exchange organization could span domains that did not trust one another because Exchange 5.5 did not rely so much on the underlying security structure of Windows NT. With Active Directory and Exchange Server 2003, the security structure is integrated, which means that a single Exchange organization cannot span multiple forests, but can span multiple domains within a single forest.

Domain Name Service (DNS)

In previous versions of Windows NT, the Windows Internet Name Service (WINS) was the primary provider of name resolution within an organization because it provided dynamic publishing and mapping of full names to network addresses. DNS was really only required for organizations that needed Internet connectivity, though it was usually a recommended practice to use DNS with earlier versions of Exchange Server as well. Windows Server 2003 relies almost exclusively on DNS because it provides maximum interoperability with Internet technologies. In order for Exchange Server 2003 to function, a DNS service must be running in your organization. Outlook Web Access, SMTP connectivity, and Internet connectivity all rely on DNS.

Active Directory is often called a namespace, which is similar to the directory service in earlier versions of Exchange and means any bounded area in which a given name can be resolved. The DNS name creates a namespace for a tree or forest, such as widgets.com. All child domains of widgets.com, such as sales.widgets.com, share the root namespace. In Exchange Server 2003, Active Directory forms a namespace in which the name of an object in the directory can be resolved to the object. All domains that have a common root domain form a contiguous namespace. This means that the domain name of a child domain is the child domain name appended to the name of the parent domain.

In Windows Server 2003 domains using DNS, a domain name such as hsv.widgets.com does not affect the e-mail addresses for Exchange users created in that domain. Although a user's logon name might be user@hsv.widgets.com, you control how e-mail addresses are generated using recipient policies in System Manager and Active Directory Users and Computers.

Directory Replication

In versions of Exchange Server prior to Exchange 2000 Server, the directory was a part of Exchange, and replication of that directory was handled by Exchange Server. When attributes of directory objects changed, the entire object was replicated throughout the organization.

Now, all directory functions have been passed to Active Directory, which replicates at the attribute level instead of the object level. This means that if a change is made to an attribute, only that attribute (and not the entire object) is replicated to other domain controllers in the domain, resulting in less network traffic and more efficient use of server resources.
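The difference between object-level and attribute-level replication is easiest to see by computing what each would put on the wire for the same edit. The following is an added example, not code from the book: `object_level_update` stands in for the Exchange 5.5 directory (the whole object ships on any change), `attribute_level_update` stands in for Active Directory (only the changed attributes ship, with a `None` marking a removed attribute), and `apply_update` shows the receiving domain controller merging the delta into its own replica. The user object, the edits, and the use of JSON length as a size measure are constructed for the example.

```python
# Added example (not from the book): contrasts object-level replication (the Exchange 5.5
# directory) with attribute-level replication (Active Directory) by computing what each
# would ship for the same change. The user object, the edits and the JSON size measure
# are constructed for the example.

import json


def object_level_update(old, new):
    """Exchange 5.5 style: if anything changed, the entire object is replicated."""
    return dict(new) if new != old else {}


def attribute_level_update(old, new):
    """Active Directory style: only attributes whose value changed are replicated.
    A value of None in the delta marks an attribute that was removed."""
    delta = {}
    for attr in sorted(set(old) | set(new)):
        if old.get(attr) != new.get(attr):
            delta[attr] = new.get(attr)
    return delta


def apply_update(replica, delta):
    """Apply an attribute-level delta to another domain controller's copy of the object."""
    updated = dict(replica)
    for attr, value in delta.items():
        if value is None:
            updated.pop(attr, None)
        else:
            updated[attr] = value
    return updated


def payload_bytes(update):
    """Size of the update on the wire, using JSON as a stand-in encoding."""
    return len(json.dumps(update, sort_keys=True).encode("utf-8"))


def compare_replication(old, new):
    """Bytes each replication style would ship for the change from old to new."""
    return {
        "object_level": payload_bytes(object_level_update(old, new)),
        "attribute_level": payload_bytes(attribute_level_update(old, new)),
    }


# Constructed Exchange-enabled user object as held on the first domain controller.
USER_V1 = {
    "distinguishedName": "CN=Jane Doe,OU=Sales,DC=hsv,DC=widgets,DC=com",
    "givenName": "Jane",
    "sn": "Doe",
    "displayName": "Jane Doe",
    "mail": "jane.doe@widgets.com",
    "mailNickname": "jane.doe",
    "proxyAddresses": ["SMTP:jane.doe@widgets.com", "smtp:jdoe@widgets.com"],
    "telephoneNumber": "+1 256 555 0100",
    "title": "Account Manager",
    "department": "Sales",
}

# The same object after an administrator changes the phone number and clears the title.
USER_V2 = {k: v for k, v in USER_V1.items() if k != "title"}
USER_V2["telephoneNumber"] = "+1 256 555 0199"

if __name__ == "__main__":
    delta = attribute_level_update(USER_V1, USER_V2)
    print("attribute-level delta:", delta)
    print("bytes replicated:", compare_replication(USER_V1, USER_V2))
```

For the two-attribute edit above, the attribute-level delta carries only the new telephone number and the removal of the title, while the object-level update carries every attribute including the unchanged proxy addresses; applying the delta on a second replica reproduces the edited object exactly.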

Active Directory Connector (ADC)

Exchange Server 2003 supports coexistence with Exchange 5.5 through the Active Directory Connector. For organizations using earlier versions of Exchange, this is a critical component in upgrading to Exchange Server 2003.

Because Exchange Server 2003 uses Active Directory as its directory service, directory information is managed in one location. The Active Directory Connector is a Windows service that synchronizes the Exchange 5.5 directory with Active Directory. This allows you to administer your directory from Active Directory or the Exchange 5.5 directory service. You can also use ADC to migrate objects from the Exchange directory service to Active Directory. For more information on configuring Exchange Server 2003 to work with Exchange 5.5, see Chapter 11, "Coexisting with and Migrating from Exchange 5.5."




MCSA/MCSE (ISBN: 735621527, Year: 2004, Pages: 160)