Abstract
Before planning and implementing the Active Directory in your network, you should get familiar with the concepts that drive how the Active Directory functions. This chapter teaches you the terminology and the conceptual framework of the Active Directory that you will use as you work with Active Directory in your environment.
WHAT IS THE ACTIVE DIRECTORY?
The term "directory" has received a lot of attention in computing environments in the past several years. As computing environments have become larger and more complex, with many offering Internet access and even network resources through an intranet, the task of managing the many resources the network has to offer has become more and more complex for network administrators — and the user's task of finding those resources has become just as difficult. The need to not only organize information, but make that information easy to manage and locate, has become a serious and complicated issue.
By definition, a directory is an information storage location that uses a systematic scheme to organize the information. The Active Directory refers to this systematic scheme as a "namespace." A common example is the telephone book. All information in a telephone book is stored by city/region, last name, then first name(s). By referencing a particular name in a particular city/region, you can find that person's telephone number. The phone book uses a "namespace" in that all names are organized in alphabetical order using the last name and first name of the phone user. If the telephone book did not follow a namespace — in other words, if some names listed were by first name, some by last, some by nicknames, and some by address — you would never find what you needed. So, a directory organizes information using a namespace so you can find more information about the people or things listed in the directory.
Although Windows NT offered directory services through third party software, the Active Directory in Windows 2000 is Microsoft's new answer to directory services. The Active Directory is a powerful tool that allows multiple sites, domains, and even the Internet to fully integrate together. The Active Directory's purpose is to organize information about real network objects, such as users, shares, printers, applications, and so forth, so that users can find the resources they need. Through the Active Directory, users do not have to keep track of which server holds which resource, or where a particular printer resides. The Active Directory lists the information, is completely searchable, and provides a standard folder interface to users so they can find what they need on the network. From an administrator's point of view, the Active Directory provides you with a simple, hierarchical design that you can administer from a single location.
DESIGN GOALS OF THE ACTIVE DIRECTORY
The Active Directory's design goals are simple, yet very powerful, allowing Active Directory to provide the desired functionality in virtually any computing environment. The following list describes the major features and goals of the Active Directory technology.
- Scalable — The Active Directory is highly scalable, which means it can function in small networking environments or global corporations. The Active Directory supports multiple stores, which are wide groupings of objects, and can hold more than one million objects per store.
- Extensible — The Active Directory is "extensible," which means it can be customized to meet the needs of an organization.
- Secure — The Active Directory is integrated with Windows 2000 security, allowing administrators to control access to objects.
- Seamless — The Active Directory is seamlessly integrated with the local network and the intranet/Internet.
- Open Standards — The Active Directory is based on open communication standards, which allow integration and communication with other directory services, such as Novell's NDS.
- Backwards Compatible — Although Windows 2000 operating systems make the most use of the Active Directory, the Active Directory is backwards compatible for earlier versions of Windows operating systems. This feature allows implementation of the Active Directory to be taken one step at a time.
ACTIVE DIRECTORY NAMESPACE
As mentioned previously, the Active Directory functions through the use of an extensible namespace, and the namespace used in the Active Directory follows the Domain Name System (DNS). DNS is the most widely used directory namespace in the world and it is highly scalable. Each time you use the Internet, you are using DNS. DNS takes a host name, such as www.microsoft.com, and resolves it into a TCP/IP address, such as 131.107.2.200, which is required for communication on TCP/IP networks. Since computers must have the TCP/IP address to communicate, and people need the language-based names to communicate, DNS's job is to resolve between the two.
The Active Directory is integrated with DNS and the naming schemes used in the Active Directory are DNS names. The DNS integration allows you to use the same domain name for your network as you would on the Internet. For example, smithfin.com is a valid DNS name and can also be used as a Windows 2000 domain name. With DNS as the locator service in the Active Directory, the local area network becomes more seamless with the Internet and intranet. Smithfin.com can be an Internet name or a local area name. Kanderson@smithfin.com is both an Internet email address and a user name in the local network. This structure allows you to find items on your network in the same manner you find them on the Internet.
Windows 2000 also supports Dynamic DNS (DDNS), a new addition to the DNS standard. With DDNS, a DNS server can be updated dynamically with new or changed records, a task that previously had to be performed manually. Since name records can be dynamically updated, true Windows 2000 networks no longer need to use Windows Internet Naming Service (WINS).
LDAP IN THE ACTIVE DIRECTORY
DNS is the naming scheme used in the Active Directory, and LDAP (Lightweight Directory Access Protocol) is how you access the Active Directory. LDAP is a widely adopted Internet standard used in newsgroups and search engines. Although often misunderstood, LDAP is not a part of the X.500 standard. The X.500 standard is a directory specification that introduced DAP (Directory Access Protocol) to read and modify a directory database. DAP is an extensible protocol in that it can handle directory requests and changes, as well as directory security. However, DAP places much of the processing burden on the client computers and is considered to be a high-overhead protocol. LDAP, which is not defined within the X.500 specification, was developed to overcome the weaknesses of DAP. LDAP is an open standard, which means that it can be used by anyone wishing to develop a directory service and is not restricted to X.500 directories as DAP is. Another major difference is that LDAP is not a client-based service: the service runs on the server and the information is returned to the LDAP-enabled client. The Active Directory is not an X.500 directory, but it supports the X.500 information model without requiring systems to implement the X.500 overhead. The result is an LDAP-based directory that supports high levels of interoperability.
ACTIVE DIRECTORY HIERARCHY
The structure of the Active Directory is a hierarchy, and before installing and implementing the Active Directory, you must have a firm understanding of the structure as well as the components that make up the Active Directory. You will use this hierarchy design to build the Active Directory infrastructure for your organization, so it is important that you have a firm grasp of each component's meaning and place in the hierarchy before you begin planning. The following sections explore the components in the hierarchy structure. We will work with each of these in more detail in later chapters.
Object
An Active Directory object represents a physical object of some kind on the network. Common Active Directory objects are users, groups, printers, shared folders, applications, databases, contacts, and so forth. Each of these objects represents something "tangible." Each object is defined by a set of "attributes." An attribute is a quality that helps define the actual object. For example, a user object could have attributes of a username, actual name, and email address. Attributes for each kind of object are defined in the Active Directory. The attributes define the object itself and allow users to search for the particular object, as in Figure 1.
Organizational Unit
An organizational unit (OU) is like a file folder in a filing cabinet. The OU is designed to hold objects (or even other OUs). It has attributes like an object, but has no functionality on its own. As with a file folder, its purpose is to hold other objects. As the name implies, an OU helps you "organize" your directory structure. For example, you could have an accounting OU that contains other OUs, such as Accounting Group A and Accounting Group B, and inside those OUs can reside the objects that belong there, such as users, groups, computers, printers, and so forth (Figure 2). OUs also serve as security and administrative boundaries and can be used to replace domains in networks that have multiple Windows NT domains.
Domain
By definition, a domain is a logical grouping of users and computers. A domain typically resides in a localized geographic location, but this is not always the case. In reality, a domain is more than a logical grouping — it is actually a security boundary in a Windows 2000 or NT network. You can think of a network with multiple domains as being like a residential neighborhood. All of the homes make up the neighborhood, but each home is a security boundary that holds certain objects inside and keeps others out. The domain is the same (Figure 3). Each domain can have its own security policies and can establish trust relationships with other domains. The Active Directory is made up of one or more domains. Domains contain a schema, which is a set of object class instances. The schema determines how objects are defined within the Active Directory. The schema itself resides within the Active Directory and can be dynamically changed. You can learn more about the Active Directory schema in Chapter 18.
Tree
The hierarchy structure of the domain, organizational units, and objects is called a tree. The objects within the tree are referred to as endpoints, while the OUs in the tree structure are nodes. In terms of a physical tree, you can think of the branches as OUs or containers and the leaves as objects — an object is the natural endpoint of the node within the tree.
Domain Trees
A domain tree exists when several domains are linked by trust relationships and share a common schema, configuration, and global catalog. Trust relationships in Windows 2000 are based on the Kerberos security protocol. Kerberos trusts are transitive. In other words, if domain 1 trusts domain 2 and domain 2 trusts domain 3, then domain 1 trusts domain 3, as shown in Figure 4.
A domain tree also shares a contiguous namespace (Figure 5). A contiguous namespace follows the same DNS naming hierarchy within the domain tree. For example, if the root domain is smithfin.com and domain A and domain B exist in a domain tree, the contiguous namespace for the two would be domaina.smithfin.com and domainb.smithfin.com. If domain A resides in smithfindal.com and domain B resides in the smithfin.com root, then the two would not share a contiguous namespace.
Forest
A forest is one or more trees that do not share a contiguous namespace. The trees in the forest do share a common schema, configuration, and global catalog, but the trees do not share a contiguous namespace. All trees in the forest trust each other through Kerberos transitive trusts. In actuality, the forest does not have a distinct name of its own; the trees are viewed as a hierarchy of trust relationships, and the forest is normally referred to by the name of the tree at the top of that hierarchy. For example, corp.com, production.corp.com, and mgmt.corp.com form a forest with corp.com serving as the forest root.
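To make the contiguous-namespace and transitive-trust rules from the Domain Trees and Forest sections concrete, here is an added example (not code from the book) that groups a list of domain names into trees by DNS hierarchy and then answers "does domain A trust domain B?" by following a chain of two-way trusts. It assumes the simplified model the chapter gives: a child domain trusts its parent in the tree, and each tree root trusts the forest root.

```python
"""Added example, not part of the chapter: group domains into domain trees by
contiguous DNS namespace and check whether transitive trusts link two domains."""
from collections import deque

def is_contiguous(child: str, root: str) -> bool:
    """True when child is root itself or sits below root in the same DNS hierarchy."""
    child, root = child.lower(), root.lower()
    return child == root or child.endswith("." + root)

def build_trees(domains):
    """Map each tree root (a domain with no ancestor in the list) to its members."""
    names = sorted({d.lower() for d in domains})
    roots = [d for d in names if not any(o != d and is_contiguous(d, o) for o in names)]
    return {r: [d for d in names if is_contiguous(d, r)] for r in roots}

def trust_graph(domains, forest_root):
    """Two-way transitive trusts as an undirected graph: each domain trusts its
    nearest ancestor in its tree, and every other tree root trusts the forest root."""
    trees = build_trees(domains)
    names = {d for members in trees.values() for d in members}
    edges = {d: set() for d in names}
    forest_root = forest_root.lower()
    for root, members in trees.items():
        for d in members:
            if d == root:
                continue
            ancestor = d.partition(".")[2]   # walk up until an existing domain is hit
            while ancestor not in names:
                ancestor = ancestor.partition(".")[2]
            edges[d].add(ancestor)
            edges[ancestor].add(d)
        if root != forest_root:
            edges[root].add(forest_root)
            edges[forest_root].add(root)
    return edges

def trusts(edges, a, b) -> bool:
    """Breadth-first search: a trusts b when a chain of transitive trusts joins them."""
    a, b = a.lower(), b.lower()
    seen, queue = {a}, deque([a])
    while queue:
        cur = queue.popleft()
        if cur == b:
            return True
        for nxt in edges[cur] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return False
```

Run on the chapter's own names (smithfin.com, domaina.smithfin.com, domainb.smithfin.com and smithfindal.com), build_trees puts smithfindal.com in a separate tree because it does not sit under smithfin.com, yet trusts() still finds a path to it through the forest root.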
Site
A site is not actually considered a part of the Active Directory hierarchy, but is configured in the Active Directory for replication purposes. A site is defined as a geographical location in a network containing Active Directory servers with a well-connected TCP/IP subnet. Well-connected means that the network connection is highly reliable and fast to other subnets in the network. Administrators use the Active Directory to configure replication between sites. Users do not have to be aware of site configuration. As far as the Active Directory is concerned, users only see domains.
ACTIVE DIRECTORY NAMES
In the Active Directory, every object, such as a user, a group, a computer, a printer, and so forth, has a unique name. There are four kinds of names assigned to each object.
First, each object has a distinguished name (DN). The DN is unique from all other objects and contains the full information needed to retrieve the object. The DN contains the domain where the object resides and the path to the object. The DN is made up of these attributes (or qualities):
- DomainComponentName (DC)
- OrganizationalUnitName (OU)
- CommonName (CN)
For example if you wanted to access a document called "Production Flow" that resides in a particular domain, the DN might read:
/DC=com/DC=mycompany/OU=prod/CN=documents/CN=Production Flow
By using the DN, the Active Directory can begin at the top of the domain and work its way down to the actual folder or document.
Next, the Active Directory uses the relative distinguished name (RDN). The RDN is the part of the DN that identifies the object itself; it is the object's CN, or common name, attribute. Fortunately, all you need to know to search for objects are common names. You don't have to know or use the DN, and the DN itself is normally hidden from the users.
Next, the Active Directory also assigns each object a globally unique identifier (GUID), which is a 128-bit number unique from all others. The GUID is assigned to an object when it is created in the Active Directory and it never changes.
Finally, Active Directory objects can be identified by a user principal name (UPN), which is a short friendly name that looks like an email address, such as kanderson@smithfin.com.
The major point to remember is that the Active Directory provides the DN, RDN, GUID, and UPN for objects to ensure uniqueness, ease of location for LDAP queries, and ease of use for users. You will learn more about these names throughout the book.
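The naming discussion above is easier to follow with a small parser, added here as an example and not taken from the book: it splits a DN into its DC, OU and CN attributes, picks out the RDN, rebuilds the DNS domain name from the DC components, and forms a UPN from a logon name. The sample DNs, the "Kay Anderson" user and the "Accounting Group A" OU are constructed; the parser accepts both the chapter's slash-separated DN form and the comma-separated LDAP form.

```python
"""Added example, not from the chapter: take apart an Active Directory distinguished
name into its DC / OU / CN attributes and derive the RDN, DNS domain and a UPN."""
import re

# Constructed sample DNs: the chapter's slash-separated form (root first) and the
# comma-separated LDAP form (leaf first). Escaped separators are not handled here.
SLASH_DN = "/DC=com/DC=mycompany/OU=prod/CN=documents/CN=Production Flow"
LDAP_DN = "CN=Kay Anderson,OU=Accounting Group A,OU=accounting,DC=smithfin,DC=com"

_RDN = re.compile(r"(DC|OU|CN)=([^/,]+)", re.IGNORECASE)

def parse_dn(dn: str):
    """Return [(type, value), ...] ordered root-first: DC ..., OU ..., CN ..."""
    parts = [(t.upper(), v.strip()) for t, v in _RDN.findall(dn)]
    if not parts:
        raise ValueError(f"not a distinguished name: {dn!r}")
    return parts if dn.startswith("/") else list(reversed(parts))

def rdn(dn: str) -> str:
    """The relative distinguished name: the leaf attribute that names the object itself."""
    t, v = parse_dn(dn)[-1]
    return f"{t}={v}"

def dns_domain(dn: str) -> str:
    """Join the DC components (most specific first) into the DNS domain name."""
    dcs = [v for t, v in parse_dn(dn) if t == "DC"]
    return ".".join(reversed(dcs))

def container_path(dn: str) -> str:
    """OU/CN containers between the domain and the object, top-down."""
    return "/".join(v for t, v in parse_dn(dn)[:-1] if t != "DC")

def upn(logon_name: str, dn: str) -> str:
    """A UPN is the friendly, e-mail-like name: logon name @ the object's DNS domain."""
    return f"{logon_name}@{dns_domain(dn)}"
```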
GLOBAL CATALOG
The purpose of LDAP is to allow network users to search and find the objects in the Active Directory they want to use. For this to happen, the Active Directory domain controllers maintain a "global catalog."
The global catalog allows users and applications to find objects in the Active Directory by searching for one or more attributes. The global catalog holds a partial "replica" of the objects and their most common attributes. When a user performs a search operation to find a user (or other object), the global catalog is checked to find matches for that request. The global catalog looks for that attribute and returns matches to the user. Data in the global catalog is built and maintained through replication among domain controllers.
SUMMARY
In this chapter, you learned the major concepts and terminology you need to understand to begin planning your Active Directory implementation. The Active Directory is a highly scalable and extensible directory service that makes use of DNS as its naming scheme. The Active Directory natively uses LDAP to locate objects within the Active Directory so users can easily locate the information they need. The Active Directory structure is based on a hierarchy that contains objects, organizational units, domains, trees, and forests. The Active Directory also allows you to configure sites and manage site replication. The Active Directory assigns DN, RDN, GUID, and UPN names to ensure uniqueness and ease of location. All of this information is stored in a global catalog.