TUTORIAL - ACTIVE DIRECTORY

Introduction
The Microsoft Active Directory service is a central component of the Windows platform, providing the means to manage the identities and relationships that make up network environments.
Expanding on the foundation of the Windows 2000 operating system, the Windows Server 2003 family improves the manageability of Active Directory and eases the migration and deployment of directory-enabled applications.

Active Directory has been enhanced to reduce total cost of ownership (TCO) and the cost of operation within your business. New features and enhancements have been provided at all levels of the product to extend versatility, simplify management, and increase dependability. With Windows Server 2003, organizations can benefit from further reductions in cost while increasing the efficiency with which they share and manage the various elements of their business.

New features and improvements for Active Directory in the Windows Server 2003 family:
• Integration and productivity.
• Performance and scalability.
• Administration and configuration management.
• Group Policy features.
• Security enhancements.

Active Directory Basics
Active Directory is the directory service for Windows Server 2003, Standard Edition, Enterprise Edition, and Datacenter Edition. (Windows Server 2003, Web Edition, cannot be promoted to a domain controller, but computers running it can be joined to and managed by an Active Directory domain.) Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

Directory Data Store
This data store is often simply referred to as the directory. The directory contains information about objects such as users, groups, computers, domains, organizational units (OUs), and security policies. This information can be published for use by users and administrators.

The directory is stored on servers known as domain controllers and can be accessed by network applications or services. A domain can have one or more domain controllers. Each domain controller holds a writeable copy of the directory for the domain in which it is located (Windows Server 2003 has no read-only domain controllers). Changes made to the directory are replicated from the originating domain controller to the other domain controllers in the domain, domain tree, or forest. Because the directory is replicated, and because each domain controller has a writeable copy, the directory remains available to users and administrators throughout the domain even when a single domain controller is down. The same property means that every domain controller is a complete copy of the domain's secrets and must be protected to the same standard as the rest.

Directory data is stored in the Ntds.dit file on the domain controller (by default under %SystemRoot%\NTDS). The file should be kept on an NTFS partition so that it can be protected with access control lists. Not everything lives in the database file: logon scripts and Group Policy templates are stored in the SYSVOL folder, a file system share that is replicated between domain controllers by the File Replication Service. Ntds.dit contains every account's password hashes, so a copy of the file, including one taken from a backup or a volume snapshot, together with the SYSTEM registry hive is enough to recover those hashes offline; the file, its backups, and the domain controllers themselves must be protected accordingly.
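As an added example (not part of the original tutorial), the following PowerShell, run elevated on a domain controller, reads the paths the NTDS and Netlogon services use from the registry, confirms that each sits on NTFS, and lists who can read the database folder. The registry value names are the standard ones; the expectation that only SYSTEM and Administrators appear in the folder's ACL is a baseline assumption for an unmodified installation.

```powershell
# Added example, not from the original tutorial. Run elevated on a domain controller.
# Locates Ntds.dit, its log files and the SYSVOL replica from the values the NTDS and
# Netlogon services read, checks the file system of each volume, and shows the NTFS
# DACL on the database directory.

$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$paths = [ordered]@{
    'Ntds.dit'       = $ntds.'DSA Database file'
    'NTDS log files' = $ntds.'Database log files path'
    'SYSVOL'         = $netlogon.SysVol
}

foreach ($entry in $paths.GetEnumerator()) {
    # Split-Path -Qualifier returns the drive, e.g. "C:"
    $drive = Split-Path -Qualifier $entry.Value
    $fs    = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
    '{0,-15} {1}  [{2}]' -f $entry.Key, $entry.Value, $fs
    if ($fs -ne 'NTFS') { Write-Warning "$($entry.Key) is not on an NTFS volume" }
}

# Who can read the directory holding Ntds.dit? Expect only SYSTEM and Administrators
# (assumption for a default install). Any principal that can read this file, or a backup
# or VSS snapshot of it, plus the SYSTEM hive can extract every password hash offline.
$dbDir = Split-Path -Parent $ntds.'DSA Database file'
(Get-Acl -Path $dbDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Any extra identity in the last table, or a non-NTFS result in the first, is worth investigating before anything else on the server.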

There are three categories of directory data replicated between domain controllers:

Domain data. The domain data contains information about objects within a domain. This is the information typically thought of as directory information such as e-mail contacts, user and computer account attributes, and published resources that are of interest to administrators and users.
For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your organization's directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.

Configuration data. The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests, and the locations of the domain controllers and global catalogs.

Schema data. The schema is the formal definition of every object class and attribute that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and programmers can extend the schema by defining new object classes and attributes, or by adding attributes to existing classes. Schema objects are protected by access control lists (ACLs): by default only members of the Schema Admins group may change the schema, and writes are accepted only on the domain controller holding the schema master role. Because a schema change replicates to every domain controller in the forest and cannot be deleted afterwards (only deactivated), it should be reviewed before it is applied.

Active Directory and Security
Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.

Active Directory provides protected storage of user account and group information by using access control on objects and user credentials. Because Active Directory stores not only user credentials but also access control information, users who log on to the network obtain both authentication and authorization to access system resources. For example, when a user logs on to the network, the security system authenticates the user against the information stored in Active Directory and builds an access token holding the user's security identifier (SID) and the SIDs of the groups the user belongs to. Then, when the user attempts to access a service or resource on the network, the system compares those SIDs with the entries in the discretionary access control list (DACL) in that resource's security descriptor.

Because Active Directory allows administrators to create group accounts, administrators can manage system security more efficiently. For example, by adjusting a file's properties, an administrator can permit all users in a group to read that file; users added to or removed from the group later gain or lose that access at their next logon without the file being touched again. In this way, access to objects, whether in the file system or in Active Directory itself, is granted on the basis of group membership.
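An added example (not from the original tutorial) of both halves of that paragraph in PowerShell: granting a group Read on a file by editing the file's DACL, then a simplified model of the access check the system performs when a user opens the file. The file path C:\Reports\q1.xlsx and the group CONTOSO\Finance are placeholders, and the Test-SimpleAccess function is illustrative: it follows the documented walk through the DACL but omits the owner's implicit rights, generic right mapping and privileges that the real kernel check also applies.

```powershell
# Added example, not from the original tutorial. Placeholders: file path and group name.
# Run elevated on a domain-joined machine.

$file  = 'C:\Reports\q1.xlsx'   # placeholder
$group = 'CONTOSO\Finance'      # placeholder

# 1. Grant the group Read by editing the file's DACL (the "file's properties").
$acl  = Get-Acl -Path $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($group, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# 2. The resulting ACEs in DACL order: explicit Deny, explicit Allow, then inherited ACEs.
(Get-Acl -Path $file).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Simplified model of the access check. The caller's token (user SID plus group SIDs)
#    is walked against the DACL in order: a matching Deny ACE that covers a still
#    ungranted requested right fails the check, matching Allow ACEs accumulate rights,
#    and the check passes only once every requested right has been granted.
#    Illustrative only: no owner rights, generic mapping or privilege handling.
function Test-SimpleAccess {
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Security,
        [System.Security.Principal.SecurityIdentifier[]]$TokenSids,
        [System.Security.AccessControl.FileSystemRights]$Requested
    )
    $remaining = [int]$Requested
    # Resolve every ACE's identity to a SID so it can be compared with the token.
    $rules = $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($TokenSids -notcontains $ace.IdentityReference) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny' -and ($mask -band $remaining)) { return $false }
        if ($ace.AccessControlType -eq 'Allow') { $remaining = $remaining -band (-bnot $mask) }
        if ($remaining -eq 0) { return $true }
    }
    return ($remaining -eq 0)   # reached the end of the DACL: allowed only if nothing is left
}

# Token of the current user: own SID plus every group SID in the logon token.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User) + @($me.Groups)

Test-SimpleAccess -Security (Get-Acl -Path $file) -TokenSids $sids -Requested 'Read'
```

The model shows why a Deny ACE placed on a group outranks an Allow on another group the same user belongs to: the Deny is reached first in canonical order and stops the walk. It also shows why a freshly added group member still gets "access denied" until they log on again: the token being walked was built at logon and does not contain the new group SID.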

Active Directory Schema
The Active Directory Schema is the set of definitions that defines the kinds of objects—and the types of information about those objects—that can be stored in Active Directory. Because the definitions are themselves stored as objects, Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.

Classes
Classes, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.

The Role of the Global Catalog
A global catalog is a domain controller that additionally stores a partial, read-only replica of every domain partition in the forest. For its own domain it holds the full, writeable copy like any other domain controller; for every other domain it holds every object but only the most commonly searched attributes (the partial attribute set). This lets it answer forest-wide searches without referring the client to domain controllers in other domains.

A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.

A global catalog performs the following directory roles:

Finds objects. A global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest are performed with maximum speed and minimum network traffic.

When you search for people or printers from the Start menu or choose the Entire Directory option within a query, you are searching a global catalog. The search request is sent to a global catalog server on the dedicated global catalog LDAP port, 3268 (3269 for LDAP over SSL), rather than the standard LDAP port 389, and is resolved there.

Supplies user principal name authentication. A global catalog resolves user principal names when the authenticating domain controller does not have knowledge of the account. For example, if a user’s account is located in example1.microsoft.com and the user decides to log on with a user principal name of user1@example1.microsoft.com from a computer located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the user’s account and will then contact a global catalog server to complete the logon process.

Supplies universal group membership information in a multiple domain environment. Unlike global and domain local group memberships, which are stored only in the domain that holds the group, universal group memberships are replicated to every global catalog, so a global catalog is the one place where a user's complete universal group membership can be read. For example, when a user who belongs to a universal group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the global catalog provides universal group membership information for the user's account so that it can be included in the user's access token.

If a global catalog is not available when a user logs on to a domain running at Windows 2000 native or higher, the domain controller cannot build the user's complete group list. The computer will use cached credentials to log on the user if the user has logged on to the domain previously; if the user has not logged on to the domain previously, the user can only log on to the local computer. Windows Server 2003 adds a per-site option, universal group membership caching, that lets domain controllers in a site without a global catalog reuse membership information they retrieved from a global catalog at earlier logons.
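An added example (not part of the original tutorial) that exercises the three roles above from PowerShell through System.DirectoryServices: a forest-wide search, the user principal name lookup, and the universal group membership query, all against port 3268, followed by a schema check that explains why a global catalog search may return no value for an attribute that is set on the object. The forest root DN, the UPN user1@example1.microsoft.com, the given name Alice and the attribute employeeID are placeholders; the code runs from any forest-joined machine as an authenticated user.

```powershell
# Added example, not from the original tutorial. Placeholders: forest root DN, UPN,
# given name, attribute name.

$forestRoot = 'DC=example1,DC=microsoft,DC=com'   # placeholder
$upn        = 'user1@example1.microsoft.com'       # placeholder

# GC:// binds to a global catalog on port 3268. Unlike LDAP://, a search rooted here
# spans every domain in the forest, but only partial-attribute-set attributes come back.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$forestRoot")
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userPrincipalName'))

# 1. Finds objects: every user with the given name Alice, whichever domain holds them.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(givenName=Alice))'
$searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# 2. UPN resolution: the lookup a domain controller performs when the UPN suffix does not
#    belong to its own domain. The DN that comes back names the domain holding the account.
$searcher.Filter = "(&(objectClass=user)(userPrincipalName=$upn))"
$result = $searcher.FindOne()
if (-not $result) { throw "No account with UPN $upn in the global catalog" }
$userDn = $result.Properties['distinguishedname'][0]
"Account for $upn lives at $userDn"

# 3. Universal group membership: groups whose groupType has the universal bit (0x8) set
#    and that list this user as a member. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
#    matching rule. If the DN contains ( ) * or \, escape them as \28 \29 \2a \5c first.
$searcher.Filter = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(member=$userDn))"
$searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# 4. Why a GC search can return nothing for an attribute that exists on the object: only
#    attributes flagged isMemberOfPartialAttributeSet in the schema reach the GC.
$schemaNc = ([ADSI]'LDAP://RootDSE').Properties['schemaNamingContext'].Value
$schema   = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
$schema.Filter = '(&(objectClass=attributeSchema)(lDAPDisplayName=employeeID))'
$inPas = $schema.FindOne().Properties['ismemberofpartialattributeset']
if ($inPas.Count -gt 0 -and $inPas[0]) {
    'employeeID is replicated to the global catalog'
} else {
    'employeeID is not in the partial attribute set; query port 389 in the home domain for it'
}
```

Step 3 is also the query to run when a user's token contains a group SID from another domain that nothing in the local domain explains: universal groups are the only group type whose membership crosses domain boundaries and is visible in one place.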

Efficient Search Tools
Administrators can use the advanced Find dialogs in the Active Directory Users and Computers snap-in to perform management tasks with greater efficiency and to easily customize and filter data retrieved from the directory. In addition, administrators can add objects to groups quickly and with minimal network impact by utilizing browse-less queries to help find likely members.

Active Directory Replication
Replication provides information availability, fault tolerance, load balancing, and performance benefits for the directory. Active Directory uses multimaster replication, enabling you to update the directory at any domain controller, rather than at a single, primary domain controller. The multimaster model has the benefit of greater fault tolerance, since, with multiple domain controllers, replication continues, even if any single domain controller stops working.

A domain controller stores and replicates:
• Schema information. This defines the objects that can be created in the directory and what attributes those objects can have. This information is common to all domains in the forest. Schema data is replicated to all domain controllers in the forest.

• Configuration information. This describes the logical structure of your deployment, containing information such as domain structure or replication topology. This information is common to all domains in the forest. Configuration data is replicated to all domain controllers in the forest.

• Domain information. This describes all of the objects in a domain. This data is domain-specific and is not distributed to any other domains. For the purpose of finding information throughout the domain tree or forest, a subset of the properties for all objects in all domains is stored in the global catalog. Domain data is replicated to all domain controllers in the domain.

• Application information. Information stored in an application directory partition is intended for cases where data must be replicated, but not necessarily forest-wide or to every domain controller in a domain. Application data is replicated only to the domain controllers an administrator designates, which may belong to different domains in the forest, so that unnecessary replication traffic is avoided; it can also be set to replicate to all domain controllers in a domain. Windows Server 2003 uses application partitions for Active Directory-integrated DNS zones (the DomainDnsZones and ForestDnsZones partitions).

The Role of Sites in Replication
Sites streamline replication of directory information. Directory schema and configuration information is replicated throughout the forest and domain data is replicated among all domain controllers in the domain and partially replicated to global catalogs. By strategically reducing replication, the strain on your network can be similarly reduced.

Domain controllers use sites and replication change control to optimize replication in the following ways:
• By periodically re-evaluating which connections are used (the Knowledge Consistency Checker recalculates the replication topology every 15 minutes by default), Active Directory uses the most efficient network connections.

• Active Directory uses multiple routes to replicate changes, providing fault tolerance.

• Replication costs are minimized by only replicating changed information.
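An added example (not part of the original tutorial) that shows the partitions and the replication topology described in the two sections above, using PowerShell together with the repadmin and nltest tools that ship with the Active Directory administration tools. Nothing is assumed beyond running it on a domain controller; every value is read from the local machine.

```powershell
# Added example, not from the original tutorial. Run on a domain controller (or on a
# machine with the AD DS administration tools, which provide repadmin.exe and nltest.exe).

# 1. The partitions this DC holds, read from RootDSE. Every DC lists the schema and
#    configuration partitions (forest-wide), its own domain partition, and the
#    application partitions it hosts (by default DomainDnsZones and ForestDnsZones on
#    DCs that also run DNS).
$rootDse = [ADSI]'LDAP://RootDSE'
'Schema        : ' + $rootDse.Properties['schemaNamingContext'].Value
'Configuration : ' + $rootDse.Properties['configurationNamingContext'].Value
'Domain        : ' + $rootDse.Properties['defaultNamingContext'].Value
'All held      :'
$rootDse.Properties['namingContexts'] | ForEach-Object { "  $_" }

# 2. Inbound replication partners for each partition, with the site each partner is in,
#    the transport, and the time of the last successful and failed attempt. A partner
#    that has not replicated for longer than the tombstone lifetime is a lingering-object
#    risk; a failure to a partner in another site usually points at the site link
#    schedule or a firewall between the sites.
repadmin /showrepl localhost

# 3. One-screen health summary for every DC in the forest: largest delta since the last
#    success and failure counts per source and destination DC.
repadmin /replsummary

# 4. Which site this DC belongs to, and the connection objects the KCC built for it
#    (the "multiple routes" the text refers to are these connections).
nltest /dsgetsite
repadmin /showconn localhost
```

Read step 1 together with step 2: each partition in the first list should have at least one healthy inbound partner in the second, and a DC that holds a partition no other DC in its site holds (a lone DNS application partition, for instance) must replicate it across a site link.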

Summary
Building on the foundation established in Windows 2000, Active Directory in Windows Server 2003 emphasizes simplified management, versatility, and dependability. Active Directory has become a solid foundation for building enterprise networks, with the ability to:

• Take advantage of existing investments and consolidate the management of directories.
• Extend administrative control and reduce redundant management tasks.
• Simplify remote integration and use network resources more efficiently.
• Provide a robust development and deployment environment for directory-enabled applications.
• Reduce TCO and improve the leverage of IT resources.

Related Links
See the following resources for further information:

• Microsoft Windows 2000 Active Directory Home Page at http://www.microsoft.com/ad
