Active Directory Study Guide (70-217)
What is Active Directory?
Active Directory, or AD, is the replacement for NT 4.0's LAN Manager-style domain model. It is essentially a database of network resources (known as objects) and information about each of these objects. This is not a new concept, as Novell and Banyan have used directory services for years. Familiarity with Novell 4.11 will greatly reduce the time it takes to become comfortable with this new network management system, as many of AD's features and terminology are very similar to those of Novell Directory Services (NDS).
Why Active Directory?
While NT 4.0 was a pretty good network operating system, it wasn't entirely equipped for enterprise networking. Network Neighborhood was a great tool until you had a huge network; then browsing problems would begin, and finding a particular printer or server could become a nightmare, especially if you didn't know its name. Furthermore, in order to even accommodate such a network, you would most likely have to partition it into several domains connected with trust relationships. AD solves many of these problems and offers a new level of scalability and organization for enterprise computing. The directory of each domain can store as many as 10 million objects, which is enough to accommodate millions of users per domain.
Directory Architecture:
First let's introduce
the concept of "Sites". Sites are used to define the boundaries of
high-speed links on a network containing Active Directory Servers.
Sites are based on IP subnets and are defined as a "well-connected
subnet or subnets". Do not confuse this term with the concept of
domains which are discussed next.
One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still the centerpiece of a Windows 2000 network; however, it is set up differently. Domain controllers are no longer separated into PDCs and BDCs. Now there are simply DCs (Domain Controllers). By default, all Win2K servers are installed as standalone member servers.
- DCPROMO.EXE - The Active Directory Installation Wizard, used to promote a non-domain controller to a DC and vice versa. The wizard prompts for all of the required information to install Active Directory under the conditions that you have asked it to run.
- Knowledge Consistency Checker (KCC) - A service created to ensure that the Active Directory service in the Windows 2000 operating system can replicate properly. It runs on all DCs and automatically establishes connections between individual computers in the same site; these are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any point where replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.
Each domain controller in a domain is capable of accepting requests for changes to the domain database and replicating that information with the other DCs in the domain. The first domain that is created is referred to as the "root domain" and is at the top of the directory tree. All subsequent domains will live beneath the root domain and are referred to as child domains. The child domain names must be unique. As you are viewing the items below, pay attention to how Windows 2000 now supports Internet naming conventions.
When a root domain and at least 1 child domain have been created, a "tree" is formed. Remember and understand this term, as you will hear it often when working with a directory service.
You can see that the structure begins to take the shape of a tree with branches and sub-branches. Now what if we are a company like Microsoft or DuPont that owns several other corporations? Typically, each company would have its own tree, and these would be aggregated together via trusts to create a "forest". Let's look at an example using our site.
So let's say that our company owns techtutorials.com (actually that is true) and xyzabc. You can see that the individual trees are organized just like the root domain (mcmcse).
Trusts Overview:
Trusts are much more
easily managed in Windows 2000 than in NT 4.0. There are 2 main
reasons that this is the case.
- When a new domain is added, trust relationships are automatically configured.
- Trusts are now commutative 2-way trusts. This means that if domain A trusts domain B then the reverse is automatically true. In Windows NT 4.0 trusts had to be administered as a series of 1 way trusts and could be quite cumbersome.
- Trusts are automatically transitive which means that if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C and vice versa.
These changes save an administrator some of the time-consuming administration effort spent creating and maintaining trusts that was required in NT 4.0. 1-way trusts can still be created when necessary.
Directory Components:
Now that we have looked at the big picture, it is time to take a look at what happens inside a domain. To get started, the first concept that you will need to understand is what the directory is made of. A common analogy for a directory is a phonebook. Both contain listings of various objects and information and properties about them. Within the directory are several other terms that you must know to gain even an entry-level understanding of how it all works.
- Objects - Objects in the database can include printers, users, servers, clients, shares, services, etc. and are the most basic component of the directory.
- Attributes - An attribute describes an object. For example, passwords and names are attributes of user objects. Different objects will have a different set of attributes that define them, however, different objects may also share attributes. For example, a printer and Windows 2000 Professional Workstation may both have an IP address as an attribute.
- Schema - A schema defines the list of attributes that describe a given type of object. For example, let's say that all printer objects are defined by name, PDL type and speed attributes. This list of attributes comprises the schema for the object class "printers". The schema is customizable, meaning that the attributes that define an object class can be modified.
- Containers - A container is very similar to the folder concept in Windows. A folder contains files and other folders. In Active Directory, a container holds objects and other containers. Containers have attributes just like objects, even though they do not represent a real entity like an object. The 3 types of containers are Domains, Sites and Organizational Units and are explained in more detail below.
- Domains - We have already discussed this concept in the preceding paragraphs.
- Sites - A site is a location. Specifically, sites are used to distinguish between local and remote locations. For example, company XYZ has its headquarters in San Francisco, a branch office in Denver and an office that uses DUN (Dial-Up Networking) to connect to the main network from Portland. These are 3 different sites.
- Organizational Units - Organizational units are containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains. Because organizational units can contain other OUs, a hierarchy of containers can be created to model your organization's structure and hierarchy within a domain. Organizational units should be used to help minimize the number of domains required for a network.
Now that we know what these concepts mean, let's take a visual look at what is going on inside a domain.
The
folder symbols represent Organizational Unit(OU) containers and
within each of these we find objects such as printers, servers,
computers, users, etc. Instead of objects directly located inside
these OUs, there could be more OU containers.
Object Names:
Most of us are used to the 15-character NetBIOS naming conventions of NT 4.0. Things are quite different now, as Windows 2000 uses the Lightweight Directory Access Protocol (LDAP) to supply the naming convention. This is a fairly complicated naming system for those of you without experience with Novell's context concept. The 2 basic concepts that you need to know are distinguished names and common names. Distinguished names are the complete "path" through the hierarchical tree structure to a specific object. This is similar to specifying the complete path to a file from a DOS prompt. This "path" points to the location of an object in the hierarchy. Let's take a look in more detail.
The following are the components that make up a distinguished name:
- OU - Organizational Unit. This attribute is used to divide a namespace based on organizational structure as previously discussed. An OU usually is associated with an Active Directory container or folder.
- DC - Domain Component. A distinguished name that uses DC attributes will have one DC for every domain level below root. Another way of thinking of this would be that there is a DC attribute for every item separated by a dot in the domain name.
- CN - Common Name. This attribute represents the object itself within the directory service.
NOTE:
Contrary to information that is currently posted online(even on
Microsoft's site), AD doesn't support C= and O= objects as Novell
has. The information that you may see posted refers to NT 5
development.
Here is an example of a distinguished name:
CN=Jason Sprague,CN=Users,DC=mcmcse,DC=COM
Now let's say that I was a member of the sales.mcmcse.com domain. My new DN would be:
CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM
And what about my computer called WOPR? It would be:
CN=WOPR,CN=Computers,DC=mcmcse,DC=COM
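As an added example (not code from the original guide), here is a small Python parser for distinguished names of the form shown above. It splits a DN into its RDN components, honours the backslash escape that LDAP uses for a comma inside a value, derives the DNS domain name from the DC components, and tests whether one DN's domain is a child of another's. The function names and the escaped sample value "Doe\, Betty" are my own.

```python
# Added example, not from the original guide: parsing LDAP distinguished names
# such as "CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM".
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Return [(attribute, value), ...], leftmost (most specific) RDN first.
    A backslash escapes the following character, so "Doe\\, Betty" is one value."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                  # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":              # an unescaped comma ends the RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: re-escape any comma inside a value."""
    return ",".join(attr + "=" + value.replace(",", "\\,") for attr, value in rdns)


def domain_dns_name(dn: str) -> str:
    """Join the DC components into a DNS name (DNS names are case-insensitive)."""
    return ".".join(value.lower() for attr, value in parse_dn(dn) if attr == "DC")


def parent_container(dn: str) -> str:
    """DN of the container holding the object: everything after the first RDN."""
    return format_dn(parse_dn(dn)[1:])


def is_child_domain(child_dn: str, parent_dn: str) -> bool:
    """True when child_dn's domain sits directly or indirectly under parent_dn's."""
    child, parent = domain_dns_name(child_dn), domain_dns_name(parent_dn)
    return child != parent and child.endswith("." + parent)


if __name__ == "__main__":
    user = "CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM"
    print(parse_dn(user))
    print(domain_dns_name(user))                       # sales.mcmcse.com
    print(parent_container(user))                      # CN=Users,DC=sales,DC=mcmcse,DC=COM
    print(is_child_domain(user, "CN=WOPR,CN=Computers,DC=mcmcse,DC=COM"))  # True
```

Note that the object's DN changes when it is moved to another container, which is why the GUID described later in this guide, not the DN, is the stable handle for an object.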
Windows 2000 also supports several other naming conventions in
addition to distinguished names as listed in the table below.
| Naming Convention | Example |
|---|---|
| Friendly name/RFC 822 | jsprague@mcmcse.com |
| LDAP URL | LDAP://mcmcse.com/CN=jsprague, OU=sales,O=MCMCSE,C=US |
| Universal Naming Convention (UNC) | \\mcmcse.com\documents\webpages\index.shtml |
Global Catalog:
So now that we have seen how complicated the naming conventions can be, let's look at the tool that makes it all manageable. Windows 2000 includes a service called the Global Catalog (GC) that is used to locate any objects on a network to which a particular user has been granted access. The searches that can be performed are far more advanced than those included in NT 4.0: the GC is capable of locating objects not only by name, but by attributes as well. So if I have a 50-page document and I need 1000 copies made, I probably won't want to send it to an HP 5si. I need to find a production printer that can print at least 100 ppm and has the capability of binding the document. The Global Catalog allows me to search the network for a printer that has these attributes. I find a Xerox Docutech 6135. I can add the driver and send the print job. But what if I am in Portland and the printer is in Seattle? The GC will provide this information, and I can email the owner of the printer and ask them to ship the job to me via our internal mail system. Still a little confused? Let's take a look at another example. Let's say that I get a voice mail from someone named Betty Doe in the payroll department. Her voicemail is garbled and I can't understand her phone number. I can use the GC to search for her by name and then access her phone number (assuming that our network administrator has stored the phone number attribute for users in the schema). What other previously existing application has features similar to this? The answer is Microsoft Exchange. Exchange also has a global catalog that allows you to find users by name. The GC is a scaled-up version of this feature in Exchange, in that it allows you to find objects based on a variety of customizable attributes.
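The attribute-based search described above is, in practice, an LDAP query answered by the Global Catalog. As an added example (not part of the original guide), the following Python code evaluates LDAP-style search filters over a constructed, in-memory set of directory entries, so you can see how "a printer that does at least 100 ppm and can bind" and "the user named Betty Doe in Payroll" are expressed and answered. The entries, the attribute names (printRate, printBinding) and the function names are invented for the illustration; only the `=`, `>=`, `<=` comparisons, the `=*` presence test and the `&`, `|`, `!` operators are supported.

```python
# Added example, not from the original guide: a minimal LDAP-filter evaluator
# run over constructed directory entries, standing in for a Global Catalog query.
import re
from typing import List

# Constructed sample entries (attribute names and values are invented).
ENTRIES = [
    {"dn": "CN=HP5si-Sales,CN=Printers,DC=mcmcse,DC=COM",
     "objectClass": "printer", "printRate": "24", "location": "Portland"},
    {"dn": "CN=Docutech6135,CN=Printers,DC=mcmcse,DC=COM",
     "objectClass": "printer", "printRate": "135", "printBinding": "TRUE",
     "location": "Seattle"},
    {"dn": "CN=Betty Doe,CN=Users,DC=mcmcse,DC=COM",
     "objectClass": "user", "department": "Payroll",
     "telephoneNumber": "555-0142"},
]

_ITEM = re.compile(r"([A-Za-z][\w-]*)(>=|<=|=)(.*)")


def parse_filter(text: str):
    """Parse '(&(a=b)(c>=10))' into a tuple tree: ('&'|'|'|'!', [subtrees])
    or (op, attribute, value). Value escapes are not handled; a bare '*'
    value is a presence test."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(subs) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, subs)
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated filter item")
        match = _ITEM.fullmatch(text[pos:end])
        if not match:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return (match.group(2), match.group(1), match.group(3))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _compare(actual: str, op: str, wanted: str) -> bool:
    if op == "=":
        return wanted == "*" or actual.lower() == wanted.lower()
    try:                                   # numeric when both sides are numbers
        left, right = float(actual), float(wanted)
    except ValueError:                     # otherwise case-insensitive string order
        left, right = actual.lower(), wanted.lower()
    return left >= right if op == ">=" else left <= right


def matches(entry: dict, tree) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(entry, t) for t in tree[1])
    if op == "|":
        return any(matches(entry, t) for t in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, wanted = tree
    for name, value in entry.items():      # LDAP attribute names are case-insensitive
        if name.lower() == attr.lower():
            return _compare(value, op, wanted)
    return False                           # an absent attribute never matches


def gc_search(filter_text: str, entries=ENTRIES) -> List[str]:
    """Return the DNs of the entries matching the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(e, tree)]


if __name__ == "__main__":
    print(gc_search("(&(objectClass=printer)(printRate>=100)(printBinding=*))"))
    print(gc_search("(&(objectClass=user)(department=payroll))"))
```

The real Global Catalog additionally restricts results to objects the caller has been granted access to and only holds a partial attribute set; the evaluator above shows only the filter matching.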
When a new object is created in AD, it is assigned a unique number called a GUID (globally unique identifier). The GUID is useful because it stays the same for any given object even if the object is moved. The GUID is a 128-bit identifier, which means that applications that reference objects in Active Directory can record the GUIDs for objects and use the GC to find them even if they have been moved.
REPLICATION:
Windows 2000 networks
will rely heavily on AD, and thus, it will be very important that
the service is running, fast and accessible at all times. In order
to accomplish this, the AD database must exist on multiple servers
so that if one server fails, a client can contact a server with
duplicate services and information. This not only creates
redundancy, but reduces the load on individual servers. All that
needs to be done for a domain controller to become a replication
partner is to add it to the AD domain.
One of the most complex parts of making redundant servers work properly is replicating the information and ensuring that all servers have the most up-to-date content. Active Directory uses multimaster replication, which is another way of stating that updates can occur on any Active Directory server. This also means that there is no master domain controller; all DCs work together in a peer relationship. Each server keeps track of which updates it has received from which servers, and can intelligently request only the necessary updates in case of a failure. This is accomplished via the use of update sequence numbers (USNs). Every time an update is made, it is assigned a sequence number from a counter that is incremented whenever a change is made.
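To make the USN mechanism concrete, here is an added example (a toy model written for this guide, not Microsoft's implementation): three domain controllers each keep their own USN counter, remember the highest partner USN they have already pulled from each replication partner, and record which originating changes they have applied so that a change arriving a second time by another path is not re-applied. The DC names and attribute values are constructed; Active Directory's conflict resolution between concurrent writes (version numbers and timestamps) is deliberately not modelled.

```python
# Added example, not from the original guide: a toy model of USN-driven
# multimaster replication between domain controllers.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Change:
    origin: str        # DC where the write originally happened
    origin_usn: int    # the USN the write received on that DC
    attr: str
    value: str


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                                  # local counter, +1 per change recorded
        self.log: List[Tuple[int, Change]] = []       # (local USN, change) in order
        self.attrs: Dict[str, str] = {}               # current values of one toy object
        self.high_watermark: Dict[str, int] = {}      # partner -> last partner USN pulled
        self.applied: Set[Tuple[str, int]] = set()    # (origin, origin_usn) already applied

    def _record(self, change: Change) -> int:
        self.usn += 1
        self.log.append((self.usn, change))
        self.applied.add((change.origin, change.origin_usn))
        self.attrs[change.attr] = change.value
        return self.usn

    def write(self, attr: str, value: str) -> int:
        """An originating write made directly on this DC."""
        return self._record(Change(self.name, self.usn + 1, attr, value))

    def pull_from(self, partner: "DomainController") -> int:
        """Request only the partner's entries above our high-watermark for it,
        apply those not yet seen, and return how many were applied."""
        start = self.high_watermark.get(partner.name, 0)
        applied = 0
        for local_usn, change in partner.log:
            if local_usn <= start:
                continue                              # already pulled earlier
            if (change.origin, change.origin_usn) not in self.applied:
                self._record(change)                  # dampening: skip changes seen via another path
                applied += 1
        self.high_watermark[partner.name] = partner.usn
        return applied


def run_scenario():
    """Constructed scenario: two originating writes on different DCs, replicated
    around a ring. Returns (changes applied per pull, all DCs converged, final attrs)."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dc1.write("telephoneNumber", "555-0142")          # originates on DC1
    dc2.write("title", "Payroll Clerk")                # originates on DC2
    counts = [
        dc2.pull_from(dc1),   # DC2 learns DC1's change            -> 1
        dc3.pull_from(dc2),   # DC3 gets both changes via DC2       -> 2
        dc1.pull_from(dc3),   # DC1's own change returns, dampened  -> 1
        dc1.pull_from(dc3),   # nothing above the watermark         -> 0
    ]
    converged = dc1.attrs == dc2.attrs == dc3.attrs
    return counts, converged, dict(dc1.attrs)


if __name__ == "__main__":
    print(run_scenario())
```

The per-partner high-watermark is what lets a DC that was offline ask only for what it missed, and the applied set is the simplified form of the up-to-dateness tracking that stops a change from being replicated back to its origin.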
Flexible Single Master Operation:
To prevent update
conflicts in Windows 2000, the Active Directory performs updates to
certain objects in a single-master fashion. In a single-master
network model, only one domain controller in an Active Directory
handles updates. Windows 2000 Active Directory extends the
single-master model to include multiple roles and the ability to
transfer roles to any DC. Since an Active Directory role is not
bound to a single DC, it is referred to as a Flexible Single Master
Operation role. There are five FSMO roles, as follows:
| FSMO Role | Purpose |
|---|---|
| Schema Master | Remember from earlier that the schema is a list of attributes that define a given object type. The schema master is the DC responsible for performing updates to the directory schema and is the only DC that can process them. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory. |
| Domain Naming Master | Controls the addition of domains in a forest. This DC is the only one that can add or remove a domain from the directory. |
| RID Master (Relative Identifier Master) | Works with domain controllers to assign unique SIDs to each object that requires one. Each object gets a domain SID that is common to all objects in a domain; what makes SIDs unique is the RID, which is unique to all objects in the domain. The RID Master is also responsible for removing an object from its domain and putting it in another domain when an object is moved. |
| PDC Emulator | Acts like a PDC from a Windows NT 4.0 network and is necessary in domains that are not pure Windows 2000 (i.e. have Windows 95/98/NT down-level clients). If the domain is running in Native Mode then this server is the "preferred" replication partner for the other DCs for password changes and also handles account lockouts and authentication failures. |
| Infrastructure Master | Updates user-to-group memberships when changes are made. |
Security:
There are now three types of groups in Windows 2000: local, global and universal groups.
The
rules remain the same for Local and Global groups, except that you
can now nest groups in Native mode. Universal groups can have
membership from any domain and can be used to assign access to any
resource in any domain. Accounts go into Global Groups which then go
into local groups that are assigned permissions to use a resource.
Each group can have one of two functions in Native mode -
distribution or security. Security groups are the ones we are
familiar with in NT4 while distribution groups will be used
primarily with Exchange 2000 or any other Active Directory mail
application.
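The "accounts into global groups, global groups into local groups, local groups get the permissions" pattern, group nesting being allowed only in Native mode, and the rule that distribution groups carry no access rights can all be shown in a few lines. The following Python model is an added example written for this guide, not Microsoft's code; the group, user and resource names are constructed.

```python
# Added example, not from the original guide: resolving effective resource
# access through nested security groups, with native-mode-only nesting.
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Group:
    name: str
    scope: str                       # "global", "domain_local" or "universal"
    kind: str = "security"           # "security" or "distribution"
    members: Set[str] = field(default_factory=set)   # user names or group names


class Directory:
    def __init__(self, native_mode: bool):
        self.native_mode = native_mode
        self.groups: Dict[str, Group] = {}

    def add_group(self, group: Group) -> None:
        self.groups[group.name] = group

    def can_nest(self, member: str) -> bool:
        """Group-in-group membership is only permitted in Native mode."""
        return self.native_mode or member not in self.groups

    def add_member(self, group_name: str, member: str) -> None:
        if not self.can_nest(member):
            raise ValueError(f"cannot nest group {member!r} in {group_name!r} in Mixed mode")
        self.groups[group_name].members.add(member)

    def effective_security_groups(self, principal: str) -> Set[str]:
        """All security groups containing principal directly or through nesting.
        Distribution groups are skipped: they carry no access rights. The
        'found' set also makes nesting cycles harmless."""
        found: Set[str] = set()
        frontier = {principal}
        while frontier:
            new = set()
            for g in self.groups.values():
                if g.kind == "security" and g.name not in found and frontier & g.members:
                    found.add(g.name)
                    new.add(g.name)
            frontier = new
        return found

    def permissions(self, principal: str, acl: Dict[str, Set[str]]) -> Set[str]:
        """acl maps a group name to the permissions it grants on one resource."""
        perms: Set[str] = set()
        for g in self.effective_security_groups(principal):
            perms |= acl.get(g, set())
        return perms


def build_sample() -> Directory:
    """Constructed directory: a user in a global group that is nested in a
    domain local group holding the printer permission."""
    d = Directory(native_mode=True)
    d.add_group(Group("Sales Staff", "global"))
    d.add_group(Group("Production Print Users", "domain_local"))
    d.add_group(Group("Sales Newsletter", "global", kind="distribution"))
    d.add_member("Sales Staff", "jsprague")
    d.add_member("Sales Newsletter", "jsprague")
    d.add_member("Production Print Users", "Sales Staff")      # nesting
    return d


# Constructed ACL on one printer: the entry for the distribution group is
# deliberately present to show that it grants nothing.
PRINTER_ACL = {"Production Print Users": {"print"}, "Sales Newsletter": {"manage_documents"}}


if __name__ == "__main__":
    d = build_sample()
    print(d.effective_security_groups("jsprague"))
    print(d.permissions("jsprague", PRINTER_ACL))    # {'print'}
```

Because the domain local group is the only place the resource permission lives, changing who may print is a membership edit on the global group, never an ACL edit on the printer.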
Group Policy:
Group Policy in Windows 2000 is one of its largest administrative enhancements and is designed to enable administrators to control the environment with minimal effort. Group Policy is administered through the Group Policy Microsoft Management Console (MMC) snap-in. Group policies are not applied to "groups", but we can apply them to OUs. There are five major categories that group policies can be configured for.
An
administrator can create several Group Policy Objects (GPO) in a
given Group Policy Container (GPC) and assign the appropriate GPO to
the computers or users that need the settings contained in that GPO.
If you want to exclude certain users or computers from processing
the GPO assigned to the Site/Domain/OU that they belong to, you can
simply remove the users' or groups' "apply group policy"
permissions. This effectively creates a filter. You can also
delegate control over GPOs so that a manager can change what a GPO
does for his or her department, but can't create any new GPOs or
change the scope of a GPO.
It is also possible to disable group policy objects without deleting
them. If you do this (from Group Policy - Options) it will only
disable it for that container and any sub-containers that inherit
the settings. If another administrator "linked" to that GPO from
another container, then the GPO is still active in that container.
Software can be efficiently deployed, updated and removed using Group Policies and two technologies built into Windows 2000: Windows Installer and Software Installation and Maintenance.
When you deploy software, you can choose to assign it or publish it.
Assigned software can be targeted at users or computers. If you
assign an application to a USER, the icons show up on the desktop
and/or start menu, but the program is only installed when the user
runs it for the first time. If it is assigned to a COMPUTER, it's
installed the next time the system is restarted.
If you publish an application, the user can install it through
Add/Remove Programs or through opening a file that requires that
particular program(a file association). Published programs cannot
self repair, cannot be published to computers and are not advertised
on the users' desktop or start menu - only through add/remove
programs.
Assigned applications require a Windows Installer file (.msi), while published applications can use Windows Installer files or ZAP files. A .ZAP file is an administrator-created text file that specifies the parameters of the program to be installed and the file extensions associated with it. Installations that utilize .ZAP files cannot self-repair or install with elevated privileges and will typically require user intervention to completely install.
You can deploy upgrades using GPOs simply by specifying which program is to be upgraded and whether or not it is a mandatory upgrade. You can apply service packs or patches by "re-deploying" an existing Group Policy with the new information regarding the service pack.
Active Directory Utilities:
| Utility | Purpose |
|---|---|
| SIDwalker | Security Administration Tools. Consists of 3 programs: showaccs.exe, sidwalk.exe and Security Migration Editor (MMC snap-in). The first two are used to examine and change ACL entries. Security Migration Editor edits mappings between old and new security IDs (SIDs). |
| repadmin.exe | Replication Diagnostics Tool. Check replication consistency between partners and replication status, force replication events and knowledge consistency checker recalculation. |
| acldiag.exe | ACL Diagnostics. Used to determine whether users have been granted/denied access to AD objects. Can be used to reset Access Control Lists to their default values. |
| ADSI Edit | Low-level editor for Active Directory which enables adding, moving, and deleting objects within Active Directory. |
| dfsutil.exe | Distributed File System Utility. Manages all aspects of the distributed file system. |
| dnscmd.exe | DNS Server Troubleshooting Tool. Check dynamic registration of DNS resource records, including secure DNS update, and unregister resource records. |
| dsacls.exe | View or modify ACLs of objects in AD. |
| nltest.exe | Create a list of PDCs, force a shutdown, provide info about trusts and replication. |
| dsastat.exe | Active Directory Diagnostic Tool. Compare naming contexts on Domain Controllers and detect differences. |
| ldp.exe | Allows LDAP operations to be performed against Active Directory. |
| movetree.exe | AD Object Manager. Move AD objects like OUs and users between domains in a single forest. |
| netdom.exe | Windows 2000 Domain Manager. Used to manage Windows 2000 domains and trust relationships. |
| replmon.exe | Active Directory Replication Monitor. Graphically displays replication topology, monitors status, forces replication and knowledge consistency checker recalculation. |
| sdcheck.exe | Security Descriptor Check Utility. Verify ACL propagation and replication for specified objects in a directory. |
Clients:
As a postscript, we thought that we should include information about older Windows clients such as Windows NT 4.0 and Windows 9x. Microsoft is providing an add-on for Windows 95, Windows 98, and Windows NT 4.0 that allows those clients to take advantage of many of the features provided by Windows 2000 AD.