Pages

Saturday, March 3, 2012

Active Directory

Active Directory (AD) is a technology created by Microsoft that provides a variety of network services, including:
Using the same database, for use primarily in Windows environments, Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization. Active Directory stores information and settings in a central database. Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects.
Active Directory was previewed in 1999, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in both Windows Server 2003 R2 and Windows Server 2008.
Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some AD binaries.
There is a common misconception that Active Directory provides software distribution. Software distribution is run by a separate service that uses additional proprietary schema attributes that work in conjunction with the LDAP protocol. Active Directory does not automate software distribution but provides a mechanism by which other services can provide software distribution.

Objects

Active Directory is a directory service used to store information about the network resources across a domain and also centralize the network.
An 'Active Directory' (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g., printers), services (e.g., email), and users (user accounts and groups). The AD provides information on the objects, organizes the objects, controls access and sets security.
Each object represents a single entity — whether a user, a computer, a printer, or a group — and its attributes. Certain objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes — the characteristics and information that the object can contain — defined by a schema, which also determines the kind of objects that can be stored in the AD.
Each attribute object can be used in several different schema class objects. The schema object exists to allow the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of AD objects, deactivating or changing these objects can have serious consequences because it will fundamentally change the structure of AD itself.
 A schema object, when altered, will automatically propagate through Active Directory and once it is created it can only be deactivated — not deleted. Changing the schema usually requires a fair amount of planning.

Forests, trees, and domains

The AD framework that holds the objects can be viewed at a number of levels. At the top of the structure is the forest. The forest is a collection of every object, its attributes, and rules (attribute syntax) in the AD. The forest, tree, and domain are the logical parts in an AD network.
The AD forest contains one or more transitive, trust-linked trees. A tree is a collection of one or more domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace.
The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration, and can give a semblance of the structure of the AD's company in organizational or geographical terms. OUs can contain OUs - indeed, domains are containers in this sense - and can hold multiple nested OUs. Microsoft recommends as few domains as possible in AD and a reliance on OUs to produce structure and improve the implementation of policies and administration. The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.
AD also supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g., WAN, VPN) and high-speed (e.g., LAN) connections. Sites are independent of the domain and OU structure and are common across the entire forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Exchange 2007 also uses the site topology for mail routing. Policies can also be applied at the site level.
The actual division of the company's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type. These models are also often used in combination. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.
Physically the Active Directory information is held on one or more equal peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the AD; changes on one computer being synchronized (converged) between all the DC computers by multi-master replication. Servers joined into AD, which is not domain controllers, are called Member Servers. The AD database is split into different stores or partitions. Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). The 'Domain' partition holds all objects created in that domain. The first two partitions replicate to all domain controllers in the Forest. The Domain partition replicates only to Domain Controllers within its domain. A subset of objects in the domain partition is also replicated to domain controllers that are configured as global catalogs.

 Trust
To allow users in one domain to access resources in another, AD uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

  • One-way trust - One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
  • Two-way trust - Two domains allow access to users on the other domain.
  • Trusting domain - The domain that allows access to users from a trusted domain.
  • Trusted domain - The domain that is trusted; whose users have access to the trusting domain.
  • Transitive trust - A trust that can extend beyond two domains to other trusted domains in the tree.
  • Intransitive trust - A one-way trust that does not extend beyond two domains.
  • Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
  • Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

ADAM/AD LDS

Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service, on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.
Like Active Directory, ADAM provides a Data Store, which is a hierarchical data store for storage of directory data, a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, with each instance having its own and required by applications making use of the ADAM directory service.
In Windows Server 2008, ADAM has been renamed AD LDS (Lightweight Directory Services).
Active Directory Explorer
Active Directory Explorer is a viewer and editor for Active Directory databases, from Microsoft. It can be used to navigate around and modify AD entries, view schema for objects as well as perform searches. It can also save AD snapshots for offline browsing.

Domain Name
A name that identifies one or more IP addresses. For example, the domain name microsoft.com represents about a dozen IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.pcwebopedia.com/index.html, the domain name is pcwebopedia.com.
Every domain name has a suffix that indicates which top level domain (TLD) it belongs to. There are only a limited number of such domains. For example:
.gov - Government agencies
.edu - Educational institutions
.org - Organizations (nonprofit)
.mil - Military
.com - commercial business
.net - Network organizations
.ca - Canada
.th - Thailand

Because the Internet is based on IP addresses, not domain names, every Web server requires a Domain Name System (DNS) server to translate domain names into IP addresses.

Windows Server domain

A Windows Server domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database. This central database (known as Active Directory starting with Windows 2000 also referred to as NT Directory Services on Windows NT Server operating systems, or NTDS) contains the user accounts and security information for the resources in that domain. Each person who uses computers within a domain receives his or her own unique account, or user name. This account can then be assigned access to resources within the domain.
In a domain, the directory resides on computers that are configured as "domain controllers." A domain controller is a server that manages all security-related aspects between user and domain interactions, centralizing security and administration. A Windows Server domain is normally more suitable for moderately larger businesses and/or organizations.
Windows Workgroups ---- is the other model for grouping computers running Windows in a networking environment which ships with Windows. Workgroup computers are considered to be 'standalone' - i.e. there is no formal membership or authentication process formed by the workgroup. A workgroup does not have servers and clients, and as such, it represents the Peer-to-Peer (or Client-to-Client) networking paradigm, rather than the centralized architecture constituted by Server-Client. Workgroups are considered difficult to manage beyond a dozen clients and lack single sign-on, scalability, resilience/disaster recovery functionality, and many security features. Windows Workgroups are more suitable for small or home-office networks.

No comments:

Post a Comment