
Introduction to Active Directory Architecture

What is Active Directory?


Active Directory is essentially a database of network resources (known as objects) and information
about each of these objects. While NT 4.0 was a pretty good networking operating system back in the
day, it wasn't entirely equipped for enterprise networking. The network neighborhood was a great tool
until you had a huge network; then browsing problems would begin, and finding a particular printer or
server could become a nightmare, especially if you didn't know its name. Furthermore, in order to
even accommodate such a network, you would most likely have to partition it into several domains
connected with trust relationships. AD solved many of these problems and offered a new level of
scalability and organization for enterprise computing. The directory of each domain can store as many
as 10 million objects, which is enough to accommodate millions of users per domain.

Directory Architecture:
First let's introduce the concept of "Sites". Sites are used to define the boundaries of high-
speed links on a network containing Active Directory servers. Sites are based on IP subnets
and are defined as a "well-connected subnet or subnets". Do not confuse this term with the
concept of domains, which is discussed next.

One thing that didn't change from the NT 4.0 days is the use of domains. A domain is still
the centerpiece of a Windows network; however, it is set up differently. Domain controllers
are no longer separated into PDCs and BDCs. Now there are simply DCs (Domain
Controllers). By default, servers are installed as standalone member servers.
DCPROMO.EXE is the Active Directory Installation Wizard and is used to promote a non-
domain controller to a DC and vice versa. The wizard prompts for all of the required
information to install Active Directory under the conditions that you have asked it to run

Knowledge Consistency Checker (KCC) - This is a service created in order to ensure that the
Active Directory service can replicate properly. It runs on all DCs and automatically
establishes connections between individual computers in the same site. These are known as
Active Directory connection objects. An administrator can establish additional connection
objects or remove connection objects, but at any point where replication within a site
becomes impossible or has a single point of failure, the KCC steps in and establishes as
many new connection objects as necessary to resume Active Directory replication.

Each domain controller in a domain is capable of accepting requests for changes to the
domain database and replicating that information with the other DCs in the domain. The
first domain that is created is referred to as the "root domain" and is at the top of the
directory tree. All subsequent domains will live beneath the root domain and are referred to
as child domains. The child domain names must be unique.
When a root domain and at least 1 child domain have been created, a "tree" is formed.
Remember and understand this term as you will hear it often when working with a directory
service.

You can see that the structure begins to take the shape of a tree with branches and sub-
branches. Now what if we are a company like Microsoft or DuPont that owns several other
corporations? Typically, each company would have its own tree, and these would be
aggregated together via trusts to create a "forest". Let's look at an example using our site.
So let's say that our company owns techtutorials.net (actually that is true) and xyzabc. You
can see that the individual trees are organized just like the root domain (mcmcse).

Trusts Overview:
Trusts are much more easily managed in Active Directory than they were in NT 4.0. There
are 2 main reasons that this is the case.

1. When a new domain is added, trust relationships are automatically configured.
2. Trusts are now commutative 2-way trusts. This means that if domain A trusts
domain B then the reverse is automatically true. In Windows NT 4.0 trusts had to be
administered as a series of 1-way trusts and could be quite cumbersome.
3. Trusts are automatically transitive, which means that if domain A trusts domain B and
domain B trusts domain C, then domain A trusts domain C and vice versa.

These changes save an administrator some of the time-consuming administration effort
spent creating and maintaining trusts. 1-way trusts can still be created when necessary.

Directory Components:
Now that we have looked at the big picture, it is time to take a look at what happens inside
a domain. To get started, the first concept that you will need to understand is what the
directory is made of. A common analogy for a directory is a phonebook. Both contain listings
of various objects along with information and properties about them. Within the directory are
several other terms that you must know to gain even an entry-level understanding of
how it all works.

- Objects - Objects in the database can include printers, users, servers, clients,
shares, services, etc. and are the most basic component of the directory.
- Attributes - An attribute describes an object. For example, passwords and names
are attributes of user objects. Different objects will have a different set of attributes
that define them; however, different objects may also share attributes. For example,
a printer and a Windows Vista computer may both have an IP address as an attribute.
- Schema - A schema defines the list of attributes that describe a given type of
object. For example, let's say that all printer objects are defined by name, PDL type
and speed attributes. This list of attributes comprises the schema for the object class
"printers". The schema is customizable, meaning that the attributes that define an
object class can be modified.
- Containers - A container is very similar to the folder concept in Windows. A folder
contains files and other folders. In Active Directory, a container holds objects and
other containers. Containers have attributes just like objects even though they do
not represent a real entity like an object. The 3 types of containers are Domains,
Sites and Organizational Units, and they are explained in more detail below.
  - Domains - We have already discussed this concept in the preceding
paragraphs.
  - Sites - A site is a location. Specifically, sites are used to distinguish between
local and remote locations. For example, company XYZ has its headquarters
in San Francisco, a branch office in Denver and an office that uses DUN to
connect to the main network from Portland. These are 3 different sites.
  - Organizational Units - Organizational units are containers into which you can
place users, groups, computers, and other organizational units. An
organizational unit cannot contain objects from other domains. Because
organizational units can contain other OUs, a hierarchy of containers can be
created to model your organization's structure and hierarchy within a domain.
Organizational units should be used to help minimize the number of domains
required for a network.

Now that we know what these concepts mean, let's take a visual look at what is going on
inside a domain.

The folder symbols represent Organizational Unit (OU) containers, and within each of these
we find objects such as printers, servers, computers, users, etc. Instead of objects directly
located inside these OUs, there could be more OU containers.

Object Names:
Active Directory uses the Lightweight Directory Access Protocol (LDAP) to supply the naming
convention for objects. The 2 basic concepts that you need to know are distinguished names
and common names. Distinguished names are the complete "path" through the hierarchical
tree structure to a specific object. This is similar to specifying the complete path to a file
from a DOS prompt. This "path" points to the location of an object in the hierarchy. Let's
take a look in more detail.

The following are the components that make up a distinguished name:

- OU - Organizational Unit. This attribute is used to divide a namespace based on
organizational structure as previously discussed. An OU usually is associated with an
Active Directory container or folder.
- DC - Domain Component. A distinguished name that uses DC
attributes will have one DC for every domain level below root. Another way of
thinking of this would be that there would be a DC attribute for every item separated
by a dot in the domain name.
- CN - Common Name. This attribute represents the object itself within the directory
service.

Here is an example of a distinguished name:

CN=Jason Sprague,CN=Users,DC=mcmcse,DC=COM

Now let's say that I was a member of the sales.mcmcse.com domain. My new DN would be:

CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM

And what about my computer called WOPR? It would be:

CN=WOPR,CN=Computers,DC=mcmcse,DC=COM
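The DN rules above (one DC= component per dot-separated label, CN for the object itself) are easy to get wrong when a value itself contains a comma, which is why LDAP escapes such characters. The following is an added example, not code from the tutorial: it builds and parses distinguished names using the tutorial's own mcmcse.com values, and handles backslash escapes as described in RFC 4514 (the function and variable names are my own).

```python
"""Build and parse LDAP distinguished names (RFC 4514 style).

Added example, not part of the original tutorial. It uses the tutorial's
own DN values (mcmcse.com, sales.mcmcse.com, WOPR) as test data.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Jason Sprague")

# Characters that must be escaped inside an attribute value (RFC 4514, section 2.4).
SPECIAL = ',+"\\<>;'


def escape_value(value: str) -> str:
    """Escape a value so it can be embedded in a DN without changing its structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, container: str, dns_domain: str) -> str:
    """Compose a DN from a common name, its container and a DNS domain name.

    Every dot-separated label of the DNS name becomes one DC= component,
    which is the rule the tutorial gives for Domain Components.
    """
    dcs = ",".join(f"DC={label}" for label in dns_domain.split("."))
    return f"CN={escape_value(cn)},CN={escape_value(container)},{dcs}"


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, honouring backslash escapes."""
    rdns: List[RDN] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":
            # end of one RDN: everything buffered so far is "TYPE=value"
            pair = "".join(buf)
            if "=" not in pair:
                raise ValueError(f"malformed RDN: {pair!r}")
            attr, _, val = pair.partition("=")
            rdns.append((attr.strip().upper(), val))
            buf = []
        elif dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, taken literally
            i += 1
        else:
            buf.append(dn[i])
        i += 1
    return rdns


def dns_domain_of(dn: str) -> str:
    """Recover the DNS domain name from the DC= components of a DN."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


if __name__ == "__main__":
    print(build_dn("Jason Sprague", "Users", "sales.mcmcse.com"))
    print(parse_dn("CN=Doe\\, Betty,CN=Users,DC=mcmcse,DC=COM"))
```

Note that a naive `split(",")` would break the "Doe, Betty" name into two bogus RDNs; the escape-aware parser keeps it whole.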

AD also supports several other naming conventions in addition to distinguished names, as
listed in the table below.

Naming Convention                 Example
Friendly name/RFC 822             jsprague@mcmcse.com
LDAP URL                          LDAP://mcmcse.com/CN=jsprague,OU=sales,O=MCMCSE,C=US
Universal Naming Convention (UNC) \\mcmcse.com\documents\webpages\index.shtml

Global Catalog:
So now that we have seen how complicated the naming conventions can be, let's look at the
tool that makes it all manageable. Active Directory uses a service called the Global Catalog
(GC) that is used to locate any objects on a network to which a particular user has been
granted access. The searches that can be performed are advanced and are capable of
locating objects not only by name, but by attributes as well. So if I have a 50-page document and
I need 1000 copies made, I probably won't want to send it to an HP 5si. I need to find a
production printer that can print at least 100ppm and has the capability of binding the
document. The Global Catalog allows me to search the network for a printer that has these
attributes. I find a Xerox Docutech 6135. I can add the driver and send the print job. But
what if I am in Portland and the printer is in Seattle? The GC will provide this information,
and I can email the owner of the printer and ask them to ship the job to me via our internal
mail system. Still a little confused? Let's take a look at another example. Let's say that I get
a voice mail from someone named Betty Doe in the payroll department. Her voicemail is
garbled and I can't understand her phone number. I can use the GC to search for her by name
and then access her phone number (assuming that our network administrator has stored
the phone number attribute for users in the schema). What other previously existing
application has features similar to this? The answer is Microsoft Exchange. Exchange also
has a global catalog that allows you to find users by name. The GC is a scaled-up version of this
feature in Exchange in that it allows you to find objects based on a variety of customizable
attributes.

When a new object is created in AD, it is assigned a unique number called a GUID (globally
unique identifier). The GUID is useful because it stays the same for any given object even if
the object is moved. The GUID is a 128-bit identifier, which means that applications that
reference objects in Active Directory can record the GUIDs for objects and use the GC to
find them even if they have been moved.

Replication:
Windows networks rely heavily on AD, and thus it is very important that the service is running,
fast and accessible at all times. In order to accomplish this, the AD database must exist on
multiple servers so that if one server fails, a client can contact a server with duplicate
services and information. This not only creates redundancy, but reduces the load on
individual servers. All that needs to be done for a domain controller to become a replication
partner is to add it to the AD domain.

One of the most complex parts of making redundant servers work properly is replicating the
information and ensuring that all servers have the most up-to-date content. Active Directory
uses multimaster replication, which is another way of stating that updates can occur on any
Active Directory server. This also means that there is not a master domain controller and all
DCs work together in a peer relationship. Each server keeps track of which updates it has
received from which servers, and can intelligently request only necessary updates in case of
a failure. This is accomplished via the use of unique sequence numbers (USN). Every time
an update is made, it is assigned a unique sequence number from a counter that is
incremented whenever a change is made.
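The mechanism just described, where each DC tracks what it has already received from each partner and asks only for the rest, is easier to see in a small model. The following is an added example, not code from the tutorial or from Microsoft: a deliberately simplified simulation in which every DC keeps a per-partner high-watermark (the partner's highest local USN it has pulled) and a vector of the highest originating USN seen from each DC, so that a change that already arrived via a third DC is not applied twice. Real AD additionally stamps each attribute with a version and timestamp to resolve conflicting writes; this toy simply applies writes in the order they arrive.

```python
"""Toy model of Active Directory multimaster replication driven by USNs.

Added example, not part of the tutorial and not Microsoft's implementation:
a simplified simulation of the high-watermark / up-to-dateness mechanism
that lets a DC request only the changes it has not yet seen.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Change:
    local_usn: int   # USN assigned by the DC that holds this log entry
    origin: str      # name of the DC where the write originally happened
    origin_usn: int  # USN the originating DC assigned to the write
    dn: str
    attr: str
    value: str


class DomainController:
    def __init__(self, name: str) -> None:
        self.name = name
        self.usn = 0                                  # local counter, +1 per change applied
        self.log: List[Change] = []                   # every change applied here, in USN order
        self.objects: Dict[str, Dict[str, str]] = {}  # dn -> {attribute: value}
        # up-to-dateness vector: highest originating USN already applied from each DC
        self.utd: Dict[str, int] = {}
        # high-watermark: highest local USN of each partner that we have already pulled
        self.watermark: Dict[str, int] = {}

    def _apply(self, origin: str, origin_usn: int, dn: str, attr: str, value: str) -> None:
        self.usn += 1
        self.objects.setdefault(dn, {})[attr] = value
        self.log.append(Change(self.usn, origin, origin_usn, dn, attr, value))
        self.utd[origin] = max(self.utd.get(origin, 0), origin_usn)

    def write(self, dn: str, attr: str, value: str) -> int:
        """An originating write: any DC may accept it (multimaster). Returns the new USN."""
        self._apply(self.name, self.usn + 1, dn, attr, value)
        return self.usn

    def changes_since(self, watermark: int) -> List[Change]:
        """What a partner sends back when asked for everything above its watermark."""
        return [c for c in self.log if c.local_usn > watermark]

    def pull_from(self, partner: "DomainController") -> int:
        """Request only what is new relative to our watermark for this partner.

        Returns the number of changes actually applied. A change we already hold
        (received earlier via another partner) is recognised by the up-to-dateness
        vector and skipped instead of being applied a second time.
        """
        applied = 0
        for c in partner.changes_since(self.watermark.get(partner.name, 0)):
            if c.origin_usn > self.utd.get(c.origin, 0):
                self._apply(c.origin, c.origin_usn, c.dn, c.attr, c.value)
                applied += 1
            self.watermark[partner.name] = c.local_usn
        return applied


if __name__ == "__main__":
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    dn = "CN=Jason Sprague,CN=Users,DC=mcmcse,DC=COM"
    a.write(dn, "telephoneNumber", "555-0100")
    print("B pulled from A:", b.pull_from(a))   # 1
    print("C pulled from B:", c.pull_from(b))   # 1 (change that originated on A)
    print("C pulled from A:", c.pull_from(a))   # 0, already held via B
```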

Flexible Single Master Operation:

To prevent update conflicts, Active Directory performs updates to certain objects in a single-
master fashion. In a single-master network model, only one domain controller in an Active
Directory handles updates. Active Directory extends the single-master model to include
multiple roles and the ability to transfer roles to any DC. Since an Active Directory role is
not bound to a single DC, it is referred to as a Flexible Single Master Operation role. There
are five FSMO roles, as follows:

- Schema Master
Remember from earlier that the schema is a list of attributes that define a given object
type. The schema master FSMO role is the DC responsible for performing updates to the
directory schema. This DC is the only one that can process updates to the directory schema.
Once the schema update is complete, it is replicated from the schema master to all other
DCs in the directory. There is only one schema master per directory.
- Domain Naming Master
The Domain Naming Master controls the addition of domains in a forest. This DC is the only one
that can add or remove a domain from the directory.
- RID Master
The RID Master (Relative Identifier Master) works with domain controllers to assign unique SIDs
to each object that requires one. Each object gets a domain SID that is common to all
objects in a domain. What makes SIDs unique is the RID, which is unique to all objects in
the domain. The RID Master is also responsible for removing an object from its domain and
putting it in another domain when an object is moved.
- PDC emulator
The PDC Emulator acts like a PDC from a Windows NT 4.0 network and is necessary in domains
that are not native (i.e. have Windows 95/98/NT down-level clients). It does a lot more than
that. The PDC Emulator is the root time server for synchronizing the clocks of all Windows
computers in your forest, which prevents authentication problems. Another function of the
PDC Emulator is that it is the domain controller to which all changes to Group Policy are
initially made, and from there the GPO is replicated to all other domain controllers in the
domain. All password changes and account lockout issues are handled by the PDC Emulator
to ensure that password changes are replicated properly and account lockout policy is
effective.
- Infrastructure Daemon
Updates user-to-group memberships when changes are made.

Security:
Below are the types of groups available:

- Default: Default groups, such as the Domain Admins group, are security groups that are
created automatically when you create an Active Directory domain. You can use these
predefined groups to help control access to shared resources and to delegate specific,
domain-wide administrative roles. Many default groups are automatically assigned a set of
user rights that authorize members of the group to perform specific actions in a domain,
such as logging on to a local system or backing up files and folders. For example, a member
of the Backup Operators group has the right to perform backup operations for all domain
controllers in the domain. Default groups are located in the Builtin container and the Users
container. The default groups in the Builtin container have a group scope of Builtin Local.
Their group scope and group type cannot be changed. The Users container contains groups
that are defined with global scope and groups that are defined with domain local scope. You
can move groups that are located in these containers to other groups or OUs within the
domain, but you cannot move them to other domains.
- Domain Local: Members of domain local groups can include other groups and accounts
from Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008, and
Windows Server 2008 R2 domains. Members of these groups can be assigned permissions
only within a domain. Groups with domain local scope help you define and manage access
to resources within a single domain. These groups can have the following as their members:
  - Accounts from any domain
  - Global groups from any domain
  - Universal groups from any domain
  - Domain local groups, but only from the same domain as the parent domain local
group
  - A mixture of any of the above
- Global: Members of global groups can include accounts from the same domain as the
parent global group and global groups from the same domain as the parent global group.
Members of these groups can be assigned permissions in any domain in the forest. Use
groups with global scope to manage directory objects that require daily maintenance, such
as user and computer accounts. Because groups with global scope are not replicated outside
their own domain, you can change accounts in a group having global scope frequently without
generating replication traffic to the global catalog.
- Universal: Universal groups can have the following as their members:
  - Accounts from any domain within the forest in which this Universal Group resides
  - Global groups from any domain within the forest in which this Universal Group
resides
  - Universal groups from any domain within the forest in which this Universal Group
resides

Members of these groups can be assigned permissions in any domain in the domain tree or
forest. Use groups with universal scope to consolidate groups that span domains. To do this,
add the accounts to groups with global scope and nest these groups within groups that have
universal scope. When you use this strategy, any membership changes in the groups that
have global scope do not affect the groups with universal scope.
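The scope rules above decide which nestings a DC will accept and where a group can usefully be placed in an ACL, and the "accounts into global, global into universal, universal into domain local" strategy is exactly a chain of those rules. The following is an added example, not code from the tutorial: it encodes the membership and permission-scope rules as listed, and checks a nesting chain against them. Which domains form a forest is supplied by the caller; the principal and group names are constructed for the example.

```python
"""Check Active Directory group nesting and permission-scope rules.

Added example, not from the tutorial: encodes the membership rules the
tutorial lists for Domain Local, Global and Universal groups and the rule
for where each scope may be granted permissions. The set of domains that
form one forest is an assumption supplied by the caller.
"""
from dataclasses import dataclass
from typing import List, Set

ACCOUNT, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "account", "domain local", "global", "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # DNS name of the home domain, e.g. "sales.mcmcse.com"
    kind: str     # ACCOUNT or one of the three group scopes


def can_be_member(member: Principal, group: Principal, forest: Set[str]) -> bool:
    """True if `member` may be placed directly in `group` under the tutorial's rules."""
    same_domain = member.domain == group.domain
    in_forest = member.domain in forest and group.domain in forest
    if group.kind == DOMAIN_LOCAL:
        if member.kind == DOMAIN_LOCAL:
            return same_domain  # nested domain local groups only from the parent's own domain
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)  # these may come from any domain
    if group.kind == GLOBAL:
        # global groups take only accounts and global groups from their own domain
        return same_domain and member.kind in (ACCOUNT, GLOBAL)
    if group.kind == UNIVERSAL:
        # universal groups never hold domain local groups, and only draw from the forest
        return in_forest and member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    return False  # an account is not a container for anything


def can_be_granted(group: Principal, resource_domain: str, forest: Set[str]) -> bool:
    """Where a group of each scope may be assigned permissions, per the tutorial."""
    if group.kind == DOMAIN_LOCAL:
        return group.domain == resource_domain           # only within its own domain
    if group.kind in (GLOBAL, UNIVERSAL):
        return group.domain in forest and resource_domain in forest  # any domain in the forest
    return False


def validate_nesting(chain: List[Principal], forest: Set[str]) -> List[str]:
    """Return the rule violations in a nesting chain, or [] if the chain is valid.

    `chain` lists principals from the innermost member outwards, e.g.
    [account, global group, universal group, domain local group].
    """
    problems = []
    for inner, outer in zip(chain, chain[1:]):
        if not can_be_member(inner, outer, forest):
            problems.append(
                f"{inner.kind} {inner.name!r} ({inner.domain}) cannot be a member of "
                f"{outer.kind} {outer.name!r} ({outer.domain})"
            )
    return problems


if __name__ == "__main__":
    forest = {"mcmcse.com", "sales.mcmcse.com"}
    jason = Principal("jsprague", "sales.mcmcse.com", ACCOUNT)
    hq_staff = Principal("HQ Staff", "mcmcse.com", GLOBAL)
    print(validate_nesting([jason, hq_staff], forest))  # one violation: wrong domain
```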

Group Policy:
Group Policy is one of the most powerful administrative features and is designed to enable
administrators to control the environment with minimal effort. Group Policy is administered
through the Group Policy Microsoft Management Console (MMC) snap-in. Group policies are
not applied to "groups", but we can apply them to OUs.

An administrator can create several Group Policy Objects (GPO) in a given Group Policy
Container (GPC) and assign the appropriate GPO to the computers or users that need the
settings contained in that GPO. If you want to exclude certain users or computers from
processing the GPO assigned to the Site/Domain/OU that they belong to, you can simply
remove the users' or groups' "apply group policy" permissions. This effectively creates a
filter. You can also delegate control over GPOs so that a manager can change what a GPO
does for his or her department, but can't create any new GPOs or change the scope of a
GPO.

It is also possible to disable group policy objects without deleting them. If you do this (from
Group Policy - Options) it will only disable it for that container and any sub-containers that
inherit the settings. If another administrator "linked" to that GPO from another container,
then the GPO is still active in that container.

Software can be efficiently deployed, updated and removed using Group Policies and two
technologies - Windows Installer and Software Installation and Maintenance.

 Windows Installer will replace Setup.exe for many applications. Its advantages include
the ability to build custom installations, enable programs to "repair" themselves if a critical
file is missing or corrupt and to remove themselves very cleanly when necessary.
 Software Installation and Maintenance combines Group Policies and Active Directory
technologies to enable an administrator to install, manage and remove software across the
network.

When you deploy software, you can choose to assign it or publish it. Assigned software can
be targeted at users or computers. If you assign an application to a USER, the icons show
up on the desktop and/or start menu, but the program is only installed when the user runs
it for the first time. If it is assigned to a COMPUTER, it's installed the next time the system
is restarted.

If you publish an application, the user can install it through Add/Remove Programs or
through opening a file that requires that particular program (a file association). Published
programs cannot self-repair, cannot be published to computers and are not advertised on
the users' desktop or start menu, only through Add/Remove Programs.
Assigned applications require a Windows Installer file (.msi), while published applications can
use Windows Installer files or ZAP files. A .ZAP file is an administrator-created text file that
specifies the parameters of the program to be installed and the file extensions associated
with it. Installations that utilize .ZAP files cannot self-repair or install with higher privileges
and will typically require user intervention to completely install.

You can deploy upgrades using GPOs simply by specifying which program is to be upgraded
and whether or not it is a mandatory upgrade. You can apply service packs or patches by
"re-deploying" an existing Group Policy with the new information regarding the service pack.

Active Directory Utilities:

Utility - Purpose

SIDwalker - Security Administration Tools. Consists of 3 programs: showaccs.exe, sidwalk.exe and
Security Migration Editor (MMC snap-in). The first two are used to examine and change ACL
entries. Security Migration Editor edits mappings between old and new security IDs
(SIDs).

repadmin.exe - Replication Diagnostics Tool. Check replication consistency between partners, status,
force replication events and knowledge consistency checker recalculation.

acldiag.exe - ACL Diagnostics. Used to determine whether users have been granted/denied access to
AD objects. Can be used to reset Access Control Lists to their default values.

ADSI Edit - Low-level editor for Active Directory which enables adding, moving, and deleting
objects within Active Directory.

dfsutil.exe - Distributed File System Utility. Manages all aspects of the distributed file system.

dnscmd.exe - DNS Server Troubleshooting Tool. Check dynamic registration of DNS resource records
including secure DNS update, and unregister resource records.

dsacls.exe - View or modify ACLs of objects in AD.

nltest.exe - Create a list of PDCs, force a shutdown, provide info about trusts and replication.

dsastat.exe - Active Directory Diagnostic Tool. Compare naming contexts on Domain Controllers and
detect differences.

ldp.exe - Allows LDAP operations to be performed against Active Directory.

movetree.exe - AD Object Manager. Move AD objects like OUs and users between domains in a single
forest.

netdom.exe - Enables administrators to manage Active Directory domains and trust relationships
from the command prompt.

replmon.exe - Active Directory Replication Monitor. Graphically displays replication topology, monitors
status, forces replication and knowledge consistency checker recalculation.

sdcheck.exe - Security Descriptor Check Utility. Verify ACL propagation and replication for specified
objects in a directory.

Clients:
As a postscript, we thought that we should include information about older Windows clients
such as Windows NT 4.0 and Windows 9x. Although rarely encountered, Microsoft has
provided an add-on for Windows 95, Windows 98, and Windows NT 4.0 clients that allows
them to take advantage of many of the features provided by AD. More information about
this can be found here

How And When To Use Virtual LANs (VLANs)

From your Network+ exam studies, you know that switches forward broadcasts, and that sounds
great, but that's not always a good thing. A switch can have anywhere from 12 ports to 80 or more,
and by default all hosts connected to that switch are going to be in the same broadcast domain. Let's
say we have an 80-port switch. If one host connected to that switch sends a broadcast, by default, all
of the other 79 hosts are going to receive the broadcast. That will unnecessarily take up our network's
available bandwidth.

It gets worse. For some network services and protocols, a broadcast received by a host results in that
receiving host transmitting a broadcast of its own. Then when all the hosts receive that broadcast,
they all end up transmitting even more broadcasts. Pretty soon, all these broadcasts have snowballed
into a broadcast storm, which can take up most of a network's bandwidth and make normal network
operations almost impossible.

Most likely, only a few hosts on each switch really need to communicate with each other. Let's take
an eight-port switch for example, where three of the hosts are in the Security department, another three
in the Accounting department, and the other two in the Publishing department.

If any of these PCs sends a broadcast, every other host attached to that switch is going to receive it,
and may well generate a broadcast of its own in response. That's what we want to guard against, and
we can do so through the creation of Virtual LANs, or VLANs. Physically, these hosts all reside on the
same Local Area Network, but we can configure the switch to place them in different logical (virtual)
LANs. When a switch is configured with VLANs, the switch will forward a broadcast only to those hosts
in the same VLAN as the host that originated it. By creating three VLANs on this switch, we now have
three smaller broadcast domains, which helps to limit the scope of a broadcast.

After placing the Security hosts in their own VLAN, and then doing the same for the Accounting and
Publishing hosts, broadcasts are now limited to being forwarded throughout their own VLAN. If a host
in the Security department sends a broadcast, only other hosts in that same VLAN will receive it.

Now, here's another one of those good news / bad news scenarios we've discussed. (Better get used
to those -- in networking, almost everything we do has a good side and a bad side!)

Good news: Broadcasts will not be forwarded (propagated) between VLANs. A broadcast sent by one
host in a VLAN will be forwarded only to other hosts in that same VLAN.

Bad news: No other traffic is going to be able to go from one VLAN to another, either. By default,
there will be no inter-VLAN traffic on the switch. For traffic to go between VLANs, a Layer Three device
must be involved, and that L3 device will most likely be a router.
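Both halves of the good news / bad news above come from one forwarding rule: a switch floods a frame only to ports in the sender's VLAN and learns MAC addresses per VLAN. The following is an added example, not from the article: a toy layer-2 switch model with the eight-port Security/Accounting/Publishing layout, which shows the broadcast reaching 7 hosts before VLANs are configured and only the department's own ports afterwards, and why a unicast to a host in another VLAN goes nowhere useful without a layer-3 device. The class and method names are constructed for the example.

```python
"""Model of broadcast scoping on a VLAN-aware layer 2 switch.

Added example, not from the article: a toy switch that floods broadcasts
only to ports in the sender's VLAN and learns MAC addresses per VLAN.
Port numbers and MAC addresses below are constructed for the example.
"""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_count: int) -> None:
        # every port starts in VLAN 1: one switch, one broadcast domain
        self.port_vlan: Dict[int, int] = {p: 1 for p in range(1, port_count + 1)}
        # MAC table keyed by (vlan, mac); the same MAC seen in two VLANs is two entries
        self.mac_table: Dict[Tuple[int, str], int] = {}

    def assign_vlan(self, vlan: int, ports: List[int]) -> None:
        """Move ports into a VLAN and forget whatever was learned on them."""
        for p in ports:
            self.port_vlan[p] = vlan
        self.mac_table = {k: v for k, v in self.mac_table.items() if v not in ports}

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Forward a frame that arrived on `in_port`; return the egress ports."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port  # source-address learning
        if dst != BROADCAST:
            known = self.mac_table.get((vlan, dst))
            if known is not None:
                return [] if known == in_port else [known]
        # broadcast or unknown unicast: flood, but only to ports in the same VLAN.
        # A destination that lives in another VLAN is never consulted, which is the
        # "bad news" in the text: crossing VLANs needs a layer-3 device.
        return [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]


def broadcast_reach(sw: Switch, in_port: int) -> int:
    """How many hosts a broadcast from `in_port` reaches on this switch."""
    return len(sw.receive(in_port, f"00:00:00:00:00:{in_port:02x}", BROADCAST))


if __name__ == "__main__":
    sw = Switch(8)
    print("before VLANs:", broadcast_reach(sw, 1))   # 7
    sw.assign_vlan(10, [1, 2, 3])   # Security
    sw.assign_vlan(20, [4, 5, 6])   # Accounting
    sw.assign_vlan(30, [7, 8])      # Publishing
    print("after VLANs:", broadcast_reach(sw, 1))    # 2
```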

Notice I said "most likely".

Most books for exams such as Network+ and CCNA say that a switch is a Layer Two device, and a
router is a Layer Three device, and that's it. In today's networking, though, that's not the case, and I
don't want you to be confused when you hear the term "layer three switch" in the real world. (Or
worse, I don't want you to be confused in a job interview if someone mentions this term.)

There are switches available today that are also capable of routing, and these L3 switches are
becoming more and more popular as the price goes down. Having an L3 switch eliminates the need for
routers in some small networks, so you need to know about them. For your Network+ and CCNA
exams, if the term mentioned is simply "switch", they're talking about a classic "layer 2 switch" that
doesn't perform routing.
