Understanding Active Directory
Permission and Copyright
This material is reprinted from Windows 2000 Server Architecture and Planning, 2nd Edition, by M.S. Nielsen, ©2000 by The Coriolis Group.
Used with permission.
The Coriolis Group, LLC is a leading publisher and e-learning company, providing technical reference, skills training and study products for the IT
industry and creative design fields, and for those looking to maximize performance on IT certification exams and standardized tests. Coriolis has over
4 million books in print under its industry-leading Exam Cram certification brand. Exam Cram products cover more than 25 technology and professional
certification programs, and www.examcram.com is the premier online destination and e-learning resource center for IT certification and training.
Coriolis also publishes tutorial series for graphics professionals and technical reference books for software developers, networking professionals, and
Internet users and developers. With titles that frequently land on best-seller lists, the company has gained worldwide recognition for providing proven
learning methods and a real-world approach toward complex topics, by combining succinct, strategy-based content with a reader-friendly writing style.
terminology. The new Active Directory concept presents a lot of information to learn
(and relearn), regardless of your current level of NT 4/Windows 2000 Server experience.
Recognizing that fact, the definitions of the key Active Directory concepts are
reinforced in the next chapter, too.
76 Chapter 4
Essentially, a directory service has the potential to become the heart of the enterprise.
And, as the last chapter made very clear, the Windows NT 4 domain system doesn’t
provide the functionality needed to fulfill this role. Windows NT 4 domains are
plagued by numerous and well-known shortcomings: limited object types, flat
namespaces, Byzantine trust relationships, difficult APIs, and much more.
Fortunately, Microsoft now offers Active Directory to remedy the weaknesses of the
NT 4 domain. Active Directory is an industrial-strength directory service that is
included with Windows 2000 Server.
Active Directory represents a revolution compared to the directory included in Windows
NT Server 4. Active Directory includes many of the same traits as Windows
NT Server 4—a single network logon, a single point of administration and replication,
and full integration with the Windows 2000 OS. However, Active Directory
includes much more than NT Server 4:
• Active Directory is built from the ground up, using Internet-standard technologies,
with an emphasis on security, distribution, partitioning, and replication.
• Active Directory is designed to work well in installations of any size, from
a single server with a few hundred objects to thousands of servers and millions
of objects.
• Active Directory is designed to be a consolidation point, so that organizations
can isolate, migrate, centrally manage, and reduce the number of directories that
they maintain. This ought to make Active Directory an ideal long-term foundation
for corporate information sharing and common management of network
resources, including applications, network OSs, and directory-enabled devices.
Figure 4.1
A sample user object and its attributes.
Attributes of a user might include the user’s given name, surname, and email address,
as in the example shown in Figure 4.1.
Container
A container is an object that can contain other objects. In the same way that a
file folder is a container for documents, a directory container is a container for directory
objects.
Tree
Tree is used throughout this book to describe a hierarchy of objects. A tree shows how
objects are connected, by displaying the path from one object to another. Visualizing
the structure of a file directory helps most people understand the abstraction of a
tree structure.
In a tree, the end points are called leaf nodes. Inside the realm of directory services,
leaf nodes often are referred to as noncontainer objects, because they can’t contain
other objects.
Nodes in the tree (points at which the tree branches) are known as nonleaf nodes—or
simply containers.
A contiguous subtree (shown inside the dotted circle in Figure 4.2) is any unbroken
path in the tree, including all members of any container in that path.
Namespace
Active Directory is actually a namespace (much like any other directory service), which
is any definable space or context in which a specified name can be resolved. The
following are examples of namespaces:
Figure 4.2
A tree in which a contiguous subtree is shown inside the dotted circle.
Schema
Basically, the schema defines which objects can be created in the directory and which
attributes can be assigned to those objects. In Active Directory, the general definition
Configuration
The configuration naming context contains the replication topology and related
metadata. Global objects should always be published in the configuration naming
context (or the schema) as they are replicated to every Domain Controller (DC) in
the forest.
Name
Active Directory is based on the concept of representing every single object in the
directory with its own name. Names are structured in a hierarchical manner, so that
you can build paths that relate back to the original name.
The following are the two fundamentally different kinds of names:
• Distinguished name (DN)—Every object in Active Directory has a DN that identifies
(or distinguishes) the domain that holds the object, and the complete path
through the container hierarchy by which the object is reached. The following is
a typical DN that identifies the “Viggo Mortensen” user object in the Netlog.com
domain (see Figure 4.3):
/O=Internet/DC=COM/DC=Netlog/CN=Users/CN=Viggo Mortensen
• Relative distinguished name (RDN)—The part of the object’s DN that is an attribute
of the object itself. In the preceding example, the RDN of the “Viggo
Mortensen” user object is CN=Viggo Mortensen. The RDN of the parent object
is CN=Users.
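As an added example (not from the book), the following Python parses the root-first, slash-separated DN form shown above, extracts the object’s RDN and its parent’s RDN, derives the DNS domain name from the DC components, and also renders the leaf-first, comma-separated LDAP string form with RFC 2253 escaping, which the chapter itself does not show. The function names and the escaping helper are my own.

```python
SPECIAL = ',+"\\<>;'   # characters RFC 2253 requires escaping inside an RDN value


def parse_path_dn(dn):
    """Split the root-first path form into [(attribute type, value), ...].

    '/O=Internet/DC=COM/DC=Netlog/CN=Users/CN=Viggo Mortensen'
    -> [('O', 'Internet'), ('DC', 'COM'), ('DC', 'Netlog'),
        ('CN', 'Users'), ('CN', 'Viggo Mortensen')]
    """
    rdns = []
    for part in dn.split("/"):
        if not part:
            continue                 # the leading slash yields an empty piece
        if "=" not in part:
            raise ValueError(f"not an attribute=value RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def rdn_of(dn):
    """The object's own RDN: the last component of the path."""
    attr_type, value = parse_path_dn(dn)[-1]
    return f"{attr_type}={value}"


def parent_rdn(dn):
    """RDN of the container holding the object, or None at the top of the tree."""
    rdns = parse_path_dn(dn)
    if len(rdns) < 2:
        return None
    attr_type, value = rdns[-2]
    return f"{attr_type}={value}"


def dns_domain(dn):
    """DC components read root-first in the path form; DNS reads them leaf-first."""
    labels = [value for attr_type, value in parse_path_dn(dn) if attr_type == "DC"]
    return ".".join(reversed(labels))


def escape_value(value):
    """Escape an RDN value for the LDAP string form (RFC 2253)."""
    out = "".join("\\" + ch if ch in SPECIAL else ch for ch in value)
    if out.startswith("#"):          # a leading '#' would otherwise mean hex-encoded
        out = "\\" + out
    return out


def to_ldap_dn(dn):
    """Leaf-first, comma-separated LDAP string form of the same object."""
    rdns = parse_path_dn(dn)
    return ",".join(f"{t}={escape_value(v)}" for t, v in reversed(rdns))
```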
Name Resolution
Name resolution is the process of translating a name into some object or information
that the name represents. Active Directory uses the Dynamic Domain Name System
(DDNS) to resolve names.
Figure 4.3
A graphical representation of a distinguished name, built from Organization=Internet, Domain Component=COM, Domain Component=Netlog, Common Name=Users, and Common Name=Viggo Mortensen, giving O=Internet/DC=COM/DC=Netlog/CN=Users/CN=Viggo Mortensen. Understanding the DN is key to determining the relative distinguished name.
Trees
A domain tree (or simply tree) comprises several hierarchically organized domains
that share a common schema and configuration, forming a contiguous
namespace. The domains in a tree are also linked together by trust relationships.
Stated another way, when multiple domains are connected by trust relationships and
share a common schema, configuration, and global catalog, they form a domain tree.
The minimal domain tree is a single Windows 2000 Server domain. Trees can be
viewed in one of two ways:
• By the namespace of the domain tree
• By the trust relationships between domains
Viewing The Namespace
In the namespace view, all domains within a single domain tree share a hierarchical
naming structure.
The first domain in a tree is called the root of the tree. Additional domains in the
same tree are called child domains. Domains immediately above other domains in the
same tree are called parent domains. The domain name of a child domain is the RDN
of that child domain added to the beginning of the name of the parent domain. For
example, HQ.ACME.COM is a child domain of the ACME.COM parent domain.
Often, drawing a picture of the domain tree based on its hierarchical namespace can
help you thoroughly understand the domain tree. For example, as shown in Figure
4.4, you can use the drawing as a straightforward way to determine an object’s DN,
by following the path up the domain tree’s namespace.
Figure 4.4
Viewing a domain tree as a hierarchical namespace (root.com, its child domain sub.root.com, and that domain’s child other.sub.root.com) almost always is very beneficial for understanding the specific domain model.
The Forest
A forest is a set of one or more domain trees that does not form a contiguous
namespace—that is, the trees in a forest don’t share a common root. For example, the
domains HQ.COM and SALES.COM have no obvious relationship to each other.
This is an example of disjointed naming, in which the two domains can’t be part of
the same domain tree, but have to be joined as a forest.
Combining trees in a forest provides you with the flexibility of both contiguous and
disjointed naming conventions. This can be useful, for example, in companies with
independent divisions that must each maintain their own DNS names.
Each tree in a forest must share a common schema, configuration, and Global Catalog,
and must trust the other trees of the forest via transitive hierarchical trust
Figure 4.5
Drawing a domain tree based on its trust relationships (Domain X, Domain Y and Domain Z, with the automatically defined trusts between them and the implicit trust that results) helps to clarify the full implications of your domain model.
The Trusts Have Become Transitive
Trusts are also present in Windows 2000 Server for security among the domains in a
tree and among the domain trees in a forest.
However, the trusts in Windows 2000 Server are automatically defined between domains,
making them quite different from the trusts available in the previous versions
of Windows NT Server.
So please take note of the heavy changes brought about by the transitive, two-way
nature of the Windows 2000 Server trusts—before somebody with harmful intentions
does!
Figure 4.6
When combined, these two separate domain trees (Netlog.com with Sales.Netlog.com and Mkt.Sales.Netlog.com, and ErikMainz.com with Sales.ErikMainz.com) form a forest, because the DNS names of the two domain trees don’t have any common parts.
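As an added example covering the tree, forest and transitive-trust passages above (not part of the book), the following Python groups DNS-named domains into trees by the parent/child naming rule, reports whether they form one contiguous tree or a forest, and lists the domains a transitive trust chain crosses between any two of them. The domain names are the chapter’s own; treating the two tree roots as the crossing point between trees of a forest is my assumption about how the trees trust each other.

```python
def parent_domain(name):
    """Drop the leftmost DNS label: HQ.ACME.COM -> ACME.COM (None for one label)."""
    labels = name.lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def build_trees(domains):
    """Return (parent map, sorted tree roots).  A domain is a child only of the
    domain whose name it directly extends, as the chapter defines parent/child."""
    names = {d.lower() for d in domains}
    parents = {}
    for name in names:
        parent = parent_domain(name)
        parents[name] = parent if parent in names else None
    roots = sorted(name for name, parent in parents.items() if parent is None)
    return parents, roots


def is_single_tree(domains):
    """True when every domain hangs off one root (contiguous namespace);
    False when the set can only be joined as a forest."""
    return len(build_trees(domains)[1]) == 1


def trust_path(domains, src, dst):
    """Domains a transitive trust chain crosses from src to dst: up to the lowest
    common ancestor inside one tree, or up to both roots and across the
    tree-root trust (assumption) when src and dst lie in different trees."""
    parents, _ = build_trees(domains)

    def ancestry(name):
        chain = []
        while name is not None:
            chain.append(name)
            name = parents[name]
        return chain

    up, down = ancestry(src.lower()), ancestry(dst.lower())
    shared = [d for d in up if d in down]
    if shared:                                   # same tree
        lca = shared[0]
        return up[: up.index(lca) + 1] + list(reversed(down[: down.index(lca)]))
    return up + list(reversed(down))             # different trees: cross at the roots


# Constructed data: the domains of Figure 4.6.
FOREST = ["Netlog.com", "Sales.Netlog.com", "Mkt.Sales.Netlog.com",
          "ErikMainz.com", "Sales.ErikMainz.com"]
```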
Global Catalog: Another Key Feature Of Active Directory
Active Directory can consist of many partitions (or naming contexts), but knowing
the DN of an object provides you with enough information to locate a replica of the
partition that holds a specific object.
Many times, however, the user or application doesn’t know the DN of the target
object, or which partition contains the object. The Global Catalog (GC) enables users
and applications to find objects in Active Directory, even if the user or application
knows only one or a few attributes of the target object. The information stored in the
GC supports fast queries of all objects in the entire domain tree or forest.
This neat feature is able to function because Active Directory holds all objects from
all domains and the Global Catalog holds a subset of each object’s attributes.
The point of the GC is to provide a service and a store that:
• Contains a replica of every object in Active Directory.
• Includes a subset of the object attributes defined by Microsoft. Administrators
can specify additional properties that meet their organization’s needs, to include
object attributes that are most frequently used in searches conducted by its employees
or members.
• Is built automatically by Active Directory’s replication system.
Each site should typically have at least one GC server that is used to look up information
about any object in the forest in order to avoid unnecessary bandwidth usage. A
search of the Global Catalog can be initiated in one of several ways:
• By a subtree or one-level LDAP search rooted at the null DN (the root of the
namespace)
• By a direct reference to the GC port at a GC replica
• By an explicit reference to the GC ADSI provider (GC://)
Domain Controllers
As mentioned earlier, domain structure and site structure are two totally independent
concepts. A single domain can span geographical sites, and a single site can
include users and computers belonging to multiple domains.
Also, in Windows 2000 Server networks, you no longer have to distinguish between
primary domain controllers (PDCs) and backup domain controllers (BDCs). Unlike
the single-master model used by Windows NT 3.51 and NT 4, with its PDCs and
BDCs, in Active Directory networks, all DCs are peers, and each DC contains a
writeable copy of the domain’s directory. Any DC can change its copy of the directory,
and any changes in the directory on one DC are then passed to the remaining
DCs in the domain.
Thus, all the DCs in a particular domain can receive changes directly and replicate
those changes throughout the domain. This allows inter-site replication to occur
within a domain, even if any single DC is not available.
Additionally, the peer controller architecture enables you to promote any standalone
or member server to the role of DC—or vice versa. Thus, any computer running
Windows 2000 Server can potentially become a DC, which also makes moving DCs
between domains very simple.
A DC can either join an existing domain or be the first DC in a new domain. A DC
that joins an existing domain is called a replica DC, because it receives a copy of the
domain’s directory and participates in the directory replication. When a DC becomes
the first DC in a new domain, the act of promoting the server to a DC actually
creates the domain. A domain cannot exist until it has at least one DC.
Sites
To make sure that replication among the DCs for a particular domain can be fitted to
the physical constraints (that is, the bandwidth between the geographical sites), Active
Directory includes a site concept.
A site is a location in a network that contains Active Directory servers and that has a
collection (one or more) of well-connected TCP/IP subnets. Typically, a site has the
same physical boundaries as a local area network (LAN).
Domain Controllers: Starting All Over Again!
When Windows 2000 Server is first installed, it is installed as either a standalone
server or a member server:
• A standalone server is a computer that is running Windows 2000 Server and that
isn’t a member of a Windows 2000 Server domain. If you install a server as a member
of a workgroup, that server is a standalone server.
• A member server is a computer that is running Windows 2000 Server and that is a
member of a domain, but not a DC. Member servers don’t receive copies of the
directory. They typically are dedicated to application services or resource services,
such as a file and print server or a fax server.
Windows 2000 Server uses the Active Directory Installation Wizard (formerly Domain
Controller Promotion Wizard, DCPROMO) to promote a standalone or
member server to a DC role, or to demote a DC to a standalone or member server.
Also, please note that Windows 2000 Server no longer distinguishes between PDCs
and BDCs. In Active Directory networks, all DCs are peers and contain writable
copies of the directory.
When a user logs on, the Active Directory client finds Active Directory servers in the
same site as the user. This is accomplished easily, because the user’s workstation already
knows what TCP/IP subnet it is on, and subnets translate directly to Active
Directory sites.
Correspondingly, defining a site as a set of subnets lets administrators quickly and
easily configure Active Directory’s access and replication topology to take the properties
of the physical network properly into account.
DNS Integration
Active Directory is tightly integrated with the Domain Name System (DNS). DNS
is the distributed namespace used on the Internet to resolve computer and service
names to TCP/IP addresses. Most enterprises with intranets already use DNS as
their name resolution service—and now they have to expand this use to cover
Active Directory.
Windows 2000 Server domain names are DNS domain names. For example,
“Netlog.com” is a valid DNS domain name and thus can also be the name of a
Windows 2000 Server domain.
When an Active Directory server is installed, it publishes itself via Dynamic DNS
(DDNS), a recent extension to the DNS standard that defines a protocol for dynamically
updating a DNS server with new or changed values. Prior to DDNS,
administrators had to manually configure the records stored by DNS servers.
Active Directory servers publish their addresses in a form that enables a client
to find them even if the client knows only the domain name. Active Directory
servers are published via Service Resource Records (SRV RRs) in DNS. The SRV
RR is a DNS record that is used to map the name of a service to the address of a
server that offers that service. The name of an SRV RR takes the following form:
<service>.<protocol>.<domain>.
Active Directory servers offer the Lightweight Directory Access Protocol (LDAP)
service over the TCP protocol, so that published names are in the following form:
_ldap._tcp.<domain>.
Additional information on the SRV RR indicates the priority and weight for the
server, enabling clients to choose the best server for their needs.
Thus, a workstation logging in to acme.com will query DNS for SRV RRs for
_ldap._tcp.acme.com. A server will be selected from the list and then contacted.
The contacted server uses the subnet information presented by the workstation
to locate a DC that is in the site.
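An added example (mine, not the book’s or Microsoft’s locator code) tying the Sites and DNS Integration passages together in Python: it forms the _ldap._tcp.<domain>. query name, chooses a server from a constructed SRV answer by priority and weight as RFC 2782 prescribes, and maps the workstation’s address to a site through a constructed subnet-to-site table. The site names, subnets and server names are invented.

```python
import ipaddress
import random
from typing import NamedTuple


class SrvRecord(NamedTuple):
    priority: int   # lower is preferred
    weight: int     # relative share among records of the same priority
    port: int
    target: str


def ldap_srv_name(domain):
    """The _ldap._tcp.<domain>. name an Active Directory server publishes via DDNS."""
    return f"_ldap._tcp.{domain.lower().rstrip('.')}."


def site_for_address(address, subnet_to_site):
    """A site is a set of subnets; return the site of the most specific subnet
    containing the address, or None when no site claims it."""
    ip = ipaddress.ip_address(address)
    best_net, best_site = None, None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def select_server(records, rng=random):
    """RFC 2782 selection: only the lowest-priority group is eligible; within it a
    target is chosen at random with probability proportional to its weight
    (simplification: weight-0 targets are skipped while others carry weight)."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)
    pick, running = rng.randint(1, total), 0
    for rec in group:
        running += rec.weight
        if pick <= running:
            return rec
    return group[-1]


# Constructed data: subnets of three sites and the SRV RRs DNS would return for acme.com.
SUBNET_TO_SITE = {"10.1.0.0/16": "Copenhagen", "10.1.5.0/24": "Copenhagen-Lab",
                  "10.2.0.0/16": "Aarhus"}
ACME_SRV = [SrvRecord(0, 100, 389, "dc1.acme.com."),
            SrvRecord(0, 50, 389, "dc2.acme.com."),
            SrvRecord(10, 100, 389, "dc3.acme.com.")]   # fallback priority


def locate_dc(domain, workstation_ip, records=ACME_SRV, subnets=SUBNET_TO_SITE, seed=0):
    """What the logon does: form the SRV name, pick a server from the answer, and
    report the site the workstation's own subnet maps to."""
    chosen = select_server(records, random.Random(seed))
    return {"query": ldap_srv_name(domain), "server": chosen.target,
            "site": site_for_address(workstation_ip, subnets)}


def share_by_target(records, trials=10000, seed=1):
    """How often each target is chosen, to check the priority/weight behaviour."""
    rng, counts = random.Random(seed), {}
    for _ in range(trials):
        target = select_server(records, rng).target
        counts[target] = counts.get(target, 0) + 1
    return counts
```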
Kerberos Security
In Active Directory, authentication and access control are based on the Kerberos
version 5 protocol. This protocol is fully integrated with the Windows 2000 Server
security architecture for authentication and access control of servers and users.
The initial Windows 2000 Server domain logon is provided by the WinLogon single
sign-on architecture. Initial Kerberos protocol authentication is integrated with
WinLogon.
The Kerberos version 5 protocol is a “shared-secret” authentication protocol, in which
the user and the authentication service both know the user’s password or the one-way
encrypted password. The Kerberos protocol defines the interactions between a client
and a network authentication service that is known as a Key Distribution Center (KDC).
Windows 2000 Server implements a KDC as the authentication service on each DC.
The KDC uses the Active Directory as the account database for users (principals)
and groups.
Replication
Active Directory provides multimaster replication, which means that all replicas of a
particular partition (that is, the DC) are writeable, enabling updates to be applied to
any replica of that partition. The Active Directory replication system propagates the
changes from one replica to all other replicas. Replication is automatic and transparent.
Some directory services use timestamps to detect and propagate changes. In these
systems, the clocks on all directory servers must always be synchronized. Historically,
time synchronization within a network has proven to be a very difficult undertaking.
Even with very good network time synchronization, the time at any particular direc-
tory server can be incorrectly set, which in turn can lead to lost updates.
To avoid synchronization problems, the Active Directory replication system doesn’t
depend exclusively on time for update propagation. Instead, it uses an Update Sequence
Number (USN), a 64-bit number maintained by each DC server. When the
DC server writes any property to Active Directory, the USN is advanced and stored
with the property that was written. This operation is performed atomically—which
means that the incrementing and storage of the USN and the write of the property
succeed or fail as a single unit of work.
Each DC server also maintains a table of USNs that are received from replication
partners. The highest USN received from each partner is stored in this table. When a
DC is notified by a particular partner that replication is required, that server returns
all changes with USNs greater than the last USN value received. This is a very simple
approach that doesn’t depend on the accuracy of timestamps.
Because the USN stored in the table is updated atomically for each update received,
recovery after a failure is also simple. To restart replication, a server simply asks its
partners for all changes with USNs greater than the last valid entry in the table.
Because the table is updated atomically as the changes are applied, an interrupted
replication cycle always picks up exactly where it left off, with no loss or duplication
of updates.
In a multimaster replication system, such as Active Directory, the same property may
be updated at two or more different replicas. When a property changes in a second
(or third, or fourth, and so on) replica before a change from the first replica is fully
propagated, a replication collision occurs. Collisions are detected through the use
of Property Version Numbers. Unlike USNs, which are server-specific values, a
Property Version Number is specific to the property of an Active Directory object.
When a property is first written to an Active Directory object, the version number
is initialized.
An originating write—a write to a property at the system initiating the change—
advances the version number. Property writes caused by replication are not originating
writes, and thus don’t advance the version number. For example, when a user updates
his or her password, an originating write occurs and the password version number is
advanced. Replication writes of the changed password at other servers don’t advance
the version number.
A collision is detected when a change is received via replication in which the property
version number received is equal to the locally stored property version number, and
the received and stored values are different. When this occurs, the receiving system
applies the update that has the later timestamp. This is the only situation in which
time is used in Active Directory replication.
When the received version number is lower than the locally stored version number,
the update is presumed stale and thus discarded. When the received version number
is higher than the locally stored version number, the update is accepted.
The Active Directory replication system also allows loops in the replication topology,
enabling an administrator to configure a replication topology with multiple paths
among the servers, which enhances performance and availability.
Active Directory’s replication system performs propagation dampening to prevent
changes from propagating endlessly, and to eliminate redundant transmission of
changes to replicas that are already up-to-date. Up-to-date vectors—lists of server-
USN pairs held by each DC server—are used to dampen propagation. The up-to-date
vector at each server indicates the highest USN of originating writes received from
the server in the server-USN pair. An up-to-date vector for a server in a particular site
lists all the other servers (where an originating write has occurred) in that site.
When a replication cycle begins, the requesting server sends its up-to-date vector to
the sending server. The sending server uses the up-to-date vector to filter changes
sent to the requesting server. If the highest USN for a specific originating writer is
greater than or equal to the originating writer USN for a particular update, the sending
server does not need to send the change; the requesting server is already up-to-date
with respect to the originating writer.
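To make the USN, property-version and up-to-date-vector mechanics of the preceding pages concrete, here is an added Python simulation (my own, not Microsoft’s replication code) of three DCs in which the same password is changed on two of them before either change replicates. Class and method names are assumptions; the DC names, property key and timestamps are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Value:
    data: str
    version: int     # property version number: advanced by originating writes only
    stamp: int       # originating timestamp; consulted only to break a version tie
    origin: str      # DC on which the originating write happened
    origin_usn: int  # USN that DC assigned to the originating write


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0              # per-DC counter (64-bit in real AD), advanced on every write
        self.props = {}           # (object, attribute) -> Value
        self.log = []             # (local USN, key, Value) in local USN order
        self.high_watermark = {}  # partner name -> highest partner USN already received
        self.utd_vector = {}      # up-to-date vector: originating DC -> highest USN applied

    def _store(self, key, value):
        # USN increment, property write and vector update succeed as one unit of work
        self.usn += 1
        self.props[key] = value
        self.log.append((self.usn, key, value))
        self.utd_vector[value.origin] = max(self.utd_vector.get(value.origin, 0), value.origin_usn)

    def originating_write(self, key, data, stamp):
        old = self.props.get(key)
        version = old.version + 1 if old else 1
        self._store(key, Value(data, version, stamp, self.name, self.usn + 1))

    def changes_since(self, usn, requester_vector):
        """Sender side: entries above the requester's watermark; None marks a change
        the requester's up-to-date vector shows it already holds (dampening)."""
        out = []
        for local_usn, key, v in self.log:
            if local_usn > usn:
                known = requester_vector.get(v.origin, 0) >= v.origin_usn
                out.append((local_usn, key, None if known else v))
        return out

    def _apply(self, key, v):
        local = self.props.get(key)
        if local is None or v.version > local.version:
            self._store(key, v)
            return "applied"
        if v.version < local.version:
            return "stale"                     # older than what we hold: discard
        if v.data == local.data:
            return "duplicate"
        if v.stamp > local.stamp:              # collision: later timestamp wins
            self._store(key, v)
            return "collision-remote-wins"
        return "collision-local-wins"

    def pull_from(self, partner):
        """Requester side: ask for everything above our watermark for this partner."""
        counts = {}
        last = self.high_watermark.get(partner.name, 0)
        for local_usn, key, v in partner.changes_since(last, self.utd_vector):
            outcome = "dampened" if v is None else self._apply(key, v)
            self.high_watermark[partner.name] = local_usn   # updated as each change lands
            counts[outcome] = counts.get(outcome, 0) + 1
        return counts


def demo():
    """Three DCs; a password changed on A and on B before either change replicates."""
    a, b, c = (DomainController(n) for n in "ABC")
    key = ("CN=Viggo Mortensen", "password")
    a.originating_write(key, "pw-v1", stamp=1)         # version 1, originates on A
    b.pull_from(a)
    c.pull_from(b)                                     # A -> B -> C
    a.originating_write(key, "pw-from-A", stamp=10)    # both sides advance 1 -> 2
    b.originating_write(key, "pw-from-B", stamp=11)
    r1 = b.pull_from(a)   # equal versions, B's stamp is later: B keeps its own value
    r2 = a.pull_from(b)   # A adopts B's value; B's copy of pw-v1 is dampened
    r3 = a.pull_from(c)   # C holds only A's own originating write: dampened
    return a.props[key].data, b.props[key].data, r1, r2, r3
```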
Figure 4.7
The Windows 2000 Server architecture looks exactly like the architecture of Windows NT 4, except for the Active Directory addition to the Security Subsystem in Windows 2000 Server. (Layers shown: POSIX, Win32, OS/2 and Active Directory applications; System Threads; Executive Services with the I/O Manager, Cache Manager, Processes and Threads, Memory Manager, Security, Win32 User/GDI, File Systems and Object Manager; Device Drivers and Kernel; the Hardware Abstraction Layer (HAL); Hardware.)
Figure 4.8
Active Directory is located in the Local Security Authority (LSASS.EXE) component inside the Security Subsystem. (Components shown: Secur32.DLL, Netlogon (NETLOGON.DLL), LSASRV (LSASRV.DLL) and the Directory Service (NTDSA.DLL), connected over RPC and LDAP.)
Table 4.2 The components of the Directory Service Module (NTDSA.DLL) (continued).
Component: DataBase Layer (DB layer)
Description: An internal abstraction layer that provides access to database storage and search functionality. All database access is routed through the DB layer.
Component: Extensible Storage Engine (ESE)
Description: An improved version of the Jet database engine that is used in Microsoft Exchange Server 4 and 5 (and that will be used for new versions, starting with release 6). ESE stores all Active Directory objects. The database currently has a limit of 17TB, which means that every domain theoretically can hold at least ten million objects. Also worth mentioning is that ESE reserves storage only for the space that actually is used (for example, if an object can have 50 attributes, but a new instance of that object is created with only 4 attributes, space is consumed only for the 4 attributes actually used).
Table 4.3 lists and describes the five interface agents that access the Directory Services
module.
Figure 4.9
Directory Service Module (NTDSA.DLL) is a central part of Active Directory. (The figure shows the DB Layer beneath it.)
Table 4.4 The primary features of Active Directory (continued).
Feature: Global Catalog
Description: A service that allows users and administrators to query for and find any network object very quickly. The Global Catalog (GC) can be thought of as the index engine of Active Directory that makes queries fast and easy. The GC service lists only the resources available to the person that posed the query, as a matter of security.
Feature: Replication
Description: Active Directory is based on multimaster replication, which means that directory changes can be written to any DC in the domain. The DC then replicates the changes to its replication partners. Multimaster replication provides the scalability and fault tolerance needed to handle a crucial network service such as Active Directory.
Feature: DNS integration
Description: Active Directory uses DNS as its domain naming and location service. DNS is the most widely used directory service in the world, because DNS is the locator service used on the Internet and in most private intranets. Because Active Directory uses DNS as its location service, Windows 2000 Server domain names are also DNS names.