4

Understanding Active Directory

As Chapter 3 discussed, information about people, applications, and resources is
scattered throughout most IT enterprises. Almost all current operating systems and
applications (ranging from email to Enterprise Resource Planning [ERP] systems)
provide their own repositories—or directories—to store information about users and
resources. And as companies continually increase the number of applications
and platforms that they use and support, the number of different repositories
increases as well.
This rapid increase in repositories forces companies to manage information in many
different places—even though those places contain duplicated and related informa-
tion. To minimize costs and increase their ability to respond to changes, companies
need an enterprise-class directory service that provides a common place to store,
access, and manage corporate information—and that doesn’t sacrifice application
and operating system functionality. Microsoft’s Active Directory is one such
enterprise-class directory service.
This chapter provides a review of all the key Active Directory terminology and how it
relates to the Windows 2000 Server core components. As the key terms are defined
and the inner workings are singled out, your understanding of Active Directory should
grow rapidly. Over the next several chapters, your understanding of Active Directory
will be transformed into knowledge that you can utilize to design and plan for your
own Active Directory implementation.
Understanding the key Active Directory concepts and terminology presented in this
chapter is essential for the planning of a Windows 2000 Server environment and a
prerequisite for successfully completing the rest of the book. However, don’t despair
if you are a bit overwhelmed by this chapter’s tour de force into Active Directory
terminology. The new Active Directory concept presents a lot of information to learn
(and relearn), regardless of your current level of NT 4/Windows 2000 Server experience.
Recognizing that fact, the definitions of the key Active Directory concepts are
reinforced in the next chapter, too.

Permission and Copyright
This material is reprinted from Windows 2000 Server Architecture and Planning, 2nd Edition, by M.S. Nielsen, ©2000 by The Coriolis Group.
Used with permission.

Enter Active Directory


Two of the most critical corporate assets in today’s economy are people and informa-
tion systems. Unfortunately, from a technical point of view, in the typical Windows
NT 4–based network, these resources have no knowledge of each other—whatsoever.
For example, every time that a new application is installed or a new employee is
hired, NT 4 administrators must create multiple directory entries to match new users
with the proper resources. Simple events such as a new hire can turn into a laborious
exercise, requiring enrollment in email systems, ERP systems, intranet systems, re-
mote access systems, and other systems. Similarly, if an employee leaves the company,
that user must be removed immediately from all of these systems.
Promotions, too, can quickly turn into nightmares for the administrators, because
they can’t simply drag-and-drop users from one domain to another domain. Instead,
they must delete the person being promoted from one domain and completely re-
create that person in another domain. (And moving entire groups between domains
is far more difficult.)
Data from Forrester Research helps to put the scale of this task into perspective: On
average, a Fortune 1000 company has more than 180 separate directories in its net-
work. In short, in today’s fast-paced world of mergers, acquisitions, divestitures, and
reorganizations, ensuring that employees have proper access to company resources
can be a full-time job for an army of IT workers. Furthermore, the technical fallouts
of NT 4 don’t result only in cost and replication of effort—they touch upon the very
flexibility and security that safeguard vital corporate information.
Unifying corporate directories does far more than just ease management woes,
improve flexibility, and eliminate many inherent security risks. An industrial-strength
directory service can serve as a central repository to store information that impacts
every part of the performance and functionality of the corporate network. And
this centralized directory plays an essential role in supporting such tasks as creating
and enforcing policies to prioritize traffic, manage bandwidth, and control access to
corporate information.

76 Chapter 4
Essentially, a directory service has the potential to become the heart of the enterprise.
And, as the last chapter made very clear, the Windows NT 4 domain system doesn’t
provide the functionality needed to fulfill this role. Windows NT 4 domains are
plagued by numerous and well-known shortcomings: limited object types, flat
namespaces, Byzantine trust relationships, difficult APIs, and much more.
Fortunately, Microsoft now offers Active Directory to remedy the weaknesses of the
NT 4 domain. Active Directory is an industrial-strength directory service that is
included with Windows 2000 Server.
Active Directory represents a revolution compared to the directory included in Win-
dows NT Server 4. Active Directory includes many of the same traits of Windows
NT Server 4—a single network logon, a single point of administration and replica-
tion, and full integration with the Windows 2000 OS. However, Active Directory
includes much more than NT Server 4:
• Active Directory is built from the ground up, using Internet-standard technolo-
gies, with an emphasis on security, distribution, partitioning, and replication.
• Active Directory is designed to work well in installations of any size, from
a single server with a few hundred objects to thousands of servers and millions
of objects.
• Active Directory is designed to be a consolidation point, so that organizations
can isolate, migrate, centrally manage, and reduce the number of directories that
they maintain. This ought to make Active Directory an ideal long-term founda-
tion for corporate information sharing and common management of network
resources, including applications, network OSs, and directory-enabled devices.

Basic Directory Services Definitions


Before venturing into the key terms that are specific to Active Directory, you should
understand some of the basic definitions that are universal to Active Directory and
almost all current directory services. Many of the terms and concepts may seem very
abstract at first, so staying on track all the way through this section may take some
effort—but it will prove to be a worthwhile investment later on.

Objects And Attributes


An object is a distinct, named set of attributes that represents something concrete,
such as a user, a printer, or an application. The attributes (also referred to as properties)
hold data that describes the subject identified by the directory object.

Figure 4.1
A sample user object and its attributes: a user object carrying the attributes
Name: Viggo, Surname: Mortensen, and Email: vm@netlog.com.

Attributes of a user might include the user’s given name, surname, and email address,
such as the example shown in Figure 4.1.

Container
A container is an object that can contain other objects. In the same way that a
file folder is a container for documents, a directory container is a container for direc-
tory objects.

Tree
Tree is used throughout this book to describe a hierarchy of objects. A tree shows how
objects are connected, by displaying the path from one object to another. Visualizing
the structure of a file directory helps most people understand the abstraction of a
tree structure.
In a tree, the end points are called leaf nodes. Inside the realm of directory services,
leaf nodes often are referred to as noncontainer objects, because they can’t contain
other objects.
Nodes in the tree (points at which the tree branches) are known as nonleaf nodes—or
simply containers.
A contiguous subtree (shown inside the dotted circle in Figure 4.2) is any unbroken
path in the tree, including all members of any container in that path.

Figure 4.2
A tree in which a contiguous subtree is shown inside the dotted circle.

Namespace
Active Directory is actually a namespace (much like any other directory service), which
is any definable space or context in which a specified name can be resolved. The
following are examples of namespaces:
• A telephone directory forms a namespace in which the names of telephone
subscribers can be resolved to telephone numbers.
• The Windows 2000 Server file system forms a namespace in which the name of
a file can be resolved to the actual file.
Active Directory forms a namespace in which the name of an object in the directory
can be resolved to the specific object. The namespace also defines the scope of
replication.

Naming Contexts And Partitions


Active Directory consists of one or more naming contexts, or partitions. A naming
context is any contiguous subtree of the directory. Naming contexts are the unit
of replication.
In Active Directory, a single server always holds at least three naming contexts:
• The schema
• The configuration
• One or more user naming contexts

Schema
Basically, the schema defines which objects can be created in the directory and which
attributes can be assigned to those objects. In Active Directory, the general definition
of schema is the set of all object classes and attributes that can be stored in
Active Directory. The more-specific details of the Active Directory schema are the
following:
• The class is a list of attributes that instances of that class (that is, objects) must or
may contain. For example, a value for the Common Name (cn) attribute is required for
a user account object, whereas a value for the Address attribute is optional.
• The schema defines a syntax that determines what kind of data each attribute
can hold and optional range limits.
• The schema is extensible, which means that new classes and attributes can be
added at your discretion.
It is worth noticing that the Active Directory schema is implemented as a set of
object class instances, which is stored in the directory. This is very different from
many other directories that have a schema, which typically store the schema as a text
file to be read at startup. However, storing the schema in the directory has many
advantages. For example, applications can read the schema to discover which objects
and properties are available, and the Active Directory schema can be updated
dynamically.

Configuration
The configuration naming context contains the replication topology and related
metadata. Global objects should always be published in the configuration naming
context (or the schema) as they are replicated to every Domain Controller (DC) in
the forest.

User Naming Contexts


The user naming contexts (also called domain naming contexts) are subtrees containing
the actual objects in the directory (remember that the range of possible types of objects
is specified in the schema naming context). There is one user naming context for each
Active Directory domain. Therefore, one will always have at least one user naming
context (that is, one for the first domain defined when creating the directory) in each
Active Directory structure.

Name
Active Directory is based on the concept of representing every single object in the
directory with its own name. Names are structured in a hierarchical manner, so that
you can build paths that relate back to the original name.
The following are the two fundamentally different kinds of names:
• Distinguished name (DN)—Every object in Active Directory has a DN that identifies
(or distinguishes) the domain that holds the object, and the complete path through the
container hierarchy by which the object is reached. The following is a typical DN that
identifies the “Viggo Mortensen” user object in the Netlog.com domain, written in the
root-first path notation used in this book (see Figure 4.3):
/O=Internet/DC=COM/DC=Netlog/CN=Users/CN=Viggo Mortensen
In the LDAP notation that directory tools and APIs actually accept, the same DN is
written with the most specific component first, with commas as separators, and without
the O=Internet pseudo-root: CN=Viggo Mortensen,CN=Users,DC=Netlog,DC=com
• Relative distinguished name (RDN)—The part of the object’s DN that is an attribute
of the object itself, together with its value. In the preceding example, the RDN of the
“Viggo Mortensen” user object is CN=Viggo Mortensen. The RDN of the parent object
is CN=Users.
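Both notations can be handled mechanically. The following Python is an example added here, not code from the book: it parses an LDAP DN into its RDNs (honouring the backslash escaping LDAP uses for commas and other special characters inside a value), extracts an object's RDN, its parent's DN and the DNS name of the domain that holds it, and converts the chapter's slash-separated path notation into LDAP form. The function names are the example's own; the only names taken from the chapter are the Netlog.com examples.

```python
"""Parse and manipulate LDAP distinguished names.

Added example for this chapter, not code from the book. It handles the LDAP
string form of a DN (RFC 2253/4514): relative distinguished names separated by
commas, most specific first, with a backslash escaping characters such as a
comma that would otherwise be read as DN syntax.
"""
from typing import List, Tuple

RDN = Tuple[str, str]          # (attribute type, attribute value)
SPECIAL = ',+"\\<>;='          # characters that must be escaped inside a value


def parse_dn(dn: str) -> List[RDN]:
    """Split an LDAP DN into (type, value) pairs, honouring backslash escapes."""
    rdns: List[RDN] = []
    attr, buf, in_value = "", [], False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:         # end of the attribute type
            attr = "".join(buf).strip()
            if not attr:
                raise ValueError(f"malformed DN: {dn!r}")
            buf, in_value = [], True
        elif ch == "," and in_value:           # end of this RDN
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value or not buf:                # dangling comma or empty value
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def escape_value(value: str) -> str:
    """Escape characters that would otherwise be read as DN syntax."""
    out = []
    for i, ch in enumerate(value):
        needs = (ch in SPECIAL or (ch == "#" and i == 0)
                 or (ch == " " and i in (0, len(value) - 1)))
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn."""
    return ",".join(f"{a}={escape_value(v)}" for a, v in rdns)


def rdn_of(dn: str) -> str:
    """The object's own RDN: the first component of its LDAP DN."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """DN of the container holding the object: everything after its RDN."""
    rdns = parse_dn(dn)
    if len(rdns) < 2:
        raise ValueError("a one-component DN has no parent")
    return format_dn(rdns[1:])


def domain_of(dn: str) -> str:
    """Reassemble the DNS name of the holding domain from the DC= components."""
    dcs = [v for a, v in parse_dn(dn) if a.upper() == "DC"]
    if not dcs:
        raise ValueError("DN has no DC components")
    return ".".join(dcs)


def book_path_to_ldap(path: str) -> str:
    """Convert the root-first, slash-separated form used in this chapter
    (/O=Internet/DC=COM/DC=Netlog/CN=Users/CN=Viggo Mortensen) into LDAP form.
    The O=Internet pseudo-root is not part of a real Active Directory DN and is
    dropped. Assumes no value in the path contains a '/'."""
    rdns: List[RDN] = []
    for part in filter(None, path.split("/")):
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError(f"bad path component: {part!r}")
        if attr.upper() == "O" and value.lower() == "internet":
            continue
        rdns.append((attr, value))
    return format_dn(rdns[::-1])
```

The escaping matters in practice: a user whose common name is written surname-first, "Mortensen, Viggo", has a comma inside its RDN value, and a naive split on commas would turn it into two components and address the wrong object.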

Name Resolution
Name resolution is the process of translating a name into some object or information
that the name represents. Active Directory relies on the Domain Name System (DNS) to
resolve domain and server names, and on Dynamic DNS (DDNS) updates to keep the
records that point at its servers current.

Domains: Logical Partitioning Of The Directory
The domain is the core unit of logical structure in Active Directory (as it was in
Windows NT Server 4 and earlier versions). However, an Active Directory domain is
very different from an NT Server domain.

Figure 4.3
A graphical representation of a distinguished name: Organization=Internet, Domain
Component=COM, Domain Component=Netlog, Common Name=Users, Common Name=Viggo
Mortensen, written as O=Internet/DC=COM/DC=Netlog/CN=Users/CN=Viggo Mortensen.
Understanding the DN is key to determining the relative distinguished name.

In Active Directory, the domain represents a logical grouping of objects, as well as a
boundary for replication and security. The following are the major features and ben-
efits of Active Directory domains:
• Domains provide object-grouping functionality, to reflect the company’s organi-
zation on the network.
• Each domain stores information only about the objects located in that domain.
By splitting up, or partitioning, the directory information in this way, Active
Directory can be scaled to accommodate virtually as many objects as a company
ever needs.
• Each domain is also a boundary for security policies and settings (such as account
policies, administrative rights, and access control lists), which do not cross from one
domain to another. The administrator of a domain has full rights to set policies only
within that domain. Note, however, that the domain is not a hard security boundary
in the sense of isolating one organization from another: all domains in a forest share
one schema and configuration and are linked by two-way transitive trusts, and a holder
of Domain Admins rights in any domain can in practice obtain control of the whole
forest. The forest is the true security boundary, so parties that must be isolated from
each other need separate forests.
• A domain can span more than one physical location. The use of domains actually
is a purely logical way of partitioning the directory—domains don’t have any
bearing on the physical side of things such as the actual placing of servers
and clients.
Active Directory consists of one or more domains that are joined together in trees
or a forest.
Even though “domains” are still the fundamental building blocks for Active Directory,
don’t confuse Active Directory domains in Windows 2000 Server with NT Server domains.
Active Directory domains are totally different than the domains used in Windows NT Server.

Trees
A domain tree (or simply tree) is comprised of several hierarchically organized do-
mains that share a common schema and configuration, forming a contiguous
namespace. The domains in a tree are also linked together by trust relationships.
Stated another way, when multiple domains are connected by trust relationships and
share a common schema, configuration, and global catalog, they form a domain tree.
The minimal domain tree is a single Windows 2000 Server domain. Trees can be
viewed in one of two ways:
• By the namespace of the domain tree
• By the trust relationships between domains

Viewing The Namespace
In the namespace view, all domains within a single domain tree share a hierarchical
naming structure.
The first domain in a tree is called the root of the tree. Additional domains in the
same tree are called child domains. Domains immediately above other domains in the
same tree are called parent domains. The domain name of a child domain is the RDN
of that child domain added to the beginning of the name of the parent domain. For
example, HQ.ACME.COM is a child domain of the ACME.COM parent domain.
Often, drawing a picture of the domain tree based on its hierarchical namespace can
help you thoroughly understand the domain tree. For example, as shown in Figure
4.4, you can use the drawing as a straightforward way to determine an object’s DN,
by following the path up the domain tree’s namespace.

Viewing Trust Relationships


All domains in a tree are automatically joined together through two-way, transitive
trust relationships.
Windows 2000 Server establishes trust relationships between domains via the Kerberos
security protocol. Kerberos trust relationships are two-way and transitive—that is,
if domain A trusts domain B, and domain B trusts domain C, then domain A
also trusts domain C. Kerberos trust relationships are a stark contrast to the
nontransitive trusts of Windows NT Server 4 and earlier releases. The properties of
transitive trusts effectively minimize the number of trusts necessary, regardless of the
particular application.
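The namespace view and the trust view can both be computed from nothing more than a list of domain names and the choice of forest root. The Python below is an example added here, not code from the book: it finds each domain's parent and tree root from the DNS names (so HQ.ACME.COM ends up under ACME.COM), derives the trusts Windows 2000 creates automatically (parent to child within a tree, forest root to tree root between trees), and then answers whether one domain trusts another by walking the two-way trusts transitively, or only one hop when asked to behave like NT 4. The forest it builds is constructed from the Netlog.com and ErikMainz.com domain names used later in this chapter; the function names are the example's own.

```python
"""Domain trees, forests, and the trusts Windows 2000 creates automatically.

Added example for this chapter, not code from the book. The forest layout is
constructed from the chapter's example domain names.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Trust = Tuple[str, str]  # two-way, so the order of the pair does not matter


def parent_domain(name: str, domains: Set[str]) -> Optional[str]:
    """Nearest DNS ancestor of `name` that is itself a domain in the set.
    hq.acme.com -> acme.com; acme.com -> None, i.e. a tree root."""
    labels = name.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def tree_root(name: str, domains: Set[str]) -> str:
    """Walk up parent links until a domain with no parent is reached."""
    current = name.lower()
    while (parent := parent_domain(current, domains)) is not None:
        current = parent
    return current


def tree_roots(domains: Set[str]) -> List[str]:
    """One root per tree; more than one root means the domains form a forest."""
    return sorted(d for d in domains if parent_domain(d, domains) is None)


def same_tree(a: str, b: str, domains: Set[str]) -> bool:
    """True when both domains sit in one contiguous namespace."""
    return tree_root(a, domains) == tree_root(b, domains)


def automatic_trusts(domains: Set[str], forest_root: str) -> List[Trust]:
    """Trusts established without administrator action: parent<->child within
    each tree, and forest root<->tree root for every additional tree."""
    trusts: List[Trust] = []
    for d in sorted(domains):
        p = parent_domain(d, domains)
        if p is not None:
            trusts.append((p, d))
    for r in tree_roots(domains):
        if r != forest_root.lower():
            trusts.append((forest_root.lower(), r))
    return trusts


def trust_path(a: str, b: str, trusts: List[Trust],
               transitive: bool = True) -> Optional[List[str]]:
    """Chain of domains through which `a` trusts `b`, or None if it does not.
    transitive=False permits only a direct trust, which is how NT 4 trusts behave."""
    adj: Dict[str, Set[str]] = {}
    for x, y in trusts:                      # two-way: add both directions
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    a, b = a.lower(), b.lower()
    if a == b:
        return [a]
    if not transitive:
        return [a, b] if b in adj.get(a, ()) else None
    prev: Dict[str, Optional[str]] = {a: None}  # breadth-first search
    queue = deque([a])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj.get(cur, ())):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == b:
                path, node = [], b
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            queue.append(nxt)
    return None


# Constructed forest: two trees, netlog.com created first and so the forest root.
FOREST = {"netlog.com", "sales.netlog.com", "mkt.sales.netlog.com",
          "erikmainz.com", "sales.erikmainz.com"}
FOREST_ROOT = "netlog.com"
TRUSTS = automatic_trusts(FOREST, FOREST_ROOT)
```

The transitive walk is the security-relevant part: with the four automatic trusts in this forest, a principal from mkt.sales.netlog.com can be authenticated by sales.erikmainz.com even though no administrator ever created a trust between those two domains, and every ACL in the forest must be written with that in mind.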

Figure 4.4
Viewing a domain tree as a hierarchical namespace almost always is very beneficial for
understanding the specific domain model. (The figure shows the tree root.com, its child
sub.root.com, and that domain’s child other.sub.root.com.)

In Active Directory, a domain that joins a domain tree immediately has trust relationships
established with every domain in the tree; no administrative intervention is required.
With these trust relationships in place, a user logs on just once and can then be
authenticated to servers throughout the entire tree. Note what a trust does and does
not do: it lets a domain accept the authentication performed by another domain, so that
principals from every domain in the tree can be named in access control lists anywhere
in the tree. It does not by itself grant access to anything; each object’s ACL still decides.
Just as drawing a picture of the hierarchical namespace helps you to grasp the intrica-
cies of the domain tree, drawing a picture of a domain tree based on its individual
domains and their mutual trusts will help you to understand the domain’s trust rela-
tionships (see Figure 4.5).

The Forest
A forest is a set of one or more domain trees that does not form a contiguous
namespace—that is, the trees in a forest don’t share a common root. For example, the
domains HQ.COM and SALES.COM have no obvious relationship to each other.
This is an example of disjointed naming, in which the two domains can’t be part of
the same domain tree, but have to be joined as a forest.
Combining trees in a forest provides you with the flexibility of both contiguous and
disjointed naming conventions. This can be useful, for example, in companies with
independent divisions that must each maintain their own DNS names.
Each tree in a forest must share a common schema, configuration, and Global Catalog,
and must trust the other trees of the forest via transitive hierarchical trust
relationships—just as in a domain tree. Thus, the only marked difference between a
tree and a forest is that each tree in an enterprise has its own unique namespace,
instead of having a contiguous namespace (which is also why a forest is sometimes
referred to as a noncontiguous or disjoint namespace).

Figure 4.5
Drawing a domain tree based on its trust relationships helps to clarify the full implications
of your domain model. (The figure shows Domain X and Domain Y joined by an automatically
defined trust, and Domain Z, which trusts them through an implicit trust.)

The Trusts Have Become Transitive
Trusts are also present in Windows 2000 Server for security among the domains in a
tree and among the domain trees in a forest.
However, the trusts in Windows 2000 Server are automatically defined between
domains, making them quite different from the trusts available in the previous versions
of Windows NT Server.
So please take note of the heavy changes brought about by the transitive, two-way
nature of the Windows 2000 Server trusts—before somebody with harmful intentions
does!

A forest exists as a set of cross-referenced objects and trust relationships that is known
to the member trees. Trees in a forest form a hierarchy for the purpose of trust; the name
of the domain at the root of that trust hierarchy (the forest root domain, which is the
first domain created in the forest) is used to refer to a particular forest (see Figure 4.6).
To make the resources in a domain or domain tree universally available to users, you
simply join a domain to a tree or associate two domain trees as a forest. When a domain
joins a tree, the trust is created between the joining domain and the parent domain.

Figure 4.6
When combined, these two separate domain trees form a forest, because the DNS names
of the two domain trees don’t have any common parts. (The figure shows the tree
Netlog.com with Sales.Netlog.com and Mkt.Sales.Netlog.com beneath it, next to the tree
ErikMainz.com with Sales.ErikMainz.com beneath it.)

When two trees are associated in a forest, the trust is created between the root do-
mains of each tree. The underlying trust relationships are transparent, and no further
management of the trust relationships is necessary. Because domain trees linked to-
gether in a forest are linked by transitive, two-way Kerberos trusts, users have access
to resources in any domain in the entire forest.
Note, however, that the chief advantage of the domain tree (that is, a contiguous
namespace) over the forest is that a deep search from the root of the namespace
effectively searches the entire hierarchy, whereas with a forest, you can search only
the Global Catalog and the local domain tree. This difference is the primary reason
that you should always strive to establish domain trees rather than a forest. A forest
merely provides a way to deliver the necessary flexibility for making Active Directory
viable in real-life applications when no other alternatives are available. Thus, a forest
should be considered only when a domain tree isn’t possible.

Organizational Units: Logical Partitioning Of Domains
Organizational Units (OUs) are just one among many types of directory objects con-
tained within each domain. However, an OU probably is the most important kind of
domain directory object, because it provides another level of partitioning of the logi-
cal namespace.
OUs are container objects that can be used to organize objects within a domain into
logical administrative groups. These logical containers can carry many interesting
objects, such as user accounts, groups, computers, printers, and even other OUs.
The combination of domains and OUs provides you with a powerful, flexible way
to organize your directory for the most effective administration. When you create
OUs within domains, you can organize your logical structure on as many levels
as you want, while still having the benefits of creating and managing a small number
of domains.
Even more importantly, OUs provide an administrative model that can be scaled to
the smallest size necessary. And with the new delegation features of Active Directory,
users and groups can be granted very specific administrative tasks, such as resetting
passwords or maintaining particular attributes, on the objects in a given container. For
example, a user can be granted administrative rights for only a subtree of OUs, or even
for a single OU. Delegation is implemented as access control entries on the OU object
that are inherited by the objects beneath it, so a delegated right also covers objects
created in that subtree later; review such entries as part of regular permission audits.

86 Chapter 4
Global Catalog: Another Key Feature Of
Active Directory
Active Directory can consist of many partitions (or naming contexts), but knowing
the DN of an object provides you with enough information to locate a replica of the
partition that holds a specific object.
Many times, however, the user or application doesn’t know the DN of the target
object, or which partition contains the object. The Global Catalog (GC) enables users
and applications to find objects in Active Directory, even if the user or application
knows only one or a few attributes of the target object. The information stored in the
GC supports fast queries of all objects in the entire domain tree or forest.
This neat feature is able to function because Active Directory holds all objects from
all domains and the Global Catalog holds a subset of each object’s attributes.
The point of the GC is to provide a service and a store that:
• Contains a replica of every object in Active Directory.
• Includes a subset of the object attributes defined by Microsoft. Administrators
can specify additional properties that meet their organization’s needs, to include
object attributes that are most frequently used in searches conducted by its em-
ployees or members.
• Is built automatically by Active Directory’s replication system.
Each site should typically have at least one GC server that is used to look up informa-
tion about any object in the forest in order to avoid unnecessary bandwidth usage. A
search of the Global Catalog can be initiated in one of several ways:
• By a subtree or one-level LDAP search rooted at the null DN (the root of the
namespace)
• By a direct reference to the GC port (TCP 3268, as opposed to the regular LDAP
port 389) at a GC replica
• By an explicit reference to the GC ADSI provider (GC://)

Domain Controllers And Sites:


The Directory’s Physical Parts
Until now, all the terms and concepts discussed have been purely logical—that is,
they are not bound in any way by physical limitations and thus don’t take important
physical limitations into account.

Active Directory is adapted to the physical side of life through two important features:
• Domain Controllers (DCs)
• Sites

Domain Controllers
As mentioned earlier, domain structure and site structure are two totally indepen-
dent concepts. A single domain can span geographical sites, and a single site can
include users and computers belonging to multiple domains.
Also, in Windows 2000 Server networks, you no longer have to distinguish between
primary domain controllers (PDCs) and backup domain controllers (BDCs). Unlike
the single-master model used by Windows NT 3.51 and NT 4, with its PDCs and
BDCs, in Active Directory networks, all DCs are peers, and each DC contains a
writeable copy of the domain’s directory. Any DC can change its copy of the direc-
tory, and any changes in the directory on one DC are then passed to the remaining
DCs in the domain.
Thus, all the DCs in a particular domain can receive changes directly and replicate
those changes throughout the domain. This allows inter-site replication to occur
within a domain, even if any single DC is not available.
Additionally, the peer controller architecture enables you to promote any standalone
or member server to the role of DC—or vice versa. Thus, any computer running
Windows 2000 Server can potentially become a DC, which also makes moving DCs
between domains very simple.
A DC can either join an existing domain or be the first DC in a new domain. A DC
that joins an existing domain is called a replica DC, because it receives a copy of the
domain’s directory and participates in the directory replication. When a DC be-
comes the first DC in a new domain, the act of promoting the server to a DC actually
creates the domain. A domain cannot exist until it has at least one DC.

Sites
To make sure that replication among the DCs for a particular domain can be fit to
the physical bounds (that is, the bandwidth between the geographical sites), Active
Directory includes a site concept.
A site is a location in a network that contains Active Directory servers and that has a
collection (one or more) of well-connected TCP/IP subnets. Typically, a site has the
same physical boundaries as a local area network (LAN).

Domain Controllers: Starting All Over Again!
When Windows 2000 Server is first installed, it is installed as either a standalone
server or a member server:
• A standalone server is a computer that is running Windows 2000 Server and that
isn’t a member of a Windows 2000 Server domain. If you install a server as a mem-
ber of a workgroup, that server is a standalone server.
• A member server is a computer that is running Windows 2000 Server and that is a
member of a domain, but not a DC. Member servers don’t receive copies of the
directory. They typically are dedicated to application services or resource services,
such as a file and print server or a fax server.
Windows 2000 Server uses the Active Directory Installation Wizard (formerly Do-
main Controller Promotion Wizard, DCPROMO) to promote a standalone or
member server to a DC role, or to demote a DC to a standalone or member server.
Also, please note that Windows 2000 Server no longer distinguishes between PDCs
and BDCs. In Active Directory networks, all DCs are peers and contain writable
copies of the directory.

When a user logs on, the Active Directory client finds Active Directory servers in the
same site as the user. This is accomplished easily, because the user’s workstation al-
ready knows what TCP/IP subnet it is on, and subnets translate directly to Active
Directory sites.
Correspondingly, defining a site as a set of subnets lets administrators quickly and
easily configure Active Directory’s access and replication topology to take the proper-
ties of the physical network properly into account.

How Does A Workstation Discover Its Site?


A workstation discovers its site by presenting its subnet (that is, by applying its
subnet mask to its IP address) to the first Active Directory server contacted. The
first server contacted uses the presented subnet to locate the Site object for the
site in which the workstation is located. If the current server isn’t in that site, the
server notifies the workstation of a better server to use.

Key Active Directory Features


Some of the other features that are integral to a full understanding of Active Directory’s
functionality are DNS integration, Kerberos security, the wire protocols used to

access the directory information, and replication. These functions are crucial for bring-
ing and keeping the Active Directory in operation. That is, most of them aren’t concepts
that have to be taken into consideration when doing the actual designing of the
Active Directory structures, but they have to be properly understood by Windows
2000 Server administrators.

DNS Integration
Active Directory is tightly integrated with the Domain Name System (DNS). DNS
is the distributed namespace used on the Internet to resolve computer and service
names to TCP/IP addresses. Most enterprises with intranets already use DNS as
their name resolution service—and now they have to expand this use to cover
Active Directory.
Windows 2000 Server domain names are DNS domain names. For example,
“Netlog.com” is a valid DNS domain name and thus can also be the name of a
Windows 2000 Server domain.
When an Active Directory server is installed, it publishes itself via Dynamic DNS
(DDNS), a recent extension to the DNS standard that defines a protocol for dynami-
cally updating a DNS server with new or changed values. Prior to DDNS,
administrators had to configure manually the records stored by DNS servers.
Active Directory servers publish their addresses in a form that enables a client
to find them even if the client knows only the domain name. Active Directory
servers are published via Service Resource Records (SRV RRs) in DNS. The SRV
RR is a DNS record that is used to map the name of a service to the address of a
server that offers that service. The name of a SRV RR takes the following form:
<service>.<protocol>.<domain>.
Active Directory servers offer the Lightweight Directory Access Protocol (LDAP)
service over the TCP protocol, so that published names are in the following form:
_ldap._tcp.<domain>.
Additional information on the SRV RR indicates the priority and weight for the
server, enabling clients to choose the best server for their needs.

How Does A Workstation Find A Directory Server?
A workstation finds a directory server by querying DNS. Directory servers for a
particular domain publish SRV Resource Records in DNS with names in the form:
_ldap._tcp.<domain name>.
Thus, a workstation logging in to acme.com will query DNS for SRV RRs for
_ldap._tcp.acme.com. A server will be selected from the list and then contacted.
The contacted server uses the subnet information presented by the workstation
to locate a DC that is in the site.
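As an added example (not code from the book), the following script shows how a client builds the `_ldap._tcp.<domain>` owner name and then orders the SRV answers by priority and weight, which is the selection rule the chapter refers to. The record set for acme.com is constructed; the host names dc1, dc2 and dc-fallback are assumptions, and a real client would obtain the records from a DNS query.

```python
"""Added example, not code from the book: SRV name construction and the
priority/weight ordering a client applies to the answers (RFC 2782 rule).
The SRV data below is constructed; a real client gets it from DNS."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is tried first
    weight: int     # relative share of load among equal-priority servers
    port: int
    target: str     # host offering the service


def srv_name(domain, service="ldap", protocol="tcp"):
    """Owner name to query, e.g. srv_name("acme.com") -> "_ldap._tcp.acme.com"."""
    return f"_{service}._{protocol}.{domain.strip('.')}"


def order_servers(records, seed=None):
    """Return the records in the order a client should contact them.

    Priority levels are tried lowest first. Within one level a weighted
    random draw picks the next server, so heavier servers are chosen more
    often; weight-0 servers are drawn only when nothing else is left."""
    rng = random.Random(seed)
    ordered = []
    for level in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == level]
        while pool:
            # weight-0 entries go first so a draw of 0 is the only way to pick them
            pool.sort(key=lambda r: r.weight == 0, reverse=True)
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


# Constructed sample answer for _ldap._tcp.acme.com (not real DNS data):
# two DCs at priority 0 share the load; one at priority 10 is a fallback.
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.acme.com."),
    SrvRecord(priority=0, weight=100, port=389, target="dc2.acme.com."),
    SrvRecord(priority=10, weight=0, port=389, target="dc-fallback.acme.com."),
]

if __name__ == "__main__":
    print(srv_name("acme.com"))
    for r in order_servers(SAMPLE_SRV):
        print(f"{r.target}:{r.port}  priority={r.priority} weight={r.weight}")
```

Because the two priority-0 servers carry equal weight, which of them comes first varies from run to run, while the fallback is always tried last.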

Kerberos Security
In Active Directory, authentication and access control are based on the Kerberos
version 5 protocol. This protocol is fully integrated with the Windows 2000 Server
security architecture for authentication and access control of servers and users.
The initial Windows 2000 Server domain logon is provided by the WinLogon single
sign-on architecture. Initial Kerberos protocol authentication is integrated with
WinLogon.
The Kerberos version 5 protocol is a “shared-secret” authentication protocol, in which
the user and the authentication service both know the user’s password or the one-way
encrypted password. The Kerberos protocol defines the interactions between a client
and a network authentication service that is known as a Key Distribution Center (KDC).
Windows 2000 Server implements a KDC as the authentication service on each DC.
The KDC uses the Active Directory as the account database for users (principals)
and groups.

Accessing Active Directory
Access to Active Directory is accomplished via wire protocols, which define the formats
of messages and interactions between the client and server. Supported protocols
include the following:
• Lightweight Directory Access Protocol (LDAP)—The Active Directory core protocol.
LDAP versions 2 and 3 are supported.
• Messaging API-remote procedure call (MAPI-RPC)—Active Directory supports
the remote procedure call interfaces that support the MAPI interfaces.
Various APIs give developers access to these protocols. Supported APIs include:
• Active Directory Service Interface (ADSI)—Provides a simple, powerful, object-oriented
interface to Active Directory developed by Microsoft. Developers can use many
different programming languages, including Java, Visual Basic, C, C++, and others.
ADSI is fully scriptable for ease of use by system administrators. ADSI hides the
details of LDAP communications from users.
• LDAP API—The LDAP C API, defined in RFC 1823, is a lower-level interface
that is available to C programmers.
• Messaging API—Active Directory supports MAPI for backward-compatibility.
New applications should use ADSI or the LDAP C API.

Replication
Active Directory provides multimaster replication, which means that all replicas of a
particular partition (that is, the DC) are writeable, enabling updates to be applied to
any replica of that partition. The Active Directory replication system propagates the
changes from one replica to all other replicas. Replication is automatic and transparent.
Some directory services use timestamps to detect and propagate changes. In these
systems, the clocks on all directory servers must always be synchronized. Historically,
time synchronization within a network has proven to be a very difficult undertaking.
Even with very good network time synchronization, the time at any particular directory
server can be incorrectly set, which in turn can lead to lost updates.
To avoid synchronization problems, the Active Directory replication system doesn’t
depend exclusively on time for update propagation. Instead, it uses an Update Sequence
Number (USN), a 64-bit number maintained by each DC server. When the DC server
writes any property to Active Directory, the USN is advanced and stored with the
property that was written. This operation is performed atomically—which means that
the incrementing and storage of the USN and the write of the property succeed or fail
as a single unit of work.
Each DC server also maintains a table of USNs that are received from replication
partners. The highest USN received from each partner is stored in this table. When a
DC is notified by a particular partner that replication is required, that server returns
all changes with USNs greater than the last USN value received. This is a very simple
approach that doesn’t depend on the accuracy of timestamps.
Because the USN stored in the table is updated atomically for each update received,
recovery after a failure is also simple. To restart replication, a server simply asks its
partners for all changes with USNs greater than the last valid entry in the table.
Because the table is updated atomically as the changes are applied, an interrupted
replication cycle always picks up exactly where it left off, with no loss or duplication
of updates.
In a multimaster replication system, such as Active Directory, the same property may
be updated at two or more different replicas. When a property changes in a second
(or third, or fourth, and so on) replica before a change from the first replica is fully
propagated, a replication collision occurs. Collisions are detected through the use
of Property Version Numbers. Unlike USNs, which are server-specific values, a
Property Version Number is specific to the property of an Active Directory object.
When a property is first written to an Active Directory object, the version number
is initialized.
An originating write—a write to a property at the system initiating the change—
advances the version number. Property writes caused by replication are not originating
writes, and thus don’t advance the version number. For example, when a user updates
his or her password, an originating write occurs and the password version number is
advanced. Replication writes of the changed password at other servers don’t advance
the version number.
A collision is detected when a change is received via replication in which the property
version number received is equal to the locally stored property version number, and
the received and stored values are different. When this occurs, the receiving system
applies the update that has the later timestamp. This is the only situation in which
time is used in Active Directory replication.
When the received version number is lower than the locally stored version number,
the update is presumed stale and thus discarded. When the received version number
is higher than the locally stored version number, the update is accepted.
The Active Directory replication system also allows loops in the replication topology,
enabling an administrator to configure a replication topology with multiple paths
among the servers, which enhances performance and availability.
Active Directory’s replication system performs propagation dampening to prevent
changes from propagating endlessly, and to eliminate redundant transmission of
changes to replicas that are already up-to-date. Up-to-date vectors—lists of server-
USN pairs held by each DC server—are used to dampen propagation. The up-to-date
vector at each server indicates the highest USN of originating writes received from
the server in the server-USN pair. An up-to-date vector for a server in a particular site
lists all the other servers (where an originating write has occurred) in that site.
When a replication cycle begins, the requesting server sends its up-to-date vector to
the sending server. The sending server uses the up-to-date vector to filter changes
sent to the requesting server. If the highest USN for a specific originating writer is
greater than or equal to the originating writer USN for a particular update, the sending
server does not need to send the change; the requesting server is already up-to-date
with respect to the originating writer.
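The following is an added example (not code from the book) that models the bookkeeping described in this section on two toy DCs: the server-specific USN, the table of the highest USN received from each partner, property version numbers that only originating writes advance, the timestamp tie-break for collisions, and up-to-date vectors that filter changes the requester already holds. DC names, the property name and the timestamps are constructed; real DCs replicate whole objects rather than single properties.

```python
"""Added example, not code from the book: a toy model of the replication
bookkeeping described above, using the book's terms. DC names, property
names and timestamps are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Prop:
    value: str
    version: int    # property version number; only originating writes advance it
    stamp: int      # time of the originating write; consulted only to break version ties
    orig_dc: str    # DC where the originating write happened
    orig_usn: int   # that DC's USN for the originating write (for the up-to-date vector)
    local_usn: int  # USN this DC assigned when it stored the property


class DC:
    def __init__(self, name):
        self.name, self.usn = name, 0   # the USN is server-specific, never shared
        self.props = {}                 # property name -> Prop
        self.watermark = {}             # partner -> highest partner USN received
        self.utd = {name: 0}            # up-to-date vector: originating DC -> USN

    def originating_write(self, prop, value, stamp):
        old = self.props.get(prop)
        self.usn += 1                   # USN advance and store are one unit of work
        self.utd[self.name] = self.usn
        self.props[prop] = Prop(value, old.version + 1 if old else 1, stamp,
                                self.name, self.usn, self.usn)

    def changes_for(self, last_usn, requester_utd):
        """Changes above the requester's watermark, minus those its up-to-date
        vector shows it already holds (propagation dampening)."""
        return [(n, p) for n, p in self.props.items()
                if p.local_usn > last_usn
                and p.orig_usn > requester_utd.get(p.orig_dc, 0)]

    def apply_replicated(self, prop, inc):
        old = self.props.get(prop)
        if old and inc.version < old.version:
            return "stale"              # lower version number: discard
        outcome = "accepted"
        if old and inc.version == old.version and inc.value != old.value:
            if inc.stamp <= old.stamp:  # collision: the later timestamp wins
                return "collision-kept-local"
            outcome = "collision-took-remote"
        self.usn += 1                   # a replication write advances the USN
        self.props[prop] = Prop(inc.value, inc.version, inc.stamp,  # but not the version
                                inc.orig_dc, inc.orig_usn, self.usn)
        return outcome

    def pull_from(self, partner):
        """One replication cycle; the watermark advances as each change is applied."""
        last = self.watermark.get(partner.name, 0)
        results = []
        for n, p in partner.changes_for(last, self.utd):
            results.append((n, self.apply_replicated(n, p)))
            self.utd[p.orig_dc] = max(self.utd.get(p.orig_dc, 0), p.orig_usn)
            self.watermark[partner.name] = max(last, p.local_usn)
        return results
```

Writing the same property on both DCs before either replicates produces equal version numbers with different values, and the DC whose write carries the later timestamp wins on both sides once they have pulled from each other.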



What Happens To WINS?
WINS is unchanged for Windows 2000 Server. Actually, Windows 2000 Server includes
a new and much-improved version of WINS. However, Windows 2000 clients (and
Windows 95/98 clients with the Active Directory upgrade installed) no longer need to
use NetBIOS on top of the TCP/IP stack—they use DDNS to resolve network names,
instead.
WINS is still required for down-level (that is, legacy) clients to find servers, and vice
versa. So, when no more down-level clients and servers are in the enterprise, all the
WINS servers can be turned off.

How Active Directory Fits Within The Windows 2000 Server Architecture
The core architecture of the Windows 2000 Server operating system is very similar
to its predecessor, Windows NT Server 4 (see Figure 4.7). For example, Windows
2000 Server still carries a very modular architecture, which means that it is composed
of several separate and distinct components, each of which is responsible for its
own functions.
This modularity is also the reason that Active Directory hasn’t forced any major
changes on the OS kernel. Active Directory is simply part of the Security Subsystem
component (which is run in User Mode). This means that Active Directory is a full
participant in the Windows 2000 Server security infrastructure, because all objects in
Active Directory are protected through Access Control Lists (ACLs); any attempt to
access an object or attribute in Active Directory is validated against the ACL.
The Security Subsystem consists of several components (the Resource Kit for Windows
2000 Server provides a complete review of the Security Subsystem), one of which is
the Local Security Authority (LSASS.EXE). LSASS.EXE is a protected subsystem that
maintains the security for the local computer, ensuring that users have the proper
system access permissions.
Active Directory is located in the Directory Service module inside LSASS.EXE, as
shown in Figure 4.8.
Specifically, the LSASS.EXE subsystem of Windows 2000 Server includes the
components listed in Table 4.1.

Figure 4.7
[Diagram: the POSIX, Win32, OS/2 and Security Subsystems (with Active Directory inside the Security Subsystem) run above the Executive Services, the Kernel, the Hardware Abstraction Layer (HAL) and the hardware.]
The Windows 2000 Server architecture looks exactly like the architecture of Windows NT 4, except
for the Active Directory addition to the Security Subsystem in Windows 2000 Server.

Table 4.1 The components of LSASS.EXE.

Component      Description
Netlogon.DLL   A command-line utility that maintains the computer’s secure channel to a DC. In Windows 2000 Server, Netlogon uses DNS to locate the DCs.
MSV1_0.DLL     The NTLM authentication protocol that is used by previous versions of Windows NT.
Kerberos.DLL   The Kerberos authentication protocol, the default authentication protocol of Active Directory.
SCHANNEL.DLL   The SSL authentication protocol, which can be used as a supplement—or substitute—to Kerberos.
LSASRV.DLL     Enforces security policies.
SAMSRV.DLL     Enforces stored policies and supports legacy Windows NT APIs.
NTDSA.DLL      The Directory Service Module, the Windows 2000 Server replication protocol that supports LDAP and manages partitions of data.
SECUR32.DLL    The multi-authentication provider that holds together all the components.

Figure 4.8
[Diagram of the LSASS.EXE components: NTLM (MSV1_0.DLL), SSL (SCHANNEL.DLL) and Kerberos (Kerberos.DLL) above Secur32.DLL; Netlogon (NETLOGON.DLL), LSASRV.DLL and the Security Accounts Manager (SAMSRV.DLL) reached via RPC; the Directory Service (NTDSA.DLL) reached via RPC and LDAP.]
Active Directory is located in the Local Security Authority (LSASS.EXE) component inside the
Security Subsystem.

Of these components, the Directory Service Module (NTDSA.DLL) is the most
important with regard to Active Directory. The Directory Service Module consists of
three components and several interface agents (see Figure 4.9) that work together to
provide directory services that are compatible with legacy systems (such as Windows
NT 4) and other systems (such as Outlook clients and Exchange Server).
Table 4.2 describes the three components of the Directory Service Module, which
act as layers (from the top down).

Table 4.2 The components of the Directory Service Module (NTDSA.DLL).

Component                        Description
Directory Service Agent (DSA)    Creates a hierarchical tree-like namespace from an existing flat namespace, which in turn enables others to view users and resources in a more logical manner. Also includes support for replication, enforces the directory schema, and contains Active Directory policy information, such as partitioning and referrals.
DataBase Layer (DB layer)        An internal abstraction layer that provides access to database storage and search functionality. All database access is routed through the DB layer.
Extensible Storage Engine (ESE)  An improved version of the Jet database engine that is used in Microsoft Exchange Server 4 and 5 (and that will be used for new versions, starting with release 6). ESE stores all Active Directory objects. The database currently has a limit of 17TB, which means that every domain theoretically can hold at least ten million objects. Also worth mentioning is that ESE reserves storage only for the space that actually is used (for example, if an object can have 50 attributes, but a new instance of that object is created with only 4 attributes, space is consumed only for the 4 attributes actually used).

Table 4.3 lists and describes the five interface agents that access the Directory
Services module.

Figure 4.9
[Diagram: the interface agents LDAP, REPL, NSPI, XDS and SAM sit above the Directory System Agent (DSA), the DB Layer and the Extensible Storage Engine (ESE) Store.]
Directory Service Module (NTDSA.DLL) is a central part of Active Directory.

Active Directory, In Summary
Table 4.4 contains the most important terms and features of Active Directory, for
your review.



Table 4.3 The interface agents that access Directory Services.

Interface Agent  Description
LDAP             Used to communicate with LDAP and ADSI clients.
REPL             Governs the intersite and intrasite replication that can use different transports (RPC and SMTP).
NSPI             Name Support Provider Interface, used to communicate with Outlook clients.
XDS              Exchange Directory Service, used to communicate with legacy Exchange Servers (Exchange Server 5.5 and earlier).
SAM              Security Account Manager, used for legacy communication with NT 4 BDCs and for the NT 4 NET APIs.

Table 4.4 The primary features of Active Directory.

Feature                   Description
Domains                   The fundamental logical building block for the partitioning of Active Directory. Partitioning is a very important concept of directory services, because it allows the use of multiple directory partitions rather than one massive store. Consequently, each domain’s directory needs to store only the information about the objects located in that domain, and Active Directory as a whole becomes very scalable.
Domain tree               The prevalent way of connecting several domains. The connections are done so that the domains form a hierarchical structure.
Forests                   A way of connecting several domain trees. A forest enables administrators to join two domain trees that have no common parts (for example, in a merger of two separate companies).
OU (Organizational Unit)  Provides a way to partition a domain. The intended use of OUs is to build a hierarchy that models the real properties (departments, teams, and so forth) of a particular organization.
Directory schema          Defines which objects can be created in the directory and which attributes can be assigned to those objects. The directory schema of Active Directory is fully extensible, allowing administrators or applications to add to the directory new object types or attributes that service the specific needs of the network users or the applications in use, thus using the directory as a data store.
Global Catalog            A service that allows users and administrators to query for and find any network object very quickly. The Global Catalog (GC) can be thought of as the index engine of Active Directory that makes queries fast and easy. The GC service lists only the resources available to the person that posed the query, as a matter of security.
Replication               Active Directory is based on multimaster replication, which means that directory changes can be written to any DC in the domain. The DC then replicates the changes to its replication partners. Multimaster replication provides the scalability and fault tolerance needed to handle a crucial network service such as Active Directory.
DNS integration           Active Directory uses DNS as its domain naming and location service. DNS is the most widely used directory service in the world, because DNS is the locator service used on the Internet and in most private intranets. Because Active Directory uses DNS as its location service, Windows 2000 Server domain names are also DNS names.
