180_AD2e_01P1 8/30/01 10:39 AM
www.syngress.com

Chapter 1

Introduction to Active Directory

Solutions in this chapter:

■ Introduction to Directory Services
■ Introduction to Active Directory
■ Active Directory Architecture

Summary
Solutions Fast Track
Frequently Asked Questions

Introduction

In November 1996, Microsoft delivered the first preview of Active Directory for developers at the Professional Developers Conference held in Long Beach, California. At the time, it was just the directory service that was shipped with Windows NT 5.0, and the preview included many other Windows NT 5.0 features. A lot of changes have taken place since then. For one, Windows NT 5.0 was renamed Windows 2000, and then it was released to the public officially in February 2000, four years after its original preview to developers. The change of the name from Windows NT 5.0 to Windows 2000 was a surface change only. Windows 2000 inherits the NT technology legacy from previous versions. It has been established as the basic network operating system for Microsoft's .NET platform. All .NET services run on Windows 2000 Server. Applications developed with the .NET framework also require servers to be running Windows 2000. The directory service used by .NET applications is Active Directory. The question remains, then, how can you take advantage of Active Directory and use its capabilities to reach your business objectives, not only for the present, but also in the future?
That is the question that this book will answer.

Introduction to Directory Services

It would be tough to claim that Active Directory is the first directory service ever created. In fact, directory services have been available in a variety of network operating systems (NOS). Directory services are used primarily for organizing, locating, and managing network information. People use directory services without even knowing they are doing so. Because it is used to translate server names to Internet Protocol (IP) addresses, the Domain Name System (DNS) is the most widely used directory service in the world. DNS is rather "usage-specific," meaning that it organizes only a limited amount of information about network hosts. DNS stores data about servers, their IP addresses, and services that they offer to the network. Although this is pretty much the extent of DNS, other directory services do not have the same limitations. A directory service can organize all sorts of information about a network. Usually, this information falls into the following categories:

■ Network resources: Servers, printers, and other devices on a network
■ Network services: Capabilities on the network such as file storage, printing, and e-mail
■ Network users and groups: Identifiers for users on a network and for groups of users

As you can see, a directory service organizes the pieces of a network, enabling a way to create relationships between the pieces. The relationships between these pieces are what make the directory service so powerful. For example, in DNS, a DNS client computer can query a DNS server to find out the IP address of a server that it wants to contact. The DNS server receives the host name and returns the IP address in short order. More complex relationships can be created in more complex directory services, such as providing access to network resources and services for users who log on.

Directory Enabled Networks

The Distributed Management Task Force (DMTF) is developing a standard for Directory Enabled Networks (DEN). You can access the DMTF Web site at www.dmtf.org.

Even though many network operating systems support one or more types of directory services, most of those directory services are vendor specific. This means that one server on a network might be able to access one particular directory, but another server on the same network will not be able to access that directory simply because it is running a different vendor's network operating system. As a result of using multiple network operating systems, you might be using multiple directory services on a single internetwork. This poses problems for users who are faced with multiple logons and for network administrators who must manage information that is duplicated across multiple directory services.

As vendors create DEN-compliant directories, multiple network operating systems will be able to participate in a single directory service. This will solve the challenges of managing the same information in multiple directory stores. It will also reduce the number of logons that a user must execute in order to access network resources. The standard directory service being developed for DEN will extend beyond the simple organization of addresses and host names that DNS provides. Instead, the directory service will organize all the services and resources participating in a network, as depicted in Figure 1.1. Once the DEN standard is finalized, Microsoft intends to make Active Directory comply with that standard.

DEN standards eventually will apply to all future directory services, and also to a variety of network resources and services. For example, a router can comply with the DEN standard and automatically integrate with the DEN-compliant directory service running on a network. An object would be created in the directory service to represent that router. A variety of values for the router would be applied, and the administrator could apply policies to the router and the traffic that flowed across it. In fact, because the DEN-compliant directory service included user objects, the traffic that was associated to a particular user could be managed with the router performing queries against the directory service. In practice, an executive might be granted more bandwidth usage and the router would provide that to traffic associated with that executive. All of this would be possible using queries against the directory service's policies, without needing to know the IP addresses of the computers used or the location of the user.

Figure 1.1 Directory Service Structure
[Figure: a directory service at the center that organizes, manages information, applies security settings, and enables access; attached to it are a user (with E-Mail Address, DHCP Address, and DNS Address/Hostname), an application, a license, a network printer, and a file server.]

History of the Directory Service

In the not-too-distant past, networks were server-centric. Each server had its own security system, which consisted of user accounts, group accounts, and network resources. It would associate those user accounts to the files, directories, printers, and other services or resources that it had to offer. These associations had a value to them, such that one person could have more access to one network resource than another person, simply due to the rights assigned to user and group accounts. In a way, this server-centric system was one of the first directory services, but one whose scope existed only on a single server.

Networks first popped up in the military as a method to share data quickly across great distances. They offered a major advantage in times of war. Money was one of the main reasons that networking became prevalent in businesses. Hard drives were extremely expensive, as were printers. Many of the first corporate networks sprang up out of a need to share printers and precious hard-drive space among multiple computers. Soon, these servers' hard drives would fill up. They would run out of printer ports. At some point in time, another server would be added to the network to allow further storage of shared files or to add new printers.

Once an administrator established a server to share files and printers, the administrator was faced with an issue: how to protect sensitive files and printers from unauthorized users while allowing use of the remaining files and printers. In some cases, the administrator wanted to allow some users limited access to a file or a printer. Access rights were added to the system, and users were given specific logon IDs. The server could then easily share files and printers to the correct users, depending on the administrator's configuration.

When a network contained more than one server, administration became difficult. If a user needed to access files or printers residing on two or more servers, that user needed to know how to access each specific server. In addition, the user needed a separate logon ID and password for each server. Some administrators used naming conventions to ensure that a user did not need to have more than one unique logon ID. Sometimes, a network had multiple administrators with different naming conventions, providing users with two or more unique logon IDs. For administrators, it was difficult to keep passwords synchronized since each server might have a different timing mechanism to enforce password changes. For users, the end result in a multiserver environment was a convoluted and difficult process of remembering the location of resources, remembering the correct logon ID, and remembering the correct current password, all just to be able to access resources on the network.

Network operating systems soon developed a variety of ways to use a single logon ID and password to access multiple servers. For example, Microsoft Windows NT uses a domain architecture. An NT domain is a group of Windows NT servers that participate in a single security system listing users, groups, and network resources. It consists of a primary domain controller (PDC), any number of backup domain controllers (BDCs), and any number of member servers and client computers. The PDC is the security manager of the domain. BDCs maintain a read-only copy of the security database, and the PDC remains the single point of change control. Member servers and client computers contact the domain controller (DC) to access network resources. Because of their membership, a PDC or BDC in the domain can use the security database to authenticate users to access resources. A member server can use the security database by querying a PDC or BDC. A domain is logically established in the structure shown in Figure 1.2.

Figure 1.2 The Components of a Single Domain
[Figure: a Windows NT domain containing domain controllers, member servers, client computers, network printers, and users.]

A domain is a security boundary, which means that if you need to separate one security set from another, you will need to have more than one domain. Using trust relationships, you could have multiple domains. A trust relationship is established between two domains. In order to enable users of domain A to access the resources, such as the files and printers, of domain B, domain B must trust domain A. When drawn out, this trust relationship is shown as an arrow pointing from the trusting domain to the trusted domain. Microsoft defines various models for a multiple domain structure:

■ Master Domain model: All resource domains trust a single Master Domain that contains all user accounts. This is depicted in Figure 1.3.
■ Multiple Master Domain model: All resource domains trust all Master Domains. Master Domains contain user accounts. Each Master Domain trusts all other Master Domains.
■ Single Domain model: There is only a single domain that contains all users and resources. There is no trust relationship with other domains.
■ Complete Trust model: All domains trust each other, regardless of whether they contain users, resources, or both.

Figure 1.3 Legacy Windows NT Master Domain Model
[Figure: a Master Domain (domain controllers, users, member servers, client computers, network printers) trusted by two Resource Domains, each with its own domain controllers, member servers, client computers, and network printers.]

Domains contain the rudimentary elements of a directory service. They enable multiple servers to look up information and use it for authenticating users and granting those users access to network resources. Although a domain is effective as a security model for a small or medium-sized organization, it does not have some of the features that a directory service can offer. An NT domain structure is flat rather than hierarchical like most directory services, which means that security cannot be applied at different levels. Since each domain is its own administrative area, the only way to implement distributed administration is to have multiple domains.

Legacy NT domains require a significant amount of traffic between clients and the PDC or a BDC. These domains also require the security database to be copied from a PDC to the BDCs on a periodic basis. This traffic overhead is undesirable over wide area network (WAN) links that may have a limited amount of bandwidth available, or that are costly to transmit traffic across. To reduce this overhead, multiple domains can be created such that no domain spans a WAN link. Trust relationships between multiple domains become cumbersome as more domains are added. As a result, trade-offs may be made between WAN performance or administrative needs and domain structures.

Directory services were developed as a way to overcome single server and domain architecture limitations. They are usually organized in a hierarchical fashion, encompass multiple servers and resources, and offer fully distributed administration. Furthermore, directory services normally are established in an efficient database that is distributed throughout the network to prevent WAN overhead issues.

Designing & Planning…

The X.500 Directory Standard

Many directory services state that they are X.500 compliant. X.500 is a directory service standard ratified by the International Telecommunications Union (ITU-T) in 1988 and modified in 1993 and 1997. It was intended to provide a means to develop an easy-to-use electronic directory of people that would be available to all Internet users. The X.500 directory standard specifies a common root of a hierarchical tree. Contrary to its name, the root of the tree is depicted at the top level, and all other containers (which are used to create "branches") are below it.

There are several types of containers with a specific naming convention. In this naming convention, each portion of a name is specified by the abbreviation of the object type or container it represents. A user has a CN= before the username to represent its "Common Name," a C= precedes a country, and an organization is heralded by an O=. When compared to IP domain names—for example, host.subdomain.domain—the X.500 version of CN=host/C=US/O=Org appears excessively complicated.

Each X.500 local directory is considered a Directory System Agent (DSA). The DSA can represent either single or multiple organizations. Each DSA connects to the others through a Directory Information Tree (DIT), which is a hierarchical naming scheme that provides the naming context for objects within the directory.

Although Active Directory is derived from the X.500 model, Active Directory does not implement all of the X.500 protocols because of the excess overhead involved or the lack of their general usage. These protocols include:

■ Directory Access Protocol (DAP)
■ Directory Information Shadowing Protocol (DISP)
■ Directory Operational Binding Management Protocol (DOP)
■ Directory System Protocol (DSP)

Active Directory does implement the Lightweight Directory Access Protocol (LDAP), which affords an effective combination of DAP and DSP features without involving any excess overhead.

What Is in a Directory Service?

A directory is a place to store information. The type of information that is stored in a directory falls into three basic categories:

■ Resources
■ Services
■ Accounts

Resources are the components attached to the network and made available to users. Examples of resources are:

■ A server's hard drive
■ An IP address
■ A fax modem
■ A scanner
■ A printer
■ Any "thing" that can be used by a client workstation

Services run from a server and usually interface to the heart of the Network Operating System. They provide functions on the network, usually so that resources can be shared. Most services are simply network applications, such as a messaging service that allows users to send e-mail. These two categories typically are related. For most services, there is an analogous resource, and for most resources, there is an analogous service (see Table 1.1). Sometimes, however, a resource or a service stands alone.

Table 1.1 Examples of Resources and Analogous Services

Resource              Service that Supplies the Resource to Users
Server hard drive     File service
IP address            Dynamic Host Configuration Protocol (DHCP)
Application           Application service
Printer               Printing service
Messaging database    Messaging service
Terminal              Terminal service such as Telnet
Modem                 FAX service
VPN Connection        Remote Access Service (RAS)

The final category in a directory is an account. An account is usually a logon ID and associated password used for access to the network. Groups work in a similar manner to user accounts. Directory services can contain a variety of other objects that are security principals, such as aliases. All objects that are used principally for logon or authentication to resources for a user fall in the account category. A security principal is an object that can be granted the right to use a service or a resource.

Each resource, service, and account is stored as an object in the directory. The hierarchy within the directory service, along with some planning, offers a consistent way to name, organize, access, administer, and secure the network. A directory service, then, becomes the center of network operations for all servers providing services and resources, and for all client workstations and users requesting access to the services and resources. The information in the directory service manages how the services, resources, and accounts relate to each other.

Each object in the directory service includes a set of properties, or attributes. For example, a user account property might be the city in which the user resides, or a DNS hostname would have the property for the IP address that host has been assigned. Each one of the attributes for a specific object in the directory can be given a value. For example, a user account property named "City" may have the value of "Paris" for the user account named "Joe." Not all properties must be given values.

Access Control Lists (ACLs) manage the security relationship between resources, services, and accounts. ACLs maintain a list containing the information about whether an account has been granted the privilege to access a given service or resource located in the directory. An ACL can even grant the privilege to access other accounts and their properties for administration purposes.

A directory service may have one of three different structures:

■ A flat file, where all the elements are lumped together in a single group, and all rights and privileges must be granted explicitly
■ Multiple groups in a relationship with each other to provide a flow-through path for rights and privileges
■ A hierarchical tree structure, where rights and privileges can be inherited through nested Organizational Units (OUs)

A well-planned organization of the directory service is critical to reducing administrative overhead. Administrative functions can benefit from a hierarchical structure, but only when it is organized to take advantage of the hierarchy. Even when a directory service has a hierarchical structure, if you don't implement that hierarchy or don't design it to reduce administrative functions, then the native structure does not offer any benefits.

The Directory Database

A directory typically is implemented in the form of a database, or directory store. Databases have a specific organizational composition called a schema. A schema defines the types of objects and properties that can exist in the directory. The database store is distributed throughout an internetwork with partitions of it being placed on special servers known as domain controllers. Many times, these partitions are called replicas because there are copies of them on multiple servers for redundancy.

A directory service that is distributed and copied across multiple servers enables the same information to be accessible to a person in Tokyo, Japan as it is to a person in London, England. Distributed directory services are highly effective, with replicas offering failover so that users can always log on or query the database from any network location. It would not be efficient if all people around the world were required to access a single server to find information. That situation would present serious bandwidth concerns, not to mention the fact that it presents a single point of failure if that one server went down. However, placing replicas on strategic servers throughout an enterprise network provides a method of access that does not overwhelm the network, as well as a method of fault tolerance.

When there are multiple replicas of a database, they must be synchronized so that updates to the information are identical throughout the entire installed set. The process of synchronization of information between multiple hosts is usually called convergence. The more efficient a network is, the less time it takes for the network to be fully converged once a change has been made.

Communication between the servers during convergence is handled best via a transaction-oriented database update protocol. A transaction-oriented database update protocol does not send entire copies of the directory across the network. Instead, as the name implies, it sends only the information changed due to some database transaction. This process is less time-consuming and bandwidth-intensive because only updates need to be changed throughout the replicas, rather than the entire database being copied from server to server. Even when an object has a single property update, such as a change to a user account's phone number, it is not necessary to copy the entire object with all its properties to each database replica. Instead, only the property value that changed needs to be updated, along with enough information to locate the object for which the value has changed. For example, when a user is married, she may change her name. The Network Administrator would edit the Last Name property of the user account. The only information that must be changed on the database replicas is that last-name property and the location of the user account object in the directory. This update-based replication will minimize the synchronization traffic on the network, as well as the processing burden on the servers running the directory service.

There are two fundamental tactics when replicating databases:

■ Master-Slave: All changes to the directory must first be made to a designated master server and then propagated to all slave servers. Although effective from a change management perspective since there is a single point of administration, this method provides a single point of failure in the event the master server were to fail. Windows NT domains used the Master-Slave tactic.
■ Multi-Master: Any changes made to the directory can be made to any directory server, which then propagates that change to the remaining directory servers. This method provides fault tolerance and distributed administration. However, the Multi-Master method requires a way to handle conflicting changes in the directory. Windows 2000 Active Directory domains use the Multi-Master replication tactic and address this issue.

Directory Service Domino Effect

When a directory service consists of a distributed database using Multi-Master replication and a hierarchical organization, it has a domino effect on the network's management, dissolving administrative headaches suffered by networks that use Master-Slave replication and have a flat file structure. These benefits include:

■ Straightforward Administration: It collapses the management for users, applications, and network devices into a single point, but can be administered from anywhere in the network.
■ Centralized Security: It provides a single logon and consistent security mode throughout the network, reducing user administration.
■ Extensible and Interoperable: It extends the capabilities of the network into the future. Not only is there a base of standards within the schema, but the schema can be extended to include new objects and properties. An extended schema may enable other systems, directory services, and applications to interoperate with the directory service.

As a result of the hierarchy and Multi-Master replication, more resources and services can take advantage of the directory service, making the entire network an open system. This model and its rewards are all representative of the Active Directory Service that is part of the Windows 2000 Server family.

Introduction to Active Directory

Active Directory is the directory service provided with Windows 2000 Server products. Active Directory has the following characteristics:

■ It is a database that is distributed across multiple servers.
■ It uses a Multi-Master replication model to propagate updates throughout the network.
■ It has an extensible schema representing user accounts, group accounts, resources, and services as objects.
■ The database is organized in a hierarchical tree, which uses containers called Organizational Units (OUs) to enable rights and privileges to be inherited.

Active Directory can provide a single directory and logon, its administration can be distributed, and the directory and its inherent security can be extended and scaled for small to large enterprises. Active Directory includes a few other features, too.

Active Directory is an Extensible Storage Engine (ESE) database. This is the same type of database as that used by Microsoft Exchange Server. Exchange Server 2000 uses a newer ESE98 interface, whereas both Active Directory and Exchange Server 5.5 use the ESE97 interface. ESE allocates a database store of up to 17 terabytes and 10 million objects per domain. (One million objects is the recommended limit and approximate size of the largest tested number of objects per domain.)
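As an added illustration of the update-based, Multi-Master replication described under The Directory Database and listed again among Active Directory's characteristics above (this is example code, not from the book and not Active Directory's own engine), the Python model below ships only the changed attribute together with the object's DN as locator, and resolves concurrent conflicting writes with an assumed rule: highest version wins, then latest timestamp, then replica name, so every replica picks the same winner and the set converges.

```python
"""Simplified model of attribute-level Multi-Master replication.

Added example, not code from the book or from Active Directory itself.
Assumptions (constructed for this example): every replica exchanges updates
directly with every other; each stored attribute carries a
(version, timestamp, origin) stamp; an update carries one attribute plus the
object's distinguished name (DN); a conflict is resolved by highest version,
then latest timestamp, then replica name, which is deterministic everywhere.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True, order=True)
class Stamp:
    """Tuple ordering of these fields IS the conflict-resolution rule."""
    version: int
    timestamp: int
    origin: str


@dataclass(frozen=True)
class Update:
    """What crosses the wire: one attribute value plus the DN to find the object."""
    dn: str
    attribute: str
    value: str
    stamp: Stamp


class Replica:
    def __init__(self, name: str) -> None:
        self.name = name
        # dn -> attribute -> (value, stamp)
        self.objects: Dict[str, Dict[str, Tuple[str, Stamp]]] = {}
        self.outbound: List[Update] = []  # originated here, not yet propagated

    def local_write(self, dn: str, attribute: str, value: str, now: int) -> Update:
        """An administrator edits one attribute on this replica."""
        current = self.objects.get(dn, {}).get(attribute)
        version = current[1].version + 1 if current else 1
        update = Update(dn, attribute, value, Stamp(version, now, self.name))
        self.apply(update)
        self.outbound.append(update)  # only this attribute is queued, never the object
        return update

    def apply(self, update: Update) -> bool:
        """Store the update if it beats what is already held; report whether it did."""
        attrs = self.objects.setdefault(update.dn, {})
        current = attrs.get(update.attribute)
        if current is None or update.stamp > current[1]:
            attrs[update.attribute] = (update.value, update.stamp)
            return True
        return False  # stale or losing write: discarded, nothing changes


def converge(replicas: List[Replica]) -> int:
    """Flood queued updates to all other replicas until nothing is pending.

    Returns the number of exchange rounds needed, a crude 'convergence time'."""
    rounds = 0
    while any(r.outbound for r in replicas):
        rounds += 1
        pending = [(r, u) for r in replicas for u in r.outbound]
        for r in replicas:
            r.outbound = []
        for source, update in pending:
            for target in replicas:
                if target is not source:
                    target.apply(update)
    return rounds


def snapshot(replica: Replica) -> Dict[str, Dict[str, str]]:
    """Attribute values only, for comparing replicas with each other."""
    return {dn: {a: v for a, (v, _) in attrs.items()}
            for dn, attrs in replica.objects.items()}


def all_converged(replicas: List[Replica]) -> bool:
    first = snapshot(replicas[0])
    return all(snapshot(r) == first for r in replicas[1:])


def demo() -> Dict[str, str]:
    """The book's marriage example plus a concurrent, conflicting phone edit."""
    dc1, dc2, dc3 = Replica("DC1"), Replica("DC2"), Replica("DC3")
    fleet = [dc1, dc2, dc3]
    dn = "CN=Joe,OU=Sales,DC=example,DC=com"  # constructed sample object
    dc1.local_write(dn, "sn", "Smith", now=1)
    dc1.local_write(dn, "telephoneNumber", "555-0100", now=1)
    converge(fleet)
    # Last name changed on DC2 while DC1 and DC3 both change the phone number
    # before either propagates; only 'sn' and 'telephoneNumber' travel.
    dc2.local_write(dn, "sn", "Jones", now=5)
    dc1.local_write(dn, "telephoneNumber", "555-0101", now=5)
    dc3.local_write(dn, "telephoneNumber", "555-0199", now=6)
    converge(fleet)
    assert all_converged(fleet)  # DC3's later stamp wins the phone conflict everywhere
    return snapshot(dc2)[dn]


if __name__ == "__main__":
    print(demo())  # {'sn': 'Jones', 'telephoneNumber': '555-0199'}
```

The losing write on DC1 is silently discarded on every replica, which is why a real directory keeps a per-attribute stamp of this kind rather than relying on arrival order.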
ESE efficiently utilizes only the disk space necessary to store the values for each object and its properties.When adding data to the data store, ESE uses the most rapid method possible; however, ESE gives up some database efficiency to so.The data store can easily become fragmented Active Directory does perform online defragmentation to rearrange data after it has been stored, plus it provides a utility NTDSUTIL to perform offline defragmentation Offline defragmentation will not only rearrange the data, but it will also reclaim disk space from the directory store, which is a file called NTDS.DIT ESE does not claim a full object’s space when the object’s values are not fully completed If an object class has multiple attributes available for data, but an object of that class is created with values assigned to a couple of those attributes, then the ESE engine will acquire only the space necessary to store the values assigned For example, if there is a user account object in which the phone number and address are not filled out, then no space is reserved in the data store for that information—only enough space to store what values have been assigned to the user object .NET Since many of the standards used with Active Directory are also Internet standards, Active Directory can be integrated into any Internet or intranet environment.The ability to extend the enterprise system into the Internet is one of the bases of Microsoft’s NET strategy .NET is based on Windows 2000 Server and extends to a host of services, as well as the NET development framework For developers, Microsoft provides a software development kit (SDK) for Windows 2000 and Active Directory that contains the Application Programming Interfaces (APIs) that a Web-based component can hook into.You can obtain SDKs and developer information for the NET framework from the Microsoft Developer Network Web site at msdn.microsoft.com Developers can use the NET www.syngress.com 180_AD2e_01P1 8/30/01 10:39 AM Page 17 
Introduction to Active Directory • Chapter framework for integrating Active Directory into a Web solution A program can use the native Active Directory APIs to hook a Web site into the Windows 2000 Active Directory Since Web browsers are available on nearly every platform, this means that the Active Directory service can be universally accessible via the Web Protocol Interoperability Active Directory uses a naming convention that is similar to X.500, an Internet standard for directory service namespaces Although not exactly an X.500 directory, Active Directory uses Lightweight Directory Access Protocol (LDAP), which was developed for use with X.500 directories and reduces the traffic overhead that is associated with the X.500 system Being able to use LDAP and to support the X.500 naming model enables Active Directory to manage other, applicationspecific directories.To take advantage of this capability, you must integrate the directories via some protocol or API, and usually this means LDAP because LDAP commonly is used by many directory services.The future of Active Directory may eventually bring about a single logon and password that can be synchronized throughout various directories in an enterprise network, even though those directories might otherwise be incompatible All of this is possible through the use of standard protocols for communications One thing that you must be prepared for is using IP for all communications involving the directory service.This may be an issue for a network that primarily depends on another protocol stack However, with today’s proliferation of Internet-capable systems, using IP natively across an enterprise network is not usually an issue.The reason that you must use IP is that Active Directory is dependent upon the IP protocol stack In particular, it is entirely dependent upon DNS to help both servers and workstations locate Active Directory servers called domain controllers The IP protocol stack, also called TCP/IP, consists of 
multiple protocols; the main two are the Internet Protocol (IP) and Transmission Control Protocol (TCP).The IP protocol assigns a logical address to each station on the network, so that they can be found.The 32-bit IP address is usually illustrated in dotteddecimal notation, a format of four numbers, each ranging from to 255 and separated by dots Each of the four numbers commonly is referred to as an octet For example, 10.155.3.253 is an IP address.This format, though easier to remember than a string of 32 ones and zeroes, is not all that easy for humans to remember Mnemonic systems usually associate a word to a visual, auditory, or tactile sensation in order to stimulate memory Numbers are difficult to associate that way, and remembering multiple strings of numbers is difficult for an average Internet www.syngress.com 17 180_AD2e_01P1 18 8/30/01 10:39 AM Page 18 Chapter • Introduction to Active Directory user.To make it easier for people to remember which server is which, host names were given to the server.To make certain that the user could access the host using a host name, a file named “hosts” was placed on each computer, associating the host name of a computer to its IP address.This way, the user could access the host using a host name rather than having to remember the 32-bit numerical address If a user needed to access a new computer, the user or the administrator had to update the host file with the new host name and IP address, or the user still was forced to use the IP address After some time, it became obvious that managing multiple host files was time-consuming and tedious.Thus, DNS was born DNS was developed to provide a central, hierarchical directory for IP addresses that reduced the host name-to-IP address management by reducing the number of machines that needed to be managed Assuming network clients are utilizing DNS, a user simply can enter a host name and the computer queries its DNS server for the IP address If the host that the user is trying 
to access is not listed on that server, the DNS server can pass the query up to other DNS servers within the DNS hierarchy until it reaches a server that does hold the listing for name resolution. Because of its well-organized hierarchy, DNS responds in a short time. In fact, the system is so transparent that most users are unaware that this host name-to-IP address translation takes place each time they type a new Uniform Resource Locator (URL) into their Web browser.

Active Directory depends on DNS to locate domain controllers on the network through a special type of DNS record that maps a service to the host name and port of a server that offers it; the client then resolves that host name to an IP address in the usual way. This type of record is called a Service Location Resource Record, or SRV RR for short.

Single Point of Administration

Being able to manage the network from a single location reduces time and effort for administrators. Instead of logging off one server and onto another, or even moving physically from one management station to another, the administrator works against one logical store: all Active Directory servers, resources, and accounts are held in a single directory. An administrator can create custom Microsoft Management Consoles (MMCs) that provide quick access to the information the administrator uses most, or can use the standard consoles provided with Windows 2000 Server.

The reason administrators no longer need to log off one server and onto another is due partly to Multi-Master replication, in addition to the MMC. Active Directory domains no longer use the Windows NT model of a PDC and BDCs (a PDC emulator role is retained only for compatibility); they have moved to a Multi-Master architecture in which all copies of the Active Directory database are maintained on DCs that are peers of each other. This means that a single Active Directory database is the repository for multiple published resources and can be administered from the same application using any replica of the Active Directory database through Multi-Master
replication. Therefore, when an administrator logs onto a DC in a particular domain, it does not matter which DC, because the data on all DCs converges once the scheduled replication has run.

Active Directory introduces the concept of published resources. Published resources reduce time and effort for end users. A published resource can be a file, a network device, an access session to a mainframe or minicomputer, a database, a Web service, or any other resource or service that is installed into Active Directory and secured for user access. Publishing a resource means that a user can execute a simple query to locate the resource anywhere on the network. In the case of printers this capability is very powerful: printers can be published with information about their features. For example, a user can look for a printer in a particular building with the ability to print in color and duplex. If such a printer is published, the user's query returns it together with its published information. Administrators can customize printer location with maps, if such are required.

The NOS

Windows 2000 Server is the network operating system (NOS) that is seamlessly integrated with Active Directory. Windows 2000 Server is scalable at the server level, with three products (Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 DataCenter Server) that support different sizes of server equipment, as shown in Table 1.2. Active Directory takes the scalability of the Windows 2000 Server family of products and raises it to the network level, since multiple Windows 2000 servers of varying types (whether Advanced, DataCenter, or standard Server) can all participate in a single Active Directory.

Table 1.2 Scalability of Windows 2000

Component                Windows 2000 Server   Windows 2000 Advanced Server            Windows 2000 DataCenter Server
Number of processors     4                     8                                       32
RAM (Intel servers)      4GB                   8GB using Physical Address Extensions   64GB using Physical Address Extensions
Network load balancing   Not supported         Up to 32 nodes supported                Up to 32 nodes supported
Clustering               Not supported         Up to 2 nodes in a failover group       Up to 4 nodes in a failover group

Active Directory Architecture

Active Directory is not automatically part of the Windows 2000 Server installation process, although the capability is available should you need it. When a Windows 2000 Server (any version) is installed as a new install, by default it becomes a member server of a workgroup or domain. (Upgrades are handled differently if a Windows NT PDC or BDC is being upgraded to Windows 2000: in that case the installer is prompted to upgrade the domain to Active Directory. If that did not occur, all information from the former domain would be lost.)

Member servers use a security architecture identical to that of Windows 2000 Professional client workstations: a flat-file local database holding a set of local users and groups. This does not allow other servers or workstations to share in that security database. In fact, it harks back to the days of the server-centric network. The flat-file database allows local users and groups, as well as shared local files and printers, in a server-centric model. Only when a member server or client workstation joins an Active Directory domain can it participate in Active Directory. When a client workstation or member server joins a domain, that server-centric local database remains. However, if a member server is promoted to a Domain Controller, the local database is removed. When a Windows 2000 Server joins an Active Directory domain as a member server, it can communicate with any DC for Active Directory security information.

Domains are configured as top-level containers in a tree structure that is created through trust relationships and uses DNS naming. Domains sharing a contiguous DNS namespace are organized into domain trees. A contiguous namespace means that the domains are
linked via their DNS names. For example, a domain named root.com and its subdomain trunk.root.com are both part of the same contiguous namespace. However, a domain named trunk.com is not part of that contiguous namespace, and in fact forms the basis for another domain tree. There can be multiple domains in Active Directory, either with or without contiguous namespaces. Multiple domains with different namespaces that participate in a single Active Directory are commonly considered a forest of multiple domain trees, as depicted in Figure 1.4. However, it is important to note that a domain on its own can also be its own forest.

Internal to each domain, Active Directory provides OUs to create a tree structure. The OU tree is unique to each domain and completely configurable by an administrator. Within the OU containers, Active Directory enables the administrator to create objects that represent user accounts, network services, and resources such as users, groups, workstations, and printers. The result is a logical structure that can be scaled to an enterprise of any size and organizational formation.

Figure 1.4 Active Directory as a Forest of Trees
[Diagram labels: Forest; Domain A; Domain B; Two-Way Transparent Trust; Subdomain A; Sub-Subdomain A]

Designing & Planning…

Multi-Master Replication

With Multi-Master replication, a change made to any object in any DC's replica of the Active Directory database is updated automatically on all the others. In an Active Directory domain, each DC is a peer to all the other DCs. Furthermore, replication of forest-wide information, such as the schema and configuration, occurs between all DCs in the forest, and Global Catalog replication occurs between all Global Catalog servers in the forest. This replication does not happen by all servers talking to all the other servers at once. In fact, Multi-Master replication is a controlled (Continued)
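The SRV record mechanism described in the DNS discussion above is worth seeing end to end. The following is an added example, not code from the book: it builds the locator names a client queries for a domain's LDAP-capable domain controllers, parses a constructed zone-file-style SRV answer, and picks a target by priority and weight as RFC 2782 prescribes. The domain corp.example.com, the site name and the dc1/dc2/dc3 hosts are assumptions for the demonstration; the only step omitted is sending the query to a real DNS server. Because the answer decides which host the client will then authenticate to, the integrity of these records is part of the domain's trust boundary.

```python
"""Domain controller location through DNS SRV records.

Added illustrative example, not code from the book. The SRV answer is a
constructed zone-file-style text so the block runs offline; a real client
sends the query to its DNS server, which is the only step omitted here.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # host name; the client resolves it to an IP address afterwards


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV owner names a client queries for LDAP-capable DCs of `domain`.

    Active Directory registers its locator records under the _msdcs subdomain;
    the site-specific name is tried first when the client knows its site.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}".lower())
    names.append(f"_ldap._tcp.dc._msdcs.{domain}".lower())
    return names


def parse_srv_rrset(zone_text: str) -> Dict[str, List[SrvRecord]]:
    """Parse lines '<owner> [ttl] IN SRV <priority> <weight> <port> <target>'.

    Returns owner name -> records. Anything that is not a well-formed SRV
    record raises ValueError instead of being silently skipped.
    """
    rrset: Dict[str, List[SrvRecord]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            i = fields.index("IN")
            if fields[i + 1] != "SRV" or len(fields) != i + 6:
                raise ValueError
            prio, weight, port = (int(x) for x in fields[i + 2:i + 5])
        except (ValueError, IndexError):
            raise ValueError(f"not a well-formed SRV record: {raw!r}") from None
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {raw!r}")
        owner = fields[0].rstrip(".").lower()
        target = fields[i + 5].rstrip(".").lower()
        rrset.setdefault(owner, []).append(SrvRecord(prio, weight, port, target))
    return rrset


def select_target(records: List[SrvRecord], rng=random) -> SrvRecord:
    """RFC 2782 selection: the lowest priority value wins; among equal
    priorities draw at random in proportion to weight."""
    if not records:
        raise LookupError("no SRV records: no domain controller can be located")
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    roll = rng.uniform(0, total)
    running = 0
    for r in candidates:
        running += r.weight
        if roll <= running:
            return r
    return candidates[-1]


def locate_dc(domain: str, answer_text: str, site: Optional[str] = None,
              rng=random) -> Tuple[str, int]:
    """Return (host, port) of the DC to contact, preferring the site-specific
    SRV name and falling back to the domain-wide one."""
    rrset = parse_srv_rrset(answer_text)
    for name in dc_locator_names(domain, site):
        if name in rrset:
            chosen = select_target(rrset[name], rng)
            return chosen.target, chosen.port
    raise LookupError(f"no locator records for {domain}")


# Constructed DNS data for the demonstration (not a real zone).
SAMPLE_ANSWER = """
_ldap._tcp.hq._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.           600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.           600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.           600 IN SRV 10 100 389 dc3.branch.corp.example.com. ; backup
"""

if __name__ == "__main__":
    print(locate_dc("corp.example.com", SAMPLE_ANSWER, site="hq"))
```

The backup record with priority 10 is only ever returned when no priority-0 record exists, which is exactly how a branch-office DC is kept out of the path until the head-office DCs disappear from DNS.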
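The printer query described under published resources is, on the wire, an LDAP search filter built from whatever the user typed. This added example (not the book's code) shows the filter a directory-enabled client would send for a color, duplex printer in a given building, with the naive string-concatenation builder kept beside the hardened one that escapes the user's value per RFC 4515. The attribute names (location, printColor, printDuplexSupported) are the ones Active Directory publishes on printQueue objects; the building names and the injected input are constructed.

```python
"""Querying Active Directory for a published printer by location and features.

Added example, not code from the book. Attribute names are those Active
Directory publishes on printQueue objects; the user input values are
constructed. The vulnerable builder is kept beside the hardened one to show
why escaping per RFC 4515 matters when a directory query carries user input.
"""
from typing import Dict

# RFC 4515: these characters must be written as backslash + two hex digits
# inside an assertion value, otherwise the server reads them as filter syntax.
_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _ldap_bool(flag: bool) -> str:
    # Active Directory boolean attributes compare against the literals TRUE/FALSE.
    return "TRUE" if flag else "FALSE"


def printer_filter_unsafe(building: str, color: bool, duplex: bool) -> str:
    """The 'before': the user's text is pasted straight into filter syntax."""
    return ("(&(objectClass=printQueue)"
            f"(location={building}*)"
            f"(printColor={_ldap_bool(color)})"
            f"(printDuplexSupported={_ldap_bool(duplex)}))")


def printer_filter(building: str, color: bool, duplex: bool) -> str:
    """The hardened version: only the escaped value reaches the filter. The
    trailing wildcard is added by the code, never taken from the user."""
    return ("(&(objectClass=printQueue)"
            f"(location={escape_filter_value(building)}*)"
            f"(printColor={_ldap_bool(color)})"
            f"(printDuplexSupported={_ldap_bool(duplex)}))")


def filter_components(filter_text: str) -> int:
    """Count the assertions directly inside the outer (&...) so it is visible
    when user input has smuggled extra terms into the query."""
    depth, count = 0, 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
            if depth == 2:
                count += 1
        elif ch == ")":
            depth -= 1
    return count


if __name__ == "__main__":
    print(printer_filter("Building 7", color=True, duplex=True))
    print(printer_filter_unsafe("Building 7)(objectClass=*", True, True))
```

With the constructed input `Building 7)(objectClass=*`, the unsafe builder emits a filter with five assertions instead of four, one of them supplied by the user; the hardened builder keeps the same text as a literal location prefix.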
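The root.com / trunk.root.com / trunk.com example above is a question of DNS label hierarchy, and the check has to compare whole labels: a plain string suffix test would put notroot.com inside root.com's namespace. This added example (not the book's code) groups a constructed set of domain names into domain trees and a forest on that basis; all domain names in it are made up.

```python
"""Grouping domains into domain trees and a forest by contiguous DNS namespace.

Added example, not code from the book. Domain names are constructed. The
comparison is made on whole DNS labels, because a string suffix test would
treat notroot.com as part of root.com's namespace, which it is not.
"""
from typing import Dict, Iterable, List, Tuple


def labels(name: str) -> Tuple[str, ...]:
    """Split a DNS name into its labels, case-insensitively, ignoring a root dot."""
    return tuple(name.lower().rstrip(".").split("."))


def is_subdomain(child: str, parent: str) -> bool:
    """True if `child` sits strictly below `parent` in the DNS hierarchy."""
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def build_forest(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Return {tree root: domains in that tree, shallowest first}.

    A tree root is a domain with no parent in the set; every other domain is
    attached to the root whose namespace contains it. A domain with no
    relatives forms a tree (and a forest) of its own.
    """
    names = sorted({d.lower().rstrip(".") for d in domains},
                   key=lambda d: (len(labels(d)), d))
    roots = [d for d in names if not any(is_subdomain(d, other) for other in names)]
    trees: Dict[str, List[str]] = {r: [r] for r in roots}
    for d in names:
        if d in trees:
            continue
        root = next(r for r in roots if is_subdomain(d, r))
        trees[root].append(d)
    return trees


if __name__ == "__main__":
    for root, members in build_forest(
            ["root.com", "trunk.root.com", "branch.trunk.root.com", "trunk.com"]).items():
        print(root, "->", members)
```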
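Both the Single Point of Administration discussion and the Designing & Planning sidebar rest on the claim that a write accepted by any DC ends up on every other DC. The following added model (not the book's code, and not Active Directory's implementation) makes that concrete: each DC accepts writes, stamps every change with its own update sequence number (USN), and partners pull the changes above their last high-watermark for that partner; conflicting writes to one attribute resolve deterministically by (version, time, originating DC). It mirrors the USN and high-watermark mechanism Active Directory uses but leaves out sites, topology generation and the up-to-dateness vector. The DC names and the jdoe distinguished name are constructed.

```python
"""A model of Multi-Master replication between peer domain controllers.

Added illustrative example, not code from the book or from Active Directory.
Every DC accepts writes, stamps each change with its own USN, and partners
pull changes above a per-partner high-watermark. Attribute conflicts resolve
by (version, time, originating DC). Sites, topology and the up-to-dateness
vector are omitted, so this is a teaching model of convergence only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True, order=True)
class Stamp:
    """Per-attribute version stamp; tuple order decides conflicts."""
    version: int
    time: int
    origin: str


@dataclass(frozen=True)
class Change:
    usn: int        # USN assigned by the DC whose log this entry is in
    dn: str
    attr: str
    value: str
    stamp: Stamp


class DomainController:
    def __init__(self, name: str) -> None:
        self.name = name
        self.usn = 0
        self.log: List[Change] = []
        self.db: Dict[Tuple[str, str], Tuple[str, Stamp]] = {}
        self.watermark: Dict[str, int] = {}   # partner name -> last USN pulled

    def write(self, dn: str, attr: str, value: str, time: int) -> None:
        """Originating write on this DC: bumps the attribute version."""
        current = self.db.get((dn, attr))
        version = current[1].version + 1 if current else 1
        self._apply(dn, attr, value, Stamp(version, time, self.name))

    def _apply(self, dn: str, attr: str, value: str, stamp: Stamp) -> bool:
        """Store a change unless an equal or newer stamp is already held.
        An equal stamp is how a change echoed back by a partner is dampened."""
        current = self.db.get((dn, attr))
        if current is not None and not current[1] < stamp:
            return False
        self.usn += 1
        self.db[(dn, attr)] = (value, stamp)
        self.log.append(Change(self.usn, dn, attr, value, stamp))
        return True

    def changes_since(self, usn: int) -> List[Change]:
        return [c for c in self.log if c.usn > usn]

    def pull_from(self, partner: DomainController) -> int:
        """Replicate from one partner; returns how many changes were applied."""
        high = self.watermark.get(partner.name, 0)
        applied = 0
        for change in partner.changes_since(high):
            if self._apply(change.dn, change.attr, change.value, change.stamp):
                applied += 1
            high = change.usn
        self.watermark[partner.name] = high
        return applied


def converge(dcs: List[DomainController], max_rounds: int = 20) -> int:
    """Full-mesh pull replication until a round applies nothing; returns rounds."""
    for rnd in range(1, max_rounds + 1):
        applied = sum(dc.pull_from(p) for dc in dcs for p in dcs if p is not dc)
        if applied == 0:
            return rnd
    raise RuntimeError("replicas did not converge")


def snapshot(dc: DomainController) -> Dict[Tuple[str, str], str]:
    """Attribute values only, for comparing replicas."""
    return {key: value for key, (value, _stamp) in dc.db.items()}


def demo() -> Dict[str, str]:
    """Constructed scenario: writes land on different DCs, then two DCs edit
    the same attribute before replicating. Returns each DC's final title."""
    user = "CN=jdoe,OU=Sales,DC=corp,DC=example,DC=com"   # constructed DN
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.write(user, "title", "Analyst", time=100)
    b.write(user, "telephoneNumber", "555-0100", time=101)
    converge([a, b, c])
    assert snapshot(a) == snapshot(b) == snapshot(c)
    a.write(user, "title", "Manager", time=200)
    b.write(user, "title", "Director", time=205)
    converge([a, b, c])
    return {dc.name: dc.db[(user, "title")][0] for dc in (a, b, c)}


if __name__ == "__main__":
    print(demo())
```

The point the sidebar makes about controlled replication shows up in the model too: each DC tracks a high-watermark per partner and pulls only what it has not yet seen, and a change that comes back around with a stamp the DC already holds is discarded rather than re-applied and re-logged.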