Introducing Active Directory T he directory service has become one of the hottest new technologies on corporate networks. Microsoft, a new member of the directory service club, has created a directory service on which almost its entire product line depends. Understanding Active Directory is thus a prerequisite to any management or deployment of Windows 2000. In the 1970s, all the computing resources you needed, or could use, were on the same computer or the terminal you logged on at. In the 1980s, with the advent of the PC LAN, many files were located on remote machines, and there were definitive paths to these machines. LAN users shared the files and printers, and exchanged e-mail on the LAN. Before the end of the 1990s, we witnessed the beginning of the paradigm shift where all information and functionality could be accessed on any server on any network anywhere . . . and the user did not need to know where the objects were physically located. This is the ideal computing model in which all network objects — servers, devices, functionality, information, authen- tication, and the transports — combine to become a single contiguous information system and computing environment. This environ-ment allows users, whether human or machine, to attach — or remain attached—to systems from a consis- tent user interface at any point of entry on the network. No matter what users require — be they functions of a device, communication, process, algorithms, or perhaps just infor- mation and knowledge — they must be able to access such an object without regard for its physical location. The Active Directory is Microsoft’s bold leap to realizing the dream of a truly distributed environment and IS architecture. It has been talked about for many years. Headlines in the technical trades were always gloomy. And thus, many network administrators and systems engineers forgot about the 2 2 CHAPTER ✦✦✦✦ In This Chapter The Origins of Active Directory The Elements of Active Directory Comparing Windows NT and Windows 2000 domains ✦✦✦✦ 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 25 26 Part I ✦ Windows 2000 Server Architecture directory and worked hard to refine or improve what was already in place, at considerable investment. But now the directory is here. And you probably have little idea what it is and how to use it. You should not feel ashamed, because not only are you not alone, but also it is unlike anything you have ever used before. Every day people ask us about the Active Directory (and these are not only Windows NT or UNIX and NetWare professionals, but also mid-range and mainframe engineers). The purpose of this chapter is to drill down to its core, to expose the elements, and to lay the foundations to bring what’s precious to the surface, and then move for- ward. First, you must understand everything about the Active Directory (AD) before you can make the transition from the old ways of managing networks and computing environments to the promise that waits. In this chapter, we discuss the elements of AD. We will kick off with a brief discussion of how and why we will use AD, and from whence it came. Then we break it down into its constituent components (its logical structure), and finally we discuss how the components work and interoperate with each other. You will notice that the subject of Windows domains and trusts is going to be left until a full discussion of the AD has been achieved. This chapter also features the first appearance of Millennium City, or mcity.org , which is the example Windows 2000 network infrastructure we use throughout the book. It’s a network that runs the infrastructure of an entire city, and its Active Directory is what we used to test the limits of what Microsoft says it’s capable of. MCITY is essentially one huge Active Directory laboratory. You don’t need to be in front of your monitor for this chapter. Just curl up with some snacks and postpone any appointments you might have. The Omniscient Active Directory: Dawn of a New Era The Windows NT client-server architecture was a great improvement over other server and network offerings, both from Microsoft and other companies. However, it had a shortcoming that, had it not been resolved in Windows 2000, would have suffocated the advancement of this highly sophisticated operating system. On Windows NT— actually any network — resources are not easily distributed. The interoperation and scalability of numerous NT servers, printers, shares, devices, files, knowledge resources, functionality, and the sustained availability thereof, collapse when the ability for all network components and objects to share information is absent. As discussed briefly in Chapter 1, one of the most significant additions to Microsoft’s technology is the Active Directory. There is perhaps no other aspect of Windows 2000 that will have the impact the directory service will, because just about every new feature or ability of this product depends on a directory service. 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 26 27 Chapter 2 ✦ Introducing Active Directory Before we haul out the dissecting tools, know this: ✦ The Active Directory service is critical to the deployment and management of Windows 2000 networks, the integration and interoperation of Windows 2000 networks and legacy NT networks, and the interoperation and unification of Windows 2000 networks with the Internet. Its arrival is a result of the evolu- tionary process of Microsoft’s server and network technology. One way or another, the directory service is in your future. ✦ The Active Directory is a powerful directory service, either as part of a Windows network or as a standalone service on the Internet. In the latter role, it is an apt contender as a directory service in the same fashion Internet Information Server is an apt contender for a Web server. In other words, no querying client on the Internet needs to know the directory is Windows 2000 AD. Active Directory is 100 percent LDAP-compliant and 100 percent IP-compliant. Why Do We Need Directories? A directory provides information. At its most basic level, it is like a giant white pages, allowing a user to query a name and get back a phone number . . . and then possibly being connected to the person by automatically dialing that number. But a directory in the IT world is a lot more than a telephone book. Before getting into the specifics of AD, let’s look at some reasons why we need directories. We kick off by placing AD at the center of all services provided by Windows 2000. Single Sign-On and distributed security Active Directory makes it easier to log in to and roam cyberspace. Imagine if you had to log in at every mall, highway, turnpike, newsstand, public facility, sports amenity, shop, fast food outlet, movie house, and so on, in the brick and mortar world we live in. Why then should we have to do this in cyberspace? In every company today, it is almost impossible to get anywhere on the network without going through at least three logins. Everyday, we log into NetWare, the Windows NT domains, voice mail, the host system (to the AS/400 via Rumba), FTP, and then finally the Internet; we won’t go into how many accounts and logins we have. Not only do we have to log in dozens of times a day, and remember dozens of passwords and user or login IDs, but we also have to know exactly where information and resources are located on the network. The uniform resource locator on the World Wide Web has alleviated the resource location problem to some extent (it obviates having to know exactly where something lives on the Internet), but it is still not ideal and not very smooth. URLs are perishable, and for the most part unmanageable in large numbers, which means they often do not get updated. They are not managed in any sensible, cohesive system. 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 27 28 Part I ✦ Windows 2000 Server Architecture The ideal is some sort of badge that allows us to log in once and then flash it wherever we go. For starters, every application and service on our LANs, from e-mail to voice mail to data access to printer access, should be made available to us through one universal login, at home or at work. The type or level of access we have will depend on the attributes or “clearance level” of our badges. The access token provided by Windows NT security comes close to this, but it is not accepted by other technologies as a valid means of authentication. Figure 2-1 illustrates several systems that should be accessed and managed from a central login authority. In many cases, this is already possible with Active Directory- compliant applications such as SQL Server 2000 and Exchange 2000. Figure 2-1: Active Directory as a central login authority Active Directory Intranet Cloud Internet Cloud Customers: Orders Customers: Help Desk Customers: Catalogs Customers: Websites Suppliers Manufacturers Public Relations Partners Investors Extranet Applications Security Administrators Technical Support People Groups and Users Printers, Computers, Equipment Data and SQL Server Users ERP and CRM and Payroll Systems Helpdesk Users E-mail and Groupware Users Voicemail and Fax Users Internal Applications Remote Users and Road Warriors Vertical and Horizontal Application Security Host Access LDAP entry point and other LDAP compliant directories Organization White Pages (e-mail, phone, and fax addresses) Catalog Searching Interconnection with other directories Internet Users Internet Road Warriors Extranet Access Security Extranet Cloud 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 28 29 Chapter 2 ✦ Introducing Active Directory As you will learn in Chapter 3 and in the chapters in Part III, the single login dream is achieved using the services of AD and Windows 2000 support for MIT’s Kerberos authentication. This service is known as Single Sign-On (SSO). SSO has become a quasi-standard among supporters of the Kerberos protocol, such as Microsoft, Apple, Sun, and Novell. Once a trusted user is authenticated via the Kerberos protocol, all other services that support the Kerberos protocol can accept and allow access to the principal. This is made possible by the Kerberos use of tickets— the badge idea previously discussed — which are issued by the directory service. In Chapter 1, we also told you that the Microsoft network domain architecture in Windows 2000 has been radically overhauled to seamlessly integrate with the AD and to extend out to the Internet. Imagine being able to log in to your domain from anywhere. We will be discussing this in much more depth in a later chapter. Change management Active Directory makes it easier to manage the roamers and users of cyberspace and corporate networks and the computers they use to attach to the network. We administrators want to be able to manage our users and computing resources in one central omnipresent repository. We don’t want to repeatedly manage users in the voice mail directory, on the NetWare servers’ directory, in the Host systems database, in our e-mail directory, on our Windows domains, and so on. And we, as managers, need to be able to manage this information easier with change. Mergers, acquisitions, new products, and services need to be continually managed on a cohesive and consistent basis. Group Policy, the change control and change management service of Windows 2000, stores all user and computer information in AD (as discussed in the section on ZAW in Chapter 1). Distributed administration Active Directory lets you delegate administrative function and responsibility and lets you parcel out chunks of the network or domain for controlled administration. A distributed directory service makes it possible to delegate the administration of network resources and users throughout the enterprise. On legacy NT, you can create users and groups with administrative rights, but it is well nigh impossible to hide other network resources from these administrators. Because Active Directory can be partitioned as a mirror of the structure or organization of the enterprise, it is also possible to partition the administration of the compartments. In other words, it makes more sense to appoint a member of a department to perform repetitive management of that department’s resources. You will see later how administration of the directory can be delegated to individuals who are only given selective access or right of passage to delegated areas of the directory. 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 29 30 Part I ✦ Windows 2000 Server Architecture Application management Active Directory makes it easier to develop and distribute applications. Application developers need consistent, open, and interoperable interfaces and APIs against which they can code functionality that stores and manages information relating to applications, processes, and services in a distributed information store. We want to be able to create applications and store application and persistent data to an “invisible” repository through an open interface. This information should be available from anywhere and everywhere on the network. Developers want to be able to create methods that install an application into a directory on the network for initial configuration and manipulation over the lifetime or use of the application. We do not want to concern ourselves with the inner workings of the directory. We want to create our information or config- uration object, initialize, use it, and be done . . . no matter where the user installs or invokes our product. And wherever the object we created is moved to, it should always be accessible to the application. With all of the above, the cost of access and management has in the past been high. We are looking for solutions that will, albeit in the long to medium term, reduce the cost of both management and operation of cyberspace and the information technology systems running our companies and our lives. What Is Active Directory? There are registries and databases that provide directory-type facility for applications and users. But not one is interconnected, share-centric, or distributed in any way. AD is a universal distributed information storehouse into which all network objects, such as application configurations, services, computers, users, and processes, can be accessed, in a consistent manner, over the full expanse of a network or internetwork. This is made possible by the logical structure of the directory. And before you start scratching your head, you should understand that without Active Directory you cannot log in to a Windows 2000 domain, period. Chapters 7 and 8 discuss this and illustrate the control you have over AD’s logical and physical structure. We compare AD to a database later on in this chapter and in Chapter 7 in much more detail. Meanwhile, if you’re keen to adopt this child, then you need to know something about its parents. The Grandfather of the Modern Directory: The X.500 Specification The directory service as we are coming to know it began with an interconnection model proposed by the International Standards Organization (ISO) little more than 20 years ago. This model is popularly known as OSI, which stands for open-systems interconnection. In the late eighties, OSI was given a huge boost by big business and government and quickly became the foundation for the information revolution we are experiencing today. 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 30 31 Chapter 2 ✦ Introducing Active Directory The OSI model and its seven layers lie at the very genesis of modern information technology. Without a fundamental understanding of OSI, it is difficult to be an effec- tive systems engineer, software developer, network administrator, CIO, or Webmaster. OSI is to IT what anatomy is to medicine. While we assume that you are familiar with the OSI model, this brief discussion of X.500 serves to provide a common departure point for all systems engineers not familiar with a directory service. The X.500 directory service can be found at the OSI application layer, where it sits as a group of protocols approved and governed by the International Telecommunications Union (ITU), formerly the CCITT. The objective of X.500 was to provide standards and interfaces to an open and interoperable global and distributed directory service. X.500 is made up of many components (databases) all interoperating as a single contiguous entity. Its backbone is the Directory Information Base (DIB). The entries in the DIB provide information about objects stored in the directory. Figure 2-2 represents the information contained in the DIB. Figure 2-2: The X.500 hierarchy (a), and the DIB and the information it contains (b) In order to access the information stored in the DIB, both users and computers needed a structure or model that would make it easier to understand where data could be located. The model proposed was an object-oriented, hierarchical structure that resembles an upside-down tree, as illustrated in Figure 2-3. The root of the tree is X.500 Root C2 a Classes b Attribute ValuesEntry Identifier Country Organization Person US MCITY Jeffrey Shapiro P1 C1 C3 O2O1 O3 P2P1 P3 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 31 32 Part I ✦ Windows 2000 Server Architecture at the top, and the branches and leaves hang down, free to proliferate. This model assured that any object in the tree is always unique as long as it is inherently part of the tree and can trace its “roots” to the single node at the top. Active Directory trees (and DNS) work the same way, as discussed later. The tree is read from the bottom to the top. Figure 2-3: The X.500 tree structure The objects in the X.500 tree represented containers for information representing people, places, and things. These objects would also be organized or grouped into classes (for example, groups of countries, companies, localities, and so on). The X.500 standard included the following container objects: ✦ Countries ✦ Location ✦ OU or organizational unit Unfortunately, X.500 suffered from several limitations in its early days. It became bogged down under its own weight (the specification was exhaustive), and in many respects it was ahead of its time (especially with respect to its ties to OSI). It made its appearance in the late 1980s at a time when most innovators could care less about managing information openly and globally, when we were all huddled in our garages inventing or writing code like crazy, and when we were all competing for market share at every turn. X.500 was also born before the advent of the World Wide Web and the mass utiliza- tion of the Internet by both the public and businesses. And what really dragged it 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 32 33 Chapter 2 ✦ Introducing Active Directory down was its ties to the OSI protocols (the datalink protocols — DLC — such as 802.2 and 802.3), which turned out to be its Achilles’ heel, because the way of the Internet world was IP. Meanwhile, the Internet took off on the coattails of TCP/IP, leaving X.500 struggling in a protocol desert landscape. Like so many innovations before it, X.500 provided nourishment for other inventions that followed. And much of the foundation for the modern directory service, especially Active Directory, can be directly attributed to the vision of X.500, as we will soon see. The Father of the Modern Directory: LDAP The X.500 specifications defined a protocol by which services would be able to access the information stored in X.500 databases. This protocol was known as the Directory Access Protocol, or DAP. It consisted of a comprehensive set of functions that would provide the ability for clients to add and modify or delete information in the X.500 directory. DAP, however, was overkill and consisted of far more functionality than was required for the implementation of a directory service. Therefore, a simplified version of DAP was created, called the lightweight directory access protocol (LDAP). After several refinements, LDAP has begun to stand in its own right as a directory service. After adoption by the Internet Engineering Task Force (IETF), several important features of LDAP have garnered its widespread support: ✦ LDAP sits atop the TCP/IP stack rather than the OSI stack. This means that every client with an IP address, able to send and receive packets over IP, can access and exploit LDAP-compliant directory services. The client needs only to know how to “talk” to LDAP (IP). TCP, the transport, takes care of the rest. ✦ LDAP performs hyper-searching, which is the ability of a directory to refer to another for authoritative information. In other words, one LDAP directory can defer to another to chase information. An example of this is how Web-based search engines look to other search engines, via hyper-linking, for collateral information or information that does not exist in their own databases. Directory services on a worldwide Internet thus can become contiguous and distributed to form a transparent massive service, limited only by available servers and network resources. The replication mechanisms Microsoft is building into its products are so advanced that products such as SQL Server 2000 will become fully distributed before 2003. ✦ Early on its childhood, LDAP implemented a rich C-based API, making C the de facto programming language of the directory service. Using the most popular language of the day with which to call directory functionality ensured LDAP widespread support in the bustling developer community. Note 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 33 34 Part I ✦ Windows 2000 Server Architecture LDAP consists of the following components, which in some shape or form are the foundations of all modern directories, including the AD: ✦ The data model: This model represents how data is accessed in the directory. The data model is inherited directly from the data model of the X.500 specification. Objects are infused with information by way of assigning attributes to them. Each attribute is type-casted and contains one or more distinct values. The objects are classified into groups of classes, such as organizational units (OUs) or Companies. ✦ The organization model: This is the inverted tree paradigm we earlier discussed, which is also inherited directly from the X.500 specification. It is the structure adopted by all modern directory services. Of particular note is how the Domain Name System (DNS) of the Internet is arranged around inverted trees. The DNS consists of several trees, the root or topmost levels, that sprout downward and contain millions of leaves (or nodes). Figure 2-4 illustrates the DNS forest and the seven roots. It also illustrates the .com tree and how it has fired the Internet into the commercial juggernaut it is today. Figure 2-4: The organizational model revolves around the inverted tree, a hierarchical collection of objects. ✦ The security model: This model specifies how information is securely and safely accessed. LDAP adopted Kerberos password authentication and has since added additional authentication layers with the inclusion of the Simple Authentication Security Layer (SASL). This SASL provides a tiered architecture for a multitude of service providers. Version 3.0 of LDAP also supports the SSL or secure socket layer of TCP/IP, which was developed independently by the Internet community. Windows 2000 supports SSL in its browser, Internet Explorer. 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 34 [...]... software and hardware The Elements of Active Directory Active Directory is a highly complex product that will no doubt become more complex and more advanced in future versions At the core of the product, we find a number of elements that are native to directory services in general and AD in particular 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 39 Chapter 2 ✦ Introducing Active Directory Namespaces and Naming... atomic structure without the fear of overpopulation, as was the case with Windows NT 4.0, and NetWare 3.x and 4.x 4667-8 ch02.f.qc 5/15/00 1:56 PM Page 41 Chapter 2 ✦ Introducing Active Directory Inside Active Directory The core of the Active Directory is largely accessible only to geeks who see heaven in a line of C++ code (authors included) It does not ship with special viewer tools, like MS Access, that... Directory lukewarm to say the least ✦ Active Directory is built into the Windows NT operating system (still at the core of Windows 2000), making it backward compatible with earlier versions of Windows NT ✦ Active Directory is a fully distributed architecture allowing administrators to write once and update everywhere from a single point of access, across any network ✦ Active Directory is highly scalable and... ch02.f.qc 5/15/00 1:56 PM Page 35 Chapter 2 ✦ Introducing Active Directory ✦ The functional model: This model specifies the methods for querying and modifying the directory objects It includes operations to add entries and to edit, populate the attribute fields, delete, and query objects in the directory ✦ The topological model: This model specifies how the directory services integrates or interoperates... scientifically as attributed naming, which consists of the server name holding the directory (which we refer to as the directory host), user name, organizational unit, and so on For example: LDAP://anldapserver.bigbrother.com/cn=jsmithers,ou=trucksales, dc=bigbrother,dc=com LDAP names are used to query the Active Directory Active Directory and the Internet It is possible to locate AD servers anywhere on the... the Active Directory For the speed required by complex code and advanced development, such as creating service providers, C++ is best For RAD and the majority of component-based development, Visual Basic, using the Active Directory Services Interface (ADSI), is best Java is useful when you need to make calls to the LDAP API, but we have found Microsoft’s support for Java-based access to Active Directory. .. is an object-oriented representation of a user object in the Active Directory (The actual data structure is a table of columns or fields.) CN = Jeffrey.Shapiro Employee ID = JRS6904 UserObject PW = ***************** Figure 2-8: An Active Directory user object and three attributes or properties There can be many different objects in Active Directory Some hold exploitable information, and some are merely... ch02.f.qc 5/15/00 1:56 PM Page 37 Chapter 2 ✦ Introducing Active Directory ✦ Able to be programmed against ✦ A replicating structure (single master), providing some vestige of a distributed system ✦ A system of hierarchical structures, which contains records that hold configuration data For the most part, the similarities end here Comparing the registry to Active Directory is like comparing a JetSki to the... compulsory and optional information that make up the objects such as user names, login names, passwords, groups, and application-specific data Active Directory Objects If Active Directory is a casserole, then the objects are its ingredients Without objects, the directory is a meaningless, lifeless shell When you first install AD, the system installs a host of user objects you can begin accessing immediately... on) ✦ Active Directory supports and coexists with both DNS and LDAP Both are modeled on the X.500 standard, especially with respect to its structural and organizational model ✦ Active Directory supports open and interoperable standards, especially with regard to the widespread naming conventions in use today 37 4667-8 ch02.f.qc 38 5/15/00 1:56 PM Page 38 Part I ✦ Windows 2000 Server Architecture ✦ Active . 5/15/00 1:56 PM Page 40 41 Chapter 2 ✦ Introducing Active Directory Inside Active Directory The core of the Active Directory is largely accessible only to. with Active Directory- compliant applications such as SQL Server 2000 and Exchange 2000. Figure 2-1: Active Directory as a central login authority Active Directory