Microsoft KB Archive/196464

An Overview of Active Directory

Q196464

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-

SUMMARY
A directory service is a distributed database that stores information about your network resources so that they can be located and managed. Microsoft Active Directory is the directory service of Windows 2000. The basic questions for any directory service are what information may be stored in the database, how it is stored, how you can query for specific information, and what you can do with the results. Active Directory consists of the directory database itself together with an access protocol (LDAP) through which clients query and update it, using hierarchical names in the style of X.500.

You can query the directory with a user name to obtain information such as the user's phone number or e-mail address. The directory service is also flexible enough to answer generalized inquiries ("where are the printers?" or "what are the server names?") with a summarized list of available printers or servers.

A directory service also gives users a single point of entry to the entire enterprise network. Users can find and use resources across the network without knowing the exact name or location of the resource, and you can manage your entire network through a unified, logical view of its organization and resources.

MORE INFORMATION
To ensure that you can create an efficient and reliable Active Directory design, you need to understand both the logical and the physical structure of your network, as well as your organization's business structure and operations. Active Directory separates the logical structure of the domain from the physical structure of the network.

THE LOGICAL STRUCTURE
The logical structure of a network consists of intangible items such as objects, domains, trees, and forests.

The basic building block of Active Directory is an object: a distinct, named set of attributes that represents a network resource. Attributes are the characteristics of an object. Every object is an instance of a class, and the class defines which attributes the object may or must carry. Users, groups, and computers are examples of object classes.

At the lowest level, some objects represent individual entities on your network such as a user or computer. These are called leaf objects and cannot contain other objects. However, to provide ease of management and simplified organization of the directory, you can place leaf objects inside of other objects called container objects. Container objects may also hold other containers in a nested (or hierarchical) format.

The most common type of container object is an Organizational Unit (OU). You can use OUs to categorize objects within a domain into logical administrative groupings; OUs are the unit at which administration is delegated and Group Policy is linked. It is important to note that the OU structure and hierarchy within a domain is independent of the structure of any other domain, and that an OU is an administrative convenience, not a security boundary.

All network objects, whether leaf or container, can only exist within a domain. You use domains to group related objects together to reflect your organization's network. Each domain you create only stores information about the objects it contains and no others. Currently, the supported limit on the number of objects you can maintain in a domain is one million.

Each domain was described at the time as a security boundary: access to objects within a domain is controlled by Access Control Entries (ACEs) contained in Access Control Lists (ACLs), and those ACLs are evaluated within the domain that stores the object. Note, however, that members of the domain administrators group in any domain can escalate to control of the whole forest, so later Microsoft guidance treats the forest, not the domain, as the security boundary. Within Active Directory, a domain is also a partition of the directory database: its objects are replicated only among that domain's domain controllers. You can structure domains by business function (HR, Sales, or Accounting) or by location (geographic or relative).

When you group related domains together to allow global resource sharing, you create a tree. A tree can consist of a single domain, or of multiple domains within the same namespace joined in a hierarchy. The domains within a tree are connected through two-way trust relationships based on Kerberos authentication, created automatically when a child domain is added. These parent-child trusts are permanent (they cannot be deleted while the domain exists) and transitive: if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C.

All domains within a tree share a single formal definition of all object classes and attributes, called the Schema. All domains within a tree also share the Global Catalog (GC), a central index that holds a partial replica of the objects in the tree.

Each tree also has a contiguous namespace. For example, if your company's root domain is "company.com" and you create separate domains for your Sales and Support divisions, their domain names would be "sales.company.com" and "support.company.com". These are called child domains. Unlike Windows NT 4.0, where every trust had to be created by hand, each new child domain automatically receives a trust relationship with its parent.

At the highest level, separate trees can be grouped together to form a forest. A forest lets you combine different divisions of an organization, or even different organizations. The trees do not have to share a contiguous namespace and can operate independently, yet can still communicate with each other. All trees in a forest share the same schema, global catalog, and configuration container. Again, Kerberos-based transitive trust relationships connect the trees.

Another benefit of Windows 2000 directory services is that you can remove Active Directory from a server without reinstalling the operating system. To make a member server a domain controller (DC), run the DCPROMO tool to install Active Directory; to demote it back to a member server, run DCPROMO again.

THE PHYSICAL STRUCTURE
Domain controllers and sites are the two basic components of the physical structure. A site is a set of well-connected IP subnets; it describes network topology rather than the logical domain structure, and it governs which domain controllers clients prefer and how replication between locations is scheduled.

Unlike Windows NT 4.0, a network consisting solely of computers running Windows 2000 has no Primary Domain Controller (PDC) and Backup Domain Controllers (BDC). Every server that hosts a replica of the directory is a domain controller (DC), and all domain controllers hold writable copies of the directory database. Replication between the domain controllers of a domain is automatic.

With enterprise networks that span multiple geographical locations, the implications of wide area network design and structure are extremely important when understanding the impact that directory database replication may have on domain controllers and network performance.

NAMESPACES
A namespace is a bounded area within which a logical name can be resolved to the object it identifies. The primary use of a namespace is to organize the descriptions of resources so that users can locate those resources by their characteristics or properties. The directory database for a namespace can be used to locate an object without knowing its name, and a user who does know a resource's name can query for useful information about that object.

An important point is that the design of the namespace ultimately determines how useful the directory database remains to users as it grows. Sorting and search algorithms cannot overcome an inadequate logical directory design.

At a logical level, Windows 2000 Active Directory is simply another namespace. Active Directory stores two main types of information about each object:


 * The logical location of the object.
 * A list of attributes about the object.

These objects have attributes assigned to them (such as phone number, room location, etc.) and can be used for locating objects in the directory database. Using attributes for searching is even more important when the Active Directory schema is extended (modified). When objects, classes of objects, and/or attributes for those objects are added to the directory database, their structure determines their usefulness for directory users.

Each container and object in a tree has a unique name. A namespace is the collection of the complete paths of all the containers and objects (branches and leaves) in the tree. The location of an object in the tree determines its distinguished name.

An object's Distinguished Name (DN) is the complete path from the top of the namespace down through the tree hierarchy to the object. A DN is useful for organizing the directory database but is not convenient for referring to the object, so Active Directory also uses the Relative Distinguished Name (RDN): the final component of the DN, which is an attribute of the object itself (for a user, usually its common name).

The namespace used for many networks is based on the Domain Name System (DNS) used on the Internet. This linkage to DNS shapes the Active Directory tree and the relationship of the objects to each other. In a distinguished name, Domain Component (DC) entries carry the labels of the DNS domain name, while Common Name (CN) entries identify the specific object, such as a user, within its container. For example, a user in the "sales.company.com" domain might have the DN CN=Jane Doe,OU=Sales,DC=sales,DC=company,DC=com.
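The naming rules in this section, as an added worked example (this is not code from the KB article): a small parser that splits a DN into its RDNs, recovers the RDN and the parent container, reassembles the DNS domain name from the DC components, and escapes values when building a DN. It follows the LDAP string representation of distinguished names (RFC 2253, later RFC 4514); the sample DNs are constructed for illustration. The escaping is the security-relevant part: a DN assembled by concatenating untrusted input can have extra RDNs injected into it, the LDAP counterpart of SQL injection.

```python
"""Distinguished-name handling for Active Directory objects (added example;
not from the KB article). Implements the string form of RFC 2253/4514:
RDNs are separated by unescaped commas, and ',' '+' '"' '\\' '<' '>' ';' and
'=' inside a value are escaped with a backslash or as a '\\XX' hex pair.
The sample DNs used below are constructed."""
import string

_SPECIAL = set(',+"\\<>;=')


def split_rdns(dn: str) -> list:
    """Return [(type, value), ...] from the leaf RDN outward to the root.

    A comma inside a value ("Doe\\, Jane") is escaped and so does not start a
    new RDN. Multi-valued RDNs joined with '+' are not handled here.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                buf.append(chr(int(hexpair, 16)))   # \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])               # \, -> ','
                i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)   # split on the first '=' only
        rdns.append((attr_type.strip().upper(), value))
    return rdns


def escape_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN string.
    Needed whenever a DN is assembled from untrusted input; otherwise the
    input can append its own RDNs (the LDAP analogue of SQL injection)."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):                      # leading space or '#'
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):   # trailing space
        out = out[:-1] + "\\ "
    return out


def build_dn(rdns) -> str:
    """Inverse of split_rdns: join (type, value) pairs into an escaped DN."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def relative_dn(dn: str) -> tuple:
    """The RDN: the object's own naming attribute, e.g. ('CN', 'Jane Doe')."""
    return split_rdns(dn)[0]


def parent_dn(dn: str) -> str:
    """The container that holds the object: everything after the RDN."""
    return build_dn(split_rdns(dn)[1:])


def dns_domain_of(dn: str) -> str:
    """Reassemble the DNS domain name from the DC (domain component) RDNs."""
    return ".".join(v for t, v in split_rdns(dn) if t == "DC")


if __name__ == "__main__":
    # Constructed sample: a user whose CN itself contains a comma.
    sample = "CN=Doe\\, Jane,OU=Sales,DC=sales,DC=company,DC=com"
    print(relative_dn(sample), parent_dn(sample), dns_domain_of(sample))
    # An attacker-controlled CN cannot escape its RDN once escaped:
    print(build_dn([("CN", "evil,OU=Admins"), ("DC", "company"), ("DC", "com")]))
```

Note that `split_rdns` splits each component on its first `=` only, so a value such as `evil,OU=Admins`, once escaped by `build_dn`, round-trips as a single CN rather than as two RDNs.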

GLOBAL CATALOG
The Global Catalog contains a partial replica of every Windows 2000 domain in the forest and is built automatically by the Active Directory replication system. It lets users and applications find objects anywhere in the forest given one or more attributes of the target object. A global catalog server also holds the schema and configuration partitions. The global catalog thus holds a replica of every object in Active Directory, but with only a small number of each object's attributes: those most frequently used in searches (such as a user's first and last names and logon names) and those required to locate a full replica of the object.

Using this common information, users can find objects of interest quickly without knowing what domain holds them and without requiring a contiguous extended namespace in the enterprise. If the object cannot be found in the Global Catalog, then the search utility can query your local domain partition for information.

You can use the Active Directory Schema snap-in (Schema Manager) to change the schema and to mark which attributes are replicated to the Global Catalog (the partial attribute set). Because every change to a catalogued attribute is replicated to all Global Catalog servers in the forest, it is good practice to keep the partial attribute set small, for both performance and maintenance reasons. It is also a security consideration: an attribute added to the set becomes readable on every Global Catalog server, so do not add attributes that hold sensitive data.

INTEGRATING DNS WITH AD
DNS and Active Directory integration is a core feature of Windows 2000 Server. DNS domains and Active Directory domains use identical domain names, but they are different namespaces: each stores different data and manages different objects. DNS uses zones and resource records, while Active Directory uses domains and domain objects.

For example, if one of the properties of an object is a server's fully qualified domain name (such as SERVER1.SALES.MYCOMPANY.COM), Active Directory queries DNS for the server's TCP/IP address, and the Windows 2000 requestor can then establish a TCP/IP session with the server.

The integration between Active Directory and DNS is achieved by each domain controller registering its services in SRV (service location) resource records on a DNS server, for example under _ldap._tcp.dc._msdcs.<domain>. Clients locate domain controllers by querying those records, so the integrity of the DNS servers that host them matters: a client follows whatever SRV answer it receives.
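The locator mechanism just described, as an added example that is not part of the KB article: the function `dc_locator_names` builds the SRV record names that Windows 2000 domain controllers register for a domain (and, optionally, for a site), and `order_srv` applies the client-side selection rule of RFC 2782 (lowest priority first, weighted random choice among equal priorities) to a set of answers. The records in the block are constructed rather than resolved, so it runs offline; `company.com` and `sales.company.com` are the domain names used earlier on this page.

```python
"""DC locator record names and SRV answer ordering (added example; not from
the KB article). The names follow the pattern Windows 2000 domain
controllers register in DNS; the ordering implements RFC 2782. The SRV
answers used below are constructed, not looked up."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str      # host name of the domain controller


def dc_locator_names(dns_domain: str, forest: str = "", site: str = "") -> dict:
    """SRV names a client queries to find domain controllers, global catalog
    servers and the PDC emulator of `dns_domain` within `forest`."""
    forest = forest or dns_domain
    names = {
        "ldap_dc": f"_ldap._tcp.dc._msdcs.{dns_domain}",
        "kerberos_dc": f"_kerberos._tcp.dc._msdcs.{dns_domain}",
        "pdc": f"_ldap._tcp.pdc._msdcs.{dns_domain}",
        "gc": f"_gc._tcp.{forest}",
        "kpasswd": f"_kpasswd._tcp.{dns_domain}",
    }
    if site:   # site-specific names let a client prefer a nearby DC
        names["ldap_dc_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"
        names["gc_site"] = f"_gc._tcp.{site}._sites.{forest}"
    return names


def order_srv(records, rng=random) -> list:
    """Order SRV answers as a client should try them (RFC 2782).

    Lowest priority first. Within one priority, pick repeatedly at random
    with probability proportional to weight; weight-0 entries are chosen
    only when nothing weighted remains in that priority group.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                point = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if acc > point:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


if __name__ == "__main__":
    for role, name in dc_locator_names("sales.company.com", forest="company.com",
                                       site="Seattle").items():
        print(f"{role:12} {name}")
    # Constructed answer set for _ldap._tcp.dc._msdcs.sales.company.com
    answers = [
        SrvRecord(0, 100, 389, "dc1.sales.company.com"),
        SrvRecord(0, 50, 389, "dc2.sales.company.com"),
        SrvRecord(10, 0, 389, "dc-dr.sales.company.com"),   # fallback site
    ]
    print([r.target for r in order_srv(answers)])
```

The disaster-recovery entry with priority 10 is only ever tried after both priority-0 controllers, whatever their weights; that is the property a practitioner relies on when steering clients away from a slow link.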

GLOBAL UNIQUE IDENTIFIER
Since every object on a network must be identified by a unique property, Active Directory associates a Globally Unique Identifier (GUID) with each object. This 128-bit value is guaranteed to be unique and is never changed by the directory, even if the object is renamed or moved. The GUID is generated when the object is created in the directory.

REPLICATION
While a Windows NT 4.0 network was based on the PDC and BDC model, all domain controllers (DCs) on a Windows 2000 network function as peers. With Active Directory, all DCs within a site replicate with one another automatically and support multi-master replication of Active Directory information among all domain controllers. Multi-master replication means that administrators can make updates to Active Directory on any Windows 2000 domain controller in the domain.

Multi-master replication must also decide when to synchronize changes, which information is most current, and when to stop replicating data to avoid duplication. To determine what information needs to be updated, Active Directory uses 64-bit Update Sequence Numbers (USNs). Each domain controller keeps its own USN counter, increments it on every write, and stamps the new value on the object and on the modified property.

Each domain controller maintains a table of the highest USN it has received from each replication partner within the site. When the replication interval is reached, each server requests from its partner only the changes with a USN greater than the value listed in its own table.

Occasionally the same property is changed on two different domain controllers before either change has replicated. This is a replication collision: one of the changes must be declared authoritative and used as the source for all other replication partners. To resolve it, Active Directory keeps a Property Version Number (PVN) on every property. The PVN is incremented when an originating write takes place; an originating write is one that occurs directly on a particular domain controller rather than arriving through replication. The change with the higher PVN wins.

When two or more changes to the same property carry the same PVN, the domain controller receiving the change compares the timestamps of the changes and uses the most recent one for the update (if the timestamps are also equal, the tie is broken deterministically by the identity of the originating domain controller, so every replica makes the same choice). The most important consequence is that all domain controllers must keep synchronized clocks.

Another replication issue is looping. Active Directory lets administrators configure multiple replication paths for redundancy, so a change could in principle travel around a loop and be applied again. To prevent this, each domain controller keeps an Up-to-date Vector (UDV): a list of (domain controller, USN) pairs recording, for every domain controller in its site, the highest USN of an originating write it has already received from that controller. When replication occurs, the requesting server sends its UDV to the sending server, which compares the originating USN of each change against the vector. If the requesting server's vector already shows a USN at or above that of a change, the change is not sent again because the requesting server already has it.
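The USN, property-version and up-to-date-vector scheme of the preceding paragraphs, as an added simulation (not Microsoft's code and not from the KB article). Each simulated domain controller stamps its originating writes with its own USN counter and a per-property version, pulls only the changes whose originating USN exceeds its vector entry for that originator, and resolves collisions by version, then timestamp. Assumptions: DC names stand in for the invocation ID and DSA GUID that real Active Directory uses to identify originators and to break full ties, timestamps are plain integers, and the DN and attribute name are constructed.

```python
"""Simulation of the replication bookkeeping described above (added example;
not Microsoft's code). Every originating write is stamped with the writing
DC's own USN and a per-property version number, and each DC keeps an
up-to-date vector (UDV): the highest originating USN it has applied from each
DC. Real AD identifies a DC by its invocation ID and breaks a full tie by DSA
GUID; here the DC name stands in for both. Timestamps are plain integers."""
from dataclasses import dataclass


@dataclass
class Stamp:
    version: int        # incremented on every originating write of this property
    timestamp: int      # clock of the originating DC at the time of the write
    origin: str         # DC that performed the originating write
    origin_usn: int     # that DC's USN counter value for the write
    value: object

    def beats(self, other: "Stamp") -> bool:
        """Collision resolution: higher version wins, then later timestamp,
        then (so every DC decides the same way) the originating DC name."""
        return (self.version, self.timestamp, self.origin) > \
               (other.version, other.timestamp, other.origin)


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0            # local USN counter (64-bit in AD; a Python int here)
        self.props = {}         # (dn, attribute) -> Stamp
        self.udv = {}           # originating DC -> highest origin_usn applied
        self.applied = 0        # inbound changes actually written to the replica

    def write(self, dn: str, attr: str, value, now: int) -> None:
        """Originating write: bump the local USN and the property version."""
        self.usn += 1
        old = self.props.get((dn, attr))
        version = old.version + 1 if old else 1
        self.props[(dn, attr)] = Stamp(version, now, self.name, self.usn, value)
        self.udv[self.name] = self.usn

    def changes_since(self, partner_udv: dict) -> list:
        """Changes a partner still lacks: originating USN above its UDV entry."""
        return [(key, s) for key, s in self.props.items()
                if s.origin_usn > partner_udv.get(s.origin, 0)]

    def pull_from(self, source: "DomainController") -> None:
        """One replication cycle: send our UDV, apply what comes back, then
        merge the source's UDV, since we now hold everything it held."""
        for key, stamp in source.changes_since(self.udv):
            current = self.props.get(key)
            if current is None or stamp.beats(current):
                self.props[key] = stamp
                self.applied += 1
            # a losing stamp is discarded; its originating USN is still
            # covered by the vector merge below, so it is never re-offered
        for origin, usn in source.udv.items():
            self.udv[origin] = max(self.udv.get(origin, 0), usn)


# Constructed object and attribute used by both scenarios.
KEY = ("CN=Jane Doe,OU=Sales,DC=company,DC=com", "telephoneNumber")


def ring_scenario():
    """A -> B -> C -> A: the change must not be re-applied when it returns."""
    a, b, c = (DomainController(n) for n in "ABC")
    a.write(*KEY, "555-0100", now=100)
    b.pull_from(a)
    c.pull_from(b)
    a.pull_from(c)      # C offers nothing: A's UDV already shows A:1
    return a, b, c


def collision_scenario():
    """Same property changed on A and B before either replicates: equal
    versions, so the later timestamp (B's) wins on both sides."""
    a, b = DomainController("A"), DomainController("B")
    a.write(*KEY, "555-0100", now=100)
    b.pull_from(a)
    a.write(*KEY, "555-0200", now=200)
    b.write(*KEY, "555-0300", now=205)
    a.pull_from(b)
    b.pull_from(a)
    return a, b


if __name__ == "__main__":
    a, b, c = ring_scenario()
    print("ring: applied on A", a.applied, "UDVs", a.udv, b.udv, c.udv)
    a, b = collision_scenario()
    print("collision: A has", a.props[KEY].value, "B has", b.props[KEY].value)
```

The collision scenario is also the demonstration of the clock requirement stated above: with A's clock five seconds ahead, A's change would win instead, so whichever DC has the wrong time silently decides the outcome.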

CHANGES WITH GROUPS
Another aspect of the logical planning process for Active Directory is the concept of groups. In Windows NT 4.0, two basic types of groups were available to a network administrator, local and global. With the limitations inherent in this structure, Windows 2000 now provides increased functionality and flexibility for network administrators with the following groups:


 * Groups with local scope (also called local groups)
 * Groups with domain local scope (also called domain local groups)
 * Groups with global scope (also called global groups)
 * Groups with universal scope (also called universal groups)

An important change is that global groups can now contain other global groups (once the domain is running in native mode). Global groups are still used to collect users, and the ability to nest groups lets an administrator place them anywhere in the forest for easier maintenance. However, a global group can contain only users and groups from its own domain.

Because many networks may contain a mixture of Windows 2000 and Windows NT 4.0 servers, you must determine the number and type of domains on your network and which of those domains are mixed-mode or native-mode before you create groups:


 * Mixed-mode domain. The Windows 2000 operating system installs, by default, in a mixed-mode network configuration. A mixed-mode domain is a networked set of computers running both Windows NT 4.0 and Windows 2000 domain controllers. (You can also have a mixed-mode domain running only Windows 2000 domain controllers.)
 * Native-mode domain. You can convert a domain to native mode when it contains only Windows 2000 Server domain controllers.

The universal group (new in Windows 2000) can contain users and groups from any domain in the forest, and can be used in any Access Control List (ACL) within the forest. Universal security groups require native mode, and their membership is stored in the Global Catalog, so every membership change replicates forest-wide.

Global, domain-local, and universal groups can be combined to control access to network resources. Global groups organize users within their own domain. Universal groups collect global groups from several domains so that a single group can be used across the domain hierarchy when granting permissions. The global or universal groups are then added to a domain-local group in the domain where the resource exists, and the domain-local group is the one that appears on the resource's ACL. With this structure, administrators add or remove users in each domain's global group to control access to resources throughout the enterprise without having to change ACLs in multiple places.

Additional query words: nt5info kbfaqw2kds

Keywords :

Issue type : kbinfo

Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Serv kbwin2000ServSearch kbwin2000Search kbWinAdvServSearch