As a system administrator or as a technical support professional, you will need to have a thorough understanding of Active Directory.
In this lesson, we will provide a global view of Active Directory, what it is, how it works, and how it relates to network topology.
The topics discussed here will be explored in greater detail later in this course.
Overview of Active Directory
The diagrams below will give you a global view of Active Directory's contents.
Windows Directory Service
Define the Active Directory Database
The Active Directory (AD) database plays a crucial role in Microsoft's Active Directory service, which is used for managing and securing identities, resources, and services within a Windows domain environment. The primary function of the Active Directory database is to store and manage all the information related to the objects in the directory. This includes users, groups, computers, printers, and other resources.
Key Functions of the Active Directory Database:
Storage of Directory Data:
The AD database stores detailed information about every object within the domain. This includes user accounts, security groups, computers, organizational units (OUs), group policies, and more.
Each object in the directory has attributes (such as a user’s name, email, and password) that are stored in the database.
Data Management and Replication:
The AD database is designed to be highly scalable and supports a large number of objects. It manages the efficient storage and retrieval of this data.
Active Directory uses a multi-master replication model, which means that changes to the database can be made on any Domain Controller (DC) and are then replicated to other DCs to ensure consistency across the domain.
Authentication and Authorization:
One of the core functions of the AD database is to authenticate users and computers. When a user logs in, AD verifies their credentials against the information stored in the database.
After authentication, AD provides the necessary authorization information, determining what resources the user or computer has access to based on their permissions and group memberships.
Centralized Management:
The AD database enables centralized management of the network, making it easier for administrators to control and secure resources, apply policies, and manage user accounts.
Group Policies, which are rules that define how user and computer settings are configured, are stored in the AD database and can be applied across the domain from a central location.
Hierarchical Structure:
The database maintains a hierarchical structure, organizing objects into domains, trees, and forests. This structure reflects the organization’s logical structure and helps in organizing and managing objects effectively.
Schema Management:
The AD database includes a schema, which defines the classes of objects and attributes that can be created. This schema can be extended or modified as needed by the organization, allowing for customization of the directory to meet specific needs.
Database File: The actual data for Active Directory is stored in a database file named `NTDS.dit`. This file is located on each Domain Controller (DC) and contains all the AD objects for the domain. The `NTDS.dit` file is critical for the functioning of AD, as it is the central repository for all directory data. Because it also holds the credential secrets (password hashes) of every account in the domain, access to this file, and to any DC backup or snapshot that contains a copy of it, must be restricted to domain administrators.
Conclusion:
The Active Directory database is the backbone of the AD infrastructure, enabling centralized management, secure authentication, and efficient data replication across a Windows domain environment. It plays a vital role in ensuring that users and resources are managed effectively and that security policies are consistently enforced across the organization.
Active Directory versus Registry
Active Directory is a special-purpose database and is not a registry replacement. The directory is designed to handle a large number of read and search operations and a significantly smaller number of changes and updates. Active Directory data is hierarchical, replicated, and extensible. Because it is replicated, you do not want to store dynamic data, such as corporate stock prices or CPU performance. If your data is machine-specific, store the data in the registry.
Typical examples of data stored in the directory include
printer queue data,
user contact data, and
network/computer configuration data.
The Active Directory database consists of objects and attributes. Objects and attribute definitions are stored in the Active Directory schema.
The Active Directory is the foundational networking component in Windows 2000. The Active Directory completely redesigns Microsoft networking from the days of Windows NT and brings Windows networking to a hierarchical, directory service model. This model modernizes NT and paves the way for the future. With the Active Directory, you have more manageability, more support for network resources, standardized naming, and excellent query capabilities.
In short, the Active Directory opens an entire new world for Windows.
A directory is, at its most fundamental level, a collection of information that is organized in a particular way. The organizational method makes sorting through the information fast and easy so you can find the desired data. Directory services are often compared to a phone book. A phone book is a collection of data organized by last name, first name, phone number, city, and state. Because the information is organized in a particular way, you can quickly find a particular person and get his or her telephone number. Directories, of course, are nothing new and have been used for about as long as books have been available; but in terms of networking, directories are still on the cutting edge of networking technology.
It is important to note that the Active Directory namespace is not the DNS namespace.
The DNS namespace is used on the Internet while the Active Directory namespace is used for private networks.
However, the Active Directory namespace is based on DNS, and it connects into the DNS namespace. In other words, DNS is a global namespace that makes up the entire Internet, and the Active Directory namespace is built on the DNS hierarchical structure so that it connects into the DNS global namespace. For now, it is important to remember that you cannot implement the Active Directory without DNS, and all Active Directory names are DNS names.
Active Directory and Network Topology
If Active Directory spans geographically separate locations, you may wish to divide or partition the network into sites, which you will learn about in detail in the module that follows. In sum, Active Directory not only lets you view the contents of a system from the most general to the most particular, but also provides you with the tools to make that information accessible, no matter what the size or configuration of your network. In subsequent lessons, we will examine the Active Directory and its structure in greater depth. In the next lesson, you will learn about the technologies supported by Active Directory.
What Does the Active Directory Do?
The Active Directory is a directory service and provides a number of different services relating to the organized storage of network resources.
The following points highlight some of the Active Directory’s features:
Organized Approach: The Active Directory brings order to your network by organizing network resources, such as user accounts, group accounts, shared folders, printers, and so on. With the Active Directory, users can quickly find information they need.
Ease of administration: Windows 2000 networks no longer use primary domain controllers (PDCs) and backup domain controllers (BDCs). All domain controllers are simply peers, providing you a single point of administration and excellent fault tolerance.
Removes Topology from Users: The Active Directory helps remove knowledge of the network topology from end users. End users do not have to know which server holds which resource and where it is located on the network. The Active Directory contains powerful query capabilities so users can perform full text searches to find the resources they need.
Reduction of NT Domains: This is the part where all Windows NT network administrators cringe. A major goal of the Active Directory is to make large networks more manageable and part of that lofty goal is to reduce the number of NT domains. The Active Directory does not have a domain user/group account limit (well, it does have one of about 1 million), and due to its design, many networks that currently have several existing NT domains now need only one Windows 2000 domain.
Growth Potential: Two buzzwords thrown around about the Active Directory are scalability and extensibility. Scalability means that a service can grow with the needs of your network. The Active Directory is a scalable product because it can grow to meet the needs of your network.
The Active Directory works on a network of a few hundred computers or on a network of thousands of computers. Extensibility means that a service can be extended. The Active Directory can be extended in terms of its namespace and through the resources it contains.
Standardization: The Active Directory is completely built on networking and protocol standards that currently exist and are heavily used. In other words, there are no totally new standards that must be mastered. The Active Directory is built on a TCP/IP network, which is the networking protocol of choice these days, and it is completely integrated with Domain Name System (DNS) and Lightweight Directory Access Protocol (LDAP), both of which are explored in detail later in this book.
Network Control: The Active Directory offers a very fine level of network management, both in terms of server management and desktop management. Through Windows 2000’s Group Policy, you can manage network user desktop configurations much more easily and effectively. Through the Active Directory, you can finely control resource security and even delegate administrative tasks to other people through Delegation of Control.
Easier WAN Management: Once you get Active Directory correctly set up, it manages its own replication topology. The Active Directory includes more internal services that help it manage and control its own processes, including replication. This feature keeps administrators out of such deathly details and enables software to take care of itself and replicate data between domain controllers and sites as needed.
Why Active Directory Sites are useful
A site is one or more IP subnets connected by a high-speed link, as shown here:
Partitioning versus not Partitioning:
What consequences are there of partitioning or not partitioning? Consider a user at a branch office, whose LAN is connected to the main office by a 56K modem link. Without sites, when he attempts to log on to the network, his computer could use any domain controller (DC) on the network to authenticate his username and password. If a DC on the other side of the 56K link is used, this will result in slow performance and congestion of the link. With sites, his computer would look for a local DC, which results in a faster logon for him, and he does not use up scarce bandwidth on the wide area link. Sites are also used in determining the frequency of replication of Active Directory information from one domain controller to another, to further cut down on excessive usage of bandwidth over the slow links.
What do you think?
What potential do sites hold for you as an administrator?
Have there been situations where sites could have helped you administer a network better?
Active Directory Sites
An Active Directory site is generally defined as a collection of well-connected AD subnets. You use sites to group subnets together into logical collections to help define replication flow and resource location boundaries. Active Directory uses sites directly to generate its replication topology, and also to help clients find the nearest distributed resources to use in the environment (such as DFS shares or domain controllers). The client's IP address is used to determine which Active Directory subnet the client belongs to, and that subnet information, in turn, is used to look up the AD site. The site information can then be used to perform DNS queries via the DC locator service to determine the closest domain controller or Global Catalog. Most members of a domain dynamically determine their site when they start up, and they continue to re-validate their site in the background. This allows administrators to modify the site topology and have the changes take effect in relatively short order with the least amount of manual work. Domain controllers, on the other hand, select their site when they are promoted and will not automatically change unless an administrator moves them to another site.
Domain Controller:
Moving a domain controller to another site is an administrative task that is most easily performed via the Active Directory Sites and Services tool.
By default, there is one site defined in Active Directory, the Default-First-Site-Name site. If there are no subnet objects defined, all members of the domain are magically assumed to be part of this initial site, or any other single defined site if you have replaced the default site with another site. Once there are multiple site objects, or after subnet objects are defined and assigned, the magic feature goes away and subnet objects must be defined for the subnets in which domain members reside. There is nothing special about this initial site other than that it is the first one created; you can rename it as you see fit. You can even delete it, as long as you have created at least one other site and moved any domain controllers located within the Default-First-Site-Name site to another site.
Multiple sites can be defined for a single physical location. This allows you to better segregate which resources are used by which requestors.
For instance, it is common practice in large companies to build a separate site just to harbor the Microsoft Exchange 2000 and 2003 servers and the global catalogs that are used to respond to Exchange and Outlook queries. This allows an administrator to easily control which GCs are used without having to hardcode preferred GC settings into Exchange. You can define the subnets as small as you need them, down to a single IP address (a /32 subnet), to place servers in the proper site.
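The IP-to-subnet-to-site lookup described above, including the single-site case with no subnet objects and a /32 subnet that carves one server out of a larger range, modelled as an added example (not code from the original lesson or from Microsoft). The site, subnet and domain controller data are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not a real forest): subnet objects each assigned
# to a site, and domain controllers each placed in a site at promotion time.
SITES = {"Default-First-Site-Name", "Branch-Office", "Exchange-GC-Site"}
SUBNETS = {                          # subnet object -> site it is assigned to
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Branch-Office",
    "10.20.5.40/32": "Exchange-GC-Site",  # single-address subnet for one server
}
DOMAIN_CONTROLLERS = {               # DC name -> site chosen at promotion
    "DC1": "Default-First-Site-Name",
    "DC2": "Branch-Office",
    "GC1": "Exchange-GC-Site",
}


def resolve_site(client_ip, subnets, sites):
    """Return the site a client belongs to, or None if it cannot be placed.

    With no subnet objects and a single site, every member is assumed to be
    in that site. Otherwise the most specific (longest prefix) subnet object
    containing the address decides, so a /32 beats the /16 that also matches.
    """
    if not subnets:
        return next(iter(sites)) if len(sites) == 1 else None
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def locate_dcs(client_ip, subnets, sites, dcs):
    """DC locator behaviour the text describes: prefer DCs in the client's own
    site; if the client has no site or its site has no DC, any DC will do."""
    site = resolve_site(client_ip, subnets, sites)
    local = sorted(name for name, dc_site in dcs.items() if dc_site == site)
    return local if local else sorted(dcs)


if __name__ == "__main__":
    for ip in ("10.20.5.40", "10.20.9.7", "10.1.2.3", "192.168.1.5"):
        print(ip, resolve_site(ip, SUBNETS, SITES),
              locate_dcs(ip, SUBNETS, SITES, DOMAIN_CONTROLLERS))
```

A client with no matching subnet object (here 192.168.1.5) gets no site and may end up on any DC, which is exactly the slow-link problem that defining subnets for every client range is meant to prevent.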