70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Chapter 4: Active Directory Architecture



Objectives

  • Describe the underlying database of Active Directory

  • Describe the Active Directory schema and how it can be extended

  • Describe the different Active Directory partitions and their functions



Active Directory Physical Database Storage

  • Layers

    • Provide the directory service

    • Include:

      • Extensible Storage Engine (ESE)

      • Database layer

      • Directory Service Agent (DSA)



Active Directory Layers



Active Directory Physical Database Storage

  • Extensible Storage Engine:

    • Lowest level

    • Directly responsible for manipulating database

    • All objects stored in nonhierarchical form

      • Rows in database table

  • Database layer:

    • Responsible for providing object-oriented hierarchical view

  • Directory Service Agent:

    • Third layer

    • Responsible for enforcing rules

      • Govern how objects in Active Directory are created and manipulated

  • Only adjacent layers communicate with one another



Extensible Storage Engine

  • Active Directory store:

    • Transactional database

  • Transaction

    • Each addition, modification, or deletion

  • Needed data is loaded from disk to memory.



Extensible Storage Engine (continued)

  • Example: Viewing the properties of a user account

  • ESE loads the user account data from disk into memory.

    • Transaction

      • Operation is logged to the hard disk (the first thing that happens)

  • The modification transaction is performed on the in-memory copy of the data

  • Manipulating the in-memory copy of the data is faster than going to disk


Extensible Storage Engine (continued)

  • AD store can be many gigabytes in size.

  • Storing the entire database in memory is not practical because of the finite amount of memory available

  • To solve this issue, ESE uses a least recently used algorithm to decide what to write to disk (data that has not been accessed or modified recently is the first to be written back to disk):

    • Move data that is no longer needed

    • Write changes back to the hard drive

      • When memory is running low

      • When the system is at a period of low activity


Extensible Storage Engine (continued)

  • Recovery in case of driver crashes or UPS failure:

  • Transactions:

    • ESE writes all transactions to the log before they are made to the in-memory copy

    • Next time the domain controller starts, ESE can use the transactions recorded in the log

    • Reapply changes to the copy of the data stored on the hard disk

    • Called recovering the database

    • Done without user intervention


Extensible Storage Engine (continued)

  • Checkpoints:

    • Shorten recovery times

    • Reduce the amount of hard drive space logs take up

    • Completed transactions are written back to disk

    • The fact that the transactions were successfully written is noted

    • ESE only needs to reapply transactions from the point of the last checkpoint

    • Earlier transactions can be deleted from the log

  • Note:

    • A clean shutdown of the domain controller creates a checkpoint in the transaction log.

    • When the server is started, ESE checks the log; if no checkpoint is present, a recovery is performed.

Active Directory File Structure

  • Files needed by ESE to maintain Active Directory store integrity:

    • NTDS.DIT

    • EDB.LOG

    • EDBXXXXX.LOG

    • EDB.CHK

    • RES1.LOG and RES2.LOG

    • TEMP.EDB


Active Directory Files


NTDS.DIT

  • This is the main AD database.

  • NTDS stands for NT Directory Services.

  • DIT stands for Directory Information Tree.

  • Stores all objects and their attributes

  • Located in the %SYSTEMROOT%\NTDS folder on domain controllers

  • Made up of three tables:

    • Schema table

    • Data table

    • Link table

EDB.LOG

  • This is a transaction log.

  • Any changes made to objects in Active Directory are first saved to a transaction log.

  • During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database.

  • This ensures that the database can be recovered in the event of a system crash.

  • Entries that have not been committed to Ntds.dit are kept in memory to improve performance.

  • Transaction log files used by the ESE engine are always 10 MB.


EDBXXXXX.LOG

  • Auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit.

  • When EDB.LOG is filled, it is renamed to EDBXXXXX.LOG.

  • The original Edb.log file is renamed to Edb00001.log, EdbXXXXX.log is renamed to Edb.log, and the process starts over again.

  • Excess log files are deleted after they have been committed.

    • Every 12 hours:

      • Garbage-collection process runs

      • Deletes old EDBXXXXX.LOG files

  • You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.


EDB.CHK

  • This is a checkpoint file.

    • It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit.

  • System recovering from failure:

    • As transactions are committed, the checkpoint moves forward in the EDB.CHK file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.


RES1.LOG and RES2.LOG

  • These are reserve log files.

  • If the domain controller runs out of free disk space, ESE uses the space reserved by these files

  • Prevents updates from being lost due to insufficient disk space

  • The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted.

  • You should never let a volume containing Active Directory files get even close to being full.

    • Important:

      • Include additional free space to store the Active Directory database as it grows


TEMP.EDB

  • Temporary storage space

  • Holds large transactions while they are in process

  • Used during maintenance operations


LDAP

  • When Microsoft decided to replace the clumsy Registry-based account management system in classic NT with a true directory service, rather than devise a proprietary directory service of their own, they chose to adopt LDAP.

  • Lightweight Directory Access Protocol

  • One of the primary protocols for accessing information directories

  • Vital to understand how to use LDAP naming paths


LDAP (continued)

  • DN (Distinguished Name)

    • Every object in Active Directory has a unique name

    • Describes exactly where the object is located in the object hierarchy

    • Made up of:

      • Name of the object

      • All of the parent objects above it in the hierarchy


LDAP (continued)

  • RDN (Relative Distinguished Name)

    • Identifies the object within its container

    • Contains only the name of the object

  • Acronyms for object names:

    • DC (Domain Component)

      • Part of a domain name

    • OU (Organizational Unit)

      • Name of an organizational unit

    • CN (Common Name)

      • Name of most objects


LDAP (continued)

  • Name example:

    • Lori Thompson, located in the Research organizational unit of the dev.supercorp.net domain

    • DN:

      • CN=Lori Thompson

      • OU=Research

      • DC=dev, DC=supercorp, DC=net

    • RDN: CN=Lori Thompson
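The DN and RDN rules from the LDAP slides, worked through in Python on the slides' own example. This is an added example, not code from the textbook: it builds the distinguished name for Lori Thompson, splits it back into its RDNs, extracts the RDN, the parent DN and the DNS domain name, and also handles a value containing a comma, which in the RFC 4514 string form that Active Directory uses must be escaped with a backslash (the function names are invented for the example).

```python
"""Build and take apart LDAP distinguished names (RFC 4514 string form).

Added example; helper names and the 'Thompson, Lori' sample are constructed.
"""

# Characters that would be read as DN syntax unless escaped inside a value.
SPECIAL = set(',+"\\<>;=')


def escape_value(value):
    """Backslash-escape special characters, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """rdns: (type, value) pairs from the object itself up to the root."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def split_dn(dn):
    """Split a DN string into (type, value) pairs, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # escaped character: keep it literally
            i += 2
            continue
        if ch == ",":               # unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr_type.strip(), value))
    return pairs


def rdn(dn):
    """The relative distinguished name: only the object's own name."""
    attr_type, value = split_dn(dn)[0]
    return f"{attr_type}={escape_value(value)}"


def parent_dn(dn):
    """Everything above the object in the hierarchy (the container's DN)."""
    return build_dn(split_dn(dn)[1:])


def domain_dns_name(dn):
    """Join the DC components into the DNS name of the domain."""
    return ".".join(v for t, v in split_dn(dn) if t.upper() == "DC")


if __name__ == "__main__":
    lori = build_dn([("CN", "Lori Thompson"), ("OU", "Research"),
                     ("DC", "dev"), ("DC", "supercorp"), ("DC", "net")])
    print(lori)
    print("RDN:", rdn(lori), "| parent:", parent_dn(lori), "| domain:", domain_dns_name(lori))
```

Note that splitting on commas alone is not enough: a common name such as "Thompson, Lori" contains a comma, so a naive `split(",")` would produce a bogus RDN. The escape handling above is what keeps the DN unambiguous.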


Active Directory Schema

  • All available objects and attributes

  • Sets out exactly:

    • What kinds of objects are represented

    • What properties or attributes are required or optional

    • What types of values are acceptable

  • The tool needed to modify the schema is not available by default; the Active Directory Schema snap-in must first be registered (regsvr32 schmmgmt.dll)


Activity 4-1: Registering Active Directory Schema Console

  • Objective: Register the Active Directory Schema snap-in so you can view and modify the schema

  • Follow the instructions to register the console

Naming

  • Every object class and attribute in the schema must have:

    • Unique common name

    • LDAP display name

    • Object Identifier (OID)


Common Name Rules

  • Start the name with the registered DNS name of the company

  • Separate each level of the DNS name with hyphens (-) instead of periods

  • Add another hyphen (-) at the end of the company’s name

  • Enter the current year

  • Follow the year with another hyphen (-)


Common Name Rules (continued)

  • Choose a product-specific prefix

    • Must be unique within the company

    • Identifies the product or application of the class or attribute

    • Should begin with an uppercase letter, with additional letters using capitalization of your choice

  • Follow the product-specific prefix with a hyphen (-)

  • Enter the name of the class or attribute, separated by hyphens


LDAP Display Name Rules

  • Start with the common name already created for the class or attribute

  • Make the first character of the product-specific prefix lowercase

    • Characters following the first character may be uppercase or lowercase


LDAP Display Name Rules (continued)

  • Make every character in the class or attribute part of the name that is preceded by a hyphen (-) uppercase

  • Remove all hyphens (-) after the product-specific prefix


Example common names and LDAP display names
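The common-name and LDAP-display-name rules from the preceding slides, applied by code. This is an added example, not the textbook's table: the company DNS name supercorp.net, the year 2003, the product prefix Payroll and the attribute name parts employee and id are constructed sample inputs, and the function names are invented here.

```python
"""Apply the schema naming rules: common name first, LDAP display name derived from it.

Added example with constructed inputs; not from the textbook.
"""
import re


def make_common_name(dns_name, year, prefix, name_parts):
    """DNS labels joined by hyphens, the year, the product prefix, then the name parts."""
    if not prefix[:1].isupper():
        raise ValueError("product-specific prefix must begin with an uppercase letter")
    if "-" in prefix:
        raise ValueError("prefix must not contain hyphens: they cannot be told apart from name parts")
    labels = dns_name.strip(".").split(".")           # supercorp.net -> supercorp, net
    return "-".join(labels + [str(year), prefix] + list(name_parts))


def make_ldap_display_name(common_name):
    """Derive the LDAP display name from a common name built by the rules above."""
    tokens = common_name.split("-")
    # The year is the first all-digit, four-character token; the prefix follows it,
    # then the class/attribute name parts. (A four-digit DNS label would confuse this.)
    year_index = next((i for i, t in enumerate(tokens) if re.fullmatch(r"\d{4}", t)), None)
    if year_index is None or year_index + 1 >= len(tokens):
        raise ValueError(f"{common_name!r} does not follow the common name rules")
    head = tokens[: year_index + 1]                    # DNS labels and year stay hyphenated
    prefix = tokens[year_index + 1]
    name_parts = tokens[year_index + 2:]
    prefix = prefix[:1].lower() + prefix[1:]           # first char of prefix lowercase
    camel = "".join(p[:1].upper() + p[1:] for p in name_parts)   # uppercase after each hyphen
    return "-".join(head) + "-" + prefix + camel       # hyphens after the prefix removed


def name_pair(dns_name, year, prefix, name_parts):
    """Both names for one class or attribute, as a (common name, LDAP display name) pair."""
    cn = make_common_name(dns_name, year, prefix, name_parts)
    return cn, make_ldap_display_name(cn)


if __name__ == "__main__":
    print(name_pair("supercorp.net", 2003, "Payroll", ["employee", "id"]))
    print(name_pair("supercorp.net", 2003, "Payroll", ["Cost", "Center"]))
```

Keeping the DNS name, year and prefix in the common name is what makes the names collision-free across vendors extending the same forest; the display name is the form that LDAP clients and scripts actually use, which is why the hyphens are stripped there.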


OID

  • OID space must be obtained separately

    • Not part of the registered DNS domain name

  • Two primary ways to obtain an OID space:

    • Through Microsoft

    • International Standards Organization (ISO)


Object Classes

  • Definition of each type of object

  • Like a template from which objects are created

  • Inheritance

  • Class types:

    • Structural classes

    • Abstract classes

    • Auxiliary classes

    • 88 classes


Object Classes (continued)

  • Possible superiors

    • Controls which types of objects a new object can be instantiated or moved under

    • Example: a user object cannot be created (or moved) under a printer object


Activity 4-2: Creating a Structural Class

  • Objective: Learn how to extend the Active Directory schema to include additional classes

  • Use Active Directory Schema to create a new class


Attributes

  • Schema contains a list of all possible attributes

  • Class is assigned both mandatory and optional attributes

  • Object is the sum of its attributes

  • Syntaxes

    • Define the data type an attribute can store
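How class types, inheritance, mandatory and optional attributes, syntaxes and possible superiors combine when an object is created, shown as a small schema checker. This is an added example, not code from the textbook or from Active Directory itself: the class and attribute names used (top, person, user, organizationalUnit, printQueue, mailRecipient, cn, ou, mail, sAMAccountName, userAccountControl) do exist in the real schema, but the definitions below are a deliberately simplified sketch constructed for the example, and the Schema class and its methods are invented here.

```python
"""Toy schema checker: class kinds, inheritance, attribute syntaxes, possible superiors.

Added example; the schema content is a constructed simplification of a few real AD classes.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AttributeDef:
    ldap_name: str
    syntax: str                                      # data type the attribute can store


@dataclass
class ClassDef:
    ldap_name: str
    kind: str                                        # 'structural', 'abstract' or 'auxiliary'
    superclass: Optional[str] = None
    must: list = field(default_factory=list)         # mandatory attributes
    may: list = field(default_factory=list)          # optional attributes
    auxiliaries: list = field(default_factory=list)  # auxiliary classes mixed in
    possible_superiors: list = field(default_factory=list)


# Syntax checks for the two syntaxes the sample schema uses.
SYNTAX_CHECKS = {
    "Unicode String": lambda v: isinstance(v, str),
    "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
}


class Schema:
    def __init__(self):
        self.attributes, self.classes = {}, {}

    def add(self, definition):
        target = self.attributes if isinstance(definition, AttributeDef) else self.classes
        target[definition.ldap_name] = definition

    def lineage(self, class_name):
        """The class, its auxiliary classes, and the same for each ancestor (inheritance)."""
        result, name = [], class_name
        while name is not None:
            cls = self.classes[name]
            result.append(cls)
            result.extend(self.classes[aux] for aux in cls.auxiliaries)
            name = cls.superclass
        return result

    def effective_attributes(self, class_name):
        """Mandatory and optional attribute sets once inheritance is applied."""
        must, may = set(), set()
        for cls in self.lineage(class_name):
            must.update(cls.must)
            may.update(cls.may)
        return must, may

    def validate(self, class_name, attrs, parent_class):
        """Reasons an object of class_name with attrs cannot be created under parent_class."""
        cls = self.classes.get(class_name)
        if cls is None:
            return [f"unknown class {class_name}"]
        errors = []
        if cls.kind != "structural":
            errors.append(f"{class_name} is {cls.kind}; only structural classes can be instantiated")
        if parent_class not in cls.possible_superiors:
            errors.append(f"{class_name} cannot be created or moved under {parent_class}")
        must, may = self.effective_attributes(class_name)
        for name in sorted(must - set(attrs)):
            errors.append(f"mandatory attribute {name} missing")
        for name, value in attrs.items():
            if name not in must and name not in may:
                errors.append(f"{name} is not defined for {class_name}")
            elif not SYNTAX_CHECKS[self.attributes[name].syntax](value):
                errors.append(f"{name} must be {self.attributes[name].syntax}")
        return errors


def sample_schema():
    """Constructed, simplified sketch of a few real Active Directory classes."""
    s = Schema()
    for name, syntax in [("cn", "Unicode String"), ("ou", "Unicode String"), ("mail", "Unicode String"),
                         ("sAMAccountName", "Unicode String"), ("userAccountControl", "Integer")]:
        s.add(AttributeDef(name, syntax))
    s.add(ClassDef("top", "abstract"))
    s.add(ClassDef("person", "abstract", superclass="top", must=["cn"]))
    s.add(ClassDef("mailRecipient", "auxiliary", superclass="top", may=["mail"]))
    s.add(ClassDef("user", "structural", superclass="person", must=["sAMAccountName"],
                   may=["userAccountControl"], auxiliaries=["mailRecipient"],
                   possible_superiors=["organizationalUnit", "container", "domainDNS"]))
    s.add(ClassDef("organizationalUnit", "structural", superclass="top", must=["ou"],
                   possible_superiors=["organizationalUnit", "domainDNS"]))
    s.add(ClassDef("printQueue", "structural", superclass="top", must=["cn"],
                   possible_superiors=["organizationalUnit", "container"]))
    return s


if __name__ == "__main__":
    schema = sample_schema()
    print(schema.validate("user", {"cn": "Lori Thompson"}, "printQueue"))
```

The checker reproduces the slides' example directly: creating a user under a printQueue is refused by the possible-superiors rule, a missing sAMAccountName is refused by the mandatory-attribute rule, and an abstract class such as person cannot be instantiated at all.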


Common Syntaxes


Common Syntaxes (continued)


Indexes

  • Similar in concept to the index in the back of a book

  • Store values (in order) for all objects that have a given attribute

  • Speed up queries

  • Slow down creation of objects and updating of attributes

  • Choose attributes that have highly unique values


Activity 4-4: Adding an Optional Attribute to a Class

  • Objective: Learn how to add additional attributes to a class

  • Use the Schema console to add an attribute to a class


Active Directory Partitions

  • Database is divided into groups called partitions, or naming contexts

    • Used to manage replication

  • Partitions:

    • Schema partition

    • Domain partition

    • Configuration partition

    • Application partition


Active Directory Partitions (continued)

  • ADSI Edit:

    • Included with Windows Server 2003 Support Tools

    • Used to view and modify objects in the various Active Directory partitions


Schema

  • Stores the schema

  • Contains definitions of all classes and attributes in the entire forest

  • Replicated to all domain controllers in the forest

    • Content is the same throughout the forest


Configuration

  • Stores information about the replication topology used in the forest

    • Specifies how a domain controller determines which other partners it replicates with

  • Found on all domain controllers

  • Same throughout the forest


Domain

  • Contains the users, computers, groups, and organizational units created in the Windows domain

  • Replicated to all domain controllers in the domain

  • Large amount of data

  • Usually the partition that changes most frequently


Application

  • Cannot contain security principals

  • Can be replicated to many different domains in the forest

    • Without necessarily being included on all domain controllers

  • Used when a developer wants to store information in Active Directory


Summary

  • Active Directory is made up of several layers:

    • Extensible Storage Engine (ESE)

    • Database layer

    • Directory Service Agent (DSA)

  • By logging all transactions, ESE can reapply transactions in the event of a system failure and bring the data back to a consistent state


Summary (continued)

  • All objects and attributes available in Active Directory are defined in the Active Directory schema

  • To effectively manage replication of Active Directory, the database is divided into groups called partitions