70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Presentation Transcript
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 4: Active Directory Architecture

Objectives

  • Describe the underlying database of Active Directory

  • Describe the Active Directory schema and how it can be extended

  • Describe the different Active Directory partitions and their functions

Active Directory Physical Database Storage

  • Layers

    • Provide the directory service

    • Include:

      • Extensible Storage Engine (ESE)

      • Database layer

      • Directory Service Agent (DSA)

Active Directory Layers (figure)

Active Directory Physical Database Storage (continued)

  • Extensible Storage Engine:

    • Lowest level

    • Directly responsible for manipulating the database

    • All objects stored in nonhierarchical form

      • Rows in database table

  • Database layer:

    • Responsible for providing object-oriented hierarchical view

  • Directory Service Agent:

    • Third layer

    • Responsible for enforcing rules

      • Govern how objects in Active Directory are created and manipulated

  • Only adjacent layers communicate with one another

Extensible Storage Engine

  • Active Directory store:

    • Transactional database

  • Transaction

    • Each addition, modification, or deletion

  • Needed data is loaded from disk to memory.

Extensible Storage Engine (continued)

  • Example: viewing the properties of a user account

  • ESE loads the user account data from disk into memory

    • Transaction

      • The operation is logged to the hard disk first

  • Modifications are made to the in-memory copy of the data

  • Manipulating the in-memory copy of the data is faster than going to disk

Extensible Storage Engine (continued)

  • The AD store can be many gigabytes in size

  • Storing the entire database in memory is not practical because of the finite amount of memory available

  • To solve this, ESE uses a least recently used (LRU) algorithm to decide what to write back to disk: data that has not been accessed or modified recently is the first to be written back

    • Move data that is no longer needed out of memory

    • Write changes back to the hard drive

      • When memory is running low

      • When the system is at a period of low activity

Extensible Storage Engine (continued)

  • Recovery (in case of driver crashes or UPS failure)

  • Transactions:

    • ESE writes all transactions to the log before they are made to the in-memory copy

    • The next time the domain controller starts, ESE can use the transactions recorded in the log

    • Reapply the changes to the copy of the data stored on the hard disk

    • Called recovering the database

    • Done without user intervention

Extensible Storage Engine (continued)

  • Checkpoints:

    • Shorten recovery times

    • Reduce the amount of hard drive space the logs take up

    • Completed transactions are written back to disk

    • The fact that the transactions were successfully written is noted

    • ESE only needs to reapply transactions from the point of the last checkpoint

    • Earlier transactions can be deleted from the log

  • Note:

    • Shutdown of a domain controller creates a checkpoint in the transaction log

    • When the server is started, ESE checks the log; if no checkpoint is present, a recovery is performed
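The log-first, checkpoint and replay cycle described on the last three slides, as an added toy model (constructed for this page, not ESE code or anything from the textbook): the log entry is written before the in-memory copy changes, a checkpoint flushes to the disk copy and truncates the log, and recovery replays only entries newer than the checkpoint. The object names and values are constructed.

```python
class ToyEseStore:
    def __init__(self):
        self.disk = {}       # committed copy of the database (think NTDS.DIT)
        self.memory = {}     # in-memory working copy of the data
        self.log = []        # transaction log (think EDB.LOG): (seq, op, key, value)
        self.checkpoint = 0  # last sequence number flushed to disk (think EDB.CHK)

    def transaction(self, op, key, value=None):
        """Log the change to disk first, then apply it to the in-memory copy."""
        seq = self.checkpoint + len(self.log) + 1
        self.log.append((seq, op, key, value))
        self._apply(self.memory, op, key, value)
        return seq

    @staticmethod
    def _apply(table, op, key, value):
        if op == "set":
            table[key] = value
        elif op == "delete":
            table.pop(key, None)

    def make_checkpoint(self):
        """Write completed transactions back to disk, note the point, truncate the log."""
        self.disk = dict(self.memory)
        if self.log:
            self.checkpoint = self.log[-1][0]
        self.log = []

    def recover(self):
        """Replay log entries newer than the checkpoint onto the disk copy."""
        self.memory = dict(self.disk)
        replayed = 0
        for seq, op, key, value in self.log:
            if seq > self.checkpoint:
                self._apply(self.memory, op, key, value)
                replayed += 1
        return replayed


def run_scenario():
    """Constructed scenario: checkpoint, one logged-only change, crash, recover."""
    store = ToyEseStore()
    store.transaction("set", "CN=Lori Thompson", "Research")
    store.transaction("set", "CN=Pat Lee", "Sales")
    store.make_checkpoint()                       # both users now on disk, log empty
    store.transaction("set", "CN=Lori Thompson", "Development")  # logged, not on disk
    store.memory = {}                             # abnormal stop: in-memory copy lost
    replayed = store.recover()
    return replayed, store.memory, store.disk
```

After recovery the in-memory copy carries the logged-only change while the disk copy still shows the state at the last checkpoint; the next checkpoint closes that gap.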

Active Directory File Structure

  • Files needed by ESE to maintain Active Directory store integrity:

    • NTDS.DIT

    • EDB.LOG

    • EDB.CHK

    • RES1.LOG and RES2.LOG

    • TEMP.EDB

Active Directory Files (figure)

NTDS.DIT

  • This is the main AD database

  • NTDS stands for NT Directory Services

  • DIT stands for Directory Information Tree

  • Stores all objects and their attributes

  • Located in the %SYSTEMROOT%\NTDS folder on domain controllers

  • Made up of three tables:

    • Schema table

    • Data table

    • Link table

EDB.LOG

  • This is a transaction log

  • Any changes made to objects in Active Directory are first saved to a transaction log

  • During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database

  • This ensures that the database can be recovered in the event of a system crash

  • Entries that have not been committed to Ntds.dit are kept in memory to improve performance

  • Transaction log files used by the ESE engine are always 10 MB

EDBXXXXX.LOG

  • Auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit

  • When EDB.LOG is full, it is renamed to EDBXXXXX.LOG

  • The original Edb.log file is renamed to Edb00001.log, EdbXXXXX.log is renamed to Edb.log, and the process starts over again

  • Excess log files are deleted after they have been committed

    • Every 12 hours:

      • The garbage-collection process runs

      • Deletes old EDBXXXXX.LOG files

  • You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending

EDB.CHK

  • This is a checkpoint file

    • It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit

  • System recovering from failure

    • As transactions are committed, the checkpoint moves forward in the EDB.CHK file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination

RES1.LOG and RES2.LOG

  • These are reserve log files

  • If the domain controller runs out of free disk space, ESE uses the space reserved by these files

  • Prevents updates from being lost due to insufficient disk space

  • The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted

  • You should never let a volume containing Active Directory files get even close to being full

    • Important:

      • Include additional free space to store the Active Directory database as it grows

TEMP.EDB

  • Temporary storage space

  • Holds large transactions while they are in process

  • Used during maintenance operations

LDAP

  • When Microsoft decided to replace the clumsy Registry-based account management system in classic NT with a true directory service, rather than devise a proprietary directory service of their own, they chose to adopt LDAP

  • Lightweight Directory Access Protocol

  • Primary protocol for accessing information directories

  • Vital to understand how to use LDAP naming paths

LDAP (continued)

  • DN (Distinguished Name)

    • Every object in Active Directory has a unique name

    • Describes exactly where the object is located in the object hierarchy

    • Made up of:

      • Name of the object

      • All of the parent objects above it in the hierarchy

LDAP (continued)

  • RDN (Relative Distinguished Name)

    • Identifies the object within its container

    • Contains only the name of the object

  • Acronyms for object names:

    • DC (Domain Component)

      • Part of a domain name

    • OU (Organizational Unit)

      • Name of an organizational unit

    • CN (Common Name)

      • Name of most objects

LDAP (continued)

  • Name example:

    • Lori Thompson located in the dev.supercorp.net domain in the Research organizational unit

    • DN (components listed leaf first):

      • CN=Lori Thompson

      • OU=Research

      • DC=dev, DC=supercorp, DC=net

    • Written as one path: CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net

    • RDN: CN=Lori Thompson
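The DN and RDN concepts from the last three slides in working code, as an added example that is not part of the textbook: it builds the Lori Thompson DN from its components, splits a DN into its RDNs, and returns the RDN and the parent path. It assumes the RFC 2253 convention that a comma inside a value is escaped with a backslash (the slides do not discuss escaping); the function names are the example's own.

```python
import re

# Split a DN on commas that are not escaped with a backslash (RFC 2253 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of (attribute type, value) pairs, leaf first."""
    parts = []
    for component in _RDN_SPLIT.split(dn):
        attr_type, sep, value = component.strip().partition("=")
        if not sep or not attr_type:
            raise ValueError(f"malformed RDN: {component!r}")
        parts.append((attr_type.strip().upper(), value))
    return parts


def rdn(dn):
    """The RDN identifies the object within its container: the first component only."""
    attr_type, value = parse_dn(dn)[0]
    return f"{attr_type}={value}"


def parent_dn(dn):
    """Everything above the object in the hierarchy (empty string for a top-level component)."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn)[1:])


def build_dn(common_name, ou_path, dns_domain):
    """Compose a DN from the object name, its OU path (listed top-down) and the DNS domain name."""
    value = common_name.replace(",", r"\,")   # escape commas inside the value
    components = [f"CN={value}"]
    components += [f"OU={ou}" for ou in reversed(ou_path)]   # deepest OU comes first
    components += [f"DC={label}" for label in dns_domain.split(".")]
    return ",".join(components)
```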

Active Directory Schema

  • All available objects and attributes

  • Sets out exactly:

    • What kinds of objects are represented

    • What properties or attributes are required or optional

    • What types of values are acceptable

  • The tool needed to modify the schema is not available by default; it must be registered with regsvr32 schmmgmt.dll

Activity 4-1: Registering the Active Directory Schema Console

  • Objective: Register the Active Directory Schema snap-in so you can view and modify the schema

  • Follow the instructions to register the console

Naming

  • Every object class and attribute in the schema must have:

    • A unique common name

    • An LDAP display name

    • An Object Identifier (OID)

Common Name Rules

  • Start the name with the registered DNS name of the company

  • Separate each level of the DNS name with hyphens (-) instead of periods

  • Add another hyphen (-) at the end of the company's name

  • Enter the current year

  • Follow the year with another hyphen (-)

Common Name Rules (continued)

  • Choose a product-specific prefix

    • Must be unique within the company

    • Identifies the product or application of the class or attribute

    • Should begin with an uppercase letter, with additional letters using the capitalization of your choice

  • Follow the product-specific prefix with a hyphen (-)

  • Enter the name of the class or attribute, with words separated by hyphens

LDAP Display Name Rules

  • Start with the common name already created for the class or attribute

  • Make the first character of the product-specific prefix lowercase

    • Characters following the first character may be uppercase or lowercase

LDAP Display Name Rules (continued)

  • Make every character in the class or attribute part of the name that is preceded by a hyphen (-) uppercase

  • Remove all hyphens (-) after the product-specific prefix
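The common name and LDAP display name rules from the last four slides applied mechanically, as an added example (not from the textbook): it derives both names for a new class or attribute and rejects a prefix that does not start with an uppercase letter. The company name, year, prefix and attribute words are constructed, and the function names are the example's own.

```python
def common_name(company_dns, year, prefix, name_words):
    """Common name per the rules above: DNS labels joined by hyphens, then the year,
    then the product-specific prefix, then the class/attribute words, all hyphenated."""
    if not (prefix[:1].isupper() and prefix.isalnum()):
        raise ValueError("prefix must start with an uppercase letter and be alphanumeric")
    if not name_words:
        raise ValueError("class or attribute name must have at least one word")
    return "-".join([*company_dns.lower().split("."), str(year), prefix, *name_words])


def ldap_display_name(cn, prefix):
    """Derive the LDAP display name from the common name: lowercase the first character
    of the prefix, uppercase the first character of each hyphen-separated word after it,
    and remove the hyphens after the prefix (hyphens before the prefix stay)."""
    head, sep, tail = cn.partition(f"-{prefix}-")
    if not sep:
        raise ValueError(f"prefix {prefix!r} not found in common name {cn!r}")
    camel = "".join(word[:1].upper() + word[1:] for word in tail.split("-"))
    return f"{head}-{prefix[:1].lower()}{prefix[1:]}{camel}"


def schema_names(company_dns, year, prefix, name_words):
    """Return (common name, LDAP display name) for a new class or attribute."""
    cn = common_name(company_dns, year, prefix, name_words)
    return cn, ldap_display_name(cn, prefix)
```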

OID

  • OID space must be obtained separately

    • Not part of the registered DNS domain name

  • Two primary ways to obtain an OID space:

    • Through Microsoft

    • Through the International Standards Organization (ISO)

Object Classes

  • Definition of each type of object

  • Like a template from which objects are created

  • Inheritance

  • Class types:

    • Structural classes

    • Abstract classes

    • Auxiliary classes

    • 88 classes (classes defined under the 1988 X.500 specification)

Object Classes (continued)

  • Possible superiors

    • Control which types of objects a new object can be instantiated or moved under

    • Example: a user object cannot be created (or moved) under a printer object

Activity 4-2: Creating a Structural Class

  • Objective: Learn how to extend the Active Directory schema to include additional classes

  • Use the Active Directory Schema console to create a new class

Attributes

  • The schema contains a list of all possible attributes

  • A class is assigned both mandatory and optional attributes

  • An object is the sum of its attributes

  • Syntaxes

    • Define the data type an attribute can store

Common Syntaxes (figure)

Common Syntaxes (continued) (figure)

Indexes

  • Similar in concept to the index in the back of a book

  • Store values (in order) for all objects that have a given attribute

  • Speed up queries

  • Slow down the creation of objects and the updating of attributes

  • Choose attributes that have highly unique values

Activity 4-4: Adding an Optional Attribute to a Class

  • Objective: Learn how to add additional attributes to a class

  • Use the Schema console to add an attribute to a class

Active Directory Partitions

  • The database is divided into groups called partitions, or naming contexts

    • Used to manage replication

  • Partitions:

    • Schema partition

    • Domain partition

    • Configuration partition

    • Application partition

Active Directory Partitions (continued)

  • ADSI Edit:

    • Included with the Windows Server 2003 Support Tools

    • Used to view and modify objects in the various Active Directory partitions

Schema

  • Stores the schema

  • Contains the definitions of all classes and attributes in the entire forest

  • Replicated to all domain controllers in the forest

    • Content is the same throughout the forest

Configuration

  • Stores information about the replication topology used in the forest

    • Specifies how a domain controller determines which partners it replicates with

  • Found on all domain controllers

  • Same throughout the forest

Domain

  • Contains the users, computers, groups, and organizational units created in a Windows domain

  • Replicated to all domain controllers in the domain

  • Large amount of data

  • Usually the partition that changes most frequently

Application

  • Cannot contain security principals

  • Can be replicated to many different domains in the forest

    • Without necessarily being included on all domain controllers

  • Used when a developer wants to store information in Active Directory

Summary

  • Active Directory is made up of several layers:

    • Extensible Storage Engine (ESE)

    • Database layer

    • Directory Service Agent (DSA)

  • By logging all transactions, ESE can reapply transactions in the event of a system failure and bring the data back to a consistent state

Summary (continued)

  • All objects and attributes available in Active Directory are defined in the Active Directory schema

  • To effectively manage replication of Active Directory, the database is divided into groups called partitions