Introduction to Active Directory Directory Services • Uniquely identify users and resources on a network • Provide a single point of network management
What Are Active Directory Directory Services? The directory service included with Microsoft Windows 2000 Server products • A directory service is a network service. • A directory service identifies all resources on a network. • A directory service makes those resources available to users and applications, who locate them by name.
What Are Active Directory Directory Services? (continued) Active Directory directory services include the Directory. • The Directory stores information about network resources. • Resources stored in the Directory are referred to as objects.
Simplified Administration Active Directory directory services organize resources hierarchically in domains. • A domain is a logical grouping of servers and other network resources under a single domain name. • A domain is the basic unit of replication and of security policy. • A domain includes at least one domain controller.
Simplified Administration (continued) Active Directory directory services provide • A single point of administration for all objects on the network • A single point of logon for all network resources
Scalability • The Directory stores information by organizing itself into sections (directory partitions) that permit storage for a huge number of objects. • The Directory can expand to meet the needs of • Small installations with one server and a few hundred objects. • Huge installations with hundreds of servers and millions of objects.
Open Standards Support Active Directory directory services • Integrate the Internet concept of a namespace with the Windows 2000 directory service • Allow you to unify and manage multiple namespaces • Use DNS as the name system • Exchange information with any application or directory that uses LDAP or HTTP
Domain Name System • DNS is the domain naming and locator service for Active Directory: domain controllers register SRV records so that clients can find them. • Windows 2000 domain names are also DNS names. • Windows 2000 Server supports dynamic DNS (DDNS) updates. • Clients can update the DNS zone dynamically. On Active Directory-integrated zones, allow only secure dynamic updates, so that a record can be changed only by the authenticated account that registered it; unsecured dynamic update lets any host on the network overwrite another host's records. • DDNS removes the need for manual record maintenance, and for Windows 2000 clients it removes the need for WINS; WINS may still be required for older clients.
Support for LDAP and HTTP • LDAP is an Internet standard for accessing directory services. • HTTP is the standard protocol for displaying pages on the World Wide Web. • You can display every object in Active Directory as an HTML page in a Web browser.
Logical Structure • The logical structure is separate from the physical structure. • Organize resources in a logical structure. • Find a resource by its name rather than its physical location. • The network’s physical structure is transparent to the users.
Domain • The domain is the core unit of logical structure. • All network objects exist within a domain. • A domain stores information about only the objects that it contains. • A practical limit to the number of objects in a domain is 1 million.
A Domain Is a Security Boundary • Access to domain objects is controlled by access control lists (ACLs). • An object's discretionary ACL is a list of access control entries (ACEs), each of which grants or denies specific permissions to a user or group; a separate system ACL records which accesses are audited. • ACLs control which users can gain access to an object. • ACLs control which type of access (read, write, create child, delete, and so on) users can gain to the object. • Security policies and settings do not cross from one domain to another. • A domain administrator has absolute rights to set policies only within that domain. • Caveat: the domain is an administrative and policy boundary, but the forest is the true security boundary. Domain administrators in any domain of a forest can affect the other domains of that forest, so a domain whose administrators are not fully trusted by the rest of the organization belongs in a separate forest.
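Worked example, added here and not part of the original training deck: a simplified Python model of how the discretionary ACL on an object decides whether a caller is granted the access it asks for. The evaluation order (explicit deny, explicit allow, inherited deny, inherited allow) and the short-circuit on a matching deny follow the Windows access check; the right bits, the SIDs, the group membership and the ACL itself are constructed for illustration and are far simpler than real object-specific ACEs.

```python
from dataclasses import dataclass

# Added example, not code from the original deck. Constructed right bits; real AD
# uses ADS_RIGHTS_ENUM, which also carries per-property and per-child-class rights.
READ_PROP    = 0x0001
WRITE_PROP   = 0x0002
DELETE       = 0x0004
READ_CONTROL = 0x0008   # read the security descriptor
WRITE_DAC    = 0x0010   # change the discretionary ACL

EVERYONE = 'S-1-1-0'    # well-known SID for the Everyone group


@dataclass(frozen=True)
class Ace:
    allow: bool          # True = access-allowed ACE, False = access-denied ACE
    trustee: str         # SID of the user or group the ACE applies to
    mask: int            # rights granted or denied
    inherited: bool = False


def canonical_order(dacl):
    """Windows canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, token_sids, requested, owner_sid=None):
    """Return True when a token holding token_sids is granted every bit in requested."""
    if dacl is None:                      # a NULL DACL grants everyone full access
        return True
    remaining = requested
    if owner_sid is not None and owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)   # the owner's implicit rights
    for ace in canonical_order(dacl):
        if remaining == 0:                # everything requested has been granted
            break
        if ace.trustee not in token_sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False                  # a deny on any still-needed right ends the check
    return remaining == 0                 # empty DACL, or no matching allow: denied


# Constructed domain SIDs for the walkthrough (hypothetical domain identifier).
SALES_GROUP = 'S-1-5-21-1000-2000-3000-1101'
JSMITH      = 'S-1-5-21-1000-2000-3000-1105'

# Constructed DACL on a user object: everyone may read (inherited), the Sales group
# may read and write, but jsmith personally is denied writes.
USER_OBJECT_DACL = [
    Ace(allow=True,  trustee=EVERYONE,    mask=READ_PROP, inherited=True),
    Ace(allow=True,  trustee=SALES_GROUP, mask=READ_PROP | WRITE_PROP),
    Ace(allow=False, trustee=JSMITH,      mask=WRITE_PROP),
]


def jsmith_can(requested):
    """Access check for jsmith, whose token carries his own SID plus Sales and Everyone."""
    return access_check(USER_OBJECT_DACL, {JSMITH, SALES_GROUP, EVERYONE}, requested)
```

Two things the model makes visible: the explicit deny on jsmith beats the allow his group carries because denies are evaluated first, and an inherited deny does not beat an explicit allow on the same object because explicit ACEs are evaluated before inherited ones; a DACL that is empty denies everyone, while a DACL that is absent (NULL) allows everyone, which is why tools that report "no permissions set" on an object deserve a second look.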
Tree • A tree is a grouping of one or more Windows 2000 domains. • All domains within a single tree share a contiguous namespace. • The DNS name of a child domain is the relative name of that child domain prepended to the name of the parent domain (a child named sales under contoso.com is sales.contoso.com). • All domains within a single tree share a common schema. • All domains within a single tree share a common global catalog.
Forest • A forest is a grouping of one or more domain trees. • The trees in a forest form a disjoint namespace: each tree has its own root DNS name. • All trees in a forest share a common schema. • Trees in a forest have different naming structures. • All domains in a forest share a common global catalog. • Domains in a forest are administered independently but are linked by two-way transitive trusts, so an account in any domain can be granted access to resources in any other domain of the forest.
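Worked example, added here and not part of the original training deck: a small Python routine that reconstructs the tree structure of a forest from the DNS names of its domains, using the contiguous-namespace rule from the two slides above. A domain belongs to the tree of its nearest ancestor name that is itself a forest domain, and a domain with no such ancestor is a tree root. The forest below is constructed; the names are not real domains.

```python
# Added example, not code from the original deck. Constructed sample forest.
SAMPLE_FOREST = [
    'contoso.com', 'sales.contoso.com', 'eu.sales.contoso.com',   # one tree
    'fabrikam.com', 'west.fabrikam.com',                          # a second tree
    'contoso.net',                                                # a third tree, despite the look-alike name
]


def forest_structure(domain_names):
    """Return {domain: parent_domain_or_None} derived from contiguous DNS names.

    Names are processed from fewest labels to most, so every possible ancestor
    has already been seen by the time a descendant is examined.
    """
    names = sorted({n.strip('.').lower() for n in domain_names}, key=lambda n: n.count('.'))
    parent_of = {}
    for name in names:
        labels = name.split('.')
        parent = None
        # Walk up the name one label at a time; the first forest domain found is the parent.
        for i in range(1, len(labels)):
            ancestor = '.'.join(labels[i:])
            if ancestor in parent_of:
                parent = ancestor
                break
        parent_of[name] = parent
    return parent_of


def tree_root(domain, parent_of):
    """Follow parent links up to the domain with no parent: the tree root."""
    while parent_of[domain] is not None:
        domain = parent_of[domain]
    return domain


def trees(parent_of):
    """Group domains by tree root: {root: sorted list of every domain in that tree}."""
    grouped = {}
    for domain in parent_of:
        grouped.setdefault(tree_root(domain, parent_of), []).append(domain)
    return {root: sorted(members) for root, members in grouped.items()}


def same_tree(a, b, parent_of):
    """True when two domains share a contiguous namespace (same tree root)."""
    return tree_root(a, parent_of) == tree_root(b, parent_of)


def child_domain_name(relative_name, parent):
    """A child domain's DNS name is its relative name prepended to the parent's name."""
    return f'{relative_name}.{parent}'
```

Note that contoso.net lands in its own tree even though it is administered by the same fictional company as contoso.com: tree membership is decided purely by DNS label contiguity, not by organization, which is why a forest can contain several trees while still being one unit of schema, global catalog and trust.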
Sites • The physical structure is based on sites. • A site is a combination of one or more well-connected IP subnets. • Typically a site has the same boundaries as a LAN. • Sites are not part of the logical namespace. • Sites contain server objects for the domain controllers located in them and the connection objects that define replication between those domain controllers.
Replication Within a Site • The Active Directory directory services include a replication feature. • Replication ensures that changes made on one domain controller are reflected on all domain controllers within a domain. • Within a site the links are assumed to be fast, so replication is frequent and uncompressed.
Functions of Domain Controllers in a Domain • Store a complete, writable copy of the domain's directory partition, plus the forest-wide schema and configuration partitions • Replicate all objects in the domain to each other automatically • Replicate certain important updates, such as account lockouts, immediately • Use multimaster replication: every domain controller accepts changes, so a change made on any one of them, legitimate or not, propagates to all the others • Provide fault tolerance • Handle all user-domain interactions, such as authenticating logons
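Worked example, added here and not part of the original training deck: a toy Python model of the multimaster replication described in the two slides above. Every domain controller accepts originating writes, each attribute value carries a stamp (version, originating time, originating DC), and when two controllers hold different values for the same attribute the higher stamp wins, so all replicas converge. The stamp ordering is the one Active Directory uses for attribute conflicts; the DC names, attribute names and timestamps are constructed, and real replication works with update sequence numbers and change notifications that this model leaves out.

```python
from dataclasses import dataclass


# Added example, not code from the original deck.
@dataclass(order=True, frozen=True)
class Stamp:
    """Per-attribute replication stamp; tuple ordering gives the conflict rule."""
    version: int           # incremented on every originating write
    originating_time: int  # constructed clock in seconds; breaks ties at equal version
    originating_dc: str    # constructed DC name; real AD uses the DC's invocation ID GUID


class DomainController:
    def __init__(self, name):
        self.name = name
        self.attrs = {}    # attribute name -> (Stamp, value)

    def originating_write(self, attr, value, at):
        """A change made directly on this DC (by an admin, or by anyone who controls the DC)."""
        previous = self.attrs.get(attr)
        version = previous[0].version + 1 if previous else 1
        self.attrs[attr] = (Stamp(version, at, self.name), value)

    def replicate_from(self, source):
        """Pull the partner's attributes; keep whichever stamp compares higher. Returns #applied."""
        applied = 0
        for attr, (stamp, value) in source.attrs.items():
            mine = self.attrs.get(attr)
            if mine is None or stamp > mine[0]:
                self.attrs[attr] = (stamp, value)
                applied += 1
        return applied

    def value(self, attr):
        return self.attrs[attr][1]


def converge(dcs):
    """Replicate pairwise until a full cycle applies nothing: the replicas agree."""
    while True:
        applied = sum(dst.replicate_from(src) for src in dcs for dst in dcs if src is not dst)
        if applied == 0:
            return


def conflicting_edits_demo():
    """Two DCs edit the same attribute between replication cycles; show which value wins."""
    dc1, dc2 = DomainController('DC1'), DomainController('DC2')
    dc1.originating_write('description', 'initial', at=0)
    converge([dc1, dc2])

    # Case A: one edit on each DC before replication. Same version, so the later
    # originating time wins (DC1's edit at t=10 beats DC2's at t=5).
    dc2.originating_write('description', 'edited on DC2', at=5)
    dc1.originating_write('description', 'edited on DC1', at=10)
    converge([dc1, dc2])
    winner_a = dc1.value('description')

    # Case B: two edits on DC2 against one later edit on DC1. The higher version
    # wins even though DC1's single edit happened last.
    dc2.originating_write('description', 'dc2 first', at=20)
    dc2.originating_write('description', 'dc2 second', at=21)
    dc1.originating_write('description', 'dc1 later', at=30)
    converge([dc1, dc2])
    winner_b = dc1.value('description')

    return winner_a, winner_b, dc1.attrs == dc2.attrs
```

The security reading of this model: there is no primary copy to protect. A write accepted by any domain controller becomes the authoritative value everywhere once it replicates, so every domain controller has to be protected to the same standard, and an unexpected originating DC in a change is itself something worth alerting on.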
Schema • Contains a formal definition of the contents and structure of Active Directory directory services • Defines the object classes and the attributes that each object class must or may have
Default Schema • Created by installing Active Directory on first computer in a new forest • Contains definitions of commonly used objects and properties • Contains definitions of objects and properties used by Active Directory
Extensible Schema • You can define new directory object types (classes) and attributes. • You can define new attributes for existing object classes. • You can extend the schema • By using LDAP Data Interchange Format (LDIF) files, for example with Ldifde.exe. • Programmatically, by using the Active Directory Services Interface (ADSI). • By using the Active Directory Schema snap-in. • The schema is stored in its own directory partition, which is replicated to every domain controller in the forest, and it can be updated dynamically without restarting domain controllers. • Caveats: schema changes are made on the schema operations master, require membership in the Schema Admins group, and are permanent; a class or attribute can be deactivated but not deleted, so test every extension in a lab forest first and keep Schema Admins empty except while a change is being made.
Global Catalog Servers • Installing Active Directory on the first computer in a new forest makes that domain controller a global catalog server. • The Active Directory Sites and Services snap-in allows you to designate additional global catalog servers. • More global catalog servers means more replication traffic. • More global catalog servers can provide quicker responses. • Every major site should have a global catalog server, because logon in a native-mode domain and logon by user principal name both require one.
Naming Conventions • Every object in Active Directory is identified by a name. • Active Directory uses a variety of naming conventions.
Distinguished Name • Every object has a distinguished name (DN). • The DN uniquely identifies the object at its current position in the directory. • The DN contains sufficient information for a client to retrieve the object. • The DN includes the name of the domain that holds the object, as DC= components (DC=contoso,DC=com for a domain named contoso.com). • The DN includes the complete path to the object, as a chain of relative distinguished names from the object itself up to the domain root. • The DN changes when the object is renamed or moved.
Globally Unique Identifier • A globally unique identifier (GUID) is a 128-bit number that is, for all practical purposes, guaranteed to be unique. • GUIDs are assigned when the object is created and stored in the objectGUID attribute. • The GUID for an object never changes, even when the object is renamed or moved. • Applications that need a stable reference to an object should store its GUID rather than its DN, and use the GUID to retrieve the object regardless of its current DN.
User Principal Name • User accounts have a friendly logon name, the user principal name (UPN), of the form user@suffix. • By default the UPN is composed of the user's logon name and the DNS name of the domain where the user account object resides, but any alternative UPN suffix registered for the forest can be used in its place. • The UPN must be unique across the forest, and a global catalog is consulted to resolve it at logon.
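Worked example, added here and not part of the original training deck: Python helpers for the three names described in the preceding slides. They parse a distinguished name into its relative distinguished names (honouring RFC 4514 backslash escaping, which matters because names such as CN=Smith\, John contain the separator character), derive the holding domain and the parent container from it, build the default UPN, and show the two GUID representations a practitioner meets: the 16 raw bytes LDAP returns for objectGUID (Windows little-endian field order) and the <GUID=...> form Active Directory accepts in place of a DN. The sample DN, account name and GUID are constructed.

```python
import re
import uuid

# Added example, not code from the original deck.
# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')
_HEX_PAIR = re.compile(r'^[0-9A-Fa-f]{2}$')


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...] from the object up to the root.

    "\\," and "\\2C" are both read as a literal comma, so escaped separators in a
    value do not split it. Multi-valued RDNs joined with '+' are not handled.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and _HEX_PAIR.match(pair):
                current.append(chr(int(pair, 16)))   # \XX hex escape
                i += 3
            else:
                current.append(dn[i + 1])            # \c single-character escape
                i += 2
            continue
        if ch == ',':
            rdns.append(''.join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append(''.join(current))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f'RDN without "=": {rdn!r}')
        parsed.append((attr.strip().upper(), value))
    return parsed


def escape_rdn_value(value):
    """Re-apply RFC 4514 escaping so a value can be placed back into a DN."""
    out = ''.join('\\' + c if c in _SPECIAL else c for c in value)
    if value.endswith(' '):
        out = out[:-1] + '\\ '
    if out[:1] in (' ', '#'):
        out = '\\' + out
    return out


def format_dn(parsed):
    return ','.join(f'{attr}={escape_rdn_value(value)}' for attr, value in parsed)


def domain_of(dn):
    """DNS name of the domain holding the object, read from its DC= components."""
    return '.'.join(value for attr, value in parse_dn(dn) if attr == 'DC')


def parent_dn(dn):
    """DN of the container one level up: the object's own RDN removed."""
    return format_dn(parse_dn(dn)[1:])


def default_upn(logon_name, dn):
    """Default UPN: logon name @ DNS name of the object's own domain.
    A forest may register alternative suffixes that replace the domain name; not modelled here."""
    return f'{logon_name}@{domain_of(dn)}'


def guid_from_ldap_bytes(raw):
    """Decode the 16-byte objectGUID value as returned over LDAP (little-endian layout)."""
    return uuid.UUID(bytes_le=bytes(raw))


def guid_bind_dn(object_guid):
    """The <GUID=...> form AD accepts in place of a DN, stable across renames and moves."""
    return f'<GUID={uuid.UUID(str(object_guid))}>'


# Constructed sample object for the walkthrough.
SAMPLE_DN = 'CN=Smith\\, John,OU=Sales,DC=contoso,DC=com'
SAMPLE_GUID = uuid.UUID('12345678-1234-5678-1234-567812345678')
```

Splitting on every comma would turn CN=Smith\, John into two bogus RDNs and misreport the parent container, which is exactly the kind of mistake that lets a crafted display name confuse a script that builds DNs by string concatenation; parse, then re-escape when building, and hold on to the GUID when the reference must survive a rename.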