70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 4: Active Directory Architecture
Objectives
  • Describe the underlying database of Active Directory
  • Describe the Active Directory schema and how it can be extended
  • Describe the different Active Directory partitions and their functions
Active Directory Physical Database Storage
  • Layers
    • Provide the directory service
    • Include:
      • Extensible Storage Engine (ESE)
      • Database layer
      • Directory Service Agent (DSA)
Active Directory Physical Database Storage
  • Extensible Storage Engine:
    • Lowest level
    • Directly responsible for manipulating database
    • All objects stored in nonhierarchical form
      • Rows in database table
  • Database layer:
    • Responsible for providing object-oriented hierarchical view
  • Directory Service Agent:
    • Third layer
    • Responsible for enforcing rules
      • Govern how objects in Active Directory are created and manipulated
  • Only adjacent layers communicate with one another
Extensible Storage Engine
  • Active Directory store:
    • Transactional database
  • Transaction
    • Each addition, modification, or deletion
  • Needed data is loaded from disk to memory.
Extensible Storage Engine (continued)
  • Example: Viewing properties of a user account
    • ESE loads the user account data from disk into memory.
  • Transaction:
    • The operation is logged to the hard disk first.
    • The modification is then made to the in-memory copy of the data.
  • Manipulating the in-memory copy of the data is faster than going to disk.
Extensible Storage Engine (continued)
  • AD store can be many gigabytes in size.
  • Storing the entire database in memory is not practical because of the finite amount of memory available.
  • To solve this, ESE uses a least recently used (LRU) algorithm to decide what to write to disk: data that has not been accessed or modified recently is the first to be written back.
    • Moves out data that is no longer needed
    • Writes changes back to the hard drive:
      • When memory is running low
      • When the system is at a period of low activity
Extensible Storage Engine (continued)
  • In case of failures (driver crashes, UPS failure):
  • Transactions:
    • ESE writes all transactions to the log before they are made to the in-memory copy
    • The next time the domain controller starts, ESE can use the transactions recorded in the log
    • Reapplies the changes to the copy of the data stored on the hard disk
    • Called recovering the database
    • Done without user intervention
Extensible Storage Engine (continued)
  • Checkpoints:
    • Shorten recovery times
    • Reduce the amount of hard drive space the logs take up
    • Completed transactions are written back to disk
    • The fact that the transactions were successfully written is noted
    • ESE only needs to reapply transactions from the point of the last checkpoint
    • Earlier transactions can be deleted from the log
  • Note:
    • Shutdown of a domain controller creates a checkpoint in the transaction log.
    • When the server is started, ESE checks the log; if no checkpoint is present, a recovery is performed.
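The log-first rule, the checkpoint and the crash recovery described on the preceding ESE slides, as an added Python simulation (a simplified model written for this page, not ESE or textbook code; the object names are constructed sample data):

```python
# Added simulation (not ESE or textbook code) of the log-first rule, the
# checkpoint, and crash recovery described on the preceding ESE slides.
import json

class EseLikeStore:
    def __init__(self):
        self.disk = {}       # on-disk copy, plays the role of NTDS.DIT
        self.cache = {}      # in-memory copy that transactions actually modify
        self.log = []        # transaction log, one JSON record per line (EDB.LOG)
        self.checkpoint = 0  # records before this index are on disk (EDB.CHK)

    @staticmethod
    def _apply(table, rec):
        if rec["op"] == "delete":
            table.pop(rec["key"], None)
        else:                # "add" and "modify" both set the object's attributes
            table[rec["key"]] = rec["value"]

    def transaction(self, op, key, value=None):
        rec = {"op": op, "key": key, "value": value}
        self.log.append(json.dumps(rec))   # 1. written to the log first
        self._apply(self.cache, rec)       # 2. only then applied in memory

    def write_checkpoint(self):
        # Low activity or clean shutdown: flush completed transactions to disk
        # and note the point reached; older log records are no longer needed.
        for line in self.log[self.checkpoint:]:
            self._apply(self.disk, json.loads(line))
        self.checkpoint = len(self.log)

    def recover(self):
        # Next start: reapply only the records after the last checkpoint.
        pending = self.log[self.checkpoint:]
        for line in pending:
            self._apply(self.disk, json.loads(line))
        self.checkpoint = len(self.log)
        self.cache = dict(self.disk)
        return len(pending)

def demo():
    s = EseLikeStore()
    s.transaction("add", "CN=Lori Thompson", {"title": "Engineer"})
    s.write_checkpoint()                  # first change is safely on disk
    s.transaction("modify", "CN=Lori Thompson", {"title": "Manager"})
    s.transaction("add", "CN=Bob Jones", {"title": "Analyst"})
    s.cache = {}                          # power loss: memory gone, disk + log survive
    replayed = s.recover()                # -> 2 records replayed from the log
    s.write_checkpoint()                  # clean shutdown checkpoints the log
    return replayed, s.recover(), s.disk  # second recover replays 0 records
```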
Active Directory File Structure
  • Files needed by ESE to maintain Active Directory Store integrity:
    • NTDS.DIT
    • EDB.LOG
    • EDB.CHK
    • RES1.LOG and RES2.LOG
    • TEMP.EDB
NTDS.DIT
  • This is the main AD database.
  • NTDS stands for NT Directory Services.
  • The DIT stands for Directory Information Tree.
  • Stores all objects and their attributes
  • Located in the %SYSTEMROOT%\NTDS folder on domain controllers
  • Made up of three tables:
    • Schema table
    • Data table
    • Link table
EDB.LOG
  • This is a transaction log.
  • Any changes made to objects in Active Directory are first saved to a transaction log.
  • During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database.
  • This ensures that the database can be recovered in the event of a system crash.
  • Entries that have not been committed to Ntds.dit are kept in memory to improve performance.
  • Transaction log files used by the ESE engine are always 10MB.
EDBXXXXX.LOG
  • Auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit.
  • When EDB.LOG is filled, it is renamed to EDBXXXXX.LOG
  • The original Edb.log file is renamed to Edb00001.log, and EdbXXXXX.log is renamed to Edb.log file, and the process starts over again.
  • Excess log files are deleted after they have been committed.
    • Every 12 hours:
      • Garbage-collection process runs
      • Deletes old EDBXXXXX.LOG
  • You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.
EDB.CHK
  • This is a checkpoint file
    • It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit.
  • System recovery from failure:
    • As transactions are committed, the checkpoint moves forward in the EDB.CHK file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.
RES1.LOG and RES2.LOG
  • These are reserve log files.
  • If the domain controller runs out of free disk space, it uses the reserved space from these files
  • Prevents updates from being lost due to insufficient disk space
  • The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted.
  • You should never let a volume containing Active Directory files get even close to being full.
    • Important:
      • Include additional free space to store Active Directory database as it grows
TEMP.EDB
  • Temporary storage space
  • Hold large transactions while they are in process
  • Used during maintenance operations
LDAP
  • When Microsoft decided to replace the clumsy Registry-based account management system in classic NT with a true directory service, rather than devise a proprietary directory service of their own, they chose to adopt LDAP.
  • Lightweight Directory Access Protocol
  • One of the primary protocols for accessing information directories
  • Vital to understand how to use LDAP naming paths
LDAP (continued)
  • DN (Distinguished Name)
    • Every object in Active Directory has unique name
    • Describes exactly where the object is located in the object hierarchy
    • Made up of:
      • Name of the object
      • All of parent objects above it in hierarchy
LDAP (continued)
  • RDN (Relative Distinguished Name)
    • Identifies object within its container
    • Contains only name of object
  • Acronyms for object names:
    • DC (Domain Component)
      • Part of a domain name
    • OU (Organizational Unit)
      • Name of an organizational unit
    • CN (Common Name)
      • Name of most objects
LDAP (continued)
  • Name example:
    • Lori Thompson, located in the Research organizational unit of the dev.supercorp.net domain
    • DN:
      • CN=Lori Thompson
      • OU=Research
      • DC=dev, DC=supercorp, DC=net
    • RDN: CN=Lori Thompson
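The DN and RDN relationship from the example above, as an added Python example (not from the textbook): it splits a DN into its RDNs, honours backslash-escaped commas inside values, and derives the RDN, the parent container DN and the top-down path. The sample DNs are constructed from the textbook's supercorp example.

```python
# Added example (not from the textbook): split an LDAP distinguished name into
# its RDNs, honouring backslash-escaped commas in values, then derive the RDN,
# the parent container DN, and the top-down path through the hierarchy.
def split_dn(dn):
    """Return the RDN strings of dn, object first, domain root last."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])    # keep escaped char (e.g. "\,") intact
            i += 2
            continue
        if ch == ",":                      # unescaped comma ends an RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def describe(dn):
    """Return (rdn, parent_dn, path): path lists values from the root down."""
    parts = split_dn(dn)
    rdn = parts[0]                         # name of the object itself
    parent = ",".join(parts[1:])           # all parent objects above it
    path = [p.split("=", 1)[1] for p in reversed(parts)]
    return rdn, parent, path


# Constructed sample DNs using the textbook's supercorp example; the second
# has a comma inside the CN value, which must be escaped in LDAP syntax.
LORI = "CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net"
ESCAPED = "CN=Thompson\\, Lori,OU=Research,DC=dev,DC=supercorp,DC=net"
```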
Active Directory Schema
  • All available objects and attributes
  • Sets out exactly:
    • What kind of objects are represented
    • What properties or attributes are required or optional
    • What types of values are acceptable
  • The tool needed to modify the schema (the Active Directory Schema snap-in) is not available by default; it must be registered first with regsvr32 schmmgmt.dll
Activity 4-1: Registering Active Directory Schema Console
  • Objective: Register the Active Directory Schema snap-in so you can view and modify the schema
  • Follow instructions to register the console
  • Every object class and attribute in the schema must have:
    • Unique common name
    • LDAP display name
    • Object Identifier (OID)
Common Name Rules
  • Start name with registered DNS name of company
  • Separate each level of DNS name with hyphens (-) instead of periods
  • Add another hyphen (-) at end of company’s name
  • Enter current year
  • Follow year with another hyphen (-)
Common Name Rules (continued)
  • Choose product-specific prefix
    • Must be unique within company
    • Identifies product or application of class or attribute
    • Should begin with uppercase letter with additional letters using capitalization of your choice
  • Follow product-specific prefix with hyphen (-)
  • Enter name of class or attribute separated by hyphens
LDAP Display Name Rules
  • Start with common name already created for class or attribute
  • Make first character of product-specific prefix lowercase
    • Characters following first character may be uppercase or lowercase
LDAP Display Name Rules (continued)
  • Make every character in class or attribute part of name that is preceded by a hyphen (-) uppercase
  • Remove all hyphens (-) after product-specific prefix
Object Identifier (OID)
  • OID space must be obtained separately
    • Not part of registered DNS domain name
  • Two primary ways to obtain an OID space:
    • Through Microsoft
    • International Standards Organization (ISO)
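The Common Name Rules and LDAP Display Name Rules slides above, applied literally in an added Python example (not from the textbook); the company DNS name, year, product prefix and attribute name are constructed sample values.

```python
# Added example (not from the textbook): apply the common-name and LDAP
# display-name rules from the slides above literally. Company, year, product
# prefix and attribute name are constructed sample values.
def common_name(dns_name, year, product_prefix, name_words):
    """Build the schema common name: dns-levels-year-Prefix-Name-Words."""
    if not product_prefix[:1].isupper():
        raise ValueError("product-specific prefix must start with an uppercase letter")
    company = "-".join(dns_name.split("."))   # periods in the DNS name become hyphens
    return f"{company}-{year}-{product_prefix}-{'-'.join(name_words)}"


def ldap_display_name(cn, product_prefix):
    """Derive the LDAP display name from a common name built by common_name()."""
    head, tail = cn.split(product_prefix + "-", 1)
    prefix = product_prefix[0].lower() + product_prefix[1:]   # first char lowercase
    # Each character that followed a hyphen in the name part is uppercased,
    # then the hyphens after the prefix are removed.
    name = "".join(w[:1].upper() + w[1:] for w in tail.split("-"))
    return head + prefix + name


def example():
    cn = common_name("supercorp.net", 2003, "Payroll", ["Employee", "ID"])
    return cn, ldap_display_name(cn, "Payroll")
```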
Object Classes
  • Definition of each type of object
  • Like a template from which objects are created
  • Inheritance
  • Class Types:
    • Structural classes
    • Abstract classes
    • Auxiliary classes
    • 88 classes
Object Classes (continued)
  • Possible superiors
    • Control under which types of objects a new object can be created or moved
    • Example: a user object cannot be created (or moved) under a printer object
Activity 4-2: Creating a Structural Class
  • Objective: Learn how to extend the Active Directory schema to include additional classes
  • Use Active Directory Schema to create a new class
Attributes
  • Schema contains list of all possible attributes
  • Class is assigned both mandatory and optional attributes
  • Object is sum of its attributes
  • Syntaxes
    • Defines data type attribute can store
Indexed Attributes
  • Similar in concept to index in back of book
  • Store values (in order) for all objects that have a given attribute
  • Speed up queries
  • Slow down creation of objects and updating of attributes
  • Choose attributes that have highly unique values
Activity 4-4: Adding an Optional Attribute to a Class
  • Objective: Learn how to add additional attributes to a class
  • Use the Schema console to add an attribute to a class
Active Directory Partitions
  • Database divided into groups called partitions, or naming contexts
    • Used to manage replication
  • Partitions:
    • Schema partition
    • Domain partition
    • Configuration partition
    • Application partition
Active Directory Partitions (continued)
  • ADSI Edit:
    • Included with Windows Server 2003 Support Tools
    • Used to view and modify objects in various Active Directory partitions
Schema Partition
  • Stores schema
  • Contains definitions of all classes and attributes in entire forest
  • Replicated to all domain controllers in forest
    • Content is the same throughout forest
Configuration Partition
  • Stores information about the replication topology used in the forest
    • Specifies how a domain controller determines with which other specific partners it replicates
  • Found on all domain controllers
  • Same throughout forest
Domain Partition
  • Contains users, computers, groups, and organizational units created in Windows domain
  • Replicated to all domain controllers in domain
  • Large amount of data
  • Usually partition that changes most frequently
Application Partition
  • Cannot contain security principals
  • Can be replicated to many different domains in forest
    • Without necessarily being included on all domain controllers
  • Used when developer wants to store information in Active Directory
Summary
  • Active Directory is made up of several layers:
    • Extensible Storage Engine (ESE),
    • Database layer
    • Directory Service Agent (DSA)
  • By logging all transactions, ESE can reapply transactions in event of system failure and bring data back to a consistent state
Summary (continued)
  • All objects and attributes available in Active Directory are defined in Active Directory schema
  • To effectively manage replication of Active Directory, database is divided into groups called partitions