70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, EnhancedChapter 4: Active Directory Architecture
Objectives • Describe the underlying database of Active Directory • Describe the Active Directory schema and how it can be extended • Describe the different Active Directory partitions and their functions
Active Directory Physical Database Storage • Layers • Provide the directory service • Include: • Extensible Storage Engine (ESE) • Database layer • Directory Service Agent (DSA)
Active Directory Physical Database Storage • Extensible Storage Engine: • Lowest level • Directly responsible for manipulating database • All objects stored in nonhierarchical form • Rows in database table • Database layer: • Responsible for providing object-oriented hierarchical view • Directory Service Agent: • Third layer • Responsible for enforcing rules • Govern how objects in Active Directory are created and manipulated • Only adjacent layers communicate with one another
Extensible Storage Engine • Active Directory store: • Transactional database • Transaction • Each addition, modification, or deletion • Needed data is loaded from disk to memory.
Extensible Storage Engine (continued) • Example: Viewing properties of a user account • ESE loads the user account data from disk to memory. • Transaction • Operation is logged to hard disk (first thing that happens) • Modification transaction is performed on the in-memory copy of data • Manipulating in-memory copy of data is faster than going to disk
Extensible Storage Engine (continued) • AD store can be many gigabytes in size. • Storing entire database in memory is not practical because of the finite amount of memory available • To solve this issue, ESE uses a least recently used (LRU) algorithm to decide what to write to disk (data that has not been accessed or modified recently is the first to be written back to disk) • Move data that is no longer needed • Write changes back to hard drive • When memory is running low • When system is at a period of low activity
Extensible Storage Engine (continued) • (In case of driver crashes, UPS failure) • Transactions: • ESE writes all transactions to log before they are made to in-memory copy • Next time domain controller starts, ESE can use transactions recorded in log • Reapply changes to copy of data stored on hard disk • Called recovering the database • Done without user intervention
Extensible Storage Engine (continued) • Checkpoints: • Shorten recovery times • Reduce amount of hard drive space logs take up • Completed transactions written back to disk • Fact that transactions were successfully written is noted • ESE only needs to reapply transactions from point of last checkpoint • Transactions can be deleted from log • Note: • Shutdown of domain controller creates a checkpoint in transaction log. • When the server is started, ESE checks the log; if no checkpoint is present, a recovery is performed.
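A toy model of the logging sequence the slides describe (log first, then change the in-memory copy, checkpoint periodically, replay only post-checkpoint log entries on recovery). This is an added illustration, not code from the course or from ESE itself; the class and attribute names are made up for the example.

```python
import copy


class ToyEseStore:
    """Toy model (hypothetical, not ESE) of write-ahead logging with checkpoints."""

    def __init__(self):
        self.disk = {}        # data as stored on the hard drive (stand-in for NTDS.DIT)
        self.log = []         # transaction log entries: (seq, key, value)
        self.checkpoint = 0   # seq of last transaction known to be on disk (stand-in for EDB.CHK)
        self.next_seq = 1
        self.memory = {}      # in-memory working copy of the data

    def modify(self, key, value):
        """A modification transaction: logged to 'disk' before the in-memory change."""
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.log.append((seq, key, value))   # first thing that happens
        self.memory[key] = value             # then the fast in-memory change
        return seq

    def take_checkpoint(self):
        """Write completed transactions back to disk and note how far we got."""
        self.disk = copy.deepcopy(self.memory)
        self.checkpoint = self.next_seq - 1
        # Entries at or before the checkpoint are no longer needed for recovery.
        self.log = [e for e in self.log if e[0] > self.checkpoint]
        return self.checkpoint

    def crash(self):
        """Power loss: the in-memory copy is lost; disk, log and checkpoint survive."""
        self.memory = None

    def recover(self):
        """Replay logged transactions newer than the checkpoint onto the disk copy."""
        pending = [e for e in self.log if e[0] > self.checkpoint]
        for seq, key, value in pending:
            self.disk[key] = value
        if pending:
            self.checkpoint = pending[-1][0]
        self.memory = copy.deepcopy(self.disk)
        return len(pending)   # number of transactions reapplied
```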
Active Directory File Structure • Files needed by ESE to maintain Active Directory Store integrity: • NTDS.DIT • EDB.LOG • EDBXXXXX.LOG • EDB.CHK • RES1.LOG and RES2.LOG • TEMP.EDB
NTDS.DIT • This is the main AD database. • NTDS stands for NT Directory Services. • The DIT stands for Directory Information Tree. • Stores all objects and their attributes • Located in %SYSTEMROOT%\NTDS folder on domain controllers • Made up of three tables: • Schema table • Data table • Link table
EDB.LOG • This is a transaction log. • Any changes made to objects in Active Directory are first saved to a transaction log. • During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database. • This ensures that the database can be recovered in the event of a system crash. • Entries that have not been committed to Ntds.dit are kept in memory to improve performance. • Transaction log files used by the ESE engine are always 10MB.
EDBXXXXX.LOG • Auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. • When EDB.LOG is filled, it is renamed to EDBXXXXX.LOG • The original Edb.log file is renamed to Edb00001.log, EdbXXXXX.log is renamed to Edb.log, and the process starts over again. • Excess log files are deleted after they have been committed. • Every 12 hours: • Garbage-collection process runs • Deletes old EDBXXXXX.LOG • You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.
EDB.CHK • This is a checkpoint file • It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. • Used when the system is recovering from a failure • As transactions are committed, the checkpoint moves forward in the EDB.CHK file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.
RES1.LOG and RES2.LOG • These are reserve log files. • If the domain controller runs out of free disk space, it uses the reserved space from these files • Prevents updates from being lost due to insufficient disk space • The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted. • You should never let a volume containing Active Directory files get even close to being full. • Important: • Include additional free space to store Active Directory database as it grows
TEMP.EDB • Temporary storage space • Hold large transactions while they are in process • Used during maintenance operations
LDAP • When Microsoft decided to replace the clumsy Registry-based account management system in classic NT with a true directory service, rather than devise a proprietary directory service of their own, they chose to adopt LDAP. • Lightweight Directory Access Protocol • One of the primary protocols for accessing information directories. • Vital to understand how to use LDAP naming paths
LDAP (continued) • DN (Distinguished Name) • Every object in Active Directory has unique name • Describes exactly where the object is located in the object hierarchy • Made up of: • Name of the object • All of parent objects above it in hierarchy
LDAP (continued) • RDN (Relative Distinguished Name) • Identifies object within its container • Contains only name of object • Acronyms for object names: • DC (Domain Component) • Part of a domain name • OU (Organizational Unit) • Name of an organizational unit • CN (Common Name) • Name of most objects
LDAP (continued) • Name example: • Lori Thompson located in dev.supercorp.net domain in Research organizational unit • DN: CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net • Components: • CN=Lori Thompson • OU=Research • DC=dev, DC=supercorp, DC=net • RDN: CN=Lori Thompson
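The DN and RDN rules above, worked through in code: an added example (not from the course slides) that splits a DN into its components, extracts the RDN, the parent container's DN and the DNS domain from the DC components, and honours the backslash escape LDAP uses for a comma inside a value. Function names are the example's own.

```python
def split_dn(dn):
    """Split a DN into (type, value) pairs, leaf object first, decoding '\\,' escapes."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":                        # unescaped comma separates RDNs
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for part in parts:
        typ, _, val = part.strip().partition("=")
        if not typ or not val:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((typ.upper(), val))
    return pairs


def _escape(value):
    """Re-escape a decoded value so it can be written back into a DN string."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def rdn(dn):
    """Relative distinguished name: only the leaf component, e.g. 'CN=Lori Thompson'."""
    typ, val = split_dn(dn)[0]
    return f"{typ}={_escape(val)}"


def parent_dn(dn):
    """DN of the container the object lives in: everything above the RDN."""
    return ",".join(f"{t}={_escape(v)}" for t, v in split_dn(dn)[1:])


def dns_domain(dn):
    """DNS name of the domain, assembled from the DC components in order."""
    return ".".join(v for t, v in split_dn(dn) if t == "DC")
```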
Active Directory Schema • All available objects and attributes • Sets out exactly: • What kind of objects are represented • What properties or attributes are required or optional • What types of values are acceptable • Tool needed to modify the schema (the Active Directory Schema snap-in) is not available by default; register it with regsvr32 schmmgmt.dll
Activity 4-1: Registering Active Directory Schema Console • Objective: Register the Active Directory Schema snap-in so you can view and modify the schema • Follow instructions to register the console
Naming • Every object class and attribute in the schema must have: • Unique common name • LDAP display name • Object Identifier (OID)
Common Name Rules • Start name with registered DNS name of company • Separate each level of DNS name with hyphens (-) instead of periods • Add another hyphen (-) at end of company’s name • Enter current year • Follow year with another hyphen (-)
Common Name Rules (continued) • Choose product-specific prefix • Must be unique within company • Identifies product or application of class or attribute • Should begin with uppercase letter with additional letters using capitalization of your choice • Follow product-specific prefix with hyphen (-) • Enter name of class or attribute separated by hyphens
LDAP Display Name Rules • Start with common name already created for class or attribute • Make first character of product-specific prefix lowercase • Characters following first character may be uppercase or lowercase
LDAP Display Name Rules (continued) • Make every character in class or attribute part of name that is preceded by a hyphen (-) uppercase • Remove all hyphens (-) after product-specific prefix
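The common name and LDAP display name rules from the preceding four slides, applied in code. This is an added example, not from the course or from Microsoft's tooling; the DNS name supercorp.net, the year 2003, the prefix Widget and the class name Sales-Region are made-up sample values.

```python
def common_name(dns_name, year, prefix, class_name_parts):
    """Common name: DNS name with '-' for '.', then year, then prefix, then the
    class or attribute name with its words separated by hyphens."""
    if not prefix[:1].isupper():
        raise ValueError("product-specific prefix must begin with an uppercase letter")
    if any("-" in w or not w for w in class_name_parts):
        raise ValueError("class name words must be non-empty and contain no hyphens")
    dns_part = dns_name.replace(".", "-")
    return "-".join([dns_part, str(year), prefix] + list(class_name_parts))


def ldap_display_name(cn, prefix):
    """Derive the LDAP display name from a common name built by common_name():
    lowercase the prefix's first character, uppercase each character that follows
    a hyphen after the prefix, then drop the hyphens after the prefix."""
    marker = "-" + prefix
    idx = cn.find(marker)
    end = idx + len(marker)
    if idx < 0 or cn[end:end + 1] not in ("", "-"):
        raise ValueError("product-specific prefix not found in common name")
    head = cn[:idx + 1]                    # e.g. 'supercorp-net-2003-'
    words = [w for w in cn[end:].split("-") if w]   # e.g. ['Sales', 'Region']
    camel = "".join(w[:1].upper() + w[1:] for w in words)
    return head + prefix[:1].lower() + prefix[1:] + camel
```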
OID • OID space must be obtained separately • Not part of registered DNS domain name • Two primary ways to obtain an OID space: • Through Microsoft • International Standards Organization (ISO)
Object Classes • Definition of each type of object • Like a template from which objects are created • Inheritance • Class Types: • Structural classes • Abstract classes • Auxiliary classes • 88 classes
Object Classes (continued) • Possible superiors • Controls which types of objects new object can be instantiated or moved under • Example: user object cannot be created (or moved) under a printer object
Activity 4-2: Creating a Structural Class • Objective: Learn how to extend the Active Directory schema to include additional classes • Use Active Directory Schema to create a new class
Attributes • Schema contains list of all possible attributes • Class is assigned both mandatory and optional attributes • Object is sum of its attributes • Syntaxes • Defines data type attribute can store
Indexes • Similar in concept to index in back of book • Store values (in order) for all objects that have a given attribute • Speed up queries • Slow down creation of objects and updating of attributes • Choose attributes that have highly unique values
Activity 4-4: Adding an Optional Attribute to a Class • Objective: Learn how to add additional attributes to a class • Use the Schema console to add an attribute to a class
Active Directory Partitions • Database divided into groups called partitions, or naming contexts • Used to manage replication • Partitions: • Schema partition • Domain partition • Configuration partition • Application partition
Active Directory Partitions (continued) • ADSI Edit: • Included with Windows Server 2003 Support Tools • Used to view and modify objects in various Active Directory partitions
Schema • Stores schema • Contains definitions of all classes and attributes in entire forest • Replicated to all domain controllers in forest • Content is the same throughout forest
Configuration • Stores information about replication topology used in forest • Specifies how domain controller determines with which other specific partners it replicates • Found on all domain controllers • Same throughout forest
Domain • Contains users, computers, groups, and organizational units created in Windows domain • Replicated to all domain controllers in domain • Large amount of data • Usually partition that changes most frequently
Application • Cannot contain security principals • Can be replicated to many different domains in forest • Without necessarily being included on all domain controllers • Used when developer wants to store information in Active Directory
Summary • Active Directory is made up of several layers: • Extensible Storage Engine (ESE), • Database layer • Directory Service Agent (DSA) • By logging all transactions, ESE can reapply transactions in event of system failure and bring data back to a consistent state
Summary (continued) • All objects and attributes available in Active Directory are defined in Active Directory schema • To effectively manage replication of Active Directory, database is divided into groups called partitions