Understanding Active Directory
The Limitations of the Windows NT Domain Model and Network Security
With Windows NT, domains were utilized to manage users, and to manage and secure network resources. A domain is the logical grouping of servers and network resources under a single domain name. In Windows NT, a domain could be considered as a central database containing security information which was then basically used to manage users and network resources. The Windows NT computers operated as domain controllers, with each domain essentially having one Primary Domain Controller (PDC) and one or multiple Backup Domain Controllers (BDCs). The PDC held the centralized database that contained the security information to manage users and resources. This was how domains were put into operation in Windows NT network environments.
The centralized database or accounts database was replicated to the BDCs to ensure reliability. The master copy of the database however only resided on the PDC. Any changes had to be made on the PDC, and were then replicated to the BDCs. Network resources such as network printers and files were typically located in resource domains. Resource domains had their own PDC and BDCs. What this meant for most environments was that these resource domains were often managed on its own, often separate to the master domain(s). A master domain(s) normally managed network accounts. Because users typically need to access resources, the resource domains needed to trust the master domain(s). In the Windows NT domain model, trust relationships could only operate in one direction.
For administrative purposes, the users stored in master domains were organized into global groups, and the global groups were then set with permissions to access the resource domain's network resources. Because of manner in which the Windows NT domain is structured, excessive network traffic can be generated by domain controllers synchronizing. In addition, managing a large number of trust relationships can become a cumbersome task and if not managed appropriately, can indeed become uncontrollable. This has led to the Windows NT 4 domain structure not scaling well to cater for larger complicated networks. Although it is possible to implement multiple Windows NT domains, managing multiple domains can too be an intricate process. Bandwidth costs would also typically increase due to domain controller synchronization.
As mentioned earlier, the security information of users were stored in a centralized database. In Windows NT domain environments, the security account information is kept in the Security Account Manager (SAM) database. The SAM database is a flat file database that contains users and groups. Computer accounts are stored as a particular type of user account. Because the SAM is a component of the Registry, and the Registry has a Registry size limit (RSL), the SAM database in a Windows NT environment can only grow to a particular size. The Registry itself can not exceed 80 percent of paged pool memory. In Windows NT, this is 192MB. For Windows 2000 and Windows Server 2003, it is 470MB. In addition to this, in large Windows NT network environments where multiple BDC exists, a considerable load can be placed on the PDC to ensure that the databases are replicated.
One of the major shortcomings of the Windows NT domain model is that the PDC is the only domain controller that can access the SAM database. When the PDC is unavailable, no computers can be joined to the particular domain, and new users and groups cannot be specified for the domain. Users cannot change their passwords when the PDC is unavailable. They can however access the BDC. To ensure access to the SAM database, administrators in a Windows NT domain would have to promote a robust enough BDC to a PDC. In cases where a wide area network (WAN) connection actually links the PDC to the remainder of the network, having an unavailable PDC can present an even greater problem. You would generally refrain from promoting a BDC to PDC.
With global networks, the speed of he WAN links influences the speed at which changes are effected on the SAM of the PDC. The local BDC is not utilized.
Because of the characteristics of domains, users need to be located into groups in order to access network resources. Since these groups could not be nested, the number of groups within a Windows NT domain could run into hundreds. Managing large numbers of groups can be an administrative challenge, and granting access to groups to resources could turn into an administrative nightmare.
Improvements made by Active Directory to address the limitations of Windows NT domains
Active Directory was designed to provide a centralized repository of information, or data store that could securely manage the resources of an organization. Active Directory makes it possible for different types of information to be stored in a centralized distributed database. The Active Directory directory services ensure that network resources are available to, and can be accessed by users, applications and programs. The directory included with the Active Directory directory services contains information on network resources. It also includes additional information on each service that can make this information accessible.
Network resources contained in the directory are known as objects. Objects typically consist of user, group and computer information, databases, printers, security policies and servers. With Active Directory trust relationships are completely transitive between domains.
Active Directory also makes it possible for administrators to log on to a one network computer, and then manage Active Directory objects on a different computer within the domain.
Unlike the Windows NT domain model that could not mirror the structure of the organization, Active Directory makes is possible to mirror this structure because of the hierarchical organization of objects within Active Directory. Active Directory can be set up with as many branches required to classify administrative functions.
Because all information stored in Active Directory is located in one centralized, distributed data store; administrative needs are reduced, the availability of security information is increased, and there is an improvement in the structure of information. With Windows Server 2003, the Active Directory account database can accommodate a billion objects, and multiple domain controllers can host copies of the Active Directory directory store. These features resolve the scalability, poor performance and single point of failure issues experienced with the Windows NT domain model. Active Directory also has an extensible schema. Schema refers to the structure of the database. What this means is that you can expand and customize the types of information stored within Active Directory.
With Active Directory, all domain controllers in a domain are regarded as peers. Each domain controller contains a copy of the domain directory, and when changes are made to a domain controller, the updates are replicated to the remainder of the domain controller within the domain.
Active Directory Structure
Active Directory has a hierarchical structure that consists of various components which mirror the network of the organization. The components included in the Active Directory hierarchical structure are listed below:
-
Sites
-
Domains
-
Domain Trees
-
Forests
-
Organizational Units (OUs)
-
Objects
-
Domain Controllers
-
Global Catalog
-
Schema
The Global Catalog and Schema components actually manage the Active Directory hierarchical structure. In Active Directory, logically grouping resources to reflect the structure of the organization enables you to locate resources using the resource's name instead of its physical location. Active Directory logical structures also enable you to manage network accounts and shared resources.
The components of Active Directory that represent the logical structure in an organization are:
-
Domains, Organizational Units (OUs), Trees, Forests, Objects
The components of Active Directory that are regarded as Active Directory physical structures are used to reflect the organization's physical structure. The components of Active Directory that are physical structures are:
-
Sites, Subnets, Domain Controllers
The following section examines the logical and physical components of Active Directory.
A domain in Active Directory consists of a set of computers and resources that all share a common directory database which can store a multitude of objects. Domains contain all the objects that exist in the network. Each domain contains information on the objects that they contain. In Active Directory, domains are considered the core unit in its logical structure. Domains in Active Directory actually differ quite substantially from domains in Windows NT networks. In Windows NT networks, domains are able to store far less objects than what Active Directory domains can store. Windows NT domains are structured as peers to one another. What this means is that you cannot structure domains into a hierarchical structure. Active Directory domains on the other hand can be organized into a hierarchical structure through the use of forests and domain trees.
An Active Directory domain holds the following:
-
Logical partition of users and groups
-
All other objects in the environments
In Active Directory, domains have the following common characteristics:
-
The domain contains all network objects
-
The domain is a security boundary – access control lists (ACLs) control access to the objects within a domain.
Within a domain, objects all have the following common characteristics:
-
Group Policy and security permissions
-
Hierarchical object naming
-
Hierarchical properties
-
Trust relationships
The majority of components in Active Directory are objects. In Active Directory, objects represent network resources in the network. Objects in Active Directory have a unique name that identifies the object. This is known as the distinguished name of the object. Objects can be organized and divided into object classes. Object classes can be regarded as the logical grouping of objects. An object class contains a set of object attributes which are characteristics of objects in the directory. Attributes can be looked at as properties that contain information on characteristics and configurations. The Active Directory objects that an Administrator would most likely be concerned with managing are users, groups and computers. In Active Directory, the main groups are security groups and distribution groups. It is easier to place users into groups and then assign permissions to network resources via these groups. Through implementing groups and using groups effectively, you would be in a good position to manage security and permissions in Active Directory.
Organizational units (OUs) can be considered logical units that can be used to organize objects into logical groups. OUs can be hierarchically arranged within a domain. An organization unit can contain objects such as user accounts, groups, computers, shared resources, and other OUs. You can also assign permissions to OUs to delegate administrative control. Domains can have their own OU hierarchy. Organizational units are depicted as folders in the Active Directory Users And Computers administrative tool.
In Active Directory, a domain tree is the grouping of one or multiple Windows 2000 or Windows Server 2003 domains. Domain trees are essentially a hierarchical arrangement of these domains. Domain trees are created by adding child domains to a parent domain. Domains that are grouped into a domain tree have a hierarchical naming structure and also share a contiguous namespace.
Multipledomains are typically utilized to:
-
Improve performance
-
Decentralize administration
-
Manage and control replication in Active Directory
-
Through the utilization of multiple domains, you can implement different security policies for each domain.
-
Multiple domains are also implemented when the number of objects in the directory is quite substantial.
A forest in Active Directory is the grouping of one or multiple domain trees. The characteristics of forests are summarized below:
-
Domains in a forest share a common schema and global catalog, and are connected by implicit two-way transitive trusts. A global catalog is used to increase performance in Active Directory when users search for attributes of an object. The global catalog server contains a copy of all objects in its associated host domain, as well as a partial copy of objects in the other domains in the forest.
-
Domains in a forest function independently, with the forest making communication possible with the whole organization.
-
Domain trees in a forest do not have the same naming structures.
In Active Directory, a site is basically the grouping of one or more Internet Protocol (IP) subnets which are connected by a reliable high-speed link. Sites normally have the same boundaries as a local area network (LAN). Sites should be defined as locations that enable fast and cheap network access. Sites are essentially created to enable users to connect to a domain controller using the reliable high-speed link; and to optimize replication network traffic. Sites determine the time and the manner in which information should be replicated between domain controllers.
A site contains the objects listed below that are used to configure replication among sites.
-
Computer objects
-
Connection objects
A domain controller is a computer running Windows 2000 or Windows Server 2003 that contains a replica of the domain directory. Domain controllers in Active Directory maintain the Active Directory data store and security policy of the domain. Domain controllers therefore also provide security for the domain by authenticating user logon attempts. The main functions of domain controllers within Active Directory are summarized in the following section:
-
Each domain controller in a domain stores and maintains a replica of the Active Directory data store for the particular domain.
-
Domain controllers in Active Directory utilize multimaster replication. What this means is that no single domain controller is the master domain controller. All domain controllers are considered peers.
-
Domain controllers also automatically replicate directory information for objects stored in the domain between one another.
-
Updates that are considered important are replicated immediately to the remainder of the domain controllers within the domain.
-
Implementing multiple domain controllers within a domain provides fault tolerance for the domain.
-
In Active Directory, domain controllers can detect collisions. Collisions take place when an attribute modified on one particular domain, is changed on a different domain controller prior to the change on the initial domain controller being fully propagated.
Apart from domain controllers, you can have servers configured in your environment that operate as member servers of the domain but who do not host Active Directory information. Member servers do not provide any domain security functions either such as authenticating users. Typical examples of member servers are file servers, print servers, and Web servers.
Standalone severs on the other hand operate in workgroups and are not members of the Active Directory domain. Standalone servers have, and manage their own security databases.
Active Directory Namespace Structure
The Domain Name System (DNS) is the Internet service that Active Directory utilizes to structure computers into domains. DNS domains have a hierarchical structure that identifies computers, organizational domains and top-level domains. Because DNS also maps host names to numeric Transmission Control Protocol/Internet Protocol (TCP/IP) addresses, you define the Active Directory domain hierarchy on an Internet-wide basis, or privately. Because DNS is an important component of Active Directory, it has to be configured before you install Active Directory.
The information typically stored in Active Directory can be categorized as follows:
-
Network security entities: This category contains information such as users, groups, computers, applications.
-
Active Directory mechanisms: This category includes permissions, replication, and network services.
-
Active Directory schema: Active Directory objects that define the attributes and classes in Active Directory are included here.
To ensure compatibility with the Windows NT domain model, Active Directory is designed and structured on the idea of domains and trust relationships. Because the SAM databases in Windows NT could not be combined, domains have to be joined using trust relationships.
With Active Directory, a domain defines the following:
-
A namespace
-
A naming context
-
A security structure
-
A management structure
Within the domain, you have users and computers that are members of the domain, and group policies. In Active Directory, you can only create a naming context at a domain boundary, or by creating an Application naming context. An Application naming context is a new Active Directory feature introduced in Windows Server 2003. Other than a Domain naming context, each installation of Active Directory must have a Schema naming context, and a Configuration naming context.
-
Schema naming context: Domain controllers in the forest each have a read-only replica of the Schema naming context which contains the ClassSchema and AttributeSchema objects. These objects signify the classes and attributes in Active Directory. The domain controller acting the role of Schema Role Master is the only domain controller that can change the schema.
-
Configuration naming context: Domain controllers in the forest each have a read and write replica of the Configuration naming context. The Configuration naming context contains the top-level containers listed below which basically manage those services that support Active Directory:
-
Display Specifiers container: Objects which change the attributes that can be viewed for the remainder of the object classes are stored in this container. Display Specifiers supply localization and define context menus and property pages. Localization deals with determining the country code utilized during installation, and then moves all content via the proper Display Specifier. Context menus and property pages are defined for each user according to whether the user attempting to access a particular object has Administrator privileges.
-
Extended Rights container: Because you can assign permissions to objects and the properties of an object, Extended Rights merges various property permissions to form a single unit. In this manner, Extended Rights manages and controls access to objects.
-
Lost and Found Config container: The Domain naming context and Configuration context each have a Lost and Found Config container that holds objects which have gone astray.
-
Partitions container: The Partitions container contains the cross-reference objects that depict all the other domains in a forest. The Partitions container's data is referenced by domain controllers when they create referrals to these domains. The data in the Partitions container can only be altered by a single domain controller within he forest.
-
Physical Locations container: The Physical Locations container contains physical Location DN objects which are related to Directory Enabled Networking (DEN).
-
Services container: This container stores the objects of distributed applications and is replicated to all domain controllers within the forest. You can view the contents of the container in the Active Directory Sites and Services console.
-
Sites container: The objects stored in the Sites container control Active Directory replication, among other site functions. You can also view the contents of this container in the Active Directory Sites and Services console.
-
Well-Known Security Principals container: This container stores the names and unique Security Identifiers (SIDs) for groups such as Interactive and Network.
-
Replication and Active Directory
In Active Directory, directory data that is classified into the categories listed below are replicated between domain controllers in the domain:
-
Domain data includes information on the objects stored in a particular domain. This includes objects for user accounts, Group Policy, shared resources and OUs.
-
Configuration data includes information on the components of Active Directory that illustrates the structure of the directory. Configuration data therefore define the domains, trees, forests and location of domain controllers and global catalog servers.
-
Schema data lists the objects and types of data that can be stored in Active Directory.
Active Directory utilizes multimaster replication. This means that changes can be made to the directory from any domain controller because the domain controllers operate as peers. The domain controller then replicates the changes that were made. Domain data is replicated to each domain controller within that domain. Configuration data and schema data are replicated to each domain in a domain tree and forest. Objects stored in the domain are replicated to global catalogs. A subset of object properties in the forest is also replicated to global catalogs. Replication that occurs within a site is known as intra-site replication. Replication between sites is known as inter-site replication.
Support Files of Active Directory
The Active Directory support files are listed below. These are the files that you specify a location for when you promote a server to a domain controller:
-
Ntds.dit (NT Directory Services): Ntds.dit is the core Active Directory database. This file on a domain controller lists the naming contexts hosted by that particular domain controller.
-
Edb.log: The Edb.log file is a transaction log. When changes occur to Active Directory objects, the changes are initially saved to the transaction log before they are written to the Active Directory database.
-
Edbxxxxx.log: This is auxiliary transaction logs that can be used in cases where the primary Edb.log file fills up prior to it being written to the Ntds.dit Active Directory database.
-
Edb.chk: Edb.chk is a checkpoint file that is used by the transaction logging process.
-
Res log files: These are reserve log files whose space is used if insufficient space exists to create the Edbxxxxx.log file.
-
Temp.edb: Temp.edb contains information on the transactions that are being processed.
-
Schema.ini: The Schema.ini file is used to initialize the Ntds.dit Active Directory database when a domain controller is promoted.
Comments - No Responses to “Understanding Active Directory”
Sorry but comments are closed at this time.