Understanding Active Directory

ITworld.com –

To administer a Windows 2000-based network, you need to be grounded in Windows 2000's new directory service, Active Directory (AD). This week and next, I'll describe the components that make up AD. In future installments, I'll discuss its benefits in detail.

New directory service functionality for Windows servers

Like all directory services, AD is a database that centralizes the data and instructions that user applications need to communicate over a network. User identification, configuration, and site information are examples of stored data.

AD replaces NT's SAM (security accounts manager) database with an extensible and highly scalable database that follows X.500 standards. It is accessible via LDAP, and utilizes DNS, instead of WINS, for name resolution. DNS requires TCP/IP; therefore, Active Directory requires TCP/IP.

This new networking model allows administrators to manage Windows 2000 environments in ways that weren't possible under NT 4.0. Windows 2000 Server, Advanced Server, and Datacenter Server all provide Active Directory services.

Let's take a look at AD's component hierarchy.


At AD's lowest level are objects, which are composed of attributes (see Figure 1).

Objects can be anything from user accounts to file shares, printer shares, or DFS roots. Shares are a way of making resources available on the network; an example of a file share is \\servername\sharename. DFS roots, with which you can hide the underlying network infrastructure from users, help simplify system management.

The schema

The schema contains definitions of every possible object type, its corresponding attributes, and the data types that those attributes can be composed of. An object of type user, for example, might have firstname, lastname, officephone, and email attributes that can be composed of letters and/or numbers.

An object or attribute cannot exist if it is not first defined within the schema.
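To make the schema rule concrete, here is an added example (not code from the article, and not the real Active Directory schema): a small constructed schema for the user object described above, with a validator that refuses any object class or attribute the schema does not define, and any attribute whose value has the wrong data type.

```python
# Added example, not code from the ITworld article: a minimal model of the rule
# that an object class or attribute must be defined in the schema before an
# object can carry it. The schema contents below are constructed; they are not
# the real Active Directory schema.

# Constructed schema: object class -> {attribute name: allowed Python type}.
SCHEMA = {
    "user": {
        "firstname": str,
        "lastname": str,
        "officephone": str,   # letters and/or digits, so modelled as text
        "email": str,
    },
    "printer": {"name": str, "location": str},
}


def validate_object(obj_class, attributes, schema=SCHEMA):
    """Return a list of violations; an empty list means the object may exist.

    An undefined class is rejected outright; an attribute missing from the
    class definition, or holding the wrong data type, is reported by name.
    """
    if obj_class not in schema:
        return [f"object class '{obj_class}' is not defined in the schema"]
    allowed = schema[obj_class]
    problems = []
    for name, value in attributes.items():
        if name not in allowed:
            problems.append(f"attribute '{name}' is not defined for class '{obj_class}'")
        elif not isinstance(value, allowed[name]):
            problems.append(f"attribute '{name}' must be {allowed[name].__name__}, "
                            f"got {type(value).__name__}")
    return problems
```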

Organizational units

You can use organizational units (OUs) -- basically containers within which you group objects logically -- to delegate administrative functions (see Figure 1). For example, you could create an OU called Accounting and then assign its administrator the rights to add users and change passwords within it -- but nowhere else!

Figure 1. Active Directory objects and OUs

Domains and domain trees

Windows 2000 domains are similar to NT domains; they define administrative boundaries on a network, as well as replication and security boundaries. Note that Windows NT/2000 domains are somewhat different from DNS domains. A Windows NT/2000 domain is a container for objects and resources, whereas a DNS domain is a tree or subtree within the DNS namespace.

Windows 2000 domains, which contain objects and OUs, are named according to DNS naming conventions. (Although DNS domain names do usually correspond to Windows 2000 domain names, the two should not be confused.)

Typically, domain names will correspond to your company's name in some way. For example, if you are the administrator of the Abigco Corporation, which has a DNS domain of Abigco.com, the first domain in Active Directory will most likely be called Abigco.com as well.

Domain trees

Grouping domains together creates a domain tree -- a group of domains that share a common namespace (see Figure 2). By using trees to structure your network, you can logically break your enterprise into separate, manageable entities. The number of domains you'll create depends upon many factors, including politics, administrative delegation, bandwidth between sites, etc.

Refer to our previous example, where we used the domain name Abigco.com. If you added another domain to the Abigco.com tree, it would be named by default Newdomain.abigco.com. A parent/child relationship has been created, where the parent of the Newdomain.abigco.com domain is Abigco.com and the child of the Abigco.com domain is Newdomain.abigco.com.

When you add domains to a tree, two-way transitive trusts are automatically established. A trust is a logical relationship between domains that allows one domain to honor the logon authentications of another.

Figure 2. Active Directory trees

Trusts are considered two-way because parent and child domains trust each other automatically -- as soon as you create Newdomain.abigco.com, it trusts Abigco.com, and vice versa, without any further effort on your part. Under NT 4.0, you would have had to create two trusts -- one for each domain.

Trusts are transitive because child domains added to a tree automatically trust their parent's parent. For example, the new domain Test.newdomain.abigco.com (a child of Newdomain.abigco.com) automatically trusts Abigco.com. The definition of transitive applies -- if A trusts B, and B trusts C, then A trusts C.
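The naming and trust rules above can be modelled directly. The following is an added example (not code from the article): it derives each domain's parent from its DNS-style name, builds the Abigco.com tree, and returns the chain of two-way trusts that lets one domain honor another's logon authentication. The Sales.abigco.com domain is constructed for illustration; the other names are the article's.

```python
# Added example, not code from the ITworld article: models a Windows 2000
# domain tree named by DNS conventions and the two-way transitive trusts it
# implies. Sales.abigco.com is constructed; the other names are from the text.

def child_name(parent, label):
    """A child domain's default name is its label prefixed to the parent's name."""
    return f"{label}.{parent}".lower()


def parent_of(domain):
    """The parent is the name with its leftmost DNS label removed (None for a root)."""
    labels = domain.lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def build_tree(root, children):
    """Map each domain to its parent. Every child must sit directly under a
    domain already in the tree; otherwise it belongs to another namespace."""
    tree = {root.lower(): None}
    for name in sorted(children, key=lambda n: n.count(".")):  # parents first
        name = name.lower()
        parent = parent_of(name)
        if parent not in tree:
            raise ValueError(f"{name}: parent {parent} is not a domain in this tree")
        tree[name] = parent
    return tree


def trust_path(tree, a, b):
    """Domains crossed when A honors B's logon authentication, or None if no trust.

    Each parent/child link is a two-way trust and trusts chain transitively,
    so the path runs from A up to the common ancestor and down to B.
    """
    a, b = a.lower(), b.lower()
    if a not in tree or b not in tree:
        return None

    def ancestors(d):  # d, its parent, its parent's parent, ... up to the root
        chain = []
        while d is not None:
            chain.append(d)
            d = tree[d]
        return chain

    up_a, up_b = ancestors(a), ancestors(b)
    common = next(d for d in up_a if d in up_b)  # at worst the tree's root
    return up_a[: up_a.index(common) + 1] + up_b[: up_b.index(common)][::-1]
```

A path of length two is a direct parent/child trust; a longer path is the transitive case the text describes, and None means the two domains are in different trees and no automatic trust exists.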

Next week, we'll move up the AD hierarchy, with an exploration of forests, sites, and replication.
