ACTIVE DIRECTORY SERVICES
Overview
Microsoft made many changes and improvements to their operating system (OS) when they designed Windows 2000. The most important change was the addition of Active Directory (AD). Nearly every facet of the OS now revolves around AD, and we’re already seeing the next generation of BackOffice products that depend upon it (e.g., Exchange 2000). Active Directory is the central holding space for all objects making up our enterprise: domains, organizational units, users, groups, computers, printers, etc. By using some of the specifications of the X.500 directory services, the hierarchical structure of AD removes many of the deficiencies of the flat domain structure found in NT 4.0.
Put simply, the AD is a hierarchical database of all objects in the entire enterprise. These objects include users, groups, computers, domain controllers, printers, contacts, shared folders, and organizational units. Active Directory must use TCP/IP as its network protocol.
Active Directory uses a basic top-down hierarchical model. At the top is a single forest of one or more trees; each tree must contain at least one (root) domain, which in turn must contain at least one organizational unit (OU) and several other containers. There is a recommended size limitation of one million objects per domain for the initial Windows 2000 release; however, tests have run the number of objects up to ten times that without failures.
All Windows 2000 computers can use the AD. Legacy computers (those running Windows NT 4.0, NT 3.51, Windows 98, Windows 95, or Windows 3.x) can log into a Windows 2000 domain, but they won’t be able to take advantage of the features of AD. Windows 95 and Windows 98 computers will require a new Directory Services add-on client (dsclient.exe) that ships with Windows 2000 Server to interact with AD. There is no such tool for operating systems prior to Windows 95/98.
TERMINOLOGY
Domains
The concept of a domain as we remember it from the NT 4.0 days stays the same in Windows 2000. The architecture, however, changes from the flat model of NT 4.0 to a hierarchical model with a parent domain and child domains under it. The parent (also known as the root) domain and all of its child domains are defined as a single domain tree. Multiple trees within the same AD are defined as a forest.
Naming Contexts
A change in Windows 2000 affects the naming contexts within a domain. Now they are done according to the Internet’s Domain Name System (DNS) standard (RFCs 1034 and 1035). To better explain this concept, let’s assume the root domain in our tree is called “mycompany.com”. The sales “child” domain under it is named “sales.mycompany.com”; the finance “child” domain is called “finance.mycompany.com”, and so on.
There must be a separate naming context for each parent, or root. Each root domain begins a new tree within the forest. This naming context allows DNS to be used for all Windows 2000 name resolutions.
Design Tip: 1 DNS server per site.
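The naming rules above, worked through in code. This is an added example, not part of the original article or of any Microsoft tool: "mycompany.com" and its child domains come from the text, "othercorp.net" is a constructed second root domain, and the DN form "DC=sales,DC=mycompany,DC=com" is the LDAP naming context that corresponds to a DNS domain name.

```python
# Added example, not from the original article: models the DNS-style naming
# contexts described above. "mycompany.com" and its child domains come from
# the text; "othercorp.net" is a constructed second root (a second tree).
from typing import Dict, List, Optional


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to its domain naming context (an LDAP DN)."""
    labels = [lbl for lbl in dns_name.lower().strip(".").split(".") if lbl]
    return ",".join(f"DC={lbl}" for lbl in labels)


def parent_domain(dns_name: str, forest: List[str]) -> Optional[str]:
    """Return the nearest ancestor of dns_name that is itself a forest domain,
    or None when dns_name has no parent in the forest (it is a tree root)."""
    labels = dns_name.lower().strip(".").split(".")
    known = {d.lower() for d in forest}
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def build_trees(forest: List[str]) -> Dict[str, List[str]]:
    """Group forest domains into trees keyed by root domain. A domain with no
    parent in the forest starts a new tree (a separate naming context)."""
    trees: Dict[str, List[str]] = {}
    for domain in (d.lower() for d in forest):
        root = domain
        while (parent := parent_domain(root, forest)) is not None:
            root = parent
        trees.setdefault(root, []).append(domain)
    return trees


if __name__ == "__main__":
    forest = ["mycompany.com", "sales.mycompany.com",
              "finance.mycompany.com", "othercorp.net"]
    for root, members in build_trees(forest).items():
        print(f"tree rooted at {root} ({dns_to_dn(root)}):")
        for d in members:
            print(f"  {d:24s} -> {dns_to_dn(d)}")
```

Running it shows two trees in one forest: the contiguous mycompany.com namespace and the separate othercorp.net root, each with its own naming context.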
Global Catalog
Also new in Windows 2000 is the Global Catalog (GC). The GC is a search engine that helps users and applications find objects that are published in the AD. Without the GC it could be difficult and quite time consuming to search the AD database, since there could potentially be hundreds, or even hundreds of thousands, of objects in any single directory.
The Global Catalog can only exist on a Domain Controller (DC). It contains a listing of every object in every domain in the entire forest; however, it does not contain every property of every object. By default, only one GC server exists in the entire forest, and it’s on the first DC that was created in the forest. Its replication is forest wide.
Design Tip: 1 Global Catalog server per site.
Forest
An Active Directory forest sets the boundaries of the Windows 2000 AD. There is a single forest in the AD. Within it are trees, and within the trees are domains. The forest allows us to facilitate movement of objects within its boundaries. In a forest, all objects of the same type share the same properties (schema).
Organizational Units
Another new term with Windows 2000 is Organizational Units (OUs). Within a domain there exist OUs. They can be thought of as subdomains containing AD objects grouped by similar function or geographic location. The primary purpose of OUs is to delegate administrative authority and group policy application. Organizational Units can contain just about any AD object, including another OU. By default, OUs inherit their permissions and group policies from their parent.
Domain Controllers
A big change with Windows 2000 concerns the master/slave PDC/BDC roles of the servers. Now they are all Domain Controllers, and they are all masters, accepting updates at any time. This multi-master model allows for replication throughout the domain and increases fault tolerance for the domain.
Whether a server is going to become a Domain Controller is a decision that is left until after the server installation is complete. Any Windows 2000 Server can be promoted to a domain controller, and any domain controller can be demoted back down to a stand-alone server or a member server.
Domain Controllers default to running in mixed mode. Running in mixed mode allows the NT4 servers’ PDC/BDC replication to continue. Once all the servers are upgraded to Windows 2000, the switch can be made to native mode. It’s important to note, however, that once the switch is made from mixed to native mode it cannot be reversed.
Design Tip: 1 domain controller per site.
Sites
If you’ve worked with Exchange, then the concept of a site is not new to you. A site is a physical boundary defined within Active Directory, unlike forests, trees, domains, and OUs, which are all logical elements of AD. A site is defined as one or more well-connected IP subnets. Well-connected implies a reasonably fast, reliable connection (usually a T-1).
There is only one site per forest, by default. Sites are used to control domain replication, allow for faster user logons, and quicken response times to queries and searches by users. Sites can only contain computers, and administrators have to manually create and configure all sites, site links, and site link bridges.
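Because a site is just a set of IP subnets that an administrator defines by hand, the practical check is whether every client address actually falls inside some site subnet. The model below is an added example, not code from the article or from Windows; the site names and subnets are constructed, and it only illustrates the subnet-to-site mapping, not the real DC locator.

```python
# Added example, not from the original article: models sites as sets of IP
# subnets, as described above, and places clients in a site by the most
# specific matching subnet. The site names and subnets are constructed.
import ipaddress
from typing import Dict, List, Optional

# Constructed site definitions; administrators create these by hand, as the
# text notes. Subnets may nest, so the longest prefix must win.
SITES: Dict[str, List[str]] = {
    "HQ": ["10.0.0.0/16"],
    "Branch": ["10.0.50.0/24", "192.168.5.0/24"],
}


def compile_subnets(sites: Dict[str, List[str]]):
    """Parse the subnet strings once and order them most specific first."""
    entries = []
    for site, subnets in sites.items():
        for subnet in subnets:
            # strict=True rejects subnets with host bits set (e.g. 10.0.0.1/16)
            entries.append((ipaddress.ip_network(subnet, strict=True), site))
    entries.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return entries


def site_for_ip(client_ip: str, sites: Dict[str, List[str]] = SITES) -> Optional[str]:
    """Return the site whose subnet contains client_ip, or None when no site
    subnet covers it (the client is then not in any site)."""
    addr = ipaddress.ip_address(client_ip)
    for network, site in compile_subnets(sites):
        if addr.version == network.version and addr in network:
            return site
    return None


def unmapped_clients(client_ips: List[str], sites: Dict[str, List[str]] = SITES) -> List[str]:
    """List client addresses that fall in no site subnet; these should be
    added to a site so the client can use a well-connected DC."""
    return [ip for ip in client_ips if site_for_ip(ip, sites) is None]


if __name__ == "__main__":
    sample = ["10.0.1.9", "10.0.50.7", "192.168.5.20", "172.16.0.1"]
    for ip in sample:
        print(f"{ip:14s} -> {site_for_ip(ip) or 'NO SITE'}")
    print("unmapped:", unmapped_clients(sample))
```

The nested 10.0.50.0/24 is resolved to "Branch" rather than "HQ" because the longer prefix is tried first, and 172.16.0.1 is reported as unmapped.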
So, if you were counting along, the design tips recommended:
• 1 DC
• 1 DNS server
• 1 GC server
(all of these roles can be housed on the same computer)