Active Directory
The term "directory" has received a lot of attention in computing environments in the
past several years. As computing environments have become larger and more
complex, with many offering Internet access and even network resources through an
intranet, the task of managing the many resources the network has to offer has
become more and more complex for network administrators — and the user's task of
finding those resources has become just as difficult. The need to not only organize
information, but make that information easy to manage and locate, has become a
serious and complicated issue.
Although Windows NT offered directory services through third party software, the
Active Directory in Windows 2000 is Microsoft's new answer to directory services.
The Active Directory is a powerful tool that allows multiple sites, domains, and even
the Internet to fully integrate together. The Active Directory's purpose is to organize
information about real network objects, such as users, shares, printers, applications,
and so forth, so that users can find the resources they need. Through the Active
Directory, users do not have to keep track of which server holds which resource, or
where a particular printer resides. The Active Directory lists the information, is
completely searchable, and provides a standard folder interface to users so they can
find what they need on the network. From an administrator's point of view, the
Active Directory provides you with a simple, hierarchical design that you can
administer from a single location.
DESIGN GOALS OF THE ACTIVE DIRECTORY
The Active Directory's design goals are simple, yet very powerful, allowing Active
Directory to provide the desired functionality in virtually any computing environment.
The following list describes the major features and goals of the Active Directory
technology.
Scalable — The Active Directory is highly scalable, which means it can function in
small networking environments or global corporations. The Active Directory supports
multiple stores, which are wide groupings of objects, and can hold more than one
million objects per store.
Extensible — The Active Directory is "extensible," which means it can be customized
to meet the needs of an organization.
Secure — The Active Directory is integrated with Windows 2000 security, allowing
administrators to control access to objects.
Seamless — The Active Directory is seamlessly integrated with the local network and
the intranet/Internet.
Open Standards — The Active Directory is based on open communication standards,
which allow integration and communication with other directory services, such as
Novell's NDS.
Backwards Compatible — Although Windows 2000 operating systems make the most
use of the Active Directory, the Active Directory is backwards compatible for earlier
versions of Windows operating systems. This feature allows implementation of the
Active Directory to be taken one step at a time.
Windows 2000 also supports Dynamic DNS (DDNS), an addition to the DNS standard.
DDNS lets a host register new or changed values for its own records on a DNS
server, an update that previously had to be performed manually. Since name
records can be dynamically updated, true Windows 2000 networks no longer need to
use Windows Internet Naming Service (WINS). Because a server that accepts
unrestricted dynamic updates would let any host that can reach it register or
overwrite a record, dynamic updates should be limited to authenticated clients;
Active Directory-integrated zones provide this as secure dynamic update.
DNS is the naming scheme used in the Active Directory, and LDAP (Lightweight
Directory Access Protocol) is how you access the Active Directory. LDAP is a widely
adopted Internet standard defined in IETF RFCs. Although often misunderstood, LDAP
is not a part of the X.500 standard. The X.500 standard is a directory
specification that introduced DAP (Directory Access Protocol) to read and modify
a directory database. DAP is a capable protocol in that it can handle directory
requests and changes, as well as directory security. However, DAP requires a full
OSI protocol stack on the client, places much of the processing burden on the
client computers, and is considered to be a high overhead protocol. LDAP, which is
not defined within the X.500 specification, was developed to overcome the
weaknesses of DAP. LDAP is an open standard, which means that it can be used by
anyone wishing to develop a directory service and is not restricted to X.500
directories like DAP. Another major difference is that LDAP runs over TCP/IP and
leaves the work to the server: the client sends a request, the directory server
processes it, and the results are returned to the LDAP-enabled client. The Active
Directory is not an X.500 directory, but it supports the X.500 information model
without requiring systems to implement the X.500 protocol overhead. The result is
an LDAP-based directory that supports high levels of interoperability.
ACTIVE DIRECTORY HIERARCHY
The structure of the Active Directory is a hierarchy, and before installing and
implementing the Active Directory, you must have a firm understanding of the
structure as well as the components that make up the Active Directory. You will use
this hierarchy design to build the Active Directory infrastructure for your
organization, so it is important that you have a firm grasp of their meaning and place
in the hierarchy before you begin planning. The following sections explore the
components in the hierarchy structure. We will work with each of these in more detail
in later chapters.
Object
An Active Directory object represents a resource or entity of some kind on the
network. Common Active Directory objects are users, groups, printers, shared
folders, applications, databases, contacts, and so forth. Each of these objects
represents something "tangible" to the network. Each object is defined by a set of
"attributes." An attribute is a quality that helps define the actual object. For
example, a user object could have attributes of a username, actual name, and email
address. The attributes permitted for each kind of object are defined in the Active
Directory schema. The attributes define the object itself and allow users to search
for the particular object, as in Figure 1.
Organizational Unit
An organizational unit (OU) is like a file folder in a filing cabinet. The OU is a
container designed to hold objects (or even other OUs). It has attributes like any
other object, but its purpose, as with a file folder, is to hold other objects. As
the name implies, an OU helps you "organize" your directory structure. For example,
you could have an accounting OU that contains other OUs, such as Accounting Group
A and Accounting Group B, and inside those OUs can reside objects that belong, such
as users, groups, computers, printers, and so forth (Figure 2). OUs also serve as
administrative boundaries: you can delegate control over the objects in an OU to a
particular group of administrators and link Group Policy to it, which lets a single
Windows 2000 domain with several OUs replace the separate resource domains of a
multiple-domain Windows NT network. An OU is not a security boundary, however; an
administrator of the domain retains authority over every OU in it.
Domain
Tree
The hierarchy structure of the domain, organizational units, and objects is called a
tree. The objects within the tree are referred to as endpoints, while the OUs in the
tree structure are nodes. In terms of a physical tree, you can think of the branches
as OUs or containers and the leaves as objects — an object is the natural endpoint of
the node within the tree.
Domain Trees
A domain tree exists when several domains that share a contiguous DNS name space
are linked by trust relationships and share a common schema, configuration, and
global catalog. Trust relationships between Windows 2000 domains in a tree are
based on the Kerberos security protocol, and these Kerberos trusts are two-way and
transitive. In other words, if domain 1 trusts domain 2 and domain 2 trusts domain
3, then domain 1 trusts domain 3, as shown in Figure 4.
Forest
A forest is a set of one or more trees that share a common schema, configuration,
and global catalog but do not share a contiguous name space. All domains in the
forest trust each other through Kerberos transitive trusts. The forest itself has
no distinct name; it is identified by its forest root domain, the first domain
created in the forest, and the trees are viewed as a hierarchy of trust
relationships. For example, corp.com, production.corp.com, and mgmt.corp.com share
a contiguous name space and therefore form a single tree rooted at corp.com; adding
a tree whose root has a different DNS name, while keeping the same schema,
configuration, and global catalog, makes the whole a forest with corp.com as the
forest root. Because the schema and configuration are shared by every domain in
it, the forest, not the domain, is the boundary of trust between administrators.
Site
A site is not actually considered a part of the Active Directory hierarchy, but is
configured in the Active Directory for replication purposes. A site is defined as
one or more well-connected TCP/IP subnets, typically corresponding to a
geographical location, containing Active Directory domain controllers.
Well-connected means that the network links between those subnets are highly
reliable and fast. Administrators use the Active Directory to configure
replication between sites, which is compressed and runs on a schedule, whereas
replication within a site is frequent and uncompressed. Users do not have to be
aware of site configuration. As far as the Active Directory is concerned, users
only see domains.
In the Active Directory, every object, such as a user, a group, a computer, a
printer, and so forth, has a unique name. Four kinds of names are used to identify
objects.
First, each object has a distinguished name (DN). The DN is unique from all other
objects and contains the full information needed to retrieve the object: the
domain where the object resides and the path to the object within it. The DN is
made up of these attribute types:
DomainComponent (DC)
OrganizationalUnitName (OU)
CommonName (CN)
For example, if you wanted to access a document object called "Production Flow"
that resides in a particular domain, the LDAP string form of the DN (RFC 4514),
written with the most specific component first, reads:
CN=Production Flow,CN=documents,OU=prod,DC=mycompany,DC=com
The same name is sometimes written in a slash-separated, top-down form,
/DC=com/DC=mycompany/OU=prod/CN=documents/CN=Production Flow, but LDAP tools and
APIs expect the comma-separated form above. By using the DN, the Active Directory
can begin at the top of the domain and work its way down to the actual folder or
document.
Next, the Active Directory uses the relative distinguished name (RDN). The RDN is
the leftmost component of the DN, the attribute that names the object within its
parent container. For most objects this is the CN, or common name; for an
organizational unit it is the OU component, and for a domain it is a DC component.
The RDN need only be unique among the objects in the same container. Fortunately,
all you need to know to search for objects are common names. You don't have to
know or use the DN, and the DN itself is normally hidden from users.
Next, the Active Directory also uses the globally unique identifier (GUID), a
128-bit number unique from all others. The GUID is assigned to an object when it
is created in the Active Directory and it never changes, even if the object is
renamed or moved to another container.
Finally, user objects (security principals) can also be identified by a user
principal name (UPN), a short friendly logon name that looks like an email
address, such as kanderson@smithfin.com. A UPN must be unique across the forest.
The major point to remember is that the Active Directory provides the DN, RDN,
GUID, and UPN for objects to ensure uniqueness, ease of location for LDAP queries,
and ease of use for users. You will learn more about these names throughout the
book.
GLOBAL CATALOG
The purpose of LDAP is to allow network users to search for and find the objects
in the Active Directory they want to use. For this to happen, designated Active
Directory domain controllers, called global catalog servers, maintain a "global
catalog." The first domain controller in the forest is a global catalog server by
default.
The global catalog allows users and applications to find objects anywhere in the
forest by searching for a particular attribute or attributes. It holds a partial
"replica" of every object in the forest: a copy of each object carrying only its
most commonly searched attributes, rather than the full attribute set held by the
domain controllers of the object's own domain. When a user performs a search to
find a user (or other object), the global catalog is queried for matches to that
request and returns them to the user. Data in the global catalog is built and
maintained through replication among domain controllers.
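The following Python is an added worked example for the names section and the global catalog search above; it is not code from the original chapter. It assumes the LDAP string form of a DN (RFC 4514: comma-separated RDNs, most specific first), parses a DN into its RDNs (honouring escaped commas), derives the DNS domain from the DC components, and builds a global catalog lookup filter by userPrincipalName with RFC 4515 escaping, so that a looked-up value such as `*)(objectClass=*` cannot widen the search. The "Production Flow" DN and the UPN kanderson@smithfin.com are taken from the text; the value containing an escaped comma is constructed for illustration.

```python
"""Added example (not from the original page): Active Directory names and
LDAP search filters.

Assumes the LDAP string form of a DN (RFC 4514): comma-separated RDNs written
most-specific first, e.g. CN=Production Flow,CN=documents,OU=prod,DC=mycompany,DC=com
"""
import re

_HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")


def parse_dn(dn):
    """Split a DN into a list of (attribute type, value) RDNs, leftmost first.

    Honours RFC 4514 escapes: a backslash followed by two hex digits decodes to
    that byte; a backslash followed by any other character means that literal
    character, so 'Anderson\\, Kay' is one value containing a comma.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if _HEX_PAIR.fullmatch(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    parsed = []
    for component in rdns:
        attr_type, sep, value = component.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % component)
        parsed.append((attr_type.strip().upper(), value))
    return parsed


def rdn_of(dn):
    """The relative distinguished name: the first (most specific) RDN."""
    return parse_dn(dn)[0]


def domain_of(dn):
    """DNS name of the domain holding the object: the DC components, dotted."""
    return ".".join(value for attr_type, value in parse_dn(dn) if attr_type == "DC")


# RFC 4515: the characters that would otherwise change a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an attribute value before placing it inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(upn):
    """Filter for a global catalog search for a user by userPrincipalName.

    Escaping the UPN stops a value such as '*)(objectClass=*' from widening the
    search (LDAP injection); the filter only ever matches the literal string.
    """
    return "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(upn)


if __name__ == "__main__":
    dn = "CN=Production Flow,CN=documents,OU=prod,DC=mycompany,DC=com"
    print(parse_dn(dn))
    print("RDN:", rdn_of(dn), "domain:", domain_of(dn))
    print(user_lookup_filter("kanderson@smithfin.com"))
    print(user_lookup_filter("*)(objectClass=*"))
```

The same escaping rule applies to any attribute value that comes from a user, not only UPNs; the filter's structure must come from the code, never from the input.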
Active Directory is a highly scalable and extensible directory service that makes
use of DNS as its naming scheme. The Active Directory natively uses LDAP to locate
objects within the Active Directory so users can easily locate the information
they need. The Active Directory structure is based on a hierarchy that contains
objects, organizational units, domains, trees, and forests. The Active Directory
also allows you to configure sites and manage site replication. The Active
Directory assigns DN, RDN, GUID, and UPN names to ensure uniqueness and ease of
location. A partial replica of this information, covering every object in the
forest, is held in the global catalog so that forest-wide searches can be answered
from one place.
Network protocol
Many protocols exist in computer networking ranging from the high level to the low
level. The Internet Protocol family includes IP and all higher-level network protocols
built on top of it, such as TCP, UDP, HTTP, and FTP. Modern operating systems include
services or daemons that implement support for a given network protocol. Some
protocols, like TCP/IP, have also been implemented in silicon hardware for optimized
performance.
TCP/IP
Definition: Transmission Control Protocol (TCP) and Internet Protocol (IP) are two
distinct network protocols, technically speaking. TCP and IP are so commonly used
together, however, that TCP/IP has become standard terminology to refer to either
or both of the protocols.
IP corresponds to the Network layer (Layer 3) in the OSI model, whereas TCP
corresponds to the Transport layer (Layer 4) in OSI. In other words, the term TCP/IP
refers to network communications where the TCP transport is used to deliver data
across IP networks.
Topologies
One can think of a topology as a network's virtual shape or structure. This shape
does not necessarily correspond to the actual physical layout of the devices on the
network. For example, the computers on a home LAN may be arranged in a circle in
a family room, but it would be highly unlikely to find an actual ring topology
there. The basic topologies are:
o bus
o ring
o star
o tree
o mesh
More complex networks can be built as hybrids of two or more of the above basic
topologies.
Bus Topology
Bus networks (not to be confused with the system bus of a computer) use a common
backbone to connect all devices. A single cable, the backbone, functions as a
shared communication medium that devices attach or tap into with an interface
connector. A device wanting to communicate with another device on the network
puts its message onto the wire, where every other device sees it, but only the
intended recipient normally accepts and processes the message. Because every
frame is visible to every attached device, a shared-medium bus also lets any node
capture traffic that is not addressed to it.
Ethernet bus topologies are relatively easy to install and don't require much
cabling compared to the alternatives. 10Base-2 ("ThinNet") and 10Base-5
("ThickNet") both were popular Ethernet cabling options many years ago for bus
topologies. However, bus networks work best with a limited number of devices. If
more than a few dozen computers are added to a network bus, performance problems
will likely result. In addition, if the backbone cable fails, the entire network
effectively becomes unusable.
Ring Topology
In a ring network, every device has exactly two neighbors for communication
purposes. All messages travel through a ring in the same direction (either
"clockwise" or "counterclockwise"). A failure in any cable or device breaks the loop
and can take down the entire network.
To implement a ring network, one typically uses FDDI, SONET, or Token Ring
technology. Ring topologies are found in some office buildings or school campuses.
Star Topology
Many home networks use the star topology. A star network features a central
connection point called a "hub" that may be a hub, switch or router. Devices
typically connect to the hub with Unshielded Twisted Pair (UTP) Ethernet. Note
that a true hub repeats every frame to every port, so traffic remains visible to
all attached devices as on a bus, whereas a switch forwards each frame only to the
port that leads to its destination MAC address.
Compared to the bus topology, a star network generally requires more cable, but a
failure in any star network cable will only take down one computer's network access
and not the entire LAN. (If the hub fails, however, the entire network also fails.)
Tree Topology
Tree topologies integrate multiple star topologies together onto a bus. In its simplest
form, only hub devices connect directly to the tree bus, and each hub functions as
the "root" of a tree of devices. This bus/star hybrid approach supports future
expandability of the network much better than a bus (limited in the number of
devices due to the broadcast traffic it generates) or a star (limited by the number of
hub connection points) alone.
Mesh Topology
Mesh topologies involve the concept of routes. Unlike each of the previous
topologies, messages sent on a mesh network can take any of several possible paths
from source to destination. (Recall that even in a ring, although two cable paths
exist, messages can only travel in one direction.) Some WANs, most notably the
Internet, employ mesh routing.
A mesh network in which every device connects to every other is called a full mesh.
As shown in the illustration below, partial mesh networks also exist in which some
devices connect only indirectly to others.
Summary
Topologies remain an important part of network design theory. You can probably
build a home or small business network without understanding the difference
between a bus design and a star design, but understanding the concepts behind
these gives you a deeper understanding of important elements like hubs, broadcasts,
and routes.
OSI MODEL
The standard model for networking protocols and distributed applications is the
International Organization for Standardization's Open Systems Interconnection
(ISO/OSI) reference model. It defines seven network layers.
Control is passed from one layer to the next, starting at the application layer in
one station, proceeding to the bottom layer, over the channel to the next station,
and back up the hierarchy.
Layer 1 - Physical
The physical layer defines the cable or physical medium itself, e.g., thinnet,
thicknet, unshielded twisted pairs (UTP). To the layers above, all media are
functionally equivalent; the main differences are in convenience and cost of
installation and maintenance. Converters from one medium to another operate at
this level.
Layer 2 - Data Link
The data link layer defines the format of data on the network. A data link frame
(the unit of transmission at this layer; "packet" more precisely names the network
layer's unit) includes a checksum, source and destination address, and data. The
largest frame payload that can be sent through a data link layer defines the
Maximum Transmission Unit (MTU). The data link layer handles the physical and
logical connections to the frame's destination, using a network interface. A host
connected to an Ethernet would have an Ethernet interface to handle connections to
the outside world, and a loopback interface to send packets to itself.
Ethernet addresses a host using a 48-bit address called its Ethernet address or
Media Access Control (MAC) address. MAC addresses are usually represented as six
colon-separated pairs of hex digits, e.g., 08:00:20:11:ac:85. The address is
assigned to a particular Ethernet device by its manufacturer and is intended to be
unique, but most interfaces let software override it, so a MAC address must never
be treated as proof of a device's identity. A host with multiple network
interfaces has a distinct MAC address for each interface. The data link layer's
protocol-specific header specifies the MAC address of the frame's source and
destination. When a frame is sent to all hosts (broadcast), a special MAC address
(ff:ff:ff:ff:ff:ff) is used.
Layer 3 - Network
TCP/IP networks (and NFS, whose protocol stack the following layers use as an
example) use the Internet Protocol (IP) at the network layer. IP is responsible
for routing, directing datagrams from one network to another. The network layer
may have to break datagrams larger than the MTU into smaller fragments, and the
host receiving them reassembles the fragmented datagram. IP (version 4)
identifies each host with a 32-bit IP address, written as four dot-separated
decimal numbers between 0 and 255, e.g., 129.79.16.40. Under the original
classful addressing scheme, the leading 1 to 3 bytes of the address identified the
network and the remaining bytes identified the host on that network; for large
(class B) sites, the first two bytes represented the network portion, and the
third and fourth bytes identified the subnet and host respectively. The network
portion was assigned by InterNIC Registration Services, under contract to the
National Science Foundation, and the host portion by the local network
administrators. Classful addressing has since been replaced by Classless
Inter-Domain Routing (CIDR), in which a prefix length (e.g., /16) states how many
leading bits form the network portion.
Even though IP packets are addressed using IP addresses, hardware addresses must
be used to actually transport data from one host to another on the local link.
The Address Resolution Protocol (ARP) is used to map an IP address to its hardware
address. ARP replies are not authenticated, so a host on the same segment can
answer for an address that is not its own (ARP spoofing) and intercept traffic
meant for that address.
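As an added example for the data link and network layer sections above (not code from the original page), the following Python decodes an Ethernet frame carrying an IPv4 datagram: it formats MAC addresses as six two-digit hex pairs, detects the broadcast address, checks every claimed length before slicing, verifies the IP header checksum, decodes the fragmentation fields, and splits the address into network and host under the historical classful scheme the text describes. The MAC address 08:00:20:11:ac:85 and IP address 129.79.16.40 are the ones quoted in the text; the frame itself and every other field value are constructed for the example.

```python
"""Added example (not from the original page): decoding the layer 2 and layer 3
headers described above from a constructed Ethernet frame carrying an IPv4
datagram. 08:00:20:11:ac:85 and 129.79.16.40 are the addresses quoted in the
text; every other field value here is made up for the example."""
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def format_mac(raw):
    """Six colon-separated two-digit hex pairs, e.g. 08:00:20:11:ac:85."""
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame):
    """Destination MAC, source MAC and EtherType, then the encapsulated packet."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": format_mac(dst), "src": format_mac(src), "ethertype": ethertype,
            "broadcast": format_mac(dst) == BROADCAST_MAC, "payload": frame[14:]}


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words. Over a header whose checksum field is
    zero this yields the checksum; over a complete, intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Decode the IPv4 header. Every length is checked before slicing: a header
    that claims more bytes than were captured is a classic way to break parsers."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length field disagrees with the captured bytes")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "identification": ident,                       # shared by all fragments
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),   # set on all but the last fragment
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "ttl": ttl,
        "protocol": proto,                             # 6 = TCP, 17 = UDP
        "header_checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def classful_network(addr):
    """Network portion under the original classful scheme the text describes.
    Historical: CIDR prefix lengths replaced the fixed A/B/C classes."""
    first = int(addr.split(".")[0])
    if first < 128:
        cls, bits = "A", 8
    elif first < 192:
        cls, bits = "B", 16
    elif first < 224:
        cls, bits = "C", 24
    else:
        return "D/E", None
    return cls, str(ipaddress.ip_network("%s/%d" % (addr, bits), strict=False))


def build_sample_frame():
    """Constructed broadcast frame from 08:00:20:11:ac:85 carrying a UDP datagram
    129.79.16.40 -> 129.79.255.255 that is the first fragment of a larger one."""
    payload = b"NFS-like UDP payload (constructed)"
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0x2000, 64, 17, 0,
              ipaddress.IPv4Address("129.79.16.40").packed,
              ipaddress.IPv4Address("129.79.255.255").packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))  # fill in checksum
    eth = bytes.fromhex("ffffffffffff08002011ac85") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + struct.pack(IPV4_HDR, *fields) + payload


if __name__ == "__main__":
    eth = parse_ethernet(build_sample_frame())
    ip = parse_ipv4(eth["payload"])
    print(eth["src"], "->", eth["dst"], "(broadcast)" if eth["broadcast"] else "")
    print(ip["src"], "->", ip["dst"], "proto", ip["protocol"], "checksum ok:", ip["header_checksum_ok"])
    print(classful_network(ip["src"]))
```

The checksum covers only the IP header, so it catches corruption in transit but not a deliberately rewritten header; an attacker who changes a field simply recomputes it. Bounds checks on the header length, total length and fragment offset are what keep a parser safe from hostile input.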
Layer 4 - Transport
The transport layer delivers data between processes on the communicating hosts,
identifying each endpoint process by a 16-bit port number. TCP provides a
reliable, connection-oriented byte stream with sequencing, acknowledgement and
retransmission; UDP provides connectionless datagrams with no delivery guarantee.
Both run on top of IP.
Layer 5 - Session
The session layer manages the dialogue between the two endpoints of a connection.
In the NFS protocol stack, Remote Procedure Call (RPC) fills this role. RPC may be
built on either TCP or UDP: login sessions use TCP, whereas NFS and broadcast
traffic use UDP.
Layer 6 - Presentation
External Data Representation (XDR) sits at the presentation level. It converts the
local representation of data to its canonical form and vice versa. The canonical
form uses a standard byte ordering and structure-packing convention, independent
of the host.
Layer 7 - Application
Provides network services to the end-users. Mail, ftp, telnet, DNS, NIS, NFS are
examples of network applications.
Physical layer summary (table):

Layer       Function                                        Standards          Devices
Physical    Transmits raw bit stream over physical cable    IEEE 802           Repeater
(hardware;  Defines cables, cards, and physical aspects     IEEE 802.2         Multiplexer
raw bit     Defines NIC attachments to hardware and how     ISO 2110           Hubs (passive, active)
stream)     the cable is attached to the NIC                ISDN               TDR
            Defines techniques to transfer the bit stream   802.12 Demand      Oscilloscope
            to the cable                                    Priority           Amplifier