ACTIVE DIRECTORY, OSI Model, Networking Protocols and Topologies
WHAT IS THE ACTIVE DIRECTORY?

The term "directory" has received a lot of attention in computing environments in the
past several years. As computing environments have become larger and more
complex, with many offering Internet access and even network resources through an
intranet, the task of managing the many resources the network has to offer has
become more and more complex for network administrators — and the user's task of
finding those resources has become just as difficult. The need to not only organize
information, but make that information easy to manage and locate, has become a
serious and complicated issue.

By definition, a directory is an information storage location that uses a systematic
scheme to organize the information. The Active Directory refers to this systematic
scheme as a "namespace." A common example is the telephone book. All information
in a telephone book is stored by city/region, last name, then first name(s). By
referencing a particular name in a particular city/region, you can find that person's
telephone number. The phone book uses a "namespace" in that all names are
organized in alphabetical order using the last name and first name of the phone user.
If the telephone book did not follow a namespace — in other words, if some names
listed were by first name, some by last, some by nicknames, and some by address —
you would never find what you needed. So, a directory organizes information using a
namespace so you can find more information about the people or things listed in the
directory.

Although Windows NT offered directory services through third party software, the
Active Directory in Windows 2000 is Microsoft's new answer to directory services.
The Active Directory is a powerful tool that allows multiple sites, domains, and even
the Internet to fully integrate together. The Active Directory's purpose is to organize
information about real network objects, such as users, shares, printers, applications,
and so forth, so that users can find the resources they need. Through the Active
Directory, users do not have to keep track of which server holds which resource, or
where a particular printer resides. The Active Directory lists the information, is
completely searchable, and provides a standard folder interface to users so they can
find what they need on the network. From an administrator's point of view, the
Active Directory provides you with a simple, hierarchical design that you can
administer from a single location.
DESIGN GOALS OF THE ACTIVE DIRECTORY

The Active Directory's design goals are simple, yet very powerful, allowing Active
Directory to provide the desired functionality in virtually any computing environment.
The following list describes the major features and goals of the Active Directory
technology.

Scalable — The Active Directory is highly scalable, which means it can function in
small networking environments or global corporations. The Active Directory supports
multiple stores, which are wide groupings of objects, and can hold more than one
million objects per store.
Extensible — The Active Directory is "extensible," which means it can be customized
to meet the needs of an organization.
Secure — The Active Directory is integrated with Windows 2000 security, allowing
administrators to control access to objects.
Seamless — The Active Directory is seamlessly integrated with the local network and
the intranet/Internet.
Open Standards — The Active Directory is based on open communication standards,
which allow integration and communication with other directory services, such as
Novell's NDS.
Backwards Compatible — Although Windows 2000 operating systems make the most
use of the Active Directory, the Active Directory is backwards compatible for earlier
versions of Windows operating systems. This feature allows implementation of the
Active Directory to be taken one step at a time.

ACTIVE DIRECTORY NAMESPACE

As mentioned previously, the Active Directory functions through the use of an
extensible namespace, and the namespace used in the Active Directory follows the
Domain Name System (DNS). DNS is the most widely used directory namespace in
the world and it is highly scalable. Each time you use the Internet, you are using
DNS. DNS takes a host name, such as www.microsoft.com, and resolves it into a
TCP/IP address, such as 131.107.2.200, which is required for communication on
TCP/IP networks. Since computers must have the TCP/IP address to communicate,
and we need the language-based names to communicate, DNS' job is to resolve the
two.
The Active Directory is integrated with DNS and the naming schemes used in the
Active Directory are DNS names. The DNS integration allows you to use the same
domain name for your network as you would on the Internet. For example,
smithfin.com is a valid DNS name and can also be used as a Windows 2000 domain
name. With DNS as the locator service in the Active Directory, the local area network
becomes more seamless with the Internet and intranet. Smithfin.com can be an
Internet name or a local area name. Kanderson@smithfin.com is both an Internet
email address and a user name in the local network. This structure allows you to find
items on your network in the same manner you find them on the Internet.

Windows 2000 also supports Dynamic DNS (DDNS), a new addition to the DNS
standard. DDNS lets a DNS server's records be updated dynamically with new or
changed values, a task that had to be performed manually in the past. Since name
records can be dynamically updated, true Windows 2000 networks no longer need to
use Windows Internet Naming Service (WINS).

LDAP IN THE ACTIVE DIRECTORY

DNS is the naming scheme used in the Active Directory, and LDAP (Lightweight
Directory Access Protocol) is how you access the Active Directory. LDAP is a widely
adopted Internet standard used in newsgroups and search engines. Although often
misunderstood, LDAP is not a part of the X.500 standard. The X.500 standard is a
directory specification that introduced DAP (Directory Access Protocol) to read and
modify a directory database. DAP is an extensible protocol in that it can handle
directory requests and changes, as well as directory security. However, DAP places
much of the processing burden on the client computers and is considered to be a
high overhead protocol. LDAP, which is not defined within the X.500 specification,
was developed to overcome the weaknesses of DAP. LDAP is an open standard, which
means that it can be used by anyone wishing to develop a directory service and is
not restricted to X.500 directories like DAP. Also, a major difference is that LDAP is
not a client-based service. The service runs on the server and the information is
returned to the LDAP-enabled client. The Active Directory is not an X.500 directory,
but it supports the information model without requiring systems to implement the
X.500 overhead. The result is an LDAP-based directory that supports high levels of
interoperability.
ACTIVE DIRECTORY HIERARCHY

The structure of the Active Directory is a hierarchy, and before installing and
implementing the Active Directory, you must have a firm understanding of the
structure as well as the components that make up the Active Directory. You will use
this hierarchy design to build the Active Directory infrastructure for your
organization, so it is important that you have a firm grasp of their meaning and place
in the hierarchy before you begin planning. The following sections explore the
components in the hierarchy structure. We will work with each of these in more detail
in later chapters.

Object

An Active Directory object represents a physical object of some kind on the network.
Common Active Directory objects are users, groups, printers, shared folders,
applications, databases, contacts, and so forth. Each of these objects represents
something "tangible." Each object is defined by a set of "attributes." An attribute is a
quality that helps define the actual object. For example, a user object could have
attributes of a username, actual name, and email address. Attributes for each kind of
object are defined in the Active Directory. The attributes define the object itself and
allow users to search for the particular object, as in Figure 1.

Organizational Unit

An organizational unit (OU) is like a file folder in a filing cabinet. The OU is designed
to hold objects (or even other OUs). It contains attributes like an object, but has no
functionality on its own. As with a file folder, its purpose is to hold other objects. As
the name implies, an OU helps you "organize" your directory structure. For example,
you could have an accounting OU that contains other OUs, such as Accounting Group
A and Accounting Group B, and inside those OUs can reside objects that belong, such
as users, groups, computers, printers, and so forth (Figure 2). OUs also serve as
security and administrative boundaries and can be used to replace the multiple
domains of a Windows NT multi-domain network.
Domain

By definition, a domain is a logical grouping of users and computers. A domain
typically resides in a localized geographic location, but this is not always the case. In
reality, a domain is more than a logical grouping — it is actually a security boundary
in a Windows 2000 or NT network. You can think of a network with multiple domains
as being like a residential neighborhood. All of the homes make up the
neighborhood, but each home is a security boundary that holds certain objects inside
and keeps others out. The domain is the same (Figure 3). Each domain can have its
own security policies and can establish trust relationships with other domains. The
Active Directory is made up of one or more domains. Domains contain a schema,
which is a set of object class instances. The schema determines how objects are
defined with the Active Directory. The schema itself resides within the Active
Directory and can be dynamically changed. You can learn more about the Active
Directory schema in Chapter 18.

Tree

The hierarchy structure of the domain, organizational units, and objects is called a
tree. The objects within the tree are referred to as endpoints, while the OUs in the
tree structure are nodes. In terms of a physical tree, you can think of the branches
as OUs or containers and the leaves as objects — an object is the natural endpoint of
the node within the tree.

Domain Trees

A domain tree exists when several domains are linked by trust relationships and
share a common schema, configuration, and global catalog. Trust relationships in
Windows 2000 are based on the Kerberos security protocol. Kerberos trusts are
transitive. In other words, if domain 1 trusts domain 2 and domain 2 trusts domain
3, then domain 1 trusts domain 3, as shown in Figure 4.

A domain tree also shares a contiguous namespace (Figure 5). A contiguous
namespace follows the same DNS naming hierarchy within the domain tree. For
example, if the root domain is smithfin.com and domain A and domain B exist in a
domain tree, the contiguous namespace for the two would be domaina.smithfin.com
and domainb.smithfin.com. If domain A resides in smithfindal.com and domain B
resides in the smithfin.com root, then the two would not share a contiguous name
space.

Forest

A forest is one or more trees that do not share a contiguous name space. The trees
in the forest do share a common schema, configuration, and global catalog, but the
trees do not share a contiguous name space. All trees in the forest trust each other
through Kerberos transitive trusts. In actuality, the forest does not have a distinct
name of its own; the trees are viewed as a hierarchy of trust relationships, and the
forest is normally referred to by the name of the tree at the top of that hierarchy. For
example, corp.com, production.corp.com, and mgmt.corp.com form a forest with
corp.com serving as the forest root.
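
The two rules above, transitive Kerberos trusts and the contiguous-namespace test, can be modelled in a few lines. This is an added example, not part of the original text: it uses the text's domain names (smithfin.com, corp.com and their children) but the trust links joining them into one forest are constructed, and working out the full transitive reach of a trust is exactly what a defender wants when judging how far a problem in one domain extends.

```python
"""Model a Windows 2000 forest as domains joined by transitive Kerberos trusts
and check which domains share a contiguous DNS namespace."""
from __future__ import annotations
from collections import deque
from typing import Dict, Iterable, Optional, Set, Tuple


def is_contiguous(child: str, root: str) -> bool:
    """True when `child` sits below `root` in the same DNS hierarchy,
    e.g. domaina.smithfin.com under smithfin.com (but not smithfindal.com)."""
    child, root = child.lower().rstrip("."), root.lower().rstrip(".")
    return child == root or child.endswith("." + root)


def tree_root(domain: str, roots: Iterable[str]) -> Optional[str]:
    """The tree root whose contiguous namespace contains `domain`, if any."""
    matches = [r for r in roots if is_contiguous(domain, r)]
    return max(matches, key=len) if matches else None


def share_namespace(a: str, b: str, roots: Iterable[str]) -> bool:
    """Two domains are in the same domain tree when they hang off one root."""
    ra, rb = tree_root(a, roots), tree_root(b, roots)
    return ra is not None and ra == rb


def build_forest(links: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Turn (parent, child) trust links into a two-way adjacency map:
    tree and forest trusts in Windows 2000 are two-way and transitive."""
    direct: Dict[str, Set[str]] = {}
    for a, b in links:
        direct.setdefault(a, set()).add(b)
        direct.setdefault(b, set()).add(a)
    return direct


def transitive_trusts(direct: Dict[str, Set[str]], start: str) -> Set[str]:
    """Every domain `start` ends up trusting by following trusts transitively
    (domain 1 trusts domain 2, domain 2 trusts domain 3, so 1 trusts 3)."""
    seen, queue = {start}, deque([start])
    while queue:
        d = queue.popleft()
        for other in direct.get(d, ()):
            if other not in seen:
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return seen


# Constructed forest: the smithfin.com tree and the corp.com tree, joined by
# a trust between their roots (the domain names come from the text above).
TREE_ROOTS = ["smithfin.com", "corp.com"]
TRUST_LINKS = [
    ("smithfin.com", "domaina.smithfin.com"),
    ("smithfin.com", "domainb.smithfin.com"),
    ("corp.com", "production.corp.com"),
    ("corp.com", "mgmt.corp.com"),
    ("corp.com", "smithfin.com"),  # forest-level trust between the two trees
]
FOREST = build_forest(TRUST_LINKS)


def trust_report(domain: str) -> dict:
    """Which tree a domain belongs to and which domains it ends up trusting."""
    return {
        "tree_root": tree_root(domain, TREE_ROOTS),
        "trusted": sorted(transitive_trusts(FOREST, domain)),
    }


if __name__ == "__main__":
    for d in ("domaina.smithfin.com", "mgmt.corp.com"):
        print(d, trust_report(d))
```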

Site

A site is not actually considered a part of the Active Directory hierarchy, but is
configured in the Active Directory for replication purposes. A site is defined as a
geographical location in a network containing Active Directory servers with a well-
connected TCP/IP subnet. Well-connected means that the network connection is
highly reliable and fast to other subnets in the network. Administrators use the
Active Directory to configure replication between sites. Users do not have to be
aware of site configuration. As far as the Active Directory is concerned, users only
see domains.

ACTIVE DIRECTORY NAMES

In the Active Directory, every object, such as a user, a group, a computer, a printer,
and so forth, has a unique name. There are four kinds of names assigned to each
object.

First, each object has a distinguished name (DN). The DN is unique from all other
objects and contains the full information needed to retrieve the object. The DN
contains the domain where the object resides and the path to the object. The DN is
made up of these attributes (or qualities):
DomainComponentName (DC)
OrganizationalUnitName (OU)
CommonName (CN)

For example, if you wanted to access a document called "Production Flow" that
resides in a particular domain, the DN might read:

/DC=com/DC=mycompany/OU=prod/CN=documents/CN=Production Flow

By using the DN, the Active Directory can begin at the top of the domain and work
its way down to the actual folder or document.

Next, the Active Directory uses the relative distinguished name (RDN). The RDN is
the part of the DN that defines the actual object, called an attribute. This is the CN,
or common name. Fortunately, all you need to know to search for objects are
common names. You don't have to know or use the DN, and the DN itself is normally
hidden from the users.

Next, the Active Directory also uses the globally unique identifier (GUID), which is a
128-bit number unique from all others. The GUID is assigned to an object when it is
created in the Active Directory and it never changes.

Finally, Active Directory objects can be identified by the user principal name (UPN),
which is a short, friendly name that looks like an email address, such as
kanderson@smithfin.com.

The major point to remember is that the Active Directory provides the DN, RDN,
GUID, and UPN for objects to ensure uniqueness, ease of location for LDAP queries,
and ease of use for users. You will learn more about these names throughout the
book.
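
The DN and RDN described above are easy to work with programmatically. The following is an added example, not code from the original text: it parses both the slash-separated DN spelling the text shows (root first) and the comma-separated spelling LDAP clients send (leaf first), pulls out the RDN, and derives the DNS domain name from the DC components. The "Smith, Kate" value with an escaped comma is a constructed input.

```python
"""Parse Active Directory distinguished names in slash or LDAP comma form."""
from __future__ import annotations
from typing import List, Tuple


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep`, but not on a backslash-escaped separator (LDAP escaping)."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return DN components as (type, value) pairs, leaf (RDN) first.
    The slash form is written root first, so it is reversed into LDAP order."""
    dn = dn.strip()
    if dn.startswith("/"):
        raw = [p for p in split_unescaped(dn[1:], "/") if p]
        raw.reverse()
    else:
        raw = [p for p in split_unescaped(dn, ",") if p]
    comps = []
    for item in raw:
        if "=" not in item:
            raise ValueError(f"malformed DN component: {item!r}")
        attr, value = item.split("=", 1)
        comps.append((attr.strip().upper(), value.strip()))
    return comps


def rdn(dn: str) -> Tuple[str, str]:
    """The relative distinguished name: the leaf component naming the object."""
    return parse_dn(dn)[0]


def dns_domain(dn: str) -> str:
    """Join the DC components (leaf first) into the domain's DNS name,
    e.g. DC=mycompany,DC=com -> mycompany.com."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def to_ldap(dn: str) -> str:
    """Canonical comma-separated LDAP string with commas and backslashes escaped."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{a}={esc(v)}" for a, v in parse_dn(dn))


def is_valid_dn(dn: str) -> bool:
    """True when every component is attr=value and the DN locates a domain (DC)."""
    try:
        comps = parse_dn(dn)
    except ValueError:
        return False
    return bool(comps) and any(a == "DC" for a, _ in comps)


if __name__ == "__main__":
    sample = "/DC=com/DC=mycompany/OU=prod/CN=documents/CN=Production Flow"
    print(rdn(sample), dns_domain(sample), to_ldap(sample), sep="\n")
```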

GLOBAL CATALOG

The purpose of LDAP is to allow network users to search and find the objects in the
Active Directory they want to use. For this to happen, the Active Directory domain
controllers maintain a "global catalog."
The global catalog allows users and applications to find objects in the Active
Directory by searching for a particular attribute(s). The global catalog holds a partial
"replica" of the objects and their most common attributes. When a user performs a
search operation to find a user (or other object), the global catalog is checked to find
matches for that request. The global catalog looks for that attribute and returns
matches to the user. Data in the global catalog is built and maintained through
replication among domain controllers.

Active Directory is a highly scalable and extensible directory service that makes use
of DNS as its naming scheme. The Active Directory natively uses LDAP to locate
objects within the Active Directory so users can easily locate the information they
need. The Active Directory structure is based on a hierarchy that contains objects,
organizational units, domains, trees, and forests. The Active Directory also allows
you to configure sites and manage site replication. The Active Directory assigns DN,
RDN, GUID, and UPN names to ensure uniqueness and ease of location. All of this
information is stored in a global catalog.

Networking concepts, protocols and topologies

Network protocol

Definition: A network protocol defines a "language" of rules and conventions for
communication between network devices. A protocol includes formatting rules that
specify how data is packaged into messages. It also may include conventions like
message acknowledgement or data compression to support reliable and/or high-
performance network communication.

In networking, the communication language used by computer devices is called the
protocol. Yet another way to classify computer networks is by the set of protocols
they support. Networks often implement multiple protocols to support specific
applications. Popular protocols include TCP/IP, the most common protocol found on
the Internet and in home networks.

Many protocols exist in computer networking ranging from the high level to the low
level. The Internet Protocol family includes IP and all higher-level network protocols
built on top of it, such as TCP, UDP, HTTP, and FTP. Modern operating systems include
services or daemons that implement support for a given network protocol. Some
protocols, like TCP/IP, have also been implemented in silicon hardware for optimized
performance.

TCP/IP

Definition: Transmission Control Protocol (TCP) and Internet Protocol (IP) are two
distinct network protocols, technically speaking. TCP and IP are so commonly used
together, however, that TCP/IP has become standard terminology to refer to either
or both of the protocols.

IP corresponds to the Network layer (Layer 3) in the OSI model, whereas TCP
corresponds to the Transport layer (Layer 4) in OSI. In other words, the term TCP/IP
refers to network communications where the TCP transport is used to deliver data
across IP networks.

The average person on the Internet works in a predominately TCP/IP environment.
Web browsers, for example, use TCP/IP to communicate with Web servers.

Topologies

Bus, ring, star, and other types of network topology

In networking, the term "topology" refers to the layout of connected devices on a
network. This article introduces the standard topologies of computer networking.

Topology in Network Design

One can think of a topology as a network's virtual shape or structure. This shape
does not necessarily correspond to the actual physical layout of the devices on the
network. For example, the computers on a home LAN may be arranged in a circle in
a family room, but it would be highly unlikely to find an actual ring topology there.

Network topologies are categorized into the following basic types:

o bus
o ring
o star
o tree
o mesh

More complex networks can be built as hybrids of two or more of the above basic
topologies.

Bus Topology

Bus networks (not to be confused with the system bus of a computer) use a common
backbone to connect all devices. A single cable, the backbone, functions as a shared
communication medium that devices attach or tap into with an interface connector. A
device wanting to communicate with another device on the network sends a
broadcast message onto the wire that all other devices see, but only the intended
recipient actually accepts and processes the message.

Ethernet bus topologies are relatively easy to install and don't require much cabling
compared to the alternatives. 10Base-2 ("ThinNet") and 10Base-5 ("ThickNet") both
were popular Ethernet cabling options many years ago for bus topologies. However,
bus networks work best with a limited number of devices. If more than a few dozen
computers are added to a network bus, performance problems will likely result. In
addition, if the backbone cable fails, the entire network effectively becomes
unusable.

Ring Topology

In a ring network, every device has exactly two neighbors for communication
purposes. All messages travel through a ring in the same direction (either
"clockwise" or "counterclockwise"). A failure in any cable or device breaks the loop
and can take down the entire network.

To implement a ring network, one typically uses FDDI, SONET, or Token Ring
technology. Ring topologies are found in some office buildings or school campuses.

Star Topology

Many home networks use the star topology. A star network features a central
connection point called a "hub" that may be a hub, switch or router. Devices typically
connect to the hub with Unshielded Twisted Pair (UTP) Ethernet.

Compared to the bus topology, a star network generally requires more cable, but a
failure in any star network cable will only take down one computer's network access
and not the entire LAN. (If the hub fails, however, the entire network also fails.)

Tree Topology

Tree topologies integrate multiple star topologies together onto a bus. In its simplest
form, only hub devices connect directly to the tree bus, and each hub functions as
the "root" of a tree of devices. This bus/star hybrid approach supports future
expandability of the network much better than a bus (limited in the number of
devices due to the broadcast traffic it generates) or a star (limited by the number of
hub connection points) alone.

Mesh Topology

Mesh topologies involve the concept of routes. Unlike each of the previous
topologies, messages sent on a mesh network can take any of several possible paths
from source to destination. (Recall that even in a ring, although two cable paths
exist, messages can only travel in one direction.) Some WANs, most notably the
Internet, employ mesh routing.

A mesh network in which every device connects to every other is called a full mesh.
As shown in the illustration below, partial mesh networks also exist in which some
devices connect only indirectly to others.

Summary

Topologies remain an important part of network design theory. You can probably
build a home or small business network without understanding the difference
between a bus design and a star design, but understanding the concepts behind
these gives you a deeper understanding of important elements like hubs, broadcasts,
and routes.

OSI MODEL

The standard model for networking protocols and distributed applications is the
International Organization for Standardization's Open Systems Interconnection
(ISO/OSI) model. It defines seven network layers.

OSI is short for Open Systems Interconnection, an ISO standard for worldwide
communications that defines a networking framework for implementing protocols in
seven layers. Control is passed from one layer to the next, starting at the application
layer in one station, proceeding to the bottom layer, over the channel to the next
station and back up the hierarchy.
At one time, most vendors agreed to support OSI in one form or another, but OSI
was too loosely defined and proprietary standards were too entrenched. Except for
the OSI-compliant X.400 and X.500 e-mail and directory standards, which are widely
used, what was once thought to become the universal communications standard now
serves as the teaching model for all other protocols.

Layer 1 - Physical

The physical layer defines the cable or physical medium itself, e.g., thinnet, thicknet,
unshielded twisted pair (UTP). All media are functionally equivalent; the main
difference is in the convenience and cost of installation and maintenance. Converters
from one medium to another operate at this level.

Layer 2 - Data Link

Data Link layer defines the format of data on the network. A network data frame,
aka packet, includes checksum, source and destination address, and data. The
largest packet that can be sent through a data link layer defines the Maximum
Transmission Unit (MTU). The data link layer handles the physical and logical
connections to the packet's destination, using a network interface. A host connected
to an Ethernet would have an Ethernet interface to handle connections to the outside
world, and a loopback interface to send packets to itself.

Ethernet addresses a host using a unique, 48-bit address called its Ethernet address
or Media Access Control (MAC) address. MAC addresses are usually represented as
six colon-separated pairs of hex digits, e.g., 8:0:20:11:ac:85. This number is unique
and is associated with a particular Ethernet device. Hosts with multiple network
interfaces should use the same MAC address on each. The data link layer's protocol-
specific header specifies the MAC address of the packet's source and destination.
When a packet is sent to all hosts (broadcast), a special MAC address (ff:ff:ff:ff:ff:ff)
is used.

Layer 3 - Network

NFS uses the Internet Protocol (IP) as its network layer interface. IP is responsible
for routing, directing datagrams from one network to another. The network layer may
have to break datagrams larger than the MTU into smaller packets, and the host
receiving the packets has to reassemble the fragmented datagram. IP identifies each
host with a 32-bit IP address. IP addresses are written as four dot-separated decimal
numbers between 0 and 255, e.g., 129.79.16.40. The leading 1-3 bytes of the IP
address identify the network and the remaining bytes identify the host on that
network. The network portion of the IP address is assigned by InterNIC Registration
Services, under contract to the National Science Foundation, and the host portion is
assigned by the local network administrators. For large sites, the first two bytes
represent the network portion of the IP address, and the third and fourth bytes
identify the subnet and host respectively.

Even though IP packets are addressed using IP addresses, hardware addresses must
be used to actually transport data from one host to another. The Address Resolution
Protocol (ARP) is used to map an IP address to its hardware address.
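
The two network-layer jobs just described, resolving the hardware address and breaking a datagram that exceeds the MTU into fragments the receiver reassembles, are shown below in a toy model. This is an added example, not code from the original text: the MTU, header length, datagram id and the ARP table entry are constructed values (the address spellings 129.79.16.40 and 8:0:20:11:ac:85 follow the text), and the receiver is written to cope with fragments arriving out of order, duplicated, or not at all.

```python
"""Toy network layer: ARP lookup, fragmentation to fit an MTU, reassembly."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_LEN = 20   # constructed: bytes of per-fragment header
MTU = 100         # constructed: kept small so a short payload fragments

# Constructed ARP cache: IP address -> hardware (MAC) address
ARP_TABLE = {"129.79.16.40": "8:0:20:11:ac:85"}


def resolve_mac(ip: str) -> str:
    """ARP step: without a hardware address no frame can be built."""
    try:
        return ARP_TABLE[ip]
    except KeyError:
        raise LookupError(f"no ARP entry for {ip}") from None


@dataclass(frozen=True)
class Fragment:
    datagram_id: int
    offset: int      # byte offset of this piece within the original datagram
    more: bool       # True on every fragment except the last
    payload: bytes
    dst_mac: str     # filled in from the ARP table before transmission


def fragment(datagram_id: int, payload: bytes, mtu: int, dst_mac: str) -> List[Fragment]:
    """Split `payload` so that each fragment plus its header fits in `mtu`."""
    room = mtu - HEADER_LEN
    if room <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags = []
    for off in range(0, len(payload), room):
        piece = payload[off:off + room]
        frags.append(Fragment(datagram_id, off, off + room < len(payload), piece, dst_mac))
    return frags


def send(datagram_id: int, payload: bytes, dst_ip: str, mtu: int = MTU) -> List[Fragment]:
    """Sending host: resolve the hardware address, then fragment to the link MTU."""
    return fragment(datagram_id, payload, mtu, resolve_mac(dst_ip))


class Reassembler:
    """Receiving host's per-datagram reassembly buffers."""

    def __init__(self) -> None:
        self.pieces: Dict[int, Dict[int, Fragment]] = {}
        self.total: Dict[int, int] = {}   # datagram length, known once the last piece arrives

    def accept(self, frag: Fragment) -> Optional[bytes]:
        """Store one fragment; return the whole datagram once complete, else None."""
        buf = self.pieces.setdefault(frag.datagram_id, {})
        buf[frag.offset] = frag               # a duplicate simply overwrites
        if not frag.more:
            self.total[frag.datagram_id] = frag.offset + len(frag.payload)
        return self._try_complete(frag.datagram_id)

    def _try_complete(self, did: int) -> Optional[bytes]:
        if did not in self.total:
            return None                       # last fragment not seen yet
        expected, out = 0, bytearray()
        for off in sorted(self.pieces[did]):
            if off != expected:
                return None                   # gap: a fragment is still missing
            piece = self.pieces[did][off].payload
            out += piece
            expected += len(piece)
        if expected != self.total[did]:
            return None
        del self.pieces[did], self.total[did]
        return bytes(out)

    def missing(self, did: int) -> List[Tuple[int, int]]:
        """Byte ranges still outstanding; only knowable once the last fragment
        has revealed the total length (empty before that or after completion)."""
        if did not in self.total:
            return []
        expected, gaps = 0, []
        for off in sorted(self.pieces.get(did, {})):
            if off > expected:
                gaps.append((expected, off))
            expected = max(expected, off + len(self.pieces[did][off].payload))
        if expected < self.total[did]:
            gaps.append((expected, self.total[did]))
        return gaps


if __name__ == "__main__":
    frags = send(7, bytes(range(250)), "129.79.16.40")
    rx = Reassembler()
    for f in reversed(frags):                 # deliver out of order
        print(f"offset {f.offset:3d} more={f.more}", "complete" if rx.accept(f) else "waiting")
```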

Layer 4 - Transport

The transport layer subdivides the user buffer into network-buffer-sized datagrams
and enforces the desired transmission control. Two transport protocols, Transmission
Control Protocol (TCP) and User Datagram Protocol (UDP), sit at the transport layer.
Reliability and speed are the primary differences between these two protocols. TCP
establishes connections between two hosts on the network through 'sockets', which
are identified by an IP address and port number. TCP keeps track of the packet
delivery order and of the packets that must be resent. Maintaining this information
for each connection makes TCP a stateful protocol. UDP, on the other hand, provides
a low-overhead transmission service, but with less error checking. NFS is built on top
of UDP because of its speed and statelessness. Statelessness simplifies crash
recovery.

Layer 5 - Session

The session protocol defines the format of the data sent over the connections. NFS
uses the Remote Procedure Call (RPC) for its session protocol. RPC may be built on
either TCP or UDP. Login sessions use TCP, whereas NFS and broadcast use UDP.

Layer 6 - Presentation

External Data Representation (XDR) sits at the presentation level. It converts the
local representation of data to its canonical form and vice versa. The canonical form
uses a standard byte ordering and structure packing convention, independent of the
host.

Layer 7 - Application

Provides network services to the end-users. Mail, ftp, telnet, DNS, NIS, NFS are
examples of network applications.

OSI Model Reference Table

The table lists, for each layer, its function, the protocols that operate at it, and the
network components that work at it.

Layer: Application (User Interface)
Function: Used for applications specifically written to run over the network. Allows
access to network services that support applications; directly represents the services
that directly support user applications. Handles network access, flow control and
error recovery. Example apps are file transfer, e-mail, and NetBIOS-based
applications.
Protocols: DNS; FTP; TFTP; BOOTP; SNMP; RLOGIN; SMTP; MIME; NFS; FINGER;
TELNET; NCP; APPC; AFP; SMB
Network Components: Gateway

Layer: Presentation (Translation)
Function: Translates from application to network format and vice versa. All different
formats from all sources are made into a common uniform format that the rest of the
OSI model can understand. Responsible for protocol conversion, character
conversion, data encryption / decryption, expanding graphics commands, and data
compression. Sets standards for different systems to provide seamless
communication from multiple protocol stacks. Not always implemented in a network
protocol.
Protocols: none listed
Network Components: Gateway; Redirector

Layer: Session (Syncs and Sessions)
Function: Establishes, maintains and ends sessions across the network. Responsible
for name recognition (identification) so only the designated parties can participate
in the session. Provides synchronization services by planning check points in the
data stream, so that if the session fails, only data after the most recent checkpoint
need be transmitted. Manages who can transmit data at a certain time and for how
long. Examples are interactive login and file transfer connections; the session would
connect and re-connect if there was an interruption, recognize names in sessions and
register names in history.
Protocols: NetBIOS; Named Pipes; Mail Slots; RPC
Network Components: Gateway

Layer: Transport (Packets; Flow control & Error-handling)
Function: Additional connection below the session layer. Manages the flow control of
data between parties across the network. Divides streams of data into chunks or
packets; the transport layer of the receiving computer reassembles the message from
packets. A train is a good analogy: the data is divided into identical units. Provides
error-checking to guarantee error-free data delivery, with no losses or duplications.
Provides acknowledgment of successful transmissions; requests retransmission if
some packets don't arrive error-free. Provides flow control and error-handling.
Protocols: TCP; ARP; RARP; SPX; NWLink; NetBIOS / NetBEUI; ATP
Network Components: Gateway; Advanced Cable Tester; Brouter

Layer: Network (Addressing; Routing)
Function: Translates logical network addresses and names to their physical address
(e.g. computer name ==> MAC address). Responsible for addressing, determining
routes for sending, and managing network problems such as packet switching, data
congestion and routing. If a router can't send a data frame as large as the source
computer sends, the network layer compensates by breaking the data into smaller
units; at the receiving end, the network layer reassembles the data. Think of this
layer as stamping the addresses on each train car.
Protocols: IP; ARP; RARP; ICMP; RIP; OSPF; IGMP; IPX; NWLink; NetBEUI; OSI; DDP;
DECnet
Network Components: Brouter; Router; Frame Relay Device; ATM Switch; Advanced
Cable Tester

Layer: Data Link (Data frames to bits)
Function: Turns packets into raw bits (100101...) and at the receiving end turns bits
into packets. Handles data frames between the Network and Physical layers. The
receiving end packages raw data from the Physical layer into data frames for delivery
to the Network layer. Responsible for error-free transfer of frames to the other
computer via the Physical layer. This layer defines the methods used to transmit and
receive data on the network. It consists of the wiring, the devices used to connect
the NIC to the wiring, the signaling involved to transmit / receive data, and the
ability to detect signaling errors on the network media.
Protocols: Logical Link Control (error correction and flow control; manages link
control and defines SAPs): 802.1 OSI Model; 802.2 Logical Link Control. Media
Access Control (communicates with the adapter card; controls the type of media
being used): 802.3 CSMA/CD (Ethernet); 802.4 Token Bus (ARCnet); 802.5 Token
Ring; 802.12 Demand Priority
Network Components: Bridge; Switch; ISDN Router; Intelligent Hub; NIC; Advanced
Cable Tester

Layer: Physical (Hardware; Raw bit stream)
Function: Transmits the raw bit stream over the physical cable. Defines cables,
cards, and physical aspects. Defines NIC attachments to hardware and how the cable
is attached to the NIC. Defines techniques to transfer the bit stream to the cable.
Protocols: IEEE 802; IEEE 802.2; ISO 2110; ISDN
Network Components: Repeater; Multiplexer; Hubs (Passive, Active); TDR;
Oscilloscope; Amplifier
