
Introduction to Active Directory Directory Services

• Uniquely identify users and resources on a network
• Provide a single point of network management

What Are Active Directory Directory Services?

The directory service included with Microsoft Windows 2000 Server products
• A directory service is a network service.
• A directory service identifies all resources on a network.
• A directory service makes all resources available.

What Are Active Directory Directory Services? (continued)

Active Directory directory services include the Directory.
• The Directory stores information about network resources.
• Resources stored in the Directory are referred to as objects.

Simplified Administration

Active Directory directory services organize resources hierarchically in domains.
• A domain is a logical grouping of servers and other network resources under a single domain name.
• A domain is the basic unit of replication and security.
• A domain includes at least one domain controller.

Simplified Administration (continued)

Active Directory directory services provide
• A single point of administration for all objects on the network
• A single point of logon for all network resources

Scalability

• The Directory stores information by organizing itself into sections that permit storage for a huge number of objects.
• The Directory can expand to meet the needs of
  • Small installations with one server and a few hundred objects.
  • Huge installations with hundreds of servers and millions of objects.

Open Standards Support

Active Directory directory services
• Integrate the Internet concepts of a namespace with the Windows 2000 directory service
• Allow you to unify and manage multiple namespaces
• Use DNS for their name system
• Exchange information with any application or directory that uses LDAP or HTTP

Domain Name System

• DNS is the domain naming and locator service for Active Directory.
• Windows 2000 domain names are also DNS names.
• Windows 2000 Server uses dynamic DNS (DDNS).
• Clients can update the DNS table dynamically.
• DDNS eliminates the need for other naming services.

Support for LDAP and HTTP

• LDAP is an Internet standard for accessing directory services.
• HTTP is the standard protocol for displaying pages on the World Wide Web.
• You can display every object in Active Directory as an HTML page in a Web browser.

Support for Standard Name Formats

RFC 822     somename@domain.com
HTTP URL    http://domain/path-to-page
UNC         \\microsoft.com\xl\budget.xls
LDAP URL    LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel

Logical Structure

• The logical structure is separate from the physical structure.
• Organize resources in a logical structure.
• Find a resource by its name rather than its physical location.
• The network's physical structure is transparent to the users.

Objects

Organizational Units

Domain

• The domain is the core unit of logical structure.
• All network objects exist within a domain.
• A domain stores information about only the objects that it contains.
• A practical limit to the number of objects in a domain is 1 million.

A Domain Is a Security Boundary

• Access to domain objects is controlled by ACLs.
• ACLs contain the permissions associated with objects.
• ACLs control which users can gain access to an object.
• ACLs control which type of access users can gain to the objects.
• Security policies and settings do not cross from one domain to another.
• A domain administrator has absolute rights to set policies only within that domain.

Tree

• A tree is a grouping of one or more Windows 2000 domains.
• All domains within a single tree share a contiguous namespace.
• The domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
• All domains within a single tree share a common schema.
• All domains within a single tree share a common global catalog.

Forest

• A forest is a grouping of one or more domain trees.
• The trees in a forest form a disjoint namespace.
• All trees in a forest share a common schema.
• Trees in a forest have different naming structures.
• All domains in a forest share a common global catalog.
• Domains in a forest operate independently.

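The Tree and Forest slides above describe how a child domain's DNS name is its relative name prepended to the parent's name and how unrelated trees form a forest. The following added example (not part of the original deck; the domain names are constructed) groups a list of domain names into trees by that contiguity rule:

```python
# Added example (not from the slides): group domain DNS names into trees by
# contiguous namespace. A child domain's name is its relative name prepended to
# the parent's name, so a domain belongs to the tree of the nearest domain that
# is its direct DNS parent; trees whose roots are unrelated form a forest.
from typing import Dict, List, Set


def parent_domain(dns_name: str) -> str:
    """Strip the leftmost label: 'sales.devel.example.com' -> 'devel.example.com'."""
    labels = dns_name.lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def tree_root(dns_name: str, domains: Set[str]) -> str:
    """Walk up the name while the direct parent is a domain in the forest.
    A name whose direct parent is missing starts its own tree even if some
    grandparent exists, because the namespace would not be contiguous."""
    current = dns_name.lower()
    while True:
        parent = parent_domain(current)
        if parent and parent in domains:
            current = parent
        else:
            return current


def group_into_trees(domain_names: List[str]) -> Dict[str, List[str]]:
    """Map each tree root to the sorted domains sharing its contiguous namespace."""
    domains = {d.lower() for d in domain_names}
    trees: Dict[str, List[str]] = {}
    for d in sorted(domains):
        trees.setdefault(tree_root(d, domains), []).append(d)
    return trees


# Constructed sample forest: two trees with disjoint namespaces.
SAMPLE_FOREST = [
    "devel.example.com",
    "sales.devel.example.com",
    "eu.sales.devel.example.com",
    "example.net",  # not a child of devel.example.com, so a second tree
    "lab.example.net",
]

if __name__ == "__main__":
    for root, members in group_into_trees(SAMPLE_FOREST).items():
        print(root, "->", members)
```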
Sites

• The physical structure is based on sites.
• A site is a combination of one or more IP subnets.
• Typically a site has the same boundaries as a LAN.
• Sites are not part of the logical namespace.
• Sites contain computer objects and connection objects.

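Because a site is defined as one or more IP subnets, a client is placed in a site by matching its address against the subnet list. The following added example (not from the deck; site names and subnets are constructed) shows that lookup, including the overlap and no-match cases:

```python
# Added example (not from the slides): resolve a client's IP address to the
# Active Directory site whose subnet contains it, the way site-aware clients
# find a nearby domain controller. Site names and subnets are constructed.
import ipaddress
from typing import Dict, List, Optional, Tuple

# A site is one or more IP subnets; the HQ site here spans two of them.
SITE_SUBNETS: Dict[str, List[str]] = {
    "HQ": ["10.1.0.0/16", "10.2.0.0/16"],
    "Branch-Lab": ["10.1.200.0/24"],  # more specific than HQ's 10.1.0.0/16
    "Remote": ["192.168.50.0/24"],
}


def build_subnet_table(site_subnets: Dict[str, List[str]]) -> List[Tuple]:
    """Return (network, site) pairs sorted longest prefix first, so the most
    specific subnet wins when subnets overlap."""
    table = []
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            table.append((ipaddress.ip_network(cidr, strict=True), site))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(address: str, site_subnets=SITE_SUBNETS) -> Optional[str]:
    """Site of the most specific matching subnet, or None when the address is
    in no defined subnet. Unassigned addresses are a common misconfiguration:
    such clients get no site and may bind to a distant domain controller."""
    ip = ipaddress.ip_address(address)
    for network, site in build_subnet_table(site_subnets):
        if ip in network:
            return site
    return None


if __name__ == "__main__":
    for client in ("10.1.5.20", "10.1.200.9", "192.168.50.7", "172.16.0.1"):
        print(client, "->", site_for_address(client))
```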
Replication Within a Site

• The Active Directory directory services include a replication feature.
• Replication ensures that changes to a domain controller are reflected by all domain controllers within a domain.

Functions of Domain Controllers in a Domain

• Store a complete copy of all Active Directory information
• Replicate all objects in the domain to each other automatically
• Replicate certain important updates immediately
• Use multimaster replication
• Provide fault tolerance
• Manage all aspects of user-domain interactions

Ring Topology for Replication

Schema

• Contains a formal definition of the contents and structure of Active Directory directory services
• Defines attributes for each object class

Default Schema

• Created by installing Active Directory on the first computer in a new forest
• Contains definitions of commonly used objects and properties
• Contains definitions of objects and properties used by Active Directory

Extensible Schema

• You can define new directory object types and attributes.
• You can define new attributes for existing objects.
• You can extend the schema
  • By using LDAP Data Interchange Format (LDIF) scripts.
  • Programmatically or by using the Active Directory Services Interface (ADSI).
  • By using the Active Directory Schema snap-in.
• The schema is stored in the global catalog and can be updated dynamically.

Global Catalog

Global Catalog Servers

• Installing Active Directory on the first computer in a new forest makes that domain controller a global catalog server.
• The Active Directory Sites and Services snap-in allows you to designate additional global catalog servers.
• More global catalog servers mean more replication traffic.
• More global catalog servers can provide quicker responses.
• Every major site should have a global catalog server.

Namespace

Naming Conventions

• Every object in Active Directory is identified by a name.
• Active Directory uses a variety of naming conventions.

Distinguished Name

• Every object has a distinguished name (DN).
• The DN uniquely identifies the object.
• The DN contains sufficient information for a client to retrieve the object.
• The DN includes the name of the domain that holds the object.
• The DN includes the complete path to the object.

Relative Distinguished Name

Globally Unique Identifier

• A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique.
• GUIDs are assigned when the object is created.
• The GUID for an object never changes.
• Applications use GUIDs to retrieve objects regardless of current DNs.

User Principal Name

• User accounts have a friendly name, the user principal name (UPN).
• The UPN is composed of the shorthand name for the user account and the DNS name of the tree where the user account object resides.

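The Standard Name Formats slide shows an LDAP DN made of CN, OU and DC components, and the Distinguished Name, Relative Distinguished Name and User Principal Name slides describe how those parts identify an object, its own name within its container, and the domain that holds it. The following added example (not from the deck; the sample DN and account name are constructed) parses such a DN, derives the holding domain from the DC components, and builds a UPN:

```python
# Added example (not from the slides): split an LDAP distinguished name (DN) into
# its relative distinguished names (RDNs), read the DNS domain holding the object
# from its DC components, and build a user principal name (UPN) from the shorthand
# account name plus that DNS name. The sample DN and account name are made up.
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'CN=a,OU=b,DC=c' into [('CN', 'a'), ('OU', 'b'), ('DC', 'c')].
    A backslash escapes the next character (RFC 2253), so an escaped comma
    inside a value such as 'CN=Doe\\, Jane' does not start a new RDN."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dns_domain_of(dn: str) -> str:
    """The domain holding the object is its DC components joined with dots."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")


def relative_dn(dn: str) -> str:
    """The RDN is the leftmost component: the object's own name in its container."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"


def upn(account_shorthand: str, dn: str) -> str:
    """UPN = shorthand account name @ DNS name of the domain holding the account."""
    return f"{account_shorthand}@{dns_domain_of(dn)}"


# Constructed sample with an escaped comma in the CN.
SAMPLE_DN = "CN=Doe\\, Jane,OU=sys,OU=product,OU=division,DC=devel,DC=example,DC=com"
```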
