180_AD2e_01P1 8/30/01 10:39 AM Page 2
Chapter 1
Introduction to Active Directory
Solutions in this chapter:
■ Introduction to Directory Services
■ Introduction to Active Directory
■ Active Directory Architecture
Summary
Solutions Fast Track
Frequently Asked Questions
4 Chapter 1 • Introduction to Active Directory
Introduction
In November 1996, Microsoft delivered the first preview of Active Directory for developers at the Professional Developers Conference held in Long Beach, California. At the time, it was just the directory service that was shipped with Windows NT 5.0, and the preview included many other Windows NT 5.0 features. A lot of changes have taken place since then. For one, Windows NT 5.0 was renamed Windows 2000, and then it was released to the public officially in February 2000, four years after its original preview to developers.
The change of the name from Windows NT 5.0 to Windows 2000 was a surface change only. Windows 2000 inherits the NT technology legacy from previous versions. It has been established as the basic network operating system for Microsoft’s .NET platform. All .NET services run on Windows 2000 Server. Applications developed with the .NET framework also require servers to be running Windows 2000. The directory service used by .NET applications is Active Directory.
The question remains, then: how can you take advantage of Active Directory and use its capabilities to reach your business objectives, not only for the present, but also in the future? That is the question that this book will answer.
Introduction to Directory Services
It would be tough to claim that Active Directory is the first directory service ever created. In fact, directory services have been available in a variety of network operating systems (NOS). Directory services are used primarily for organizing, locating, and managing network information.
People use directory services without even knowing they are doing so. Because it is used to translate server names to Internet Protocol (IP) addresses, the Domain Name System (DNS) is the most widely used directory service in the world. DNS is rather “usage-specific,” meaning that it organizes only a limited amount of information about network hosts. DNS stores data about servers, their IP addresses, and services that they offer to the network. Although this is pretty much the extent of DNS, other directory services do not have the same limitations. A directory service can organize all sorts of information about a network. Usually, this information falls into the following categories:
■ Network resources: Servers, printers, and other devices on a network.
■ Network services: Capabilities on the network such as file storage, printing, and e-mail.
■ Network users and groups: Identifiers for users on a network and for groups of users.
As you can see, a directory service organizes the pieces of a network, enabling a way to create relationships between the pieces. The relationships between these pieces are what make the directory service so powerful. For example, in DNS, a DNS client computer can query a DNS server to find out the IP address of a server that it wants to contact. The DNS server receives the host name and returns the IP address in short order. More complex relationships can be created in more complex directory services, such as providing access to network resources and services for users who log on.
www.syngress.com
Directory Enabled Networks
The Distributed Management Task Force (DMTF) is developing a standard for Directory Enabled Networks (DEN). You can access the DMTF Web site at www.dmtf.org. Even though many network operating systems support one or more types of directory services, most of those directory services are vendor specific. This means that one server on a network might be able to access one particular directory, but another server on the same network will not be able to access that directory simply because it is running a different vendor’s network operating system. As a result of using multiple network operating systems, you might be using multiple directory services on a single internetwork. This poses problems for users who are faced with multiple logons and for network administrators who must manage information that is duplicated across multiple directory services.
As vendors create DEN-compliant directories, multiple network operating systems will be able to participate in a single directory service. This will solve the challenges of managing the same information in multiple directory stores. It will also reduce the number of logons that a user must execute in order to access network resources.
The standard directory service being developed for DEN will extend beyond the simple organization of addresses and host names that DNS provides. Instead, the directory service will organize all the services and resources participating in a network, depicted in Figure 1.1. Once the DEN standard is finalized, Microsoft intends to make Active Directory comply with that standard.
DEN standards eventually will apply to all future directory services, and also to a variety of network resources and services. For example, a router can comply with the DEN standard and automatically integrate with the DEN-compliant directory service running on a network. An object would be created in the
directory service to represent that router. A variety of values for the router would be applied, and the administrator could apply policies to the router and the traffic that flowed across it. In fact, because the DEN-compliant directory service included user objects, the traffic associated with a particular user could be managed by the router performing queries against the directory service. In practice, an executive might be granted more bandwidth usage, and the router would provide that to traffic associated with that executive. All of this would be possible using queries against the directory service’s policies, without needing to know the IP addresses of the computers used or the location of the user.
History of the Directory Service
In the not-too-distant past, networks were server-centric. Each server had its own security system, which consisted of user accounts, group accounts, and network resources. It would associate those user accounts to the files, directories, printers, and other services or resources that it had to offer. These associations had a value to them, such that one person could have more access to one network resource than another person, simply due to the rights assigned to user and group accounts. In a way, this server-centric system was one of the first directory services, but one whose scope existed only on a single server.
Figure 1.1 Directory Service Structure
[Figure: a user connects to the directory service, which organizes, manages information, applies security settings, and enables access to network objects such as a network printer, a file server, an e-mail address, a DHCP address, a DNS address/hostname, and an application license.]
Networks first popped up in the military as a method to share data quickly across great distances. They offered a major advantage in times of war. Money was one of the main reasons that networking became prevalent in businesses. Hard drives were extremely expensive, as were printers. Many of the first corporate networks sprang up out of a need to share printers and precious hard-drive space among multiple computers. Soon, these servers’ hard drives would fill up. They would run out of printer ports. At some point in time, another server would be added to the network to allow further storage of shared files or to add new printers.
Once an administrator established a server to share files and printers, the administrator was faced with an issue—how to protect sensitive files and printers from unauthorized users while allowing use of the remaining files and printers. In some cases, the administrator wanted to allow some users limited access to a file or a printer. Access rights were added to the system, and users were given specific logon IDs. The server could then easily share files and printers to the correct users, depending on the administrator’s configuration.
When a network contained more than one server, administration became difficult. If a user needed to access files or printers residing on two or more servers, that user needed to know how to access each specific server. In addition, the user needed a separate logon ID and password for each server. Some administrators used naming conventions to ensure that a user did not need to have more than one unique logon ID. Sometimes, a network had multiple administrators with different naming conventions, providing users with two or more unique logon IDs. For administrators, it was difficult to keep passwords synchronized, since each server might have a different timing mechanism to enforce password changes. For users, the end result in a multiserver environment was a convoluted and difficult process of remembering the location of resources, remembering the correct logon ID, and remembering the correct current password, all just to be able to access resources on the network.
Network operating systems soon developed a variety of ways to use a single logon ID and password to access multiple servers. For example, Microsoft Windows NT uses a domain architecture. An NT domain is a group of Windows NT servers that participate in a single security system listing users, groups, and network resources. It consists of a primary domain controller (PDC), any number of backup domain controllers (BDCs), and any number of member servers and client computers. The PDC is the security manager of the domain. BDCs maintain a read-only copy of the security database, and the PDC remains the single point of change control. Member servers and client computers contact the
domain controller (DC) to access network resources. Because of their membership, a PDC or BDC in the domain can use the security database to authenticate users to access resources. A member server can use the security database by querying a PDC or BDC. A domain is logically established in the structure shown in Figure 1.2.
A domain is a security boundary, which means that if you need to separate one security set from another, you will need to have more than one domain. Using trust relationships, you could have multiple domains. A trust relationship is established between two domains. In order to enable users of domain A to access the resources such as the files and printers of domain B, domain B must trust domain A. When drawn out, this trust relationship is shown as an arrow pointing from the trusting domain to the trusted domain. Microsoft defines various models for a multiple domain structure:
■ Master Domain model: All resource domains trust a single Master Domain that contains all user accounts. This is depicted in Figure 1.3.
■ Multiple Master Domain model: All resource domains trust all Master Domains. Master Domains contain user accounts. Each Master Domain trusts all other Master Domains.
■ Single Domain model: There is only a single domain that contains all users and resources. There is no trust relationship with other domains.
■ Complete Trust model: All domains trust each other, regardless of whether they contain users, resources, or both.
Figure 1.2 The Components of a Single Domain
[Figure: a Windows NT domain containing domain controllers, users, network printers, member servers, and client computers.]
Domains contain the rudimentary elements of a directory service. They enable multiple servers to look up information and use it for authenticating users and granting those users access to network resources. Although a domain is effective as a security model for a small or medium-sized organization, it does not have some of the features that a directory service can offer. An NT domain structure is flat rather than hierarchical like most directory services, which means that security cannot be applied at different levels. Since each domain is its own administrative area, the only way to implement distributed administration is to have multiple domains. Legacy NT domains require a significant amount of traffic between clients and the PDC or a BDC. These domains also require the security database to be copied from a PDC to the BDCs on a periodic basis. This traffic overhead is undesirable over wide area network (WAN) links that may have a limited amount of bandwidth available, or that are costly to transmit traffic across. To reduce this overhead, multiple domains can be created such that no domain spans a WAN link.
Trust relationships between multiple domains become cumbersome as more domains are added. As a result, trade-offs may be made between WAN performance or administrative needs and domain structures.
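The four trust models listed above, and the observation that trusts become cumbersome as domains are added, can be made concrete by modelling legacy NT trusts as a directed graph. The Python below is an added illustration, not code from the book or from Microsoft. The domain names CORP, ENG, SALES, LAB and BRANCH are constructed, and the model names passed to build_trusts are labels chosen here for the four models. It builds the trusts each model needs, derives the closed-form trust count (n(n-1) for Complete Trust), checks cross-domain access under the rule that an NT 4 trust is one-way and non-transitive, and flags trusts whose trusted side holds no user accounts, which an administrator reviewing a trust map would want to remove.

```python
"""Legacy Windows NT trust relationships as a directed graph (added example).

A trust is stored as a (trusting, trusted) pair, matching the book's arrow
convention: the arrow points from the trusting domain to the trusted domain.
"""
from itertools import permutations

# Constructed sample: two account ("master") domains and three resource domains.
ACCOUNT_DOMAINS = ("CORP", "ENG")
RESOURCE_DOMAINS = ("SALES", "LAB", "BRANCH")


def build_trusts(model, account_domains, resource_domains=()):
    """Return the set of one-way trusts the named legacy NT model requires.
    Model labels are this example's own: single, master, multiple_master, complete."""
    trusts = set()
    if model == "single":
        return trusts                       # one domain, no trusts at all
    if model == "master":
        if len(account_domains) != 1:
            raise ValueError("master domain model has exactly one account domain")
        (master,) = account_domains
        trusts.update((res, master) for res in resource_domains)
    elif model == "multiple_master":
        # every master trusts every other master ...
        trusts.update(permutations(account_domains, 2))
        # ... and every resource domain trusts every master
        trusts.update((res, master) for res in resource_domains
                      for master in account_domains)
    elif model == "complete":
        everyone = tuple(account_domains) + tuple(resource_domains)
        trusts.update(permutations(everyone, 2))
    else:
        raise ValueError(f"unknown trust model: {model!r}")
    return trusts


def can_access(account_domain, resource_domain, trusts):
    """Can a user whose account lives in account_domain be granted access to a
    resource in resource_domain?  Within one domain, always.  Across domains
    only if the resource domain *directly* trusts the account domain: NT 4
    trusts are not transitive, so a chain of trusts does not help."""
    if account_domain == resource_domain:
        return True
    return (resource_domain, account_domain) in trusts


def trust_count(model, n_account, n_resource):
    """Closed-form number of trusts each model needs for the given domain
    counts; this is why trusts become cumbersome as domains are added."""
    n = n_account + n_resource
    return {
        "single": 0,
        "master": n_resource,
        "multiple_master": n_account * (n_account - 1) + n_resource * n_account,
        "complete": n * (n - 1),
    }[model]


def superfluous_trusts(trusts, account_domains):
    """Audit helper: trusts whose trusted side holds no user accounts grant
    nothing useful and only widen the set of domains whose identities the
    trusting domain will accept."""
    return {t for t in trusts if t[1] not in account_domains}


if __name__ == "__main__":
    for model in ("master", "multiple_master", "complete"):
        accounts = ACCOUNT_DOMAINS[:1] if model == "master" else ACCOUNT_DOMAINS
        t = build_trusts(model, accounts, RESOURCE_DOMAINS)
        print(f"{model:16s} trusts={len(t):2d} "
              f"superfluous={len(superfluous_trusts(t, accounts))}")
    # SALES trusts ENG and ENG trusts CORP, but SALES does not trust CORP.
    chain = {("SALES", "ENG"), ("ENG", "CORP")}
    print("CORP user -> SALES via chain:", can_access("CORP", "SALES", chain))
```

With the constructed five domains, the Master Domain model needs 3 trusts, the Multiple Master model 8, and Complete Trust 20, of which 12 point at domains that hold no accounts. The chain at the end shows the non-transitivity rule: a CORP user reaches ENG but not SALES, even though SALES trusts ENG.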
Figure 1.3 Legacy Windows NT Master Domain Model
[Figure: a Master domain holding domain controllers and users, and two resource domains each holding domain controllers, network printers, member servers, and client computers; the resource domains trust the Master domain.]