
Lesson 3: Active Directory Concepts

Several new concepts are introduced with Active Directory directory services. It is important that you understand their meaning as applied to Active Directory directory services.

Schema

The schema contains a formal definition of the contents and structure of Active Directory directory services, including all attributes, classes, and class properties, as shown in Figure 4.7. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it can have, and what object class can be a parent of the current object class.

NOTE
All domains within a single tree and all trees in a forest share a common schema.


Figure 4.7 Schema is extensible.

Installing Active Directory directory services on the first domain controller in a network creates a default schema. The default schema contains definitions of commonly used objects and properties (such as user accounts, computers, printers, groups, and so on). The default schema also contains definitions of objects and properties that Active Directory directory services use internally to function.

The Active Directory schema is extensible, which means that you can define new directory object types and attributes and new attributes for existing objects (see Figure 4.7). You can extend the schema by using the Active Directory Schema Manager snap-in or the Active Directory Service Interfaces (ADSI). Both of these tools are available in the Windows 2000 Resource Kit.

The schema is implemented and stored in the global catalog, and it can be updated dynamically. As a result, an application can extend the schema with new attributes and classes and then can use the extensions immediately.

NOTE
Write access to the schema is limited to members of the Administrators group, by default.
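The three rules the schema defines for a class (mandatory attributes, optional attributes, and permitted parent classes) and the effect of extending it can be modelled in a few lines. This is an added example, not code from the book or from Windows 2000; the class definitions in default_schema are constructed to resemble Active Directory's, not copied from it.

```python
# Toy model of the rules an Active Directory schema enforces (added example,
# not from the book). Each class lists the attributes an instance must have,
# the attributes it may additionally have, and the classes that may be its
# parent. Class and attribute names are constructed to resemble AD's own.


class Schema:
    def __init__(self):
        self.classes = {}  # class name -> {"must": set, "may": set, "parents": set}

    def define_class(self, name, must, may, parents):
        self.classes[name] = {"must": set(must), "may": set(may), "parents": set(parents)}

    def extend_class(self, name, new_optional_attrs):
        # Schema extension: the new optional attributes are usable immediately.
        self.classes[name]["may"].update(new_optional_attrs)

    def validate(self, obj_class, attrs, parent_class):
        """Return the rule violations for creating this object; empty means allowed."""
        cls = self.classes.get(obj_class)
        if cls is None:
            return [f"unknown class {obj_class}"]
        present = set(attrs)
        problems = []
        missing = cls["must"] - present
        if missing:
            problems.append(f"missing mandatory attributes {sorted(missing)}")
        unknown = present - cls["must"] - cls["may"]
        if unknown:
            problems.append(f"attributes not defined for {obj_class}: {sorted(unknown)}")
        if parent_class not in cls["parents"]:
            problems.append(f"{parent_class} cannot be a parent of {obj_class}")
        return problems


def default_schema():
    """A small constructed stand-in for the default schema created on the first DC."""
    s = Schema()
    s.define_class("domainDNS", must={"dc"}, may=set(), parents=set())
    s.define_class("container", must={"cn"}, may={"description"},
                   parents={"domainDNS", "container", "organizationalUnit"})
    s.define_class("organizationalUnit", must={"ou"}, may={"description"},
                   parents={"domainDNS", "organizationalUnit"})
    s.define_class("user", must={"cn", "sAMAccountName"},
                   may={"givenName", "sn", "userPrincipalName"},
                   parents={"organizationalUnit", "container"})
    return s
```

Validating a user object that carries an attribute the schema does not define fails until extend_class adds it, which is the "use the extensions immediately" behaviour described above.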

Global Catalog

The global catalog is the central repository of information about objects in a tree or forest, as shown in Figure 4.8. Active Directory directory services automatically generate the contents of the global catalog from the domains that make up the directory through the normal replication process.


Figure 4.8 The global catalog contains information about objects.

NOTE
All domains within a single tree and all domains in a forest share a common global catalog.

The global catalog is a service and a physical storage location that contains a replica of selected attributes for every object in Active Directory directory services. By default, the attributes stored in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon name, and so forth), and those necessary to locate a full replica of the object. As a result, you can use the global catalog to locate objects anywhere in the network without replication of all domain information between domain controllers.

When you install Active Directory directory services on the first domain controller in a new forest, that domain controller is, by default, a global catalog server. A global catalog server is a domain controller that stores a copy of the global catalog and processes queries to the global catalog (see Figure 4.8). Global catalog servers improve the performance of forestwide searches in Active Directory directory services. For example, if you search for all of the printers in a forest, a global catalog server processes the query against the global catalog and then returns the results. Without a global catalog server, this query would require a search of every domain controller in every domain in the forest.

The configuration of the initial global catalog server should have the capacity to support several hundred thousand to one million objects, with the potential for growth beyond those numbers. You can designate additional domain controllers as global catalog servers by using the Active Directory Sites and Services snap-in. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic. The more global catalog servers that you have, the greater the replication traffic. However, the availability of additional servers can provide quicker responses to user inquiries. It is recommended that every major site in your enterprise have a global catalog server.

Trust Relationships

A trust relationship is a link between two domains such that the trusting domain honors logon authentications of the trusted domain.

NOTE
Authentication with Windows 2000 trust relationships supports the Kerberos 5 protocol, which is an industry standard for authentication across different operating systems.

Active Directory directory services support two forms of trust relationships: one-way, nontransitive trusts and two-way, transitive trusts.

One-Way, Nontransitive Trusts

In a one-way trust relationship, if DomainA trusts DomainB, DomainB does not automatically trust DomainA (see bottom portion of Figure 4.9).

In a nontransitive trust relationship, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA does not automatically trust DomainC.

Networks running Windows NT 4.0 and earlier versions of Windows NT use one-way, nontransitive trust relationships. You manually create one-way, nontransitive trust relationships between existing domains. As a result, a Windows NT 4.0 (or earlier Windows NT) network with several domains requires the creation of many trust relationships.

Active Directory directory services support this type of trust for connections to existing Windows NT 4.0 and earlier domains and to allow the configuration of trust relationships with domains in other trees.


Figure 4.9 Trust relationships

Two-Way, Transitive Trusts

A two-way, transitive trust is the relationship between parent and child domains within a tree and between the top-level domains in a forest. This is the default; trust relationships among domains in a tree are established and maintained automatically. Transitive trust is a feature of the Kerberos authentication protocol, which provides the distributed authentication and authorization in Windows 2000 (see top portion of Figure 4.9).

In a two-way trust relationship, if DomainA trusts DomainB, then DomainB trusts DomainA. In a transitive trust relationship, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA trusts DomainC. Therefore in a two-way, transitive trust relationship, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA trusts DomainC and DomainC trusts DomainA.

If a two-way, transitive trust exists between two domains, you can assign permissions to resources in one domain to user and group accounts in the other domain, and vice versa.

Two-way, transitive trust relationships are the default in Windows 2000. When you create a new child domain, a trust relationship is established automatically with its parent domain, which imparts a trust relationship with every other domain in the tree. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree.
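The difference between the two trust forms comes down to one rule: a direct trust always counts, but a chain of trusts only carries authentication when every hop is transitive. The model below is an added example, not code from the book; the domain names in book_scenario are constructed, and the NT 4.0 domain LEGACY is trusted one way by dev.microsoft.com only.

```python
# Toy model of Windows 2000 trust relationships (added example, not from the
# book). A trust is a directed edge trusting -> trusted with a transitive flag;
# a two-way trust is two such edges. DomainA trusts DomainC when a direct trust
# exists or a chain connects them in which every hop is transitive.
from collections import deque


class TrustGraph:
    def __init__(self):
        self.edges = {}  # trusting domain -> {trusted domain: transitive?}

    def add_one_way(self, trusting, trusted, transitive=False):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        self.edges.setdefault(trusted, {})

    def add_two_way(self, a, b, transitive=True):
        self.add_one_way(a, b, transitive)
        self.add_one_way(b, a, transitive)

    def add_child_domain(self, parent, child):
        # Creating a child domain establishes a two-way, transitive trust automatically.
        self.add_two_way(parent, child, transitive=True)

    def trusts(self, trusting, trusted):
        """True if `trusting` honours logon authentications from `trusted`."""
        if trusted in self.edges.get(trusting, {}):
            return True  # a direct trust counts whether or not it is transitive
        # Beyond one hop only transitive trusts carry authentication onward.
        seen, queue = {trusting}, deque([trusting])
        while queue:
            for nxt, transitive in self.edges.get(queue.popleft(), {}).items():
                if transitive and nxt not in seen:
                    if nxt == trusted:
                        return True
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def trusted_by(self, trusting):
        """Domains whose users can be granted permissions on resources in `trusting`."""
        return sorted(d for d in self.edges if d != trusting and self.trusts(trusting, d))


def book_scenario():
    """Tree microsoft.com with two child domains plus a one-way trust to an NT 4.0 domain (constructed)."""
    g = TrustGraph()
    g.add_child_domain("microsoft.com", "dev.microsoft.com")
    g.add_child_domain("microsoft.com", "sales.microsoft.com")
    g.add_one_way("dev.microsoft.com", "LEGACY", transitive=False)  # dev trusts LEGACY only
    return g
```

In this scenario the two child domains trust each other through the root, while LEGACY is trusted by dev.microsoft.com alone and trusts nobody in return.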

Naming Conventions

Every object in Active Directory directory services is identified by a name. Active Directory directory services use a variety of naming conventions: distinguished names, relative distinguished names, globally unique identifiers, and user principal names.

Distinguished Name

Every object in Active Directory directory services has a distinguished name (DN), which uniquely identifies an object and contains sufficient information for a client to retrieve the object from the directory. The DN includes the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object.

For example, the following DN identifies the James Smith user object in the microsoft.com domain:

/DC=COM/DC=Microsoft/OU=Dev/CN=Users/CN=James Smith

Table 4.2 describes the attributes in the example.

Table 4.2 Distinguished Name Attributes

Attribute   Description
DC          DomainComponentName
OU          OrganizationalUnitName
CN          CommonName

DNs must be unique. Active Directory directory services do not allow duplicate DNs.

Relative Distinguished Name

Active Directory directory services support querying by attributes, so you can locate an object even if the exact DN is unknown or has changed. The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. In the preceding example, the RDN of the James Smith user object is James Smith. The RDN of the parent object is Users.

You can have duplicate RDNs for Active Directory objects, but you cannot have two objects with the same RDN in the same OU. For example, if a user account is named Amy Jones, you cannot have another user account called Amy Jones in the same OU. However, objects with duplicate RDN names can exist in separate OUs because they have different DNs (see Figure 4.10).


Figure 4.10 Distinguished names and relative distinguished names
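The DN and RDN rules above (the RDN is the last component, DNs must be unique, duplicate RDNs are fine in different OUs, and objects can be found by attribute rather than by exact DN) can be checked with a small parser for the slash notation used in this lesson. This is an added example, not code from the book; the Directory class and its contents are constructed for illustration, and the case-insensitive comparison reflects how Active Directory compares names.

```python
# Parsing the DN notation used above and enforcing the DN/RDN uniqueness rules
# (added example, not from the book). Components are read left to right from
# the domain down to the object, so the RDN is the last component. The
# directory contents are constructed for illustration.


def parse_dn(dn):
    """Split '/DC=COM/DC=Microsoft/OU=Dev/CN=Users/CN=James Smith' into (type, value) pairs."""
    pairs = []
    for part in filter(None, dn.split("/")):
        attr, sep, value = part.partition("=")
        if not (sep and attr and value):
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.upper(), value))
    return pairs


def rdn(dn):
    """The relative distinguished name: the object's own naming attribute value."""
    return parse_dn(dn)[-1][1]


def parent_dn(dn):
    """The DN of the container holding the object."""
    return "/" + "/".join(f"{a}={v}" for a, v in parse_dn(dn)[:-1])


class Directory:
    """DNs must be unique; an RDN need only be unique within its own container."""

    def __init__(self):
        self.by_key = {}  # normalised DN -> DN as supplied

    @staticmethod
    def _key(dn):
        # AD compares names case-insensitively, so normalise before comparing.
        return tuple((a, v.lower()) for a, v in parse_dn(dn))

    def add(self, dn):
        """Return True if the object was created, False if its DN already exists."""
        key = self._key(dn)
        if key in self.by_key:
            return False
        self.by_key[key] = dn
        return True

    def find(self, attr, value):
        """Attribute query: DNs of every object with a matching naming component."""
        want = (attr.upper(), value.lower())
        return sorted(dn for key, dn in self.by_key.items() if want in key)
```

Two Amy Jones accounts in different OUs are accepted because their DNs differ, while a second one in the same OU is rejected even if the case differs.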

Globally Unique Identifier

A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current DN.

User Principal Name

User accounts have a "friendly" name, the user principal name (UPN). The UPN is composed of a "shorthand" name for the user account and the DNS name of the tree where the user account object resides. For example, user James Smith in the microsoft.com tree might have a UPN of JamesS@microsoft.com.

Lesson Summary

The schema contains a formal definition of the contents and structure of Active Directory directory services, including all attributes, classes, and class properties. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it can have, and what object class can be a parent of the current object class. The schema is extensible, and installing Active Directory directory services on the first domain controller in a network creates a default schema.

The global catalog is a service and a physical storage location that contains a replica of selected attributes for every object in Active Directory directory services. Active Directory directory services automatically generate the contents of the global catalog from the domains that make up the directory through the normal replication process. By default, the attributes stored in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon name, and so forth), and those necessary to locate a full replica of the object. As a result, you can use the global catalog to locate objects anywhere in the network without replication of all domain information between domain controllers.

There are two types of namespaces: contiguous namespaces and disjointed namespaces. In a contiguous namespace, the name of the child object in an object hierarchy always contains the name of the parent domain. A tree is an example of a contiguous namespace. In a disjointed namespace, the names of a parent object and of a child of the same parent object are not directly related to one another. A forest is an example of a disjointed namespace.