Chapter 1
Introduction to Active Directory
Solutions in this chapter:
Summary
Solutions Fast Track
Frequently Asked Questions
In November 1996, Microsoft delivered the first preview of Active Directory for developers at the Professional Developers Conference held in Long Beach, California. At the time, it was just the directory service that shipped with Windows NT 5.0, and the preview included many other Windows NT 5.0 features. A lot of changes have taken place since then. For one, Windows NT 5.0 was renamed Windows 2000, and it was then released to the public officially in February 2000, four years after its original preview to developers.
The change of the name from Windows NT 5.0 to Windows 2000 was a surface change only. Windows 2000 inherits the NT technology legacy from previous versions. It has been established as the basic network operating system for Microsoft’s .NET platform. All .NET services run on Windows 2000 Server. Applications developed with the .NET Framework also require servers to be running Windows 2000. The directory service used by .NET applications is Active Directory.
The question remains, then: how can you take advantage of Active Directory and use its capabilities to reach your business objectives, not only for the present but also in the future? That is the question this book will answer.
Introduction to Directory Services
It would be tough to claim that Active Directory is the first directory service ever created. In fact, directory services have been available in a variety of network operating systems (NOS). Directory services are used primarily for organizing, locating, and managing network information.
People use directory services without even knowing they are doing so.
Because it is used to translate server names to Internet Protocol (IP) addresses, the Domain Name System (DNS) is the most widely used directory service in the world. DNS is rather “usage-specific,” meaning that it organizes only a limited amount of information about network hosts. DNS stores data about servers, their IP addresses, and the services they offer to the network. Although this is pretty much the extent of DNS, other directory services do not have the same limitations. A directory service can organize all sorts of information about a network. Usually, this information falls into the following categories:
printing, and e-mail
■ Network users and groups Identifiers for users on a network and for groups of users.
As you can see, a directory service organizes the pieces of a network, enabling a way to create relationships between the pieces. The relationships between these pieces are what make the directory service so powerful. For example, in DNS, a DNS client computer can query a DNS server to find out the IP address of a server that it wants to contact. The DNS server receives the host name and returns the IP address in short order. More complex relationships can be created in more complex directory services, such as providing access to network resources and services for users who log on.
Directory Enabled Networks
The Distributed Management Task Force (DMTF) is developing a standard for Directory Enabled Networks (DEN). You can access the DMTF Web site at www.dmtf.org. Even though many network operating systems support one or more types of directory services, most of those directory services are vendor specific. This means that one server on a network might be able to access one particular directory, but another server on the same network will not be able to access that directory simply because it is running a different vendor’s network operating system. As a result of using multiple network operating systems, you might be using multiple directory services on a single internetwork. This poses problems for users who are faced with multiple logons and for network administrators who must manage information that is duplicated across multiple directory services.
As vendors create DEN-compliant directories, multiple network operating systems will be able to participate in a single directory service. This will solve the challenges of managing the same information in multiple directory stores. It will also reduce the number of logons that a user must execute in order to access network resources.
The standard directory service being developed for DEN will extend beyond the simple organization of addresses and host names that DNS provides. Instead, the directory service will organize all the services and resources participating in a network, as depicted in Figure 1.1. Once the DEN standard is finalized, Microsoft intends to make Active Directory comply with that standard.
DEN standards eventually will apply to all future directory services, and also to a variety of network resources and services. For example, a router can comply with the DEN standard and automatically integrate with the DEN-compliant directory service running on a network. An object would be created in the directory service to represent that router. A variety of values for the router would be applied, and the administrator could apply policies to the router and the traffic that flowed across it. In fact, because the DEN-compliant directory service included user objects, the traffic associated with a particular user could be managed, with the router performing queries against the directory service. In practice, an executive might be granted more bandwidth usage, and the router would provide that to traffic associated with that executive. All of this would be possible using queries against the directory service’s policies, without needing to know the IP addresses of the computers used or the location of the user.
History of the Directory Service
In the not-too-distant past, networks were server-centric. Each server had its own security system, which consisted of user accounts, group accounts, and network resources. It would associate those user accounts with the files, directories, printers, and other services or resources that it had to offer. These associations had a value to them, such that one person could have more access to one network resource than another person, simply due to the rights assigned to user and group accounts. In a way, this server-centric system was one of the first directory services, but one whose scope existed only on a single server.
[Figure 1.1 A directory service (organizes, manages information, applies security settings, enables access) relating a user to a network printer, file server, e-mail address, DHCP address, DNS address/hostname, and application license]
Networks first popped up in the military as a method to share data quickly across great distances. They offered a major advantage in times of war. Money was one of the main reasons that networking became prevalent in businesses. Hard drives were extremely expensive, as were printers. Many of the first corporate networks sprang up out of a need to share printers and precious hard-drive space among multiple computers. Soon, these servers’ hard drives would fill up. They would run out of printer ports. At some point in time, another server would be added to the network to allow further storage of shared files or to add new printers.
Once an administrator established a server to share files and printers, the administrator was faced with an issue—how to protect sensitive files and printers from unauthorized users while allowing use of the remaining files and printers. In some cases, the administrator wanted to allow some users limited access to a file or a printer. Access rights were added to the system, and users were given specific logon IDs. The server could then easily share files and printers with the correct users, depending on the administrator’s configuration.
When a network contained more than one server, administration became difficult. If a user needed to access files or printers residing on two or more servers, that user needed to know how to access each specific server. In addition, the user needed a separate logon ID and password for each server. Some administrators used naming conventions to ensure that a user did not need to have more than one unique logon ID. Sometimes, a network had multiple administrators with different naming conventions, providing users with two or more unique logon IDs. For administrators, it was difficult to keep passwords synchronized, since each server might have a different timing mechanism to enforce password changes. For users, the end result in a multiserver environment was a convoluted and difficult process of remembering the location of resources, remembering the correct logon ID, and remembering the correct current password, all just to be able to access resources on the network.
Network operating systems soon developed a variety of ways to use a single logon ID and password to access multiple servers. For example, Microsoft Windows NT uses a domain architecture. An NT domain is a group of Windows NT servers that participate in a single security system listing users, groups, and network resources. It consists of a primary domain controller (PDC), any number of backup domain controllers (BDCs), and any number of member servers and client computers. The PDC is the security manager of the domain. BDCs maintain a read-only copy of the security database, and the PDC remains the single point of change control. Member servers and client computers contact the domain controller (DC) to access network resources. Because of their membership, a PDC or BDC in the domain can use the security database to authenticate users to access resources. A member server can use the security database by querying a PDC or BDC. A domain is logically established in the structure shown in Figure 1.2.
A domain is a security boundary, which means that if you need to separate one security set from another, you will need to have more than one domain. Using trust relationships, you could have multiple domains. A trust relationship is established between two domains. In order to enable users of domain A to access the resources, such as the files and printers, of domain B, domain B must trust domain A. When drawn out, this trust relationship is shown as an arrow pointing from the trusting domain to the trusted domain. Microsoft defines various models for a multiple domain structure:
Domain that contains all user accounts. This is depicted in Figure 1.3.
Master Domains Master Domains contain user accounts. Each Master Domain trusts all other Master Domains.
users and resources. There is no trust relationship with other domains.
whether they contain users, resources, or both.
[Figure 1.2 A Windows NT domain: domain controllers, users, network printers, member servers, and client computers]
Domains contain the rudimentary elements of a directory service. They enable multiple servers to look up information and use it for authenticating users and granting those users access to network resources. Although a domain is effective as a security model for a small or medium-sized organization, it does not have some of the features that a directory service can offer. An NT domain structure is flat rather than hierarchical like most directory services, which means that security cannot be applied at different levels. Since each domain is its own administrative area, the only way to implement distributed administration is to have multiple domains. Legacy NT domains require a significant amount of traffic between clients and the PDC or a BDC. These domains also require the security database to be copied from the PDC to the BDCs on a periodic basis. This traffic overhead is undesirable over wide area network (WAN) links that may have a limited amount of bandwidth available, or that are costly to transmit traffic across. To reduce this overhead, multiple domains can be created such that no domain spans a WAN link.
Trust relationships between multiple domains become cumbersome as more domains are added. As a result, trade-offs may be made between WAN performance or administrative needs and domain structures.
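The trust rule stated above (domain B must trust domain A before an account from A can reach a resource in B, and the trust is one-way and not transitive), together with the observation that trusts become cumbersome as domains are added, worked through in Python. This is an added example, not code from the book; the domain names MASTER, RESOURCE_A, RESOURCE_B and DOM0..DOMn are constructed for illustration.

```python
"""Model of Windows NT-style trust relationships between domains.

Added example, not code from the book. The domain names used below
(MASTER, RESOURCE_A, RESOURCE_B, DOM0...) are constructed for illustration.

Rules modelled, as the chapter states them:
  * a trust is established between two domains and is one-way: for users
    of domain A to reach resources in domain B, B must trust A;
  * an NT trust is not transitive, so B trusting A and C trusting B does
    not give A's users access to C's resources;
  * every domain authenticates its own accounts.
"""
from itertools import permutations


class TrustModel:
    def __init__(self):
        # trusts[trusting] holds the domains that `trusting` trusts; drawn
        # as an arrow from the trusting domain to the trusted one.
        self.trusts = {}

    def add_domain(self, name):
        self.trusts.setdefault(name, set())

    def add_trust(self, trusting, trusted):
        """Record that `trusting` trusts `trusted` (one direction only)."""
        if trusting == trusted:
            raise ValueError("a domain does not need to trust itself")
        self.add_domain(trusting)
        self.add_domain(trusted)
        self.trusts[trusting].add(trusted)

    def can_access(self, account_domain, resource_domain):
        """Can an account from `account_domain` be authenticated for a
        resource in `resource_domain`? Only a direct trust counts."""
        if account_domain == resource_domain:
            return True
        return account_domain in self.trusts.get(resource_domain, set())

    def trust_count(self):
        """Number of one-way trusts the administrators must maintain."""
        return sum(len(trusted) for trusted in self.trusts.values())


def complete_trust_count(n):
    """One-way trusts needed for n domains to each trust all the others."""
    return n * (n - 1)


def build_complete_trust(domains):
    """Every domain trusts every other domain: the mesh whose trust count
    grows quadratically and becomes cumbersome as domains are added."""
    model = TrustModel()
    for trusting, trusted in permutations(domains, 2):
        model.add_trust(trusting, trusted)
    return model


def master_domain_example():
    """Two resource domains trust one master domain holding the accounts."""
    model = TrustModel()
    model.add_trust("RESOURCE_A", "MASTER")
    model.add_trust("RESOURCE_B", "MASTER")
    return model


if __name__ == "__main__":
    m = master_domain_example()
    print(m.can_access("MASTER", "RESOURCE_A"))      # True
    print(m.can_access("RESOURCE_A", "MASTER"))      # False, trust is one-way
    print(m.can_access("RESOURCE_A", "RESOURCE_B"))  # False, no trust at all
    for n in (2, 5, 10):
        mesh = build_complete_trust([f"DOM{i}" for i in range(n)])
        print(n, "domains need", mesh.trust_count(), "one-way trusts")
```

The master-domain layout needs only one trust per resource domain, whereas a full mesh of n domains needs n(n-1) one-way trusts, which is the growth the paragraph calls cumbersome. Note that `can_access` answers only whether the resource domain will authenticate the account; the rights actually granted are still decided by that server's access control.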
[Figure 1.3 A master domain trusted by several resource domains; each domain shows its domain controllers, users or network printers, member servers, and client computers]
Directory services were developed as a way to overcome single-server and domain architecture limitations. They are usually organized in a hierarchical fashion, encompass multiple servers and resources, and offer fully distributed administration. Furthermore, directory services normally are established in an efficient database that is distributed throughout the network to prevent WAN overhead issues.
Designing & Planning…
The X.500 Directory Standard
Many directory services state that they are X.500 compliant. X.500 is a directory service standard ratified by the International Telecommunications Union (ITU-T) in 1988 and modified in 1993 and 1997. It was intended to provide a means to develop an easy-to-use electronic directory of people that would be available to all Internet users.
The X.500 directory standard specifies a common root of a hierarchical tree. Contrary to its name, the root of the tree is depicted at the top level, and all other containers (which are used to create “branches”) are below it. There are several types of containers with a specific naming convention. In this naming convention, each portion of a name is specified by the abbreviation of the object type or container it represents. A user has a CN= before the username to represent its “Common Name,” a C= precedes a country, and an organization is heralded by an O=. When compared to IP domain names—for example, host.subdomain.domain—the X.500 version of CN=host/C=US/O=Org appears excessively complicated.
Each X.500 local directory is considered a Directory System Agent (DSA). The DSA can represent either single or multiple organizations. Each DSA connects to the others through a Directory Information Tree (DIT), which is a hierarchical naming scheme that provides the naming context for objects within the directory.
Although Active Directory is derived from the X.500 model, Active Directory does not implement all of the X.500 protocols because of the excess overhead involved or the lack of their general usage. These protocols include:
■ Directory Access Protocol (DAP)
■ Directory Information Shadowing Protocol (DISP)
■ Directory Operational Binding Management Protocol (DOP)
■ Directory System Protocol (DSP)
Active Directory does implement the Lightweight Directory Access Protocol (LDAP), which affords an effective combination of DAP and DSP features without involving any excess overhead.
What Is in a Directory Service?
A directory is a place to store information. The type of information that is stored in a directory falls into three basic categories:
■ Resources
■ Services
■ Accounts
Resources are the components attached to the network and made available to users. Examples of resources are:
■ A server’s hard drive
■ An IP address
■ A fax modem
■ A scanner
■ A printer
■ Any “thing” that can be used by a client workstation
Services run from a server and usually interface to the heart of the network operating system. They provide functions on the network, usually so that resources can be shared. Most services are simply network applications, such as a messaging service that allows users to send e-mail. These two categories typically are related. For most services, there is an analogous resource, and for most resources, there is an analogous service (see Table 1.1). Sometimes, however, a resource or a service stands alone.
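The hierarchical naming the X.500 sidebar describes, worked through in Python as an added example that is not code from the book: it parses the sidebar's slash-separated X.500 form (CN=host/C=US/O=Org) and the comma-separated LDAP form that Active Directory uses (CN=host,O=Org,C=US) into the same root-first path, and then answers whether one entry lies beneath a given container. The ordering C, O, OU, CN and the sample names are constructed assumptions; LDAP escaping of special characters (RFC 4514) is not handled.

```python
"""Parser for the two naming notations contrasted in the X.500 sidebar:
the X.500 slash form (CN=host/C=US/O=Org) and the LDAP comma form
(CN=host,O=Org,C=US) that Active Directory speaks.

Added example, not code from the book. Assumptions: the slash form may list
its components in any order (the sidebar's sample does), so they are ordered
by container rank; the comma form is leaf-first as LDAP writes it. The
ranking C > O > OU > CN and the sample names are constructed; RFC 4514
escaping of special characters is not handled.
"""

# Container/object types from the root of the tree downward (assumed order).
HIERARCHY = ("C", "O", "OU", "CN")
RANK = {attr: i for i, attr in enumerate(HIERARCHY)}


def split_components(name, sep):
    """Split 'ATTR=value<sep>ATTR=value' into [(ATTR, value), ...],
    rejecting empty attributes, empty values, and unknown attribute types."""
    parts = []
    for comp in name.split(sep):
        comp = comp.strip()
        if not comp:
            continue
        attr, eq, value = comp.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not eq or not attr or not value:
            raise ValueError(f"malformed component: {comp!r}")
        if attr not in RANK:
            raise ValueError(f"unknown naming attribute: {attr}")
        parts.append((attr, value))
    return parts


def parse_x500(name):
    """Slash form -> root-first path; CN=host/C=US/O=Org becomes
    [('C', 'US'), ('O', 'Org'), ('CN', 'host')]."""
    return sorted(split_components(name, "/"), key=lambda p: RANK[p[0]])


def parse_ldap_dn(dn):
    """LDAP distinguished name (leaf first) -> root-first path, so that
    both notations compare equal."""
    return list(reversed(split_components(dn, ",")))


def to_ldap_dn(path):
    """Root-first path -> LDAP distinguished name (leaf first)."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(path))


def is_under(entry, container):
    """True if `entry` is `container` itself or lies beneath it in the tree:
    the container's path must be a prefix of the entry's path."""
    return entry[:len(container)] == container


def same_object(x500_name, ldap_dn):
    """Do an X.500-style name and an LDAP DN identify the same entry?"""
    return parse_x500(x500_name) == parse_ldap_dn(ldap_dn)


if __name__ == "__main__":
    path = parse_x500("CN=host/C=US/O=Org")
    print(path)                 # [('C', 'US'), ('O', 'Org'), ('CN', 'host')]
    print(to_ldap_dn(path))     # CN=host,O=Org,C=US
    org = parse_ldap_dn("O=Org,C=US")
    print(is_under(parse_ldap_dn("CN=host,OU=Servers,O=Org,C=US"), org))  # True
    print(is_under(parse_ldap_dn("CN=host,O=Other,C=US"), org))           # False
```

The prefix test in `is_under` is what makes a hierarchical directory useful for security: a setting applied at a container such as O=Org,C=US applies to every entry whose path begins with that container, which is exactly the level-based security the chapter says a flat NT domain cannot express.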