Before we haul out the dissecting tools, know this:✦ The Active Directory service is critical to the deployment and management ofWindows 2000 networks, the integration and interoperation
Trang 1Introducing Active Directory
The directory service has become one of the hottest new
technologies on corporate networks Microsoft, a newmember of the directory service club, has created a directoryservice on which almost its entire product line depends
Understanding Active Directory is thus a prerequisite to any management or deployment of Windows 2000
In the 1970s, all the computing resources you needed, or coulduse, were on the same computer or the terminal you logged on
at In the 1980s, with the advent of the PC LAN, many files werelocated on remote machines, and there were definitive paths
to these machines LAN users shared the files and printers,and exchanged e-mail on the LAN Before the end of the 1990s,
we witnessed the beginning of the paradigm shift where all
information and functionality could be accessed on any server
on any network anywhere and the user did not need toknow where the objects were physically located
This is the ideal computing model in which all networkobjects — servers, devices, functionality, information, authen-tication, and the transports — combine to become a singlecontiguous information system and computing environment
This environ-ment allows users, whether human or machine,
to attach — or remain attached — to systems from a tent user interface at any point of entry on the network Nomatter what users require — be they functions of a device,communication, process, algorithms, or perhaps just infor-mation and knowledge — they must be able to access such
consis-an object without regard for its physical location
The Active Directory is Microsoft’s bold leap to realizing thedream of a truly distributed environment and IS architecture
It has been talked about for many years Headlines in thetechnical trades were always gloomy And thus, many networkadministrators and systems engineers forgot about the
NT and Windows
2000 domains
Trang 2directory and worked hard to refine or improve what was already in place, atconsiderable investment But now the directory is here And you probably havelittle idea what it is and how to use it You should not feel ashamed, because notonly are you not alone, but also it is unlike anything you have ever used before.Every day people ask us about the Active Directory (and these are not only Windows
NT or UNIX and NetWare professionals, but also mid-range and mainframe engineers).The purpose of this chapter is to drill down to its core, to expose the elements, and
to lay the foundations to bring what’s precious to the surface, and then move ward First, you must understand everything about the Active Directory (AD) beforeyou can make the transition from the old ways of managing networks and computingenvironments to the promise that waits
for-In this chapter, we discuss the elements of AD We will kick off with a brief discussion
of how and why we will use AD, and from whence it came Then we break it down intoits constituent components (its logical structure), and finally we discuss how thecomponents work and interoperate with each other You will notice that the subject
of Windows domains and trusts is going to be left until a full discussion of the AD hasbeen achieved
This chapter also features the first appearance of Millennium City, or mcity.org,which is the example Windows 2000 network infrastructure we use throughout thebook It’s a network that runs the infrastructure of an entire city, and its ActiveDirectory is what we used to test the limits of what Microsoft says it’s capable of.MCITY is essentially one huge Active Directory laboratory
You don’t need to be in front of your monitor for this chapter Just curl up withsome snacks and postpone any appointments you might have
The Omniscient Active Directory:
Dawn of a New Era
The Windows NT client-server architecture was a great improvement over otherserver and network offerings, both from Microsoft and other companies However,
it had a shortcoming that, had it not been resolved in Windows 2000, would havesuffocated the advancement of this highly sophisticated operating system OnWindows NT — actually any network — resources are not easily distributed Theinteroperation and scalability of numerous NT servers, printers, shares, devices, files,knowledge resources, functionality, and the sustained availability thereof, collapsewhen the ability for all network components and objects to share information isabsent As discussed briefly in Chapter 1, one of the most significant additions toMicrosoft’s technology is the Active Directory There is perhaps no other aspect ofWindows 2000 that will have the impact the directory service will, because just aboutevery new feature or ability of this product depends on a directory service
Trang 3Before we haul out the dissecting tools, know this:
✦ The Active Directory service is critical to the deployment and management ofWindows 2000 networks, the integration and interoperation of Windows 2000networks and legacy NT networks, and the interoperation and unification ofWindows 2000 networks with the Internet Its arrival is a result of the evolu-tionary process of Microsoft’s server and network technology One way oranother, the directory service is in your future
✦ The Active Directory is a powerful directory service, either as part of aWindows network or as a standalone service on the Internet In the latter role, it is an apt contender as a directory service in the same fashion InternetInformation Server is an apt contender for a Web server In other words, noquerying client on the Internet needs to know the directory is Windows 2000
AD Active Directory is 100 percent LDAP-compliant and 100 percent IP-compliant
Why Do We Need Directories?
A directory provides information At its most basic level, it is like a giant whitepages, allowing a user to query a name and get back a phone number and thenpossibly being connected to the person by automatically dialing that number But adirectory in the IT world is a lot more than a telephone book Before getting into thespecifics of AD, let’s look at some reasons why we need directories We kick off byplacing AD at the center of all services provided by Windows 2000
Single Sign-On and distributed security
Active Directory makes it easier to log in to and roam cyberspace Imagine if youhad to log in at every mall, highway, turnpike, newsstand, public facility, sportsamenity, shop, fast food outlet, movie house, and so on, in the brick and mortarworld we live in Why then should we have to do this in cyberspace?
In every company today, it is almost impossible to get anywhere on the networkwithout going through at least three logins Everyday, we log into NetWare, theWindows NT domains, voice mail, the host system (to the AS/400 via Rumba), FTP, and then finally the Internet; we won’t go into how many accounts and logins
we have
Not only do we have to log in dozens of times a day, and remember dozens
of passwords and user or login IDs, but we also have to know exactly whereinformation and resources are located on the network The uniform resourcelocator on the World Wide Web has alleviated the resource location problem tosome extent (it obviates having to know exactly where something lives on theInternet), but it is still not ideal and not very smooth URLs are perishable, and for the most part unmanageable in large numbers, which means they often do not get updated They are not managed in any sensible, cohesive system
Trang 4The ideal is some sort of badge that allows us to log in once and then flash itwherever we go For starters, every application and service on our LANs, frome-mail to voice mail to data access to printer access, should be made available
to us through one universal login, at home or at work The type or level of access
we have will depend on the attributes or “clearance level” of our badges Theaccess token provided by Windows NT security comes close to this, but it is notaccepted by other technologies as a valid means of authentication Figure 2-1illustrates several systems that should be accessed and managed from a centrallogin authority In many cases, this is already possible with Active Directory-compliant applications such as SQL Server 2000 and Exchange 2000
Figure 2-1: Active Directory as a central login authority
Active Directory Intranet Cloud
Internet Cloud
Customers: Orders Customers: Help Desk Customers: Catalogs Customers: Websites Suppliers Manufacturers Public Relations Partners Investors Extranet Applications Security
Administrators Technical Support People Groups and Users Printers, Computers, Equipment Data and SQL Server Users ERP and CRM and Payroll Systems Helpdesk Users E-mail and Groupware Users Voicemail and Fax Users Internal Applications Remote Users and Road Warriors Vertical and Horizontal Application
Security Host Access
LDAP entry point and other LDAP compliant directories Organization White Pages (e-mail, phone, and fax addresses) Catalog Searching Interconnection with other directories
Internet Users Internet Road Warriors Extranet Access Security
Extranet Cloud
Trang 5As you will learn in Chapter 3 and in the chapters in Part III, the single login dream
is achieved using the services of AD and Windows 2000 support for MIT’s Kerberos
authentication This service is known as Single Sign-On (SSO) SSO has become a
quasi-standard among supporters of the Kerberos protocol, such as Microsoft,Apple, Sun, and Novell
Once a trusted user is authenticated via the Kerberos protocol, all other servicesthat support the Kerberos protocol can accept and allow access to the principal
This is made possible by the Kerberos use of tickets — the badge idea previouslydiscussed — which are issued by the directory service
In Chapter 1, we also told you that the Microsoft network domain architecture inWindows 2000 has been radically overhauled to seamlessly integrate with the ADand to extend out to the Internet Imagine being able to log in to your domain fromanywhere We will be discussing this in much more depth in a later chapter
Change management
Active Directory makes it easier to manage the roamers and users of cyberspaceand corporate networks and the computers they use to attach to the network Weadministrators want to be able to manage our users and computing resources inone central omnipresent repository We don’t want to repeatedly manage users inthe voice mail directory, on the NetWare servers’ directory, in the Host systemsdatabase, in our e-mail directory, on our Windows domains, and so on
And we, as managers, need to be able to manage this information easier withchange Mergers, acquisitions, new products, and services need to be continuallymanaged on a cohesive and consistent basis Group Policy, the change control andchange management service of Windows 2000, stores all user and computerinformation in AD (as discussed in the section on ZAW in Chapter 1)
to hide other network resources from these administrators
Because Active Directory can be partitioned as a mirror of the structure ororganization of the enterprise, it is also possible to partition the administration
of the compartments In other words, it makes more sense to appoint a member
of a department to perform repetitive management of that department’s resources
You will see later how administration of the directory can be delegated to individualswho are only given selective access or right of passage to delegated areas of thedirectory
Trang 6Application management
Active Directory makes it easier to develop and distribute applications Applicationdevelopers need consistent, open, and interoperable interfaces and APIs againstwhich they can code functionality that stores and manages information relating
to applications, processes, and services in a distributed information store We want
to be able to create applications and store application and persistent data to an
“invisible” repository through an open interface This information should beavailable from anywhere and everywhere on the network
Developers want to be able to create methods that install an application into
a directory on the network for initial configuration and manipulation over thelifetime or use of the application We do not want to concern ourselves with the inner workings of the directory We want to create our information or config-uration object, initialize, use it, and be done no matter where the user installs
or invokes our product And wherever the object we created is moved to, it shouldalways be accessible to the application
With all of the above, the cost of access and management has in the past been high
We are looking for solutions that will, albeit in the long to medium term, reduce thecost of both management and operation of cyberspace and the information
technology systems running our companies and our lives
What Is Active Directory?
There are registries and databases that provide directory-type facility for applicationsand users But not one is interconnected, share-centric, or distributed in any way AD
is a universal distributed information storehouse into which all network objects, such
as application configurations, services, computers, users, and processes, can beaccessed, in a consistent manner, over the full expanse of a network or internetwork.This is made possible by the logical structure of the directory And before you startscratching your head, you should understand that without Active Directory you
cannot log in to a Windows 2000 domain, period Chapters 7 and 8 discuss this and
illustrate the control you have over AD’s logical and physical structure
We compare AD to a database later on in this chapter and in Chapter 7 in muchmore detail Meanwhile, if you’re keen to adopt this child, then you need to knowsomething about its parents
The Grandfather of the Modern Directory:
The X.500 Specification
The directory service as we are coming to know it began with an interconnectionmodel proposed by the International Standards Organization (ISO) little more than
20 years ago This model is popularly known as OSI, which stands for open-systems
interconnection In the late eighties, OSI was given a huge boost by big business and
government and quickly became the foundation for the information revolution weare experiencing today
Trang 7The OSI model and its seven layers lie at the very genesis of modern informationtechnology Without a fundamental understanding of OSI, it is difficult to be an effec-tive systems engineer, software developer, network administrator, CIO, or Webmaster.
OSI is to IT what anatomy is to medicine While we assume that you are familiar withthe OSI model, this brief discussion of X.500 serves to provide a common departurepoint for all systems engineers not familiar with a directory service
The X.500 directory service can be found at the OSI application layer, where it sits as agroup of protocols approved and governed by the International TelecommunicationsUnion (ITU), formerly the CCITT The objective of X.500 was to provide standards andinterfaces to an open and interoperable global and distributed directory service
X.500 is made up of many components (databases) all interoperating as a singlecontiguous entity Its backbone is the Directory Information Base (DIB) The entries
in the DIB provide information about objects stored in the directory Figure 2-2represents the information contained in the DIB
Figure 2-2: The X.500 hierarchy (a), and the DIB and the information
it contains (b)
In order to access the information stored in the DIB, both users and computersneeded a structure or model that would make it easier to understand where datacould be located The model proposed was an object-oriented, hierarchical structurethat resembles an upside-down tree, as illustrated in Figure 2-3 The root of the tree is
X.500 Root
C2a
Classes
b
Attribute ValuesEntry Identifier
CountryOrganizationPerson
US MCITYJeffrey ShapiroP1
Trang 8at the top, and the branches and leaves hang down, free to proliferate This modelassured that any object in the tree is always unique as long as it is inherently part ofthe tree and can trace its “roots” to the single node at the top Active Directory trees(and DNS) work the same way, as discussed later The tree is read from the bottom
to the top
Figure 2-3: The X.500 tree structure
The objects in the X.500 tree represented containers for information representingpeople, places, and things These objects would also be organized or grouped intoclasses (for example, groups of countries, companies, localities, and so on).The X.500 standard included the following container objects:
✦ Countries
✦ Location
✦ OU or organizational unitUnfortunately, X.500 suffered from several limitations in its early days It becamebogged down under its own weight (the specification was exhaustive), and in manyrespects it was ahead of its time (especially with respect to its ties to OSI) It madeits appearance in the late 1980s at a time when most innovators could care lessabout managing information openly and globally, when we were all huddled in ourgarages inventing or writing code like crazy, and when we were all competing formarket share at every turn
X.500 was also born before the advent of the World Wide Web and the mass tion of the Internet by both the public and businesses And what really dragged it
Trang 9utiliza-down was its ties to the OSI protocols (the datalink protocols — DLC — such as802.2 and 802.3), which turned out to be its Achilles’ heel, because the way of theInternet world was IP Meanwhile, the Internet took off on the coattails of TCP/IP,leaving X.500 struggling in a protocol desert landscape.
Like so many innovations before it, X.500 provided nourishment for otherinventions that followed And much of the foundation for the modern directoryservice, especially Active Directory, can be directly attributed to the vision of X.500, as we will soon see
The Father of the Modern Directory: LDAP
The X.500 specifications defined a protocol by which services would be able toaccess the information stored in X.500 databases This protocol was known as the
Directory Access Protocol, or DAP It consisted of a comprehensive set of functions
that would provide the ability for clients to add and modify or delete information inthe X.500 directory
DAP, however, was overkill and consisted of far more functionality than wasrequired for the implementation of a directory service Therefore, a simplified
version of DAP was created, called the lightweight directory access protocol (LDAP).
After several refinements, LDAP has begun to stand in its own right as a directoryservice After adoption by the Internet Engineering Task Force (IETF), severalimportant features of LDAP have garnered its widespread support:
✦ LDAP sits atop the TCP/IP stack rather than the OSI stack This means thatevery client with an IP address, able to send and receive packets over IP, canaccess and exploit LDAP-compliant directory services The client needs only
to know how to “talk” to LDAP (IP) TCP, the transport, takes care of the rest
✦ LDAP performs hyper-searching, which is the ability of a directory to refer toanother for authoritative information In other words, one LDAP directory candefer to another to chase information An example of this is how Web-basedsearch engines look to other search engines, via hyper-linking, for collateralinformation or information that does not exist in their own databases Directoryservices on a worldwide Internet thus can become contiguous and distributed
to form a transparent massive service, limited only by available servers andnetwork resources
The replication mechanisms Microsoft is building into its products are so advancedthat products such as SQL Server 2000 will become fully distributed before 2003
✦ Early on its childhood, LDAP implemented a rich C-based API, making C the defacto programming language of the directory service Using the most popularlanguage of the day with which to call directory functionality ensured LDAPwidespread support in the bustling developer community
Note
Trang 10LDAP consists of the following components, which in some shape or form are thefoundations of all modern directories, including the AD:
✦ The data model: This model represents how data is accessed in the
directory The data model is inherited directly from the data model of the X.500 specification Objects are infused with information by way ofassigning attributes to them Each attribute is type-casted and contains one or more distinct values The objects are classified into groups of classes, such as organizational units (OUs) or Companies
✦ The organization model: This is the inverted tree paradigm we earlier
discussed, which is also inherited directly from the X.500 specification It isthe structure adopted by all modern directory services Of particular note
is how the Domain Name System (DNS) of the Internet is arranged aroundinverted trees The DNS consists of several trees, the root or topmost levels,that sprout downward and contain millions of leaves (or nodes) Figure 2-4illustrates the DNS forest and the seven roots It also illustrates the comtreeand how it has fired the Internet into the commercial juggernaut it is today
Figure 2-4: The organizational model revolves around
the inverted tree, a hierarchical collection of objects
✦ The security model: This model specifies how information is securely and
safely accessed LDAP adopted Kerberos password authentication and hassince added additional authentication layers with the inclusion of the SimpleAuthentication Security Layer (SASL) This SASL provides a tiered architecturefor a multitude of service providers Version 3.0 of LDAP also supports the SSL
or secure socket layer of TCP/IP, which was developed independently by theInternet community Windows 2000 supports SSL in its browser, InternetExplorer
Trang 11✦ The functional model: This model specifies the methods for querying and
modifying the directory objects It includes operations to add entries and toedit, populate the attribute fields, delete, and query objects in the directory
✦ The topological model: This model specifies how the directory services
integrates or interoperates with other compliant directories The ability ofLDAP directories to refer or defer to other directories is inherent in thismodel
LDAP’s popularity flourished with the sudden popularity of the Internet Today,many popular applications and server technologies support the protocol It can
be accessed from most e-mail applications, Web-based applications, and evenembedded systems such as routers and gateway devices
After X.500
A number of large technology companies are hard at work on directory services
The two of note who appear to have been at it longer than Microsoft are BanyanSystems and Novell Others include Netscape and IBM (Lotus Notes)
Banyan perhaps has been at it the longest with its StreetTalk product that has beenpart of the Vines OS for more than a decade Novell entered the market mid-waythrough the 1990s with a directory service aimed at its installed NetWare base, calledthe Novell Directory Service (NDS), and it has been working on versions of NDS thatwill be independent of the NetWare OS, including a version for Windows NT
Despite its immaturity, AD has been built on proven technology One area onwhich it heavily depends is replication, and the technology for this comes fromMicrosoft Exchange The Exchange site integration and replication technology hasbeen proven on millions of installations around the world
From the ground up, Active Directory has been built on open, internationalstandards It is important to note that AD is not an X.500 directory, but it hasborrowed heavily from the X.500 specifications In particular, it uses LDAP
as the access protocol, which opens it to everyone and everything In short,Microsoft has taken everything that was great about X.500 and LDAP and combined it with proven technologies it has develop-ed for other purposes over the years (such as Microsoft’s Component Object Model [COM]) AD can exchange information with any application or service that uses LDAP
AD also relies on DNS as its locator service, allowing clients to transparently locate domain controllers (AD hosts) by merely connecting to a DNS server andlooking up the IP addresses for the closest domain controller (We will discuss this further in Chapters 7 and 8.)
Note
Trang 12The Open Active Directory
AD also provides a rich set of APIs to encourage the development of tools andapplications The AD will thus serve as a repository for application-specificinformation, particularly software that is group-driven For example: We havedeveloped a customer relationship management (CRM) system for several medical and dental clients Our users typically log in to the application and become apparent as a community of active users to the rest of the practice orhospital, once authenticated in the AD
The application is able to obtain enterprise-wide information about the state of theapplication at any given time, and we are able to group users according to serviceand access levels, governed by objects in the AD In particular, the applicationpublishes information about who is logged in and using the system, the files (data)they have checked out of the database management system (such as SQL Server orOracle), and what they are currently doing
We do not need to provide users with a second login just to use the application.Instead, when they run the CRM, it checks to see if the AD has authenticated them,the machine they are accessing the system from, and what they are allowed toaccess Based on this information, we populate the GUI that drives the CRM withinformation the user is allowed to see or use
What About the Registry?
Now that you can see why we need directory services, and where they came from,where does the registry fit in? In the early days of Windows 95 and Windows NT,Microsoft improved the information repositories of applications running on theWindows platform with the creation of the registry It was a great relief from themess created by initialization and configuration files, insecure text files that anyone could access
The registry, however, was more a technology or system created to stabilize theplatform or the OS and is a repository for managing information and the configuration
of applications and computers When users deleted their Windows 3.11 and earlierversion inifiles in error, the application was, for better or worse, destroyed (if the
.inifiles were not backed up) The registry set out to change all that Today, some ofthe largest software houses in the world still do not use it; I can’t imagine why.What’s more, the registry also became the home for the so-called Security AccountManager (SAM) This database stores and manages all the security and accesscontrol authority of network resources
There are some similarities between the registry and the AD Specifically, theregistry is:
✦ Also a database, somewhat cryptic and complex, but still a database
✦ Open and accessible (except for the SAM part)
Trang 13✦ Able to be programmed against.
✦ A replicating structure (single master), providing some vestige of adistributed system
✦ A system of hierarchical structures, which contains records that holdconfiguration data
For the most part, the similarities end here Comparing the registry to ActiveDirectory is like comparing a JetSki to the USS Kitty Hawk AD is a completelydifferent animal Yes, you can still use the registry to store configuration data, and you would still use the registry on a standalone workstation or server, even a domain controller Specifically, the difference is that AD is:
✦ A distributed multi-master database (peer directories update each other
in real time, latency aside)
✦ Built on open, Internet-based standards
✦ Object-oriented
✦ Interoperable (almost coexistent) with the Domain Name System of theInternet
✦ Able to service any network client using TCP/IP
✦ Able to grow to gargantuan proportions
Unfortunately, many applications today still store configuration information inunguarded flat text files, ignoring the registry for the most part Ignoring both theregistry and the AD will likely render your application incompatible with Windows
2000, from both a functional perspective and as a Microsoft logo requirement
AD does not set out to replace the registry The registry still plays an important role
in Windows 2000, as you will discover in Chapter 18 and in various other places inthis book In fact, even AD uses the registry to store some configuration-relatedinformation Microsoft began working on a directory or distributed informationstorage facility some time ago, possibly even at the same time it was developingthe registry
From the outset, Microsoft believed it could only succeed with AD by ensuring
it was based on open standards and interoperable with the Internet, period Inother words, any IP-based (LDAP) client will be able to access the AD, and like the Internet Information Server (IIS), FTP, and other services, this access istransparent (in terms of what OS it is sitting on)
✦ Active Directory supports and coexists with both DNS and LDAP Both aremodeled on the X.500 standard, especially with respect to its structural andorganizational model
✦ Active Directory supports open and interoperable standards, especially withregard to the widespread naming conventions in use today
Note
Trang 14✦ Active Directory is seamlessly integrated into the Internet by virtue ofMicrosoft’s total adoption and commitment to TCP/IP All other protocols that Microsoft supports are essentially provided for backward compatibilitywith earlier versions of NT, other network operating systems, legacy
transports such as SNA and the DLC protocols, and NetBEUI clients
✦ Active Directory provides a rich set of C/C++, Java, VB, and scripting languageinterfaces, allowing it to be fully programmed against
We have investigated which languages or programming environments should beused to program the Active Directory For the speed required by complex code andadvanced development, such as creating service providers, C++ is best For RADand the majority of component-based development, Visual Basic, using the ActiveDirectory Services Interface (ADSI), is best Java is useful when you need to makecalls to the LDAP API, but we have found Microsoft’s support for Java-based access
to Active Directory lukewarm to say the least
✦ Active Directory is built into the Windows NT operating system (still at thecore of Windows 2000), making it backward compatible with earlier versions
of Windows NT
✦ Active Directory is a fully distributed architecture allowing administrators towrite once and update everywhere from a single point of access, across anynetwork
✦ Active Directory is highly scalable and self-replicating It can be implemented
on one machine, or the smallest network, and can scale to support the largestcompanies in the world Resources and adoption permitting, once the kinks(and it has a few) are worked out, it will likely become a pervasive technologywithin a short time
✦ Active Directory’s structural model is extensible, allowing its schema to evolvealmost without limits In this regard, Active Directory has to comply with theX.500 specification that extending the schema requires you to register the newclass with a X.500 governing body This compliance is achieved by registering
an Object Identifier (OID) with the authorities In the United States, theauthority is the American National Standards Institute (ANSI)
AD has fully adopted the most popular namespace models in use today It embracesthe concept of an extendable namespace and marries this concept with the operatingsystems, networks, and applications Companies deploying AD are able to manage
multiple namespaces that exist in their heterogeneous software and hardware.
The Elements of Active Directory
Active Directory is a highly complex product that will no doubt become morecomplex and more advanced in future versions At the core of the product, we find
a number of elements that are native to directory services in general and AD inparticular
Caution
Trang 15Namespaces and Naming Schemes
AD has adopted several naming schemes, which allows applications and users toaccess the AD using the formats they have most heavily invested in These nameformats are as follows:
RFC822 names
RFC822 is the naming convention most of us are familiar with, by virtue of our using e-mail and surfing the World Wide Web These names are also known as user principal names (UPN) in the form of somename@somedomain, for example,
thepresident@thewhitehouse.gov AD provides the RFC822 namespace for all users If you need to find a person’s extension number at a company (if theypublish it), you need only query the directory and look up someone@somedomain
com(your software will translate that into the correct LDAP query, as shown later)
The UPN is also the login name or user ID to a Windows 2000 domain Windowsusers can now log in to a Windows 2000 network by simply entering their user IDand password, like this:
User: jeffrey.shapiro@mcity.orgPassword: *************
It is possible to assign any UPN to a domain for login In other words, you mightcreate a domain called MCITY but prefer users to log in as someone@acmesales.com
so that they do not need to remember more than their e-mail addresses
LDAP and X.500 names
The LDAP and X.500 naming conventions are known scientifically as attributed
naming, which consists of the server name holding the directory (which we refer
to as the directory host), user name, organizational unit, and so on For example:
LDAP://anldapserver.bigbrother.com/cn=jsmithers,ou=trucksales,dc=bigbrother,dc=com
LDAP names are used to query the Active Directory
Active Directory and the Internet
It is possible to locate AD servers anywhere on the Internet or a private intranet
These AD servers can be full-blown Windows 2000 domain controllers, or they canserve the single purpose of being LDAP directory servers The information andaccess that users and clients enjoy from these servers is transparent
The client needs only resolve the closest AD server to it to get information Theclosest server might be on the same site as the client, in which case the DNS serverwill resolve to an AD server on the same subnet as the client Or it may be located
Tip
Trang 16on a site far away This means that AD can and will be used as an Internet directoryserver without ever being accessed for domain authentication Multiple AD serverswill link together to provide a global directory service that spans the continent.
Active Directory Everywhere
Microsoft also set out to ensure that the AD was highly scalable and would becomepervasive as quickly as resources permitted AD, as you will discover in Chapter 8,
is easy to install and set up on a simple server It is also easy to set up and install
AD as a single-user repository, and it carries virtually no noticeable overhead onthe simplest configuration (we will discuss AD configuration in Part III) In otherwords, when AD needs to be small, it can be small, and when it needs to be big, itcan grow at an astonishing rate
This makes it ideal to use the AD for even the simplest of application informationstorage requirements Although it is no substitute for database managementsystems that provide advanced information management services such as infor-mation analysis and data mining (or the management of corporate data), it may not be uncommon to find a single-user application deploying AD in the hope thatlater scaling up will be as easy as merely further populating the directory AD eveninstalls on a standalone 133MHz desktop machine with 64MB of RAM, and is easilydeployable as a domain controller supporting a small company (this configuration isnot what Microsoft officially recommends, and such a configuration should supportlittle else but a directory with a small helping of user and computer accounts)
On the other hand, it is possible to deploy AD in such a way that it scales toastonishing levels As a domain repository, Windows NT 4.0 maxes out at about100,000 users, but AD can scale to the millions — it can grow as large as the Internet.All the replicas of the AD are synchronized (which itself is quite an administrationfeat, as we will soon see) All copies of an organization’s AD system propagatechanges to one another, similar to how DNS servers propagate domain records
In practice, an NT domain becomes shaky at between 30,000 and 40,000accounts, which is why many large companies create multiple resource andaccount domains
The key to the scalability of AD is the domain tree a data hierarchy that canexpand, theoretically, indefinitely The AD provides a simple and intuitive bottom-
up method for building a large tree In AD, a single domain is a complete partition ofthe directory Domains are then subdivided or partitioned into organizational units,allowing administrators to model the domain after their physical organizationstructure or relevant business models A single domain can start very small andgrow to contain tens of millions of objects; thus, objects can be defined at thesmallest corporate atomic structure without the fear of overpopulation, as was
the case with Windows NT 4.0, and NetWare 3.x and 4.x.
Note
Trang 17Inside Active Directory
The core of the Active Directory is largely accessible only to geeks who see heaven
in a line of C++ code (authors included) It does not ship with special viewer tools,like MS Access, that give you a feel for what exists in its structures or what thesestructures look like ( a few Resource Kit tools provide some access) The following,however, describes the key components with the objective of providing an insightinto the innards of this directory service
If It Walks Like a Duck
One area seriously lacking in administrator education is database knowledge
Database 101 should be in every engineering course All too often, we see trators “reinitializing” databases to free up space, only to discover that they wipedout valuable corporate data in the process Later on in this chapter, we will studythe anatomy of the directory from a very high level To fully understand how the ADengine works, the following is a mini-course on Active Directory, the database:
adminis-On the physical level, AD is two things: It is a database and a database managementsystem (DBMS) pure and simple The data it keeps can be viewed hierarchically
A database is a repository for data It is a software structure in which data is stored,
manipulated, and retrieved by any process seeking to gain access to and exploit theinformation it contains If you are not sure this is a valid definition of the AD, thenlet’s apply the definition of a database (the rules) to the AD
A database is a database if:
✦ It contains functional layers — which include a schema — that define thestructure of the database: how data is stored, retrieved, reviewed, andmanipulated Other functional layers include an “engine” that comprises I/O functions, maintenance routines, query routines, and an interface to astorehouse for the data This is often known as a storage engine
✦ The data, properties, and attributes of a thing are stored in containers, whichcomprise collections of records, known as tables (such as in relational database)
or some other cubby (such as in an object database)
The simplest definition of a DBMS is that it is a software application, on top of whichsits a user interface, used to manage the data in a database and the database itself ADBMS can be used to extract data (query), format it, present it to users, and to print
or transfer it into a comprehensible form Modern DBMS systems, like SQL Server,provide users with the technology to interpret or analyze data, as opposed to simplequantification
Trang 18Users of databases and DBMS include both humans and machines Software used
by machines and computers saves and accesses data because it is a means bywhich a process can gain access to persistent information Persistent data can andshould be shared by multiple users, both human and man-made For example, anengineer puts data into a database so that a robot can perform repetitive workbased on the data
Active Directory is all the above and more, but you would not use it to, say, extractrecords of a group of individuals who pose a credit risk to your company becausesuch support is beyond the purpose of a directory service Whether AD is arelational database or an object database brings us to debateable levels in ourdiscussion, so we won’t go there Our analysis of AD will help you to make thatassumption on your own
A relational database is made up of tables; it is made up of columns (collections)that represent things, such as a column or collection of first names Information
about each individual entry is stored chronologically (for example, the fifth first
name or fn in the collection is David) Figure 2-5 represents a column of first names.
Figure 2-5: The column in a relational
database contains records, which are members of collections or groups
You can have multiple tables in a relational database You can also have “things” inone table that relate to things in another table, not only by chance, but also bydesign and purpose In relational tables, you access the properties of a thing, andthe information that it represents, by referencing its place in the collection, asshown in Figure 2-6
An object database is a little harder to define, mostly because many forms of objectdatabases evolved from relational databases An object model-compliant databasemight be more about how the information it contains is exposed to the users andhow the underlying schema can be accessed than about the underlying makeup andtechnology or how it was created
But an object database might also be best described as a database that conforms tothe object model as opposed to the relational model We do not know enough abouthow the AD works because at the very core, it is a proprietary technology What we
Trang 19do know is that data is stored in the AD in a structure that resembles tables withcolumns and rows In fact, Microsoft has used the very same database engine (Jet) itdeployed in Exchange Server in the AD It is thus a blood relative of Microsoft Access.
Figure 2-6: Two columns in a relational database contain records that are
related to each other
The Active Directory Database Structure
AD has been implemented as a layered system comprising the Core DirectoryService Agent (DSA), the Database Layer (DB), and the Extensible Storage Engine(ESE) Above these layers lie the interfaces that comprise the replication service,the Security Account Manager or SAM (as with the NT 4.0 SAM), the LDAP interface,and the API (ADSI) The LDAP interface, as you will see later, provides the interface
or access to LDAP clients LDAP is supported in all 32-bit desktop and workstationenvironments LDAP is also built into Outlook SAM provides the security interfaces
to the AD, and hooks in the access control technology See Figure 2-7
The time has come to dispense with the acronym SAM The problem is that SAMstands for Security Account Manager, Security Accounts Manager, and SecurityAccess Manager, and Surface to Air Missile fits as well If Microsoft would simplifythis to SM for Security Manager, the industry and Microsoft’s people might thenagree on what the acronym stands for
Trang 20Figure 2-7: AD consists of three functional layers, on top
of which lie the access and replication layers and the Security Account Manager (SAM)
The ESE comprises two tables: a data table and a link table The ESE database is used
to maintain data on the structure of the directory and is not apparent to clients The
AD database, NTDS.DIT, on the other hand, contains the following collection ofdatabase tables that users will relate to, either transparently, via some cognitiveprocessing, or directly
✦ Schema Table: The schema dictates the type of objects that can be created in
the AD, how the objects relate to each other, and the optional and compulsoryattributes applied to each object It is important to note that the schema isextensible, and it can thus be expanded to contain custom objects that arecreated by third-party applications and services
✦ Link Table: The link table contains the link information and how the objects
relate to each other in the database
✦ Data Table: The data table is the most important structure in the AD database
system because it stores all the information or attributes about the objectscreated It contains all the compulsory and optional information that make
up the objects such as user names, login names, passwords, groups, andapplication-specific data
Active Directory Objects
If Active Directory is a casserole, then the objects are its ingredients Withoutobjects, the directory is a meaningless, lifeless shell When you first install AD, thesystem installs a host of user objects you can begin accessing immediately Some ofthese objects represent user accounts, such as Administrator, without which youwould not be able to log in and obtain authentication from the directory
Database LayerCore Directory Service Agent (DSA)SAM
Extensible Storage Engine
LDAP Replication