One of the most important changes in the Windows architecture between Windows NT 4.0 and Windows 2000 is Active Directory and the use of DNS for name resolution. Active Directory extends the Windows NT 4.0 directory into a fully extensible, scalable directory service that can meet the needs of corporate intranets. Version 4.0 and earlier versions of Windows NT Server depend on NetBIOS names and have implemented the Windows Internet Name Service (WINS) to resolve computer names to IP addresses. Windows 2000 Server introduces DNS as the name resolution mechanism. Windows NT Server 4.0 can be implemented in an organization, and, although it supports DNS, it requires no integration with the DNS infrastructure. As a result, you can easily install Windows NT in divisional or regional networks. At the enterprise level, you can roll out Windows NT 4.0 with very little impact on or concern for the DNS infrastructure of the organization.
DNS is at the heart of Windows 2000 directory service, and therefore, to deploy Windows 2000 in an enterprise requires coordination at the highest enterprise level. Most organizations have DNS services already in place and must configure Windows 2000 Server to integrate within the existing name space.
In a nutshell, Active Directory is a registry of everything on the network. Even on small networks, most users trying to access network file and printer shares find the task technically challenging. Even browsing for network resources has its problems, not the least of which is the network’s reliance on the browser to find network resources, an erratic service at best. Without some kind of network directory, medium-sized and large networks can be an impossible challenge to users and a full-time task for administrators to manage, even at a superficial level.
Network Neighborhood is useful in many environments, but users find the interface clumsy, and many administrators find its unpredictability gives them nightmares. WINS Manager, Server Manager, and User Manager are useful tools for administrators, but they are not readily available to users and are somewhat inefficient—especially in large networks. They have to refer back to the PDC or the WINS server, which means you face a single point of failure.
All network objects reside in the Microsoft Windows NT domain. Windows NT domains work best in small to medium-sized environments. Large environments have to be partitioned into multiple domains interconnected with trusts. In Windows 2000 Server, Active Directory replaces domain functionality. Active Directory brings together the various objects into one standard container, with a single administrative tool. Active Directory can be replicated between multiple domain controllers, so no single system is critical. In this way, the crucial data stored within Active Directory is both redundant and load-balanced.
Active Directory can be compared to a phone book in several ways, but it is far more flexible. It can record information about organizations, sites, systems, users, shares, and just about any other network object you can imagine. Not all objects are as similar to each other as those stored in the phone book, so Active Directory lets you record various types of information about different objects.
Active Directory components
As I mentioned earlier, Active Directory stores information about network components. There are a number of terms with which you should make yourself familiar.
The term namespace refers to the area in which a network component is located. For example, WINS is a namespace that resolves host names to IP addresses and vice versa; the SAM database is a namespace that resolves account names to full names or to SIDs; and, a less technical example, a telephone book provides a namespace for resolving names to telephone numbers. Active Directory provides a namespace for resolving the names of network objects to the objects themselves. Active Directory can resolve a wide range of objects, including users, systems, and services on a network.
Everything that Active Directory keeps a record of is considered an object. An object is any user, system, resource, or service held within Active Directory. The generic term object is used because Active Directory is capable of tracking a variety of items, and many objects can share common attributes.
Attributes describe objects in Active Directory. For example, all User objects have the attributes username, full name, and description. Network printers are also objects, but they are obviously different from Users, so they have a separate set of attributes that includes a host name, an IP address, and a location.
Schema is the name given to the set of attributes that is used for a particular object type. The schema is what makes object classes, or types, different from each other. Schema information itself is also stored within Active Directory, so administrators can add attributes to object classes if necessary. These changes can then be automatically distributed across the network to the whole domain. This new information will be instantly available—there’s no need to restart any domain controllers or services on domain controllers.
Each object in Active Directory has a name. These names are based on Lightweight Directory Access Protocol (LDAP), a structured protocol that is used to view and manipulate information stored in a hierarchical database. Active Directory supports both LDAP version 2 (LDAP v2) and LDAP version 3 (LDAP v3).
Object names are referred to, in LDAP terminology, as distinguished names. LDAP distinguished names are complicated, but basically they allow any object within a directory to be identified uniquely, regardless of type. For example, a user entry may be represented by the distinguished name of “/O=Internet/DC=COM/DC=MyCompany/DC=MyCompanyIT
Container is the name given to a special type of object used to organize Active Directory. It does not represent anything physical, like a user or a system, but is used to group other objects, such as servers, printers, or users. Container objects can be nested within other containers.
A tree is a set of objects within Active Directory. When containers and objects are combined hierarchically, they tend to form connected branches, i.e., a tree.
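The distinguished name, container, and tree ideas above fit together mechanically: every RDN after the first names a container, and the chain of containers is the object's path up the tree. The following is an added example, not code from the article; it parses a DN in the comma-separated form LDAP v3 uses (RFC 2253), rather than the slash-separated form quoted above, and the sample DNs are constructed.

```python
# Added example (not from the article): parse an LDAP distinguished name into
# its relative DNs, then derive the object's container and the tree above it.
# Uses the comma-separated form of RFC 2253 (LDAP v3); sample DNs are constructed.

def parse_dn(dn):
    """Return [(attribute, value), ...] from the most specific RDN to the root.

    A backslash escapes the next character, so a comma inside a value
    ("Smith\\, John") does not start a new RDN.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def format_dn(rdns):
    """Inverse of parse_dn: re-escape the characters RFC 2253 reserves."""
    special = ',+"\\<>;'

    def esc(value):
        return "".join("\\" + c if c in special else c for c in value)

    return ",".join("%s=%s" % (a, esc(v)) for a, v in rdns)


def parent_dn(dn):
    """The container holding this object ('' for a root object)."""
    rdns = parse_dn(dn)
    return format_dn(rdns[1:]) if len(rdns) > 1 else ""


def ancestors(dn):
    """Every container above the object, nearest first: the path up the tree."""
    rdns = parse_dn(dn)
    return [format_dn(rdns[i:]) for i in range(1, len(rdns))]


def is_within(dn, container):
    """True if dn lies somewhere under container (values compared case-insensitively)."""
    tail = [(a, v.lower()) for a, v in parse_dn(container)]
    rdns = [(a, v.lower()) for a, v in parse_dn(dn)]
    return len(rdns) > len(tail) and rdns[-len(tail):] == tail


def dns_name_from_dn(dn):
    """Join the DC components into the DNS domain name the DN maps to."""
    return ".".join(v.lower() for a, v in parse_dn(dn) if a == "DC")


if __name__ == "__main__":
    user = "CN=Smith\\, John,OU=IT,DC=MyCompany,DC=COM"  # constructed
    print(parse_dn(user))
    print(parent_dn(user))
    print(ancestors(user))
    print(is_within(user, "OU=IT,DC=MyCompany,DC=COM"))
    print(dns_name_from_dn(user))
```

`is_within` is the check that matters for security work: it is how you decide whether an object falls under a subtree someone has been delegated control of, and the escape handling is what stops a crafted value containing a comma from being read as an extra container.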
Unsurprisingly, the term forest describes a collection of trees that are not part of the same namespace but that share a common schema, configuration, and global catalog. Trees in a forest all trust each other, so objects in these trees are available to all users if the user’s security allows it. Organizations that are divided into multiple domains should group the trees into a single forest.
Sites correspond to logical IP subnets. This grouping of information enables an application to locate the closest server on a network. Using site information from Active Directory can greatly reduce the traffic on WANs.
Managing Active Directory
The Active Directory Users And Computers Management Console snap-in is the most useful tool for administering Active Directory. Found in the Administrative Tools program group on the Start menu, this snap-in replaces and improves Server Manager and User Manager in Windows NT 4.0. If you have Windows 2000 installed, take a few minutes to familiarize yourself with this tool, but do not make any modifications until you understand how Active Directory works. The Management Console comes with a collection of wizards that will help you carry out most administrative tasks.
I recommend that you log on as a normal user and issue the Run As command to use Active Directory administrative tools with appropriate permissions.
The Active Directory security model associates an access control list (ACL) with each container, object, and object attribute within the directory. This gives Active Directory an important role in the future of Windows networking, allowing administrators to protect a directory from attackers (and users), while delegating tasks to other administrators when necessary. The Delegation Of Control wizard makes it simple to assign permissions to Active Directory objects.
This high level of control allows an administrator to grant individual users and groups varying levels of permissions for objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users. For example, the administrator could set the ACLs so that only managers could view the home phone numbers of other users. Anyone who was not a member of the Managers ACL would not even know the attribute existed.
Delegated administration is a new concept in Windows 2000 Server. It allows administrators to assign administrative tasks to other users, without granting those users more power than necessary. Delegated administration can be assigned over specific objects or contiguous subtrees of a directory. This is a much more effective method of giving authority over the network. Rather than granting someone the all-powerful and possibly dangerous Domain Administrator permissions, the administrator can give this user permissions for just those systems and users within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACL of their container in much the same way as in NTFS.
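The three ideas in the preceding paragraphs (an ACL on every object and attribute, attributes hidden from users who lack read rights, and delegation over a subtree through inheritance) can be shown working together. The code below is an added example rather than anything from the article or from Windows itself: the directory tree, group names and access control entries are constructed, and the model is deliberately simpler than real Active Directory rights (which use GUIDs, property sets and ordering rules), while keeping the rule that a matching deny entry wins over any allow.

```python
# Added example (not from the article): a toy model of per-object, per-attribute
# ACLs with inheritance from containers, showing attribute hiding and subtree
# delegation. Directory, groups and ACEs are constructed; real AD rights are richer.

class ACE:
    """One access control entry. attribute "*" means every attribute."""
    def __init__(self, trustee, right, attribute="*", allow=True, inherit=True):
        self.trustee, self.right, self.attribute = trustee, right, attribute
        self.allow, self.inherit = allow, inherit


class DirObject:
    def __init__(self, dn, parent=None, attributes=None, aces=None):
        self.dn, self.parent = dn, parent
        self.attributes = dict(attributes or {})
        self.aces = list(aces or [])


def effective_aces(obj):
    """Explicit ACEs first, then those inherited down the container chain."""
    aces = list(obj.aces)
    node = obj.parent
    while node is not None:
        aces.extend(a for a in node.aces if a.inherit)
        node = node.parent
    return aces


def is_allowed(obj, groups, right, attribute):
    """Any matching deny wins; otherwise access needs at least one allow."""
    allowed = False
    for ace in effective_aces(obj):
        if ace.trustee not in groups or ace.right != right:
            continue
        if ace.attribute not in ("*", attribute):
            continue
        if not ace.allow:
            return False
        allowed = True
    return allowed


def visible_attributes(obj, groups):
    """Attributes the caller may read; anything else is simply absent."""
    return {k: v for k, v in obj.attributes.items()
            if is_allowed(obj, groups, "read", k)}


def build_sample_directory():
    """Constructed tree: one domain with Sales and Engineering OUs."""
    root = DirObject("DC=MyCompany,DC=COM", aces=[
        ACE("Domain Admins", "write"),
        ACE("Domain Admins", "read"),
        ACE("Authenticated Users", "read", "name"),
        ACE("Authenticated Users", "read", "description"),
        ACE("Managers", "read", "homePhone"),        # only managers see it
    ])
    sales = DirObject("OU=Sales,DC=MyCompany,DC=COM", root, aces=[
        ACE("Sales Helpdesk", "write"),              # delegated: this subtree only
    ])
    eng = DirObject("OU=Engineering,DC=MyCompany,DC=COM", root)
    alice = DirObject("CN=Alice,OU=Sales,DC=MyCompany,DC=COM", sales,
                      {"name": "Alice", "description": "Account manager",
                       "homePhone": "555-0100"},
                      aces=[ACE("Sales Helpdesk", "write", "homePhone", allow=False)])
    bob = DirObject("CN=Bob,OU=Engineering,DC=MyCompany,DC=COM", eng,
                    {"name": "Bob", "description": "Developer",
                     "homePhone": "555-0101"})
    return {o.dn: o for o in (root, sales, eng, alice, bob)}
```

Note that the Sales Helpdesk group gets write access to everything under `OU=Sales` by inheritance and nothing under `OU=Engineering`, and that the explicit deny on Alice's `homePhone` still carves one attribute out of that delegation: the subtree grant is the least privilege the article describes, and the deny is how you narrow it further without touching the container.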
Whom to trust
Although the term trusts is still used in Windows 2000, trusts now have a very different functionality. There is no distinction between one-way and two-way trusts, because all Active Directory trusts are bi-directional. Also, unlike in Windows NT, all trusts are transitive. So, if Domain A is configured to trust Domain B, and Domain B is configured to trust Domain C, then there is an automatic implicit trust between Domain A and Domain C.
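The practical consequence of transitive, two-way trusts is that a new trust extends access further than the two domains named in it. The following added example (not from the article) models both behaviours over a constructed trust list: the NT 4.0 rule, where only an explicitly configured one-way trust counts, and the Windows 2000 rule, where a trust exists whenever a path of trusts exists. The domain names are constructed.

```python
# Added example (not from the article): Windows NT 4.0 trusts (one-way,
# non-transitive) versus Windows 2000 trusts (two-way, transitive), as a graph.
from collections import deque

# (trusting domain, trusted domain): "A trusts B" lets B's users into A.
SAMPLE_TRUSTS = [("A", "B"), ("B", "C"), ("D", "E")]  # constructed


def nt4_trusts(trusts, trusting, trusted):
    """NT 4.0: only an explicitly configured one-way trust counts."""
    return trusting == trusted or (trusting, trusted) in trusts


def _forest_graph(trusts):
    graph = {}
    for a, b in trusts:                 # two-way: add both directions
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def w2k_trust_path(trusts, start, goal):
    """Windows 2000: transitive, so a trust exists whenever a path exists.
    Returns the chain of domains the implicit trust runs through, or None."""
    graph = _forest_graph(trusts)
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def w2k_trusted_domains(trusts, domain):
    """Every domain whose principals can be granted access in `domain`:
    the reach of the transitive trust, which an administrator should review
    before adding a new trust rather than discover afterwards."""
    graph = _forest_graph(trusts)
    seen, queue = {domain}, deque([domain])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen
```

With the sample list, Domain A trusts Domain C through B under the Windows 2000 rule but not under the NT 4.0 rule, which is the article's example; `w2k_trusted_domains` is the question to ask before configuring a trust, since every domain it returns can be a source of principals you will then be granting rights to.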
Another Active Directory security feature is auditing. Just as you can audit NTFS partitions in Windows NT, you can audit objects and containers within Active Directory in Windows 2000. This is a useful way to determine who is attempting to access objects and whether or not they succeeded.
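Auditing is only useful if someone reads the result, and the question the article poses (who attempted access, and did it succeed?) is easy to answer once the events are in a parseable form. The following added example (not from the article) does that over a handful of constructed audit lines; the line format is invented for this example, and real Windows 2000 security-log events carry the same facts in a different layout.

```python
# Added example (not from the article): summarising directory-access audit
# events to answer "who tried to reach which object, and did it succeed?".
# The log lines and their key=value format are constructed for this example.
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
2000-03-01T09:12:03 user=bob object=CN=Alice,OU=Sales,DC=MyCompany,DC=COM attr=homePhone access=read result=FAILURE
2000-03-01T09:12:09 user=bob object=CN=Alice,OU=Sales,DC=MyCompany,DC=COM attr=homePhone access=read result=FAILURE
2000-03-01T09:12:15 user=bob object=CN=Alice,OU=Sales,DC=MyCompany,DC=COM attr=homePhone access=read result=FAILURE
2000-03-01T09:13:00 user=bob object=CN=Alice,OU=Sales,DC=MyCompany,DC=COM attr=name access=read result=SUCCESS
2000-03-01T09:20:41 user=carol object=CN=Alice,OU=Sales,DC=MyCompany,DC=COM attr=homePhone access=read result=SUCCESS
2000-03-01T09:31:07 user=dave object=OU=Sales,DC=MyCompany,DC=COM attr=* access=write result=FAILURE
"""


def parse_audit_line(line):
    """Fields are key=value separated by spaces; DNs contain no spaces, so
    splitting on the first '=' keeps the commas and '=' inside the DN."""
    timestamp, *fields = line.split()
    event = {"time": timestamp}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("bad field: %r" % field)
        event[key] = value
    return event


def parse_audit_log(text):
    return [parse_audit_line(l) for l in text.splitlines() if l.strip()]


def access_summary(events):
    """{(user, object): {"SUCCESS": n, "FAILURE": n}}"""
    summary = defaultdict(lambda: {"SUCCESS": 0, "FAILURE": 0})
    for e in events:
        summary[(e["user"], e["object"])][e["result"]] += 1
    return dict(summary)


def repeated_failures(events, threshold=3):
    """(user, object) pairs with at least `threshold` failed attempts: the
    cases an administrator reviews first, because one failure is a typo and
    several against the same object are someone probing their permissions."""
    return sorted(key for key, counts in access_summary(events).items()
                  if counts["FAILURE"] >= threshold)


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, counts in sorted(access_summary(events).items()):
        print(key, counts)
    print("review:", repeated_failures(events))
```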
Use of DNS
DNS is necessary to any Internet-connected organization. DNS provides name resolution between common names, such as www.charrington.net, and the raw IP addresses that are actually used in communications. Active Directory makes extensive use of DNS technology and relies on DNS to locate objects within Active Directory. This is a substantial change from previous versions of Windows that required NetBIOS names to be resolved to IP addresses and relied on WINS or another NetBIOS name resolution technique.
Active Directory works best when used with Windows 2000–based DNS servers. Microsoft has made it easy for administrators to transition to these DNS servers by providing migration wizards that walk the administrator through the process. Other DNS servers can be used, but administrators will need to spend more time managing the DNS databases. If you decide not to use Windows 2000–based DNS servers, you should make sure your DNS servers comply with the new DNS dynamic update protocol. Active Directory servers rely on dynamic updates to modify their pointer records, and clients rely on these records to locate domain controllers. If dynamic update is not supported, you will have to update the databases manually, which is something we should strive to get away from.
Windows domains and Internet domains are now completely compatible. A domain name such as mspress.microsoft.com will identify Active Directory domain controllers responsible for the domain, so any client with DNS access can locate a domain controller. Active Directory clients can use DNS resolution to locate any number of services because Active Directory servers publish a list of addresses to DNS using the new features of dynamic update. These addresses identify both the domain and the service being provided and are published via Service Resource Records. Service Resource Records follow this format:
For example, Active Directory servers provide the LDAP service for object location, and LDAP relies on TCP as the underlying transport-layer protocol. Therefore, a client searching for an Active Directory server within the members.tripod.com domain would look up the DNS record for _ldap._tcp.members.tripod.com.
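The lookup just described returns one or more SRV records, and a client then has to choose among them. The following added example (not from the article, and not Microsoft's resolver code) shows the record shape defined by RFC 2782 (owner, TTL, class, type, priority, weight, port, target), parses it, and applies the selection rule clients use: lowest priority first, then a weighted choice among records of equal priority. The records are constructed, and nothing is queried from DNS.

```python
# Added example (not from the article): parse RFC 2782 SRV records of the kind
# Active Directory registers by dynamic update, then pick a target the way a
# client does. Records are constructed; no DNS query is made.
import random

SAMPLE_SRV_RECORDS = [  # constructed: owner TTL class type prio weight port target
    "_ldap._tcp.members.tripod.com. 600 IN SRV 0 100 389 dc1.members.tripod.com.",
    "_ldap._tcp.members.tripod.com. 600 IN SRV 0 50 389 dc2.members.tripod.com.",
    "_ldap._tcp.members.tripod.com. 600 IN SRV 10 100 389 dc3.members.tripod.com.",
]


def srv_name(service, proto, domain):
    """Owner name a client looks up: _service._proto.domain."""
    return "_%s._%s.%s" % (service, proto, domain)


def parse_srv(line):
    parts = line.split()
    if len(parts) != 8 or parts[2] != "IN" or parts[3] != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    service, proto, *labels = parts[0].rstrip(".").split(".")
    if not (service.startswith("_") and proto.startswith("_")):
        raise ValueError("owner must be _service._proto.domain: %r" % parts[0])
    return {
        "service": service[1:], "proto": proto[1:], "domain": ".".join(labels),
        "ttl": int(parts[1]), "priority": int(parts[4]), "weight": int(parts[5]),
        "port": int(parts[6]), "target": parts[7].rstrip("."),
    }


class FixedRng:
    """Stand-in for the random module so a selection can be reproduced."""
    def __init__(self, n):
        self.n = n

    def randint(self, low, high):
        return self.n

    def choice(self, seq):
        return seq[0]


def select_target(records, rng=random):
    """RFC 2782 selection: lowest priority wins; among ties, draw a number in
    [0, total weight] and take the first record whose running weight sum
    reaches it, with zero-weight records ordered first."""
    if not records:
        return None
    lowest = min(r["priority"] for r in records)
    candidates = sorted((r for r in records if r["priority"] == lowest),
                        key=lambda r: r["weight"])
    total = sum(r["weight"] for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total)
    running = 0
    for r in candidates:
        running += r["weight"]
        if running >= pick:
            return r
    return candidates[-1]


def foreign_targets(records, domain):
    """Targets outside the domain they advertise for. Because clients follow
    whatever dynamic update registered, a stray target is a record an
    administrator should be able to account for."""
    suffix = "." + domain
    return [r["target"] for r in records if not r["target"].endswith(suffix)]
```

`dc3` is only ever chosen when both priority-0 controllers are absent from the answer, which is how site-aware and failover placement are expressed in the records rather than in client configuration. `foreign_targets` is the review step that follows from the article's point that servers publish these addresses themselves: dynamic update is convenient precisely because anything permitted to register can add a record, so the set of registered targets is worth checking against the set of controllers you actually run.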
In part two of this series, I will talk about the Global Catalog, which a user can use to find on the network anything to which they have been granted access. I will also describe Active Directory replication and partitioning. I will finish with a short discussion on editing schemas.