Active Directory™:
Part One


Ben Christenbury
Technical Lead
Microsoft Platforms Support
Microsoft Corporation

What is Active Directory?
It Is Not:
A locator service
A file system
It Is:
A query-centric system
Consists of objects with attributes
Data replication for performance and availability
Special-purpose database: many, many reads, few updates

The Directory

The Objects

The Schema
A template defining the object classes and attributes that can be stored in the Active Directory
A class lists the attributes that an object of that class must or may contain
Defines required vs. optional attributes
A user account must have a common name (cn) and a logon name (sAMAccountName)
“First Name” (givenName) and “Address” (streetAddress) are optional
Extensible: new classes and attributes can be added

The Active Directory Goals
Address customer needs for a Directory Service
Hierarchical namespace
Partitioning for scalability
Multimaster replication
Dynamically extensible schema
Online backup and restore
Open and extensible directory synchronization interfaces
LDAP as the core protocol for interoperability

The Active Directory Features
Easy UI administration
Scriptable
Extensible
Interoperable
Integrated with security

Directory Management
Microsoft® Management Console
Richer UI (drag-and-drop, multiple select, persistence)
Greater extensibility
Can extend DS admin to add your object/property management behavior
Scripting
ADSI makes scripting easy
Windows® Scripting Host (Wscript.exe)


Directory API
ADSI—Active Directory Service Interface
Directory objects, schema, rich query
Directory independent
NetWare 3/4, NT3/4, LDAP providers
Language independent
Use from Java, Visual Basic®, C/C++
Scriptable
LDAP API


Programmatic Access

User Interface
Easily Extensible

Active Directory
Support for Standard Protocols Means Interoperability

Active Directory
Integrated with Security

Windows 2000 Security Goals
Integrated with Active Directory
Single enterprise logon
Delegated administration
Comprehensive solution
Efficient and standard Kerberos for the intranet
Scales with Public Key technologies to the Internet and extranet

What Is A Domain?
Old (and Familiar)
The domain concept is (in part) unchanged from Windows NT 4.0
A unit of partitioning
A unit of authentication
A unit of domain-level policy
Manifested by domain controllers

What Is A Domain?
New (and Exciting)

Active Directory
 Logical Organization
Logical:  nested hierarchy
Domain hierarchy:  domain tree
Container hierarchy within a domain
Physical: Sites

Active Directory
 Logical Organization

Domain Structures
Definition:  Domain Tree
One or more domains with contiguous names
DESK.COM & HLP.DESK.COM
Definition:  Forest
One or more domain trees (DESK.COM & DEVELOP.COM)
Each domain shares common:
Schema
Site and service configuration
Global catalog

Domain Structures
Naming:  The Forest Root
Start with one tree
The first domain in the forest
This domain is the forest root
Use any DNS node for the name
All domain names must match DNS nodes
Cannot be renamed

Domain Structures
Add subsequent domains as children
Assign each domain a DNS name

Domain Trees Versus Forests
A domain tree is one or more domains with:
A common schema, configuration, and global catalog
Transitive trust
A contiguous namespace
A forest is one or more domain trees with:
A common schema, configuration, and global catalog
Transitive trust
A noncontiguous namespace

Domain Structures
Forest
Create additional trees if you have business units with distinct names
All domains in a forest are connected by transitive trust
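The tree and forest definitions above, and the transitive trust that joins every domain in the forest, can be worked through on a small constructed forest. The model below is an added example, not code from the deck or from Microsoft: it assumes DESK.COM is the forest root, adds TOOLS.DEVELOP.COM as a child of DEVELOP.COM, derives each domain's tree from the contiguous-namespace rule, builds the parent/child and tree-root trusts Active Directory creates automatically, and walks the trust chain a cross-domain authentication follows.

```python
"""Domain trees, forests and the transitive trust path between two domains."""
from __future__ import annotations
from collections import deque

# Constructed forest for this example: DESK.COM is assumed to be the forest
# root; DEVELOP.COM starts a second tree because its name is not contiguous.
FOREST = {"DESK.COM", "HLP.DESK.COM", "DEVELOP.COM", "TOOLS.DEVELOP.COM"}
FOREST_ROOT = "DESK.COM"


def parent_domain(domain: str, forest: set[str]) -> str | None:
    """Immediate parent of `domain`: the longest forest member whose DNS name
    `domain` extends by one or more labels. None means `domain` is a tree root."""
    suffixes = [d for d in forest
                if d != domain and domain.lower().endswith("." + d.lower())]
    return max(suffixes, key=len) if suffixes else None


def domain_trees(forest: set[str]) -> dict[str, set[str]]:
    """Group the forest into trees keyed by tree root: a tree is the set of
    domains sharing one contiguous DNS namespace."""
    trees: dict[str, set[str]] = {}
    for domain in forest:
        root = domain
        while (parent := parent_domain(root, forest)) is not None:
            root = parent
        trees.setdefault(root, set()).add(domain)
    return trees


def trust_links(forest: set[str], forest_root: str) -> dict[str, set[str]]:
    """The two-way transitive trusts AD creates automatically: parent/child
    within a tree, and forest root/tree root between trees."""
    links: dict[str, set[str]] = {d: set() for d in forest}
    for domain in forest:
        parent = parent_domain(domain, forest)
        if parent is not None:
            links[domain].add(parent)
            links[parent].add(domain)
    for tree_root in domain_trees(forest):
        if tree_root != forest_root:
            links[tree_root].add(forest_root)
            links[forest_root].add(tree_root)
    return links


def trust_path(forest: set[str], forest_root: str, src: str, dst: str) -> list[str]:
    """Chain of domains a cross-domain authentication traverses from `src` to
    `dst`; empty if no path exists. Breadth-first search over the trust links."""
    if src not in forest or dst not in forest:
        return []
    links = trust_links(forest, forest_root)
    previous: dict[str, str | None] = {src: None}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            break
        for neighbour in sorted(links[current]):
            if neighbour not in previous:
                previous[neighbour] = current
                queue.append(neighbour)
    if dst not in previous:
        return []
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = previous[node]
    return path[::-1]


if __name__ == "__main__":
    for root, members in sorted(domain_trees(FOREST).items()):
        print(f"tree {root}: {sorted(members)}")
    print(" -> ".join(trust_path(FOREST, FOREST_ROOT, "HLP.DESK.COM", "TOOLS.DEVELOP.COM")))
```

Because the automatic trusts form a tree, the path between any two domains is unique: HLP.DESK.COM reaches TOOLS.DEVELOP.COM only through DESK.COM and DEVELOP.COM, which is why a referral between the two trees always passes through the forest root. The practical consequence of "all domains connected by transitive trust" is that a principal from any domain can be granted access in any other, so the forest, not the individual domain, is the boundary to plan around.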

Trust Relationships

The Global Catalog
A service and store that contains a replica of every object in the Active Directory throughout the forest
Contains a subset of each object's attributes, those most frequently used for searches (the partial attribute set)
Enables users to find objects of interest quickly, without knowing in which domain they are located
Not every DC should be a global catalog server: each one replicates the partial attribute set of every domain in the forest

Logical Structure

Active Directory
 Physical Organization
Sites are defined per forest (in the site and service configuration shared by all domains)
Not part of the namespace structure
DCs for a given domain can be distributed across many sites
A single site can hold many different DCs
The physical organization provides fault tolerance and performance for the logical organization

Active Directory
 Physical Organization
Sites are areas of good connectivity, e.g., LANs, ATM nets, etc.
A Site is a collection of IP subnets
Used to define areas of “good connectivity”
Determines boundaries for replication topologies
Clients are matched to a site by their IP address (from DHCP or configured by hand) against the subnet objects defined in the directory; the domain controller performs the lookup and tells the client its site
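The subnet-to-site mapping can be shown directly. The code below is an added example, not from the deck or from Microsoft; the site names, the subnet objects and the client addresses are constructed for illustration. It matches a client address against the defined subnets with the most specific prefix winning, and flags clients that fall outside every subnet, the case an administrator most wants to catch since such a client has no site and cannot be steered to a nearby DC.

```python
"""Mapping a client to its site by IP subnet (longest prefix wins)."""
from __future__ import annotations
import ipaddress

# Constructed subnet objects as an administrator would define them; each one
# maps to exactly one site. Names and ranges are this example's assumptions.
SUBNETS = {
    "10.1.0.0/16": "Raleigh",
    "10.1.20.0/24": "Raleigh-Lab",      # more specific subnet inside the /16
    "10.2.0.0/16": "Redmond",
    "192.168.100.0/24": "Redmond",      # a site is a collection of subnets
}


def build_subnet_table(subnets: dict[str, str]) -> list[tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, str]]:
    """Parse the subnet objects and sort most specific first, so the first
    containing network is the best match."""
    table = [(ipaddress.ip_network(cidr, strict=True), site) for cidr, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(ip: str, table) -> str | None:
    """Site whose subnet contains `ip`, or None when no subnet object covers the
    address: that client gets no site and may authenticate across a slow link."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:          # False for a version mismatch (v4 vs v6)
            return site
    return None


def clients_without_site(client_ips: list[str], table) -> list[str]:
    """Audit helper: addresses that fall outside every defined subnet."""
    return [ip for ip in client_ips if site_for_client(ip, table) is None]


def subnets_per_site(table) -> dict[str, list[str]]:
    """Invert the table to show each site as the collection of its subnets."""
    result: dict[str, list[str]] = {}
    for network, site in table:
        result.setdefault(site, []).append(str(network))
    return {site: sorted(nets) for site, nets in result.items()}


if __name__ == "__main__":
    table = build_subnet_table(SUBNETS)
    for ip in ["10.1.20.7", "10.1.3.9", "192.168.100.42", "172.16.0.5"]:
        print(ip, "->", site_for_client(ip, table))
    print(clients_without_site(["10.2.9.1", "172.16.0.5"], table))
```

Ordering by prefix length is what makes 10.1.20.7 land in Raleigh-Lab rather than Raleigh even though both subnets contain it; a table that happened to list the /16 first would silently place the lab clients in the wrong site and send their logons to the wrong DCs.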
