Active Directory Basics

Active Directory
• Having a foundational knowledge of Active Directory is immensely helpful in the MCSE 2003 Certification Track.

• All courses require a knowledge and understanding of the Active Directory environment.

• Active Directory is the foundation of the Microsoft 2003 client/server environment.

• Active Directory is the directory service for all Windows server editions except for Web Server.

• Active Directory stores information about objects on the network in a centralized location, making it easy for administrators and users to find and use this information.

• Active Directory uses a structured database, modeled after the Microsoft Access product, as the basis for a logical, hierarchical organization of directory information.

• This presentation discusses the basics of the Active Directory environment, including:
  - The Physical Structure of Active Directory
  - The Logical Structure of Active Directory


The Physical Structure of Active Directory

Directory Database
Definition
• This database is often simply referred to as the directory.

• The directory contains information about objects such as users, groups, computers, domains, organizational units (OUs), and security policies.

• This information can be published for use by users and administrators.


Directory Database
Storage and Replication
• The directory is stored on servers known as domain controllers and can be accessed by network applications or services.

• A domain can have one or more domain controllers.

• Each domain controller has a writeable copy of the directory for the domain in which it is located.

• Changes made to the directory are replicated from the originating domain controller to other domain controllers in the domain, domain tree, or forest.

• Because the directory is replicated, and because each domain controller has a writeable copy of the directory, the directory is highly available to users and administrators throughout the domain.


Directory Database
Physical Files
• Directory data is stored in the Ntds.dit file on the domain controller. It must be stored on an NTFS partition.

• Some data is stored in the directory database file, and some data is stored in a replicated file system, such as logon scripts and Group Policies.


Directory Database
• There are three categories of data replicated between domain controllers:
  - Domain Data
  - Configuration Data
  - Schema Data


Directory Database
Domain Data
• The domain data contains information about objects within a domain. This is the information typically thought of as directory information, such as e-mail contacts, user and computer account attributes, and published resources that are of interest to administrators and users.

• For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your organization's directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.


Directory Database
Configuration Data
• The configuration data describes the topology of the directory.

• This configuration data includes a list of all domains, trees, and forests, and the locations of the domain controllers and global catalogs.


Directory Database
Schema Data
• The schema is the formal definition of all object and attribute data that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies.

• Only enterprise admins or schema admins can modify the schema. They can extend the schema by defining new object types and attributes, or by adding new attributes for existing objects.

• Schema objects are protected by access control lists (ACLs), ensuring that only authorized users can alter the schema.


Active Directory Security
• Security is integrated with Active Directory:
  - Through logon authentication
  - Through access control of objects in the directory


Active Directory Security
Logon Authentication
• Active Directory uses logon authentication to secure user and account information. Authentication is the verification of the identity of a party who generated some data, and of the integrity of the data.

• With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network.

• Policy-based administration eases the management of even the most complex network.


Active Directory Security
Logon Authentication
• Microsoft uses Kerberos to perform and encrypt authentication.

• Kerberos is a network authentication protocol.

• It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

• The authentication exchange consists of multiple encrypted messages sent between a client and server to ensure that the client is who it claims to be. Once this is verified, the client is issued a ticket granting it access to the network.


Active Directory Security
Access Control Lists
• Active Directory data is protected by limiting access to users through the use of access control lists.

• Users who log on to the network have to obtain both authentication and authorization to access system resources.

• When a user logs on to the network, the security system authenticates the user with information stored in Active Directory. Then, when the user attempts to access a service on the network, the system checks the properties defined in the discretionary access control list (DACL) for that service.

• This multi-tier system creates a more protected environment and granular control of resource access.
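The following PowerShell is added here as a worked example and is not part of the original slides. It ties the schema slide and the ACL slide together: it checks who currently holds schema-modification rights (membership of Schema Admins, which should be empty outside a planned schema change) and then reads the DACL of two directory objects, the schema container and an OU, listing only the explicit, non-inherited entries, since those are the ones somebody deliberately placed there. It assumes the RSAT ActiveDirectory module on a domain-joined host; the OU name OU=Sales,DC=corp,DC=example is constructed for the example.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module
# and a domain-joined session. The Sales OU DN below is a constructed name.
Import-Module ActiveDirectory

# 1. Who can change the schema right now? Steady state should be "nobody".
$schemaAdmins = Get-ADGroupMember -Identity "Schema Admins" -Recursive
if ($schemaAdmins) {
    Write-Warning ("Schema Admins is not empty: " + ($schemaAdmins.SamAccountName -join ', '))
} else {
    Write-Output "Schema Admins is empty (expected steady state)."
}

# 2. Read the DACL of the schema naming context and of an OU via the AD: drive.
$rootDse = Get-ADRootDSE
$targets = @(
    $rootDse.schemaNamingContext,          # e.g. CN=Schema,CN=Configuration,DC=...
    "OU=Sales,DC=corp,DC=example"          # constructed OU for the example
)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    Write-Output "`n=== $dn"
    Write-Output "Owner: $($acl.Owner)"

    # Explicit ACEs (IsInherited -eq $false) are the ones added on this object itself;
    # ObjectType is the GUID of the attribute, property set or extended right the ACE
    # applies to (an empty GUID means the whole object).
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType |
        Format-Table -AutoSize
}
```

Run it with an account that can read the ACLs (any authenticated user can normally read them); it changes nothing. Reviewing the explicit entries on the schema container and on high-value OUs is a quick way to confirm that the "only authorized users can alter the schema" property described on the slide actually holds in your forest.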


Global Catalog
• A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest.

• In addition, the global catalog stores each object's most common searchable attributes.

• The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, which provides efficient searches without unnecessary referrals to domain controllers.

• A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.


Global Catalog
Roles
• A global catalog performs the following roles:
  - Finds objects
  - Provides user authentication information across multiple domains. If a DC can't find a user located in a second domain, it contacts the global catalog server for the authentication information.
  - Supplies universal group membership information across domains
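The following PowerShell is an added example, not part of the original slides, showing the global catalog roles just listed: it enumerates the GC servers in the forest, then queries one of them on the GC port (3268) so that an object from any domain in the forest is returned without a referral, and finally lists the universal groups, the ones whose membership every GC carries in full. It assumes the RSAT ActiveDirectory module; the user name jsmith is constructed.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Output "Forest: $($forest.Name)   Root domain: $($forest.RootDomain)"
Write-Output "Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# Talk to a GC on port 3268 (GC) rather than 389 (LDAP). A GC answers for objects
# in every domain of the forest, using the partial attribute set for foreign domains.
$gc = $forest.GlobalCatalogs | Select-Object -First 1
$gcServer = "${gc}:3268"

# 'jsmith' is a constructed account name; it may live in any domain of the forest.
$user = Get-ADUser -LDAPFilter "(sAMAccountName=jsmith)" -Server $gcServer -Properties userPrincipalName
if ($user) {
    Write-Output "Resolved $($user.DistinguishedName) (UPN $($user.userPrincipalName)) via GC $gc"
} else {
    Write-Output "No account named jsmith anywhere in the forest."
}

# Universal groups: groupType bit 0x8 set. Their full membership is replicated to
# every GC, which is why logon needs a GC to build a complete token.
Get-ADGroup -LDAPFilter "(groupType:1.2.840.113556.1.4.803:=8)" -Server $gcServer |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName |
    Format-Table -AutoSize
```

The `1.2.840.113556.1.4.803` matching rule is the LDAP bitwise AND, so the filter matches groups whose `groupType` has the universal bit set regardless of the security/distribution bit. Because the same query against port 389 on a DC would only see the DC's own domain, this is also a convenient way to check that the GC actually holds the objects you expect from child domains.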


Active Directory Search Capabilities
• Database search tools allow easy search and access of users, groups, and objects stored in the Active Directory database.

• Administrators can use the advanced Find dialogs in the Active Directory Users and Computers snap-in to perform management tasks with greater efficiency and to easily customize and filter data retrieved from the directory.

• Administrators can add objects to groups quickly and with minimal network impact by utilizing browse-less queries to help find likely members.
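The searches the slide describes are LDAP queries underneath, and the same filters can be run from PowerShell. The block below is an added example, not from the original slides: it uses an LDAP filter with the bitwise matching rule to find enabled accounts whose passwords never expire, a PowerShell-style filter to find computers that have not logged on for 90 days, and a "browse-less" query to populate a group from a directory attribute. It assumes the RSAT ActiveDirectory module; the group name G-Sales-Staff and the department value are constructed.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl is a bit field: 0x2 = ACCOUNTDISABLE, 0x10000 (65536) = DONT_EXPIRE_PASSWORD.
# The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$neverExpires = "(&(objectCategory=person)(objectClass=user)" +
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
                "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
Write-Output "Enabled accounts with non-expiring passwords:"
Get-ADUser -LDAPFilter $neverExpires -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize

# Same idea using the cmdlet's own filter syntax: stale computer accounts.
$cutoff = (Get-Date).AddDays(-90)
Write-Output "Computers with no logon since $($cutoff.ToShortDateString()):"
Get-ADComputer -Filter { LastLogonDate -lt $cutoff } -Properties LastLogonDate, OperatingSystem |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# "Browse-less" group population: pick members by attribute instead of clicking
# through the tree. G-Sales-Staff and the department value are constructed names.
$likelyMembers = Get-ADUser -Filter { Department -eq "Sales" -and Enabled -eq $true }
Add-ADGroupMember -Identity "G-Sales-Staff" -Members $likelyMembers -WhatIf   # drop -WhatIf to apply
```

The first two queries are read-only and make reasonable recurring hygiene checks; the third is shown with `-WhatIf` so the example previews the membership change without applying it.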


Active Directory
• Replication provides information availability, fault tolerance, load balancing, and performance benefits for the directory.

• Active Directory uses "multimaster" replication, enabling you to update the directory at any domain controller, rather than at a single, primary domain controller.

• The multimaster model has the benefit of greater fault tolerance, since, with multiple domain controllers, replication continues even if any single domain controller stops working.


Active Directory
• A domain controller stores and replicates:
  - Schema information. The schema is the objects that are created in Active Directory and their attributes.
  - Configuration information. This is the logical database design, including the domain structure and replication information.
  - Domain information. Describes all objects in a domain and is stored only in that domain. A subset is stored in the global catalog in a multidomain environment.
  - Application information. Application information is stored to limit replication traffic among domain controllers.
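The following PowerShell is an added example, not from the original slides, covering both the replication slide and the partition list above: it shows which domain controllers exist, which naming contexts (schema, configuration, domain, application partitions) each one hosts, and then reads replication partner metadata so that a DC that has silently stopped replicating stands out. It assumes the RSAT ActiveDirectory module; the replication cmdlets it uses (`Get-ADReplicationPartnerMetadata`, `Get-ADReplicationFailure`) exist from Windows Server 2012 onward, so this goes beyond the Server 2003 tooling the slides are based on.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module and
# Windows Server 2012+ domain controllers for the replication cmdlets.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Every DC, its site, whether it is a GC, and the partitions it holds.
#    Partitions include the schema and configuration NCs, the domain NC, and any
#    application partitions (e.g. DomainDnsZones / ForestDnsZones).
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog,
                  @{ n = 'Partitions'; e = { $_.Partitions -join '; ' } } |
    Format-List

# 2. Inbound replication links for the whole domain, worst links first.
Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain |
    Select-Object Server, Partition, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# 3. Accumulated failures. A DC that cannot replicate keeps answering queries from an
#    increasingly stale copy, so this is worth alerting on rather than just reporting.
$failures = Get-ADReplicationFailure -Target $domain -Scope Domain
if ($failures) {
    Write-Warning "Replication failures detected:"
    $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
} else {
    Write-Output "No replication failures recorded for $domain."
}
```

The partner metadata is per partition, which is why one DC appears several times: the schema and configuration partitions replicate forest-wide while the domain partition replicates only among that domain's DCs, matching the categories described on the slide.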


The Logical Structure of Active Directory

Active Directory Objects
Domains, OUs, Trees and Forests
• Active Directory objects consist of four building blocks:
  - Domains
  - Organizational Units
  - Trees
  - Forests


Domains
Overview
• A domain is a logical grouping of computers and users managed through a central security accounts database.

• Domains act as the basic building blocks of an AD environment. As such, AD design starts here, at the domain level.

• It's imperative that you have a solid, secure, and efficient domain plan in place before you move to any other aspect of creating your Active Directory tree.


Root Domain
• The first domain created in your Active Directory environment is known as the "root" domain.

• The name given to the root domain will act as the base for the name of all domains created later.

• As each subsequent domain is added to the structure, it will be added somewhere below the root domain. Additional domains are always children of some other domain in the tree.

• The only domain that is not a child is the root (topmost) domain.


Root and Child Domains
(diagram: root domain with child domains beneath it; no slide text recovered)


Design Considerations
• Key considerations when creating a domain:
  - Number of objects
  - Replication traffic
  - Domains as security boundaries
  - Language
  - Security policies


Number of Objects
• There is really no limit to the number of users, groups, and objects that can be supported in the Active Directory database.

• Tests have been performed with literally millions of


Replication Traffic
• All domain controllers within a domain must contain the same database. In other words, a replication process is used to synchronize any changes made to the database to all domain controllers for the domain. The net effect is more network traffic.

• The larger the database (meaning more users, computers, groups, and other types of records), the more potential replication traffic will be generated.

• A corollary to this is that the more domain controllers you have, the more replication traffic will travel through your network.


Security Boundaries
• Since a domain represents a separate database, the domain boundary is often seen as a built-in security boundary. Administrators of a domain are limited (by default) to the management of resources within their own domain.

• While administrative accounts can be given privileges in more than one domain, this is a manual configuration, in other words a conscious decision rather than a default.


Language Considerations
• Within a domain, servers can be configured for a single language: French, German, etc., although English is supported by all installations.

• If your company crosses international boundaries, you might need additional domains so that local administrators can manage their resources in their native tongue.


Domains
Security Policies
• Security policies control and limit access to resources on the

• Certain policy elements are "domain-wide." These include some very common settings, such as password policies (complexity, length, and lifetime), account lockout policies (when and for how long an account will be locked due to unsuccessful logon attempts), and Kerberos v5 policies (ticket lifetimes, renewal, and logon restrictions).

• If you have different areas of your environment in which these policy elements need to differ, you must create multiple domains.
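Because these settings are domain-wide, checking them once per domain covers every account in it. The block below is an added example, not from the original slides: it reads the effective domain password and lockout policy and compares it with a constructed baseline, reporting each setting as compliant or not. It assumes the RSAT ActiveDirectory module; the baseline values are illustrative and should be replaced by your own standard. Kerberos ticket settings live in the Default Domain Policy GPO and are not returned by this cmdlet.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Constructed baseline for the example; substitute your own standard.
$baseline = [ordered]@{
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10      # 0 would mean lockout is disabled
}

$findings = foreach ($setting in $baseline.Keys) {
    $actual   = $policy.$setting
    $expected = $baseline[$setting]
    $ok = switch ($setting) {
        'LockoutThreshold'            { ($actual -gt 0) -and ($actual -le $expected) }
        'ComplexityEnabled'           { $actual -eq $expected }
        'ReversibleEncryptionEnabled' { $actual -eq $expected }
        default                       { $actual -ge $expected }   # numeric minimums
    }
    [pscustomobject]@{ Setting = $setting; Actual = $actual; Expected = $expected; Compliant = $ok }
}

$findings | Format-Table -AutoSize

# Lifetimes are TimeSpans; report them in human units.
"Max password age: {0} days, min age: {1} days, lockout duration: {2} min, observation window: {3} min" -f `
    $policy.MaxPasswordAge.Days, $policy.MinPasswordAge.Days,
    $policy.LockoutDuration.TotalMinutes, $policy.LockoutObservationWindow.TotalMinutes

if ($findings | Where-Object { -not $_.Compliant }) {
    Write-Warning "Domain $((Get-ADDomain).DNSRoot) deviates from the baseline."
}
```

Run it against each domain (use `-Server` on `Get-ADDefaultDomainPasswordPolicy` to target another domain's DC); the slide's point that differing requirements need separate domains is exactly why the comparison has to be repeated per domain.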


Organizational Units
Overview
• An organizational unit (OU) is a container used to organize objects within a domain into logical administrative groups. Those groups should mirror your organizational structure.

• OUs are the smallest scope to which you can delegate administrative authority. Therefore, they provide a means for handling administrative tasks and a way to delegate administration of users and resources.
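The following PowerShell is an added example, not from the original slides, of the delegation the slide describes: it creates an OU, protects it from accidental deletion, and grants a helpdesk group the "Reset Password" extended right on user objects beneath that OU only, so the delegation stops at the OU boundary. It assumes the RSAT ActiveDirectory module; the domain DC=corp,DC=example and the group Sales Helpdesk are constructed names. The two GUIDs are the well-known schema identifiers for the User-Force-Change-Password right and the user object class.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module.
# Domain and group names below are constructed for the example.
Import-Module ActiveDirectory

$domainDn = "DC=corp,DC=example"
$ouDn     = "OU=Sales,$domainDn"

# 1. Create the OU. ProtectedFromAccidentalDeletion adds a Deny-delete ACE for Everyone.
if (-not (Get-ADOrganizationalUnit -Filter { DistinguishedName -eq $ouDn })) {
    New-ADOrganizationalUnit -Name "Sales" -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Delegate password reset on user objects under the OU to the helpdesk group.
$helpdeskSid = (Get-ADGroup -Identity "Sales Helpdesk").SID

$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password extended right
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the 'user' class

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,   # objects below the OU, not the OU itself
    $userClass                                                                     # ...and only user objects
)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Verify: list the explicit ACEs now present on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Scoping the ACE by both inheritance (descendants only) and inherited object type (user class only) is what keeps the delegation to "this OU's users" rather than everything under it; granting the right on the domain head instead would reach every user in the domain, including administrators' accounts.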


Organizational Units
OUs and Objects
(diagram: a domain containing a Sales OU, an IT OU with its objects, and a Medical OU)


Organizational Units
• An OU can contain objects such as:
  - User accounts
  - Groups
  - Computers
  - Printers
  - Applications
  - File shares
  - Other OUs from the same domain


Organizational Units
Security Objects: User Accounts
• User accounts represent people and are used to log on to a Windows domain. User accounts are used for the following:
  - Authentication. This is the process of proving your identity. User accounts and passwords are used to authenticate users to a domain.
  - Authorization. This is the process of being granted permissions to a resource.
  - Auditing. By requiring all your users to use a unique user account, you can easily audit access to resources.

• Active Directory contains three default user accounts: Administrator, Guest, and Help Assistant.


Organizational Units
Security Objects: Groups Overview
• Without groups, you would have to manually assign all permissions to individual user accounts.

• Groups enable you to organize your users. You can group user accounts and assign permissions to everyone in the group at once.

• Any permissions assigned to a group are automatically granted to members of that group.


Organizational Units
Security Objects: Group Types
• In Active Directory, there are two different group types, which are used for two different purposes:
  - Security groups
  - Distribution groups

• The difference between these groups resides in how they are used:
  - Security groups are designed to be used for security purposes.
  - Distribution groups are designed to be used for distributing applications to collections of users.


Organizational Units
Security Objects: Group Scopes
• Scope is the range that a group will extend over a domain, tree, and

• The scope is used to determine the level of security that will apply to a group, which users can be added to its membership, and the resources that they will have permission to access.

• Active Directory provides three different scopes for groups:
  - Universal
  - Global
  - Domain Local


Organizational Units
Security Objects: Group Scopes
• Universal. Universal groups have the widest scope of any of the group scopes. A universal group can contain accounts and groups from any domain in the forest, and can be assigned permissions to resources in any domain in the forest.

• Global. A global group can contain accounts and groups from the domain in which it is created, and can be assigned permissions to resources in any domain in a tree or forest.

• Domain Local. The difference between domain local and global groups is that user accounts, global groups, and universal groups from any domain can be added to a domain local group. Because of its limited scope, however, members can only be assigned permissions within the domain in which this group is created.
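The following PowerShell is an added example, not from the original slides, that puts the group types and scopes from the last three slides into practice: it inventories the groups in the domain by category and scope, creates one group of each scope under a constructed OU and nests them in the direction the scope rules allow (global into universal into domain local), and then resolves nested membership so the accounts that actually end up holding a permission are visible. It assumes the RSAT ActiveDirectory module; the OU and group names are constructed.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module.
# OU and group names are constructed for the example.
Import-Module ActiveDirectory

# 1. Inventory by type (Security/Distribution) and scope (Global/Universal/DomainLocal).
Get-ADGroup -Filter * -Properties GroupCategory, GroupScope |
    Group-Object GroupCategory, GroupScope |
    Select-Object Name, Count |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. One group per scope, nested the way the scope rules permit.
$ou = "OU=Groups,DC=corp,DC=example"
New-ADGroup -Name "G-Sales-Staff"    -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name "U-Sales-All"      -GroupScope Universal   -GroupCategory Security -Path $ou
New-ADGroup -Name "DL-SalesShare-RW" -GroupScope DomainLocal -GroupCategory Security -Path $ou

Add-ADGroupMember -Identity "U-Sales-All"      -Members "G-Sales-Staff"   # global -> universal: allowed
Add-ADGroupMember -Identity "DL-SalesShare-RW" -Members "U-Sales-All"     # universal -> domain local: allowed

# The reverse direction violates the scope rules and the DC rejects it;
# the try/catch just shows the error instead of stopping the script.
try {
    Add-ADGroupMember -Identity "G-Sales-Staff" -Members "DL-SalesShare-RW" -ErrorAction Stop
} catch {
    Write-Output "Nesting a domain local group into a global group was rejected: $($_.Exception.Message)"
}

# 3. Effective membership. Permissions are granted to DL-SalesShare-RW, but the people
#    who hold them are found only by expanding the nesting.
Get-ADGroupMember -Identity "DL-SalesShare-RW" -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName |
    Format-Table -AutoSize

# The same expansion is the right way to review a privileged group: direct membership
# of Domain Admins can look small while nested groups quietly add many more accounts.
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Select-Object SamAccountName, objectClass |
    Format-Table -AutoSize
```

The global/universal/domain local chain is the classic layering: global groups collect people from their own domain, universal groups aggregate across domains (and are therefore stored on every GC), and domain local groups are what the resource permission is actually assigned to, inside the domain that owns the resource.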


Organizational Units
Security Objects: Computers
• Just as user accounts represent people, computer accounts represent machines.

• Computer accounts provide authentication and auditing for machines.

• Computer accounts are created for all computers that run Windows NT, Windows 2000, Windows XP, and Windows Server 2003 if the computer is joined to a domain.

• Computers running Windows 3.x, Windows 9x, or Windows ME do not have computer accounts and can't be members of a domain, although a user who has an account in the domain can use it to log on to the domain.


Trees
• When multiple domains are necessary for administration, trees are then necessary. Each tree represents a separate directory database, or domain. Each database also acts as a security boundary and is individually protected against unwanted access.


Trusts
• You can set up your system so that a small group of administrators have security privileges over the entire structure, or you can give a group administrative abilities in a select few domains.

• You can also give users permission to access resources throughout the tree. This permission is granted through the use of trusts. This creates a logical link between domains for the select individuals granted that right.

• Trusts can be granted from one domain to another and back again.
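Trusts are where the "security boundary" of a domain is deliberately opened, so they deserve a periodic review. The block below is an added example, not from the original slides: it lists every trust the current domain has, with its direction, type and transitivity, and flags the ones that extend the boundary furthest (outbound or two-way trusts that are transitive and do not use selective authentication). It assumes the RSAT ActiveDirectory module; the thresholds for what counts as a finding are the example's own choice.

```powershell
# Added example (not from the slides). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$trusts = Get-ADTrust -Filter * -Properties *

# Direction is from this domain's point of view: Outbound means this domain trusts the
# other one (its users can access resources here); Inbound is the reverse.
$trusts |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  DisallowTransivity, SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize

# Findings (example policy): a trust that lets outside principals into this domain,
# spans beyond its direct partner, and does not restrict which accounts may use it.
$findings = $trusts | Where-Object {
    ($_.Direction -in 'Outbound', 'BiDirectional') -and
    (-not $_.IntraForest) -and
    (-not $_.DisallowTransivity) -and
    (-not $_.SelectiveAuthentication)
}

if ($findings) {
    Write-Warning "External trusts granting broad inbound access without selective authentication:"
    $findings | Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined | Format-Table -AutoSize
} else {
    Write-Output "No external transitive trusts without selective authentication."
}
```

`IntraForest` separates the automatic parent/child and tree-root trusts described on the forest slides from trusts that were created by hand to another forest or domain; only the latter represent a decision that should be revisited as organisations change.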


Forests
Overview
• When management and space considerations dictate, two separate trees, with separate namespaces, can be joined together as a forest.

• A forest is just a collection of trees that share a common schema and Global Catalog server.

• The trees establish a two-way transitive trust relationship between their root domains.

• If separate namespaces are required with a simple external relationship, then trees will suffice. If that relationship needs to be formalized, then a forest is required.



• Active Directory is the foundation of the Microsoft 2003 client/server environment.

• The physical structure of Active Directory includes the directory database that stores information about Active Directory objects in the Ntds.dit file.

• The logical structure of Active Directory indicates the organization of users, groups, computers, applications and data into logical units: domains, organizational units, trees and forests.

