
Active Directory

Installation

N. Ganesan, Ph.D. , All rights reserved.

Overview of Active Directory

Directory service included in Windows Server.
Stores information about network objects and makes that information available to administrators, users, and applications.
Provides a single point of network management, allowing people to add, remove, and relocate users and resources easily.

1. What is Active Directory? What is the purpose of using Active Directory?
2. What is the function of a directory service? How is it structured?
3. How does Active Directory communicate with a wide variety of other technologies?

What is Active Directory? What is the purpose of using Active Directory?

Active Directory is the directory service included in Windows servers.

Active Directory stores information about network objects and makes the information available to administrators, users, and applications.

Active Directory provides a single point of network management, allowing people to add, remove, and relocate users and resources easily.

Active Directory Provides Benefits

1) Integration with DNS
2) Flexible querying
3) Information security
4) Simplified administration
5) Scalability

1) Integration with DNS
Active Directory has a namespace that is integrated with the Internet's Domain Name System (DNS).
Active Directory domains and DNS domains have the same hierarchical structure; every Active Directory domain name is also a DNS domain name.
DNS zones can be stored in Active Directory (Active Directory-integrated zones, replicated along with the directory).
Active Directory clients use DNS to locate domain controllers: each domain controller registers SRV records such as _ldap._tcp.dc._msdcs.<domain>, and a client queries these names to find a domain controller, preferring one in its own site.

(Diagram 1)
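As an added example (not part of the original slides), the following Python shows the two halves of that DC lookup: the SRV owner names a Windows client asks DNS for, and how a set of SRV answers is ordered under RFC 2782 (lowest priority first, weighted random among equal priorities). The domain, site and host names, and the SRV answers themselves, are constructed for illustration; the record-name layout under _msdcs is the one domain controllers register.

```python
"""DC locator: the DNS names a client asks for, and how SRV answers are ordered.

Added example, not from the original slides. The domain, site and host
names below are constructed for illustration; the record names follow the
_msdcs layout that domain controllers register in DNS.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SRV:
    priority: int   # lower is preferred
    weight: int     # relative share among records of equal priority
    port: int
    target: str


def dc_locator_names(domain: str, site: Optional[str] = None,
                     forest: Optional[str] = None) -> dict:
    """SRV owner names a client queries to find a DC (and a GC) for `domain`."""
    names = {
        "ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{domain}",
    }
    if site:  # site-specific names are tried first to keep logon traffic local
        names["ldap_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    if forest:  # global catalogs are registered under the forest root domain
        names["gc"] = f"_gc._tcp.{forest}"
    return names


def order_srv(records: list, rng: Optional[random.Random] = None) -> list:
    """Order SRV answers per RFC 2782: by priority, weighted-random within it."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:          # all weights zero: order is arbitrary
                pick = pool[0]
            else:                   # probability proportional to weight
                roll = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if roll < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


# Constructed answers for _ldap._tcp.dc._msdcs.rosemead.ca.usa.com
SAMPLE_ANSWERS = [
    SRV(priority=10, weight=0,   port=389, target="dc3.rosemead.ca.usa.com"),
    SRV(priority=0,  weight=0,   port=389, target="dc2.rosemead.ca.usa.com"),
    SRV(priority=0,  weight=100, port=389, target="dc1.rosemead.ca.usa.com"),
]


def preferred_dc(records: list = SAMPLE_ANSWERS) -> str:
    """Target the client should try first for the sample answers."""
    return order_srv(records)[0].target


if __name__ == "__main__":
    names = dc_locator_names("rosemead.ca.usa.com",
                             site="Default-First-Site-Name", forest="usa.com")
    for kind, name in names.items():
        print(f"{kind:9} {name}")
    print("try first:", preferred_dc())
```

The locator trusts whatever DNS returns, so a spoofed or poisoned SRV answer steers clients to a host of the attacker's choosing; Kerberos mutual authentication and LDAP signing are what keep that from turning into an authentication downgrade.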

2) Flexible querying
Users and administrators can use the Search command on the Start menu, the My Network Places icon on the desktop, or the Active Directory Users and Computers snap-in to quickly find an object on the network using its object properties.
For example, one can find a user by first name, last name, e-mail name, office location, or other properties of that person's user account.

3) Information security
Protects network objects from unauthorized access: every object carries an access control list that is checked on each directory operation. Replicates objects across the network so that directory data is not lost if one domain controller fails.

4) Simplified administration
Because all domain controllers in a domain are peers (multi-master replication), a change made on any one domain controller is replicated to all other domain controllers in the domain. This provides a single point of administration for all objects on the network.

5) Scalability
With one or more domain controllers, Active Directory lets you scale the directory to meet any network requirement. Multiple domains can be combined into a domain tree, and multiple domain trees can be combined into a forest.

How is it structured?

Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.

How does Active Directory communicate with a wide variety of other technologies?

Because Active Directory is based on standard directory access protocols (LDAP), it can interoperate with other directory services and can be accessed by third-party applications that follow these protocols.

Figure 1 How Microsoft fits into the Internet's DNS namespace

Figure 2 Comparing DNS and Active Directory namespace roots

Objects
The entities that make up a network.
A distinct, named set of attributes that represents something concrete, e.g. a user.
A globally unique identifier (GUID) is assigned to each object when it is created; it does not change when the object is renamed or moved.

Schema
A description of the object classes, and of the attributes for those object classes.
Every Active Directory object is an instance of an object class. Each attribute is defined only once in the schema and can be used in multiple classes.

Schema Attributes and Querying
Using the Active Directory Schema tool, an administrator can:
Mark an attribute as indexed (faster searches on that attribute).
Include attributes in the global catalog.
The global catalog contains a default partial set of attributes for every object in the forest. Attributes added to it should be:
Globally useful
Not volatile
Small

Schema Object Names
LDAP display name
Common name
Object identifier (OID)

Object Naming Conventions
Security principal names
Security identifier
LDAP-related names
Object GUIDs
Logon names

Security Principal Names

A security principal can be a user account, computer account, or a group.
A security principal name uniquely identifies a user, computer, or group within a single domain.
The pre-Windows 2000 form (DOMAIN\name, the SAM account name) is kept for backward compatibility; the name is unique within its domain, and the domain prefix keeps it unique across domains.

Security IDs (SIDs)

A unique number created by the security subsystem of the Windows 2000 operating system and assigned to security principal objects, e.g. user, group, and computer accounts.
Every account on the network is issued a unique SID when that account is first created. Access control lists refer to principals by SID, not by name, and a SID is never reused: a deleted and re-created account receives a new SID and so loses all of its old access.
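As an added example (not from the original slides), the following Python converts SIDs between their string form and the binary form stored in the directory and in security descriptors, and pulls out what a SID tells you: the issuing domain and the RID. The SID values are constructed for illustration; the binary layout and the well-known RIDs are the documented Windows ones.

```python
"""Security identifiers: string form, binary form, and what a SID tells you.

Added example, not from the original slides. The SID values are constructed
for illustration; the binary layout (revision, sub-authority count, 6-byte
big-endian identifier authority, little-endian 32-bit sub-authorities) is the
documented Windows format.
"""
import struct

# RIDs that every domain hands out to the same built-in principals. The
# Administrator account keeps RID 500 even if it is renamed, so access
# checks and detections should compare SIDs, never display names.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    519: "Enterprise Admins",
}


def sid_to_bytes(sid: str) -> bytes:
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"out-of-range field in {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary SID; rejects blobs whose length disagrees with the count."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID: length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def is_domain_account_sid(sid: str) -> bool:
    """Domain users, groups and computers look like S-1-5-21-<a>-<b>-<c>-<RID>."""
    parts = sid.split("-")
    return len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]


def domain_sid(sid: str) -> str:
    """The issuing domain's SID: everything but the trailing RID."""
    if not is_domain_account_sid(sid):
        raise ValueError(f"{sid} is not a domain account SID")
    return sid.rsplit("-", 1)[0]


def rid(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def describe(sid: str) -> str:
    """Which domain the SID belongs to, and whether its RID is well known."""
    if not is_domain_account_sid(sid):
        return f"{sid}: not a domain account SID (built-in or well-known)"
    name = WELL_KNOWN_RIDS.get(rid(sid), "ordinary account")
    return f"{sid}: domain {domain_sid(sid)}, RID {rid(sid)} ({name})"


if __name__ == "__main__":
    admin = "S-1-5-21-1004336348-1177238915-682003330-500"   # constructed
    blob = sid_to_bytes(admin)
    print(blob.hex())
    print(sid_from_bytes(blob))
    print(describe(admin))
    print(describe("S-1-5-32-544"))   # BUILTIN\Administrators, not a domain SID
```

Two SIDs that share everything but the RID come from the same domain, which is how a domain controller decides whether a SID presented in a ticket or token is one it is allowed to vouch for.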

LDAP-related Names
LDAP, the protocol behind these names, defines what operations can be performed in order to query and modify information in a directory, and how information in a directory can be securely accessed.

LDAP-related Names
Three object-naming formats are based on the LDAP distinguished name:
LDAP DN and RDN names
LDAP URLs
LDAP-based canonical names

LDAP-related Names
Example:
User = John
Country = USA (forest root)
State = CA (tree)
City = Rosemead (domain)
Department = Marketing (OU)

LDAP-related Names
LDAP DN Name (the dc= components spell out the DNS name of the domain, most specific first):
cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA,dc=com

The RDN (relative distinguished name) is the leading component, cn=John.

LDAP URL Name:
LDAP://server1.Rosemead.CA.USA.com/cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA,dc=com

Canonical Name (DNS domain name, then the container path, then the object):
Rosemead.CA.USA.com/Marketing/John
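As an added example (not part of the original slides), the following Python converts between the three name formats above. It goes a little beyond the slide's example by honouring RFC 4514 escaping, so a common name that itself contains a comma (cn=Doe\, John) is not split into two RDNs; mishandling that is a classic way for a tool to act on the wrong object. The user, OU and domain names are the slide's; the server name is an assumption.

```python
"""Convert between LDAP DN, LDAP URL and canonical name forms.

Added example, not from the original slides. The names are the slide's
example (John / Marketing / Rosemead.CA.USA.com); server1 is an assumption.
"""
import re


def split_dn(dn: str):
    """Split a DN into (type, value) RDN pairs, honouring RFC 4514 escaping.

    A comma preceded by a backslash is part of the value, not a separator,
    so 'cn=Doe\\, John,ou=Marketing,dc=example,dc=com' yields four RDNs.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        typ, _, val = rdn.strip().partition("=")
        if not typ or not val:
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((typ.strip().lower(), val))
    return out


def unescape(value: str) -> str:
    """Remove RFC 4514 backslash escapes (\\, and \\2C both mean a comma)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})|\\(.)",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2),
                  value)


def escape(value: str) -> str:
    """Backslash-escape the RFC 4514 special characters in an RDN value."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)


def canonical_from_dn(dn: str) -> str:
    """cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA,dc=com
       -> Rosemead.CA.USA.com/Marketing/John"""
    rdns = split_dn(dn)
    dcs = [v for t, v in rdns if t == "dc"]
    path = [unescape(v) for t, v in rdns if t != "dc"]
    if not dcs:
        raise ValueError("DN has no dc components; cannot form a domain name")
    # dc labels keep DN order (most specific first); containers are reversed
    return ".".join(dcs) + "/" + "/".join(reversed(path))


def dn_from_canonical(canonical: str) -> str:
    domain, _, path = canonical.partition("/")
    parts = path.split("/") if path else []
    if not parts:
        raise ValueError("canonical name names a domain, not an object")
    # Assumption: every intermediate container is an OU. Real AD also has
    # cn= containers (Users, Computers); the DN tells them apart, the
    # canonical name does not, so those need a directory lookup.
    rdns = [f"cn={escape(parts[-1])}"]
    rdns += [f"ou={escape(p)}" for p in reversed(parts[:-1])]
    rdns += [f"dc={label}" for label in domain.split(".")]
    return ",".join(rdns)


def ldap_url(dn: str, server: str) -> str:
    return f"LDAP://{server}/{dn}"


if __name__ == "__main__":
    dn = "cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA,dc=com"
    print(canonical_from_dn(dn))
    print(ldap_url(dn, "server1.Rosemead.CA.USA.com"))   # server1 is assumed
    print(dn_from_canonical("Rosemead.CA.USA.com/Marketing/John"))
```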

Object Publishing
Publishing is the act of creating objects in the directory that either directly contain the information you want to make available or provide a reference to it.
Share publishing
Printer publishing

When to Publish
Relatively static: publish only information that changes infrequently.
Structured: publish information that is structured and can be represented as a set of discrete attributes.

How to Publish
Remote Procedure Call (RPC)
Windows Sockets
Distributed Component Object
Model (DCOM)

You Use Domains to Accomplish the Following Network Management Goals:

Define administrative boundaries
Replicate information
Apply Group Policy
Structure the network
Delegate administrative authority

Domains:
Trees
Forests
Trusts
And OUs (organizational units)

Tree

Figure 3 Parent and child domains in a domain tree. Double-headed arrows indicate two-way transitive trust relationships.

Forests

Figure 4 One forest with three domain trees. The three root domains are not contiguous with each other, but EuropeRoot.com and AsiaRoot.com are child domains of HQRoot.com.

Forest

Figure 5 Shortcut trusts between Domains B and D, and between Domains D and 2

Trust Relationships

Transitive: trusts between domains in the same forest are transitive, so a trust path exists between any two domains in the forest.
Two-way: parent-child and tree-root trusts are created automatically in both directions.
Shortcut trusts: explicitly created between two domains in the forest to shorten a long trust path.
External trusts: explicitly created to a domain outside the forest; they are one-way and non-transitive.

Trust Relationships

Figure 7 A network with two forests and one extranet

Organizational Units

Sites and Replication

Figure 9 Intra-site replication with just one domain

Figure 10 Intra-site replication with two domains and two global catalogs

Figure 11 Two sites connected by a site link. Each site's preferred bridgehead server is used preferentially for inter-site information exchange.

Domain and OU Delegation

Domain Common Tasks You Can Delegate:
Join a computer to a domain
Manage Group Policy links

Organizational Unit Common Tasks You Can Delegate:
Create, delete, and manage user accounts
Reset passwords for user accounts
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage printers
Create and delete printers
Manage Group Policy links

Table 4 Security Permission Settings for a GPO

Groups (or Users)                                               Security Permission
Authenticated Users                                             Read, with Apply Group Policy ACE
Domain Admins, Enterprise Admins, Creator Owner, Local System   Full control, without Apply Group Policy ACE

A GPO applies to a principal only when both Read and Apply Group Policy are allowed for it (and neither is denied); this is why administrators can edit a GPO without it applying to their own accounts.

Group Policy
Group Policy (GP) defines a variety of user and computer environments that administrators can manage centrally. GP settings apply to the users and computers in the sites, domains and OUs to which a Group Policy Object (GPO) is linked.

Group Policy Components:
Registry-based policies
Security options
Software deployment options
Scripts
Redirection of special folders

Group Policy
A GPO affects all users and computers in the container it is linked to, unless administrators explicitly change its permissions (security filtering).
By using security groups in the GPO's access control list, a policy can be applied only to specific sets of users or computers within a container.
Using security groups to represent the business organizational structure in this way can be more efficient than creating extra domains or organizational units purely for administration.
Policy settings applied at the domain, or at OUs that contain other OUs, are inherited by the child containers unless inheritance is blocked on the child or the link is marked No Override to change the precedence.

Delegating Control of Group Policies
Network administrators (enterprise administrators or domain administrators) determine which other administrator groups can modify policy settings.
Delegation can also be granted to other administrators to perform the following tasks:
managing Group Policy links for domains, sites and organizational units
creating Group Policy Objects
editing Group Policy Objects

Interoperability
Active Directory (AD) supports a number of standards to ensure interoperability of a Windows 2000 environment with other vendors' products (Novell, Unix).
The following are supported by Active Directory:
Lightweight Directory Access Protocol (LDAP), the industry standard for directory access, defined by the Internet Engineering Task Force (IETF); Active Directory implements LDAP version 3 (RFC 2251).
o LDAP is used to add, modify, delete and query information stored in AD.
o LDAP is to AD what SQL is to Oracle.
o LDAP determines how a client can access the directory, which operations can be performed within the directory, and how directory data is shared.

o Application Programming Interfaces (APIs): Active Directory Service Interfaces (ADSI) and the LDAP C API.

Active Directory Service Interfaces and LDAP C API:
ADSI enables access to AD by exposing objects stored in the directory as Component Object Model (COM) objects, usable from scripts.
Through COM, ADSI gives access to different types of directories for which a provider exists.
Several providers: Novell Directory Services (NDS), WinNT, LDAP and the Internet Information Services metabase.

Active Directory Service Interfaces and LDAP C API:

Example: You can add a method to the user object that creates an Exchange mailbox for a user when the method is invoked.
The LDAP C API (RFC 1823) is a set of low-level C-language APIs to the LDAP protocol.
It is used by developers; however, ADSI is more powerful and usually more appropriate for application developers.

Synchronizing AD with other Directory Services (DS)
AD interacts with other directory services by using an Active Directory Connector, which offers bi-directional synchronization for:
MS Exchange (e-mail)
Lotus Notes (e-mail)
GroupWise (e-mail and common attributes)
LDAP Data Interchange Format (LDIF) and LDIFDE:
LDIF (RFC 2849) is the Internet-standard text format for directory entries and changes; LDIFDE is the Windows command-line tool that imports and exports directory information in that format.

LDIFDE usage:
Perform batch operations such as add, delete, rename, modify.
Can also be used to back up or extend the schema.
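As an added example (not from the original slides), the following Python builds an LDIF change file of the kind LDIFDE imports: an add record for the slide's user followed by a modify record that sets the password. It shows the two RFC 2849 rules that batch imports most often get wrong (when a value must be base64-encoded with "::", and how lines longer than 76 characters fold) and the Active Directory rule that unicodePwd is only accepted as the quoted password in UTF-16LE over an encrypted connection. The DN, attribute values and password are constructed for illustration.

```python
"""Emit LDIF change records of the kind LDIFDE imports (RFC 2849).

Added example, not from the original slides. The DN, attribute values and
password are constructed for illustration; the encoding rules are RFC 2849
and the documented Active Directory handling of unicodePwd.
"""
import base64

# RFC 2849: a value is written in the clear only if every byte is SAFE-CHAR
# and the first byte is SAFE-INIT-CHAR (no leading space, ':' or '<');
# anything else, including non-ASCII or a trailing space, is base64 ("::").
_SAFE = set(range(0x01, 0x80)) - {0x0A, 0x0D}
_SAFE_INIT = _SAFE - {0x20, 0x3A, 0x3C}


def needs_base64(value: bytes) -> bool:
    if not value:
        return False
    if value[0] not in _SAFE_INIT or value[-1] == 0x20:
        return True
    return any(b not in _SAFE for b in value)


def attr_line(name: str, value) -> str:
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if needs_base64(raw):
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {raw.decode('ascii')}"


def fold(line: str, width: int = 76) -> str:
    """Fold long lines; each continuation line begins with one space."""
    if len(line) <= width:
        return line
    chunks = [line[:width]] + [line[i:i + width - 1]
                               for i in range(width, len(line), width - 1)]
    return "\n ".join(chunks)


def add_record(dn: str, attrs: dict) -> str:
    lines = [attr_line("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(attr_line(name, v))
    return "\n".join(fold(l) for l in lines) + "\n"


def modify_record(dn: str, op: str, attr: str, values: list) -> str:
    """op is add, replace or delete; one modification per record for clarity."""
    if op not in ("add", "replace", "delete"):
        raise ValueError(f"unknown modify op {op!r}")
    lines = [attr_line("dn", dn), "changetype: modify", f"{op}: {attr}"]
    lines += [attr_line(attr, v) for v in values]
    lines.append("-")
    return "\n".join(fold(l) for l in lines) + "\n"


def unicode_pwd_value(password: str) -> bytes:
    """AD accepts unicodePwd only as the quoted password encoded in UTF-16LE,
    and the domain controller rejects the write on an unencrypted connection."""
    return f'"{password}"'.encode("utf-16-le")


USER_DN = "cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA,dc=com"


def sample_import() -> str:
    """An add followed by a password set, as one importable LDIF file."""
    return add_record(USER_DN, {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": "John",
        "sAMAccountName": "john",
        "userPrincipalName": "john@rosemead.ca.usa.com",
        "description": "Marketing (Rosemead)",
    }) + "\n" + modify_record(USER_DN, "replace", "unicodePwd",
                              [unicode_pwd_value("Constructed-Example-Pw1")])


if __name__ == "__main__":
    print(sample_import(), end="")
```

Because the password record only works over LDAPS, the import would be run with the SSL port (ldifde -t 636); sending the same file over port 389 fails at the modify record, which is the behaviour you want.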

Internal and external references
Administrators can create a cross-reference object that points to a server in a directory in another forest.
They take the form of containers.
Internally, the external reference appears as a child of an existing AD object; externally, it does not appear at all.
For both internal and external references, AD stores the DNS name of the server holding a copy of the external directory and the distinguished name of the root of the external directory.

Kerberos Role and Interoperability

Windows 2000 and later operating systems support multiple configurations for cross-platform interoperability:
Clients: A domain controller will authenticate clients that implement RFC 1510 Kerberos, including clients running other operating systems.
Unix clients and services: A Kerberos principal is mapped to a Windows 2000 user or computer account (account mapping).

Kerberos Role and Interoperability

Applications and operating systems: Applications and other operating systems can obtain tickets for services within a Windows 2000 environment.
Backward support for earlier versions of the operating system is provided through a mixed-mode domain configuration.
A mixed-mode domain is a networked set of computers running both Windows NT 4.0 and Windows 2000 (and later) domain controllers; NT 4.0 clients authenticate with NTLM rather than Kerberos.

Summary
Active Directory helps centralize and simplify network manageability and provides the necessary resources to support the organization's objectives.
AD stores information about network objects and makes information available to administrators, users and applications.
Interacts with the Domain Name System (DNS) by providing a namespace that defines all objects.

Summary
Uses domains, trees, forests, trust relationships, organizational units, and sites to structure the network and its objects.
Administrative tasks for OUs, domains and sites can be delegated to the appropriate support groups.
AD is built on standard directory access protocols and, along with its APIs, can access other directory services to expand its flexibility.
Data can be exported or imported as required.

Glossary
Active Directory
An enterprise-class directory service that is scalable, built from the ground up using Internet-standard technologies, and fully integrated at the operating-system level. Active Directory simplifies administration and makes it easier for users to find resources. Active Directory provides a wide range of features and capabilities, including Group Policy, scalability without complexity, support for multiple authentication protocols, and the use of Internet standards.

Glossary
Active Directory Service Interfaces (ADSI)
ADSI is a directory service model and a set of Component Object Model (COM) interfaces. It enables Windows 95, Windows 98, Windows NT, and Windows 2000 applications to access several network directory services, including Active Directory. It is supplied as a Software Development Kit (SDK).

Glossary
Asynchronous Transfer Mode (ATM)
ATM is a high-speed, connection-oriented
protocol designed to transport multiple
types of traffic across a network. It is
applicable to both local area networks
(LANs) and wide area networks (WANs).
Using ATM, your network can
simultaneously transport a wide variety of
network traffic; voice, data, image, and
video.

Glossary
Dynamic Host Configuration Protocol
(DHCP) with Domain Name System
(DNS) and Active Directory
DHCP works with DNS and Active Directory
on Internet Protocol (IP) networks, freeing
you from assigning and tracking static IP
addresses. DHCP dynamically assigns IP
addresses to computers or other resources
connected to an IP network.

Glossary
Indexing Service
Indexing provides a fast, easy, and secure way for users to search for information locally or on the network. Users can use powerful queries to search files in different formats and languages, either through the Start menu Search command or through Hypertext Markup Language (HTML) pages that they view in a browser.

Glossary
Internet Authentication Service (IAS)
IAS provides you with a central point for
managing authentication, authorization,
accounting, and auditing of dial-up or
Virtual Private Network users. IAS uses
the Internet Engineering Task Force
(IETF) protocol called Remote
Authentication Dial-In User Service
(RADIUS).

Glossary
Internet Information Services (IIS) 5.0
The powerful features in Internet Information Services (IIS), a part of Microsoft Windows 2000 Server, make it easy to share documents and information across a company intranet or the Internet. Using IIS, you can deploy scalable and reliable Web-based applications, and you can bring existing data and applications to the Web. IIS includes Active Server Pages and other features.

Glossary
Lightweight Directory Access
Protocol (LDAP) support
LDAP, an industry standard, is the
primary access protocol for Active
Directory. LDAP version 3 was
defined by the IETF.

Glossary
Terminal Services
The Windows 2000 Server family offers the only server operating systems that integrate terminal emulation services. Using Terminal Services, a user can access programs running on the server from a variety of older devices. For example, a user could access a virtual Windows 2000 Professional desktop and 32-bit Windows-based applications from hardware that couldn't run the software locally. Terminal Services provides this capability for both Windows and non-Windows-based client devices.

Glossary
Virtual Private Network (VPN)
You can allow users ready access to the network even when they're out of the office, and reduce the cost of this access, by implementing a VPN. Using VPNs, users can easily and securely connect to the corporate network. The connection is through a local Internet Service Provider (ISP), which reduces connect-time charges. With Windows 2000 Server, you can use several new, more secure protocols for creating Virtual Private Networks, including L2TP, a more secure alternative to PPTP (L2TP is used for tunneling, address assignment, and authentication), and IPSec, a standards-based protocol that provides the highest levels of VPN security. Using IPSec, virtually everything above the networking layer can

END
