Active Directory in Windows Server 2003
Active Directory is Microsoft's trademarked directory service, an integral part of the Windows 2000 architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. It is primarily used for online information; it was originally created in 1996 and was first used with Windows 2000. An Active Directory can be defined as a hierarchical structure, usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web and email servers; and objects, which are the main functions of the domain and network.
This page is designed to help those who are new to Microsoft's Active Directory. My goal is to get you started with the key terms and concepts.
Seven aspects of Active Directory
1) Active Directory as the Successor to NT 4.0's SAM database
Every successful operating system needs an authentication mechanism. Novell developed the marvellous NDS tree, while UNIX has powerful directory services to manage its users. By the year 2000, NT 4.0's SAM had become an embarrassment, and Microsoft developed the directory service we know as Active Directory. As a matter of interest, Active Directory's counterpart to NT 4.0's SAM is the physical file NTDS.DIT (Directory Information Tree).
2) Active Directory as an object based system
The NT 4.0 SAM database was very thin, both in the number of users it could hold and in the range of their properties. The only information SAM stored was usernames and their passwords. Active Directory, on the other hand, can store many more attributes of the user object. To examine and configure these attributes, launch Active Directory Users and Computers and browse through a user's Properties tabs. There you will discover a whole range of attributes, for example telephone number, manager, email address, certificates and dial-in properties.
3) Active Directory's search mechanism
Microsoft do not change menu names without good reason; if you go to the Start Menu in Windows Server 2003 you will see that Find (NT 4.0) has been replaced by Search. Once you launch Search, you will see the file system in the upper window; however, it is the lower section that I am interested in, because this is where you can search for Computers, Printers or People. Using this part of Search, you are actually querying Active Directory to retrieve the objects you are interested in.
Technically you are using a protocol, or query language, called LDAP (Lightweight Directory Access Protocol). LDAP provides the directions for finding objects in the Active Directory database. LDAP is an important language, particularly useful for advanced troubleshooting and for making changes suggested by TechNet articles.
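As an added example (my code, not the article's, and not a Microsoft tool), here is Python that composes the LDAP search filters that a Computers, Printers or People search sends to the directory. The objectCategory, objectClass, cn and location names are standard Active Directory schema names; the function names and the sample search text are my own. The practical point for an administrator is the escaping: RFC 4515 requires `*`, `(`, `)`, `\` and NUL inside a filter value to be hex-escaped, so whatever a user types is matched literally instead of being interpreted as filter syntax.

```python
# Added example, not from the original article: composing the LDAP search
# filters behind a Computers / Printers / People search, with RFC 4515
# escaping of the value the user typed.
from typing import Optional

# RFC 4515 requires these characters to be escaped inside an assertion value.
# Escaping them makes the typed text a literal match rather than filter syntax.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def people_filter(name_prefix: str) -> str:
    """People search: user objects whose common name starts with the typed text.

    objectCategory=person together with objectClass=user selects user accounts
    while excluding computer accounts, which are also objectClass=user in AD.
    """
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(cn={escape_filter_value(name_prefix)}*))")


def computers_filter(name_prefix: str) -> str:
    """Computers search: computer objects whose common name starts with the typed text."""
    return f"(&(objectCategory=computer)(cn={escape_filter_value(name_prefix)}*))"


def printers_filter(location: Optional[str] = None) -> str:
    """Printers search: published print queues, optionally restricted to a location."""
    base = "(objectCategory=printQueue)"
    if location is None:
        return base
    return f"(&{base}(location={escape_filter_value(location)}))"


if __name__ == "__main__":
    print(people_filter("guyt"))
    # Typed text containing filter metacharacters comes out inert:
    print(people_filter("x)(cn=*"))
    print(computers_filter("WKS-"))
    print(printers_filter("Worcester"))
```

The trailing `*` in the cn assertions is added by the builder, not by the user, which is what makes the "starts with" search work while a `*` typed by the user stays literal.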
4) The physical side of Active Directory
The physical side of Active Directory means your sites and subnets. If you are familiar with Exchange, then the site concept is the same in Server 2003. SUB NET = split the network: you split your network into subnets, and the network routers join these subnets to form sites. Your practical task is to tell Active Directory about the physical sites; Microsoft provide a snap-in to help you define them. Once the sites are created, you configure Active Directory replication through Site Links. Lastly, double check that the domain controller objects are in the correct subnet of the correct site.
There are two main reasons for creating a site: slow network connections, and the need to control Active Directory replication traffic. What confuses beginners is that there is no relationship between sites and domains. Amateurs think there is a one-to-one relationship between a site and a domain - wrong. You can have one domain with many sites. Multi-nationals may need one site to hold domain controllers from three different domains.
Plan your sites with a TCP/IP and router expert; thereafter you will only need an occasional change to the configuration. Users and computers, on the other hand, always seem to need their Active Directory settings changing.
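The "double check" at the end of the section is easy to automate. The following Python is an added example of mine, not from the article: it models the subnet-to-site lookup Active Directory performs (an address belongs to the site of the most specific subnet that contains it) and then lists the domain controllers whose site does not match their subnet, or whose address falls in no defined subnet at all. The site names, subnets and domain controller inventory are constructed for the example.

```python
# Added example, not from the original article: mapping addresses to sites the
# way Active Directory does (by subnet) and checking that each domain
# controller sits in the correct subnet of the correct site.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed site topology (hypothetical names and ranges).
SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "London",
    "10.1.5.0/24": "London-ServerRoom",   # more specific subnet inside London
    "10.2.0.0/16": "Worcester",
}

# Constructed domain controller inventory: name -> (IP address, site the
# administrator moved the DC object into).
DOMAIN_CONTROLLERS: Dict[str, Tuple[str, str]] = {
    "DC01": ("10.1.5.10", "London-ServerRoom"),
    "DC02": ("10.2.0.10", "Worcester"),
    "DC03": ("10.2.0.11", "London"),       # object left in the wrong site
    "DC04": ("192.168.9.5", "Worcester"),  # address not covered by any subnet
}


def site_for_ip(ip: str, subnets: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Return the site whose subnet contains `ip`; the most specific subnet wins.

    Returns None when no defined subnet covers the address, which is the case
    in which a client cannot be steered to a domain controller in its own site.
    """
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best is not None else None


def misplaced_domain_controllers(
    dcs: Dict[str, Tuple[str, str]] = DOMAIN_CONTROLLERS,
    subnets: Dict[str, str] = SUBNET_TO_SITE,
) -> List[str]:
    """List domain controllers whose configured site disagrees with their subnet."""
    problems: List[str] = []
    for name, (ip, configured_site) in sorted(dcs.items()):
        actual = site_for_ip(ip, subnets)
        if actual is None:
            problems.append(f"{name}: {ip} is in no defined subnet")
        elif actual != configured_site:
            problems.append(
                f"{name}: {ip} belongs to site {actual} but the object is in {configured_site}"
            )
    return problems


if __name__ == "__main__":
    for line in misplaced_domain_controllers():
        print(line)
```

Running the script reports DC03 and DC04; DC01 and DC02 pass because the most specific matching subnet agrees with the site their objects were placed in.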
5) The logical structure of Active Directory
How you view the logical side of Active Directory depends on your company background. Small companies will start with just one Domain and focus their efforts on how many Organization Units they need. A network architect at a large company will be primarily concerned with how to link DNS names with Domain names, whether to have a blank root domain, and whether a subsidiary would be best in its own tree.
Logical Components
Forest - Two or more trees. Each tree has a distinct name e.g. OurCompany.com and SubsidiaryCo.org
Tree - Two or more domains with the same namespace e.g. OurCompany.com and son.OurCompany.com
Domain - Remains the basic unit of security and replication
Organization Unit - Sub division of a Domain. Used with delegation, management and Group Policy
Parent / Child - The two way, transitive trust relationship between two domains
Root Domain - The first domain that you create, has additional powerful groups e.g. Enterprise Admins
Contiguous namespace - Catchphrase to describe a tree where all the domains have a common word
Schema - The definition of objects and attributes for the whole forest. Every domain, in every tree, has the same schema partition in Active Directory.
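To make the Forest / Tree / Domain / Parent-Child terms concrete, here is an added Python example of mine (not part of the article) that takes a list of domain DNS names, works out which domains form a contiguous namespace (a tree), which domain is the parent of which, and what each domain's LDAP distinguished name is. It uses the article's example names; the assumption that the first name in the list is the forest root domain stands in for "the first domain that you create", since that cannot be derived from the names alone.

```python
# Added example, not from the original article: deriving the logical layout
# (trees within a forest, parent/child pairs, LDAP distinguished names) from a
# list of domain DNS names.
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed forest using the article's example names; the first entry is
# assumed to be the forest root domain (the first domain created).
FOREST_DOMAINS: List[str] = [
    "OurCompany.com",
    "son.OurCompany.com",
    "SubsidiaryCo.org",
    "eu.SubsidiaryCo.org",
]


def dns_to_dn(dns_name: str) -> str:
    """OurCompany.com -> DC=OurCompany,DC=com, the domain's LDAP distinguished name."""
    return ",".join(f"DC={label}" for label in dns_name.split("."))


def parent_domain(dns_name: str, domains: List[str]) -> Optional[str]:
    """Immediate parent: the nearest DNS ancestor that is itself a domain in the forest."""
    known = {d.lower(): d for d in domains}   # DNS names are case-insensitive
    labels = dns_name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate.lower() in known:
            return known[candidate.lower()]
    return None


def tree_root(dns_name: str, domains: List[str]) -> str:
    """Follow parent links upwards; the domain with no parent is the root of its tree."""
    current = dns_name
    parent = parent_domain(current, domains)
    while parent is not None:
        current = parent
        parent = parent_domain(current, domains)
    return current


def forest_trees(domains: List[str]) -> Dict[str, List[str]]:
    """Group domains into trees: one contiguous namespace per tree root."""
    trees: Dict[str, List[str]] = defaultdict(list)
    for d in domains:
        trees[tree_root(d, domains)].append(d)
    return dict(trees)


def describe_forest(domains: List[str]) -> List[str]:
    """Human-readable summary: forest root, then each tree with its parent/child links."""
    root = domains[0]
    lines = [f"Forest root domain: {root} ({dns_to_dn(root)})"]
    for tree, members in forest_trees(domains).items():
        lines.append(f"Tree {tree}: {len(members)} domain(s)")
        for d in members:
            parent = parent_domain(d, domains)
            relation = f"child of {parent}" if parent else "tree root"
            lines.append(f"  {d:24} {dns_to_dn(d):40} {relation}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe_forest(FOREST_DOMAINS)))
```

With the article's names the output shows two trees, OurCompany.com (with child son.OurCompany.com) and SubsidiaryCo.org (with child eu.SubsidiaryCo.org), which is exactly the "two or more trees, each with a distinct name" definition of a forest above.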
6) The Active Directory Schema
At its heart, Active Directory is an object based system. The main objects are Users, Computers, Sites and Printers. Microsoft have built these objects using attributes, for example Common name (CN), Location, Department and many more. Our role as administrators is to set the values, for example Common name = guyt, Location = Worcester. At this stage in our education, all we need to know is that we configure the values through Active Directory Users and Computers; we do not mess with the Schema itself - that is a job for a developer.
The only other practical point we need to be aware of is that when you install Exchange 2000 or 2003, you have to be a member of the Schema Admins and Enterprise Admins groups. Also, once Exchange is installed, the User objects will have more tabs, with attributes like Mailbox, email address and instant messaging.
7) Group Policy and Active Directory
My first point is that without Active Directory, there would be no Group Policies. Group policies encourage central control of the desktop. Your mantra should be 'prevention is better than cure'. My vision of a group policy is to pamper users with all the software they need, yet deny them access to any part of the computer where they have no business to roam.
The best kept secret of group policy is the chance to assign software to users. Many administrators get so carried away locking down the desktop that they overlook the chance to deploy software. The advantage of this method of rolling out software is the ease with which you can service pack or update the .MSI installer files.
Do you remember the Organization Units? Well, part of the reason for creating them was so that you could apply group policies. I mention this as a justification for studying all the facets of Active Directory before you start configuring. The one group policy that you need to apply at the domain level is the security policy. Reluctantly, I will leave further discussion to the Group Policy 2003 section.
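To show why the Organization Unit layout has to be settled before policies are linked, here is an added Python example of mine (not from the article and not a Microsoft tool) that works out which Group Policy Objects reach an object in a given OU and in what order. Domain-linked GPOs are processed first, then each OU from the top of the tree down, so a setting in a deeper OU overrides the same setting made higher up; local and site-linked policy, which are processed before the domain, are left out here, as are the Block Inheritance and Enforced options. The GPO names, links and settings are constructed for the example.

```python
# Added example, not from the original article: which Group Policy Objects
# apply to an object in a given OU, and in what order. Domain-linked GPOs are
# processed first, then each OU from the top of the tree down, so a setting in
# a deeper OU overrides the same setting set higher up. Local and site-level
# policy (processed before the domain) and Block Inheritance / Enforced are
# deliberately not modelled.
from typing import Dict, List

# Constructed GPO links: container DN -> GPO names linked there (hypothetical).
GPO_LINKS: Dict[str, List[str]] = {
    "DC=OurCompany,DC=com": ["Default Domain Policy"],
    "OU=UK,DC=OurCompany,DC=com": ["UK Desktop Lockdown"],
    "OU=Sales,OU=UK,DC=OurCompany,DC=com": ["Sales Software Deployment"],
}

# Constructed settings carried by each GPO (setting name -> value).
GPO_SETTINGS: Dict[str, Dict[str, object]] = {
    "Default Domain Policy": {"MinimumPasswordLength": 8, "LockoutThreshold": 5},
    "UK Desktop Lockdown": {"RemoveRunMenu": True, "Wallpaper": "corporate.bmp"},
    "Sales Software Deployment": {"AssignedSoftware": ["crm.msi"], "Wallpaper": "sales.bmp"},
}


def container_chain(object_dn: str) -> List[str]:
    """Containers from the domain down to the object's own OU.

    'CN=guyt,OU=Sales,OU=UK,DC=OurCompany,DC=com' ->
    ['DC=OurCompany,DC=com', 'OU=UK,DC=OurCompany,DC=com',
     'OU=Sales,OU=UK,DC=OurCompany,DC=com']
    Assumes a simple DN with no escaped commas.
    """
    parts = object_dn.split(",")
    domain_start = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[domain_start:])]
    for i in range(domain_start - 1, -1, -1):      # walk from the domain downwards
        if parts[i].upper().startswith("OU="):
            chain.append(",".join(parts[i:]))
    return chain


def applied_gpos(object_dn: str, links: Dict[str, List[str]] = GPO_LINKS) -> List[str]:
    """GPOs in processing order: domain links first, then each OU top-down."""
    order: List[str] = []
    for container in container_chain(object_dn):
        order.extend(links.get(container, []))
    return order


def effective_settings(
    object_dn: str,
    links: Dict[str, List[str]] = GPO_LINKS,
    settings: Dict[str, Dict[str, object]] = GPO_SETTINGS,
) -> Dict[str, object]:
    """Merge the settings of the applied GPOs; a later (deeper) GPO wins on conflict."""
    result: Dict[str, object] = {}
    for gpo in applied_gpos(object_dn, links):
        result.update(settings[gpo])
    return result


if __name__ == "__main__":
    user = "CN=guyt,OU=Sales,OU=UK,DC=OurCompany,DC=com"
    print("Applied:", " -> ".join(applied_gpos(user)))
    for name, value in effective_settings(user).items():
        print(f"  {name} = {value}")
```

The Default Domain Policy in this model carries the password and lockout settings, which matches the article's advice to apply the security policy at the domain level: for domain accounts those settings only take effect when linked there, not at an OU.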