Microsoft is touting several Windows 2000 (Win2K) selling points, and Active Directory (AD) is definitely one of them. The big deal about AD is that it lets you easily locate network resources across your enterprise. To fully understand AD, you need a good book and lots of hands-on experience with a Win2K network environment. But for now, let's take an introductory look at AD and its components.
What Is AD?
AD is Microsoft’s version of directory services, a feature that stores information about network resources. Directory services offer a consistent method for administrators to manage and secure resources and centrally organize and control access to network resources. AD supports several industry standard protocols and APIs, including DHCP, DNS, Kerberos 5, LDAP, and X.509 certificates.
AD objects (e.g., users, computers, and printers) are the most basic component of AD. AD containers are objects that can contain other containers, such as Organizational Units (OU), which I'll explain later. Each object has one or more attributes, also known as properties. For example, a user object has dozens of attributes, such as a first name, last name, and a pager number. A printer object has attributes such as the printer's location and memory. AD is a database of these objects that lets you perform very specific queries to locate the objects. For example, I can query I can query for a laser printer that can print and staple double-sided, 11x17 paper in full color at 1200dpi and can print at least 12 ppm, as Screen 1 shows.
AD Structure
AD's main components, which you use to design the hierarchy and to optimize network traffic, are its logical structure and its physical structure. The logical structure, which simply organizes network resources, consists of OUs, domains, trees, and forests. The logical structure helps you design a network hierarchy that suits your organizational needs. You use the physical structure, which consists of sites and domain controllers, to manage and optimize network traffic by customizing the network configuration.
Logical structure. The core component of AD’s logical structure is the domain. A domain is a unit of replication—all domain controllers in a domain replicate information to each other and contain a complete copy of directory information for their domain. Domains also act as security boundaries. Domain administrators have complete access and control of their domains only. To administer another domain, an administrator has to attain explicit permissions.
One component of AD's logical structure are the OUs. You use OUs to organize objects within a domain and to delegate authority to individuals or groups who need to manage those objects. For example, if the finance department wants to manage its own resources, you can create an OU container called Finance, create objects (e.g., users, computers, printers) within that container, and assign someone from the finance department to manage these resources (known as delegating the authority). You can also move existing objects between OUs. Don't confuse OUs with groups; groups have no relationship to OUs and have a completely different functionality.
Because AD is scalable, you can create additional domains as your network grows. AD supports more than a million objects per domain (Compaq has successfully tested AD domains with up to 16 million objects). The first Win2K domain in your network creates a root of a new tree, which is one or more AD domains that share a contiguous namespace. If, for example, I create a root of a domain tree and name it win2000mag.com, all other domains that I add to the tree will share the win2000mag.com namespace. The name of the child domain combines with the parent’s domain name. For example, if I add two child domains under the root called Sales and Marketing, their fully qualified domain names will become sales.win2000mag.com and marketing.win2000mag.com, as Figure 1 shows. All domains in a tree link automatically with a bidirectional transitive trust relationship. Because Sales trusts the root domain, which in turns trusts the Marketing domain, Sales and Marketing trust each other.
We can extend the logical structure of AD further with forests. A forest is one or more trees that don't share a contiguous namespace. We can have two trees in a forest representing two namespaces in one organization, as Figure 2 shows. Such a forest will share a common configuration (e.g., information about domains, computers, and trust relationships), schema (e.g., classes and attributes), and a Global Catalog.
Physical structure. AD's physical structure consists of sites and domain controllers. A site, which is one or more well-connected IP subnets, controls replication traffic between domain controllers and lets users authenticate with a domain controller within their site. This functionality helps you optimize network traffic and logon authentication in large enterprises.
A domain controller, which is a Win2K server running AD, contains a complete replica of the domain database. In Win2K, no single domain controller acts as a master domain controller. All domain controllers use a multimaster replication model and are peers.
Global Catalog Server
As I mentioned earlier, AD lets users easily locate AD objects. So how do users locate these objects? They use LDAP to query a Global Catalog server, which is a domain controller that contains information about all AD objects and a subset of their attributes. Think of a Global Catalog server as an index of AD. Just as you would use an index to locate information about a topic (e.g., planets) in an encyclopedia, you can use the Global Catalog to determine the location of an object (e.g., a printer) in AD. Because the Global Catalog server indexes the entire forest, you can locate objects all across your forest regardless of their location. You typically place Global Catalog servers at each site, but the placement of these servers might vary depending on your AD architecture.
Global Catalog servers also provide universal group information to domain controllers during the user logon process. If a Global Catalog server isn't accessible, a network user won't be able to log on. Once logged on to the network, a user with the right permissions can access resources anywhere within a Win2K forest. Before users can find network resources, such as shared folders and printers, you have to publish the resources in AD—but that's a topic for a future column.
End of Article
)
Register
Thanks and continue the good work.
David Mbonu February 22, 2000