Active Directory FAQ

The release of Microsoft's Windows 2000 Server operating system represented a

significant improvement over previous versions of Windows. Most importantly,
Windows 2000 Server introduced Active Directory - Microsoft's implementation of a
directory service. Through Active Directory - and a major reworking of the Windows NT
domain model - Windows is now able to provide a scalable and robust network
architecture. This page attempts to answer the most common questions regarding Active
Directory and describe the Active Directory architecture ITS has built.

Please note: Active Directory is only available through Windows 2000 and later Server
products (excluding Web-only server editions). Windows 2000 Professional and XP do
not provide Active Directory services. However, Windows 2000 Professional - and later
versions of Windows, such as Windows XP - are natively able to access Active Directory
services (i.e. no further software need be installed on these systems). For more
information, see item 7 below.

1. What is a Directory Service?

2. What is Active Directory?
3. What is IMSS doing in regards to Active Directory?
4. What is the difference between a domain and an OU, and why does IMSS
recommend one over the other?
5. Who can request an OU?
6. How does one join Active Directory?
7. Do I need to upgrade my operating system to take advantage of Active Directory?
8. Where does Exchange 2003 fit in?
9. Where can I get more information regarding Active Directory?

1. What is a Directory Service?

A directory service is primarily a network directory that provides a single, logical and
consistent database in which to store information about the network and all network-
based resources - such as users, computers, files, printers, applications, shares etc. As
businesses and organizations grow in size and become ever-more dependant upon
networked-computing, so the work and overhead involved in managing all these entities
and their complex relationships grows too. A directory service helps alleviate some of the
management overhead by providing a single, consistent point of management. It can also
act as a central authority that can securely authenticate resources and manage the
identities and relationships between them. As it is a central authority, users need not keep
multiple accounts - a single logon means their account is authenticated for all resources to
which they have been granted access.

2. What is Active Directory?

Active Directory is a collective term for Microsoft's integrated set of directory services.
Most significantly, Active Directory provides a central, searchable information repository
(allowing simple sharing of network resource information), while acting as the central
authority for network security.

All network resources are represented in Active Directory as objects and each object can
be assigned certain attributes, which characterize the object. For example, a user object
in Active Directory can have attributes such as First Name, Last Name, Phone Number
etc.

Objects can placed into containers - logical groupings of related objects. For example, a
Math Users container might contain all the users in the Math department. These
containers can then be nested within other containers, creating a hierarchical directory
structure that is used to represent an organization's administrative structure, as in Figure
1. The most common container object in Active Directory is known as an
Organizational Unit or OU.

Figure 1 - Active Directory has an object-oriented, hierarchical structure.

The largest unit in Active Directory is known as a Domain. It can also be considered the
largest container object. Each domain is a both a security and administrative boundary.
The top-level domain is known as the Root Domain and subsequent domains sit below
the root domain, and are known as Child Domains. These child domains can themselves
be parents to further child domains. Together, the root domain and it's offspring comprise
a Domain Tree. Within each domain, the hierarchical structure is continued with
Organizational Units. Finally, and outside of the OU structure, user accounts can be put
into Groups, as in Figure 2.

The hierarchical nature of Active Directory, combined with user groups, allows for easy
delegation of administrative tasks and application of administrative policies, as in Figure
2. For example, Administrator A can be assigned full permissions to administer OU A.
Administrator A can now create and manage users, printers, containers and other
directory objects within their own OU. However, their administrative rights are restricted
entirely to that OU - elsewhere they only have regular user rights.

In addition, a Policy can be defined for that OU, such that all objects within the OU are
subjected to that policy. These policies, which can be applied to users and groups (as well
as OUs) are are known as Group Policies. For example, a group policy is defined for the
Dept A Users group, stating that all user passwords must have at least eight characters.
Any user whose account is a member of Dept A Users, must now have a password that
contains at least 8 characters.

Figure 2 - The hierarchical structure of Active Directory allows for easy delegation of
authority,
and application of administrative and security policies (Group Policies).

3. What is IMSS doing in regards to Active Directory?

IMSS, in collaboration with various groups on campus, has developed an Active
Directory infrastructure that we feel best meets the needs of Caltech and its decentralized
structure. Our research and Microsoft's own recommendations have led to a design that
comprises a single tree anchored by the root domain, ad.caltech.edu. In this scenario,
the root domain will house the vast majority of divisions, departments and groups across
campus, as in Figure 3.

IMSS envisions that the vast majority of groups on campus will be assigned an
Organizational Unit within the ad.caltech.edu domain, to which they will be granted
full administrative control. Likewise, IMSS' Windows-based services will be hosted on
servers sitting in the ad.caltech.edu domain. IMSS will continue to create user
accounts for all Caltech associates who currently are eligible for an IMSS account, there
by reducing the administrate overhead of account maintenance for departments. These
accounts will also sit in the ad.caltech.edu domain.

Figure 3 - Simplified graphical representation of IMSS' Active Directory structure.

4. What is the difference between a domain and an OU, and why does
IMSS recommend one over the other?
In Active Directory, each domain is responsible for storing and updating its individual
domain-directory - which collectively comprise the organization's Active Directory. In
addition, a domain is responsible for authenticating access to all resources that are housed
in its domain. In reality, these tasks are accomplished by the Domain Controllers -
servers that run Active Directory services. These domain controllers are similar to
Windows NT's Primary Domain Controllers, although the hardware requirements for
Active Directory domain controllers are significantly greater than those of NT. In
addition, administering and maintaining an Active Directory domain is substantially more
challenging and complex than the older, NT-style domain structure.

Thus, it can be seen that there is considerable overhead involved in running a domain
within Active Directory - in administrative, financial and personnel terms. There are also
other, significant, network issues that are involved in running a separate domain. IMSS
envisions that most groups may wish to avoid investing the time and resources involved
in maintaining a separate domain, yet still desire the control and autonomy implied by
such a domain. For those groups we recommend they are assigned an Organizational
Unit, within the ad.caltech.edu domain.

Organizational Units are conceptually similar to domains, in that they are essentially
administrative boundaries. For groups who are assigned an OU, IMSS will delegate
complete administrative control of the top-level OU to a defined group of OU
Administrators. The OU Administrators will then be able to create users, groups,
computers, further OUs etc. within their top-level OU, at their discretion. They can also
set rights and access permissions to resources in their OU structure and define Group
Policies that apply to their resources. However, these rights and policies will be entirely
limited to their OU structure - i.e. a given group of OU Administrators would have no
administrative rights to users, groups, computers etc. that existed outside of their OU
structure, unless explicitly granted to them.

5. Who can request an OU?

One of the primary benefits of Active Directory is to allow full autonomy and self-
administration to the various departments on campus, within a campus-wide architecture.
Thus, IMSS will primarily create and assign top-level OUs within the ad.caltech.edu
domain at the division or department level. The hierarchical structure of Active Directory
then allows for sub-OUs to be created below the top-level OU, at the discretion of the
top-level OU administrators. This means that requests for OUs by individual labs within a
certain department should go to their department's or division's OU administrators, and
not to IMSS. However, certain Caltech-affiliated groups, organizations and labs may
request a top-level OU if a suitable requirement can be shown. These requests will be
dealt with on a case-by-case basis.

6. How does one join Active Directory?

IMSS is currently accepting requests to join Active Directory. We require a name for
the OU and a list of names of those people who will be responsible for administering the
OU. Before requesting entrance to Active Directory, we strongly recommend that those
who will be responsible for administering an OU begin researching Active Directory and
how common administrative tasks are carried out. Some relevant links are provided at the
bottom of this page.

7. Do I need to upgrade my operating system to take advantage of Active

Directory?

Although only Windows 2000, XP, and 2003 will be able to benefit from all the features
of Active Directory, other versions (Windows 9x and NT) can still take advantage of the
primary benefit - searching the directory. This will enable any Windows client to locate
the resources they desire by simply querying Active Directory. One important thing to
note, however, is that only Windows 2000, XP, and 2003 operating systems are natively
Active Directory-aware. This means that no extra software is needed to benefit from
Active Directory.

In order for a Windows 95, Windows 98, Windows ME - collectively known as Windows
9x computers - or Windows NT system to access Active Directory, it is necessary to
install the Active Directory Client Extension software. In addition, after installing the
client software, it is necessary to configure those systems to be able to use NTLMv2 - a
stronger security protocol that will be enforced in the new domain. We have created two
simple guides that detail, step-by-step, the installation process.

For users who have computers running Windows 9x or Windows NT computers, please
see the following guides:

• Installing the (DSClient) Active Directory Client Extension for Windows NT 4.0
Computers
• Installing the (DSClient) Active Directory Client Extension for Windows 9x
Computers

8. Where does Exchange 2003 fit in?

For those groups who are still running Exchange 5.5 and are thinking of upgrading to
Exchange 2003 (or are thinking of setting up an Exchange 2003 server), please be aware
that Exchange 2003 is completely dependent upon Active Directory - you cannot have
Exchange 2003 without Active Directory. However, the migration to Exchange 2003 -
like the migration to Active Directory - is a complicated process that must be undertaken
with care and follow a successful migration to Active Directory.

There are a number of migration paths to Exchange 2003, and where as one path may be
suitable for one group, it may be unsuitable for another and negatively effect or even bar
that groups migration options. Thus, it is important those groups on campus moving to
Exchange 2003 are in consultation to develop a migration strategy that is best for all
parties involved. Questions regarding Exchange 2003 from groups that are planning
future Exchange installations should be directed to win-admins@caltech.edu.
IMSS also offers its own paid-service Exchange 2003 server cluster, if a individual or
group does not want to go through the process of maintaining this type of server and
service. More information about this, please view the Exchange 2003: Service Overview.

9. Where can I get more information regarding Active Directory?

There are a multitude of resources on the Internet that relate to Active Directory. Not
surprisingly, many of the best can be found on Microsoft's own web pages. The following
resources contain additional information that is relevant to this section.

• "Microsoft Windows Server 2003 Active Directory" in Windows Server

TechCenter is a good starting point for anything Active Directory related.
• "Active Directory Step-by-Step Guides" in Windows Server TechCenter provides
instructions on features of Active Directory.

ESC Home

• ESC Home
• Active Directory
o Overview
o Frequently Asked Questions (FAQ)
o AD Client Extension for Windows NT
o AD Client Extension for Windows 9x
• Enabling NTLMv2 Authentication
• Logon to IMSS Windows Computers
• Connecting to IMSS Windows Servers
• Windows File Services
• Windows Print Services