Chapter 2
Active Directory Service
Topics Covered
Directory basics
Introduction to Active Directory Service
Physical and Logical Structure of Active Directory
Active Directory Partitions
Active Directory Files
New Features of Active Directory
Authentication in Windows 2003
Windows 2003 Server products
Hardware requirement
Upgrade path and New features of Windows 2003
Page No. : 1
Vision Infosystems (VIS)
What is a Directory
A directory organizes all sorts of information about a network. The information stored in a
directory includes network resources, network services, network users and groups, and so on.
A directory is a container that arranges objects in a systematic order according to our
requirements, e.g. a telephone directory, an address directory, a company directory, etc.
Application directory : A directory maintained by e-mail software such as Lotus Notes and
Exchange for keeping track of their users, etc.
Purpose-specific directory : A directory maintained by a particular service. WINS and DNS, for
example, each maintain their own directory for storing mappings between hostnames and IP addresses.
Network directory : An online directory that stores information about the resources, services and
objects in a network. It stores all information about computers, users, printers and other available
resources in the network. The Active Directory of Windows 2000 is an example of a network directory.
In the field of computing, various types of directory have been developed since networking
began, for example:
Microsoft - Active Directory Service
Xerox - Grapevine
ITU - X.500
IEEE - DNS (Domain Naming Service)
Netware - NDS (Novell Directory Service)
RFC - LDAP (Light Weight Directory Access Protocol)
Active Directory is designed to be a single directory for a network of any size. The informational
(data) model of the LDAP protocol is the basis for Active Directory. Active Directory is based on
X.500, the International Standards Organization (ISO) standard defining the elements of a
distributed directory service. This standard proposes an object-oriented data model; therefore it
uses terms such as class, object and attribute.
Active Directory Schema : The schema is the structure that defines which objects, and which
attributes of those objects, can be stored in ADS. When a domain is set up it contains a default
schema known as the DIT (Directory Information Tree). There are over 140 predefined classes and
over 840 attributes stored in the DIT. SCHMMGMT.MSC is used to view the ADS schema.
Objects and Attributes : In ADS every component is called an object, and every object has
attributes. E.g. users, computers and printers are objects, and the properties related to them are
called attributes.
Class : A class is a container, or an object containing sub-objects, such as a Forest, Tree,
Domain, O.U., etc.
Domains : A domain in AD is a logical grouping of objects such as users, computers,
printers and O.U.s.
Trees : Trees are logical groupings of domains and sub-domains under a single hierarchy.
Physical Structure
The physical components of Active Directory are sites and domain controllers.
Domain Controller : A DC is an object, or computer, which runs the Windows 2000 Server
operating system and maintains a copy of AD. A domain can have multiple DCs according to
our requirements.
Sites : A site is a collection of one or more IP subnets connected by a highly reliable and fast
link to localize as much network traffic as possible. With Active Directory, sites are not part of
the namespace. When you browse the logical namespace, you see computers and users grouped
into domains and OUs, not sites. Sites contain only computer objects such as Domain Controllers
and connection objects used to configure replication between sites. Sites are basically used for
replication of the Active Directory database between Domain Controllers in a site.
Global Catalog : The GC can be thought of as an index file that helps to find objects in a large
Active Directory database. The global catalog is the central repository of information about objects
in a tree or forest. The GC stores a full copy of the entire Active Directory, while each domain
maintains a partial copy of it. A DC maintains the Global Catalog database. By default the first DC
in the forest is assigned the role of Global Catalog. When a user logs on to a machine, the GC
searches for a matching object and sends the object query to the specific domain.
Functions of DNS
• Finding objects in Active Directory such as Domain Controllers, Global Catalogs, etc. using
SRV records in DNS.
• Resolving names (i.e. Fully Qualified Domain Names) to IP addresses.
In the above example, Ajay Raul is the user's full name and Vision.com is the domain name.
LDAP Ports
Connections via the LDAP protocol between a client and a DSA use either the Transmission
Control Protocol (TCP) or the User Datagram Protocol (UDP). The table below lists the protocol
ports used in the different access modes:
Function                                    Port
LDAP                                        389
LDAP over Secure Sockets Layer (SSL)        636
Global Catalog (GC)                         3268
Global Catalog over Secure Sockets Layer    3269
Directory Partitions
Each DC in a forest maintains directory partitions. A directory partition is a logical grouping of
objects in AD for easy indexing and searching. There are three types of partitions:
Schema Partition : It defines the types of data stored in AD. This partition is shared by all DCs in
a forest. When a new object is added to the network, the schema partition is checked so that the
appropriate attributes are applied to the object. The schema partition is replicated to all domains in the forest.
Domain Partition : This partition stores information specific to an AD domain. It contains
information about the users, computers and other objects of that domain only. Each domain
maintains its own domain partition.
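As an added illustration, not part of the course material: given an object's distinguished name, decide which partition (naming context) holds it and therefore how widely it replicates. The schema and configuration naming contexts hang below CN=Configuration of the forest root domain; the replication scopes listed in SCOPE are stated here from Active Directory's behaviour, and the domain name vision.com is taken from the page.

```python
SCOPE = {  # where each partition is replicated (summary written for this example)
    "schema": "every DC in the forest",
    "configuration": "every DC in the forest",
    "domain": "every DC in that domain; partial attribute set on Global Catalog servers",
}

def split_dn(dn: str) -> list:
    # Split a distinguished name into its RDNs, honouring backslash-escaped commas
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts

def classify(dn: str) -> dict:
    # Decide which directory partition holds the object named by dn
    parts = split_dn(dn)
    i = len(parts)
    while i > 0 and parts[i - 1].upper().startswith("DC="):
        i -= 1  # the trailing DC= components name the domain naming context
    if i == len(parts):
        return {"partition": "unknown", "naming_context": "", "replicated_to": "n/a"}
    head = [p.upper() for p in parts[:i]]
    if head[-2:] == ["CN=SCHEMA", "CN=CONFIGURATION"]:
        kind, nc = "schema", ",".join(parts[i - 2:])
    elif head[-1:] == ["CN=CONFIGURATION"]:
        kind, nc = "configuration", ",".join(parts[i - 1:])
    else:
        kind, nc = "domain", ",".join(parts[i:])
    return {"partition": kind, "naming_context": nc, "replicated_to": SCOPE[kind]}
```

A change made under the schema or configuration naming context reaches every DC in the forest, which is why write access there deserves far tighter control than access to a single domain's objects.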
The following list contains the Active Directory support files and their functions:
Ntds.dit : This is the main AD database. NTDS stands for NT Directory Services. The DIT
stands for Directory Information Tree. The Ntds.dit file on a particular domain controller
contains all naming contexts hosted by that domain controller, including the Configuration and
Schema naming contexts. A Global Catalog server stores the partial naming context replicas in
the Ntds.dit right along with the full Domain naming context for its domain.
Edb.log : This is a transaction log. Any changes made to objects in Active Directory are first
saved to a transaction log. During lulls in CPU activity, the database engine commits the
transactions into the main Ntds.dit database. This ensures that the database can be recovered in
the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory
to improve performance. Transaction log files used by the ESE engine are always 10MB.
Edbxxxxx.log : These are auxiliary transaction logs used to store changes if the main Edb.log
file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in
hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is
renamed to Edb00001.log, and Edbtemp.log is renamed to Edb.log file, and the process starts
over again. ESENT uses circular logging. Excess log files are deleted after they have been
committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many
updates pending.
Edb.chk : This is a checkpoint file. It is used by the transaction logging system to mark the point
at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the
checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer
tells the system how far along a given set of commits had progressed before the termination.
Res1.log and Res2.log : These are reserve log files. If the hard drive fills to capacity just as the
system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is
used. The system then puts a dire warning on the screen prompting you to take action to free up
disk space quickly before Active Directory gets corrupted. You should never let a volume
containing Active Directory files get even close to being full. File fragmentation is a big
performance thief, and fragmentation increases exponentially as free space diminishes. Also, you
may run into problems as you run out of drive space with online database defragmentation
(compaction). This can cause Active Directory to stop working if the indexes cannot be rebuilt.
Temp.edb : This is a scratch pad used to store information about in-progress transactions and to
hold pages pulled out of Ntds.dit during compaction.
Schema.ini : This file is used to initialize the Ntds.dit during the initial promotion of a domain
controller. It is not used after that has been accomplished.
Domain Modes
There are two domain modes: mixed mode and native mode.
Mixed Mode
Mixed mode allows the domain controller to interact with domain controllers in the domain
that are running previous versions of Windows NT. A mixed-mode domain is a mixture of Domain
Controllers running Windows 2000 and Windows NT.
Native Mode
Native mode is the mode in which all domain controllers within the domain are running the
Windows 2000 Server operating system. Native mode does not support pre-Windows 2000
servers.
NTLM : This protocol is used for backward compatibility with operating systems such as Windows
95, 98 and NT. It is used in mixed mode and is disabled in native mode.
Kerberos V5 : This is an industry-standard authentication protocol, developed at MIT, that provides
a higher level of security and is one of the most secure and fastest authentication protocols available.
Kerberos V5 is the default protocol used in Windows 2000/2003 for authentication of users,
computers and even trust relationships.
The Domain Controller decrypts the information and checks the timestamp, then creates two
Kerberos tickets. The tickets are encrypted using the key derived from the user's stored password
and sent back to the user. The two tickets are the logon session key ticket, which is used to
establish the logon session, and the TGT (Ticket Granting Ticket) or user ticket, which
allows the user to access network resources.
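The exchange described above, modelled as an added Python example that is not part of the course: the client sends the current time encrypted under its password-derived key, the DC decrypts it, rejects a stale or undecryptable timestamp, and otherwise returns a logon session key plus a TGT. The cipher, key derivation, realm VISION.COM, user ajay and password are constructed stand-ins; the error names are those of RFC 4120. It goes one step beyond the text in sealing the TGT under the KDC's own key rather than the user's, which is how Kerberos actually does it.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds; the usual Kerberos clock-skew tolerance (assumed here)
REALM = "VISION.COM"  # constructed realm name
KDC_KEY = os.urandom(32)  # constructed stand-in for the KDC's (krbtgt) key

def string_to_key(password: str, user: str) -> bytes:
    # Password-derived key; toy replacement for Kerberos string2key, salted with realm+user
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + user).encode(), 20000)

# Constructed user store: the DC holds the derived key, never the password itself
USERS = {"ajay": string_to_key("Passw0rd!", "ajay")}

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy encrypt-then-MAC standing in for a Kerberos encryption type
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered message
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def as_request(user: str, password: str, now: int) -> dict:
    # Client side: pre-authentication data is the current time sealed under the password key
    return {"user": user, "preauth": seal(string_to_key(password, user), {"ts": now})}

def as_reply(req: dict, now: int):
    # Domain Controller side: decrypt the pre-auth, check the timestamp, issue the two tickets
    key = USERS.get(req["user"])
    if key is None:
        return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
    pa = unseal(key, req["preauth"])
    if pa is None:
        return "KDC_ERR_PREAUTH_FAILED"  # wrong password: the timestamp will not decrypt
    if abs(now - pa["ts"]) > MAX_SKEW:
        return "KRB_AP_ERR_SKEW"  # stale or replayed timestamp
    session_key = os.urandom(32).hex()
    # The logon session key goes back sealed under the user's key; the TGT is sealed under
    # the KDC's key, so the client can present it later but cannot read or alter it.
    tgt = seal(KDC_KEY, {"user": req["user"], "session_key": session_key, "expires": now + 36000})
    return {"enc_part": seal(key, {"session_key": session_key}), "tgt": tgt}

def client_logon(user: str, password: str, now: int):
    # Whole exchange from the client's view: returns the session key or the KDC error name
    rep = as_reply(as_request(user, password, now), now)
    if isinstance(rep, str):
        return rep
    return unseal(string_to_key(password, user), rep["enc_part"])["session_key"]
```

The timestamp check is what turns a captured logon request into something that cannot simply be replayed later, and the distinct error codes are what a DC logs when pre-authentication fails, which is the signal to watch for in password-guessing attempts.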
• Standard Edition : This version is basically used for basic services like file-and-print
services and general purpose application support. Windows 2000 Server can be upgraded
to Standard edition. Standard edition comes in 32 bit version only.
• Enterprise Edition : Enterprise edition has enhanced hardware support like large
memory and processor capacity than Standard Edition, along with support for clustering
feature. It is designed for high-end applications like Web Server, Mail Servers, etc.
Windows 2000 Advanced Server can be upgraded to Enterprise edition. Enterprise
edition comes in 32 and 64 bit version.
• Datacenter Edition : Datacenter edition doubles the memory and clustering capacity of
Enterprise Edition and contains features that support superior availability. It is designed
for large, critical datacenter applications like Database Server, etc. Datacenter edition
comes in 32 and 64 bit version.
• Web Edition : Web Edition is new to the Windows 2003 Server family. It is
designed for web services and web hosting applications. It lacks many of the features of
the Standard Edition in return for an attractive price and a simple-to-manage platform
that is easier to keep secure. Web Edition comes in a 32-bit version only.
Hardware requirement (CPU speed): 550 MHz | 550 MHz | 733 MHz | 733 MHz
• NT4 Server : This version can be upgraded to Server 2003, Standard Edition or
Enterprise Edition. It cannot be upgraded to Web Edition.
• NT4 Server, Enterprise Edition : You must upgrade to Windows Server 2003,
Enterprise Edition to retain full functionality.
• NT4 Server, Terminal Services Edition : If you are running Citrix MetaFrame, you
cannot upgrade directly to Windows Server 2003. You must de-install MetaFrame,
upgrade, and then install a current version of MetaFrame. Get more information at the
Citrix web site, www.citrix.com .
• NT4 Small Business Server : You can upgrade to Small Business Server Edition of
Windows Server 2003 when it becomes available and retain existing services along with
the 50-user limit or upgrade to a full version of Windows Server 2003 and BackOffice.
• Four Flavors : There are four different versions of Windows Server 2003, each with a
unique feature set. They are Web Edition, Standard Edition, Enterprise Edition, and
Datacenter Edition.
• New enhancements to Active Directory : Windows 2003 has enhanced Active
Directory by providing many new features such as domain controller rename, domain
rename, Active Directory quotas, application directory partitions, saved queries, etc.
• Itanium support (64 Bit) : Separate 64-bit Intel Architecture (IA64) versions of
Windows Server 2003, Enterprise and Datacenter Editions, are available. This chapter
covers system setup using the Extensible Firmware Interface (EFI) and preparing GUID
Partition Table (GPT) disks.
• NTFS format done during Setup : Earlier versions of Windows NT/2000 formatted the
boot partition as FAT then converted it to NTFS. Formatting the boot partition directly as
NTFS reduces Master File Table (MFT) fragmentation and eliminates a restart during
Setup.
• Security settings : Unlike Windows 2000, Setup in Windows Server 2003 does not
install Internet Information Services (IIS) by default. This is good news, because there is
no reason to make a server vulnerable to web assaults unless it's necessary to support
operations. However, IIS installation still places the Inetpub folder at the root of the boot
partition, a serious security deficiency. Always use an unattended installation script when
installing IIS to select a different partition for the web folders.
• Dropped support for legacy software striping and mirroring : When upgrading from
NT, Windows Server 2003 does not convert legacy Fault Tolerant (FT) disk sets to
Logical Disk Manager (LDM) striped and mirrored volumes. This is a departure from
Windows 2000, which does the conversion automatically. If you have an FT disk set on
an NT server, you must back it up then restore from tape following Setup. A Microsoft
utility called FTONLINE can recover the disk set following Setup by mounting it in read-
only mode so you can back it up.
• Product activation : Microsoft has incorporated a copy protection scheme into retail
versions of Windows Server 2003. Activation links the product identification key of the
software with a particular computer to prevent piracy. Volume license versions of
Windows Server 2003 do not require activation.
• Remote Desktop and Remote Assistance : Windows Server 2003 provides the new
Remote Desktop and Remote Assistance features, for Windows 2003 Server as well as for
Windows XP. A new client software replaces the Windows 2000 terminal client.
• Automatic Boot.ini updates : When new drives are introduced into a server, the
Advanced RISC Computing (ARC) path in Boot.ini is updated automatically.
• ASR (Automatic System Recovery) : ASR is a disk set used to repair a damaged Windows
2003 server. ASR replaces the ERD used in Windows 2000 Server.
• Driver Protection : A new database has been introduced in Windows Server 2003 that
acts as a "bad-boy" list of drivers that are known to cause problems. If you attempt to
install a device using one of these drivers, the system prompts you with a warning and
refuses to do the installation.
• Windows Update : This feature was first introduced in Windows 2000 and has been
improved in Windows Server 2003. You can choose to automatically download digitally
signed updates from Microsoft or you can download them manually to a central server for
evaluation and testing prior to internal deployment. The Software Update Service (SUS)
from Microsoft automates the download of updates to a central server where they can be
deployed after testing.
• Driver Rollback : If you upgrade a device driver and the server becomes unstable, you
can use Driver Rollback to return to the old driver. This is an improvement over the Last
Known Good Configuration gambit, which restores the pre-existing Registry entries but
not the drivers themselves.
• Larger Registry size : The Registry size in Windows Server 2003 is limited only by the
available space on the operating system volume. Previous versions of Windows,
including Windows 2000, imposed a Registry size limit (RSL) of about 80 percent of
paged pool memory. This change significantly improves the scalability of terminal
servers, where each concurrent user has a copy of the user profile loaded in memory.
• New Registry structure : Related portions of the Registry (called cells) are now kept
closer together, with better support for large cells. This improves seek and load times.
• Improved debugging : Changes to the kernel and kernel-mode debugging tools have
improved the ability of developers to tighten their code. We, as system administrators,
benefit because we can use the same tools for troubleshooting.
• Improved memory usage : Changes to the way paged pool memory is allocated in
Windows Server 2003 greatly conserves memory and makes it possible to handle very
large files during backups. Also, the system now allocates identical 4K memory pages by
assignment rather than by copying, which prevents applications such as web services
from using lots of memory doling out the same information to different users. The total
number of contiguous memory pages has been doubled to improve support for terminal
servers and applications that require large datasets.
• Large driver support : The amount of memory available to a driver has been increased
from about 200K in Windows 2000 to 1GB in Windows Server 2003. This improvement
is especially good news for video adapter manufacturers.
• Hot memory addition : High-availability servers such as Stratus ftServers and the new
IBM Summit technology servers give administrators the ability to add memory while a
machine is running. Windows Server 2003 supports this feature by dynamically resizing
memory when the new RAM is added. This does not work in reverse, however. If
memory must be removed for swapping, the server must be shut down.
• Improved DMA handling : If you have advanced ATA drives that take advantage of the
fast transfer speeds provided by UltraDMA (Direct Memory Access), you'll be happy to
know that Windows Server 2003 does a much better job of determining the correct DMA
mode for a device than earlier Windows operating systems. Also, Windows Server 2003
dynamically evaluates the DMA performance of a device and shifts it to PIO
(Programmed I/O) operating if it fails DMA too often. This helps maintain support for
older CD-ROM devices.
• IPv6 host records : An IPv6 host address uses a 128-bit address space in contrast to the
32-bit address space used in IPv4.
• Shadow Copy : Volume Shadow Copy is a newly added feature of Windows 2003 that
provides data redundancy for the data in shared folders.