Vision Infosystems (VIS)

Chapter 2
Active Directory Service

Topics Covered
Directory basics
Introduction to Active Directory Service
Physical and Logical Structure of Active Directory
Active Directory Partitions
Active Directory Files
New Features of Active Directory
Authentication in Windows 2003
Windows 2003 Server products
Hardware requirement
Upgrade path and New features of Windows 2003

Page No. : 1

What is a Directory
A directory is a means of organising all sorts of information about a network. The types of
information stored in a directory include network resources, network services, network users and
groups, etc. A directory is a container which arranges objects in a systematic order according to
our requirement, e.g. a telephone directory, an address directory, a company directory, etc.

There are various types of directory available; they are as under:

Application directory : A directory maintained by e-mail software such as Lotus Notes and
Exchange for keeping track of their users, etc.

Purpose-specific Directory : A directory maintained by a particular service; for example WINS and
DNS each maintain their own directory for storing hostname to IP address mappings.

Network Directory : An online directory that stores information about the resources, services and
objects in a network. It stores all information about computers, users, printers and other available
resources in a network. Active Directory in Windows 2000 is an example of a network directory.

What is a Directory Service

In simple terms a directory service can be defined as "The friendly telephone operator who guides or
looks up people's phone numbers for your assistance." If the directory is the actual data, the list of
people and telephone numbers, then the operators and the method for calling them are the
directory service. In Windows 2000 Active Directory is the database, while the computers which
maintain this database are called Domain Controllers.

In the field of computing various types of directory have been developed since networking began,
such as:
Microsoft - Active Directory Service
Xerox - Grapevine
ITU - X.500
IEEE - DNS (Domain Naming Service)
Netware - NDS (Novell Directory Service)
RFC - LDAP (Lightweight Directory Access Protocol)

What is Active Directory Service

ADS is a true network directory that includes all the features and benefits of a traditional
directory service. In November 1996, Microsoft delivered the first preview of Active Directory
for developers at the Professional Developers Conference held in Long Beach, California. Active
Directory is designed to be a single directory for any size of network. The informational (data)
model of the LDAP protocol is the base for Active Directory. Active Directory is based on X.500,
the International Standards Organization (ISO) standard defining the elements of a
distributed directory service. This standard proposes an object-oriented data model; therefore, it
uses such terms as class, object and attribute.

Active Directory Concepts

Active Directory has several components that work together to provide a complete directory
service. They are as under:

Active Directory Schema : The schema is nothing but a structure which defines what objects and
which of their attributes can be stored in ADS. When a domain is set up it contains a default schema known
as the DIT (Directory Information Tree). There are over 140 predefined classes and over 840
attributes stored in the DIT. SCHMMGMT.MSC is used to view the schema of ADS.

Objects and Attributes : In ADS every component is called an Object, and every object has
some Attributes. E.g. users, computers and printers are called objects, and the properties related to them are
called Attributes.

Class : A Class is nothing but a container, or an object containing sub-objects, like Forest, Tree,
Domain, O.U., etc.

Logical Structure of Active Directory

In Active Directory objects are grouped logically into Domains, Trees, Forests, Organisational Units, etc.
Grouping objects logically enables you to find an object by its name rather than by its physical
location.

Domains : A domain in AD is nothing but a logical grouping of objects like users, computers,
printers and O.U.s.

Trees : A tree is a logical grouping of Domains and Sub-Domains under a single hierarchy.

Forest : A forest is a logical grouping of Trees having multiple namespaces.

Organisation Unit : It is a sub-division of a domain into multiple logical classes, created by the administrator
for easy administration and management of the objects in a container.

Physical Structure
The physical components of Active Directory are sites and domain controllers.

Domain Controller : A DC is an object or computer which runs the Windows 2000 Server operating
system and which maintains a copy of AD. In a domain we can have multiple DCs according to
our requirement.

Sites : A site is a collection of one or more IP subnets connected by a highly reliable and fast
link, used to localise as much network traffic as possible. With Active Directory, sites are not part of
the namespace. When you browse the logical namespace, you see computers and users grouped
into domains and OUs, not sites. Sites contain only computer objects like Domain Controllers and the
connection objects used to configure replication between sites. Sites are basically used to control
replication of the Active Directory database between the Domain Controllers in a site.

Global Catalog : The GC can be thought of as an index file which helps to find objects in a large Active
Directory database. The global catalog is the central repository of information about objects in a
tree or forest. The GC stores a full copy of the entire Active Directory while each Domain maintains a
partial copy of it. A DC maintains the Global Catalog database. By default the first DC in the forest is
assigned the role of Global Catalog. When a user logs on to a machine the GC searches for a matching
object and sends the object query to the specific domain.

The global catalog performs the following tasks:

• It helps network logon by providing universal group membership information to a
domain controller when a logon process is initiated.
• It helps in finding information about objects within the forest.
• If a global catalog is not available when a user initiates a network logon process, the user
is only able to log on to the local computer (except members of the Domain Admins group).
• We can maintain multiple global catalog servers according to the requirements of the organisation
and the network traffic.

Dynamic DNS Service

One service that uses Active Directory is the Domain Name System (DNS) service. Active Directory
relies on DNS to find or identify objects like DCs, GCs, etc. The DNS service is configured to
integrate with Active Directory for storing network and computer information.

Functions of DNS
• Finding objects in Active Directory like Domain Controllers, Global Catalog servers, etc. using
SRV records in DNS.
• Resolving names (i.e. Fully Qualified Domain Names) to IP addresses.

LDAP (Lightweight Directory Access Protocol)

LDAP is the protocol that defines how the AD service is designed and how objects are managed in AD.
It defines the schema of AD. It defines how objects are organised in AD. It also defines how
objects or resources can be accessed from AD. All object naming in AD is based on the LDAP
protocol.

LDAP Naming of objects

CN=Schema,CN=Configuration,DC=forest name,DC=forest root

eg : CN=Ajay Raul, CN=Users, DC=Vision, DC=com

In the above example Ajay Raul is the user's full name and Vision.com is the domain name.
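As an added example (not part of the course notes), the Python below parses a distinguished name of the form shown above into its RDNs, handling backslash-escaped commas so that a name such as "Raul, Ajay" is not split in two, and derives the DNS domain name from the DC components. The sample DNs are constructed.

```python
"""Parse LDAP distinguished names (RFC 4514 form) such as the AD naming examples above.
Added example, not from the course notes; the sample DNs below are constructed."""

HEX = "0123456789abcdefABCDEF"

def parse_dn(dn: str) -> list:
    """Split a DN into (attribute type, value) pairs, most specific first.

    Commas separate RDNs, but a comma inside a value is escaped as '\\,' or as a
    hex pair '\\2C', so a naive dn.split(',') would break such names.
    Multi-valued RDNs joined with '+' are not handled here.
    """
    rdns, attr, buf, in_value = [], "", [], False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                                # escape sequence
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(chr(int(pair, 16)))        # \2C -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])                 # \, or \= or \\
                i += 2
            else:
                raise ValueError(f"dangling backslash in DN: {dn!r}")
            continue
        if ch == "=" and not in_value:
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif ch == "," and in_value:
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value:
        raise ValueError(f"malformed DN (RDN without '='): {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns

def dns_domain(dn: str) -> str:
    """DC=Vision,DC=com -> 'vision.com': the DC components, in order, form the DNS name."""
    parts = [v for a, v in parse_dn(dn) if a.upper() == "DC"]
    if not parts:
        raise ValueError("DN carries no DC components")
    return ".".join(parts).lower()

def container_path(dn: str) -> list:
    """Path from the domain root down to the object, e.g. ['Users', 'Ajay Raul']."""
    return [v for a, v in reversed(parse_dn(dn)) if a.upper() != "DC"]

if __name__ == "__main__":
    sample = "CN=Ajay Raul,CN=Users,DC=Vision,DC=com"   # constructed, as in the notes
    print(parse_dn(sample))
    print(dns_domain(sample), container_path(sample))
```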

LDAP Ports
The connections via the LDAP protocol between a client and a DSA use either Transmission
Control Protocol (TCP) or User Datagram Protocol (UDP). The table below lists the protocol
ports used in the different access modes:

Function                                  Port
LDAP                                      389
LDAP Secure Sockets Layer (SSL)           636
Global Catalog (GC)                       3268
Global Catalog Secure Sockets Layer       3269
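Tying together the DNS section above (locating a DC or GC through SRV records) and the port table, here is an added example that is not from the course notes: it builds the SRV names a Windows client queries and orders constructed SRV answers by RFC 2782 priority and weight. The domain vision.com, the site Mumbai and the host names are constructed.

```python
"""DC location through DNS SRV records, as described in the DNS section, with the
LDAP and GC ports from the table above appearing in the SRV answers.
Added example, not from the course notes; all names and records are constructed."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

def locator_names(dns_domain: str, forest_root: str, site: str = "") -> dict:
    """SRV names a Windows client queries to find a DC, a KDC and a GC server.
    Site-specific names are queried first so that a nearby DC is preferred."""
    names = {
        "dc":  f"_ldap._tcp.dc._msdcs.{dns_domain}",
        "kdc": f"_kerberos._tcp.dc._msdcs.{dns_domain}",
        "gc":  f"_gc._tcp.{forest_root}",
    }
    if site:
        names["dc_in_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"
        names["gc_in_site"] = f"_gc._tcp.{site}._sites.{forest_root}"
    return names

def order_srv(records: list, rng=None) -> list:
    """RFC 2782 target ordering: lowest priority first; within one priority, weighted
    random selection, so weight 0 targets are chosen only when nothing else is left."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight 0 entries go to the front of the list before selecting
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight)
        while pool:
            total = sum(r.weight for r in pool)
            n = rng.randint(0, total)            # uniform in 0..total inclusive
            acc = 0
            for rec in pool:
                acc += rec.weight
                if acc >= n:                     # first running sum >= n wins
                    break
            pool.remove(rec)
            ordered.append(rec)
    return ordered

def dc_candidates(answers: list, rng=None) -> list:
    """(host, port) pairs in the order a client should try them."""
    return [(r.target, r.port) for r in order_srv(answers, rng)]

# Constructed SRV answers for _ldap._tcp.dc._msdcs.vision.com; port 389 is LDAP
SAMPLE_DC_ANSWERS = [
    SRV(priority=10, weight=0,   port=389, target="dc3.vision.com"),   # backup, tried last
    SRV(priority=0,  weight=100, port=389, target="dc1.vision.com"),
    SRV(priority=0,  weight=50,  port=389, target="dc2.vision.com"),
]
# Constructed answer for _gc._tcp.vision.com; port 3268 is the Global Catalog port
SAMPLE_GC_ANSWERS = [SRV(0, 100, 3268, "dc1.vision.com")]

if __name__ == "__main__":
    for role, name in locator_names("vision.com", "vision.com", site="Mumbai").items():
        print(f"{role:11} {name}")
    print(dc_candidates(SAMPLE_DC_ANSWERS, random.Random(1)))
    print(dc_candidates(SAMPLE_GC_ANSWERS))
```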

Directory Partitions
Each DC in a forest maintains directory partitions. A directory partition is a logical grouping of
objects in AD for easy indexing and searching. There are three types of partition:

Schema Partition : It defines the type of data stored in AD. This partition is shared by all DCs in
a forest. When a new object is added to the network the schema partition is checked so that the correct
attributes are applied to the object. The schema partition is replicated to all domains in the forest.

Configuration Partition : It is used to store configuration data of the network, such as topology,
replication settings and other network-wide resources. The configuration partition is replicated to all
domains in the forest.

Domain Partition : This partition stores specific information about an AD domain. It contains
information about users, computers and other objects for a specific domain only. Each domain
maintains its own domain partition.

Active Directory Support Files

The engine used by Active Directory is based on Microsoft's Jet database technology. Jet uses a
b-tree file structure with transaction logs to ensure recoverability in the event of a system or
drive failure.
When you promote a server to a domain controller, you select where to put the Active Directory
files. The default path is in the boot partition under \WINNT\NTDS. Generally, it is a good idea
to put them on a separate volume from the operating system files to improve performance.

The following list contains the Active Directory support files and their functions:

Ntds.dit : This is the main AD database. NTDS stands for NT Directory Services. The DIT
stands for Directory Information Tree. The Ntds.dit file on a particular domain controller
contains all naming contexts hosted by that domain controller, including the Configuration and
Schema naming contexts. A Global Catalog server stores the partial naming context replicas in
the Ntds.dit right along with the full Domain naming context for its domain.

Edb.log : This is a transaction log. Any changes made to objects in Active Directory are first
saved to a transaction log. During lulls in CPU activity, the database engine commits the
transactions into the main Ntds.dit database. This ensures that the database can be recovered in
the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory
to improve performance. Transaction log files used by the ESE engine are always 10MB.

Edbxxxxx.log : These are auxiliary transaction logs used to store changes if the main Edb.log
file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in
hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is
renamed to Edb00001.log, and Edbtemp.log is renamed to Edb.log file, and the process starts
over again. ESENT uses circular logging. Excess log files are deleted after they have been
committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many
updates pending.

Edb.chk : This is a checkpoint file. It is used by the transaction logging system to mark the point
at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the
checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer
tells the system how far along a given set of commits had progressed before the termination.

Res1.log and Res2.log : These are reserve log files. If the hard drive fills to capacity just as the
system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is
used. The system then puts a dire warning on the screen prompting you to take action to free up
disk space quickly before Active Directory gets corrupted. You should never let a volume
containing Active Directory files get even close to being full. File fragmentation is a big
performance thief, and fragmentation increases exponentially as free space diminishes. Also, you
may run into problems as you run out of drive space with online database defragmentation
(compaction). This can cause Active Directory to stop working if the indexes cannot be rebuilt.

Temp.edb : This is a scratch pad used to store information about in-progress transactions and to
hold pages pulled out of Ntds.dit during compaction.

Schema.ini : This file is used to initialize the Ntds.dit during the initial promotion of a domain
controller. It is not used after that has been accomplished.

How big is the Active Directory service

Consider an Active Directory with 100,000 users, 100,000 computers, 10,000 groups, 10,000 printers and
10,000 volumes. The size of the resulting Ntds.dit is about 1,400 MB, or 1.4 gigabytes! This is
with minimal attributes set on the objects. If all the attributes are set and the schema is extended
then the size can grow much larger.

Domain Modes
There are two domain modes: mixed mode and native mode.

Mixed Mode
Mixed mode allows the domain controller to interact with any domain controllers in the domain
that are running previous versions of Windows NT. Mixed mode is a mixture of Domain
Controllers running Windows 2000 and Windows NT.

Native Mode
Native Mode is the mode in which all domain controllers within the domain are running the Windows
2000 Server operating system. Native mode does not support pre-Windows 2000 compatible
servers.

New features of Active Directory Service in Windows 2003

• Drag and drop functionality
• Saved queries
• Active Directory command-line tools
• Application directory partition
• Domain rename feature
• Domain controller rename feature
• Active Directory quota
• Universal group membership caching

Authentication in Windows 2003

Windows 2003 supports 2 types of authentication protocol. They are Kerberos V5 and NTLM
(NT LAN Manager).

NTLM : This protocol is used for backward compatibility with operating systems like Windows
95, 98 and NT. This protocol is used in mixed mode and is disabled in native mode.

Kerberos V5 : This protocol is an industry standard authentication protocol that provides a higher
level of security; it is one of the most secure and fast authentication protocols and was developed by MIT.
Kerberos V5 is the default protocol used in Windows 2000/2003 for authentication of users,
computers and even trust relationships.

How Kerberos V5 works

When a user logs on to the domain the user's password is converted into an encryption key. The local
computer uses this key to encrypt timestamp information and sends it to the Domain
Controller. To find the domain controller the client uses the DNS SRV records.

The Domain Controller decrypts the information, checks the timestamp and
creates two Kerberos tickets. The tickets are encrypted using the user's stored password key and
sent back to the user. The two tickets are the logon session key ticket, which is used to
establish the logon session, and the TGT (Ticket Granting Ticket) or user ticket, which
helps the user to access network resources.
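The exchange described above, as an added example that is not part of the course notes: a toy model of the Kerberos AS exchange with encrypted-timestamp pre-authentication, showing both the client and the domain controller (KDC) side, including the checks that reject a wrong password, a timestamp outside the permitted clock skew, and a replayed authenticator. A simplified string-to-key and an HMAC-SHA256 based construction stand in for the real Kerberos encryption types; the realm VISION.COM and user ajay are constructed.

```python
"""Toy model of the Kerberos V5 AS exchange with encrypted-timestamp pre-authentication.
Added example, not from the course notes. A keyed stream built from HMAC-SHA256 stands in
for the real Kerberos encryption types and string_to_key is simplified; realm and user
names are constructed."""
import hashlib, hmac, os, time

MAX_CLOCK_SKEW = 300            # seconds; the Kerberos default is 5 minutes
NONCE_LEN, TAG_LEN = 16, 32

def string_to_key(password: str, salt: str) -> bytes:
    # Real AES enctypes derive the key with PBKDF2 over REALM+principal; simplified here
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag: confidentiality plus integrity, as Kerberos requires."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """The domain controller side: holds the long-term keys and issues TGTs."""
    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}                      # principal -> long-term key (from the password)
        self.krbtgt_key = os.urandom(32)    # only the KDC can read TGTs
        self.replay_cache = set()           # (principal, timestamp) already accepted

    def add_user(self, name: str, password: str) -> None:
        self.keys[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, name: str, preauth: bytes, now: float):
        key = self.keys.get(name)
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
        try:
            ts = int.from_bytes(decrypt(key, preauth), "big")
        except ValueError:
            return "KDC_ERR_PREAUTH_FAILED", None   # wrong password: key does not match
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW", None          # stale timestamp or drifted clock
        if (name, ts) in self.replay_cache:
            return "KRB_AP_ERR_REPEAT", None        # same authenticator presented twice
        self.replay_cache.add((name, ts))
        session_key = os.urandom(32)
        # TGT: readable only by the KDC; the client gets the session key under its own key
        tgt = encrypt(self.krbtgt_key, f"{name}|{int(now)}|".encode() + session_key)
        return "OK", (encrypt(key, session_key), tgt)

def client_logon(kdc: KDC, name: str, password: str, now: float = None):
    """Client side: derive the key from the password, encrypt the timestamp, read the reply."""
    now = time.time() if now is None else now
    key = string_to_key(password, kdc.realm + name)
    preauth = encrypt(key, int(now).to_bytes(8, "big"))
    status, reply = kdc.as_exchange(name, preauth, now)
    if status != "OK":
        return status, None
    enc_session_key, tgt = reply
    return status, (decrypt(key, enc_session_key), tgt)   # session key usable; TGT opaque
```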

Windows 2003 Server Version Comparisons

There are four different versions of Windows Server 2003.

• Standard Edition : This version is basically used for basic services like file-and-print
services and general purpose application support. Windows 2000 Server can be upgraded
to Standard Edition. Standard Edition comes in a 32 bit version only.

• Enterprise Edition : Enterprise Edition has enhanced hardware support, like larger
memory and processor capacity than Standard Edition, along with support for the clustering
feature. It is designed for high-end applications like Web Servers, Mail Servers, etc.
Windows 2000 Advanced Server can be upgraded to Enterprise Edition. Enterprise
Edition comes in 32 and 64 bit versions.

• Datacenter Edition : Datacenter Edition doubles the memory and clustering capacity of
Enterprise Edition and contains features that support superior availability. It is designed
for large, critical datacenter applications like Database Servers, etc. Datacenter Edition
comes in 32 and 64 bit versions.

• Web Edition : Web Edition is new to the Windows 2003 Server family of products. It is
designed for web services and web hosting applications. It lacks many of the features in
the Standard Edition in return for an attractive price and a simple-to-manage platform
that is easier to keep secure. Web Edition comes in a 32 bit version only.

Hardware configuration requirements

Hardware Variable   Web Edition   Standard Edition   Enterprise Edition        Datacenter Edition
CPU Speed           550 MHz       550 MHz            733 MHz                   733 MHz
RAM                 256 MB        256 MB             256 MB                    1 GB
Maximum RAM         2 GB          4 GB               32 GB (64 GB for IA64)    64 GB (512 GB for IA64)
Clusters            N/A           N/A                4 node                    8 node
Processor           1 or 2        1 or 2             Up to 8                   8 to 32 max (64 for IA64)

Upgrade Paths for Windows 2003

Windows Server 2003, Standard and Enterprise Editions do not support upgrading from
Windows 9x, Windows ME, or any version of NT Professional (NT4, NT3.51, or NT3.50). The
server upgrade paths are as follows.
Upgrading from NT 3.1, NT 3.50, and NT 3.51 requires a two-step process. First, upgrade to
NT4, and then you can upgrade to Windows Server 2003.
You can upgrade directly to Windows Server 2003 from any of the following NT4 server
versions (all NT4 upgrades require Service Pack 6a):

• NT4 Server : This version can be upgraded to Server 2003, Standard Edition or
Enterprise Edition. It cannot be upgraded to Web Edition.

• NT4 Server, Enterprise Edition : You must upgrade to Windows Server 2003,
Enterprise Edition to retain full functionality.

• NT4 Server, Terminal Services Edition : If you are running Citrix MetaFrame, you
cannot upgrade directly to Windows Server 2003. You must de-install MetaFrame,
upgrade, and then install a current version of MetaFrame. Get more information at the
Citrix web site, www.citrix.com.

• NT4 Small Business Server : You can upgrade to the Small Business Server Edition of
Windows Server 2003 when it becomes available and retain existing services along with
the 50-user limit, or upgrade to a full version of Windows Server 2003 and BackOffice.

New Features in Windows Server 2003

This chapter covers the new features in Windows Server 2003:

• Four Flavors : There are four different versions of Windows Server 2003, each with a
unique feature set. They are Web Edition, Standard Edition, Enterprise Edition, and
Datacenter Edition.

• New enhancements to Active Directory : Windows 2003 has enhanced Active
Directory by providing many new features like domain controller rename, domain
rename, Active Directory quota, application directory partition, saved queries, etc.

• Enhanced hardware requirements : Windows Server 2003 requires more memory,
faster processors, and more storage capacity.

• Itanium support (64 Bit) : Separate 64-bit Intel Architecture (IA64) versions of
Windows Server 2003, Enterprise and Datacenter Editions, are available. This chapter
covers system setup using the Extensible Firmware Interface (EFI) and preparing GUID
Partition Table (GPT) disks.

• NTFS format done during Setup : Earlier versions of Windows NT/2000 formatted the
boot partition as FAT then converted it to NTFS. Formatting the boot partition directly as
NTFS reduces Master File Table (MFT) fragmentation and eliminates a restart during
Setup.

• Security settings : Unlike Windows 2000, Setup in Windows Server 2003 does not
install Internet Information Services (IIS) by default. This is good news, because there is
no reason to make a server vulnerable to web assaults unless it's necessary to support
operations. However, IIS installation still places the Inetpub folder at the root of the boot
partition, a serious security deficiency. Always use an unattended installation script when
installing IIS to select a different partition for the web folders.

• Dropped support for legacy software striping and mirroring : When upgrading from
NT, Windows Server 2003 does not convert legacy Fault Tolerant (FT) disk sets to
Logical Disk Manager (LDM) striped and mirrored volumes. This is a departure from
Windows 2000, which does the conversion automatically. If you have an FT disk set on
an NT server, you must back it up then restore from tape following Setup. A Microsoft
utility called FTONLINE can recover the disk set following Setup by mounting it in read-
only mode so you can back it up.

• Product activation : Microsoft has incorporated a copy protection scheme into retail
versions of Windows Server 2003. Activation links the product identification key of the
software with a particular computer to prevent piracy. Volume license versions of
Windows Server 2003 do not require activation.

• Remote Desktop and Remote Assistance : Windows Server 2003 provides the new
features of Remote Desktop and Remote Assistance for Windows 2003 Server as well as for
Windows XP. A new client software replaces the Windows 2000 terminal client.

• Automatic Boot.ini updates : When new drives are introduced into a server, the
Advanced RISC Computing (ARC) path in Boot.ini is updated automatically.

• ASR (Automatic System Recovery) : ASR is a disk used to repair a damaged Windows
2003 server. ASR has replaced the ERD used in Windows 2000 server.

• EMS (Emergency Management Services) : EMS is a new feature added to connect to a
Windows 2003 server via the serial port.

• Driver Protection : A new database has been introduced in Windows Server 2003 that
acts as a "bad-boy" list of drivers that are known to cause problems. If you attempt to
install a device using one of these drivers, the system prompts you with a warning and
refuses to do the installation.

• Windows Update : This feature was first introduced in Windows 2000 and has been
improved in Windows Server 2003. You can choose to automatically download digitally
signed updates from Microsoft or you can download them manually to a central server for
evaluation and testing prior to internal deployment. The Software Update Service (SUS)
from Microsoft automates the download of updates to a central server where they can be
deployed after testing.

• Driver Rollback : If you upgrade a device driver and the server becomes unstable, you
can use Driver Rollback to return to the old driver. This is an improvement over the Last
Known Good Configuration gambit, which restores the pre-existing Registry entries but
not the drivers themselves.

• Larger Registry size : The Registry size in Windows Server 2003 is limited only by the
available space on the operating system volume. Previous versions of Windows,
including Windows 2000, imposed a Registry size limit (RSL) of about 80 percent of
paged pool memory. This change significantly improves the scalability of terminal
servers, where each concurrent user has a copy of the user profile loaded in memory.

• New Registry structure : Related portions of the Registry (called cells) are now kept
closer together, with better support for large cells. This improves seek and load times.

• Improved debugging : Changes to the kernel and kernel-mode debugging tools have
improved the ability of developers to tighten their code. We, as system administrators,
benefit because we can use the same tools for troubleshooting.

• Improved memory usage : Changes to the way paged pool memory is allocated in
Windows Server 2003 greatly conserves memory and makes it possible to handle very
large files during backups. Also, the system now allocates identical 4K memory pages by
assignment rather than by copying, which prevents applications such as web services
from using lots of memory doling out the same information to different users. The total
number of contiguous memory pages has been doubled to improve support for terminal
servers and applications that require large datasets.

• Large driver support : The amount of memory available to a driver has been increased
from about 200K in Windows 2000 to 1GB in Windows Server 2003. This improvement
is especially good news for video adapter manufacturers.

• Hot memory addition : High-availability servers such as Stratus ftServers and the new
IBM Summit technology servers give administrators the ability to add memory while a
machine is running. Windows Server 2003 supports this feature by dynamically resizing
memory when the new RAM is added. This does not work in reverse, however. If
memory must be removed for swapping, the server must be shut down.

• Improved multiprocessor support : Classic Symmetric Multiprocessor (SMP) servers
share their processors on a single bus, which creates bottlenecks. Newer servers use a
cache-coherent Non-Uniform Memory Allocation (ccNUMA) scheme for sharing
processors. In ccNUMA, processors are married to RAM that is physically situated
nearby. These sections of closely allied CPU and RAM connect to each other via a series
of crossbars in much the same way that cities in southern California are connected
together by freeways. Windows Server 2003 supports ccNUMA architecture by
allocating memory calls between "near" memory and "far" memory so that threads and
memory stay in the same location.

• Improved DMA handling : If you have advanced ATA drives that take advantage of the
fast transfer speeds provided by UltraDMA (Direct Memory Access), you'll be happy to
know that Windows Server 2003 does a much better job of determining the correct DMA
mode for a device than earlier Windows operating systems. Also, Windows Server 2003
dynamically evaluates the DMA performance of a device and shifts it to PIO
(Programmed I/O) operation if it fails DMA too often. This helps maintain support for
older CD-ROM devices.

• Improved Device Removal handling : Although it is not common to yank components
off a running server, you may have servers with removable drives or Universal Serial Bus
(USB) peripherals. The proper way to remove a device is to inform the operating system
first, but surprise removals are more the rule than the exception. Windows Server 2003
prepares for the surprise removal of drives and drive media by disabling write caching on
all removable media drives except IEEE 1394 FireWire.

• IPv6 host records : An IPv6 host address uses a 128-bit address space, in contrast to the
32-bit address space used in IPv4.

• Shadow Copy : Volume Shadow Copy is a newly added feature in Windows 2003 that
provides data redundancy for the data in shared folders.
