Introduction to Active Directory Services

Completely integrated with Microsoft Windows 2000 Server.
Integrates the Internet concept of namespace with the operating system's directory service.
Allows a single point of administration for all published resources.

Understanding Active Directory Concepts

Extensible schema
Global catalog
Namespace
Naming conventions

Extensible Schema

Extending the schema is an advanced operation, intended to be performed by experienced programmers and system administrators.

Global Catalog

The global catalog is the central repository of information about objects in a domain tree or forest.
The global catalog is a service as well as a physical storage location that contains a replica of selected attributes of every object in the Active Directory store.
By default, the first domain controller is a global catalog server.
Additional domain controllers can also be designated as global catalog servers by using the Active Directory Sites And Services snap-in.

Namespace

Naming Conventions

Distinguished names (DNs)
Relative distinguished names (RDNs)
Globally unique identifiers (GUIDs)
User principal names (UPNs)

Distinguished Names (DNs)

Objects are located within Active Directory domains according to a hierarchical path.
Every object in the Active Directory store has a DN, which uniquely identifies the object.
The DN includes the name of the domain that holds the object as well as the complete path through the container hierarchy to the object. For example: DC=msft/DC=Contoso/CN=Users/CN=John Smith

Relative Distinguished Names (RDNs)

The RDN is one of an object's attributes.
Active Directory allows duplicate RDNs for objects, but no two objects with the same RDN can exist within the same OU.
The RDN is part of the full DN. For example: CN=John Smith

Globally Unique Identifiers (GUIDs)

User Principal Names (UPNs)

The UPN is a friendly name that is shorter than the DN and easier to remember.
The UPN consists of a shorthand name that represents the user and usually the DNS name of the domain where the object resides.
Example: johns@contoso.msft
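The naming rules from the DN, RDN and UPN slides, as an added example that is not part of the deck: a small DN parser that accepts both the slide's root-first slash notation and the leaf-first comma form LDAP itself uses (RFC 4514, with backslash escapes), derives the parent container and the domain's DNS name, builds a UPN, and enforces the rule that sibling RDNs must be unique. All sample DNs are constructed.

```python
# Added example (not the deck's own code): DN / RDN / UPN rules in working form.
SAMPLE_DN = r"CN=Smith\, John,CN=Users,DC=contoso,DC=msft"  # leaf-first LDAP form, constructed
DECK_DN = "DC=msft/DC=Contoso/CN=Users/CN=John Smith"       # root-first form as on the slide

def split_dn(dn):
    """Split a DN into (attribute, value) RDNs, leaf first.
    Honours backslash escapes so 'Smith\\, John' stays one value and
    normalises the root-first slash notation to leaf-first order."""
    sep = "/" if "/" in dn and "," not in dn else ","
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if dn[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = [(a.strip().upper(), v.strip()) for a, _, v in (p.partition("=") for p in parts)]
    return rdns[::-1] if sep == "/" else rdns

def join_dn(rdns):
    """Inverse of split_dn: leaf-first RDNs back to a comma DN, re-escaping commas."""
    return ",".join(a + "=" + v.replace(",", "\\,") for a, v in rdns)

def parent_dn(dn):
    """DN of the container that holds the object (everything but the leaf RDN)."""
    return join_dn(split_dn(dn)[1:])

def domain_dns_name(dn):
    """The DC components, read leaf-first, spell the domain's DNS name."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")

def upn(shorthand, dn):
    """UPN = shorthand user name @ DNS name of the domain holding the object."""
    return shorthand + "@" + domain_dns_name(dn)

def rdn_is_unique(existing_dns, new_dn):
    """Slide rule: duplicate RDNs are allowed in the directory, but not under the
    same container. Comparison is case-insensitive, as DN matching is."""
    new_leaf, new_parent = split_dn(new_dn)[0], parent_dn(new_dn).lower()
    for dn in existing_dns:
        leaf = split_dn(dn)[0]
        same_leaf = leaf[0] == new_leaf[0] and leaf[1].lower() == new_leaf[1].lower()
        if same_leaf and parent_dn(dn).lower() == new_parent:
            return False
    return True
```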

Structure of Active Directory Architecture

Data model
Schema
Security model
Administration model

Access to Active Directory Services

Protocol support
Application programming interfaces (APIs)
Virtual containers

Protocol Support

LDAP is the Active Directory core protocol.
The Active Directory information model is derived from the X.500 information model.
Active Directory supports remote procedure call (RPC) interfaces that support Messaging Application Programming Interface (MAPI) interfaces.

Application Programming Interfaces (APIs)

Active Directory Service Interfaces (ADSI)
LDAP C API
Windows MAPI

Virtual Containers

Active Directory supports virtual containers, which allow any LDAP-compliant directory to be accessed transparently through Active Directory services.
The virtual container is implemented via location information in the Active Directory store.

Directory Service Architecture

Interfaces
Directory System Agent (DSA)
Database layer
Extensible Storage Engine (ESE)
Data store (Ntds.dit)

Active Directory Key Service Components

Interfaces

LDAP provides the API for LDAP clients and exposes the ADSI so that additional applications can be written that can talk to Active Directory services.
REPL is used by the replication service to facilitate Active Directory replication via RPC over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP).
SAM provides down-level compatibility to facilitate communication between Microsoft Windows 2000 and Microsoft Windows NT 4.0 domains.
MAPI supports legacy MAPI clients.

Directory System Agent (DSA)

Object identification
Transaction processing
Schema enforcement of updates
Access control enforcement
Support for replication
Referrals

Database Layer

Provides an object view of database information by applying schema semantics to database records.
Is an internal interface that is not exposed to the public.
Translates each DN into an integer structure called the DN tag, which is used for internal access.
Is responsible for the creation, retrieval, and deletion of individual records, attributes, and values.
Follows the parent references in the database and concatenates the successive RDNs to form DNs.
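An added illustration of the DN-tag mechanism the database layer slide describes (not the deck's code, and not the real on-disk layout): a toy record table keyed by integer tag, each record carrying a parent reference and its own RDN, from which a DN is rebuilt by following parent references and concatenating RDNs, and a DN is resolved back to its tag by descending from the root. The records are constructed.

```python
# Added example: toy model of DN tags with parent references (not Ntds.dit's real format).
# Each record: tag -> (parent_tag, rdn). Tag 0 is the root, which has no parent and an empty RDN.
RECORDS = {
    0: (None, ""),
    1: (0, "DC=msft"),
    2: (1, "DC=contoso"),
    3: (2, "CN=Users"),
    4: (3, "CN=John Smith"),
    5: (2, "OU=Sales"),
    6: (5, "CN=John Smith"),   # same RDN as tag 4 under a different parent: allowed
}

def dn_from_tag(records, tag):
    """Follow parent references upward and concatenate RDNs leaf-first into a DN."""
    rdns = []
    while tag is not None:
        parent, rdn = records[tag]
        if rdn:                      # the root contributes nothing to the DN
            rdns.append(rdn)
        tag = parent
    return ",".join(rdns)

def tag_from_dn(records, dn):
    """Translate a comma-separated DN into its integer DN tag by walking from the
    root one RDN at a time. Returns None if any step of the path does not exist.
    RDN matching is case-insensitive, as in the directory; escapes are not handled here."""
    if not dn:
        return 0
    children = {}                    # parent tag -> {lower-cased rdn: child tag}
    for tag, (parent, rdn) in records.items():
        children.setdefault(parent, {})[rdn.lower()] = tag
    tag = 0
    for rdn in reversed(dn.split(",")):   # root-most RDN first
        tag = children.get(tag, {}).get(rdn.strip().lower())
        if tag is None:
            return None
    return tag
```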

Extensible Storage Engine (ESE)

A new and improved version of the JET database.
Stores all Active Directory objects.
Stores attributes that can have multiple values.
Implements a transacted database system that uses log files to ensure that committed transactions are safe.
Comes with a predefined schema that defines all the attributes required and allowed for a given object.

Introduction to Namespace Planning

The Active Directory namespace is the top-level qualified domain name for the company.
You must determine whether the internal and external namespaces will be the same or separate.

Defining a Namespace Architecture

Introduction
Root domain
First-layer domains
Second-layer domains

Introduction to OU Planning

OUs should reflect the details of the organization's business structure.
Create OUs to delegate administrative control over smaller groups of users, groups, and resources.
OUs eliminate the need to provide users with administrative access at the domain level.
OUs inherit security policies from the parent domain and parent OU unless inheritance is specifically disabled.

Creating the OU Structure

You should begin your OU design by creating an OU structure for the first domain in the namespace.
When you create an OU, you should determine who will be able to view and control certain objects and what level of administration each administrator will have over the objects.

OU Design Guidelines

Create OUs to delegate administration.
Create OUs to apply security policies.
Create OU structures that are relatively static. OUs also give the namespace flexibility to adapt to changing needs of the enterprise.
Avoid allocating too many child objects to any OU.
Create a logical and meaningful OU structure that allows OU administrators to complete their tasks efficiently.
Create OUs to manage the visibility of published resources.

Structure the OU Hierarchy

Administration-based or object-based OUs
Geographical-based OUs
Business function-based OUs
Department-based OUs
Project-based OUs

Introduction to Site Planning

The physical design of a Windows 2000 network is demarcated by site.
The Active Directory replication engine allows you to differentiate between replication over a LAN and replication over a WAN.
How you set up your sites affects Windows 2000 with respect to workstation logon and directory replication.
In Active Directory services, sites are not part of the namespace.
Properly planned sites ensure that network links are not saturated by replication traffic, that Active Directory services stay current, and that client computers access resources that are closest to them.
When planning how to group subnets into sites, consider the connection speed between the subnets.

Optimizing Workstation Logon Traffic

When planning sites, consider which domain controllers workstations should use.
To have a particular workstation log on to a specific set of domain controllers, define the sites so that only those domain controllers are on the same site as the workstation.

Optimizing Directory Replication

When planning sites, consider where the domain controllers will be located.
Configure sites so that replication occurs at times or intervals that will not interfere with network performance.
When implementing sites in branch offices, base your planning on the size of the branch office.

Introduction to the Active Directory Installation Wizard

Adding or Creating a Domain Controller

If you add a domain controller to an existing domain, you create a peer domain controller.
If you create the first domain controller for a new domain, you are creating not only the domain controller but also a new domain.

Adding a Domain Controller to an Existing Domain

Creating a New Child Domain

Creating a New Domain Tree

Adding a Domain Tree to a Forest

The Active Directory Database and the Shared System Volume

Created when Active Directory Services is installed.

The Active Directory Database

The database is a file named Ntds.dit, which is the directory for the new domain.
The default location for the database and the database log files is %systemroot%\Ntds, although you can specify a different location.
The database contains all the information stored in the Active Directory store.
The Ntds.dit file is an ESE database that contains the entire schema, the global catalog, and all the objects stored on that domain controller.

The Shared System Volume

The shared system volume is a folder structure that exists on all Windows 2000 domain controllers.
The shared system volume stores scripts and some of the group policy objects for the current domain as well as the enterprise.
Replication of the shared system volume occurs on the same schedule as Active Directory replication.

Domain Modes

Mixed mode
Native mode

Introduction to OUs and Their Objects

Each Active Directory object is a distinct named set of attributes that represents a specific network resource.
Before objects are added to Active Directory services, you should create the OUs that will contain those objects.

Creating OUs

Adding Objects to OUs

Computer
Printer
Contact
User
Group
Shared Folder

Locating Objects

Modifying Attributes and Deleting Objects

You can modify the attributes of an object to change or add information.
You can modify an object's attribute by opening the properties for that object in the Active Directory Users And Computers snap-in.
To maintain security, delete objects when they are no longer needed.

Moving Objects

You can move objects from one location in the Active Directory store to another location.
You should move objects when organization or administrative functions change.

Managing Active Directory Permissions

Use Active Directory permissions to determine who has the permissions to gain access to the object and what type of access is allowed.
The object type determines which permissions you can select.
Permissions inheritance minimizes the number of times you need to assign permissions for objects.

Delegating Administrative Control of Objects

You can delegate administrative control of objects to individuals.
Use the Delegation Of Control wizard to delegate control of objects.
An administrator can delegate specific types of control.
To delegate administrative control, you should try to follow specific guidelines.
You can access the Delegation Of Control wizard through the Active Directory Users And Computers snap-in.
The most common method of delegating control is to assign permissions at the OU level.

Guidelines for Administering Active Directory Services

Coordinate Active Directory structure with other administrators.
Complete all attributes when creating objects.
Ensure that delegated users take responsibility and can be held accountable.
Provide training for users who control objects.
Use deny permissions sparingly.
Ensure that at least one user has Full Control permission for each object.