Understanding Active Directory Concepts

Schema
- Defines the attributes an instance of a class must have and those that are optional
- Defines which object classes can be parents
- The default schema contains definitions of the most commonly used objects
- Extensible schema: you can name new object types and their attributes, or add new attributes to existing objects
- Not for the faint-hearted

Global Catalog
- The global catalog is the central repository of information about objects in a domain tree or forest
- Its contents are generated by AD services and hold only the most frequently used attributes
- The global catalog is a service as well as a physical storage location that contains a replica of selected attributes of every object in the Active Directory store
- By default the first domain controller is a global catalog server; additional domain controllers can also be designated as global catalog servers by using the Active Directory Sites And Services snap-in

Namespace

Distinguished Names (DNs)
- Objects are located within Active Directory domains according to a hierarchical path
- Every object in the Active Directory store has a DN, which uniquely identifies the object
- The DN includes the name of the domain that holds the object as well as the complete path through the container hierarchy to the object
- For example, if John Smith works for msft.com and is a member of the CONTOSO domain, his DN is /DC=com/DC=msft/DC=Contoso/CN=Users/CN=John Smith

Relative Distinguished Names (RDNs)
- The RDN is one of an object's attributes
- Active Directory services allow duplicate RDNs for objects, but no two objects with the same RDN can exist within the same OU
- The RDN is part of the full DN; for example, CN=John Smith

Globally Unique Identifiers (GUIDs)
- Assigned to every object
- Unique across domains
- Objects can be moved, but the GUID stays the same
- 128-bit number
- Never changes
- Identifies the object regardless of its DN
- Stored in an object attribute

User Principal Names (UPNs)
- The UPN is a friendly name that is shorter than the DN and easier to remember
- The UPN consists of a shorthand name that represents the user and, usually, the DNS name of the domain where the object resides
- Independent of the DN
- Example: johns@contoso.msft

Active Directory Structure
- Data model
- Schema
- Trusted Computing Base
- Administration model
- Class instances
- Can be updated dynamically
- Protected by ACLs
- Security model
- X.500
- Authorized to perform a certain set of actions
- Directory System Agent: manages all AD service functions

Application Programming Interfaces (APIs)
- Active Directory Service Interfaces (ADSI): easy to write applications
- LDAP C API
- Developers: C, VB
- Administrators: C, VB, Script
- Users: Script
- Ability to work with many types of clients: Windows, MAPI (Outlook or other legacy apps)

Active Directory Key Service Components: Interfaces
- LDAP provides the API for LDAP clients and exposes the ADSI so that additional applications can be written that can talk to the Active Directory services
- REPL is used by the replication service to facilitate Active Directory replication via RPC over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP)
- SAM provides down-level compatibility to facilitate communication between Microsoft Windows 2000 and Microsoft Windows NT 4.0 domains
- MAPI supports legacy MAPI clients

Directory System Agent (DSA)
- Object identification: maintains the GUID association with the object
- Transaction processing: commit, rollback
- Schema enforcement of updates
- Multimaster replication: duplication and synchronization of directory information; a change in an object may conflict with another change in the same or other replicas
- Single-master replication: any change you make on the master is made on all replicas (i.e. schema changes must be replicated to preserve consistency)
- Access control enforcement (SIDs)
- Support for replication
- Referrals

Database Layer
- Provides an object view of database information by applying schema semantics to database records
- Is an internal interface that is not exposed to the public
- Translates each DN into an integer structure called the DN tag, which is used for internal access
- Is responsible for the creation, retrieval and deletion of individual records, attributes and values
- Follows the parent references in the database and concatenates the successive RDNs to form DNs

Extensible Storage Engine (ESE)
- A new and improved version of the JET database
- Stores all Active Directory objects
- Stores attributes that can have multiple values
- Implements a transacted database system that uses log files to ensure that committed transactions are safe
- Comes with a predefined schema that defines all the attributes required and allowed for a given object
- Can handle sparse rows

Introduction to Namespace Planning
- Consists of: domain hierarchy, global catalog, trust relationships, OUs
- The Active Directory namespace is the top-level qualified domain name for the company
- You must determine whether the internal and external namespaces will be the same or separate
- Internal: inside the firewall
- External: outside the firewall; a registered domain name
- Your namespace architecture should be scalable, adaptable to change, able to distinguish between internal and external resources, and protect company data

Scenario: Same internal and external namespace
- Internal users can access both intranet and internet servers
- External users can access internal resources
- Solution: company DNS divided into two zones; one resolves resources for external users outside the firewall, the other resolves resources for internal users inside the firewall
- May need to duplicate the external zone for internal user access
- Advantages: single logon; consistent naming
- Disadvantages: complicated duplication; different view of internal and external resources

Scenario: Different internal and external namespace
- Requires registering two domain names; if the internal name is not reserved, someone else may use it
- Two DNS zones
- Advantages: distinct difference between internal and external resources; no overlap or duplication; simpler configuration
- Disadvantages: registering two names; different logon names and email names (internal: ken@expedia.dom, email: ken@microsoft.com)

Introduction to OU Planning
- OUs should reflect the details of the organization's business structure
- Create OUs to delegate administrative control over smaller groups of users, groups and resources
- OUs eliminate the need to provide users with administrative access at the domain level
- OUs inherit security policies from the parent domain and parent OU unless inheritance is specifically disabled

Creating the OU Structure
- You should begin your OU design
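The DN, RDN and UPN rules from the Namespace section above, worked through in code. This is an added example and not part of the original slides: it parses the LDAP string form of a DN (leaf RDN first, the reverse of the root-first notation the slide uses), decodes RFC 4514 escapes so that an escaped comma cannot be mistaken for a separator, derives the UPN from the DC components, and checks the rule that no two objects may share an RDN within the same container. All function names and sample names are constructed for the example.

```python
# Added example, not from the original slides; function and sample names are constructed.
from typing import List, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse the RFC 4514 string form (leaf RDN first) into [(attr, value), ...],
    decoding '\\,'-style escapes and single-byte '\\2C'-style hex pairs so an
    escaped comma inside a value is never mistaken for the RDN separator."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in "0123456789abcdefABCDEF" for h in pair):
                buf.append(chr(int(pair, 16))); i += 3   # hex pair escape
            elif i + 1 < len(dn):
                buf.append(dn[i + 1]); i += 2            # '\,' '\=' '\\' ...
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if c == ",":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    out = []
    for part in parts:
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        out.append((attr.strip().upper(), val.strip()))
    return out

def canonical(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Comparison key: AD names are case-insensitive, so fold case after decoding."""
    return tuple((a, v.casefold()) for a, v in split_dn(dn))

def domain_of(dn: str) -> str:
    """Join the DC components into the DNS name of the domain holding the object."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")

def upn(logon_name: str, dn: str) -> str:
    """Friendly UPN, shorthand@domain, derived from the object's DN."""
    return f"{logon_name}@{domain_of(dn)}"

def same_object(dn_a: str, dn_b: str) -> bool:
    """True when both strings name the same RDN in the same container (the
    collision AD forbids); the same RDN in different containers is allowed."""
    return canonical(dn_a) == canonical(dn_b)
```

Comparing DNs only after decoding and case-folding matters for access-control code: two differently escaped spellings of one name refer to the same object.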