Introduction to Active Directory Services

- Completely integrated with Microsoft Windows 2000 Server
- Integrates the Internet concept of namespace with the operating system's directory service
- Allows a single point of administration for all published resources
- Secure, distributed, partitioned, replicated, hierarchical, scalable

Understanding Active Directory Concepts: Schema

- Defines the attributes an instance of a class must have and those that are optional
- Defines which object classes can be parents
- The default schema contains definitions of the most commonly used objects
- Extensible schema:
  - Can define new object types and their attributes, or new attributes of existing objects
  - Not for the faint-hearted

Global Catalog

- The global catalog is the central repository of information about objects in a domain tree or forest
- Contents are generated by Active Directory services
- Holds only the most frequently used attributes
- The global catalog is a service as well as a physical storage location that contains a replica of selected attributes of every object in the Active Directory store
- By default, the first domain controller is a global catalog server
- Additional domain controllers can also be designated as global catalog servers by using the Active Directory Sites And Services snap-in

Understanding Active Directory Concepts: Namespace

- Any bounded area in which a name can be resolved
- Based on the DNS naming scheme
- Contiguous namespace: the parent name is part of the full name
- Disjoint namespace

Namespace: Distinguished Names (DNs)

- Objects are located within Active Directory domains according to a hierarchical path
- Every object in the Active Directory store has a DN, which uniquely identifies the object
- The DN includes the name of the domain that holds the object as well as the complete path through the container hierarchy to the object
- For example, if John Smith works for msft.com and is a member of the CONTOSO domain, his DN is: DC=com, DC=msft, DC=Contoso, CN=Users, CN=John Smith

Relative Distinguished Names (RDNs)

- The RDN is one of an object's attributes
- Active Directory services allows duplicate RDNs for objects, but no two objects with the same RDN can exist within the same OU
- The RDN is part of the full DN, for example CN=John Smith

Globally Unique Identifiers (GUIDs)

- Assigned to every object
- Unique across domains
- Objects can be moved, but the GUID stays the same
- 128-bit number
- Never changes
- Identifies the object regardless of its DN
- Stored in an object attribute

User Principal Names (UPNs)

- The UPN is a friendly name that is shorter than the DN and easier to remember
- The UPN consists of a shorthand name that represents the user and, usually, the DNS name of the domain where the object resides
- Independent of the DN
- Example: johns@contoso.msft

Active Directory Structure

- Data model
- Schema
- Trusted Computer Base
- Administration model
- Class instances
  - Can be updated dynamically
  - Protected by ACLs
- Security model
- X.500
- Authorized to perform a certain set of actions
- Directory System Agent: manages physical storage

Protocol Support

- LDAP (v2 or v3) is the Active Directory core protocol
- Active Directory services supports remote procedure call (RPC) interfaces that support Messaging Application Programming Interface (MAPI) interfaces
- The Active Directory information model is derived from the X.500 information model
- Does not support all X.500-defined wire protocols

Application Programming Interfaces (APIs)

- Active Directory Service Interfaces (ADSI): easy to write applications
- LDAP C API
- Developers: C, VB
- Administrators: C, VB, Script
- Users: Script
- Ability to work with many types of clients: Windows, MAPI (Outlook or other legacy apps)

Virtual Containers

- Active Directory services supports virtual containers, which allow any LDAP-compliant directory to be accessed transparently through Active Directory services
- The virtual container is implemented via location information in the Active Directory store
- The location describes where in the Active Directory store the foreign directory should appear

Active Directory Key Service Components: Interfaces

- LDAP provides the API for LDAP clients and exposes the ADSI so that additional applications can be written that talk to Active Directory services
- REPL is used by the replication service to facilitate Active Directory replication via RPC over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP)
- SAM provides down-level compatibility to facilitate communication between Microsoft Windows 2000 and Microsoft Windows NT 4.0 domains
- MAPI supports legacy MAPI clients

Directory System Agent (DSA)

- Object identification: maintains the GUID association with the object
- Transaction processing: commit, rollback
- Schema enforcement of updates
- Multimaster replication: duplication and synchronization of directory information; a change in an object may conflict with another object in the same or other replicas
- Single-master replication: any change you make on the master is made on all replicas, i.e. schema changes must be replicated to preserve consistency
- Access control enforcement (SIDs)
- Support for replication
- Referrals

Database Layer

- Provides an object view of database information by applying schema semantics to database records
- Is an internal interface that is not exposed to the public
- Translates each DN into an integer structure called the DN tag, which is used for internal access
- Is responsible for the creation, retrieval and deletion of individual records, attributes and values
- Follows the parent references in the database and concatenates the successive RDNs to form DNs

Extensible Storage Engine (ESE)

- A new and improved version of the JET database
- Stores all Active Directory objects
- Stores attributes that can have multiple values
- Implements a transacted database system that uses log files to ensure that committed transactions are safe
- Comes with a predefined schema that defines all the attributes required and allowed for a given object
- Can handle sparse rows

End Part 1

Introduction to Namespace Planning

- Consists of: domain hierarchy, global catalog, trust relationships, OUs
- The Active Directory namespace is the top-level qualified domain name for the company
- You must determine whether the internal and external namespaces will be the same or separate
  - Internal: inside the firewall
  - External: outside the firewall
  - Registered domain name
- Your namespace architecture should be scalable, adaptable to change, able to distinguish between internal and external resources, and protect company data

Scenarios

- Same internal and external namespace
  - Internal users can access both intranet and Internet servers
  - External users can access internal resources
- Solution
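As an added example (not from the slides), the DN and RDN rules above worked in Python: splitting a DN into its RDNs, deriving the holding container and the domain's DNS name from the DC components, and checking the rule that no two objects share an RDN inside one container. It uses the leaf-first LDAP string form (CN=John Smith,CN=Users,DC=...) rather than the root-first order written on the slide; the sample DNs are constructed.

```python
# Added example (not from the original slides): Active Directory DNs as the
# slides describe them, in leaf-first LDAP string form (RFC 2253).
from typing import Iterable, List, Tuple

# Constructed sample objects (not from the slides). The third repeats the
# first object's RDN inside the same container, which AD rejects; the
# second repeats it in a different OU, which AD allows.
SAMPLE_DNS = [
    "CN=John Smith,CN=Users,DC=contoso,DC=msft,DC=com",
    "CN=John Smith,OU=Sales,DC=contoso,DC=msft,DC=com",
    "cn=john smith,cn=users,dc=contoso,dc=msft,dc=com",
    "CN=Smith\\, Jane,OU=Sales,DC=contoso,DC=msft,DC=com",  # escaped comma
]

def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas into its RDN strings, leaf first."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(buf.strip())
            buf = ""
            continue
        escaped = (ch == "\\") and not escaped  # backslash escapes next char
        buf += ch
    rdns.append(buf.strip())
    return rdns

def parent_dn(dn: str) -> str:
    """The container holding the object: the DN without its leaf RDN."""
    return ",".join(split_rdns(dn)[1:])

def dns_domain(dn: str) -> str:
    """DNS name of the holding domain, joined from the DC components."""
    parts = (r.partition("=") for r in split_rdns(dn))
    return ".".join(v.strip() for a, _, v in parts if a.strip().upper() == "DC")

def duplicate_rdns(dns: Iterable[str]) -> List[Tuple[str, str]]:
    """(container, RDN) pairs breaking the one-RDN-per-container rule;
    matching is case-insensitive, as AD compares DN components."""
    seen, dups = set(), []
    for dn in dns:
        leaf, container = split_rdns(dn)[0], parent_dn(dn)
        key = (container.lower(), leaf.lower())
        if key in seen:
            dups.append((container, leaf))
        seen.add(key)
    return dups
```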