Active Directory: From Wikipedia, The Free Encyclopedia

Active Directory (AD) is a directory service created by Microsoft that provides central network administration and security for Windows domain networks. AD authenticates and authorizes all users and computers on a domain, enforcing security policies. It uses LDAP, Kerberos and DNS. The AD database is organized hierarchically with forests, trees, domains and organizational units (OUs) that can mirror an organization's structure. Sites represent physical network locations and are used for replication and client redirection.


20/02/13

Active Directory - Wikipedia, the free encyclopedia

Active Directory
From Wikipedia, the free encyclopedia

Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Active Directory provides a central location for network administration and security. Server computers that run Active Directory are called domain controllers. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[1] Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos and DNS.

Contents
1 History
    1.1 Site
    1.2 Forests, trees, and domains
        1.2.1 Organizational units
            1.2.1.1 Shadow groups
2 Physical matters
3 Replication
4 Database
5 Single server operations
6 Trusting
    6.1 Terminology
        6.1.1 Forest trusts
7 Lightweight Directory Service
8 Unix integration
9 See also
10 References
11 External links

History
Active Directory was previewed in 1999, released first with Windows NT Server, then with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, and with the release of the latter the domain controller role was renamed Active Directory Domain Services.

Each object represents a single entity, whether a user, a computer, a printer, or a group, and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by a schema, which also determines the kinds of objects that can be stored in Active Directory. The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated, not deleted. Changing the schema usually requires planning.[2]
en.wikipedia.org/wiki/Active_Directory 1/10

Site
A Site object in Active Directory represents a geographic location that hosts networks.[3]

Forests, trees, and domains


The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace. A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

[Figure: Example of the geographical organizing of zones of interest within trees and domains. Labels: Forest-Widgets Corp; Tree-Eastern; Tree-Southern; Domain-Dallas; Domain-Boston; Domain-New York; Domain-Philly; Domain-Atlanta; OU-Marketing; OU-Sales; Hewitt, Aon, Steve, Bill, Ralph.]

Organizational units

The objects held within a domain can be grouped into Organizational Units (OUs).[4] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs; domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well. Organizational Units are an abstraction for the administrator and do not function as containers; the underlying domain is the true container. It is not possible, for example, to create user accounts with an identical username (sAMAccountName) in separate OUs, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. This is so because sAMAccountName, a user object attribute, must be unique within the domain. However, two users in different OUs can have the same Common Name (CN), the name under which they are stored in the directory itself. In general, the reason for this lack of allowance for duplicate names through hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-file method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" (Western order) or the reverse (Eastern order) fail for common family names like Li, Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student id numbers to use as account names in place of actual users' names, and allowing users to nominate their preferred word sequence within an acceptable use policy. Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.
Shadow groups

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
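As an added example (not from the article, and not a Microsoft tool), a PowerShell script of the kind the paragraph describes: it keeps one security group in step with the user accounts directly inside an OU. It assumes the RSAT ActiveDirectory module is installed; the OU path and group name are placeholders.

```powershell
# Added example: maintain a "shadow group" whose membership mirrors the user
# objects directly inside one OU. Requires the ActiveDirectory module and rights
# to create/modify the group. OU path and group name below are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)][string]$OUPath,     # e.g. "OU=Sales,DC=example,DC=com" (placeholder)
        [Parameter(Mandatory)][string]$GroupName,  # e.g. "SG-Sales" (placeholder)
        [switch]$WhatIf                            # preview changes without applying them
    )

    # Create the shadow group on first run, inside the same OU, as a global security group.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $OUPath -PassThru -WhatIf:$WhatIf
        if (-not $group) { return }   # under -WhatIf nothing was created, so nothing to sync
    }

    # Desired membership: user objects directly in the OU. Use -SearchScope Subtree
    # instead if child OUs should be included.
    $desired = Get-ADUser -Filter * -SearchBase $OUPath -SearchScope OneLevel |
               Select-Object -ExpandProperty DistinguishedName
    # Current membership; anything not in the OU (including stray groups) gets removed.
    $current = Get-ADGroupMember -Identity $group |
               Select-Object -ExpandProperty DistinguishedName

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd    -WhatIf:$WhatIf }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    # Report what changed so a scheduled run leaves an audit trail.
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Run from a scheduled task. As the article notes, membership lags the OU by the
# task interval; a user moved out of the OU keeps the group's rights until the next run.
Sync-ShadowGroup -OUPath "OU=Sales,DC=example,DC=com" -GroupName "SG-Sales" -WhatIf
```

Drop `-WhatIf` once the preview shows the expected additions and removals.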

In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.

The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]

Physical matters

Sites are physical (rather than logical) groupings defined by one or more IP subnets.[7] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.[8]

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. AD synchronizes changes using multi-master replication.[9] Microsoft often refers to these partitions as 'naming contexts'.[10] The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domain controllers in the Forest. The 'Domain' partition holds all objects created in that domain and replicates only to Domain Controllers within its domain. So, for example, a user created in Domain X would be listed only in Domain X's domain controllers.

A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest.[11] Global Catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[12]

Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP and DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.
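As an added example (not from the article), PowerShell that reads the partial attribute set from the Schema naming context and shows how an attribute is marked for GC replication. It assumes the RSAT ActiveDirectory module; the attribute name used at the end is only an illustration.

```powershell
# Added example: inspect the partial attribute set (PAS), i.e. the schema attributes
# flagged isMemberOfPartialAttributeSet, and mark one for GC replication.
# Requires the ActiveDirectory module; the marking step needs Schema Admins rights
# and, as the article notes, is a forest-wide schema change that requires planning.
Import-Module ActiveDirectory

# All attributes currently replicated to global catalog servers.
function Get-PartialAttributeSet {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

# Does one attribute (by LDAP display name) replicate to the GC?
function Test-InPartialAttributeSet {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw "No schema attribute named '$LdapDisplayName'" }
    [bool]$attr.isMemberOfPartialAttributeSet   # unset attribute -> $false
}

# Mark an attribute for GC replication. Schema writes must go to the schema master,
# so the call is directed at that DC. Run with -WhatIf first.
function Add-ToPartialAttributeSet {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "No schema attribute named '$LdapDisplayName'" }
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, 'Set isMemberOfPartialAttributeSet=TRUE')) {
        Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{ isMemberOfPartialAttributeSet = $true }
    }
}

# Read-only usage: list the PAS, then check one attribute (name chosen for illustration).
Get-PartialAttributeSet
Test-InPartialAttributeSet -LdapDisplayName 'department'
```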

Replication
Active Directory replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected.[13] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication. Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain, based on site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) NCs. SMTP cannot be used for replicating the default Domain partition.[14]

Database
The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based