Understanding Active Directories


Transcript of Understanding Active Directories

Page 1: Understanding Active Directories

8/8/2019 Understanding Active Directories

http://slidepdf.com/reader/full/understanding-active-directories 1/7

Active Directory

An Active Directory is a directory structure used on Microsoft Windows-based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.

An Active Directory (sometimes referred to as an AD) performs a variety of functions, including the ability to provide information on objects; it helps organize these objects for easy retrieval and access, allows access by end users and administrators, and allows the administrator to set up security for the directory.

An Active Directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: the resources, which might include hardware such as printers; services for end users, such as web and email servers; and objects, which are the main functions of the domain and network.

Understanding Active Directories

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, an end user, or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to these objects being able to hold other objects, every object has its own attributes, which allow it to be characterized by the information it contains. Most IT professionals call these settings or characterizations schemas.

The type of schema created for a folder will ultimately determine how these objects are used. For instance, some objects with certain schemas cannot be deleted; they can only be deactivated. Other types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object cannot be deleted.

When understanding Active Directories, it is important to know the framework at which objects can be viewed. In fact, an Active Directory can be viewed at any one of three levels; these levels are called forests, trees and domains. The highest structure is called the forest because you can see all objects included within the Active Directory.

Within the forest structure are trees; these structures usually hold one or more domains. Going further down the structure of an Active Directory are single domains. To put the forest, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest directory are trees that hold information on specific objects such as domain controllers, program data and system, among others. Within these objects are even more objects, which can then be controlled and categorized.

How are Active Directories used? 

If you are a computer administrator for a large corporation or organization, you can easily update all end users' computers with new software, patches and files simply by updating one object in a forest or tree.

Because each object fits into a set schema and has specific attributes, a network administrator can easily clear a person on a set tree or instantly give or deny access to select users for certain applications. The Microsoft servers use trust to determine whether or not access should be allowed. Two types of trusts that Microsoft Active Directories incorporate are transitive trusts and one-way non-transitive trusts. A transitive trust is when there is a trust that goes further than two domains in a set tree, meaning two entities are able to access each other's domains and trees.

A one-way transitive trust is when a user is allowed access to another tree or domain; however, the other domain does not allow access to the further domains. This can be summed up as a network administrator and end user. The network administrator can access most trees in the forest, including a specific end user's domain. However, the end user, while able to access his or her own domain, cannot access other trees.

Page 2: Understanding Active Directories

It is important to note that Active Directories are a great way to organize a large organization or corporation's computers' data and network. Without an Active Directory, most end users would have computers that would need to be updated individually and would not have access to a larger network where data can be processed and reports can be created. While Active Directories can be technical to a good extent and require considerable expertise to navigate, they are essential to storing information and data on networks.
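To make the trust rules in the section above concrete, here is an added Python model (not code from the original page) of a forest whose domain names and trusts are constructed for illustration. It computes which domains a principal from a given domain can reach by chaining transitive intra-forest trusts, while a one-way non-transitive trust counts only as a single, final hop out of the principal's own domain.

```python
"""Trust-path model for the forest / tree / domain hierarchy described above.

Added illustration, not code from the original page. Domain names and trusts
are constructed. Semantics follow the page: parent/child and tree-root trusts
inside a forest are two-way and transitive; an external trust to a domain
outside the forest is one-way and non-transitive.
"""
from collections import deque


class Trust:
    def __init__(self, trusting, trusted, two_way, transitive):
        self.trusting = trusting      # domain that accepts the other's users
        self.trusted = trusted        # domain whose users are accepted
        self.two_way = two_way
        self.transitive = transitive

    def edges(self):
        # An access edge runs from the domain where the user lives (trusted)
        # to the domain whose resources the user may be authorized in (trusting)
        yield self.trusted, self.trusting, self.transitive
        if self.two_way:
            yield self.trusting, self.trusted, self.transitive


class Forest:
    def __init__(self):
        self.trusts = []

    def add_child(self, parent, child):
        # Parent/child trust inside the forest: two-way, transitive
        self.trusts.append(Trust(parent, child, True, True))

    def add_tree_root(self, forest_root, tree_root):
        # Tree-root trust between the forest root and a new tree: two-way, transitive
        self.trusts.append(Trust(forest_root, tree_root, True, True))

    def add_external(self, trusting, trusted):
        # External trust to a domain outside the forest: one-way, non-transitive
        self.trusts.append(Trust(trusting, trusted, False, False))

    def reachable_from(self, user_domain):
        """Domains in which a principal from user_domain can be granted access.

        Transitive edges may be chained; a non-transitive edge may only be
        taken directly from the user's own domain and never continued.
        """
        reachable, expanded = set(), set()
        queue = deque([user_domain])
        while queue:
            here = queue.popleft()
            if here in expanded:
                continue
            expanded.add(here)
            for trust in self.trusts:
                for src, dst, transitive in trust.edges():
                    if src != here or dst == user_domain:
                        continue
                    if not transitive and here != user_domain:
                        continue  # a non-transitive trust cannot be chained
                    reachable.add(dst)
                    if transitive:
                        queue.append(dst)  # only transitive paths continue
        return sorted(reachable)

    def can_access(self, user_domain, resource_domain):
        return resource_domain in self.reachable_from(user_domain)


def build_sample_forest():
    # Constructed example: one forest with two trees plus one external trust
    forest = Forest()
    forest.add_child("corp.example", "eu.corp.example")
    forest.add_child("corp.example", "us.corp.example")
    forest.add_tree_root("corp.example", "subsidiary.example")
    forest.add_child("subsidiary.example", "lab.subsidiary.example")
    forest.add_external("corp.example", "partner.local")  # corp trusts partner
    return forest


if __name__ == "__main__":
    f = build_sample_forest()
    for d in ("eu.corp.example", "partner.local", "corp.example"):
        print(d, "->", f.reachable_from(d))
```

Auditing reachable domains this way is the defender's view of trust sprawl: an external, non-transitive trust exposes only the trusting domain, whereas any intra-forest domain can reach every other domain in the forest.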

Read more about Active Directory 

Maintaining an Active Directory is a very important administrative task that must be scheduled regularly, so that in case of disaster you can recover your lost or corrupted data and repair the Active Directory database.

The Extensible Storage Engine (ESE) is the Active Directory database engine, which manages all the Active Directory objects in the Active Directory database. Any data modification affects database performance, database fragmentation and data integrity.

Active Directory Database and Log Files

The ESE uses transaction and log files to ensure the integrity of the Active Directory database. Active Directory includes the following files:

- Ntds.dit is the Active Directory database, which stores all of the Active Directory objects on the domain controller. The .dit extension refers to the directory information tree. The default location is the %systemroot%\Ntds folder. Active Directory records each and every transaction log file that is associated with the Ntds.dit file.

- Edb*.log is the transaction log file. Each transaction file is 10 megabytes (MB). When the Edb.log file is full, Active Directory renames it to Edbnnnnn.log, where nnnnn is an increasing number that starts from 1.

- Edb.chk is a checkpoint file which is used by the database engine to track the data which is not yet written to the Active Directory database file. The checkpoint file acts as a pointer that maintains the status between memory and the database file on disk. It indicates the starting point in the log file from which the information must be recovered if a failure occurs.

- Res1.log and Res2.log: These are reserved transaction log files. The amount of disk space that is reserved on a drive or folder for this log is 20 MB. This reserved disk space provides sufficient space to shut down if all the other disk space is being used.

Moving and Defragmenting the Active Directory Database

Over a period of time, fragmentation occurs as records in the Active Directory database are deleted and new records are added. When the records are fragmented, the computer must search the Active Directory database to find all the records each time the Active Directory database is opened. This search slows the response time. Fragmentation also degrades the overall performance of Active Directory operations.

To overcome the problems that fragmentation causes, you defragment the Active Directory database. Defragmentation is the process of rewriting records in the Active Directory database to contiguous sectors to increase the speed of access and retrieval. When the records are updated, Active Directory saves these updates on the largest contiguous space in the Active Directory database.

Page 3: Understanding Active Directories


Moving Database and Log Files

You move a database to a new location when you defragment the database. Moving the database does not delete the original database. Therefore, you can use the original database if the defragmented database does not work or becomes corrupted. Also, if your disk space is limited, you can add another hard disk drive and move the database to it. Additionally, you move the database files in order to perform hardware maintenance. If the disk on which the files are stored requires upgrading or maintenance, you can move the files to another location temporarily or permanently.

Active Directory was designed to provide a centralized repository of information, or data store, that could securely manage the resources of an organization. The Active Directory directory services ensure that network resources are available to, and can be accessed by, users, applications and programs.

Network resources contained in the directory are known as objects. Objects typically consist of user, group and computer information, databases, printers, security policies and servers. With Active Directory, trust relationships are completely transitive between domains.

Because all information stored in Active Directory is located in one centralized, distributed data store, administrative needs are reduced, the availability of security information is increased, and there is an improvement in the structure of information.

Active Directory also has an extensible schema. Schema refers to the structure of the database. You can expand and customize the types of information stored within Active Directory.

Active Directory Structure

Active Directory has a hierarchical structure that consists of various components which mirror the network of the organization. The components included in the Active Directory hierarchical structure are listed below:

- Sites
- Domains
- Domain Trees
- Forests
- Organizational Units (OUs)
- Objects
- Domain Controllers
- Global Catalog
- Schema

The Global Catalog and Schema components actually manage the Active Directory hierarchical structure. In Active Directory, logically grouping resources to reflect the structure of the organization enables you to locate resources using the resource's name instead of its physical location. Active Directory logical structures also enable you to manage network accounts and shared resources.

The components of Active Directory that represent the logical structure in an organization are: Domains, Organizational Units (OUs), Trees, Forests and Objects.

Page 4: Understanding Active Directories


The components of Active Directory that are regarded as physical structures are used to reflect the organization's physical structure. The components of Active Directory that are physical structures are: Sites, Subnets and Domain Controllers.

A domain in Active Directory consists of a set of computers and resources that all share a common directory database, which can store a multitude of objects. Domains contain all the objects that exist in the network. Each domain contains information on the objects that it contains. In Active Directory, domains are considered the core unit in its logical structure. Domains in Active Directory actually differ quite substantially from domains in Windows NT networks. In Windows NT networks, domains are able to store far fewer objects than Active Directory domains can store. Windows NT domains are structured as peers to one another. What this means is that you cannot structure domains into a hierarchical structure. Active Directory domains, on the other hand, can be organized into a hierarchical structure through the use of forests and domain trees.

An Active Directory domain holds the following:

- Logical partition of users and groups
- All other objects in the environment

In Active Directory, domains have the following common characteristics:

- The domain contains all network objects
- The domain is a security boundary: access control lists (ACLs) control access to the objects within a domain.

Within a domain, objects all have the following common characteristics:

- Group Policy and security permissions
- Hierarchical object naming
- Hierarchical properties
- Trust relationships

The majority of components in Active Directory are objects. In Active Directory, objects represent network resources in the network. Objects in Active Directory have a unique name that identifies the object. This is known as the distinguished name of the object. Objects can be organized and divided into object classes. Object classes can be regarded as the logical grouping of objects. An object class contains a set of object attributes, which are characteristics of objects in the directory. Attributes can be looked at as properties that contain information on characteristics and configurations. The Active Directory objects that an administrator would most likely be concerned with managing are users, groups and computers. In Active Directory, the main groups are security groups and distribution groups. It is easier to place users into groups and then assign permissions to network resources via these groups. Through implementing groups and using groups effectively, you would be in a good position to manage security and permissions in Active Directory.

Organizational units (OUs) can be considered logical units that can be used to organize objects into logical groups. OUs can be hierarchically arranged within a domain. An organizational unit can contain objects such as user accounts, groups, computers, shared resources, and other OUs. You can also assign permissions to OUs to delegate administrative control. Domains can have their own OU hierarchy. Organizational units are depicted as folders in the Active Directory Users and Computers administrative tool.
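The distinguished name and OU hierarchy described in the two paragraphs above can be worked with directly. The following Python helpers are an added example (not code from the original page): they parse an RFC 4514 style distinguished name, recover the domain DNS name and OU folder path from it, and decide whether an object sits inside a container whose administration has been delegated. All DN values are constructed for illustration.

```python
"""Distinguished-name helpers for the object / OU hierarchy described above.

Added illustration, not code from the original page. DN values are
constructed. Parsing follows the RFC 4514 string form: comma-separated RDNs,
most specific first, with backslash escapes for special characters.
"""


def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs, most specific RDN first."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # keep the escaped char (e.g. "\," in a CN)
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def format_dn(pairs):
    """Inverse of parse_dn: re-escape backslashes and commas in values."""
    def esc(v):
        return v.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join("%s=%s" % (a, esc(v)) for a, v in pairs)


def domain_dns_name(dn):
    # The DC components, read in order, spell the domain's DNS name
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def ou_path(dn):
    # OUs from the domain root downwards, i.e. the folder path an admin sees
    return [v for a, v in reversed(parse_dn(dn)) if a == "OU"]


def parent_dn(dn):
    # Dropping the first RDN yields the container the object lives in
    return format_dn(parse_dn(dn)[1:])


def is_within(dn, container_dn):
    """True if dn lies in container_dn's subtree.

    Comparison is case-insensitive, as AD names are, and requires the
    container's components to be an exact suffix; a same-named OU in another
    domain therefore does not match, reflecting the domain boundary.
    """
    obj = [(a, v.lower()) for a, v in parse_dn(dn)]
    box = [(a, v.lower()) for a, v in parse_dn(container_dn)]
    return len(obj) > len(box) and obj[-len(box):] == box


SAMPLE_DN = "CN=Smith\\, Alice,OU=Staff,OU=Finance,DC=corp,DC=example"

if __name__ == "__main__":
    print(domain_dns_name(SAMPLE_DN), ou_path(SAMPLE_DN))
    print(is_within(SAMPLE_DN, "OU=Finance,DC=corp,DC=example"))
```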

In Active Directory, a domain tree is the grouping of one or multiple Windows 2000 or Windows Server 2003 domains. Domain trees are essentially a hierarchical arrangement of these domains. Domain trees are created by adding child domains to a parent domain. Domains that are grouped into a domain tree have a hierarchical naming structure and also share a contiguous namespace.

Page 5: Understanding Active Directories


Multiple domains are typically utilized to:

- Improve performance
- Decentralize administration
- Manage and control replication in Active Directory
- Through the utilization of multiple domains, you can implement different security policies for each domain.
- Multiple domains are also implemented when the number of objects in the directory is quite substantial.

A forest in Active Directory is the grouping of one or multiple domain trees. The characteristics of forests are summarized below:

- Domains in a forest share a common schema and global catalog, and are connected by implicit two-way transitive trusts. A global catalog is used to increase performance in Active Directory when users search for attributes of an object. The global catalog server contains a copy of all objects in its associated host domain, as well as a partial copy of objects in the other domains in the forest.
- Domains in a forest function independently, with the forest making communication possible with the whole organization.
- Domain trees in a forest do not have the same naming structures.

In Active Directory, a site is basically the grouping of one or more Internet Protocol (IP) subnets which are connected by a reliable high-speed link. Sites normally have the same boundaries as a local area network (LAN). Sites should be defined as locations that enable fast and cheap network access. Sites are essentially created to enable users to connect to a domain controller using the reliable high-speed link, and to optimize replication network traffic. Sites determine the time and the manner in which information should be replicated between domain controllers.

A site contains the objects listed below that are used to configure replication among sites.

- Computer objects
- Connection objects

A domain controller is a computer running Windows 2000 or Windows Server 2003 that contains a replica of the domain directory. Domain controllers in Active Directory maintain the Active Directory data store and security policy of the domain. Domain controllers therefore also provide security for the domain by authenticating user logon attempts. The main functions of domain controllers within Active Directory are summarized in the following section:

- Each domain controller in a domain stores and maintains a replica of the Active Directory data store for the particular domain.
- Domain controllers in Active Directory utilize multimaster replication. What this means is that no single domain controller is the master domain controller. All domain controllers are considered peers.
- Domain controllers also automatically replicate directory information for objects stored in the domain between one another.
- Updates that are considered important are replicated immediately to the remainder of the domain controllers within the domain.
- Implementing multiple domain controllers within a domain provides fault tolerance for the domain.
- In Active Directory, domain controllers can detect collisions. Collisions take place when an attribute modified on one particular domain controller is changed on a different domain controller prior to the change on the initial domain controller being fully propagated.

Apart from domain controllers, you can have servers configured in your environment that operate as member servers of the domain but that do not host Active Directory information. Member servers do not provide any domain security functions either, such as authenticating users. Typical examples of member servers are file servers, print servers, and Web servers.

Page 6: Understanding Active Directories


Standalone servers, on the other hand, operate in workgroups and are not members of the Active Directory domain. Standalone servers have, and manage, their own security databases.

Active Directory Namespace Structure

The Domain Name System (DNS) is the Internet service that Active Directory utilizes to structure computers into domains. DNS domains have a hierarchical structure that identifies computers, organizational domains and top-level domains. Because DNS also maps host names to numeric Transmission Control Protocol/Internet Protocol (TCP/IP) addresses, you define the Active Directory domain hierarchy on an Internet-wide basis, or privately. Because DNS is an important component of Active Directory, it has to be configured before you install Active Directory.

The information typically stored in Active Directory can be categorized as follows:

- Network security entities: This category contains information such as users, groups, computers, applications.
- Active Directory mechanisms: This category includes permissions, replication, and network services.
- Active Directory schema: Active Directory objects that define the attributes and classes in Active Directory are included here.

To ensure compatibility with the Windows NT domain model, Active Directory is designed and structured on the idea of domains and trust relationships. Because the SAM databases in Windows NT could not be combined, domains had to be joined using trust relationships.

With Active Directory, a domain defines the following:

- A namespace
- A naming context
- A security structure
- A management structure

Within the domain, you have users and computers that are members of the domain, and group policies. In Active Directory, you can only create a naming context at a domain boundary, or by creating an Application naming context. An Application naming context is a new Active Directory feature introduced in Windows Server 2003. Other than a Domain naming context, each installation of Active Directory must have a Schema naming context and a Configuration naming context.

- Schema naming context: Domain controllers in the forest each have a read-only replica of the Schema naming context, which contains the ClassSchema and AttributeSchema objects. These objects signify the classes and attributes in Active Directory. The domain controller holding the Schema Master role is the only domain controller that can change the schema.

- Configuration naming context: Domain controllers in the forest each have a read and write replica of the Configuration naming context. The Configuration naming context contains the top-level containers listed below, which basically manage those services that support Active Directory:

  - Display Specifiers container: Objects which change the attributes that can be viewed for the remainder of the object classes are stored in this container. Display Specifiers supply localization and define context menus and property pages. Localization deals with determining the country code utilized during installation, and then moves all content via the proper Display Specifier. Context menus and property pages are defined for each user according to whether the user attempting to access a particular object has Administrator privileges.

  - Extended Rights container: Because you can assign permissions to objects and the properties of an object, Extended Rights merges various property permissions to form a single unit. In this manner, Extended Rights manages and controls access to objects.

  - Lost and Found Config container: The Domain naming context and Configuration context each have a Lost and Found Config container that holds objects which have gone astray.

  - Partitions container: The Partitions container contains the cross-reference objects that depict all the other domains in a forest. The Partitions container's data is referenced by domain controllers when they create referrals to these domains. The data in the Partitions container can only be altered by a single domain controller within the forest.

Page 7: Understanding Active Directories

  - Physical Locations container: The Physical Locations container contains physical Location DN objects which are related to Directory Enabled Networking (DEN).

  - Services container: This container stores the objects of distributed applications and is replicated to all domain controllers within the forest. You can view the contents of the container in the Active Directory Sites and Services console.

  - Sites container: The objects stored in the Sites container control Active Directory replication, among other site functions. You can also view the contents of this container in the Active Directory Sites and Services console.

  - Well-Known Security Principals container: This container stores the names and unique Security Identifiers (SIDs) for groups such as Interactive and Network.

Replication and Active Directory

In Active Directory, directory data that is classified into the categories listed below is replicated between domain controllers in the domain:

- Domain data includes information on the objects stored in a particular domain. This includes objects for user accounts, Group Policy, shared resources and OUs.
- Configuration data includes information on the components of Active Directory that illustrate the structure of the directory. Configuration data therefore defines the domains, trees, forests and location of domain controllers and global catalog servers.
- Schema data lists the objects and types of data that can be stored in Active Directory.

Active Directory utilizes multimaster replication. This means that changes can be made to the directory from any domain controller because the domain controllers operate as peers. The domain controller then replicates the changes that were made. Domain data is replicated to each domain controller within that domain. Configuration data and schema data are replicated to each domain in a domain tree and forest. Objects stored in the domain are replicated to global catalogs. A subset of object properties in the forest is also replicated to global catalogs. Replication that occurs within a site is known as intra-site replication. Replication between sites is known as inter-site replication.
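The replication scope rules in the paragraph above, together with the collision detection mentioned in the domain controller section, can be modelled directly. The Python below is an added example (not code from the original page): the forest, domain controller names and sites are constructed, and the collision-resolution precedence (version, then originating time, then originating DSA) is Active Directory's documented attribute-stamp rule, which goes beyond what the page itself states.

```python
"""Replication-scope and collision model for the naming contexts above.

Added illustration, not code from the original page. The forest, DC names
and sites are constructed. replication_targets() answers: when an attribute
changes in a naming context on one DC, which other DCs receive the change
(fully, or partially as a global catalog), and is each hop intra-site or
inter-site? The Stamp helpers apply AD's documented attribute-stamp
precedence, which the page does not spell out.
"""
from collections import namedtuple

DC = namedtuple("DC", "name domain site is_gc")

# Constructed forest: two domains, two sites, one global catalog per domain
SAMPLE_FOREST = [
    DC("dc1", "corp.example", "HQ", True),
    DC("dc2", "corp.example", "Branch", False),
    DC("dc3", "eu.corp.example", "HQ", True),
    DC("dc4", "eu.corp.example", "Branch", False),
]


def replication_targets(forest, origin, naming_context, in_partial_attribute_set=True):
    """Return {dc_name: (kind, hop)} for every DC that receives the change.

    naming_context is "schema", "configuration" or a domain DNS name.
    Schema and configuration data reach every DC in the forest; domain data
    is fully replicated to that domain's DCs and, for attributes in the
    global catalog's partial attribute set, partially to GCs elsewhere.
    """
    targets = {}
    for dc in forest:
        if dc.name == origin.name:
            continue
        if naming_context in ("schema", "configuration"):
            kind = "full"
        elif dc.domain == naming_context:
            kind = "full"
        elif dc.is_gc and in_partial_attribute_set:
            kind = "partial"   # GC keeps a read-only subset of other domains
        else:
            continue           # non-GC in another domain never sees it
        hop = "intra-site" if dc.site == origin.site else "inter-site"
        targets[dc.name] = (kind, hop)
    return targets


# Per-attribute replication stamp carried with every originating write
Stamp = namedtuple("Stamp", "version originating_time originating_dsa")


def is_collision(local, incoming):
    """Two originating writes to the same attribute from the same base state.

    The page describes a collision as a second DC changing an attribute before
    the first change propagated; both writes then carry the same version
    number but different originating DSAs.
    """
    return (local.version == incoming.version
            and local.originating_dsa != incoming.originating_dsa)


def resolve_collision(local, incoming):
    """Winner under AD's stamp precedence: higher version, then later
    originating time, then higher originating DSA ID. Tuple ordering of the
    namedtuple fields matches that precedence exactly."""
    return max(local, incoming)


if __name__ == "__main__":
    origin = SAMPLE_FOREST[0]
    print(replication_targets(SAMPLE_FOREST, origin, "corp.example"))
    print(replication_targets(SAMPLE_FOREST, origin, "schema"))
```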

Support Files of Active Directory

The Active Directory support files are listed below. These are the files that you specify a location for when you promote a server to a domain controller:

- Ntds.dit (NT Directory Services): Ntds.dit is the core Active Directory database. This file on a domain controller lists the naming contexts hosted by that particular domain controller.
- Edb.log: The Edb.log file is a transaction log. When changes occur to Active Directory objects, the changes are initially saved to the transaction log before they are written to the Active Directory database.
- Edbxxxxx.log: These are auxiliary transaction logs that can be used in cases where the primary Edb.log file fills up prior to it being written to the Ntds.dit Active Directory database.
- Edb.chk: Edb.chk is a checkpoint file that is used by the transaction logging process.
- Res log files: These are reserve log files whose space is used if insufficient space exists to create the Edbxxxxx.log file.
- Temp.edb: Temp.edb contains information on the transactions that are being processed.
- Schema.ini: The Schema.ini file is used to initialize the Ntds.dit Active Directory database when a domain controller is promoted.
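The database and log file layout described here and in the earlier "Active Directory Database and Log Files" section lends itself to a baseline check. The Python below is an added example (not code from the original page): it classifies the contents of an NTDS folder listing against the file roles and sizes the page gives (10 MB per Edb log, 20 MB of reserved log space) and reports deviations such as a truncated log or a stray file. The listings are constructed; the layout is the Windows 2000/2003-era one the page describes.

```python
"""Baseline check of the Active Directory database folder described above.

Added illustration, not code from the original page. The listings returned
by clean_listing() and sample_listing() are constructed; to run against a
real %systemroot%\\Ntds folder, feed (entry.name, entry.stat().st_size) pairs
from os.scandir() instead.
"""
import re

MB = 1024 * 1024
LOG_SIZE = 10 * MB          # each Edb transaction log is 10 MB (from the page)
RESERVED_TOTAL = 20 * MB    # Res1.log + Res2.log reserve 20 MB (from the page)

# File roles in the order the page lists them. The archived-log number is an
# increasing counter per the page; ESE writes it as five hex digits, so both
# decimal and hex forms are accepted here.
PATTERNS = [
    ("database", re.compile(r"^ntds\.dit$", re.I)),
    ("current log", re.compile(r"^edb\.log$", re.I)),
    ("archived log", re.compile(r"^edb[0-9a-f]{5}\.log$", re.I)),
    ("checkpoint", re.compile(r"^edb\.chk$", re.I)),
    ("reserved log", re.compile(r"^res[12]\.log$", re.I)),
    ("temp database", re.compile(r"^temp\.edb$", re.I)),
]
REQUIRED = ("database", "current log", "checkpoint")


def classify(name):
    for category, rx in PATTERNS:
        if rx.match(name):
            return category
    return "unexpected"


def check_ntds_folder(listing):
    """listing: iterable of (filename, size_bytes). Returns a list of findings."""
    findings, seen, reserved = [], {}, 0
    for name, size in listing:
        cat = classify(name)
        seen.setdefault(cat, []).append(name)
        if cat in ("current log", "archived log") and size != LOG_SIZE:
            findings.append("%s is %d bytes, expected %d" % (name, size, LOG_SIZE))
        elif cat == "reserved log":
            reserved += size
        elif cat == "unexpected":
            findings.append("unexpected file in NTDS folder: %s" % name)
    for cat in REQUIRED:
        if cat not in seen:
            findings.append("missing %s file" % cat)
    if "reserved log" in seen and reserved != RESERVED_TOTAL:
        findings.append("reserved log space is %d bytes, expected %d"
                        % (reserved, RESERVED_TOTAL))
    return findings


def clean_listing():
    # Constructed listing of a healthy folder
    return [
        ("ntds.dit", 40 * MB), ("edb.log", LOG_SIZE), ("edb00001.log", LOG_SIZE),
        ("edb.chk", 8192), ("res1.log", LOG_SIZE), ("res2.log", LOG_SIZE),
        ("temp.edb", 2 * MB),
    ]


def sample_listing():
    # Same folder with a truncated archived log and a stray copy of the database
    return clean_listing() + [("edb00002.log", 8 * MB), ("ntds.dit.bak", 40 * MB)]


if __name__ == "__main__":
    for finding in check_ntds_folder(sample_listing()):
        print(finding)
```

A stray copy of Ntds.dit is worth flagging because the file holds the domain's credential material; it should exist only where the domain controller, or a deliberate backup process, put it.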