What is Active Directory

W2K Active Directory in a nutshell, prepared by Jörg Bänder
What is Active Directory?
Active Directory (AD) replaces the NT 4.0 domain model that was built on LAN Manager. It is
essentially a database of network resources (known as objects) and information about each of
these objects. This is not a new concept, as Novell and Banyan have used directory
services for years. Familiarity with NetWare 4.11 will greatly reduce the time it takes
to become comfortable with this new network management system, as many of AD's
features and terminology are very similar to those of Novell Directory Services (NDS).
Why Active Directory?
While NT 4.0 was a pretty good network operating system, it wasn't entirely
equipped for enterprise networking. Network Neighborhood was a great tool until
you had a huge network; then browsing problems would begin, and finding a
particular printer or server could become a nightmare, especially if you didn't know
its name. Furthermore, in order to even accommodate such a network, you would
most likely have to partition it into several domains connected with trust
relationships. AD solves many of these problems and offers a new level of scalability
and organization for enterprise computing. The directory of each domain can store as
many as 10 million objects, which is enough to accommodate millions of users per
domain.
Directory Architecture:
First let's introduce the concept of "Sites". Sites are used to define the boundaries of
high-speed links on a network containing Active Directory Servers. Sites are based
on IP subnets and are defined as a "well-connected subnet or subnets". Do not
confuse this term with the concept of domains which are discussed next.
One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still
the centerpiece of a Windows 2000 network; however, it is set up differently. Domain
controllers are no longer separated into PDCs and BDCs. Now there are simply
DCs (Domain Controllers). By default, a Win2K server is installed as a standalone or
member server. DCPROMO.EXE is the Active Directory Installation Wizard and is
used to promote a non-domain controller to a DC and to demote a DC back to a
member server. The wizard prompts for all of the required information to install
Active Directory under the conditions that you have asked it to run.
Knowledge Consistency Checker (KCC) - This is a service created in order to ensure
that the Active Directory service in the Windows 2000 operating system can replicate
properly. It runs on all DCs and automatically establishes replication connections
between individual domain controllers in the same site. These are known as Active
Directory connection objects. An administrator can establish additional connection
objects or remove connection objects, but at any point where replication within a
site becomes impossible or has a single point of failure, the KCC steps in and
establishes as many new connection objects as necessary to resume Active Directory
replication.
Each domain controller in a domain is capable of accepting requests for changes to
the domain database and replicating that information to the other DCs in the
domain. The first domain that is created is referred to as the "root domain" and is at
the top of the directory tree. All subsequent domains will live beneath the root
domain and are referred to as child domains. Child domain names must be
unique. Note how Windows 2000 now uses DNS naming conventions for its domains.
When a root domain and at least one child domain have been created, a "tree" is
formed. Remember and understand this term, as you will hear it often when working
with a directory service.
The structure takes the shape of a tree with branches and sub-branches: mcmcse.com
at the root, with child domains such as sales.mcmcse.com beneath it. Now what if we
are a company like Microsoft or DuPont that owns several other corporations?
Typically, each company would have its own tree, and these trees are joined together
to create a "forest". The trees in a forest keep their separate DNS namespaces but
share one schema, one configuration and one Global Catalog, and their root domains
are linked by transitive trusts. Let's look at an example using our site.
So let's say that our company owns techtutorials.com (actually that is true) and
xyzabc. Each of those trees is organized just like the root domain (mcmcse), with its
own root domain and its own child domains, and the three trees together form a
single forest.
Trusts Overview:
Trusts are much more easily managed in Windows 2000 than in NT 4.0. There are 2
main reasons that this is the case.
1. When a new domain is added to a forest, the trust relationship between it and
its parent domain is configured automatically.
2. Trusts within a forest are now two-way and transitive. Two-way means that if
domain A trusts domain B then domain B also trusts domain A. Transitive means
that if domain A trusts domain B and domain B trusts domain C, then domain A
trusts domain C, and vice versa. In Windows NT 4.0 trusts were one-way and
non-transitive, had to be administered individually, and could be quite cumbersome.
These changes save an administrator some of the time-consuming administration
effort spent creating and maintaining trusts that was required in NT 4.0. One-way
trusts can still be created when necessary. The flip side of automatic two-way
transitive trusts is that every domain in a forest trusts every other domain, which is
why Microsoft's own guidance treats the forest, not the domain, as the security
boundary: control of any one domain's administrators must be assumed to expose the
whole forest.
Directory Components:
Now that we have looked at the big picture, it is time to take a look at what happens
inside a domain. To get started, the first concept that you will need to understand is
what the directory is made of. A common analogy for a directory is a phonebook.
Both contain listings of various objects and information and properties about them.
Within the directory are several other terms that you must know to gain even an
entry-level understanding of how it all works.


 Objects - Objects in the database can include printers, users, servers,
clients, shares, services, etc. and are the most basic component of the
directory.
 Attributes - An attribute describes an object. For example, passwords and
names are attributes of user objects. Different objects will have a different set
of attributes that define them; however, different objects may also share
attributes. For example, a printer and a Windows 2000 Professional workstation
may both have an IP address as an attribute.
 Schema - The schema defines the list of attributes that describe a given type of
object. For example, let's say that all printer objects are defined by name,
PDL type and speed attributes. This list of attributes comprises the schema
for the object class "printers". The schema is customizable, meaning that the
attributes that define an object class can be modified; because the schema is
shared by the whole forest, such changes are made only on the schema master
and cannot be rolled back.
 Containers - A container is very similar to the folder concept in Windows. A
folder contains files and other folders. In Active Directory, a container holds
objects and other containers. Containers have attributes just like objects, even
though they do not represent a real entity the way an object does. The 3 types of
containers discussed here are Domains, Sites and Organizational Units, explained
in more detail below. (The built-in Users and Computers folders in a domain are
also containers, but they are not Organizational Units, which matters for Group
Policy later.)
o Domains - We have already discussed this concept in the preceding
paragraphs.
o Sites - A site is a location. Specifically, sites are used to distinguish
between local and remote locations. For example, company XYZ has its
headquarters in San Francisco, a branch office in Denver and an office
that uses Dial-Up Networking (DUN) to connect to the main network from
Portland. These are 3 different sites.
o Organizational Units - Organizational units are containers into which
you can place users, groups, computers, and other organizational
units. An organizational unit cannot contain objects from other
domains. Because organizational units can contain other OUs, a
hierarchy of containers can be created to model your organization's
structure within a domain. Organizational units should be used to help
minimize the number of domains required for a network.
Now that we know what these concepts mean, let's look at what is going on inside a
domain. Pictured as folders, as they are in the Active Directory Users and Computers
snap-in, the folder symbols represent Organizational Unit (OU) containers, and within
each of these we find objects such as printers, servers, computers, users, etc. Instead
of objects located directly inside these OUs, there could be more OU containers.
Object Names:
Most of us are used to the 15-character NetBIOS naming conventions of NT 4.0.
Things are quite different now, as Windows 2000 uses the Lightweight Directory Access
Protocol (LDAP) naming convention. This is a fairly complicated naming system for
those of you without experience with Novell's context concept. The 2 basic concepts
that you need to know are distinguished names and common names.
A distinguished name (DN) is the complete "path" through the hierarchical tree
structure to a specific object, written from the object outward to the domain. This is
similar to specifying the complete path to a file from a DOS prompt, except that the
most specific part comes first. This "path" points to the location of an object in the
hierarchy. Let's take a look in more detail.
The following are the components that make up a distinguished name:
 OU - Organizational Unit. This attribute is used to divide a namespace based
on organizational structure as previously discussed. An OU corresponds to an
Active Directory container, shown as a folder.
 DC - Domain Component. A distinguished name that uses DC attributes has one
DC component for every dot-separated label in the DNS name of the domain, so
mcmcse.com becomes DC=mcmcse,DC=com and sales.mcmcse.com becomes
DC=sales,DC=mcmcse,DC=com.
 CN - Common Name. This attribute names the object itself within the
directory service. It is also used for the built-in containers such as Users and
Computers.
NOTE: Contrary to information that is currently posted online (even on Microsoft's
site), AD does not name its domains with C= (country) and O= (organization)
components as Novell does; domains are always expressed as DC= components. The
information that you may see posted refers to NT 5 development.
Here is an example of a distinguished name:
CN=Jason Sprague,CN=Users,DC=mcmcse,DC=COM
Now let's say that I was a member of the sales.mcmcse.com domain. My new DN
would be:
CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM
And what about my computer called WOPR? It would be:
CN=WOPR,CN=Computers,DC=mcmcse,DC=COM
Notice that Users and Computers appear as CN=, not OU=: they are the built-in
containers, not Organizational Units, which is why a user sitting in CN=Users cannot
be targeted with an OU-linked Group Policy until it is moved into an OU such as
OU=sales. DN values are compared case-insensitively, so DC=COM and DC=com name
the same component.
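The naming rules above are easy to get wrong in code, so here is an added example (written for this page, not code from the original tutorial) that builds DNs from a DNS domain name plus a container path and parses them back, escaping the characters that RFC 4514 says cannot appear unescaped in a value. The domain and object names are the ones used in the text; the helper names are our own. The escaping is the security-relevant part: a common name such as "Sprague, Jason" contains a comma, and splicing it into a DN without escaping either lands the object in a different part of the tree or lets an attacker-controlled value inject extra RDNs.

```python
"""Build and parse Active Directory distinguished names (RFC 4514 syntax).

Added example; not code from the original tutorial. Names such as
mcmcse.com, 'Jason Sprague' and WOPR are taken from the text above; the
helper names are our own.
"""

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN.

    A comma inside a common name ("Sprague, Jason") would otherwise be
    read as an RDN separator, which is the root of DN-injection bugs.
    """
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")          # leading/trailing spaces must be escaped
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(dns_name: str) -> list[str]:
    """mcmcse.com -> ['DC=mcmcse', 'DC=com']: one DC= for each dotted label."""
    labels = [lbl for lbl in dns_name.strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return [f"DC={escape_rdn_value(lbl)}" for lbl in labels]


def build_dn(dns_name: str, *path: tuple[str, str]) -> str:
    """Compose a DN from the leaf outward.

    path is a sequence of (attribute, value) pairs ordered from the object
    itself towards the domain, e.g. ("CN", "WOPR"), ("CN", "Computers").
    """
    rdns = [f"{attr}={escape_rdn_value(val)}" for attr, val in path]
    return ",".join(rdns + domain_to_dc(dns_name))


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    Handles both "\\," and "\\2C" style escapes for ASCII characters. Only
    single-valued RDNs (no '+') are handled, which covers every name Active
    Directory itself generates.
    """
    parts: list[tuple[str, str]] = []
    attr, buf, in_value = "", [], False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                buf.append(chr(int(nxt, 16)))   # hex-pair escape
                i += 3
            else:
                buf.append(dn[i + 1])           # single-character escape
                i += 2
            continue
        if ch == "=" and not in_value:
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif ch == ",":
            parts.append((attr, "".join(buf)))
            attr, buf, in_value = "", [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value:
        raise ValueError(f"malformed DN: {dn!r}")
    parts.append((attr, "".join(buf)))
    return parts


def dn_domain(dn: str) -> str:
    """Recover the DNS domain name from the DC= components of a DN."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")


if __name__ == "__main__":
    dn = build_dn("sales.mcmcse.com", ("CN", "Sprague, Jason"), ("CN", "Users"))
    print(dn)              # the comma in the CN is escaped, so the DN still has 5 RDNs
    print(parse_dn(dn))
    print(dn_domain(dn))   # sales.mcmcse.com
```

The same escaping rules apply whenever a DN is assembled from user input, for example when an application creates accounts from a web form.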
Windows 2000 also supports several other naming conventions in addition to
distinguished names, as listed below.
Naming Convention - Example
 Friendly name / RFC 822 (user principal name, UPN) - jsprague@mcmcse.com
 LDAP URL - LDAP://mcmcse.com/CN=jsprague,OU=sales,DC=mcmcse,DC=com
 Universal Naming Convention (UNC) - \\mcmcse.com\documents\webpages\index.shtml
(The LDAP URL is written with DC= components; an O=MCMCSE,C=US form sometimes
shown for this example is the NDS style that, as noted above, AD does not use for
domain naming.)
Global Catalog:
So now that we have seen how complicated the naming conventions can be, let's
look at the tool that makes it all manageable. Windows 2000 includes a service
called the Global Catalog (GC) that is used to locate any object in the forest to
which a particular user has been granted access. The searches that can be
performed are far more advanced than those included in NT 4.0: the GC is capable
of locating objects not only by name, but by attributes as well. So if I have a 50-page
document and I need 1000 copies made, I probably won't want to send it to an HP
5si. I need to find a production printer that can print at least 100 ppm and has the
capability of binding the document. The Global Catalog allows me to search the
network for a printer that has these attributes. I find a Xerox DocuTech 6135. I can
add the driver and send the print job. But what if I am in Portland and the printer is
in Seattle? The GC will provide this information and I can email the owner of the
printer and ask them to ship the job to me via our internal mail system. Still a little
confused? Let's take a look at another example. Let's say that I get a voice mail from
someone named Betty Doe in the payroll department. Her voicemail is garbled and I
can't understand her phone number. I can use the GC to search for her by name and
then read her phone number (assuming that our network administrator has populated
the phone number attribute for users). What other previously existing
application has features similar to this? The answer is Microsoft Exchange. Exchange
also has a directory (the global address list) that allows you to find users by name.
The GC is a scaled-up version of this feature in Exchange in that it allows you to find
objects based on a variety of customizable attributes.
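The attribute-based searches described above are expressed as LDAP search filters. As an added example, not from the original tutorial, the following builds the two queries from the text (a production printer doing at least 100 pages per minute with stapling, and a user looked up by display name) and shows why any value taken from a user must be escaped per RFC 4515 before it is spliced into a filter. The attribute names printPagesPerMinute, printStaplingSupported, displayName and telephoneNumber are taken from the Active Directory schema as we know it; verify them against your own forest's schema with ADSI Edit.

```python
"""Build LDAP search filters (RFC 4515) for Global Catalog queries.

Added example, not code from the original tutorial. Attribute names follow
the Active Directory schema for printQueue and user objects as we know it
(printPagesPerMinute, printStaplingSupported, displayName, telephoneNumber);
check them against your forest's schema before relying on them.
"""

# RFC 4515 requires these characters to be written as \XX in an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text before splicing it into a filter.

    Without this a "name" such as "*)(objectClass=*" turns a lookup for one
    person into a query that matches every object the caller can read.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    """Equality assertion with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


def ge(attr: str, value: int) -> str:
    """Greater-or-equal assertion; the value is forced to an integer."""
    return f"({attr}>={int(value)})"


def present(attr: str) -> str:
    """Presence assertion: the object has the attribute at all."""
    return f"({attr}=*)"


def and_(*terms: str) -> str:
    return "(&" + "".join(terms) + ")"


def fast_stapling_printers(min_ppm: int = 100) -> str:
    """Filter for the production-printer search described in the text."""
    return and_(
        eq("objectCategory", "printQueue"),
        ge("printPagesPerMinute", min_ppm),
        eq("printStaplingSupported", "TRUE"),
    )


def user_by_name(name: str) -> str:
    """Filter for the 'find Betty Doe and read her phone number' lookup."""
    return and_(
        eq("objectCategory", "person"),
        eq("displayName", name),
        present("telephoneNumber"),
    )


def unsafe_user_by_name(name: str) -> str:
    """The same lookup built by string concatenation with no escaping (do not use)."""
    return f"(&(objectCategory=person)(displayName={name})(telephoneNumber=*))"


if __name__ == "__main__":
    print(fast_stapling_printers())
    print(user_by_name("Betty Doe"))
    # A hostile "name" turns the unsafe filter into a match-everything query;
    # the escaped version stays a literal string comparison.
    hostile = "*)(objectClass=*"
    print(unsafe_user_by_name(hostile))
    print(user_by_name(hostile))
```

Send forest-wide queries to the Global Catalog on TCP port 3268 rather than to a DC on port 389; attributes that are not part of the GC's partial attribute set have to be read from a DC of the domain that owns the object.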
When a new object is created in AD, it is assigned a unique number called a GUID
(globally unique identifier), stored in the objectGUID attribute. The GUID is a
128-bit value that stays the same for any given object even if the object is renamed
or moved, which is why applications that reference objects in Active Directory should
record an object's GUID rather than its distinguished name and use the GC to find it
again later.
REPLICATION:
Windows 2000 networks rely heavily on AD, and thus it is very important that the
service is running, fast and accessible at all times. In order to accomplish this, the
AD database must exist on multiple servers so that if one server fails, a client can
contact a server with duplicate services and information. This not only creates
redundancy, but reduces the load on individual servers. All that needs to be done for
a domain controller to become a replication partner is to add it to the AD domain.
One of the most complex parts of making redundant servers work properly is
replicating the information and ensuring that all servers have the most up-to-date
content. Active Directory uses multimaster replication, which is another way of
stating that updates can occur on any Active Directory server. This also means that
there is no master domain controller; all DCs work together in a peer relationship.
Each server keeps track of which updates it has received from which servers, and can
intelligently request only the necessary updates after a failure. This is accomplished
via update sequence numbers (USNs). Each DC keeps its own USN counter, which is
incremented whenever a change is written to its copy of the directory, whether the
change originated locally or arrived through replication; a DC asks each partner only
for entries above the highest USN it last received from that partner.
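To make the USN mechanism concrete, here is an added example (a deliberately simplified model written for this page, not Microsoft's replication code) of three DCs that each keep a per-DC USN counter, remember the highest USN pulled from each partner, and skip a change that has already reached them by another route. The object names come from the DN examples earlier on the page; everything else is constructed.

```python
"""Simplified model of multimaster replication driven by update sequence
numbers (USNs). Added example, not code from the original tutorial and not
Microsoft's implementation: the per-partner watermark and the table of
'highest originating USN seen from each DC' are reduced to the minimum
needed to show why a DC can ask a partner for only the changes it lacks.
Changes from one originating DC are assumed to arrive in order.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    dn: str            # object changed
    attr: str
    value: str
    origin: str        # DC where the write was first made
    origin_usn: int    # that DC's USN when it made the write


@dataclass
class DomainController:
    name: str
    usn: int = 0                                   # local counter, bumped per write
    log: list = field(default_factory=list)        # (local USN, Change) pairs
    objects: dict = field(default_factory=dict)    # dn -> {attr: value}
    high_watermark: dict = field(default_factory=dict)  # partner -> last local USN pulled
    seen: dict = field(default_factory=dict)       # origin DC -> highest origin USN applied

    def _apply(self, change: Change) -> None:
        self.usn += 1                              # every write, local or replicated, bumps the USN
        self.log.append((self.usn, change))
        self.objects.setdefault(change.dn, {})[change.attr] = change.value
        self.seen[change.origin] = max(self.seen.get(change.origin, 0), change.origin_usn)

    def write(self, dn: str, attr: str, value: str) -> Change:
        """An originating write; any DC may accept one (multimaster)."""
        change = Change(dn, attr, value, self.name, self.usn + 1)
        self._apply(change)
        return change

    def changes_since(self, usn: int) -> list:
        return [(u, c) for u, c in self.log if u > usn]

    def pull_from(self, partner: "DomainController") -> int:
        """Ask partner only for entries above our watermark for it, and skip
        any whose originating write we already received via another path.
        Returns the number of changes actually applied."""
        applied = 0
        start = self.high_watermark.get(partner.name, 0)
        for partner_usn, change in partner.changes_since(start):
            if change.origin_usn > self.seen.get(change.origin, 0):
                self._apply(change)
                applied += 1
            self.high_watermark[partner.name] = partner_usn
        return applied


def demo() -> dict:
    """Three DCs; a write on DC1 reaches DC3 both directly and via DC2."""
    dc1, dc2, dc3 = DomainController("DC1"), DomainController("DC2"), DomainController("DC3")
    dc1.write("CN=WOPR,CN=Computers,DC=mcmcse,DC=com", "description", "game server")
    dc2.write("CN=Jason Sprague,CN=Users,DC=mcmcse,DC=com", "telephoneNumber", "555-0100")
    first = dc2.pull_from(dc1)      # DC2 receives DC1's write
    direct = dc3.pull_from(dc1)     # DC3 receives the same write directly
    dampened = dc3.pull_from(dc2)   # DC3 now needs only DC2's own write
    second = dc3.pull_from(dc1)     # nothing above the watermark: no traffic
    return {"first": first, "direct": direct, "dampened": dampened,
            "second": second, "dc3_objects": dc3.objects}


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The counts returned by demo() are the point: the write that DC3 already holds is not applied a second time when it arrives through DC2, and a repeat pull from DC1 transfers nothing because DC3's watermark for DC1 is already current.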
Flexible Single Master Operation:
To prevent update conflicts, Active Directory performs updates to certain objects in a
single-master fashion. In a single-master model, only one domain controller handles a
given kind of update. Windows 2000 Active Directory extends the single-master model
to include multiple roles and the ability to transfer a role to any DC. Since a role is
not bound to a single DC, it is referred to as a Flexible Single Master Operation
(FSMO) role. There are five FSMO roles, as follows:
 Schema Master
Remember from earlier that the schema is the list of attributes that define a given
object type. The schema master is the DC responsible for performing updates to the
directory schema; it is the only DC that can process such updates. Once a schema
update is complete, it is replicated from the schema master to all other DCs in the
forest. There is only one schema master per forest. Because schema changes affect
every domain and cannot be rolled back (an attribute can be deactivated but not
deleted), keep the Schema Admins group empty except while a change is actually
being made.
 Domain Naming Master
The domain naming master controls the addition and removal of domains in a forest.
This DC is the only one that can add or remove a domain from the directory. There
is one per forest.
 RID Master
The RID master (Relative Identifier master) hands out blocks of relative identifiers to
the domain controllers in its domain so that they can assign a unique SID to each
object that requires one. Every security principal's SID begins with the domain SID,
which is common to all objects in the domain; what makes a SID unique is the RID on
the end, which is unique within the domain. The RID master is also responsible for
moving an object out of its domain and into another domain. There is one per
domain.
 PDC Emulator
The PDC emulator acts like a PDC from a Windows NT 4.0 network and is necessary
in domains that are not pure Windows 2000 (i.e. that still have Windows 95/98/NT
down-level clients or NT 4.0 BDCs). If the domain is running in Native Mode, this
server is still the "preferred" replication partner for the other DCs for password
changes, and it also handles account lockouts and authentication failures. There is
one per domain.
 Infrastructure Master
The infrastructure master updates references to objects in other domains (for
example, users from another domain that are members of a local group) when those
objects are renamed or moved. There is one per domain. Unless every DC in the
domain is also a Global Catalog server, this role should not be held by a GC, or the
cross-domain references will never be updated.
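The SID/RID split described under RID Master above is worth seeing in code. The following is an added example, not from the original tutorial, that splits a SID string into its domain SID and RID, recognizes a few well-known RIDs, and converts between the string form and the binary form Active Directory stores in an object's objectSid attribute. The sample SID is constructed. The practitioner's point is that the RID is what identifies an account: RID 500 is the built-in Administrator no matter what the account has been renamed to.

```python
"""Decompose Windows security identifiers (SIDs) into domain SID and RID.

Added example, not code from the original tutorial. The sample SID used in
the demo is constructed; the binary layout (revision byte, sub-authority
count byte, 48-bit big-endian identifier authority, then 32-bit little-endian
sub-authorities) is the format stored in the objectSid attribute.
"""
import struct

# Well-known RIDs: the value is fixed by Windows, the domain part varies.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid: str) -> tuple:
    """'S-1-5-21-a-b-c-500' -> (revision, identifier_authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return revision, authority, subs


def split_domain_rid(sid: str) -> tuple:
    """Return (domain SID, RID).

    Domain account SIDs are S-1-5-21-<three numbers>-<RID>; the final
    sub-authority is the RID the RID master allocated.
    """
    revision, authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs[:4]])
    return domain, subs[4]


def is_domain_account_sid(sid: str) -> bool:
    try:
        split_domain_rid(sid)
        return True
    except ValueError:
        return False


def describe(sid: str) -> str:
    domain, rid = split_domain_rid(sid)
    label = WELL_KNOWN_RIDS.get(rid, "allocated by the RID master")
    return f"{domain} + RID {rid} ({label})"


def sid_to_bytes(sid: str) -> bytes:
    """String form -> binary objectSid form."""
    revision, authority, subs = parse_sid(sid)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(raw: bytes) -> str:
    """Binary objectSid form -> string form, checking the length field."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


if __name__ == "__main__":
    sample = "S-1-5-21-1004336348-1177238915-682003330-500"   # constructed
    print(describe(sample))
    print(sid_to_bytes(sample).hex())
    print(sid_from_bytes(sid_to_bytes(sample)) == sample)
```

Built-in SIDs such as S-1-5-32-544 (the local Administrators group) have no domain part and no RID from the RID master, so split_domain_rid rejects them.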
Security:
There are now three scopes of groups in Windows 2000:
 Domain Local (similar to an NT 4.0 local group)
 Global
 Universal
The rules remain the same for domain local and global groups, except that you can
now nest groups in Native Mode. Universal groups can have members from any domain
in the forest and can be used to assign access to any resource in any domain; their
membership is stored in the Global Catalog, and universal security groups can only
be created in Native Mode. The recommended pattern is unchanged from NT 4.0:
accounts go into global groups, global groups go into domain local groups, and the
domain local groups are assigned permissions on the resource.
Each group is also one of two types - security or distribution. Security groups are the
ones we are familiar with from NT 4.0 and can appear in access control lists;
distribution groups cannot be used to grant access and are used primarily by
Exchange 2000 or any other Active Directory-aware mail application.
Group Policy:
Group Policy in Windows 2000 is one of its largest administrative enhancements and
is designed to enable administrators to control the environment with minimal effort.
Group Policy is administered through the Group Policy Microsoft Management
Console (MMC) snap-in. Group policies are not applied to "groups"; they are linked to
sites, domains and OUs. There are five major categories that group policies can be
configured for:
 Folder redirection: Store users' folders (my documents, my pictures) on the
network.
 Security: Similar to account policies under user manager in NT4 - includes settings
for the local computer, the domain, and network security.
 Administrative Templates - NT4 administrators will recognize this section as
system policies - in a much more convenient and flexible configuration. Included are
desktop, application, and system settings.
 Software Installation - Completely new - enables an administrator to have
software installed automatically at the client machine - or removed automatically.
 Scripts - similar to logon scripts in NT4, but we can now specify a startup and a
shutdown script for the computer as well as a logon and a logoff script for the user.
An administrator can create several Group Policy Objects (GPOs) and link each one to
the site, domain or OU whose computers or users need the settings contained in that
GPO. (Each GPO is stored partly in Active Directory, as a Group Policy Container
(GPC), and partly in the SYSVOL share, as a Group Policy Template.) If you want to
exclude certain users or computers from processing a GPO linked to the site, domain
or OU that they belong to, you can simply remove those users' or groups' "Apply
Group Policy" permission on the GPO. This effectively creates a filter. You can also
delegate control over GPOs so that a manager can change what a GPO does for his or
her department, but can't create any new GPOs or change the scope of a GPO.
It is also possible to disable a Group Policy link without deleting the GPO. If you do
this (from Group Policy - Options), it only disables the GPO for that container and
any sub-containers that inherit settings from it. If another administrator linked the
same GPO from another container, the GPO is still active in that container.
Software can be efficiently deployed, updated and removed using Group Policies and
two technologies built into Windows 2000 - Windows Installer and Software
Installation and Maintenance.
 Windows Installer will replace Setup.exe for many applications. Its advantages
include the ability to build custom installations, enable programs to "repair"
themselves if a critical file is missing or corrupt and to remove themselves very
cleanly when necessary.
 Software Installation and Maintenance combines Group Policies and Active
Directory technologies to enable an administrator to install, manage and remove
software across the network. This is only available for Windows 2000 clients.
When you deploy software, you can choose to assign it or publish it. Assigned
software can be targeted at users or computers. If you assign an application to a
USER, the icons show up on the desktop and/or start menu, but the program is only
installed when the user runs it for the first time. If it is assigned to a COMPUTER, it's
installed the next time the system is restarted.
If you publish an application, the user can install it through Add/Remove Programs or
through opening a file that requires that particular program(a file association).
Published programs cannot self repair, cannot be published to computers and are not
advertised on the users' desktop or start menu - only through add/remove
programs.
Assigned applications require a Windows Installer file (.msi), while published
applications can use Windows Installer files or ZAP files. A .ZAP file is an
administrator-created text file that specifies the setup program to run and the file
extensions associated with the application. Installations that use .ZAP files cannot
self-repair, run with the logged-on user's privileges rather than the elevated
privileges of the Windows Installer service (so they fail for restricted users), and
will typically require user intervention to completely install.
You can deploy upgrades using GPO's simply by specifying which program is to be
upgraded and whether or not it is a mandatory upgrade. You can apply service packs
or patches by "re-deploying" an existing Group Policy with the new information
regarding the service pack.
Active Directory Utilities:
Utility - Purpose
SIDwalker - Security Administration Tools. Consists of 3 programs: showaccs.exe,
sidwalk.exe and Security Migration Editor (MMC snap-in). The first two are used to
examine and change ACL entries; Security Migration Editor edits mappings between
old and new security IDs (SIDs).
repadmin.exe - Replication Diagnostics Tool. Check replication consistency between
partners and replication status, force replication events and Knowledge Consistency
Checker recalculation.
acldiag.exe - ACL Diagnostics. Used to determine whether users have been granted or
denied access to AD objects. Can be used to reset access control lists to their default
values.
ADSI Edit - Low-level editor for Active Directory which enables adding, moving, and
deleting objects within Active Directory.
dfsutil.exe - Distributed File System Utility. Manages all aspects of the distributed
file system.
dnscmd.exe - DNS Server Troubleshooting Tool. Check dynamic registration of DNS
resource records, including secure DNS update, and unregister resource records.
dsacls.exe - View or modify ACLs of objects in AD.
nltest.exe - List domain controllers, force a shutdown, and provide information about
trusts and replication.
dsastat.exe - Active Directory Diagnostic Tool. Compare naming contexts on domain
controllers and detect differences.
ldp.exe - Allows LDAP operations to be performed against Active Directory.
movetree.exe - AD Object Manager. Move AD objects such as OUs and users between
domains in a single forest.
netdom.exe - Windows 2000 Domain Manager. Used to manage Windows 2000 domains
and trust relationships.
replmon.exe - Active Directory Replication Monitor. Graphically displays replication
topology, monitors status, forces replication and Knowledge Consistency Checker
recalculation.
sdcheck.exe - Security Descriptor Check Utility. Verify ACL propagation and
replication for specified objects in a directory.