Active Directory in Windows Server 2003
This page is designed to help those who are new to Microsoft’s Active Directory. My goal is to get you started with the key terms and concepts. For those with some experience already, I want to help plug gaps in your knowledge.
Just as you might get the perspective of a diamond by looking at its different facets, so I want you to build up a picture of Active Directory by examining its many aspects.
Seven Aspects of Active Directory
- Active Directory as the Successor to NT 4.0's SAM database
- An object based system, e.g. Object (User), Attribute (Logon name), Value (GuyT)
- A search mechanism to retrieve those resources from its database
- The Physical side of Active Directory, sites, subnets and site links
- Logical Structure – Forest, Tree, Domain and Organizational Units
- The Schema and how it defines the Active Directory objects and attributes
- Group Policy – Thanks to Active Directory we can lock down the desktop and assign software
Every successful operating system needs an authentication mechanism. Novell developed the marvellous NDS tree, while UNIX has powerful directory services to manage its users. By the year 2000, NT 4.0's SAM had become an embarrassment, and Microsoft developed the directory service we know as Active Directory. As a matter of interest, the Active Directory database file that takes over the role of NT 4.0's SAM is called NTDS.DIT (Directory Information Tree).
The NT 4.0 SAM database was very thin, both in the number of users it could hold and in the range of their properties. The only information SAM stored was usernames and their passwords. Active Directory, on the other hand, can store many more attributes of the user object. To examine and configure these attributes, launch Active Directory Users and Computers and browse through a user's Properties tabs. There you will discover a whole range of attributes, for example telephone number, manager, email address, certificates and dial-in properties.
See more on Active Directory Attributes
Microsoft do not change menu names without good reason; if you go to the Start Menu in Windows Server 2003 you will see that Find (NT 4.0) has been replaced by Search. Once you launch Search, you will see the file system in the upper window; however, it is the lower section that I am interested in, because this is where you can search for Computers, Printers or People. Using this part of Search, you are actually querying Active Directory to retrieve the objects you are interested in.
Technically you are using a protocol, or query language, called LDAP (Lightweight Directory Access Protocol). What LDAP does is provide directions, so that objects can be found in the Active Directory database. LDAP is an important language, particularly useful for advanced troubleshooting and for making changes suggested by TechNet articles.
To learn more about LDAP, install the Support Tools from the Server CD and experiment with ADSI.
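As an added example (not code from the original page), here are the two pieces a search tool assembles before it talks to a domain controller: the base distinguished name derived from the domain's DNS name, and an LDAP filter for the People, Computers or Printers category with the typed value escaped per RFC 4515. The domain and user names are constructed sample values.

```python
# Added example, not code from the original page: the LDAP pieces behind the
# Server 2003 Search window (People / Computers / Printers). Domain and user
# names are constructed sample values.

def domain_to_base_dn(dns_name):
    """DNS name of a domain -> distinguished name of its partition.
    "son.OurCompany.com" -> "DC=son,DC=OurCompany,DC=com"
    """
    labels = [label for label in dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)

# RFC 4515: these characters are special inside a filter value and must be
# written as \XX, so a value typed by a user cannot change the filter's shape.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# objectCategory / objectClass pairs for the three Search categories.
_CATEGORIES = {
    "people": ("person", "user"),
    "computers": ("computer", "computer"),
    "printers": ("printQueue", "printQueue"),
}

def search_filter(category, attribute, value):
    """LDAP filter for one Search category, with the value escaped."""
    object_category, object_class = _CATEGORIES[category]
    return (f"(&(objectCategory={object_category})(objectClass={object_class})"
            f"({attribute}={escape_filter_value(value)}))")

def search_request(dns_domain, category, attribute, value):
    """Base DN, scope and filter: what a search tool sends to a domain controller."""
    return {"base": domain_to_base_dn(dns_domain), "scope": "subtree",
            "filter": search_filter(category, attribute, value)}

if __name__ == "__main__":
    print(search_request("OurCompany.com", "people", "sAMAccountName", "GuyT"))
    # Parentheses in a display name are escaped instead of breaking the filter.
    print(search_filter("people", "displayName", "Thomas (Guy)"))
```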
The physical side of Active Directory means your sites and subnets. If you are familiar with Exchange then the site concept is the same in Server 2003. SUB NET = split the network, so you split your network into subnets. The network routers join these subnets to form sites. Your practical task is to tell Active Directory about the physical sites; Microsoft provide a snap-in to help you define the sites. Once the sites are created, you configure the Active Directory replication through Site Links. Lastly, double check that the domain controller objects are in the correct subnet of the correct site.
There are two main reasons for creating a site: slow network connections and the need to control Active Directory replication traffic. What confuses beginners is that there is no relationship between sites and domains. Amateurs think there is a one-to-one relationship between a site and a domain – wrong. You can have one domain with many sites. Multi-nationals may need one site to contain domain controllers from three different domains.
Plan your sites with a TCP/IP and router expert; thereafter you will only need an occasional change to the configuration. Users and computers, on the other hand, always seem to need their Active Directory settings changing.
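The last step of the sites procedure above, checking that each domain controller really belongs to the subnet and site its object was placed in, can be rehearsed offline. This is an added example, not code from the original page; the site names, subnets and addresses are constructed sample values.

```python
# Added example, not code from the original page: the "double check" step of
# the sites procedure above, done offline. Site names, subnets and addresses
# are constructed sample values.
import ipaddress

# Site -> subnets, as you would enter them in the sites snap-in.
SITES = {
    "Worcester": ["10.1.0.0/16"],
    "Worcester-Lab": ["10.1.5.0/24"],   # more specific subnet inside the /16
    "London": ["10.2.0.0/16"],
    "Branch": ["192.168.10.0/24"],
}

# DC name -> (site that holds the DC's server object, DC's IP address).
DOMAIN_CONTROLLERS = {
    "DC1": ("Worcester-Lab", "10.1.5.20"),
    "DC2": ("London", "10.2.7.9"),
    "DC3": ("Branch", "10.3.0.4"),      # no subnet covers this address
    "DC4": ("London", "10.1.8.1"),      # server object sits in the wrong site
}

def site_for_address(address, sites):
    """Longest-prefix match of an address against every site's subnets."""
    ip = ipaddress.ip_address(address)
    best_site, best_prefix = None, -1
    for site, subnets in sites.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_prefix:
                best_site, best_prefix = site, net.prefixlen
    return best_site

def audit_domain_controllers(dcs, sites):
    """Return {dc: problem} for DCs whose address and site object disagree."""
    problems = {}
    for dc, (object_site, address) in dcs.items():
        actual = site_for_address(address, sites)
        if actual is None:
            problems[dc] = f"{address} is not covered by any subnet"
        elif actual != object_site:
            problems[dc] = (f"{address} is in a subnet of site {actual}, "
                            f"but the server object is in {object_site}")
    return problems

if __name__ == "__main__":
    for dc, problem in audit_domain_controllers(DOMAIN_CONTROLLERS, SITES).items():
        print(f"{dc}: {problem}")
```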
How you view the logical side of Active Directory depends on your company background. Small companies will start with just one Domain and focus their efforts on how many Organizational Units they need. A network architect of a large company will be primarily concerned with how to link DNS names with Domain names: should they have a blank root domain, and would that subsidiary be best in its own tree?
- Forest – Two or more trees. Each tree has a distinct name e.g. OurCompany.com and SubsidiaryCo.org
- Tree – Two or more domains with the same namespace e.g. OurCompany.com and son.OurCompany.com
- Domain – Remains the basic unit of security and replication
- Organization Unit – Sub division of a Domain. Used with delegation, management and Group Policy
- Parent / Child – The two way, transitive trust relationship between two domains
- Root Domain – The first domain that you create, has additional powerful groups e.g. Enterprise Admins
- Contiguous namespace – Catchphrase to describe a tree where all the domains share a common parent name (e.g. every domain ends in OurCompany.com)
- Schema – The definition of objects and attributes for the whole forest. Every domain, in every tree, has the same schema partition in Active Directory.
- See more about analyzing Active Directory Permissions.
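The definitions above can be applied mechanically to a list of DNS domain names: a child domain's name is its parent's name with one extra leading label, domains that chain back to the same root form one tree with a contiguous namespace, and each parent/child pair carries a two-way transitive trust. This is an added example, not code from the original page; it uses the page's sample names plus constructed extra domains.

```python
# Added example, not code from the original page: deriving forest, tree and
# parent/child relationships from DNS names, using the page's sample names plus
# constructed extras. A child domain's DNS name is its parent's name with one
# extra leading label; a domain whose direct parent is absent is a tree root.

DOMAINS = ["OurCompany.com", "son.OurCompany.com", "daughter.OurCompany.com",
           "grandson.son.OurCompany.com", "SubsidiaryCo.org"]

def parent_of(domain, domains):
    """Direct parent of `domain` if it is in `domains`, otherwise None."""
    known = {d.lower() for d in domains}
    labels = domain.lower().split(".")
    parent = ".".join(labels[1:])
    return parent if parent in known else None

def build_forest(domains):
    """Map each tree root to the domains of that tree with parent and depth."""
    parents = {d.lower(): parent_of(d, domains) for d in domains}
    forest = {}
    for domain in parents:
        depth, root = 0, domain
        while parents[root] is not None:
            root, depth = parents[root], depth + 1
        forest.setdefault(root, []).append(
            {"domain": domain, "parent": parents[domain], "depth": depth})
    return forest

def parent_child_trusts(domains):
    """The two-way transitive trusts that exist between each parent and child."""
    return sorted((p, d) for d, p in
                  ((d.lower(), parent_of(d, domains)) for d in domains) if p)

def contiguous(a, b, domains):
    """True when a and b belong to the same tree (shared contiguous namespace)."""
    forest = build_forest(domains)
    members = {root: {m["domain"] for m in tree} for root, tree in forest.items()}
    return any({a.lower(), b.lower()} <= tree for tree in members.values())

if __name__ == "__main__":
    for root, tree in build_forest(DOMAINS).items():
        print(f"tree {root}: {[m['domain'] for m in tree]}")
    print(parent_child_trusts(DOMAINS))
```

Domain names are compared case-insensitively, as DNS does, so the returned names are lower-cased.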
At its heart, Active Directory is an object based system. The main objects are Users, Computers, Sites and Printers. Microsoft has built these objects from attributes, for example Common name (CN), Location, Department and many more. Our role as administrators is to set the values, for example Common name = guyt, Location = Worcester. At this stage in our education, all we need to know is this: we configure the values through Active Directory Users and Computers; we do not mess with the Schema itself – that is a job for a developer.
The only other practical point we need to be aware of is that when you install Exchange 2000 or 2003, you have to be a member of the Schema Admins and Enterprise Admins groups. Also, once Exchange is installed, the User objects will have more tabs with attributes like Mailbox, email address and instant messaging.
7) Group Policy and Active Directory
My first point is that without Active Directory, there would be no Group Policies. Group policies encourage central control of the desktop. Your mantra should be ‘prevention is better than cure’. My vision of a group policy is to pamper users with all the software they need, yet deny them access to any part of the computer where they have no business to roam.
The best kept secret of group policy is the chance to assign software to users. Many administrators get so carried away locking down the desktop that they overlook the chance to deploy software. The advantage of this method of rolling out software is the ease with which you can service pack or update the .MSI installer files.
Do you remember the Organizational Units? Well, part of the reason for creating them was so that you could apply group policies. I mention this as a justification for studying all the facets of Active Directory before you start configuring. The one group policy that you need to apply at the domain level is the security policy. Reluctantly, I will leave further discussion to the Group Policy 2003 section.