Windows Active Directory (AD)
Fig. 1
- Objects with attributes and own Access Control List (ACL)
- Container - a special kind of object that can contain other objects
Fig. 2
- abstraction of the object information in the AD store
- When a user makes an inquiry about an object, the query is passed to the Global Catalog (GC)
A. File Structure
- AD stores database and log files.
1. Database
Ntds.dit - all domain info
2. Log Files
- Transaction log - edb.log
- Checkpoint log - edb.chk, tracks which logged transactions are committed to the database and which are still uncommitted
- Reserved log - resX.log
- Patch files - X.pat, used during backup and restore of AD
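The files listed above are the crown jewels of a domain, so a defender's first check is where they live and who can read them. This is an added example, not part of the notes; it assumes it runs locally on a domain controller with administrative rights and reads the file locations from the NTDS service's registry parameters.

```powershell
# Added example (not from the notes): locate the AD database and log files on a DC
# and flag any identity beyond the expected system principals that has access.
# Assumes: run as an administrator on the domain controller itself.
$ntds   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntds.'DSA Database file'         # ntds.dit
$logDir = $ntds.'Database log files path'   # edb.log, edb.chk, reserved logs

# Principals that legitimately appear in the ACL of the DIT and its logs.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Audit the database file plus every file in the log directory.
$targets = @($dbFile) + (Get-ChildItem -Path $logDir -File).FullName

foreach ($path in $targets) {
    if (-not (Test-Path -Path $path)) { continue }
    $acl = Get-Acl -Path $path
    $unexpected = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($allowed -notcontains $_.IdentityReference.Value)
    }
    [pscustomobject]@{
        File       = $path
        SizeMB     = [math]::Round((Get-Item -Path $path).Length / 1MB, 1)
        Owner      = $acl.Owner
        # Empty means only the expected principals hold Allow ACEs.
        Unexpected = ($unexpected | ForEach-Object {
            "$($_.IdentityReference) : $($_.FileSystemRights)" }) -join '; '
    }
}
```

Any non-empty Unexpected column is worth investigating, since read access to ntds.dit is equivalent to holding every password hash in the domain.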
B. Data Stores and Partitions
- Three types of partitions are used to facilitate info storage and replication:
- Schema data - definitions of the objects that are available
- Config data - logical structure of the domain
- Domain data - relates strictly to the domain and is not replicated to any other domain
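Each partition is published by a DC as a naming context in its rootDSE, and the GC described earlier is a role held by particular DCs. This added example (not from the notes) maps those naming contexts onto the three partition types and then lists which DCs answer GC queries; it assumes the ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the notes): classify the naming contexts a DC publishes
# and list the DCs that host the global catalog.
# Assumes: ActiveDirectory module available, session is domain-joined.
Import-Module ActiveDirectory
$root = Get-ADRootDSE

$partitions = foreach ($nc in $root.namingContexts) {
    if     ($nc -eq $root.schemaNamingContext)        { $kind = 'Schema data (forest-wide)' }
    elseif ($nc -eq $root.configurationNamingContext) { $kind = 'Config data (forest-wide)' }
    elseif ($nc -eq $root.defaultNamingContext)       { $kind = 'Domain data (this domain only)' }
    else   { $kind = 'Application partition (e.g. DNS zones, replicated by subscription)' }
    [pscustomobject]@{ Partition = $nc; Kind = $kind }
}
$partitions | Format-Table -AutoSize

# DCs flagged as global catalog servers; the GC listens on LDAP port 3268.
Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true' | ForEach-Object {
    $reach = Test-NetConnection -ComputerName $_.HostName -Port 3268 -WarningAction SilentlyContinue
    [pscustomobject]@{
        GlobalCatalog = $_.HostName
        Site          = $_.Site
        Port3268Open  = $reach.TcpTestSucceeded
    }
} | Format-Table -AutoSize
```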
C. SA Relevance
- Simplifies management - provides a single, consistent point of management for users, applications, and devices
- Strengthens security - provides users with a single sign-on to network resources and provides administrators with powerful and consistent tools to manage security services for internal desktop users, remote dial-up users, and external e-commerce customers
- Extends interoperability - supplies standards-based access to all Active Directory features as well as synchronization support for popular directories
II. AD Structural Components
There are 3 structural components in AD:
- logical - primary, involves organization
- physical - primary, involves communication
- schema - defines objects that make up the AD (more later)
A. Logical Structure
- AD objects are organized in a hierarchical domain model as seen earlier in Fig. 2 and below in Fig. 3.
Fig. 3
- Each domain has its own security perms and unique security relationship with other domains.
- Multi-master replication model is used to communicate info between domains (this is in contrast to single-master replication, in which all changes must be made to a single, authoritative directory replica).
Fig. 4
- Domain model building blocks consist of: domains, domain trees, forests, organizational units, the schema
1. Domains - comprise computer systems and network resources that share a common logical security boundary.
- Groupings of resources that utilize a common domain name. (E.g. reskit.com)
- All domain controllers (DC) contain the following info in their AD:
- data on every object within the domain
- metadata about other domains in the tree or forest
- listing of all domains in the tree or forest
- location of the server with GC
2. Domain Tree - a grouping or hierarchical arrangement of one or more Windows domains that you create by adding one or more child domains to an existing domain. It's created when multiple domains share common schema, security trust relationship and a GC. It's defined by a contiguous namespace.
Fig. 5
3. Domain Forest - a grouping or hierarchical arrangement of one or more separate, completely independent Windows domain trees. Some characteristics:
- All trees share common schema
- Trees in a forest have different naming structures, according to their domains.
- All domains in a forest share common GC
- Domains in the forest operate independently, but the forest enables communication across the entire organization.
- Implicit 2-way trust exists between domains and domain trees.
Fig. 6
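The forest, tree and trust relationships above can be read straight out of the directory. This added example (not from the notes) inventories the forest's domains, marks each as a tree root or child, and lists trusts with the settings a defender reviews; it assumes the ActiveDirectory module on a domain-joined host with read access to the forest.

```powershell
# Added example (not from the notes): forest, domain tree and trust inventory.
# Assumes: ActiveDirectory module available, domain-joined session.
Import-Module ActiveDirectory
$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Schema master      : $($forest.SchemaMaster)"
"Global catalogs    : $($forest.GlobalCatalogs -join ', ')"

# A child domain carries its parent's name; a domain with no parent starts a tree.
foreach ($name in $forest.Domains) {
    $dom  = Get-ADDomain -Identity $name
    $role = if ($dom.ParentDomain) { "child of $($dom.ParentDomain)" } else { 'tree root' }
    "  $($dom.DNSRoot) : $role"
}

# Intra-forest trusts are the implicit two-way trusts from the notes; any trust
# that is not intra-forest was created explicitly and should be reviewed.
Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Partner          = $_.Name
        Direction        = $_.Direction
        IntraForest      = $_.IntraForest
        ForestTransitive = $_.ForestTransitive
        SIDFiltering     = $_.SIDFilteringQuarantined   # should be True for external trusts
        SelectiveAuth    = $_.SelectiveAuthentication
    }
} | Format-Table -AutoSize
```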
4. Organizational Units (OU) - a container used to organize objects within the domain into logical administrative groups that mirror the functional or business structure of an organization. Some characteristics:
- Can contain objects such as user accounts, groups, computers, printers, etc.
- Provides a means for handling administrative tasks, as they are the smallest scope to which you can delegate admin rights. This provides a way to delegate administration of users and resources.
Fig. 7
5. Schema - a list of definitions that defines the kinds of objects and the types of info about those objects that can be stored in the AD.
- The 2 types of definitions or base components:
- object classes - definitions of object types that can be created in AD
- attributes - definitions of the pieces of info an object can hold
- Schema - AD mechanism for storing object classes
B. Physical Structure
There are 2 physical components in AD:
- Site
- Domain Controllers
1. Site - combination of one or more Internet Protocol (IP) subnets connected by a highly reliable and fast (512Kbps) link to localize as much network traffic as possible.
- Sites are not part of the AD namespace.
- Sites contain only computer objects and connection objects used to configure replication between sites.
- A single domain can span multiple geographical sites, and a site can include users and computers belonging to multiple domains.
2. Domain Controller (DC) - computer running a type of Windows server that stores a replica of the domain directory. Some characteristics of DCs:
- Each DC stores a complete copy of all AD info for that domain, manages changes and replicates those changes to other DCs
- DCs automatically replicate all objects in the domain to each other. (you can specify how often)
- DCs immediately replicate certain updates such as disabling user accounts
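Because every DC is a writable replica, a DC that is not replicating is a DC that may still honour an account you disabled elsewhere. This added example (not from the notes) walks the physical structure, sites, their subnets and the DCs in each, and then surfaces replication failures; it assumes the ActiveDirectory module and rights to read replication metadata.

```powershell
# Added example (not from the notes): site/subnet/DC inventory plus replication health.
# Assumes: ActiveDirectory module available, rights to query replication metadata.
Import-Module ActiveDirectory
$dcs     = Get-ADDomainController -Filter *
$subnets = Get-ADReplicationSubnet -Filter *

foreach ($site in Get-ADReplicationSite -Filter *) {
    $siteDcs = $dcs | Where-Object { $_.Site -eq $site.Name }
    # A subnet's Site property is the DN of its site object.
    $siteNets = $subnets | Where-Object { $_.Site -like "CN=$($site.Name),*" }
    "Site $($site.Name): $($siteDcs.Count) DC(s), $($siteNets.Count) subnet(s)"
    foreach ($dc in $siteDcs) { "    DC $($dc.HostName)  GC=$($dc.IsGlobalCatalog)" }
}

# Subnets not bound to a site break client site-awareness; report them.
$subnets | Where-Object { -not $_.Site } | ForEach-Object { "Unassigned subnet: $($_.Name)" }

# Replication failures per DC: a non-converging replica can lag on urgent
# updates such as an account disable.
foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Server       = $dc.HostName
            Partner      = $_.Partner
            FailureCount = $_.FailureCount
            FirstFailure = $_.FirstFailureTime
            LastError    = $_.LastError
        }
    }
}
```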
III. Conclusion
Active Directory services within Windows provide a focal point for managing
and securing Windows user accounts, clients, servers, and applications. In addition,
Active Directory is designed to integrate with the non-Windows directories within
existing systems, applications, and devices to provide a single place and a
consistent way of managing an entire network infrastructure. In this way, Active
Directory increases the value of an organization's existing investments and
lowers the overall costs of computing by reducing the number of places where
administrators need to manage directory information.
Next meeting: AD Management and Use