Active Directory Basics
What is Active Directory? It's an enterprise-wide distributed database of objects with properties. Examples of objects are users, computers, domain controllers, and printers, as well as containers that may contain other objects. Notice that files are Windows securable objects, but they are not represented in Active Directory. As already mentioned, Active Directory is a core piece of the Windows 2000 architecture.

Everyone is probably familiar with White Pages or Yellow Pages telephone directories. These directories contain items (entries) with a limited set of properties such as name, telephone and address. Another example would be an online store you can buy things from; items there would probably contain a description and a price. The same idea is behind Active Directory: to store objects with their properties. For example, a user object might have a first name, a last name, a telephone number, an identifier of some kind, etc. Active Directory provides the means to access and modify its information electronically.

Two simple and powerful ideas lie at the foundation of Active Directory: the Lightweight Directory Access Protocol (LDAP) and integration with the Domain Name System (DNS). DNS and LDAP are not Microsoft inventions. They are Internet standards. LDAP is defined in RFC 2251, and DNS in a collection of RFCs (the most important ones are 1033, 1034, and 1035). DNS defines how to find things on networks. LDAP defines a protocol to communicate with electronic directories. DNS integration means that it is possible to use nslookup to locate an Active Directory server. For example, in the Figure below I have started nslookup, set the server to be 192.168.2.2, set q=any, and then queried for _ldap._tcp.myresearch.local.
Locating LDAP provider using nslookup.
As you can see, the server has returned some data (priority 0, weight 100, port 389) for the server frosty.myresearch.local, as well as its IP address (192.168.2.2). I have located the machine that hosts the directory server for the domain myresearch.local. In a similar way you can look for a global catalog. The difference is that you query for _gc._tcp.myresearch.local.
Finding global catalog for a domain.
This section provides only a very brief and basic overview of Active Directory. Refer to specialized books for more details on its design and functionality.

So, we have domain directories as well as global catalogs. Directories are available through LDAP on port 389, and global catalogs on port 3268. If I had several domain controllers in my domain, the query would return several machines. I would then be able to choose which machine I want to talk to. The same applies to global catalogs.

What is the difference between a domain directory on port 389 and a global catalog on port 3268? The domain directory (a domain controller) hosts a complete read-write replica of all objects in the domain with a complete set of attributes. For example, to modify an object in a given domain you need to find one of the directories for this domain and speak to it using LDAP. Domain controllers automatically synchronize changes between each other. Notice that this design is different from NT 4, where you had only one primary domain controller (PDC) with a modifiable account database and optional backup domain controllers (BDCs) with read-only replicas. So, to summarize, any Windows 2000 domain controller hosts a complete writable directory of all objects in the domain.

A global catalog hosts a read-only replica of a subset of attributes for all objects in the domain forest. A domain forest is a collection of domains with a common schema and automatically created transitive trust relationships. For example, a.com represents one domain, while a.com, b.com, and c.com may be united in a forest and share the directory schema and the configuration information. Domains may have children such as child.a.com and grandchild.child.a.com; in this case they form a domain tree. No matter how complex the hierarchy is, a global catalog is supposed to hold a defined subset of attributes for all objects in all domains in the forest.
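The nslookup queries above and the port distinction just described can be put together in a small locator: build the SRV names Active Directory registers, parse the answer records, and pick a server by priority and weight. This is an added example, not code from the article; the record lines are constructed (the first mirrors the page's frosty.myresearch.local answer, the backup host is hypothetical), and the tie-breaking follows RFC 2782 rather than anything the page specifies.

```python
import random
from typing import Callable, List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Services the page discusses and the ports it gives for them.
SERVICE_PORTS = {"ldap": 389, "gc": 3268}


def srv_name(service: str, domain: str) -> str:
    """Build the DNS name to query, e.g. _ldap._tcp.myresearch.local."""
    if service not in SERVICE_PORTS:
        raise ValueError(f"unknown Active Directory service: {service}")
    return f"_{service}._tcp.{domain.rstrip('.')}"


def parse_srv(lines: List[str]) -> List[SrvRecord]:
    """Parse 'priority weight port target' lines from a DNS SRV answer."""
    records = []
    for line in lines:
        pr, wt, port, target = line.split()
        records.append(SrvRecord(int(pr), int(wt), int(port), target.rstrip(".")))
    return records


def choose_server(records: List[SrvRecord],
                  rng: Callable[[], float] = random.random) -> SrvRecord:
    """Lowest priority wins; ties are broken by weight (RFC 2782 selection)."""
    if not records:
        raise LookupError("no SRV records: directory server not found")
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    pick = rng() * total
    for r in candidates:
        pick -= r.weight
        if pick < 0:
            return r
    return candidates[-1]


# Constructed answers (hypothetical backupdc host added to show priority ordering).
LDAP_ANSWER = ["0 100 389 frosty.myresearch.local.", "10 50 389 backupdc.myresearch.local."]
GC_ANSWER = ["0 100 3268 frosty.myresearch.local."]
```

A server returned on port 389 is a domain directory and one on port 3268 a global catalog, so checking `choose_server(...).port` against `SERVICE_PORTS` tells you which kind of replica you are about to talk to.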
A global catalog is useful in a multiple-domain scenario, when you can query a local machine (a machine in your current domain) for a common attribute of objects in other domains. An administrator can assign a domain controller to be a global catalog. This may be done using the NTDS Settings properties dialog in Active Directory Sites and Services (see the two Figures below).
Active Directory sites and services tree. Right-click on the NTDS Settings entry and select Properties to invoke the dialog shown below.
Making a domain controller a global catalog.
Windows 2000 comes with the tools for Active Directory administration. The three of them are:
These tools are available on a Windows 2000 domain controller (Start - Programs - Administrative Tools). It is possible to install them on Windows 2000 Professional: double-click the adminpak.msi file in the I386 directory of the Windows 2000 Server CD.

The Active Directory schema is extensible. You can add your own classes and attributes. This is, of course, subject to security permissions. Microsoft provides the Active Directory Schema snap-in that you can include in the MMC. Notice that the three tools described above may be included in the MMC as well. Here is how to do it. Start the MMC by invoking Start - Run and typing in MMC. Then click on the Console - Add/Remove Snap-In... menu. Click on the Add button in the dialog to display the Add Standalone Snap-in dialog (see the Figure below). Select the desired snap-in and click on the Add button. Notice that it's possible to have many snap-ins in one console. Save the console in the desired location. The default location is the Administrative Tools folder, so that the new console is available via Start - Programs - Administrative Tools.
Adding individual snap-ins to the MMC.