This page is designed to help those who are new to Microsoft's Active Directory.
My goal is to get you started with the key terms and concepts. For
those with some experience already, I want to help plug gaps in your knowledge.
Just as you might get the perspective of a diamond by looking at its different
facets, so I want you to build up a picture of Active Directory by examining its
many aspects.
Every successful operating system needs an authentication mechanism. Novell developed the marvellous NDS tree, while UNIX has powerful directory services to manage its users. By the year 2000, NT 4.0's SAM had become an embarrassment, and Microsoft developed the directory service we know as Active Directory. As a matter of interest, Active Directory's counterpart to NT 4.0's SAM is a physical file called NTDS.DIT (Directory Information Tree).
The NT 4.0 SAM database was very thin, both in respect to the number of users it could hold and their range of properties. The only information SAM stored was usernames and their passwords. Active Directory, on the other hand, can store many more attributes of the user object. To examine and configure these attributes, launch Active Directory Users and Computers and browse through a user's Properties tabs. There you will discover a whole range of attributes, for example, telephone number, manager, email address, certificates and dial-in properties.
Microsoft do not change menu names without good reason; if you go to the Start Menu in Windows Server 2003 you will see that Find (NT 4.0) has been replaced by Search. Once you launch Search, you will see the file system in the upper window; however, it is the lower section that I am interested in, because this is where you can search for Computers, Printers or People. Using this part of Search, you are actually querying Active Directory to retrieve the objects you are interested in.
Technically you are using a protocol, or query language, called LDAP (Lightweight Directory Access Protocol). LDAP provides the directions for finding objects in the Active Directory database. LDAP is an important language, particularly useful for advanced troubleshooting and for making changes suggested by TechNet articles.
To learn more about LDAP, install the support tools from the Server CD and experiment with ADSI.
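To make the LDAP idea concrete, here is an added Python example (not code from this page, and not a Microsoft tool) that builds the two things every LDAP search against Active Directory needs: the base distinguished name derived from the domain's DNS name (OurCompany.com becomes DC=OurCompany,DC=com) and a search filter. The filter values are escaped as RFC 4515 requires, so a logon name or office name typed by a user is always treated as a literal value and can never alter the shape of the query. The sample names (guyt, Worcester, the domain names) are the page's own illustrations; no directory is contacted.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
# These five characters are the only ones that change how a filter is parsed.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so the LDAP server reads it as a literal
    attribute value, never as filter syntax (prevents LDAP filter injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_base_dn(dns_name: str) -> str:
    """Turn a domain's DNS name into the DN of its naming context,
    e.g. OurCompany.com -> DC=OurCompany,DC=com."""
    labels = [label for label in dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def and_filter(**attributes: str) -> str:
    """AND together equality matches on the given attributes, escaping each value.
    and_filter(cn="guyt", l="Worcester") -> (&(cn=guyt)(l=Worcester))"""
    clauses = "".join(
        f"({name}={escape_filter_value(value)})" for name, value in attributes.items()
    )
    return f"(&{clauses})"


def user_search_filter(logon_name: str) -> str:
    """Filter that matches exactly one user object by its pre-Windows 2000
    logon name (sAMAccountName), with the name escaped."""
    return and_filter(objectCategory="person", objectClass="user", sAMAccountName=logon_name)


if __name__ == "__main__":
    # Constructed sample values, taken from the page's own illustrations.
    print(domain_to_base_dn("son.OurCompany.com"))
    print(user_search_filter("guyt"))
    # An input containing filter metacharacters is neutralised by escaping.
    print(user_search_filter("o'brien (temp)*"))
```

The base DN is what you would type into the "Connect to" dialog of an LDAP tool, and the filter is what the Search window generates behind the scenes when you look for a person. Escaping matters most when the value comes from a web form or script parameter rather than from the administrator's own keyboard.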
Guy Recommends: A Free Trial of the Network Performance Monitor (NPM)
SolarWinds' Orion performance monitor will help you discover what's happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM's best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting and creating network maps, then I recommend that you take advantage of SolarWinds' offer.
The physical side of Active Directory means your sites and subnets. If you are familiar with Exchange, then the site concept is the same in Server 2003. SUB NET = split the network, so you split your network into subnets. The network routers join these subnets to form sites. Your practical task is to tell Active Directory about the physical sites; Microsoft provide a snap-in to help you define the sites. Once the sites are created, you configure Active Directory replication through Site Links. Lastly, double check that the domain controller objects are in the correct subnet of the correct site.
There are two main reasons for creating a site: slow network connections and the need to control Active Directory replication traffic. What confuses beginners is that there is no relationship between sites and domains. Amateurs think there is a one to one relationship between a site and a domain - wrong. You can have one domain with many sites. Multi-nationals may need one site to hold domain controllers from three different domains.
Plan your sites with a TCP/IP and router expert; thereafter you will only need an occasional change to the configuration. Users and computers, on the other hand, always seem to need their Active Directory settings changing.
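The last practical step above, checking that each domain controller object sits in the correct subnet of the correct site, can be automated once you know the subnet table. The following Python is an added example, not code from this page or from Microsoft's snap-in: it resolves an address to a site by longest-prefix match over the subnet-to-site table (the same rule Active Directory applies when a client looks for its nearest domain controller) and reports any DC whose configured site disagrees with the site implied by its address. The subnet table, site names and DC addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data: the subnet-to-site table an administrator would enter
# in the Sites and Services snap-in.
SUBNETS = {
    "10.1.0.0/16": "London",
    "10.1.50.0/24": "London-DataCentre",   # more specific than 10.1.0.0/16
    "10.2.0.0/16": "Worcester",
}

# Constructed sample data: each DC object's configured site and the address it reports.
DC_SITES = {
    "DC01": ("London", "10.1.50.10"),      # belongs in the more specific subnet's site
    "DC02": ("Worcester", "10.2.0.5"),     # correct
    "DC03": ("London", "192.168.9.4"),     # address covered by no subnet at all
}


def site_for_address(address: str, subnets=SUBNETS):
    """Return the site whose most specific (longest prefix) subnet contains the
    address, or None when no subnet in the table covers it."""
    ip = ipaddress.ip_address(address)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def check_dc_placement(dcs=DC_SITES, subnets=SUBNETS):
    """Compare each DC's configured site with the site its address maps to.
    Returns a list of (dc, configured_site, expected_site) for every mismatch;
    expected_site is None when the address is not in any defined subnet."""
    problems = []
    for dc, (configured, address) in dcs.items():
        expected = site_for_address(address, subnets)
        if expected != configured:
            problems.append((dc, configured, expected))
    return problems


if __name__ == "__main__":
    for dc, configured, expected in check_dc_placement():
        print(f"{dc}: configured in site {configured!r}, address maps to {expected!r}")
```

A DC with no matching subnet (DC03 above) is the case worth catching early: clients on that network segment cannot be associated with any site, so they may authenticate against a distant domain controller across a slow link.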
How you view the logical side of Active Directory depends on your company background. Small companies will start with just one Domain and focus their efforts on how many Organization Units they need. A network architect at a large company will be primarily concerned with how to link DNS names with Domain names, whether to have a blank root domain, and whether a subsidiary would be best in its own tree.
Logical Components
Forest - Two or more trees. Each tree has a distinct name e.g. OurCompany.com and SubsidiaryCo.org
Tree - Two or more domains with the same namespace e.g. OurCompany.com and son.OurCompany.com
Domain - Remains the basic unit of security and replication
Organization Unit - Sub division of a Domain. Used with delegation, management and Group Policy
Parent / Child - The two way, transitive trust relationship between two domains
Root Domain - The first domain that you create; has additional powerful groups e.g. Enterprise Admins
Contiguous namespace - Catchphrase to describe a tree where all the domains have a common suffix
Schema - The definition of objects and attributes for the whole forest. Every domain, in every tree, has the same schema partition in Active Directory.
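The Forest, Tree and Contiguous namespace entries above are all statements about DNS names, so they can be checked mechanically. The Python below is an added example, not code from this page: given the list of domain names in a forest, it walks each name up its parent names for as long as the parent is also a forest domain, and so groups the domains into trees. A name whose parent is not in the forest starts a new tree (a non-contiguous namespace), which is exactly the forest-of-two-trees situation the page uses OurCompany.com and SubsidiaryCo.org to illustrate. The eu.SubsidiaryCo.org name is a constructed addition to the page's examples. Note that this classifies by name only; the trust topology actually in force lives in the forest configuration.

```python
def parent_domain(name: str) -> str:
    """son.OurCompany.com -> ourcompany.com (names are compared case-insensitively)."""
    _, _, rest = name.lower().partition(".")
    return rest


def is_child_of(child: str, parent: str) -> bool:
    """True when child sits directly below parent in the same contiguous namespace,
    i.e. they would be linked by a parent/child trust."""
    return parent_domain(child) == parent.lower()


def group_into_trees(domains):
    """Return {tree root: [domains in that tree, root first]} for a forest's domains.
    A domain's tree root is found by walking up parent names while the parent is
    itself a domain of the forest; a domain whose parent is not in the forest is
    a tree root with its own distinct namespace."""
    names = {d.lower() for d in domains}

    def root_of(name):
        while parent_domain(name) in names:
            name = parent_domain(name)
        return name

    trees = {}
    # Shortest names first so each tree's root is listed before its children.
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        trees.setdefault(root_of(name), []).append(name)
    return trees


# Constructed sample forest, built from the page's example names plus eu.SubsidiaryCo.org.
FOREST = ["OurCompany.com", "son.OurCompany.com", "SubsidiaryCo.org", "eu.SubsidiaryCo.org"]

if __name__ == "__main__":
    for root, members in group_into_trees(FOREST).items():
        print(f"tree {root}: {', '.join(members)}")
```

Two trees in the output confirms a forest in the page's sense; one tree means every domain shares the root domain's namespace.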
At its heart, Active Directory is an object based system. The main objects are Users, Computers, Sites and Printers. Microsoft has built these objects using attributes, for example Common name (CN), Location, Department and many more. Our role as administrators is to set the values, for example Common name = guyt, Location = Worcester. At this stage in our education, all we need to know is: we configure the values through Active Directory Users and Computers, and we do not mess with the Schema itself - that is a job for a developer.
The only other practical point we need to be aware of is that when you install Exchange 2000 or 2003, you have to be a member of the Schema Admins and Enterprise Admins groups. Also, once Exchange is installed, the User objects will have more tabs with attributes like Mailbox, email address and instant messaging.
My first point is that without Active Directory, there would be no Group Policies. Group policies encourage central control of the desktop. Your mantra should be 'prevention is better than cure'. My vision of a group policy is to pamper users with all the software they need, yet deny them access to any part of the computer where they have no business to roam.
The best kept secret of group policy is the chance to assign software to users. Many administrators get so carried away locking down the desktop that they overlook the chance to deploy software. The advantage of this method of rolling out software is the ease with which you can service pack or update the .MSI installer files.
Do you remember the Organization Units? Well, part of the reason for creating them was so that you could apply group policies. I mention this as a justification for studying all the facets of Active Directory before you start configuring. The one group policy that you need to apply at the domain level is the security policy. Reluctantly, I will leave further discussion to the Group Policy 2003 section.