CS603 Active Directory February 1, 2001

What is Active Directory? Microsoft’s Windows 2000 directory server Included in Windows 2000 Server Microsoft finally using Internet standards for network naming DNS for machine naming LDAP (RFC 2251) for accounts/users Also supports legacy Microsoft directories ADSI (COM) Synchronizes with Exchange and other directories

What goes in Active Directory? Objects Object: Anything that gets a name Container objects Leaf objects Key object types: User Principal Name (user@dns_name) Security Account Manager name (compatiblity with NT) Object publishing Shared folders Printers RPC, Winsock, DCOM

Active Directory Schema Schema: Object that describes object classes, attributes Attributes Defined globally Can be indexed (independent of object class) Object classes – allowable collections of attributes Default schema Cannot delete from default Can mark items as deactivated Can be extended – but not reversible

Object Naming Conventions Names unique in a domain LDAP Distinguished name disambiguates across domains Also Security ID, GUID, Active Directory Canonical name GUID is permanent, others change if object moved between domains GUID is “real object identifier” – globally unique Security Principal: User, computer, or group Security ID: Used internally Access Control Entry (read ACL) lists SIDs (not names) allowed to access object Doesn’t support full LDAP naming convention Cn=common name, ou=organizational unit, dc=domain component Ldap: cn, ou, o=organization, c=country

ActiveDirectory and DNS Same Name for same machine Different namespaces Follow same hierarchical structure Active Directory requires DNS Needed to locate Active Directory server Uses Service Location Resource records DNS can store information in Active Directory

Hierarchical Directory Structure Domain: Individually managed subset of name space Single controller supports one domain Replication done at entire domain level – multimaster replication Namespace can have multiple domains – forest Why forest and not tree? Root tied to DNS name! Global catalog for entire forest – used for logon requests Security policies/settings don’t cross domains Can only build down in hierarchy

Trust Relationships What does trust mean? Trust relationships Authentication: Single system logon Doesn’t imply permissions in multiple domains Share common configuration information. Share a common schema. Share a common global catalog. Trust relationships Parent/child trust each other Roots of trees in forest trust each other Trust is transitive “Shortcut” trust relationships to save transitive search Can trust external methods

Domain Controller Roles (Beyond directory service) Forest-wide roles Schema master Domain naming master Domain-wide roles Relative ID master Assigns Unique Security ID (SID) to each object Primary Domain Controller Emulator Emulates WindowsNT domain controller Infrastructure master Handles replication across domains

Other Hierarchies: Organizational Units Use to delegate authority Can have administrative authority only over OU Subset of domains

Replication Global Catalog contains subset of domain attributes Allows logon, lookup without going to source domain Replicated at multiple sites Methods: IP SMTP Determining latest update: Universal Sequence Number Timestamp if USNs same Replication path may have loops Don’t propagate already propagated updates

Sites Idea: Highly Connected Machines Independent of Domains Clients can request service from a domain controller in the same site (if one exists). Active Directory tries to minimize replication latency for intra-site replication. Active Directory tries to minimize bandwidth consumption for inter-site replication. Sites let you schedule inter-site replication. Independent of Domains Can delegate authority over site

Microsoft Metadirectory Services (MMS) Goal: Single directory for multiple applications Brokers to provide directory information to multiple vendors Acquired from Zoomit corporation Uses Active Directory Also moving to use Active Directory instead of internal solutions in other Microsoft products (e.g., Exchange Server)