Microsoft Active Directory


Directory Server

Active Directory is the integrated directory server in Microsoft's line of Windows 2000 Server operating systems. It replaces the domain model of Windows NT 4.0 [61] and is based on the data models and concepts of X.500. A domain in Windows NT is a collection with a flat hierarchy and is limited to about 40,000 objects. In contrast, tests have shown that Active Directory can, on appropriate hardware (footnote 8.1), scale to more than 100 million entries [3].

In Windows 2000 Microsoft has taken a step away from proprietary mechanisms. Data in Active Directory can be accessed by any LDAPv3-compliant application. In another area, DNS replaces NetBIOS as the standard protocol for service location. Native Windows 2000 clients now issue a request for a DNS SRV record to find a host offering a specific service. The Windows 2000 namespace is therefore the same as the one defined by the DNS. As a result, Microsoft has chosen to adopt the domain component naming scheme [50] for Active Directory (footnote 8.2).
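The two mappings described above, added here as an example that is not part of the thesis: a DNS domain name is turned into the distinguished name of the directory domain under the domain component naming scheme, and the SRV owner name a client asks DNS for is built from service, protocol and domain. The selection step applies the priority-then-weight rule of RFC 2782 in simplified form (one weighted draw, no special ordering of zero-weight records). All SRV records in the example are constructed sample data and no network lookup is performed.

```python
"""Added example (not from the thesis): DNS name -> LDAP DN and SRV-based
server selection as a Windows 2000 client would perform it.  The records used
here are constructed samples; nothing is resolved over the network."""
import random
from dataclasses import dataclass


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to a domain-component DN (RFC 2247 style):
    'example.com' -> 'DC=example,DC=com'."""
    labels = [label for label in dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def srv_query_name(service: str, protocol: str, dns_name: str) -> str:
    """Owner name of the SRV record for a service, e.g. '_ldap._tcp.example.com'."""
    return f"_{service}._{protocol}.{dns_name.strip('.')}"


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is preferred
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host name of the server offering the service


def select_srv_target(records, rng=random.random):
    """Pick one SRV record: lowest priority wins; among equal priorities the
    choice is random, proportional to weight (simplified RFC 2782 rule).
    `rng` returns a float in [0, 1) and is injectable so the choice can be
    reproduced in tests."""
    if not records:
        raise LookupError("no SRV records for this service")
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]   # all weights zero: any candidate is acceptable
    point = rng() * total
    running = 0
    for record in candidates:
        running += record.weight
        if point < running:
            return record
    return candidates[-1]


if __name__ == "__main__":
    # constructed sample answer for _ldap._tcp.example.com
    answer = [
        SrvRecord(10, 60, 389, "dc1.example.com"),
        SrvRecord(10, 40, 389, "dc2.example.com"),
        SrvRecord(20, 0, 389, "dc3.example.com"),   # fallback only
    ]
    print(dns_to_dn("example.com"))
    print(srv_query_name("ldap", "tcp", "example.com"))
    print(select_srv_target(answer).target)
```

Because priority is evaluated before weight, the record for dc3 is only returned when no priority-10 record is present in the answer; in the constructed answer above, dc1 and dc2 are chosen roughly 60:40.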

Figure: Active Directory Structure

The smallest unit of partitioning in Active Directory is the domain. Domains with a coherent naming scheme form a domain tree. Multiple trees can be joined in a forest (see the figure above); they share the same schema and have a mutual trust relationship (footnote 8.3). All Windows 2000 servers that run Active Directory are called domain controllers. Active Directory is a pure multi-master environment: each domain controller maintains a read-writable copy of the directory for its domain. A Windows 2000 domain controller cannot manage directories for more than one domain. If an online backup is required for a domain, a dedicated host has to be set up. However, domain controllers can hold a copy of the forest-wide global catalog. The global catalog stores and indexes a read-only subset of commonly used attributes for all entries in the forest. This allows forest-wide searches to be performed without the penalty of having to contact multiple domain controllers.

Computers managed by Active Directory can be assigned to a site. A site is a location where all hosts are connected by a fast link, usually an Ethernet LAN. To ensure that changes are properly replicated to all domain controllers, the replication topology is maintained automatically by the Knowledge Consistency Checker (KCC). The KCC creates a bi-directional replication ring for all domain controllers within a site. Inter-site connections are only created if two sites have been marked as connected by the administrator.

There are five areas in Active Directory that need to be governed by a single master. Normally, operations affecting these areas are carried out by the first domain controller that was created. As these areas are critical to the functionality of Active Directory, mechanisms exist for other domain controllers to obtain authority over them. A domain controller responsible for such an area is called the Flexible Single Master Operation (FSMO) role owner. The FSMO roles in Windows 2000 are [61]:

Schema Master: only the server that owns this role is allowed to extend the schema.
Domain Naming Master: controls the Active Directory namespace; it can add or remove sub-domains.
PDC Advertiser: to allow coexistence with legacy Windows NT servers, one Windows 2000 domain controller needs to play the role of the Primary Domain Controller (PDC) in the Windows NT domain. It synchronises Active Directory with the remaining Windows NT Backup Domain Controllers (BDCs).
RID Master: each security-enabled object in Active Directory has a unique security identifier (SID). These identifiers are assigned by the domain controller on which the entry is created. To ensure uniqueness, each server requests a pool of relative IDs (RIDs) from the RID Master in advance, which it later uses for newly created entries.
Infrastructure Master: maintains references to objects in other domains within a domain.
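A simplified model of the RID Master mechanism described in the list above, added here as an example that is not part of the thesis: the role owner hands out disjoint pools of relative identifiers, each domain controller draws from its pool when it creates a security principal, and SIDs therefore stay unique across controllers without any coordination per creation. The domain SID, the pool size and the starting RID are constructed or assumed values chosen for illustration; only the SID layout (domain SID followed by the RID) and the reservation of well-known RIDs such as 500 for Administrator are real.

```python
"""Added example (not from the thesis): a toy model of RID pool allocation by
the RID Master FSMO role and SID construction on domain controllers.  Domain
SID, pool size and starting RID are constructed/assumed values."""
from dataclasses import dataclass, field


@dataclass
class RidMaster:
    """The FSMO role owner: the single authority that allocates RID pools."""
    next_rid: int = 1000          # assumed start; well-known RIDs (e.g. 500) lie below
    pool_size: int = 500          # assumed pool size for the model

    def allocate_pool(self) -> range:
        """Hand out the next contiguous, never-reused block of RIDs."""
        pool = range(self.next_rid, self.next_rid + self.pool_size)
        self.next_rid += self.pool_size
        return pool


@dataclass
class DomainController:
    name: str
    domain_sid: str               # constructed sample value in the usage below
    master: RidMaster
    pool: list = field(default_factory=list)
    refills: int = 0              # how often this DC had to contact the RID Master

    def refill(self) -> None:
        """Fetch a new pool from the RID Master (done in advance in practice)."""
        self.pool.extend(self.master.allocate_pool())
        self.refills += 1

    def create_principal(self) -> str:
        """Create a new security principal and return its SID."""
        if not self.pool:
            self.refill()
        rid = self.pool.pop(0)
        return f"{self.domain_sid}-{rid}"


def sids_are_unique(sids) -> bool:
    """Invariant the pool scheme guarantees: no two principals share a SID."""
    return len(set(sids)) == len(sids)


if __name__ == "__main__":
    master = RidMaster()
    domain_sid = "S-1-5-21-1111-2222-3333"   # constructed sample domain SID
    dc1 = DomainController("dc1", domain_sid, master)
    dc2 = DomainController("dc2", domain_sid, master)
    sids = [dc1.create_principal() for _ in range(600)]
    sids += [dc2.create_principal() for _ in range(600)]
    print(sids[0], sids[-1], sids_are_unique(sids))
```

The model also makes the availability concern visible: a controller only needs the RID Master when its pool is exhausted, so a temporarily unreachable role owner does not stop account creation until the pools run dry.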

The schema in Active Directory differs in some ways from that given in the X.500 Information Model. First, auxiliary classes do not exist as independent classes in Active Directory. Instead, they are incorporated into structural classes when the domain controller loads the schema. Their attributes become part of the structural class and they do not appear as values of the "objectClass" attribute. As a result, auxiliary classes cannot be searched for and, more importantly, they cannot be dynamically added to selected entries. Secondly, RDNs must be single-valued in Active Directory. Thirdly, Active Directory does not publish any matching rules in its schema, although searching is obviously possible. Before attempting to change the schema one should be aware that extensions to Active Directory are irreversible: once an object class or attribute type has been added, it cannot be removed but only marked as deactivated. [22]

Windows 2000 also includes a PKI component, the Enterprise Certification Authority (ECA). It can automatically issue certificates for users and computers and publishes them in the directory. An ECA must be available to generate X.509 server certificates if SSL-protected LDAP connections are needed. [62]


Administration Tools

Administration of Windows 2000 and Active Directory is done with the Microsoft Management Console (MMC). MMC is an umbrella application that offers a consistent look and feel. Modules, so-called SnapIns, are used to handle specific tasks. For the management of Active Directory the following SnapIns are available: [61]
Users and Computers manages organizational units and accounts for computers and users.
With Sites and Services the administrator can create sites and define which IP subnets belong to them. The replication topology that is automatically created by the KCC can be manually tuned here.
Extensions to Active Directory's schema can be made with the Schema SnapIn.
The Domains and Trusts SnapIn is used to manually establish trust relationships between domains and to manage meta-information of the domain itself.
ADSI Edit is a low-level tool for Active Directory. Unlike the other SnapIns it does not offer dialogues that present attributes in context, but rather provides a complete listing of attributes and their values for a given entry, thereby giving access to attributes that are otherwise hidden.
The Group Policy SnapIn is used to manage Group Policy Objects (GPOs).

Windows 2000 uses GPOs to apply settings to multiple objects. One section of a GPO deals with settings for computers, another with user settings. GPOs can be assigned to sites, domains and organizational units. Typically GPOs are applied during boot-up for computers or log-on for users, but they can also be re-applied periodically if a refresh policy is in place. In a homogeneous Windows 2000 environment virtually all settings of the client PCs can be controlled with GPOs; a few of the important ones are:

Scripts that should be run during user logon/logoff or computer boot-up respectively.
Software that should be available on computers or to users can be assigned, and will be installed during the next application of the GPO.
Settings in the Registry, Windows' database for application configuration data.
Security settings like password, audit or public key policies. A GPO can, for example, be used to install a new X.509 trusted root certificate on all systems.
Services on computers that should be started or must remain quiescent.


Directory-enabled Applications

The DNS server included in Windows 2000 can be integrated with Active Directory (footnote 8.4). If this feature is activated, all DNS records are stored as entries in the directory. The SMTP server that comes with Windows 2000 is also directory-enabled. It can use the information stored in the directory to decide whether to forward incoming email.

Since its 2000 version, Microsoft's messaging solution Exchange requires Active Directory. While earlier versions of Exchange used a private directory service, which was accessible via LDAP, it is now fully integrated with Active Directory. In fact, Active Directory uses the database technology that was developed for Exchange. During its installation Exchange extends the Active Directory schema and adds user interface components to manage the new attributes. These components appear as additional property pages in the Users and Computers SnapIn of the MMC.

Norbert Klasen 2001-10-22