Active Directory

What happens if two AD objects have the same RDN?

Every Active Directory (AD) object has a distinguished name (DN—e.g., CN=John Savill,CN=Users,DC=SavillTech,DC=Com) that uniquely identifies the object and its position in AD. The system also creates a relative distinguished name (RDN), which is a name relative to the container (e.g., CN=John Savill for the user).

Two objects with the same RDN can't exist in one container. For example, in the container CN=Users,DC=SavillTech, CN=John Savill and OU=John Savill are allowed because one is a user and the other is an organisational unit (OU). However, CN=John Savill and CN=John Savill aren't allowed.

The only way you can have a duplicate RDN is if two objects are created on different domain controllers (DCs). But at the next replication cycle, the system will rename the older object.

To find objects that the system has renamed because of RDN collisions, use the search.vbs script in \support\tools\support.cab as follows:

cscript search.vbs "LDAP://<server>/dc=<domain>,dc=com" /C:"(CN=*\0ACNF:*)" /P:distinguishedName /S:SubTree

Any matches will display the RDN for the renamed objects.

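The collision rename produces an RDN of the form "<original name>\0ACNF:<objectGUID>" (a line feed followed by CNF:), which is what the filter above matches. The following added Python example (not part of the original page or of search.vbs) parses distinguishedName values, recovers the original name and GUID from a renamed object, and flags any two objects in the same container whose RDN differs only in case; the directory entries are constructed sample data, and the GUID is a made-up value.

```python
import re
from collections import defaultdict

# Constructed sample of distinguishedName values, as a query like the
# search.vbs command above might return them (not real directory data).
SAMPLE_DNS = [
    "CN=John Savill,CN=Users,DC=SavillTech,DC=Com",
    "CN=John Savill\nCNF:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b,CN=Users,DC=SavillTech,DC=Com",
    "OU=John Savill,CN=Users,DC=SavillTech,DC=Com",
    "CN=jane doe,CN=Users,DC=SavillTech,DC=Com",
    "CN=Jane Doe,CN=Users,DC=SavillTech,DC=Com",
]

# A renamed object's RDN value is "<name>" + LF + "CNF:" + the object's GUID.
CNF_RE = re.compile(r"^(?P<name>.*)\nCNF:(?P<guid>[0-9a-fA-F-]{36})$")


def split_dn(dn):
    """Split a DN into its RDN components, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair intact (e.g. "\,")
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def conflict_info(dn):
    """Return (original RDN, GUID) if the leading RDN carries a CNF: mangle, else None."""
    attr, _, value = split_dn(dn)[0].partition("=")
    m = CNF_RE.match(value)
    return (f"{attr}={m['name']}", m["guid"]) if m else None


def duplicate_rdns(dns):
    """Group objects by (parent container, case-folded RDN); two in one group collide."""
    seen = defaultdict(list)
    for dn in dns:
        rdn, *parent = split_dn(dn)
        seen[(",".join(parent).lower(), rdn.lower())].append(dn)
    return {key: objs for key, objs in seen.items() if len(objs) > 1}
```

Note that OU=John Savill and CN=John Savill land in different groups because the attribute type is part of the RDN, matching the rule stated above.
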
What is a domain forest?

You might have several domain trees in your organization that need to share resources. To solve this problem, you can join the trees to form a forest.

A forest is a collection of trees that don’t necessarily form a contiguous namespace (although each tree must be contiguous). This arrangement might be useful if your company has multiple root DNS addresses, as in the Figure.

As the Figure shows, two root domains connect through a transitive, two-way Kerberos trust (much like the trust between a child and parent). Forests always contain a domain’s entire domain tree. You can’t create a forest that contains only part of a domain tree.

When you promote a server to a domain controller (DC), DCPROMO creates a forest. Forest creation can’t occur at any other time, although this restriction will change in the OS that follows Windows 2000.

You can add as many domain trees to a forest as you want. All the domains in a forest can grant object access to any user in the forest. Thus, the administrator doesn’t need to manually manage the trust relationships.

Creating a forest provides the following benefits.

  • All the trees have a common Global Catalog (GC) that contains specific information about every object in the forest.
  • All the trees contain a common schema. Microsoft hasn’t confirmed what happens if two trees have different schemas before you join the trees, because you currently can’t join two trees. However, this problem will arise in future versions of the OS. I assume the changes will merge.
  • Performing a search in a forest initiates a deep search of the entire tree in the domain you initiate the request from and uses the GC entries for the rest of the forest.

You might prefer not to join trees into a forest. Instead, you can create normal trusts between individual tree elements.

What is a domain tree?

In Windows 2000, a domain can be a child of another domain (e.g., child.domain.com is a child of domain.com). A child domain name always includes the complete parent domain name. A child domain and its parent share a two-way transitive trust.

A domain tree exists when one domain is the child of another domain. A domain tree must have a contiguous namespace, as in the leftmost diagram in the Figure.

In the rightmost diagram in the Figure, the lack of contiguous names means that the domains can’t be part of the same tree.

The tree’s name is the root domain name. In my example, the tree is root.com. Because domains are DNS names and because domains inherit the parent part of the name, if you rename part of a tree, all of the parent’s children are also implicitly renamed. For example, if you renamed the parent domain ntfaq.com to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice.com. Although you can’t currently rename part of a tree, this problem will arise in future versions of the OS.

You can currently create domain trees only when DCPROMO promotes a server to a domain controller (DC). This restriction might change in the OS that follows Win2K.

Placing domains in a tree yields several advantages. The most useful benefit is that all members of a tree have Kerberos transitive trusts with the domain’s parent and all the domain’s children. Transitive trusts also let any user or group in a domain tree obtain access to any object in the tree. In addition, you can use one network logon at any workstation in the domain tree.
