| What is a Kerberos trust? |
Windows NT 4.0 trust relationships aren’t transitive. Therefore,
if domain2 (e.g., Marketing, in the Figure) trusts domain1
(Sales), and domain3 (Development) trusts domain2 (Marketing),
domain3 (Development) doesn’t trust domain1 (Sales).
In Windows 2000, the trust relationships that connect members
of a tree or forest are two-way, transitive Kerberos trusts.
Thus, all the domains in a tree implicitly trust all the other
domains in the tree or forest. Because trusts occur automatically
when a domain joins a tree, time-consuming trust administration
is unnecessary.
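The difference between the two trust models can be made concrete with a small graph model. This is an added example, not code from the original article: the domain names come from the article’s figure, but the Python representation (trust edges as `(trusting, trusted)` pairs, a breadth-first walk for transitive trust) is an assumption of this example. Note the direction: “Marketing trusts Sales” means Sales principals can be granted access to Marketing resources, not the reverse.

```python
"""Trust reachability under NT 4.0 (non-transitive, one-way) and
Win2K Kerberos (transitive, two-way) trust rules.

Constructed example; domain names follow the article's figure.
"""
from collections import deque

# Directed trust edges as (trusting_domain, trusted_domain).
FIGURE_TRUSTS = [
    ("Marketing", "Sales"),        # domain2 trusts domain1
    ("Development", "Marketing"),  # domain3 trusts domain2
]


def make_two_way(trust_list):
    """Win2K tree/forest trusts are two-way: add the reverse edges."""
    reverse = [(t, s) for (s, t) in trust_list]
    return list(dict.fromkeys(trust_list + reverse))  # dedupe, keep order


def trusted_by(trusting, trust_list, transitive):
    """Return the set of domains that `trusting` trusts.

    transitive=False: only directly configured trusts count (NT 4.0).
    transitive=True:  follow the chain of trusts (Win2K Kerberos).
    """
    direct = {t for (s, t) in trust_list if s == trusting}
    if not transitive:
        return direct
    seen = set()
    queue = deque(direct)
    while queue:
        d = queue.popleft()
        if d in seen:
            continue
        seen.add(d)
        queue.extend(t for (s, t) in trust_list if s == d)
    return seen


def trusts(trusting, trusted, trust_list, transitive):
    """True if a principal from `trusted` can be authenticated to
    resources in `trusting` under the given trust rules."""
    return trusted in trusted_by(trusting, trust_list, transitive)


if __name__ == "__main__":
    nt4 = trusts("Development", "Sales", FIGURE_TRUSTS, transitive=False)
    w2k = trusts("Development", "Sales", make_two_way(FIGURE_TRUSTS),
                 transitive=True)
    print(f"NT 4.0: Development trusts Sales? {nt4}")   # False
    print(f"Win2K:  Development trusts Sales? {w2k}")   # True
```

Running the model shows why the article calls trust administration unnecessary in Win2K: with two-way transitive trusts, every domain in the chain reaches every other, so the set of domains whose principals can be authenticated to a resource is the whole tree or forest rather than the single domain that holds the resource.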
Kerberos is Win2K’s primary security protocol. Kerberos verifies
a user’s identity and a session’s data integrity. Each domain
controller (DC) runs the Kerberos services, and every Win2K
workstation and server has a Kerberos client. A user’s initial
Kerberos authentication gives the user one logon session to
enterprise resources. Kerberos isn’t a Microsoft protocol
but is based on MIT’s Kerberos 5.0. For more information about
Kerberos, see Internet Engineering Task Force (IETF) Request
for Comments (RFC) 1510.
| What is Active Directory? |
Active Directory (AD) is Microsoft’s implementation of a
Directory Service (DS). A DS stores data in an organized format
and provides a way to publish and access that data. AD isn’t a
Microsoft innovation but is an implementation of an existing
model (i.e., X.500), communication mechanism (i.e., Lightweight
Directory Access Protocol—LDAP), and location technology (i.e., DNS).
To understand AD, you must understand what it is supposed
to achieve. A directory is simply a container for other information.
A telephone directory is an example of a DS, because a telephone
directory contains data and a means to access and use the
data. For example, a telephone directory has various entries,
and each entry has values. A telephone directory entry consists
of name, address, and telephone number values. A large directory
might group entries by location (e.g., city) or type (e.g.,
lawyers), or by both. Thus a hierarchy of types could exist
for each location. You might also consider a telephone operator
a DS, because the operator has access to the data. You can
request data, and the operator presents the answer to your
query.
AD is a type of DS that holds information about all the resources
on a network. Clients can query AD for information about any
aspect of the network. AD’s features include the following:
- Secure information storage. Each object in AD has an ACL
with a list of resources that can access the object and
to what degree.
- A flexible query mechanism based on an AD-generated Global
Catalog (GC). Any client that supports AD can query the
catalog.
- Directory replication to all domain controllers (DCs)
in the domain, for easy accessibility, high availability,
and fault tolerance.
- An extensible design that lets you add new object types
or build on existing objects. For example, you could add
a salary attribute to the user object.
- Multiple-protocol communication. AD’s X.500 foundation
lets you communicate over various protocols, such as LDAPv2,
LDAPv3, and HTTP.
- DNS rather than NetBIOS names for DC naming and location.
- Directory information partitioned by domain to avoid replicating
an excessive amount of information.
Although AD partitions directory information into different
stores, you can still query AD for information from other
domains. GCs contain information about every object in the
enterprise forest, so that you can perform a forestwide search.
When you run DCPROMO on a Windows 2000 machine for the first
time to create a new domain, DCPROMO registers the new domain
on the DNS server. A client then contacts the DNS server to look
up the client’s domain. The DNS server returns not only
the domain but also the domain’s DCs, and sends
the client the closest DC’s address. The client in turn connects
to the closest DC and searches its AD domain database for
objects (e.g., printers, file servers, users, groups, organizational
units—OUs) in the domain. Because each DC stores links to
other domains in the tree, the client can search an entire
tree of domains.
A version of AD that lists all the objects in the forest
is also available in case you need to perform a search beyond
the client's tree of domains. This version is the GC. You
can store the GC on any or all of the DCs in the forest.
The GC provides shorthand access to objects anywhere in the
forest. However, the GC contains only some of an object’s
attributes. For the whole object, you must go to the domain
AD (which is on a DC in the domain). You can configure the
GC to provide the object attributes you want.
To help you create AD objects, the DC maintains a copy of
the classes and hierarchy of classes for the whole forest.
AD stores class structures in the schema. The schema is extensible,
which means that you can add classes to it.
The schema is part of Win2K’s configuration namespace, which
all the DCs in a forest maintain. A namespace is a range of
labels. Win2K’s configuration namespace consists of several
defined items such as physical locations, Win2K sites, and
subnets. A site is a child of a forest; a site can contain
machines from any domain, but all the machines in a site must
have fast and reliable connections for DC replication. A subnet
is an IP address grouping assigned to a site; subnets help
speed up AD replication among DCs.
Because DCs store records in an LDAP distinguished name format,
AD uses LDAP to access the records. In case an application
uses a name format other than the LDAP distinguished name,
you can also use the LDAP URL or AD canonical name formats
to access AD.
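The three name formats mentioned here address the same object, so a practitioner often needs to convert between them (for example, to match an LDAP URL in a log against a distinguished name in an ACL). The following Python converter is an added example, not code from the original article or from Microsoft: the object `CN=Smith\, John,OU=Sales,DC=corp,DC=example,DC=com` and the host `dc1.corp.example.com` are constructed, and the choice to map a canonical name’s leaf to `CN` and its containers to `OU` is an assumption of this example, since the canonical form does not record attribute types.

```python
"""Convert between LDAP distinguished name, LDAP URL and AD canonical
name for the same object.  Constructed example; sample names made up.
DN escaping follows RFC 4514; the LDAP URL form follows RFC 4516.
"""
from urllib.parse import quote, unquote, urlsplit

_DN_SPECIAL = ',+"\\<>;='   # must be backslash-escaped inside a DN value


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash
    escapes such as "Smith\\, John" and optional spaces after commas."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # escaped character
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:         # end of attribute type
            attr, buf = "".join(buf).strip(), []
        elif c == ",":                        # end of this RDN
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        elif attr is None and c == " " and not buf:
            pass                              # whitespace before next type
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        rdns.append((attr, "".join(buf)))
    return rdns


def escape_dn_value(value):
    """Escape a raw value so it can be embedded in a DN."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def dn_to_canonical(dn):
    """CN=John,OU=Sales,DC=corp,DC=example,DC=com -> corp.example.com/Sales/John
    DC components become the DNS domain; the other RDNs are listed
    root-first.  A '/' inside a component is escaped as '\\/'."""
    rdns = parse_dn(dn)
    domain = ".".join(v for a, v in rdns if a.upper() == "DC")
    path = [v.replace("/", "\\/") for a, v in rdns if a.upper() != "DC"]
    return "/".join([domain] + list(reversed(path)))


def canonical_to_dn(name, leaf_attr="CN", container_attr="OU"):
    """AD canonical name -> LDAP DN.  Attribute types for the leaf and
    containers are an assumption (the canonical form does not keep them)."""
    parts, buf, i = [], [], 0
    while i < len(name):                      # split on unescaped '/'
        if name[i] == "\\" and name[i + 1:i + 2] == "/":
            buf.append("/")
            i += 2
            continue
        if name[i] == "/":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(name[i])
        i += 1
    parts.append("".join(buf))
    domain, *path = parts
    rdns = [f"{leaf_attr if idx == 0 else container_attr}={escape_dn_value(c)}"
            for idx, c in enumerate(reversed(path))]
    rdns += [f"DC={label}" for label in domain.split(".")]
    return ",".join(rdns)


def dn_to_ldap_url(dn, host):
    """ldap://host/<percent-encoded DN>; '=' and ',' stay readable."""
    return f"ldap://{host}/{quote(dn, safe='=,')}"


def ldap_url_to_dn(url):
    """Recover the DN from the path part of an LDAP URL."""
    return unquote(urlsplit(url).path.lstrip("/"))


if __name__ == "__main__":
    dn = "CN=Smith\\, John,OU=Sales,DC=corp,DC=example,DC=com"   # constructed
    print(dn_to_canonical(dn))                       # corp.example.com/Sales/Smith, John
    print(dn_to_ldap_url(dn, "dc1.corp.example.com"))
    print(canonical_to_dn(dn_to_canonical(dn)) == dn)  # True
```

The escaped comma in the sample is the case worth keeping in mind: a naive `split(",")` on the DN would produce a bogus `John` component, and a naive `split("/")` on a canonical name breaks on any object whose name contains a slash, which is why both parsers walk the string character by character.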