Chapter 1
Introduction to Active Directory
Solutions in this chapter:
Define a Directory Service
Describe the Active Directory Service
Define the Components of Active Directory
Prepare for Active Directory Implementation
This is it: Active Directory Services. This is the beginning of a completely new way of looking at networks, networking, and Microsoft Windows 2000 Server. Microsoft created Windows 2000 to be the next generation of Windows NT. Windows 2000 has inherited a comprehensive networking platform, and the reliability and scalability of NT technology. However, Windows 2000 goes beyond the core NT technology and adds a new element with Active Directory Services (ADS).
In this book, you will go behind the curtains of the Active Directory and get a look at the real wizard driving the controls. You will learn about the Active Directory components and how they interact. You will explore the ways that you can use Active Directory to manage your Windows 2000 network. And when you have finished this book, you will be able to plan an Active Directory design and integrate it with a legacy Windows NT domain architecture and various types of networking equipment.
It is time to get started and pull back the corner of the Active Directory curtain...
Introduction to Directory Services
Directory services have been available in networking as tools for organizing, locating, and managing network information for many years. Network directories are similar in concept to the telephone book Yellow Pages. The Yellow Pages are a listing of businesses and phone numbers that are indexed by the type of business and then alphabetized. Anyone can look up a business by type and name in order to get the correct phone number. On the network, a user could use a directory service to find all printing services, and then browse the listing to pick the one that is most appropriate.
The directory service is a concept that ties all the pieces of a network together. It is available to each server that participates in the directory, and to each client that wants to access a server. DNS (Domain Name System) is one type of directory well known to administrators. The DNS directory lists computers by their hostnames and maps them to their respective IP addresses. When a user needs to access a computer on the network by its hostname, the client computer queries a DNS server for the corresponding IP address.
For IT Professionals Only
Directory Enabled Networks
The Distributed Management Task Force (DMTF), whose Web site is www.dmtf.org, is currently developing a standard for Directory Enabled Networks (DEN). Even though many network operating systems support directory services of various types, most are vendor specific. This means that one server might be able to access a directory, but another will not, simply because it is running a different vendor's network operating system. The result might be multiple directory services running on a single network, which poses problems for users who are faced with multiple logons (again) and for administrators who must manage multiple directory structures.
Once vendors create DEN-compliant directories, multiple network operating systems will be able to participate in a single directory service. Don't worry! DEN compliance is a goal for Microsoft Active Directory services once the standard has been finalized.
A directory service such as the standard being developed for DEN will go beyond the simple mapping of hostnames to addresses that DNS provides. Instead, the directory service will organize all the services and resources participating in a network, as depicted in Figure 1.1.
Figure 1.1 Directory servicestructure.
History of the Directory Service
Before directory services came about, networks were server-centric. Each server on a network had its own security system of user accounts. It would associate those user accounts with the files, directories, printers, and other services or resources that it had to offer. Sometimes the server would use the same system for this association as for the list of accounts, and sometimes it would use separate systems.
Many of the first networks began with a single server for the purpose of sharing its hard drive space, at a time when hard drives were extremely expensive. Soon these servers' hard drives would fill up, and at some point another server would be added to the network to allow further storage of shared files. It was with the addition of subsequent servers that administration became difficult. If a user needed to access more than one server, he or she needed to know how to access that specific server and needed a separate logon ID and password. It was difficult to keep the logon IDs and passwords synchronized, since each server might have a different timing mechanism for password changes, and even a different administrator creating logon IDs. The end result was a convoluted and difficult process for accessing resources on the network.
Microsoft Windows NT was released with a way to mitigate this confusing logon process when there were multiple servers. NT uses a domain architecture. The NT domain is a group of Windows NT servers that participate in a single security architecture. It consists of a primary domain controller (PDC), any number of backup domain controllers (BDCs), and any number of member servers and client computers. The PDC is the security manager of the domain. BDCs maintain a read-only copy of the security database, but the PDC is the single point of change control. Member servers and client computers contact a domain controller (DC) to authenticate and access network resources. A domain is logically established in the structure shown in Figure 1.2.
Figure 1.2 The components ofa single domain.
Microsoft also developed multiple domain structures to enable a distributed security structure. In order for users of domain A to access resources such as files and printers in domain B, domain B must trust domain A. When drawn out, this trust relationship is shown as an arrow pointing from the trusting domain to the trusted domain. Microsoft defines various models for a multiple domain structure:
Master Domain model: All resource domains trust a single Master Domain that contains all the user accounts. This is depicted in Figure 1.3.
Multiple Master Domain model: All resource domains trust all Master Domains. Each Master Domain trusts all other Master Domains.
Complete Trust model: All domains trust each other.
Figure 1.3 Legacy Windows NT Master Domain model.
Although a domain is effective as a security model for a small or medium-sized organization, it does not have some of the features that a directory service offers. A domain structure is flat rather than hierarchical like most directory services, which means that security cannot be applied at different levels to different groups of computers. Since each domain is its own administrative area, the only way to implement a distributed administration system is to have multiple domains. Domains require a significant amount of traffic between clients and DCs. This traffic overhead is undesirable over wide area network (WAN) links that may have a limited amount of bandwidth available. Thus, multiple domains may be created to overcome WAN limitations. Trust relationships between multiple domains become cumbersome as more domains are added: NT trusts are one-way and not transitive, so a Complete Trust model with n domains needs n(n-1) separate trusts. As a result, trade-offs may be made between WAN performance or administrative needs and domain structures.
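As an added illustration (not code from the book), the following Python models the three legacy NT trust models as directed, one-way, non-transitive trusts, counts how many trusts each model needs as domains are added, and checks resource access across a trust. The domain names (CORP, SALES, ENG, DOM0...) are made up for the example.

```python
"""Added example (not from the book): model the legacy NT multi-domain
models as directed, one-way, non-transitive trusts and count the trusts
each model needs.  Domain names such as CORP, SALES and DOMn are made up."""
from itertools import permutations


def master_domain(master, resource_domains):
    """Master Domain model: every resource domain trusts the one master
    domain that holds all user accounts.  A trust is the edge
    (trusting_domain, trusted_domain), matching the arrow in the diagrams."""
    return {(r, master) for r in resource_domains}


def multiple_master(masters, resource_domains):
    """Multiple Master Domain model: every resource domain trusts every
    master domain, and each master trusts all the other masters."""
    trusts = {(r, m) for r in resource_domains for m in masters}
    trusts |= set(permutations(masters, 2))
    return trusts


def complete_trust(domains):
    """Complete Trust model: every domain trusts every other domain."""
    return set(permutations(domains, 2))


def can_access(trusts, account_domain, resource_domain):
    """True if an account from account_domain can use a resource held in
    resource_domain.  NT trusts are one-way and not transitive, so only a
    direct trust counts: if B trusts A and C trusts B, A still cannot
    reach C."""
    if account_domain == resource_domain:
        return True
    return (resource_domain, account_domain) in trusts


def trusts_required(model, n_domains, n_masters=1):
    """Number of one-way trusts the named model needs for n_domains domains
    in total, of which n_masters hold the accounts (master models only)."""
    names = [f"DOM{i}" for i in range(n_domains)]
    masters, resources = names[:n_masters], names[n_masters:]
    if model == "master":
        return len(master_domain(masters[0], resources))
    if model == "multiple-master":
        return len(multiple_master(masters, resources))
    if model == "complete":
        return len(complete_trust(names))
    raise ValueError(f"unknown model {model!r}")


if __name__ == "__main__":
    # Show how the trust count grows with the number of domains.
    for n in (3, 5, 10, 20):
        print(f"{n:>2} domains: master={trusts_required('master', n):>3}"
              f"  multi-master(2)={trusts_required('multiple-master', n, 2):>3}"
              f"  complete={trusts_required('complete', n):>3}")
```

The growth table printed by the main block is the practical point of the models: the Master Domain model adds one trust per new resource domain, while the Complete Trust model adds a trust in both directions to every existing domain, which is why it quickly becomes unmanageable.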