70-240 in 15 minutes a week: Introduction to Windows 2000 Server and Active Directory Page 2
|Introduction to Active Directory concepts
Certainly the biggest single change between Windows NT 4 and Windows 2000 is the inclusion in Windows 2000 of an important new service - Active Directory. Active Directory is the native directory service in Windows 2000. Unlike Windows NT 4, when domains were pretty much stand-alone islands that we connected with trust relationships as necessary, Active Directory is a full-featured directory service. But what is a directory service? Well, a directory service is actually a combination of two things - a directory, and services that make the directory useful. Simply, a directory is a store of information, similar to other directories, such as a telephone book. A directory can store a variety of useful information relating to users, groups, computers, printers, shared folders, and so forth - we call these objects. A directory also stores information about objects, or properties of objects - we call these attributes. For example, attributes stored in a directory for a particular user object would be the user's manager, phone numbers, address information, logon name, password, the groups they are a part of, and more. To make a directory useful, we have services interact with the directory. For example, we can use the directory as a store or information against which users are authenticated, or as the place we query to find information about an object. For example, I could query a directory to show me all the color printers in the Frankfurt office, the phone number of Bob in the Delhi office, or a list all of the users accounts whose first name starts with the letter 'G'. In Windows 2000, Active Directory is responsible for creating and organizing not only these smaller objects, but also larger objects - like domains, organizational units, and sites. In order to fully comprehend what Active Directory is all about, we need to take an initial look at a number of concepts. For the Server exam, you'll only need to be familiar with the ideas for the most part. A deeper discussion on Active Directory will be covered once we get to the AD Implementation and Administration portion of the series.
Active Directory is uses the Lightweight Directory Access Protocol (LDAP) as its primary access protocol. LDAP runs over TCP/IP, and defines a way to reference and access objects between an Active Directory client and server. Under LDAP, every object has a distinct Distinguished Name, and this name distinguishes the object from every other object in Active Directory, while also telling us where the object exists. The two main components of a distinguished name are a CN (common name) and a DC (domain component). The common name identifies an object or the container in which it exists, while the domain component references the domains within which the object exists. For example, a distinguished name could be as follows:
CN=Dan DiNicolo, CN=Users, DC = win2000trainer, DC=com
In the above example I have a user called Dan DiNicolo, who exists within a container called Users, in the domain win2000trainer, which is a subdomain of com. The distinguished name of an object must be unique within a given Active Directory forest (more on forests in a bit).
While a distinguished name tells us about the complete context of an object, a relative distinguished name uniquely identifies an object within its parent container. For example, if I were searching within the Users container, the relative distinguished name of the object I identified above would be Dan DiNicolo.
When a user logs on to an Active Directory domain, two types of names can be provided. The first is the traditional NetBIOS name, referred to in Windows 2000 as the downlevel logon name. This exists for the purpose of backwards compatibility with versions of Windows that rely on NetBIOS for logon functions (such as NT 4, Windows 9x, etc). When using a downlevel logon name ('User logon name - pre-Windows 2000' in the interface) to log on, the user must provide a username, password, and choose the appropriate domain name that they wish to log in to. The second option and new in Windows 2000 is the ability to log on using what is referred to as a User Principal Name, or UPN. A UPN follows the format email@example.com (in the interface it is referred to as the User logon name). When this convention is used, a user no longer needs to specify the domain that they wish to log in to. In fact, under Windows 2000, the domain portion of the login box is grayed out when a UPN is used to sign in. An example of the two types of names is shown in the properties of an Active Directory use account below:
|A first look requires that we also discuss both the logical and physical elements of Active Directory. The logical part of Active Directory includes some ideas that you may have already heard of, including terms like forest, trees, domains, and OUs. The physical part of Active Directory relates to sites and domain controllers. The distinction between the logical and physical elements is important and you must recognize and understand the differences.
Active Directory Logical Structure
The logical structure of Active Directory will vary based on the needs of an organization. Logical elements include forests, trees, domains, and organizational units.
A domain in Windows 2000 is very similar to what a domain was in NT 4. For all intents and purposes, a domain is still a logical group of users and computers (objects) that forms an administrative and replication boundary. That means two things. First of all, a domain is an administrative unit. As such, an administrator from one domain is only the administrator of that domain, and not necessarily any others. Secondly, all domain controllers in the same domain must replicate with one another. We refer to this as a replication boundary. In Windows 2000, domains are named according to DNS naming conventions, instead of conventions based on Netbios. An example of an Active Directory domain name would be win2000trainer.com. In Windows NT, domains had a restriction on how large they could grow, based on the size of the domain SAM database (40MB or thereabouts). As such it was often necessary to create multiple domains if a company had tens of thousands of users and computers. By comparison, multiple domains wouldn't actually be required in such a scenario under Windows 2000, since Active Directory can contain literally millions of objects. In the same manner that a user account existed within a domain in Windows NT, the same is true in Windows 2000. A given user should be given only one account, and that account exists within only one domain, even if multiple domains exist. Active Directory does allow you to have multiple domains, forming structures referred to as trees and forests, to be discussed next.