70-240 in 15 minutes a week: Active Directory and DNS - Part 1

By ServerWatch Staff (Send Email)
Posted May 14, 2001


by Dan DiNicolo
http://www.win2000trainer.com
Welcome to Article 13 in my 70-240 in 15 minutes a week series. This week's article is the first in the Active Directory portion of the series and covers a review of Active Directory concepts as well as an overview of DNS.

Welcome to article number 13 in my 70-240 in 15 minutes a week series. This week's article is the first in the Active Directory portion of the series and covers a review of Active Directory concepts as well as an overview of DNS. This includes a look at the logical and physical structure of Active Directory, as well as a look at DNS terms, concepts, and new features. This article does reiterate some of the material covered in article number 8 in the series, which introduced Active Directory for the purpose of the Windows 2000 Server section of the 70-240 exam. Next week this topic will be continued, with a look at the actual implementation and administration of DNS, as well as Active Directory domain installation.

The material to be covered in this article includes:

- Review of basic Active Directory terms and concepts
- Logical Structure
- Physical Structure
- DNS Basics overview
- New Features of Windows 2000 DNS


Active Directory Review

As we covered in the Windows 2000 Server portion of the series, Active Directory is the directory service of Windows 2000. A directory service is a store of information that is used both to look up information about objects (such as users, computers, and domains) and to provide authentication and security services. Active Directory is very similar to other X.500-based directory services such as Novell's NDS and Sun's Directory Service, both in its basic structure and in the services it provides. 

A wide range of objects can be created in Active Directory. An object represents a unique entity within the directory, and is usually made up of many attributes, which describe and identify it. A user account, for example, is an object with attributes such as a first name, last name, password, phone number, and address. In the same way, a shared printer can be an object in Active Directory, with attributes such as a name, location, and more. The attributes of an object not only help to identify it, but also allow us to search for it in the directory. For example, I could search Active Directory for all users with the first name Mark (perhaps to find his phone number), and would be returned a list of all users whose first name attribute is equal to Mark. Keep in mind that there are many different types of objects in Active Directory, everything from domains, to users, to servers, to sites, to printers, and more.

Objects are defined in the Schema, which is basically the 'blueprint' that defines the types of objects (classes) that can be created in Active Directory and the attributes each type can have. You should be aware that it is also possible to define new object types and attributes by extending the Schema to meet the needs of your organization: adding a babysitter's phone number attribute to user accounts, or creating a whole new object type called Company Vehicles, for example. Schema changes apply to the entire forest, require membership in the Schema Admins group, and cannot be undone (a class or attribute can later be deactivated, but never deleted), so they should be planned carefully. Much more on extending the schema later in the series.
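As an added example (not code from the original article), here is how the search described above, "all users whose first name is Mark", is expressed as an LDAP search filter. The attribute names givenName, objectCategory and objectClass are the standard Active Directory names; the function names are my own, and no directory is contacted. The important practical point is the escaping: a first name pasted into a search box must be escaped according to RFC 4515 before it is concatenated into the filter, otherwise a value containing * or ) rewrites the query.

```python
# Added example, not from the original article: building the LDAP search
# filter for "all users whose first name is Mark", with the value escaped per
# RFC 4515 so that text taken from user input cannot rewrite the filter.
# Function names are mine; givenName, objectCategory and objectClass are the
# standard Active Directory attribute names.  No directory is contacted.

# Characters with a special meaning inside an LDAP filter (RFC 4515 2.4).
_FILTER_SPECIAL = '\\*()\x00'


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.

    Each special character becomes a backslash followed by its two-digit hex
    code, so '*' is written as \\2a and ')' as \\29.
    """
    return ''.join('\\%02x' % ord(ch) if ch in _FILTER_SPECIAL else ch
                   for ch in value)


def user_by_first_name_filter(first_name: str, safe: bool = True) -> str:
    """Return the filter matching user objects whose givenName is first_name.

    objectCategory=person restricts the search to user-like objects (and is
    an indexed attribute); objectClass=user excludes contact objects.
    safe=False concatenates the raw value without escaping and exists only
    to make the injection problem visible.
    """
    value = escape_filter_value(first_name) if safe else first_name
    return '(&(objectCategory=person)(objectClass=user)(givenName=%s))' % value


if __name__ == '__main__':
    print(user_by_first_name_filter('Mark'))
    # A single '*' typed into the search box: concatenated raw, the filter
    # becomes (givenName=*), which matches every user that has a first name.
    # Escaped, it becomes (givenName=\2a) and matches only a literal asterisk.
    print(user_by_first_name_filter('*', safe=False))
    print(user_by_first_name_filter('*'))
```

The same escaping applies to any attribute value that comes from outside the application, not only givenName.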
Active Directory is accessed mainly through a protocol referred to as LDAP, the Lightweight Directory Access Protocol. An open and defined standard for accessing directories, LDAP provides the mechanism for querying, updating, and defining objects in the directory. Every object in Active Directory is identified by what is called an LDAP distinguished name, which uniquely identifies the object within the entire directory. For example, the distinguished name of a user account object named Dan DiNicolo that exists in the Information Technology organizational unit of the win2000trainer.com domain would be:

CN=Dan DiNicolo, OU=Information Technology, DC=win2000trainer, DC=com

An LDAP distinguished name is made up of three main elements (the spaces after the commas in these examples are shown for readability and are normally omitted):

CN - Common Name, the name of the object within Active Directory. 
OU - Organizational Unit, the name of the Organizational Unit within Active Directory. Note that built-in containers, such as Users, would use CN= instead of OU= in an LDAP distinguished name.
DC - Domain Component, the DNS domain name in which the object exists, represented one domain level at a time, starting with lower-level domains and ending with top-level domains.

Another two quick examples:

CN=John Doe, CN=Users, DC=domain, DC=com would represent a user object named John Doe whose account exists in the Users built-in container in a domain named domain.com

CN=Jane Doe, OU=Sales, OU=Toronto, DC=canada, DC=company, DC=net would represent a user object named Jane Doe, whose account exists in an OU called Sales, which is a sub-OU of an OU named Toronto, in a domain named canada.company.net

Another way of referring to an object within Active Directory is by its relative distinguished name (RDN). Quite simply, the RDN is the leftmost component of the distinguished name, and it identifies the object only relative to the container it sits in. For example, if I were looking in the OU called Sales, which is a sub-OU of the OU Toronto in the canada.company.net domain, the relative distinguished name of the object I previously described is just CN=Jane Doe. An RDN therefore only has to be unique within its own container: another CN=Jane Doe can exist in a different OU of the same domain. Note also that a distinguished name describes where an object currently lives, and it changes when the object is moved or renamed.
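The distinguished-name structure described in this section, worked through in code as an added example (not from the original article): a small parser that splits a DN into its CN, OU and DC components, derives the relative distinguished name, the parent container, the DNS domain name and the OU nesting, and a builder that goes the other way. The escaping rules follow RFC 4514; the article's DNs, written with a space after each comma, are accepted as input. All function names are my own, and no directory is contacted.

```python
# Added example, not from the original article: taking an LDAP distinguished
# name apart into its CN/OU/DC components and deriving the relative
# distinguished name, parent container, DNS domain name and OU path, plus the
# reverse operation.  Escaping follows RFC 4514; whitespace after the commas
# (as in the article's examples) is tolerated.  Function names are mine.


def _split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, leaving escape sequences intact."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            current.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
    parts.append(''.join(current))
    return parts


def _unescape(value: str) -> str:
    """Turn '\\,' back into ',' (single-character escapes only; \\XX hex
    escapes are not decoded here)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_dn(dn: str) -> list:
    """Return [(type, value), ...] with the leftmost (most specific) RDN first."""
    components = []
    for raw in _split_rdns(dn):
        raw = raw.lstrip()
        while raw.endswith(' ') and not raw.endswith('\\ '):
            raw = raw[:-1]          # unescaped trailing space is separator padding
        attr_type, sep, value = raw.partition('=')
        if not sep or not attr_type.strip():
            raise ValueError('malformed RDN: %r' % raw)
        components.append((attr_type.strip().upper(), _unescape(value)))
    return components


_RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = ''.join('\\' + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if out[:1] in ('#', ' '):
        out = '\\' + out
    if out.endswith(' ') and not out.endswith('\\ '):
        out = out[:-1] + '\\ '
    return out


def relative_distinguished_name(dn: str) -> str:
    """The RDN is simply the leftmost component, e.g. 'CN=Jane Doe'."""
    attr_type, value = parse_dn(dn)[0]
    return '%s=%s' % (attr_type, escape_rdn_value(value))


def parent_container(dn: str) -> str:
    """DN of the container the object lives in: everything after the RDN."""
    return ','.join('%s=%s' % (t, escape_rdn_value(v)) for t, v in parse_dn(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC components, leftmost first, into the DNS domain name."""
    return '.'.join(v for t, v in parse_dn(dn) if t == 'DC')


def ou_path(dn: str) -> list:
    """OUs from the outermost to the innermost, the way they nest in the tree."""
    return [v for t, v in reversed(parse_dn(dn)) if t == 'OU']


def build_dn(cn: str, ous: list, domain: str) -> str:
    """DN of an object named cn inside the OUs listed outermost first
    (e.g. ['Toronto', 'Sales']) in the given DNS domain."""
    components = ['CN=' + escape_rdn_value(cn)]
    components += ['OU=' + escape_rdn_value(ou) for ou in reversed(ous)]
    components += ['DC=' + label for label in domain.split('.')]
    return ','.join(components)


if __name__ == '__main__':
    dn = 'CN=Jane Doe, OU=Sales, OU=Toronto, DC=canada, DC=company, DC=net'
    print(relative_distinguished_name(dn))
    print(parent_container(dn))
    print(dns_domain(dn), ou_path(dn))
    print(build_dn('Doe, John', [], 'domain.com'))
```

Note that build_dn places objects in OUs only; an object in a built-in container such as Users would need CN=Users as its parent component instead, exactly as the article's John Doe example shows.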
