Windows Server 2003 Active Directory: Perspective

Transcription

1 Mary I. Hubley, MaryAnn Richardson Technology Overview 25 September 2003 Windows Server 2003 Active Directory: Perspective Summary The Windows Server 2003 Active Directory lies at the core of the Windows Server 2003 network infrastructure, providing authentication and authorization services, central administration and information sharing. Table of Contents Technology Basics Technology Analysis Business Use Benefits and Risks Standards Technology Leaders Technology Alternatives Insight List Of Tables Table 1: Windows Server 2003 Active Directory Standards Support Gartner Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 Technology Basics Active Directory (AD) is the directory service in the Standard, Enterprise and Datacenter versions of the Windows Server 2003 family. (While Windows Web Server 2003 can participate in a directory service, it cannot operate one.) AD gives Windows administrators the ability to centrally organize, manage and control access to all network resources, including desktops and applications, as well as to monitor and manage network devices. It not only stores information about network resources but also provides a consistent way to name, describe, locate, manage and secure this information as it applies to both users and applications. Active Directory consists of both logical and physical components. Each must be taken into consideration when designing the network infrastructure. AD s logical components organize network resources to match the organizational structure. AD s physical components configure and control where and when data replication and login traffic can occur over the network. Active Directory s Logical Structure The basic logical component in AD is the domain, defined by the administrator as a collection of computers that share a common directory database, security policies and security relationships. For example, an organization can set up a separate domain for each department or region. Domains, in turn, can be partitioned into Organizational Units (OUs). An OU is a collection of users and computers that have been given certain administrative rights. Instead of having one person administer an entire domain, AD let s you delegate specific administrative tasks over organizational units. For example, under the domain headquarters you can create an OU named HR that contains all user accounts and computer objects for that department. Then, you can delegate the responsibility for maintaining passwords to someone in that department. If necessary, you can also delegate the authority to create, delete or manage user accounts or groups within the OU, Multiple domains can be organized into trees. A tree is a hierarchical arrangement of domains that have the same Domain Name System (DNS) name. When a domain is added to an existing tree, the new domain becomes a child domain of the parent domain. The name of the child domain is combined with the DNS name of the parent to form the child s DNS name. Trees can be grouped into forests. A forest is a group of trees that do not share a common DNS name but do share a common configuration and schema an attribute repository that allows attributes and object classes to be redefined separately from the AD objects. Every domain in a forest can share resources and administrative functions with the other trees in the forest. Every domain trusts every other domain in a forest. The forest is the security boundary not the domain. Trusts can be established between two forests to provide a one-way or two-way transitive trust relationship between every domain residing within each forest. For example, forest-to-forest trusts can be established between companies undergoing mergers or acquisitions, or between collaborative business extranets. One- or two-way transitive and nontransitive trusts can be established between any non-windows Kerberos v.5 realm and a Windows Server 2003 domain. Active Directory also supports one-way, nontransitive trusts for connections to Windows NT networks from an external organization. Active Directory s Physical Structure 25 September

3 Active Directory s Physical Structure consists of these basic components: site, domain controller (DC) and Global Catalog Server (GCS). A site is a high-speed subnet, or subnets, connected by a high-speed link. A domain controller is a Windows 2000 or Windows 2003 Server computer that stores a replica of the AD logical structure. Because AD s logical and physical structures are independent of each other, a single site can have multiple domains, or there can be multiple sites in a single domain. The domain controllers manage the directory structure, including: Multimaster replication change management User logon management Authentication and directory searches The Global Catalog Server is a separate Windows 2000 or Windows Server 2003 computer that stores a subset of the object attributes contained on a domain controller, including schema, configuration, a read/write copy of the local domain and partial replicas of the other domains in the forest. Once a user has successfully logged on to a DC, the user s universal group membership is obtained from the GCS and stored on the local DC cache. When the user logs into the DC again, the DC can check the cache to verify the user rather than contact the GCS. This reduces demand on slow or unreliable networks and maintains availability even if the GCS is down. AD s Group Policy features give administrators the ability to specify Group Policy settings for a site, domain or OU. Multimaster Replication Because AD is based on a multimaster replication model, changes to any AD object can be made to any domain controller in a network, and those changes will be automatically replicated to the rest of the domain controllers in the domain. The Knowledge Consistency Checker (KCC) calculates the best connections for replications to the domain controllers based on site knowledge. The following protocols are used for data replication: Remote procedure call (RPC) Active Directory replication uses RPC over IP for replication within a site. Domain, schema, configuration and global catalog replication can take place over RPC. Simple Mail Transfer Protocol (SMTP) SMTP supports schema configuration and global catalog replication. However, you cannot use SMTP to replicate the domain partition to domain controllers of the same domain. This is because some domain operations, such as Group Policy, require the support of the File Replication service (FRS), which does not yet support an asynchronous transport for replication. Only RPC can be used to replicate the domain partition. Features Specific to Windows Server 2003 family While Active Directory is operable on Windows 2000 servers and will work in mixed Windows 2000/2003/NT environments, to take advantage of all of its features, AD must be installed on a computer running Windows Server Features that work only with Windows Server 2003 include: Schema management Support for inetorgperson schema Domain Rename 25 September

4 Tools for creating cross-forest trusts Enhanced AD health monitoring Resultant Set of Policy (RSoP) tool for verifying policies in effect for any user or computer on a domain Setup Wizard Support for over 5,000 members in a Group Ability to disable replication compression Schema Management The Windows Server 2003 AD database comes with 200 object types and over 1,000 attributes. By modifying the schema, users can extend this number, as well as deactivate some, but none can be deleted. Schema modifications must be based on standard X.500 naming conventions and cannot conflict with other modifications. Schema modifications are replicated to every domain controller in the forest; to avoid AD from becoming corrupted through schema object conflict, schema modification must be managed in a structured manner. AD Application Mode For organizations that don t require the full functionality of AD, Windows Server 2003 provides AD Application Mode (AD/AM) Server, a lightweight version of AD with a different schema that provides application directories without requiring the complex authentication services inherent in AD. Upgrading to Windows Server 2003 AD Active Directory can be installed at one of the following domain functional levels: Windows 2000 mixed supports Windows NT 4.0, Windows 2000 and Windows Server 2003 family domain controllers Windows 2000 native supports Windows 2000 and Windows Server 2003 family domain controllers Windows Server 2003, Interim supports Windows NT 4.0 and Windows 2000 and Windows Server 2003 family domain controllers Windows Server 2003 supports Windows Server 2003 family domain controllers While AD can be installed on Windows NT or Windows 2000 servers, users must upgrade to the Windows Server 2003 domain functional level to take advantage of Windows Server 2003-specific features, such as schema management, support for Kerberos Key Distribution Center (KDC) version numbers, domain rename, cross-forest trusts and the inetorgperson class. Windows Server 2003, Interim is used only for direct upgrades from Windows NT 4.0 to the Windows Server 2003 family, directly bypassing Windows Windows 2000 domain controllers will not function in a Windows Server 2003, Interim installation. Domain controllers running earlier operating systems cannot be introduced into a domain functional level that does not support them. Once you have raised the domain functional level, you cannot lower it. Active Directory Migration Tool (ADMT) Version 2 of ADMT for migrating NT domains to AD adds support for password migration between domains, and scripting and command-line interfaces that allow the development and testing of migration scripts. 25 September

5 Technology Analysis AD gives the organization a great deal of flexibility in setting up its network infrastructure. However, not all structural combinations will work with every organization. For example, AD allows multilevel nesting of organization units or groups, but when deployed to more than five levels, the resultant structure can lead to poor performance. Since domain setup involves translating job functions into AD access rights, failure to account for the political aspects of this process can result in significant delays in design and deployment. It takes time to analyze the present organizational structure before changing or adapting it to AD. A documented migration plan should be in place, followed by a pilot migration, before AD is placed into production. DNS/WINS Compatibility Issues Because AD uses DNS for name resolution while Win NT domains use Windows Internet Naming Service (WINS), an NT upgrade will involve setting up a DNS server on an existing or new server and installing an additional copy of Windows 2000/2003 to run DNS. In a WinNT Server environment, a WINS server is used for name resolution and an Internet service provider s (ISP s) DNS server is used for Internet name resolution. Thus, a WinNT client is usually configured with two IP addresses, one for WINS and one for DNS. When NT clients are migrated to an AD environment that uses DNS for name resolution, all references to WINS IP addresses must be removed, and all DNS IP addresses must be reconfigured to a local DNS server rather than the ISP s Internet DNS Server. For Windows clients to access the Internet, the local DNS server must be configured to forward unresolved requests to the ISP s DNS server, Maintaining Availability In addition to migration planning, both maintenance and disaster recovery plans should be in place to guarantee maximum uptime and availability. The maintenance plan should include proactive monitoring, backups and defragmentation. Plans should include backing up and restoring the AD database in response to events that result in: A corrupted or invalid schema Missing DNS records Damaged or corrupted information An inoperable configuration Because the AD is continually in use, it is not possible to simply make a copy of it as with other database files. Instead, the AD backup utility must be used to perform a separate online backup of each DC, including the system-state data. Since all DCs in a domain are full-replica partners, a DC with no backup can still be restored from backup media (that is, tape, CD, DVD or file copy over a network). First, the AD backup utility should be used to create a backup of an existing domain controller onto external media. Then, the Active Directory Installation Wizard must be run to install the DC to the failed machine from the backup media. By default, AD runs the Garbage Collection process every 12 hours. This process removes Tombstones or remnants of deleted objects, as well as any unnecessary log files. It then performs an online defragmentation to reclaim space in the directory for new objects; however, this has no effect on file size. To reduce file size, the default online defragmentation should be supplemented with offline defragmentation to recover unused space. Offline defragmentation can be scheduled to occur on an asneeded basis by using Garbage Collection to log an event showing when the ratio of current DB size to 25 September

6 white-space content reaches a specified level. By helping to reduce the size of the AD database files, offline defragmentation can improve directory performance and availability. Desktop and Replication Requirements While all Windows clients can log into an AD domain and access shared resources, only Windows 2000 and Windows XP clients can use all of AD s features including Group Policies. Another factor that must be taken into consideration when implementing AD is replication requirements. AD won t function properly if it cannot complete its replication cycles due to inadequate network bandwidth or poorly configured DC hardware. Business Use AD is mainly deployed as an identity and applications manager for managing single sign-on, passwords, adding and deleting users, and user provisioning. Combined with Group Policy, AD controls security settings for remote desktop management, including: Automatic software distribution and installation Desktop configuration Software repair AD is also used in applications services. Third-party software, such as SAP and J.D. Edwards, can work with AD. Benefits and Risks Benefits: Desktop management Network security Ability to upgrade to Exchange 2000 which requires AD Central management of users throughout the enterprise Multimaster replication change management AD s delegation capabilities User access to millions of objects without knowledge of physical location or connection to the network Risks: AD migration and deployment involves specific costs that must be managed to minimize risk to the organization. These costs include: Windows 2000/2003 software licenses Staff retraining Third-party AD migration and management tool licenses Replacement or upgrade of older hardware devices including servers to be used as domain controllers (Microsoft s hardware compatibility list should be checked to ensure that existing hardware device drivers will continue to work with AD.) 25 September

7 Replacement or upgrade of desktop systems to take advantage of AD Group Policies Standards Table 1: Windows Server 2003 Active Directory Standards Support Standard Description Version Dynamic Host Configuration Protocol Network address management RFC 2131 DNS Dynamic update protocol Host names management RFC 2136, 2782 and 3007 Simple Network Time Protocol Distributed time service RFC 2030 Lightweight Directory Access Protocol (LDAP) v.3 Client directory access RFC 2251 LDAP C Directory application programming (API) LDAP Data Interchange Format (LDIF) Directory synchronization 2849 RFC 1823 LDAP Directory schema RFC 2247, 2252 and 2256 Kerberos v.5 Authentication RFC 1510 X.509 v# certificates Authentication ISO X.509 TCP/IP Network transport RFC 791 and 793 Technology Leaders An organization can use Microsoft-provided tools and utilities to deploy and manage AD, but users may find that the additional features provided by third-party tools make managing more complex environments easier. These products provide tools for migrating to AD from older network operating systems, as well as AD change management, monitoring, and event detection and correction. Leading vendors of AD management technologies include NetIQ ( Quest Software ( BindView Corporation ( and Aelita ( Netpro ( provides monitoring and security products for AD. Full Armor ( provides a management solution for group policies. Technology Alternatives An alternative to AD on Windows Platforms is Novell s edirectory. Insight When properly implemented, Windows Server 2003 Active Directory can enhance productivity and security within any size organization. These benefits, however, do not come without incurring substantial costs in licensing, hardware and network upgrades, staffing, setup and maintenance. 25 September