Understanding Active Directory Services
06_InsideWin_ch06 12/3/03 1:59 PM

CLASSIC NT HAS MANY ECCENTRICITIES, big and small, that limit its scalability and functionality. Many of these eccentricities stem from NT's clumsy, flat-file, Registry-based account management system. What is lacking in classic NT is a true directory service capable of handling the management chores for a network containing hundreds of thousands, if not millions, of users, computers, groups, printers, shared folders, network appliances, and so forth. The hallmark of modern Windows is an enterprise-class directory service called Active Directory. We're going to spend the next six chapters learning to configure, deploy, manage, and fix Active Directory. The purpose of this chapter is to introduce you to the components of Active Directory and how they fit together. We'll also take an initial look at the tools provided by Microsoft to access and modify the contents of Active Directory.

New Features in Windows Server 2003

Microsoft has done quite a bit of tuning on Active Directory in Windows Server 2003 to improve scalability and speed and to correct a couple of key deficiencies. Some of these updates might not make much sense until you read further, but here is a synopsis to use for reference. The first three features require having Windows Server 2003 on every domain controller:

Site scalability. The calculations for determining replication topology between sites have been streamlined. This corrects a problem where large organizations with hundreds of sites might experience replication failure because the topology calculations cannot be completed in the time allotted to them.
Backlink attribute replication. Group members are now replicated as discrete entities instead of replicating the entire group membership list as a single unit. This corrects a problem where membership changes made to the same group on different domain controllers in the same replication interval overwrite each other.

Federations. A new trust type called Forest was added to simplify transitive trust relationships between root domains in different forests. Using Forest trusts, it is possible to build a federation of independent Active Directory forests. This feature does not implement true prune and graft in Active Directory, but it goes a long way toward simplifying operations within affiliated organizations.

Simplified domain logon. Universal group membership can be cached at non-global catalog servers. This permits users to log on even if connectivity to a global catalog server is lost. This enhancement is coupled with a feature in XP where the domain\name result of cracking a User Principal Name (UPN) is cached locally. This permits a user at an XP desktop to log on with the UPN format (user@domain) even if a global catalog server is not available.

Application naming contexts. Windows Server 2003 introduces the capability to create new naming contexts to hold DNS record objects for Active Directory Integrated zones. One naming context holds domain zone records and one holds the _msdcs records used throughout a forest. These naming contexts make it possible to target replication of DNS zones only to domain controllers that are running DNS.

Eliminate piling onto new domain controllers. There is potential for a problem when an NT4 primary domain controller (PDC) is upgraded to Windows Server 2003. In this circumstance, all existing Windows 2000 and XP desktops will use the newly promoted PDC as a logon server.
In Windows Server 2003, domain controllers can be configured to respond to modern Windows clients as if they were still classic NT domain controllers until sufficient domain controllers are available to handle local authentication. This feature is also available in Windows 2000 SP2 and later.

DNS diagnostics. Proper DNS configuration is critical for proper Active Directory operation. The Domain Controller promotion utility now performs a suite of DNS diagnostics to ensure that a suitable DNS server is available to register the service locator resource records associated with a Windows domain controller.
Fewer global catalog rebuilds. Adding or removing an attribute from the Global Catalog no longer requires a complete synchronization cycle. This minimizes the replication traffic caused by adding an attribute to the GC.

Management console enhancements. The Active Directory Users and Computers console now permits drag-and-drop move operations and modifying properties on multiple objects at the same time. There is also the capability of creating and storing custom LDAP queries to simplify managing large numbers of objects. The new MMC 2.0 console includes scripting support that can eliminate the need to use the console entirely.

Real-time LDAP. Support was added for RFC 2589, LDAPv3: Extensions for Dynamic Directory Services. This permits putting time-sensitive information in Active Directory, such as a user's current location. Dynamic entries automatically time out and are deleted if they are not refreshed.

Enhanced LDAP security. Support was added for digest authentication as described in RFC 2829, Authentication Methods for LDAP. This makes it easier to integrate Active Directory into non-Windows environments. Support was also added for RFC 2830, LDAPv3: Extension for Transport Layer Security. This permits using secure connections when sending LDAP (Lightweight Directory Access Protocol) queries to a domain controller.

Schema enhancements. The ability was added to associate an auxiliary schema class to individual objects rather than to an entire class of objects. This association can be dynamic, making it possible to temporarily assign new attributes to a specific object or objects. Attributes and object classes can also be declared defunct to simplify recovering from programming errors.

LDAP query enhancements. The LDAP search mechanism was expanded to permit searching for individual entries in a multivalued Distinguished Name (DN) attribute. This is called an Attribute Scoped Query, or ASQ. For example, an ASQ could be used to quickly list every group to which a specific user belongs.
Support was also added for Virtual List Views, a new LDAP control that permits large data sets to be viewed in order instead of paging through a random set of information. This change permits Windows Server 2003 to show alphabetically sorted lists of users and groups in pick lists.

Interoperability. Support was added for RFC 2798, Definition of the inetOrgPerson LDAP Object Class. This enhances interoperability with Netscape and NetWare directory services, both of which use the inetOrgPerson object class to create User objects.
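The "every group to which a specific user belongs" question raised under LDAP query enhancements is, on any LDAPv3 server, usually answered with a filter on the multivalued member attribute. The following is an added example, not code from the book or from Microsoft, and it uses the portable filter form rather than the ASQ control itself. It shows the part practitioners most often get wrong: the user's DN must be escaped per RFC 4515 before it is pasted into the filter, otherwise a crafted name rewrites the query. The small parser is included so the effect can be checked; it handles equality assertions and the and/or/not operators only, and the DNs are constructed for the example.

```python
"""Building an LDAP group-membership filter safely (added example)."""


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).

    '*', '(', ')', '\\' and NUL, plus any byte outside printable ASCII, are
    written as a backslash followed by two hex digits, so the value can
    never be read as filter syntax.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def groups_of_user_filter(user_dn: str) -> str:
    """Filter matching every group whose member attribute contains user_dn."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


def naive_groups_filter(user_dn: str) -> str:
    """The vulnerable form: the DN is interpolated without escaping."""
    return "(&(objectClass=group)(member=%s))" % user_dn


def parse_filter(text: str):
    """Parse a filter string into a tree for inspection.

    Returns ('and'|'or', [subfilters]), ('not', subfilter) or
    ('item', attribute, raw_value). Raises ValueError on malformed input.
    """
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter: %r" % text[pos:])
    return tree


def _parse(text: str, pos: int):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|":
        kind = "and" if text[pos] == "&" else "or"
        pos += 1
        subs = []
        while pos < len(text) and text[pos] == "(":
            sub, pos = _parse(text, pos)
            subs.append(sub)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated %s filter at offset %d" % (kind, pos))
        return (kind, subs), pos + 1
    if pos < len(text) and text[pos] == "!":
        sub, pos = _parse(text, pos + 1)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated not filter at offset %d" % pos)
        return ("not", sub), pos + 1
    # Simple equality item; a ')' inside a value must already be escaped as \29.
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("missing ')' for item at offset %d" % pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("malformed item %r" % text[pos:end])
    return ("item", attr, value), end + 1


def demo():
    """Compare the two filters on an honest DN and on a hostile one (both constructed)."""
    honest = "CN=Bob Smith,OU=Sales,DC=corp,DC=example"
    hostile = ")(objectClass=*"  # closes the member item and adds a match-all clause
    return {
        "honest_clauses": len(parse_filter(groups_of_user_filter(honest))[1]),
        "naive_hostile_clauses": len(parse_filter(naive_groups_filter(hostile))[1]),
        "escaped_hostile_clauses": len(parse_filter(groups_of_user_filter(hostile))[1]),
    }


if __name__ == "__main__":
    print(demo())
```

With the naive filter the hostile name yields three clauses under the AND, one of them objectClass=*, so the query no longer asks what the caller intended; the escaped form keeps two clauses and searches for the literal string.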
Speedier domain controller promotions. The capability was added for using a tape backup of the Active Directory database to populate the database on a new domain controller. This greatly simplifies domain controller deployments in situations where it is not practical to ship an entire server.

Scalability. The maximum number of objects that can be stored in Active Directory was increased to over one billion.

Limitations of Classic NT Security

The first questions you may ask when hunkering down to study Active Directory are, "What is it?" and "Why have it?" This section answers the second question. The remainder of the chapter answers the first.

Account administration in a classic NT network is hampered by many limitations. The most important of these limitations are the following:
- Restricted SAM size
- Multiple logon IDs
- Single point of failure at the primary domain controller
- Poor operational performance
- Poor replication performance
- Lack of management granularity
- The fact that security databases differ between servers and domain controllers
- Nontransitive trust relationships

I'm going to discuss each of these limitations to show exactly how they hinder classic NT operations. This also helps to understand why certain decisions were made in the design of Active Directory.

Restricted Account Database Size

Security accounts in classic NT are stored in the Security Account Manager database, called the SAM for short. The SAM is a flat-file database consisting of a set of Groups and a set of Users. Computer accounts are also included in the SAM as a special form of user account.
SAM Database Structure

Ordinarily, you cannot view the contents of the SAM database because the Registry only permits access by the System account. If you want to take a peek inside, you can set the Registry permissions to give your account or the Administrators group Read access. Actual data is encrypted and stored in binary format, but you can view the structure. Figure 6.1 shows an example.

Figure 6.1 SAM database viewed by the Registry Editor after changing security permissions.

The total number of users, computers, and groups in classic NT is limited because the SAM cannot grow above a certain size. This is due to restrictions on overall Registry size called the Registry size limit (RSL). The RSL permits the Registry to grow to a maximum of 80 percent of paged pool memory. Paged pool memory has a ceiling of 192MB in NT and 470MB in Windows 2000 and Windows Server 2003.
Memory Pool Registry Settings

Memory used by the kernel in all Windows server products is divided between non-paged pool memory and paged pool memory. You can view settings for the memory pools in the following Registry key:

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

The default values are zero, indicating that the system calculates them dynamically. You should not change any values without specific direction from Microsoft Product Support Services.

In modern Windows, the RSL is adjusted automatically when the Registry is about to exceed the current RSL setting. The RSL can also be adjusted from the User Interface (UI) using the Computer Management console as follows:
1. Launch the Computer Management console by entering COMPMGMT.MSC from the Run window.
2. Right-click the Computer Management icon and select PROPERTIES from the flyout menu.
3. Select the Advanced tab.
4. Click Performance Options.
5. Under Virtual Memory, click Change. This opens the Virtual Memory window.
6. Put a new value in the Maximum Registry Size field.

The SAM is only one component of the Registry, so its size is restricted still further. A classic SAM has enough room for about 40,000 users if you count the groups you'll need to manage them. Practical limits on replication and user management reduce this number considerably, although I know of at least one company that has in excess of 60,000 users in a single classic NT domain.

Single Point of Failure

The PDC is the only server that has read/write access to the SAM in a classic NT domain. If the PDC crashes or the telecommunications link to it goes down, you cannot make any changes to the domain constituents. You cannot add new users to a group. You cannot join computers to the domain. Users can still log on via a backup domain controller (BDC), but they cannot change their passwords. To correct this problem, an administrator must promote a BDC to PDC somewhere in the domain.
If the promoted BDC doesn't have the horsepower of the original PDC, worldwide performance suffers. A worse situation occurs if the WAN connection that connects the PDC to the rest of the domain goes down. In this situation, you don't dare promote a BDC because when the WAN connection returns, you'll have two PDCs with slightly different security database contents. This forces you to make a Solomon-like decision to keep one PDC and kill the other. In short, you have the makings of a real disaster.

Poor Operational Performance

The single PDC in a classic NT domain also imposes practical limits on daily operations. Assume, for example, that you are an administrator of a global NT network with 30,000 users. You are stationed in Omaha but the PDC for the master security domain is in Boston. You open User Manager for Domains to add a new user. User Manager pulls the account database from the SAM on the PDC, not a local BDC. Depending on the speed of the intervening WAN links, it can take a long, long time to scan through a big SAM. Administrators in large NT domains learn to use command-line utilities to avoid this irritation.

Poor Replication Performance

The hub-and-spoke replication model of classic NT imposes operational limits beyond the problem with limited SAM size. A large network with many BDCs imposes a great deal of load on the PDC to keep the databases replicated. By default, replication occurs when 200 updates accumulate, every seven minutes, or at a random interval between one and seven minutes. If you don't want to wait for replication to carry an update to a remote BDC, you must use Server Manager to force replication. This means opening still another tool and waiting another period of time.

SAM Database Differs Between Servers and Domain Controllers

The SAM database has a different structure on a classic domain controller than on a regular server. For this reason, a classic NT server cannot be promoted directly to domain controller or demoted from a domain controller down to a server. You must reinstall the operating system completely to change the server's security role.

Lack of Management Granularity

A major weakness in the flat-file SAM structure is its inability to support hierarchical management. Administrators wield supreme power in a domain. A few built-in groups such as Account Operators and Server Operators have specially tailored privileges, but there is no provision for localizing admin rights or creating new groups with a different set of limited rights. Third-party tools are available to overcome this lack of management granularity, but they carry their own replication and management baggage along with a hefty price tag.
Nontransitive Trust Relationships

Of all the limitations in classic NT, the ugliest is the inability to link domains together seamlessly while maintaining separate administrative roles. Classic domains are linked by trust relationships. Domain controllers in trusting domains perform pass-through authentications to check the credentials of users from trusted domains. These trust relationships are based on entries in the NT security database called LSA Secrets. (LSA stands for Local Security Authority.) A pair of LSA Secrets, one in each SAM database, links the two domains together. Classic trust relationships can only operate in one direction. You can add complementary pairs of trusts to get the appearance of two-way authentication, but the two trusts operate independently.
Worse yet, classic trusts cannot extend beyond the two domains that form the trust endpoints. For instance, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A does not trust Domain C, nor vice versa. This forces large NT systems to have many interlocking trusts. You know when you walk into the operations center of a big NT shop because there's butcher paper on the walls with circles and arrows going everywhere.

Multiple Logon IDs

In an ideal universe, a single network logon account would provide access to all server-based applications. In the past, application designers have been reluctant to base their authentication services on the classic NT logon mechanism. Part of this reluctance was due to the inscrutable set of security APIs that Microsoft provided. Designers were also put off by the inflexible nature of the SAM. This means trying to achieve true single sign-on under NT has been very difficult. This forces users to memorize passwords for many different applications as well as their network logon. Because users often select the same password for different applications, the entire security system becomes as secure as the most vulnerable interface.

Improvements Made by Active Directory

Now that I've listed the litany of sins in classic NT, let's take a quick look at what Active Directory does to resolve them:
- The Active Directory account database in Windows Server 2003 can hold a billion objects. This resolves scalability concerns.
- Multiple domain controllers can host read/write copies of Active Directory, eliminating the problems with a single point of failure and poor operational performance.
- The Active Directory replication engine can be tuned to make best use of available bandwidth. This reduces WAN traffic.
- A modern Windows server (Windows 2000 or Windows Server 2003) can be promoted to a domain controller and demoted back to a member server without the need to reinstall the operating system.
- Active Directory can be configured with as many branches as needed to localize and compartmentalize administrative functions.
- Active Directory domains still use trusts as an operational model, but the trusts now give full, two-way access to resources and are fully transitive between domains.
- The presence of a truly world-class directory service in Windows has sparked renewed interest among application developers in achieving single sign-on. Microsoft has helped encourage this interest by simplifying the security access methods and greatly expanding the access interfaces.
So, now we know what we're leaving behind. Let's move on to see what we're getting. The next section describes what goes into a directory service.

Directory Service Components

A directory service compiles information about objects of interest in the world and dispenses that information when given a suitably formulated request. The Yellow Pages are a kind of directory service. A library card catalog is another.

People like to have their information classified for easy retrieval. For instance, the Yellow Pages has categories like Theaters, Movies and Restaurants, Outrageously Overpriced. A library card catalog classifies items into Books, Fiction; Books, Nonfiction; Periodicals; and so forth.

Information needs to be readily accessible, as well. People want one-stop shopping. At the same time, you don't want all the information at a single location. This produces bottlenecks, single points of failure, and turf hassles. For this reason, the information in a directory service needs to be distributed among many sources. Each source of information is responsible for maintaining its little piece of the distributed database.

Information needs to follow rules to make it consistent and reliable. Yellow Pages ads contain a limited set of information about businesses in a community. You would not go to the Yellow Pages to look up the current stock price of a company. A network directory service has entries for users and groups, workstations and servers, policies and scripts, printers and queues, switches and routers, and just about anything else that relates to computing. The attributes for these entries have something to do with their relationship to network services. For example, authentication credentials can be stored in a directory service so users can log on from anywhere the directory service is available. On the other hand, you would not expect to see a user's cologne preference in the directory service.
A directory service is not a general-purpose database. You would not implement a directory service to manage a point-of-sale system in a chain of video stores. But you would consider implementing a directory service to manage the salespeople who log on at the point-of-sale terminals.

Finally, a directory service needs management tools. Administrators need some way to add information to the directory, remove outdated information, and make use of the information that remains. These tools need to be global in scope, straightforward to operate, and aid in diagnosing any problems that might arise.

So let's get down to some basic questions. How does a directory service work? Why does it work that way? How does it break? How is it fixed? And most important, how does it make my job easier so I don't spend all my spare time managing the service that's supposed to be helping me manage the network?
Brief History of Directory Services

There's an old saying that you can't get to where you're going unless you know where you've been. Before analyzing Active Directory, let's start with a look at the history of directory services in general. This is not an academic exercise. It's important to understand the reason behind the decisions made when directory services were formulated and who made those decisions.

ITU-T

The directory service story starts with a smallish document called X.500, Data Networks and Open System Communications Directory. The cast of characters in this story includes a group of standards bodies and vendors from all over the world. First and foremost is the International Telecommunication Union (ITU). The ITU is a United Nations agency that acts as a forum for governments that want to achieve consensus on global telecom issues. The ITU membership includes manufacturers and service providers from over 130 countries.

The branch of the ITU specifically tasked with making directory service recommendations is the Telecommunication Standardization Sector, or ITU-T. The ITU-T was formerly called the Comité Consultatif International Téléphonique et Télégraphique (CCITT). The ITU-T issues recommendations in many areas, from broadcast requirements and measuring equipment to faxing. These recommendations are grouped into lettered series. For example, the V series covers data communication over telephone networks and includes such famous standards as V.34, Wideband Analog Modem Communication, and V.90, Connecting Analog to Digital Modems. The X series of recommendations, which includes the X.500 recommendations for directory services, covers a variety of data network and open system communication technologies, such as X.25 packet-switched networks and X.400 messaging systems. For a complete listing of ITU recommendations, see the ITU web site.

ISO

The ITU-T does not set standards; it only makes recommendations.
Getting an international standard approved requires the consent of the International Organization for Standardization (ISO).

Source of the ISO Name

You may wonder why the initials ISO do not match the name, International Organization for Standardization. Actually, the letters are not initials at all. They come from the Greek word isos, meaning equal. These letters were used to avoid the hodgepodge of acronyms that would have resulted if the various member countries translated International Organization for Standardization into their own language with their own initials.
Unlike the ITU, whose membership comes from industry vendors, ISO members come from national standards bodies. The U.S. member is the American National Standards Institute (ANSI). The .ch at the end of the ISO web site's address indicates that the site is in Switzerland, just in case you are not up on your ISO 3166 two-letter country codes.

The ISO is responsible for standardization in just about every area, from the quality standards of ISO 9000 to the standard paper sizes of ISO 216. In the networking industry, it is most famous for ISO 7498, Information Technology Open Systems Interconnection Basic Reference Model, better known as the OSI Network Model. ISO standards that affect data communication technology are often jointly published with the ITU-T. For example, the ISO standard that parallels the ITU-T X.500 recommendations for directory services is ISO 9594, Information Technology Open Systems Interconnection The Directory. Because the ISO issues standards and the ITU-T issues recommendations, it is actually a misnomer to refer to the X.500 Standard, but this is commonly done because the two documents are identical.

IEC, ANSI, and IETF

The ISO is the senior standards body in the world, but it certainly is not the only one. Many agencies dip their spoons in the standards soup bowl and they sometimes slosh on each other. In the data communications field, there is overlap between standards published by the ISO and standards published by the International Electrotechnical Commission (IEC). The IEC deals with international standardization for electronics, magnetics, electromagnetics, electroacoustics, telecommunication, and energy production/distribution. They promulgate terminology, symbols, measurement standards, performance standards, dependability, design, development, safety, and environmental standards. The U.S. member of the IEC is also ANSI. The ISO and IEC joined with the ITU in publishing the directory service standards.

In the United States, there is one senior standards body, ANSI.
You are probably most familiar with ANSI for its work to standardize character-based data formats, although there are ANSI standards for just about anything. I used to work in the nuclear industry, where even the ballpoint pens were built to conform to an ANSI standard.

In a country where millions of people call television talk shows to give advice to total strangers about their sex lives, it should come as no surprise that many advisory bodies are eager to give input to ANSI. An advisory body with a great deal of influence over implementation of the X.500 standard is the Internet Engineering Task Force (IETF). The IETF is an amalgam of vendors, developers, researchers, designers, and architects of all stripes who have an interest in the workings of the Internet. Special working groups within the IETF ride herd on Internet workings in a collaborative effort called the Internet Standards Process, a unique and somewhat lengthy operation that consists of thrashing a good idea mercilessly until it breaks into pieces that can be easily digested by the collective organism.

Request For Comments (RFC)

The Internet Standards Process is facilitated by documents called Request for Comments (RFCs) and Internet Drafts. To give you an idea of how long it takes to assimilate new ideas into Internet standards, out of the hundreds and hundreds of standards-track RFCs listed in RFC 2700, Internet Official Protocol Standards, there are only 59 standards. The rest of the documents squirm somewhere in the approval process. Copies of RFCs, Standards, Standards Track documents, Internet Drafts, and other working papers can be found at the IETF site and at various mirrored sites around the Internet. I prefer the search engine at the Internet Engineering Standards Repository.

The IETF can bypass ISO/IEC standards and ITU recommendations if they deem it necessary to get useful protocols out into the world. An example of this is the Lightweight Directory Access Protocol (LDAP). LDAP is a pared-down version of the X.500 directory service that forms the basis of Active Directory, Netscape Directory Services, and other products. There is no LDAP standard from ISO and no LDAP recommendation from the ITU. LDAP is purely an Internet concoction.

Active Directory implements the most current version of LDAP, version 3, as documented in RFC 2251, Lightweight Directory Access Protocol (v3). This RFC expands and augments the original LDAP Standards Track document, RFC 1777, Lightweight Directory Access Protocol.
There is a long list of RFCs that expand various LDAP features. Although LDAP is not precisely an X.500 implementation, a great deal of the design basis of LDAP comes from X.500. So before going through LDAP in detail, let's take a quick look at its parent.

X.500 Overview

A directory service is a distributed store of information about the users of a computer system and the infrastructure that supports that system. The goal of X.500 was to cut through the babble of competing information repositories to define a single place where users from all nations could go to locate each other, learn about each other, discover common likes and dislikes, and eventually communicate freely to find a path to universal peace and brotherhood and the dawning of the Age of Aquarius. The key features of an X.500 directory service are as follows:
- The information is distributed among many different servers.
- Users can submit queries to any server to find information anywhere in the system.
- Servers can find information on other servers because they share common knowledge about each other.

X.500 Components

The magic of X.500 comes from the flexible way it compartmentalizes and distributes information. This flexibility comes at the cost of complexity, though, not the least of which is a thicket of nomenclature rife with obscure computing jargon and Three Letter Acronyms (TLAs). These X.500 acronyms crop up quite a bit in Active Directory documentation, so it pays to give them a Quick Run Through (QRT). Refer to Figure 6.2 for a roadmap. Here are the X.500 TLAs:
- Information in an X.500 Directory is stored in a Directory Information Base (DIB).
- The DIB is divided into pieces that are structured into a hierarchy called a Directory Information Tree (DIT).

Figure 6.2 X.500 components and their communication protocols. (The diagram shows the DIT spanning several DIBs; DUAs speaking DAP over OSI to DSAs; DSAs speaking DSP to each other, with DOP governing the exchange, and replicating via DISP; and each DMD managed by a DMO.)
- Each piece of the DIB is stored on a server called a Directory Service Agent (DSA).
- A user who needs information from the directory submits queries via an application interface called a Directory User Agent (DUA).
- A DUA communicates with a DSA using the Directory Access Protocol (DAP).
- One DSA communicates with another using the Directory System Protocol (DSP).
- Administrative information exchanged between DSAs is controlled via policies defined by the Directory Operational Binding Management Protocol (DOP).
- A single Directory Management Organization (DMO) takes charge of a Directory Management Domain (DMD) that contains one or more DSAs.
- Information held by one DSA is replicated to other DSAs in the same DMD using the Directory Information Shadowing Protocol (DISP).
- DAP, DSP, DISP, and all other high-level communication protocols in X.500 use OSI networking as defined in ITU-T Recommendation X.200, published by ISO as ISO 7498, the OSI reference model.

X.500 Transaction Example

Here's an example of how these X.500 components tie together (see Figure 6.3). Let's say that the secondhand car dealers in America get together and decide to form an association. They want a directory service to store information about vehicles available for sale at each member's showroom.

Figure 6.3 Diagram of an example X.500 communication scheme. (Two Directory Management Domains, each with Directory Service Agents holding a Directory Information Base; the DSAs exchange queries over the Directory System Protocol and replicate over the Directory Information Shadowing Protocol; a Directory User Agent queries a DSA over the Directory Access Protocol.)
The DIB for this dealership directory service includes makes, models, years, vehicle identification numbers, and unbeatable prices. Each dealer is assigned a DMO that controls a DMD. The DIB in each DMD is hosted by at least one DSA, which exchanges administrative information with DSAs in other DMDs using DOP. Dealerships in the same region have individual DSAs that replicate their copy of the DIB between each other via DISP. The pieces of the DIB are joined into a single DIT, the root of which is hosted by a DSA at headquarters.

Why go through all this trouble? Well, if a customer at a dealership in Kankakee wants a cherry-colored Cherokee, the salesperson can sit at a DUA and submit a query to a local DSA via DAP. The DSA would check its copy of the local DIB and, if it failed to locate a record, it would use DSP to query other DSAs until it either found a match or exhausted all possibilities. The DUA could then be programmed to suggest alternatives, like a cream-colored Chevelle in Chicago.

The important point to remember about this transaction is that there is no central repository of information. Each local DSA holds its own copy of the DIB. Referral mechanisms are used to distribute queries around the system.

Why LDAP Instead of X.500?

Several pedigreed X.500 directory services are commercially available, but few have achieved widespread popularity. The problem with pristine X.500 implementations is the overhead represented by all those protocols. When you get an army of DUAs all talking DAP to DSAs that refer queries to other DSAs using DSP while at the same time mirroring their DIBs to other DSAs in their DMD via DISP, my friend, you've got a whole D* lot to go wrong.
In the early '90s, a few bright folks at the University of Michigan wanted to build a directory service to handle their 100,000+ students, staff, and faculty. They gave up on the complexities of X.500 and came up with a scheme that retained the X.500 directory structure but gave it a streamlined access protocol based on standard TCP/IP instead of the OSI stack. They also came up with a pared-down referral mechanism, a more flexible security model, and no fixed replication protocol. They called the result the Lightweight Directory Access Protocol, or LDAP. The rest, as they say, is history. The Blue and Maize folks no longer control LDAP development.

Active Directory and LDAP

When Microsoft decided to replace the clumsy Registry-based account management system in classic NT with a true directory service, rather than devise a proprietary directory service of their own, they chose to adopt LDAP. Even more importantly, from our perspective as administrators, Microsoft chose to deliver their LDAP directory service using two proven technologies.
Extensible Storage Engine (ESE)

At its heart, a directory service database is made up of tables with rows representing objects of interest and columns representing attributes of those objects. What sets different databases apart is the way the tables are managed. This table manager is often called a database engine. The LDAP standards do not stipulate a particular table management technology. For the Active Directory table manager, Microsoft used a revved-up version of the Extensible Storage Engine (ESE) first introduced with Exchange. Microsoft chose ESE over the SQL Server database engine because a SQL engine does not work efficiently with the object-oriented structure of an LDAP directory. The ESE engine, on the other hand, was primarily designed as an object-oriented database.

DNS-Based Locator System

Users cannot take advantage of the information in a directory service if they cannot find the servers hosting the information. Microsoft chose to build its LDAP directory service around the Domain Name System (DNS). When an LDAP client needs to find a server hosting a directory service, it does so by querying DNS. This enabled Microsoft to use new features in DNS to simplify the search. For example, Microsoft took advantage of the relatively new service locator (SRV) record type to put pointers in DNS to indicate the names of servers hosting LDAP and Kerberos services. SRV records have a relatively complex structure, but Microsoft was able to avoid typographical errors by registering them automatically using Dynamic DNS.

LDAP Information Model

A directory service may be a bit fancier than the database you use to tally the overtime pay you've lost since taking your salaried administrator position a few years back, but the principles of operation are pretty much the same.

Object-Oriented Database

In X.500 terminology, the directory service database is called a Directory Information Base (DIB).
If you think of an old-style library card catalog system as a kind of directory service, one of those big oak cabinets with rows of drawers would be a DIB. The X.500 directory service structure was developed at a time when object-oriented databases represented leading-edge technology. If your only exposure to database technology has been more modern relational databases, the design constraints of an object database can look a little strange. In an object-oriented database, each record (object) occupies a unique position in a hierarchical namespace. The object's name and path traces its origins to the top of the namespace, in much the same way that a Daughter of the American Revolution traces her forebears back to the Mayflower. A file system is an example of an object-oriented database.

Object databases consist of big, structured sequential files connected by a set of indexes that are themselves nothing more than big, structured sequential files. This underlying database technology is called Indexed Sequential Access Method, or ISAM. You'll see this term in the Event log and other reports. The ESE database engine exposes the flat ISAM structure as a hierarchy of objects. In addition, Microsoft makes extensive use of COM technology by representing Active Directory objects as COM objects via the Active Directory Services Interface (ADSI).

Classes and Attributes

A directory service contains information about specific types of objects, such as User objects, Computer objects, and so forth. These are called object classes. A class is a bundle of attributes with a name. Figure 6.4 shows how attributes and classes are related.

Figure 6.4 Classes and attributes in a directory service. (Figure not reproduced; it shows two columns.)
Object Class: User: Common Name, Description, Distinguished Name, ObjectGUID, ObjectSID, UnicodePwd, SamAccountName, MemberOf
Object Class: DHCPClass: Common Name, Description, Distinguished Name, ObjectGUID, DHCPUniqueKey, DHCPType, DHCPFlags, DHCPServers

Attributes and Properties

Attributes are also often called properties. There is a difference between these two terms, but it is so subtle that most reference manuals, including this one, use them interchangeably.
The attributes associated with a particular object class differentiate it from other object classes. For example, User objects have different attributes than Computer objects or IP Security objects. Using a library card catalog as an example, different card formats represent different classes of items. A certain card format is used to record entries for Books. Another format is used for Tapes. The card format for Books would have spaces for Title, Author, ISBN, and so forth. A card for Tapes would have spaces for those entries plus additional spaces for Read-By and Play-Time. An object class, then, is really nothing more than a bundle of attributes with a name.

RFC 2256, "A Summary of the X.500(96) User Schema for use with LDAPv3," defines 21 classes and 55 attributes for use in a standard LDAP directory service. Active Directory adds quite a few more for a total of about 200 object classes and 1500 attributes.

Classes also define the scope of a directory service database. You would not expect to find cards in a library card catalog representing Off-The-Road Vehicles or Double-Meat Hamburgers. Microsoft engineers defined the initial scope of Active Directory by including a certain set of object classes and attributes. This list can be extended by other applications or by administrators. For example, your organization could create attributes and classes for storing badge numbers and social security numbers in Active Directory.

Class Inheritance

Directory service designers strive to limit complexity by defining the minimum number of classes and attributes necessary to describe the objects of interest that need to be stored in the directory service database. For example, in a library card catalog, it would be a mistake to create a class called Somewhat-Less-Than-Riveting-Early-20th-Century-American-Novels, even though it seems like quite a few objects would fit that class. In relation to the overall scope of a library, this classification would be too narrow.
It would be better to have an attribute called Boring with a Boolean value. You could assign this attribute to the Book class so that objects derived from that class would get a Boring attribute that could be given a value of Yes or No or left empty. You could also assign the Boring attribute to the Periodical, Tape, and Video classes, as well.

A directory can have hundreds of classes and many hundreds of attributes. If the attributes for each class had to be separately defined, the sheer number of perturbations would make the directory look less like a tree and more like an example of German expressionism. Fortunately, attributes associated with a particular class often overlap those of other classes. For example, the attribute list for the Mailbox class includes all the attributes associated with the Mail-Recipient class with one addition, the Delivery-Mechanism attribute. So, instead of separately defining all the attributes in the Mailbox class, LDAP allows the class to be defined as a child of the Mail-Recipient class. This permits it to inherit the attributes of its parent. The designer need only stipulate the new additional attribute or attributes that make the subordinate class unique. Attributes flow down the hierarchy of object classes like genes in a family tree. Figure 6.5 shows an example of class inheritance for the Computer object class.

All LDAP classes derive from a class called Top. This makes it possible to define certain attributes that every class would have in common. For example, every class needs a Common-Name attribute. The attribute is assigned to Top and the rest of the classes inherit it. Think of Top as a director who never actually appears on camera but leaves a distinctive mark on the production.

Top is an Abstract class, one of three class types in LDAP. They are as follows:

- Abstract. Classes that exist solely to derive other object classes. There are 14 abstract classes in the Active Directory. Examples include Top, Device, Person, and Security Object.
- Structural. Classes that have objects in Active Directory. Examples include User, Group, and Computer.
- Auxiliary. Used to extend the definition of an Abstract class for specialized purposes. There are only six of these classes in Active Directory: Mail-Recipient, Dynamic-Object, MS-MMS Object, Sam-Domain, Sam-Domain-Base, and Security-Principal.

Figure 6.5 Inheritance diagram for the Computer object class. (Figure not reproduced; it shows the chain Object Class: Top, Object Class: Person, Object Class: OrganizationalPerson, Object Class: User, Object Class: Computer.)
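The inheritance rules above can be made concrete with a small resolver, added here as an example and not code from the book. The schema it walks is constructed: it keeps the class chain of Figure 6.5 and the three class types just listed, but the attribute lists are a short illustrative subset, not the real Active Directory schema.

```python
"""Resolve the attributes an LDAP object class carries through inheritance.
Constructed example: the class chain follows Figure 6.5 (Top -> Person ->
OrganizationalPerson -> User -> Computer); the attribute lists are a small
illustrative subset, not the actual Active Directory schema."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClassSchema:
    name: str
    kind: str                                        # "abstract", "structural" or "auxiliary"
    parent: Optional[str] = None                     # the class this one derives from
    attributes: set = field(default_factory=set)     # attributes declared on this class only
    auxiliaries: list = field(default_factory=list)  # auxiliary classes mixed in here


# Constructed schema subset; attribute names follow AD style but the lists are illustrative.
SCHEMA = {c.name: c for c in [
    ClassSchema("Top", "abstract", None,
                {"cn", "description", "distinguishedName", "objectGUID"}),
    ClassSchema("Person", "abstract", "Top", {"sn", "telephoneNumber"}),
    ClassSchema("OrganizationalPerson", "abstract", "Person", {"title", "department"}),
    ClassSchema("Security-Principal", "auxiliary", "Top", {"objectSid", "sAMAccountName"}),
    ClassSchema("User", "structural", "OrganizationalPerson",
                {"unicodePwd", "memberOf"}, ["Security-Principal"]),
    ClassSchema("Computer", "structural", "User", {"dNSHostName", "operatingSystem"}),
    ClassSchema("Group", "structural", "Top", {"member"}, ["Security-Principal"]),
]}


def lineage(schema, name):
    """Classes from Top down to `name`, following parent links.
    Rejects unknown classes and inheritance cycles (a broken schema)."""
    chain, seen = [], set()
    while name is not None:
        if name in seen:
            raise ValueError(f"inheritance cycle at {name}")
        cls = schema.get(name)
        if cls is None:
            raise KeyError(f"unknown class {name}")
        seen.add(name)
        chain.append(name)
        name = cls.parent
    return list(reversed(chain))


def effective_attributes(schema, name):
    """Every attribute an instance of `name` can carry: its own, those of each
    ancestor, and those brought in by auxiliary classes anywhere in the lineage."""
    attrs = set()
    for ancestor in lineage(schema, name):
        cls = schema[ancestor]
        attrs |= cls.attributes
        for aux in cls.auxiliaries:
            attrs |= effective_attributes(schema, aux)
    return attrs


def declared_here(schema, name):
    """What the designer had to spell out for this class: everything it has
    that its parent does not (the new attributes, including auxiliary ones)."""
    cls = schema[name]
    if cls.parent is None:
        return set(cls.attributes)
    return effective_attributes(schema, name) - effective_attributes(schema, cls.parent)


def can_instantiate(schema, name):
    """Only Structural classes have objects in the directory."""
    return schema[name].kind == "structural"


if __name__ == "__main__":
    for cls in ("Computer", "User", "Group"):
        print(cls, "->", " / ".join(lineage(SCHEMA, cls)))
        print("   adds:", sorted(declared_here(SCHEMA, cls)))
```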
These three class types act like assembly line robots designed to produce things called objects. The Structural classes are the tools and dies that stamp and shape the objects. The Abstract classes are the mill workers and pattern makers that build the tools and dies. The Auxiliary classes act like a custom shop at the end of the line where special versions of standard objects are turned out.

Object Instances

Each object in Active Directory is derived from a specific object class. Another way of saying this is that an object represents an instance of a class. Each instance of an object class differs from another instance by having different values for its attributes. Remember the movie Elephant Man? In a great scene, the lead character, John Merrick, stands in front of a curious mob and exclaims, "I am not an elephant. I am a human being." Had Mr. Merrick been a directory services designer, he could have clarified his point by adding, "I am an instance of the Human Being class, not the Elephant class. And the only difference between you and me is a relatively minor attribute of mine that has a different value from yours. So lay off, will you?"

Defining suitable attributes for an object class can be slippery. Subtle differences may force a designer to create a new class. If you were designing a library card catalog, you might start out by defining a class called Tape with an attribute called Type that has two permitted values, Audio and Video. This decision forces you to define attributes for the Tape class that fully define both audiotapes and videotapes. After months of agonizing, you might decide that the properties of audio and video tapes are so different that they warrant creating two classes, AudioTape and VideoTape, each with their own unique attribute sets. There are many instances in Active Directory and LDAP where two object classes differ by only one or two attributes.

Schema

A database schema defines the content and structure of the database.
In a library card catalog, the schema would be a set of procedures and rules set down by the librarian. "Books go on green cards," she tells you. "Videos go on red cards. File the cards alphabetically by Title in this cabinet and by Subject in that cabinet." So on and so on. The schema for an LDAP directory service defines these items:

- The attributes associated with each object class
- The permissible object classes
- The parent-child relationship of object classes, which in turn determines attribute inheritance
- The data type associated with each attribute
- The physical representation of the object in the user interface
The schema can take the form of an external table that acts as a data dictionary or an internal table that is structured using the same rules as the database itself. Active Directory uses an internal schema. Many of the design constraints we'll see in the next chapter stem from the necessity to keep a consistent schema throughout all the servers that host a copy of the directory database. Later in this chapter, we'll see how to modify the Active Directory schema to add new attributes and object classes that can be used by applications to support network operations.

LDAP Information Model Summary

Here are the important information model concepts to carry forward with you when you start designing an Active Directory system for your own organization:

- LDAP uses an object-oriented database. The database engine for Active Directory is the Extensible Storage Engine, or ESE.
- An object class defines a unique set of attributes for a particular type of object.
- Object classes inherit attributes from their parents. This permits the designer to identify only the new attributes for a new object class.
- Each object is an instance of an object class. The attributes for the object are assigned values that describe that particular object.
- A schema defines the content and structure of the LDAP database. In the case of Active Directory, the schema is contained within the directory itself.
- The directory schema must be consistent on every server hosting a copy of the database.

LDAP Namespace Structure

A directory service has two major features. First, it distributes its information base among many different servers. Second, users can access directory information by querying any of those servers. Making this work requires defining a namespace in which each object's location can be quickly determined.

Common Names

As we saw in the last section, information in an LDAP database comes in the form of objects. Objects have attributes that describe them.
For example, the User object for Tom Jones would have attributes such as Tom's logon name, his password, his phone number, his address, his department, and so forth. When an LDAP client needs to locate information about an object, it submits a query that contains the object's distinguished name (DN) and the attributes the client wants to see. A search for information about Tom Jones could be phrased in a couple of ways:

- You could search for attributes in Tom's User object. "Give me the Department attribute for cn=Tom Jones,cn=Users,dc=Company,dc=com."
- You could search for attributes that end up including Tom's object. "Give me all User objects with a Department attribute equal to Finance."

In either case, LDAP can find Tom's object because the name assigned to the object describes its place in the LDAP namespace. Figure 6.6 shows a portion of the LDAP namespace in Active Directory. With one exception, each folder represents a Container object, which in turn holds other objects. The exception is the domain controllers object, which is an Organizational Unit (OU). Domain controllers are placed in an OU so that they can have discrete group policies. Generic Container objects cannot be linked to group policies.

Figure 6.6 Example LDAP directory hierarchy. (Figure not reproduced; the folders shown are the Domain root with Builtin, Computers, Domain Controllers, System (Policies, MicrosoftDNS) and Users (cn=Administrator, cn=Domain Admins), and Configuration with Services, Sites (Default-First-Site-Name, Servers) and Schema.)
The User objects in the diagram have designators that start with CN, meaning Common Name. The CN designator applies to all but a few object types. Active Directory only uses two other object designators (although LDAP defines several). They are as follows:

- Domain Component (DC). DC objects represent the top of an LDAP tree that uses DNS to define its namespace. Active Directory is an example of such an LDAP tree. The designator for an Active Directory domain with the DNS name Company.com would be dc=company,dc=com.
- Organizational Unit (OU). OU objects act as containers that hold other objects. They provide structure to the LDAP namespace. OUs are the only general-purpose container available to administrators in Active Directory. An example OU name would be ou=accounting.

Distinguished Names

A name that includes an object's entire path to the root of the LDAP namespace is called its distinguished name, or DN. An example DN for a user named CSantana whose object is stored in the cn=users container in a domain named Company.com would be cn=csantana,cn=users,dc=company,dc=com.

An identifying characteristic of LDAP distinguished names is their little-endian path syntax. As you read from left to right, you travel up the directory tree. This contrasts to file system paths, which run down the tree as you read from left to right.

Relative Distinguished Names

An object name without a path, or a partial path, is called a relative distinguished name, or RDN. The common name cn=csantana is an example of an RDN. So is cn=csantana,cn=users. The RDN serves the same purpose as a path fragment in a filename. It is a convenient navigational shortcut.

Two objects can have the same RDN, but LDAP has a rule that no two objects can have the same DN. This makes sense if you think of the object-oriented nature of the database. Two objects with the same DN would try to occupy the same row in the database table. C'est impossible, as we say in southern New Mexico.
Case Sensitivity of LDAP Names

Distinguished names in Active Directory are not case sensitive. In most instances, the case you specify when you enter a value is retained in the object's attribute. This is similar to the way Windows treats filenames. Feel free to mix cases based on your corporate standards or personal aesthetic.
Typeful Names

The combination of an object's name and its LDAP designator is called a typeful name. Examples include cn=administrator and cn=administrator,cn=users,dc=company,dc=com. Some applications can parse for delimiters such as periods or semicolons between the elements of a distinguished name. For example, an application may permit you to enter Administrator.Users.Company.com rather than the full typeful name. This is called typeless naming. When entering typeless names, it is important to place the delimiters properly.

The console-based tools provided by Microsoft use a GUI to navigate the LDAP namespace, so you don't need to worry about interpreting typeful or typeless names right away. But if you want to use many of the support tools that come on the Windows Server 2003 CD or in the Resource Kit, or you want to use scripts to manage Active Directory, you'll need to use typeful naming. After you get the hang of it, rattling off a long typeful name becomes second nature.

Directory Information Tree

In LDAP, as in X.500, the servers that host copies of the information base are called Directory Service Agents, or DSAs. A DSA can host all or part of the information base. The portions of the information base form a hierarchy called a Directory Information Tree, or DIT. Figure 6.7 shows an example.

The top of the DIT is occupied by a single object. The class of this object is not defined by the LDAP specification. In Active Directory, the object must come from the object class DomainDNS. Because Active Directory uses DNS to structure its namespace, the DomainDNS object is given a DC designator. For example, the object at the top of the tree in Figure 6.7 would have the distinguished name dc=company,dc=com.

Typeless Names and Delimiters

If you write scripts and you need to allow for periods in object names, precede the period with a backslash. This tells the parser that the period is a special character, not a delimiter. For example, if your user names look like tom.collins, a typeless name in a script would look like this: tom\.collins.users.company.com. The same is true for user names that have embedded commas and periods, such as Winston H. Borntothepurple, Jr. An ADSI query for this name would look like this: winston h\. borntothepurple\, jr\.
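The naming rules from the last few sections (little-endian typeful DNs, case-insensitive comparison, and the backslash escape for periods and commas in typeless names) are easy to get wrong in a script. The following is an added example, not code from the book or from any Microsoft tool; the only escape it understands is the backslash form the sidebar describes, and the rule it uses to rebuild designators from a typeless name (trailing components are dc=, the rest cn=) is an assumption for illustration.

```python
"""Typeful and typeless LDAP name handling (added example, not the book's code).
Rules implemented, as the text describes them:
  - typeful DNs are comma-separated RDNs, leftmost is the leaf (little-endian);
  - names in Active Directory compare case-insensitively;
  - in a typeless name a period or comma inside a value is escaped with '\\'."""


def _split_unescaped(text, delimiter):
    """Split on `delimiter`, honouring backslash escapes; escapes are consumed."""
    pieces, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])      # escaped char is taken literally
            i += 2
            continue
        if ch == delimiter:
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    pieces.append("".join(current))
    return pieces


def _escape(value, specials):
    return "".join("\\" + ch if ch in specials else ch for ch in value)


def parse_typeful(dn):
    """'cn=csantana,cn=users,dc=company,dc=com' -> [('cn','csantana'), ...]"""
    rdns = []
    for part in _split_unescaped(dn, ","):
        if "=" not in part:
            raise ValueError(f"RDN without a designator: {part!r}")
        designator, value = part.split("=", 1)
        rdns.append((designator.strip().lower(), value.strip()))
    return rdns


def typeful(rdns):
    """Rebuild a typeful DN, escaping commas that belong to a value."""
    return ",".join(f"{t}={_escape(v, ',')}" for t, v in rdns)


def to_typeless(dn):
    """Drop the designators and join values with periods; a period or comma
    inside a value gets a backslash, e.g. tom\\.collins.users.company.com"""
    return ".".join(_escape(v, ",.") for _, v in parse_typeful(dn))


def parse_typeless(name):
    """Split a typeless name into its values, removing the escapes."""
    return _split_unescaped(name, ".")


def to_typeful(name, dns_labels=2):
    """Typeless names carry no designators, so rebuilding one needs a rule.
    Assumed here (illustration only): the last `dns_labels` components are
    domain components, everything before them is a cn= RDN."""
    values = parse_typeless(name)
    rdns = [("cn", v) for v in values[:-dns_labels]]
    rdns += [("dc", v) for v in values[-dns_labels:]]
    return typeful(rdns)


def _normalised(dn):
    return [(t, v.lower()) for t, v in parse_typeful(dn)]


def dn_equal(a, b):
    """Distinguished names in Active Directory are not case sensitive."""
    return _normalised(a) == _normalised(b)


def parent_dn(dn):
    """Little-endian: dropping the leftmost RDN moves one level up the tree."""
    return typeful(parse_typeful(dn)[1:])


def is_within(dn, container):
    """True when `container` is `dn` itself or one of its ancestors."""
    a, c = _normalised(dn), _normalised(container)
    return len(c) <= len(a) and a[len(a) - len(c):] == c


if __name__ == "__main__":
    dn = "cn=Winston H. Borntothepurple\\, Jr.,cn=users,dc=company,dc=com"
    print(to_typeless(dn))
    print(to_typeful("tom\\.collins.users.company.com"))
```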
Figure 6.7 Directory Information Tree. (Figure not reproduced; the tree it shows is:)
dc=company,dc=com
  dc=us,dc=company,dc=com
    dc=phoenix,dc=us,dc=company,dc=com
      ou=accounting,dc=phoenix,dc=us,dc=company,dc=com
      ou=engineering,dc=phoenix,dc=us,dc=company,dc=com
  dc=mexico,dc=company,dc=com
    dc=oaxaca,dc=mexico,dc=company,dc=com
      ou=estadísticas,dc=oaxaca,dc=mexico,dc=company,dc=com
      ou=ingeniería,dc=oaxaca,dc=mexico,dc=company,dc=com

Active Directory and DNS Roots

Active Directory cannot be rooted at the very top of a DNS namespace. The assumption is that many different Active Directory namespaces could share the same root. For this reason, the DomainDNS object at the top of the tree must always have at least two domain component designators.

An LDAP tree contains branches formed by containers underneath the root container. These containers hold objects that have some relation to each other as defined by the namespace. For instance, in Active Directory, the default container for User objects is cn=users. For Computer objects, it is cn=computers. Information about group policies, DNS, Remote Access Services, and so forth go in cn=system. As we'll see when we discuss Active Directory design in Chapter 8, "Designing Windows Server 2003 Domains," administrators have the ability to create Organizational Units (OUs) to contain objects that have similar management or configuration requirements.

Naming Contexts

As the number of objects in a DIT grows, the database may get too large to store efficiently on one DSA. Also, an organization might want to use bandwidth more effectively by using a DSA in New York to store information about users in North America and another DSA in Amsterdam to store information about users in Europe.
Naming Contexts and Partitions

X.501, "Information Technology - Open Systems Interconnection - The Directory: Models," defines the term naming context as, "A subtree of entries held in a single master DSA." It goes on to describe the process of dividing a tree into multiple naming contexts as partitioning. Novell chose to adopt the term partition to define separate pieces of the directory database. In their seminal book, Understanding and Deploying LDAP Directory Services, Tim Howes, Mark Smith, and Gordon Good use the term partition in favor of naming context, although they describe both as meaning the same thing. Microsoft uses the two terms interchangeably. The tools that come with the Windows Server 2003 CD and in the Resource Kit favor the term naming context. That is the term I use throughout this book.

Here is where the distributed nature of an LDAP database comes into play. The Directory Information Base can be separated into parts called naming contexts, or NCs. In Active Directory, each domain represents a separate naming context. Domain controllers in the same domain each have a read/write replica of that Domain naming context. Configuration and Schema objects are stored in their own naming contexts, as are DNS Record objects when using Active Directory Integrated DNS zones.

When a client submits a query for information about a particular object, the system must determine which DSA hosts the naming context that contains that particular object. It does this using the object's distinguished name and knowledge about the directory topology. If a DSA cannot respond to a query using information in the naming contexts it hosts, it sends the client a referral to a DSA hosting the next higher or lower naming context in the tree (depending on the distinguished name of the object in the search). The client then submits the request to a DSA hosting the naming context in the referral. This DSA either responds with the information being requested or a referral to another DSA. This is called walking the tree.
DSAs that host copies of the same naming context must replicate changes to each other. It's important to keep this in mind as you work with Active Directory servers. If you have separate domains, the clients in one domain must walk the tree to get access to Active Directory objects in another domain. If the domain controllers for the domains are in different locations in the WAN, this can slow performance. Many of the architectural decisions you'll make as you design your system focus on the location, accessibility, and reliability of naming contexts.

LDAP Searches

From a client's perspective, LDAP operates like a well-run department store. In a department store, you can sidle up to the fragrance counter and ask, "How much is the Chanel No. 5?" and be sure of getting an immediate reply, especially if you already have your credit card in hand. The same is true of LDAP. When a search request is submitted to a DSA that hosts a copy of the naming context containing the objects involved in the search, the DSA can answer the request immediately.
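Walking the tree is easier to reason about when you can watch the referrals happen. Here is an added simulation of the exchange just described (it is example code, not anything from the book or from Windows): a constructed forest built from the Domain naming contexts of Figure 6.7, one DSA per naming context, and a client that resubmits its search to each referred DSA in turn. It also shows why a client needs a hop limit: a DSA that answers a search with a referral to the DSA that just referred it would otherwise loop forever. DNs are treated here as plain comma-separated lists, ignoring the escaping rules from the earlier sidebar.

```python
"""Walking the tree: client-side referral chasing across Domain naming
contexts (added example, not the book's code). The topology and entries are
constructed from Figure 6.7; each DSA here hosts exactly one Domain NC."""

from dataclasses import dataclass


def _rdns(dn):
    """Normalise a DN to a lower-cased list of RDNs (leftmost is the leaf)."""
    return [part.strip().lower() for part in dn.split(",")]


def nc_contains(nc, dn):
    """True when dn lies in the subtree rooted at naming context nc."""
    a, n = _rdns(dn), _rdns(nc)
    return len(a) >= len(n) and a[len(a) - len(n):] == n


@dataclass
class DSA:
    name: str
    nc: str          # the Domain naming context this server replicates
    entries: dict    # normalised dn -> attributes (constructed sample data)

    def lookup(self, dn):
        return self.entries.get(",".join(_rdns(dn)))


class Forest:
    """Shared topology knowledge: which DSA hosts which naming context."""

    def __init__(self, dsas):
        self.dsas = {d.name: d for d in dsas}
        # most specific NC first, so the first match below is the owning one
        self.ncs = sorted({d.nc for d in dsas}, key=lambda nc: -len(_rdns(nc)))

    def owning_nc(self, dn):
        return next((nc for nc in self.ncs if nc_contains(nc, dn)), None)

    def next_hop_nc(self, from_nc, target_nc):
        """The NC one step lower (toward the target) or one step higher."""
        if nc_contains(from_nc, target_nc):
            below = [nc for nc in self.ncs if nc != from_nc
                     and nc_contains(from_nc, nc) and nc_contains(nc, target_nc)]
            return min(below, key=lambda nc: len(_rdns(nc)))
        parent = self.owning_nc(",".join(_rdns(from_nc)[1:]))
        return parent if parent else target_nc      # separate tree: refer directly

    def query(self, dsa_name, dn):
        """One DSA's answer: ('result', attrs), ('referral', dsa_name)
        or ('noSuchObject', None)."""
        dsa = self.dsas[dsa_name]
        target_nc = self.owning_nc(dn)
        if target_nc is None:
            return ("noSuchObject", None)       # outside the information base
        if target_nc == dsa.nc:
            entry = dsa.lookup(dn)
            return ("result", entry) if entry is not None else ("noSuchObject", None)
        hop = self.next_hop_nc(dsa.nc, target_nc)
        for other in self.dsas.values():
            if other.nc == hop:
                return ("referral", other.name)
        return ("noSuchObject", None)


def walk_the_tree(forest, start_dsa, dn, max_hops=8):
    """Client side: resubmit the search to each referred DSA until one answers.
    Returns (attributes or None, list of DSAs contacted in order)."""
    visited, current = [], start_dsa
    while current not in visited and len(visited) < max_hops:
        visited.append(current)
        status, payload = forest.query(current, dn)
        if status == "result":
            return payload, visited
        if status != "referral":
            return None, visited
        current = payload
    return None, visited        # referral loop or hop limit hit: give up


# Constructed forest: the Domain NCs of Figure 6.7 plus a few sample entries.
FOREST = Forest([
    DSA("hq-dc", "dc=company,dc=com",
        {"cn=administrator,cn=users,dc=company,dc=com": {"department": "IT"}}),
    DSA("us-dc", "dc=us,dc=company,dc=com", {}),
    DSA("phoenix-dc", "dc=phoenix,dc=us,dc=company,dc=com",
        {"cn=tom jones,ou=accounting,dc=phoenix,dc=us,dc=company,dc=com":
         {"department": "Finance"}}),
    DSA("mexico-dc", "dc=mexico,dc=company,dc=com",
        {"cn=raul,cn=users,dc=mexico,dc=company,dc=com": {"department": "Ventas"}}),
])

if __name__ == "__main__":
    attrs, path = walk_the_tree(FOREST, "phoenix-dc",
                                "cn=Raul,cn=Users,dc=mexico,dc=company,dc=com")
    print(attrs, "via", " -> ".join(path))
```

A search started at phoenix-dc for an object in the Mexico domain climbs to us-dc and hq-dc before being referred down to mexico-dc, which is exactly the WAN round trip the text warns about.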
But in a department store, what if you ask the fragrance associate, "Where can I find a size 16 chambray shirt that looks like a Tommy Hilfiger design but doesn't cost so darn much?" The associate probably doesn't know, but gives you directions to the Menswear department. You make your way there and ask your question to an associate standing near the slacks. The associate may not know the answer, but gives you directions to the Bargain Menswear department in the basement behind last year's Christmas decorations. You proceed to that area and ask an associate your question again. This time you're either handed a shirt or given an excuse why one isn't available.

LDAP uses a similar system of referrals to point clients at the DSA that hosts the naming context containing the requested information. These referrals virtually guarantee the success of any lookup so long as the object exists inside the scope of the information base. The key point to remember is that LDAP referrals put the burden of searching on the clients. This contrasts to X.500, where all the messy search work is handed over to the DSAs. LDAP is Wal-Mart to the Nordstroms of X.500.

RootDSE

When LDAP clients need information from a DSA, they must first bind to the directory service. This authenticates the client and establishes a session for the connection. The client then submits queries for objects and attributes within the directory. This means the client needs to know the security requirements of the DSA along with the structure of the directory service it hosts. DSAs advertise this information by constructing a special object called RootDSE.

The RootDSE object acts like a signpost at a rural intersection. It points the way to various important features in the directory service and gives useful information about the service. LDAP clients use this information to select an authentication mechanism and configure their searches. Each DSA constructs its own copy of RootDSE. The information is not replicated between DSAs.
RootDSE is like the eye above the pyramid on the back of a dollar bill. It sits apart from the structure but knows all about it. You'll be seeing more about RootDSE later in this book in topics that cover scripting. Querying RootDSE for information about Active Directory rather than hard-coding that information into your scripts is a convenient way to make your scripts portable.

LDAP Namespace Structure Summary

Here are the highlights of what you need to remember about the LDAP namespace structure to help you design and administer Active Directory:

- An object's full path in the LDAP namespace is called its distinguished name. All DNs must be unique.
- The Directory Information Tree, or DIT, is a distributed LDAP database that can be hosted by more than one server.
- The DIT is divided into separate units called naming contexts. A domain controller can host more than one naming context. Active Directory uses separate naming contexts to store information about domains in the same DIT.
- When LDAP clients search for an object, LDAP servers refer the clients to servers that host the naming context containing that object. They do this using shared knowledge about the system topology.
- Each DSA creates a RootDSE object that describes the content, controls, and security requirements of the directory service. Clients use this information to select an authentication method and to help formulate their search requests.

Active Directory Namespace Structure

At this point, we know enough about a generic LDAP directory service to begin applying the terms and concepts to Active Directory. Let's start with what we need to store in Active Directory. You can classify the required information into three general categories:

- Information about network security entities. This includes users, computers, and groups along with applications such as group policies, DNS, RAS, COM and so forth.
- Information about the Active Directory mechanisms. This includes replication, network services, permissions, and user interface displays.
- Information about the Active Directory schema. This includes objects that define the classes and attributes in Active Directory.

Microsoft had to devise a way to structure this information in a way that was compatible with LDAP while retaining backward compatibility with classic NT. In classic NT, information about security entities is stored in the SAM and SECURITY databases in the Registry. Microsoft calls the contents of the SAM database a domain. Because the only way to control access to the SAM is to control access to the entries in the SAM, a domain defines a security boundary as well as a management boundary.
The SAM databases in classic NT domains cannot be combined. To get a common security boundary, the domains must be knitted together using trust relationships. When one domain trusts another, members of the trust-ed domain can be used as security entities in the trust-ing domain. The underlying authentication mechanism, NT LanMan Challenge Response, supports this trust relationship by permitting passthrough authentication of users from trusted domains.
Domains

LDAP gave Microsoft the freedom to construct just about any namespace it chose. There is no naming restriction other than at the top of the namespace, where the distinguished name of the root object needs to correspond to a DNS domain name. Janis Joplin had it right, though, that freedom's just another word for nothing left to lose, and Microsoft had a lot to lose if it designed Active Directory in such a way as to not be compatible with classic NT. For this reason, Microsoft chose to structure Active Directory around the classic concepts of domains and trust relationships.

In Active Directory, a domain defines a separate namespace, a separate security structure, a separate management structure, and a separate naming context. The Active Directory database is hosted on domain controllers. Users and computers are members of a domain. Group policies are contained within a particular domain, even if they impact users in other domains.

Active Directory Naming Contexts

Active Directory is capable of holding a billion objects. This is enough to hold accounts, computers, mailboxes, and group memberships for every person in the western hemisphere. A big Active Directory database is like an NBA center, though. He may be the key to winning, but only if he doesn't have to move too fast or too often.

The Active Directory database, Ntds.dit, can grow very quickly. The DIT for a domain with 150,000 objects could be well over 2GB depending on the number of groups and the length of the group membership. A DIT this size can be difficult to replicate and manage. Also, it does not make sense to replicate information about users in one continent to domain controllers on other continents unless those users regularly share information.

Domain Naming Contexts

LDAP permits breaking up a directory into separate naming contexts.
Managing the interfaces between these naming contexts can get a little tricky, though. To get maximum performance, it is often necessary to generate local caches containing references to objects in other naming contexts. Riding herd on these external reference caches to make sure they reflect the most current information takes some doing.

Microsoft chose to avoid many of the complexities involved with naming contexts by eliminating the ability to create ad hoc naming contexts. As an Active Directory administrator, you have only two places where you can create a naming context (see Figure 6.8):

- At a domain boundary
- By creating a special Application naming context (a new feature in Windows Server 2003)
Figure 6.8 Active Directory forest showing naming contexts. (Figure not reproduced. It shows two domains, dc=company,dc=com and dc=subsidiary,dc=com, joined by a 2-Way Transitive Trust. The naming contexts drawn for dc=company,dc=com are cn=configuration,dc=company,dc=com, cn=schema,cn=configuration,dc=company,dc=com, cn=domaindnszones,dc=company,dc=com and cn=forestdnszones,dc=company,dc=com; dc=subsidiary,dc=com carries the same forest-wide Configuration, Schema and ForestDNSZones naming contexts plus cn=domaindnszones,dc=subsidiary,dc=com. A partial replica of the other domain's Domain NC is stored on Global Catalog servers.)

The Application naming context has only limited utility (it is currently used only to support DNS), so the only real option to break apart a big DIT is to create separate domains. In addition to the Domain naming context, each Active Directory implementation contains two other naming contexts: Configuration and Schema. Every domain controller in the forest gets a replica of these two naming contexts. The Schema replica is read-only except for the domain controller selected as the Schema Operations Master.

Schema Naming Contexts

The Schema naming context holds ClassSchema and AttributeSchema objects that represent the various classes and attributes in Active Directory. If this sounds like a circular definition, it's meant to be. Unlike some directory services that load the schema in a separate file, the Active Directory schema is completely self-referential. Every domain controller in a forest hosts a read-only copy of the Schema naming context. Only one domain controller, the Schema Role Master, can make changes to the schema.

The Schema container object is an instance of the Directory Management Domain (DMD) class. This is a holdover from Exchange, which uses X.500 terminology to define the information store. Because the Schema object represents a naming context boundary, it also contains replication control attributes similar to those in the Configuration object and the Domain-DNS object.
Figure 6.9 DNS zone properties, Change Zone Type window showing the Active Directory Integration option.

If you search through the objects in the Schema container, you'll come across a special object called Aggregate. This lone instance of the LDAP SubSchema class has attributes called AttributeTypes and ObjectClasses that list the names of all classes and attributes in Active Directory. LDAP clients query for the contents of this object to discover the structure of the directory. This helps them formulate queries.

Application Naming Contexts

A new feature in Windows Server 2003 is the ability to create additional naming contexts that can be placed on specific domain controllers. Microsoft uses this feature to store DNS resource records for Active Directory Integrated zones. You elect to Active Directory Integrate a zone using the Properties of the zone in the DNS console. The General tab displays the zone type. Click Change to open the Change Zone Type window that lists your options. Figure 6.9 offers an example. If you elect to integrate a zone into Active Directory, the resource records are copied from the existing text-based zone file into Active Directory as discrete DNSzone objects. In Windows 2000, these objects are stored in a MicrosoftDNS container in cn=system,dc=<domain>,dc=<root>. This gave limited flexibility to administrators who wanted to deploy Active Directory Integrated DNS in large, multidomain forests. The application naming contexts added by Windows Server 2003 give this additional flexibility. When you Active Directory Integrate a zone on a DNS domain controller running Windows Server 2003, the domain controller creates two additional naming contexts:

DomainDNSZones. A replica of this naming context is placed on domain controllers running the DNS service. Each domain gets a separate DomainDNSZones NC.
ForestDNSZones. A replica of this naming context is placed on domain controllers running DNS throughout the forest.

When you elect to Active Directory Integrate a zone, a new entry called Replication is added to the General tab in the zone Properties window. Click the Change button next to this entry to open the Change Zone Replication Scope window (see Figure 6.10). This window gives you the following replication options:

All DNS servers in the forest. If you select this option, the zone records are placed in the ForestDNSZones naming context. This is the broadest scope and involves the most replication traffic.
All DNS servers in the domain. This option places the resource records in the DomainDNSZones naming context for the domain of the DNS server. For instance, if you create a stub zone on a DNS server in Company.com that points at Branch.Company.com, the records in the stub zone would be placed in cn=domaindnszones,dc=company,dc=com.
All domain controllers in the domain. This option places the zone records in the Domain naming context under cn=microsoftdns,cn=system,dc=<domain>,dc=<root>. This is the same container used by Windows 2000, so select this option when you have Windows 2000 DNS servers hosting Active Directory Integrated zones.
All domain controllers specified in the scope of the application directory partition. This option permits you to select a specific application naming context.

If you have a single domain, there is nothing to be gained by using the separate naming context to store DNS records. Select the All domain controllers in the domain option.

Figure 6.10 Change Zone Replication Scope window.
If you have a multidomain forest, use the All DNS servers in the domain option when you want to limit the scope of replication to a particular domain. This is typical for most domain-based zones. All domain controllers in a forest need SRV and CNAME records from the zone representing the forest root domain. Under normal circumstances, DNS servers in the other domains would obtain these records recursively from the DNS servers in the root domain. You can speed this process up a little by setting the replication scope of the root domain to All DNS servers in the forest. If this seems like too many records to replicate globally, you can create a new zone just for the resource records that require forest-wide scope. These records are stored in the forest root zone under _msdcs. For example, if the forest root domain were Company.com, you could create a new zone called _msdcs.company.com. The records would be extracted from the company.com zone and placed in this new zone. Set the replication scope for the _msdcs.company.com zone to All DNS servers in the forest.

Configuration Naming Context

The Configuration naming context holds information about parameters that control the services that support Active Directory. Every domain controller in a forest hosts a read/write copy of the Configuration naming context. It holds eight top-level containers. Here is a brief description of their purpose and content.

Display Specifiers

This container holds objects that alter the viewable attributes for other object classes. This is called shadowing. For example, the User-Display object shadows the User class. Display Specifiers provide localization and context menu functions. Localization is the task of producing foreign language versions of an application.
Rather than translate the contents of each attribute for each AD object into French, Italian, German, Spanish, Cyrillic, Kanji, Szechwan, Arabic, Korean, Hebrew, Thai, and so on, the system looks to see which country code was used during installation and filters the output through the appropriate Display Specifier. Display Specifiers also define separate context menus, property pages, and icons based on whether or not the user accessing the object has administrator privileges. For example, when you right-click an object, the flyout menu that appears comes from a context menu associated with that object class. The Display Specifier filters the menu to display only those items you are permitted to perform.

Sorting Through Display Specifiers

When you view the contents of the DisplaySpecifiers container in Active Directory, you'll see a container with a number. This is the code page for the National Language Group in hex. The United States English code page is number 1033, which corresponds to 409 hex. The code pages for FIGS countries are French, 1036; Italian, 1040; German, 1031; and Spanish, 1034.
Extended Rights

Directory objects are also Windows security objects. This makes it possible to assign permissions to the object itself as well as any of the properties associated with the object. A User object can have many properties. Selecting precisely which properties to assign access rights to get a particular result can get tedious. Extended Rights control access to objects by consolidating sets of property permissions into a single entity. For example, an extended right called Membership grants the ability to modify the membership of a single group, selected groups, every group in a container, or every group in a container and its subordinate containers. Like the Display Specifiers mentioned previously, each Extended Rights object is associated with a structural object that it controls. For example, the Personal-Information and Public-Information objects are associated with both User and Contact classes. There are over 50 Extended Rights objects covering a wide assortment of management operations, such as changing passwords, changing domain configurations, resetting user lockouts, and managing BackOffice services.

Lost and Found Config

This container holds objects that get orphaned during database replication. For instance, if a container is deleted during the same replication cycle that an object was created in the container, the object is sent to Lost and Found. Both the Domain and Configuration naming contexts have a Lost and Found container. The Schema naming context does not need one because Schema objects can never be deleted. See Chapter 7, Managing Active Directory Replication, for more information.

Partitions

This container holds the cross-reference objects that list other domains in the forest. Domain controllers use the contents of this container to build referrals to other domains. The Partitions container is extremely important for maintaining the integrity of a forest. It would be very bad to have objects representing invalid naming contexts in this container.
For this reason, only one domain controller in a forest is permitted to update the contents of this container.

Physical Locations

This container holds Physical Location DN objects associated with Directory Enabled Networking (DEN). For example, a DEN-aware router can place a locator object in this container. Because DEN makes use of standard LDAP functionality, this is the only object class in Active Directory that uses the Location attribute. The DEN initiative has developed a set of policies for controlling network parameters affecting Quality of Service (QoS), IP Security (IPSec), and other core networking functions. All leading routing and infrastructure vendors have pledged support for DEN, and many have allied themselves with both Microsoft and Novell for the Directory part of DEN. Visit the web site of your favorite vendor to see its DEN-aware products and find out its plans for Active Directory integration.

Services

This container is exposed in the AD Sites and Services console by selecting the VIEW | SHOW SERVICES option from the menu. Think of the contents of the Services container as a kind of enterprise-wide Registry. Distributed applications put objects into this container where they can be seen by other servers running the same application. A disadvantage to this container is that it is replicated to every domain controller in the forest. You may have applications that only need their objects to be seen at selected domain controllers. For this reason, Microsoft included the ability to create a separate Application naming context that can be placed on individual domain controllers of your choice.

Sites

The Sites container is also exposed in the AD Sites and Services console. The objects in this container control Active Directory replication and other site-specific functions. Sites are used to control replication between domain controllers.

Well-Known Security Principals

The object-based security used by classic NT and Windows Server 2003 assigns a unique Security Identifier (SID) to every security principal. There is a set of well-known SIDs that represents special-purpose groups. This includes groups like Interactive, which designates users who are logged on at the console of a machine; Network, which designates users who have logged on to the domain; and Everyone, which designates every user. This container holds the names and SIDs of these groups.

Active Directory Trees and Forests

Recall that domains represent security boundaries for users as well as management boundaries for administrators. Users in one domain cannot access resources in another domain unless some provision is made to support a secure connection.
If you have separate domains, you need a way to connect them into a single security structure. Classic NT uses Master domains and Resource domains for this purpose. Active Directory uses trees and forests.

Trees

Active Directory uses DNS domains to define its namespace. As we've seen, a standard LDAP hierarchy conforms to a contiguous namespace called a Directory Information Tree. An Active Directory namespace that follows a contiguous namespace is also called a tree (see Figure 6.11).
Figure 6.11 Active Directory tree (dc=company,dc=com with child domains dc=us,dc=company,dc=com and dc=canada,dc=company,dc=com; dc=quebec,dc=canada,dc=company,dc=com beneath Canada, containing ou=francophone and ou=anglophone).

Figure 6.11 shows the way an Active Directory tree coincides with a standard DNS namespace. In this diagram, a root domain called Company.com has two child domains, one for the US and one for Canada. The Canada domain has a child domain of its own for Quebec. The Quebec domain has Organizational Units (OUs) that divide objects depending on language. The US domain has OUs that divide objects depending on geography. Both represent acceptable uses of OU containers. From an LDAP perspective, this tree structure looks pretty standard. If a client in the Quebec domain queries LDAP for information about a server in the US domain, the client will get a chain of referrals that walks the tree up to root and then down to a domain controller in the US domain. Recall that each of these domains represents the contents of a naming context. The naming context for a domain is hosted on a domain controller in that domain. When a query walks the tree, it moves from one domain controller to another. If the domain controllers are in different locations in a WAN, the transaction may take a while to complete.
Figure 6.12 Active Directory forest (dc=company,dc=com with children dc=us and dc=canada, and dc=subsidiary,dc=com with children dc=businessunit1 and dc=businessunit2; the two root domains are joined by a two-way transitive trust).

Forests

Not every organization is fortunate enough to have a clean tree structure. Many companies have business units that are virtually autonomous fiefdoms with their own DNS root domains and independent administrative staffs and even separate lunchrooms. Many universities, too, have colleges with separate IT staffs and campuses that maintain their own infrastructures. To accommodate these and other untree-like business structures, Microsoft tweaked the LDAP standard just a bit to develop a second structure called a forest. See Figure 6.12 for an example. Domains in an Active Directory forest do not need to follow a contiguous namespace. A secure connection between the root domains forms a conduit that permits access by users in one domain to resources in the other domains.

Global Catalog

In a standard LDAP search involving multiple naming contexts hosted by multiple servers, the servers pass referrals to the client, and the clients walk the tree to get information from the various servers. This process of query and referral consumes time and bandwidth. And if one of those domain controllers is at the wrong end of a 56K line oversubscribed with users downloading MP3s, the search might take a while. Active Directory speeds up searches and reduces WAN traffic by aggregating the contents of the various Domain naming contexts into a structure called a Global Catalog, or GC.
Global Catalog Structure

Because the GC contains a copy of every Domain naming context in a forest, it holds a copy of every object. In a big organization, this could make the database very large. It would not make sense to use separate domains to get separate naming contexts only to roll them up again into a GC that must be available at each location. To reduce GC size and replication traffic, only a small number of commonly used attributes are stored in it. The list of attributes included in the GC is determined by the Partial Attribute Set, or PAS. The PAS contains only 200 or so out of the 1700 attributes in the Active Directory schema. Further, the partial naming contexts hosted by a GC server are read-only, so the GC server need only concern itself with replicating updates from a domain controller hosting a full copy of the naming context. The Global Catalog is not a separate entity. A domain controller does not have a separate DIT file for a GC. Rather, the GC is really just a name for a domain controller function. The function is controlled by a flag in Active Directory. With the flag set to FALSE, a domain controller hosts only the standard three naming contexts: its own Domain NC, the Configuration NC, and the Schema NC. With the flag set to TRUE, the domain controller adds a partial replica for the other naming contexts in the forest. These naming contexts are stored in Ntds.dit right along with the three standard naming contexts.

Global Catalog Function

A Global Catalog server differentiates itself from a standard domain controller by listening for LDAP queries on a second port. The standard LDAP wire protocol uses TCP/UDP port 389.
Global Catalog servers listen on this port, but they also listen and respond on TCP/UDP port 3268. Here are the three possibilities for handling a search submitted to a GC on port 3268:

If the GC server receives a search request involving an attribute or attributes in the Partial Attribute Set (PAS), it responds to the request with a dataset containing the requested objects and attributes.
If the GC server receives a search request involving an attribute or attributes that are not in the PAS but the objects are in its own domain, it responds to the request with a dataset containing the requested objects and attributes. It obtains this information from the full copy of its Domain naming context.
If the GC server receives a search request involving an attribute or attributes that are not in the PAS and for objects in another domain, it responds to the request with a referral to the other domain. The LDAP client follows up on the referral and completes the search by walking the tree.
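The following Python model is an added illustration of the three cases above and of the GC flag; it is not Microsoft's code and not part of the book. The five-attribute PAS, the two domains, and the user objects are constructed sample data; only the port numbers come from the text. Searching on port 389 never reaches a foreign domain's replica, and a search on port 3268 is answered from the partial replica only when every requested attribute, including the one in the filter, is in the PAS:

```python
"""Model of how a Global Catalog answers searches on port 389 versus 3268.
Added illustration only; the PAS and the objects below are constructed samples."""
from dataclasses import dataclass

LDAP_PORT = 389   # standard LDAP: answers come from the DC's own Domain NC
GC_PORT = 3268    # Global Catalog: partial replicas of every Domain NC in the forest

# Constructed stand-in for the Partial Attribute Set (the real PAS holds ~200 attributes).
PAS = frozenset({"cn", "samaccountname", "userprincipalname", "mail", "objectclass"})

# Constructed sample objects for two domains of the Figure 6.12 forest.
FOREST = {
    "dc=canada,dc=company,dc=com": [
        {"cn": "Alice", "samaccountname": "alice", "mail": "alice@canada.company.com",
         "department": "Finance", "objectclass": "user"},
    ],
    "dc=us,dc=company,dc=com": [
        {"cn": "Bob", "samaccountname": "bob", "mail": "bob@us.company.com",
         "department": "Sales", "objectclass": "user"},
    ],
}


@dataclass
class DomainController:
    own_domain: str
    forest: dict          # domain DN -> list of objects (attribute -> value)
    is_gc: bool = True    # the GC flag described in the text

    def hosted_domain_ncs(self):
        """Domain NCs held by this DC: a full copy of its own domain, and partial
        read-only copies of the other domains only when the GC flag is set."""
        ncs = {self.own_domain: "full, read/write"}
        if self.is_gc:
            for domain in self.forest:
                if domain != self.own_domain:
                    ncs[domain] = "partial, read-only"
        return ncs

    def search(self, port, domain, filter_attr, filter_value, attributes):
        """Return ("result", objects), ("referral", domain) or ("no-listener", port)."""
        if port != LDAP_PORT and not (port == GC_PORT and self.is_gc):
            return ("no-listener", port)       # a plain DC does not listen on 3268
        if domain not in self.forest:
            return ("referral", domain)        # unknown naming context: refer the client
        wanted = set(attributes) | {filter_attr}
        if domain == self.own_domain:
            # Case 2 (and every port-389 search): the full Domain NC copy answers.
            replica = self.forest[domain]
        elif port == GC_PORT and wanted <= PAS:
            # Case 1: everything requested is in the PAS, so the partial replica suffices.
            replica = [{k: v for k, v in o.items() if k in PAS} for o in self.forest[domain]]
        else:
            # Case 3 (or a port-389 search for a foreign domain): referral; the client
            # walks the tree to a domain controller in that domain.
            return ("referral", domain)
        matches = [o for o in replica if o.get(filter_attr) == filter_value]
        return ("result", [{a: o[a] for a in attributes if a in o} for o in matches])
```

The model makes the operational point visible: a GC in Canada can answer "what is Bob's mail address" for a US user on port 3268, but a request for a non-PAS attribute such as department on the same object comes back as a referral, which is exactly the round trip the GC is meant to avoid.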
Global Catalog servers play a crucial role in the operation of Active Directory in an enterprise. If you have a multidomain forest, it is very important that all users be able to reach a GC server. In the next few chapters, we'll come back to the operation of the GC and the role it plays in authentication and access control.

Global Catalogs and Naming Context Locations

Just as a recap, take a look at the forest in Figure 6.12. The forest contains six different domains. Let's say that a domain controller in the Canada domain is configured to be both a Global Catalog server and a DNS server for an Active Directory Integrated DNS zone. This server would host the following naming contexts:

A full, read/write copy of dc=canada,dc=company,dc=com
A full, read/write copy of cn=configuration,dc=company,dc=com
A full, read-only copy of cn=schema,cn=configuration,dc=company,dc=com
A full, read/write copy of cn=forestdnszones,dc=company,dc=com
A full, read/write copy of cn=domaindnszones,dc=canada,dc=company,dc=com
A partial, read-only copy of the remaining domain naming contexts

Active Directory Trust Relationships

Creating trees and forests requires a way to pipe secure transactions between the various domains. Like classic NT, this pipe is called a trust relationship. Classic NT trusts have always reminded me of the Dr. Seuss story The Zax. In this story, a North-going Zax meets a South-going Zax in the prairies of Prax. They stand nose to nose, unwilling to move out of each other's way. One Zax says, "I'm a North-Going Zax and I always go north. Get out of my way, now, and let me go forth!" To which the other Zax replies, "You're in MY way! And I ask you to move, and let me go south in my south-going groove." A classic one-way NT trust behaves exactly the same way. The rights implicit in the trust only flow in one direction and cannot flow from one domain to another. A big NT system based on interlocking trusts between many different resource and master domains can begin to look a little like a Dr. Seuss drawing, as well.

Transitive Kerberos Trusts

The picture gets a little neater with Active Directory. When two Active Directory domains trust each other, users and groups and computers from one domain can seamlessly access resources in the other domain. The trust flows both ways.
In addition, Active Directory trusts are transitive, meaning that they flow from one domain to another if domains are chained together. For example, if five Active Directory domains trust each other, users from one domain can access resources in any of the other four domains, assuming that they have been granted access permissions. The magic that makes this work comes from the Kerberos authentication mechanism that underlies the trust relationships. See Chapter 12, Managing Group Policies, for more information about how Kerberos works and how it supports transitive trusts.

Trust Types

Active Directory domains have several ways they can trust each other, or trust downlevel NT domains, depending on the structure you want to build. There are six types of trust relationships, illustrated in Figure 6.13:

Parent/Child trusts. This style of trust exists between two Active Directory domains that share a contiguous DNS namespace and belong to the same forest.
Tree Root trusts. This style of trust exists between root domains in the same forest that do not share a common DNS namespace.
Shortcut trusts. This style of trust exists between two domains in different trees within the same forest. It is used to expedite Kerberos transactions between the domains. With a shortcut trust in place, a client can obtain a Kerberos ticket directly from the trusted domain without walking the tree.

Figure 6.13 Diagram of various Active Directory trust options in Windows Server 2003 (Forest Root trust, Tree Root trust, Realm trust to an MIT v5 Kerberos KDC, Parent/Child trust, External trust to an NT4 PDC/BDC domain, and Shortcut trust, drawn among Vendor.com, Company.com, Subsidiary.com, US.Company.com and Unit.Subsidiary.com).
External trusts. This style of trust exists between an Active Directory domain and a downlevel NT4 domain. You can also create an external trust to a Samba domain. An External trust resembles a classic NT trust. It is one-way and nontransitive, meaning it cannot link an entire forest to a downlevel domain. LDAP searches and Kerberos authentications do not cross the trust boundary.
Kerberos realm trusts. This style of trust exists between an Active Directory domain and an MIT v5 Kerberos realm. (MIT stands for Massachusetts Institute of Technology, where Kerberos originated.) The trust can be made transitive and two-way.
Forest trusts. This style of trust exists between two Active Directory forests. It can be made transitive and two-way. The forests do not share a common Schema or Configuration naming context. This trust type forms a federation of forests. It is used to join two organizations that have existing Active Directory deployments and do not want to migrate accounts into a single forest. This trust type is a new feature in Windows Server 2003 and requires all domains in the forests and the forests themselves to be running at full Windows Server 2003 functionality (no legacy domain controllers). You must be a member of the Incoming Forest Trust Builders group to create a Forest trust.

The new Forest Trust type should not be considered a panacea for organizational restructurings. Because the two forests do not share a common Configuration or Schema naming context, they cannot share applications that require a common configuration. A principal example is Exchange 2000, which places critical information into the Configuration naming context. A federation of forests cannot be placed into a single Exchange organization, so users cannot see a common Global Address List (GAL) or use common distribution lists.

Establishing Parent/Child and Tree Root Trusts

Parent/Child trusts and Tree Root trusts can only be formed when a domain is created.
There are no tools for consolidating domains (grafting) or prying them apart (pruning) after the forest is in place. Every domain controller in a forest hosts an identical copy of the Schema naming context. There are no tools to coordinate and consolidate two sets of schemas. I'm going to repeat this point in a different way because it's important to remember. New domains can only be added to a forest when the first domain controller is promoted in that domain. After you create a forest, the constituent domains cannot be removed without demoting every domain controller in the domain, essentially losing all Active Directory information for that domain. External and Realm trusts do not rely on the Schema or Configuration naming contexts, so they can be created and broken while leaving the end-point domains intact. If you break the trust, users in the trusted domain lose access to resources in the other domains. If you make the trust again, the users regain access.
Establishing Forest Trusts

Forest trusts are a bit more complex to configure than the standard Windows 2000 trust types. Although the trust itself is two-way and transitive, you can select the domains in each forest that participate in the trust. For example, consider the diagram in Figure 6.14. This diagram shows two forests in a federation connected by a Forest trust. Each forest has domains connected by Parent/Child trusts. In a fully transitive configuration, users in the US.Company.com and Canada.Company.com domains would be able to access resources in the PacRim.Subsidiary.com and Europe.Subsidiary.com domains and vice versa. However, you may not want to enable fully transitive resource access. Using the Properties window for the trust, you can select which domains will participate in the Forest trust and in which direction the trust will be effective. Using this feature, you can target trusts in the federation. For example, you can configure the Forest trust so that users in PacRim.Subsidiary.com can access resources in US.Company.com but not in Canada.Company.com. You must be a member of the Incoming Forest Trust Builders group to create a Forest trust to another domain. This new Builtin group permits a root domain administrator to grant permissions for an administrator in another root domain to create a trust without giving that administrator full domain administrative privileges.

Figure 6.14 Federation of two Active Directory forests (dc=company,dc=com with child dc=canada, and dc=subsidiary,dc=com with children dc=pacrim and dc=europe, joined by a selectively transitive, two-way Forest trust).
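To make the transitivity rules from the Trust Types list and the selective Forest trust just described concrete, here is an added Python trust-path walker. It is not Microsoft's code and not from the book; the trust graph is constructed after Figures 6.13 and 6.14, with an assumed downlevel NT4 domain named WEST attached to US.Company.com by a one-way External trust. A trust is usable as a chain link only when it is transitive, a one-way trust is walked only from the trusting (resource) side toward the trusted (account) side, and a selective Forest trust admits only the (resource domain, account domain) pairs the administrator chose:

```python
"""Trust-path walker for Active Directory trust types (added illustration, not
Microsoft's code). The domains and trusts at the bottom are constructed samples."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Trust:
    trusting: str            # resource-side domain (the one that extends trust)
    trusted: str             # account-side domain
    kind: str                # parent-child, tree-root, shortcut, external, realm, forest
    two_way: bool = True
    transitive: bool = True
    # Forest trusts only: (resource_domain, account_domain) pairs selected in the
    # trust's Properties window; None means every domain in both forests participates.
    allowed: Optional[frozenset] = None


def directed_edges(trusts):
    """Yield (trusting, trusted, trust) once per direction in which the trust is effective."""
    for t in trusts:
        yield t.trusting, t.trusted, t
        if t.two_way:
            yield t.trusted, t.trusting, t


def trust_path(account_domain, resource_domain, trusts):
    """Chain of domains a Kerberos referral would walk from the resource domain back
    to the account domain, or None when no usable trust path exists."""
    edges = list(directed_edges(trusts))
    # stack entries: (current domain, path so far, selective restrictions crossed, may extend)
    stack = [(resource_domain, [resource_domain], [], True)]
    while stack:
        cur, path, restrictions, may_extend = stack.pop()
        if cur == account_domain and len(path) > 1:
            if all((resource_domain, account_domain) in r for r in restrictions):
                return path
            continue            # reachable, but the selective forest trust excludes this pair
        if not may_extend:
            continue            # arrived over a non-transitive trust: the chain ends here
        for trusting, trusted, t in edges:
            if trusting != cur or trusted in path:
                continue
            if not t.transitive and len(path) > 1:
                continue        # a non-transitive trust is only usable as a direct hop
            restr = restrictions + ([t.allowed] if t.kind == "forest" and t.allowed is not None else [])
            stack.append((trusted, path + [trusted], restr, t.transitive))
    return None


# Constructed federation: two forests joined by a selective Forest trust that lets
# PacRim users reach US resources only, plus a one-way, non-transitive External
# trust from US.Company.com to an assumed downlevel NT4 domain called WEST.
TRUSTS = [
    Trust("company.com", "us.company.com", "parent-child"),
    Trust("company.com", "canada.company.com", "parent-child"),
    Trust("subsidiary.com", "pacrim.subsidiary.com", "parent-child"),
    Trust("subsidiary.com", "europe.subsidiary.com", "parent-child"),
    Trust("company.com", "subsidiary.com", "forest",
          allowed=frozenset({("us.company.com", "pacrim.subsidiary.com")})),
    Trust("us.company.com", "WEST", "external", two_way=False, transitive=False),
]
```

Two of the cases repay a close look when reviewing a trust design: a WEST user reaches US.Company.com directly but never Company.com, because the External trust is non-transitive and cannot link the whole forest, and a PacRim user reaches US.Company.com through the root domains but is stopped at Canada.Company.com by the selective Forest trust.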
Object Migration Between Domains and Forests

You cannot build or break Parent/Child and Tree Root trusts after they are formed, so the only way to change your forest structure is to migrate objects between domains. Microsoft provides a utility for performing these object migrations called the Active Directory Migration Tool, or ADMT. Moving user, computer, and group accounts between domains involves issues of security and accessibility. Both classic NT and modern Windows servers use Security IDs (SIDs) to identify users. These SIDs are placed on access control lists (ACLs) to control access to resources. ADMT performs a complex set of functions designed to preserve the original SIDs so that users retain access to their resources. The new version in Windows Server 2003 also preserves passwords and the original user profiles. There are a variety of third-party tools that can help with object migration between domains and forests. See Chapter 9, Deploying Windows Server 2003 Domains, for details.

Sysvol

There's more to being a domain controller than simply hosting the Active Directory database. The domain controller is also responsible for distributing the files associated with group policies. Group policies are used to centrally manage member servers, desktops, and users. They are covered in detail in Chapter 12, Managing Group Policies. Active Directory domain controllers must also support downlevel clients by providing a place to obtain classic scripts and system policies contained in Config.pol or Ntconfig.pol files. In an NT domain, these files are stored in the Netlogon share, physically located at C:\Winnt\System32\Repl\Import\Scripts.

Sysvol Files

To meet its dual responsibilities of supporting modern group policies and classic system policies and scripts, Active Directory domain controllers host a special folder called Sysvol. The location of the folder is determined during Dcpromo.
Sysvol must be on an NTFS volume because folders within Sysvol use reparse points, which are only supported by NTFS. Sysvol contains a folder with the name Domain that holds the group policy files in a folder called Policies and classic scripts in a folder called Scripts. The Scripts folder is shared as Netlogon to support downlevel clients. Modern scripts that are distributed as part of group policies are stored as part of a particular group policy under the Policies folder. Clients access Sysvol via a special fault tolerant share with the Universal Naming Convention (UNC) path of \\<domain_name>\sysvol. For example, you can do a directory of \\company.com\sysvol from any client in the Company.com domain. Accessing fault tolerant shares requires that the Dfs client service be running on the client.
File Replication and Sysvol

The contents of Sysvol are replicated to every domain controller in a domain. It is important that the contents stay in sync. Otherwise, users will get different group policies, system policies, and classic scripts when they log on to different domain controllers. A service called the File Replication Service, or FRS, is responsible for synchronizing the contents of Sysvol between domain controllers. (The actual service name is Ntfrs, which you may see in Event log entries.) FRS replicates an entire file when any changes are made to the file. To prevent race conditions that could occur if the file were locked, the file is first copied to a Staging folder, then replicated to the other domain controllers.

Locating Active Directory Services

Active Directory clients use DNS to locate domain controllers. They do this by querying for Service Locator (SRV) records that point at LDAP, Kerberos, and Global Catalog ports on the servers. Refer to RFC 2052, A DNS RR for Specifying the Location of Services. (RR stands for Resource Record.)

Figure 6.15 DNS console showing SRV records for the Company.com domain.
SRV Records for Active Directory

Figure 6.15 shows a DNS zone table for the Company.com domain. The zone table contains the SRV records registered by the first domain controller in a Windows Server 2003 domain. Here are the SRV records in a standard zone table format:

_kerberos._tcp.phoenix._sites.dc._msdcs 600 SRV dc-01.company.com.
_kerberos._tcp.phoenix._sites 600 SRV dc-01.company.com.
_kerberos._tcp.dc._msdcs 600 SRV dc-01.company.com.
_kerberos._tcp 600 SRV dc-01.company.com.
_kerberos._udp 600 SRV dc-01.company.com.
_kpasswd._tcp 600 SRV dc-01.company.com.
_kpasswd._udp 600 SRV dc-01.company.com.
_ldap._tcp.phoenix._sites.gc._msdcs 600 SRV dc-01.company.com.
_gc._tcp.phoenix._sites 600 SRV dc-01.company.com.
_ldap._tcp.gc._msdcs 600 SRV dc-01.company.com.
_gc._tcp 600 SRV dc-01.company.com.
_ldap._tcp.phoenix._sites.dc._msdcs 600 SRV dc-01.company.com.
_ldap._tcp.phoenix._sites 600 SRV dc-01.company.com.
_ldap._tcp.dc._msdcs 600 SRV dc-01.company.com.
_ldap._tcp.{GUID of domain}.domains._msdcs 600 SRV dc-01.company.com.
_ldap._tcp 600 SRV dc-01.company.com.
_ldap._tcp.pdc._msdcs 600 SRV dc-01.company.com.
dc-01 A
gc._msdcs 600 A
{GUID of DC invocation}._msdcs 600 CNAME dc-01.company.com.

Format of SRV Record Names

The leading underscores in SRV record names are there to avoid collision with other records by the same name. The naming format is specified in RFC 2052, SRV Record Format and Use.
Windows DNS reverses the SRV record names to display them as a hierarchy of folders. Here are the functions of the SRV records based on their groupings in the DNS console:

_MSDCS. This heading collects SRV records based on their status as domain controllers, domain invocations, global catalog servers, and primary domain controllers. Domain controllers and global catalog servers are broken down by site. This tells Active Directory clients very quickly where to find local services. Domain invocations support replication. Each domain controller gets a GUID that it uses when invoking replication. The PDC entry contains the SRV record for the domain controller assigned to be the PDC Emulator, a domain controller that acts as the PDC to downlevel NT BDCs.
_SITES. A site represents an area of high-speed connectivity associated with one or more distinct IP subnets. By indexing domain controllers based on their site affiliation, clients can look in _SITES to find local services rather than sending their LDAP lookups across the WAN. Standard LDAP queries use port 389. Global Catalog queries use port 3268.
_TCP. This heading collects all domain controllers in the DNS zone. The _TCP grouping acts as a catchall for clients that cannot find their specific site or that need to find a domain controller elsewhere in the network if none of those with local SRV records respond.
_UDP. Kerberos v5 permits clients to use connectionless services to get tickets and change passwords. This is done via UDP ports that correspond to the TCP ports for the same services, UDP port 88 for ticketing and UDP 464 for password changes.

Operational Description of SRV Record Queries

When a user initiates a process that requires an Active Directory lookup, the AD client process sends a query to DNS for SRV records corresponding to servers advertising LDAP ports. The first query is for SRV records in the client's local site. This ensures that LDAP searches do not go to domain controllers elsewhere in the WAN.
If there are no domain controllers in the client's site, it asks for all SRV records regardless of site.

Registry Tip: Site Name Cache
Clients cache their site information in the following Registry location:
Key: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
Value: DynamicSiteName
Data: Flat name of the last domain controller authenticating the client, for example, dc-01
DNS returns all SRV records that meet the query conditions. If there are five domain controllers in a site, DNS returns five SRV records accompanied by the Host record containing the IP address of the server in each SRV record. This differs from standard DNS operation, where the server would normally return a single record in a round-robin selection process.

When the client receives the SRV records, it performs a quick LDAP ping to all of them by sending out a bind query to UDP port 389. The first domain controller to respond is selected as the primary LDAP server by the client. Here are the details of the transaction:

1. When the operating system loads, the network client locates a domain controller by querying DNS for SRV records. The client in the diagram sends a query for _kerberos._tcp.phoenix._sites.dc._msdcs.company.com. Notice that the scope of this query is limited to domain controllers from the same site and domain. The client stores the site name in the Registry under HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName.

2. When the DNS server receives this query, it returns all SRV records that meet the query criteria, sorting them by priority and weight.

3. When the network client receives the SRV records, it fires off an LDAP ping (a single UDP packet) over port 389 to every domain controller on the list. It sends these pings in rapid succession, one every tenth of a second.

4. When a domain controller gets the LDAP ping, it returns an LDAP response. The client designates the first domain controller to respond as the logon server and proceeds to authenticate via Kerberos.

At this point, the client behaves like a lonely kid who has finally found a friend. It hounds the domain controller with all subsequent LDAP requests, Kerberos authentication requests, and group policy downloads. You can determine the identity of the domain controller that authenticated a Windows Server 2003 member server using the SYSTEMINFO utility.
Here is a partial listing showing the logon server information:

Virtual Memory: Max Size: 1,733 MB
Virtual Memory: Available: 1,344 MB
Virtual Memory: In Use: 389 MB
Page File Location(s): C:\pagefile.sys
Domain: company.com
Logon Server: \\DC01.company.com
Hotfix(s): 0 Hotfix(s) Installed
If the client is in a forest, the domain controllers generate referrals to other domains. Clients use SRV records for those domains to locate domain controllers that host copies of the target Domain naming contexts.

Site Coverage

You cannot configure a preferred domain controller for a client. If you have a large LAN and you want to compartmentalize your clients based on their area of a campus LAN or MAN (metropolitan area network), you must structure your replication topology around multiple sites. This is true even if your WAN interties meet the requirements for a high-speed connection that would not normally require separate sites.

Domain controllers automatically register their SRV records using their site name. They also return referrals to clients to ensure that clients use a local domain controller for authentication and LDAP queries. This localization feature is possible because each site is associated with one or more IP networks connected by Site Links. A domain controller can read the IP address of a client and determine the site the client should designate when making DNS requests for SRV records.

Here's how this works. Let's say that the client is a laptop. The user shuts down the laptop, flies to Houston, and connects to the network again:

1. The client gets a local address from Dynamic Host Configuration Protocol (DHCP). It remembers that it is in the Phoenix site and queries DNS for domain controllers in that site.

2. DNS returns the requested SRV records and the client sends LDAP pings to the domain controllers in Phoenix.

3. A domain controller in Phoenix examines the client's IP address and sees that the client is in the Houston site. It knows this by comparing the IP address to the IP Subnet objects in Active Directory.

4. The domain controller responds with a referral telling the client to query DNS for the Houston site.

5. The client responds by repeating the DNS query for SRV records from the Houston site.

In this way, the client automatically adjusts to changes in location.
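To make the DNS side of the locator sequence concrete, here is an added Python model (not code from the book) that builds the _msdcs owner names described above, falls back from the site-scoped name to the domain-wide name when the client's site has no registrations, and orders what DNS returns by priority and weight. The zone contents, a second host dc-02, the disaster-recovery host dc-dr and all priority/weight values are constructed for the example; the LDAP ping and the Phoenix-to-Houston referral happen after this step and are not modelled.

```python
"""Constructed model of the Active Directory DC locator's DNS step."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # relative share of clients within one priority
    port: int
    target: str


def srv_owner_names(domain, service="_ldap", site=None, role="dc"):
    """Owner names the client queries, most specific first.

    role is "dc", "gc" or "pdc", the _msdcs groupings on the page.  The
    site-scoped name comes first when the client knows its site (the value
    it caches as DynamicSiteName); the domain-wide catch-all name follows.
    """
    names = []
    if site and role != "pdc":  # the PDC record is never site-scoped
        names.append("%s._tcp.%s._sites.%s._msdcs.%s" % (service, site, role, domain))
    names.append("%s._tcp.%s._msdcs.%s" % (service, role, domain))
    return names


def order_records(records, rng=random):
    """Order one answer set the way a client should try it (RFC 2782).

    Records are grouped by ascending priority.  Within a priority, a target
    is drawn with probability proportional to its weight; weight-0 records
    are drawn only after every weighted record in the group has been used.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]            # reached only when weight-0 records remain
            if total:
                cut, acc = rng.randint(0, total - 1), 0
                for r in pool:
                    acc += r.weight
                    if cut < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate(zone, domain, site=None, service="_ldap", rng=random):
    """Return (owner name that answered, ordered records).

    Tries the client's site first and falls back to the domain-wide record
    set when the site has no registrations, as the page describes.  The
    client then LDAP-pings every target and keeps the first responder; that
    step is outside this model.
    """
    for name in srv_owner_names(domain, service, site):
        answers = zone.get(name, [])
        if answers:
            return name, order_records(answers, rng)
    return None, []


# Constructed zone modelled on the company.com example: two DCs registered
# in the Phoenix site, none in Houston.  Priority/weight values are made up.
ZONE = {
    "_ldap._tcp.phoenix._sites.dc._msdcs.company.com": [
        SrvRecord(0, 100, 389, "dc-01.company.com."),
        SrvRecord(0, 100, 389, "dc-02.company.com."),
    ],
    "_ldap._tcp.dc._msdcs.company.com": [
        SrvRecord(0, 100, 389, "dc-01.company.com."),
        SrvRecord(0, 100, 389, "dc-02.company.com."),
        SrvRecord(10, 0, 389, "dc-dr.company.com."),  # always tried last
    ],
}


if __name__ == "__main__":
    for client_site in ("phoenix", "houston"):
        name, answers = locate(ZONE, "company.com", client_site)
        print(client_site, "->", name, [r.target for r in answers])
```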
This site localization feature herds clients toward local domain controllers for authentication and LDAP queries. If you have a location that does not have a domain controller, you should still create a site for the location. This populates DNS with SRV records for the next site upstream so that clients authenticate at the closest domain controllers.

Compatibility Settings

For backward compatibility, certain Active Directory features are disabled while domain controllers running something other than Windows Server 2003 are in operation. A Windows Server 2003 domain faces two compatibility challenges (at least with other Windows servers):

Operation with downlevel NT domain controllers
Operation with Windows 2000 domain controllers

Each of these challenges requires a different compatibility setting.

Operation with Downlevel NT Domain Controllers

Active Directory domain controllers can coexist with NT4 Domain Controllers in the same domain. This is called Windows 2000 Mixed. In Mixed, a Windows Server 2003 domain controller designated as the PDC Emulator uses classic LMRepl (LanMan Replication) to deliver selected Active Directory updates to downlevel BDCs.

In Mixed, certain advanced features in Active Directory are disabled because they are incompatible with classic NT4. Here is a list:

Universal groups. This group type can have members from any domain in a forest and can be placed on access control lists anywhere in a forest.

Global group nesting. In Native, Global groups from different domains can be nested together and nested into Universal groups.

Local access to Domain Local groups. In Native, Domain Local groups from Active Directory can be placed on access control lists on member servers and desktops.

Downlevel clients can participate in transitive authentication.
After a domain is running in Native, the domain controllers can proxy NTLM authentication requests from downlevel clients to give them access to domains that they would not be able to access in a standard NT master/resource domain structure.

After you have upgraded or decommissioned all NT4 BDCs, you can get these advanced features by shifting the domain to Windows 2000 Native. This stops replication from the PDC Emulator to any remaining NT4 BDCs. After a domain has been shifted to Windows 2000 Native, it cannot be shifted back to Windows 2000 Mixed.
Functional Levels

Several new Windows Server 2003 features are incompatible with Windows 2000. Here is a quick list:

The calculations for determining replication topology between sites have been streamlined. This corrects a problem where large organizations with hundreds of sites might experience replication failure because the topology calculations could not be completed in the time allotted to them.

Group members are now replicated as discrete entities instead of replicating the entire group membership list as a single unit. This corrects a problem where membership changes made to the same group on different domain controllers in the same replication interval would overwrite each other.

A new trust type has been added to simplify transitive trust relationships between domains that are not in the same forest.

Support has been added for the inetOrgPerson object class, which is used on other commercial LDAP directory services to represent users. inetOrgPerson objects can be given a SID and used as security principals for logon and put on access control lists.

Domain controllers can be renamed in a Windows Server 2003 domain.

Domains themselves can be renamed in a Windows Server 2003 forest. This permits restructuring a forest by changing parent/child relationships between domains.

Schema objects can be declared defunct so that their parameters can be reused in another Schema object. A Schema object cannot be deleted, nor can its Common Name (CN) be changed.

Changes made to elements of the Global Catalog, such as adding an attribute to the GC or taking one away, no longer require a full rebuild and replication of the GC.

As long as Windows Server 2003 domain controllers coexist with Windows 2000 Domain Controllers, these features are disabled. When all Windows 2000 Domain Controllers have been upgraded to Windows Server 2003 or demoted to standard servers, the domains and the forest can be shifted to full Windows Server 2003 functionality. This is a one-time operation and cannot be reversed.
See Chapter 9, "Deploying Windows Server 2003 Domains," for the prerequisites and steps to change functional levels.

Client Compatibility

Windows Server 2003 Active Directory domains are compatible with any and all Windows clients as well as the Microsoft DOS client and the most current versions of Samba.
The opposite is also true. Windows Server 2003 and XP can operate in any Windows domain environment: classic workgroups, classic NT, Windows 2000 Active Directory, and of course, Windows Server 2003 Active Directory. (The sole exception is XP Home Edition, which cannot join a domain of any form.)

One subtle problem that arose in Windows 2000 was fixed in Windows Server 2003 and in Windows 2000 SP2. When Kerberos-based Windows clients operate in downlevel domains, they happily use NTLM Challenge-Response for their authentication. This means they can log on to classic backup domain controllers (BDCs) and participate in pass-through authentication.

Piling On

When the domain is upgraded to Active Directory, however, a Kerberos-based client changes a flag in its security database to disable NTLM Challenge-Response and use only Kerberos. This means that if you have deployed a few thousand Windows 2000 or XP desktops in your NT domain, as soon as you upgrade the PDC, all those desktops will scurry to that one machine to authenticate. Microsoft calls this behavior "piling on."

In addition, after a client has authenticated with an Active Directory domain controller, it behaves like a teenager who has finally gotten up the gumption and money to move out of the house. It sets a flag in its local security database and thereafter will only authenticate with Active Directory domain controllers. If only classic BDCs are available, the client logs users on using cached credentials rather than deigning to use a classic BDC. This can cause operational difficulties if you have large numbers of desktops and member servers that have already been upgraded to Windows 2000, XP, or Windows Server 2003 when you do the upgrade of the PDC. If the clients are in Guam and your PDC is in Galveston, the morning logons in Guam are going to be exceedingly slow.

To avoid this problem, Windows Server 2003 includes a feature that keeps an Active Directory domain controller pretending to its clients that it is still a downlevel domain controller.
After you have installed enough Windows Server 2003 Domain Controllers to handle the logon requests, you can pull up the curtain, turn on the footlights, and let the clients switch to Kerberos authentication.

The feature consists of a Registry entry that makes a newly promoted Windows Server 2003 domain controller pretend to be a classic NT4 domain controller. Here is the entry:

Key: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
Value: NT4Emulator
Data: 1 (REG_DWORD)

It is important that you put this entry in place on all NT domain controllers before you upgrade them. The domain controller will still register its SRV records, but when the modern Windows clients go to authenticate, the domain controller will only respond with an NTLM authentication sequence.
Special NT4 Emulator Considerations

During the time that you have the NT4Emulator switch in place, your XP and Windows 2000 desktops will continue to use NTLMv2 authentication rather than Kerberos. This imposes the following limitations:

Clients do not download or implement group policies.

You cannot use Active Directory management tools such as AD Users and Computers or AD Sites and Services from the client, because it has not authenticated using Kerberos and therefore cannot gain LDAP access to Active Directory.

You cannot promote a member server to a domain controller, because it cannot make an LDAP connection to an existing domain controller.

If the NT4Emulator switch is set on domain controllers in the root domain of the forest, you cannot create a new domain in the forest, because the new domain controller cannot make an LDAP connection to an existing domain controller in the root domain.

You can avoid these limitations on a case-by-case basis by permitting the client to ignore the NT4Emulator behavior of a domain controller and to log on using Kerberos. Do this by putting an entry into the Registry at the client:

Key: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
Value: NeutralizeNT4Emulator
Data: 1 (REG_DWORD)

After putting this entry in place, log off and back on again. The desktop finds the Windows Server 2003 domain controller and uses Kerberos to authenticate. You can verify that this occurs using the Kerbtray utility from the Resource Kit.

When you have sufficient Windows Server 2003 domain controllers deployed to handle the expected volume of Kerberos authentications and group policy deliveries, flip the NT4Emulator switch to 0 in the Registry of each domain controller and restart it. This enables the domain controller to authenticate using Kerberos as well as NTLMv2. Be sure you flip the switch on all domain controllers to avoid confusion.
Active Directory Namespace Highlights

Here is a summary of the key points to remember about how the Active Directory namespace is structured. These points become critical design elements when the time comes to deploy Active Directory in your organization:

The Active Directory database is divided into separate replication units called naming contexts. There are four types of naming contexts: Domain, Configuration, Schema, and Application.

Active Directory domains form separate security and management units as well as separate naming contexts.
Every domain controller in a forest has a replica of the Configuration and Schema naming contexts. This ensures that the domain controllers share the same knowledge about Active Directory topology, operation, and object management.

Separate Active Directory domains can be connected together into a common security structure. If the domains share a contiguous DNS namespace, they form a tree. If they do not share a contiguous namespace, they form a forest.

Active Directory uses trust relationships between domains to form trees, forests, and secure connections to external domains, forests, and MIT Kerberos realms. A trust can also be used to create a shortcut between domains in the same forest.

Trust relationships between Kerberos-based Windows domains can be made transitive and two-way. Trusts to downlevel domains are one-way and non-transitive.

Active Directory improves the performance of deep LDAP searches (searches that include multiple domains) by aggregating a partial replica of all Domain naming contexts into a Global Catalog. Any domain controller can host a copy of the GC.

Active Directory clients use SRV records in DNS to locate Active Directory services on domain controllers. Clients preferentially use domain controllers from their local network to reduce WAN traffic and improve performance.

Windows Server 2003 maintains backward compatibility to both classic NT4 domains and Windows 2000 domains. All domains in a forest and the forest itself must be shifted to the Windows Server 2003 Functional Level to get access to all new Active Directory features.

Active Directory Schema

When discussing directory service structure and operation up to this point, I've used general terms that are applicable to just about any LDAP implementation.
It's now time to spend a while looking at specific features in Active Directory. You may find this information to be a little too much detail for helping you manage day-to-day operations in Windows Server 2003. However, it's good to know some of the important functional and operational details of the directory service to help you create reliable domain designs and to troubleshoot problems that arise.

As a quick review, the object-oriented LDAP database that comprises Active Directory is structured around a set of object classes and their associated attributes. Individual objects are instances of specific object classes. The schema defines the available object classes, their associated attributes, the data types and permitted ranges for those attributes, and the rules for arranging and managing objects within the Active Directory database.
Schema Functional Operation

To visualize how the schema works, consider a simple, paper-based directory. Every month or so I get a catalog from Land's End, the clothing retailer. This catalog is a database of sorts, similar to a directory service except that it guides the user to a garment instead of a network entity. Consider this:

The schema for this directory defines a set of object classes with the scope "Garments Sold by Land's End." These classes represent objects of interest to garment purchasers, such as Sweaters, Suits, Blazers, Accessories, and so forth.

The schema also defines the available attributes that can be associated with the object classes, such as Size, Color, Inseam-Length, and Price, along with more subtle attributes specific to the directory itself, such as Picture-Of-Garment.

The schema has content rules that define what attributes can be associated with a class. Some attributes, like Size and Color, might be associated with nearly every class. An attribute like Inseam-Length, however, might only be associated with classes like Slacks and Jeans, not Sport-Coats or Shoes.

Some garment classes have attributes that are nearly identical. For example, the attributes that define the Polo-Shirts class differ only slightly from the attributes that define the Sport-Shirts class. The Polo-Shirts class derives from the Sport-Shirts class and inherits the attributes associated with its parent. The new attributes are then tacked on to the new class.

Class inheritance makes it important to have structure rules that keep the directory aligned with the real world. For example, a structure rule prevents placing an object from the Bathrobe class under a container from the Shoe class.

A particular garment is an instance of its garment class. For example, an instance of the Blazer class would be the solid red blazer with green plaid lining that I gave my brother for Christmas last year.
(The snide thank-you note I received in return came from the Hallmark directory service as an instance of the Ungrateful-Sibling class.)

The Land's End schema has syntax rules that define the values that can be associated with an attribute. For example, the Size attribute must have whole integer values while the Shoe-Size attribute can have real number (fractional) values.

Because the garment classes and their attributes can change, the Land's End directory is extensible. For example, a new attribute called Number-Of-Sleeve-Buttons can be added and the Blazers class modified to include that attribute.

For flexibility, certain special object classes can be dynamically assigned to a specific object. This makes it possible to create special bundles of attributes for a certain object, like a Rad-Phat T-shirt object, without altering all other instances of the T-shirt class.
I know this was a long example, so here are the key terms and concepts:

Object Classes. Define the objects that can appear in Active Directory and their associated attributes.

Class Derivations. Define a method for building new object classes out of existing object classes.

Object Attributes. Define the available attributes. This includes extended attributes that govern actions that can be taken on object classes.

Structure Rules. Determine possible tree arrangements.

Syntax Rules. Determine the type of value an attribute is capable of storing.

Content Rules. Determine the attributes that can be associated with a given class.

Extensible schema. Additions can be made to the list of available classes and attributes.

Dynamic class assignments. Certain classes can be dynamically assigned to a specific object rather than an entire class of objects.

Object Classes and Class Derivations

An object class is nothing more than a bundle of attributes with a name. The User class, for example, has certain attributes that, taken together, make it distinct from the Organizational-Unit class or the Server class.

The X.500/9594 standard as modified by RFC 2256, "A Summary of the X.500(96) User Schema for use with LDAPv3," defines 21 classes and 55 attributes in a standard LDAP directory schema. The Active Directory schema extends this list quite a bit, out to nearly 200 classes and just under 1700 attributes. If you want a complete list, check out the Windows Server 2003 Platform SDK or look at the MSDN web site, msdn.microsoft.com.

Standard LDAP Classes and Attributes in Active Directory
The Active Directory schema includes all RFC 2256 classes, except for Alias and Strong-Authentication-User, and all attributes, except for Aliased-Object-Name. The exclusion of Alias was deliberate. Aliases are a notorious source of performance difficulties and integrity problems in directory services.
In addition, most of the object classes that would normally be given aliases are required to have unique names in Active Directory. This includes Users, Computers, and Groups.

Windows .NET includes the inetOrgPerson class as defined in RFC 2798, "Definition of the inetOrgPerson Object Class." This makes Active Directory more compatible with Netscape Directory Services and Novell Directory Services, both of which derive their User class from inetOrgPerson.
Schema Rules

It's not enough to define schema components in terms of objects, actions, and relationships. Laws and customs are also necessary to avoid anarchy. These take the form of schema rules. Directory service designers build certain rules into the schema that determine how classes and attributes are used, what kind of values they can have, and what relationship they have to each other. These rules fall into three categories:

Structure Rules
Content Rules
Syntax Rules

Structure Rules

Frank Lloyd Wright established the design paradigm for twentieth-century architecture by declaring that form should always follow function. He was a building architect rather than a directory services architect, of course, but Active Directory is as much of a monument to form and function as a prairie house, and it is the structure rules that accomplish this.

There is really only one structure rule in Active Directory: Each object class has only certain classes that can be directly above it, called Possible Superiors. This structure rule is very important because classes inherit attributes from their parents. Structure rules prevent putting a User class object under a totally unrelated container class, like IPSEC-Base or NTDS Settings.

Content Rules

Every object class has certain attributes with values that cannot be left blank when an object is instantiated. These are called must-contain attributes. For example, every instance of the User class must have a value for the Common-Name attribute. Other attributes are optional and are designated may-contain attributes.

An important design principle of Active Directory is that only attributes with values are stored in the database. This greatly reduces the size and complexity of the database. Because attributes can be added after an object is created and then later removed if they are set to null, the database engine must constantly pack and repack the data. This is done by a garbage collection service that runs every 12 hours.
Syntax Rules

Attributes store data. Data must have a data type to define the storage requirements. Real numbers have a different form from integers, which are different from long integers, which are different from character strings. An attribute can have only one data type. It cannot hold a string when associated with one object class and an integer when associated with another. The syntax rules in the schema define the permissible value types and ranges for the attributes.
Schema Definition Objects

Individual objects are always instances of an object class. Achieving this design principle involves using a template that defines the attributes, schema rules, and class hierarchy for the objects within an object class. The same applies for attributes, which require a template to define the syntax rules. This suite of templates makes up the schema definitions for a directory service information store.

Some directory services put the schema definitions into a separate file that is loaded at boot time or whenever the schema requires changing. In contrast, the Active Directory schema is self-referential. That is to say, all class definitions, attribute definitions, and schema rules are part of the schema itself. An appropriate title for an Active Directory schema self-help book would be "Everything I Need to Know I Learned from Myself."

The Active Directory schema contains two schema object classes, ClassSchema and AttributeSchema. Objects derived from these classes act like patterns in a lathe to turn out other objects. The schema objects are stored in the directory in the cn=schema,cn=configuration,dc=<domain_name>,dc=<domain_root> container.

In addition to the ClassSchema and AttributeSchema classes, the Schema container holds a class called SubSchema with one instance, an object called Aggregate. The distinguished name of this object is cn=aggregate,cn=schema,cn=configuration,dc=company,dc=com. The purpose of Aggregate is to provide a single point for LDAP clients to discover information about the Active Directory schema. Without this object, clients would be forced to perform expensive scans of the entire Schema container.

Identifying Objects

We've completed the overview of the schema structure, function, and rules. Before moving forward, let's look at how Active Directory uniquely identifies objects. This information is crucial to understanding the more advanced Active Directory tools.
Here is a brief attribute listing for a sample User object made using the LDIFDE utility. The unique identifiers are highlighted:

C:\>ldifde -d cn=bgates,cn=users,dc=dotnet,dc=com -f con
Connecting to DC01.Company.com
Logging in as current user using SSPI
Exporting directory to file con
Searching for entries...
Writing out entries.
dn: CN=bgates,CN=Users,DC=dotnet,DC=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: user
cn: bgates
distinguishedname: CN=bgates,CN=Users,DC=dotnet,DC=com
instancetype: 4
whencreated: Z
whenchanged: Z
usncreated:
usnchanged:
name: bgates
objectguid:: 7swJ8PXwqkWu8N2Qv+jQ+Q==
useraccountcontrol: 512
badpwdcount: 0
codepage: 0
countrycode: 0
badpasswordtime: 0
lastlogoff: 0
lastlogon: 0
pwdlastset:
primarygroupid: 513
objectsid:: AQUAAAAAAAUVAAAAdbl1VBUlr0cWwOoyVQQAAA==
accountexpires: 0
logoncount: 0
samaccountname: bgates
userprincipalname: [email protected]
samaccounttype:
objectcategory: CN=Person,CN=Schema,CN=Configuration,DC=dotnet,DC=com

Distinguished Name

Because LDAP uses an object-oriented database, it is important that each object has a unique path in the namespace, similar to the way that a filename and path must be unique in a file system. The Distinguished Name (DN) attribute of an object defines the LDAP path all the way to the root of the namespace; therefore, the DN must be unique. If you move an object to a different container in Active Directory, in reality, you are simply changing the DN.

Globally Unique Identifier (GUID)

In classic Exchange, Microsoft used the DN as the unique database row identifier for objects in the directory service store. This unfortunate engineering decision created a configuration problem for Exchange. When an object is moved, its DN changes, but a unique row identifier in a database cannot ever change. For this reason, in Exchange 5.5 and earlier, mailbox recipients cannot be moved but must be freshly created and then linked to a User account in the SAM.

To avoid that problem in Active Directory, Microsoft used a different unique row identifier called the Globally Unique Identifier, or GUID. A GUID is created using an algorithm that virtually guarantees its uniqueness within a system. Using a GUID permits you to move objects at will between containers in Active Directory without changing the unique row numbers for the objects, thereby maintaining internal referential integrity in the database.
Keep this behavior in mind, because you'll see it at work when we discuss the role of the Infrastructure Master in keeping track of group members from other domains.
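The objectGUID and objectSid values in the LDIFDE listing above are base64-encoded binary, which is why LDIF writes them with a double colon. The following Python, added here and not part of the book, decodes both from the listing (the GUID in its little-endian on-disk layout, the SID into its S-1-5-... text form) and splits the SID into the domain SID and RID that the Security Identifier section below describes.

```python
"""Decode the objectGUID and objectSid attributes exported by LDIFDE."""
import base64
import struct
import uuid

# Values copied from the bgates listing on the page.
OBJECT_GUID_B64 = "7swJ8PXwqkWu8N2Qv+jQ+Q=="
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAdbl1VBUlr0cWwOoyVQQAAA=="


def decode_guid(b64):
    """Return the GUID as text.  LDIF carries the 16 raw bytes in the
    Windows layout: the first three fields little-endian, the rest in
    byte order, which is exactly what uuid's bytes_le expects."""
    raw = base64.b64decode(b64)
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def decode_sid(b64):
    """Return the SID in S-R-A-S1-S2-... form.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then `count` 32-bit
    little-endian sub-authorities.  The length check rejects a value
    whose count byte does not match the bytes actually present.
    """
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("SID header truncated")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def split_sid(sid):
    """Split a domain principal's SID into (domain SID, RID): the RID is
    the last sub-authority, everything before it identifies the domain."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a domain SID: %s" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def rid_is_admin_created(rid):
    """RIDs below 1000 are reserved for built-in principals such as the
    Administrator account (500) or Domain Users (513, the primaryGroupID
    in the listing); administrator-created principals start at 1000."""
    return rid >= 1000


if __name__ == "__main__":
    print("objectGUID:", decode_guid(OBJECT_GUID_B64))
    sid = decode_sid(OBJECT_SID_B64)
    domain_sid, rid = split_sid(sid)
    print("objectSid :", sid)
    print("domain SID:", domain_sid, "RID:", rid,
          "(administrator-created)" if rid_is_admin_created(rid) else "(built-in)")
```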
Other Uses for GUIDs
Microsoft uses the GUID algorithm in a variety of different circumstances. You will see them in designators used to identify COM objects and OLE registrations. Group policies use the GUID algorithm to create a unique folder name for each policy. The operating system identifies hardware using GUIDs during Plug-and-Play enumeration. GUIDs also go by the names Universally Unique Identifier (UUID) and Class ID (CLSID).

Security Identifier (SID)

Three classes of Active Directory objects can be placed on the access control lists (ACLs) used to protect security objects. These object classes are User, Computer, and Group. Together, they are termed security principals.

A security principal is assigned a unique number called a Security Identifier, or SID. This is exactly the same SID used by NT to identify users, groups, and computers. A SID for a security principal is made up of the SID of the security principal's domain and a unique suffix, called a Relative ID, or RID. The series of RIDs for security principals that can be created by an administrator starts at decimal 1000. For example, the first User account created following the creation of a domain would be given RID 1000. The next object, call it a group, would be RID 1001, and so forth.

The combination of a domain SID and a RID forms a unique number within a domain and within a forest. The pool of RIDs is maintained by a specially designated Windows Server 2003 domain controller called a RID Master.

SAM Account Name

In an NT domain, every object in the SAM must have a unique name. This is true for computers, users, and groups. A unique name guarantees that the object will have a unique NetBIOS presence in the network as well as a one-to-one correspondence between the logon name (in the case of users and computers) and the SID used to control resource access.
The same restriction is left in place in Windows 2000 and Windows Server 2003. Every user, computer, and group in a domain must have a unique name. This attribute is called SAMAccountName, although you might hear it called the logon name or flat name. When you create a new security principal, regardless of the container where you place the object, it must have a unique flat name in the domain.

User Principal Name (UPN) and Service Principal Name (SPN)

Just as unique flat names identify security principals in NetBIOS, User Principal Names (UPNs) identify security principals within the hierarchical LDAP namespace in Active Directory. A UPN takes the form [email protected]. Unique UPNs ensure that users can log on with their UPN rather than the classic domain\username construct. The Global Catalog is used to crack the UPN into its constituent parts.
To assure uniqueness, when a security principal is created, the system refers to the Global Catalog to verify that the UPN has not already been used. If a GC server is not available, the system displays an error message prompting the administrator to wait until a GC is available so that uniqueness can be verified.

In a Parent/Child trust configuration, the UPN suffix of the root domain is assigned to every security principal. In a Tree Root trust configuration, you must manually assign a common UPN suffix. This is done using the Properties window of the domain tree in the AD Domains and Trusts console.

Object Identifier (OID)

In addition to the attributes that assure uniqueness of a particular object, Active Directory needs a way to assure that objects of the same class all come from the same Schema object. This is done by assigning a unique Object Identifier (OID) to each object in the Schema naming context.

ISO defines the structure and distribution of OIDs in ISO/IEC 8824:1990, "Information Technology Open Systems Interconnection Specification of Abstract Syntax Notation One (ASN.1)." ASN.1 provides a mechanism for standards bodies in various countries to enumerate standard data items so that they do not conflict with one another.

ASN.1 governs more than just directory services classes and attributes. For example, OIDs are used extensively in SNMP to build hierarchies of Management Information Base (MIB) numbers. They are also assigned to many items associated with the Internet. If you're interested in the list of organizations that assign OID numbers and their hierarchy, it is available at ftp.isi.edu/in-notes/iana/assignments/enterprise-numbers.
If you ever eed to create a ew attribute or object class i Active Directory, you must have a uique OID.There are a couple of ways to get oe.the first is to apply to ANSI for your ow umerical series.this costs a few thousad dollars ad takes a while to process.the other is to use the OIDGEN utility from the Resource Kit.This will geerate a Class ad a Attribute OID out of Microsoft s address space.the disadvatage to usig OIDGEN is that the resultat umber is very, very, very log. Here is a example: C:\>oidge Attribute Base OID: Class Base OID: Fidig OID Hierarchy Iformatio May thaks to Harald Alvestrad, who made good use of a log witer i Trodheim, Norway, to build a hyperliked tree showig may of the commo OID registratios. His iformatio is ow slightly out of date but the structure is still valid ad very istructive. Visit his web site at
Active Directory Support Files

The ESE engine used by Active Directory is based on Microsoft's Jet database technology. Jet uses a b-tree file structure with transaction logs to ensure recoverability in the event of a system or drive failure. When you promote a server to a domain controller, you select where to put the Active Directory files. The default path is in the boot partition under \Windows\NTDS. Generally, it is a good idea to put them on a separate volume from the operating system files to improve performance. The following list contains the Active Directory support files and their functions:

Ntds.dit. This is the main AD database. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.

Edb.log. This is a transaction log. Any changes made to objects in Active Directory are first saved to a transaction log. During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory to improve performance. Transaction log files used by the ESE engine are always 10MB.

Edbxxxxx.log. These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts over again. ESENT uses circular logging. Excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.

Edb.chk. This is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.

Res1.log and Res2.log. These are reserve log files. If the hard drive fills to capacity just as the system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted. You should never let a volume containing Active Directory files get even close to being full. File fragmentation is a big performance thief, and fragmentation increases exponentially as free space diminishes. Also, you may run into problems as you run out of drive space with online database defragmentation (compaction). This can cause Active Directory to stop working if the indexes cannot be rebuilt.

Temp.edb. This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction.

Schema.ini. This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished.

Active Directory Utilities

We've now seen all the components in Active Directory. Over the next few chapters, we'll see how to use those components to build a reliable, useful structure. First, though, let's take a look at the tools of the trade for Active Directory. You get some of these tools when you promote Windows Server 2003 to a domain controller. Others come from the support tools on the Windows Server 2003 CD. Others require purchasing the Resource Kit. I'll identify the origin as I discuss the tools.

Standard Active Directory Management Consoles

Windows Server 2003 comes with three standard MMC-based consoles for viewing and managing Active Directory objects. MMC console files have a .msc extension. The management consoles can be differentiated by the naming context they are used to manage:

AD Users and Computers. This console is used to manage the contents of a Domain naming context. The console name is Dsa.msc.

AD Sites and Services. This console is used to manage the Sites and Services containers inside the Configuration naming context. The console filename is Dssite.msc.

AD Domains and Trusts. This console is used to manage the contents of the Partitions container inside the Configuration naming context. It uses the CrossRef objects in the Partitions container to identify domains in the forest in their assigned hierarchy. The console filename is Domain.msc.
These consoles can all be launched from the Start button at Windows Server 2003 using START | PROGRAMS | ADMINISTRATIVE TOOLS | <CONSOLE NAME>. You can also launch them by entering the name of the MMC console file, such as Dssite.msc, in a Run window or on the command line. Specific instructions for using these AD management consoles are contained in the remaining Active Directory chapters. The most important thing to note at this time, as you get familiar with them, is that virtually all functionality is available from a right-click of the mouse. Very few features require operations from the menu.

Virtual List Views

If you have experience with Windows 2000, you may notice a difference in the way Windows Server 2003 displays pick lists that are built as a result of LDAP searches. In Windows 2000, the results of the search were delivered to the client in increments of 1500 ordered sequentially as matches were found in the directory. This made pick lists difficult to manage because the items were not sorted. In Windows Server 2003, search results are fully collected and sorted at the server, then delivered in increments stipulated by the client. This means that pick lists are automatically sorted alphabetically, making it easier to locate a particular item.

Schema Console

Microsoft makes it fairly difficult to get access to the Schema naming context. It does not include a standard MMC console for managing the schema. You must create a custom console that contains the Schema snap-in. A snap-in is a Dynamic Link Library (DLL) that is loaded by the MMC executable. After you have associated one or more snap-ins with a console, you can save the console with a unique name that has a .msc extension. Before you can create a custom MMC console for schema management, you must have access to the Schema snap-in. This snap-in is part of the administrative tools but is not registered by default. This prevents casual monkeying around with the schema. To register the Schema snap-in, open a command console, navigate to C:\Windows\System32, and run regsvr32 schmmgmt.dll. After the Schema snap-in is registered, create a custom MMC console for it as directed in Procedure 6.1.

Procedure 6.1 Creating a Custom Schema Management Console

1. From the Run window, type mmc and click OK. This opens an empty MMC console.
2. From the CONSOLE menu, select FILE | ADD/REMOVE SNAP-IN. The Add/Remove Snap-in window opens.
3. Click Add. The Add Standalone Snap-in window opens.
4. Double-click Active Directory Schema and then click Close.
5. Click OK to save the change and return to the MMC window. The Active Directory Schema tree will appear under the Console Root folder.
6. Save the file with a name like Schema.msc. The system will put the file in your personal profile. Save it to the \Windows\System32 folder if you want other administrators to use it.
When you expand the Schema tree, you'll see the objects that make up the classes and attributes of the schema. You can double-click to see the properties for one of these objects. Figure 6.16 shows an example of the properties for the SamAccountName attribute, which holds a user's logon name. There is a list of options that affect how this attribute will be used in Active Directory:

Allow This Attribute To Be Shown In Advanced View. Each AD console has an ADVANCED VIEW option. This prevents cluttering the interface with options that are only used occasionally. (It also confounds administrators who are trying to perform an operation and don't know that the option is hidden in a normal view. This is called a feature.)

Figure 6.16 Properties window for the attributeSchema object used to create the SamAccountName attribute.

Attribute Is Active. Some attributes are not required for system operation and can be disabled to prevent them from getting values.

Index This Attribute In Active Directory. Like any database, performance improves when you search for indexed attributes. Indexing consumes disk space and processor time, though, and an attribute must be unique to make the index worthwhile. Only the most commonly searched attributes are selected for indexing.

Ambiguous Name Resolution (ANR). ANR permits searching for partial matches. An ANR search for a SamAccountName of gh would return ghaw, ghaskell, ghowell, and so forth. ANR searches put quite a strain on the database engine, so only nine attributes are selected to use it by default. If you design an application with an attribute that would benefit from ANR searching, you can use this option to add it to the ANR set.

Replicate This Attribute To The Global Catalog. This setting determines if an attribute should be included in the Global Catalog. Only commonly searched attributes are included to minimize GC size and replication load. In Windows 2000, adding or removing an attribute from the GC required a full GC rebuild and replication. This had the potential for creating significant traffic. Windows Server 2003 permits modifying the contents of the GC without forcing a full rebuild.

Attribute Is Copied When Duplicating A User. With this option selected, the value for the attribute would be carried over to a new User object with the Copy function. The SamAccountName must be unique in a domain, so this option is disabled for this attribute.

Index This Attribute For Containerized Searches In The Active Directory. The search routines provided in the LDAP API and with Microsoft ADSI permit searching a container rather than the entire directory. You can select this option to improve lookup times for container searches.

The schema can only be modified at one domain controller, the one designated as a Schema Operations Master. This ensures the integrity of the schema by preventing potentially conflicting changes from being made at two different domain controllers during the same replication interval. You can identify the Schema Operations Master by right-clicking Active Directory Schema and selecting OPERATIONS MASTER from the flyout menu. You do not need to be at the console of the Schema Operations Master server to view and modify the schema. You can put the focus of the Schema console on this server by right-clicking Active Directory Schema and selecting CHANGE DOMAIN CONTROLLER.

Search Flags

Several of the attribute property options listed in the Schema Manager control a value called SearchFlags. This value controls the following actions (values are additive):

1 = Index this attribute
2 = Index this attribute and its container
4 = Add to ANR set (must have indexing set)
8 = Keep the attribute when deleting the object and creating a tombstone
16 = Copy the attribute's value when creating a new copy of an object

Of these settings, only number 8 cannot be controlled from the Schema Manager snap-in. You can use the ADSI Edit console (covered in the next section) to change the value.
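The additive SearchFlags values above, worked as a decoder and encoder that also maps a value back onto the Schema console check boxes (an added example, not from the book; the flag names are my own labels and the value 13 used in the tests is a constructed combination):

```python
# Added example (not from the book): decode and compose the additive SearchFlags
# value described above. Only the five bits the chapter lists are modelled; any
# other bit is reported as unknown rather than guessed at. Flag names are my own.
SEARCH_FLAG_BITS = {
    1: "index",               # Index this attribute
    2: "container_index",     # Index this attribute and its container
    4: "anr",                 # Add to ANR set (must have indexing set)
    8: "preserve_on_delete",  # Keep the attribute on the tombstone
    16: "copy_on_duplicate",  # Copy the value when duplicating an object
}
BIT_BY_NAME = {name: bit for bit, name in SEARCH_FLAG_BITS.items()}

# Check boxes in the Schema console that correspond to a bit. Bit 8 has no
# check box; the text says it has to be changed with ADSI Edit instead.
CONSOLE_CHECKBOX = {
    "index": "Index this attribute in the Active Directory",
    "container_index": "Index this attribute for containerized searches",
    "anr": "Ambiguous Name Resolution (ANR)",
    "copy_on_duplicate": "Attribute is copied when duplicating a user",
}


def decode_search_flags(value):
    """Split an integer SearchFlags into (known flag names, unknown bit values)."""
    if value < 0:
        raise ValueError("SearchFlags is an unsigned bit field")
    names, unknown = [], []
    bit = 1
    while bit <= value:
        if value & bit:
            if bit in SEARCH_FLAG_BITS:
                names.append(SEARCH_FLAG_BITS[bit])
            else:
                unknown.append(bit)
        bit <<= 1
    return names, unknown


def is_valid_search_flags(value):
    """False when ANR (4) is set without the index bit (1) it depends on."""
    names, _ = decode_search_flags(value)
    return not ("anr" in names and "index" not in names)


def encode_search_flags(names):
    """Combine flag names into a SearchFlags value, refusing ANR without index."""
    value = 0
    for name in names:
        if name not in BIT_BY_NAME:
            raise ValueError("unknown search flag %r" % name)
        value |= BIT_BY_NAME[name]
    if not is_valid_search_flags(value):
        raise ValueError("ANR (4) is only valid together with index (1)")
    return value


def console_view(value):
    """Return (check box label -> checked?, flags the console cannot show)."""
    names, _ = decode_search_flags(value)
    boxes = {label: (flag in names) for flag, label in CONSOLE_CHECKBOX.items()}
    hidden = [name for name in names if name not in CONSOLE_CHECKBOX]
    return boxes, hidden


def set_preserve_on_delete(value, keep=True):
    """Flip bit 8 the way ADSI Edit would, leaving every other bit untouched."""
    bit = BIT_BY_NAME["preserve_on_delete"]
    return value | bit if keep else value & ~bit
```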
Registry Requirements for Schema Modifications

Windows 2000 had a security measure that required a special Schema Update Allowed parameter in the Registry of the machine where you ran the Schema console. This requirement has been removed in Windows Server 2003. You must be a member of the Schema Admins group to modify any part of the schema. By default, the Administrator account is a member of this group. The Schema Admins group has a set of special permissions for the Schema container. These include the following:

Change Schema Master
Manage Replication Topology
Replicating Directory Changes
Replication Synchronization
Update Schema Cache

You should not make changes to the schema unless you are very familiar with its structure and what you want to accomplish. New schema objects cannot be deleted. Changes to existing objects can cause problems that could force reinstalling Active Directory from scratch or recovering from a backup tape.

General-Purpose Active Directory Tools

The standard AD management consoles provide a feature-rich interface for accessing and modifying Active Directory objects and attributes. They also hide a lot of the gears and pulleys that go together to make Active Directory work. We're now going to take a look at a few tools that take us behind the glitzy façade of those fancy AD management consoles. We're going to see the real world that underlies Active Directory. If you've ever seen The Matrix, you have an idea of what we're in for. I have just one question before we start: Do you want to take the red pill or the blue pill?

ADSI Edit

The first set of general-purpose tools we'll look at come in the suite of Support Tools on the Windows Server 2003 CD. Install the support tools by double-clicking the \Support\Tools\2000RKST.MSI icon and walking through the installation wizard. After the tools are installed, open a Run window and enter adsiedit.msc. This is the console filename for the ADSI Editor. When the ADSI Edit console opens, you see icons representing the three standard naming contexts for a domain controller: Domain NC, Configuration Container, and Schema. (It cannot display the Application naming contexts.) See Figure 6.17 for an example.

Figure 6.17 ADSI Edit console showing the three standard naming contexts for a domain controller.

Selecting Alternative Domain Controllers for ADSI Edit

If you do not see any naming contexts when you open ADSI Edit, or you want to view a naming context on another domain controller, proceed as follows:

1. Right-click the ADSI Edit icon and select CONNECT TO from the flyout menu. The Connection window opens.
2. Under Computer, select the Select or Type a Domain or Server radio button.
3. In the combo box, type the fully qualified DNS name of a domain controller. When you make this entry, the Path entry automatically changes.
4. Click Advanced. The Advanced window opens (see Figure 6.18). The options in this window are used as follows:

Credentials. If you are connecting to Active Directory in another domain, or you are currently logged on using an account that does not have administrator privileges, you can specify a set of administrator credentials.

Port Number. If this field is left blank, ADSI Editor uses well-known TCP port 389 for LDAP. You can specify a different port if you are browsing a nonstandard implementation. You could also use this option to browse the Global Catalog through TCP port 3268, but it is more convenient to use the Protocol feature.

Protocol. Select whether you want to browse Active Directory (port 389) or the Global Catalog (port 3268).
Figure 6.18 ADSI Editor Advanced window showing alternative credentials, specific port number, and protocol selection.

5. Click OK to save the changes and return to the Connections window.
6. Click OK to save the changes and return to the main ADSI Edit console. The display refreshes to show the new settings, if you made any changes.

Using ADSI Edit to View and Modify AD Objects

Use the steps in Procedure 6.2 to view and modify information about Active Directory objects.

Procedure 6.2 Using the ADSI Editor to View AD Objects

1. Expand the tree to show the top of the naming context you want to view. You can open several Domain naming contexts from several domain controllers at the same time, making ADSI Edit a handy way to view a big enterprise.
2. You can view the attributes associated with any object in any naming context. For example, expand the Domain NC tree to show the list of objects under cn=users and then right-click cn=administrator and select PROPERTIES from the flyout menu. The Properties window opens (see Figure 6.19).

Figure 6.19 Properties for distinguished name cn=administrator,cn=users,dc=company,dc=com.

3. The Show Mandatory Attributes and Show Optional Attributes options are checked by default. Select the Show Only Attributes That Have Values option to eliminate extraneous information in the window.
4. Scroll down through the window to view the various attributes and their values.
5. To change a value, double-click it. ADSI Edit will select the appropriate low-level editor to modify the attribute.

Think of ADSI Edit as a kind of super Regedit for Active Directory. All the same caveats apply. You can turn a perfectly tuned domain into sad, twisted carnage with a few mouse clicks. You can also perform miraculous surgery that solves seemingly intractable problems.

LDAP Browser

ADSI Edit is built from the ground up as a tool to manage Active Directory naming contexts. The Support Tools also include a generic LDAP tool that is capable of accessing any RFC-compliant LDAP directory service. This tool is a true executable, not an MMC snap-in. It is called the LDAP Browser, or Ldp.exe.
LDP is a little less convenient to use than ADSI Edit, and it requires you to know a little more about how to use LDAP. But it's well worth the effort to learn. LDP provides a lot more information with a single mouse click than ADSI Edit. Also, some LDAP operations are hidden by ADSI Editor but exposed by LDP.

Installing LDP

When you use LDP, you must walk through a few steps to bind (authenticate) and set up to view the directory tree. Procedure 6.3 demonstrates how it works.

Procedure 6.3 Binding with LDP

1. At a client in a domain, open the Run window and enter LDP. This opens the LDP window.
2. Select CONNECTION | BIND to open the Bind window.
3. Enter administrator credentials in the domain or forest.
4. Click OK. The attributes associated with the RootDSE object appear in the right pane. These attributes show the structure and content of the directory on the server. (LDP will bind to your logon server. You can use the Connect option to select another server.)
5. From the menu, select VIEW | TREE. This opens the Tree View window.
6. Under BaseDN, enter the distinguished name of the container you want to browse. For example, you can enter dc=company,dc=com to start at the top of the Domain naming context for the Company domain. You can also specify a container lower in Active Directory. For example, you could select the Users container by entering cn=users,dc=company,dc=com. The interface is not case sensitive.
7. Click OK. The left pane of the window now shows the root of the container you entered. Click the + sign or double-click the name to expand the tree. This generates an LDAP query that enumerates the child objects in the container, which are listed in the tree in the left pane. It also generates a query for the attributes associated with the domain object. These are listed in the right pane (see Figure 6.20).

Searching for a Specific Attribute

LDP is also a convenient place to search the directory for specific instances of an attribute (see Procedure 6.4).

Figure 6.20 LDP window showing tree view of Company.com domain.

Procedure 6.4 Searching with LDP

1. Select BROWSE | SEARCH from the main menu to open a search window.
2. In Base DN, enter the distinguished name of the container you want to search. You can enter the DN of the root domain of a tree if you want to search the entire tree, but this might take a while if you have a large enterprise with several child domains.
3. In Filter, enter the search criteria. The syntax is a little tricky. LDAP expects to see Boolean operators such as & (AND) and | (OR) at the beginning of the search string. For example, if you want to find all Users who are in the Finance department, you would enter (&(objectclass=user)(department=finance)). The entry is not case sensitive.
4. If you want to search just the object you entered the DN for, select Base. If you want to search the base object and any objects directly under it, select One Level. If you want to search all containers under the base container, select Subtree. LDP cannot search an entire forest. You must select a base DN at the root of each tree in the forest and run the search multiple times.

LDP Search Wildcards

LDP only accepts wildcards at the middle and end of a filter option. You can search for department=fin* or for department=fi*ce but not for department=*ance.
You can do many fancy tricks with LDP. You can get a quick view of the security descriptor for an object. You can view the replication metadata associated with all the properties of an object (something we'll cover in more detail in Chapter 7, "Managing Active Directory Replication"). It's well worth your time to learn the ins and outs of LDP. You'll also learn a lot about LDAP and Active Directory at the same time. You'll be glad you took the red pill.

DCDIAG

This tool comes in the Resource Kit. It is an invaluable diagnostic utility for examining and troubleshooting a variety of Active Directory operations. You'll find that these tests give great information about the current state of your Active Directory domains, trusts, and replication status. Enter dcdiag /? to get a list of the tests that are performed. Every element of Active Directory operation is tested. This utility is highly recommended.

DS Tools

Windows Server 2003 expands the number of command-line tools available for administering Active Directory with a set of DS tools. Here is a list:

Dsadd. Creates an object of a specified class. A wide variety of attributes can be given values at the same time. For example, here are the attributes for dsadd user:

dsadd user <UserDN> [-samid <SAMName>] [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd {<Password> | *}] [-desc <Description>] [-memberof <Group ...>] [-office <Office>] [-tel <Phone#>] [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>] [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>] [-hmdrv <DriveLtr:>] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Dsmod. Modifies selected attributes of an existing object.

Dsrm. Removes an object or container. Use caution. You can accidentally remove an entire branch of the tree and force yourself into a tape restore to recover.

Dsmove. Moves an object to a new container. The container must be in the same naming context.

Dsquery. Finds objects that match specified search criteria.

Dsget. Views selected properties from a specified object.
Bulk Imports and Exports

You may find yourself in a situation where you want to dump information out of Active Directory into a flat file for searching. Or you may need to create large numbers of objects and you want to simplify your work by importing information from a flat file. A standard Windows domain controller has a couple of utilities that help with this kind of bulk object processing. First, we need to take a look at the format for exchanging LDAP information.

LDAP Data Interchange Format (LDIF)

RFC 2849, "The LDAP Data Interchange Format (LDIF) Technical Specification," defines a standard structure for exchanging LDAP information. The following example shows the LDIF format for the attributes of the Administrator account in the Company.com domain:

dn: CN=Administrator,CN=Users,DC=company,DC=com
memberof: CN=Group Policy Admins,CN=Users,DC=company,DC=com
memberof: CN=Enterprise Admins,CN=Users,DC=company,DC=com
memberof: CN=Schema Admins,CN=Users,DC=company,DC=com
memberof: CN=Administrators,CN=Builtin,DC=company,DC=com
memberof: CN=Domain Admins,CN=Users,DC=company,DC=com
accountexpires:
admincount: 1
badpasswordtime:
badpwdcount: 0
codepage: 0
cn: Administrator
countrycode: 0
description: Built-in account for administering the computer/domain
iscriticalsystemobject: TRUE
lastlogoff: 0
lastlogon:
logoncount: 109
distinguishedname: CN=Administrator,CN=Users,DC=company,DC=com
objectcategory: CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com
objectclass: user
objectguid:: glgtb/ju0hgckadat1nqtq==
objectsid:: AQUAAAAAAAUVAAAAoF4uDLI/DAf7Cwg9AEAAA==
primarygroupid: 513
pwdlastset:
name: Administrator
samaccountname: Administrator
samaccounttype:
useraccountcontrol:
usnchanged: 1532
usncreated: 1410
whenchanged: Z
whencreated: Z

There are a few items of note with this example:

LDIF files use simple ASCII characters. If you have high-order Unicode values in some of the attributes, they might not survive the translation.

Long integers that represent time and dates will be represented in decimal format and, as such, will not survive reimport. These items are discarded and created afresh when an entry is imported and a new object created.

Octet strings are converted to Base64 format. This is indicated by a double colon after the attribute name. ObjectGUID is an example. These values withstand a reimport. For the most part, though, this syntax is used for values that are unique for an object, so the imported values would be ignored.

The attributes conform to the Active Directory schema for the forest where they were obtained. Attempting to import these values into a foreign directory service can result in compatibility issues. At the very least, you'll need to change the distinguished names, because it is unlikely that the foreign directory service would use the same namespace.

The LDIF standard includes several command verbs that are used to determine what to do with a particular record. These verbs permit adding, modifying, replacing, or deleting an entire object or individual attributes of an object. They also permit modifying the directory schema. Active Directory permits LDIF to add and modify object classes and attributes, but it does not permit them to be deleted. After a class or attribute has been added to the schema, it's there to stay.

LDIF and Active Directory Schema Upgrades

Lest you think that LDIF is one of those obscure programmer toys that reasonable system administrators should avoid like it was oozing with plague, consider this: When you upgrade the first Windows 2000 domain controller in a domain to Windows Server 2003, new objects are added and old objects modified to support changes in the new operating system version. In addition, the Active Directory schema must be modified to support the new features in Windows Server 2003. How does Microsoft install these schema updates? With LDIF files, that's how. Check the Windows Server 2003 CD in the \I386 folder. Look for a series of files with an LDF extension. These contain the LDIF entries that modify Active Directory contents and the schema. The CD includes an uncompressed executable called Schupgr.exe. This executable loads the changes from the LDF files into Active Directory. One last feature of this upgrade method is important to note. The last step in each LDF file modifies an attribute of the Schema container called ObjectVersion. This is how Windows keeps track of the LDF files applied by Windows updates. Installing Windows Server 2003 upgrades the schema to version number 30. Installing Exchange also modifies the schema but does not change the schema version number.

LDIFDE

A Windows domain controller comes with a command-line tool for importing and exporting LDIF files, LDIFDE. Run ldifde with no switches to get a list of parameters.
LDIFDE simplifies importing and exporting large numbers of records to and from Active Directory, but it also comes in handy for making quick checks of directory entries without opening up a pesky MMC snap-in. Use the -f con switch to direct the output to the console. For example:

To know the group membership of a user, use ldifde -d cn=username,cn=users,dc=company,dc=com -f con.

To check the entries in a trusted domain, use ldifde -s alb-dc-01.office.company.com -d dc=office,dc=company,dc=com -f con.

To find all the printers in an organizational unit, use ldifde -d ou=phoenix,dc=company,dc=com -r (objectclass=printQueue) -f con.

You can use LDIFDE to dump a file of information about a user and then modify the settings and the username and import that file as a new user. To do this, use the -m option to remove the SAM-specific information from the dump file. You can also use LDIFDE to modify attributes of existing objects, but you need to know a little trick. After you've created an LDIF file consisting of entries you want to modify, you must put a dash on the first blank line at the end of the entries and then a blank line after that. Here's an example showing how to change the Description attribute for a user named Avguser:

dn: CN=avguser,OU=Phoenix,DC=company,DC=com
changetype: modify
replace: Description
Description: Wazula
-

Without that dash, you'll get an error similar to the following:

Failed on line 4. The last token starts with W. The change-modify entry is missing the terminator -.

CSVDE

Working with the LDIF format can get a little tedious because it sorts attributes vertically rather than horizontally. If you prefer a more standard spreadsheet layout, use the CSVDE utility. The switches for CSVDE are the same as for LDIFDE. Here's an example of using CSVDE.
Let's say you are the administrator for a school district and you want to add 5000 new students into Active Directory. Your student list may be in a mainframe or AS400 application, a UNIX application of one form or another, or a SQL database. You can write a little JCL (Job Control Language) routine or do a quick SQL query to output the student list to a delimited file. Import the delimited file into a spreadsheet and massage it until you get the required data for Active Directory. (Do a csvde -f output.ldf to see the column headings and data types.) Then use csvde -i to import the spreadsheet contents into Active Directory.
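The LDIF layout shown in the dump in the LDIF section and the modify-record terminator that the LDIFDE section describes, worked as a small reader and writer (an added example; it is neither the book's code nor how ldifde is implemented, and the sample records are constructed):

```python
# Added example (not from the book, and not how ldifde is implemented): an RFC
# 2849 reader and writer for what this chapter shows: multi-valued attributes,
# the '::' Base64 marker, folded lines, and 'changetype: modify' records, which
# are rejected without the '-' terminator just as ldifde rejects them.
import base64
import re

class LdifError(ValueError): """Malformed LDIF, e.g. a modify block without its '-' line."""

def _unfold(block):
    """Join continuation lines (leading single space) and drop '#' comments."""
    lines = []
    for raw in block.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def _attr(line):
    """Split 'name: value' (or 'name:: base64', decoded to bytes) into a pair."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise LdifError("not an attribute line: %r" % line)
    if rest.startswith(":"):  # '::' marks an octet string such as objectGUID
        return name.strip().lower(), base64.b64decode(rest[1:].strip())
    return name.strip().lower(), rest.strip()

def _parse_modify(dn, lines):
    """Parse the change blocks of a modify record: op line, values, then '-'."""
    changes, i = [], 0
    while i < len(lines):
        op, attr = _attr(lines[i])
        if op not in ("add", "replace", "delete"):
            raise LdifError("expected add/replace/delete, got %r" % lines[i])
        values, i = [], i + 1
        while i < len(lines) and lines[i] != "-":
            values.append(_attr(lines[i])[1])
            i += 1
        if i == len(lines):  # record ended before the '-': the ldifde failure
            raise LdifError("The change-modify entry is missing the terminator -")
        changes.append((op, attr, values))
        i += 1  # step over the '-'
    return {"dn": dn, "changetype": "modify", "changes": changes}

def parse_ldif(text):
    """Parse LDIF text into a list of records; blank lines separate records."""
    records = []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        lines = _unfold(block)
        if not lines:
            continue
        name, dn = _attr(lines[0])
        if name != "dn":
            raise LdifError("record must start with dn:, got %r" % lines[0])
        body, ctype = lines[1:], "add"
        if body and body[0].lower().startswith("changetype:"):
            ctype, body = _attr(body[0])[1].lower(), body[1:]
        if ctype == "modify":
            records.append(_parse_modify(dn, body))
            continue
        attrs = {}
        for line in body:
            name, value = _attr(line)
            attrs.setdefault(name, []).append(value)  # memberOf is multi-valued
        records.append({"dn": dn, "changetype": ctype, "attrs": attrs})
    return records

def modify_record(dn, op, attr, values=()):
    """Emit one modify record, including the '-' terminator ldifde insists on."""
    out = ["dn: " + dn, "changetype: modify", "%s: %s" % (op, attr)]
    out += ["%s: %s" % (attr, v) for v in values]
    return "\n".join(out + ["-"]) + "\n\n"

def import_errors(text):
    """Return the parse error ldifde-style, or None when the file is clean."""
    try:
        parse_ldif(text)
    except LdifError as exc:
        return str(exc)
    return None

# Constructed sample (not a real export): a trimmed content record with a folded
# description and a fake objectGUID, then the Description change from the text.
SAMPLE = """\
dn: CN=Administrator,CN=Users,DC=company,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=company,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=company,DC=com
description: Built-in account for administering
  the computer/domain
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
sAMAccountName: Administrator

dn: CN=avguser,OU=Phoenix,DC=company,DC=com
changetype: modify
replace: Description
Description: Wazula
-
"""
SAMPLE_NO_DASH = SAMPLE.rsplit("-\n", 1)[0]  # the same change without the dash
```

Running import_errors(SAMPLE_NO_DASH) reproduces the "missing the terminator -" failure from the text, while the dump with the dash parses into one content record and one modify record.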
Reimporting LDIF Dumps

If you do an LDIFDE or CSVDE export, many of the attributes for user and group objects are owned by the system and cannot be reimported. Here's a trick. Run the export with the -m switch. This enables SAM Logic, which is another way of saying that the export skips the attributes that are owned by the system. This gives you a template to use when building your import files or spreadsheets.

Other LDAP Tools

Because Active Directory is an RFC-compliant implementation of LDAP, you can use virtually any LDAP tool for browsing objects and collecting information. Here are a few sources of LDAP tools and related information:

OpenLDAP. If you are an open source kind of person, you should take a look at the latest wares from that community. These toolkits are not for the fainthearted, and there are no compiled packages to play with, but it's worth a peek if you want to build your own administration tools to replace those clumsy MMC snap-ins.

Novell. NetWare 5 boogies on IP and so does NDS. Novell is putting lots of calories into doing the Internet thing right. Also take a look at developer.novell.com for LDAP and X.500 tools that might be useful in a mixed network.

Moving Forward

This chapter covered the structure and operation of Active Directory. The next five chapters describe how to design, deploy, and manage Active Directory-based domains, how to manage replication between domain controllers, and how to repair and recover Active Directory in the event of a problem.