Windows Server 2003 Active Directory: Perspective

N/A
N/A
Protected

Academic year: 2021

Share "Windows Server 2003 Active Directory: Perspective"

Copied!
7
0
0

Loading.... (view fulltext now)

Full text

(1)

Richardson

Summary

The Windows Server 2003 Active Directory lies at the core of the Windows Server 2003 network infrastructure, providing authentication and authorization services, central administration and information sharing.

Table of Contents

• Technology Basics
• Technology Analysis
• Business Use
• Benefits and Risks
• Standards
• Technology Leaders
• Technology Alternatives
• Insight

List of Tables

• Table 1: Windows Server 2003 Active Directory Standards Support

Technology Basics

Active Directory (AD) is the directory service in the Standard, Enterprise and Datacenter versions of the Windows Server 2003 family. (While Windows Web Server 2003 can participate in a directory service, it cannot operate one.) AD gives Windows administrators the ability to centrally organize, manage and control access to all network resources, including desktops and applications, as well as to monitor and manage network devices. It not only stores information about network resources but also provides a consistent way to name, describe, locate, manage and secure this information as it applies to both users and applications.

Active Directory consists of both logical and physical components. Each must be taken into consideration when designing the network infrastructure. AD’s logical components organize network resources to match the organizational structure. AD’s physical components configure and control where and when data replication and login traffic can occur over the network.

Active Directory’s Logical Structure

The basic logical component in AD is the domain, defined by the administrator as a collection of computers that share a common directory database, security policies and security relationships. For example, an organization can set up a separate domain for each department or region.

Domains, in turn, can be partitioned into Organizational Units (OUs). An OU is a collection of users and computers that have been given certain administrative rights. Instead of having one person administer an entire domain, AD lets you delegate specific administrative tasks over organizational units. For example, under the domain headquarters you can create an OU named HR that contains all user accounts and computer objects for that department. Then, you can delegate the responsibility for maintaining passwords to someone in that department. If necessary, you can also delegate the authority to create, delete or manage user accounts or groups within the OU.

Multiple domains can be organized into trees. A tree is a hierarchical arrangement of domains that have the same Domain Name System (DNS) name. When a domain is added to an existing tree, the new domain becomes a child domain of the parent domain. The name of the child domain is combined with the DNS name of the parent to form the child’s DNS name.

Trees can be grouped into forests. A forest is a group of trees that do not share a common DNS name but do share a common configuration and schema—an attribute repository that allows attributes and object classes to be redefined separately from the AD objects. Every domain in a forest can share resources and administrative functions with the other trees in the forest. Every domain trusts every other domain in a forest. The forest is the security boundary—not the domain.

Trusts can be established between two forests to provide a one-way or two-way transitive trust relationship between every domain residing within each forest. For example, forest-to-forest trusts can be established between companies undergoing mergers or acquisitions, or between collaborative business extranets.

One- or two-way transitive and nontransitive trusts can be established between any non-Windows Kerberos v.5 realm and a Windows Server 2003 domain. Active Directory also supports one-way, nontransitive trusts for connections to Windows NT networks from an external organization.
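The naming and trust rules in the preceding paragraphs (child DNS names formed from the parent's, transitive trusts inside and between forests, nontransitive one-way trusts to Windows NT domains) can be checked mechanically. The following Python model is an added example written for this page, not code from the paper or from Microsoft; the forest, domain and realm names in it (contoso.com, fabrikam.com, partner.com, LEGACYNT) are constructed samples, and it deliberately stops at two forests because a forest trust does not chain on to a third forest.

```python
from collections import deque


class Forest:
    """One AD forest: trees of domains sharing a DNS name, linked by the two-way
    transitive parent/child and tree-root trusts the text describes.
    All domain names passed to this class are constructed samples."""

    def __init__(self, root_dns):
        self.root = root_dns
        self.parent = {root_dns: None}   # domain -> parent domain (None for a tree root)
        self.trusts = []                 # (trusting, trusted, transitive)

    def _two_way_transitive(self, a, b):
        self.trusts.append((a, b, True))
        self.trusts.append((b, a, True))

    def add_tree(self, tree_root_dns):
        """A new tree keeps its own DNS name; a tree-root trust joins it to the forest root."""
        self.parent[tree_root_dns] = None
        self._two_way_transitive(tree_root_dns, self.root)
        return tree_root_dns

    def add_child(self, parent_dns, label):
        """A child domain's DNS name is its label prefixed to the parent's DNS name."""
        if parent_dns not in self.parent:
            raise ValueError(f"{parent_dns} is not a domain of this forest")
        child = f"{label}.{parent_dns}"
        self.parent[child] = parent_dns
        self._two_way_transitive(child, parent_dns)
        return child


class TrustModel:
    """Directed trust graph; each edge (trusting -> trusted) carries a transitive flag."""

    def __init__(self):
        self.edges = {}  # trusting -> {trusted: transitive}

    def _add(self, trusting, trusted, transitive):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        self.edges.setdefault(trusted, {})

    def add_forest(self, forest):
        for trusting, trusted, transitive in forest.trusts:
            self._add(trusting, trusted, transitive)

    def add_forest_trust(self, forest_a, forest_b, two_way=True):
        """Forest trust: transitive, created between the forest root domains; through the
        intra-forest trusts it reaches every domain in both forests."""
        self._add(forest_a.root, forest_b.root, True)
        if two_way:
            self._add(forest_b.root, forest_a.root, True)

    def add_external_trust(self, trusting, trusted, transitive=False):
        """One-way trust to a domain outside the forest, e.g. a Windows NT domain
        (nontransitive) or a non-Windows Kerberos v5 realm (either kind)."""
        self._add(trusting, trusted, transitive)

    def trusts(self, trusting, trusted):
        """True if `trusting` accepts accounts authenticated by `trusted`."""
        if trusting == trusted or trusted in self.edges.get(trusting, {}):
            return True                      # a direct trust counts, transitive or not
        # Indirect trust must flow entirely over transitive trusts: a nontransitive
        # trust never extends beyond its two endpoints.
        seen, queue = {trusting}, deque([trusting])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.edges.get(current, {}).items():
                if not transitive or nxt in seen:
                    continue
                if nxt == trusted:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False


def build_sample():
    """Constructed sample: forest contoso.com with a child domain and a second tree,
    a two-way forest trust to partner.com, and a one-way nontransitive trust from
    hr.contoso.com to a Windows NT domain named LEGACYNT."""
    contoso = Forest("contoso.com")
    hr = contoso.add_child("contoso.com", "hr")        # -> hr.contoso.com
    contoso.add_tree("fabrikam.com")                   # second tree, different DNS name
    partner = Forest("partner.com")
    partner.add_child("partner.com", "eu")             # -> eu.partner.com
    model = TrustModel()
    model.add_forest(contoso)
    model.add_forest(partner)
    model.add_forest_trust(contoso, partner, two_way=True)
    model.add_external_trust(hr, "LEGACYNT", transitive=False)
    return model


if __name__ == "__main__":
    m = build_sample()
    for a, b in [("fabrikam.com", "hr.contoso.com"), ("eu.partner.com", "fabrikam.com"),
                 ("hr.contoso.com", "LEGACYNT"), ("contoso.com", "LEGACYNT"),
                 ("LEGACYNT", "hr.contoso.com")]:
        print(f"{a} trusts {b}: {m.trusts(a, b)}")
```

The walk from fabrikam.com to hr.contoso.com succeeds only because every hop is transitive, which is why the text calls the forest, not the domain, the security boundary; the walk from contoso.com to LEGACYNT fails because the external trust belongs to hr.contoso.com alone.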

Active Directory’s Physical Structure consists of these basic components: site, domain controller (DC) and Global Catalog Server (GCS).

A site is a high-speed subnet, or subnets, connected by a high-speed link. A domain controller is a Windows 2000 or Windows 2003 Server computer that stores a replica of the AD logical structure. Because AD’s logical and physical structures are independent of each other, a single site can have multiple domains, or there can be multiple sites in a single domain. The domain controllers manage the directory structure, including:

• Multimaster replication change management
• User logon management
• Authentication and directory searches

The Global Catalog Server is a separate Windows 2000 or Windows Server 2003 computer that stores a subset of the object attributes contained on a domain controller, including schema, configuration, a read/write copy of the local domain and partial replicas of the other domains in the forest.

Once a user has successfully logged on to a DC, the user’s universal group membership is obtained from the GCS and stored on the local DC cache. When the user logs into the DC again, the DC can check the cache to verify the user rather than contact the GCS. This reduces demand on slow or unreliable networks and maintains availability even if the GCS is down.

AD’s Group Policy features give administrators the ability to specify Group Policy settings for a site, domain or OU.

Multimaster Replication

Because AD is based on a multimaster replication model, changes to any AD object can be made to any domain controller in a network, and those changes will be automatically replicated to the rest of the domain controllers in the domain. The Knowledge Consistency Checker (KCC) calculates the best connections for replications to the domain controllers based on site knowledge. The following protocols are used for data replication:

• Remote procedure call (RPC)—Active Directory replication uses RPC over IP for replication within a site. Domain, schema, configuration and global catalog replication can take place over RPC.

• Simple Mail Transfer Protocol (SMTP)—SMTP supports schema configuration and global catalog replication. However, you cannot use SMTP to replicate the domain partition to domain controllers of the same domain. This is because some domain operations, such as Group Policy, require the support of the File Replication service (FRS), which does not yet support an asynchronous transport for replication. Only RPC can be used to replicate the domain partition.

Features Specific to Windows Server 2003 family

While Active Directory is operable on Windows 2000 servers and will work in mixed Windows 2000/2003/NT environments, to take advantage of all of its features, AD must be installed on a computer running Windows Server 2003. Features that work only with Windows Server 2003 include:

• Schema management
• Tools for creating cross-forest trusts
• Enhanced AD health monitoring
• Resultant Set of Policy (RSoP) tool for verifying policies in effect for any user or computer on a domain
• Setup Wizard
• Support for over 5,000 members in a group
• Ability to disable replication compression

Schema Management

The Windows Server 2003 AD database comes with 200 object types and over 1,000 attributes. By modifying the schema, users can extend this number, as well as deactivate some, but none can be deleted. Schema modifications must be based on standard X.500 naming conventions and cannot conflict with other modifications. Schema modifications are replicated to every domain controller in the forest; to prevent AD from becoming corrupted through schema object conflicts, schema modification must be managed in a structured manner.

AD Application Mode

For organizations that don’t require the full functionality of AD, Windows Server 2003 provides AD Application Mode (AD/AM) Server, a lightweight version of AD with a different schema that provides application directories without requiring the complex authentication services inherent in AD.

Upgrading to Windows Server 2003 AD

Active Directory can be installed at one of the following domain functional levels:

• Windows 2000 mixed—supports Windows NT 4.0, Windows 2000 and Windows Server 2003 family domain controllers
• Windows 2000 native—supports Windows 2000 and Windows Server 2003 family domain controllers
• Windows Server 2003, Interim—supports Windows NT 4.0 and Windows 2000 and Windows Server 2003 family domain controllers
• Windows Server 2003—supports Windows Server 2003 family domain controllers

While AD can be installed on Windows NT or Windows 2000 servers, users must upgrade to the Windows Server 2003 domain functional level to take advantage of Windows Server 2003-specific features, such as schema management, support for Kerberos Key Distribution Center (KDC) version numbers, domain rename, cross-forest trusts and the inetOrgPerson class. Windows Server 2003, Interim is used only for direct upgrades from Windows NT 4.0 to the Windows Server 2003 family, directly bypassing Windows 2000. Windows 2000 domain controllers will not function in a Windows Server 2003, Interim installation. Domain controllers running earlier operating systems cannot be introduced into a domain functional level that does not support them. Once you have raised the domain functional level, you cannot lower it.
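The functional-level rules above (each level admits only certain domain controller operating systems, a DC the level does not support cannot be introduced, and a level is raised but never lowered) are the kind of thing worth checking before a change window. The Python validator below is an added example written for this page, not code from the paper or a Microsoft tool. Its support table follows the paper's list, except that the Interim entry follows the paper's statement that Windows 2000 domain controllers will not function at that level; the rule that Interim is never a target of a raise (it is reached only by a direct upgrade from Windows NT 4.0) is this example's own reading of the text, and the domain controller names are constructed.

```python
# Domain controller operating systems each domain functional level accepts, from the
# text's list; the Interim entry follows the text's statement that Windows 2000
# domain controllers will not function in a Windows Server 2003, Interim installation.
LEVEL_SUPPORT = {
    "Windows 2000 mixed": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows 2000 native": {"Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 Interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}

# Permitted raises. Assumption of this example: Interim is reached only by a direct
# upgrade from Windows NT 4.0, so it is never the target of a raise; and, as the
# text says, a level is never lowered.
RAISE_PATHS = {
    "Windows 2000 mixed": {"Windows 2000 native", "Windows Server 2003"},
    "Windows 2000 native": {"Windows Server 2003"},
    "Windows Server 2003 Interim": {"Windows Server 2003"},
    "Windows Server 2003": set(),
}


class Domain:
    """Tracks a domain's functional level and its domain controllers (name -> OS)."""

    def __init__(self, level):
        if level not in LEVEL_SUPPORT:
            raise ValueError(f"unknown functional level {level!r}")
        self.level = level
        self.dcs = {}

    def add_dc(self, name, os_name):
        """A DC running an OS the current level does not support cannot be introduced."""
        if os_name not in LEVEL_SUPPORT[self.level]:
            return False
        self.dcs[name] = os_name
        return True

    def remove_dc(self, name):
        """Decommissioning a DC (for example an NT 4.0 BDC) ahead of a raise."""
        return self.dcs.pop(name, None) is not None

    def blockers(self, new_level):
        """Reasons a raise to new_level would fail; an empty list means it is safe."""
        if new_level not in LEVEL_SUPPORT:
            return [f"unknown functional level {new_level!r}"]
        reasons = []
        if new_level not in RAISE_PATHS[self.level]:
            reasons.append(f"no path from {self.level!r} to {new_level!r} "
                           "(levels are only raised, never lowered)")
        for name, os_name in sorted(self.dcs.items()):
            if os_name not in LEVEL_SUPPORT[new_level]:
                reasons.append(f"{name} runs {os_name}, unsupported at {new_level!r}")
        return reasons

    def raise_level(self, new_level):
        """Raise only when nothing blocks it; the change is one-way."""
        if self.blockers(new_level):
            return False
        self.level = new_level
        return True


def walkthrough():
    """Constructed scenario: a mixed-mode domain with an NT 4.0 BDC still in place.
    Returns (step description, outcome) pairs."""
    d = Domain("Windows 2000 mixed")
    d.add_dc("DC1", "Windows NT 4.0")
    d.add_dc("DC2", "Windows Server 2003")
    steps = [("raise to 2003 with NT BDC present", d.raise_level("Windows Server 2003"))]
    d.remove_dc("DC1")
    steps.append(("raise to 2003 after retiring the BDC", d.raise_level("Windows Server 2003")))
    steps.append(("add a Windows 2000 DC at the 2003 level", d.add_dc("DC3", "Windows 2000")))
    steps.append(("lower back to Windows 2000 native", d.raise_level("Windows 2000 native")))
    return steps


if __name__ == "__main__":
    for description, outcome in walkthrough():
        print(f"{description}: {'ok' if outcome else 'refused'}")
```

Running `blockers()` before `raise_level()` gives the change-control record the text asks for: the exact DCs that still have to be retired, and an explicit refusal for any attempt to lower the level afterwards.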

Active Directory Migration Tool (ADMT)

Technology Analysis

AD gives the organization a great deal of flexibility in setting up its network infrastructure. However, not all structural combinations will work with every organization. For example, AD allows multilevel nesting of organization units or groups, but when deployed to more than five levels, the resultant structure can lead to poor performance. Since domain setup involves translating job functions into AD access rights, failure to account for the political aspects of this process can result in significant delays in design and deployment. It takes time to analyze the present organizational structure before changing or adapting it to AD. A documented migration plan should be in place, followed by a pilot migration, before AD is placed into production.

DNS/WINS Compatibility Issues

Because AD uses DNS for name resolution while Windows NT domains use the Windows Internet Naming Service (WINS), an NT upgrade will involve setting up a DNS server on an existing or new server and installing an additional copy of Windows 2000/2003 to run DNS. In a Windows NT Server environment, a WINS server is used for name resolution and an Internet service provider’s (ISP’s) DNS server is used for Internet name resolution. Thus, a Windows NT client is usually configured with two IP addresses, one for WINS and one for DNS. When NT clients are migrated to an AD environment that uses DNS for name resolution, all references to WINS IP addresses must be removed, and all DNS IP addresses must be reconfigured to point to a local DNS server rather than the ISP’s Internet DNS server. For Windows clients to access the Internet, the local DNS server must be configured to forward unresolved requests to the ISP’s DNS server.
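The two client-side changes in the paragraph above (drop the WINS address, repoint DNS from the ISP's resolver to the local AD DNS servers) and the one server-side requirement (the local DNS server forwards unresolved queries to the ISP) are easy to audit across an inventory before cut-over. The Python audit below is an added example written for this page, not code from the paper or a Microsoft tool; the client inventory, server list and addresses are constructed samples (private and RFC 5737 documentation ranges), and the config dictionaries are this example's own shape, not the format of any real tool.

```python
import ipaddress

# Constructed sample addresses (private and documentation ranges).
LOCAL_DNS = ["10.0.0.10", "10.0.0.11"]   # the new AD-integrated DNS servers
ISP_DNS = ["198.51.100.53"]              # the ISP's Internet resolver


def _valid(addr):
    """True if addr parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def migrate_client(client, local_dns=LOCAL_DNS):
    """Return (corrected client config, list of changes). Drops every WINS address and
    points DNS at the local servers instead of the ISP's resolver."""
    fixed = {"name": client["name"], "wins": [], "dns": list(client.get("dns", []))}
    changes = []
    if client.get("wins"):
        changes.append(f"{client['name']}: remove WINS servers {client['wins']}")
    bad = [a for a in fixed["dns"] if a not in local_dns or not _valid(a)]
    if bad or not fixed["dns"]:
        changes.append(f"{client['name']}: DNS {fixed['dns']} -> {list(local_dns)}")
        fixed["dns"] = list(local_dns)
    return fixed, changes


def forwarder_gaps(dns_server, isp_dns=ISP_DNS):
    """The local DNS server must forward unresolved names to the ISP; list what is missing."""
    return [a for a in isp_dns if a not in dns_server.get("forwarders", [])]


def audit(clients, dns_servers):
    """Run both checks; returns corrected client configs, the change list and any
    DNS servers still lacking an ISP forwarder."""
    report = {"clients": [], "changes": [], "forwarder_gaps": {}}
    for client in clients:
        fixed, changes = migrate_client(client)
        report["clients"].append(fixed)
        report["changes"].extend(changes)
    for server in dns_servers:
        gaps = forwarder_gaps(server)
        if gaps:
            report["forwarder_gaps"][server["name"]] = gaps
    return report


# Constructed inventory: one client still in its NT-era configuration, one already
# migrated, and two local DNS servers of which one has no forwarder set.
SAMPLE_CLIENTS = [
    {"name": "WS01", "wins": ["10.0.0.5"], "dns": ["198.51.100.53"]},
    {"name": "WS02", "wins": [], "dns": ["10.0.0.10", "10.0.0.11"]},
]
SAMPLE_DNS_SERVERS = [
    {"name": "DNS1", "forwarders": ["198.51.100.53"]},
    {"name": "DNS2", "forwarders": []},
]

if __name__ == "__main__":
    result = audit(SAMPLE_CLIENTS, SAMPLE_DNS_SERVERS)
    for line in result["changes"]:
        print(line)
    for name, gaps in result["forwarder_gaps"].items():
        print(f"{name}: add forwarders {gaps}")
```

A client left pointing at the ISP's resolver will still browse the Internet, which is why this misconfiguration survives testing: it only fails when the client tries to locate a domain controller, so the audit treats any non-local DNS address as a defect rather than trusting that name resolution "works".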

Maintaining Availability

In addition to migration planning, both maintenance and disaster recovery plans should be in place to guarantee maximum uptime and availability. The maintenance plan should include proactive monitoring, backups and defragmentation.

Plans should include backing up and restoring the AD database in response to events that result in:

• A corrupted or invalid schema
• Missing DNS records
• Damaged or corrupted information
• An inoperable configuration

Because the AD is continually in use, it is not possible to simply make a copy of it as with other database files. Instead, the AD backup utility must be used to perform a separate online backup of each DC, including the system-state data. Since all DCs in a domain are full-replica partners, a DC with no backup can still be restored from backup media (that is, tape, CD, DVD or file copy over a network). First, the AD backup utility should be used to create a backup of an existing domain controller onto external media. Then, the Active Directory Installation Wizard must be run to install the DC to the failed machine from the backup media.

white-space content reaches a specified level. By helping to reduce the size of the AD database files, offline defragmentation can improve directory performance and availability.

Desktop and Replication Requirements

While all Windows clients can log into an AD domain and access shared resources, only Windows 2000 and Windows XP clients can use all of AD’s features including Group Policies.

Another factor that must be taken into consideration when implementing AD is replication requirements. AD won’t function properly if it cannot complete its replication cycles due to inadequate network bandwidth or poorly configured DC hardware.

Business Use

AD is mainly deployed as an identity and applications manager for managing single sign-on, passwords, adding and deleting users, and user provisioning. Combined with Group Policy, AD controls security settings for remote desktop management, including:

• Automatic software distribution and installation
• Desktop configuration
• Software repair

AD is also used in applications services. Third-party software, such as SAP and J.D. Edwards, can work with AD.

Benefits and Risks

Benefits:

• Desktop management
• Network security
• Ability to upgrade to Exchange 2000, which requires AD
• Central management of users throughout the enterprise
• Multimaster replication change management
• AD’s delegation capabilities
• User access to millions of objects without knowledge of physical location or connection to the network

Risks:

AD migration and deployment involves specific costs that must be managed to minimize risk to the organization. These costs include:

• Windows 2000/2003 software licenses
• Staff retraining
• Third-party AD migration and management tool licenses
• Replacement or upgrade of desktop systems to take advantage of AD Group Policies

Standards

Table 1: Windows Server 2003 Active Directory Standards Support

Standard | Description | Version
Dynamic Host Configuration Protocol | Network address management | RFC 2131
DNS Dynamic update protocol | Host names management | RFC 2136, 2782 and 3007
Simple Network Time Protocol | Distributed time service | RFC 2030
Lightweight Directory Access Protocol (LDAP) v.3 | Client directory access | RFC 2251
LDAP “C” | Directory application programming (API) | RFC 1823
LDAP Data Interchange Format (LDIF) | Directory synchronization | RFC 2849
LDAP | Directory schema | RFC 2247, 2252 and 2256
Kerberos v.5 | Authentication | RFC 1510
X.509 v# certificates | Authentication | ISO X.509
TCP/IP | Network transport | RFC 791 and 793

Technology Leaders

An organization can use Microsoft-provided tools and utilities to deploy and manage AD, but users may find that the additional features provided by third-party tools make managing more complex environments easier. These products provide tools for migrating to AD from older network operating systems, as well as AD change management, monitoring, and event detection and correction. Leading vendors of AD management technologies include NetIQ (www.netiq.com), Quest Software (www.quest.com), BindView Corporation (www.bindview.com) and Aelita (www.aelita.com). Netpro (www.netpro.com) provides monitoring and security products for AD. Full Armor (www.fullarmor.com) provides a management solution for group policies.

Technology Alternatives

An alternative to AD on Windows platforms is Novell’s eDirectory.

Insight

References
