MCSE Training Kit: Microsoft Windows 2000 Accelerated (c) 2000
You use a directory service to uniquely identify users and resources on a network. Windows 2000 uses Active Directory to provide directory services. It is important to understand the overall purpose of Active Directory and the key features it provides. Understanding the interactions of Active Directory architectural components provides the basis for understanding how Active Directory stores and retrieves data. This lesson introduces you to Active Directory functions, features, and architecture.
After this lesson, you will be able to
- Explain the function of a directory service
- Explain the purpose of Active Directory
- Identify the features of Active Directory
- Identify the layers in the Active Directory architecture
Estimated lesson time: 20 minutes
What Is a Directory Service?
A directory is a stored collection of information about objects that are related to one another in some way. For example, a telephone directory stores names of entities and their corresponding telephone numbers. The telephone directory listing may also contain an address or other information about the entity.
In a distributed computing system or a public computer network such as the Internet, there are many objects, such as file servers, printers, fax servers, applications, databases, and users. Users must be able to locate and use these objects. Administrators must be able to manage how these objects are used. A directory service stores all the information needed to use and manage these objects in a centralized location, simplifying the process of locating and managing these resources.
In this course, the terms directory and directory service refer to the directories found in public and private networks. A directory provides a means of storing information related to the network resources to facilitate locating and managing these resources. A directory service is a network service that identifies all resources on a network and makes them accessible to users and applications. A directory service differs from a directory in that it is both the source of the information and the services making the information available to the users.
A directory service acts as the main switchboard of the network operating system. It is the central authority that manages the identities and brokers the relationships between distributed resources, enabling them to work together. Because a directory service supplies these fundamental operating system functions, it must be tightly coupled with the management and security mechanisms of the operating system to ensure the integrity and privacy of the network. It also plays a critical role in an organization's ability to define and maintain the network infrastructure, perform system administration, and control the overall user experience of a company's information systems.
Why Have a Directory Service?
A directory service provides the means to organize and simplify access to resources of a networked computer system. Users and administrators may not know the exact name of the objects they need. However, they may know one or more attributes of the objects in question. As illustrated in the figure below, they can use a directory service to query the directory for a list of objects that match known attributes. For example, "Find all color printers on the third floor" queries the directory for all color printer objects with the attributes of color and third floor (or maybe a location attribute that has been set to "third floor"). A directory service makes it possible to find an object based on one or more of its attributes.
Using a directory service
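The query in the paragraph above, "Find all color printers on the third floor", is an attribute-based search: it becomes an LDAP search filter that is evaluated against each object's attributes. The following is an added example, not code from the training kit: it implements a small evaluator for a subset of the RFC 2254 filter grammar (&, |, !, equality, presence and substring wildcards) over an in-memory list of constructed objects, and shows the escaping a client applies to user-supplied text before placing it in a filter so that the text is matched literally. The attribute names printColor and location are assumptions for this example.

```python
"""Attribute-based directory lookup, as in the lesson's "find all color
printers on the third floor": the request becomes an LDAP search filter such
as (&(objectClass=printer)(printColor=TRUE)(location=third floor)) that is
evaluated against each object's attributes.

Added example (not code from the training kit). Attribute names printColor
and location are assumptions made for the example.
"""
import re
import string

# Constructed sample objects: attribute name -> single value.
DIRECTORY = [
    {"cn": "PRN-301", "objectClass": "printer",  "printColor": "TRUE",  "location": "third floor"},
    {"cn": "PRN-302", "objectClass": "printer",  "printColor": "FALSE", "location": "third floor"},
    {"cn": "PRN-101", "objectClass": "printer",  "printColor": "TRUE",  "location": "first floor"},
    {"cn": "FS-01",   "objectClass": "computer", "location": "third floor"},
]


def escape_filter_value(value: str) -> str:
    """RFC 2254 escaping for text placed inside a filter value. Without it,
    '(' ')' '*' '\\' or NUL in the text would be read as filter syntax
    instead of being matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _compile_value(raw: str):
    """Right-hand side of attr=value -> ('present', None) or ('match', regex).
    A lone '*' tests presence; an unescaped '*' elsewhere is a wildcard; a
    '\\xx' hex escape is a literal character (what escape_filter_value emits)."""
    if raw == "*":
        return "present", None
    parts, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 2 < len(raw) and all(h in string.hexdigits for h in raw[i + 1:i + 3]):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
            continue
        parts.append(".*" if c == "*" else re.escape(c))
        i += 1
    # Directory string matching is case-insensitive, so compile that way.
    return "match", re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def _parse(s: str, i: int):
    """Parse one parenthesised filter item starting at s[i]; return (node, next_i)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        node = (op, items)
    elif i < len(s) and s[i] == "!":
        inner, i = _parse(s, i + 1)
        node = ("!", inner)
    else:
        end = s.find(")", i)
        if end < 0 or "=" not in s[i:end]:
            raise ValueError("malformed simple filter at offset %d" % i)
        attr, _, raw = s[i:end].partition("=")
        node, i = ("=", attr.strip().lower(), _compile_value(raw)), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def _matches(node, obj) -> bool:
    """Evaluate a parsed filter node against one object's attributes."""
    kind = node[0]
    if kind == "&":
        return all(_matches(n, obj) for n in node[1])
    if kind == "|":
        return any(_matches(n, obj) for n in node[1])
    if kind == "!":
        return not _matches(node[1], obj)
    _, attr, (vkind, regex) = node
    value = next((v for k, v in obj.items() if k.lower() == attr), None)
    if value is None:
        return False
    return vkind == "present" or regex.match(value) is not None


def search(ldap_filter: str, objects=DIRECTORY):
    """Return the cn of every object matching ldap_filter, in directory order."""
    text = ldap_filter.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after filter")
    return [obj["cn"] for obj in objects if _matches(node, obj)]


def find_printers(location: str, color: bool = True):
    """The lesson's query, built from caller-supplied text. Escaping the text
    first keeps it a literal value rather than additional filter syntax."""
    flt = "(&(objectClass=printer)(printColor=%s)(location=%s))" % (
        "TRUE" if color else "FALSE", escape_filter_value(location))
    return search(flt)


if __name__ == "__main__":
    print(find_printers("third floor"))                              # ['PRN-301']
    print(search("(&(location=third*)(!(objectClass=printer)))"))   # ['FS-01']
```

Because the location text is escaped before it is placed in the filter, a caller-supplied string such as "third*" is looked up as the literal name "third*" rather than as a wildcard, which is the behaviour a directory client wants when the text comes from a user.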
Other functions of the directory service are:
- Enforcing security to protect the objects in its database from outside intruders or from internal users who do not have permission to access those objects.
- Distributing a directory across many computers in a network.
- Replicating a directory to make it available to more users and resistant to failure.
- Partitioning a directory into multiple stores that are located on different computers across the network. This makes more space available to the directory as a whole and allows the storage of a large number of objects.
A directory service is both an administration tool and an end user tool. As a network becomes larger, more resource objects must be managed and the directory service becomes a necessity.
Windows 2000 Directory Services
Active Directory is the directory service included in Windows 2000 Server. Active Directory includes the directory, which stores information about network resources, as well as all the services that make the information available and useful. The resources stored in the directory, such as user data, printers, servers, databases, groups, services, computers, and security policies, are known as objects.
Active Directory is integrated within Windows 2000 Server and offers:
- Simplified administration
- Scalability
- Open standards support
- Support for standard name formats
Simplified Administration
Active Directory organizes resources hierarchically in domains. A domain is a logical grouping of servers and other network resources under a single domain name. The domain is the basic unit of replication and security in a Windows 2000 network.
Each domain includes one or more domain controllers. A domain controller is a computer running Windows 2000 Server that manages user access to a network, which includes logging on, authentication, and access to the directory and shared resources. To simplify administration, all domain controllers in the domain are equal. You can make changes to any domain controller, and the updates are replicated to all other domain controllers in the domain.
Active Directory further simplifies administration by providing a single point of administration for all objects on the network. Because Active Directory provides a single point of logon for all network resources, an administrator can log on to one computer and administer objects on any computer in the network.
Scalability
Active Directory organizes the directory into sections that permit storage of a very large number of objects. As a result, the directory can expand as an organization grows, allowing users to scale from a small installation with a few hundred objects to a large installation with millions of objects.
NOTE
You can distribute directory information across several computers in a network.
Open Standards Support
Active Directory integrates the Internet concept of a name space with the Windows 2000 directory services. This allows you to unify and manage the multiple name spaces that now exist in the heterogeneous software and hardware environments of corporate networks. Active Directory uses DNS for its name system and can exchange information with any application or directory that uses LDAP or Hypertext Transfer Protocol (HTTP).
IMPORTANT
Active Directory also shares information with other directory services that support LDAP version 2 and version 3, such as Novell Directory Services (NDS).
DNS
Because Active Directory uses DNS as its domain naming and location service, Windows 2000 domain names are also DNS names. Windows 2000 Server uses Dynamic DNS (DDNS), which enables clients with dynamically assigned addresses to register directly with a server running the DNS service and update the DNS table dynamically. DDNS eliminates the need for other Internet naming services, such as Windows Internet Name Service (WINS), in a homogeneous environment.
IMPORTANT
For Active Directory and associated client software to function correctly, you must have installed and configured the DNS service.
Support for LDAP and HTTP
Active Directory further embraces Internet standards by directly supporting LDAP and HTTP. LDAP is a lightweight version of the X.500 Directory Access Protocol (DAP), developed as a simpler alternative to it. Active Directory supports both LDAP version 2 and version 3. HTTP is the standard protocol for displaying pages on the World Wide Web. A user can display every object in Active Directory as an HTML page in a Web browser, so users get the familiar Web browsing model when querying and viewing objects in Active Directory.
NOTE
Active Directory uses LDAP to exchange information between directories and applications.
MORE INFO
For more information about LDAP, use your Web browser to search for RFC 1777 and retrieve the text of this Request for Comments.
Support for Standard Name Formats
Active Directory supports several common name formats. Consequently, users and applications can access Active Directory using the format with which they are most familiar. The following table describes some standard name formats supported by Active Directory.
Standard Name Formats Supported by Active Directory
| Format | Description |
|---|---|
| RFC 822 | Takes the form of someone@domain and is familiar to most users as an Internet e-mail address. |
| HTTP Uniform Resource Locator (URL) | Takes the form of http://domain/path-to-page and is familiar to users with Web browsers. |
| Universal Naming Convention (UNC) | Takes the form of \\microsoft.com\xl\budget.xls and is used in Windows 2000 Server-based networks to refer to shared volumes, printers, and files. |
| LDAP URL | Active Directory supports a draft to RFC 1779 and uses the attributes in the following example: LDAP://someserver.microsoft.com/CN=FirstnameLastname, OU=sys, OU=product, OU=division, DC=devel. An LDAP URL specifies the server on which the Active Directory services reside and the attributed name of the object. |

In the LDAP URL example, CN represents Common Name, OU represents Organizational Unit Name, and DC represents Domain Component Name.
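As an added example (not code from the training kit), the following parses the four name formats in the table into their components. The distinguished name parser follows the RFC 1779 quoting rules (backslash escapes and quoted values), so a comma inside an attribute value is not mistaken for a separator between relative distinguished names. The sample names are the table's own; the function names and the keys of the returned dictionaries are this example's conventions, and the LDAP URL parser assumes the URL carries only a server and a DN, as the table's example does.

```python
"""Decomposing the standard name formats listed in the table above.

Added example, not code from the training kit. parse_name() recognises a
name in RFC 822, HTTP URL, UNC or LDAP URL form and returns its components.
Function names and returned keys are this example's own conventions.
"""
import re
from urllib.parse import urlsplit

_RFC822 = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def parse_dn(dn: str):
    """Split an RFC 1779 DN into [(type, value), ...], leftmost RDN first.
    Accepts CN=Doe\\, John (escaped comma) and CN="Doe, John" (quoted value)."""
    rdns, attr, value, i = [], [], [], 0
    in_value = in_quotes = False
    while i < len(dn):
        ch = dn[i]
        if not in_value:                      # reading the attribute type
            if ch == "=":
                in_value = True
            else:
                attr.append(ch)
        elif in_quotes:                       # inside "...": everything literal
            if ch == '"':
                in_quotes = False
            else:
                value.append(ch)
        elif ch == "\\" and i + 1 < len(dn):  # backslash: next char is literal
            i += 1
            value.append(dn[i])
        elif ch == '"':
            in_quotes = True
        elif ch in ",;":                      # RFC 1779 allows either separator
            rdns.append(("".join(attr).strip().upper(), "".join(value).strip()))
            attr, value, in_value = [], [], False
        else:
            value.append(ch)
        i += 1
    if in_quotes or not in_value:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append(("".join(attr).strip().upper(), "".join(value).strip()))
    return rdns


def dns_domain_from_dn(rdns) -> str:
    """Join the DC components into the domain's DNS name (the lesson notes
    that Windows 2000 domain names are also DNS names)."""
    return ".".join(v for t, v in rdns if t == "DC")


def parse_name(name: str) -> dict:
    """Classify a name by format and return its components."""
    low = name.lower()
    if low.startswith("ldap://"):
        # Assumption for this example: only server and DN, no LDAP URL query part.
        server, _, dn = name[len("ldap://"):].partition("/")
        rdns = parse_dn(dn)
        return {"format": "LDAP URL", "server": server, "dn": rdns,
                "domain": dns_domain_from_dn(rdns)}
    if low.startswith("http://") or low.startswith("https://"):
        u = urlsplit(name)
        return {"format": "HTTP URL", "host": u.hostname, "path": u.path}
    if name.startswith("\\\\"):
        parts = name[2:].split("\\", 2) + ["", ""]   # server, share, path
        return {"format": "UNC", "server": parts[0], "share": parts[1], "path": parts[2]}
    m = _RFC822.match(name)
    if m:
        return {"format": "RFC 822", "user": m.group(1), "domain": m.group(2)}
    raise ValueError("unrecognised name format: %r" % name)


if __name__ == "__main__":
    for sample in ("someone@domain", "http://domain/path-to-page",
                   r"\\microsoft.com\xl\budget.xls",
                   "LDAP://someserver.microsoft.com/CN=FirstnameLastname, "
                   "OU=sys, OU=product, OU=division, DC=devel"):
        print(parse_name(sample))
```

The DN parser is where care matters: a naive split on commas would break a value such as "Doe, John", and a DN built from untrusted text without quoting or escaping could gain extra components. Handling the escape and quote rules keeps each value literal.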
Active Directory in the Windows 2000 Architecture
As you learned in the previous lesson, Windows 2000 uses modules and modes that combine to provide operating system services to applications. Two processor access modes, kernel and user, separate the low-level, platform-specific processes from the upper-level processes, which shields applications from platform differences and prevents applications from directly accessing system code and data. Each application, including service applications, runs in a separate module in user mode, from which it requests system services through an API that grants limited access to system data. An application process begins in user mode and is transferred to kernel mode, where the actual service is provided in a protected environment; the process is then transferred back to user mode. Active Directory runs in the security subsystem in user mode. The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the security rules of the security subsystem. The following figure shows the location of Active Directory within Windows 2000.
Location of Active Directory within Windows 2000
The tight integration of the directory service and security subsystem services is key to the implementation of Windows 2000 distributed systems. Access to all directory objects first requires proof of identity (authentication), which is performed by components of the security subsystem, and then validation of access permissions (authorization), which is performed by the security subsystem in conjunction with the security reference monitor. The security reference monitor enforces the access control applied to Active Directory objects.
Active Directory Architecture
Active Directory functionality can be illustrated as a layered architecture in which the layers represent the server processes that provide directory services to client applications. Active Directory consists of three service layers and several interfaces and protocols that work together to provide directory services. The three service layers accommodate the different types of information required to locate records in the directory database. Above the service layers in this architecture are the protocols and APIs that enable communication between clients and directory services.
The following figure shows the Active Directory service layers and their respective interfaces and protocols. The direction of the arrows indicates how different clients gain access to Active Directory through the interfaces.
Active Directory architecture
The key service components include the following:
- Directory System Agent (DSA) builds a hierarchy from the parent-child relationships stored in the directory and provides the APIs for directory access calls.
- Database Layer provides an abstraction layer between applications and the database. Applications never call the database directly; every call goes through the database layer.
- Extensible Storage Engine communicates directly with individual records in the directory data store on the basis of the object's relative distinguished name attribute.
- Data store (the database file NTDS.DIT, stored in the \Winnt\ntds folder on the domain controller) is manipulated only by the Extensible Storage Engine database engine. You can administer the file by using the Ntdsutil tool, located in the \Winnt\system32 folder on the domain controller.
Clients obtain access to Active Directory by using one of the following mechanisms that is supported by the DSA:
- LDAP/ADSI. Clients that support LDAP use it to connect to the DSA. Active Directory supports LDAP version 3 (defined by RFC 2251) and LDAP version 2 (defined by RFC 1777). Windows 2000 clients, as well as Windows 98 and Windows 95 clients that have the Active Directory client components installed, use LDAP version 3 to connect to the DSA. ADSI is a means of abstracting the LDAP API; however, Active Directory itself uses only LDAP.
- Messaging API (MAPI). Legacy MAPI clients, such as Microsoft Outlook, connect to the DSA by using the MAPI RPC address book provider interface.
- Security Accounts Manager (SAM). Windows clients that use Windows NT 4.0 or earlier use the SAM interface to connect to the DSA. Replication from backup domain controllers in a mixed-mode domain goes through the SAM interface as well.
- Replication (REPL). When they are performing directory replication, Active Directory DSAs connect to each other by using a proprietary RPC interface.
Lesson Summary
In this lesson, you learned that a directory service is a network service that identifies all resources on a network and makes them accessible to users and applications. A directory service differs from a directory in that it is both the source of the information and the services making the information available to the users.
You also learned that Active Directory is the directory service included in Windows 2000 Server. Active Directory includes the directory, which stores information about network resources such as user data, printers, servers, databases, groups, computers, and security policies. The directory can scale from a small installation with a few hundred objects to a large installation with millions of objects. Active Directory offers simplified administration, scalability, open standards support, and support for standard name formats.
Finally, you learned that Active Directory runs in the security subsystem in the user mode in the Windows 2000 architecture. The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the security rules of the security subsystem. Active Directory functionality can be illustrated as a layered architecture in which the layers represent the server processes that provide directory services to client applications. Active Directory consists of three service layers and several interfaces and protocols that work together to provide directory services.