MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
In Windows 2000 and Active Directory services there are several new concepts and some changes to the concepts used in Windows NT. These concepts include replication, trust relationships, group policies, DNS namespaces, and naming conventions. It is important that you understand the meaning of these concepts as applied to Active Directory.
After this lesson, you will be able to
- Explain Active Directory replication
- Explain the security relationships between domains in a tree (trusts)
- Explain the purpose and function of group policy
- Describe the DNS namespace used by Active Directory
- Describe the naming conventions used by Active Directory
Estimated lesson time: 20 minutes
Replication
Users and services should be able to access directory information at any time from any computer in the domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. Directory information is replicated to domain controllers both within and among sites.
What Information Is Replicated
The information stored in the directory is partitioned into three categories. Each of these information categories is referred to as a directory partition. These directory partitions are the units of replication. The following information is contained in each directory:
- Schema information, which defines the objects that can be created in the directory and the attributes those objects can have. This information is common to all domains in the domain tree or forest.
- Configuration information, which describes the logical structure of the deployment, including information such as domain structure or replication topology. This information is common to all domains in the domain tree or forest.
- Domain data, which describes all of the objects in a domain. This data is domain-specific and is not distributed to any other domains. For the purpose of finding information throughout the domain tree or forest, selected attributes for all objects in all domains are stored in the global catalog.
Schema and configuration information is replicated to all domain controllers in the domain tree or forest. All of the domain data for a particular domain is replicated to every domain controller in that domain. Every object in every domain of the forest, carrying only a selected subset of its attributes, is replicated to the global catalog.
A domain controller stores and replicates
- The schema information for the domain tree or forest
- The configuration information for all domains in the domain tree or forest
- All directory objects and properties for its domain (this data is replicated to any additional domain controllers in the domain; for the purpose of finding information, a subset of the properties of all objects in the domain is replicated to the global catalog)
A global catalog stores and replicates
- The schema information for a forest
- The configuration information for all domains in a forest
- Selected attributes for all directory objects in the forest (replicated between global catalog servers only)
- All directory objects and all their properties for the domain in which the global catalog is located
CAUTION
Extensions to the schema should be approached with caution. Because the schema is forest-wide, an extension is replicated to every domain controller in the forest and can have disastrous effects on large networks: schema extensions cannot be deleted (only disabled), and the traffic generated as the extensions are synchronized throughout the forest can be substantial. Test any extension in a separate lab forest before applying it to production.
How Replication Works
Active Directory replicates information in two ways: intrasite (within a site) and intersite (between sites). The need for up-to-date directory information is balanced with the limitations imposed by available network bandwidth.
Intrasite Replication
Within a site, a Windows 2000 service known as the Knowledge Consistency Checker (KCC) automatically generates a topology for replication among domain controllers in the same domain using a ring structure. The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers in the site receive the directory updates.
The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers, as shown in Figure 1.8.
Figure 1.8 Intrasite replication topology
The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works and is efficient. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.
Intersite Replication
To ensure replication between sites, you must manually connect them by creating site links. Site links represent network connections and allow replication to occur. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance, as shown in Figure 1.9.
You provide information about the replication transport used, cost of a site link, times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link will be used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is light, will make replication more efficient. Replication and site link configuration are discussed in Chapter 6, "Creating a Site Topology Plan."
NOTE
When operating in native mode, Windows 2000 domain controllers do not replicate with pre–Windows 2000 domain controllers.
Figure 1.9 Intersite replication topology
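The two replication behaviours described above, the intrasite ring built by the KCC and the cost-and-schedule selection of site links, as a simplified model. This is an added example, not code from the book or from Windows 2000 itself; the KCC's real algorithm is more elaborate, and the DC names, site names, costs and schedules are constructed for the example.

```python
"""Simplified model of the two replication topologies described above.

Added example, not code from the book or from Windows 2000. Two properties
the lesson relies on are reproduced: an intrasite ring still reaches every
domain controller when any one of them is down, and intersite replication
follows the cheapest chain of site links available at the time.
"""
import heapq
from collections import deque

# Constructed sample data (assumptions for the example, not from the book).
SITE_DCS = ["DC1", "DC2", "DC3", "DC4"]
SITE_LINKS = [
    {"sites": ("Seattle", "Denver"), "cost": 100, "hours": set(range(24))},
    {"sites": ("Denver", "Boston"), "cost": 100, "hours": set(range(24))},
    # Direct link the administrator has scheduled for night hours only.
    {"sites": ("Seattle", "Boston"), "cost": 150, "hours": set(range(0, 6))},
]


def ring_topology(dcs):
    """Return the bidirectional ring the KCC builds within a site.

    Each DC replicates with the next DC in the ring and back, so every DC
    has two neighbours and there are two disjoint paths between any pair.
    """
    if len(dcs) < 2:
        return set()
    links = set()
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % len(dcs)]
        links.add((dc, nxt))
        links.add((nxt, dc))
    return links


def reachable(start, links, down=()):
    """DCs that receive updates originating at `start`, skipping DCs in `down`."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in links:
            if src == cur and dst not in seen and dst not in down:
                seen.add(dst)
                queue.append(dst)
    return seen


def cheapest_site_path(site_links, src, dst, hour):
    """Dijkstra over site links by cost, using only links whose schedule
    covers `hour` (0-23). Returns (total_cost, [site, ...]) or None when the
    destination cannot be reached at that hour.
    """
    adj = {}
    for link in site_links:
        if hour not in link["hours"]:
            continue  # link is outside its replication schedule
        a, b = link["sites"]
        adj.setdefault(a, []).append((link["cost"], b))
        adj.setdefault(b, []).append((link["cost"], a))
    best, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            path = [site]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[site]:
            continue  # stale heap entry
        for edge_cost, nxt in adj.get(site, []):
            new_cost = cost + edge_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                prev[nxt] = site
                heapq.heappush(heap, (new_cost, nxt))
    return None


if __name__ == "__main__":
    ring = ring_topology(SITE_DCS)
    print("with DC2 down, DC1 still reaches:", sorted(reachable("DC1", ring, down=("DC2",))))
    print("03:00 Seattle->Boston:", cheapest_site_path(SITE_LINKS, "Seattle", "Boston", 3))
    print("12:00 Seattle->Boston:", cheapest_site_path(SITE_LINKS, "Seattle", "Boston", 12))
```

At 03:00 the direct, night-only link is the cheapest route; at noon that link is off schedule and replication goes through Denver at a higher total cost. The ring check shows why a single failed DC does not partition a site.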
Trust Relationships
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Active Directory supports two forms of trust relationships:
- Implicit two-way transitive trust. A relationship between parent and child domains within a tree and between the top-level domains in a forest. This is the default; trust relationships among domains in a tree are established and maintained implicitly (automatically). Transitive trust is a feature of the Kerberos authentication protocol, which provides distributed authentication in Windows 2000 (authorization is still decided by the permissions set on each resource).
For example, in Figure 1.10 a Kerberos transitive trust simply means that if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C. As a result, a domain joining a tree immediately has trust relationships established with every domain in the tree. These trust relationships allow every domain in the tree to accept logons authenticated by every other domain in the tree; a trust by itself grants no access to any object, which still requires permissions.
Transitive trust between domains eliminates the management of interdomain trust accounts. Domains that are members of the same tree automatically participate in a transitive, bidirectional trust relationship with the parent domain. As a result users in one domain can access resources to which they have been granted permission in all other domains in a tree.
- Explicit one-way nontransitive trust. A relationship between domains that are not part of the same tree. A nontransitive trust is bounded by the two domains in the trust relationship and does not flow to any other domains in the forest. In most cases, you must explicitly (manually) create nontransitive trusts. For example, in Figure 1.10, a one-way, nontransitive trust is shown where Domain C trusts Domain 1, so users in Domain 1 can access resources in Domain C.
Explicit one-way nontransitive trusts are the only form of trust possible between
- A Windows 2000 domain and a Windows NT domain
- A Windows 2000 domain in one forest and a Windows 2000 domain in another forest
- A Windows 2000 domain and an MIT Kerberos V5 realm, allowing a client in a Kerberos realm to authenticate to an Active Directory domain to access network resources in that domain
Figure 1.10 Active Directory supports two types of trust relationships
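The trust rules of Figure 1.10 as a small model that answers "does this domain honour logons from that one?". This is an added example, not code from the book or from Windows 2000; the domain names A, B, C and 1 follow the figure, Domain D is a second tree root added here to show the forest-root case, and the `can_access` check is a model of the point made above that trust is necessary but not sufficient for access.

```python
"""Model of the two trust forms described in this section.

Added example, not code from the book. Domains A, B, C form a tree joined by
implicit two-way transitive trusts; D is the root of a second tree in the
same forest (not in Figure 1.10); Domain 1 is outside the forest and is
trusted by C through an explicit one-way nontransitive trust.
"""


class TrustMap:
    def __init__(self):
        # (trusting, trusted) -> True when the trust is transitive.
        self._edges = {}

    def add_tree_trust(self, parent, child):
        """Implicit two-way transitive trust (parent/child or tree-root)."""
        self._edges[(parent, child)] = True
        self._edges[(child, parent)] = True

    def add_external_trust(self, trusting, trusted):
        """Explicit one-way nontransitive trust: `trusting` honours logons from `trusted`."""
        self._edges[(trusting, trusted)] = False

    def trusts(self, trusting, trusted):
        """True if `trusting` honours a logon authenticated by `trusted`,
        either directly or through a chain of transitive trusts."""
        if trusting == trusted:
            return True
        seen = {trusting}
        frontier = [trusting]
        while frontier:
            cur = frontier.pop()
            for (a, b), transitive in self._edges.items():
                if a != cur or b in seen:
                    continue
                # A nontransitive trust is bounded by its two domains: only the
                # domain that created it may use it, never a domain further back.
                if not transitive and cur != trusting:
                    continue
                if b == trusted:
                    return True
                if transitive:  # keep walking only over transitive links
                    seen.add(b)
                    frontier.append(b)
        return False


def can_access(trust_map, resource_domain, user_domain, permission_granted):
    """Trust is necessary but not sufficient: the resource's domain must trust
    the user's domain AND the user must hold a permission on the resource."""
    return trust_map.trusts(resource_domain, user_domain) and bool(permission_granted)


def figure_1_10():
    """Build the figure's trusts plus the second tree root D."""
    tm = TrustMap()
    tm.add_tree_trust("A", "B")
    tm.add_tree_trust("B", "C")
    tm.add_tree_trust("A", "D")                      # forest root to second tree root
    tm.add_external_trust(trusting="C", trusted="1")  # C trusts 1, not the reverse
    return tm


if __name__ == "__main__":
    tm = figure_1_10()
    for trusting, trusted in [("A", "C"), ("D", "C"), ("C", "1"), ("1", "C"), ("A", "1")]:
        print(f"{trusting} trusts {trusted}: {tm.trusts(trusting, trusted)}")
```

The model makes the two boundaries explicit: the one-way external trust lets Domain 1 users authenticate to C but not the reverse, and because it is nontransitive, A, B and D never trust Domain 1 even though they trust C.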
Group Policy
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. For example, using group policies, you can determine the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.
To create a specific desktop configuration for a particular group of users, you create group policy objects (GPOs). GPOs are collections of group policy settings. Each Windows 2000 computer has one local GPO and may, in addition, be subject to any number of nonlocal (Active Directory–based) GPOs. Local GPOs are overridden by nonlocal GPOs. Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs) and can be applied to either users or computers. Following the inheritance properties of Active Directory, nonlocal GPOs are applied hierarchically from the broadest scope (site) to the narrowest (OU), and their settings are cumulative: where two GPOs configure the same setting, the one applied later (closer to the user or computer) wins.
How Group Policy Is Applied
Because nonlocal GPOs are applied hierarchically, the user or computer's configuration is a result of the GPOs applied to its site, domain, and OU. Group policy settings are applied in the following order:
- Local GPO. Each Windows 2000 computer has exactly one GPO stored locally.
- Site GPOs. Any GPOs that have been linked to the site are applied next, one after another, in the order the administrator specifies for the site's links.
- Domain GPOs. Multiple domain-linked GPOs are applied one after another, in the order the administrator specifies for the domain's links.
- OU GPOs. GPOs linked to the OU highest in the Active Directory hierarchy are applied first, followed by GPOs linked to its child OU, and so on. Finally, the GPOs linked to the OU that contains the user or computer are applied. At each level of the OU hierarchy one, many, or no GPOs can be linked. If several GPOs are linked to one OU, they are applied one after another in the order the administrator specifies.
Figure 1.11 shows how group policy is applied for the example Marketing and Servers OUs.
Figure 1.11 How group policy is applied
The default order for the application of group policy settings is subject to the following exceptions:
- A computer that is a member of a workgroup processes only the local GPO.
- No Override. Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No Override with respect to that site, domain, or OU, so that none of its policy settings can be overwritten by GPOs applied later. When more than one GPO has been set to No Override, the one highest in the Active Directory hierarchy takes precedence (among several No Override links at the same level, the order the administrator specified for that level decides). No Override is applied to the GPO link, not to the GPO itself.
- Block Policy Inheritance. At any site, domain, or OU, group policy inheritance can be selectively marked as Block Policy Inheritance. However, GPO links set to No Override are always applied and cannot be blocked. Block Policy Inheritance is applied directly to the site, domain, or OU. It is not applied to GPOs, nor is it applied to GPO links. Thus, Block Policy Inheritance deflects all group policy settings that reach the site, domain, or OU from above (by way of linkage to parents in the Active Directory hierarchy) no matter what GPOs those settings originate from.
- Loopback setting. Loopback is an advanced group policy setting that is useful on computers in certain closely managed environments such as kiosks, laboratories, classrooms, and reception areas. Loopback provides alternatives to the default method of obtaining the ordered list of GPOs whose user configuration settings affect a user. By default, a user's settings come from a GPO list that depends on the user's location in Active Directory. The ordered list goes from site-linked to domain-linked to OU-linked GPOs, with inheritance determined by the location of the user in Active Directory and in an order specified by the administrator at each level. Loopback can be Not Configured, Enabled, or Disabled as can any other group policy setting. In the Enabled state, loopback can be set to Replace or Merge mode.
- Replace. In this case, the GPO list for the user is replaced in its entirety by the GPO list already obtained for the local computer at startup. The computer's GPOs replace the user GPOs normally applied to the user.
- Merge. In this case, the GPO list is concatenated. The GPO list obtained for the local computer at startup is appended to the GPO list obtained for the user at logon. Because the GPO list obtained for the computer is applied later, it has precedence if it conflicts with settings in the user's list.
You should plan your GPO settings and the Active Directory objects to which they will be applied to provide the most efficient group policy management for your organization. Chapter 5, "Creating an Organizational Unit Plan," discusses planning for group policy.
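The processing order and the three exceptions above (No Override, Block Policy Inheritance, loopback) as a small resolver you can run against a made-up site/domain/OU layout. This is an added example, not code from the book or from Windows 2000; the GPO names, their settings and the container layout are constructed, and the rules implemented are the ones stated in this section.

```python
"""Model of the group policy processing order, No Override, Block Policy
Inheritance and loopback described in this section.

Added example, not code from the book or from Windows 2000. GPO names,
settings and containers are constructed for the example.
"""

# Constructed sample GPOs: name -> {setting: value}.
GPOS = {
    "Local": {"wallpaper": "local.bmp"},
    "Site-Default": {"wallpaper": "corp.bmp", "screensaver_timeout": 900},
    "Domain-Security": {"screensaver_timeout": 600, "password_length": 8},
    "Marketing-Desktop": {"wallpaper": "marketing.bmp", "screensaver_timeout": 1200},
    "Kiosk-Lockdown": {"wallpaper": "kiosk.bmp", "run_menu": False},
}

# A container carries its links as (gpo_name, no_override) in the order the
# administrator specified, plus its Block Policy Inheritance flag. Each list
# runs from the site down to the container holding the user or computer.
MARKETING_USER = [
    {"name": "Site-Seattle", "links": [("Site-Default", False)]},
    {"name": "microsoft.com", "links": [("Domain-Security", True)]},  # No Override
    {"name": "OU=Marketing", "links": [("Marketing-Desktop", False)], "block": True},
]
KIOSK_COMPUTER = [
    {"name": "Site-Seattle", "links": [("Site-Default", False)]},
    {"name": "microsoft.com", "links": [("Domain-Security", True)]},
    {"name": "OU=Kiosks", "links": [("Kiosk-Lockdown", False)]},
]


def ordered_gpos(local_gpo, containers):
    """GPO names in application order for an object in the last container.

    A workgroup computer passes an empty container list and gets only the
    local GPO, as the first exception above states.
    """
    normal, enforced = [], []
    for container in containers:
        if container.get("block"):
            # Block Policy Inheritance: drop everything linked above this
            # container, except No Override links, which cannot be blocked.
            normal = []
        for gpo, no_override in container["links"]:
            (enforced if no_override else normal).append(gpo)
    # The local GPO is processed first and is not subject to blocking.
    # No Override links are applied after all other GPOs; among them the one
    # highest in the hierarchy is applied last, so it takes precedence.
    return [local_gpo] + normal + list(reversed(enforced))


def user_gpo_list(user_order, computer_order, loopback=None):
    """Apply the loopback setting to the user's GPO list.

    None/"Disabled": the user's own list. "Replace": the computer's list
    instead. "Merge": the user's list followed by the computer's, so the
    computer's GPOs win on conflict.
    """
    if loopback == "Replace":
        return list(computer_order)
    if loopback == "Merge":
        return list(user_order) + list(computer_order)
    return list(user_order)


def effective_settings(gpo_order, gpos=GPOS):
    """Apply GPOs in order; a later value overrides an earlier one for the same setting."""
    result = {}
    for name in gpo_order:
        result.update(gpos[name])
    return result


if __name__ == "__main__":
    user = ordered_gpos("Local", MARKETING_USER)
    print("Marketing user:", user, effective_settings(user))
    kiosk = ordered_gpos("Local", KIOSK_COMPUTER)
    print("Kiosk (loopback Replace):", effective_settings(user_gpo_list(user, kiosk, "Replace")))
```

For the Marketing user, Block Policy Inheritance on the OU removes the site GPO, but the domain's No Override link survives and is applied last, so its 600-second screen saver timeout beats the OU's 1200. When the same user logs on to a kiosk with loopback set to Replace, the kiosk computer's GPO list is used instead of the user's.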
DNS Namespace
Active Directory, like all directory services, is primarily a namespace. A namespace is any bounded area in which a name can be resolved. Name resolution is the process of translating a name into some object or information that the name represents. The Active Directory namespace is based on the DNS naming scheme, which allows for interoperability with Internet technologies. Private networks use DNS extensively to resolve computer names and to locate computers within their local networks and the Internet. DNS provides the following benefits:
- DNS names are user friendly, which means they are easier to remember than IP addresses.
- DNS names remain more constant than IP addresses. An IP address for a server can change, but the server name remains the same.
- DNS allows users to connect to local servers using the same naming convention as the Internet.
NOTE
To read more about DNS, open your Web browser and use an Internet search engine to run a search on "RFC 1034" and "RFC 1035". RFCs (Request for Comments) are the official documents of the Internet Engineering Task Force (IETF) that specify the details for new Internet specifications or protocols. RFC 1034 is entitled "Domain Names—Concepts and Facilities" and RFC 1035 is entitled "Domain Names—Implementation and Specification."
Because Active Directory uses DNS as its domain naming and location service, Windows 2000 domain names are also DNS names. Windows 2000 Server uses dynamic DNS, which enables clients with dynamically assigned addresses to register directly with a server running the DNS service and update the DNS table dynamically. Dynamic DNS eliminates the need for other name services, such as Windows Internet Naming Service (WINS), in a homogeneous Windows 2000 environment; WINS is still required where pre–Windows 2000 clients or NetBIOS-dependent applications remain.
NOTE
To read more about dynamic DNS, open your Web browser and use an Internet search engine to run a search on "RFC 2136". RFC 2136 is entitled "Dynamic Updates in the Domain Name System (DNS Update)."
IMPORTANT
For Active Directory and associated client software to function correctly, you must have installed and configured the DNS service.
Domain Namespace
The domain namespace is the naming scheme that provides the hierarchical structure for the DNS database. Each node represents a partition of the DNS database. These nodes are referred to as domains.
The DNS database is indexed by name; therefore, each domain must have a name. As you add domains to the hierarchy, the name of the parent domain is appended to its child domain (called a subdomain). Consequently, a domain's name identifies its position in the hierarchy. For example, in Figure 1.12, the domain name sales.microsoft.com identifies the sales domain as a subdomain of the microsoft.com domain and microsoft as a subdomain of the com domain.
Figure 1.12 Hierarchical structure of a domain namespace
The hierarchical structure of the domain namespace consists of a root domain, top-level domains, second-level domains, and host names.
There are two types of namespaces:
- Contiguous namespace. The name of the child object in an object hierarchy always contains the name of the parent domain. A tree is a contiguous namespace.
- Disjointed namespace. The names of the trees in the hierarchy are not derived from one another: within each tree a child's name still contains its parent's name, but the trees share no parent below the root. A forest is a disjointed namespace. For example, consider the names
- www.microsoft.com
- msdn.microsoft.com
- www.msn.com
The first two names form a contiguous namespace within microsoft.com, but the third belongs to a different tree (msn.com), so taken together the three form a disjointed namespace.
NOTE
The term domain, in the context of DNS, is distinct from domain as used in Windows 2000 directory services. A DNS domain is a node in the name hierarchy; a Windows 2000 domain is a group of computers and devices that are administered as a unit (although every Windows 2000 domain is named by a DNS domain name).
The DNS naming scheme is discussed in Chapter 4, "Creating a Domain Plan."
Root Domain
The root domain is at the top of the hierarchy and is represented as a period (.). The Internet root domain is managed by several organizations, including Network Solutions, Inc.
Top-Level Domains
Top-level domains are arranged by organization type or geographic location. Table 1.1 provides some examples of top-level domain names.
Table 1.1 Examples of Top-Level Domains
| Top-level domain | Description |
|---|---|
| gov | Government organizations |
| com | Commercial organizations |
| edu | Educational institutions |
| org | Noncommercial organizations |
| net | Commercial sites or networks |
NOTE
Individual country names may also be a part of top-level domains. Examples of country domain names are "au" for Australia or "fr" for France.
Top-level domains can contain second-level domains and host names.
Second-Level Domains
Organizations, such as Network Solutions, Inc., and others, assign and register second-level domains to individuals and organizations for the Internet. A second-level name has two name parts: a top-level name and a unique second-level name. Table 1.2 provides some examples of second-level domains.
Table 1.2 Examples of Second-Level Domains
| Second-level domain | Description |
|---|---|
| ed.gov | United States Department of Education |
| microsoft.com | Microsoft Corporation |
| stanford.edu | Stanford University |
| w3.org | World Wide Web Consortium |
| pm.gov.au | Prime Minister of Australia |
NOTE
Strictly, in the case of country names, "au" is the top-level domain and "gov.au", "edu.au", and "com.au" are second-level domains beneath it. In practice they play the same role that "gov", "edu", and "com" play in the United States, so a name such as "pm.gov.au" is registered below "gov.au" just as "ed.gov" is registered below "gov". Only where a name is structured as "company.au" does the organization's label sit directly under the ".au" top-level domain.
Host Names
Host names refer to specific computers on the Internet or a private network. For example, in Figure 1.12, Computer1 is a host name. A host name is the leftmost portion of a fully qualified domain name (FQDN), which describes the exact position of a host within the domain hierarchy. In Figure 1.12, Computer1.sales.microsoft.com. (including the end period, which represents the root domain) is an FQDN.
NOTE
The DNS host name does not have to be the same as the computer's NetBIOS name or its name under any other naming scheme, although keeping them identical avoids confusion.
Zones
A zone is a database containing resource records for a portion of a DNS namespace. Zones provide a way to partition the domain namespace into manageable sections.
Multiple zones in a domain namespace are used to distribute administrative tasks to different groups. For example, Figure 1.13 depicts the microsoft.com domain namespace divided into two zones. The two zones allow one administrator to manage the microsoft and sales domains and another administrator to manage the development domain.
A zone must encompass a contiguous domain namespace. For example, in Figure 1.13, you could not create a zone that consists of only the sales.microsoft.com and development.microsoft.com domains because the sales and development domains are not contiguous.
The resource records for a zone, including its name-to-IP-address mappings, are stored in the zone database file. Each zone is anchored to a specific domain, referred to as the zone's root domain. The zone database file does not necessarily contain information for all subdomains of the zone's root domain, only those subdomains within the zone.
In Figure 1.13, the root domain for Zone1 is microsoft.com, and its zone file contains the name-to-IP-address mappings for the microsoft and sales domains. The root domain for Zone2 is development, and its zone file contains the name-to-IP-address mappings for the development domain only. The zone file for Zone1 does not contain the name-to-IP-address mappings for the development domain, although development is a subdomain of the microsoft domain.
Figure 1.13 Domain namespace divided into zones
Name Servers
A DNS name server stores the zone database file. DNS name servers use the zone database files to handle the DNS name resolution process. Name servers can store data for one zone or multiple zones. A name server is said to have authority for the domain namespace that the zone encompasses. When a DNS name server receives a DNS query, it responds in one of three ways: by returning the requested name or IP-address information, by returning a pointer (a referral) to another DNS name server, or by indicating that the information is not available. There are three main roles a DNS name server can hold for a zone: primary, secondary, and master.
A primary name server holds the writable copy of the zone data, and all changes to the zone are made there. A secondary name server holds a read-only copy that it receives from another name server by zone transfer; both primary and secondary servers are authoritative for the zone. A zone can have multiple secondary name servers and should have at least one, to provide redundancy, improve access speed, and reduce the load on the primary name server. A master name server is a primary or secondary name server for a zone that is designated to provide updated DNS information to a secondary server. Because secondaries are refreshed by zone transfer, restrict zone transfers to the addresses of your own secondary servers; an unrestricted transfer hands anyone who asks the complete list of your hosts.
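The namespace, zone and name-server behaviour from this section as a small in-memory model: contiguous versus disjointed names, the rule that a zone must be contiguous, host-name extraction from an FQDN, and the three kinds of answer a name server gives. This is an added example, not code from the book and not a DNS implementation; the zone layout follows Figure 1.13, and the host names, addresses and name-server names under those domains are constructed for the example.

```python
"""Namespace, zone and name-server behaviour from this section as a model.

Added example, not code from the book and not a DNS implementation. Zone1
holds microsoft.com and sales, Zone2 holds development (Figure 1.13); the
hosts, addresses and name-server names are constructed.
"""


def labels(name):
    """Labels of a name from the root outward, ignoring case and a trailing dot."""
    return [part.lower() for part in name.rstrip(".").split(".") if part][::-1]


def host_name(fqdn):
    """The leftmost label of an FQDN is the host name."""
    return fqdn.rstrip(".").split(".")[0]


def is_subdomain(child, parent):
    """True when `child` lies strictly below `parent` (contiguous with it)."""
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[:len(p)] == p


class Zone:
    """A contiguous portion of the namespace anchored at `root`."""

    def __init__(self, root, records, delegations=None):
        self.root = root.rstrip(".").lower()
        self.records = {n.rstrip(".").lower(): ip for n, ip in records.items()}
        self.delegations = {n.rstrip(".").lower(): ns
                            for n, ns in (delegations or {}).items()}
        for name in list(self.records) + list(self.delegations):
            if name != self.root and not is_subdomain(name, self.root):
                raise ValueError(f"{name} is outside {self.root}: a zone must be contiguous")

    def contains(self, name):
        name = name.rstrip(".").lower()
        return name == self.root or is_subdomain(name, self.root)


def zone_is_valid(root, records, delegations=None):
    """Whether every record and delegation falls under `root`."""
    try:
        Zone(root, records, delegations)
        return True
    except ValueError:
        return False


class NameServer:
    """Answers from the zones it holds, refers for delegated subdomains,
    and reports when a name is not available."""

    def __init__(self, zones):
        self.zones = list(zones)

    def query(self, name):
        name = name.rstrip(".").lower()
        holding = [z for z in self.zones if z.contains(name)]
        if not holding:
            return ("NOT_AUTHORITATIVE", None)  # not our namespace at all
        zone = max(holding, key=lambda z: len(labels(z.root)))  # deepest zone wins
        for sub, ns in zone.delegations.items():
            if name == sub or is_subdomain(name, sub):
                return ("REFERRAL", ns)  # pointer to another name server
        if name in zone.records:
            return ("ANSWER", zone.records[name])
        return ("NAME_ERROR", None)  # authoritative: no such name


# Constructed sample zones following Figure 1.13.
ZONE1 = Zone("microsoft.com",
             {"www.microsoft.com": "10.0.0.10",
              "computer1.sales.microsoft.com": "10.0.1.20"},
             {"development.microsoft.com": "ns1.development.microsoft.com"})
ZONE2 = Zone("development.microsoft.com",
             {"build1.development.microsoft.com": "10.0.2.30"})


if __name__ == "__main__":
    ns = NameServer([ZONE1])
    for q in ["Computer1.sales.microsoft.com.", "build1.development.microsoft.com",
              "nosuch.sales.microsoft.com", "www.msn.com"]:
        print(q, "->", ns.query(q))
```

A server holding only Zone1 answers for sales directly, refers development queries to Zone2's server, and returns a name error for a missing name inside its own namespace; a server holding both zones answers the development query itself. Constructing a zone whose records span sales and development without their common parent fails the contiguity check, which is the rule the text states for Figure 1.13.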
Naming Conventions
Every object in Active Directory is identified by a name. Active Directory uses a variety of naming conventions: distinguished names, relative distinguished names, globally unique identifiers, and user principal names.
Distinguished Name
Every object in Active Directory has a distinguished name (DN) that uniquely identifies the object and contains sufficient information for a client to retrieve the object from the directory. The DN includes the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object.
For example, the following DN identifies the Firstname Lastname user object in the microsoft.com domain (where Firstname and Lastname represent the actual first and last name of a user account). Written with the most significant component first and separated by slashes, it is:
/DC=COM/DC=microsoft/OU=dev/CN=Users/CN=Firstname Lastname
In the LDAP string form of RFC 1779, which is what LDAP tools and scripts that query Active Directory use, the same DN is written from the object outward and separated by commas:
CN=Firstname Lastname,CN=Users,OU=dev,DC=microsoft,DC=COM
Table 1.3 describes the attributes in the example.
Table 1.3 Distinguished Name Attributes
| Attribute | Description |
|---|---|
| DC | Domain component name |
| OU | Organizational unit name |
| CN | Common name |
DNs must be unique. Active Directory does not allow duplicate DNs.
NOTE
To read more about distinguished names, search on the Internet for "RFC 1779". RFC 1779 is entitled "A String Representation of Distinguished Names"; it has since been superseded by RFC 2253, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", which defines the comma-separated form used by LDAP.
Relative Distinguished Name
Active Directory supports querying by attributes, so you can locate an object even if the exact DN is unknown or has changed. The relative distinguished name (RDN) of an object is the part of the DN that is an attribute of the object itself, that is, its leftmost component in LDAP form. In the preceding example, the RDN of the Firstname Lastname user object is CN=Firstname Lastname, and the RDN of its parent object is CN=Users.
You can have duplicate RDNs for Active Directory objects, but you cannot have two objects with the same RDN in the same OU. For example, if a user account is named Jane Doe, you cannot have another user account called Jane Doe in the same OU. However, objects with duplicate RDN names can exist in separate OUs because they have different DNs (see Figure 1.14).
Figure 1.14 Distinguished names and relative distinguished names
Globally Unique Identifier
A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique within the enterprise. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current DN.
In earlier versions of Windows NT, each security principal was identified by a security identifier (SID) generated within its domain (a domain identifier followed by a relative identifier), so a SID was tied to that domain: a principal moved to another domain receives a new SID there. A GUID is unique across all domains, meaning that you can move objects from domain to domain and they will still carry the same identifier. Note that the GUID does not replace the SID: Windows 2000 still uses SIDs in access control lists and access tokens, and an account moved to another domain keeps its previous SIDs in its sIDHistory attribute so that existing permissions continue to resolve.
User Principal Name
Each user account has a "friendly" name, the user principal name (UPN). The UPN is composed of a shorthand name for the user account, the @ sign, and a UPN suffix, which by default is the DNS name of the domain in which the user account object resides; an administrator can register additional suffixes for the forest. For example, Firstname Lastname (substitute the first and last names of the actual user) in the microsoft.com domain might have a UPN of FirstnameL@microsoft.com (using the full first name and the first letter of the last name). A UPN must be unique within the forest, and a user can log on with a UPN from any domain in the forest without selecting a domain.
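The four naming conventions of this section as a tiny in-memory directory: converting the DN above into LDAP string form and splitting it into RDNs, rejecting a duplicate DN while allowing the same RDN in another container, keeping an object reachable by GUID after a move, and forming a UPN from a registered suffix. This is an added example, not code from the book or from Active Directory; the DN and containers are the book's example, and the GUID handling, duplicate checks and suffix list are a model of the behaviour the text describes rather than the service's own implementation.

```python
"""Distinguished names, RDNs, GUIDs and UPNs as a tiny in-memory directory.

Added example, not code from the book or from Active Directory. The DN and
containers are the book's example; the slash-to-comma conversion follows
RFC 1779/2253. The duplicate checks, GUID handling and UPN suffix list are
modelled here, not taken from the service.
"""
import uuid


def slash_dn_to_ldap(slash_dn):
    """'/DC=COM/DC=microsoft/OU=dev/CN=Users/CN=Jane Doe' ->
    'CN=Jane Doe,CN=Users,OU=dev,DC=microsoft,DC=COM'"""
    parts = [p for p in slash_dn.split("/") if p]
    return ",".join(reversed(parts))


def split_dn(ldap_dn):
    """Split an LDAP DN into its RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(ldap_dn):
        if ldap_dn[i] == "\\" and i + 1 < len(ldap_dn):
            cur.append(ldap_dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ldap_dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ldap_dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def rdn_of(ldap_dn):
    """The leftmost component names the object itself."""
    return split_dn(ldap_dn)[0]


def parent_dn(ldap_dn):
    return ",".join(split_dn(ldap_dn)[1:])


class Directory:
    """Objects keyed by an immutable GUID, with a DN index that changes on move."""

    def __init__(self):
        self._by_guid = {}
        self._by_dn = {}

    def add(self, ldap_dn, **attrs):
        key = ldap_dn.lower()
        if key in self._by_dn:
            # Same RDN under the same parent gives the same DN: not allowed.
            raise ValueError(f"duplicate DN: {ldap_dn}")
        upn = attrs.get("userPrincipalName")
        if upn and any(o.get("userPrincipalName", "").lower() == upn.lower()
                       for o in self._by_guid.values()):
            raise ValueError(f"UPN already in use: {upn}")  # UPNs are forest-unique
        guid = str(uuid.uuid4())  # assigned once; never changes
        self._by_guid[guid] = {"dn": ldap_dn, **attrs}
        self._by_dn[key] = guid
        return guid

    def try_add(self, ldap_dn, **attrs):
        """Like add(), but returns None instead of raising on a conflict."""
        try:
            return self.add(ldap_dn, **attrs)
        except ValueError:
            return None

    def move(self, guid, new_parent):
        """Moving keeps the RDN and the GUID; only the DN changes."""
        obj = self._by_guid[guid]
        new_dn = f"{rdn_of(obj['dn'])},{new_parent}"
        if new_dn.lower() in self._by_dn:
            raise ValueError(f"duplicate DN: {new_dn}")
        del self._by_dn[obj["dn"].lower()]
        obj["dn"] = new_dn
        self._by_dn[new_dn.lower()] = guid
        return new_dn

    def get_by_guid(self, guid):
        return self._by_guid[guid]

    def get_by_dn(self, ldap_dn):
        return self._by_guid[self._by_dn[ldap_dn.lower()]]


def build_upn(first, last, suffix, forest_suffixes):
    """FirstnameL@suffix, accepting only suffixes registered for the forest."""
    if suffix.lower() not in {s.lower() for s in forest_suffixes}:
        raise ValueError(f"{suffix} is not a registered UPN suffix")
    return f"{first}{last[0]}@{suffix}"
```

An application that stored the DN would break when the account is moved to OU=sales; one that stored the GUID still finds the object, which is the point made above. The escape handling in `split_dn` matters in practice: a common name such as "Doe, Jane" contains a comma, and splitting on raw commas would produce the wrong RDN.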
Lesson Summary
In this lesson you learned about several new concepts introduced with Active Directory, including replication, trust relationships, group policies, DNS namespaces, and naming conventions.
You learned that Active Directory includes replication to ensure that changes to a domain controller are reflected in all domain controllers within a domain. Within a site, the KCC automatically generates a ring topology for replication among domain controllers in the same domain. Between sites, you must specify how your sites are connected by using site links.
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Active Directory supports two forms of trust relationships: implicit two-way transitive trusts and explicit one-way nontransitive trusts.
You also learned that group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. To create a specific desktop configuration for a particular group of users, you create group policy objects (GPOs), collections of group policy settings. Each Windows 2000 computer has one local GPO and may, in addition, be subject to any number of nonlocal (Active Directory–based) GPOs. Local GPOs are overridden by nonlocal GPOs. Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs) and can be applied to either users or computers. Following the inheritance properties of Active Directory, nonlocal GPOs are applied hierarchically from the broadest scope (site) to the narrowest (OU), and their settings are cumulative, with later-applied GPOs winning on conflict except where No Override or Block Policy Inheritance changes the outcome.
In this lesson you also learned that Active Directory uses DNS as its domain naming and location service; therefore Windows 2000 domain names are also DNS names. Windows 2000 Server uses dynamic DNS, so clients with dynamically assigned addresses can register directly with a server running the DNS service and dynamically update the DNS table. There are contiguous namespaces and disjointed namespaces.
Finally, you learned about the naming conventions employed by Active Directory: DNs, RDNs, GUIDs, and UPNs.