Active Directory

Structure
Objects
Everything that Active Directory tracks is considered an object. An object is any user, system, resource, or service tracked within Active Directory. The generic term object is used because Active Directory is capable of tracking a variety of items, and many objects can share common attributes.
An Active Directory structure is a hierarchical framework of objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are Active Directory objects that are assigned unique security identifiers (SIDs) used to control access and set security.
Each object represents a single entity (whether a user, a computer, a printer, or a group) and its attributes. Certain objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object can contain) defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.
Each attribute object can be used in several different schema class objects. The schema object exists to allow the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can have serious consequences because it will fundamentally change the structure of Active Directory itself. A schema object, when altered, will automatically propagate through Active Directory and once it is created it can only be deactivated not deleted. Changing the schema usually requires a fair amount of planning.
Sites
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage active directory replication, and manage network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
Forests, trees, and domains
Forest-WidgetsCorp
    Tree-Eastern
        Domain-Boston
        Domain-NewYork
        Domain-Philly
    Tree-Southern
        Domain-Atlanta
        Domain-Dallas

Domain-Dallas
    OU-Marketing
        Donn
        Mark
        Steve
    OU-Sales
        Bill
        Ralph

Example of the geographical organizing of zones of interest within trees and domains.
The Active Directory framework that holds the objects can be viewed at a number of levels. At the top of the structure is the forest. The forest is a collection of every object, its attributes, and rules (attribute syntax) in the Active Directory. The forest, tree, and domain are the logical parts in an Active Directory network.
The Active Directory forest contains one or more transitive, trust-linked trees. A tree is a collection of one or more domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace.
Flat-filed, simulated hierarchy
The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration, and can give a resemblance of the structure of the organization in organizational or geographical terms. OUs can contain OUs (indeed, domains are containers in this sense) and can hold multiple nested OUs. Microsoft recommends as few domains as possible in Active Directory and a reliance on OUs to produce structure and improve the implementation of policies and administration. The OU is the common level at which to apply group policies, which are Active Directory objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.
However, Organizational Units are just an abstraction for the administrator, and do not function as true containers; the underlying domain operates as if objects were all created in a simple flat-file structure, without any OUs. It is not possible for example to create two user accounts with an identical username in two separate OUs, such as “fred.staff-ou.domain” and “fred.student-ou.domain”.
By contrast, LDAP and Novell eDirectory are true hierarchical directories, allowing object name duplication across separate OUs. Each user logs in by specifying their context: “fred.staff-ou” or “fred.student-ou”. For users that can’t remember their account’s context, Novell provides client login functionality known as contextless login to permit searching the directory structure for all possible matching or similar usernames. The concept of user context does not apply to Active Directory since username duplication within the domain can not occur in the first place.
Because duplicate usernames cannot exist within separate OUs of a single Active Directory domain, unique account name generation poses a significant challenge for organizations with hundreds to thousands of users that form a generalized mass which cannot easily be subdivided into separate domains, such as students in a public school system or university who must be able to log in on any computer across the district buildings or campus network.
As the number of users in a domain increases, simple username creation methods such as "first initial, middle initial, last name" will fail because so many common names like Smith or Johnson in the collective mass produce duplicates, such as two JASmith, which requires randomly adding a number to the end (JASmith1) to differentiate one of the two people. At some point of increasingly many users and name duplications, the network IT staff may give up on attempts at making usernames personally memorable, and the username simply becomes a serial number 5 to 10 digits long to provide sufficient naming uniqueness within a single domain.
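An added Python example, not from the article, of the collision-handling username allocation the paragraph describes. The directory snapshot, names and OUs are constructed, and the 20-character and forbidden-character constraints on the pre-Windows 2000 logon name are assumptions stated here rather than taken from the page.

```python
# Constructed directory snapshot (not from the article): sAMAccountName -> OU.
# Uniqueness is checked across the whole set, because the domain, not the OU,
# is the namespace in which sAMAccountName must be unique.
DOMAIN_ACCOUNTS = {
    "JASmith": "OU=Marketing,DC=dallas,DC=widgetscorp,DC=example",
    "jasmith1": "OU=Sales,DC=dallas,DC=widgetscorp,DC=example",
    "RJohnson": "OU=Sales,DC=dallas,DC=widgetscorp,DC=example",
}

# Assumed constraints: pre-Windows 2000 logon names are limited to 20 characters
# and may not contain " / \ [ ] : ; | = , + * ? < >
FORBIDDEN = set('"/\\[]:;|=,+*?<>')
MAX_LEN = 20


def candidates(first, middle, last):
    """Yield 'first initial, middle initial, last name', then numbered variants,
    trimming the base so the numeric suffix never pushes the name past MAX_LEN."""
    raw = first[:1] + middle[:1] + last
    base = "".join(c for c in raw if c not in FORBIDDEN and not c.isspace())
    if not base:
        raise ValueError("no usable characters in name")
    yield base[:MAX_LEN]
    n = 1
    while True:
        suffix = str(n)
        yield base[:MAX_LEN - len(suffix)] + suffix
        n += 1


def allocate(accounts, first, middle, last):
    """Return the first candidate not already used anywhere in the domain.
    The OU the new account will live in plays no part in the check."""
    taken = {name.lower() for name in accounts}   # sAMAccountName is case-insensitive
    for cand in candidates(first, middle, last):
        if cand.lower() not in taken:
            return cand


if __name__ == "__main__":
    print(allocate(DOMAIN_ACCOUNTS, "John", "Andrew", "Smith"))   # JASmith2
    print(allocate(DOMAIN_ACCOUNTS, "Ralph", "", "Johnson"))      # RJohnson1
```

The lowercase `jasmith1` in the Sales OU still blocks `JASmith1` for a Marketing user: the comparison is case-insensitive and domain-wide, which is exactly the flat-namespace behaviour the paragraph describes.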
Structural divisions to improve performance
Active Directory also supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g., WAN, VPN) and high-speed (e.g., LAN) connections. Sites are independent of the domain and OU structure and are common across the entire forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Exchange 2007 also uses the site topology for mail routing. Policies can also be applied at the site level.
The actual division of an organization’s information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type. These models are also often used in combination. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.
Physically, the Active Directory information is held on one or more equal peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC holds a copy of the Active Directory; changes made on one DC are synchronized (converged) to all the other DCs by multi-master replication. Servers joined to Active Directory that are not domain controllers are called member servers.
The Active Directory database is split into different stores or partitions. Microsoft often refers to these partitions as ‘naming contexts’. The ‘Schema’ partition contains the definition of object classes and attributes within the Forest. The ‘Configuration’ partition contains information on the physical structure and configuration of the forest (such as the site topology). The ‘Domain’ partition holds all objects created in that domain. The first two partitions replicate to all domain controllers in the Forest. The Domain partition replicates only to Domain Controllers within its domain. A subset of objects in the domain partition are also replicated to domain controllers that are configured as global catalogs.
Unlike earlier versions of Windows, which used NetBIOS to communicate, Active Directory is fully integrated with DNS and TCP/IP; indeed, DNS is required. To be fully functional, the DNS server must support SRV resource records (service records).
Active Directory replication is ‘pull’ rather than ‘push’. The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication. A different ‘cost’ can be given to each link (e.g., DS3, T1, ISDN etc.) and the site link topology will be altered accordingly by the KCC. Replication between domain controllers may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site.
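To make the cost-based site link selection concrete, here is an added Python example (not the KCC's own algorithm and not code from the article) that runs a shortest-path search over a constructed set of site links and shows what changes when transitive routes through intermediate sites are allowed and when they are not. Site names, link names and costs are made up.

```python
import heapq
from collections import defaultdict

# Constructed site-link topology (names and costs are made up, not from the article).
# Each entry: (site link name, set of sites it joins, cost).
SITE_LINKS = [
    ("Philly-Boston", {"Philly", "Boston"}, 50),
    ("Boston-NewYork", {"Boston", "NewYork"}, 100),
    ("NewYork-Dallas", {"NewYork", "Dallas"}, 300),
    ("Boston-Dallas", {"Boston", "Dallas"}, 350),
]


def cheapest_paths(links, source, bridge_all=True):
    """Dijkstra over site links, returning {site: (total cost, [link names])}.
    With bridge_all=False only directly linked sites are reachable, mirroring a
    topology where transitive replication over site link bridges is disabled."""
    graph = defaultdict(list)
    for name, sites, cost in links:
        for a in sites:
            for b in sites:
                if a != b:
                    graph[a].append((b, cost, name))
    best = {source: (0, [])}
    heap = [(0, source, [])]
    while heap:
        cost_so_far, site, path = heapq.heappop(heap)
        if cost_so_far > best[site][0]:
            continue                      # stale heap entry
        if not bridge_all and path:
            continue                      # one hop only without bridging
        for nxt, cost, name in graph[site]:
            total = cost_so_far + cost
            if nxt not in best or total < best[nxt][0]:
                best[nxt] = (total, path + [name])
                heapq.heappush(heap, (total, nxt, path + [name]))
    return best


if __name__ == "__main__":
    for site, (cost, path) in sorted(cheapest_paths(SITE_LINKS, "Philly").items()):
        print(f"Philly -> {site}: cost {cost} via {path}")
```

From Boston the direct link to Dallas (350) beats the two-hop route through NewYork (400), so it is chosen. Philly has no link to Dallas at all: with bridging it replicates through Boston at cost 400, and with bridging disabled Dallas is simply unreachable from Philly, which is the situation the page describes when transitive connections are not permitted.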
In a multi-domain forest the Active Directory database becomes partitioned. That is, each domain maintains a list of only those objects that belong in that domain. So, for example, a user created in Domain A would be listed only in Domain A’s domain controllers. Global catalog (GC) servers are used to provide a global listing of all objects in the Forest. The Global catalog is held on domain controllers configured as global catalog servers. Global Catalog servers replicate to themselves all objects from all domains and hence, provide a global listing of objects in the forest. However, in order to minimize replication traffic and to keep the GC’s database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.
Replication of Active Directory uses Remote Procedure Calls (RPC over IP [RPC/IP]). Between Sites you can also choose to use SMTP for replication, but only for changes in the Schema or Configuration. SMTP cannot be used for replicating the Domain partition. In other words, if a domain exists on both sides of a WAN connection, you must use RPCs for replication.
The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98), limited to 16 terabytes and 1 billion objects in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects. (NT4's Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. In Windows Server 2003 a third main table was added for security descriptor single instancing.
Active Directory is a necessary component for many Windows services in an organization such as Exchange.
FSMO Roles
Flexible Single Master Operations (FSMO, sometimes pronounced “fizz-mo”) roles are also known as operations master roles. Although the AD domain controllers operate in a multi-master model, i.e. updates can occur in multiple places at once, there are several roles that are necessarily single instance:
Role Name | Scope | Description
Schema Master | 1 per forest | Controls and handles updates/modifications to the Active Directory schema.
Domain Naming Master | 1 per forest | Controls the addition and removal of domains from the forest, if present in the root domain.
PDC Emulator | 1 per domain | Provides backwards compatibility for NT4 clients for PDC operations (such as password changes). The PDC emulator also runs domain-specific processes such as the Security Descriptor Propagator (SDPROP) and is the master time server within the domain.
RID Master | 1 per domain | Allocates pools of unique identifiers (RIDs) to domain controllers for use when creating objects.
Infrastructure Master | 1 per domain/partition | Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS) unless all DCs are also GCs.
Trust
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusting domain: The domain that allows access to users from a trusted domain.
Trusted domain: The domain that is trusted; its users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the tree.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one-way only.
Cross-link trust: An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2010 Server supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut
Windows Server 2003 offers a new trust type the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted.
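An added Python example, not from the article, that models the trust definitions above as a directed graph and checks whether a path exists from a resource domain back to the user's domain; a non-transitive trust can only serve as a direct hop. Domain names and the trust relationships are constructed, and transitivity is modelled as a per-trust flag (the forest-boundary limit on forest trusts is not modelled).

```python
from collections import defaultdict, deque

# Constructed trust relationships (domain names made up, not from the article).
# Each entry: (trusting domain, trusted domain, transitive?). A user from the
# trusted domain may be granted access to resources in the trusting domain.
TRUSTS = [
    # parent/child trusts inside one forest: two-way and transitive
    ("boston.widgets.example", "widgets.example", True),
    ("widgets.example", "boston.widgets.example", True),
    ("dallas.widgets.example", "widgets.example", True),
    ("widgets.example", "dallas.widgets.example", True),
    # one-way forest trust: the widgets forest trusts the partner forest
    ("widgets.example", "partner.example", True),
    # one-way external trust to an NT4-style domain: non-transitive
    ("dallas.widgets.example", "legacy.local", False),
]


def trust_path(trusts, resource_domain, user_domain):
    """Return the list of (trusting, trusted) hops that let a user from user_domain
    reach resource_domain, [] if they are the same domain, or None if no path exists.
    A direct trust of any kind is enough; longer paths may use transitive trusts only."""
    if resource_domain == user_domain:
        return []
    trusted_by = defaultdict(list)
    for trusting, trusted, transitive in trusts:
        trusted_by[trusting].append((trusted, transitive))
    # direct hop: one-way, external and other non-transitive trusts all qualify here
    for trusted, _ in trusted_by[resource_domain]:
        if trusted == user_domain:
            return [(resource_domain, trusted)]
    # multi-hop: breadth-first search following transitive trusts only
    queue = deque([(resource_domain, [])])
    seen = {resource_domain}
    while queue:
        domain, path = queue.popleft()
        for trusted, transitive in trusted_by[domain]:
            if not transitive or trusted in seen:
                continue
            hops = path + [(domain, trusted)]
            if trusted == user_domain:
                return hops
            seen.add(trusted)
            queue.append((trusted, hops))
    return None


if __name__ == "__main__":
    print(trust_path(TRUSTS, "boston.widgets.example", "partner.example"))
    print(trust_path(TRUSTS, "partner.example", "boston.widgets.example"))
    print(trust_path(TRUSTS, "boston.widgets.example", "legacy.local"))
```

The one-way forest trust lets a partner.example user reach resources in every domain of the widgets forest, but gives widgets users nothing in the other direction. The external trust from dallas to legacy.local stops at dallas: a legacy.local user has no path to boston even though boston and dallas trust each other transitively, which is the practical meaning of "intransitive".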
ADAM/AD LDS
Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service, on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.
Like Active Directory, ADAM provides a Data Store, which is a hierarchical datastore for storage of directory data, a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, with each instance having its own and required by applications making use of the ADAM directory service.
In Windows Server 2008, ADAM has been renamed AD LDS (Lightweight Directory Services).
Integrating Unix into Active Directory
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems through standards compliant LDAP clients, but these systems usually lack the automatic interpretation of many attributes associated with Windows components, such as Group Policy and support for one-way trusts.
There are also third-party vendors who offer Active Directory integration for Unix platforms (including UNIX, Linux, Mac OS X, and a number of Java- and UNIX-based applications). Some of these vendors include Centrify (DirectControl), Computer Associates (UNAB), Likewise Software (Open or Enterprise), Quest Software (Authentication Services) and Thursby Software Systems (ADmitMac). The open source Samba software provides a way to interface with Active Directory and join the AD domain to provide authentication and authorization; version 4 (in alpha as of October 2009) can act as a peer Active Directory domain controller. Microsoft is also in this market with its free Microsoft Windows Services for UNIX product.
The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, contains support for using these attributes directly, provided they have been populated. The default Active Directory schema for group membership complies with the proposed extension, RFC 2307bis. Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.
An alternate option is to use another directory service such as 389 Directory Server (formerly Fedora Directory Server) or Sun Microsystems Sun Java System Directory Server, which can perform a two-way synchronization with Active Directory and thus provide a “deflected” integration with Active Directory as Unix and Linux clients will authenticate to FDS and Windows Clients will authenticate to Active Directory. Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database will see entries containing both the remote and local attributes, while the remote database remains completely untouched.
Replacement with other directories
Active Directory and a Windows-based file server are not required to implement roaming user profiles on client Windows computers. For example, the directory can be fully replaced by competitor products such as Novell eDirectory. Novell has supported roaming profiles since Windows 2000 with its ZENworks Desktop Management software package, and starting with Windows XP also supports group policy objects, in addition to providing workstation management features such as remote view/control, remote application installation, and inventorying of installed hardware and software. With the Novell client installed, roaming profile data may also be stored on a NetWare file server using the NetWare Core Protocol, though a Novell server also permits creation of Windows shares.
There are certain differences in operation when using non-Microsoft directories:
Novell permits duplicate usernames within different organizational units, which Active Directory does not support.
Novell stores Windows 2000 and Windows XP user profiles in separate folders, similar to how Microsoft uses separate storage for XP and Vista profiles.
Offline folders are not possible using NCP.
A Windows client normally checks the roaming user’s SID for profile ownership during login but this can be disabled to work with other directories.
See also
FreeIPA
Active Directory Explorer
Directory Services Restore Mode
Flexible single master operation
List of LDAP software
AGDLP (implementing role based access controls using nested groups)
Mylogon – A less complex alternative to Active Directory for small sites.
External links
Microsoft’s Active Directory Page
Active Directory Application Mode (ADAM)