Chapter 4 Active Directory Architecture

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced

Chapter 4: Active Directory Architecture




Objectives
• Describe the underlying database of Active Directory
• Describe the Active Directory schema and how it can be extended
• Describe the different Active Directory partitions and their functions




Guide to MCSE 70-294, Enhanced                         2




Active Directory Layers








Active Directory Physical Database Storage
• Extensible Storage Engine:
    • Lowest level
    • Directly responsible for manipulating database
    • All objects stored in nonhierarchical form
        • Rows in database table
• Database layer:
    • Responsible for providing object-oriented hierarchical view






Active Directory Physical Database Storage (continued)
• Directory Service Agent:
    • Third layer
    • Responsible for enforcing semantics
        • Govern how objects in Active Directory are created and manipulated
• Only adjacent layers communicate with one another







Extensible Storage Engine
• Active Directory store:
    • Transactional database
    • Based on Extensible Storage Engine
• Transaction:
    • First thing that happens: operation is logged to hard disk
    • The modification the transaction performs is then made to the in-memory copy of the data
• Manipulating the in-memory copy of data is faster than going to disk




Extensible Storage Engine (continued)
• Least recently used:
    • Storing entire database in memory is not practical
    • Data that is no longer needed is moved out of memory
    • Changes are written back to hard drive
    • Least recently used algorithm decides what to write to disk:
        • When memory is running low
        • When system is at a period of low activity








Extensible Storage Engine (continued)
• Transactions:
    • ESE writes all transactions to log before they are made to in-memory copy
    • After a crash, next time domain controller starts, ESE can use transactions recorded in log
    • Reapply changes to copy of data stored on hard disk
    • Called recovering the database
    • Done without user intervention






Extensible Storage Engine (continued)
• Checkpoints:
    • Shorten recovery times
    • Reduce amount of hard drive space logs take up
    • Completed transactions written back to disk
    • Fact that transactions were successfully written is noted
    • ESE only needs to reapply transactions from point of last checkpoint
    • Transactions can be deleted from log
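The transaction, recovery and checkpoint behaviour covered on the three ESE slides above, as an added illustration that is not from the course text: a toy write-ahead log in Python, where plain dicts and lists stand in for NTDS.DIT, EDB.LOG and EDB.CHK.

```python
class EseStore:
    """Toy write-ahead log: log first, then memory; checkpoint flushes to disk."""

    def __init__(self):
        self.log = []        # transaction log (stand-in for EDB.LOG)
        self.disk = {}       # database file (stand-in for NTDS.DIT)
        self.memory = {}     # in-memory copy of the data
        self.checkpoint = 0  # stand-in for EDB.CHK: log index already on disk

    def write(self, key, value):
        self.log.append((key, value))  # first: the operation is logged
        self.memory[key] = value       # then: the in-memory copy is modified

    def do_checkpoint(self):
        # Completed transactions are written to disk and the position is noted.
        for key, value in self.log[self.checkpoint:]:
            self.disk[key] = value
        self.checkpoint = len(self.log)

    def truncate_log(self):
        # Log entries before the checkpoint are no longer needed for recovery.
        self.log = self.log[self.checkpoint:]
        self.checkpoint = 0

    def crash(self):
        self.memory = {}  # the in-memory copy is lost; disk and log survive

    def recover(self):
        # Reapply only transactions after the last checkpoint, then reload memory.
        pending = self.log[self.checkpoint:]
        for key, value in pending:
            self.disk[key] = value
        self.checkpoint = len(self.log)
        self.memory = dict(self.disk)
        return len(pending)


def demo():
    """Two writes checkpointed, one not, then a crash: only one entry is replayed."""
    store = EseStore()
    store.write("cn=a", 1)
    store.write("cn=b", 2)
    store.do_checkpoint()
    store.write("cn=c", 3)
    store.crash()
    replayed = store.recover()
    return replayed, dict(store.disk), dict(store.memory)
```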






Active Directory File Structure
• Files:
    • NTDS.DIT
    • EDB.LOG
    • EDBXXXXX.LOG
    • EDB.CHK
    • RES1.LOG and RES2.LOG
    • TEMP.EDB







NTDS.DIT
• Actual Active Directory store
• Stores all objects and their attributes
• Located in %SYSTEMROOT%\NTDS folder on domain controllers by default
• Made up of three tables:
    • Schema table
    • Data table
    • Link table





EDB.LOG
• Current transaction log file
• Changes to Active Directory are noted first in transaction log file
• Size of EDB.LOG is always 10 MB








EDBXXXXX.LOG
• When EDB.LOG is filled, it is renamed to EDBXXXXX.LOG
• XXXXX is a number increased by one each time a new log file is created
• Every 12 hours:
    • Garbage-collection process runs
    • Deletes old EDBXXXXX.LOG







EDB.CHK
• Checkpoint file
• System recovering from failure:
    • Uses EDB.CHK file to determine what transactions should be written to database








RES1.LOG and RES2.LOG
• Placeholder files
• Reserve disk space
• If domain controller runs out of free disk space, uses reserved space from files
• Prevents updates from being lost due to insufficient disk space
• Important:
    • Include additional free space to store Active Directory database as it grows




TEMP.EDB
• Temporary storage space
• Holds large transactions while they are in process
• Used during maintenance operations








LDAP
• Primary protocol used to work with objects in Active Directory
• Vital to understand how to use LDAP naming paths








LDAP (continued)
• Name example:
    • Lori Thompson located in dev.supercorp.net domain in Research organizational unit
    • DN: CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net
    • RDN: CN=Lori Thompson
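The naming-path example on this slide, worked in Python as an added example that is not part of the course material: a small distinguished-name parser that splits a DN into its components, returns the RDN, the parent container and the DNS name of the domain, and honours backslash escapes so a comma inside a value is not mistaken for a separator.

```python
def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first.
    A backslash escapes the next character (e.g. a comma in a value);
    escapes are kept in the value so pieces can be rejoined as valid DNs."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append("\\" + ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn_of(dn):
    """The relative distinguished name is the leftmost component."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn):
    """Everything after the RDN: the container the object lives in."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def domain_of(dn):
    """Join the DC components into the DNS name of the domain."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")


def dn_of_domain(dns_name):
    """Inverse of domain_of: dev.supercorp.net -> DC=dev,DC=supercorp,DC=net."""
    return ",".join(f"DC={label}" for label in dns_name.split("."))
```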








Active Directory Schema
• All available objects and attributes
• Sets out exactly:
    • What kind of objects are represented
    • What properties or attributes are required or optional
    • What types of values are acceptable
• Tool needed to modify the schema is not available by default






Naming
• Every object class and attribute in the schema must have:
    • Unique common name
    • LDAP display name
    • Object Identifier (OID)








Example common names and LDAP display names








OID
• OID space must be obtained separately
• Two primary ways to obtain an OID space:
    • Through Microsoft
    • International Standards Organization (ISO)








Object Classes
• Definition of each type of object
• Like a template from which objects are created
• Inheritance
• Class types:
    • Structural classes
    • Abstract classes
    • Auxiliary classes
    • 88 classes





Object Classes (continued)
• Possible superiors:
    • Controls which types of objects a new object can be instantiated or moved under
    • Example: user object cannot be created (or moved) under a printer object








Attributes
• Schema contains list of all possible attributes
• Class is assigned both mandatory and optional attributes
• Syntaxes:
    • Define data type an attribute can store
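The schema rules described on the Object Classes and Attributes slides (possible superiors, mandatory and optional attributes, attribute syntaxes), as an added Python model that is not from the course text. The class and attribute definitions below are simplified stand-ins, not the real Active Directory schema; the check rejects the slide's own case of a user created under a printer object.

```python
# Syntax name -> Python type accepted for values (simplified stand-ins).
SYNTAXES = {"Unicode String": str, "Integer": int, "Boolean": bool}

# Attribute -> syntax name (simplified subset; not the real schema).
ATTRIBUTES = {
    "cn": "Unicode String",
    "sAMAccountName": "Unicode String",
    "description": "Unicode String",
    "uSNChanged": "Integer",
}

# Class -> (mandatory attributes, optional attributes, possible superiors).
CONTAINERS = {"domainDNS", "organizationalUnit"}
CLASSES = {
    "organizationalUnit": ({"cn"}, {"description", "uSNChanged"}, CONTAINERS),
    "user": ({"cn", "sAMAccountName"}, {"description", "uSNChanged"}, CONTAINERS),
    "printQueue": ({"cn"}, {"description", "uSNChanged"}, CONTAINERS),
}


def validate_create(object_class, attrs, parent_class):
    """Return schema violations for creating `attrs` as an `object_class`
    under a parent of class `parent_class`; an empty list means allowed."""
    if object_class not in CLASSES:
        return [f"unknown class {object_class}"]
    mandatory, optional, superiors = CLASSES[object_class]
    errors = []
    # Possible superiors: the class decides what it may be instantiated under.
    if parent_class not in superiors:
        errors.append(f"{object_class} cannot be created under {parent_class}")
    # Every mandatory attribute must be supplied.
    for name in sorted(mandatory - set(attrs)):
        errors.append(f"missing mandatory attribute {name}")
    for name, value in attrs.items():
        if name not in mandatory | optional:
            errors.append(f"attribute {name} not allowed on {object_class}")
        elif type(value) is not SYNTAXES[ATTRIBUTES[name]]:
            # Syntax: the value must match the attribute's declared data type.
            errors.append(f"{name} must be {ATTRIBUTES[name]}")
    return errors
```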








Common Syntaxes








Indexes
• Similar in concept to index in back of book
• Store values (in order) for all objects that have a given attribute
• Speed up queries
• Slow down creation of objects and updating of attributes
• Choose attributes that have highly unique values






Active Directory Partitions
• Database divided into groups called partitions, or naming contexts
    • Used to manage replication
• Partitions:
    • Schema partition
    • Domain partition
    • Configuration partition
    • Application partition






Active Directory Partitions (continued)
• ADSI Edit:
    • Included with Windows Server 2003 Support Tools
    • Used to view and modify objects in various Active Directory partitions








Schema
• Stores schema
• Contains definitions of all classes and attributes in entire forest
• Replicated to all domain controllers in forest
    • Content is the same throughout forest








Configuration
• Stores information about replication topology used in forest
    • Specifies how a domain controller determines with which other specific partners it replicates
• Found on all domain controllers
• Same throughout forest








Domain
• Contains users, computers, groups, and organizational units created in Windows domain
• Replicated to all domain controllers in domain
• Large amount of data
• Usually partition that changes most frequently








Application
• Cannot contain security principals
• Can be replicated to many different domains in forest
    • Without necessarily being included on all domain controllers
• Used when developer wants to store information in Active Directory






Summary
• Active Directory is made up of several layers:
    • Extensible Storage Engine (ESE)
    • Database layer
    • Directory Service Agent (DSA)
• By logging all transactions, ESE can reapply transactions in event of system failure and bring data back to a consistent state







Summary (continued)
• All objects and attributes available in Active Directory are defined in Active Directory schema
• To effectively manage replication of Active Directory, database is divided into groups called partitions









				
posted:3/28/2010
language:English
pages:12