defines attributes an instance class must have and those
attributes that are optional
What Object classes can be parents
Default schema contains definitions of most commonly used
• Extensible schema
Can name new object types and their attributes
Or new attributes of existing objects
Not for the faint-hearted
• The global catalog is the central repository of information about
objects in a domain tree or forest.
• Contents generated by AD Services
• Only the most frequently used attributes
• The global catalog is a service as well as a physical storage
location that contains a replica of selected attributes of every
object in the Active Directory store.
• By default, the first domain controller is a global catalog server.
• Additional domain controllers can also be designated as global
catalog servers by using the Active Directory Sites And Services
Distinguished Names (DNs)
• Objects are located within Active Directory domains according to
a hierarchical path.
• Every object in the Active Directory store has a DN, which
uniquely identifies the object.
• The DN includes the name of the domain that holds the object
as well as the complete path through the container hierarchy to
For example: if John Smith works for msft.com and is a member
of the CONTOSO domain his DN is
• The RDN is one of an object’s attributes.
• The RDN is part of the full DN. For example: CN=John Smith
• Active Directory services allow duplicate RDNs for objects, but
no two objects with the same RDN can exist within the same
Globally Unique Identifiers
• Assigned to every object
• 128 bit number
• Never changes
• Identifies Object regardless of
• Unique across Domains
• Stored in an Object attribute
• Can move objects but GUID
stays the same
User Principal Names
• The UPN is a friendly name that is shorter than the DN and
easier to remember.
• The UPN consists of a shorthand name that represents the user
and usually the DNS name of the domain where the object
• Independent of DN
• Example: firstname.lastname@example.org
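The naming rules on these slides (a DN is a path of RDNs, an RDN must be unique among its siblings but may repeat elsewhere, the objectGUID survives a move while the DN changes, and the UPN is independent of the DN) can be modelled in a few dozen lines. The following is an added example, not material from the slides: a toy in-memory directory store with a constructed CONTOSO layout and a constructed user; the container names, account names and the `Directory` class are assumptions made for illustration.

```python
"""Toy directory store modelling AD naming rules: DN = path of RDNs,
RDN unique among siblings, objectGUID fixed across moves, UPN independent
of the DN. Added example; the OU layout and users below are constructed."""
import uuid


def split_dn(dn: str) -> list:
    """Split a DN into its RDNs, honouring backslash-escaped commas
    (e.g. 'CN=Smith\\, John' stays one RDN). Leftmost RDN is the object's own."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep both
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def rdn_of(dn: str) -> str:
    return split_dn(dn)[0]


def parent_of(dn: str) -> str:
    return ",".join(split_dn(dn)[1:])


def dns_name_from_dn(domain_dn: str) -> str:
    """'DC=contoso,DC=com' -> 'contoso.com' (the usual UPN suffix)."""
    return ".".join(r.split("=", 1)[1] for r in split_dn(domain_dn)
                    if r.upper().startswith("DC="))


class Directory:
    """Objects are identified by GUID; the DN is only their current location."""

    def __init__(self, domain_dn: str):
        self.domain_dn = domain_dn
        self.by_guid = {}                       # objectGUID -> attributes (stable identity)
        self.by_dn = {}                         # casefolded DN -> objectGUID (location)
        root = str(uuid.uuid4())
        self.by_guid[root] = {"dn": domain_dn, "objectClass": "domainDNS"}
        self.by_dn[self._key(domain_dn)] = root

    @staticmethod
    def _key(dn: str) -> str:
        return dn.casefold()                    # AD compares RDNs case-insensitively

    def add(self, dn: str, attrs: dict) -> str:
        parent = parent_of(dn)
        if self._key(parent) not in self.by_dn:
            raise LookupError(f"parent container {parent!r} does not exist")
        # DN = RDN + parent, so a DN clash is exactly a duplicate RDN among siblings
        if self._key(dn) in self.by_dn:
            raise ValueError(f"RDN {rdn_of(dn)!r} already used under {parent!r}")
        guid = str(uuid.uuid4())
        self.by_guid[guid] = {"dn": dn, **attrs}
        self.by_dn[self._key(dn)] = guid
        return guid

    def move(self, guid: str, new_parent: str) -> str:
        """Relocate an object: its DN changes, its GUID does not."""
        rec = self.by_guid[guid]
        new_dn = f"{rdn_of(rec['dn'])},{new_parent}"
        if self._key(new_parent) not in self.by_dn:
            raise LookupError(f"target container {new_parent!r} does not exist")
        if self._key(new_dn) in self.by_dn:
            raise ValueError(f"RDN {rdn_of(new_dn)!r} already used under {new_parent!r}")
        del self.by_dn[self._key(rec["dn"])]
        self.by_dn[self._key(new_dn)] = guid
        rec["dn"] = new_dn
        return new_dn

    def upn(self, guid: str) -> str:
        """UPN = shorthand account name @ DNS name of the domain; no DN involved."""
        return f"{self.by_guid[guid]['sAMAccountName']}@{dns_name_from_dn(self.domain_dn)}"


def demo() -> dict:
    d = Directory("DC=contoso,DC=com")
    for ou in ("Sales", "Marketing", "Support"):
        d.add(f"OU={ou},DC=contoso,DC=com", {"objectClass": "organizationalUnit"})
    john = d.add("CN=John Smith,OU=Sales,DC=contoso,DC=com",
                 {"objectClass": "user", "sAMAccountName": "jsmith"})
    try:                                        # same RDN, same container: rejected
        d.add("CN=john smith,OU=Sales,DC=contoso,DC=com", {"sAMAccountName": "jsmith2"})
        dup_rejected = False
    except ValueError:
        dup_rejected = True
    d.add("CN=John Smith,OU=Marketing,DC=contoso,DC=com",   # same RDN elsewhere: fine
          {"objectClass": "user", "sAMAccountName": "jsmith2"})
    try:                                        # move into a container that already has that RDN
        d.move(john, "OU=Marketing,DC=contoso,DC=com")
        move_conflict = False
    except ValueError:
        move_conflict = True
    new_dn = d.move(john, "OU=Support,DC=contoso,DC=com")
    return {"dup_rejected": dup_rejected, "move_conflict": move_conflict,
            "new_dn": new_dn, "guid_unchanged": d.by_dn[d._key(new_dn)] == john,
            "rdn": rdn_of(new_dn), "upn": d.upn(john)}
```

`demo()` walks through the four rules in order; a real DN parser also has to deal with hex escapes and multi-valued RDNs, which the slides do not cover and this example leaves out.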
Active Directory Structure
• Data model
Can be updated dynamically
Protected by ACLs
• Security model
Trusted Computer Base
• Administration model
Authorized to perform certain set of actions
• Directory System Agent
Manages all AD service functions
• Active Directory Service Interfaces (ADSI)
Easy to write applications
Developers - C++, VB
Administrators - C++, VB, Script
Users - Script
• LDAP C API
Ability to work with many types of clients
• Windows MAPI
Outlook or other legacy apps
Active Directory Key Service
• LDAP provides the API for LDAP clients and exposes the ADSI so
that additional applications can be written that can talk to the
Active Directory services.
• REPL is used by the replication service to facilitate Active
Directory replication via RPC over Internet Protocol (IP) or
Simple Mail Transfer Protocol (SMTP).
• SAM Provides down-level compatibility to facilitate
communication between Microsoft Windows 2000 and Microsoft
Windows NT 4.0 domains.
• MAPI supports legacy MAPI clients.
Directory System Agent
• Object identification
Maintains GUID association with object
• Transaction processing
Commit / Rollback
• Schema enforcement of updates
Duplication and Synchronization of directory information
Change in an object may conflict with other object in same or other
Any change you make on the master is made on all replicas
i.e., schema changes must be replicated to preserve consistency
• Access control enforcement
• Support for replication
• Provides an object view of database information by applying
schema semantics to database records
• Is an internal interface that is not exposed to the public
• Follows the parent references in the database and concatenates
the successive RDNs to form DNs
• Translates each DN into an integer structure called the DN tag,
which is used for internal access
• Is responsible for the creation, retrieval, and deletion of
individual records, attributes, and values
Extensible Storage Engine
• A new and improved version of the JET database
• Implements a transacted database system that uses log files to
ensure that committed transactions are safe
• Stores all Active Directory objects
• Comes with a predefined schema that defines all the attributes
required and allowed for a given object
• Stores attributes that can have multiple values
• Can handle sparse rows
Introduction to Namespace
• Consists of
• The Active Directory namespace is the top-level qualified domain name for the
• You must determine whether the internal and external namespaces will be the
same or separate.
Internal - Inside the firewall
External - Outside the firewall
Registered Domain Name
• Your name space architecture should be:
adaptable to change
able to distinguish between internal and external resources
protect company data
• Same internal and external name space
Internal users can access both intranet and internet servers
External users can access internal resources
Company DNS divided into two zones
One resolves resources for external users - outside the firewall
The other resolves resources for internal users – inside the firewall
May need to duplicate the external zone for internal user access
• Advantage - Single logon, consistent naming
• Disadvantage - complicated, duplication, different view of internal and
• Different internal and external name space
Requires registering two Domain Names
If the internal name is not reserved, someone else may use it
Two DNS Zones
Distinct difference between internal and external resources
No overlap or duplication
Registering two names
Different logon names and email names
Introduction to OU Planning
• OUs should reflect the details of the organization’s business
• Create OUs to delegate administrative control over smaller
groups of users, groups, and resources.
• OUs eliminate the need to provide users with administrative
access at the domain level.
• OUs inherit security policies from the parent domain and parent
OU unless inheritance is specifically disabled.
Creating the OU Structure
• You should begin your OU design by creating an OU structure
for the first domain in the namespace.
• When you create an OU, you should determine who will be able
to view and control certain objects and what level of
administration each administrator will have over the objects.
OU Design Guidelines
• Create OUs to delegate administration.
• Create a logical and meaningful OU structure that allows OU
administrators to complete their tasks efficiently.
• Create OUs to apply security policies.
• Create OUs to manage the visibility of published resources.
• Create OU structures that are relatively static. OUs also give the
namespace flexibility to adapt to changing needs of the
• Avoid allocating too many child objects to any OU.
Structure the OU Hierarchy
• Administration-based or object-based OUs
Users, Computers, Applications
• Geographical-based OUs
Eastern, Central, Rocky Mountain ..
• Business function–based OUs
Accounting, Finance, Marketing, Manufacturing
• Department-based OUs
Shipping, Receiving, Sales
• Project-based Ous
Introduction to Site
• The physical design of a Windows 2000 network is demarcated
• The Active Directory replication engine allows you to
differentiate between replication over a LAN and replication over
• How you set up your sites affects Windows 2000 with respect to
workstation logon and directory replication.
• In Active Directory services, sites are not part of the namespace.
• Properly planned sites ensure that network links are not
saturated by replication traffic, that Active Directory services
stay current, and that client computers access resources that are
closest to them.
• When planning how to group subnets into sites, consider the
connection speed between the subnets.
• When planning sites, consider which domain controllers
workstations should use.
• To have a particular workstation log on to a specific set of
domain controllers, define the sites so that only those domain
controllers are on the same site as the workstation.
• When planning sites, consider where the domain controllers will
• Configure sites so that replication occurs at times or intervals
that will not interfere with network performance.
• When implementing sites in branch offices, base your planning
on the size of the branch office.
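The site planning points above come down to one lookup: a client's IP address is matched to a subnet, the subnet belongs to a site, and the client prefers domain controllers in that site; a small branch with no domain controller of its own falls back over the cheapest site link. The following is an added example, not part of the slides: a simplified model of that lookup using Python's standard `ipaddress` module, with a constructed topology (the site, subnet, link and domain controller names are assumptions). Real Active Directory site coverage uses more inputs than link cost, so treat the fallback rule as illustrative.

```python
"""Subnet-to-site lookup with longest-prefix matching and a link-cost fallback
for sites without a domain controller. Added example with constructed data."""
import ipaddress

# Constructed sample topology: Boulder is a small branch carved out of Denver's
# address range and, being small, has no domain controller of its own.
SITES = {
    "Denver": ["10.1.0.0/16"],
    "Boulder": ["10.1.200.0/24"],
    "Chicago": ["10.2.0.0/16", "192.168.50.0/24"],
}
SITE_LINKS = [("Denver", "Boulder", 100), ("Denver", "Chicago", 200)]   # (a, b, cost)
DCS = {"Denver": ["DEN-DC1"], "Chicago": ["CHI-DC1", "CHI-DC2"]}      # Boulder: none


def build_subnet_table(sites: dict) -> list:
    """Flatten sites into (network, site) pairs, most specific prefix first."""
    table = [(ipaddress.ip_network(s), site) for site, subs in sites.items() for s in subs]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def overlapping_subnets(sites: dict) -> list:
    """Planning check: the same subnet assigned to two sites is a configuration error."""
    seen, clashes = {}, []
    for site, subs in sites.items():
        for s in subs:
            net = ipaddress.ip_network(s)
            if net in seen and seen[net] != site:
                clashes.append((str(net), seen[net], site))
            seen[net] = site
    return clashes


def site_for(ip: str, table: list) -> str:
    """Longest-prefix match; None means no subnet object covers this client."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site
    return None


def dcs_for_client(ip: str, table: list) -> list:
    """DCs a client should prefer: its own site's, else the cheapest linked site's."""
    site = site_for(ip, table)
    if site is None:                       # unassigned subnet: any DC in the domain
        return sorted(dc for dcs in DCS.values() for dc in dcs)
    if DCS.get(site):
        return DCS[site]
    best = None                            # no DC here: walk directly linked sites
    for a, b, cost in SITE_LINKS:
        if site in (a, b):
            other = b if a == site else a
            if DCS.get(other) and (best is None or cost < best[0]):
                best = (cost, other)
    return DCS[best[1]] if best else []
```

`site_for("10.1.200.7", build_subnet_table(SITES))` returns `"Boulder"` even though the address also lies inside Denver's /16, because the /24 is the more specific match; `dcs_for_client` then hands that client Denver's domain controllers over the cost-100 link. A client in a subnet no site claims gets every DC in the domain, which is exactly the unpredictable logon behaviour the slides say properly planned sites avoid.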
The Active Directory
Database and the Shared
Created when Active Directory Services is installed
The Active Directory
• The database is a file named Ntds.dit, which is the directory for
the new domain.
• The default location for the database and the database log files
is %systemroot%\Ntds, although you can specify a different
• The database contains all the information stored in the Active
• The Ntds.dit file is an ESE database that contains the entire
schema, the global catalog, and all the objects stored on that
The Shared System Volume
• The shared system volume is a folder structure that exists on all
• The shared system volume stores scripts and some of the group
policy objects for the current domain as well as the enterprise.
• Replication of the shared system volume occurs on the same
schedule as Active Directory replication.
Introduction to OUs and
• Each Active Directory object is a distinct named set of attributes
that represents a specific network resource.
• Before objects are added to Active Directory services, you
should create the OUs that will contain those objects.
Adding Objects to OUs
Object types: Computer, Contact, Group, Printer, User, Shared Folder
Modifying Attributes and
• You can modify the attributes of an object to change or add
• You can modify an object’s attribute by opening the properties
for that object in the Active Directory Users And Computers
• To maintain security, delete objects when they are no longer
• You can move objects from one location in the Active Directory
store to another location.
• You should move objects when organization or administrative
Managing Active Directory
• Use Active Directory permissions to determine who has the
permissions to gain access to the object and what type of access
• The object type determines which permissions you can select.
• Permissions inheritance minimizes the number of times you need
to assign permissions for objects.
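Permission inheritance (this slide), the OU inheritance rule above (OUs inherit policy from the parent domain and parent OU unless inheritance is specifically disabled) and the later guidelines to use deny permissions sparingly and to keep someone with Full Control all follow from how a DACL is evaluated: explicit ACEs on the object are checked before inherited ones, denies before allows at each level, and the first matching ACE decides. The following is an added example, not from the slides: a simplified DACL evaluator over a constructed OU tree (group names, OU names and the `ACE`/`Node` classes are assumptions). It ignores object-specific and property-level rights and the generic-to-specific mapping of Full Control, which are beyond what the slides describe.

```python
"""Simplified Active Directory DACL evaluation: explicit ACEs before inherited,
deny before allow at each level, first match wins, inheritance can be blocked.
Added example with a constructed OU tree."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ACE:
    trustee: str                 # user or group name
    right: str                   # e.g. "Read", "ResetPassword", "FullControl"
    allow: bool                  # True = allow ACE, False = deny ACE
    inheritable: bool = True     # whether child objects receive this ACE


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)
    block_inheritance: bool = False   # "inheritance specifically disabled"


def ace_levels(node: Node) -> list:
    """ACE lists in evaluation order: the object's own, then each ancestor's
    inheritable ACEs, stopping where a container blocks inheritance."""
    levels, cur = [node.aces], node
    while cur.parent is not None and not cur.block_inheritance:
        cur = cur.parent
        levels.append([a for a in cur.aces if a.inheritable])
    return levels


def has_access(node: Node, groups: set, right: str) -> bool:
    """First matching ACE decides; within a level denies are ordered first."""
    for level in ace_levels(node):
        for ace in sorted(level, key=lambda a: a.allow):      # False (deny) sorts first
            if ace.trustee in groups and ace.right in (right, "FullControl"):
                return ace.allow
    return False                                               # no ACE: access denied


def demo() -> dict:
    domain = Node("DC=contoso,DC=com", aces=[ACE("Domain Admins", "FullControl", True)])
    sales = Node("OU=Sales", domain, aces=[
        ACE("HelpDesk", "ResetPassword", True),
        ACE("Temps", "Read", False),                           # an inherited deny
    ])
    contractors = Node("OU=Contractors,OU=Sales", sales, block_inheritance=True)
    alice = Node("CN=Alice", sales, aces=[ACE("Temps", "Read", True, inheritable=False)])
    bob = Node("CN=Bob", sales)
    carol = Node("CN=Carol", contractors)
    return {
        "helpdesk_resets_bob": has_access(bob, {"HelpDesk"}, "ResetPassword"),
        "helpdesk_resets_carol": has_access(carol, {"HelpDesk"}, "ResetPassword"),
        "domain_admins_on_carol": has_access(carol, {"Domain Admins"}, "FullControl"),
        "temps_read_bob": has_access(bob, {"Temps"}, "Read"),
        "temps_read_alice": has_access(alice, {"Temps"}, "Read"),
    }
```

Two results in `demo()` are the ones worth noticing. Blocking inheritance on the Contractors OU cuts off not only the help desk delegation but also Domain Admins' Full Control, which is why the guidelines insist that at least one principal keep Full Control on every object. And the deny on Temps inherited from the Sales OU is overridden by an explicit allow placed on Alice's object, so a deny higher in the tree gives less protection than it appears to, one reason to use deny permissions sparingly and to prefer delegation by OU instead.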
Control of Objects
• You can delegate administrative control of objects to individuals.
• Use the Delegation Of Control wizard to delegate control of
• An administrator can delegate specific types of control.
• The most common method of delegating control is to assign
permissions at the OU level.
• To delegate administrative control, you should try to follow
• You can access the Delegation Of Control wizard through the
Active Directory Users And Computers snap-in.
Guidelines for Administering
Active Directory Services
• Coordinate Active Directory structure with other administrators.
• Complete all attributes when creating objects.
• Use deny permissions sparingly.
• Ensure that at least one user has Full Control permission for
• Ensure that delegated users take responsibility and can be held
• Provide training for users who control objects.