Active Directory Logical Structure

Active Directory Logical Structure


In Windows 2000, a domain defines an administrative boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains and because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown in Figure 1.1.


Figure 1.1 Example of a Domain Hierarchy
This hierarchical structure is a change from the flat domain structure of Microsoft® Windows NT® version 4.0 and Microsoft® Windows NT® version 3.51. The domain hierarchy of Windows 2000 allows you to search multiple domains in one query because each level of the hierarchy has information about the levels that are immediately above it and below it. This hierarchy information eliminates the need for you to know the location of a particular object in order for you to find it. In Windows NT 4.0 and earlier, you must know both the domain and the server where the object is located in order to find it.






Windows 2000 uses DNS naming standards for hierarchical naming of Active Directory domains and computers. For this reason, domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy. Although these domain hierarchies have identical names, they represent separate namespaces.
Note
The domain hierarchy defines a namespace. A namespace is any bounded area in which standardized names can be used to symbolically represent some type of information (such as an object in a directory or an Internet Protocol [IP] address) and that can be resolved to the object itself. In each namespace, specific rules determine how names can be created and used. Some namespaces, such as the DNS namespace and the Active Directory namespace, are hierarchically structured and provide rules that allow the namespace to be partitioned. Other namespaces, such as the Network Basic Input/Output System (NetBIOS) namespace, are flat (unstructured) and cannot be partitioned.
The main function of DNS is to map user-readable computer names to computer-readable IP addresses. Thus, DNS defines a namespace for computer names that can be resolved to IP addresses, or vice versa. In Windows NT 4.0 and earlier, DNS names were not required; domains and computers used NetBIOS names, which were mapped to IP addresses by using the Windows Internet Name Service (WINS). Although DNS names are required for Windows 2000 domains and Windows 2000–based computers, NetBIOS names also are supported in Windows 2000 for interoperability with Windows NT 4.0 domains and with clients that are running Windows NT 4.0 or earlier, Microsoft® Windows® for Workgroups, Microsoft® Windows® 98, or Microsoft® Windows® 95.
Note
WINS and NetBIOS are not required in an environment where computers run only Windows 2000, but WINS is required for interoperability between Windows 2000–based domain controllers, computers that are running earlier versions of Windows, and applications that depend on the NetBIOS namespace — for example, applications that call NetServerEnum and other "Net*" application programming interfaces (APIs) that depend on NetBIOS.


Windows 2000 provides support for applications that use the NetBIOS networking API and the flat NetBIOS names used by these applications. This support for non-DNS domain and computer names allows computers that are running Windows NT 4.0 and earlier, or those that are running Windows 95 or Windows 98, to identify Windows 2000 domains. For example, in a mixed-mode environment, Windows NT 4.0–based backup domain controllers (also known as "BDCs") recognize a specified Windows 2000–based domain controller as the primary domain controller (also known as a "PDC"). They use NetBIOS names to locate the primary domain controller; therefore, each Windows 2000–based domain controller must have a NetBIOS name to allow computers that are not running Windows 2000 to log on. Likewise, other server and workstation computers are recognized by NetBIOS names.
When you create a new domain during the Active Directory installation procedure, the system provides a default NetBIOS domain name that matches the leftmost label in the DNS domain name up to the first 15 bytes (NetBIOS names have a limit of 15 bytes). You can change this name during the procedure, but you cannot change it thereafter. When you name a stand-alone server or workstation computer, you provide a computer name that is used as the NetBIOS name and is concatenated with the domain name to form the full computer name.
Note
An ASCII character is the equivalent of 1 byte. However, DNS host names are encoded in UTF-8 format and do not necessarily have only 1 byte per character.


DNS is the de facto naming system for IP-based networks and the naming service that is used to locate computers on the Internet. Windows 2000 uses DNS to locate computers and domain controllers (that is, to locate Active Directory). A workstation or member server finds a domain controller by querying DNS. For this reason, installing or upgrading to Microsoft® Windows® 2000 Server requires that a DNS infrastructure is in place or is installed simultaneously.
Windows 2000 DNS server is included with Windows 2000 Server and Windows 2000 Advanced Server, and can be used to integrate DNS and Active Directory for ease of DNS management. Windows 2000 DNS server can be installed at the time you install Windows 2000 Server, at the time you install Active Directory, or manually after you have installed either of them.

In accordance with DNS naming standards, Active Directory domains are created in an inverted tree structure, with the root at the top. In addition, this Windows 2000 domain hierarchy is based on trust relationships — that is, the domains are linked by interdomain trust relationships.
Note
The default interdomain trust relationships are created by the system during domain controller creation. The number of trust relationships that are required to connect n domains is n–1, whether the domains are linked in a single, contiguous parent-child hierarchy or they constitute two or more separate contiguous parent-child hierarchies.
When it is necessary for domains in the same organization to have different namespaces, create a separate tree for each namespace. In Windows 2000, the roots of trees are linked automatically by two-way, transitive trust relationships. Trees linked by trust relationships form a forest. A single tree that is related to no other trees constitutes a forest of one tree.
The tree structures for the entire Windows 2000 forest are stored in Active Directory in the form of parent-child and tree-root relationships. These relationships are stored as trust account objects (class trustedDomain) in the System container within a specific domain directory partition. For each domain in a forest, information about its connection to a parent domain (or, in the case of a tree root, to another tree root domain) is added to the configuration data that is replicated to every domain in the forest. Therefore, every domain controller in the forest has knowledge of the tree structure for the entire forest, including knowledge of the links between trees. You can view the tree structure in Active Directory Domain Tree Manager

A Windows 2000 tree is a DNS namespace: it has a single root domain and is built as a strict hierarchy; each domain below the root domain has exactly one superior, or parent, domain. The namespace created by this hierarchy, therefore, is contiguous — each level of the hierarchy is directly related to the level above it and to the level below it, if any, as illustrated in Figure 1.6.
Figure 1.6 Example of a Contiguous Tree Hierarchy










In Windows 2000, the following rules determine the way that trees function in the namespace:
· A tree has exactly one name. The name of the tree is the DNS name of the domain at the root of the tree.
· The names of domains created beneath the root domain (child domains) are always contiguous with the name of the tree root domain.
· The DNS names of the child domains of a tree's root domain reflect this organization; therefore, the children of the root domain called "somedomain" are always children of that domain in the DNS namespace (for example, child1.somedomain, child2.somedomain, and so forth).
Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change. Changes in the overall domain architecture, such as domain collapses and domain re-creation, create difficult and potentially IT-intensive support requirements. A good namespace design should be capable of withstanding company reorganizations without the need to restructure the existing domain hierarchy.
Note
Administrative privileges do not extend from parent domains to child domains. Privileges must be granted explicitly for each domain.





A forest is a collection of one or more Windows 2000 Active Directory trees, organized as peers and connected by two-way, transitive trust relationships. A single domain constitutes a tree of one domain, and a single tree constitutes a forest of one tree. Thus, a forest is synonymous with Active Directory — that is, the set of all directory partitions in a particular directory service instance (which includes all domains and all configuration and schema information) makes up a forest.
Trees in the same forest do not form a contiguous namespace. They form a noncontiguous namespace that is based on different DNS root domain names. However, trees in a forest share a common directory schema, configuration, and Global Catalog. This sharing of common schema and configuration data, in addition to trust relationships between their roots, distinguishes a forest from a set of unrelated trees. Although the roots of the separate trees have names that are not contiguous with each other, the trees share a single overall namespace because names of objects can still be resolved by the same Active Directory. A forest exists as a set of cross-reference objects and trust relationships that are known to the member trees. Transitive trusts at the root domain of each namespace provide mutual access to resources. (For more information about cross-reference objects, see "Name Resolution in Active Directory" in this book.)
Important
Tree and forest hierarchies are specific to Windows 2000 domains. A Windows NT 4.0 domain that is configured to trust or to be trusted by a Windows 2000 domain is not part of the Windows 2000 forest to which the Windows 2000 domain belongs.
The forest structure provides companies with the option of constructing their enterprise from separate, distinct, noncontiguous namespaces. Having a separate namespace is desirable under some conditions where, for example, an acquired company's namespace should remain intact. If you have business units with distinct DNS names, you can create additional trees to accommodate the names. An example of this type of organization is shown in Figure 1.7.







Figure 1.7 Example of a Forest That Has Two Trees

Domains within an Active Directory forest share a common directory schema, configuration information, and Global Catalog. They also have transitive trust relationships that allow users in each domain access to available resources in all other domains in the tree.
Note
The directory schema and configuration data are shared because they are stored in separate logical directory partitions that are replicated to domain controllers in every domain in the forest. (For more information about directory partitions, see "Active Directory Data Storage" in this book.) The data relative to a particular domain is replicated only to domain controllers in the same domain. (For more information about replication, see "Active Directory Replication" in this book.) The Global Catalog is a domain controller that stores all objects of all domains in an Active Directory forest, which makes it possible to search for objects at the forest level rather than at the tree level.
For more information about the contents of Active Directory configuration, directory schema, and Global Catalog, see "Active Directory Data Storage" in this book. For more information about searching in Active Directory, see "Name Resolution in Active Directory" in this book.
Forest Root Domain
The first domain created in the forest is called the forest root domain. The forest root domain cannot be deleted, changed, or renamed. When you create a new tree, you specify the root domain of the initial tree, and a trust relationship is established between the root domain of the second tree and the forest root domain. If you create a third tree, a trust relationship is established between the root domain of the third tree and the forest root domain. Because a trust relationship is transitive and bidirectional, the root domain of the third tree also has a two-way trust relationship with the root domain of the second tree.
The distinguished name of the forest root domain is used to locate the configuration and schema directory partitions in the namespace. The distinguished names for the Configuration and Schema containers in Active Directory always show these containers as child objects in the forest root domain. For example, in the child domain noam.reskit.com, the distinguished name of the Configuration container is cn=configuration,dc=reskit,dc=com. The distinguished name of the Schema container is cn=schema,cn=configuration,dc=reskit,dc=com. However, this naming convention provides only a logical location for these containers. The containers do not exist as child objects of the forest root domain, nor is the schema directory partition actually a part of the configuration directory partition. They are separate directory partitions. Every domain controller in a forest stores a copy of the configuration and schema directory partitions, and every copy of these partitions has the same distinguished name on every domain controller.
When Active Directory is installed on a Windows 2000 Server–based computer, configuration and directory schema information is copied from the parent domain to the new server. Updates to configuration and directory schema information are replicated to all domain controllers throughout the forest. The distribution of this configuration and directory schema information ensures that each domain controller is aware of all other trust-related domains and of the replication topology, which makes finding and using resources in other domains possible. (For more information about finding information in Active Directory, see "Name Resolution in Active Directory" in this book.)
Note
The Active Directory rootDSE is a figurative object that has no LDAP distinguished name; it is not an "entry" in the directory but is represented as a null distinguished name (" "). It does, however, have attributes and is known to LDAP as rootDSE. RootDSE is required by LDAP as an entry point to the directory. The distinction must be clear between this root — the set of attributes that LDAP uses to connect to a particular portion of the directory on a particular domain controller — and the root domain of the forest. In addition, both of these "roots" are distinct from the root of the DNS hierarchy, which is the empty space at the top of the namespace that is represented as a period (".") and that is required as an entry point to the DNS hierarchy

Active Directory provides security across multiple domains through interdomain trust relationships. When there are trust relationships between domains, the authentication mechanism for each domain trusts the authentication mechanism for all other trusted domains. If a user or application is authenticated by one domain, its authentication is accepted by all other domains that trust the authenticating domain. Users in a trusted domain have access to resources in the trusting domain, subject to the access controls that are applied in the trusting domain.
Note
"Access to resources" in any discussion of trust relationships always assumes the limitations of access control. Trust relationships allow users and computers to be authenticated (to have their identity verified) by an authentication authority. Access control allows authenticated users to use the resources (files, folders, and virtual containers) that they are authorized to use and prohibits them from using (or even seeing) resources that they are not authorized to use. For more information about resource authorization, see "Access Control" in this book.

Transitive and Nontransitive Trust
In Windows NT 3.51 and Windows NT 4.0, trust relationships must be created explicitly in one direction. A two-way trust relationship is established by creating two one-way trust relationships. Domains can be connected by explicit one-way or two-way trust relationships for the purpose of enabling access to resources, but they are not necessarily related in any other way.
In Windows 2000, domains can be joined to a domain tree or forest, and each child domain has an automatic two-way trust relationship with the parent domain. This trust relationship is also transitive. Transitive trust means that the trust relationship extended to one domain is extended automatically to any other domain that is trusted by that domain. Transitive trust is applied automatically for all domains that are members of the domain tree or forest. Therefore, when a grandchild domain is created, the trust relationship between the parent and child domains is accepted by the grandchild domain, and vice versa. For example, if a user account is authenticated by the parent domain, the user has access to resources in the grandchild domain. Similarly, if the user is authenticated by a child domain, the user has access to resources in the parent domain, as well as in the grandparent domain.
The effect of transitive trust in Windows 2000 domains is that there is complete trust between all domains in an Active Directory forest — every domain has a transitive trust relationship with its parent domain, and every tree root domain has a transitive trust relationship with the forest root domain.
Note
In Windows 2000, transitive trust relationships are always two-way trust relationships.
A nontransitive trust relationship can be created between Windows 2000 domains when a transitive trust relationship is not appropriate, but this trust relationship must be created explicitly. It can be created, for example, between two Windows 2000 domains that are not in the same forest.
A trust relationship between a Windows 2000 domain and a Windows NT 4.0 domain is always a nontransitive trust relationship. If one of these domains is an account domain and the other is a resource domain, the trust relationship is usually created as a one-way trust relationship. If there are user accounts in both domains, two one-way trust relationships can be created between them.
The trust relationship between two domains — whether one-way or two-way, transitive or nontransitive — is stored as an interdomain trust account object in Active Directory.
For more information about the nature and management of interdomain trust objects, see "Authentication" in this book. For more information about mixed-mode trust relationships, see "Determining Domain Migration Strategies" in the Deployment Planning Guide.
Direction of Trust
In describing trust relationships, arrows illustrate the direction of trust between domains as follows:
· If B is the trusting domain and A is the trusted domain, B-->A indicates that domain B trusts domain A. (The same trust relationship can be illustrated as A<--B, that is, A is trusted by B.) · When domain B trusts domain A (B-->A), users with accounts in domain A can be authenticated for access to resources in domain B. However, users with accounts in domain B are not trusted to be authenticated for access to resources in domain A.
A hierarchy of Windows 2000 domains is implemented by trust relationships between domains. The direction of the trust relationship between a parent domain and its child domain in Active Directory is two-way (A<---->B), but it has the following restrictions:
· The parent-child relationship between two domains in a domain tree is defined by a subordinate name relationship. For example, noam.reskit.com is a child of reskit.com, but noam.com is not a child of reskit.com. A parent-child trust relationship requires both a parent-child relationship and a direction of trust, as follows: Domain A can be specified as the parent of domain B only if B-->A and B is a subordinate name of A.
· When a new domain joins a domain tree as a child, a parent-child trust relationship is defined automatically that establishes a two-way, transitive trust relationship.
Note
Automatic configuration of replication topology requires that all parent-child trust relationships within the forest are bidirectional and transitive.
The use of two-way, transitive trust relationships reduces management time because it decreases by more than half the number of trust relationships that must be managed, as the diagram in Figure 1.8 illustrates.




Figure 1.9 Mixed Environment of Two Forests and a Windows NT 4.0 Domain

The following conditions are represented in Figure 1.9:
· A.com and D.com are the roots of separate trees in forest 1. The two-way, transitive, tree-root trust between them provides complete trust between all domains in the two trees of forest 1.
· E.D.com uses resources in C.A.com for everyday business operations. To shorten the trust path between the two domains, C.A.com trusts E.D.com directly. This trust relationship serves only the purpose of shortening the trust path for authenticating E.D.com users to use resources in C.A.com. The path is shortened by cutting the number of hops required for authentication from three (E.D.com to D.com, D.com to A.com, and A.com to C.A.com) to one (E.D.com to C.A.com), which increases the speed of authentication.
· G.com is the root of a single tree that makes up forest 2. The two-way, transitive trust relationship between G.com and H.G.com allows both domains to use each others' resources.
· Domain G.com in forest 2 implements an explicit one-way external trust relationship with domain D.com in forest 1; users in domain D.com are trusted to use resources in domain G.com. Because the trust relationship is nontransitive, no other domains in forest 1 have access to resources in G.com, and D.com does not have access to resources in H.G.com.
· Domain F is a Windows NT 4.0 domain that provides support services to the users in E.D.com. This one-way nontransitive trust relationship does not extend to any other domains in forest 1.



Thanks,
Anwar Mulani
an_km@rediffmail.com

Comments

Post a Comment

Popular posts from this blog

Windows XP Boot Sequence

WINDOWS XP BOOT SEQUENCE As with other Windows Operating Systems, when you turn on your PC, it goes through an elaborate boot up process. It begins when the computer performs the POST (power-on self test), followed by the POST for each adapter card that has a BIOS, for example, your video card. The BIOS then reads the MBR (Master Boot Record) which is in the first sector of the first hard disk and transfers control to the code in the MBR which is created by the XP Setup. This is where Windows takes over the startup process. What comes next? Here's what happens: 1. The MBR reads the boot sector which is the first sector of the active partition.This sector contains the code that starts Ntldr which is the boot strap loader for Windows XP. The first role of Ntldr is to allow full memory addressing, start the file system, read boot.ini and put up the boot menu. IMPORTANT: Ntldr must be located in root folder of the active partition along with Ntdetect.com, boot.ini, bootsect.dos (f
Read more

Clusters

Image
Chapter 1: Understanding Clusters and Your Needs 1.1 Writing a Request for Proposal (RFP) for a cluster that will succeed Picture yourself in the early 1980s. You are assigned the task of designing a new computing system. Your guidelines are slim at best. The situation can only be described as: "I don't know what I want, but I will know it when I see it." The only defense against this type of statement is to sit down and write what is called a Request for Proposal. The Request for Proposal would possibly look like: I don't know what I want in a computer system, but it should provide at least the following characteristics: § Availability § Reliability § Scalability The design of the cluster computer system evolved as an answer to such a Request for Proposal. The term "cluster" as it applies to the computer industry was popularized by Digital Computer Corporation in early 1983 with VMS version 3.7. Two VAX 11/750s maintained cluster communication at the rate o
Read more