<p/>
<A NAME="332"><H1>Lesson 3: Understanding Active Directory Concepts</H1></A>
<p/>Several new concepts are introduced with Active Directory directory services. You should understand their meaning as applied to Active Directory directory services.<p/>
<font class=Quote>After this lesson, you will be able to</font>
<p/>Explain concepts associated with Active Directory directory services.<p/>
<p/><font class=Quote>Estimated lesson time: 15 minutes</font><p/><p/><A NAME="333"><h2>Schema</H2></A>
<p/>The schema contains a formal definition of the contents and structure of Active Directory directory services, including all attributes, classes, and class properties, as shown in Figure 9.4. For each object class, the schema defines which
attributes an instance of the class must have, which additional attributes it can have, and which object class can be a parent of the current object class.<p/><A HREF="'F09tk04x')"> </A>
<p/><font class=Quote>Figure 9.4</font> The schema defines the contents and structure of Active Directory directory services
<p/>Installing Active Directory directory services on the first domain controller in a new forest creates the forest root domain and the schema. The default schema contains definitions of commonly used objects and properties (such as user accounts, computers, printers, groups, and so on). The default schema also contains definitions of objects and properties that Active Directory directory services use internally to function.<p/>The Active Directory schema is extensible, which means that you can define new directory object types and attributes and new attributes for existing objects. You can extend the schema by using the Active Directory Schema snap-in or the
Active Directory Service Interfaces (ADSI).<p/>The schema is implemented and stored within Active Directory directory services itself, in the schema naming context (the schema partition), which is replicated to every domain controller in the forest; it is not part of the global catalog's partial replica. The schema can be updated dynamically, so an application can extend it with new attributes and classes and then use the extensions once the schema cache has been refreshed and the change has replicated to the domain controllers the application uses.<p/><font class=Quote>NOTE</font>Write access to the schema is limited to members of the Schema Admins group, by default, and schema changes are accepted only on the domain controller that holds the schema master role. Because a schema change is forest-wide and cannot be reversed (a class or attribute can be deactivated but never deleted), keep Schema Admins empty except while an approved change is being applied, and audit its membership.<p/><A NAME="334"><h2>Global Catalog</H2></A>
<p/>The global catalog is the central repository of information about objects in a tree or forest, as shown in Figure 9.5. Active Directory directory services automatically generate the contents of the global catalog from the domains that make up the Directory through the normal replication process.<p/><A HREF="'F09tk05x')"> </A>
<p/><font class=Quote>Figure 9.5</font> The global catalog
<p/>The global catalog is a service and a physical storage location that contains a partial replica (a selected subset of attributes) of every object in every domain of the forest. By default, the attributes stored in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon name, and so forth), and those necessary to locate a full replica of the object. As a result, you can use the global catalog to locate objects anywhere in the forest without replicating all domain information between domain controllers. A global catalog server answers these forest-wide queries over LDAP on port 3268 (3269 for LDAP over SSL), separate from the domain-only LDAP port 389; a search against the global catalog port returns attributes from the partial attribute set, so to read other attributes of an object in another domain an application must query a domain controller of that object's domain. Keep in mind that any authenticated user in the forest can search the global catalog, so an attribute you add to it is exposed forest-wide to every principal the object's ACL allows to read it.<p/><font class=Quote>NOTE</font>You use the Active Directory Schema snap-in to define which attributes are included in the global catalog replication process (the attribute's Replicate this attribute to the Global Catalog option, which sets isMemberOfPartialAttributeSet on the attribute's schema object).<p/>When you install Active Directory directory services on the first domain controller in a new forest, that domain controller is, by default, a global catalog server. A global catalog server is a domain controller that stores a copy of the global catalog. The configuration of the initial global catalog server should have the capacity to support several hundred thousand to one million objects, with the potential for growth beyond those numbers.<p/>You can designate additional domain controllers as global catalog servers by using the Active Directory Sites and Services snap-in (the Global Catalog check box on the domain controller's NTDS Settings object). When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic. The more global catalog servers that you have, the greater the replication traffic. However, the availability of additional servers can provide quicker responses to user inquiries. Microsoft recommends that every major site in your enterprise have a global catalog server.<p/><A NAME="335"><h2>Namespace</H2></A>
<p/>Active Directory directory services, like all directory services, primarily comprise a namespace. A namespace is any bounded area in which a name can be resolved. Name resolution is the process of translating a name into some object or information that the name represents. The Active Directory namespace is based on the DNS naming scheme, which allows for interoperability with Internet technologies. An example namespace is shown in Figure 9.6.<p/><A HREF="'F09tk06x')"> </A>
<p/><font class=Quote>Figure 9.6</font> Namespace diagram
<p/>Using a common namespace allows you to unify and manage multiple hardware and software environments in your network. There are two types of namespaces:<p/>
<p/><font class=Quote>Contiguous namespace.</font> The name of the child object in an object hierarchy always contains the name of the parent domain. A tree is a contiguous namespace.<p/><font class=Quote>Disjointed namespace.</font> The names of a parent object and of a child of the same parent object are not directly related to one another. A forest is a disjointed namespace.<p/>
<A NAME="336"><h2>Naming Conventions</H2></A>
<p/>Every object in Active Directory directory services is identified by a name.
Active Directory directory services use a variety of naming conventions: distinguished names, relative distinguished names, globally unique identifiers, and user principal names.<p/><A NAME="337"><h2>Distinguished Name</h2></A>
<p/>Every object in Active Directory directory services has a distinguished name (DN), which uniquely identifies an object and contains sufficient information for a client to retrieve the object from the Directory. The DN includes the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object.<p/>For example, the following DN, written in LDAP string form (most specific component first, components separated by commas), identifies the Firstname Lastname user object in the microsoft.com domain (where Firstname and Lastname represent the actual first and last names of a user account):<p/>CN=Firstname Lastname,CN=Users,OU=dev,DC=microsoft,DC=com<p/>The same name is sometimes written root first with slashes, as /DC=COM/DC=microsoft/OU=dev/CN=Users/CN=Firstname Lastname; the components are identical, only the order and the separator differ. Table 9.2 describes the attributes in the example.<p/><font class=Quote>Table 9.2</font> Distinguished Name Attributes<p/><table cellpadding=5 width="95%"><tr>
<th>Attribute</th><th>Description</th>
</tr><tr>
<td valign="top">DC</td> <td valign="top">Domain component (LDAP attribute domainComponent); one per DNS label of the domain name, so DC=microsoft,DC=com names the microsoft.com domain</td>
</tr><tr>
<td valign="top">OU</td> <td valign="top">Organizational unit name (LDAP attribute organizationalUnitName)</td>
</tr><tr>
<td valign="top">CN</td> <td valign="top">Common name (LDAP attribute commonName); used both for leaf objects such as users and for built-in containers such as Users</td>
</tr></table><p/>DNs must be unique. Active Directory directory services do not allow duplicate DNs, and DN comparison ignores case, so two names that differ only in capitalization are the same DN. A value that contains a comma or another special character must be escaped with a backslash (for example CN=Doe\, Jane), or the name will be split in the wrong place.<p/><A NAME="338"><h2>Relative Distinguished Name</h2></A>
<p/>Active Directory directory services support querying by attributes, so you can locate an object even if the exact DN is unknown or has changed. The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself: the leftmost component of the DN. In the preceding example, the RDN of the Firstname Lastname user object is CN=Firstname Lastname (attribute CN, value Firstname Lastname). The RDN of the parent object is CN=Users.<p/>You can have duplicate RDNs for Active Directory objects, but you can't have two objects with the same RDN in the same container, because their DNs would be identical. For example, if a user account is named Jane Doe, you can't have another user account called Jane Doe in the same OU. However, objects with duplicate RDNs can exist in separate OUs because they have different DNs (see Figure 9.7). Because the DN changes whenever an object is moved or renamed, it is a poor long-term identifier for scripts and applications; the GUID described in the next section is the stable one.<p/><A HREF="'F09tk07x')"> </A>
<p/><font class=Quote>Figure 9.7</font> Distinguished names and relative distinguished names
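<p/>The following Python script is an added example for this lesson, not code from the training kit or from Microsoft. It parses LDAP-form distinguished names (honouring RFC 4514 backslash escaping), converts the kit's root-first slash notation into LDAP form, extracts the RDN and parent of a name, derives a domain's DNS name from its DC components and tests the contiguous-namespace rule from the Namespace section, and then uses a constructed in-memory stand-in for a domain (the Directory class, the user names and the OU names are all assumptions for illustration) to show the rules above: DNs are unique and compared without regard to case, the same RDN may appear under different containers, and an object's GUID outlives the moves that change its DN, which is the property the next section describes.<p/>

```python
"""DN, RDN, namespace and GUID rules for Active Directory-style names.

Added example for this lesson (not training-kit code). The Directory class is a
constructed in-memory stand-in for one domain; the names used in main() are
made up. Hex escapes (\\2C) and multi-valued RDNs are not handled.
"""
import re
import uuid

def split_rdns(dn):
    """Split an LDAP DN into RDN strings, leftmost (most specific) first.
    A backslash protects the next character, so 'CN=Doe\\, Jane' stays whole."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape and escaped char together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def parse_dn(dn):
    """Return [(ATTR, value), ...]: attribute types upper-cased, escapes removed."""
    parts = []
    for r in split_rdns(dn):
        attr, eq, value = r.partition("=")
        if not attr or not eq:
            raise ValueError("malformed RDN: %r" % r)
        parts.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value)))
    return parts

def escape_value(value):
    """Escape a raw attribute value for use inside an RDN (RFC 4514 rules)."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def from_book_notation(path):
    """'/DC=COM/DC=microsoft/OU=dev/CN=Users/CN=X' (root first, slashes)
    -> 'CN=X,CN=Users,OU=dev,DC=microsoft,DC=COM' (LDAP string form)."""
    comps = [c.split("=", 1) for c in path.split("/") if c]
    return ",".join("%s=%s" % (a, escape_value(v)) for a, v in reversed(comps))

def rdn(dn):
    return split_rdns(dn)[0]

def parent_dn(dn):
    return ",".join(split_rdns(dn)[1:])

def domain_dns_name(dn):
    """Join the DC components in order to get the owning domain's DNS name."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC").lower()

def is_contiguous(child_dns, parent_dns):
    """Tree (contiguous namespace): the child's DNS name ends with the parent's.
    A second tree in the same forest fails this test (disjointed namespace)."""
    return child_dns.lower().endswith("." + parent_dns.lower())

class Directory:
    """Constructed stand-in for a domain's object store: enforces DN uniqueness
    and shows that objectGUID survives a move while the DN does not."""
    def __init__(self):
        self.by_dn = {}    # normalised DN -> objectGUID
        self.by_guid = {}  # objectGUID -> current DN

    @staticmethod
    def _key(dn):
        # DNs compare case-insensitively in AD, so normalise before comparing.
        return tuple((a, v.lower()) for a, v in parse_dn(dn))

    def exists(self, dn):
        return self._key(dn) in self.by_dn

    def create(self, dn):
        if self.exists(dn):
            raise ValueError("duplicate DN (same RDN under same parent): " + dn)
        guid = uuid.uuid4()          # assigned once at creation, never changes
        self.by_dn[self._key(dn)] = guid
        self.by_guid[guid] = dn
        return guid

    def move(self, guid, new_parent):
        """Move keeps the RDN and the GUID; only the parent part of the DN changes."""
        old_dn = self.by_guid[guid]
        new_dn = rdn(old_dn) + "," + new_parent
        if self.exists(new_dn):
            raise ValueError("target DN already exists: " + new_dn)
        del self.by_dn[self._key(old_dn)]
        self.by_dn[self._key(new_dn)] = guid
        self.by_guid[guid] = new_dn
        return new_dn

    def lookup(self, guid):
        return self.by_guid[guid]

if __name__ == "__main__":
    print(from_book_notation("/DC=COM/DC=microsoft/OU=dev/CN=Users/CN=Firstname Lastname"))
    d = Directory()
    jane = d.create("CN=Jane Doe,OU=dev,DC=microsoft,DC=com")
    d.create("CN=Jane Doe,OU=sales,DC=microsoft,DC=com")   # same RDN, other OU: allowed
    print("duplicate?", d.exists("cn=jane doe,ou=dev,dc=microsoft,dc=com"))  # case ignored
    print(d.move(jane, "OU=ops,DC=microsoft,DC=com"), "->", d.lookup(jane))
```

<p/>Run the script directly to see the conversions and the move; the one check worth carrying into real tooling is the escaping: a user whose common name contains a comma produces an RDN such as CN=Doe\, Jane, and any script that splits DNs on bare commas will mis-parse it and act on the wrong object.<p/>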
<p/><A NAME="339"><h2>Globally Unique Identifier</h2></A>
<p/>A globally unique identifier (GUID) is a 128-bit number that is, for all practical purposes, unique. Active Directory directory services assign a GUID to each object when the object is created and store it in the object's objectGUID attribute. The GUID never changes, even if you move or rename the object. Applications can store
the GUID of an object and use the GUID to retrieve that object regardless of its current DN; for example, a script can record the GUID of a service account and later bind to it (ADSI accepts the binding string form LDAP://&lt;GUID=...&gt;) without caring whether an administrator has since moved the account to another OU.<p/><A NAME="340"><h2>User Principal Name</h2></A>
<p/>User accounts have a "friendly" name, the user principal name (UPN). The
UPN is composed of a shorthand name for the user account (the UPN prefix) and a UPN suffix, which by default is the DNS name of the domain in which the user account object resides (you can register additional suffixes for the forest in Active Directory Domains and Trusts). For example, user Firstname Lastname (substitute the first and last names of an actual user) in
the microsoft.com domain might have a UPN of FirstnameL@microsoft.com
(using the full first name and the first letter of the last name). A UPN must be unique within the forest, it does not change when the account is moved between OUs, and a user can type it at logon in place of the domain\username form.<p/><A NAME="341"><h2>Lesson Summary</H2></A>
<p/>In this lesson, you learned that the schema contains a formal definition of the contents and structure of Active Directory directory services, including all
attributes, classes, and class properties. For each object class, the schema
defines which attributes an instance of the class must have, which additional
attributes it can have, and which object class can be a parent of the current object class. Installing Active Directory directory services on the first domain controller in a network creates a default schema. The Active Directory schema is extensible.<p/>You also learned that the global catalog is a service and a physical storage
location that contains a replica of selected attributes for every object in Active
Directory directory services. Active Directory directory services automatically generate the contents of the global catalog from the domains that make up the Directory through the normal replication process. By default, the attributes stored in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon name, and so forth) and those necessary to locate a full replica of the object. As a result, you can use the global catalog to locate objects anywhere in the network without replication of all domain information between domain controllers.<p/>Finally, you learned about contiguous namespaces and disjointed namespaces.
In a contiguous namespace, the name of the child object in an object hierarchy always contains the name of the parent domain. A tree is an example of a contiguous namespace. In a disjointed namespace, the names of a parent object and of a child of the same parent object aren't directly related to one another. A forest is an example of a disjointed namespace.<p/>Microsoft Windows 2000 Professional [Electronic resources], text version