لطفا منتظر باشید ...
Publisher| Active DirectoryConcepts |
central repository of information on
a WS2003-based network. Active Directory stores information about
where different resources are located on the network. These resources
include user and group accounts, computers, printers, and shared
folders. Active Directory can be used to locate these resources
quickly so that administrators can create, delete, configure, and
maintain them as needed, and ordinary users can access them if they
have suitable permissions to do so. Active Directory gives
administrators a great deal of flexibility in how their network
resources should be administered. By managing resources from any
location in the enterprise, you can centralize IT administration in a
few users or a single location. On the other hand, Active Directory
allows you to create structure using domains and OUs and then to
delegate authority over these portions. This allows for decentralized
administration in which certain administrative tasks are devolved to
various trusted users throughout the enterprise. Active Directory is
managed primarily through the GUI but can also be programmatically
accessed through an API called the Active
Directory Service Interface (ADSI). By writing scripts that use ADSI,
administrators can automate most Active Directory administrative
procedures, but this requires a good understanding of VBScript or
JScript and is beyond the scope of this book.
Logical Structure of Active Directory
In its most abstract sense, Active Directory
represents a company's network resources using a
hierarchical structure of logical objects such as the following:
- Forest
The most encompassing logical construct
in Active Directory. A forest is a collection of domain trees linked
together at their roots by transitive trusts.- Tree
Also called a domain tree, a hierarchical
grouping of domains beginning with a root domain and branching out to
child domains. Trees must form a contiguous DNS namespace, and a
forest can consist of one or more trees joined at their roots by
transitive trusts.- Domain
The primary administrative boundary for
WS2003 networks. Domains are named using DNS, and a tree consists of
one or more domains hierarchically joined by transitive trusts.- Organizational unit (OU)
Logical containers you can use to group objects
in a domain for security and administration purposes. You can create
hierarchical treelike structures of OUs to reflect your
company's geographical, organizational, or
administrative structure.- Object
A user, group, computer, printer, shared
folder, or anything else that can be
"contained" within a domain or OU.
For example, a user object represents an employee within your
company, a computer object represents a physical computer, and so on.- Trust
A secure communications channel between
domains, domain trees, or forests. Trusts enable users in one domain
to be authenticated by a domain controller in other domains and may
be transitive, one-way, or cross-linked in nature.
For more information on these topics, see
Domain , Domain Controller ,
Forest , OU , and
Trusts . For more information on specific types
of Active Directory objects, see Group s,
Printing , Shared Folders ,
and Users .
Planning Active Directory
A big part of planning for an Active
Directory deployment involves planning the logical structure that
best meets your company's administrative and
security needs. Figure 4-1 illustrates the logical structure of an
Active Directory with domains represented by black dots, trees by
shaded areas, and trusts by lines joining domains. The entire diagram
represents the forest. In addition, domains may also contain
organizational units. An OU is a logical container that can be
created to enclose other Active Directory objects, such as users,
computers, groups, printers, or even other OUs.The typical approach to creating the logical structure for Active
Directory is to create your domains and trees in a way that mirrors
the geographical or administrative structure of your company. For
example, you might create separate domain trees for your American and
European offices with the root domain of each tree representing
headquarters and child domains representing branch offices. Then you
would create OUs within your domains to establish a more granular
level of logical structure. For example, you could create separate
OUs for your management, sales, human resources, and customer support
departments. Then within your sales OU you could create additional
OUs for different product groups. The key idea in planning the
logical structure of Active Directory is that the domains and
upper-level OUs you create should be relatively stable and unchanging
in order to simplify administration through delegation and use of
Group Policy.The most important thing to remember when planning your Active
Directory structure is to keep it simpleif you can get by
using only one domain, then do so. On the other hand, there are
sometimes advantages to having multiple domains (or even multiple
trees) in your forest, the main one being that by partitioning Active
Directory into multiple domains you have better control over
replication traffic, an issue of particular importance in a company
spanning several locations connected by slow wide area network (WAN)
links. Planning an Active Directory implementation is a complex
subject, however, and is beyond the scope of this book; for a good
book on this subject, see Active Directory
(O'Reilly).
Figure 4-1. Typical logical structure of Active Directory
DNS and Active Directory
Since Active Directory domains are named using DNS,
planning Active Directory also involves planning the DNS names of the
domains within your forest. The most important choice is your root
DNS name, the name of the first domain of your forest (called the
forest root domain). You should generally select a root DNS name that
reflects the largest scope of your entire organization, taking into
account all of its branch offices, subsidiaries, partners, and even
planned acquisitions and mergers. For more information on
implementing a DNS WS2003 namespace for Active Directory, see
Planning DNS under
DNSConcepts later in this chapter.In Windows 2000 (W2K) it was important to plan your DNS naming scheme
and domain structure carefully since you couldn't
rename domains after you created them in Active Directory. W2K did
allow you to restructure your forest by creating new domains and
using the MoveTree utility from Support Tools to
move objects from old to new domains, but this was not a trivial
procedure. WS2003 takes things a little further and now allows you to
rename your domains, including your forest root domain, and to
restructure your forest more easily by repositioning domains within a
tree or forest. To accomplish these tasks, Microsoft provides a
Domain
Rename tool that is available on its web site (use search.microsoft.com and search for
"domain rename tool" to find the
current URL for downloading it[1]). Note that this tool works only if all your domain
controllers are running WS2003 and can't be used to
change which domain is the root domain of your forest, to add or
delete domains from your forest, or to change the name of a domain to
the same name that another domain gave up in a previous
restructuring. The main thing to remember is that the procedures
involved are still complex and aren't intended for
everyday administration; they should be used only for an exceptional
event such as your company being acquired through a merger or
changing its business identity.
[1] At this writing it is
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.
Delegation and Group Policy
While a simple deployment of one domain
could be managed by a single administrator, enterprises that have
many domains and OUs can take advantage of two powerful features of
WS2003 that simplify administering and securing Active Directory:
delegation and Group Policy. Delegation lets an administrator assign
limited administrative rights over domains and OUs to trusted users
in order to distribute the burden of managing Active Directory. Group
Policy allows policy-based management of user and computer objects
within Active Directory. See Delegation and
Group Policy later in this chapter for more
information.New to WS2003 is the ability for administrators to set quotas
limiting the number of objects that can be created in Active
Directory by a user who has been delegated limited administrative
authority. This new feature can be managed only from the command
line; see dsadd, dsget,
dsmod, dsmove, and
dsquery in Chapter 5 for more
information.
Schema
One final aspect
of Active Directory's logical structure is the
schema, which defines the classes of objects the directory may
contain and the attributes these objects may have. Active Directory
comes with a default schema that may be suitable for most companies,
but the schema is also extensible for companies that need to create
new object types and attributes. Modifying the schema is beyond the
scope of this book.
Topological Structure of Active Directory
Besides logically representing your
company's network resources, Active Directory can
also topologically represent your company's IP
internetwork. Large computer networks based on IP generally have a
mesh-like structure in which smaller networks called subnets are
joined together with routers into a single large internetwork. These
subnets may be located at different geographical locations, in which
case WAN links are used to connect locations. To ensure that Active
Directory performs optimally over slower WAN connections, a
topological structure can be created within Active Directory to
reflect the WAN connections of your internetwork. The main elements
of such a topology are sites. A site is a
grouping of subnets that have high-speed (local area
networkLAN) connections throughout. Sites are joined to other
sites using site links (the logical counterpart in Active Directory
to physical WAN links). Sites are important because domain
controllers replicate portions of Active Directory with one another,
and using sites allows replication traffic to be controlled so that
it doesn't swamp the available bandwidth of slow WAN
links. See Site later in this chapter for more
information on these topics.
Physical Structure of Active Directory
From a physical
perspective, Active Directory resides on special servers called
domain controllers , which authenticate users and
enable them to locate and access resources across the forest. To
ensure scalability, Active Directory is partitioned into
naming
contexts (NCs), which are contiguous
subtrees of directory objects
and units of replication. Each domain controller has a replica of
three directory partitions:
- Schema NC
Contains the classSchema and attributeSchema
objects, which define the kinds of objects that can exist in the
forest. Every domain controller in the forest contains a full replica
of the same schema NC.- Configuration NC
Contains objects that define the
replication topology and other forestwide information. Every domain
controller in the forest contains a full replica of the same
configuration NC.- Domain NC
Contains objects like users and computers that
belong to the local domain. Every domain controller in a domain
contains a full replica of the domain NC for that domain, but domain
controllers in one domain don't contain replicas of
domain NCs for other domains.
Synchronization between domain controllers
in a domain is maintained using multimaster
replication, a process in which all
domain controllers within a domain are peers and contain writable
copies of the Active Directory partition for the domain (this is
different from NT, in which only one domain controller, the PDC,
contained a writable copy of the domain database). To speed queries
across multiple domains in a forest, a subset of commonly used Active
Directory objects called the global catalog is maintained by each
domain.
Directories and Files
The Active Directory database and log files
are located by default in the directory
%SystemRoot%\NTDS and must be located on an NTFS
partition. The main directory database file, or datastore, is
NTDS.dit; it uses the
Extensible Storage Engine (ESE) database
engine in Microsoft's Exchange Server. The database
can grow to a maximum size of 16 terabytes and can contain more than
10 million objects, which means Active Directory can support even the
largest enterprise networks. The database defragments and repairs
itself automatically, but it can also be taken offline and manually
defragmented using the ntdsutil utility to
reclaim unused space in the directory database. For better
performance, Active Directory log
files can be placed on a separate physical disk (these log files
record transactions written to the datastore and can be used to help
restore a system if the datastore volume is lost). A typical
configuration might be:
- WS2003 operating system installed on a mirrored volume
- Datastore located on a RAID-5 volume with at least 4 GB to
accommodate future datastore growth - Log files located on a mirrored volume
|
SYSVOL
Installing
Active Directory creates and shares the directory
%SystemRoot%\sysvol\sysvol with the share name
SYSVOL. The SYSVOL share contains NETLOGON shares, Group Policies,
logon scripts, and other important files that are replicated by the
File Replication Service
(FRS) to all domain controllers in the domain. Other than placing
your logon scripts into the correct subdirectory of SYSVOL, you
shouldn't fool around with any of the files stored
there.
