Question

Active directory (AD) is arguably the most critical component of Windows Server 2008, certainly for larger organizations. It enables corporations to manage and secure their resources from a single directory service and with a common interface—a very powerful tool. Because it is so powerful and offers so many features and capabilities, it sometimes can be complex to those looking at it for the first time. This week, we are going to learn about AD in detail, starting with the fundamentals. As we progress during the week, you will begin to see it's not that intimidating after all. First, though, let's get the fundamentals down. What exactly is a directory service, and what are some examples in industry? Next, let's get the definition of active directory down—what exactly is it, and what benefits does it provide? After this, we'll look at the details on how it is implemented in the business environment.

What is a directory service?

What are some examples of a directory service?

What is the definition of AD?

What are the benefits of AD?

How is AD implemented in a business environment?

Solutions

Expert Solution

Directory services

Directory services are software systems that store, organize and provide access to directory information in order to unify network resources. Directory services map the network names of network resources to network addresses and define a naming structure for networks.

The directory service provides transparency to protocols and network topology, permitting users to access resources without having to be aware of the physical location of the devices. It’s an important component of the network operating system and is a central information repository for a service delivery platform.

Directory services are network services that identify every resource such as email address, peripheral devices and computers on the network, and make these resources accessible to users and applications.

Specific directory services called naming services map the names of resources in the network to the respective network address. This directory service relieves users from having to know the physical addresses of network resources. Directory services also define namespaces for networks, which hold one or more objects as name entries.

Directory services hold shared information infrastructure to administer, manage, locate and organize common items and network resources. It is also a vital component of network operating systems. A directory service is the collection of software and processes that store information about your enterprise, subscribers, or both.

Directory Server

Directory Server provides a central repository for storing and managing information. Almost any kind of information can be stored, from identity profiles and access privileges to information about application and network resources, printers, network devices and manufactured parts. Information stored in Directory Server can be used for the authentication and authorization of users to enable secure access to enterprise and Internet services and applications. Directory Server is extensible, can be integrated with existing systems, and enables the consolidation of employee, customer, supplier, and partner information.

Directory Server provides the foundation for the new generation of e-business applications and Web services, with a centralized and distributed data repository that can be used in your intranet or over your extranet with your trading partners.

Example of Directory Service

An example of a directory service is the Domain Name System (DNS), which is provided by DNS servers. A DNS server stores the mappings of computer host names and other forms of domain name to IP addresses. A DNS client sends questions to a DNS server about these mappings e.g. what is the IP address of test.example.com? Thus, all of the computing resources i.e. hosts become clients of the DNS server. The mapping of host names enables users of the computing resources to locate computers on a network, using host names rather than complex numerical IP addresses.

Whereas the DNS server stores only two types of information: names and IP addresses, a Lightweight Directory Access Protocol (LDAP) directory service can store information on many other kinds of real-world and conceptual objects. Sun Java System Directory Server stores all of these types of information in a single, network-accessible repository. You may for example want to store physical device information, employee information (name, E-mail address), contract or account information (name, delivery dates, contract numbers, etc.), authentication information, manufactured production information. It is worth noting that although a directory service can be considered an extension of a database.

Directory services generally have the following characteristics:

Hierarchical naming model
A hierarchical naming model uses the concept of containment to reduce ambiguity between names and simplify administration. The name for most objects in the directory is relative to the name of some other object which conceptually contains it.

Extended search capability
Directory services provide robust search capabilities, allowing searches on individual attributes of entries.

Distributed information model
A directory service enables directory data to be distributed across multiple servers within a network.

Shared network access
While databases are defined in terms of APIs, directories are defined in terms of protocols. Directory access implies network access by definition. Directories are designed specifically for shared access among applications. This is achieved through the object-oriented schema model. By contrast, most databases are designed for use only by particular applications and do not encourage data sharing.

Replicated data
Directories support replication i.e. copies of directory data on more than one server, which make information systems more accessible and more resistant to failure.

Datastore optimized for reads
The storage mechanism in a directory service is generally designed to support a high ratio of reads to writes.

Extensible schema
The schema describes the type of data stored in the directory. Directory services generally support the extension of schema, meaning that new data types can be added to the directory.

Active Directory

Active Directory (AD) is a Microsoft product that consists of several services that run on Windows Server to manage permissions and access to networked resources.

Active Directory stores data as objects. An object is a single element, such as a user, group, application or device, such as a printer. Objects are normally defined as either resources -- such as printers or computers -- or security principals -- such as users or groups.

Active Directory categorizes objects by name and attributes. For example, the name of a user might include the name string, along with information associated with the user, such as passwords and Secure Shell (SSH) keys.

The main service in Active Directory is Domain Services (AD DS), which stores directory information and handles the interaction of the user with the domain. AD DS verifies access when a user signs into a device or attempts to connect to a server over a network. AD DS controls which users have access to each resource. For example, an administrator typically has a different level of access to data than an end user.

Active Directory Benefits

Active Directory provides the following network services:

  • Lightweight Directory Access Protocol (LDAP) – An open standard used to access other directory services
  • Security service using the principles of Secure Sockets Layer (SSL) and Kerberos-based authentication
  • Hierarchical and internal storage of organizational data in a centralized location for faster access and better network administration
  • Data availability in multiple servers with concurrent updates to provide better scalability

Several other services comprise Active Directory. They are Lightweight Directory Services, Certificate Services, Federation Services and Rights Management Services. Each service expands the product's directory management capabilities.

Lightweight Directory Services (AD LDS) has the same codebase as AD DS, sharing similar functionalities, such as the API. AD LDS, however, can run in multiple instances on one server and holds directory data in a data store using Lightweight Directory Access Protocol (LDAP).

LDAP is an application protocol used to access and maintain directory services over a network. LDAP stores objects such as usernames and passwords and shares that object data across the network. Active Directory Domain Services uses a tiered layout consisting of domains, trees and forests to coordinate networked elements.

Implementation of Active Directory in a Business Environment

Active Directory is internally structured with a hierarchical framework. Each node in the tree-like structure is referred to as an object and associated with a network resource, such as a user or service. Like the database topic schema concept, the Active Directory schema is used to specify attribute and type for a defined Active Directory object, which facilitates searching for connected network resources based on assigned attributes. For example, if a user needs to use a printer with color printing capability, the object attribute may be set with a suitable keyword, so that it is easier to search the entire network and identify the object's location based on that keyword.

A domain consists of objects stored in a specific security boundary and interconnected in a tree-like structure. A single domain may have multiple servers – each of which is capable of storing multiple objects. In this case, organizational data is stored in multiple locations, so a domain may have multiple sites for a single domain. Each site may have multiple domain controllers for backup and scalability reasons. Multiple domains may be connected to form a domain tree, which shares a common schema, configuration and global catalog used for searching across domains. A forest is formed by a set of multiple and trusted domain trees and forms the uppermost layer of the Active Directory. Novell's directory service, an Active Directory alternative, contains all server data within the directory itself, unlike Active Directory.

You need to begin your analysis of the business and technical requirements by addressing the organization's administrative model.

1) Designing the Envisioned Administrative Model

During this phase of the Active Directory design, you assess the current administrative model that is being used by an organization. This information has a major effect on the Active Directory structure that will be put into place—for example, the number of domains that are created.

2) Determining the Administrative Model

Determining the administrative model that a business has implemented is important to the Active Directory design process. The administrative model basically determines who holds the decision-making authority within a business and who is responsible for implementing these decisions.

3) Identifying Responsibilities for Administering Resources

After the administrative model within the organization has been identified, the next step is to identify who is currently responsible for administering network resources. When determining administrative responsibilities, consider the following questions:

  • Who is responsible for what?

Determine which individuals or groups within the business should have administrative privileges and what their responsibilities are. For example, a group of individuals might have been given the responsibility of administering user accounts, whereas another group might have administrative privileges over network printers.

  • Where do these privileges apply?

Do the permissions apply throughout the organization or only to certain areas? For example, in an enterprise network, if a user has been given administrative authority over user accounts, should this privilege apply to all domains and organizational units (OUs) or just specific ones? In other words, what is the scope of the administrative privilege?

  • What type of privilege is assigned?

Does the individual or group have full administrative privileges or control over only certain aspects? For example, what level of control does the individual or group have over user accounts? Does the individual or group have full control or control over only certain aspects of user accounts?

4) Determining the Type of IT Organization

To effectively design an Active Directory hierarchy, the current structure of the IT organization within the business must be assessed. After the current structure has been documented, the design team can work with the company to determine whether there are any areas that need improvement or areas that can be restructured for easier administration. This information will assist in creating a design that meets the requirements of the business.

When assessing how the IT organization within a business is structured, determine the model that is currently in place. Is the network administration centralized or does the business allow for distributed administration (decentralized)? Determining this will ensure that the needs of the IT organization are identified and reflected in the administrative model that is developed.

5) Developing a Model for Administration

After you've characterized the type of IT organization that a business has in place, the next step is to develop a model for its administration. The administration model that is chosen determines the organization of the Active Directory structure. The type of model that is developed should be based on the structure of the IT organization.

6) Creating the Conceptual Design of the Active Directory Forest Structure

In most cases, a single-forest structure should be sufficient. You also want to keep your Active Directory design as simple as possible. With that in mind, a single-forest structure is usually recommended for administrative purposes. However, in some instances, it will be necessary to consider a multiple-forest environment to meet the requirements of a business. This type of model is one of the most difficult to design and administer, so when you're considering the forest structure, keep the following topics in mind:

  • Business reasons
  • Trusts relationships
  • Schema issues

7) Creating the First Domain in Active Directory

The first domain created within Active Directory becomes the forest root domain. This is the domain that represents the entire business. It is important to plan which domain will become the forest root domain because it can be difficult to restructure the Active Directory hierarchy if this domain must be renamed.

Careful planning is required when choosing a name for the forest root domain because other domains added to the structure might inherit a portion of their namespace from the root domain.

8) Domain-Wide Policies

If there is a need to create different security configurations for different groups of users and computers throughout the business, it might be necessary to create more than one domain. Only a thorough assessment of a business's security requirements can determine whether more than one domain will be needed. The following are some security options set on a domain basis:

  • Password policy—Password policies determine the requirements for user passwords, such as a minimum password length.
  • Account lockout policy—An account lockout policy determines the guideline for locking a user account out of the system.
  • Kerberos policy—A Kerberos policy determines the settings pertaining to Kerberos security, such as session ticket expiration time.

9) Active Directory Objects

Objects are components or resources that make up your physical AD environment and to which attributes can be defined. Some of the common AD objects are as follows:

  • User: Every member of the organization is denoted in AD through a user object. This object contains employee details such as first name, last name, office, telephone number, and so on.
  • Contact: A contact object is used to store the contact of vendors or suppliers, who are not in the employ of the organization. Only the name of the person and the contact details are stored. These contacts, unlike users, are not offered access to network resources.
  • Printer: Refers to the printers in the network. All printers in the organization’s network can be represented using printer objects in the AD environment.
  • Computer: This object contains information about all the computers in the network.
  • Shared folder: This allows users to access folders from other computers on the network that have been marked as shared. It should be noted that only folders, and not individual files, can be shared. If an individual file needs to be shared, it should be placed within a folder.
  • Group: A group is a collection of directory objects put together so that certain security policies can be assigned to them. For example, an organization would want only a particular department to have access to certain documents. In that case, the network administrator would create a group containing all the department members and add a security policy, providing them access to the file server containing the documents.
  • Organizational units (OUs): OUs help in structuring your network resources in an easy-to-locate manner. An OU is nothing but a container within which objects such as users, printers, computers, and others can be placed. OUs should be contained within a single domain; they cannot be shared across domains. The hierarchical arrangement of OUs, however, can be followed across domains.
  • Builtin: This is a container object that contains several default groups. These default groups are created automatically when you first install Active Directory Domain Services. Security policies can be assigned to the builtin container groups.
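The hierarchical naming model, the containment of objects in OUs and domains, and the attribute search (the colour-printer lookup) that the answer describes, as an added Python example that is not part of the original answer; the entries, DNs and attribute values are constructed sample data, and `printColor` is assumed here as the printer attribute being searched on.

```python
"""Hierarchical naming, containment and attribute search in a directory."""
import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("OU", "Sales")

# Constructed sample entries (not real data): DN -> attributes.
# "printColor" is assumed here as the printer attribute being searched on.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "DC=corp,DC=example,DC=com": {"objectClass": "domainDNS"},
    "OU=Sales,DC=corp,DC=example,DC=com": {"objectClass": "organizationalUnit"},
    "CN=Alice Smith,OU=Sales,DC=corp,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "asmith"},
    "CN=Printer\\, 2nd floor,OU=Sales,DC=corp,DC=example,DC=com": {
        "objectClass": "printQueue", "printColor": "TRUE"},
    "CN=Mono Printer,OU=Sales,DC=corp,DC=example,DC=com": {
        "objectClass": "printQueue", "printColor": "FALSE"},
}


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, most specific first.

    A comma escaped as "\\," is part of the value, not a separator,
    so "CN=Printer\\, 2nd floor" stays one RDN.
    """
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.replace("\\,", ",").strip()))
    return rdns


def domain_of(dn: str) -> str:
    """DNS name of the domain an object belongs to, read from its DC components."""
    return ".".join(value for attr_type, value in parse_dn(dn) if attr_type == "DC")


def is_contained_in(object_dn: str, container_dn: str) -> bool:
    """Hierarchical naming model: an object is inside a container when the
    container's RDNs are the tail of the object's own RDNs."""
    obj, container = parse_dn(object_dn), parse_dn(container_dn)
    return len(obj) > len(container) and obj[-len(container):] == container


def search(base_dn: str, attribute: str, value: str) -> List[str]:
    """Subtree search: every entry at or below base_dn whose attribute equals value."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if (dn == base_dn or is_contained_in(dn, base_dn)) and attrs.get(attribute) == value
    )


if __name__ == "__main__":
    # Find colour-capable printers anywhere in the corp.example.com domain.
    print(search("DC=corp,DC=example,DC=com", "printColor", "TRUE"))
```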

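The domain-wide account lockout policy from the policy list above, worked through as an added Python example that is not part of the original answer: it applies the three AD lockout settings (lockout threshold, reset-counter window, lockout duration) to a constructed stream of logon results; the policy values and the events are assumed sample data.

```python
"""Domain-wide account lockout policy applied to a stream of logon results."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int              # "Account lockout threshold"; 0 means never lock out
    reset_counter_after_s: int  # "Reset account lockout counter after", in seconds
    lockout_duration_s: int     # "Account lockout duration", in seconds


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # times of recent bad passwords
    locked_until: Optional[int] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: int) -> bool:
        state = self.accounts.get(user)
        return state is not None and state.locked_until is not None and now < state.locked_until

    def record(self, user: str, password_ok: bool, now: int) -> str:
        """Apply one logon attempt at time `now`; returns 'ok', 'denied' or 'locked'."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"  # even a correct password is refused during the lockout
        state.locked_until = None
        if password_ok:
            state.failures.clear()  # a successful logon resets the bad-password count
            return "ok"
        # Only failures inside the observation window count towards the threshold.
        window = self.policy.reset_counter_after_s
        state.failures = [t for t in state.failures if now - t < window] + [now]
        if self.policy.threshold and len(state.failures) >= self.policy.threshold:
            state.locked_until = now + self.policy.lockout_duration_s
            state.failures.clear()
            return "locked"
        return "denied"


def simulate(policy: LockoutPolicy, events: List[Tuple[int, str, bool]]) -> List[str]:
    """Run (time, user, password_ok) events through a tracker and return each outcome."""
    tracker = LockoutTracker(policy)
    return [tracker.record(user, ok, t) for t, user, ok in events]


# Constructed sample: 5 bad passwords within a minute, a correct password while
# locked out, and a correct password once the 30-minute lockout has expired.
SAMPLE_POLICY = LockoutPolicy(threshold=5, reset_counter_after_s=30 * 60, lockout_duration_s=30 * 60)
SAMPLE_EVENTS = [(t, "asmith", False) for t in (0, 10, 20, 30, 40)] + [
    (60, "asmith", True), (40 + 30 * 60, "asmith", True)]

if __name__ == "__main__":
    print(simulate(SAMPLE_POLICY, SAMPLE_EVENTS))
```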