Windows Server 2016 - Active Directory Replication Concepts (I)

Source: Internet
Author: User
Tags: fully qualified domain name

After a break of more than 10 days, the Windows Server Active Directory series continues today. This chapter describes the concepts related to Active Directory replication. The basic Active Directory concepts are the same whether you run the old Windows 2000 version or Windows Server 2016, so this chapter uses the Windows 2000 description of Active Directory as its example; for the new Active Directory features in Windows Server 2016, refer to http://blog.51cto.com/wenzhongxiang/2071659. I hope this helps everyone.

Concepts:

A directory service is a distributed database that stores information about network resources so that they can be looked up and managed easily. Microsoft Active Directory is the directory service implementation introduced with Windows 2000. The basic questions for any directory service are what information can be stored in the database, how it is stored, how specific information is queried, and how the results are processed. Active Directory consists of the directory service itself and the subordinate services that provide access to databases that follow X.500 naming conventions.

You can query the directory by user name for information such as the user's phone number or e-mail address. The directory service is also flexible enough to answer general questions ("Where are the printers?" or "What are the names of the servers?") with a summarized list of the available printers or servers.

The directory service also has the advantage of giving users a single entry point to the entire enterprise network. Users can find and use resources anywhere on the network without needing to know the exact name or location of the resource. Administrators can likewise manage the entire network through one unified, logical view of the network organization and its resources.

To design the most effective and reliable Active Directory, you must understand both the logical and the physical structure of the network. It is also important to study and understand the organization's business structure and operations. Active Directory separates the logical structure of a domain from its actual physical structure.

Logical Structure:

The logical structure of a network is composed of intangible items, such as objects, domains, directory trees, and forests.

The basic building block of Active Directory is the object: a named set of specific properties that represents a network resource. Object properties are the characteristics of an object in the directory. Objects can also be grouped by class, which is a logical grouping of objects. Users, groups, and computers are examples of different object classes.

At the lowest level, some objects represent a single entity on the network, such as a user or a computer. These are called leaf objects, and they cannot contain other objects. To simplify management and organization of the directory, leaf objects can be placed inside other objects, called container objects. Container objects can in turn contain other containers in a nested (hierarchical) form.

The most common type of container object is the organizational unit (OU). You can use OUs to categorize objects and divide a domain into logical administrative groupings. Note in particular that the structure and hierarchy of the OUs in one domain is independent of the structure of any other domain.

Every network object, whether a leaf object or a container object, exists in exactly one domain. To reflect the characteristics of your organization's network, you can use domains to divide related objects into groups. Each domain stores information only about the objects it contains, not about objects in other domains. Currently, the maximum number of objects that can be maintained in a domain is 1 million.

Each domain is a security boundary. Access to objects in a domain is controlled by access control entries (ACEs), which are contained in access control lists (ACLs). These security settings do not cross domain boundaries. In Active Directory, a domain is also called a "partition." Because a domain is a physical partition of the Active Directory database, you can structure it either by business function (human resources, sales, or finance) or by location (geographic or relative).

When you group related domains so that they can share global resources, you create a directory tree. Although a directory tree can consist of just a single domain, you can combine multiple domains of the same namespace into a hierarchy. Kerberos-based security connects the domains in a directory tree transparently through two-way trust relationships. These trust relationships can be permanent (they cannot be deleted) or temporary, and they are transitive: if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C.

All domains in a directory tree share a formal definition of all object types, called the schema. In addition, all domains in a given directory tree share a global catalog (GC). The GC is a central repository of the objects in the directory tree.

Each directory tree is also represented by a contiguous namespace. For example, if your company's root domain is "azureyun.com", you can create separate domains for sales and technical support named "sales.azureyun.com" and "support.azureyun.com", respectively. These domains are called subdomains. Unlike Windows NT 4.0, a trust relationship is generated automatically for each domain.

At the highest level, separate directory trees can be grouped together to form a "forest". You can use a forest to bring together different departments of your organization, or even different organizations. These departments do not have to share the same naming scheme and operate independently, but they can still communicate with each other. All directory trees in a forest share the same schema, global catalog, and configuration container, and Kerberos-based security provides trust relationships between the directory trees.

Another advantage of the Windows 2000 directory service is that you can uninstall Active Directory without reinstalling the entire server operating system. To make a member server a domain controller (DC), you only need to run the DCPROMO tool to add an Active Directory server. To remove an Active Directory server, you likewise just run DCPROMO.

Physical Structure:

Domain controllers and sites are the two basic components that make up the physical structure of a LAN configuration.

Unlike Windows NT 4.0, a network consisting only of computers running Windows 2000 has no primary domain controller (PDC) or backup domain controller (BDC). In a Windows 2000 environment, every server that participates in network management is a domain controller. A domain controller (DC) stores a replica of the directory database, and replication between the controllers in a domain happens automatically.

For enterprise networks that span multiple geographic locations, it is important to understand how the WAN design and architecture affect the impact of directory database replication on domain controllers and on network performance.

Namespace:

A namespace is a bounded area in which the logical name assigned to a computer can be resolved. The primary purpose of a namespace is to organize descriptions of resources so that users can find a resource by its attributes. With the directory database of a given namespace, you can find an object without knowing its name; and if a user knows the name of a resource, they can query for useful information about that object.

In particular, the design of the namespace ultimately determines how useful the directory database remains to users as it grows. Sorting and searching algorithms do not compensate for flaws in the logical directory design.

At the logical level, Windows Active Directory is just another namespace. In Active Directory, two primary information types are stored:

    • The logical location of the object.

    • A list of properties for this object.

You can assign properties to these objects, such as phone numbers and room locations, and use those properties to find the objects in the directory database. As the Active Directory schema is extended (modified), searching by attribute becomes increasingly important. When objects, object classes, and/or properties of those objects are added to the directory database, their structure determines how useful they are to directory users.

Each container and object in the directory tree has a unique name. These names are the full paths through the directory tree to the containers (branches) and leaf objects. The location of an object in the directory tree determines its distinguished name.

The distinguished name (DN) of an object contains the full path from the top of the namespace down through the directory tree hierarchy to the object. The DN is useful for organizing the directory database but is not easy to remember, so Active Directory also uses the relative distinguished name (RDN). The RDN is the part of the object's name that is a property of the object itself.

Many networks use namespaces based on the Domain Name System (DNS) that is used on the Internet. This DNS relationship helps determine the shape of the Active Directory tree and the relationships between its objects. The domain component (DC) entries are the domains listed in the distinguished name, and the common name (CN) entry gives the specific path to the user object in the directory.

Global Catalog:

The global catalog contains a partial replica of every Windows 2000 domain in the directory, created automatically by the Active Directory replication system. This lets users and applications find objects anywhere in the Active Directory domain tree as long as one or more properties of the target object are known. The global catalog also contains the schema and configuration directory partitions. In other words, the global catalog stores a copy of every object in Active Directory, but only a small subset of each object's properties. The properties kept in the global catalog are the ones most commonly used in searches, such as a user's first and last names and logon name, which are what is needed to locate the full copy of an object.

With this common information, users can quickly find the object they are looking for without needing to know which domain the object is in, and without requiring a contiguous extended namespace across the enterprise. If the object is not found in the global catalog, the search queries the local domain partition instead.

You can use the Schema Manager tool to change the schema and define which properties are stored in the global catalog. Because changes to the global catalog are replicated to every global catalog server, it is best to limit the number of properties stored in the local partition for performance and maintenance reasons.

Integration of DNS with AD:

Integration of DNS and Active Directory is a core feature of Windows Server. The DNS domain and the Active Directory domain use exactly the same domain name for two different namespaces. It is important to understand that although the two namespaces share the same domain structure, they are different namespaces: each stores different data and manages different objects. DNS uses zones and resource records, while Active Directory uses domains and domain objects.

For example, if a property of an object is the fully qualified domain name of a server (such as SERVER1.SALES.azureyun.com), Active Directory queries DNS for the TCP/IP address of the server, and the Windows 2000 requester can then establish a TCP/IP session with that server.

The integration of Active Directory with DNS is accomplished by having each Active Directory server publish its own address in a service (SRV) resource record on the DNS host.
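The naming rules above (a DN is the full path through the tree, the RDN is its leftmost component, the DC entries are the domain components) and the DNS mapping in this section can be shown with a small parser. This is an added example, not code from the original article: the sample DN and the account and OU names in it are constructed, and the `_ldap._tcp.dc._msdcs.<domain>` SRV name is the standard record a client queries to locate a domain controller.

```python
"""Parse an Active Directory distinguished name (DN) and relate it to the DNS
namespace. Added example; the sample DN below is constructed for illustration.
"""
import re

# Constructed sample object: a user in the sales.azureyun.com domain.
SAMPLE_DN = "CN=Alice Smith,OU=Engineering,DC=sales,DC=azureyun,DC=com"

# Split on commas that are not escaped with a backslash (LDAP DN escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str):
    """Return the DN as a list of (attribute, value) pairs, leftmost first."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Normalise the attribute type; unescape any escaped commas in the value.
        parts.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return parts


def rdn_of(dn: str) -> str:
    """The relative distinguished name is the leftmost component of the DN."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """The container the object lives in: everything after the RDN."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def is_within(dn: str, container_dn: str) -> bool:
    """True if the object sits somewhere under the given container."""
    obj, container = parse_dn(dn), parse_dn(container_dn)
    return len(obj) > len(container) and obj[-len(container):] == container


def dns_domain_of(dn: str) -> str:
    """Join the DC (domain component) values to get the matching DNS domain."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def ldap_srv_name(domain: str) -> str:
    """SRV record name a client resolves to find a domain controller for the domain."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


if __name__ == "__main__":
    print("RDN:      ", rdn_of(SAMPLE_DN))
    print("Parent:   ", parent_dn(SAMPLE_DN))
    print("DNS name: ", dns_domain_of(SAMPLE_DN))
    print("SRV query:", ldap_srv_name(dns_domain_of(SAMPLE_DN)))
```

Note that the parser handles the one escaping case that trips up naive `split(",")` code: a common name such as `Smith\, Alice` contains a literal comma, which is why DNs are split only on unescaped commas.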

Globally Unique identifiers:

Because every object on the network must be identified by a unique attribute, Active Directory associates a globally unique identifier (GUID) with each object. Even if the logical name of the object changes, the GUID is guaranteed to be unique and is never changed by the directory database. The GUID is generated when a user or application first creates the object's distinguished name (DN) in the directory.

Replication:

Whereas the network structure in Windows NT 4.0 is based on the PDC and BDC model, all servers on a Windows 2000 network act as domain controllers (DCs), with no primary or secondary distinction between them. In Active Directory, all DCs in a site replicate automatically, and multi-master replication is used to replicate Active Directory information to all domain controllers. Because of multi-master replication, an administrator can update Active Directory on any Windows 2000 domain controller in the domain.

Multi-master database replication also helps control when changes are synchronized, which information is up to date, and when replication stops so that duplication and redundancy are avoided. To determine which information needs to be updated, Active Directory uses a 64-bit update sequence number (USN). A USN is assigned to, and kept with, every property. Each time an object is changed, its USN is incremented and saved with the property.

Each Active Directory server keeps a table of the most recent USN received from every replication partner in the site. The table records the highest USN for each partner. When the replication interval is reached, each server requests only the changes whose USN is higher than the USN listed in its own table.

Sometimes the same property is changed on two different Active Directory servers before either change has been replicated. This produces a replication conflict. One of the changes must be declared the authoritative one, and that change becomes the replication source for all other replication partners. To resolve this, Active Directory uses a property version number (PVN) that is consistent across the site. The PVN is incremented on every originating write, where an originating write is a write that happens directly on a particular Active Directory server rather than arriving through replication.

When two or more values of the same property with the same PVN have been changed in different places, the Active Directory server receiving the changes compares the timestamp of each change and keeps the most recent one. The most important consequence of this is the need to install and maintain a central network clock.

Another replication problem is looping. Active Directory allows administrators to configure multiple replication paths for redundancy. To prevent a change from being propagated indefinitely, Active Directory keeps a list of USN pairs on each server. These lists are called up-to-dateness vectors (UDV). They hold the highest USN seen for each originating write, and each UDV lists all the other servers in the site. When replication occurs, the requesting server sends its own UDV to the sending server, which uses the highest USN recorded for each originating server to decide whether a change still needs to be replicated. If the USN is the same or higher, nothing needs to be sent, because the requesting server is already up to date.
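The mechanics described in this section (per-DC USNs, originating writes that bump the PVN, timestamp-based conflict resolution, and up-to-dateness vectors that stop the same change from looping back) can be simulated with a few classes. This is an added example, not the article's or Microsoft's code: the `DomainController` class, its method names, and the scenario values are the example's own, and the one rule that goes beyond the text is the tie-break used when two conflicting writes also carry the same timestamp (the originating server name is compared so that all replicas still converge on the same value).

```python
"""Simulate multi-master replication with USNs, PVNs and up-to-dateness
vectors. Added example; all names and values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrValue:
    value: str
    pvn: int         # property version number, bumped on each originating write
    timestamp: int   # clock of the originating DC (must be kept in sync)
    origin: str      # DC on which the originating write happened
    origin_usn: int  # USN that write received on the originating DC


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                 # local USN counter
        self.objects = {}            # obj -> {attr: AttrValue}
        self.log = []                # (local_usn, obj, attr, AttrValue)
        self.utd = {}                # up-to-dateness vector: origin DC -> highest origin USN seen

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def get(self, obj: str, attr: str):
        av = self.objects.get(obj, {}).get(attr)
        return av.value if av else None

    def _apply(self, obj, attr, av, local_usn):
        self.objects.setdefault(obj, {})[attr] = av
        self.log.append((local_usn, obj, attr, av))

    def originating_write(self, obj: str, attr: str, value: str, at: int):
        """A write made directly on this DC: new USN, PVN incremented."""
        usn = self._next_usn()
        cur = self.objects.get(obj, {}).get(attr)
        av = AttrValue(value, (cur.pvn + 1) if cur else 1, at, self.name, usn)
        self._apply(obj, attr, av, usn)
        self.utd[self.name] = usn
        return av

    def changes_since(self, partner_utd: dict):
        """Return only changes the partner has not seen, judged by its vector."""
        return [(obj, attr, av) for _, obj, attr, av in self.log
                if av.origin_usn > partner_utd.get(av.origin, 0)]

    def _accept(self, obj, attr, incoming: AttrValue) -> bool:
        cur = self.objects.get(obj, {}).get(attr)
        if cur is None:
            return True
        if incoming.pvn != cur.pvn:          # stale or newer version: PVN decides
            return incoming.pvn > cur.pvn
        # Same PVN from different places: a conflict, latest timestamp wins.
        # Tie on timestamp is broken by origin name (assumption, not from the article).
        return (incoming.timestamp, incoming.origin) > (cur.timestamp, cur.origin)

    def replicate_from(self, source: "DomainController") -> int:
        """Pull changes from a partner; returns how many were applied."""
        applied = 0
        for obj, attr, av in source.changes_since(self.utd):
            if self._accept(obj, attr, av):
                self._apply(obj, attr, av, self._next_usn())
                applied += 1
            # Record the originating USN even when the value was rejected, so the
            # same change is never requested (or looped back) again.
            self.utd[av.origin] = max(self.utd.get(av.origin, 0), av.origin_usn)
        return applied


if __name__ == "__main__":
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.originating_write("alice", "phone", "100", at=1)
    dc2.replicate_from(dc1)
    dc1.originating_write("alice", "phone", "111", at=2)   # conflicting writes:
    dc2.originating_write("alice", "phone", "222", at=3)   # same PVN, later clock
    dc1.replicate_from(dc2); dc2.replicate_from(dc1)
    print(dc1.get("alice", "phone"), dc2.get("alice", "phone"))
```

The scenario in `__main__` reproduces the conflict case from the text: both DCs bump the PVN to 2 for the same property, so the later timestamp wins on both sides and the replicas converge. A third DC fed the same change over two paths receives it once, because its vector already records the originating USN after the first delivery.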

Changes to groups:

Another aspect of the logical planning process for Active Directory is the concept of groups. In Windows NT 4.0, an administrator had two basic group types, local and global. Because of the inherent limitations of that structure, Windows 2000 gives network administrators the following more powerful and flexible groups:

    • A group with local scope (also known as a "local group")

    • A group with domain scope (also known as a "domain local group")

    • A group with global scope (also known as a "global group")

    • A group with universal scope (also known as a "universal group")

An important change to note is that a global group can now contain other global groups. Global groups are still used to collect users, but the ability to nest one group inside another lets administrators place them anywhere in the forest, which makes maintenance much easier. However, a global group can only contain users and groups from its own domain in the Active Directory forest.

Because many networks mix Windows 2000 and Windows NT 4.0 servers, before you create groups you must determine the number and type of domains on your network, and which domains are in mixed mode and which are in native mode:

    • Mixed-mode domain. By default, the Windows 2000 operating system is installed in a mixed-mode network configuration. A mixed-mode domain is a group of computers on a network that run both Windows NT 4.0 and Windows 2000 domain controllers. (A mixed-mode domain can also run only Windows 2000 domain controllers.)

    • Native-mode domain. When a domain contains only Windows Server domain controllers, you can convert the domain to native mode.

Universal groups (new in Windows 2000) can contain other groups and users from any directory tree in the forest, and can be used in any access control list (ACL) in the forest.

You can use a combination of global groups, domain local groups, and universal groups to control access to network resources. The basic purpose of a global group is to organize users into administrative containers that represent their own domains. Universal groups can then collect global groups from several domains, which further simplifies managing the domain hierarchy when permissions are granted. You add global groups to a universal group, and then assign permissions to the resource through a domain local group in the domain where the resource physically resides. With groups built this way, administrators can control access to resources across the enterprise by adding or removing users in the global group of each domain, without having to make changes in multiple places.
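The nesting rules and the global group / universal group / domain local group pattern from this section can be checked mechanically. This is an added example, not the article's code: the `Principal` class, the `can_contain`, `nesting_violations` and `effective_users` functions, and the sample accounts, groups and domain names are all constructed. The rules encode what the text states (global groups hold users and groups from their own domain only; universal groups hold groups and users from anywhere in the forest) together with the standard Windows 2000 native-mode rule that a domain local group may contain users, global and universal groups from any forest domain plus domain local groups from its own domain.

```python
"""Check group-nesting rules and compute effective membership for the
global -> universal -> domain local pattern. Added example; all principals,
groups and domain names below are constructed."""
from dataclasses import dataclass

KINDS = ("user", "global", "universal", "domain_local")


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # DNS name of the principal's domain
    kind: str     # one of KINDS


def can_contain(group: Principal, member: Principal) -> bool:
    """May `member` be placed directly in `group`? (both assumed in one forest)"""
    same_domain = group.domain == member.domain
    if group.kind == "global":
        # Global groups: users and global groups from the group's own domain only.
        return member.kind in ("user", "global") and same_domain
    if group.kind == "universal":
        # Universal groups: users, global and universal groups from any forest domain.
        return member.kind in ("user", "global", "universal")
    if group.kind == "domain_local":
        # Domain local groups: anything from the forest, plus domain local groups
        # from the same domain (standard native-mode rule, not stated in the text).
        if member.kind in ("user", "global", "universal"):
            return True
        return member.kind == "domain_local" and same_domain
    return False  # a user is not a container


def nesting_violations(memberships: dict):
    """List (group, member) pairs that break the scope rules."""
    return [(g, m) for g, members in memberships.items()
            for m in members if not can_contain(g, m)]


def effective_users(group: Principal, memberships: dict) -> set:
    """Expand nested groups to the set of users that end up with the group's access."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:           # guard against accidental membership cycles
            continue
        seen.add(g)
        for m in memberships.get(g, ()):
            (users.add if m.kind == "user" else stack.append)(m)
    return users


# Constructed sample: two child domains under the azureyun.com forest root.
ALICE = Principal("alice", "sales.azureyun.com", "user")
BOB = Principal("bob", "support.azureyun.com", "user")
SALES_STAFF = Principal("Sales-Staff", "sales.azureyun.com", "global")
SUPPORT_STAFF = Principal("Support-Staff", "support.azureyun.com", "global")
ALL_STAFF = Principal("All-Staff", "azureyun.com", "universal")
PRINTER_USERS = Principal("Printer-Users", "sales.azureyun.com", "domain_local")

# Users -> global group per domain -> universal group -> domain local group on the
# resource's domain; the resource's ACL would grant access to PRINTER_USERS.
MEMBERSHIPS = {
    SALES_STAFF: {ALICE},
    SUPPORT_STAFF: {BOB},
    ALL_STAFF: {SALES_STAFF, SUPPORT_STAFF},
    PRINTER_USERS: {ALL_STAFF},
}

if __name__ == "__main__":
    print("violations:", nesting_violations(MEMBERSHIPS))
    print("can print:", sorted(u.name for u in effective_users(PRINTER_USERS, MEMBERSHIPS)))
```

Running the check against a layout that tries to put the support-domain user straight into the sales domain's global group reports that pair as a violation, which is exactly the cross-domain case the text says a global group cannot hold.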

