Active Directory, when installed, develops a hierarchy in which each domain, organizational unit, resource, and so on possesses a particular and unique name within the namespace. This nomenclature provides the ability to define an organization from a network perspective, tightly integrating the network infrastructure into a particular business model. These divisions are known within the directory as sales. This naming standard is what defines the hierarchy of Active Directory. Part of this adaptation includes elements of the X.
Active Directory is not an X. Like Active Directory, every object within must have a name. The X. Logic would have it then that two objects in the directory can have the same RDN as long as they have a different parent object. A real-world example of this would be two towns named Columbia, one in South Carolina and the other in Maryland. In other words, traveling downward from the root of the directory from parent to child to object, the DN is formed. Think of the way a file system is structured. The user Bob Jones works in the technical division of Technelogic Corporation. The DN of Bob Jones identifies him as a user object.
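The naming rule described above (an RDN is unique only among the children of one parent; the DN, formed by walking from the object back to the root, is unique across the directory) as an added example that is not from the book. The domain technelogic.com and the object names are constructed samples; the escaping follows the LDAP DN string rules.

```python
"""Build and parse LDAP distinguished names (DNs) as Active Directory uses them.

Added example, not from the book. It shows that a relative distinguished name
(RDN) only has to be unique among the children of one parent, while the DN,
formed by walking from the object up to the root, is unique directory-wide.
The domain technelogic.com and the object names are constructed samples.
"""


def escape_rdn_value(value: str) -> str:
    """Escape the characters that may not appear unescaped in an RDN value."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == len(value) - 1):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs, most specific first, into a DN string."""
    return ','.join(f'{attr}={escape_rdn_value(val)}' for attr, val in rdns)


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns, attr, buf, escaped, in_value = [], '', [], False, False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '=' and not in_value:
            attr = ''.join(buf).strip()
            buf, in_value = [], True
        elif ch == ',' and in_value:     # unescaped comma ends this RDN
            rdns.append((attr, ''.join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
    if in_value:
        rdns.append((attr, ''.join(buf)))
    return rdns


def dn_from_path(domain: str, ous, leaf_attr: str, leaf_value: str) -> str:
    """Form a DN by walking from the forest root down to an object.

    domain: DNS name such as technelogic.com -> DC=technelogic,DC=com
    ous:    container path from the domain downward, e.g. ["Technical"]
    """
    rdns = [(leaf_attr, leaf_value)]
    rdns += [("OU", ou) for ou in reversed(ous)]          # child before parent
    rdns += [("DC", label) for label in domain.split(".")]
    return build_dn(rdns)


def rdn_of(dn: str):
    """The object's own name: the first component of its DN."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The DN of the container that holds the object."""
    return build_dn(parse_dn(dn)[1:])


def check_unique(dns):
    """Return the DNs that collide with an earlier entry.

    Two objects may share an RDN when their parents differ; only identical
    full DNs collide. Active Directory names compare case-insensitively.
    """
    seen, collisions = set(), []
    for dn in dns:
        key = tuple((a.upper(), v.lower()) for a, v in parse_dn(dn))
        if key in seen:
            collisions.append(dn)
        seen.add(key)
    return collisions


if __name__ == "__main__":
    bob = dn_from_path("technelogic.com", ["Technical"], "CN", "Bob Jones")
    print(bob, "->", rdn_of(bob), "in", parent_dn(bob))
```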
If all of this sounds a lot like a DNS namespace, it is—sort of. DNS is a set of protocols and services that provide name-to-address resolution. DNS also provides the hierarchical structure inherent to Active Directory. The logical organization of directory objects and the extensibility inherent in this relationship mean that Active Directory can be tailored to fit the business model of any company.
Another benefit of this logical architecture is the ability to easily find objects within the directory on a Windows network. Logical structure elements include objects, the schema, domains, containers, organizational units (OUs), trees and forests, sites, and domain controllers. The most basic element of the Active Directory logical makeup is the object and its related attributes.
The following sections outline the common logical elements found in a typical Active Directory structure.
Objects An object in Active Directory is defined as any item contained in the directory that has a common set of attributes. Examples of objects are users, workstations, servers, printers, databases, files, and so on. An object is anything in the directory that has properties or attributes and is further defined by class definitions. An object can exist as a parent container or a child object in a directory hierarchy as well. This relational concept of parent and child is adopted from the X.
A quick word to Novell and Microsoft Exchange administrators: If many of these terms seem familiar to you, this is probably due to the directory standards implemented in those products. An attribute is a categorical set of information or characteristics that define an object. It is the actual value of the attribute that provides uniqueness. The attribute may have any value that conforms to the naming standard currently in place on your network. Therefore, understanding object attributes provides a mechanism for querying the directory for network resources or objects.
Object Classes Active Directory groups objects by their attributes. All of the aforementioned objects are categorized as users, groups, computers, organizational units, domains, databases, and so forth. These are logical groupings and can help to organize resources in the directory. The hierarchy is composed of logical units that consist of containers, domains, and organizational units, which in turn house the objects that we discussed previously. Containers Simply put, a container is a store for other objects in the directory.
Containers have attributes just like objects and are crucial to the theory of a hierarchy. Examples of containers are domains and organizational units. Domains Domains are the building blocks of a Windows network (perhaps much to the dismay of many readers) and define the structure of Active Directory. A domain stores objects such as users, computers, servers, and security policies. While a domain acts as a logical boundary or container for the objects within, it also is essential in forming security boundaries on a Windows network.
This means that security settings are contained in the domain and do not cross over the boundary edge of the domain—though it is still possible for domains to interact with other domains. We cover the semantics of this later; for now, just remember that domains are the essence of Active Directory and Windows Server networks. Organizational Units (OUs) OUs help to further subdivide the structure of the directory into manageable partitions. The OU is a container just like a domain and helps to create smaller, more manageable administrative units.
This eases administration and allows for delegation of resources. Relational Components The last subset of the divisional elements that we will discuss details the relationship between domains. These relationships are defined by trees and forests and further define the hierarchical structure of the directory and the namespace. When using multiple domains in Windows, a hierarchy is formed that creates a contiguous namespace and is formally referred to as a tree.
Remember that the directory is composed of objects and containers that hold these objects, one of which is the domain. A tree forms a logical top level to a hierarchy of multiple domains that are contained within the same namespace. Within the tree, the domains are interconnected via trust relationships and share three common components: the schema, a unified configuration, and a GCS. Trust relationships are formed when one or more domains are joined in the same namespace in Active Directory and a link between the two is formed. This differs from the way that trusts were implemented in legacy NT domains, where trusts had to be initiated by the administrator.
When a domain is grafted into the tree, a trust is automatically generated between the two. A trust forms a singular administrative unit of control over all domains that participate. Trusts are integral to being able to access network resources across multiple domains. No doubt there are administrators out there who are cringing over all this talk of domains and trusts. These concepts were a nemesis to system administrators of Windows NT networks due to the nightmare of managing multiple trusts between many domains.
Microsoft recognized this intrinsic flaw in NT and has implemented the concept of transitive trusts in Windows, reducing the number of trusts necessary to manage a unified domain structure. To see how domains and trusts apply in the directory, look at the example of the company Technelogic, Inc. It is also true that these new divisions or sectors may have an established name in the market in which they do business that precludes them from changing to the name of the parent or sister company.
The issue arises within Active Directory as to how to merge the two namespaces into a single manageable network. To address this need, the concept of a forest was born, which allows two disjointed namespaces to exist together in the same Windows network. By default, the first tree created in the forest forms the root of the disjointed namespace. Trees in the forest do, however, share a common schema, configuration, and catalog server, just as within a single tree (see Figure 1). The Global Catalog Server (GCS) The GCS is created by Active Directory replication (we discuss replication and replication theory in greater detail later in the book) and provides a complete view of every object contained in the directory.
This catalog is a central repository for objects and their attributes and can be thought of as the index of the entire network. The GCS stores a replica of every object in the directory, but only key attribute fields are stored to reduce storage capacity and streamline the query process.
This data is referred to as binding data and is accessible by administrators and users alike. These elemental, organizational, and relational components join to form the logical structure of Active Directory. The two elements that give physical structure to Active Directory are sites and domain controllers. Active Directory Sites Most businesses today are spread across some territory, regardless of size. Sites are physical locations marked by a server that possesses a copy of the Active Directory, which in turn must be a domain controller.
There are only two types of servers in Windows: domain controllers and member servers. All servers may be installed as member servers and later promoted to domain controllers should the need arise. In Windows NT you were stuck with the decision of member server or domain controller once the software was installed unless you reinstalled from scratch. This feature of Windows server offers far greater flexibility when it comes to reorganizing the network, and it saves time and money by not having administrators spend hours reinstalling member servers as domain controllers, or vice versa.
The concept of a site is important in the planning phase of Active Directory for several reasons. First, domain controllers generate considerable traffic on a network due to the amount of data that must replicate to each copy of Active Directory (one copy per domain controller). Logically, then, it is important that domain controllers be interconnected by high-speed connections.
Usually a site is on a local area network (LAN) or some other type of fast network. If sites are linked via slow links, the net result is a network that is bogged down, and Active Directory replication will fail. Windows also offers the added flexibility of defining your sites by IP subnet, which aids overall integration of Active Directory, even at the network level. Note that sites are part of the physical makeup of Active Directory and do not partake in the namespace.
Domain Controllers Domain controllers are servers that house a copy of Active Directory and authenticate users to resources on the network. Unlike Windows NT, there is only one type of domain controller in Windows. All changes to the Active Directory hierarchy are replicated to other domain controllers throughout the network. Member servers can be promoted to domain controllers using the upgrade utility Dcpromo. Once sites are created and domains are functioning with a copy of Active Directory, domain controllers work cooperatively to replicate and process Active Directory and updates to it.
Each domain stores a copy of local domain object information called a partition. The GCS serves to unify all directory object information together in one central database, retaining information from each partition. Replication In order for users to access objects across the enterprise, it is imperative that information is shared within and across sites. This process of sharing Active Directory information is known as replication.
Each time an object in the directory is added or modified, replication takes place instantly. It is quite easy to see how this could add up to quite a bit of network traffic, particularly on larger networks; hence the reason that sites are typically connected by high-speed network links. Considering the process of replication, it is logical that the Active Directory databases on all domain controllers are writeable copies, which is functionally different from the way that Windows NT domain controllers operate.
In Windows NT, only the primary domain controller contained a writeable copy of the security database, and backup domain controllers were instituted for fault tolerance, holding a read-only copy of the database. The fact that all domain controllers contain writeable copies of Active Directory means a Windows network provides greater functionality and flexibility than previous versions. The ability for all domain controllers to write to a replica of a given partition is referred to as multiple-master replication.
The two key benefits that replication provides are availability of resources to users and fault tolerance of Active Directory information (see Figure 1). Partitions As previously mentioned, each site houses local Active Directory information. In an environment where there are multiple sites or domains, each site holds a subset of the directory called a partition. Domain controllers use the domain name information of each object to refer to its location within the directory.
Security Features of Active Directory Active Directory is integral in managing network objects; therefore, it is tightly integrated into the security subsystem of Windows. All access and permission to objects is granted through the directory. Many of the security ideas adopted by Microsoft for use in Active Directory are part of the X. Access Control Lists Users are permitted to use a resource on the network by way of access control lists (ACLs), which determine who can use or manipulate another object or resource.
ACLs define rights with a level of granularity down to the object attribute and class level. An access control entry (ACE) provides the rights assigned to each user defined in the directory. An example of ACE functionality would be assigning rights to a particular directory on a file server on a Windows network. Some users or groups of users may have only read access to the directory, where others can read or write to the directory. Trusts and Other Relevant Terms Having the flexibility to create multiple domains and sites would be useless if users from one domain could not access resources in another domain.
The establishment of a trust means that the joined domains share a common schema, configuration, and GCS and partake in the namespace of the hierarchy. Two types of trusts exist in a Windows network: transitive trusts and explicit trusts. Transitive Trusts By default, when a new domain is grafted to an Active Directory tree, a transitive trust is established between the domains.
These are two-way trusts and are authenticated by Kerberos authentication. Users are then able to access resources throughout the network. These implicit trusts allow pass-through access to other domains as previously discussed (refer to Figure 1). Explicit Trusts Explicit trusts are one-way trusts and are the mechanism of resource access used in tree relationships between forests. This is accomplished through inheritance, where permissions are propagated to all objects in child containers in the directory. This feature eases the administration of applying permissions to objects throughout the directory.
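The ACL and ACE mechanism described above, together with the inheritance of permissions down to child containers, as an added example that is not from the book. It models a token holding a user SID and group SIDs, ACLs as ordered lists of allow/deny ACEs, and inheritance down a small directory hierarchy; the SIDs, rights and the container layout are constructed samples, and the evaluation order follows the Windows rule that deny ACEs are evaluated before allow ACEs and explicit ACEs before inherited ones.

```python
"""Simplified model of Windows access checks: tokens, ACLs, ACEs and inheritance.

Added example, not from the book. The SIDs, rights and directory layout are
constructed samples. It demonstrates the canonical ACE order (explicit deny,
explicit allow, inherited deny, inherited allow), why a deny on a broad group
also blocks administrators who are members of that group, and how a
"protected" object stops inheriting permissions from its parent container.
"""
from dataclasses import dataclass, field
from typing import List, Optional

READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class ACE:
    kind: str                 # "allow" or "deny"
    trustee: str              # SID of a user or group
    mask: int                 # rights bitmask
    inheritable: bool = False  # propagates to children when set on a container
    inherited: bool = False    # set on the copies placed on child objects


@dataclass
class Token:
    """What the LSA builds at logon: the user's SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset

    def matches(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


@dataclass
class Node:
    name: str
    explicit_acl: List[ACE] = field(default_factory=list)
    parent: Optional["Node"] = None
    protected: bool = False   # True blocks inheritance from the parent chain


def canonical(aces: List[ACE]) -> List[ACE]:
    """Sort into canonical order; sorted() is stable so nearer ancestors stay first."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))


def effective_acl(node: Node) -> List[ACE]:
    """Explicit ACEs plus inheritable ACEs copied down from each ancestor."""
    aces = list(node.explicit_acl)
    n = node
    while n.parent is not None and not n.protected:
        n = n.parent
        for a in n.explicit_acl:
            if a.inheritable:
                aces.append(ACE(a.kind, a.trustee, a.mask, True, inherited=True))
    return canonical(aces)


def access_check(token: Token, node: Node, desired: int) -> bool:
    """Walk the ACL in order until every desired right is granted or one is denied."""
    remaining = desired
    for ace in effective_acl(node):
        if not token.matches(ace.trustee):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False          # first matching deny that covers a wanted right wins
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0         # empty or exhausted ACL grants nothing


# Constructed sample hierarchy and principals (SIDs are not real).
DOMAIN_USERS, DOMAIN_ADMINS, TECH_MANAGERS = "S-1-5-21-X-513", "S-1-5-21-X-512", "S-1-5-21-X-1101"


def build_sample():
    domain = Node("DC=technelogic,DC=com", [
        ACE("allow", DOMAIN_USERS, READ, inheritable=True),
        ACE("allow", DOMAIN_ADMINS, READ | WRITE | DELETE, inheritable=True),
    ])
    technical = Node("OU=Technical", [ACE("allow", TECH_MANAGERS, WRITE, inheritable=True)], parent=domain)
    hr = Node("OU=HR", [], parent=domain)
    bob = Node("CN=Bob Jones", [], parent=technical)
    # Explicit deny on a broad group: it precedes the inherited admin allow.
    payroll = Node("CN=Payroll", [ACE("deny", DOMAIN_USERS, READ | WRITE | DELETE)], parent=hr)
    # Protected object: only its own explicit ACEs apply.
    secrets = Node("CN=Secrets", [ACE("allow", TECH_MANAGERS, READ)], parent=technical, protected=True)
    return {"bob": bob, "payroll": payroll, "secrets": secrets}


BOB = Token("S-1-5-21-X-1105", frozenset({DOMAIN_USERS, TECH_MANAGERS}))
ALICE_ADMIN = Token("S-1-5-21-X-500", frozenset({DOMAIN_USERS, DOMAIN_ADMINS}))

if __name__ == "__main__":
    nodes = build_sample()
    for who, tok in (("bob", BOB), ("alice", ALICE_ADMIN)):
        for name, node in nodes.items():
            print(who, name, "read:", access_check(tok, node, READ))
```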
Delegation A trend long popular with many organizations is allowing business managers or workgroup managers to administer the resources that their respective units use on a daily basis. Through delegation, a Windows administrator can assign other users the ability to manage a set of resources or objects on the network. This helps to offload the administrative load of the administrators so they can focus on higher-level network maintenance and monitoring. Summary In this chapter we discussed directories, directory services and nomenclature, and Active Directory features and functionality.
A directory is a hierarchical database of descriptive information organized for fast and efficient retrieval. Active Directory is comprised of logical and physical components, both of which contain elements critical to the structure and design of the tree hierarchy. A Windows Active Directory object such as users, printers, servers, etc. The directory is flexible and extensible, capable of tremendous scalability, and can contain millions of objects. This flexibility, extensibility, and scalability of Active Directory make Windows the perfect network operating system for any organization.
Knowledge of these concepts helps to better understand how directory components communicate and how certain functions, such as authentication, come to pass within the directory. In light of this information, it is logical to assume that Active Directory must exist somewhere within the security subsystem of Windows. The Windows security subsystem functions to provide access to resources through authenticating user logons on the local server and throughout a Windows network.
Figure 2. Windows, like most well-designed operating systems, is comprised of modular blocks of code. These individual components are responsible for a given task or function in the operating system. Active Directory and all related elements are contained within the kernel mode layer of the operating system, which means it has direct access to physical memory and executes in an isolated area of memory. The Windows security subsystem has four main functions.
First and foremost, it operates as a store for security policy and account information, which is accessed by the directory to verify user rights to network objects. Trust information is also stored here. Another function of the security infrastructure is to implement security models for all objects. Finally, all Active Directory authentication takes place through the security subsystem.
The Windows Security Subsystem The security subsystem in Windows is an integral part of directory services, as logon and object access functions are provided through the directory with a little help from the Global Catalog. The security subsystem is home to several Active Directory components, including the LSA and related dynamic link libraries (DLLs), which function together to provide access to resources throughout. The following section describes the LSA and its subcomponents. See Figure 2. The LSA Components A network would be of little consequence if users could not access resources on the network.
Additionally, securing data on a corporate network is a major concern for most companies.
The LSA is the component of the security subsystem responsible for checking user permissions. It serves to generate an access token upon user logon to the network, authenticates users, manages the audit policy of the system, and manages local security policy. An access token is generated by the LSA and contains user and group information. It is this information that is checked against the Access Control List ACL of a directory object, which in turn allows or denies access to objects. Secure Sockets Layer authentication module. Kerberos v5 authentication module.
Provides secure channel communications to the domain controller and passes Security Identifier (SID) and user rights information to the client. Security Account Manager provides legacy NT authentication support (Kerberos is the primary authentication protocol in Windows). The Directory Services module houses the subcomponents that provide directory service functionality such as queries via LDAP and replication. It is important to note that legacy authentication facilities such as NTLM are provided strictly for backwards compatibility and coexistence scenarios, and their use is dictated only by integrating legacy Windows NT servers and domains with a Windows network.
Such a configuration is called a mixed-mode environment. While it is beyond the scope of this book for a thorough technical description on the various authentication methods and protocols, it is important to consider from a security standpoint whether to integrate legacy systems into a Windows network due to the weaker nature of these systems.
The Kerberos v5 security protocol is the preferred protocol for Active Directory authentication and an extremely robust security mechanism. At the lowest level of the directory service module is the Extensible Storage Engine (ESE), and it is there that we start our discussion on this aspect of the architecture of Active Directory. It uses a version of the Jet database engine (the same technology found in the Exchange Server mail product, part of the BackOffice suite) and is also the underlying technology of the Windows Internet Name Service.
The design of that database is optimized for storage and retrieval of data. For example, the database can store multiple instances of a value for an attribute, say in the case of phone numbers and address information. The ESE is the bottom layer in the directory service module and has direct dependencies on Windows NTFS v5; therefore, an NTFS volume must be present before installing a domain controller or promoting a domain controller using the dcpromo utility. All access to the directory database is filtered through this component, which provides access to the physical database and query services to the database.
It is here that data within the tables of the database is presented in a hierarchical manner to Active Directory. The DSA functions to process transactions to and from the database layer on to the five service agents. The DSA is also responsible for enforcing the schema policy of the database and formatting the data for presentation to applications. Agents Five agents act as interfaces between the three layers of the directory service module and the programs that request Active Directory services or data. REPL (site replication).
Provides the replication features for intersite, interdomain, and DC replication via multiple transports. Provides backward compatibility for Windows NT 4. Used primarily by Outlook clients for address book compatibility on older systems. Integrates Exchange Server functionality. It is important to note that some of these agents provide compatibility and functionality with legacy Windows NT systems as well and are critical to legacy integration. When considering Active Directory physical architecture, it is also helpful to examine the logical structure of these components to further understand interaction and functionality.
These include DNS, partitions, and the schema. In LDAP 3. The rootDSE is not part of any namespace. The purpose of the rootDSE is to provide information about the directory server. Contained in the rootDSE is a configuration container that houses metadata for the network.
Metadata is data about data. Metadata describes how and when and by whom a particular set of data was collected, and how the data is formatted. Metadata is essential for understanding information stored in databases. Remember that Active Directory is a name and further a namespace, the defining standard of which is the naming hierarchy, and so it defines the network.
The directory container houses information about Active Directory naming contexts, specifically regarding the schema, sites, partitions, and various services that intertwine with Active Directory. The schema naming context contains the attributes and classes for objects in the directory. The sites naming context contains information on all domain controllers, site lists, and replication information.
The partition naming context identifies the partition structure of the directory. Information about the rootDSE can be viewed using the Active Directory Browser, a tool for locating objects, object attributes, and naming contexts within the directory. Choose Object Viewer, and a New Object window will appear asking for path information.
The rootDSE object is displayed. Click OK and the container information is returned. The new management principles inherent in Active Directory are light years ahead of the decentralized management of previous versions of Windows NT. Still, you may encounter a snafu or two along the way. Here are a few things to look out for. Taking time to consider domain structure, server hardware, and network liabilities will help save you from headaches down the road.
Windows Domain Implementation As of this writing, there are still some limitations to the domain and child domain relationship that cause excessive administrative cost in Windows. Remember that a Windows network can be subdivided into child domains and sites to structure an organization as a hierarchy by division or business unit.
These child domains are interconnected by transitive trusts that are automatically established when the new domain controller and respective site are grafted to the tree. The administrative limitation to this design is apparent when trying to delegate permissions or authority to child domains in the hierarchy, as permissions do not cross over the natural security boundaries formed when a domain is created. This does not mean that this authority cannot be implemented in child domains; rather, the rights must be applied to each of the child domains in the tree.
Depending on the size of your organization, this could add up to a rather large task. The catch in this recommendation is that single-site architecture requires that all domain controllers in the domain be connected by high-speed LAN connections or high-speed telecom links. We discuss the different domain architecture best practices later in the book. For now, just remember that the single domain model may be the best way to go for most organizations. Just as in Exchange Server, planning domain controller hardware needed to support larger Active Directory implementations of the database is critical to the overall success of deploying a fast and functional Windows network.
Do not cut corners when it comes to deploying these key elements. Network Bandwidth Considerations A network of workstations and users can easily add up to MB of space or greater in an Active Directory deployment. The primary need for high-speed links between sites is due to the replication of such massive data stores between domain controllers. All information updated on one domain controller in a Windows network is replicated to all other domain controllers; hence, the need for high-speed links.
Plan very carefully when designing the structure of your physical network, considering replication issues. More about this later in the book. Summary Active Directory serves administrators and end users by unifying directory services into a hierarchical tree. The architectural components of Active Directory provide rapid access to directory features and furnish administrators with a means to control access to network resources and delegation of authority to objects in the hierarchy.
In order to command control of such functions, Active Directory must be tightly integrated into the security architecture of Windows. Active Directory exists in the security subsystem of Windows, a low-level kernel mode service of the operating system. The Directory Services module within the LSA architecture provides directory security, support, and functionality and is comprised of five API elements called agents that provide hooks from directory services to application layer programs.
Additionally, three sublayers in the Directory Services module—the Directory Service Agent, the Extensible Storage engine, and the Database layer—provide support for directory semantics and transaction processing, replication, and object attribute storage and access. In the next chapter, we begin looking at the steps necessary in planning a successful implementation of Active Directory.
These cannot be overlooked due to the restrictions placed on Active Directory network dependencies and the organizational characteristics of the directory itself. Many of you reading this book may feel you have enough experience to skip ahead and jump right into the actual installation of Active Directory. I strongly urge you to refrain from doing this and pay particular attention to this chapter.
It was not so long ago that the IBM Selectric, secretaries, and printing calculators were commonplace. Business moved at a steady pace, and companies were comfortable with the pace at which work was done. Today, businesses must plan for every contingency lest they fall prey to the fiercely competitive market of the new millennium. What is driving business so fast and furiously these days? The computer revolution has driven most businesses to new highs or out of business all together.
The same computer technology that saves one company one year may sink it the next in the hands of the competition. As business has changed, so has the computer network. The majority of companies with mainframes are now replacing them with multiple smaller, faster, multitiered, Web-based systems. The printed corporate directory has made way for the electronic phone book. Networks span continents and the globe. These technological advances have been integral in shaping this sea change, and business has embraced the new technology, forming a bond between companies and their networks.
If you take a moment to examine your existing network you will find examples of this amalgamation of industry and technology (see Figure 3). This brings us to the functional and integration issues surrounding the implementation of a Windows network. Site replication is one.
Sites have conditions placed on them; for example, fast network connections so that directory replication will not bog down the network. Administrative roles may also change with the advent of delegation and organizational units (OUs). Planning for such contingencies ahead of time will prevent headaches down the road. The information-gathering phase of Active Directory implementation is the single most important aspect of the rollout. This chapter focuses on the planning phase of Active Directory and Windows to help you avoid the common pitfalls associated with an Active Directory deployment.
Organizational Characteristics The effect an Active Directory deployment will have on your company is profound. Therefore, the best way to plan for Active Directory is to involve all areas of business, from accounting to corporate to IT. Doing so will not only help the deployment, it will also serve to set expectations within the company.
Another tangible benefit of involving varying business units is the brain share that evolves from such interaction. This type of communication between parties can produce amazing results on how to realize this new technology! The greatest benefit of involving other parts of the company comes in gathering information necessary for a successful installation. Active Directory tightly integrates into your business, starting at the naming hierarchy. Critical tools such as object queries, or even more important, e-mail, rely on proper naming schemes.
It is therefore recommended that a central team be formed to undertake the task of designing the Windows network. A typical team will consist of upper and middle managers who submit approval to executives; IT members, including those responsible for messaging systems; and DNAs. Systems and operational managers are key, as are members of security if you have such a department. This planning team should task themselves with discovering the technical structure of your organization and business aspects of your company as they pertain to the network (see Figure 3).
Technical members should gather as much information on the physical network as possible. Now would be a good time to put together a graphical map of your network topology. Identifying wide area network (WAN) links and their respective bandwidth is exceedingly important in the overall planning for Windows. The planning team should meet several times to provide updates to the group, and at least one person should act as the scribe, compiling all of the information gathered. This information should then be disseminated up the chain of the organization for approval. Now, on to some of the specific information you will need.
Another caveat to this discussion is the fact that this is a transient business. Documentation helps to alleviate the stress of migrating new IT personnel. Business Persona What business is your company in? Why does it matter when planning for your Active Directory implementation? Geographic dispersal, handling of administrative tasks, security, growth, and acquisition all affect the way you will deploy Active Directory. Physical Location Chances are the company that you work for has more than one location, whether it is in the same building, city, state, country, or around the globe.
Knowing the topological layout of your network is critical to the success of an Active Directory deployment. Test the speed of every link and make sure you understand the actual link speed. In addition, the reliability of a link may affect decisions on site placement.
Check the traffic on local subnets too, as this may ultimately influence site placement.

Administrative Models
Another important consideration when planning for Active Directory is the administrative model that your company uses, both for network resource management and departmental supervision.
Typically, an organization can be classified in one of three ways: centralized, decentralized, or a combination of both. Centralized organizations usually have a set administrative policy in which all network administration is filtered through the IT department or corporate domain, similar to the way the single master model functioned in previous versions of NT.
This model is not limited to small and medium-sized companies. Many larger organizations have adopted this model for the comfort that it offers from a security standpoint and for the reduction in support calls (see Figure 3.). Decentralized organizations often encompass many business units or company divisions, or they are separated by vast distances where central administration may be impossible (see Figure 3.).
Each of the separate divisions handles administrative functions independently. This model brings the challenges presented by the politics so often found between different divisions or geographic locations. Face it, business is conducted differently from one part of the country to the next, and certainly around the globe.
These politics are often present within a single location, and it is the job of the team, particularly upper managers, to get past such hurdles in rolling out Active Directory. Some organizations may find that they use a combination of centralized and decentralized models in business. Functions such as technical, sales, or manufacturing may be decentralized, and those closer knit

I have worked for organizations where this type of gridlock effectively shut down projects.
One that comes to mind was a decentralized organization comprised of several IT divisions. A massive undertaking was begun to develop a corporate intranet that would house useful tools and applications for the user community. Eight months passed, and after countless meetings and torturous teleconferences, no decision could be reached as to the content and format of the navigation bar that would serve as the header of every page. This senseless barricading can drag a project out for eternity and frustrate even the most patient of team members.
Do everything possible to avoid these fortified positions and work toward the common goal of bringing the project to fruition. It is the job of IT to serve the customer (the end user), and when this situation occurs, it is the customer who suffers the most! In the end, there is no right or wrong way to structure a company— each company has a unique identity. You may find that the planning team has very little say in the matter.
However, an organization that is flexible may take suggestions from the planning group and embrace the recommendations offered. Such open-mindedness will prove a great ally in integrating Active Directory into your network. Overall, most organizations will reflect a combination of these models in order to form a more perfect union (see Figure 3.). And if this is not the case today, as a company evolves, so too does the IT department.
Security policymakers are a critical asset to the planning team. Their participation will help in applying policies and permissions to network resources after Active Directory is installed. Planning for such things and entering the implementation phase prepared reduces the time to project completion, and saves money and frustration as well. The majority of companies take data security very seriously, and making any changes to existing policy will almost always have to be run up the ladder for approval. A glitch caused by a lack of planning could cause network outages resulting in lost revenue.
Planning for the future growth of the network keeps you one or more steps ahead of the competition. Mergers and acquisitions are commonplace today, and an organization may grow at explosive rates. Conversely, an organization may fracture or splinter into decentralized factions or separate billable companies.
The participation of upper management in Active Directory planning to provide such details is imperative. Keep the following in mind during the planning phase:

What is the projected growth rate of the company, and in what divisions can this growth be expected? Failing to plan for future growth will ultimately result in working many extra nights and weekends on your part, not to mention looking bad in the eyes of your superiors. Design the network so that it can be easily expanded.

Is the company poised for restructuring or reorganization? Again, IT organizations should be included in this type of information ahead of time so the necessary planning can take place.

What potential mergers are in store for the company? Merging another company into an existing Windows network requires careful planning because of the namespace design that must take place (which we discuss in upcoming chapters). See Figure 3.

Is the company planning any downsizing or splintering? If downsizing, it may become necessary to reorganize parts of the network into existing sites; in the case of splintering, you may need to develop a new namespace for the new company.
The characteristics that make up your company directly affect the way you architect your Active Directory schematic. Gather as much information on company structure during this essential phase, and pay particular attention to security policies, user habits, geographic locales, network layout, and administrative constitution. Several other specific factors.
Assessing Organizational Characteristics
A network is made up of many defining elements that call for particular attention when implementing a Windows network. These include user considerations, WAN connections, the Internet, remote access to network resources, legacy system integration, mail systems, and integration with existing directories. Replication of the directory between domain controllers and sites is a major consideration when architecting your Windows network.
Design aspects of the namespace must also weigh heavily in the decision process. The name hierarchy is the defining aspect of Active Directory and the way that your users access network resources. If your company has an Internet presence, this may affect the way you design your naming structure.

Physical Network Considerations
As mentioned earlier, a Windows network is dependent on high-speed links between domain controllers for the replication process to work effectively.
Therefore, your physical network, especially wide area links and utilization of all links, should meet several conditions when considering the placement of domain controllers and the construction of sites. Further, these links may appear to have the bandwidth needed to include all of your domains in a single site where replication takes place instantly, but upon further inspection the utilization on these links might be pegged out. Your router manufacturer may offer such tools as well. Gathering statistical information of network utilization and link integrity is not only key to a successful Active Directory implementation, but is a good measure of overall network health.
Keep in mind the following questions when designing your Windows network: How much bandwidth will be available for replication between domain controllers at all times: morning logon peaks, normal operation, and even weekends and off-hours? Simply measuring utilization during normal business hours does not give a true average of network capacity. If utilization is stressed during morning logon and logoff periods, the net result will be slow performance or complete failure of Active Directory replication.
This translates into you, the administrator or installer, having to track down these failures later i. What good is a link if it experiences percent downtime? This may be common if you are not partnered with a reputable service provider. This scenario is also common when your network branches out overseas or in developing countries where the telecom infrastructure is not up to par. Consider alternatives such as satellite links rather than leased lines—the prices are often competitive.

User Base Considerations
The way that your user community interacts with the network is just as important when developing network architecture as any other issue we have discussed.
The ways in which users are grouped, transient users and user transfers between divisions, and international users are all integral to the overall design of your network (see Figure 3.).

Integrating the Internet
It is almost unheard of for a company not to participate in the global network community of the Internet. The Internet is not only a rich source of information, it allows a company to interact with business partners through e-mail or even EDI, not to mention an Internet Web presence that serves as a marketing or commerce interface to the rest of the world.
The Internet has reshaped the way in which business is conducted in the modern business climate, creating a truly global business interconnect. Windows is a prime example of the delivery of this promise. The namespace hierarchy provided in Active Directory comes in part from the DNS service, which is the same name registration service used on the Internet. If your company currently has an Internet presence, chances are it also has a name registered with the Internic a.
Network Solutions, Inc. The Internic is a global name registration service that provides domain name to Internet protocol address mappings for the most popular top-level domains e. With Active Directory, you have the option of integrating (or not) your existing Internet namespace with your Active Directory namespace, providing directory queries and transparent user name to e-mail address registration and resource availability to the outside network.
Choosing separate internal and external namespaces may require more stringent security standards in many corporate networks. While it may be second nature for many to go to work and open up a Web browser for Internet sessions or send Internet e-mail around the globe, many companies today are still precluded from such activities because of security concerns.
I have worked in both arenas, and I am typically biased toward the latter because I feel the Internet is a rich source of information if only from a support standpoint. Security aside, Internet browsing open to the entire user community may seem innocent enough. However, the Internet is far from innocent, and many companies do not want to open themselves up to liability because of the potential for users to access noncompany-related material.
Whether you fall into one category or the other, the Internet standards offered in the Windows product line offer the same rich feature set regardless of your Internet connection.

Non-Microsoft Systems Integration with Active Directory
The Windows networking family of operating systems was first introduced in , making it somewhat of a late player in the network operating system game.
Because of the time and money corporations have expended on these systems, they are still resident in many server rooms and data centers. With this in mind, Microsoft has attempted to overcome interoperability issues associated with heterogeneous environments through the use of open standards. Novell offers directory services through NDS, and several Unix manufacturers offer directory services as well.
Why is this significant? Simple: none of the directory functionality was available using the gateway; essentially, only file sharing was available. In addition, File and Print services were offered as add-ons—for additional cost. Unix integration with NT out of the box has been practically nonexistent until now, although Microsoft recently released a set of add-on tools available for NT 4.
Many third-party products have emerged to fill the gaps caused by interoperability issues surrounding NT and other network operating systems. Microsoft has made a diligent effort to make the new Windows product much more data-center friendly through the adoption of open standards. This is true not only for non-Microsoft systems, but for legacy NT systems as well. In planning your network, try to account for all of the different systems that support your organization, and try to determine if interoperability will be an issue.
Do these systems offer directory services, either mail systems such as Exchange or Lotus Notes, or resource directories such as NDS (this product is also available for NT but is not supported by Microsoft)? If a DNS namespace already exists, it may be a good idea to adapt or migrate the information stored there for use with Windows DNS servers (more on this later). Determine if legacy support for NT will be needed as well. Many organizations may have a sizable rollout on their hands and will have to plan for legacy coexistence.
Other Considerations
It is also important to consider some of the new features in Windows that are not open standards but may affect the deployment. Kerberos security is the primary and preferred method of authentication. Other systems may offer Kerberos authentication or a single logon mechanism to multiple systems. Certificates are another authentication method that is commonly used today. Certificate Server is standard issue in Windows and is widely used in Web-based systems. Familiarize yourself with these protocols and determine if they have a place in your company.
Microsoft also offers the Zero Administration Kit (ZAW) as part of the network operating environment that, if implemented, may have an impact on your network bandwidth and should be considered during planning. While there are currently no metrics to support the exact impact caused by implementing ZAK, allocate sufficient bandwidth to support this feature and never use it over WAN links.

Best Practices
While this book can never assume the responsibility of teaching planning strategies, there are some guidelines that you can follow in order to make your Active Directory implementation go smoothly.
Here are a few ideas to get you going:

Know your network backward and forward; not just the physical network, everything. While many reading this book may have grown their present network from the ground up, other members of the technical staff may be adoptive parents and will certainly need to come up to speed. Make sure that everyone from the technical side who will participate on the team is on the same page as far as the network topology and architecture are concerned. This will in the end produce a favorable result.

Utilize a network-mapping tool such as Visio to provide visuals, not only to the technical people, but also to help the business unit team members visualize what you are verbally trying to articulate.
Organize all information in a clear and concise manner, and store it on a network share to which everyone in the group has access. Create a distribution list in your mail system for group members to use for mailings to the group.

When forming your team, keep in mind that the rollout of this product will ultimately affect everyone in your organization. It would be wise to diversify your team to include members from all critical areas of the company.
Run all proposals up to the very top of the management chain. These reports should be simple and concise, and they should spell out the pros and cons of each decision.

This will help in the design of Active Directory, particularly since there are provisions in Windows for classifying physical structure components by subnet.
Design a solid administrative model and adhere to it. Designate business unit administrators to oversee the creation of user accounts and resource management. If you are uncomfortable doing this, implement a change control mechanism by which these changes are approved by an IT administrator or the security department before they occur, so there is a record of the transaction.
If your company already has a security policy in place, review it thoroughly and make changes as the Active Directory structure forms.

If you are planning on putting all servers within the same domain and you have links other than LAN connections, test these links over a period of time—say, a month—during all hours of operation. Compile this data into a chart if possible to determine whether you need to break up the network into different sites. If a link is only K but supports only two users who run their applications from a local server at that site, chances are that site will work as a member of the domain and replication will not falter.
The rule of thumb is to consider both bandwidth and link speed in determining site placement.

Careful planning is the key to victory. Active Directory impacts the entire company. Pick your team members carefully, and bear in mind that you will be working together for some time to achieve the desired result. The team must document not only the organizational qualities of the network, but those of the organization as well. Administrative models, security, geography, and company growth should all play a part in the final architecture.

It is a lightweight client used to make queries to X.
LDAP is gaining momentum as the Internet directory standard capable of providing open access to directory services on the corporate network or Internet, as well as integrating heterogeneous directories. LDAP was originally conceived as a way to simplify access to a directory service that was modeled according to the X.
Many of the new features of LDAP go beyond the original specification or definition and identify LDAP as the solution needed to make global directory services a reality. DAP provides this functionality under the original specification, but it is too bulky for use over WAN links. LDAP, X. The adoption of LDAP as a standard access protocol has been universally welcomed and endorsed by all the leading industry players.
Since its widespread adoption in April , LDAP has gained tremendous momentum in the quest for unified directory functionality—much in the same way as X. Both offer considerable value, and features of both are integrated in Active Directory. In this chapter, we look at X.

What Is X.
First released in , the X. In Windows, the directory servers are domain controllers, and the portion of the directory held by each is referred to as a partition.
These servers cooperate to provide a distributed directory service to users or user applications in such a way that these user applications need not be aware of the location of the information they are accessing. In other words, the user or user applications can connect to any directory server and issue queries to access information anywhere in the global directory.
An example of this might be that X. These possess the access control and security mechanisms necessary to allow unlimited internal and external access, and they can hold a wide variety of data, ranging from databases to network appliance information. Commercial implementations of X. In addition to these selling points, X.
This scalability makes the X. It provides an open system protocol for accessing standardized directory servers for use by users and computer systems. One key feature it provides is a powerful searching facility that allows users to construct arbitrarily complex queries. DAP and the other X. More on X. The vast majority of the specification addresses the data and information model and the protocols required to provide a fully distributed service based on a model of cooperating directory servers.
Each of these servers is responsible for a portion of the overall Directory Information Base (DIB), linking together to provide a single logical directory for users accessing the service. To support this model, the X. The query language used is very similar to that found in the DAP specification. The aim is to let users quickly and easily create and query directories of people and information e.
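The partitioned, cooperating-server model described above, as an added Python example that is not Windows 2000 code or any X.500 product's code: each server holds one naming context of the DIB and knows which context every peer holds, so a client bound to any server is referred to the server that actually holds the entry. Server names, DNs and attribute values are constructed for the example.

```python
"""Toy model of an X.500-style partitioned directory (constructed example).
Each server holds one partition (naming context) of the Directory Information
Base (DIB); a client may bind to any server and is referred on to the holder."""
from dataclasses import dataclass, field
from typing import Optional


def parse_dn(dn: str) -> list:
    """Split a DN into its RDNs, most specific first, normalised to lower case.
    "cn=Bob,ou=Tech,dc=example,dc=com" -> ["cn=bob", "ou=tech", "dc=example", "dc=com"]"""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under(entry_dn: str, suffix_dn: str) -> bool:
    """True when entry_dn lies in the subtree rooted at suffix_dn (RDN suffix match)."""
    entry, suffix = parse_dn(entry_dn), parse_dn(suffix_dn)
    return len(entry) >= len(suffix) and entry[len(entry) - len(suffix):] == suffix


@dataclass
class DirectoryServer:
    name: str
    naming_context: str                         # the partition this server holds
    entries: dict = field(default_factory=dict)
    peers: list = field(default_factory=list)   # knowledge of the other partitions

    def add_entry(self, dn: str, attrs: dict) -> None:
        """Store an entry; a server only accepts entries inside its own partition."""
        if not is_under(dn, self.naming_context):
            raise ValueError(f"{dn} is outside partition {self.naming_context}")
        self.entries[",".join(parse_dn(dn))] = attrs

    def holder(self, dn: str) -> Optional["DirectoryServer"]:
        """Pick the server whose naming context is the longest suffix of dn, so a
        child partition (dc=sales,dc=example,dc=com) wins over its parent."""
        candidates = [s for s in [self, *self.peers] if is_under(dn, s.naming_context)]
        if not candidates:
            return None
        return max(candidates, key=lambda s: len(parse_dn(s.naming_context)))

    def lookup(self, dn: str):
        """Resolve dn starting from this server.
        Returns (name of the answering server, attributes or None, referred?)."""
        target = self.holder(dn)
        if target is None:
            return None, None, False            # no partition of the DIB covers this DN
        attrs = target.entries.get(",".join(parse_dn(dn)))
        return target.name, attrs, target is not self


def build_forest() -> dict:
    """Constructed two-partition directory: dc1 holds the root, dc2 a child partition."""
    dc1 = DirectoryServer("dc1", "dc=example,dc=com")
    dc2 = DirectoryServer("dc2", "dc=sales,dc=example,dc=com")
    dc1.peers.append(dc2)
    dc2.peers.append(dc1)
    dc1.add_entry("cn=Bob Jones,ou=Tech,dc=example,dc=com", {"mail": "bob@example.com"})
    dc2.add_entry("cn=Alice,ou=People,dc=sales,dc=example,dc=com",
                  {"mail": "alice@example.com"})
    return {"dc1": dc1, "dc2": dc2}


if __name__ == "__main__":
    forest = build_forest()
    # Bind to dc1 and ask for an entry held in dc2's partition: the referral is chased.
    print(forest["dc1"].lookup("cn=Alice,ou=People,dc=sales,dc=example,dc=com"))
    # Ask dc2 for a DN in the root partition that does not exist: referred, then None.
    print(forest["dc2"].lookup("cn=Nobody,ou=Tech,dc=example,dc=com"))
```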
As a lightweight access protocol, LDAP has become the standard way to access directory services. With technology improvements over the last few years, this argument against the use of DAP has receded, and some vendors ship full DAP products that work on all but the oldest desktop systems. As defined in the RFC, the primary goal of LDAP is to minimize the complexity of the client so as to facilitate widespread deployment of applications capable of utilizing the directory service. These limitations are being addressed in the new LDAP v3 specification.
Support for an extension mechanism to allow future development to the LDAP standard has also been defined. This essential work facilitates directory application development and deployment. Windows supports both versions of the protocol for client access to directory information. When the connection is established, the LDAP v3 client will detect it is talking to an LDAP v2 server, and it will be able to decide if it wants to continue; it may decide not to, because critical LDAP v3 functionality it requires for its specific application will not be available.
LDAP offers a simpler, lightweight alternative that fits more closely with the ideals of the Internet protocol suite. This provides an easy mechanism for systems integrators to provide directory access to their applications. Consequently, LDAP has become the protocol used by the majority of directory access clients. The emergence of X. In the case of directories, X.
Uptake of X. SMTP and X. LDAP is only a protocol, and it does not define a broader set of directory concepts such as those offered by X. LDAP emerged as an offshoot of X. The research community never really adopted X. Many proprietary directory systems have in the past been described as being X. What this often means is that features and functions described in X. Although X.
Now that most of the outstanding issues have been resolved either through industry or standards body initiatives, commercially attractive X. It is ironic that this has come at a time when LDAP-based servers are coming on to the market, apparently forcing a distinction between the roles of the two. One of the things X.
Windows Active Directory Survival Guide: Planning and Implementation. Personal Author: Schwartz, Richard. Subject Terms: Microsoft Windows (Computer file); Operating systems (Computers).