Active Directory

from Wikipedia, the free encyclopedia
Windows Server Active Directory (basic data)

  • Developer: Microsoft
  • Operating system: Windows
  • Core service: Active Directory Domain Services

Active Directory (AD) is the directory service of Microsoft Windows Server. Since Windows Server 2008 the service has been subdivided into five roles, the core component of which is called Active Directory Domain Services (AD DS).

Such a directory is a list of assignments, much like a telephone book, which assigns telephone numbers to their respective subscribers (owners).

Active Directory makes it possible to structure a network according to the real structure of the company or its geographical distribution. To do this, it manages various objects in a network, such as users, groups, computers, services, servers, file shares and other devices such as printers and scanners, together with their properties. With the help of Active Directory, an administrator can organize, provision and monitor the information about these objects.

Access restrictions can be applied to users of the network; for example, not every user may view every file or use every printer.

Server roles

Since Windows Server 2008, five different server roles are grouped under the term Active Directory:

  • Active Directory Domain Services (AD DS) is the current version of the original directory service and the central point of domain and resource management.
  • Active Directory Lightweight Directory Services (AD LDS) is a functionally restricted version of AD DS that is used to connect applications or services that require LDAP-compliant information from the directory. First implemented in Windows Server 2003, the service was called Active Directory Application Mode (ADAM) there.
  • Active Directory Federation Services (AD FS) is used for web-based authentication of users when they are outside the AD DS infrastructure.
  • Active Directory Rights Management Services (AD RMS) protects resources against unauthorized access using cryptographic methods.
  • Active Directory Certificate Services (AD CS) provides a public key infrastructure.

The four main components

Lightweight Directory Access Protocol (LDAP)

The LDAP directory provides information about users and their group memberships, for example; other objects, such as a computer's certificates, are also stored in the directory. LDAP itself is not a directory but a protocol with which information can be queried from an LDAP directory using a defined syntax.
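The query syntax mentioned above is the LDAP search filter. The following added example (not code from the article, standard library only, no directory connection) builds the two filters an administrator most often sends to a domain controller, a user lookup and a group-membership lookup, and evaluates them against a small constructed directory. The attribute names sAMAccountName, memberOf and objectClass are real Active Directory attributes assumed here; they do not appear in the article. The evaluator also shows why values that come from users must be escaped: an unescaped asterisk is a wildcard and would turn a lookup of one account into a lookup of every object.

```python
"""LDAP search filters as sent to an Active Directory domain controller.

Added example, not taken from the article. Standard library only; nothing connects
to a real directory. The sample entries are constructed for the demo. Attribute
names (sAMAccountName, memberOf, objectClass) are real AD attributes assumed here.
"""
import re

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value: str) -> str:
    """Escape a value so the server treats it as literal text, not filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_filter(logon_name: str) -> str:
    """Filter selecting one user by sAMAccountName; the value is escaped."""
    return f"(&(objectClass=user)(sAMAccountName={escape_value(logon_name)}))"

def member_filter(group_dn: str) -> str:
    """Filter selecting every object whose memberOf lists the given group DN."""
    return f"(memberOf={escape_value(group_dn)})"

# --- a minimal filter evaluator, enough to run the filters above offline ----------

def _unescape(text: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def _parse(s: str, i: int):
    """Parse one parenthesised filter element starting at s[i]; return (node, next)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.index(")", i)                 # escaped values never contain a raw ')'
    attr, _, raw = s[i:j].partition("=")
    # An unescaped '*' is a wildcard: split on it, unescape the literal pieces.
    pieces = [_unescape(p) for p in raw.split("*")]
    return ("=", attr.lower(), pieces), j + 1

def _match(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_match(c, entry) for c in node[1])
    if op == "|":
        return any(_match(c, entry) for c in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, pieces = node
    pattern = ".*".join(re.escape(p) for p in pieces)
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))

def search(entries: list, ldap_filter: str) -> list:
    """Return the DNs of the entries matching the filter (what a DC would return)."""
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    return [e["dn"][0] for e in entries if _match(node, e)]

# Constructed sample directory content; attribute names lower-cased for lookup.
DIRECTORY = [
    {"dn": ["CN=Jane Doe,OU=Marketing,DC=foo,DC=org"], "objectclass": ["user"],
     "samaccountname": ["jdoe"], "memberof": ["CN=Marketing,OU=Groups,DC=foo,DC=org"]},
    {"dn": ["CN=John Roe,OU=Sales,DC=foo,DC=org"], "objectclass": ["user"],
     "samaccountname": ["jroe"], "memberof": ["CN=Sales,OU=Groups,DC=foo,DC=org"]},
    {"dn": ["CN=PC1,OU=Marketing,DC=foo,DC=org"], "objectclass": ["computer"],
     "samaccountname": ["PC1$"]},
]

if __name__ == "__main__":
    print(search(DIRECTORY, user_filter("jdoe")))      # exactly one user
    print(search(DIRECTORY, user_filter("*")))         # escaped: matches nobody
    print(search(DIRECTORY, "(sAMAccountName=*)"))     # raw wildcard: every object
    print(search(DIRECTORY, member_filter("CN=Sales,OU=Groups,DC=foo,DC=org")))
```

The evaluator only supports the AND, OR, NOT and equality elements that these filters use, which is enough to see the difference between `(sAMAccountName=\2a)` (a literal asterisk, matching no account) and `(sAMAccountName=*)` (a presence test that returns every object carrying the attribute).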

Kerberos protocol

Kerberos is a protocol with which the user is authenticated so that he receives a so-called ticket-granting ticket (TGT). With it, service tickets for access to a particular service within the network can be obtained. The user has to enter his password only once, to receive the TGT; the service tickets are then obtained in the background.
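The following added example (not code from the article or from any Kerberos implementation) models the three exchanges described above in about eighty lines of standard-library Python: the client uses its password exactly once to open the reply that carries the TGT session key, then obtains a service ticket with the TGT alone, and the service finally accepts the ticket using only its own key. The realm FOO.ORG, the principals alice, krbtgt and cifs/fs1 and their passwords are constructed; the sealing routine is a toy keystream cipher with an HMAC tag standing in for the real Kerberos encryption types, and pre-authentication and most ticket fields are omitted.

```python
"""Simplified Kerberos ticket flow as used by Active Directory.

Added example, not code from the article or any Kerberos implementation. Standard
library only. seal()/unseal() are a toy SHA-256 keystream plus HMAC tag standing in
for Kerberos encryption types; realm, principals and passwords are constructed, and
pre-authentication and most ticket fields are omitted.
"""
import hashlib, hmac, json, os, time

REALM = "FOO.ORG"                                    # constructed realm

def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key of a principal, derived from its password (simplified)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a ticket or authenticator under key (toy cipher)."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; ValueError on a wrong key or tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Key Distribution Center: the AS issues TGTs, the TGS issues service tickets."""
    def __init__(self, passwords: dict):
        self.keys = {p: string_to_key(pw, REALM + p) for p, pw in passwords.items()}

    def as_exchange(self, cname: str) -> tuple:
        """AS-REQ/AS-REP: TGT sealed for krbtgt plus a part sealed for the user."""
        session, exp = os.urandom(32).hex(), time.time() + 600
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": session, "exp": exp})
        return tgt, seal(self.keys[cname], {"key": session, "exp": exp, "sname": "krbtgt"})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str) -> tuple:
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)           # only the KDC can open the TGT
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["cname"] != t["cname"] or time.time() > t["exp"]:
            raise ValueError("TGT/authenticator mismatch or TGT expired")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": svc_session})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session, "sname": sname})

def client_logon(kdc: KDC, cname: str, password: str) -> tuple:
    """The one place the password is used: open the AS-REP to get the TGT session key."""
    tgt, enc_part = kdc.as_exchange(cname)
    fields = unseal(string_to_key(password, REALM + cname), enc_part)
    return tgt, bytes.fromhex(fields["key"])

def client_service_ticket(kdc: KDC, cname: str, tgt: bytes, tgt_key: bytes, sname: str) -> tuple:
    """Obtained in the background with the TGT; no password needed."""
    authenticator = seal(tgt_key, {"cname": cname, "ts": time.time()})
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator, sname)
    return ticket, bytes.fromhex(unseal(tgt_key, enc_part)["key"])

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP-REQ at the service: open the ticket with the service's own key, return the client."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"]

def demo(password: str = "correct horse") -> str:
    """Full flow for user alice against service cifs/fs1; returns the accepted client name."""
    kdc = KDC({"krbtgt": "kdc-secret", "alice": "correct horse", "cifs/fs1": "svc-secret"})
    tgt, tgt_key = client_logon(kdc, "alice", password)
    ticket, svc_key = client_service_ticket(kdc, "alice", tgt, tgt_key, "cifs/fs1")
    authenticator = seal(svc_key, {"cname": "alice", "ts": time.time()})
    return service_accept(kdc.keys["cifs/fs1"], ticket, authenticator)  # service's own key

def wrong_password_rejected() -> bool:
    """A wrong password cannot open the AS-REP, so no usable TGT session key results."""
    try:
        demo("wrong password")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo(), wrong_password_rejected())
```

Two properties of the real protocol survive the simplification and are worth noticing: the client never learns the krbtgt key or the service key (it only ever opens the parts sealed under its own key or a session key), and a service validates a ticket without contacting the KDC, which is why domain controllers see the AS and TGS exchanges but not the final access to the service.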

Common Internet File System (CIFS)

The CIFS protocol is intended for storing files in the network. DNS is used to locate the various computer systems and service information (SRV records). Because the protocol is standardized, it can also be used across the Internet.

Domain Name System (DNS)

Unlike earlier Windows versions such as Windows NT 4.0, which used NetBIOS for name resolution, Active Directory requires its own DNS. To be fully functional, the DNS server must support SRV resource records.
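Both the CIFS and the DNS paragraphs above rely on SRV records to locate services. The following added example (not from the article, standard library only, no network access) shows the record format and the order in which a client works through the answer according to RFC 2782: lowest priority first, and within one priority a weighted random choice, so that two equally weighted domain controllers share the load while a third with a higher priority value is only used when both fail. The records are constructed; the record name `_ldap._tcp.dc._msdcs.<domain>` is the real name Active Directory clients query for domain controllers and is assumed here rather than taken from the article.

```python
"""How an AD client picks a domain controller from DNS SRV records (RFC 2782 order).

Added example, not from the article. The records are constructed; the record name
_ldap._tcp.dc._msdcs.<domain> is the real name AD clients query and is assumed here
rather than taken from the article. Nothing is resolved over the network.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed answer for: _ldap._tcp.dc._msdcs.foo.org  IN SRV
RECORDS = [
    SRV(0, 100, 389, "dc1.foo.org."),
    SRV(0, 100, 389, "dc2.foo.org."),
    SRV(10, 0, 389, "dc-backup.foo.org."),      # only used when priority 0 fails
]

def parse_srv_rdata(rdata: str) -> SRV:
    """Parse 'priority weight port target' as printed in a zone file or dig answer."""
    prio, weight, port, target = rdata.split()
    return SRV(int(prio), int(weight), int(port), target)

def order_targets(records, rng=random.random) -> list:
    """Order records as a client should try them: lowest priority first, and within
    one priority by weighted random selection (RFC 2782). rng is injectable for tests."""
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng() * total
            idx = 0
            for idx, rec in enumerate(pool):
                pick -= rec.weight
                if pick < 0 or total == 0:
                    break
            ordered.append(pool.pop(idx))
    return ordered

def locate_dc(records, is_reachable, rng=random.random):
    """Try targets in order and return the first record whose host answers, else None."""
    for rec in order_targets(records, rng):
        if is_reachable(rec.target, rec.port):
            return rec
    return None

if __name__ == "__main__":
    print([r.target for r in order_targets(RECORDS)])
    print(locate_dc(RECORDS, lambda host, port: host.startswith("dc2")))
```

`is_reachable` is a callback so the locator can be exercised offline; in a real client it would be an LDAP ping to port 389 of the target. A DNS server that cannot serve these SRV records leaves clients with no way to find a domain controller at all, which is the practical meaning of the requirement stated above.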

For reasons of compatibility, Windows 2000 or XP clients with the appropriate configuration are still able to locate resources in the network with the help of NetBIOS or WINS, even when Active Directory is used.

Structure

Components

Active Directory is divided into three parts: schema, configuration and domain.

  • The schema is the template for all Active Directory entries. It defines the object types, their classes and attributes, and the syntax of those attributes. Which object types are available in Active Directory can be influenced by defining new types; the underlying pattern for this is the schema, which defines the objects and their attributes.
  • The configuration describes the Active Directory forest and its trees.
  • Finally, the domain contains all the information that describes the domain itself and the objects created in it.

The first two parts of Active Directory are replicated between all domain controllers in the forest, while the domain-specific information is generally available only within the respective domain, i.e. on its own domain controllers. For this reason there is also a so-called global catalog in each domain. It holds all the information from its own domain and additionally important partial information from the other domains in the forest, for example for cross-domain search operations.

Database

Active Directory uses a Jet (Blue) database to store information about network objects; Microsoft also uses this database engine for Exchange Server. It is relational, transaction-oriented and uses write-ahead logging. The Active Directory database is limited to 16 terabytes, and each domain controller can create up to 2 billion objects.

The database file NTDS.DIT contains three main tables: the schema table for storing the schema, the link table for storing the object structure, and the data table for storing the data.

The Extensible Storage Engine (ESE) arranges the Active Directory data, which is stored in a relational model, into a hierarchical model according to the schema.

Under Windows 2000, Active Directory uses the Jet-based ESE98 database.

Objects

In contrast to the object-oriented directory service eDirectory from NetIQ, Active Directory is better described as object-based and hierarchical.

The data records in the database are defined in Active Directory as objects and their properties as attributes. The attributes are defined according to their type. Objects are uniquely identified by their name.

Group policy settings are stored in group policy objects, which are in turn assigned to domains and sites.

Object categories

Objects can be divided into two main categories: container objects, which can hold other objects, and leaf objects, which cannot.

Storage in containers (organizational units)

The potentially many millions of objects are stored in containers, the organizational units (OUs). Some containers are predefined; further organizational units can be created, with sub-units (sub-OUs) beneath them. As an object-based system, Active Directory supports the inheritance of properties from an object container to its subordinate objects, which may themselves be containers. This allows Active Directory to build networks logically and hierarchically.

Hierarchy

Forest

The combination of several related domains is called a forest (in the German original, Gesamtstruktur, "overall structure"). The most important information from all the domains it contains can be retrieved centrally from the global catalog, and all domains use the same directory schema. Security information (e.g. user rights and group assignments) and schema extensions can be used across domains. A forest can contain several trees, each consisting of domains that share the same DNS namespace (e.g. buchhaltung.meinefirma.de and meinefirma.de). Even a single domain already forms a forest, which can later be extended by further domains.

Organizational units

An organizational unit (OU) is a container object used to group other objects in AD. Besides ordinary objects, an OU can also contain other OUs. The freely definable hierarchy of OUs simplifies the administration of Active Directory; as a rule it follows the network structure (network management model) or the organizational structure of the company. OUs are the lowest level of Active Directory at which administrative rights can be divided up.

Sites

Another means of subdivision are sites, which represent the physical structure of the IP subnets within the overall topology.

The fast networks (LANs) of the individual sites are usually interconnected by slower networks (WANs). Defining sites is therefore important for controlling the network traffic generated by replication. Domains can contain sites, and sites can contain domains.

It is essential to plan the corporate information infrastructure carefully as a hierarchical division into domains and organizational units. Subdivisions based on geographical sites, on tasks or IT roles, or on a combination of these models have proven useful for this purpose.

Domain controller and replication

Windows NT

Under Windows NT there was always one distinguished controller per domain, the primary domain controller (PDC), which alone was allowed to make changes to the user and computer database (SAM). All other domain controllers served as backup copies that could be promoted to PDC if necessary.

From Windows 2000: multimaster replication

Active Directory uses so-called multi-master replication to replicate the directory between the domain controllers. Its advantage is that every replica can be written to and synchronized, so local administration is entirely possible in distributed deployments. Unlike in NT4 domains, all domain controllers (DCs) from Windows 2000 onwards hold a writable copy of the Active Directory database. A change to an attribute on one of the DCs is passed on (replicated) to all other DCs at regular intervals, so that all DCs are at the same level. The failure of a single DC is irrelevant for the Active Directory database, since no information is lost. The replication interval can be set to 15 minutes or more, depending on how frequently changes occur. Windows 2000 Server replicates AD by default after at most 5 minutes, Windows Server 2003 by default after at most 15 seconds. Since replication takes at most 3 hops, the replication latency within a domain is 15 minutes or 45 seconds, depending on the server version used.

Naming

Active Directory supports naming and access using UNC/URL names and LDAP URL names. Internally, the LDAP form of X.500 naming is used for the name structure. Every object has a fully qualified name (distinguished name, DN). For example, a printer object named “LaserDrucker3” in the organizational unit “Marketing” of the domain “foo.org” has the fully qualified name CN=LaserDrucker3,OU=Marketing,DC=foo,DC=org. “CN” stands for common name; “DC” is the domain object class (domain component), which may consist of several parts. Objects can also be named in UNC/URL notation, which is characterized by the reverse order of the identifiers, separated by slashes: the object above can thus also be referred to as foo.org/Marketing/LaserDrucker3. To address objects within their container, relative names (relative distinguished names, RDNs) are used; for the laser printer this is CN=LaserDrucker3. In addition to its globally unique name, every object has a globally unique 128-bit number (globally unique identifier, GUID), usually represented as a character string, which does not change when the object is renamed. Furthermore, every user and computer object can also be addressed uniquely via its assigned UPN (user principal name), which has the form “object name”@“domain name”.
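The following added example (not code from the article, standard library only) turns the naming rules above into working conversions: it parses the article's printer DN into its components, derives the RDN, the UNC/URL-style canonical name and the DNS domain from it, builds a UPN for a constructed user, and renders a 16-byte GUID as the string form AD tools display. Value escaping follows RFC 4514 (a backslash escapes the special characters `, + " \ < > ; =`), which matters for names such as `CN=Doe\, Jane` that contain a comma; the user names and the GUID bytes are constructed for the demo.

```python
"""Active Directory object names: DN, RDN, canonical (UNC/URL-style) name, UPN, GUID.

Added example, not from the article; standard library only. It uses the article's
printer object CN=LaserDrucker3,OU=Marketing,DC=foo,DC=org plus constructed user
names. Escaping in DN values follows RFC 4514; the GUID byte order is the one AD
uses for objectGUID (mixed-endian, uuid.UUID(bytes_le=...)).
"""
import re
import uuid

_SPECIAL = ',+"\\<>;='          # characters that must be escaped inside an RDN value

def _unescape(raw: str) -> str:
    """Resolve '\\,' -> ',' and hex pairs such as '\\2C' -> ','."""
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  raw)

def escape_rdn_value(value: str) -> str:
    """Inverse of _unescape for building RDNs; also escapes a leading '#'/space and a trailing space."""
    out = []
    for i, c in enumerate(value):
        if c in _SPECIAL or (i == 0 and c in "# ") or (i == len(value) - 1 and c == " "):
            out.append("\\")
        out.append(c)
    return "".join(out)

def parse_dn(dn: str) -> list:
    """Split a DN into (TYPE, value) pairs; commas inside escaped values are kept."""
    pairs = []
    for comp in re.findall(r"(?:\\.|[^,])+", dn):
        typ, sep, raw = comp.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {comp!r}")
        pairs.append((typ.strip().upper(), _unescape(raw.lstrip(" "))))
    return pairs

def rdn(dn: str) -> str:
    """Relative distinguished name: the first component, re-escaped."""
    typ, value = parse_dn(dn)[0]
    return f"{typ}={escape_rdn_value(value)}"

def dns_domain(dn: str) -> str:
    """Join the DC components into the DNS domain name."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")

def canonical_name(dn: str) -> str:
    """UNC/URL-style name: DNS domain first, then the path from the root down to the object."""
    path = [v for t, v in parse_dn(dn) if t != "DC"]
    return "/".join([dns_domain(dn)] + path[::-1])

def upn(logon_name: str, dn: str) -> str:
    """User principal name in the form object name @ domain name."""
    return f"{logon_name}@{dns_domain(dn)}"

def guid_to_string(raw: bytes) -> str:
    """Render the 16-byte objectGUID as the string form shown by AD tools."""
    return str(uuid.UUID(bytes_le=raw))

if __name__ == "__main__":
    printer = "CN=LaserDrucker3,OU=Marketing,DC=foo,DC=org"
    print(canonical_name(printer), rdn(printer))
    print(parse_dn(r"CN=Doe\, Jane,OU=Sales,DC=foo,DC=org"))
```

The parser also accepts the spaced form `CN = LaserDrucker3, OU = Marketing, DC = foo, DC = org` that some tools print, and because the GUID survives a rename while the DN does not, it is the GUID that should be used when correlating an object across log entries or replicas.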

Alternatives to Windows Server

In addition to Active Directory, there are other directory services that implement LDAP and Kerberos but are not AD-compatible. Some software products, however, emulate an Active Directory. This allows Windows and other clients to join a domain without additional software and to use most of the features of an Active Directory, e.g. central authentication and administration, without using Windows Server.

Samba

Besides Windows Server, the free software Samba for Linux and Unix systems can also provide an Active Directory directory service. Its current version 4 includes an implementation of Active Directory and can thus replace a Windows server in many cases. This was made possible not least by the support the Samba project received directly from Microsoft.

eDirectory

NetIQ eDirectory, developed by Novell, offers functions similar to Active Directory. It is available for Windows as well as for Linux and, unlike Active Directory, also allows the management of a heterogeneous IT infrastructure. Using the Domain Services for Windows add-on, eDirectory can emulate an Active Directory.
