Exploring 2000 - The Active Directory demystified
(January 1999)
Bob Walder looks at recent developments to the current domain model of Active Directory

This article is based on NT 5.0, Beta 2.

Something that is common across the Windows 2000 product range is Microsoft’s response to Novell’s NDS – Active Directory. Directory services are increasingly important in today’s corporate networks, and Microsoft is finally ready to admit that its offerings to date – namely the archaic flat-file naming system inherited from the old LAN Manager days – are less than adequate for an enterprise network operating system. The main aim of Active Directory is to provide a centralised repository for all network resources such as servers, shared drives, printers and users. Unlike the current Trusted Domain model used by NT 4.0, Active Directory will provide a single hierarchical directory structure across the whole enterprise if required.

What’s the difference between the Domain and Active Directory?

Just as with NT 4.0, the Domain is a central piece in the Active Directory puzzle, but this time there are no Primary or Backup Domain Controller designations. Instead, any server can be a Domain Controller, and all DCs participate equally as peers in a multi-master replication scheme that sees domains distributed and replicated across any number of servers in an enterprise. A single domain can span multiple physical locations or sites, and inter-site replication can occur within a domain even if a particular DC is unavailable.

The domain itself is the unit of replication, and any change at one site or another within a domain is replicated to the other sites (sites are usually physical divisions of a network, often connected by slower WAN links). Since there is no one "leader of the pack" when it comes to Active Directory domains, changes can be made simultaneously at all sites or controllers within a domain. The Active Directory uses update sequence numbers (USNs) to track changes on a per-attribute basis, although some more serious changes are locked down to a single domain controller at a time (which controller holds that role can change dynamically). Replication is one of the key areas of Active Directory and is the one factor that could make or break a large, distributed Windows 2000 network. It will be interesting to see how well Active Directory copes with this most difficult task – a task that even Novell struggled with in the early releases of NDS.

Organisational Units

One major change for Active Directory is the introduction of Organisational Units (OUs) within a domain, each of which can contain other OUs or objects such as users or servers. This allows a meaningful hierarchical structure to be built within a single domain if required, thus providing the means to eliminate trusted domains completely. Access to objects is controlled by Access Control Lists (ACLs) populated with Access Control Entries (ACEs). Thankfully, OUs are also administrative boundaries, and can thus be used for organising user and resource objects into logical administrative groups.

Various administrative tasks (such as access rights specification) can then be delegated to the administrator for a specific OU, thereby freeing domain administrators from having to support such changes directly. OUs also provide inheritance of access rights, thus allowing access to resources specific to a particular organisation to be restricted to members of that OU. Within a domain, access permissions are cumulative unless explicitly denied, and administration rights are limited to domain boundaries by default. This all serves to greatly simplify administration of large enterprise networks under Windows 2000.
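The OU inheritance and "cumulative unless explicitly denied" rule described above, as an added illustration that is not part of the original article or of Microsoft's implementation; the classes, the NSS.COM sample domain and its group names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set

# Constructed model of the OU/ACL behaviour described above (hypothetical
# classes, not Microsoft code): allow ACEs accumulate down the OU chain
# unless a matching deny ACE explicitly removes the right.
@dataclass
class ACE:
    trustee: str          # user or group the entry applies to
    right: str            # e.g. "read", "write", "admin"
    allow: bool           # True = allow ACE, False = deny ACE
    inherit: bool = True  # propagate to child OUs and objects

@dataclass(eq=False)
class Container:          # a domain, an OU, or a leaf object such as a share
    name: str
    acl: List[ACE] = field(default_factory=list)
    parent: Optional["Container"] = None

    def child(self, name: str, *acl: ACE) -> "Container":
        return Container(name, list(acl), parent=self)

    def chain(self) -> Iterator["Container"]:
        node: Optional[Container] = self    # this container, then each ancestor
        while node is not None:
            yield node
            node = node.parent

def effective_rights(obj: Container, principals: Set[str]) -> Set[str]:
    """Rights held on obj by a user plus their groups (principals).
    Allows are cumulative across the chain; any matching deny wins."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for depth, node in enumerate(obj.chain()):
        for ace in node.acl:
            if depth > 0 and not ace.inherit:   # ancestor ACE marked non-inheritable
                continue
            if ace.trustee in principals:
                (allowed if ace.allow else denied).add(ace.right)
    return allowed - denied

def build_sample_domain() -> dict:
    # Constructed NSS.COM domain: admin rights delegated to the IT OU only
    domain = Container("NSS.COM", [ACE("Domain Users", "read", True), ACE("Domain Admins", "admin", True)])
    it = domain.child("IT", ACE("IT Admins", "admin", True), ACE("Auditors", "read", True, inherit=False))
    support = it.child("Support", ACE("Contractors", "write", False))   # explicit deny
    share = support.child("HelpdeskShare", ACE("IT Staff", "write", True))
    return {"domain": domain, "it": it, "support": support, "share": share}
```

Note that "IT Admins" gain admin rights on everything below the IT OU but not on the domain root, which is the delegation boundary the text describes.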

Trees and forests

In something that looks suspiciously like the old Trusted Domain model, multiple domains can be linked together in a domain tree. In order to participate in a tree, all the domains must form a contiguous name space and share a common schema, configuration, and global catalogue. A tree must have a distinct name, and this is always the DNS name of the domain at the root of the tree – DNS is actually used as the location service that allows a client to find a directory service containing the desired copy of the directory.

Active Directory also provides subsets of the key X.500 protocols, including the Lightweight Directory Access Protocol (LDAP), which enables it to participate in mixed Internet and X.500 environments. The contiguous namespace means that if the root domain is named NSS.COM, then the IT domain below it will be named IT.NSS.COM, the SUPPORT domain below that will be named SUPPORT.IT.NSS.COM, and so on. This is much the same idea as naming OUs within a domain. Renaming the root domain renames the tree and all child domains within it.

Domains within a tree do not need explicit trusts to be assigned as in the current trusted domain model. Instead, all domains are linked by transitive trust relationships based on Kerberos authentication. This means that users can access resources in other domains via these automatic trust relationships, which are discarded once they are no longer required. However, at present, the domain remains the scope of administration, which means that administrative rights are not inherently transitive. Where organisations need to support several completely separate namespaces, trees can be grouped together into a forest, and each tree will represent a separate namespace. As with domains in a tree, all trees in a forest share a common schema, configuration, and global catalogue. All trees in a forest trust each other through transitive, hierarchical Kerberos trust relationships, but unlike trees, a forest does not need a distinct name.
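The contiguous naming of a domain tree, the effect of renaming the root, and the route a transitive trust takes between two domains of a forest, as an added worked model that is not part of the original article or of Microsoft's code; the classes and the NSS.COM / OTHER.COM sample forest are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of domain trees and forests as described above (hypothetical
# classes, not Microsoft code). A child domain's DNS name is derived from its
# parent's, so each tree is one contiguous namespace rooted at the tree name.
@dataclass(eq=False)
class Domain:
    label: str                      # leftmost DNS label, e.g. "IT"
    parent: Optional["Domain"] = None
    children: List["Domain"] = field(default_factory=list)

    def add_child(self, label: str) -> "Domain":
        child = Domain(label, parent=self)
        self.children.append(child)
        return child

    @property
    def dns_name(self) -> str:
        # IT under NSS.COM is IT.NSS.COM; renaming the root renames every descendant
        return self.label if self.parent is None else f"{self.label}.{self.parent.dns_name}"

    def lineage(self) -> List["Domain"]:
        node, chain = self, []      # this domain, then its parents up to the tree root
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

@dataclass(eq=False)
class Forest:
    trees: List[Domain] = field(default_factory=list)  # one root Domain per tree

    def trust_path(self, src: Domain, dst: Domain) -> Optional[List[str]]:
        """Domains crossed under transitive trust: up src's tree, across the forest
        root trust when the trees differ, then down to dst; None if outside the forest."""
        if src.lineage()[-1] not in self.trees or dst.lineage()[-1] not in self.trees:
            return None
        up, down = src.lineage(), dst.lineage()[::-1]
        if up[-1] is down[0]:                       # same tree: meet at common ancestor
            common = next(d for d in up if d in down)
            up, down = up[:up.index(common) + 1], down[down.index(common) + 1:]
        return [d.dns_name for d in up + down]

def build_sample_forest() -> dict:
    nss = Domain("NSS.COM"); it = nss.add_child("IT"); support = it.add_child("SUPPORT")
    other = Domain("OTHER.COM"); sales = other.add_child("SALES")
    return {"forest": Forest([nss, other]), "nss": nss, "it": it, "support": support,
            "sales": sales, "foreign": Domain("FOREIGN.NET")}   # FOREIGN.NET is not in the forest
```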

Trees and forests are thus a refinement of the original domain tree concept, and are designed to provide a multi-domain structure which is much more straightforward and intuitive to use than the current trusted domains model. It does, however, leave Microsoft open to the criticism that Active Directory is not a complete reworking or replacement of the existing domain system, despite assurances to the contrary. Earlier, we mentioned that all domains within a tree (as well as trees within a forest) must share a common global catalogue. This is designed to provide a global search mechanism to simplify the user’s view of the enterprise-wide domain structure in large organisations.

The global catalogue (GC) is a partial index of selected objects in the domain tree, combined with a search engine. To find a resource in the domain tree, wherever it may be located in the enterprise, a user queries the GC for that resource based on one or more of its attributes (e.g. find all printers that have A3 capability). The GC then returns the location of the desired resource, but only if the user performing the query has the appropriate access rights to that object.

Not as integrated as it could be

This current Active Directory goes a long way towards rectifying many of the shortcomings inherent in the domain model currently employed by NT Server 4.0. However, it still shows signs of not being as "integrated" as it could be. For instance, when publishing a disk share within the Active Directory, it is first necessary to create that share and set security with Explorer just as you would under NT 4.0. It is thus a two-step operation, one which could and should be reduced to a single step, where the publication of a share within AD is all that is required, and security is then set by dragging and dropping user and container objects accordingly.

This "ideal situation" is actually similar to how the task would be achieved under NDS. This is just one example of the sort of inconsistency that provides fodder for the AD sceptics, and goes a long way towards prejudicing corporate IT managers against a new and untried system which still shows signs of not being as complete and polished as it should be.