Windows 2000 Operating System

-- Active Directory Service

COSC 516Yuan YAO

08/29/2000

Windows 2000 Included Products

Windows 2000 ProfessionalWindows 2000 ServerWindows 2000 Advanced ServerWindows 2000 Datacenter Server

Windows NT 4.0 WorkstationWindows NT 4.0 ServerWindows NT 4.0 Enterprise

Upgrade to Windows 2000

95 – 2000: automatic setup will report incompatibility,

some application have different components for two

98 – 2000: tricky due to lots of hardware and software

compatibility problems

NT 4.0 – 2000: easier but not without problems

What to expect if you

…are on the road (Remote users)…work at home (Home office users)… run a small business (Small business)…run a larger network (Medium-size and large enterprise)…provide internet services (Service provider)

Active Directory Service

A true hierarchical, distributed directory service for managing resources across an enterprise or extranet.

ADS Terminology

Directory and Directory Services Directory is an information store.Directory Services are a directory itself as well as the services

it provides, such as security and replication.

Workgroup and Domain A Windows 2000 workgroup is a logical grouping of networked

computers that share resources, such as files and printers, and maintain a local security database, which is a list of user accounts and resource security information for the computer it is on.

A Windows 2000 domain is a logical grouping of networked computers that share a central directory database, which contains user accounts and security information for the domain.

ADS Terminology

Domain Tree and Forest A domain tree refers to a hierarchical grouping of domains

that share a contiguous namespace, a common schema, and a common global catalog.

A domain forest is a collection of two or more domain trees that do not share a contiguous namespace, but do share common schema and global catalog.

NamespaceA collection of unique domain names.

ADS Terminology

Object and Organizational unitAn object is a representation of a network resource,

including users, computers, printers, and so forth. Organizational unit is an object that can hold other objects.

Multimaster replicationThe process by which Active Directory domains replicate

with each other and resolve conflicting updates.

Lightweight Directory Access Protocol (LDAP)

An Internet standard by which Active Directory clients and servers communicate.

Do you need Directory Service ?

A central database that keeps track of every resource and user in an enterprise-wide network.

If you don't need a full directory service yet, you should get ready by practicing the discipline of using a consistent naming scheme.

Importance of Directories

Become the points of reference for applications and user services.Provide single sign-on.Become increasingly important as business networks expand to include connections with business partners and customers.

Existing Directory Services

Bull, Computer Associates, Hewlett-Packard, IBM, Tivoli, and Unisys have offered directory solutions. But hefty price tags and lack of interoperability have limited their adoption. Active Directory brings a big buzz.Novell Directory Services (NDS) and the Novell ZenWorks software family have also made many administrators aware of the importance of directory services.

What is a hierarchical namespace?

Username

Value ofdepartmentattribute

Value ofprofessionattribute

Object name

Brown COSC Profession Brown@prof.cosc.seu

Brown ISMA Assistant Brown@assi.isma.seu

Scalability Comparison

Active Directory Service partitions can hold millions of objects and use indexed data storesNovell Domain Service partitions are limited to 1,000 objectsNT 4 Domain Service can only provide limited scalability, one NT 4 server stores the entire domain database

Transitive Kerberos Trusts

If domain A trusts domain B, and domain B trusts domain C, then domain A trusts domain C and vice versa.Trusts give user and group rights to traverse domains and are essential for single sign-on.It reduces the complexity of maintenance.

A Distributed Directory Service

Directory servers are typically distributed across a network so that they are easily reachable by clients and servers.Data relationships and namingReplicationCaching

Data Relationships & Naming

For NT 4, administrative authority could only delegate to the domain level.ADS gives the administrative authority down to the Organizational Unit level.

For NDS, user rights to other domain objects or common resources can be assigned to an Organizational Unit. For ADS, rights must always be configured for individual users and groups.

Replication

Domain Controller, a server that contains directory information and responds to database requests or routing requests for resources.NT 4's Primary and Backup Domain Controllers have been replaced in 2000 by a peer model. Any server can be promoted to AD domain controller status.Multimaster Replication replicates changes made to any single controller to all other controllers.

Caching

To improve response time for directory queries, directory servers can save a copy of frequently requested directory service information locally in Global Catalog (GC)

Migrating to Active Directory

Domains to Active Directory:Requires extensive planning and

testing NDS to ADS:

No good reasons to switch to Active Directory, unless plan to abandon NetWare completely. Better create a test-bed first.

Domain Modes

Mixed ModeAllows the domain controllers to interactive with

any domain controllers running previous versions of Win 2000 Server.

Native ModeAll the domains are integrated with Active

Directory, and all Windows NT 4 domain controllers are upgraded to Windows 2000 Server

Mixed Mode to Native Mode:

Upgrade all domain controllers.Reconfigure the domains by using Active Directory Migration Tool or FastLane, etc.Several points:

• Support for down-level replication ceases. • Can no longer add new down-level domain

controllers to the domain.• No more primary domain controller, all domain

controllers are peers.• The change is one way only.