DPRO-90588
Mary I. Hubley, MaryAnn Richardson
Technology Overview
25 September 2003

Windows Server 2003 Active Directory: Perspective

Summary
The Windows Server 2003 Active Directory lies at the core of the Windows Server 2003 network infrastructure, providing authentication and authorization services, central administration and information sharing.

Table of Contents
Technology Basics
Technology Analysis
Business Use
Benefits and Risks
Standards
Technology Leaders
Technology Alternatives
Insight

List of Tables
Table 1: Windows Server 2003 Active Directory Standards Support

Gartner
© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Technology Basics
Active Directory (AD) is the directory service in the Standard, Enterprise and Datacenter versions of the Windows Server 2003 family. (While Windows Web Server 2003 can participate in a directory service, it cannot operate one.) AD gives Windows administrators the ability to centrally organize, manage and control access to all network resources, including desktops and applications, as well as to monitor and manage network devices. It not only stores information about network resources but also provides a consistent way to name, describe, locate, manage and secure this information as it applies to both users and applications.
Active Directory consists of both logical and physical components. Each must be taken into consideration when designing the network infrastructure. AD’s logical components organize network resources to match the organizational structure. AD’s physical components configure and control where and when data replication and logon traffic can occur over the network.

Active Directory’s Logical Structure
The basic logical component in AD is the domain, defined by the administrator as a collection of computers that share a common directory database, security policies and security relationships. For example, an organization can set up a separate domain for each department or region.

Domains, in turn, can be partitioned into Organizational Units (OUs). An OU is a collection of users and computers over which specific administrative rights can be delegated. Instead of having one person administer an entire domain, AD lets you delegate specific administrative tasks over organizational units. For example, under the domain headquarters you can create an OU named HR that contains all user accounts and computer objects for that department. Then, you can delegate the responsibility for maintaining passwords to someone in that department. If necessary, you can also delegate the authority to create, delete or manage user accounts or groups within the OU.

Multiple domains can be organized into trees. A tree is a hierarchical arrangement of domains that share a contiguous Domain Name System (DNS) namespace. When a domain is added to an existing tree, the new domain becomes a child domain of the parent domain. The name of the child domain is combined with the DNS name of the parent to form the child’s DNS name. Trees can be grouped into forests. A forest is a group of trees that do not share a common DNS name but do share a common configuration and schema—an attribute repository that allows attributes and object classes to be defined separately from the AD objects themselves.
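The HR password-maintenance delegation described above, as an added PowerShell example that is not part of the Gartner report: it grants a helpdesk group only the Reset Password right, and only on user objects beneath the HR OU, so the delegate cannot touch computer objects or the OU itself. The domain name, the OU and the group name HR-PasswordAdmins are assumptions; the two GUIDs are the fixed, well-known identifiers for the Reset Password control access right and the user object class.

```powershell
# Added example, not from the Gartner report. Assumed names: domain
# headquarters.example, OU "HR", delegate group "HR-PasswordAdmins".
Import-Module ActiveDirectory

$ouDN      = 'OU=HR,DC=headquarters,DC=example'
$groupName = 'HR-PasswordAdmins'

# Well-known GUIDs, identical in every AD forest:
#   control access right "Reset Password" and schemaIDGUID of class "user"
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Read the OU's security descriptor through the AD: PSDrive the module provides.
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow the Reset Password extended right, inherited only by descendant
# objects of class user (Descendents + inheritedObjectType = user).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the explicit (non-inherited) rules on the OU that name the
# delegate group, so the delegation can be reviewed now and audited later.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The verification output should list exactly one rule with ActiveDirectoryRights of ExtendedRight, ObjectType equal to the Reset Password GUID and InheritedObjectType equal to the user class GUID.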
Every domain in a forest can share resources and administrative functions with the other trees in the forest. Every domain trusts every other domain in a forest. The forest is the security boundary—not the domain. Trusts can be established between two forests to provide a one-way or two-way transitive trust relationship between every domain residing within each forest. For example, forest-to-forest trusts can be established between companies undergoing mergers or acquisitions, or between collaborative business extranets. One- or two-way transitive and nontransitive trusts can be established between any non-Windows Kerberos v.5 realm and a Windows Server 2003 domain. Active Directory also supports one-way, nontransitive trusts for connections to Windows NT networks from an external organization.

Active Directory’s Physical Structure
Active Directory’s physical structure consists of these basic components: site, domain controller (DC) and Global Catalog Server (GCS). A site is a high-speed subnet, or set of subnets, connected by a high-speed link. A domain controller is a Windows 2000 Server or Windows Server 2003 computer that stores a replica of the AD logical structure. Because AD’s logical and physical structures are independent of each other, a single site can have multiple domains, or there can be multiple sites in a single domain. The domain controllers manage the directory structure, including:
• Multimaster replication change management
• User logon management
• Authentication and directory searches

The Global Catalog Server is a separate Windows 2000 Server or Windows Server 2003 computer that stores a subset of the object attributes contained on a domain controller, including schema, configuration, a read/write copy of the local domain and partial replicas of the other domains in the forest.
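Because the forest, not the domain, is the security boundary, a defender wants to know which trusts reach beyond it. The following added PowerShell example (not from the Gartner report) inventories the current domain's trusts with Get-ADTrust and separates intra-forest trusts from transitive forest trusts and from external or realm trusts; it assumes the ActiveDirectory module (RSAT) is installed and the session runs as a domain user.

```powershell
# Added example, not from the Gartner report. Requires the ActiveDirectory
# module; read-only, so any domain user can run it.
Import-Module ActiveDirectory

function Get-TrustBoundaryReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_

        # Parent/child and tree-root trusts stay inside the forest boundary.
        # Forest trusts are transitive: every domain of the partner forest is
        # covered. Everything else is an external (NT-style) or Kerberos realm
        # trust, which is nontransitive.
        $scope = if ($t.IntraForest)          { 'inside forest' }
                 elseif ($t.ForestTransitive) { 'forest trust (transitive)' }
                 else                         { 'external or realm trust' }

        $notes = @()
        # Without selective authentication, every account of the partner forest
        # can authenticate to any resource here that grants Authenticated Users.
        if ($t.ForestTransitive -and -not $t.SelectiveAuthentication) {
            $notes += 'forest-wide authentication (no selective authentication)'
        }

        [pscustomobject]@{
            Partner   = $t.Target
            # Outbound: this domain trusts the partner; Inbound: the partner
            # trusts this domain; BiDirectional: both.
            Direction = $t.Direction
            # Uplevel = AD domain, Downlevel = Windows NT 4.0 domain,
            # otherwise a non-Windows Kerberos realm.
            TrustType = $t.TrustType
            Scope     = $scope
            Notes     = ($notes -join '; ')
        }
    }
}

Get-TrustBoundaryReport | Sort-Object Scope, Partner | Format-Table -AutoSize
```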
Once a user has successfully logged on to a DC, the user’s universal group membership is obtained from the GCS and stored in the local DC’s cache. When the user logs on to the DC again, the DC can check the cache to verify the user rather than contact the GCS. This reduces demand on slow or unreliable networks and maintains availability even if the GCS is down.

AD’s Group Policy features give administrators the ability to specify Group Policy settings for a site, domain or OU.

Multimaster Replication
Because AD is based on a multimaster replication model, changes to any AD object can be made on any domain controller in a network, and those changes will be automatically replicated to the rest of the domain controllers in the domain. The Knowledge Consistency Checker (KCC) calculates the best connections for replication to the domain controllers based on site knowledge. The following protocols are used for data replication:
• Remote procedure call (RPC)—Active Directory replication uses RPC over IP for replication within a site. Domain, schema, configuration and global catalog replication can take place over RPC.
• Simple Mail Transfer Protocol (SMTP)—SMTP supports schema, configuration and global catalog replication. However, you cannot use SMTP to replicate the domain partition to domain controllers of the same domain. This is because some domain operations, such as Group Policy, require the support of the File Replication service (FRS), which does not yet support an asynchronous transport for replication. Only RPC can be used to replicate the domain partition.

Features Specific to the Windows Server 2003 Family
While Active Directory is operable on Windows 2000 servers and will work in mixed Windows 2000/2003/NT environments, to take advantage of all of its features, AD must be installed on a computer running Windows Server 2003.
Features that work only with Windows Server 2003 include:
• Schema management
• Support for the inetOrgPerson schema class
• Domain Rename
• Tools for creating cross-forest trusts
• Enhanced AD health monitoring
• Resultant Set of Policy (RSoP) tool for verifying the policies in effect for any user or computer in a domain
• Setup Wizard
• Support for over 5,000 members in a group
• Ability to disable replication compression

Schema Management
The Windows Server 2003 AD database comes with 200 object types and over 1,000 attributes. By modifying the schema, users can extend this number, as well as deactivate some, but none can be deleted. Schema modifications must be based on standard X.500 naming conventions and cannot conflict with other modifications. Schema modifications are replicated to every domain controller in the forest; to prevent AD from becoming corrupted through schema object conflicts, schema modification must be managed in a structured manner.

AD Application Mode
For organizations that don’t require the full functionality of AD, Windows Server 2003 provides AD Application Mode (AD/AM) Server, a lightweight version of AD with a different schema that provides application directories without requiring the complex authentication services inherent in AD.
Upgrading to Windows Server 2003 AD
Active Directory can be installed at one of the following domain functional levels:
• Windows 2000 mixed—supports Windows NT 4.0, Windows 2000 and Windows Server 2003 family domain controllers
• Windows 2000 native—supports Windows 2000 and Windows Server 2003 family domain controllers
• Windows Server 2003 interim—supports Windows NT 4.0 and Windows Server 2003 family domain controllers
• Windows Server 2003—supports Windows Server 2003 family domain controllers

While AD can be installed on Windows NT or Windows 2000 servers, users must raise the domain to the Windows Server 2003 functional level to take advantage of Windows Server 2003-specific features, such as schema management, support for Kerberos Key Distribution Center (KDC) version numbers, domain rename, cross-forest trusts and the inetOrgPerson class. Windows Server 2003 interim is used only for direct upgrades from Windows NT 4.0 to the Windows Server 2003 family, bypassing Windows 2000 entirely. Windows 2000 domain controllers will not function in a Windows Server 2003 interim installation. Domain controllers running earlier operating systems cannot be introduced into a domain functional level that does not support them. Once you have raised the domain functional level, you cannot lower it.

Active Directory Migration Tool (ADMT)
Version 2 of ADMT, for migrating NT domains to AD, adds support for password migration between domains, and scripting and command-line interfaces that allow the development and testing of migration scripts.

Technology Analysis
AD gives the organization a great deal of flexibility in setting up its network infrastructure. However, not all structural combinations will work for every organization.
For example, AD allows multilevel nesting of organizational units or groups, but when deployed to more than five levels, the resulting structure can lead to poor performance. Since domain setup involves translating job functions into AD access rights, failure to account for the political aspects of this process can result in significant delays in design and deployment. It takes time to analyze the present organizational structure before changing or adapting it to AD. A documented migration plan should be in place, followed by a pilot migration, before AD is placed into production.

DNS/WINS Compatibility Issues
Because AD uses DNS for name resolution while Windows NT domains use Windows Internet Naming Service (WINS), an NT upgrade will involve setting up a DNS server on an existing or new server and installing an additional copy of Windows 2000/2003 to run DNS. In a Windows NT Server environment, a WINS server is used for internal name resolution and an Internet service provider’s (ISP’s) DNS server is used for Internet name resolution. Thus, a Windows NT client is usually configured with two IP addresses, one for WINS and one for DNS. When NT clients are migrated to an AD environment that uses DNS for name resolution, all references to WINS IP addresses must be removed, and all DNS IP addresses must be reconfigured to point at a local DNS server rather than the ISP’s Internet DNS server. For Windows clients to access the Internet, the local DNS server must be configured to forward unresolved requests to the ISP’s DNS server.

Maintaining Availability
In addition to migration planning, both maintenance and disaster recovery plans should be in place to guarantee maximum uptime and availability. The maintenance plan should include proactive monitoring, backups and defragmentation.
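The two DNS/WINS migration checks the report calls for above (no WINS addresses left on clients, client DNS pointing at the local DNS server, and that server forwarding unresolved queries to the ISP) can be verified with the following added PowerShell example, which is not part of the Gartner report. The DNS server addresses 10.0.0.10/10.0.0.11 and the ISP resolver 203.0.113.53 are constructed placeholders; Test-DnsForwarders must run on the DNS server itself and assumes the DnsServer module is present.

```powershell
# Added example, not from the Gartner report. Addresses are constructed placeholders.
$localDns     = @('10.0.0.10', '10.0.0.11')   # assumed: the DCs that run DNS
$ispForwarder = @('203.0.113.53')              # assumed: the ISP's resolver

function Test-ClientNameResolution {
    param([string[]]$ExpectedDns)
    # Win32_NetworkAdapterConfiguration exposes both the DNS search order and
    # the WINS servers of every IP-enabled adapter on the client.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $wins    = @($_.WINSPrimaryServer, $_.WINSSecondaryServer | Where-Object { $_ })
            $dns     = @($_.DNSServerSearchOrder | Where-Object { $_ })
            # Any DNS address that is not one of the local DNS servers (typically
            # the ISP's) is a leftover from the NT-era configuration.
            $foreign = @($dns | Where-Object { $ExpectedDns -notcontains $_ })

            $problems = @()
            if ($wins.Count -gt 0)    { $problems += 'WINS addresses still configured' }
            if ($foreign.Count -gt 0) { $problems += "DNS not local: $($foreign -join ', ')" }

            [pscustomobject]@{
                Adapter     = $_.Description
                WinsServers = ($wins -join ', ')
                DnsServers  = ($dns -join ', ')
                Problems    = ($problems -join '; ')
            }
        }
}

function Test-DnsForwarders {
    param([string[]]$Expected)
    # On the local DNS server: forwarders receive every query the server cannot
    # answer from its own zones, which is how clients keep reaching the Internet.
    $actual  = @((Get-DnsServerForwarder).IPAddress.IPAddressToString)
    $missing = @($Expected | Where-Object { $actual -notcontains $_ })
    [pscustomobject]@{
        Forwarders = ($actual -join ', ')
        Missing    = ($missing -join ', ')
    }
}

Test-ClientNameResolution -ExpectedDns $localDns | Format-Table -AutoSize
Test-DnsForwarders -Expected $ispForwarder | Format-Table -AutoSize
```

A fully migrated client shows an empty Problems column on every adapter, and the server report shows an empty Missing column.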
Plans should include backing up and restoring the AD database in response to events that result in:
• A corrupted or invalid schema
• Missing DNS records
• Damaged or corrupted information
• An inoperable configuration

Because the AD is continually in use, it is not possible to simply make a copy of it as with other database files. Instead, the AD backup utility must be used to perform a separate online backup of each DC, including the system-state data. Since all DCs in a domain are full-replica partners, a DC with no backup of its own can still be restored from the backup media of another DC (that is, tape, CD, DVD or file copy over a network). First, the AD backup utility should be used to create a backup of an existing domain controller onto external media. Then, the Active Directory Installation Wizard must be run to install the DC on the failed machine from the backup media.

By default, AD runs the Garbage Collection process every 12 hours. This process removes “tombstones,” the remnants of deleted objects, as well as any unnecessary log files. It then performs an online defragmentation to reclaim space in the directory for new objects; however, this has no effect on file size. To reduce file size, the default online defragmentation should be supplemented with offline defragmentation to recover unused space. Offline defragmentation can be scheduled on an as-needed basis by using Garbage Collection to log an event showing when the ratio of current database size to white-space content reaches a specified level. By helping to reduce the size of the AD database files, offline defragmentation can improve directory performance and availability.
Desktop and Replication Requirements
While all Windows clients can log on to an AD domain and access shared resources, only Windows 2000 and Windows XP clients can use all of AD’s features, including Group Policies. Another factor that must be taken into consideration when implementing AD is replication requirements. AD won’t function properly if it cannot complete its replication cycles because of inadequate network bandwidth or poorly configured DC hardware.

Business Use
AD is mainly deployed as an identity and applications manager for managing single sign-on, passwords, adding and deleting users, and user provisioning. Combined with Group Policy, AD controls security settings for remote desktop management, including:
• Automatic software distribution and installation
• Desktop configuration
• Software repair

AD is also used in application services. Third-party software, such as SAP and J.D. Edwards, can work with AD.

Benefits and Risks
Benefits:
• Desktop management
• Network security
• Ability to upgrade to Exchange 2000, which requires AD
• Central management of users throughout the enterprise
• Multimaster replication change management
• AD’s delegation capabilities
• User access to millions of objects without knowledge of physical location or connection to the network

Risks:
AD migration and deployment involves specific costs that must be managed to minimize risk to the organization. These costs include:
• Windows 2000/2003 software licenses
• Staff retraining
• Third-party AD migration and management tool licenses
• Replacement or upgrade of older hardware devices, including servers to be used as domain controllers (Microsoft’s hardware compatibility list should be checked to ensure that existing hardware device drivers will continue to work with AD)
• Replacement or upgrade of desktop systems to take advantage of AD Group Policies

Standards
Table 1: Windows Server 2003 Active Directory Standards Support

Standard                                          Description                  Version
Dynamic Host Configuration Protocol               Network address management   RFC 2131
DNS dynamic update protocol                       Host name management         RFC 2136, 2782 and 3007
Simple Network Time Protocol                      Distributed time service     RFC 2030
Lightweight Directory Access Protocol (LDAP) v.3  Client directory access      RFC 2251
LDAP “C” programming API                          Directory application        RFC 1823
LDAP Data Interchange Format (LDIF)               Directory synchronization    RFC 2849
LDAP                                              Directory schema             RFC 2247, 2252 and 2256
Kerberos v.5                                      Authentication               RFC 1510
X.509 v# certificates                             Authentication               ISO X.509
TCP/IP                                            Network transport            RFC 791 and 793

Technology Leaders
An organization can use Microsoft-provided tools and utilities to deploy and manage AD, but users may find that the additional features provided by third-party tools make managing more complex environments easier. These products provide tools for migrating to AD from older network operating systems, as well as AD change management, monitoring, and event detection and correction. Leading vendors of AD management technologies include NetIQ (www.netiq.com), Quest Software (www.quest.com), BindView Corporation (www.bindview.com) and Aelita (www.aelita.com). NetPro (www.netpro.com) provides monitoring and security products for AD. FullArmor (www.fullarmor.com) provides a management solution for Group Policies.

Technology Alternatives
An alternative to AD on Windows platforms is Novell’s eDirectory.

Insight
When properly implemented, Windows Server 2003 Active Directory can enhance productivity and security within an organization of any size. These benefits, however, do not come without incurring substantial costs in licensing, hardware and network upgrades, staffing, setup and maintenance.