ISA Server and the Active Director.

The Active Directory is the network directory service in Windows 2000 networks, and since its release, IT professionals have had to face the fact that in Microsoft networking, all roads lead to the Active Directory. Indeed, as Microsoft continues to introduce new .NET server products and features, we continue to see how the Active Directory drives Microsoft networking and how important its features and management functions are. If you are deeply immersed in a Windows 2000 network, you know this statement is all too true.

Curt Simmons is the Author of ‘Microsoft ISA Configuration and Administration

Click Here to purchase his book from (April, 2001)

The good news is that Microsoft products, like ISA Server, are written to take full advantage of the features of the Active Directory. Integration and functionality is typically easy, enabling you to build on what you already know. ISA Server is no exception to this rule, and if you are using ISA Server Enterprise edition on an Active Directory network, you most likely have run the Enterprise Initialization tool. It is quick and simple to use, but it may have left you wondering exactly how the tool prepares the Active Directory for ISA Server.

The Active Directory contains a schema, which is essentially a schematic, or roadmap, of all of the objects that can be held in the Active Directory. In order to define each object, attributes are used. For example, a user account object might contain certain attributes, such as username, password, address, phone number, e-mail address and so forth. By defining the values for these attributes, you define the object itself. The Active Directory contains hundreds of objects in its default schema – most everything you need for a Microsoft network. However, when you implement a new server product, such as ISA Server, the Active Directory schema must be modified in order to include specific objects and attributes used by that product. By adding these objects, ISA Server can then hook into the Active Directory so that configuration information for arrays and similar data is stored not on one centralized computer, but via domain controllers throughout the forest.

When you run the Active Directory initialization tool, the schema is modified to include these Active Directory objects. The process is one-way, meaning that you cannot remove the objects from the Active Directory at a later time. You can deactivate them, but they cannot be removed.

Though too numerous to list here, the objects and attributes for those objects are written to the schema so that ISA Server can use them with the Active Directory. You might wonder what kind of impact the Enterprise Initialization tool has on the Active Directory. After all, performance and replication are always foremost issues in the minds of Active Directory administrators. When you run the Enterprise Initialization tool, the schema master domain controller writes the changes to the Active Directory schema. You may recall that the schema master is a single master operation role while most of the roles in the Active Directory are considered multi-master roles. In other words, you can make changes to the Active Directory from any domain controller under most circumstances, but some management functions can only be performed from one master domain controller. In this case, the Schema master is one of those roles. The administrator who wishes to initialize the enterprise must be logged onto the schema master domain controller as a member of the Schema Admins group. Once the schema write has taken place with the Enterprise Initialization wizard, the process of replication can then begin. The Schema master computer begins to contact its replication partners, and so forth, until the changes to the schema are replicated throughout the entire forest, since each domain controller maintains a copy of the schema. Once replication is complete, the domain container then holds information about array configuration in that domain. Likewise, the configuration contains information about all domains in the forest as well as the entire forest schema. The enterprise policy that you create is stored in this container, and is therefore replicated throughout the entire forest.

In terms of replication and storage space, ISA Server’s modifications to the Active Directory have a total impact of about 2 MB on global catalog storage and generates about 6 MB of replication traffic. Of course, this 6 MB of replication traffic is a one-time occurrence that occurs when the schema write is being replicated to all domain controllers. This amount of replication should have a negligible hit on replication performance, but if your environment is having replication performance problems in general, you should consider running the initialization tool during off-peak network hours. The Enterprise Initialization tool is available from the ISA Server CD-ROM’s auto-start screen where a couple of mouse clicks starts the initialization procedure.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top