Windows 2003 Active Directory: An overview
Times gone by
Some years ago you could have been excused for thinking that selecting the right server software for your Windows network was a tough job. Microsoft hasn't always been the toughest dog in the pound. On one hand Microsoft's NT4 platform provided good integration and, more importantly, a platform that IT managers were immediately familiar with. On the other hand, Novell had a rock solid, lean and world proven product in Novell NetWare (4.1 or 5). The secret at the heart of Novell's dominance, and the foot blocking Microsoft's way into the critical international corporate server market, was the inclusion of a directory service called NDS (Novell Directory Services). Such a directory allowed for scalable and more easily managed networks and lent itself well to multi-office, global networks; at the very least it was a better alternative than anything Windows NT4 offered.
Fig 1: Novell's NDS was world class... at the time.
For those of you new to the idea of a directory in network terms, you can think of it as a telephone directory, with each entry being a network object, such as a user, a printer or a network share, rather than a piece of contact information. This information can be structured into logical containers, called Organisational Units (OUs), allowing for a more manageable environment when dealing with large numbers of users and other objects. The directory can be duplicated and replicated across multiple servers, allowing redundancy and a distributed structure to be built into the network design. Like its paper-based namesake it can be searched quickly and easily, though rather faster than turning the pages of a book. A well thought out logical structure also lets IT departments apply policies to groups of users or computers based upon the needs of the business.
Clearly, in order for Microsoft to gain global dominance in the server field, they had to rework the server platform, and make it scalable, reliable and resilient from the ground up, and without completely reinventing the wheel. Thus Active Directory was born.
Learning the basics
Before we begin, let's quickly cover the basics of Active Directory. Any Active Directory installation goes hand in hand with a correctly set up DNS server running on your network. The reliance on DNS is apparent in Windows 2000, and it is almost impossible to run a Windows 2000 network without it being underpinned by DNS. This is very different from the old NT networks, which could do without it, or would most likely use WINS, Microsoft's NetBIOS name service, which was offered up as an 'alternative' at the time. Such is the reliance on DNS that it should be the first port of call when fault finding any issue with AD itself or with replication: domain controllers advertise themselves through SRV records (for example _ldap._tcp.dc._msdcs.<forest name>), and if a client or a fellow DC cannot resolve those records it cannot find a DC, whatever the state of the rest of the network. A quick nslookup -type=SRV against those names settles the question before you go any further.
Active Directory itself is made up of three 'logical' partitions (naming contexts): Domain, Configuration and Schema. On disk these all live in a single database file, NTDS.DIT, on every domain controller (by default under %SystemRoot%\NTDS). The Domain partition stores the objects of that domain, including users, groups, computers and their password hashes, which is why the physical security of domain controllers and their backups matters so much; the Configuration partition holds the forest-wide structure of sites, subnets and replication topology; and the Schema holds the definitions of every object class and attribute that can exist in the forest. These can roughly be associated, in order, with the following tools: Active Directory Users and Computers, Active Directory Sites and Services, and the Active Directory Schema snap-in (ADSIEdit can browse all three).
Is there a spin doctor in the house?
You're not going to be bowled over by swathes of new features in Active Directory 2003; the most visible changes are in the management tools which, as part of the Admin Pak, can be installed on a Windows XP machine and work quite happily against Windows 2000 domains too. One of the most useful features of the new AD tools, for the general IT person, is the ability to create and store queries in Active Directory Users and Computers. You can now create queries to display users, computers or any other object you can think of, based on pretty much any attribute you can think of; under the covers a saved query is simply a stored LDAP filter. Microsoft have wisely included some predefined criteria for the most common searches, which include disabled accounts, accounts that have not logged on for xx days, name (with the usual starts with, ends with, contains and so on), description, and accounts whose passwords never expire. These alone should help most IT folk, but the list of objects and attributes is almost endless.
Fig 2: Queries let you quickly find common groups of objects
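As an added example (not from the original article and not Microsoft's code), the following Python script builds the LDAP filters that sit behind the predefined criteria above, the same filters ADUC stores when you save a query. The domain, OU and user names in it are made up; the attribute names, the userAccountControl flag values and the bitwise-AND matching rule OID are the standard ones. The days-since-last-logon filter uses the replicated lastLogonTimestamp attribute, which only exists at Windows Server 2003 domain functional level and is refreshed lazily, so it is an approximation. Search terms are escaped per RFC 4515 so a user-typed value such as admin*) cannot alter the shape of the filter.

```python
"""Added example: the LDAP filters behind the common ADUC saved queries.

A saved query in Active Directory Users and Computers is a stored LDAP filter;
the same filters can be run with dsquery, ldp.exe or any LDAP client. This
script builds them, escaping untrusted search terms per RFC 4515. Names such
as the example OU are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Standard userAccountControl bit flags.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

# Matching rule OID for "attribute AND mask != 0" tests on integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Windows FILETIME counts 100-nanosecond ticks since this instant.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def escape_filter_value(value: str) -> str:
    """Escape a search term for use inside an LDAP filter (RFC 4515 section 3).

    Without this, a term like 'x)(objectClass=*' would rewrite the query.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a Windows FILETIME integer."""
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def user_filter(*clauses: str) -> str:
    """AND the given clauses with the standard selector for user objects.

    objectCategory=person plus objectClass=user matches users but not computers
    (computer objects are also objectClass=user, but objectCategory=computer).
    """
    return "(&(objectCategory=person)(objectClass=user)" + "".join(clauses) + ")"


def disabled_accounts() -> str:
    return user_filter(
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})"
    )


def non_expiring_passwords() -> str:
    return user_filter(
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_EXPIRE_PASSWD})"
    )


def not_logged_on_for(days: int, now: datetime) -> str:
    """Users whose replicated lastLogonTimestamp is at least `days` old.

    lastLogonTimestamp exists only at Windows Server 2003 domain functional
    level and is refreshed lazily (it may lag real logons by up to 14 days),
    so treat matches as candidates to review, not proof of a dormant account.
    """
    threshold = to_filetime(now - timedelta(days=days))
    return user_filter(f"(lastLogonTimestamp<={threshold})")


def name_starts_with(prefix: str) -> str:
    """Name 'starts with' query; the prefix is escaped, the trailing * is ours."""
    return user_filter(f"(cn={escape_filter_value(prefix)}*)")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for label, flt in [
        ("disabled accounts", disabled_accounts()),
        ("non-expiring passwords", non_expiring_passwords()),
        ("not logged on for 90 days", not_logged_on_for(90, now)),
        ("name starts with 'adm'", name_starts_with("adm")),
        ("hostile search term", name_starts_with("x)(objectClass=*")),
    ]:
        print(f"{label}:\n  {flt}")
```

Run with no arguments it prints the five filters; any of them can be handed to an LDAP client, for instance dsquery * -filter "<filter>" on a Windows Server 2003 machine. The last one shows why the escaping matters: the hostile term comes out as a literal name to match rather than a new clause.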
We will be covering queries in further detail in a future article. There are also significant changes to the Group Policy management facilities of AD Users and Computers. Again, these features will be covered in further detail in future articles.
There are also several overhauls under the bonnet that deserve attention. Clearly the priority you give each of these features will depend squarely upon the kind of network you have, its structure, and your job role.
One of the most interesting features of this release is actually a separate release riding on the coat tails of Active Directory 2003. Active Directory Application Mode (or ADAM to its closest friends) is a separate application that should prove to be a boon to application developers and IT managers alike. As Active Directory is a customisable, replicated database that already spans your WAN links, many applications (bespoke and otherwise) could use it to store their own data, as well as for authorisation of users. Programmers of such applications then needn't reinvent the wheel when it comes to creating distributed data stores, and development cycles can be reduced. It does, however, introduce two serious problems of its own: bandwidth and latency. Network links between branch offices are often slow, and the additional data written by such applications can easily bring those lines crawling to a halt. Even in the biggest of offices with the fastest of lines, managing replication traffic can be a black art, and more of it is never welcome. The second problem is replication latency: in a busy organisation with multiple branches (exactly the kind of network that might run bespoke applications on a distributed store such as AD) the extra data takes time to converge, so no office can rely on seeing the latest information.
Due to these issues most application developers have turned away from using AD as an application data store. Microsoft seeks to change that by introducing a stand-alone version of Active Directory tailored towards application data storage. ADAM is available as a download from Microsoft and can be installed on either a Windows Server 2003 machine or a Windows XP Professional workstation; the machine need not be a domain controller. When installed it runs as a service in the context of a nominated account, and as it is separate from Active Directory its replication schedules can be configured separately. On top of that, multiple instances of ADAM can run on the same machine, each listening on its own LDAP and LDAP-over-SSL ports, which should allow developers and others to test different schema set-ups far more easily than before.
Fig 3: Active Directory running under XP, who would have thought it!
It should be said that Microsoft has also included a new Application Directory Partition feature in AD 2003, which allows for a fourth 'logical' partition type, 'Application'. Such a partition is tailor-made to store data from third-party AD-aware programs, keeping it outside the main three partitions, and it replicates only to the domain controllers you enrol as replicas of it, on its own replication schedule (Windows Server 2003 DNS uses exactly this mechanism for its DomainDnsZones and ForestDnsZones partitions). An application partition cannot hold security principals such as users, groups or computers, so it is a data store rather than a place for accounts. This gives several of the advantages of the ADAM approach, but with ADAM you are able to run multiple instances, something which cannot be done with a normal AD installation.
One of the areas that people have been most vocal about is replication traffic. Microsoft have long had a reputation for bloatware, applications that seem unnecessarily large in the file department, and they have been working hard to cut down on the amount of data moved across network links in the name of AD replication.
One of the most apparent examples of the improved replication techniques is Linked Value Replication. This feature will seem logical to some, and was much desired in Windows 2000 Active Directory. Linked Value Replication allows single values of a multi-valued attribute to be replicated between servers, so that, for example, when you add a new member to a security group containing 1,000 users, only that one new value is replicated. Previously the attribute was replicated as a whole, so all 1,000 members would have been sent in order for just that one new user to be included in the group; worse, if administrators at two sites changed the same group before replication ran, only one of the changes survived. Even in my current small network, with three branch offices and six servers, this could make a real difference. On a side note, this is also what removed the 5,000-member limit per group that Windows 2000 imposed; groups no longer have a hard membership limit. Linked Value Replication is only switched on once the forest is raised to the Windows Server 2003 forest functional level, so a forest that still contains Windows 2000 domain controllers replicates the old way.
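To make the difference concrete, here is an added simulation (my own illustration, not Microsoft code and not part of the original article) of two domain controllers replicating the member attribute of one group, first the Windows 2000 way, with the whole attribute as the unit of replication, and then with linked values. The DC names, the group size and the two users added at either end are constructed; real replication uses USNs and up-to-dateness vectors rather than the simple per-value stamps used here, but the two properties the simulation measures, how many values cross the wire and whether concurrent changes survive, are the ones that matter.

```python
"""Added example: whole-attribute versus linked-value replication.

Two domain controllers hold the same group. With Windows 2000 style
replication the `member` attribute is one replication unit: every change ships
the full value set, and when two DCs change the group before replicating, the
attribute with the higher stamp replaces the other wholesale. With linked
value replication each value carries its own stamp, so only changed values
ship and concurrent changes merge. Stamps are simplified; real AD uses
version, timestamp and originating DSA plus up-to-dateness vectors.
"""


class WholeAttributeDC:
    """Windows 2000 style: one (version, time, originating DC) stamp per attribute."""

    def __init__(self, name):
        self.name = name
        self.members = set()
        self.stamp = (0, 0, name)

    def add_member(self, dn, time):
        self.members.add(dn)
        self.stamp = (self.stamp[0] + 1, time, self.name)

    def remove_member(self, dn, time):
        self.members.discard(dn)
        self.stamp = (self.stamp[0] + 1, time, self.name)

    def replicate_to(self, other):
        """Ship our attribute to `other`; return how many values crossed the wire."""
        sent = len(self.members)          # the entire value set, every time
        if self.stamp > other.stamp:      # higher version, then later time, wins outright
            other.members = set(self.members)
            other.stamp = self.stamp
        return sent


class LinkedValueDC:
    """Windows Server 2003 style: each value carries its own stamp."""

    def __init__(self, name):
        self.name = name
        # dn -> (present, version, time, originating DC); removed values stay as tombstones
        self.values = {}

    @property
    def members(self):
        return {dn for dn, v in self.values.items() if v[0]}

    def _stamp(self, dn, present, time):
        old = self.values.get(dn)
        version = (old[1] if old else 0) + 1
        self.values[dn] = (present, version, time, self.name)

    def add_member(self, dn, time):
        self._stamp(dn, True, time)

    def remove_member(self, dn, time):
        self._stamp(dn, False, time)

    def replicate_to(self, other):
        """Ship only values newer than the destination's copy; return how many."""
        changed = {
            dn: v for dn, v in self.values.items()
            if dn not in other.values or v[1:] > other.values[dn][1:]
        }
        other.values.update(changed)
        return len(changed)


def build_scenario(dc_class, group_size=1000):
    """Two DCs synchronise a group, then each adds a different user before
    replicating again. Returns traffic counts and the end state (constructed data)."""
    alice = "CN=alice,OU=Staff,DC=example,DC=com"
    bob = "CN=bob,OU=Staff,DC=example,DC=com"
    dc1, dc2 = dc_class("DC1"), dc_class("DC2")
    for i in range(group_size):
        dc1.add_member(f"CN=user{i},OU=Staff,DC=example,DC=com", time=0)
    initial = dc1.replicate_to(dc2)

    dc1.add_member(alice, time=5)   # head office adds alice ...
    dc2.add_member(bob, time=6)     # ... while a branch adds bob, before replication runs
    after = dc1.replicate_to(dc2) + dc2.replicate_to(dc1)

    return {
        "initial_values_sent": initial,
        "values_sent_after_two_adds": after,
        "dc1_members": len(dc1.members),
        "dc2_members": len(dc2.members),
        "converged": dc1.members == dc2.members,
        "both_adds_kept": {alice, bob} <= dc1.members,
    }


if __name__ == "__main__":
    for cls in (WholeAttributeDC, LinkedValueDC):
        print(cls.__name__, build_scenario(cls))
```

Running it prints two result sets. The whole-attribute model ships 1,000 values at the first synchronisation and a further 2,002 to reconcile two single-member additions, and both DCs end with 1,001 members because alice's addition was overwritten by bob's; the linked-value model ships 2 values for the same two additions and both DCs end with 1,002 members. The Windows 2000 cap of 5,000 members existed because the whole attribute had to fit in a single replication transaction; the silent loss of one administrator's change is the other cost of treating it as one unit.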
With bandwidth in mind, Microsoft has also included Universal Group Membership Caching, often loosely described as 'cached credentials'. It allows users at a remote branch office which has its own domain controller to log on even without a connection to a Global Catalogue server, because the DC caches the universal group memberships it looked up at the user's last logon and refreshes them in the background (by default every eight hours). It is switched on per site in Active Directory Sites and Services, under NTDS Site Settings. Even though modern leased lines and WAN links are far more reliable than they once were, with uptimes rated in the area of 99.99%, they still fail, and if you consider that a lot of small remote offices are connected via some form of fixed DSL line you can see why anything that lets users keep working while a line is down is a great boon.
One last improvement that can be grouped into the bandwidth saving category is 'Install from Media', which is, as I'm sure you would agree, a catchy title! In simple terms it allows you to seed a new domain controller's copy of the Active Directory database from a restored system state backup of an existing domain controller, carried on CD, DVD, a network share or any other media (dcpromo /adv offers the option), rather than pulling the whole database across the network. Imagine, if you will, that you are on site at a remote branch office installing a new domain controller. The connection to the branch office is a low speed leased line, or possibly a form of DSL (not the most reliable of beasts), and you know that a full replication will take some time. In a hurry to move on you pull out a copy of the AD database on CD or DVD from your bag of tricks and install it in a matter of minutes; only the changes made since the backup was taken then need to replicate. Two cautions: the backup must be younger than the tombstone lifetime (60 days by default) or the promotion will be refused, and that disc carries the entire directory, password hashes included, so it needs to be protected in transit and destroyed afterwards just as you would treat a domain controller's own disks. It would seem that we are being smothered in new bandwidth saving features, which in all is no bad thing.
While I hope that, after reading this article, you agree with me that Active Directory 2003 has some significant improvements over the previous version, there are still several areas where future improvements could be made. Active Directory is an important, and complex, part of any network, and as such further facilities to document the layout of an Active Directory set-up would be very useful. On a more important note, better tools are needed in the area of health monitoring. There are several good tools on the market for monitoring and assessing your Active Directory installation, but these often come at great cost. It's about time that this kind of tool, at least in a basic version, were a feature of even the most minimal installation.
If the current version is anything to go by, the future of Active Directory is promising.