
Active Directory:

Windows 2000/2003 uses a network directory service called “Active Directory” to organise and
manage objects on a network.
It was designed specifically for Windows 2000 Server (and subsequently Windows Server 2003)
and uses standard naming conventions to interoperate better with other networks.

Schema
Active Directory is a database that contains records of objects and information about these
objects.
To be logically organised and easily accessible by multiple types of programmes, a database
must have definitions for its components.
A ‘SCHEMA’ is the set of definitions of the kinds of objects, and of the information associated with
these objects, that the database contains.
Eg. one type of object is a printer, and one type of information associated with that printer is
the location of the printer. This printer object and its location would both be definitions
contained in the schema.

[Diagram: Active Directory object types (User, Computer, Printer, Domain, Account) are defined
in the schema. Each schema definition records the object name, its required attributes, its
optional attributes and the syntax of each attribute. Example attributes of a User object:
User Name, User’s Full Name, Password, Account Description, Remote Access OK.]

The Active Directory schema contains two types of definitions:

“Classes and attributes”
Classes (AKA object classes)
Identify what types of objects can be specified in Active Directory, eg. a user account or a printer.

Attributes
An attribute is a property associated with an object. Eg. “user name” is the name of an attribute
associated with the user object; “location” is an attribute associated with the printer object.

Classes are composed of many attributes. When you create an object, you also create a number
of attributes that store information about that object, which are then saved in the Active Directory
database.
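The following is an added example, not part of these notes and not Windows code: a small Python model of a schema in which each object class lists its required and optional attributes, each attribute has a syntax, and an object is checked against those definitions before the directory stores it. The class and attribute names (user, printer, userName, remoteAccessOK, location and so on) are taken from the notes’ schema diagram and simplified; the syntax table and the sample objects are constructed for the example.

```python
# Added example (not from the notes): a toy Active Directory style schema.
# Each object class definition lists the attributes an object of that class
# must have and may have; each attribute definition gives its syntax.
# Names are taken from the notes' schema diagram; the syntax table is constructed.

# Attribute definitions: attribute name -> syntax (modelled as a Python type)
ATTRIBUTE_SYNTAX = {
    "userName": str,
    "fullName": str,
    "password": str,
    "accountDescription": str,
    "remoteAccessOK": bool,
    "printerName": str,
    "location": str,
}

# Class definitions: class name -> (required attributes, optional attributes)
OBJECT_CLASSES = {
    "user": (("userName", "fullName", "password"),
             ("accountDescription", "remoteAccessOK")),
    "printer": (("printerName",), ("location",)),
}


def validate(object_class, attributes):
    """Check an object against the schema.

    Returns a list of violations; an empty list means the object is valid.
    """
    if object_class not in OBJECT_CLASSES:
        return ["unknown object class: %s" % object_class]
    required, optional = OBJECT_CLASSES[object_class]
    errors = []
    # Every required attribute must be present.
    for name in required:
        if name not in attributes:
            errors.append("missing required attribute: %s" % name)
    # Every supplied attribute must be defined for the class and have the right syntax.
    allowed = set(required) | set(optional)
    for name, value in attributes.items():
        if name not in allowed:
            errors.append("attribute %s is not defined for class %s" % (name, object_class))
            continue
        syntax = ATTRIBUTE_SYNTAX[name]
        if not isinstance(value, syntax):
            errors.append("attribute %s has the wrong syntax: expected %s"
                          % (name, syntax.__name__))
    return errors


class Directory:
    """A minimal in-memory directory that only stores schema-valid objects."""

    def __init__(self):
        self.objects = {}

    def create(self, name, object_class, attributes):
        errors = validate(object_class, attributes)
        if errors:
            raise ValueError("%s: %s" % (name, "; ".join(errors)))
        self.objects[name] = {"objectClass": object_class, **attributes}
        return self.objects[name]


if __name__ == "__main__":
    directory = Directory()
    # Constructed sample objects; the password value is a placeholder.
    print(directory.create("msmith", "user", {"userName": "msmith", "fullName": "Mary Smith",
                                              "password": "<secret>", "remoteAccessOK": True}))
    print(validate("user", {"userName": "jdoe", "remoteAccessOK": "yes"}))
```

Running the block creates a valid user object and then lists the violations for an object that lacks required attributes and gives a string where the schema syntax demands a boolean.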

Workgroups
A Windows server can be set up using either the workgroup model or the domain model.

A workgroup is a group of interconnected computers that share each other’s resources without
relying on a server (in other words, a type of P2P network).
Computers in a Windows workgroup can run either a client version of Windows (2000 Pro, XP)
or Server.
Each computer in the workgroup has its own database of user accounts and security privileges.
Because of this, each user must have a separate account on each computer that the user wants to
access.
This decentralised management results in significantly more administration than a client/server
network. Workgroups are impractical for groups of more than about 10 accounts.
They are, however, simple to design and implement, and may be the best solution for a small
group that has few security requirements.

Domains
A domain model is the type of Windows network that follows the client/server architecture.
A domain is a group of users, servers and other resources that share a database of account and
security information.
The database that domains use to store objects and attributes is contained within Active
Directory.
Domains are established on a network to make it easier to organise and manage resources and
security.
Multiple domains in an organisation:
[Diagram: a University domain with three child domains, Ag Science, Engineering and Life Science;
the Engineering domain in turn has the child domains Chemical Engineering, Electrical Engineering
and Mechanical Engineering.]
Keep in mind that a domain is not confined by geographical boundaries. Computers and
users belonging to a domain may be located in many different places. No matter where they
are located, they get their object, resource and security information from the same database and
the same portion of Active Directory.

Depending on the network environment, you can define domains according to function, location
or security requirements.

The directory containing information about the objects in a domain resides on a computer called the
domain controller.

A Windows network can use multiple domain controllers; in fact, if possible you should have
at least two DCs on each network so that if one fails, the other will continue to hold your
domain’s database.

Servers on a Windows network that do not store directory information are called
“member servers”. Because they don’t contain a database of users and their associated
attributes, member servers can’t authenticate users.

Windows servers in a P2P environment are called “stand-alone”.


When a network uses multiple domain controllers, any change to the database on one DC is
copied to the database on the other DCs. This is known as “replication”. Replication ensures
redundancy so that, in the case of a failure of one DC, another can step in to allow clients to log
on to the network, be authenticated and access resources.

Organisational Units
Organisational units (OUs) are Windows 2000/03 Active Directory containers that hold multiple
objects with similar characteristics. An OU can contain over 10 million objects, and each OU can
contain multiple OUs.
[Diagram: a University domain with three child domains, Information Technology, Engineering and
Life Science. Within the Engineering domain, an Electrical Engineering OU contains the OUs
1st Year, 2nd Year, 3rd Year and 4th Year.]

Trees And Forests

Trees and forests are the NOS (network operating system) directory structures that exist above
domains.
Many large organisations use multiple domains in their networks. Active Directory organises
multiple domains hierarchically in a “domain tree”; AD’s domain tree is an example of a NOS tree.
At the base of the AD tree is the ‘Root Domain’. From the root domain, “child domains” branch
out to separate objects with the same policies.
Under the child domains, multiple OUs branch out, further subdividing the network’s
systems and objects. A collection of one or more trees is known as a forest. ALL trees in a forest
share a common schema.

Domains within a forest can communicate, but only domains within the same tree share a
common Active Directory database. Also, objects belonging to different domain trees are named
separately.

Trust Relationships
The relationship between two domains in which one domain allows another domain to
authenticate its users is known as a “trust relationship”. Each child and parent domain within a
domain tree, and each top-level domain in a forest, share a “two-way trust relationship”. This means
a user in domain A (root) is recognised by and can be authenticated by domain B (child), and
vice versa. In addition, a user in domain A can be granted rights to resources in domain B and
vice versa.

When a new domain is added to a tree, it immediately shares a two-way transitive trust with the
other domains in the tree. This allows a user to log on to and be authenticated by a server in any
domain within the domain tree.

This does not necessarily mean the user has privileges to access any resource in the tree. The
user’s permissions have to be assigned separately for the resources in each domain.

[Diagram: a tree whose root domain Univ has two child domains, Life Sci and Engin.; each
parent/child pair is joined by a two-way transitive trust.]

The other type of trust supported by Active Directory is an “explicit one-way trust”.
In this scenario two domains that are not part of the same tree are assigned a trust relationship. This
trust does not apply to other domains in the tree. Explicit one-way trusts enable domains from
one tree to share resources with domains in another tree.
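To make the two kinds of trust concrete, here is an added example (not from the notes and not how Windows implements trusts) that models a forest in Python and answers the question “can this domain authenticate a user from that domain?” for both the two-way transitive trusts of the preceding section and the explicit one-way trust just described. It also separates authentication from authorisation, as the notes do: a trust lets a user be authenticated, but access to a resource still needs a permission granted in the resource’s domain. All domain names, the user name msmith, the resource “labfiles” and the method names are constructed for the example.

```python
# Added example (not from the notes): modelling domain trust relationships.
# Parent/child domains in a tree, and the root of each tree in the forest, share a
# two-way transitive trust; an explicit one-way trust with a domain outside the
# forest is not transitive. Trust only decides who may AUTHENTICATE a user; access to a
# resource still needs a permission granted in the resource's own domain.
# All domain and user names below are constructed for the example.
from collections import deque


class Forest:
    def __init__(self, forest_root):
        self.root = forest_root
        self.transitive = {}   # domain -> domains joined to it by two-way transitive trust
        self.explicit = {}     # trusting domain -> domains it trusts (one-way, non-transitive)
        self.acl = {}          # (domain, resource) -> set of UPNs granted access
        self._register(forest_root)

    def _register(self, domain):
        self.transitive.setdefault(domain, set())
        self.explicit.setdefault(domain, set())

    def add_child_domain(self, parent, child):
        """A new child domain in a tree: two-way transitive trust with its parent."""
        self._register(child)
        self.transitive[parent].add(child)
        self.transitive[child].add(parent)

    def add_tree(self, tree_root):
        """A further tree in the forest: its root trusts the forest root (two-way, transitive)."""
        self.add_child_domain(self.root, tree_root)

    def add_external_domain(self, domain):
        """A domain from another tree/forest: no trust until one is created explicitly."""
        self._register(domain)

    def add_explicit_one_way_trust(self, trusting, trusted):
        """'trusting' accepts users authenticated by 'trusted'. Nothing applies in reverse,
        and nothing extends to the other domains in trusting's tree."""
        self.explicit[trusting].add(trusted)

    def can_authenticate(self, resource_domain, account_domain):
        """Can resource_domain accept a user whose account lives in account_domain?"""
        if resource_domain == account_domain:
            return True
        # Transitive trusts: walk the whole chain of parent/child and tree-root trusts.
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            for nxt in self.transitive[queue.popleft()]:
                if nxt == account_domain:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        # Explicit one-way trust: only the direct link counts, and only in this direction.
        return account_domain in self.explicit[resource_domain]

    def grant(self, domain, resource, upn):
        """Assign a permission on a resource in 'domain' to one user (by UPN)."""
        self.acl.setdefault((domain, resource), set()).add(upn)

    def can_access(self, domain, resource, upn):
        """Authentication via a trust AND a permission assigned in the resource's domain."""
        account_domain = upn.split("@", 1)[1]
        return (self.can_authenticate(domain, account_domain)
                and upn in self.acl.get((domain, resource), set()))


def build_example_forest():
    """Constructed forest: one tree under univ.edu, a second tree polytechnic.edu,
    and an external domain trinketmakers.com trusted one-way by engineering only."""
    f = Forest("univ.edu")
    f.add_child_domain("univ.edu", "engineering.univ.edu")
    f.add_child_domain("univ.edu", "lifesci.univ.edu")
    f.add_child_domain("engineering.univ.edu", "electrical.engineering.univ.edu")
    f.add_tree("polytechnic.edu")
    f.add_external_domain("trinketmakers.com")
    f.add_explicit_one_way_trust("engineering.univ.edu", "trinketmakers.com")
    f.grant("lifesci.univ.edu", "labfiles", "msmith@electrical.engineering.univ.edu")
    return f


if __name__ == "__main__":
    f = build_example_forest()
    print(f.can_authenticate("lifesci.univ.edu", "electrical.engineering.univ.edu"))  # transitive
    print(f.can_authenticate("lifesci.univ.edu", "trinketmakers.com"))  # explicit trust elsewhere
    print(f.can_access("lifesci.univ.edu", "labfiles", "msmith@electrical.engineering.univ.edu"))
```

The breadth-first walk in can_authenticate is what makes the tree trusts transitive: a domain reaches every other domain in the forest through the parent/child and tree-root links. The explicit trust is deliberately checked only on the resource domain itself, so a domain that merely shares a tree with the trusting domain gets nothing from it, and the reverse direction is never consulted.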

Naming Conventions
Naming or addressing conventions in Active Directory are based on the naming conventions
used on the Internet, ie. DNS.

In Internet terminology the term “namespace” refers to the complete database of hierarchical names
that maps IP addresses to their host names. The Internet namespace isn’t contained on just one
computer. Instead it is divided into many smaller spaces on computers at different locations, ie.
DNS servers.

In Active Directory, the term namespace refers to a collection of object names and their
associated places in the Windows network.
Because Active Directory’s namespace follows the conventions of the Internet’s namespace, when
you connect your Windows Active Directory server to the Internet, these two namespaces are
compatible.
Distinguished Names (DN)
• A distinguished name on the Internet is the URL of a file, eg.
www.games.com/index/cheats.html

Distinguished names are a long form of the object name that explicitly gives its location within a tree’s
containers and domains.

A DN includes a domain component name (the names of the domains it belongs to), an OU (or container)
name and a common name. The common name must be unique within a container.

DC = Domain name
OU = Organisational unit name
CN = Object class
CN = Object name

E.g. a user Mary Smith in the legal dept of an organisation named “Trinket Makers” would have the
following DN:
• /O=Internet – Organisation = Internet
• /DC=COM – Domain Component = COM
• /DC=trinketmakers – Domain Component = Trinket Makers (the full domain component
is trinketmakers.com)
• /CN=Users – Common Name = legal
• /CN=MSmith – Common Name = MSmith

Another way of expressing this is

trinketmakers.com/legal/msmith

Relative Distinguished Name (RDN)

A name that uniquely identifies an object within a container. For most objects this is the same as its
common name in the DN convention. An RDN is an attribute that belongs to an object. This
attribute is assigned by an administrator when the object is created.
Eg. Mary Smith’s RDN is msmith

User Principal Name (UPN)

The preferred naming convention for users in email and Internet-related services. A user’s UPN
looks like the DN followed by the user’s root domain after the @ symbol.
Eg. msmith@trinketmakers.com
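As an added example (not part of the notes and not Windows or LDAP library code), the following Python derives the other names discussed in this section from a distinguished name and enforces the rule that a common name is unique within its container. It assumes the comma-separated “CN=...,OU=...,DC=...,DC=...” form of DN that Active Directory uses, written most specific component first, and it assumes that the RDN value is used as the logon part of the UPN. The sample DN reuses the notes’ Trinket Makers example with “Legal” as the OU; the function names are the example’s own.

```python
# Added example (not from the notes): deriving RDN, domain name, the slash form
# and UPN from a distinguished name, plus a uniqueness check within a container.
# Assumes the "CN=...,OU=...,DC=...,DC=..." DN form used by Active Directory (LDAP),
# most specific component first. Sample names follow the notes' Trinket Makers example.


def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific component first.

    A backslash escapes the following character, so "CN=Smith\\, Mary" keeps its comma.
    """
    components, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    parsed = []
    for comp in components:
        attr_type, sep, value = comp.strip().partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError("malformed DN component: %r" % comp)
        parsed.append((attr_type.strip().upper(), value.strip()))
    return parsed


def rdn(dn):
    """The relative distinguished name: the first (most specific) component."""
    attr_type, value = parse_dn(dn)[0]
    return "%s=%s" % (attr_type, value)


def domain_name(dn):
    """The DNS name built from the DC components, eg. trinketmakers.com."""
    return ".".join(value for attr_type, value in parse_dn(dn) if attr_type == "DC")


def canonical_name(dn):
    """The slash form the notes show: trinketmakers.com/Legal/msmith."""
    containers = [value for attr_type, value in reversed(parse_dn(dn)) if attr_type != "DC"]
    return "/".join([domain_name(dn)] + containers)


def upn(dn, logon_name=None):
    """Logon name + '@' + domain. Assumption: the RDN value is the logon name by default."""
    return "%s@%s" % (logon_name or parse_dn(dn)[0][1], domain_name(dn))


def check_unique_in_container(dns):
    """Enforce the rule that a common name is unique within its container.

    Matching is case-insensitive, as in Active Directory. Returns True or raises ValueError.
    """
    seen = set()
    for dn in dns:
        parsed = parse_dn(dn)
        container = tuple((t, v.lower()) for t, v in parsed[1:])
        key = (container, parsed[0][1].lower())
        if key in seen:
            raise ValueError("duplicate RDN within a container: %s" % dn)
        seen.add(key)
    return True


if __name__ == "__main__":
    sample = "CN=msmith,OU=Legal,DC=trinketmakers,DC=com"  # constructed sample DN
    print(rdn(sample))             # CN=msmith
    print(domain_name(sample))     # trinketmakers.com
    print(canonical_name(sample))  # trinketmakers.com/Legal/msmith
    print(upn(sample))             # msmith@trinketmakers.com
```

The parser honours backslash escapes so that a common name containing a comma (such as “Smith, Mary”) is not split into two components, and the uniqueness check compares names case-insensitively because two objects differing only in case would still collide inside one container.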
