What's new in Active Directory in Windows.NET Server
Host: Tarun Arora, Consultant, Microsoft Consulting Services, India
December 20, 2002
DeepakG_[MS]: Hello friends!
DeepakG_[MS]: Today we have with us Tarun Arora - he works as a consultant with Microsoft Consulting Services
Tarun_MS: Hi
DeepakG_[MS]: He specializes in helping enterprises deploy Microsoft solutions effectively, especially from an infrastructure and configuration point of view. Today we'll explore what features are in store for us in the Active Directory component of Windows.NET Server.
DeepakG_[MS]: Tarun, since I don't see any questions yet, why don't you start with a brief intro on the new AD features of Windows.NET Server?
Tarun_MS: Sure ... Deepak
Tarun_MS: As Deepak mentioned, we are going to focus on AD in Windows.Net; we would restate some critical facts about AD in Windows 2000 and build from there ....
Tarun_MS: As most of us are aware, a directory service is a network service that stores information about network resources and makes them accessible to users and applications. A directory service provides a consistent way to name, describe, locate, access, manage, and secure information pertaining to network resources.
Tarun_MS: Active Directory (AD), the directory service that is included with Microsoft Windows 2000 and Microsoft Windows .NET Server, provides a means of centrally organizing, managing, and controlling access to network resources. Active Directory makes the physical network topology and protocols transparent so that a user on a network can access a resource without knowing where the resource is or how it is physically connected.
Tarun_MS: Whenever we plan for deploying AD, we look into two aspects of AD design ........
Tarun_MS: Logical Structure of AD
Tarun_MS: and Physical Structure of AD
Tarun_MS: The logical structure of Active Directory is flexible and provides a means for designing a directory hierarchy that makes sense to both users and administrators.
Tarun_MS: The core unit of the logical structure in Active Directory is the domain.
Tarun_MS: A domain is a collection of computers that share a common directory database. A domain contains at least one domain controller (DC). The first Windows .NET domain that you create is the forest root domain, which contains the configuration and schema.
Tarun_MS: An Active Directory domain has the following characteristics:
Tarun_MS: A domain is a security boundary. Every domain has its own security policies and security relationships with other domains.
Tarun_MS: A domain is a unit of replication. All domain controllers in a domain contain a copy of the directory information for their domain, and can replicate changes to information in Active Directory to all other domain controllers in the domain.
Tarun_MS: A domain defines a namespace.
Tarun_MS: Windows .NET Active Directory introduces domain and forest functional levels, also known as domain and forest functionality.
Tarun_MS: Domain and forest functionality provides a way to enable new domain-wide or forest-wide Active Directory features within your network environment.
Tarun_MS: If all domain controllers in your domain or forest are running Windows .NET Server, then you can set the functional level to Windows .NET, and all new Active Directory domain-wide and forest-wide features will be available.
Tarun_MS: Windows .NET Server provides the ability to rename existing domains.
Tarun_MS: This is something which most of the customers have been requesting .....
DeepakG_[MS]: (sowmya): You discussed replicating changes across domains. How do we do this? Could this also be configured for a fail-over process in case one of the ADs crashes?
Tarun_MS: Sowmya... when we talk of AD, it is not going to be hosted on just one server .... AD is a distributed directory
Tarun_MS: The information is distributed on domain controllers across the forest .......
Tarun_MS: All the DCs in one domain would have similar local copies of domain information, so in case one of the DCs is down... other DCs can very well take care of the client. Although there are certain critical roles which are specifically associated with the first server in the domain, there are various tools available to transfer even these roles onto other DCs in the domain from the failed DC
Tarun_MS: for example, a command called NTDSUtil
Tarun_MS: yes you are right ... AD has lots of self-recovery procedures built in ...
DeepakG_[MS]: Are there any new features that are being introduced in Windows.NET Server?
Tarun_MS: Yes ... I would like to explain domain rename first ....
Tarun_MS: Renaming domains can accommodate acquisitions, mergers, name changes, or reorganizations.
Tarun_MS: Domain rename allows you to:
Tarun_MS: Change the DNS and NetBIOS names of the forest-root domain.
Tarun_MS: Change the DNS and NetBIOS names of any tree-root domains.
Tarun_MS: Change the DNS and NetBIOS names of any parent and child domains.
Tarun_MS: Restructure the position of a domain in the forest.
Tarun_MS: We can only rename domains in a forest where all of the domain controllers are running Windows .NET Server and the forest functional level has been raised to Windows .NET.
Tarun_MS: So let's talk about another cool new feature of AD in Windows .Net which is called Forest Trusts
Tarun_MS: In Windows 2000, if users in one forest needed access to resources in a second forest, an administrator could create an external trust relationship between the two domains.
Tarun_MS: External trusts are one-way and non-transitive, and therefore limit the ability for trust paths to extend to other domains only when explicitly configured.
Tarun_MS: In Windows .NET Server, administrators can create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second Windows .NET forest.
Tarun_MS: In other words, with forest trusts you can link two disjoined Windows .NET forests together to form a two-way transitive trust relationship between every domain in both forests.
Tarun_MS: This would mean ....... simplified management of resources across two Windows .NET forests by reducing the number of external trusts necessary to share resources with a second forest.
Tarun_MS: User Principal Name (UPN) authentication can be used across two forests.
Tarun_MS: Now I would move into Physical Structure of AD
Tarun_MS: Active Directory organizes the directory into sections, or partitions, that are stored on domain controllers (DC).
Tarun_MS: Different types of partitions can store different types of data.
Tarun_MS: This, and the fact that partitions can store a very large number of objects, means that Active Directory can expand as an organization grows.
Tarun_MS: As you would know, in Windows 2000 we had three different partitions of AD, namely the Domain Partition, Configuration Partition and Schema Partition
Tarun_MS: Beginning with the Windows .NET Server family release, Active Directory supports application directory partitions.
Tarun_MS: Application directory partitions can contain a hierarchy of any type of objects except security principals, and can be configured to replicate to any set of domain controllers in the forest.
Tarun_MS: Unlike a domain partition, an application directory partition does not need to replicate to all domain controllers in a domain, and it can replicate to domain controllers in different domains of the forest.
Tarun_MS: Let me take an example to explain this .....
Tarun_MS: We know that in Windows 2000 we can integrate DNS data with AD ....
Tarun_MS: it means that I don't need to manage DNS files and all of the DNS data is replicated as part of AD ....
Tarun_MS: this is something which is possible with Windows 2000 ... now where is the catch in this - I am replicating this information to every domain controller in my AD domain .... this data is used only on those servers which are configured to act as DNS servers ..... so in Windows 2000 I am just replicating this data to some servers where it would never be used ......
Tarun_MS: Now things would be handled differently in Windows.Net. Since I have Application Directory Partitions, I would keep this data in AD but would store this in an Application Directory Partition ... by doing so ... I can control where all this data would be replicated ...
Tarun_MS: hence I would utilize my precious network bandwidth much more judiciously.
Tarun_MS: By enabling users to control the scope of replication and placement of replicas, application directory partitions enable them to store dynamic data in Active Directory without significantly impacting network performance.
Tarun_MS: There is the additional benefit of Active Directory replication, which alleviates the vulnerability to service interruption that occurs when dynamic data is stored on a single server.
DeepakG_[MS]: Are there any improvements in the area of Group Policy?
Tarun_MS: In Windows 2000, storing dynamic data in a domain partition can cause problems.
Tarun_MS: The data is replicated to all domain controllers in the domain, which is often unnecessary, could result in inconsistent data due to replication latency, and could have an adverse impact on network performance.
Tarun_MS: In addition, domain partitions are not suitable for applications that need to replicate data across domain boundaries.
Tarun_MS: Another key thing to be kept in mind is, before we introduce Windows.Net Server in our current AD environment running on Windows 2000.....
Tarun_MS: we need to prepare Windows 2000 AD to host Windows.Net Server
Tarun_MS: ADPREP is a command line tool used to prepare Windows 2000 forests and domains for Windows .NET Server.
Tarun_MS: ADPREP /FORESTPREP prepares a Windows 2000 forest for Windows .NET Server.
Tarun_MS: ADPREP /DOMAINPREP prepares a Windows 2000 domain for Windows .NET Server.
DeepakG_[MS]: (Sanban): Hi Tarun, can we delete custom attributes from the AD Schema?
Tarun_MS: No ... we can not delete attributes from the Schema.
DeepakG_[MS]: Thanks for joining us Tarun..
DeepakG_[MS]: the information you gave today was very deep and I am sure it will be helpful for anyone considering a move to Windows.NET Server
Tarun_MS: pleasure is mine ... Deepak
DeepakG_[MS]: Don't miss the chat next week - we are discussing internals of CLR and JVM!!!
DeepakG_[MS]: especially comparison between the intermediate code generated by these two platforms!
DeepakG_[MS]: so do tune in - the chat next week is on Thursday at 4:00 PM