This article is based on NT 5.0, Beta 2.
Something that is common across the Windows 2000 product range is
Microsoft's response to Novell's NDS: Active Directory. Directory services
are increasingly important in today's corporate networks, and Microsoft is finally
ready to admit that its offering to date, namely the archaic flat-file naming
system inherited from the old LAN Manager days, is less than adequate for an
enterprise network operating system. The main aim of Active Directory is to provide a
centralised repository for all network resources such as servers, shared drives, printers
and users. Unlike the current Trusted Domain model used by NT 4.0, Active Directory will
provide a single hierarchical directory structure across the whole enterprise if required.
What's the difference between the Domain and Active Directory?
Just as with NT 4.0, the Domain is a central piece in the Active Directory puzzle, but
this time there are no Primary or Backup Domain Controller designations. Instead, any
server can be a Domain Controller, and all DCs participate equally as peers in a
multi-master replication scheme that sees domains distributed and replicated across any
number of servers in an enterprise. A single domain can span multiple physical locations
or sites, and inter-site replication can occur within a domain even if a particular DC is
unavailable.
The domain itself is the unit of replication, and any change at one site or another within
a domain is replicated to the other sites (sites are usually physical divisions of a
network, often connected by slower WAN links). Since there is no one "leader of the
pack" when it comes to Active Directory domains, changes can be made simultaneously
at all sites or controllers within a domain. The Active Directory uses update sequence
numbers (USNs) to track changes on a per-attribute basis, although some more serious changes
are locked to a single domain controller at a time (a role that can change
dynamically). Replication is one of the key areas of Active Directory and is the one
factor that could make or break a large, distributed Windows 2000 network. It will be
interesting to see how well Active Directory copes with this most difficult task, a
task that even Novell struggled with in the early releases of NDS.
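A small model of the multi-master replication just described, added here as an illustration and not taken from the article or from Microsoft's implementation: each DC stamps every write it applies with a local USN, a partner pulls only what lies above the USN it last saw, and concurrent writes to one object are merged attribute by attribute, so two DCs editing different attributes both keep their change. The per-attribute version stamp and the tie-break on DC name are assumptions made for the example; the real conflict-resolution rules are not on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Stamp:
    version: int   # bumped on every originating write to this attribute
    origin: str    # DC where the write originated; breaks ties so replicas converge

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0          # local update sequence number, advanced by every write
        self.objects = {}     # dn -> {attr: (value, stamp, local_usn)}
        self.watermark = {}   # peer name -> highest peer USN already pulled

    def _store(self, dn, attr, value, stamp):
        self.usn += 1
        self.objects.setdefault(dn, {})[attr] = (value, stamp, self.usn)

    def write(self, dn, attr, value):
        """Originating write: the attribute's version increases on this DC only."""
        old = self.objects.get(dn, {}).get(attr)
        self._store(dn, attr, value, Stamp(old[1].version + 1 if old else 1, self.name))

    def get(self, dn, attr):
        return self.objects.get(dn, {}).get(attr, (None,))[0]

    def changes_since(self, usn):
        """Only attributes applied after the partner's watermark cross the wire."""
        return [(dn, a, v, s) for dn, attrs in self.objects.items()
                for a, (v, s, local) in attrs.items() if local > usn]

    def replicate_from(self, peer):
        """Pull the peer's changes; conflicts are resolved per attribute, not per object."""
        applied = 0
        for dn, attr, value, stamp in peer.changes_since(self.watermark.get(peer.name, 0)):
            ours = self.objects.get(dn, {}).get(attr)
            if ours is None or stamp > ours[1]:   # higher version wins, then origin name
                self._store(dn, attr, value, stamp)
                applied += 1
        self.watermark[peer.name] = peer.usn
        return applied

def demo():
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    user = "CN=alice,OU=IT,DC=nss,DC=com"          # constructed sample object
    dc1.write(user, "telephoneNumber", "555-0100")  # a different attribute at each DC
    dc2.write(user, "title", "Engineer")
    dc1.write(user, "title", "Analyst")             # the same attribute: a real conflict
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return {dc.name: (dc.get(user, "telephoneNumber"), dc.get(user, "title")) for dc in (dc1, dc2)}
```

After one exchange in each direction both replicas hold the telephone number from DC1 and the title that won the per-attribute conflict, and a second pull moves nothing because nothing lies above the watermark.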
Organisational Units
One major change for Active Directory is the introduction of Organisational Units (OUs)
within a domain, each of which can contain other OUs or objects such as users or servers.
This allows a meaningful hierarchical structure to be built within a single domain if
required, thus providing the means to eliminate trusted domains completely. Access to
objects is controlled by Access Control Lists (ACLs) populated with Access Control Entries
(ACEs). Thankfully, OUs are also administrative boundaries, and can thus be used for
organising user and resource objects into logical administrative groups.
Various administrative tasks (such as access rights specification) can then be delegated
to the administrator for a specific OU, thereby freeing domain administrators from having
to support such changes directly. OUs also provide inheritance of access rights, thus
allowing access to resources specific to a particular organisation to be restricted to
members of that OU. Within a domain, access permissions are cumulative unless explicitly
denied, and administration rights are limited to domain boundaries by default. This all
serves to greatly simplify administration of large enterprise networks under Windows 2000.
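The OU hierarchy, inherited ACEs and deny-overrides-allow rule described above, as an added worked example constructed for this page (not code from the article or from Windows 2000): rights accumulate down the path from the domain to the object, an ACE marked non-inheritable stops at the OU it is set on, and an explicit deny removes a right however many allows grant it. The OU layout, group names and rights vocabulary are assumed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ACE:
    trustee: str           # user or group that this entry applies to
    rights: frozenset      # e.g. frozenset({"read", "write"})
    allow: bool = True     # False makes this an explicit deny
    inherit: bool = True   # False limits the entry to the OU it is set on

@dataclass
class Node:
    """A domain, OU or leaf object; its acl holds ACEs set directly on it."""
    name: str
    acl: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child

def effective_rights(root, path, principals):
    """Rights a principal set (user name plus its groups) holds on the object at path.
    Allows from the object and every ancestor OU accumulate; any explicit deny that
    applies wins over all allows."""
    chain, node = [root], root
    for name in path:
        node = node.children[name]
        chain.append(node)
    allowed, denied = set(), set()
    for depth, node in enumerate(chain):
        inherited = depth < len(chain) - 1        # ACEs from ancestors must be inheritable
        for ace in node.acl:
            if ace.trustee in principals and (ace.inherit or not inherited):
                (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def build_domain():
    """Constructed sample: NSS.COM with IT and Sales OUs; IT administration delegated."""
    domain = Node("NSS.COM", [ACE("Domain Users", frozenset({"read"})),
                              ACE("Domain Admins", frozenset({"read", "write", "manage"}))])
    it = domain.add(Node("IT", [ACE("IT Admins", frozenset({"write", "manage"}))]))
    support = it.add(Node("Support", [ACE("Contractors", frozenset({"write"}), allow=False)]))
    support.add(Node("printer1"))
    domain.add(Node("Sales")).add(Node("crm-server"))
    return domain
```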
Trees and forests
In something that looks suspiciously like the old Trusted Domain model, multiple domains
can be linked together in a domain tree. In order to participate in a tree, all the
domains must form a contiguous name space and share a common schema, configuration, and
global catalogue. A tree must have a distinct name, and this is always the DNS name
of the domain at the root of the tree. DNS is actually used as the location
service that allows a client to find a directory service containing the desired copy
of the directory.
Active Directory also supports subsets of the key X.500 protocols, including the Lightweight
Directory Access Protocol (LDAP), which enables it to participate in mixed Internet and
X.500 environments. The contiguous namespace means that if the root domain is named
NSS.COM, then the IT domain below it will be named IT.NSS.COM, the SUPPORT domain below
that will be named SUPPORT.IT.NSS.COM, and so on. This is much the same idea as naming OUs
within a domain. Renaming the root domain renames the tree and all child domains within
it.
Domains within a tree do not need explicit trusts to be assigned as in the current trusted
domain model. Instead, all domains are linked by transitive trust relationships based on
Kerberos authentication. This means that users can access resources in other domains via
these automatic trust relationships, which are discarded once they are no longer required.
However, at present, the domain remains the scope of administration, which means that
administrative rights are not inherently transitive. Where organisations need to support
several completely separate namespaces, trees can be grouped together into a forest,
and each tree will represent a separate namespace. As with domains in a tree,
all trees in a forest share a common schema, configuration, and global
catalogue. All trees in a forest trust each other through transitive, hierarchical
Kerberos trust relationships, but unlike trees, a forest does not need a distinct name.
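An added example, not part of the article, of the contiguous-namespace naming and the transitive trust chain described above: child domain names are derived from the parent, so relabelling the root renames every domain beneath it, and the trust between any two domains in a forest is found by following parent-child links within a tree and root-to-root links between trees. Kerberos itself is not modelled; the domains are the article's NSS.COM example plus an assumed second tree.

```python
from collections import deque

class Domain:
    def __init__(self, label, parent=None):
        self.label = label        # the domain's own DNS label, e.g. "IT"
        self.parent = parent
        self.children = []
        if parent:
            parent.children.append(self)

    def dns_name(self):
        """Contiguous namespace: label in front of the parent's name, so changing the
        root's label renames every domain beneath it."""
        return self.label if self.parent is None else f"{self.label}.{self.parent.dns_name()}"

class Forest:
    def __init__(self, *tree_roots):
        self.trees = list(tree_roots)   # each tree root starts a separate namespace

    def trust_links(self):
        """Direct trusts: parent<->child inside each tree, plus tree root<->tree root."""
        links = {}
        def link(a, b):
            links.setdefault(a, set()).add(b)
            links.setdefault(b, set()).add(a)
        def walk(d):
            links.setdefault(d, set())
            for child in d.children:
                link(d, child)
                walk(child)
        for root in self.trees:
            walk(root)
            for other in self.trees:
                if other is not root:
                    link(root, other)
        return links

    def trust_path(self, src, dst):
        """Domains crossed by the transitive trust from src to dst, or None if either is outside the forest."""
        links = self.trust_links()
        if src not in links or dst not in links:
            return None
        queue, seen = deque([[src]]), {src}
        while queue:
            path = queue.popleft()
            if path[-1] is dst:
                return [d.dns_name() for d in path]
            for nxt in links[path[-1]] - seen:
                seen.add(nxt)
                queue.append(path + [nxt])
```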
Trees and forests are thus a refinement of the original domain tree
concept, and are designed to provide a multi-domain structure which is much more
straightforward and intuitive to use than the current trusted domains model. It does,
however, leave Microsoft open to the criticism that Active Directory is not a complete
reworking or replacement of the existing domain system, despite assurances to the
contrary. Earlier, we mentioned that all domains within a tree (as well as trees within a
forest) must share a common global catalogue. This is designed to provide a global search
mechanism to simplify the user's view of the enterprise-wide domain structure in
large organisations.
The global catalogue (GC) is a partial index of select objects in the domain tree,
combined with a search engine. To find a resource in the domain tree, wherever it may be
located in the enterprise, a user queries the GC for that resource based on one or more of
its attributes (e.g. find all printers that have A3 capability). The GC then returns the
location of the desired resource, but only if the user performing the query has the
appropriate access rights to that object.
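The partial-index behaviour of the global catalogue, as an added example constructed for this page (not the article's or Microsoft's code): only a chosen subset of attributes is copied into the catalogue, so a filter on a non-indexed attribute matches nothing even though the home domain holds the value, and a hit (the object's name and home DC) is returned only when the querying principal may read that object. The readers set is an assumed stand-in for the object's ACL; the indexed attribute names and the sample printers are constructed.

```python
class GlobalCatalog:
    """Partial index: only the attributes listed in `indexed` are copied out of each
    domain; everything else stays with the object's home domain controller."""
    indexed = ("objectClass", "cn", "printMediaSupported")

    def __init__(self):
        self.entries = []   # one record per published object, forest-wide

    def publish(self, dn, home_dc, readers, attributes):
        """Copy the indexed subset of an object's attributes into the catalogue."""
        subset = {k: v for k, v in attributes.items() if k in self.indexed}
        self.entries.append({"dn": dn, "dc": home_dc, "readers": frozenset(readers), **subset})

    def search(self, principals, **filters):
        """Return (dn, home DC) of every object matching all attribute filters that
        the querying principals are permitted to read; non-indexed filters match nothing."""
        if any(k not in self.indexed for k in filters):
            return []
        hits = []
        for e in self.entries:
            if not e["readers"] & principals:
                continue
            if all(self._matches(e.get(k), v) for k, v in filters.items()):
                hits.append((e["dn"], e["dc"]))
        return hits

    @staticmethod
    def _matches(stored, wanted):
        """Multi-valued attributes match when they contain the wanted value."""
        if isinstance(stored, (list, tuple, set, frozenset)):
            return wanted in stored
        return stored == wanted

def build_catalog():
    """Constructed sample: printers published from two domains of the NSS.COM tree."""
    gc = GlobalCatalog()
    gc.publish("CN=plotter,OU=Design,DC=nss,DC=com", "DC1.NSS.COM", {"Domain Users"},
               {"objectClass": "printQueue", "cn": "plotter",
                "printMediaSupported": ["A3", "A2"], "description": "2nd floor"})
    gc.publish("CN=lj5,OU=Support,DC=it,DC=nss,DC=com", "DC2.IT.NSS.COM", {"Domain Users"},
               {"objectClass": "printQueue", "cn": "lj5", "printMediaSupported": ["A4"]})
    gc.publish("CN=payroll,OU=Finance,DC=nss,DC=com", "DC1.NSS.COM", {"Finance"},
               {"objectClass": "printQueue", "cn": "payroll", "printMediaSupported": ["A3"]})
    return gc
```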
Not as integrated as it could be
This current Active Directory goes a long way towards rectifying many of the shortcomings
inherent in the domain model currently employed by NT Server 4.0. However, it still shows
signs of not being as "integrated" as it could be. For instance, when publishing
a disk share within the Active Directory, it is first necessary to create that share and
set security with Explorer just as you would under NT 4.0. It is thus a two-step
operation, one which could and should be reduced to a single step, where the publication
of a share within AD is all that is required, and security is then set by dragging and
dropping user and container objects accordingly.
This "ideal situation" is actually similar to how the task would be achieved
under NDS. This is just one example of the sort of inconsistency that provides fodder for
the AD sceptics, and goes a long way towards prejudicing corporate IT managers against a
new and untried system which still shows signs of not being as complete and polished as it
should be.