Directory Services: The Active Directory

June 30, 1999
If you're ready to migrate to Windows NT's Active Directory, don't miss our latest Network Design Manual chapter, brought to you by Prentice Hall PTR (ECS Professional).

To buy the book: (which contains this chapter)
Microsoft Technology: Networking, Concepts, Tools, 1/e

Shay Woodard, Interface Technologies, Raleigh, NC
Nick Gattuccio, Interface Technologies, Raleigh, NC
Marshall Brain, Interface Technologies, Raleigh, NC
Published October, 1998 by Prentice Hall PTR (ECS Professional)

Directory Services: The Active Directory

A computer network is a collection of a vast number of resources spread among many sites. Populated with users, applications, services, system resources and numerous devices, a network can be enormously complex. Despite this complexity, users need to have a comprehensive view of the network--one that presents them with a unified, logical window on its vast resources. Furthermore, for administrators to manage the complexity, a network has to be able to do several things. It must be able to identify its network objects precisely and uniquely; it must be able to search for and locate its network objects when asked; it has to support communication between all of the system's parts (and between the system and the outside world); and finally, it has to support robust security features and control user access to network objects.

Maintaining logical order in a network that may interconnect many sites and may support thousands of users with countless network objects creates unique challenges for the system. The task is so critical, in fact, that the network operating system devotes an entire system service to organizing network objects and their relationships. This system-level service is called directory services. Among its most critical tasks is offering users (and network administrators) a logical, complete view of the network, its objects, and its structure. The goal is to allow users to easily locate network resources, and use them efficiently.

Every network operating system implements some form of directory services; it is one of its core functions. But most have kept their directory as a flat list (Windows NT 4's account database, for instance, is a flat list of users, groups and machines per domain), and a flat list is a poor organizational tool. This changes in Windows NT version 5 (which shipped as Windows 2000), where the directory becomes hierarchical. The new directory records the relationships among its objects, not just the objects themselves.

The Active Directory

Microsoft brings business modeling together with network modeling, and makes directory services far more than some arcane tool rooted in server rooms. Rather, the Windows NT 5 implementation of directory services--which Microsoft calls the Active Directory--purposely exposes directory services to users. And it does this in a way that brings the architecture of the network and the structure of the business together in a unified view. The innovation is allowing users to locate and use network resources more efficiently, because the Active Directory's map of the network matches the structure of the business, which they are already familiar with.

In fact, Microsoft embeds in the Active Directory two features central to its vision of the future of networks:

1. Remove any difference in how content is presented inside and outside the local network (or domain): a browser-based "active desktop" presents identical views of content regardless of where it lives.
2. Overlay network resources with a name-based logical structure that follows Internet (DNS) naming conventions and, at the same time, mirrors the business structure it represents.

The Active Directory uses the organization and naming schemes of the Internet to bring to the network the same hierarchical order that is used on the Internet. In this scheme, every object has a unique, searchable name within a single hierarchical namespace. This way, the Active Directory extends the concept of Internet "identity" from the global sweep of the Internet down through every tier of the corporate network. In other words, it joins the external (the Internet) with the internal (the local network) in a common naming scheme. It does this by naming every object on the network and mapping each one's relationship to the others (within domains). Because this map is compatible with the way the Internet maps names to objects, it creates a bridge between the two.

Because it serves as the network's roadmap (and because the network's map emulates the structure of the business itself), the Active Directory can be a powerful tool for modeling and mapping the business itself. But before going farther into the Active Directory, let's back up and learn more about directories and directory services.

What Is A Directory Service?

Before we try to define directory services, let's ask the obvious: what is a directory?

At its simplest, a directory is a container of information about objects--people, places, and things. A directory gives users a logical view of these objects, but in a form that makes the information searchable, useful and reusable. For example, a telephone directory contains information about households, and it uses the last names of the household occupants to organize the information. With a telephone directory, one can locate a name, then determine the household's address and telephone number. However, only with great difficulty can one do the reverse--use a specific telephone number to learn the owner's name. In this example, the only service the directory offers is an alphabetical list of last names, along with each name's associated address and telephone number. The yellow pages offer a slightly different service. In addition to listing business names alphabetically, it goes further and groups businesses by type--restaurants, plumbing companies, dentists, grocery stores, etc.

An operating system's directory service differs from a simple directory in a very important way. In addition to serving as a container of information, it also provides a mechanism for making that information available to users. This is very important. A network directory service displays a list of all of the network's pieces, but also gives users a way to contact and use them. Furthermore, the directory service allows the user to control how he or she views these network objects, as well as the structure of their relationships.

A typical network is populated with a large number of object resources, like printers, applications, databases, users, servers, etc. Users must be able to locate these objects, even when they don't know the object's "name." Furthermore, administrators need to be able to maintain the network, change its contents as needed, add new resources, remove old ones, and otherwise manage the complexity. As networks grow larger and more complex, and as the Internet and network technology blurs distinctions between resources on local networks and those that live elsewhere, directory services have evolved to accommodate the demands of greater scale and complexity.

The directory service should let users see a complex network as an orderly, sensible structure, not just a huge basket of objects. Under a flat directory structure this is difficult, like using a spreadsheet to do the work of a database. The Active Directory reinvents directory services in a model that not only copes with a modern network's complexity, but makes it flexible and scalable as well.

The Active Directory: Overview

Rather than avoid the implications of rapidly escalating network scale and complexity, Microsoft's Active Directory embraces it. Building on fundamental directory services concepts, Microsoft adds layers of hierarchical structure based on Internet conventions. Using the Internet's name-based organizational scheme captured in the domain name system (DNS), the directory displays a unified network view that reflects its structure and architecture, and the relationships among its parts.

In the same way that it borrows web browser technology to create the desktop's appearance, the Active Directory appropriates the Internet's DNS to display its structure. By extension, the Active Directory can seamlessly extend the view of the local network out to the Internet. Because it "sees" the local network the same way it sees the Internet, it can easily extend its local view to include the Internet. And this extensible view need not be just of the Internet. In fact, the Active Directory's greatest value may be its ability to view complex inter-network relationships of virtually any kind, like wide area networks (WANs), linked local networks (for example, supply chain partners sharing extranet connections), and even a company's local intranet. The Active Directory gives users, managers, and administrators a familiar, orderly, and scalable view of network connections, regardless of scale.

The heart of directory services is the ability to name, locate, and communicate with every network resource. In a dynamic network at a growing company this is challenging, because the set of resources is constantly changing. To keep up, the Active Directory builds on DNS, whose primary role is mapping people-friendly host names (like MyComputer.Thiscompany.com) to the Internet Protocol (IP) addresses the network actually routes on (like 215.115.2.2). DNS performs this translation because the network and its users speak different languages. IP, and the routers and switches that carry it, address a host only by its IP address; users know resources by descriptive names, like "accounting department laser printer". Administrators build the network by organizing named objects, while the system reaches them by address. Because DNS resolves names to addresses transparently, in the background, it mediates between the two. And because the Active Directory names its domains with DNS names, the directory's structure stays consistent with Internet conventions while users get a name-based, logical view of the network. Note what this dependency means for security: clients find domain controllers by querying DNS, so a DNS zone that an unauthorized party can alter can redirect logons and directory lookups. The integrity of the DNS zones that describe the domain is part of the directory's security boundary.

The Active Directory locates and maps network resources not just by name, but also by their attributes. In fact, to the Active Directory, an object is its set of attributes. It doesn't know things like printers the way we think of them, as concrete objects. Rather, it knows objects as collections (or containers) of attributes: an object is the sum of its attributes. This is what allows the Active Directory to be a locator service, and it is critically important. It can search a network (on behalf of users) to locate objects whose names it doesn't know, but whose attributes it understands. It literally asks of the objects: What are you? Where are you? What is your name? What state are you in (Busy? Out of paper? On vacation?), and with whom are you associated? The ability to search for network resources by attributes rather than by name is a very powerful feature. It allows users to navigate through network resources without knowing their names, or even their locations. For example, it lets a user print a report to the printer on the third floor in the Accounting department, or route a message to all employees at the Miami office, or (combined with the security model) prohibit employee access to all files in the "executive" directory. Examples of the power of its locator services are virtually limitless.
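The attribute-based lookups described above, as an added example that is not part of the original chapter or of Microsoft's code: an evaluator for the LDAP search-filter syntax that Active Directory queries use, run over a handful of constructed directory entries (every DN, attribute value and filter below is made up for the example).

```python
"""Locate directory objects by their attributes with an LDAP-style search
filter, the way an Active Directory query does.

Added example, not code from the book or from Microsoft. It implements the
core of the RFC 4515 filter syntax (and/or/not, equality, presence and
substring matching) over a small directory of constructed entries. Values
containing ')' or '*' would need the \\XX escaping of RFC 4515, which this
parser does not implement.
"""
import re

# Constructed sample directory: a DN mapped to its attributes. As in LDAP,
# every attribute holds a list of values.
DIRECTORY = {
    "CN=ACCT-LJ-3F,OU=Printers,OU=Accounting,DC=thiscompany,DC=com": {
        "objectClass": ["printQueue"], "printerName": ["ACCT-LJ-3F"],
        "location": ["3rd floor, Accounting"], "printerType": ["laser"],
        "printStatus": ["ready"],
    },
    "CN=ACCT-INK-2F,OU=Printers,OU=Accounting,DC=thiscompany,DC=com": {
        "objectClass": ["printQueue"], "printerName": ["ACCT-INK-2F"],
        "location": ["2nd floor, Accounting"], "printerType": ["ink jet"],
        "printStatus": ["out of paper"],
    },
    "CN=Jane Doe,OU=Users,OU=Miami,DC=thiscompany,DC=com": {
        "objectClass": ["user"], "sn": ["Doe"], "givenName": ["Jane"],
        "l": ["Miami"], "mail": ["jdoe@thiscompany.com"],
    },
    "CN=Ken Lee,OU=Users,OU=Raleigh,DC=thiscompany,DC=com": {
        "objectClass": ["user"], "sn": ["Lee"], "givenName": ["Ken"],
        "l": ["Raleigh"],   # no mail attribute: fails a (mail=*) presence test
    },
}


def parse_filter(text):
    """Parse a filter such as '(&(objectClass=user)(l=Miami))' into a tree."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("unexpected text after filter: %r" % s[pos:])
    return node


def _parse(s, i):
    """Recursive descent; every node is a (kind, a, b) tuple."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|!":                       # compound filter
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children, None), i + 1
    end = s.find(")", i)                  # simple item: attr=value
    if end < 0 or "=" not in s[i:end]:
        raise ValueError("malformed filter item at offset %d" % i)
    attr, value = s[i:end].split("=", 1)
    if value == "*":
        return ("present", attr, None), end + 1
    return ("substr" if "*" in value else "eq", attr, value), end + 1


def _values(entry, attr):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def matches(node, entry):
    """True when the entry satisfies the parsed filter node."""
    kind, a, b = node
    if kind == "&":
        return all(matches(c, entry) for c in a)
    if kind == "|":
        return any(matches(c, entry) for c in a)
    if kind == "!":
        return not matches(a[0], entry)
    values = _values(entry, a)
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return any(v.lower() == b.lower() for v in values)
    # substring: each '*' matches any run of characters, the rest is literal
    rx = re.compile("^" + ".*".join(re.escape(p) for p in b.split("*")) + "$",
                    re.IGNORECASE)
    return any(rx.match(v) for v in values)


def search(base_dn, filter_text, directory=DIRECTORY):
    """Subtree search: DNs at or below base_dn that satisfy the filter."""
    node = parse_filter(filter_text)
    base = base_dn.lower()
    return sorted(dn for dn, entry in directory.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and matches(node, entry))


if __name__ == "__main__":
    # "the printer on the third floor in the Accounting department"
    print(search("DC=thiscompany,DC=com",
                 "(&(objectClass=printQueue)(location=3rd floor*))"))
    # "all employees at the Miami office"
    print(search("DC=thiscompany,DC=com", "(&(objectClass=user)(l=Miami))"))
```

search() performs a subtree search below a base DN, so the filter (&(objectClass=printQueue)(location=3rd floor*)) finds the third-floor Accounting printer without anyone knowing its name, and narrowing the base DN to an OU confines the search to that part of the tree. That scoping is a convenience, not a security control: what a real server returns is decided by the ACLs on the objects, which it applies before answering.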

Containers & Domains

The concept of the domain has long played a role in networking. But now Microsoft has placed it at the heart of the Active Directory. Its role is to provide high-level structure to the network, using a hierarchical, container-based structure to display it.

A container is a special kind of object that holds other objects; it is both an object and a container. It is much like an ordinary file-system folder, which is both an object (the folder) and a container of other objects (the documents in it). Leaf objects, on the other hand, are simply collections of their attributes. As one moves up the domain hierarchy, ever larger containers hold ever larger numbers of objects (many of which are containers themselves). At the highest level is the largest container of all, the domain. This structure lets us see the domain in the familiar picture of a branching tree: greater generality as one moves up the tree, finer granularity as one moves down it.

Like other aspects of the Active Directory, its use of domains is familiar from experience using the Internet. This is where the power of the Active Directory is most visible. It allows the system to render for the user a very logical, structured view of the network's contents. This not only helps unify the internal with the external views of the network universe, but also supports the hierarchical, name-based view of network organization that we've discussed so far in this chapter.

In Internet terms, the familiar .com, .gov, .org and so on are the top-level domains. Reading right to left, an organization's own domain is the label immediately to the left of the top-level domain: it is the "pontiac" in pontiac.com and the "whitehouse" in whitehouse.gov. In the Active Directory the domain is the highest level of organizational, administrative, and security-system order in the branching hierarchy of the network, and its name is a DNS name.

Figure 7-1: Domain Model Echoes the Business Model
The Active Directory lets network administrators model the network so it corresponds with the business model.

More than simply a string of words in a network address, we see a pattern of order enforced by increasing levels of specificity, that is, a hierarchy. This is not unlike the way a business itself is organized in a branching hierarchy of increasingly granular business units. This parallelism, where the network model echoes the business model, is depicted in Figure 7-1. The Active Directory lets us see how the network echoes the business as a whole. In the illustration, the domain tree reflects actual business units, both logically and functionally. The logical part you would expect of any well-designed network. The functional part, however, is an innovation of the Active Directory. This functional emulation of business organizational units extends downward all the way to the level of individual network objects (the domain tree's leaves).

Within domains, the Active Directory allows for the creation of administrative units, which it calls Organizational Units (OUs). These are special container objects that let administrators draw focused administrative boundaries. This is consistent with business models, where in addition to divisions and departments one commonly finds project teams and workgroups. Within an OU, administrators can delegate particular sets of access rights and administrative controls, much as they can for a domain; the goal is to add administrative and organizational flexibility. Keep the distinction clear, though: an OU is a unit of delegation, not a security boundary. An account is not confined by the OU it lives in, and anyone holding administrative rights over the domain holds them over every OU in it.

Namespace and Scalability

One concept central to the Active Directory is that of the namespace. The namespace defines (or bounds) the objects it manages, as well as helping organize the hierarchical relationships among them.

Every object in the Active Directory has a unique name within the directory's namespace. While Figure 7-2 depicts the namespace model in a highly generalized way, in fact the Active Directory tracks every single object on the network (printers, users, servers, applications, files, services, etc.). It identifies each uniquely, records its location, tracks its relationships with the objects around it, and supports the network security model by controlling access to each object and to the individual attributes of each object. (For a fuller discussion of object naming and uniqueness, see "Object Naming / Uniqueness" later in this chapter.)

Figure 7-2 shows domains with contiguous names forming domain trees, and trees joined into a forest. Being able to extend a network by adding contiguous domains is central to network scalability. Because domains are administrative and security units as well as business organizational units, domain trees can support interdepartmental or interdivisional business relationships (joined by trust relationships in the Active Directory security model).

Figure 7-2: Domain Trees and the Forest
The domain tree's name is always the DNS name of the tree's root domain. Children of the tree root are always contiguous with the namespace of their parent: a child's DNS name is the parent's name with one more label in front (sales.thiscompany.com under thiscompany.com). A forest is made up of one or more domain trees that share trust relationships, a common schema and configuration, and a set of cross-references to one another, but do not share a contiguous namespace.

Trust relationships are central to the network security model. Designed to maximize scalability while minimizing administrative overhead, NT 5 uses the Kerberos protocol for authentication across domains. (Kerberos is an authentication protocol: a domain controller issues the user a ticket that proves the user's identity to a service in another domain. It establishes who the user is; whether that user may use a resource is still decided by the resource's access control list.) A Kerberos trust between two domains lets users authenticated in one domain be recognized in the other, so authorized users in one domain can use resources that reside in the other. Within a forest these trusts are two-way and transitive: every child domain trusts its parent, and every tree root trusts the forest root, so any domain in the forest can authenticate users from any other. This makes it easy for administrators to extend a network without sacrificing security in the process, because NT's access controls apply across a trust exactly as they apply within a domain. A trust extends authentication, not permissions; administrators can control access to resources across domains at the same level of granularity as within domains.
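The tree and forest rules in the caption above and the cross-domain trust path in this paragraph, as an added example that is not part of the original chapter or of Microsoft's code. The domain names are constructed; the trust path assumes only the trusts the text describes (parent-child trusts inside a tree and tree-root trusts through the forest root) and does not model shortcut or external trusts.

```python
"""Active Directory naming: from DNS names to distinguished names, and from
a set of domain names to the trees, the forest and the trust path between
two domains.

Added example, not code from the book or from Microsoft. Domain names are
constructed; the trust path models parent-child and tree-root trusts only.
"""

# Characters that must be escaped inside an RDN value (RFC 4514).
_RDN_SPECIAL = ',+"\\<>;'

# Constructed forest: one tree rooted at thiscompany.com and a second tree,
# an acquired company's domain, that does not share its namespace.
FOREST = ["thiscompany.com", "sales.thiscompany.com", "emea.sales.thiscompany.com",
          "hr.thiscompany.com", "acquired-co.net", "labs.acquired-co.net"]


def escape_rdn_value(value):
    """Escape an attribute value for use in a distinguished name."""
    out = "".join("\\" + c if c in _RDN_SPECIAL else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def _norm(domain):
    return domain.lower().strip(".")


def dns_to_dn(dns_name):
    """'sales.thiscompany.com' -> 'DC=sales,DC=thiscompany,DC=com'."""
    labels = [l for l in _norm(dns_name).split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + l for l in labels)


def object_dn(cn, ou_path, domain):
    """DN of an object from its common name, its OU path (top-down) and its
    domain: ('Jane Doe', ['Miami', 'Users'], 'thiscompany.com') becomes
    'CN=Jane Doe,OU=Users,OU=Miami,DC=thiscompany,DC=com'."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    rdns += ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    return ",".join(rdns + [dns_to_dn(domain)])


def is_child_domain(child, parent):
    """True when child sits directly under parent in the DNS namespace, i.e.
    the two are contiguous and form one parent-child link of a tree."""
    c, p = _norm(child), _norm(parent)
    return c.endswith("." + p) and "." not in c[: -len(p) - 1]


def build_forest(domains):
    """Group domains into trees. A tree root is a domain with no parent in the
    set; every domain whose name is contiguous with that root is in its tree.
    Roots of different trees share no namespace: together they are the forest."""
    names = {_norm(d) for d in domains}
    roots = [d for d in names if not any(d.endswith("." + o) for o in names if o != d)]
    return {r: sorted(d for d in names if d != r and d.endswith("." + r))
            for r in sorted(roots)}


def _chain(domain, names):
    """domain and its ancestors that exist in the forest, bottom-up."""
    labels = _norm(domain).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))
            if ".".join(labels[i:]) in names]


def trust_path(src, dst, domains, forest_root):
    """Domains a Kerberos referral chain crosses from src to dst: up to the
    common ancestor when both are in one tree; otherwise up to the source
    tree root, across the forest root to the destination tree root, then down."""
    names = {_norm(d) for d in domains}
    root = _norm(forest_root)
    up, down = _chain(src, names), _chain(dst, names)
    if not up or not down:
        raise ValueError("source or destination is not in the forest")
    common = [d for d in up if d in down]
    if common:                                     # same tree
        top = common[0]
        return up[:up.index(top) + 1] + list(reversed(down[:down.index(top)]))
    path = up if up[-1] == root else up + [root]   # tree root -> forest root
    down_from_root = list(reversed(down))
    if down_from_root[0] == root:
        down_from_root = down_from_root[1:]
    return path + down_from_root
```

Every hop in the path returned by trust_path is a domain controller that issues a referral ticket for the next hop, which is why deep trees and many trees make cross-domain logons slower, and why each domain on the path must be trusted to vouch for the user correctly.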

The Directory Services Architecture

The Active Directory goes much farther than conventional directory services, adding tools and features that make it an administrative and security platform rather than a simple lookup list. It represents a thorough rethinking of the role of directory services in the network environment. To enable this functionality, it is built on a foundation made up of four architectural pieces: the Data Model, the Schema, the Administrative Model, and the Security Model. Following are brief summaries of each.

The Data Model

The data model is the anatomy of network objects. Remember, the Active Directory "knows" its objects by their attributes (objects are the sum total of their attributes). For example, printers (i.e., printer objects) may be defined by attributes like printer type (laser, ink jet, impact, etc.), output resolution, manufacturer, time of availability, and model number. The directory must "know" enough attributes to be able to identify each object uniquely. In another example, network users (users are also objects to the Active Directory) might have attributes such as last name, first name, department, email address, etc. Again, the set of attributes must be large enough that taken together they identify their object uniquely. Applications, data files, folders, and other system resources are also objects to the Active Directory.

The sum total of attributes by which any given object type (printer, user, etc.) is defined is the data model. Object attributes are the defining characteristics of the object types (the "object class" in the Active Directory's vocabulary). Furthermore, the attributes distinguish one member of the class from another. Then, every item within the object class (every printer, user, etc.) becomes an instance of its class and inherits the correct attributes for its class. A catalog of object classes and their defining attributes is contained in the directory's schema.

The Schema

The set of all attributes assigned to all classes of network objects is referred to as the directory's schema. Put another way, the schema defines which attributes any given class of network object may (or must) possess. Defining the schema is in fact the first pass at applying business-level order to the network's object population, because the schema sets the terms by which the directory searches for and locates objects, and the ways in which users can view them. It determines how the directory groups object classes (user class, printer class, etc.), and it defines the terms under which individual members (instances) of a class are told apart (for example, users by last name or employee number, or printers by location and type). The Active Directory treats this as first-order business modeling, in the sense that it calls on managers to decide how categories of business organization are divided and classified. One caveat for administrators: the schema is shared by every domain in the forest, changes to it propagate everywhere and are not easily undone, so the right to modify it should be held by very few accounts and exercised only after testing.

The Administrative Model

Early views of network administration centered on a single-source administrative model. Essentially, the network formed a ring and the administrator stood in the center, equally responsible in all directions. The model defined both a figurative and literal picture where all parts of a network rely on a central administrative authority. But as networks have mushroomed in size over the years, and as their scale has extended ever more widely, centralized administration has become both inefficient and impractical (if not impossible).

The Active Directory solves this problem by applying its domain-based hierarchical structure to the directory's administration. In other words, the network model is the administrative model. Administration is distributed throughout the network using the same access-control and permissions scheme as any other network resource, and in the same hierarchical fashion. While administrative control originates at the top of the domain tree, increasingly local administrative control can be granted all the way down the chain. So while domain trees, sub-domains, organizational units, and individual users are represented as an organizational hierarchy, they can be represented as an administrative hierarchy as well.

Optimized for distributed administration, any user authorized by a higher administrative authority can perform administrative duties in their designated portion of the domain tree. For example, users could have limited administrative control over their workstation's settings, and a department manager might have the administrative rights to create new users on their segment of the domain (i.e., in their department, or "organizational unit"). This is possible, of course, because the business department and the directory segment are mirror images. At the same time, administrative control is highly specific. Permissions can be controlled not only by segment of the domain, but by object type as well. For example, a user might be able to change some printer setting (paper size, for example), but not be allowed to change its print resolution or other settings. This model provides fine-grained control over who performs what administrative functions on the network, while also allowing administrators to distribute responsibility very widely. This distributed administrative model works hand-in-glove with the network's security model.

The Security Model

The Active Directory is an integral part of Windows NT security. Along with each object's attributes, the Active Directory stores a security descriptor for every object, which carries its access control list (ACL). Each object's ACL is an ordered list of entries that tell the system which users and groups can view, use, modify, copy, delete, or otherwise access the object, and which are explicitly denied. Whenever a user tries to use a directory object or resource, the system validates the user's identity and group memberships against the object's ACL, and allows access only if an entry grants the permission and no entry denies it.

The security model is built on the principle that, because the directory can find every object on the network, it has a parallel ability to hide them. Since every attempt to access a network object or resource has to pass through directory services anyway (in order to locate it), the security model uses the directory to validate users against the object's ACL. In effect, users must prove they have the right to use (or even see) a network object. This allows extremely fine-grained control over user access to the network. Administrators control not only which objects a given user (or group of users) can see and use, but also which attributes of an object are available to them, because an ACL entry can apply to the object as a whole or to a single property of it. Permissions build up in layers: a user with permission to find an object next needs permission to read it, then permission to use it, change it, or (for a document sent to a printer, through the ACL on that printer) print it, and so on down to permission to delete the object. Finally, a user can be given permission to give permission, that is, the right to change an object's ACL, which amounts to a limited scope of administrative control over how users in a domain or organizational unit interact with certain objects. This is where the security model interacts with the administrative model, and it is the right to watch most carefully: whoever can change an ACL can grant themselves everything that ACL protects.
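The access check described in this section, as an added example that is not part of the original chapter or of Microsoft's code: a simplified model of how Windows evaluates an object's ACL, with per-property entries and the deny-before-allow ordering that makes the model safe. Principals, groups, rights names and the ACL itself are constructed for the example; real Windows ACLs use SIDs and access-mask bits and also honour owner rights and inheritance flags, which are left out here.

```python
"""Access check against a directory object's access control list (ACL), the
way Windows evaluates a discretionary ACL: walk the access control entries
(ACEs) in order; a matching deny entry that covers any still-unsatisfied
requested right refuses access, a matching allow entry strips the rights it
grants, and access is granted only once nothing requested is left.

Added example, not code from the book or from Microsoft, and a
simplification: principals are names rather than SIDs, rights are symbolic,
and owner rights, inheritance flags and generic-right mapping are omitted.
The principals, groups and ACL below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    kind: str                        # "allow" or "deny"
    trustee: str                     # user or group the entry applies to
    rights: frozenset                # e.g. frozenset({"read", "write"})
    attribute: Optional[str] = None  # None: whole object; else one property
    inherited: bool = False          # inherited from a container above


def canonical_order(dacl):
    """Windows keeps a DACL in canonical order: explicit deny, explicit allow,
    then inherited entries in the same deny-before-allow order. An ACL written
    out of order can let an allow entry satisfy a request before the deny
    entry that should have blocked it is reached."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(dacl, principal, groups, requested, attribute=None):
    """Return (granted, reason). dacl=None means the object has no DACL at
    all (everyone gets everything); an empty list denies everyone."""
    if dacl is None:
        return True, "object has no DACL: unrestricted access"
    tokens = {principal, *groups}
    remaining = set(requested)
    for ace in dacl:
        if ace.trustee not in tokens:
            continue
        if ace.attribute is not None and ace.attribute != attribute:
            continue                 # property-specific entry, other property
        if ace.kind == "deny":
            blocked = remaining & ace.rights
            if blocked:
                return False, "denied %s by deny ACE for %s" % (sorted(blocked), ace.trustee)
        else:
            remaining -= ace.rights
            if not remaining:
                return True, "granted: all requested rights matched allow ACEs"
    return False, "no ACE grants %s" % sorted(remaining)


# Constructed ACL on a document object in the "Executive" organizational
# unit. "write_dac" is the right to change the ACL itself, i.e. the
# "permission to give permission" the text describes.
DOCUMENT_ACL = canonical_order([
    Ace("allow", "Executives", frozenset({"read", "write", "delete", "write_dac"})),
    Ace("allow", "Accounting", frozenset({"read"})),
    Ace("allow", "Accounting", frozenset({"write"}), attribute="description"),
    Ace("allow", "Domain Users", frozenset({"list"})),
    Ace("deny", "Contractors", frozenset({"write", "delete"})),
])


def can(principal, groups, rights, attribute=None, dacl=DOCUMENT_ACL):
    """Convenience wrapper returning just the decision."""
    return access_check(dacl, principal, groups, set(rights), attribute)[0]


if __name__ == "__main__":
    # An Accounting user may read the document and edit only its description.
    print(can("bob", {"Accounting", "Domain Users"}, {"read"}))                  # True
    print(can("bob", {"Accounting", "Domain Users"}, {"write"}))                 # False
    print(can("bob", {"Accounting", "Domain Users"}, {"write"}, "description"))  # True
    # A contractor who is also in Accounting: the deny entry wins for writes.
    print(can("carol", {"Contractors", "Accounting"}, {"read"}))                 # True
    print(can("carol", {"Contractors", "Accounting"}, {"write"}, "description")) # False
```

Two details worth noticing: a deny entry only takes effect if it comes before the allow entry that would otherwise satisfy the request, which is why canonical ordering matters; and an object whose DACL is absent is wide open, while one whose DACL is empty is closed to everyone, so the two must never be confused when an ACL is written programmatically.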

Questions For Managers

  • How do we track all of the objects and services on our network? Who designs the network model? Who delineates the domains? By what criteria? Is the network model documented? May I see the document?
  • How do we administer those objects?
  • How do we secure access to those objects? What is the procedure for assigning access rights? Who has administrative rights to assign and change user access rights? When a user needs access to a network resource, what does that person do?
  • Do we have logs and records of access rights and permissions? Are user profiles audited?





