Active Directory FAQ
The release of Microsoft's Windows 2000 Server operating system represented a significant improvement over previous versions of Windows. Most importantly, Windows 2000 Server introduced Active Directory - Microsoft's implementation of a directory service. Through Active Directory - and a major reworking of the Windows NT domain model - Windows is now able to provide a scalable and robust network architecture. This page attempts to answer the most common questions regarding Active Directory and describe the Active Directory architecture ITS has built.
Please note: Active Directory is only available through Windows 2000 and later Server products (excluding Web-only server editions). Windows 2000 Professional and XP do not provide Active Directory services. However, Windows 2000 Professional - and later versions of Windows, such as Windows XP - are natively able to access Active Directory services (i.e. no further software need be installed on these systems). For more information, see item 7 below.
- What is a Directory Service?
- What is Active Directory?
- What is IMSS doing in regards to Active Directory?
- What is the difference between a domain and an OU, and why does IMSS recommend one over the other?
- Who can request an OU?
- How does one join Active Directory?
- Do I need to upgrade my operating system to take advantage of Active Directory?
- Where does Exchange 2003 fit in?
- Where can I get more information regarding Active Directory?
1. What is a Directory Service?
A directory service is primarily a network directory that provides a single, logical and consistent database in which to store information about the network and all network-based resources - such as users, computers, files, printers, applications, shares etc. As businesses and organizations grow in size and become ever-more dependant upon networked-computing, so the work and overhead involved in managing all these entities and their complex relationships grows too. A directory service helps alleviate some of the management overhead by providing a single, consistent point of management. It can also act as a central authority that can securely authenticate resources and manage the identities and relationships between them. As it is a central authority, users need not keep multiple accounts - a single logon means their account is authenticated for all resources to which they have been granted access.
2. What is Active Directory?
Active Directory is a collective term for Microsoft's integrated set of directory services. Most significantly, Active Directory provides a central, searchable information repository (allowing simple sharing of network resource information), while acting as the central authority for network security.
All network resources are represented in Active Directory as objects and each object can be assigned certain attributes, which characterize the object. For example, a user object in Active Directory can have attributes such as First Name, Last Name, Phone Number etc.
Objects can placed into containers - logical groupings of related objects. For example, a Math Users container might contain all the users in the Math department. These containers can then be nested within other containers, creating a hierarchical directory structure that is used to represent an organization's administrative structure, as in Figure 1. The most common container object in Active Directory is known as an Organizational Unit or OU.
Figure 1 - Active Directory has an object-oriented, hierarchical structure.
The largest unit in Active Directory is known as a Domain. It can also be considered the largest container object. Each domain is a both a security and administrative boundary. The top-level domain is known as the Root Domain and subsequent domains sit below the root domain, and are known as Child Domains. These child domains can themselves be parents to further child domains. Together, the root domain and it's offspring comprise a Domain Tree. Within each domain, the hierarchical structure is continued with Organizational Units. Finally, and outside of the OU structure, user accounts can be put into Groups, as in Figure 2.
The hierarchical nature of Active Directory, combined with user groups, allows for easy delegation of administrative tasks and application of administrative policies, as in Figure 2. For example, Administrator A can be assigned full permissions to administer OU A. Administrator A can now create and manage users, printers, containers and other directory objects within their own OU. However, their administrative rights are restricted entirely to that OU - elsewhere they only have regular user rights.
In addition, a Policy can be defined for that OU, such that all objects within the OU are subjected to that policy. These policies, which can be applied to users and groups (as well as OUs) are are known as Group Policies. For example, a group policy is defined for the Dept A Users group, stating that all user passwords must have at least eight characters. Any user whose account is a member of Dept A Users, must now have a password that contains at least 8 characters.
Figure 2 - The hierarchical structure of Active Directory allows for easy delegation of authority,
and application of administrative and security policies (Group Policies).
3. What is IMSS doing in regards to Active Directory?
IMSS, in collaboration with various groups on campus, has developed an Active Directory infrastructure that we feel best meets the needs of Caltech and its decentralized structure. Our research and Microsoft's own recommendations have led to a design that comprises a single tree anchored by the root domain, ad.caltech.edu. In this scenario, the root domain will house the vast majority of divisions, departments and groups across campus, as in Figure 3.
IMSS envisions that the vast majority of groups on campus will be assigned an Organizational Unit within the ad.caltech.edu domain, to which they will be granted full administrative control. Likewise, IMSS' Windows-based services will be hosted on servers sitting in the ad.caltech.edu domain. IMSS will continue to create user accounts for all Caltech associates who currently are eligible for an IMSS account, there by reducing the administrate overhead of account maintenance for departments. These accounts will also sit in the ad.caltech.edu domain.
Figure 3 - Simplified graphical representation of IMSS' Active Directory structure.
4. What is the difference between a domain and an OU, and why does IMSS recommend one over the other?
In Active Directory, each domain is responsible for storing and updating its individual domain-directory - which collectively comprise the organization's Active Directory. In addition, a domain is responsible for authenticating access to all resources that are housed in its domain. In reality, these tasks are accomplished by the Domain Controllers - servers that run Active Directory services. These domain controllers are similar to Windows NT's Primary Domain Controllers, although the hardware requirements for Active Directory domain controllers are significantly greater than those of NT. In addition, administering and maintaining an Active Directory domain is substantially more challenging and complex than the older, NT-style domain structure.
Thus, it can be seen that there is considerable overhead involved in running a domain within Active Directory - in administrative, financial and personnel terms. There are also other, significant, network issues that are involved in running a separate domain. IMSS envisions that most groups may wish to avoid investing the time and resources involved in maintaining a separate domain, yet still desire the control and autonomy implied by such a domain. For those groups we recommend they are assigned an Organizational Unit, within the ad.caltech.edu domain.
Organizational Units are conceptually similar to domains, in that they are essentially administrative boundaries. For groups who are assigned an OU, IMSS will delegate complete administrative control of the top-level OU to a defined group of OU Administrators. The OU Administrators will then be able to create users, groups, computers, further OUs etc. within their top-level OU, at their discretion. They can also set rights and access permissions to resources in their OU structure and define Group Policies that apply to their resources. However, these rights and policies will be entirely limited to their OU structure - i.e. a given group of OU Administrators would have no administrative rights to users, groups, computers etc. that existed outside of their OU structure, unless explicitly granted to them.
5. Who can request an OU?
One of the primary benefits of Active Directory is to allow full autonomy and self-administration to the various departments on campus, within a campus-wide architecture. Thus, IMSS will primarily create and assign top-level OUs within the ad.caltech.edu domain at the division or department level. The hierarchical structure of Active Directory then allows for sub-OUs to be created below the top-level OU, at the discretion of the top-level OU administrators. This means that requests for OUs by individual labs within a certain department should go to their department's or division's OU administrators, and not to IMSS. However, certain Caltech-affiliated groups, organizations and labs may request a top-level OU if a suitable requirement can be shown. These requests will be dealt with on a case-by-case basis.
6. How does one join Active Directory?
IMSS is currently accepting requests to join Active Directory. We require a name for the OU and a list of names of those people who will be responsible for administering the OU. Before requesting entrance to Active Directory, we strongly recommend that those who will be responsible for administering an OU begin researching Active Directory and how common administrative tasks are carried out. Some relevant links are provided at the bottom of this page.
7. Do I need to upgrade my operating system to take advantage of Active Directory?
Although only Windows 2000, XP, and 2003 will be able to benefit from all the features of Active Directory, other versions (Windows 9x and NT) can still take advantage of the primary benefit - searching the directory. This will enable any Windows client to locate the resources they desire by simply querying Active Directory. One important thing to note, however, is that only Windows 2000, XP, and 2003 operating systems are natively Active Directory-aware. This means that no extra software is needed to benefit from Active Directory.
In order for a Windows 95, Windows 98, Windows ME - collectively known as Windows 9x computers - or Windows NT system to access Active Directory, it is necessary to install the Active Directory Client Extension software. In addition, after installing the client software, it is necessary to configure those systems to be able to use NTLMv2 - a stronger security protocol that will be enforced in the new domain. We have created two simple guides that detail, step-by-step, the installation process.
For users who have computers running Windows 9x or Windows NT computers, please see the following guides:
- Installing the (DSClient) Active Directory Client Extension for Windows NT 4.0 Computers
- Installing the (DSClient) Active Directory Client Extension for Windows 9x Computers
8. Where can I get more information regarding Active Directory?
There are a multitude of resources on the Internet that relate to Active Directory. Not surprisingly, many of the best can be found on Microsoft's own web pages. The following resources contain additional information that is relevant to this section.