Active Directory Architecture - PowerPoint PPT Presentation

Slides: 44
Provided by: pbcc

Transcript and Presenter's Notes

1
Active Directory Architecture
  • Chapter Four

2
Active Directory Physical Database Storage
  • Layers
  • Provide the directory service
  • Include
  • Extensible Storage Engine (ESE)
  • Database layer
  • Directory System Agent (DSA)

3
Active Directory Layers
4
Active Directory Physical Database Storage
  • Extensible Storage Engine
  • Lowest level
  • Directly responsible for manipulating database
  • All objects stored in nonhierarchical form
  • Rows in database table
  • Extensible Storage Engine (ESE) is the underlying
    engine that physically stores the AD data
  • Database layer
  • Responsible for providing object-oriented
    hierarchical view
  • Database Layer makes a flat data structure
    hierarchical with objects

5
Active Directory Physical Database Storage
(continued)
  • Directory System Agent
  • Third layer
  • Responsible for enforcing semantics
  • Govern how objects in Active Directory are
    created and manipulated
  • Directory System Agent (DSA) creates an instance
    of the directory service
  • Only adjacent layers communicate with one another

6
Extensible Storage Engine
  • Active Directory store
  • Transactional database
  • Based on Extensible Storage Engine
  • Transaction
  • Each addition, modification, or deletion
  • Needed data is loaded from disk to memory

7
Extensible Storage Engine (continued)
  • Transaction
  • First thing that happens
  • Operation is logged to hard disk
  • Modification the transaction performs is then made
    to the in-memory copy of the data
  • Manipulating the in-memory copy of the data is
    faster than going to disk

8
Extensible Storage Engine (continued)
  • Least recently used
  • Storing entire database in memory is not
    practical
  • Data that is no longer needed is moved out of
    memory
  • Changes are written back to hard drive
  • Least recently used (LRU) algorithm decides what
    to write to disk
  • When memory is running low
  • When system is at a period of low activity

9
Extensible Storage Engine (continued)
  • Transactions
  • ESE writes all transactions to log before they
    are made to in-memory copy
  • Next time domain controller starts, ESE can use
    transactions recorded in log
  • Reapply changes to copy of data stored on hard
    disk
  • Called recovering the database
  • Done without user intervention

10
Extensible Storage Engine (continued)
  • Checkpoints
  • Shorten recovery times
  • Reduce amount of hard drive space logs take up
  • Completed transactions written back to disk
  • Fact that transactions were successfully written
    is noted
  • ESE only needs to reapply transactions from point
    of last checkpoint
  • Transactions can be deleted from log

11
Active Directory File Structure
  • Files
  • NTDS.DIT
  • EDB.LOG
  • EDBXXXXX.LOG
  • EDB.CHK
  • RES1.LOG and RES2.LOG
  • TEMP.EDB

12
NTDS.DIT
  • Actual Active Directory store
  • Stores all objects and their attributes
  • Located in %SYSTEMROOT%\NTDS folder on domain
    controllers
  • Made up of three tables
  • Schema table
  • Data table
  • Link table

13
How Data is Written to the Database
  • Ready to make a change
  • The change is accepted and a transaction is
    created
  • The transaction is written to a transaction log,
    Edb.log.
  • When the Edb.log file is full of transactions, it
    is renamed to Edb00001.log.
  • Transactions are atomic: one that does not
    complete is rolled back, so only fully committed
    changes reach the database.

14
EDB.LOG
  • Current transaction log file
  • Changes to Active Directory are noted first in
    transaction log file
  • Size of EDB.LOG is always 10 MB

15
EDBXXXXX.LOG
  • When EDB.LOG is filled, it is renamed to
    EDBXXXXX.LOG
  • XXXXX is a hexadecimal number increased by one
    each time a new log file is created
  • Every 12 hours
  • Garbage-collection process runs
  • Deletes EDBXXXXX.LOG files whose transactions have
    all been checkpointed to the database

16
EDB.CHK
  • Checkpoint file
  • System recovering from failure
  • Uses EDB.CHK file to determine what transactions
    should be written to database
  • The EDB.CHK file identifies the point from which
    the database engine needs to replay the logs
  • Remaining steps of a write (continued from slide 13)
  • The transaction is applied to the copy of the
    database held in memory on the DC
  • The change is later written to the physical file
    on the disk
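The logging, checkpoint and recovery sequence on slides 7-10 and 13-16, as a runnable model. This is an added example, not code from the deck or from ESE itself: it is a toy key/value store whose file names mirror the deck (NTDS.DIT, EDB.LOG, EDBxxxxx.LOG, EDB.CHK) but whose JSON record format, three-record log size and `run_crash_recovery_demo` scenario are invented for illustration. It writes each transaction to the log before touching the in-memory copy, rotates a full EDB.LOG to the next generation, writes a checkpoint, and on reopen replays only the records at or after the checkpoint LSN.

```python
import json
import os
import re
import tempfile

LOG_CAPACITY = 3  # records per log file; invented for the demo (the real EDB.LOG is 10 MB)


class ToyEse:
    # Key/value store with write-ahead logging, checkpoints and crash recovery.

    def __init__(self, directory):
        self.dir = directory
        self.db_path = os.path.join(directory, "NTDS.DIT")   # the store on disk
        self.chk_path = os.path.join(directory, "EDB.CHK")   # checkpoint file
        self.cur_log = os.path.join(directory, "EDB.LOG")    # current transaction log
        # Load the last checkpointed copy of the data and the checkpoint LSN.
        self.cache = self._read_json(self.db_path, {})       # in-memory copy
        self.checkpoint_lsn = self._read_json(self.chk_path, {"lsn": 0})["lsn"]
        gens = [int(os.path.basename(p)[3:8]) for p in self.generation_logs()]
        self.next_gen = max(gens, default=0) + 1
        # Recovery: reapply every logged transaction from the checkpoint onward.
        self.next_lsn, self.replayed = self.checkpoint_lsn, 0
        for rec in self._all_log_records():
            self.next_lsn = max(self.next_lsn, rec["lsn"] + 1)
            if rec["lsn"] >= self.checkpoint_lsn:
                self.cache[rec["key"]] = rec["value"]
                self.replayed += 1

    def write(self, key, value):
        """One transaction: log it to disk first, then change the in-memory copy."""
        rec = {"lsn": self.next_lsn, "key": key, "value": value}
        with open(self.cur_log, "a") as f:
            f.write(json.dumps(rec) + "\n")
            f.flush()
            os.fsync(f.fileno())   # the log record is durable before the change is visible
        self.cache[key] = value
        self.next_lsn += 1
        if len(self._read_file_records(self.cur_log)) >= LOG_CAPACITY:
            # EDB.LOG is full: rename it to the next EDBxxxxx.LOG generation
            os.rename(self.cur_log, os.path.join(self.dir, "EDB%05d.LOG" % self.next_gen))
            self.next_gen += 1

    def checkpoint(self):
        """Write the in-memory copy to NTDS.DIT, note the LSN in EDB.CHK, drop old logs."""
        self._write_json(self.db_path, self.cache)
        self.checkpoint_lsn = self.next_lsn
        self._write_json(self.chk_path, {"lsn": self.checkpoint_lsn})
        for path in self.generation_logs():   # garbage-collect fully checkpointed logs
            if all(r["lsn"] < self.checkpoint_lsn for r in self._read_file_records(path)):
                os.remove(path)

    def generation_logs(self):
        names = [n for n in os.listdir(self.dir) if re.fullmatch(r"EDB\d{5}\.LOG", n)]
        return [os.path.join(self.dir, n) for n in sorted(names)]

    def _all_log_records(self):
        recs = []
        for path in self.generation_logs() + [self.cur_log]:
            recs.extend(self._read_file_records(path))
        return sorted(recs, key=lambda r: r["lsn"])

    @staticmethod
    def _read_file_records(path):
        if not os.path.exists(path):
            return []
        with open(path) as f:
            return [json.loads(line) for line in f if line.strip()]

    @staticmethod
    def _read_json(path, default):
        if not os.path.exists(path):
            return default
        with open(path) as f:
            return json.load(f)

    @staticmethod
    def _write_json(path, obj):
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(obj, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)   # atomic swap: a crash mid-write never leaves a torn file


def run_crash_recovery_demo(directory=None):
    """Write, checkpoint, write more, 'crash', then reopen and let recovery replay the logs."""
    directory = directory or tempfile.mkdtemp(prefix="toyese-")
    ese = ToyEse(directory)
    ese.write("cn=alice", {"title": "Engineer"})
    ese.write("cn=bob", {"title": "Analyst"})
    ese.checkpoint()                               # alice and bob are now in NTDS.DIT
    ese.write("cn=alice", {"title": "Manager"})    # only in the log and in memory
    ese.write("cn=carol", {"title": "Intern"})
    del ese                                        # crash: in-memory copy is gone
    return ToyEse(directory)                       # reopen: replays LSN 2 and 3
```

Calling `run_crash_recovery_demo()` returns a second `ToyEse` that reports two replayed records: alice's new title and carol's entry, which never reached NTDS.DIT before the simulated crash; a further `checkpoint()` then deletes the EDB00001.LOG generation because nothing in it is still needed. The same property matters when a copy of NTDS.DIT is examined offline: a file copied from a running domain controller may be behind its logs until they have been replayed (`esentutl /r` does this for a real ESE database), so collect the logs and EDB.CHK together with the database.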

17
RES1.LOG and RES2.LOG
  • Placeholder files
  • Reserve disk space
  • If domain controller runs out of free disk space,
    uses reserved space from these files
  • Prevents updates from being lost due to
    insufficient disk space
  • Each reserves 10 MB of disk space on the log
    drive, giving extra room for log files if no other
    disk space is available when the Active Directory
    database grows

18
TEMP.EDB
  • Temporary storage space
  • Hold large transactions while they are in process
  • Used during maintenance operations

19
LDAP
  • Primary protocol used to work with objects in
    Active Directory
  • Vital to understand how to use LDAP naming paths

20
LDAP (continued)
  • Distinguished Name (DN)
  • Every object in Active Directory has a unique DN
  • Describes exactly where the object is located in
    the object hierarchy
  • Made up of
  • Name of the object
  • All of parent objects above it in hierarchy

21
LDAP (continued)
  • Relative Distinguished Name (RDN)
  • Identifies object within its container
  • Contains only name of object
  • Acronyms for object names
  • DC (Domain Component)
  • Part of a domain name
  • OU (Organizational Unit)
  • Name of an organizational unit
  • CN (Common Name)
  • Name of most objects

22
LDAP (continued)
  • Name example
  • Lori Thompson located in dev.supercorp.net domain
    in Research organizational unit
  • DN: CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net
  • RDN: CN=Lori Thompson

23
Active Directory Schema
  • All available objects and attributes
  • Sets out exactly
  • What kind of objects are represented
  • What properties or attributes are required or
    optional
  • What types of values are acceptable
  • Tool needed to modify the schema is not available
    by default: the Active Directory Schema snap-in
    must be registered (regsvr32 schmmgmt.dll) before
    it can be used
  • Schema changes are forest-wide and cannot be undone
    (classes and attributes can only be deactivated,
    not deleted), and by default only members of
    Schema Admins can make them

24
Naming
  • Every object class and attribute in the schema
    must have
  • Unique common name
  • LDAP display name
  • Object Identifier (OID)

25
Common Name Rules
  • Start name with registered DNS name of company
  • Separate each level of DNS name with hyphens (-)
    instead of periods
  • Add another hyphen (-) at end of company's name
  • Enter current year
  • Follow year with another hyphen (-)

26
Common Name Rules (continued)
  • Choose product-specific prefix
  • Must be unique within company
  • Identifies product or application of class or
    attribute
  • Should begin with uppercase letter with
    additional letters using capitalization of your
    choice
  • Follow product-specific prefix with hyphen (-)
  • Enter name of class or attribute separated by
    hyphens

27
LDAP Display Name Rules
  • Start with common name already created for class
    or attribute
  • Make first character of product-specific prefix
    lowercase
  • Characters following first character may be
    uppercase or lowercase

28
LDAP Display Name Rules (continued)
  • Make every character in class or attribute part
    of name that is preceded by a hyphen (-)
    uppercase
  • Remove all hyphens (-) after product-specific
    prefix
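The common-name and LDAP-display-name rules on slides 25-28 as functions. This is an added example, not code from the deck; slide 29's example names did not survive extraction, so the inputs (company supercorp.net, year 2004, product prefix Hr, attribute name Employee-Number) and the validation regular expression are my own reading of the rules.

```python
import re


def schema_common_name(dns_name, year, prefix, name_words):
    """Common name for a new class or attribute, following the deck's rules (slides 25-26)."""
    if not prefix[:1].isupper():
        raise ValueError("product-specific prefix must begin with an uppercase letter")
    company = dns_name.lower().replace(".", "-")       # supercorp.net -> supercorp-net
    return f"{company}-{year}-{prefix}-" + "-".join(name_words)


def ldap_display_name(common_name, prefix):
    """LDAP display name derived from the common name (slides 27-28)."""
    head, sep, tail = common_name.partition(f"-{prefix}-")
    if not sep:
        raise ValueError("common name does not contain the product-specific prefix")
    lowered = prefix[0].lower() + prefix[1:]           # first character of the prefix lowercase
    # every character after a hyphen in the class/attribute part becomes uppercase,
    # then all hyphens after the prefix are removed
    camel = "".join(word[:1].upper() + word[1:] for word in tail.split("-"))
    return f"{head}-{lowered}{camel}"


COMMON_NAME_RE = re.compile(
    r"^[a-z0-9]+(?:-[a-z0-9]+)+"     # DNS name with hyphens instead of periods
    r"-\d{4}"                        # year
    r"-[A-Z][A-Za-z0-9]*"            # product-specific prefix, uppercase first letter
    r"(?:-[A-Za-z0-9]+)+$"           # class or attribute name, hyphen separated
)


def is_valid_common_name(name):
    """Check a proposed common name against the same rules before it goes into the schema."""
    return COMMON_NAME_RE.match(name) is not None
```

With the assumed inputs, `schema_common_name("supercorp.net", 2004, "Hr", ["Employee", "Number"])` yields `supercorp-net-2004-Hr-Employee-Number` and `ldap_display_name` turns it into `supercorp-net-2004-hrEmployeeNumber`. The validator is worth running on every proposed name before an extension is applied, because, as the previous slides note, a schema addition cannot be removed once it has been made.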

29
Example common names and LDAP display names
30
OID
  • OID space must be obtained separately
  • Not part of registered DNS domain name
  • Two primary ways to obtain an OID space
  • Through Microsoft
  • International Organization for Standardization (ISO)

31
Object Classes
  • Definition of each type of object
  • Like a template from which objects are created
  • Inheritance
  • Class Types
  • Structural classes
  • Abstract classes
  • Auxiliary classes
  • 88 classes (classes defined under the 1988 X.500
    standard, which predate the structural, abstract
    and auxiliary categories)

32
Object Classes (continued)
  • Possible superiors
  • Controls which types of objects new object can be
    instantiated or moved under
  • Example user object cannot be created (or moved)
    under a printer object

33
Attributes
  • Schema contains list of all possible attributes
  • Class is assigned both mandatory and optional
    attributes
  • Object is sum of its attributes
  • Syntaxes
  • Defines data type attribute can store

34
Common Syntaxes
35
Common Syntaxes (continued)
36
Indexes
  • Similar in concept to index in back of book
  • Store values (in order) for all objects that have
    a given attribute
  • Speed up queries
  • Slow down creation of objects and updating of
    attributes
  • Choose attributes that have highly unique values

37
Active Directory Partitions
  • Database divided into groups called partitions,
    or naming contexts
  • Used to manage replication
  • Partitions
  • Schema partition
  • Domain partition
  • Configuration partition
  • Application partition

38
Active Directory Partitions (continued)
  • ADSI Edit
  • Included with Windows Server 2003 Support Tools
  • Used to view and modify objects in various Active
    Directory partitions

39
Active Directory Partitions (continued)
40
Schema
  • Stores schema
  • Contains definitions of all classes and
    attributes in entire forest
  • Replicated to all domain controllers in forest
  • Content is the same throughout forest

41
Configuration
  • Stores information about replication topology
    used in forest
  • Specifies how domain controller determines with
    which other specific partners it replicates
  • Found on all domain controllers
  • Same throughout forest

42
Domain
  • Contains users, computers, groups, and
    organizational units created in Windows domain
  • Replicated to all domain controllers in domain
  • Large amount of data
  • Usually partition that changes most frequently

43
Application
  • Cannot contain security principals
  • Can be replicated to many different domains in
    forest
  • Without necessarily being included on all domain
    controllers
  • Used when developer wants to store information in
    Active Directory
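One way to see the four partition kinds of slides 37-43 as they appear in the directory itself. This is an added example, not code from the deck, and it goes beyond the slides: it reads the crossRef objects that live in the Partitions container (CN=Partitions,CN=Configuration,...), each of which names one naming context in its nCName attribute and marks domain partitions with the FLAG_CR_NTDS_DOMAIN bit of systemFlags. The sample crossRef list is constructed for the deck's supercorp.net forest with a dev child domain; the flag values are the ones documented in MS-ADTS, and the head-of-DN heuristic that separates the schema and configuration contexts is mine.

```python
# systemFlags bits on crossRef objects, as documented in MS-ADTS
FLAG_CR_NTDS_NC = 0x1                 # the crossRef names a naming context
FLAG_CR_NTDS_DOMAIN = 0x2             # ... that is a domain partition
FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4  # ... not replicated to global catalogs (application NCs)

# Constructed sample: what a search of CN=Partitions,CN=Configuration,<forest root>
# for crossRef objects might return in the deck's supercorp.net forest.
SAMPLE_CROSSREFS = [
    {"nCName": "CN=Schema,CN=Configuration,DC=supercorp,DC=net", "systemFlags": 0x1},
    {"nCName": "CN=Configuration,DC=supercorp,DC=net", "systemFlags": 0x1},
    {"nCName": "DC=supercorp,DC=net", "systemFlags": 0x3},
    {"nCName": "DC=dev,DC=supercorp,DC=net", "systemFlags": 0x3},
    {"nCName": "DC=DomainDnsZones,DC=dev,DC=supercorp,DC=net", "systemFlags": 0x5},
    {"nCName": "DC=ForestDnsZones,DC=supercorp,DC=net", "systemFlags": 0x5},
]


def partition_kind(crossref):
    """Classify one crossRef as schema, configuration, domain or application."""
    nc, flags = crossref["nCName"], crossref["systemFlags"]
    if not flags & FLAG_CR_NTDS_NC:
        raise ValueError(f"{nc} is not a naming context")
    if flags & FLAG_CR_NTDS_DOMAIN:
        return "domain"
    head = nc.split(",", 1)[0].casefold()   # leaf RDN of the naming context
    if head == "cn=schema":
        return "schema"
    if head == "cn=configuration":
        return "configuration"
    return "application"


def can_hold_security_principals(kind):
    """Only domain partitions may contain users, groups and computers."""
    return kind == "domain"


def summarize(crossrefs):
    """Group naming contexts by kind; useful when scoping replication or a forensic export."""
    out = {"schema": [], "configuration": [], "domain": [], "application": []}
    for cr in crossrefs:
        out[partition_kind(cr)].append(cr["nCName"])
    return out
```

`summarize(SAMPLE_CROSSREFS)` places the two DNS zone partitions under "application", which is the practical consequence of the last slide: they can be replicated to a chosen subset of domain controllers, they never appear in the global catalog, and nothing in them can be a security principal, so an account or group will only ever be found in the "domain" list.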