Active Directory Logical Structure — Part 2


The most basic components of the logical structure of Active Directory are:

a) Leaf objects, which do not have any child objects.

b) Container objects, which have child objects.


The major reason behind these objects is to manage data. Understanding these logical components helps engineers design Active Directory and troubleshoot it efficiently. The logical structure consists of the following.


Forest:

In Active Directory the forest is the top-level container, and it stores all the domain containers. A forest can hold any number of domains, so any number of domain containers can be stored in the forest container. The domain containers in a forest share a common global catalog, schema, directory configuration and logical structure, and are joined by two-way transitive trusts.

Note: the first domain in the forest acts as the root domain, e.g. sai.com.


Domain:

A domain is a container object which can hold millions of objects, and these objects share a common database. As explained in my earlier post, every domain has its own data store, schema and database. The domain also defines the security policies for its objects and the trust relationships.


Domain Tree:

AD provides the flexibility of creating child domains under a parent domain (the root domain); the resulting hierarchy is called a domain tree, e.g. test.sai.com.


Organizational Unit:

Suppose a company has 1000 users and these users have different privileges; the administrator has a tough time identifying the privileges of each user. With the help of OUs the users with similar privileges can be grouped together, which makes management easy.

OUs are container objects which help in arranging different types of objects under them.


Site Objects:

AD replication is achieved by means of the site objects, which include both container objects and leaf objects. Site objects are the top-most objects used to implement AD replication. The site object stores the objects used by the KCC (Knowledge Consistency Checker). Some of the well-known objects are NTDS settings, subnet objects, connection objects, server objects and the site object itself (one per site).


In order to view, manage and manipulate the above objects, you can:

a) install AD

b) create a domain

c) manage users with the Active Directory Users and Computers MMC snap-in

d) manage trusts with Active Directory Domains and Trusts

e) manage the schema with the Active Directory Schema MMC snap-in

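As an added example (not code from the original post), the PowerShell script below walks the structure this part describes: the forest, its root and child domains with their trusts, the OUs in each domain, and the site, subnet, server and connection objects the KCC relies on. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the Configuration partition.

```powershell
# Added example (not from the original post): walk the logical structure described above,
# forest -> domains (root and children, with their trusts) -> OUs, plus the site objects
# the KCC works with. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-ADLogicalStructure {
    $forest = Get-ADForest
    $domains = foreach ($name in $forest.Domains) {
        $dom = Get-ADDomain -Identity $name
        [pscustomobject]@{
            Name     = $dom.DNSRoot
            Parent   = $dom.ParentDomain   # $null for the root domain, set for a child such as test.sai.com
            Children = @($dom.ChildDomains)
            # Trusts inside the forest are two-way transitive by default; any other trust deserves review
            Trusts   = @(Get-ADTrust -Server $dom.DNSRoot -Filter * | ForEach-Object {
                           '{0} ({1}, intraForest={2}, forestTransitive={3})' -f $_.Name, $_.Direction, $_.IntraForest, $_.ForestTransitive })
            OUs      = @(Get-ADOrganizationalUnit -Server $dom.DNSRoot -Filter * |
                           Select-Object -ExpandProperty DistinguishedName)
        }
    }
    # Site objects live in the forest-wide Configuration partition: one site object per site, plus the
    # subnet, server and nTDSConnection objects the KCC consumes when it builds the replication topology
    $sites = foreach ($site in Get-ADReplicationSite -Filter *) {
        $serversDN = "CN=Servers,$($site.DistinguishedName)"
        [pscustomobject]@{
            Name        = $site.Name
            Subnets     = @(Get-ADReplicationSubnet -Filter * |
                              Where-Object { $_.Site -eq $site.DistinguishedName } |
                              Select-Object -ExpandProperty Name)
            Servers     = @(Get-ADObject -SearchBase $serversDN -LDAPFilter '(objectClass=server)' |
                              Select-Object -ExpandProperty Name)
            Connections = @(Get-ADObject -SearchBase $serversDN -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
                              ForEach-Object { '{0} <- {1}' -f $_.DistinguishedName, $_.fromServer })
        }
    }
    [pscustomobject]@{
        Forest         = $forest.Name
        RootDomain     = $forest.RootDomain     # the first domain created in the forest, e.g. sai.com
        SchemaMaster   = $forest.SchemaMaster   # one schema is shared by every domain in the forest
        GlobalCatalogs = @($forest.GlobalCatalogs)
        Domains        = $domains
        Sites          = $sites
    }
}

# Usage: dump the structure as JSON, e.g. to diff against an earlier snapshot
Get-ADLogicalStructure | ConvertTo-Json -Depth 6
```

Keeping such a snapshot under version control makes an unexpected new trust, domain or connection object stand out in a routine review.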

Active Directory Logical Structure – Part 1


Understanding Active Directory is just like completing a PhD program. I would say many administrators still struggle with the hierarchy and the placement of the logical structure of AD. So I thought of writing down the components involved in the AD logical structure, since the logical structure is all we actually manipulate.

 

Container
    Forests
        Domains
            Organizational Units

All the above components are implemented as containers.


There is an important concept which I would like to emphasize: AD as a service. AD stores information in the form of objects and then makes those objects available to users with the help of the forest and domain structures.

Core Components of AD – Logical Structure


The placement of data in the above diagram gives the administrator flexible authentication and authorization of network devices. Architects should view this model from a security perspective and think about which devices need which kind of authentication.

But the above diagram does not show the physical implementation of the logical structure.

Architects and system engineers care about security, and security alone, so planning is a vital part of their job. When you drill down into AD and use it to its full potential, you realize how well you can control devices:


- File sharing

- Logon permissions

- Creating different departments with appropriate permissions

- Device restrictions

- VPN access

- PKI

One has to understand and implement the above concepts to appreciate the robustness of AD.


Active Directory Basics – Part 2


Abstract

Engineers have to understand the major components of Active Directory; once they do, their life becomes pretty easy. At the upper layer AD is very simple, but when you actually start deploying or troubleshooting it you might find you are lost. Once you understand the core components, you know exactly where to look.

I would say the heart of Active Directory is nothing but the data store, because the data store acts as an interface between the schema and the physical directory. Communication between the physical directory and the schema flows both ways through it.

This data store resides on every domain controller in the forest. The data store has an internal structure; in other words, it consists of sub-components communicating with each other.


Simplified Explanation:

In its very simplest form, the data store can be thought of as a firewall which allows or denies requests from applications. The data store does the same job:

– It provides a way for applications to communicate with the database.

– It provides a way to filter those communications.


Implementation:

The data store is nothing but a collection of interfaces which are used to provide two major tasks for applications and clients:

a) provide an interface for communicating with the data store

b) provide access to the physical database through the data store interfaces

c) filter the application calls made to the database for data retrieval or data commit


Interfaces in the Data Store:

LDAP interface

SAM interface

ESE interface

Replication interface

DSA interface


Did You Know:

The DSA (Directory System Agent) is the component that performs schema-related activities. The DSA does the following:

a) enforces the rules

b) checks the schema

c) enforces data types on attributes


Example:

Application → Data store → Database

Lower view:

Application → uses LDAP → uses the DSA for access to the directory → filters the necessary API calls → ESE, which communicates directly with the database → physical database.

From the above example you now have a clear understanding of the data flow.

Hope you have enjoyed this article; look for the next session.

Active Directory Basics – Part 1


We have to understand the directory structure to get a clear understanding of Active Directory. Many of us are reluctant to learn AD because it feels like having to swim across the Pacific Ocean. But when you start analyzing the building blocks of AD you will feel relaxed, and then start thinking about Active Directory and its implementation.

Every organization today uses Active Directory as a centralized repository; in short, they use AD to store their data. In its simplest form you need to understand the following (just remember DOS):


Directory: the place where all the data gets stored.

Objects: applications use objects to store data in the directory.

Schema: in order to use an object, the object must be defined in the schema; without that you cannot use the object to store data in the directory.


Data Flow

Application → Object → Schema → Directory
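As an added example (not from the original post), the PowerShell below queries the schema partition to show what the schema step in this data flow, and the DSA checks listed in Part 2's "Did You Know", actually enforce before an object reaches the directory: the attributes a class must carry, and the syntax, multiplicity and range an attribute is held to. It assumes the RSAT ActiveDirectory module on a domain-joined host; the user class and sAMAccountName attribute used at the end are illustrative choices.

```powershell
# Added example (not from the original post): query the schema partition to see what the DSA
# will enforce before an application stores an object: the mandatory attributes of a class and
# the syntax and range of an attribute. Assumes the RSAT ActiveDirectory module on a
# domain-joined host; the class and attribute names at the bottom are illustrative.
Import-Module ActiveDirectory

function Get-SchemaClass {
    param([Parameter(Mandatory)][string]$ClassName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName, subClassOf, mustContain, systemMustContain `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
}

# Walk the inheritance chain (e.g. user -> organizationalPerson -> person -> top) and collect
# every mandatory attribute; a write that omits any of them is rejected by the DSA.
function Get-MandatoryAttributes {
    param([Parameter(Mandatory)][string]$ClassName)
    $required = New-Object 'System.Collections.Generic.HashSet[string]'
    $current = $ClassName
    while ($current) {
        $def = Get-SchemaClass -ClassName $current
        if (-not $def) { throw "Class '$current' is not defined in the schema, so no object of it can be stored." }
        foreach ($attr in @($def.mustContain; $def.systemMustContain)) {
            if ($attr) { [void]$required.Add([string]$attr) }
        }
        # 'top' lists itself as its superclass, which ends the walk
        $current = if ($def.subClassOf -eq $current) { $null } else { $def.subClassOf }
    }
    $required | Sort-Object
}

# Look up the syntax, multiplicity and value range the DSA enforces for one attribute.
function Get-AttributeConstraints {
    param([Parameter(Mandatory)][string]$AttributeName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued, rangeLower, rangeUpper |
        Select-Object lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued, rangeLower, rangeUpper
}

# Usage: what a new 'user' object must contain, and how sAMAccountName is constrained
Get-MandatoryAttributes -ClassName 'user'
Get-AttributeConstraints -AttributeName 'sAMAccountName'
```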
This directory is viewed as:

a) Logical structure: exposed to users as forests and domains.

b) Physical structure: implemented as a database residing on each and every domain controller.


Communication with the database is not straightforward; we need some means of writing data to the directory, so Microsoft uses the Active Directory data store as the interface for writing data to the directory. The AD data store is made up of services and files which decide how I/O operations on the database are handled.

Data Flow

Application → Object → AD Data Store → Database
                              |
                      Files and Services