Microsoft Active Directory

 



Overview

Active Directory is an LDAP Version 3-compliant directory service that is bundled with the Microsoft Windows 2000 OS. Active Directory follows RFC 2247 conventions for naming contexts, meaning that its naming context suffixes map directly to the DNS tree.

Some Active Directory features include:

  1. Centralized management
  2. Group policies
  3. A global catalog
  4. IntelliMirror desktop management and automated software distribution
  5. Multi-master replication
  6. Kerberos authentication
  7. Smart card support
  8. PKI/x.509 certificate support
  9. Attribute-level security

 


Access the Active Directory console

You can use a Windows Terminal Server client to remotely connect to the host running Active Directory. On Windows XP systems, Windows Terminal Server is installed by default, and is known as "Remote Desktop". On Win2k Pro boxes, Windows Terminal Server is not installed. You'll have to download it from the Microsoft web site at:

http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp

Once connected, log in using your Windows domain account.

To pull up the Active Directory console, click through...

Start | Settings | Control panel | Administrative tools | Active Directory Users and Computers

 

Naming contexts

Naming contexts are the primary unit of replication. Active Directory always has at least three naming contexts:

  1. The schema
  2. The configuration, which holds the replication topology and metadata
  3. User naming contexts, which are the body of the directory and hold the actual directory objects

 

Logical elements

Logical elements in Active Directory include...

Domains: A logical grouping of computers and servers that share common security and user account information. A domain...

  • Can span multiple physical locations, as it bears no relation to the underlying physical network.

  • Is completely independent of other domains. Elements in the domain do not depend on other domains for functionality.

  • Has its own security, so elements of one domain are not subject to the security of other domains.

Trees: One or more domains that share a contiguous namespace form a tree. The domains in the tree are linked, from a security standpoint, by implicit Kerberos trusts. These Kerberos trusts are transitive and hierarchical. A tree is usually called by the name of the domain at its root.
Forests: Two or more trees with non-contiguous namespaces form a forest. Forests do not have actual names, because they are just a set of cross references and Kerberos trusts, but it is usual to call a forest by the name of the tree at its root (from a Kerberos security hierarchy standpoint).

Both trees and forests share a common schema, configuration, and global catalog.

 

Physical elements

Physical elements of Active Directory include...

Sites: A site is composed of one or more IP subnets and represents a general physical location.
Domain controllers: Computers that host a complete replica of the Active Directory subtree for a domain. Domain controller host names are resolved using standard DNS services. Replication traffic between domain controllers must be planned with the available network bandwidth in mind.

 

Data model

The data model of Active Directory is derived from the X.500 model. The three main concepts are...

schema: Represents the universe of all possible classes, attributes, and objects. The schema is stored as a set of classes in the database.
classes: For each class there may be mandatory attributes, additional attributes, and a list of possible parents (classes). Each class must have an OID that identifies it unambiguously. Each individual or organization that wishes to extend the schema should obtain a root OID from an issuing authority. OIDs are represented in dotted decimal form; for example, every LDAP standard class starts with 2.5.6. This designation means that it is jointly defined by ISO and the ITU (2) as part of the Directory Standard (5) and that it is a class (6). The individual or organization can then manage further branches under its root OID to suit its own needs.
objects: Objects are actual instances of the classes. As an analogy, you may think of the classes as tables in a database and the objects as the data in these tables.

 

Naming conventions

Distinguished Name (DN): Full object name, from the root, such as...

CN=ADuser1 S_ADuser1, CN=Users, DC=itso, DC=ibm, DC=com

...and uses the format defined in RFC 2247. The DN is guaranteed to be unique across the forest.

Relative Distinguished Name (RDN): The portion of the DN that is an attribute of the object itself. In the preceding example, the RDN of the user is "ADuser1 S_ADuser1" and the RDN of the "Users" container is "CN=Users".
User Principal Name (UPN): An easy-to-remember alias for the user, in the form @, and very similar to the user's Internet e-mail address. It is guaranteed to be unique, but only security principals (that is, objects that can be used on ACLs, such as users and security groups) have UPNs.
Globally Unique Identifier (GUID): An identifier that is statistically guaranteed to be unique for all objects in the database. All objects are identified by their GUIDs for as long as they exist. The GUID is created when the object is created. It never changes, and, when the object is destroyed, its GUID is lost forever.
Security Identifier (SID): A unique identifier assigned to security principals (users and security groups). The object's SID is actually composed of two parts:

  • Domain SID, common to all objects in a domain.
  • Relative Identifier (RID), unique within a domain.

The SID is used on all ACLs for authorization (permissions) purposes. The SID's behavior is very similar to the GUID's.
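The two identifiers above are easy to take apart mechanically. The following Python is an added example, not part of the original page: it splits a DN into its RDNs (the leftmost one being the object's own), derives the DNS domain from the DC= components as RFC 2247 prescribes, and separates a domain account SID into its domain SID and RID. The sample DN and SID are constructed for the example; the well-known RID table lists a few RIDs that are the same in every domain.

```python
import re

# Constructed sample values for this example (not from a real directory).
# The DN follows the page's example format; the SID is a made-up S-1-5-21 domain SID.
SAMPLE_DN = "CN=ADuser1 S_ADuser1, CN=Users, DC=itso, DC=ibm, DC=com"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# A few RIDs that are fixed in every domain: handy when reviewing ACLs or logon events.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def split_dn(dn):
    """Split a DN into (type, value) RDN pairs, leftmost first.
    A comma preceded by a backslash is an escaped comma inside a value, not a
    separator (other RFC 4514 escapes are not handled in this simplified parser)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns

def rdn(dn):
    """The object's own naming component is the leftmost RDN."""
    return split_dn(dn)[0]

def dns_domain(dn):
    """RFC 2247 mapping: the DC= components, read left to right, spell the DNS name."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def split_sid(sid):
    """Split a domain account SID into (domain SID, RID).
    Only S-1-5-21-... SIDs carry a RID allocated from a domain's RID pool."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def describe_sid(sid):
    """Name the account if its RID is one of the fixed, well-known ones."""
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, "ordinary account")
```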

 

ACLs

All authorization and authentication must come from a higher authority, usually Kerberos. Each object in Active Directory, including the schema objects, has an ACL: the set of actions that can be performed on it. The ACL contains sets of GUIDs and the rights associated with them, so it basically says who can do what on the object.

ACLs are inherited down a subtree. Unless inheritance is explicitly blocked, the ACLs propagate from containers to subcontainers and leaf objects. This provides a fairly simple form of delegation: assign ACLs to OUs and let them propagate.

The Directory Services Agent (DSA) manages physical storage of the objects and classes in the directory database, providing for client isolation.
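To make the inheritance rule concrete, here is an added Python model (not code from the page or from Microsoft): a container tree where each node carries its explicit ACEs and an optional inheritance block, and a walk that computes the effective ACL of any object. It deliberately simplifies real AD, whose ACEs carry per-entry inheritance flags; the sample domain and principals are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """A container or leaf object. `aces` holds the entries set explicitly on it,
    as (trustee, right) pairs; `block_inheritance` stops entries from parents."""
    name: str
    aces: set = field(default_factory=set)
    block_inheritance: bool = False
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child

def effective_acl(root, path):
    """Effective ACL of the object reached by walking `path` (child names) from root.
    Going top-down, every node contributes its explicit ACEs; a node that blocks
    inheritance first discards everything collected from the containers above it."""
    chain, node = [root], root
    for name in path:
        node = node.children[name]
        chain.append(node)
    effective = set()
    for node in chain:
        if node.block_inheritance:
            effective = set()
        effective |= node.aces
    return effective

def who_can(root, path, right):
    """Trustees holding `right` on the object, sorted for stable output."""
    return sorted(trustee for trustee, r in effective_acl(root, path) if r == right)

def build_sample_domain():
    """Constructed example domain for this demonstration, not a real directory."""
    domain = Node("DC=domainx,DC=net", aces={("Domain Admins", "full-control")})
    # Delegation by OU: Helpdesk may reset passwords on everything under Engineering...
    eng = domain.add(Node("OU=Engineering", aces={("Helpdesk", "reset-password")}))
    eng.add(Node("CN=user1"))
    # ...except the admin accounts: their OU blocks inheritance and re-grants
    # only what Domain Admins need, so the Helpdesk delegation stops here.
    admins = eng.add(Node("OU=Admins", block_inheritance=True,
                          aces={("Domain Admins", "full-control")}))
    admins.add(Node("CN=adm1"))
    return domain
```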

 

Special roles

Most operations on Active Directory can read from or write to any domain controller; however, a few operations need a "focal point" for consistency or performance reasons. These have been divided according to their scope:

Forest-wide roles (at least one per forest)

Global catalog: The global catalog stores a subset of the attributes of all objects in the forest. Those are usually the attributes most used on searches. The careful placement of global catalog servers greatly improves performance, especially if you are using directory-enabled applications. You should have at least one global catalog server on each physical site.
Schema master: The schema master is the focal point for making changes to the schema. Because this is a very infrequent and sensitive operation, Active Directory allows making changes to the schema only through the schema master. There can be only one schema master per forest.
Domain naming master: The domain naming master is responsible for controlling the addition or removal of domains in the forest. There can be only one domain naming master per forest.

Domain-wide roles (at least one per domain)

RID master: Responsible for allocating RIDs from the domain's RID pool. (The RID is the part of the object's SID located after the domain SID.)
Primary Domain Controller (PDC) Emulator: Services non-Windows 2000 clients for logons and password changes. The emulator also provides preferential replication of passwords on Windows 2000.
Infrastructure Master: Updates group-to-user references when membership changes (for example, a user display name).

 

Active Directory w/WebSphere Application Server 5.1

Security is configured at the cell level.

After configuring a new group and its members, bind roles to the security groups in the enterprise application deployed to WAS.

You don't need to restart the Cell if you make changes to accounts, or add accounts to groups.

 

Configure the LDAP User Registry in WAS

To configure the LDAP User Registry within WebSphere Application Server, go to...

Console | Security | User Registries | LDAP

...and set...

Server User ID:            WAS_userid
Server User Password:      password
Type:                      Active_Directory
Host:                      ADHost.company.net
Port:                      389
Base Distinguished Name:   OU=Engineering,DC=domainx,DC=net
Bind Distinguished Name:   CN=bindadmin,OU=Engineering,DC=domainx,DC=net
Bind Password:             password
Search Timeout:            default
Reuse Connection:          on/selected
Ignore Case:               off/unselected
SSL Enabled:               off/unselected
SSL Configuration:         [host]/DefaultSSLSettings

You generally don't need to tweak "Advanced LDAP settings" or "Custom Properties".
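The settings listed above bind to the directory over port 389 with SSL disabled and placeholder passwords, so the bind credentials and every lookup cross the network in the clear. As an added example (not from the page or from WebSphere), the Python below encodes a few review rules for this registry configuration and applies them to the page's values and to a hardened variant; all values are constructed placeholders.

```python
# Constructed configurations for this example; the passwords are placeholders, not real secrets.
# AS_ON_PAGE mirrors the settings listed above: cleartext LDAP on 389 with placeholder passwords.
AS_ON_PAGE = {
    "server_user_id": "WAS_userid", "server_user_password": "password",
    "host": "ADHost.company.net", "port": 389,
    "base_dn": "OU=Engineering,DC=domainx,DC=net",
    "bind_dn": "CN=bindadmin,OU=Engineering,DC=domainx,DC=net",
    "bind_password": "password", "ssl_enabled": False,
}
# Same registry, corrected: LDAPS on 636 and distinct, non-default credentials.
HARDENED = {**AS_ON_PAGE, "port": 636, "ssl_enabled": True,
            "server_user_password": "example-server-secret-1",
            "bind_password": "example-bind-secret-2"}

PLACEHOLDER_PASSWORDS = {"", "password", "changeme", "secret"}

def review(cfg):
    """Return a list of (severity, finding) for a WAS LDAP user-registry configuration."""
    findings = []
    if not cfg["ssl_enabled"]:
        findings.append(("high", "SSL Enabled is off: the simple bind sends the Bind "
                                 "Password and every directory query in cleartext"))
    elif cfg["port"] == 389:
        findings.append(("low", "SSL Enabled with port 389: LDAPS normally listens on "
                                "636; confirm the server really serves TLS on 389"))
    if not cfg["bind_dn"]:
        findings.append(("medium", "empty Bind DN: WAS will bind anonymously"))
    for key in ("bind_password", "server_user_password"):
        if cfg[key].lower() in PLACEHOLDER_PASSWORDS:
            findings.append(("high", f"{key} is a placeholder/default value"))
    if cfg["bind_password"] == cfg["server_user_password"]:
        findings.append(("medium", "bind account and WAS server identity share a password"))
    return findings
```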

Go to WAS system administration and enable console access for the admin groups.

 

Add Console Groups...

Examples of System Administrative Console groups include:

wasadmin (Administrator role)
wasconsole (Monitor role)

 

Stopping and Starting java processes...

When stopping the Deployment Manager and the nodes, you will need to supply the WAS username and password as authentication credentials on the command line.

 

Setting up groups in the Active Directory

  1. Open the 'Department' Organizational Unit.

    Note that creating accounts in the 'Users' container is problematic.

  2. One naming convention for groups is...

    [environment]-[role]

  3. After creating the group, add users.

 

Mapping roles to security groups in the application.

When deploying a new application, you can map roles to security groups just like before. They may look a little different, since they will be in LDAP DN format...

CN=wsprod1, OU=Department, DC=company, DC=net

