
Active Directory

Active Directory allows administrators to assign enterprise-wide policies, deploy programs to
many computers, and apply critical updates to an entire organization. An Active Directory stores
information and settings relating to an organization in a central, organized, accessible database.
Active Directory networks can vary from a small installation with a few hundred objects to a
large installation with millions of objects. Active Directory was previewed in 1996, released first
with Windows 2000, and saw some revision to extend functionality and improve administration
in Windows Server 2003.

Structure
Objects
Active Directory is a directory service used to store information about the network resources
across a domain.
An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into
three broad categories - resources (e.g. printers), services (e.g. e-mail), and users (accounts, or
users and groups). The AD provides information on the objects, organizes the objects, controls
access, and sets security.
Difference between a Domain and a Workgroup:
A domain is a group of computers and devices on a network that are administered as a unit with
common rules and procedures. On the Internet, a "domain" is a DNS name such as example.com.
An Active Directory domain also has a DNS name, but membership is not defined by IP addresses:
a machine is in the domain because it has been joined to it, and the domain is a security and
administrative boundary. Domain controllers hold the directory, authenticate the accounts, and
apply policy to the member machines.
There is no real limit to the number of computers in a domain; domains with over 2000
computers/devices (nodes) are common. Networks with that many workstations need
enterprise-level management and messaging software such as SMS (Systems Management Server) and
Exchange to be run effectively. If you are using Windows XP as an OS, only Windows XP Professional
can join a domain; the Home edition cannot. You can mix OS clients on a domain: Macintosh,
Windows, Linux and Unix machines can all belong to the same domain and share resources as needed.
A domain usually costs more to set up because more hardware and software is required (such as a
domain controller running a server edition of Windows) to configure it properly.
When a machine joins a domain, the Domain Admins group is added to its local Administrators
group. This means that you can effectively manage any and all computers in the domain as long as
your user account is a member of Domain Admins. The same property cuts the other way: a Domain
Admin who logs on to an ordinary workstation leaves credentials there that are valid on every
machine in the domain, so those accounts should be used only on domain controllers and dedicated
administrative hosts.
Workgroup:
Workgroup computing occurs when individuals have computers connected to a network (a group of
two or more computer systems linked together) that lets them send e-mail to one another and
share data files and other resources such as printers. Each machine keeps its own local account
database; there is no central authentication. In practice a workgroup is limited to about 10
network devices/computers, because client editions of Windows cap the number of inbound
connections they accept. Both Windows XP Professional and Home can function in a workgroup
environment.

Your typical "out of the box" system is set up to be used in a workgroup.
If you want, you can change the network type from workgroup to domain and vice versa.
Machines set up in a domain environment are much easier to manage than workgroup machines when
it comes to network resources (shared files, shared printers, etc.).
Since workgroup machines may have different account names and passwords, you really have to know
the local administrator account of each specific machine in order to manage the workgroup
effectively.
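The two facts above that matter most to a defender are whether a machine is domain-joined and who ends up in its local Administrators group as a result. The following PowerShell is an added example, not part of the original page: it reports the membership type of the machine it runs on, lists every domain principal that holds local administrator rights, and checks whether the current logon token carries Domain Admins (well-known RID 512, so the check does not depend on the group's display name). It assumes Windows 10 / Server 2016 or later for Get-LocalGroupMember and an elevated prompt.

```powershell
# Added example (not from the original page). Run elevated on a Windows 10 /
# Server 2016+ machine; no parameters need adjusting.

# 1. Domain or workgroup?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "Domain member: $($cs.Domain)"
} else {
    "Workgroup member: $($cs.Workgroup)"
}

# 2. Which domain principals are local administrators here?
#    On a domain-joined machine "Domain Admins" is present by default. Every
#    additional domain user or group in this list is a principal whose stolen
#    credentials take over this machine.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
    Select-Object Name, ObjectClass, SID

# 3. Is the account running this script a Domain Admin? Domain Admins always
#    has RID 512 under the domain SID, whatever the group has been renamed to.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isDomainAdmin = $token.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-512' }
if ($isDomainAdmin) {
    Write-Warning "$($token.Name) is a Domain Admin: do not use this account for routine workstation logons"
}
```

Step 3 reads the token's group SIDs rather than group names, so it works in localized domains and survives a renamed Domain Admins group; under UAC the group is still listed in a filtered token, merely marked deny-only.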

Global Catalog
The Global Catalog (GC) has two primary functions. First, it is a domain controller that
stores object data for the whole forest and answers queries about objects and their most common
attributes (the set of attributes it holds is called the Global Catalog Partial Attribute Set, or
PAS). Second, it provides the data the domain controller needs to complete a network logon, in
particular universal group membership. In single domain controller environments, the Active
Directory and the GC reside on the same server. Where multiple domain controllers exist, as we
discuss later, it was often advised to move the GC to its own dedicated domain controller. Every
forest has at least one GC, and a GC always runs on a domain controller.
NOTE
In the absence of a GC, a user can log on only to the local system: in native mode the logon
process must consult a GC to evaluate universal group membership, so without one a domain logon
succeeds only from cached credentials. However, a member of the Domain Admins group can log on
to the network without a GC.
Like every domain controller, a Global Catalog server stores and replicates the forest-wide
schema and configuration data. What sets it apart is that it also holds a partial, read-only
replica of every domain partition in the forest, which makes it a data repository and engine for
rapid object searches. The GC lists all the objects in the forest but, unlike a domain partition,
holds only a partial list of each object's attributes: the most requested or common attributes
are kept in an abbreviated form that results from partial replication of domain data. Because
domain objects are catalogued, locating an object is faster and does not require searching the
source domain. The reason for a dedicated GC is to separate the query load from the updating and
management work of the directory service.
An object's distinguished name typically provides enough data to identify the partition that
holds it. The GC contains a partial copy of every distinguished-name namespace in the forest.
The Global Catalog supports a default set of object attributes that are considered the most
common or the most frequently queried, for example a user's first and last names. For greater
control over which attributes are included, Windows 2000 lets the administrator change the
defaults: in the Active Directory Schema snap-in, the "Replicate this attribute to the Global
Catalog" option on an attribute adds it to or removes it from the partial attribute set. Adding
attributes increases GC size and replication traffic, so only attributes that are searched for
forest-wide should be added.
When the first domain controller in a forest is installed, it becomes the default Global Catalog.
More than one Global Catalog server can exist, depending on the size of the enterprise, the
number of physical sites, and the quality of network connectivity. Global Catalog servers are
added, and the GC role is moved to another domain controller, through the Active Directory Sites
and Services snap-in of the Microsoft Management Console (MMC), by changing the Global Catalog
setting in the NTDS Settings properties of the domain controller.

In selecting a system to become the Global Catalog server, it is important that both capacity and
network connectivity be considered. The system should have sufficient storage capability to
support the management of a million or more objects. The CPU system speed should be
sufficient to permit the processing of a steady flow of queries.

GCs and Sites

Network connectivity to the Global Catalog server must be fast and of high quality because
access to a GC is required for a successful network logon. Since a site is defined as a set of
subnets joined by fast and reliable network links, at least one GC domain controller per site is
recommended; otherwise logons in that site depend on a WAN link to a GC elsewhere.
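How the pieces described in this section look from the command line, as an added example that is not part of the original page: it lists the Global Catalog servers and their sites, flags sites that have domain controllers but no GC, runs a forest-wide query against the GC port (3268) rather than the domain port (389), and enumerates the attributes currently in the partial attribute set. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the user name jdoe is a placeholder.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory
# RSAT module; "jdoe" is a placeholder account name.
Import-Module ActiveDirectory

# 1. Which domain controllers are Global Catalog servers, and in which sites?
$gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
       Select-Object HostName, Site, IPv4Address
$gcs | Format-Table -AutoSize

# 2. The "at least one GC per site" check: sites with DCs but no GC.
$sites = Get-ADDomainController -Filter * | Group-Object -Property Site
foreach ($s in $sites) {
    if (-not ($s.Group | Where-Object { $_.IsGlobalCatalog })) {
        Write-Warning "Site '$($s.Name)' has $($s.Count) DC(s) but no Global Catalog"
    }
}

# 3. Query the GC on port 3268 instead of a domain partition on port 389.
#    The search covers every domain in the forest, but only attributes in the
#    partial attribute set are returned; a non-PAS attribute comes back empty.
$gc = ($gcs | Select-Object -First 1).HostName
Get-ADUser -Filter 'sAMAccountName -eq "jdoe"' -Server "${gc}:3268" `
           -Properties mail, memberOf |
    Select-Object DistinguishedName, mail, memberOf

# 4. Which attributes are in the partial attribute set? This is the flag the
#    "Replicate this attribute to the Global Catalog" checkbox in the Active
#    Directory Schema snap-in toggles (isMemberOfPartialAttributeSet).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName |
    Sort-Object
```

Step 4 is also the place to look when auditing what an attacker with read access to a single GC can learn about every domain in the forest: anything listed there is replicated to every GC.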

Operations Master Roles (FSMO roles)

Multimaster replication assumes that all domain controllers eventually receive synchronized
Active Directory information. However, some operations would produce conflicts if two domain
controllers performed them at the same time, so each is assigned to a single domain controller:
two roles are held once per forest and three once per domain. Microsoft calls them Flexible
Single Master Operation (FSMO) roles. The roles are defined below:

Domain naming master. This domain controller manages the addition and removal of
domains in the forest. A forest can have only one domain naming master, which can be
transferred to another domain controller through the Active Directory Domains and
Trusts snap-in.

Infrastructure master. The infrastructure master is responsible for updating references to
objects in other domains, for example the membership list of a group that contains users from
another domain. When such a user is renamed or moved, expect a delay before the change appears
in the group: the infrastructure master periodically compares its references with a Global
Catalog, corrects them, and the corrections then reach the other domain controllers through
normal multimaster replication. For this reason the infrastructure master must not be a Global
Catalog server unless every domain controller in the domain is one; a GC never holds stale
references, so it would find nothing to update. This master role can be transferred to another
domain controller through the Active Directory Users and Computers snap-in.

PDC Emulator master. In a mixed Windows 2000 and Windows NT environment, the PDC Emulator
master acts as the primary domain controller for the NT backup domain controllers (BDCs): it
processes user account and password changes and replicates them to the BDCs. In a native mode
Windows 2000 environment, password changes are replicated preferentially to the PDC Emulator
master, and before any domain controller rejects a logon for a bad password it checks with the
PDC Emulator for a more recent one. The PDC Emulator is also the authoritative time source for
the domain. This master role can be transferred to another domain controller through the Active
Directory Users and Computers snap-in.

Relative ID master. A single relative ID master in each domain allocates blocks of relative IDs
(RIDs) to each of the domain's controllers. A security ID (SID) is the domain SID followed by a
RID, so handing each domain controller its own block of RIDs lets every controller create
accounts independently while keeping all SIDs in the domain unique. This master role can be
transferred to another domain controller through the Active Directory Users and Computers
snap-in.

Schema master. The schema master controls updates to the forest schema. There is one schema
master in the entire forest. It can be transferred to another domain controller through the
Active Directory Schema snap-in (register schmmgmt.dll with regsvr32 first to make the snap-in
available).
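The role list above can be verified and acted on from PowerShell, which replaces the per-snap-in transfers the text describes. The block below is an added example, not part of the original page: it reports the five role holders, shows the transfer (and, commented out, the seize) command, checks the infrastructure-master-on-a-GC caveat, decodes the RID block a domain controller has received from the RID master, and splits a SID into its domain part and RID. It assumes the ActiveDirectory RSAT module; DC02 is a placeholder name.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory
# RSAT module; 'DC02' is a placeholder domain controller name.
Import-Module ActiveDirectory

# 1. Who holds the five roles? Two are forest-wide, three are per-domain.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Transfer roles to another DC. Add -Force only to seize a role whose
#    holder is permanently gone; a seized holder must never come back online.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole PDCEmulator, RIDMaster

# 3. Infrastructure master caveat: it must not be a GC unless every DC is one,
#    otherwise cross-domain references silently stop being updated.
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGC = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if ($im.IsGlobalCatalog -and $nonGC) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC while these DCs are not: $($nonGC.HostName -join ', ')"
}

# 4. Decode the RID block a DC holds. The RID master hands out blocks; each DC
#    records its current block in rIDAllocationPool on its "RID Set" object
#    (low 32 bits = first RID in the block, high 32 bits = last RID).
function Get-RidPool([string]$DcName) {
    $dc   = Get-ADDomainController -Identity $DcName
    $set  = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                -Properties rIDAllocationPool, rIDNextRID
    $pool = [int64]$set.rIDAllocationPool
    [pscustomobject]@{
        DC       = $dc.HostName
        FirstRID = $pool -band 0xFFFFFFFF
        LastRID  = $pool -shr 32
        NextRID  = $set.rIDNextRID
    }
}
Get-RidPool -DcName $domain.RIDMaster

# 5. A SID is the domain SID plus a RID, which is why RIDs must be unique per
#    domain. Well-known RIDs: 500 = Administrator, 512 = Domain Admins.
$sid = (Get-ADUser -Identity 'Administrator').SID
[pscustomobject]@{
    SID       = $sid.Value
    DomainSID = $sid.AccountDomainSid.Value
    RID       = [int]$sid.Value.Split('-')[-1]
}
```

Step 4 is worth running during incident response: a DC whose RID block has been exhausted or whose rIDNextRID has jumped unexpectedly points to mass account creation on that controller.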
