70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 4: Active Directory Architecture.

1 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 4: Active Directory Architecture

2 Objectives
- Describe the underlying database of Active Directory
- Describe the Active Directory schema and how it can be extended
- Describe the different Active Directory partitions and their functions

3 Active Directory Physical Database Storage
- Three layers together provide the directory service:
  - Extensible Storage Engine (ESE)
  - Database layer
  - Directory Service Agent (DSA)

4 Active Directory Layers

5 Active Directory Physical Database Storage
- Extensible Storage Engine (ESE): the lowest level, directly responsible for manipulating the database. All objects are stored in nonhierarchical form, as rows in a database table.
- Database layer: responsible for providing the object-oriented, hierarchical view of the data.
- Directory Service Agent (DSA): the third layer, responsible for enforcing the rules that govern how objects in Active Directory are created and manipulated.
- Only adjacent layers communicate with one another.

6 Extensible Storage Engine
- The Active Directory store is a transactional database.
- Each addition, modification, or deletion is a transaction.
- The data a transaction needs is loaded from disk into memory.

7 Extensible Storage Engine (continued)
- Example: viewing the properties of a user account. ESE loads the user account data from disk into memory.
- Transaction:
  - The operation is logged to the hard disk (this is the first thing that happens).
  - The modification is then made to the in-memory copy of the data.
  - Manipulating the in-memory copy of the data is faster than going to disk.

8 Extensible Storage Engine (continued)
- The AD store can be many gigabytes in size. Storing the entire database in memory is not practical because of the finite amount of memory available.
- To solve this, ESE uses a least recently used (LRU) algorithm to decide what to write to disk: data that has not been accessed or modified recently is the first to be written back.
- Data that is no longer needed is moved out of memory and changes are written back to the hard drive:
  - When memory is running low
  - When the system is in a period of low activity

9 Extensible Storage Engine (continued)
- Transactions protect the store against failures such as driver crashes or a UPS failure:
  - ESE writes all transactions to the log before they are made to the in-memory copy.
  - The next time the domain controller starts, ESE can use the transactions recorded in the log to reapply the changes to the copy of the data stored on the hard disk.
  - This is called recovering the database, and it is done without user intervention.

10 Extensible Storage Engine (continued)
- Checkpoints shorten recovery times and reduce the amount of hard drive space the logs take up:
  - Completed transactions are written back to disk.
  - The fact that the transactions were successfully written is noted.
  - ESE only needs to reapply transactions from the point of the last checkpoint.
  - Transactions before the checkpoint can be deleted from the log.
- Note: shutting down the domain controller creates a checkpoint in the transaction log. When the server starts, ESE checks the log; if no checkpoint is present, a recovery is performed.
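The write-ahead logging, checkpoint and recovery sequence of slides 6 through 10, as an added toy model (not code from the chapter or from ESE). NTDS.DIT, EDB.LOG and EDB.CHK are stood in for by a dict, a list and a log position; the object and attribute names in demo() are constructed.

```python
import copy


class EseStore:
    """Constructed model of ESE's log-first, checkpoint, replay-on-start behaviour."""

    def __init__(self):
        self.disk = {}        # stands in for NTDS.DIT (the on-disk copy)
        self.memory = {}      # in-memory copy that transactions actually modify
        self.log = []         # stands in for EDB.LOG: every transaction, in order
        self.checkpoint = 0   # stands in for EDB.CHK: log position already flushed to disk

    def transaction(self, obj, attr, value):
        """Log first, then modify the in-memory copy (never the disk copy directly)."""
        self.log.append((obj, attr, value))
        self.memory.setdefault(obj, {})[attr] = value

    def _apply(self, entries):
        for obj, attr, value in entries:
            self.disk.setdefault(obj, {})[attr] = value

    def write_checkpoint(self):
        """Flush completed transactions to disk and note how far the log has been written."""
        self._apply(self.log[self.checkpoint:])
        self.checkpoint = len(self.log)
        return self.checkpoint

    def pending(self):
        """Transactions not yet on disk; without the log these would be lost on power failure."""
        return len(self.log) - self.checkpoint

    def needs_recovery(self):
        """A clean shutdown leaves the checkpoint at the log end; anything after it means recovery."""
        return self.checkpoint < len(self.log)

    def crash(self):
        """Simulate abrupt power loss: memory is gone, disk, log and checkpoint survive."""
        self.memory = {}

    def recover(self):
        """On next start, reapply only the log entries after the last checkpoint."""
        to_replay = self.log[self.checkpoint:]
        self._apply(to_replay)
        self.checkpoint = len(self.log)
        self.memory = copy.deepcopy(self.disk)
        return len(to_replay)


def demo():
    """Two transactions, a checkpoint, one more transaction, then a crash and recovery."""
    store = EseStore()
    store.transaction("CN=Lori Thompson", "title", "Engineer")
    store.transaction("CN=Lori Thompson", "department", "Research")
    store.write_checkpoint()                      # first two transactions now in NTDS.DIT
    store.transaction("CN=Lori Thompson", "title", "Senior Engineer")
    store.crash()
    replayed = store.recover()                    # only the post-checkpoint entry is replayed
    return replayed, store.disk["CN=Lori Thompson"]["title"]
```

demo() returns (1, "Senior Engineer"): the checkpoint means one transaction is replayed rather than three, and the last change survives the crash because it was logged before it touched memory.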

11 Active Directory File Structure
Files needed by ESE to maintain the integrity of the Active Directory store:
- NTDS.DIT
- EDB.LOG
- EDBXXXXX.LOG
- EDB.CHK
- RES1.LOG and RES2.LOG
- TEMP.EDB

12 Active Directory Files

13 NTDS.DIT
- This is the main AD database. NTDS stands for NT Directory Services; DIT stands for Directory Information Tree.
- Stores all objects and their attributes.
- Located in the %SYSTEMROOT%\NTDS folder on domain controllers.
- Made up of three tables:
  - Schema table
  - Data table
  - Link table

14 EDB.LOG
- This is a transaction log. Any change made to an object in Active Directory is first saved to a transaction log.
- During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash.
- Entries that have not yet been committed to Ntds.dit are kept in memory to improve performance.
- Transaction log files used by the ESE engine are always 10 MB.

15 EDBXXXXX.LOG
- Auxiliary transaction logs used to store changes if the main Edb.log file fills up before it can be flushed to Ntds.dit.
- When Edb.log is full, it is renamed to EdbXXXXX.log: the original Edb.log becomes Edb00001.log, EdbXXXXX.log is renamed to Edb.log, and the process starts over again.
- Excess log files are deleted after their transactions have been committed.
- Every 12 hours a garbage-collection process runs and deletes old EdbXXXXX.log files.
- You may see more than one EdbXXXXX.log file if a busy domain controller has many updates pending.

16 EDB.CHK
- This is the checkpoint file. It is used by the transaction logging system to mark the point at which updates have been transferred from the log files to Ntds.dit.
- As transactions are committed, the checkpoint moves forward in the EDB.CHK file.
- When the system is recovering from a failure: if the system terminated abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.

17 RES1.LOG and RES2.LOG
- These are reserve log files.
- If the domain controller runs out of free disk space, it uses the reserved space from these files, which prevents updates from being lost due to insufficient disk space.
- The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted.
- You should never let a volume containing Active Directory files get even close to being full.
- Important: include additional free space to store the Active Directory database as it grows.

18 TEMP.EDB
- Temporary storage space.
- Holds large transactions while they are in process.
- Used during maintenance operations.

19 LDAP
- When Microsoft decided to replace the clumsy Registry-based account management system in classic NT with a true directory service, rather than devise a proprietary directory service of their own, they chose to adopt LDAP.
- Lightweight Directory Access Protocol: the primary protocol for accessing information directories.
- It is vital to understand how to use LDAP naming paths.

20 LDAP (continued)
- DN (Distinguished Name)
  - Every object in Active Directory has a unique name.
  - Describes exactly where the object is located in the object hierarchy.
  - Made up of the name of the object plus all of the parent objects above it in the hierarchy.

21 LDAP (continued)
- RDN (Relative Distinguished Name)
  - Identifies the object within its container.
  - Contains only the name of the object.
- Acronyms for object names:
  - DC (Domain Component): part of a domain name
  - OU (Organizational Unit): name of an organizational unit
  - CN (Common Name): name of most objects

22 LDAP (continued)
- Name example: Lori Thompson, located in the dev.supercorp.net domain in the Research organizational unit
  - DN: CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net
  - RDN: CN=Lori Thompson
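The DN and RDN rules of slides 20 through 22 worked in code, as an added example that is not part of the chapter. It goes one step beyond the slides by honouring backslash-escaped commas inside a value (a name written as CN=Thompson\, Lori), which a naive split on commas would break; the escaped name is a constructed sample.

```python
def parse_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    Escapes are kept in the value so that re-joining the pairs yields a valid DN.
    """
    components, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: copy it, do not split on it
            buf.append(ch)
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma separates RDNs
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))
    pairs = []
    for comp in components:
        if "=" not in comp:
            raise ValueError(f"malformed RDN: {comp!r}")
        typ, val = comp.split("=", 1)
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def rdn(dn):
    """Relative distinguished name: only the object's own component."""
    typ, val = parse_dn(dn)[0]
    return f"{typ}={val}"


def parent_dn(dn):
    """DN of the container the object sits in (everything above the RDN)."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn)[1:])


def domain_from_dn(dn):
    """Rebuild the DNS domain name from the DC components."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def build_dn(object_name, ou_path, domain, object_type="CN"):
    """Compose a DN from the object's name, its OUs (innermost first) and the DNS domain."""
    comps = [f"{object_type}={object_name}"]
    comps += [f"OU={ou}" for ou in ou_path]
    comps += [f"DC={label}" for label in domain.split(".")]
    return ",".join(comps)
```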

23 Active Directory Schema
- Defines all available objects and attributes.
- Sets out exactly:
  - What kinds of objects are represented
  - What properties or attributes are required or optional
  - What types of values are acceptable
- The tool needed to modify the schema (the Active Directory Schema snap-in) is not available by default; it must be registered with regsvr32 schmmgmt.dll.

24 Activity 4-1: Registering Active Directory Schema Console
- Objective: register the Active Directory Schema snap-in so you can view and modify the schema.
- Follow the instructions to register the console.

25 Naming
Every object class and attribute in the schema must have:
- A unique common name
- An LDAP display name
- An Object Identifier (OID)

26 Common Name Rules
- Start the name with the registered DNS name of the company.
- Separate each level of the DNS name with hyphens (-) instead of periods.
- Add another hyphen (-) at the end of the company's name.
- Enter the current year.
- Follow the year with another hyphen (-).

27 Common Name Rules (continued)
- Choose a product-specific prefix:
  - Must be unique within the company
  - Identifies the product or application the class or attribute belongs to
  - Should begin with an uppercase letter, with additional letters using capitalization of your choice
- Follow the product-specific prefix with a hyphen (-).
- Enter the name of the class or attribute, with its parts separated by hyphens.

28 LDAP Display Name Rules
- Start with the common name already created for the class or attribute.
- Make the first character of the product-specific prefix lowercase.
- Characters following the first character may be uppercase or lowercase.

29 LDAP Display Name Rules (continued)
- Make every character in the class or attribute part of the name that is preceded by a hyphen (-) uppercase.
- Remove all hyphens (-) after the product-specific prefix.

30 Example common names and LDAP display names
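The common-name rules of slides 26 and 27 and the LDAP display-name rules of slides 28 and 29, carried through in code as an added example (not the chapter's own table, which was a slide image). The company name supercorp.net, the year 2005 and the product prefix "Hr" are constructed values.

```python
import re
from datetime import date

# Shape of a rule-conformant common name: <dns-with-hyphens>-<year>-<Prefix>-<Name-Parts>
_CN_SHAPE = re.compile(
    r"^(?P<head>.+-\d{4}-)(?P<prefix>[A-Z][A-Za-z0-9]*)-(?P<name>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)$"
)


def schema_common_name(company_dns, product_prefix, name_parts, year=None):
    """Build a schema common name following the chapter's rules."""
    if year is None:
        year = date.today().year                      # rule: enter the current year
    if not re.fullmatch(r"[A-Z][A-Za-z0-9]*", product_prefix):
        raise ValueError("product-specific prefix must begin with an uppercase letter")
    if not name_parts or not all(re.fullmatch(r"[A-Za-z0-9]+", p) for p in name_parts):
        raise ValueError("class/attribute name parts must be non-empty and alphanumeric")
    # rule: DNS levels separated by hyphens instead of periods
    dns_part = company_dns.strip(".").lower().replace(".", "-")
    # rules: hyphen after the company name, year, hyphen, prefix, hyphen, hyphenated name
    return f"{dns_part}-{year}-{product_prefix}-{'-'.join(name_parts)}"


def ldap_display_name(common_name):
    """Derive the LDAP display name from an already-created common name."""
    m = _CN_SHAPE.match(common_name)
    if not m:
        raise ValueError(f"not a rule-conformant common name: {common_name!r}")
    prefix = m["prefix"]
    prefix = prefix[0].lower() + prefix[1:]           # rule: first char of prefix lowercase
    # rule: uppercase each char that follows a hyphen, then drop the hyphens after the prefix
    name = "".join(part[0].upper() + part[1:] for part in m["name"].split("-"))
    return m["head"] + prefix + name
```

For the constructed attribute "Employee-ID" this yields the common name supercorp-net-2005-Hr-Employee-ID and the LDAP display name supercorp-net-2005-hrEmployeeID.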

31 OID
- OID space must be obtained separately; it is not part of the registered DNS domain name.
- Two primary ways to obtain an OID space:
  - Through Microsoft
  - Through the International Standards Organization (ISO)

32 Object Classes
- Definition of each type of object; like a template from which objects are created.
- Inheritance
- Class types:
  - Structural classes
  - Abstract classes
  - Auxiliary classes
  - 88 classes

33 Object Classes (continued)
- Possible superiors: controls which types of objects a new object can be instantiated under or moved under.
- Example: a user object cannot be created (or moved) under a printer object.

34 Activity 4-2: Creating a Structural Class
- Objective: learn how to extend the Active Directory schema to include additional classes.
- Use Active Directory Schema to create a new class.

35 Attributes
- The schema contains a list of all possible attributes.
- A class is assigned both mandatory and optional attributes.
- An object is the sum of its attributes.
- Syntaxes: define the data type an attribute can store.

36 Common Syntaxes

37 Common Syntaxes (continued)

38 Indexes
- Similar in concept to the index in the back of a book.
- Store values (in order) for all objects that have a given attribute.
- Speed up queries.
- Slow down creation of objects and updating of attributes.
- Choose attributes that have highly unique values.

39 Activity 4-4: Adding an Optional Attribute to a Class
- Objective: learn how to add additional attributes to a class.
- Use the Schema console to add an attribute to a class.

40 Active Directory Partitions
- The database is divided into groups called partitions, or naming contexts.
- Used to manage replication.
- Partitions:
  - Schema partition
  - Domain partition
  - Configuration partition
  - Application partition

41 Active Directory Partitions (continued)
- ADSI Edit:
  - Included with the Windows Server 2003 Support Tools
  - Used to view and modify objects in the various Active Directory partitions

42 Active Directory Partitions (continued)

43 Schema
- Stores the schema: contains the definitions of all classes and attributes in the entire forest.
- Replicated to all domain controllers in the forest.
- Content is the same throughout the forest.

44 Configuration
- Stores information about the replication topology used in the forest.
- Specifies how a domain controller determines which specific partners it replicates with.
- Found on all domain controllers.
- Same throughout the forest.

45 Domain
- Contains the users, computers, groups, and organizational units created in a Windows domain.
- Replicated to all domain controllers in the domain.
- Large amount of data.
- Usually the partition that changes most frequently.

46 Application
- Cannot contain security principals.
- Can be replicated to many different domains in the forest, without necessarily being included on all domain controllers.
- Used when a developer wants to store information in Active Directory.

47 Summary
- Active Directory is made up of several layers: the Extensible Storage Engine (ESE), the database layer, and the Directory Service Agent (DSA).
- By logging all transactions, ESE can reapply transactions in the event of a system failure and bring the data back to a consistent state.

48 Summary (continued)
- All objects and attributes available in Active Directory are defined in the Active Directory schema.
- To effectively manage replication of Active Directory, the database is divided into groups called partitions.