A properly designed directory represents a model of the organization it serves, including not only information about computers, users and resources, but also establishing and enforcing security policies, access controls, data flows and much more. That’s why Active Directory sits at the heart of any modern Windows network, and it’s what makes understanding Active Directory techniques so important. This is a subject that anyone could spend years studying, and a decade to master completely. Here, we’ll explain what’s involved in working with Active Directory throughout information system lifecycles.
Understanding Comes First
Before you try to do anything with Active Directory, it’s essential to understand what it is and what it does. By analogy, Active Directory is to a collection of Windows servers (called domain controllers), along with the computers, users and other resources that fall under their control, what the Windows registry is to any individual Windows machine. By definition, Active Directory (AD) is Microsoft’s proprietary directory service and provides an information storage and control system that’s both centralized (there’s only one logical database behind any single given directory tree) and distributed (the system allows multiple copies to exist and keeps them synchronized and coordinated).
The intent of AD is to capture information about and to automate management of user data, security and access controls, and distributed resources of all kinds. AD uses standard directory protocols and services (such as the IP-based LDAP protocol) so that it can work with other directory services, such as Novell Directory Services (NDS) or Sun Directory services (though this is always easier in theory than in actual practice). Active Directory is organized into individual containers called directory trees, which may be further aggregated into directory forests. It’s a complex environment with many tools and utilities involved in its design, maintenance, troubleshooting and so forth.
Key AD features include the following:
Support for the ISO X.500 standard for global directories.
Support for secure, Web-based network operations.
Hierarchical organization with delegation of authority to enable local management of local resources and centralized management of global resources and controls (to a restricted class of domain/directory administrators).
Object-oriented data representation and storage, for easy searching of and access to directory data.
Designed to work with older Windows domain models (such as NT 4.0 domain controllers) and to interoperate with newer implementations (so that AD for Windows 2000 works well with AD for Windows Server 2003, albeit through a restricted logical view).
Before anyone goes to work on AD, some learning and study is highly recommended. Microsoft offers lots of tutorials and educational material through TechNet and applicable product documentation. The company has also published numerous books on AD under the Microsoft Press imprint, and it offers numerous training courses on AD for both Windows 2000 and Windows Server 2003. A plethora of third-party books, courses and other information about AD is also available.
Two Paths to Active Directory Implementation
The best techniques and practices that apply to AD vary according to whether an organization has already implemented AD or whether it seeks to implement (or migrate to) Active Directory for the first time. For those on the migration or first-time-implementation path, some initial design and planning is absolutely essential. For those working in environments where AD is already up and running, assessment and analysis will indicate whether additional design and planning are needed or not. In the sections that follow, we’ll step through a complete collection of categories under which Active Directory techniques and best practices can be organized; these may not apply in all situations, so use your best judgment as you decide on their applicability to your circumstances.
Planning for Active Directory
For many organizations, moving to AD also means migrating to newer versions of Windows—namely, Windows 2000 Server (the first platform to support AD) or Windows Server 2003 (the most current AD implementation available). During this phase of activity, planning falls into multiple categories:
Examining processor, memory, storage and other system requirements for the chosen Windows version, and deciding if existing equipment is suitable or if new equipment must be acquired.
Identifying and piloting migration from earlier Windows environments (typically, Windows NT 4.0) to understand and learn the process before moving into full-scale production. Please note that Microsoft offers numerous migration tools to help administrators preserve and transport such information about systems, users, resources, access controls and so forth as makes sense during such a move. (Search Microsoft.com or TechNet for “Active Directory migration tools” to see what’s available.)
Establishing relationships with IT and other executives to educate them about AD and to explain how building directory services can have political ramifications. (This gets increasingly important as more sites or autonomous operating units fall under a single organizational umbrella.)
Numerous consulting companies specialize in Active Directory-related services and are available to help with all phases of AD activity. Use them if you can’t grow sufficient expertise in your own organization to do things entirely on your own.
Designing an Active Directory
This phase requires that you inventory system and information assets, review (or formulate) security policy and understand the kinds of users, user communities, communications links and access controls your organization requires. This is roughly the same as the assessment phase mentioned later in this story, except it’s always more work to do this for the first time than it is to inspect an existing directory services environment and decide how well it continues to fit current needs and circumstances.
Once the inventory and assessment phases are completed, you’ll need to create a model of your organization that includes information about users, how users fit into various organizational operating units or job roles, how desktops and servers fit into information processing and delivery needs and how other resources fit into the overall picture. This brief description can’t really tally the amount of work that needs to be done, nor the levels of approval and management buy-in that are necessary, but this phase often takes three months or longer to complete and usually involves a team of professionals. This is also the point at which security policy is mapped into AD Group Policy Objects and where controls for local and remote network access must be formulated.
Implementing Active Directory
If a pilot migration has succeeded, a real migration will get underway, followed by adding all the data that AD requires that Windows NT domains never dreamed existed. Many organizations choose to implement AD piecemeal and create organizational units, each with its own directory context, so that entire multi-site networks don’t have to make the switch all in one go. Experience teaches that the more complex and far-flung the organization, the more sense incremental directory implementation makes. This is particularly true when not all sites or organizations have trained, directory-savvy IT staff on site and must rely on headquarters staff or experts housed in other locations. This is also the final step in the first-time process, so that IT professionals working in existing AD environments may not need to tackle them any time soon (but they should be aware of them and their importance to effective, well-honed AD implementations). Testing and evaluation as each piece of the total AD implementation is completed is highly recommended, as are regular piecewise reviews of directory synchronization and locations for global catalog servers at each step along the way.
Be aware also that Microsoft has created a collection of development tools and interfaces known collectively as the Active Directory Services Interface (ADSI), intended to permit organizations (and software developers) to create “directory-aware” applications. To the extent that organizations want to make the most of AD, they may choose to re-engineer key line-of-business or mission-critical systems and applications to take advantage of the added capabilities ADSI can support. If this elective is chosen, normal best software engineering practices will also come into play, particularly during beta test and final deployment stages.
Assessing Active Directory
To some extent, this phase can be considered the point where implementation stops and maintenance begins. Certainly, it’s also the stage through which most IT professionals must pass to familiarize themselves with their organization’s AD structure, organization and operations. But beyond mere understanding and familiarity, the real goal of assessment is to compare the current implementation to current organizational needs and realities and to decide if that implementation needs changes or enhancements to better reflect those needs and realities or to better meet access or performance requirements. Microsoft and various third parties offer lots of tools designed to help with AD assessments and to profile current implementations at a considerable level of detail. These can be extraordinarily helpful in conducting this phase (as can help from qualified experts or consultants who specialize in AD—in fact, when outside help is contracted for most first-time AD implementations, the job isn’t over until a post-implementation assessment and follow-up occurs, if ongoing support isn’t also part of the deal). This regimen should also include (or take cognizance of) regularly scheduled security and system audits (which normally occur at least once a year, or more often as mandated by organization policy).
Tuning and Maintaining Active Directory
As a result of an assessment, or simply to keep AD implementations secure and up-to-date, routine, scheduled updates and tweaks are key to making the most of an AD environment. Activities here range from performing security scans and vulnerability assessments, to applying relevant Microsoft security updates, hotfixes or Service Packs, to checking replication and synchronization performance, error logs and so forth. As it is a fundamental principle of lifecycle management, assessment, tuning and maintenance will be where IT professionals spend most of their time and effort working with AD in the long run. It’s also the case that changing information requirements may occasionally require additional data to be incorporated into directory databases (for example, to include PDA access profiles for sales force members newly required to carry them or smart card data for security personnel newly required to use two-factor authentication for system audit logs).
The Keys to the Kingdom Hang on Active Directory
It’s certainly the case that in modern, well-run Windows networks, the importance of AD is hard to overstate. That’s why savvy IT professionals will learn as much about AD as they can, to help them make the best use of its manifold and multifaceted capabilities. It’s certainly possible to assert that nobody can consider themselves truly expert on Windows nowadays unless they have a good working knowledge of AD and how to approach its proper planning, design, implementation and maintenance.
2006-10-10 21:33:14
answer #1
answered by mallimalar_2000
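The answer above mentions ADSI as the interface for directory-aware code and, later, routine assessment of an existing directory. The following added example (not part of the original answer) uses ADSI through PowerShell's [ADSI] accelerator and the .NET DirectorySearcher to run two common assessment checks: enabled user accounts whose passwords never expire, and computer accounts that have not logged on for a configurable number of days. It assumes it runs on a domain-joined machine as a user allowed to read the directory; the 90-day threshold is an assumed value.

```powershell
# Added example: assessment checks against Active Directory via ADSI.
# Assumes a domain-joined host and read access to the domain partition.

function Get-DomainSearcher {
    # RootDSE exposes the DN of the domain partition we are joined to.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = $rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.PageSize   = 1000   # paged results; large domains exceed the 1000-entry default
    return $searcher
}

function Get-PasswordNeverExpiresUsers {
    # userAccountControl is a bit field. OID 1.2.840.113556.1.4.803 is the LDAP
    # bitwise-AND matching rule: 65536 = DONT_EXPIRE_PASSWORD, 2 = ACCOUNTDISABLE.
    $s = Get-DomainSearcher
    $s.Filter = "(&(objectCategory=person)(objectClass=user)" +
                "(userAccountControl:1.2.840.113556.1.4.803:=65536)" +
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "pwdLastSet"))
    foreach ($r in $s.FindAll()) {
        # pwdLastSet is a Windows FILETIME stored as a 64-bit integer.
        $lastSet = [DateTime]::FromFileTime([Int64]$r.Properties["pwdlastset"][0])
        [PSCustomObject]@{
            Account         = $r.Properties["samaccountname"][0]
            PasswordLastSet = $lastSet
        }
    }
}

function Get-StaleComputers {
    param([int]$Days = 90)   # assumed threshold; adjust to local policy
    # lastLogonTimestamp is replicated (unlike lastLogon) and is a FILETIME,
    # so compare against a FILETIME cutoff in the filter itself.
    $cutoff = [DateTime]::UtcNow.AddDays(-$Days).ToFileTimeUtc()
    $s = Get-DomainSearcher
    $s.Filter = "(&(objectCategory=computer)(lastLogonTimestamp<=$cutoff))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@("name", "lastLogonTimestamp"))
    foreach ($r in $s.FindAll()) {
        [PSCustomObject]@{
            Computer  = $r.Properties["name"][0]
            LastLogon = [DateTime]::FromFileTimeUtc([Int64]$r.Properties["lastlogontimestamp"][0])
        }
    }
}

Get-PasswordNeverExpiresUsers | Sort-Object PasswordLastSet | Format-Table -AutoSize
Get-StaleComputers -Days 90   | Sort-Object LastLogon       | Format-Table -AutoSize
```

Note that lastLogonTimestamp is only updated when the stored value is more than about 14 days old, so the stale-computer cutoff should be well above that interval.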