ACTIVE DIRECTORY, OSI Model, Networking protocols and Topologies
WHAT IS THE ACTIVE DIRECTORY?
The term "directory" has received a lot of attention in computing environments in the past several years. As computing environments have become larger and more complex, with many offering Internet access and even network resources through an intranet, the task of managing the many resources the network has to offer has become more and more complex for network administrators — and the user's task of finding those resources has become just as difficult. The need to not only organize information, but make that information easy to manage and locate, has become a serious and complicated issue. By definition, a directory is an information storage location that uses a systematic scheme to organize the information. The Active Directory refers to this systematic scheme as a "namespace." A common example is the telephone book. All information in a telephone book is stored by city/region, last name, then first name(s). By referencing a particular name in a particular city/region, you can find that person's telephone number. The phone book uses a "namespace" in that all names are organized in alphabetical order using the last name and first name of the phone user. If the telephone book did not follow a namespace — in other words, if some names listed were by first name, some by last, some by nicknames, and some by address — you would never find what you needed. So, a directory organizes information using a namespace so you can find more information about the people or things listed in the directory. Although Windows NT offered directory services through third party software, the Active Directory in Windows 2000 is Microsoft's new answer to directory services. The Active Directory is a powerful tool that allows multiple sites, domains, and even the Internet to fully integrate together. The Active Directory's purpose is to organize information about real network objects, such as users, shares, printers, applications, and so forth, so that users can find the resources they need. Through the Active Directory, users do not have to keep track of which server holds which resource, or where a particular printer resides. The Active Directory lists the information, is completely searchable, and provides a standard folder interface to users so they can find what they need on the network. From an administrator's point of view, the Active Directory provides you with a simple, hierarchical design that you can administer from a single location.
DESIGN GOALS OF THE ACTIVE DIRECTORY The Active Directory's design goals are simple, yet very powerful, allowing Active Directory to provide the desired functionality in virtually any computing environment. The following list describes the major features and goals of the Active Directory technology. Scalable — The Active Directory is highly scalable, which means it can function in small networking environments or global corporations. The Active Directory supports multiple stores, which are wide groupings of objects, and can hold more than one million objects per store. Extensible — The Active Directory is "extensible," which means it can be customized to meet the needs of an organization. Secure — The Active Directory is integrated with Windows 2000 security, allowing administrators to control access to objects. Seamless — The Active Directory is seamlessly integrated with the local network and the intranet/Internet. Open Standards — The Active Directory is based on open communication standards, which allow integration and communication with other directory services, such as Novell's NDS. Backwards Compatible — Although Windows 2000 operating systems make the most use of the Active Directory, the Active Directory is backwards compatible for earlier versions of Windows operating systems. This feature allows implementation of the Active Directory to be taken one step at a time. ACTIVE DIRECTORY NAMESPACE As mentioned previously, the Active Directory functions through the use of an extensible namespace, and the namespace used in the Active Directory follows the Domain Name System (DNS). DNS is the most widely used directory namespace in the world and it is highly scalable. Each time you use the Internet, you are using DNS. DNS takes a host name, such as www.microsoft.com, and resolves it into a TCP/IP address, such as 188.8.131.52, which is required for communication on TCP/IP networks. Since computers must have the TCP/IP address to communicate, and we need the language-based names to communicate, DNS' job is to resolve the two.
The Active Directory is integrated with DNS and the naming schemes used in the Active Directory are DNS names. The DNS integration allows you to use the same domain name for your network as you would on the Internet. For example, smithfin.com is a valid DNS name and can also be used as a Windows 2000 domain name. With DNS as the locator service in the Active Directory, the local area network becomes more seamless with the Internet and intranet. Smithfin.com can be an Internet name or a local area name. [email protected]
is both an Internet email address and a user name in the local network. This structure allows you to find items on your network in the same manner you find them on the Internet. Windows 2000 also supports Dynamic DNS (DDNS), a new addition to the DNS standard. DDNS can dynamically update a DNS server, which had to be manually performed in the past, with new or changed values. Since name records can be dynamically updated, true Windows 2000 networks no longer need to use Windows Internet Naming Service (WINS).
LDAP IN THE ACTIVE DIRECTORY DNS is the naming scheme used in the Active Directory, and LDAP (Lightweight Directory Access Protocol) is how you access the Active Directory. LDAP is a widely adopted Internet standard used in newsgroups and search engines. Although often misunderstood, LDAP is not a part of the X.500 standard. The X.500 standard is a directory specification that introduced DAP (Directory Access Protocol) to read and modify a directory database. DAP is an extensible protocol in that it can handle directory requests and changes, as well as directory security. However, DAP places much of the processing burden on the client computers and is considered to be a high overhead protocol. LDAP, which is not defined within the X.500 specification, was developed to overcome the weaknesses of DAP. LDAP is an open standard, which means that it can be used by anyone wishing to develop a directory service and is not restricted to X.500 directories like DAP. Also, a major difference is that LDAP is not a client-based service. The service runs on the server and the information is returned to the LDAP enabled client. The Active Directory is not an X.500 directory, but it supports the information model without requiring systems to implement the X.500 overhead. The result is an LDAP based directory that supports high levels of interoperability.
ACTIVE DIRECTORY HIERARCHY The structure of the Active Directory is a hierarchy, and before installing and implementing the Active Directory, you must have a firm understanding of the structure as well as the components that make up the Active Directory. You will use this hierarchy design to build the Active Directory infrastructure for your organization, so it is important that you have a firm grasp of their meaning and place in the hierarchy before you begin planning. The following sections explore the components in the hierarchy structure. We will work with each of these in more detail in later chapters. Object An Active Directory object represents a physical object of some kind on the network. Common Active Directory objects are users, groups, printers, shared folders, applications, databases, contacts, and so forth. Each of these objects represents something "tangible." Each object is defined by a set of "attributes." An attribute is a quality that helps define the actual object. For example, a user object could have attributes of a username, actual name, and email address. Attributes for each kind of object are defined in the Active Directory. The attributes define the object itself and allow users to search for the particular object, as in Figure 1. Organizational Unit An organizational unit (OU) is like a file folder in a filing cabinet. The OU is designed to hold objects (or even other OUs). It contains attributes like an object, but has no functionality on its own. As with a file folder, its purpose is to hold other objects. As the name implies, an OU helps you "organize" your directory structure. For example, you could have an accounting OU that contains other OUs, such as Accounting Group A and Accounting Group B, and inside those OUs can reside objects that belong, such as users, groups, computers, printers, and so forth (Figure 2). OUs also serve as securities and administrative boundaries and can be used to replace domains in multiple Window NT domain networks.
Domain By definition, a domain is a logical grouping of users and computers. A domain typically resides in a localized geographic location, but this is not always the case. In reality, a domain is more than a logical grouping — it is actually a security boundary in a Windows 2000 or NT network. You can think of a network with multiple domains as being like a residential neighborhood. All of the homes make up the neighborhood, but each home is a security boundary that holds certain objects inside and keeps others out. The domain is the same (Figure 3). Each domain can have its own security policies and can establish trust relationships with other domains. The Active Directory is made up of one or more domains. Domains contain a schema, which is a set of object class instances. The schema determines how objects are defined with the Active Directory. The schema itself resides within the Active Directory and can be dynamically changed. You can learn more about the Active Directory schema in Chapter 18. Tree The hierarchy structure of the domain, organizational units, and objects is called a tree. The objects within the tree are referred to as endpoints, while the OUs in the tree structure are nodes. In terms of a physical tree, you can think of the branches as OUs or containers and the leaves as objects — an object is the natural endpoint of the node within the tree. Domain Trees A domain tree exists when several domains are linked by trust relationships and share a common schema, configuration, and global catalog. Trust relationships in Windows 2000 are based on the Kerberos security protocol. Kerberos trusts are transitive. In other words, if domain 1 trusts domain 2 and domain 2 trusts domain 3, then domain 1 trusts domain 3, shown in Figure 4. A domain tree also shares a contiguous namespace (Figure 5). A contiguous namespace follows the same naming DNS hierarchy within the domain tree. For example, if the root domain is smithfin.com and domain A and domain B exist in a domain tree, the contiguous namespace for the two would be domaina.smithfin.com and domainb.smithfin.com. If domain A resides in smithfindal.com and domain B
resides in the smithfin.com root, then the two would not share a contiguous name space. Forest A forest is one or more trees that do not share a contiguous name space. The trees in the forest do share a common schema, configuration, and global catalog, but the trees do not share a contiguous name space. All trees in the forest trust each other through Kerberos transitive trusts. In actuality, the forest does not have a distinct name, but the trees are viewed as a hierarchy of trust relationships. The tree at the top of the hierarchy normally refers to the tree. For example, corp.com, production.corp.com, and mgmt.corp.com form a forest with corp.com serving as the forest root. Site A site is not actually considered a part of the Active Directory hierarchy, but is configured in the Active Directory for replication purposes. A site is defined as a geographical location in a network containing Active Directory servers with a wellconnected TCP/IP subnet. Well-connected means that the network connection is highly reliable and fast to other subnets in the network. Administrators use the Active Directory to configure replication between sites. Users do not have to be aware of site configuration. As far as the Active Directory is concerned, users only see domains. ACTIVE DIRECTORY NAMES In the Active Directory, every object, such as, a user, a group, a computer, a printer, and so forth, has a unique name. There are four kinds of names assigned to each object. First, each object has a distinguished name (DN). The DN is unique from all other objects and contains the full information needed to retrieve the object. The DN contains the domain where the object resides and the path to the object. The DN is made up of these attributes (or qualities):
DomainComponentName (DC) OrganizationalUnitName (OU) CommonName (CN) For example if you wanted to access a document called "Production Flow" that resides in a particular domain, the DN might read: /DC=com/DC=mycompany/OU=prod/CN=documents/CN=Production Flow By using the DN, the Active Directory can begin at the top of the domain and work its way down to the actual folder or document. Next, the Active Directory uses the relative distinguished name (RDN). The RDN is the part of the DN that defines the actual object, called an attribute. This is the CN, or common name. Fortunately, all you need to know to search for objects are common names. You don't have to know or use the DN, and the DN itself is normally hidden from the users. Next, the Active Directory also uses the globally unique identifiers (GUID), which is a 128-bit number unique from all others. The GUID is assigned to an object when it is created in the Active Directory and it never changes. Finally, Active Directory objects can be identified by the user principal names (UPN), which is a short friendly name that looks like an email address, such as [email protected]
. The major point to remember is that the Active Directory provides the DN, RDN, GUID, and UPN for objects to ensure uniqueness, ease of location for LDAP queries, and ease of use for users. You will learn more about these names throughout the book. GLOBAL CATALOG The purpose of LDAP is to allow network users to search and find the objects in the Active Directory they want to use. For this to happen, the Active Directory domain controllers maintain a "global catalog."
The global catalog allows users and applications to find objects in the Active Directory by searching for a particular attribute(s). The global catalog holds a partial "replica" of the objects and their most common attributes. When a user performs a search operation to find a user (or other object), the global catalog is checked to find matches for that request. The global catalog looks for that attribute and returns matches to the user. Data in the global catalog is built and maintained through replication among domain controllers.
Active Directory is a highly scalable and extensible directory service that makes use of DNS as its naming scheme. The Active Directory natively uses LDAP to locate objects within the Active Directory so users can easily locate the information they need. The Active Directory structure is based on a hierarchy that contains objects, organizational units, domains, trees, and forests. The Active Directory also allows you to configure sites and manage site replication. The Active Directory assigns DN, RDN, GUID, and UPN names to ensure uniqueness and ease of location. All of this information is stored in a global catalog
Networking concepts, protocols and topologies
Network protocol Definition: A network protocol defines a "language" of rules and conventions for communication between network devices. A protocol includes formatting rules that specify how data is packaged into messages. It also may include conventions like message acknowledgement or data compression to support reliable and/or highperformance network communication. In networking, the communication language used by computer devices is called the protocol. Yet another way to classify computer networks is by the set of protocols they support. Networks often implement multiple protocols to support specific applications. Popular protocols include TCP/IP, the most common protocol found on the Internet and in home networks. Many protocols exist in computer networking ranging from the high level to the low level. The Internet Protocol family includes IP and all higher-level network protocols built on top of it, such as TCP, UDP, HTTP, and FTP. Modern operating systems include
services or daemons that implement support for a given network protocol. Some protocols, like TCP/IP, have also been implemented in silicon hardware for optimized performance. TCP IP Definition: Transmission Control Protocol (TCP) and Internet Protocol (IP) are two distinct network protocols, technically speaking. TCP and IP are so commonly used together, however, that TCP/IP has become standard terminology to refer to either or both of the protocols. IP corresponds to the Network layer (Layer 3) in the OSI model, whereas TCP corresponds to the Transport layer (Layer 4) in OSI. In other words, the term TCP/IP refers to network communications where the TCP transport is used to deliver data across IP networks. The average person on the Internet works in a predominately TCP/IP environment. Web browsers, for example, use TCP/IP to communicate with Web servers.
Bus, ring, star, and other types of network topology In networking, the term "topology" refers to the layout of connected devices on a network. This article introduces the standard topologies of computer networking. Topology in Network Design One can think of a topology as a network's virtual shape or structure. This shape does not necessarily correspond to the actual physical layout of the devices on the network. For example, the computers on a home LAN may be arranged in a circle in a family room, but it would be highly unlikely to find an actual ring topology there.
Network topologies are categorized into the following basic types: o o o o bus ring star tree
More complex networks can be built as hybrids of two or more of the above basic topologies. Bus Topology Bus networks (not to be confused with the system bus of a computer) use a common backbone to connect all devices. A single cable, the backbone functions as a shared communication medium that devices attach or tap into with an interface connector. A device wanting to communicate with another device on the network sends a broadcast message onto the wire that all other devices see, but only the intended recipient actually accepts and processes the message. Ethernet bus topologies are relatively easy to install and don't require much cabling compared to the alternatives. 10Base-2 ("ThinNet") and 10Base-5 ("ThickNet") both were popular Ethernet cabling options many years ago for bus topologies. However, bus networks work best with a limited number of devices. If more than a few dozen computers are added to a network bus, performance problems will likely result. In addition, if the backbone cable fails, the entire network effectively becomes unusable. Ring Topology In a ring network, every device has exactly two neighbors for communication purposes. All messages travel through a ring in the same direction (either "clockwise" or "counterclockwise"). A failure in any cable or device breaks the loop and can take down the entire network. To implement a ring network, one typically uses FDDI, SONET, or Token Ring technology. Ring topologies are found in some office buildings or school campuses. Star Topology Many home networks use the star topology. A star network features a central connection point called a "hub" that may be a hub, switch or router. Devices typically connect to the hub with Unshielded Twisted Pair (UTP) Ethernet. Compared to the bus topology, a star network generally requires more cable, but a failure in any star network cable will only take down one computer's network access and not the entire LAN. (If the hub fails, however, the entire network also fails.)
Tree Topology Tree topologies integrate multiple star topologies together onto a bus. In its simplest form, only hub devices connect directly to the tree bus, and each hub functions as the "root" of a tree of devices. This bus/star hybrid approach supports future expandability of the network much better than a bus (limited in the number of devices due to the broadcast traffic it generates) or a star (limited by the number of hub connection points) alone. Mesh Topology Mesh topologies involve the concept of routes. Unlike each of the previous topologies, messages sent on a mesh network can take any of several possible paths from source to destination. (Recall that even in a ring, although two cable paths exist, messages can only travel in one direction.) Some WANs, most notably the Internet, employ mesh routing. A mesh network in which every device connects to every other is called a full mesh. As shown in the illustration below, partial mesh networks also exist in which some devices connect only indirectly to others. Summary Topologies remain an important part of network design theory. You can probably build a home or small business network without understanding the difference between a bus design and a star design, but understanding the concepts behind these gives you a deeper understanding of important elements like hubs, broadcasts, and routes.
The standard model for networking protocols and distributed applications is the International Standard Organization's Open System Interconnect (ISO/OSI) model. It defines seven network layers. Short for Open System Interconnection, an ISO standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding to the bottom layer, over the channel to the next station and back up the hierarchy.
At one time, most vendors agreed to support OSI in one form or another, but OSI was too loosely defined and proprietary standards were too entrenched. Except for the OSI-compliant X.400 and X.500 e-mail and directory standards, which are widely used, what was once thought to become the universal communications standard now serves as the teaching model for all other protocols. Control is passed from one layer to the next, starting at the application layer in one station, proceeding to the bottom layer, over the channel to the next station and back up the hierarchy. Layer 1 - Physical Physical layer defines the cable or physical medium itself, e.g., thinnet, thicknet, unshielded twisted pairs (UTP). All media are functionally equivalent. The main difference is in convenience and cost of installation and maintenance. Converters from one media to another operate at this level. Layer 2 - Data Link Data Link layer defines the format of data on the network. A network data frame, aka packet, includes checksum, source and destination address, and data. The largest packet that can be sent through a data link layer defines the Maximum Transmission Unit (MTU). The data link layer handles the physical and logical connections to the packet's destination, using a network interface. A host connected to an Ethernet would have an Ethernet interface to handle connections to the outside world, and a loopback interface to send packets to itself. Ethernet addresses a host using a unique, 48-bit address called its Ethernet address or Media Access Control (MAC) address. MAC addresses are usually represented as six colon-separated pairs of hex digits, e.g., 8:0:20:11:ac:85. This number is unique and is associated with a particular Ethernet device. Hosts with multiple network interfaces should use the same MAC address on each. The data link layer's protocolspecific header specifies the MAC address of the packet's source and destination. When a packet is sent to all hosts (broadcast), a special MAC address (ff:ff:ff:ff:ff:ff) is used.
Layer 3 - Network NFS uses Internetwork Protocol (IP) as its network layer interface. IP is responsible for routing, directing datagrams from one network to another. The network layer may have to break large datagrams, larger than MTU, into smaller packets and host receiving the packet will have to reassemble the fragmented datagram. The Internetwork Protocol identifies each host with a 32-bit IP address. IP addresses are written as four dot-separated decimal numbers between 0 and 255, e.g., 184.108.40.206. The leading 1-3 bytes of the IP identify the network and the remaining bytes identifies the host on that network. The network portion of the IP is assigned by InterNIC Registration Services, under the contract to the National Science Foundation, and the host portion of the IP is assigned by the local network administrators. For large sites, the first two bytes represents the network portion of the IP, and the third and fourth bytes identify the subnet and host respectively. Even though IP packets are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another. The Address Resolution Protocol (ARP) is used to map the IP address to it hardware address. Layer 4 - Transport Transport layer subdivides user-buffer into network-buffer sized datagrams and enforces desired transmission control. Two transport protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), sits at the transport layer. Reliability and speed are the primary difference between these two protocols. TCP establishes connections between two hosts on the network through 'sockets' which are determined by the IP address and port number. TCP keeps track of the packet delivery order and the packets that must be resent. Maintaining this information for each connection makes TCP a stateful protocol. UDP on the other hand provides a low overhead transmission service, but with less error checking. NFS is built on top of UDP because of its speed and statelessness. Statelessness simplifies the crash recovery. Layer 5 - Session The session protocol defines the format of the data sent over the connections. The NFS uses the Remote Procedure Call (RPC) for its session protocol. RPC may be built on either TCP or UDP. Login sessions uses TCP whereas NFS and broadcast use UDP.
Layer 6 - Presentation External Data Representation (XDR) sits at the presentation level. It converts local representation of data to its canonical form and vice versa. The canonical uses a standard byte ordering and structure packing convention, independent of the host. Layer 7 - Application Provides network services to the end-users. Mail, ftp, telnet, DNS, NIS, NFS are examples of network applications. OSI Model Reference Table
Layer Application User Interface
FTP; TFTP; Gateway Used for applications DNS; specifically written to run BOOTP; SNMP;RLOGIN; over the network Allows access to network SMTP; MIME; NFS; TELNET; services that support FINGER; NCP; APPC; AFP; applications; Directly represents the SMB services that directly support user applications Handles network access, flow control and error recovery Example apps are file transfer,e-mail, NetBIOSbased applications
Translates from application to network format and vice-versa All different formats from all sources are made into a common uniform format that the rest of the OSI model can understand Responsible for protocol conversion, character conversion,data encryption / decryption, expanding graphics commands, data compression Sets standards for
different systems to provide seamless communication from multiple protocol stacks Not always implemented in a network protocol Session Syncs and Sessions Establishes, maintains NetBIOS and ends sessions across the network Names Pipes Responsible for name recognition (identification) Mail Slots so only the designated parties can participate in RPC the session Provides synchronization services by planning check points in the data stream => if session fails, only data after the most recent checkpoint need be transmitted Manages who can transmit data at a certain time and for how long Examples are interactive login and file transfer connections, the session would connect and reconnect if there was an interruption; recognize names in sessions and register names in history Transport Packets; Flow control & Errorhandling Additional connection TCP, ARP, RARP; below the session layer Manages the flow control SPX of data between parties across the network NWLink Divides streams of data into chunks or packets; NetBIOS / NetBEUI the transport layer of the receiving computer ATP reassembles the message from packets A train is a good analogy => the data is divided into identical units Provides error-checking to guarantee error-free data delivery, with on losses or duplications Provides acknowledgment Gateway Advanced Cable Tester Brouter Gateway
of successful transmissions; requests retransmission if some packets don’t arrive errorfree Provides flow control and error-handling Network Addressing; Routing Translates logical network IP; ARP; RARP, ICMP; Brouter address and names to RIP; OSFP; their physical address Router (e.g. computername ==> IGMP; MAC address) Frame Relay Responsible for IPX Device o addressing o determining routes NWLink ATM Switch for sending o managing network NetBEUI Advanced Cable problems such as Tester packet switching, OSI data congestion and routing If router can’t send data DDP frame as large as the source computer sends, DECnet the network layer compensates by breaking the data into smaller units. At the receiving end, the network layer reassembles the data Think of this layer stamping the addresses on each train car
Data Link Data frames to bits
Turns packets into raw Logical Link Control Bridge bits 100101 and at the receiving end turns bits Switch error into packets. correction and Handles data frames flow control ISDN Router between the Network and manages link Physical layers control and Intelligent Hub The receiving end defines SAPs packages raw data from NIC the Physical layer into 802.1 OSI Model data frames for delivery Advanced Cable to the Network layer 802.2 Logical Link Tester Responsible for error-free Control transfer of frames to other computer via the Media Access Control Physical Layer communicates with the This layer defines the adapter card methods used to transmit controls the and receive data on the type of media network. It consists of the being used: wiring, the devices use to connect the NIC to the wiring, the signaling 802.3 CSMA/CD involved to transmit / (Ethernet) receive data and the ability to detect signaling 802.4 Token Bus errors on the network (ARCnet) media 802.5 Token Ring 802.12 Priority Demand Repeater Multiplexer Hubs Passive Active TDR Oscilloscope Amplifier
Physical Hardware; Raw bit stream
Transmits raw bit stream IEEE 802 over physical cable Defines cables, cards, and IEEE 802.2 physical aspects Defines NIC attachments ISO 2110 to hardware, how cable is attached to NIC ISDN Defines transfer cable techniques bit stream to to