There are several new concepts introduced with Active Directory. It is important that you understand their meaning as applied to Active Directory.
The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the type of information about those objects that can be stored in Active Directory, as shown earlier in Figure 5.8.
The schema contains two types of definition objects: schema class objects and schema attribute objects. Class objects and attribute objects are defined in separate lists within the schema (see Figure 5.13). Schema class and attribute objects are also referred to as schema objects.
Schema class objects describe the possible Active Directory objects that can be created. Each schema class is a collection of schema attribute objects. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it can have, and what object class can be a parent of the current object class. Every object in Active Directory is an instance of a schema class object.
Schema attribute objects define the schema class objects with which they are associated. Each schema attribute is defined only once and can be used in multiple schema classes. Because the schema definitions are themselves stored as objects in Active Directory, they can be administered in the same manner as the rest of the objects in Active Directory.
Installing Active Directory on the first domain controller in a network creates a default schema that contains a set of basic schema class attributes. The default schema also contains definitions of objects and properties that Active Directory uses internally to function.
The Active Directory schema is extensible, which means that you can define new directory object types and attributes and new attributes for existing objects. You can extend the schema by using the Schema Manager snap-in or the Active Directory Service Interfaces (ADSI). Only experienced developers or network administrators should dynamically extend the schema by defining new classes and attributes for existing classes.
The schema is implemented and stored within Active Directory itself (in the Global Catalog), and it can be updated dynamically. As a result, an application can extend the schema with new attributes and classes and use the extensions immediately.
Active Directory allows users and administrators to find objects (such as files, printers, or users) in their own domain. However, finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity. A catalog service contains selected information about every object in all domains in the directory, which is useful in performing searches across an enterprise. The catalog service provided by Active Directory services is called the Global Catalog.
The Global Catalog is the central repository of information about objects in a tree or forest, as shown in Figure 5.14. By default, a Global Catalog is created automatically on the first domain controller in the first domain in the forest, and the domain controller containing the Global Catalog is known as the Global Catalog server. Using Active Directory service's multimaster replication, the Global Catalog information is replicated between Global Catalog servers in other domains.
By default, the attributes stored in the Global Catalog are those most frequently used in search operations (such as a user's first and last names, logon name, and so forth) and those necessary to locate a full replica of the object. As a result, you can use the Global Catalog to locate objects anywhere in the network without replication of all domain information between domain controllers.
You can designate additional domain controllers as Global Catalog servers using the Sites and Servers Management snap-in. When considering which domain controllers to designate as Global Catalog servers, base your decision on the ability of your network structure to handle replication and query traffic. The more Global Catalog servers you have, the greater the replication traffic is. However, the availability of additional servers can provide quicker responses to user inquiries. Every major site in your enterprise should have a Global Catalog server.
Active Directory, like all directory services, is primarily a namespace. A namespace is any bounded area in which a name can be resolved. Name resolution is the process of translating a name into some object or information that the name represents. The Active Directory namespace is based on the DNS naming scheme, which allows for interoperability with Internet technologies. An example namespace is shown in Figure 5.15.
Using a common namespace allows you to unify and manage multiple hardware and software environments in your network. There are two types of namespaces:
Every object in Active Directory is identified by a name. Active Directory uses a variety of naming conventions: distinguished names, relative distinguished names, globally unique identifiers, and user principal names.
Every object in Active Directory has a distinguished name (DN), which uniquely identifies an object and contains sufficient information for a client to retrieve the object from the directory. The DN includes the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object.
For example, the following DN identifies the Firstname Lastname user object in the microsoft.com domain (where Firstname and Lastname represent the actual first and last names of a user account):
Table 5.4 describes the attributes in the example.
Table 5.4??Distinguished Name Attributes
DNs must be unique, because Active Directory does not allow duplicate DNs.
Active Directory supports querying by attributes, so you can locate an object even if the exact DN is unknown or has changed. The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. In the preceding example, the RDN of the Firstname Lastname user object is Firstname Lastname. The RDN of the parent object is Users.
You can have duplicate RDNs for Active Directory objects, but you cannot have two objects with the same RDN in the same OU. For example, if a user account is named Jane Doe, you cannot have another user account called Jane Doe in the same OU. However, objects with duplicate RDNs can exist in separate OUs because they have different DNs (see Figure 5.16).
A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique. GUIDs are assigned to objects when they are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use it to retrieve that object regardless of its current DN.
User accounts have a "friendly" name, the user principal name (UPN). The UPN is composed of a "shorthand" name for the user account and the DNS name of the tree where the user account object resides. For example, user Firstname Lastname (substitute the first and last names of an actual user) in the microsoft.com tree might have a UPN of FirstnameL@microsoft.com (using the full first name and the first letter of the last name).
Here are some questions to help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next chapter. The answers are in Appendix A, "Questions and Answers."