
Microsoft Windows Server 2008


Resolving the IP Address

The most basic of all DNS services provide the ability for a client system to send a query to the DNS server, asking it to return the IP address of a host system. This type of resolution is referred to as forward name resolution. DNS provides this functionality by hosting resource records that specify the IP address for each of the host systems within the DNS namespace. The namespace is referred to within the DNS server as the zone. For instance, if your DNS namespace is zygort.lcl, and you have a server named APFS01 with an IP address of 192.168.29.75, your zone name would be zygort.lcl and the server would have a resource record that tied the name APFS01 to IP address 192.168.29.75. When a client sent a query to the DNS server looking for APFS01.zygort.lcl, the DNS server would reply to the query with a response containing the IP address.

This is the most fundamental purpose of DNS, and probably the most utilized function—finding an IP address when a client sends a query. There is another resolution type known as reverse name resolution. Reverse name resolution allows a client to query for a host name when it knows the IP address of the system in question. This works in much the same way as the caller ID system on your telephone. When you receive a phone call, the phone number corresponds to a “friendly” name that you may recognize. Since it is much easier to remember names than long numbers, this makes it much easier for you to determine exactly who is calling. If a name is not associated with the phone number, then only the phone number will appear. There are several programs and utilities that use reverse name resolution, and you may find it beneficial to make sure you have the correct information included within the zone.

DNS servers will resolve queries within the zones that are configured on them. You can have more than one zone on a server, and the server will accept and respond to queries for records in those zones. When a client sends a query for a zone that is not hosted on the DNS server, the DNS server has to perform additional tasks to respond correctly to the client. The DNS server will search all the way to the top of the DNS hierarchy, known as the root, for help. These root DNS servers are listed within the Root Hints tab of the DNS server’s properties page. The DNS server will send a query of its own to one of these root servers, asking for resolution. The root servers will refer the DNS server to the appropriate TLD DNS server. The DNS server will then query the TLD DNS server for assistance. The TLD server will refer the DNS server to the appropriate second-level domain DNS server. This process will continue until a DNS server with the resource record resolves the request, either with a successful lookup or a failed one.

There are problems that can be encountered with the typical DNS resolution methods. First off, not every namespace is accessible from the Internet. Our zygort.lcl is a prime example of that. If you were to perform a lookup on a server name within that namespace using conventional DNS methods, the lookup would fail. There needs to be another method of resolving the DNS queries for these zones. The other problem lies with companies that do not want their DNS servers to query outside of their organization. Because DNS servers look to the root of the Internet as the de facto starting point for name resolution, in this case you need a way to keep them from doing so. New options have been introduced to address these issues.

Windows 2000 DNS servers introduced forwarders to the Microsoft DNS world. Using forwarders, you can specify another DNS server that will attempt to resolve queries when the local DNS server cannot. By default, a DNS server will use the DNS servers that are configured within the Root Hints tab of the DNS server’s properties page. If your DNS server cannot reach the root servers, or if you want to control which servers perform the iterative queries from your organization, you can enter the server’s IP address within the Forwarders tab on the properties sheet for the DNS server. Once configured, the queries that cannot be resolved by the DNS server will be sent to the first DNS server listed in the Forwarders tab. Sometimes when you define a forwarder, the DNS server identified as the forwarder will have to take on the task of resolving all the queries outside of the DNS server’s zones. This can be a considerable amount of traffic. Another problem occurs when the forwarder does not have the ability to query for certain zones. Windows Server 2003 introduced another method of forwarding: conditional forwarding. Using conditional forwarding, you can specify a DNS server that will be used to resolve queries based on the domain name in question. For example, if a user needs to resolve an address for zygort.local and a conditional forwarder is created for the zygort.local domain, the DNS server will send a recursive query to the server specified within the forwarder setting.

For more information on conditional forwarding, see the TechNet article 304991 at
http://support.microsoft.com/default.aspx?kbid=304491&product=winsvr2003.

Another item to note: if a DNS server is configured as the root server for the organization, you cannot configure it to forward requests to another DNS server. If you need such a DNS server to forward requests to another DNS server, simply delete the root zone from the DNS server, which is specified by the dot (.). In the case of a Windows 2003 or Windows 2008 server, the root zone is designated by .(root). Once the root zone is deleted, you can enter external root servers into the root hints and configure forwarders. This “root zone” behavior does not occur within a Windows Server 2008 DNS server when you promote the first domain controller. This doesn’t mean that you need to let Dcpromo install the DNS service; you could configure the DNS zone first and then promote the domain controller. Doing so will allow you to configure the zone the way you want and then allow the domain controller to register. There are other considerations to take into account if you create the zone first when promoting the first domain controller for your forest, and we will discuss those options later in the chapter. First and foremost, if you create the zone manually, make sure that you configure the zone for dynamic updates; otherwise you will receive an error message stating the domain is not configured.
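As an added illustration (not code from the book), here is a small Python model of the lookup order just described: a hosted zone answers directly, otherwise a conditional forwarder matching the queried domain is used, otherwise the general forwarder, otherwise an iterative walk from the root hints. Server names, the partner.lcl and example.com zones, and every IP address except APFS01's are constructed; the model also shows why a server that still hosts the .(root) zone never forwards.

```python
from dataclasses import dataclass, field
from typing import Optional


def _in_zone(fqdn: str, zone: str) -> bool:
    """True if fqdn lies inside zone; the root zone '.' contains every name."""
    return zone == "." or fqdn == zone or fqdn.endswith("." + zone)


def _longest_match(fqdn: str, names) -> Optional[str]:
    """Most specific zone or domain name that contains fqdn, or None."""
    hits = [n for n in names if _in_zone(fqdn, n)]
    return max(hits, key=len) if hits else None


@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)        # zone -> {fqdn: ip} (A records)
    delegations: dict = field(default_factory=dict)  # child zone -> DnsServer (NS referral)
    conditional_forwarders: dict = field(default_factory=dict)  # domain -> DnsServer
    forwarder: Optional["DnsServer"] = None          # first entry of the Forwarders tab
    root_hints: list = field(default_factory=list)   # servers from the Root Hints tab

    def query(self, fqdn: str):
        """One iterative (non-recursive) query against this server's own data.
        Returns ('answer', ip), ('nxdomain', None), ('referral', DnsServer),
        or ('refused', None) when the name is in none of the hosted zones."""
        zone = _longest_match(fqdn, self.zones)
        if zone is None:
            return "refused", None
        child = _longest_match(fqdn, self.delegations)
        if child is not None:
            return "referral", self.delegations[child]
        ip = self.zones[zone].get(fqdn)
        return ("answer", ip) if ip else ("nxdomain", None)

    def resolve(self, fqdn: str, path: Optional[list] = None):
        """A client's recursive query to this server. Returns (ip or None,
        list of servers consulted in order)."""
        fqdn = fqdn.lower()
        path = [] if path is None else path
        path.append(self.name)
        kind, value = self.query(fqdn)
        if kind != "refused":
            # The name is in a hosted zone, so the server answers from it. A server
            # hosting the root zone '.' lands here for *every* name, which is why the
            # text says such a server cannot forward: it never gets past this point.
            return (value if kind == "answer" else None), path
        domain = _longest_match(fqdn, self.conditional_forwarders)
        if domain is not None:                  # conditional forwarder, chosen by domain name
            return self.conditional_forwarders[domain].resolve(fqdn, path)
        if self.forwarder is not None:          # general forwarder does the recursion for us
            return self.forwarder.resolve(fqdn, path)
        if not self.root_hints:
            return None, path
        server = self.root_hints[0]             # iterate: root -> TLD -> ... -> authoritative
        while True:
            path.append(server.name)
            kind, value = server.query(fqdn)
            if kind == "referral":
                server = value
                continue
            return (value if kind == "answer" else None), path


# Constructed sample topology (documentation IP ranges). Only zygort.lcl, APFS01 and
# 192.168.29.75 come from the text.
NS_EXAMPLE = DnsServer("ns.example.com", zones={"example.com": {"www.example.com": "198.51.100.20"}})
TLD_COM = DnsServer("tld-com", zones={"com": {}}, delegations={"example.com": NS_EXAMPLE})
ROOT = DnsServer("root", zones={".": {}}, delegations={"com": TLD_COM})
PARTNER = DnsServer("partner-dns", zones={"partner.lcl": {"portal.partner.lcl": "10.9.8.7"}})
ISP = DnsServer("isp-resolver", root_hints=[ROOT])   # a forwarder that recurses on our behalf


def build_internal(forwarder: Optional[DnsServer] = None, hosts_root_zone: bool = False) -> DnsServer:
    """The organization's server from the text: hosts zygort.lcl with APFS01, uses a
    conditional forwarder for partner.lcl, and optionally still hosts the '.(root)' zone."""
    zones = {"zygort.lcl": {"apfs01.zygort.lcl": "192.168.29.75"}}
    if hosts_root_zone:
        zones["."] = {}
    return DnsServer("dns01", zones=zones, conditional_forwarders={"partner.lcl": PARTNER},
                     forwarder=forwarder, root_hints=[ROOT])


if __name__ == "__main__":
    for label, srv in (("default", build_internal()), ("with forwarder", build_internal(ISP)),
                       ("still hosting root zone", build_internal(hosts_root_zone=True))):
        for name in ("APFS01.zygort.lcl", "portal.partner.lcl", "www.example.com"):
            print(f"{label:24} {name:20} -> {srv.resolve(name)}")
```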

Source of Information : Sybex Mastering Active Directory for Windows Server 2008

Written by magakos on November 16th, 2009 with no comments.

How DNS and AD DS are Tied Together

When implementing Active Directory within your environment, DNS is required. Active Directory cannot exist without it. The two entities are like trains and railroad tracks. The train’s engines are mighty, powerful machines that can pull thousands of tons of equipment, but without the tracks, they cannot move. If the tracks are not aligned correctly, the train may derail. If the tracks are not switched in the right direction, the train will not arrive at the correct destination.

If you haven’t immersed yourself in the finer details of DNS, now is the time. If you think you understand how DNS works, you should still review all of the new options that have been added to the DNS service in Windows Server 2003 (including R2) and Windows Server 2008. Where Windows 2000 added some fancy new features into the Microsoft DNS world (such as support for dynamic updates and service locator [SRV] records), Windows Server 2003 upped the ante even more with support for stub zones and the ability to use application directory partitions for Active Directory–integrated zones.

As we mentioned previously, you are not required to use Microsoft’s implementation of DNS; UNIX BIND (Berkeley Internet Name Domain) DNS will work just fine as long as it meets certain criteria. As a matter of fact, several companies are already invested deeply in a BIND DNS solution and are not about to completely restructure with a new DNS implementation. As the old saying goes, don’t fix what isn’t broken. We will look at using BIND within your.

Looking at the correlation between your Active Directory and DNS, you will find the two share the same zone-naming conventions. If your Active Directory domain name is zygort.lcl, the DNS namespace will also be zygort.lcl. Notice that the top-level domain (TLD) name for DNS, in this case lcl, does not have an equivalent domain within Active Directory. That is because, for most companies, the top-level domain is not unique and is not owned by the company. Take for instance a company that is using widgets.com as its Active Directory namespace. The TLD used in this case (com) is owned by the Internet Corporation for Assigned Names and Numbers (ICANN) and is shared by hundreds of thousands of Internet-based websites. When designing Active Directory, the designers decided to make sure that the root of the Active Directory forest could be unique; they required the domain names to take on two domain components: the company’s DNS domain and the TLD that it resides under.

As a domain controller comes online, part of its startup routine is to attempt registration of the SRV records that identify the services that are running on the domain controller. The only requirement for a DNS server to work with Active Directory is that the DNS server support SRV records. It does not matter to Active Directory clients if the records are entered manually by an administrator or automatically by the domain controller itself; all that matters is that the records are correct. If the SRV records are not listed within the zone or are entered incorrectly, the client will not be able to locate the domain controller. If the SRV records are correctly listed within the DNS zone, the host name of the server that is providing the service is returned to the client. The client will then query the DNS server for the A record (hostname record) of the domain controller to resolve the IP address.
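An added example (not from the book) of the client-side steps just described, an SRV query followed by an A query, together with the check an administrator can run over exported zone data to find SRV records a domain controller failed to register or that name a host with no A record. The zone contents are constructed; dc02 and dc03 are hypothetical hosts.

```python
# SRV names a domain controller registers at startup (a subset; the _msdcs names
# are the ones clients use to locate domain controllers).
REQUIRED_SRV = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{domain}",
    "_kerberos._tcp.{domain}",
)

# Constructed zone export for zygort.lcl. APFS01 / 192.168.29.75 are the book's
# values; dc02 and dc03 are hypothetical. SRV data is (priority, weight, port, target).
ZONE = {
    "A": {
        "apfs01.zygort.lcl": "192.168.29.75",
        "dc02.zygort.lcl": "192.168.29.76",
    },
    "SRV": {
        "_ldap._tcp.dc._msdcs.zygort.lcl": [
            (0, 100, 389, "apfs01.zygort.lcl"),
            (0, 100, 389, "dc02.zygort.lcl"),
            (0, 100, 389, "dc03.zygort.lcl"),   # stale: dc03 has no A record
        ],
        "_kerberos._tcp.dc._msdcs.zygort.lcl": [
            (0, 100, 88, "apfs01.zygort.lcl"),  # dc02 never registered this one
        ],
        "_ldap._tcp.zygort.lcl": [
            (0, 100, 389, "apfs01.zygort.lcl"),
            (0, 100, 389, "dc02.zygort.lcl"),
        ],
    },
}


def locate_dc(zone, domain, service="_ldap"):
    """Client side of the text: SRV query for the service, then an A query for the
    host the SRV record names. Records are tried by priority (lowest first) and
    weight (highest first; the real locator picks randomly in proportion to weight).
    Returns (hostname, ip, port) of the first DC that resolves, or None."""
    name = f"{service}._tcp.dc._msdcs.{domain}".lower()
    records = sorted(zone["SRV"].get(name, []), key=lambda r: (r[0], -r[1]))
    for _priority, _weight, port, target in records:
        ip = zone["A"].get(target.lower())
        if ip:                      # skip SRV targets whose A record is missing
            return target, ip, port
    return None


def check_dc_records(zone, domain, domain_controllers):
    """Administrator side: report SRV records a DC failed to register, and SRV
    records that name a host with no A record (the 'entered incorrectly' case)."""
    problems = []
    a_records = {h.lower() for h in zone["A"]}
    for template in REQUIRED_SRV:
        name = template.format(domain=domain).lower()
        records = zone["SRV"].get(name, [])
        targets = {r[3].lower() for r in records}
        for dc in domain_controllers:
            if dc.lower() not in targets:
                problems.append(f"missing: {name} has no record for {dc}")
        for _p, _w, _port, target in records:
            if target.lower() not in a_records:
                problems.append(f"dangling: {name} -> {target} has no A record")
    return problems


if __name__ == "__main__":
    print("client finds:", locate_dc(ZONE, "zygort.lcl"))
    for line in check_dc_records(ZONE, "zygort.lcl", ["apfs01.zygort.lcl", "dc02.zygort.lcl"]):
        print(line)
```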

Source of Information : Sybex Mastering Active Directory for Windows Server 2008

Written by magakos on November 11th, 2009 with no comments.

Active Directory Services

Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) allows administrators to create small versions of Active Directory that run as non–operating system services. Because AD LDS does not run as an operating system service, it does not require deployment on a domain controller. Any workstation or server can host an instance, or multiple instances, of AD LDS. Instead of building a domain controller so that developers have an Active Directory database to work with, you could create an instance of AD LDS on their workstations for them to test against. You could also use it as a repository for data used by a customer-relations management program or an address book directory. If you need a directory to hold data instead of a database, you may want to consider using AD LDS.

One of the biggest benefits of using AD LDS is on the administrative side. Because AD LDS is a lightweight version of Active Directory, anyone familiar with how to manage objects within Active Directory should be at ease when working with objects in AD LDS. And as in Active Directory, you can control your replication scope and the systems with which you replicate objects. If you have three systems that need to host the directory, you can specify that the AD LDS partitions be hosted on those systems. Until the release of Exchange 2007, developers were more interested in AD LDS than were most administrators. For developers, the possibilities provided by AD LDS are limited only by imagination. If an application’s primary use of data is reading that data and performing queries against it rather than making mass changes, AD LDS should fit the bill.

Exchange 2007 introduced a new Exchange server role, the Edge Transport role. An Edge Transport server is not a member of your Active Directory domain and usually sits in your demilitarized zone (DMZ). Among other functions of the Edge Transport role, you can configure AD LDS in the DMZ to help facilitate the Active Directory account lookups.


Active Directory Federation Services
Many organizations are partnering with businesses to efficiently deliver products and services. As businesses form these alliances, there needs to be a secure method of authenticating users from the partners’ organizations. Part of the challenge to allowing authentication into your network is the security needed to maintain the connection between partners while keeping hostile entities at bay. In the past, this was possible with several tools and utilities, none of which appeared to work well with each other.
Active Directory Federation Services (AD FS) extends Active Directory to the Internet while guaranteeing the authenticity of the accounts attempting to authenticate. Using this technology will not only enable organizations to work with partner organizations more efficiently; it will also allow interoperability with a wide range of applications and platforms, such as Netegrity, Oblix, and RSA, as well as leverage client systems that can utilize Simple Object Access Protocol (SOAP)–based command sets. When using AD FS, an organization can allow users that exist within separate forests, as well as among partner organizations, to have access to the organization’s web applications and use a single sign-on. AD FS is based on the Web Services (WS-*) architecture that is being developed with the cooperation of several companies, including IBM and Microsoft.


Active Directory Rights Management Services
Microsoft released Windows Rights Management Services (RMS) a few years ago. Windows Server 2008 introduces a pretty significant update to this product and has changed the name to Active Directory Rights Management Services (AD RMS).


Active Directory Certificate Services
The Active Directory Certificate Services (AD CS) allow you to create and manage certificates used in environments that employ public-key technologies. AD CS allows you to associate the identity of a person, device, or service to a private key.

AD CS is not a new technology, but it is new to the Active Directory family. One of the biggest changes is the addition of Cryptography API: Next Generation (CNG). CNG allows administrators to use custom algorithms with Active Directory, with Secure Sockets Layer (SSL), and with Internet Protocol Security (IPSec). This is accomplished by using the U.S. government’s Suite B cryptographic algorithms. Enhancements such as Online Certificate Status Protocol support, Network Device Enrollment Service, web enrollment, restricted enrollment agent.

Source of Information : Sybex Mastering Active Directory for Windows Server 2008

Written by magakos on November 10th, 2009 with no comments.

Active Directory - What’s in a Name?

With the release of Windows Server 2008 and the inclusion of several enhancements to AD, Microsoft has decided to realign all of its “identity” technologies under the Active Directory umbrella. Some items have simply been renamed; other technologies have been moved into the Active Directory Family. With all of these changes, and in typical Microsoft fashion, there are some new names to get familiar with. (These new technologies are discussed in subsequent subsections.)

• The Active Directory that we’ve all grown to know and love is now known as Active Directory Domain Services (AD DS). AD DS stores all information about resources on the network, such as users, computers, and other devices.

• Active Directory Lightweight Directory Services (AD LDS) is the latest version of Active Directory Application Mode (ADAM).

• Active Directory Federation Services (AD FS) provides Web single sign-on (SSO) technologies to authenticate users to multiple web applications in a single session.

• Active Directory Rights Management Services (AD RMS) is an information-protection technology that works with RMS-enabled applications to protect and secure information from unauthorized use online and offline, inside and outside of the environment.

• Active Directory Certificate Services (AD CS) allows the mapping of users and resources to a private key to help secure identity in a Public Key Infrastructure (PKI) based environment.


Along with renaming and restructuring these technologies, Microsoft (MS) also updated all of the existing Active Directory technologies. Following are some of the major updates to Active Directory:

• Read-only domain controllers (RODCs) allow organizations to easily deploy a domain controller in locations where physical security cannot be guaranteed.

• Windows Server Core has introduced a new edition of Windows Server titled “Server Core”. Server Core is a Windows 2008 server that is command line–driven and does not possess a GUI.

Source of Information : Sybex Mastering Active Directory for Windows Server 2008

Written by magakos on November 9th, 2009 with no comments.

The Basics of Active Directory

When you break it down, Active Directory is a type of database, but one built as a “directory.” The difference between a relational database and a directory is that the former is optimized for updating, while the latter is optimized for reading. In this manner, Active Directory was developed with the understanding that the objects contained within the directory would not be changing often, but would be used by users, computers, and administrators to control, manage, and discover the organization’s resources.

One of Active Directory's most basic functions is that it provides a centralized repository for user account information. When an administrator creates a user account, the account information is held on a domain controller within the domain in which the user resides. All of the domain controllers within the domain will receive an identical copy of the user account so that the user is able to authenticate using any domain controller in the domain.

Any changes to the user account are made on one of the domain controllers and then sent to every other domain controller within the domain. This transfer of data is called replication. Replication of information can be a burden on the network, especially in environments with several thousand users, groups, computers, and other objects. To alleviate the replication burden on the network, Active Directory replicates only the attributes that have been changed, and not the entire object.

To get a good understanding of how Active Directory works, you must first understand what the schema is and the role it plays in the directory service. The following section will outline the major roles of the schema.


Schema
The schema (i.e., a structured framework or plan) acts as the building blocks of Active Directory, much like DNA molecules are the building blocks for our bodies. Just as our DNA holds all of the information necessary to build our leg, ears, hair, ear hair, etc., the schema holds all of the information needed to create users, groups, computers, and so on within Active Directory. The schema defines how each attribute can be used and the properties associated with the attribute. Take, for instance, a child’s toy that we have grown up with: LEGOs. When you first take a look at LEGO bricks, you see hundreds of tiny pieces that really don’t seem to represent anything. Some are short, some are long, and some are special shapes. These are the individual pieces, or building blocks, that will go into creating the buildings, cars, airplanes, and dioramas.

The Active Directory schema is pretty much the same thing. If you look within the Active Directory Schema snap-in you will see hundreds of entries that are used when creating objects within Active Directory. As you expand the Active Directory Schema section of the tool, you will see the window that contains classes and attributes. The entries known as attributes allow you to create new objects or modify existing objects within your directory. To add the Active Directory Schema snap-in to a Microsoft Management Console (MMC), you will first need to register the dynamic link library. To do so, open the Run line or use a command prompt on the domain controller and type in regsvr32 schmmgmt.dll.


Attributes
To standardize Active Directory, the schema defines the attributes that can be used when creating objects. Unlike our LEGO bricks, however, these attributes are defined only once and can be used for any object. Defining the attribute once and using it for multiple objects allows for a standardized approach of defining objects, especially when searching for the attribute. Take the name attribute, for example; whenever an object uses the Name attribute you know that the name has to be at least one character in length and cannot exceed 255 characters. You would know this because of the syntax and rules that are applied to the attribute. There is a lot of information within this page, but right now we are interested only in the Syntax and Range area. Notice that the attribute is a Unicode string that has to be at least one character in length and cannot exceed 255 characters. Each attribute within the schema is defined in such a manner, although the syntax for each of the attributes could be different.

Bad-Pwd-Count is another attribute that makes up a user object. Notice that its X.500 Object Identifier (OID) is different from that of the name attribute.

Each attribute within the schema has to have a unique OID. These are registered and maintained by the Internet Assigned Numbers Authority (IANA). Once assigned, the OID should not be used by any other attribute. Within Active Directory, the default attributes are already assigned OIDs, and those OIDs are protected in a way that will not allow another application to overwrite them. New attributes will need to be assigned an OID. If you are adding an attribute for use in an object, you should register it with the IANA to safeguard the attribute and to make sure that it does not step on any other attributes. Registration is free, and as long as your OID is unique, you should be issued an OID for your attribute. The attributes that Microsoft uses are all within their own OID range, which starts with 1.2.840.113556. For a complete list of the registered OIDs, visit http://asn1.elibel.tm.fr/oid/index.htm and perform a search on the OID. If you have registered an OID, it will appear in this database once the entry is added.

Within an attribute’s properties, you will find several check boxes that you can select. Each of them is described in the following list:

Attribute Is Active
You can deactivate attributes that you no longer need within Active Directory. Note that the default attributes cannot be deactivated, nor can attributes that are still in use within an object.

Index This Attribute
If this is an attribute on which you are going to allow searches, you may want to index the attribute to increase the search responsiveness.

Ambiguous Name Resolution (ANR)
When you select this option, you allow a Lightweight Directory Access Protocol (LDAP)–based client to resolve a request when only partial data is available.

Replicate This Attribute to the Global Catalog
Not every attribute needs to reside within the global catalog. The rule of thumb is, if you need to locate an object based on an attribute or if the object’s attribute is needed within another domain, you should add it. Otherwise, to reduce the total size of the domain partition you should not add in any superfluous attributes.

Attribute Is Copied When Duplicating a User
When you copy a user account, several attributes are copied from the original account to the new account. If you want the attribute to copy, select the box. Do note that many attributes are unique to a user, so select this option with care.

Index This Attribute for Containerized Searches
If you select this option, the attribute can be indexed for searches within containers, such as organizational units (OUs), in Active Directory.
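Added example, not from the book: the check boxes above are stored on the attributeSchema object as bits of its searchFlags attribute (with isMemberOfPartialAttributeSet for global catalog replication and isDefunct for “Attribute Is Active”); this Python decodes them, applies an attribute's syntax and range to a proposed value, and runs the OID checks described earlier on a proposed new attribute. The bit values are from Microsoft's searchFlags definition; the schema entries and the 1.3.6.1.4.1.99999 enterprise number are constructed placeholders.

```python
MICROSOFT_OID_ARC = "1.2.840.113556"   # Microsoft's registered OID range (from the text)

# searchFlags bits on an attributeSchema object (MS-ADTS), labelled with the
# Active Directory Schema snap-in check box each one corresponds to.
SEARCH_FLAG_BOXES = {
    0x1:  "Index This Attribute",
    0x2:  "Index This Attribute for Containerized Searches",
    0x4:  "Ambiguous Name Resolution (ANR)",
    0x10: "Attribute Is Copied When Duplicating a User",
}
UNICODE_STRING, INTEGER = "2.5.5.12", "2.5.5.9"   # attributeSyntax OIDs

# Constructed attributeSchema entries modelled on the two attributes discussed above
# (flags and the 1..255 range are illustrative; check your own schema for real values).
NAME_ATTR = {"lDAPDisplayName": "name", "attributeID": "1.2.840.113556.1.4.1",
             "attributeSyntax": UNICODE_STRING, "rangeLower": 1, "rangeUpper": 255,
             "searchFlags": 0x1 | 0x4, "isMemberOfPartialAttributeSet": True}
BAD_PWD_COUNT = {"lDAPDisplayName": "badPwdCount", "attributeID": "1.2.840.113556.1.4.12",
                 "attributeSyntax": INTEGER, "searchFlags": 0}
SCHEMA = [NAME_ATTR, BAD_PWD_COUNT]


def checked_boxes(attr):
    """The check boxes the snap-in would show selected for this attribute."""
    boxes = [] if attr.get("isDefunct") else ["Attribute Is Active"]
    flags = attr.get("searchFlags", 0)
    boxes += [label for bit, label in SEARCH_FLAG_BOXES.items() if flags & bit]
    if attr.get("isMemberOfPartialAttributeSet"):
        boxes.append("Replicate This Attribute to the Global Catalog")
    return boxes


def value_allowed(attr, value):
    """Apply the attribute's syntax and range rules (e.g. name: Unicode string of
    1 to 255 characters) to a proposed value."""
    syntax = attr["attributeSyntax"]
    if syntax == UNICODE_STRING:
        if not isinstance(value, str):
            return False
        size = len(value)           # range applies to the string length
    elif syntax == INTEGER:
        if not isinstance(value, int):
            return False
        size = value                # range applies to the integer value itself
    else:
        return False                # other syntaxes are outside this example
    lo, hi = attr.get("rangeLower"), attr.get("rangeUpper")
    return (lo is None or size >= lo) and (hi is None or size <= hi)


def validate_new_attribute(attr, schema=SCHEMA):
    """Pre-flight checks before extending the schema, following the text: the OID
    must be unique and outside Microsoft's arc, the display name unique, the range
    sane, and ANR is only meaningful on an indexed Unicode-string attribute
    (simplified: AD also allows ANR on its other string syntaxes)."""
    problems = []
    oid, name = attr["attributeID"], attr["lDAPDisplayName"]
    if any(e["attributeID"] == oid for e in schema):
        problems.append(f"OID {oid} is already assigned to another attribute")
    if oid == MICROSOFT_OID_ARC or oid.startswith(MICROSOFT_OID_ARC + "."):
        problems.append(f"OID {oid} lies in Microsoft's reserved arc")
    if any(e["lDAPDisplayName"].lower() == name.lower() for e in schema):
        problems.append(f"lDAPDisplayName {name} is already in use")
    lo, hi = attr.get("rangeLower"), attr.get("rangeUpper")
    if lo is not None and hi is not None and lo > hi:
        problems.append("rangeLower exceeds rangeUpper")
    flags = attr.get("searchFlags", 0)
    if flags & 0x4 and (not flags & 0x1 or attr["attributeSyntax"] != UNICODE_STRING):
        problems.append("ANR requires an indexed Unicode-string attribute")
    return problems


if __name__ == "__main__":
    print("name:", checked_boxes(NAME_ATTR))
    # Hypothetical new attribute under a placeholder IANA enterprise number.
    candidate = {"lDAPDisplayName": "zygort-EmployeeBadge", "attributeID": "1.3.6.1.4.1.99999.1.1",
                 "attributeSyntax": UNICODE_STRING, "rangeLower": 1, "rangeUpper": 64, "searchFlags": 0x1}
    print("candidate problems:", validate_new_attribute(candidate))
```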


Object Classes
An object class is a defined grouping of attributes that make up a unique resource type. One of the most common object classes is the user class. Use the user object class as the template for a user account. When you create a user account, the attributes that are defined for the user object class are used to define the new account. Information that you populate within the Add User wizard or enter within the command line becomes the properties within the attributes. If we go back for a minute to the LEGO metaphor, you can use some of the brown blocks available to create a roof on a house, some red bricks to make the walls, and tan bricks to make a door.

The clear pieces can be used as windows and the white pieces form the porch. Each of these individual items (the bricks, the color of the bricks, the shape of the bricks, and the placement of the bricks) is considered an attribute. Putting these attributes together forms the object class “house.” When you build your first house, you have built your first object. Subsequent houses will have the same attributes, but you may build the porch with tan pieces instead of white ones. So, when I create a user account for Maria, that user account will have unique values stored within the attributes for her user account. Bob’s user account will be created using identical attributes, but will not have the same values within each attribute. Maria’s phone number may be 555.1234, and Bob’s 555.9876.

Not all of the attributes that make up an object class are shown within the administrative tools. Many of them hide behind the scenes and will rarely, if ever, need to be changed. One such attribute is the user’s Security Identifier or SID. The user’s SID will change when a user is moved from one domain to another, but will not change while the user remains within a domain. The Active Directory Users and Computers management tool does not have the ability to change this attribute. A default set of attribute fields appears within the utilities, and if you decide to make an attribute available for updating, you may need to programmatically add the fields to the utilities.

Attributes are defined as mandatory or optional. Mandatory attributes have to be populated, or the object will not be created. One such attribute is a computer’s name. Optional attributes do not necessarily need to have values. Attributes such as Manager within a user object do not need to be populated, but it is always nice to include that information. The more complete the information, the more useful Active Directory becomes.


The Two Sides of AD
Active Directory has both a logical side and a physical side, and each one plays a very important role. The physical side is made up of the domain controllers and physical locations where the domain controllers reside. When you promote a system to domain controller status, you will usually place that domain controller close to the user population that will use it for authentication and access. Domain controllers need to communicate with one another to share the information they have. The logical side is a little more nebulous; as well as containing the objects that define how the resources are organized and accessed, the logical side contains objects within Active Directory that define how the domain controllers will communicate with one another. Active Directory sites and site links define which domain controllers will replicate directly with each other and which ones will have to communicate indirectly through other domain controllers.
Domains dictate the replication scope. When you create a domain, the domain partition is replicated only to domain controllers from the same domain. The domain partition is not copied to domain controllers outside of the domain. This allows you to partition your directory service and reduce the size of the database file that holds all of the forest’s objects.

Organizational units are used to organize objects for easy administration and to manage those objects easily using group policies. To have efficient administration of resources, you should design your Active Directory with administration in mind. If you are in the process of rolling out Active Directory, be sure to develop a detailed plan for the rollout. Without a good design, Active Directory may not work efficiently for your environment. If your design does not meet the needs of your organization, you may be faced with either suffering through working with an inadequate design or rebuilding your Active Directory infrastructure from the ground up. Neither of these options will sit well with your user base or the management of the company.

Source of Information : Sybex Mastering Active Directory for Windows Server 2008

Written by magakos on November 8th, 2009 with no comments.

Do I Need Active Directory?

Active Directory is the database (think of a directory as a collection of information, like a phone book), whereas a domain controller is a single computer or server that controls Active Directory. There are typically multiple domain controllers that host Active Directory. How do you know if you need Active Directory? There are factors that you should address to determine whether you should defer installation of a domain controller. Following are some of the questions you should ask:

Do I want to centrally manage access to resources such as printers, users, and groups?
Do I want to control user accounts from one location?
Do I have applications that rely on Active Directory?

If you answered “yes” to any of these questions, you undoubtedly will want to take advantage of the features that Active Directory provides. Taking each one of the questions into account, you will find that your life as an administrator will be much easier if you use Active Directory over using no directory service whatsoever. The tools that become available when you implement Active Directory will ease your administrative load, although there is an inherent learning curve associated with any new technology.

If you answered “yes” to the last of the three questions just posed, you have no choice but to implement Active Directory. Most of the Active Directory–enabled applications on the market rely on the installation of a full version of Active Directory within your network. There are some Active Directory–enabled applications that can take advantage of Active Directory Lightweight Directory Services (AD LDS)–based systems.

The first two questions relate to something for which administrators have strived over the years. Having one central location to manage users and resources makes an administrator’s life easier. If you have to continually move from server to server to administer the resources contained on them, you will spend more time tracking down the resources than you would performing your job. If you have to maintain user accounts on several systems, you must make sure you have an efficient method of cataloging the accounts so that you know where they reside.

With Windows 2000 Server, Windows Server 2003, and now Windows Server 2008, you can use Active Directory Domain Services (AD DS) as the central repository for user, group, and computer accounts as well as for shared folders and printers. Having the ability to manage these resources from any domain controller within your domain allows you to greatly reduce your administrative overhead.

Source of Information : Sybex Mastering Active Directory for Windows Server 2008

Written by magakos on November 7th, 2009 with no comments.
