MCITP 70-640: Active Directory Under The Hood


Uploaded by itfreetraining on 17.10.2011

Transcript:
Hello, welcome back to your free training course for Active Directory. All these videos are free and will get you ready for the 70-640 exam. In this video I will look under the hood of Active Directory at the protocols and technology that make it work.
Active Directory is essentially a distributed database. The database is stored on domain controllers, and changes made on one domain controller are replicated to the other domain controllers. The heart of Active Directory, so to speak, is the database, which is stored in the ntds.dit file. The choice of file name may seem a little strange, but originally Active Directory was called NT Directory Services. When Active Directory first made its debut in Windows 2000 Server it was referred to as Active Directory, but the file name for the database stayed the same. Because this one file holds every object in the domain, including the password hashes of every account, access to it, and to any backup or volume shadow copy that contains it, needs to be restricted to domain controllers and their administrators.
The directory itself is based on the X.500 standard. X.500 was first developed back in the late 1980s. The standard describes a hierarchical organisation of entries that is distributed across one or more servers. Let me explain better by giving an example from Active Directory.

In Active Directory you have domains. These domains contain users and computers. These users and computers can be organised to form a hierarchy. Imagine the file system on your hard disk: it contains folders and files. The same applies to Active Directory. Active Directory contains folders called organisational units, and in these organisational units, or OUs, there are users, computers and other Active Directory objects.

The distributed nature of the database allows copies of the same database to be kept at multiple sites at the same time. Active Directory is able to expand further by having child domains. These child domains can share resources with each other and replicate information between each other. This is where the power of Active Directory comes from. Active Directory is able to keep a database in multiple locations, replicate the changes between these locations and also have multiple domains sharing the same resources.

Microsoft has borrowed from the X.500 directory service in order to create Active Directory. However, in order to access the database you need another system. The X.500 standard has its own directory access protocol, DAP, but because of shortcomings in that protocol when it was developed, most noticeably that it ran over the OSI protocol stack rather than TCP/IP, other protocols were developed, like the Lightweight Directory Access Protocol, better known as LDAP.

So essentially you have two systems. The first is the Active Directory database, based on the X.500 standard, which contains all the Active Directory objects. Remember, this is essentially the NTDS.DIT file. The second is LDAP, which allows you to access the database. The two systems may confuse you at first, but to make it easy always think of Active Directory as a simple database and LDAP as a way of accessing the database.

LDAP was first released back in 1993. It provided a simple way to access X.500 style directories like Active Directory. LDAP supported IP-based networking (it runs over TCP/IP) and was adopted by Microsoft to access the Active Directory database. Even though other systems do exist, and the shortcomings of the earlier protocols, like networking support, have since been addressed, LDAP continues to be the protocol Microsoft uses to access the Active Directory database.

So how do you use LDAP to access Active Directory data? Most of the time you will use the admin tools provided by Microsoft. In some cases you may need low-level tools which require you to understand the syntax that LDAP uses. At first the syntax LDAP uses may look a bit confusing, but it is not too hard to understand once you get the hang of it. To understand LDAP syntax, first consider the syntax you would use to access a file on your hard disk.

To access a file on the hard disk you would first put the drive letter, like C, followed by a colon and then a backslash. This would give you the root of the hard disk. To access a folder you would simply add the folder name, like users. To access a file you would add a backslash followed by the file name, like Joe.doc, giving C:\users\Joe.doc.
If you think of LDAP as accessing a hierarchy of folders and files, you will have no problem understanding the syntax it uses. The first term LDAP uses is Common Name, or CN for short. Think of this as the file name in the example, or the object in Active Directory. In this case, if you wanted to access an object in Active Directory called John, you would use CN=John.

As you can imagine, there could be more than one object in the database called John, so we need to tell LDAP where this object is located. This is where LDAP syntax may confuse some people, because it is in the reverse order to a file name and path on a hard disk: the most specific part comes first. Let's say the object John is located in an organisational unit called users. If you are confused, think of an organisational unit, or OU, as a folder inside Active Directory. To say the object is in this OU, add a comma followed by OU=users, giving CN=John,OU=users.
Now if I compare this with accessing a file on the hard disk, I still need to specify which directory this object is in. In the case of files on the hard drive I added a drive letter; in the case of LDAP I need to add the domain the object is located in. The domain is written as its DNS name, one domain component, or DC, per label. In this case I will use ITFreeTraining.com, so in LDAP syntax I add ,DC=ITFreeTraining,DC=com. The complete name is CN=John,OU=users,DC=ITFreeTraining,DC=com.

This kind of syntax is called the Distinguished Name. Every object in Active Directory has a Distinguished Name. The Distinguished Name identifies the object uniquely inside Active Directory. Just like a full path and file name identifies one and only one file on a hard disk, a Distinguished Name identifies one and only one object in Active Directory. One difference from file paths to remember is that a comma inside a value, for example a user named Smith, John, has to be escaped with a backslash, otherwise it will be read as the start of the next component.
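As an added example, not part of the video or of ITFreeTraining's material, the following Python code parses and builds Distinguished Names in the syntax described above. It goes a little beyond the single example in the transcript: it applies the backslash escaping LDAP requires for commas and other special characters, and it shows how a root-first, file-path style location (domain, then nested OUs, then the object) maps onto the leaf-first DN that LDAP expects. The names ITFreeTraining.com, users and John come from the transcript; every other value is constructed for illustration.

```python
"""Parse and build LDAP Distinguished Names (RFC 4514 string form).

Added example, not code from the ITFreeTraining video.  CN=John,
OU=users and DC=ITFreeTraining,DC=com come from the transcript; every
other value here is constructed for illustration.
"""
from typing import List, Tuple

RDN = Tuple[str, str]          # (attribute type, attribute value)
_SPECIAL = set(',+"\\<>;')     # must be escaped anywhere in a value
_HEX = "0123456789abcdefABCDEF"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string.

    RFC 4514 rules: , + " \\ < > ; anywhere, a leading '#' and a leading
    or trailing space each get a backslash in front of them.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into (type, value) pairs, most specific first.

    Understands '\\,' style single-character escapes and '\\2C' style hex
    pairs (hex pairs are UTF-8 bytes).  Multi-valued RDNs ('+') are not
    handled.  An unescaped comma inside a value is a ValueError, not a
    silent mis-parse.
    """
    rdns: List[RDN] = []
    attr: List[str] = []
    value = bytearray()
    in_value = False
    i, n = 0, len(dn)

    def flush() -> None:
        nonlocal attr, value, in_value
        if not attr:
            raise ValueError(f"component without an attribute type in {dn!r}")
        rdns.append(("".join(attr).strip(), value.decode("utf-8")))
        attr, value, in_value = [], bytearray(), False

    while i < n:
        ch = dn[i]
        if not in_value:                       # reading the attribute type
            if ch == "=":
                in_value = True
            elif ch == ",":
                raise ValueError(f"missing '=' before position {i} in {dn!r}")
            else:
                attr.append(ch)
            i += 1
        elif ch == "\\":                       # escape sequence inside a value
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                value.append(int(dn[i + 1:i + 3], 16))
                i += 3
            elif i + 1 < n:
                value.extend(dn[i + 1].encode("utf-8"))
                i += 2
            else:
                raise ValueError(f"trailing backslash in {dn!r}")
        elif ch == ",":                        # unescaped comma ends this RDN
            flush()
            i += 1
        else:
            value.extend(ch.encode("utf-8"))
            i += 1
    if not in_value:
        raise ValueError(f"DN does not end with a value: {dn!r}")
    flush()
    return rdns


def build_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: join escaped RDNs with commas."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def dn_from_path(domain: str, ous: List[str], cn: str) -> str:
    """Map a root-first location (domain, OUs from the outside in, object)
    to the leaf-first DN LDAP expects, the way C:\\users\\Joe.doc names a
    file root first.  DNS labels of the domain become the DC= components.
    """
    rdns: List[RDN] = [("CN", cn)]
    rdns += [("OU", ou) for ou in reversed(ous)]
    rdns += [("DC", label) for label in domain.split(".")]
    return build_dn(rdns)


if __name__ == "__main__":
    print(dn_from_path("ITFreeTraining.com", ["users"], "John"))
    print(parse_dn("CN=John,OU=users,DC=ITFreeTraining,DC=com"))
    # A comma in a value must be escaped or it is read as a new component.
    print(build_dn([("CN", "Smith, John"), ("DC", "example"), ("DC", "com")]))
```

Running the block prints the transcript's DN, its parsed components, and CN=Smith\, John,DC=example,DC=com. The parser raises rather than guesses when it meets an unescaped comma, which is the behaviour you want in anything that builds LDAP filters or DNs from user-supplied names.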
To go over what we have covered: the heart of Active Directory is the NTDS.dit file. This file is the database, and the directory it holds is based on the X.500 standard. In order for computers and applications to access the objects in this database you need a protocol. The protocol that Microsoft uses is LDAP. That's it, the basic technology that makes Active Directory work.

Now that the basics of Active Directory are covered, in the next video I will look at forests and trees. These are terms used in Active Directory to describe enterprise-wide deployments of Active Directory.
I hope you have enjoyed this free video in our free Active Directory training series. For more free videos please see our web page or YouTube channel. Thanks for watching.