Active Directory for Microsoft Windows 2000

This page aims to be an action-oriented trace through the Active Directory infrastructure of Microsoft's Windows 2000: a trace of events starting from logon, rather than mere definitions of fragmented concepts. That is better for troubleshooting.

March 19, 2002 Microsoft Active Directory Disaster Recovery
... on Dissimilar Hardware [Q263532]

February 12, 2002 Maintaining Active Directory: Reducing the Directory and Removing Orphaned Objects


Topics this page:

  • Get Certified!
  • Logon Action
  • Sites on Network
  • Global Catalog
  • Domains
  • Groups
  • Schema Objects
  • Architecture
  • Partitions
  • LDAP
  • Security Precautions
  • Forests
  • DNS
  • Permissions
  • Directory Schema
  • Directory Replication
  • Unique Sequence Numbering
  • Your comments???


    What's The Big Deal?


    Get Yourself Certified on MS Directory Services Infrastructure


    Active Directory Architecture

      Three critical MMC snap-ins are used to administer Active Directory. They are:

      Item                        Organized around   Stored
      Sites                       Physical           IP Subnets...
      Domains                     Logical            AD
      Domain Controllers          Physical           servers...
      OUs (Organizational Units)  Logical            Values in AD
      Global Catalog              Physical           server...

      Local account information for each Windows 2000 machine is stored in a SAM database file (as in NT4).

      The SAM database file on a W2K domain controller is used only for directory services restore mode.

      Information on domain accounts (including password hashes) is stored in the Active Directory database file on a domain controller, located at %systemroot%\ntds\ntds.dit.


    Logon Accounts

      When a user logs on...

      Using an X.500 attributed naming convention, an object's name is built from:
        C=  (2 character Country Code)
        O=  (Organization - up to 64 characters)
        OU= (Organizational Unit - up to 32 characters)
        CN= (Common Name - up to 80 characters) in Users container
        DC=domain1  domain name
        DC=com      Domain_root (the root domain which contains the object)

      Attribute / Value / Type / Usage / Scope of Uniqueness:

      • DN (Domain Name) - value: the full X.500 path above - type: Complete path
        Usage: specifies the complete path to the location of an entry (an object) in a container hierarchy.
        Scope of uniqueness: must be unique in its forest, because every object in AD has an LDAP DN.
      • RDN (Relative Domain Name) - value: John Doe - type: Canonical
        Usage: LDAP searches within an identified domain.
        Scope of uniqueness: must be unique in its own OU, not the entire directory.
      • UPN (User Principal Name) - value: logon name - type: Contextual
        Usage: each AD user has one.
        Scope of uniqueness: must be unique within a single domain.
      • Downlevel Login Name - value: domain1\JohnDoe
        Usage: backward compatibility with NT NetBIOS networks.
        Scope: stored in a SAM on a DC.

      During logon authentication, the DC locator service responds to user logon attempts by searching for the closest site on the same TCP/IP subnet (LAN segment) as the user.
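      The naming rules in the table above, worked through in Python as an added example (not code from the original page or from Microsoft): it splits an LDAP DN into its RDNs, derives the DNS domain and canonical name from it, and checks the rule that an RDN need only be unique within its own OU. The sample DNs are constructed.

```python
def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute, value) pairs, leaf
    first, honouring backslash escapes so a comma inside a CN is kept."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escaped character
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:            # end of the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":                           # end of this RDN
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is not None:
        rdns.append((attr, "".join(buf).strip()))
    return rdns

def rdn(dn):
    """Relative name: the leaf RDN value, unique only within its container."""
    return parse_dn(dn)[0][1]

def dns_domain(dn):
    """Join the DC= components into the DNS domain name (domain1.com)."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")

def canonical_name(dn):
    """Canonical form: DNS domain, then the container path root-first, then the leaf."""
    path = [v for a, v in reversed(parse_dn(dn)) if a.upper() != "DC"]
    return "/".join([dns_domain(dn)] + path)

def duplicate_rdns(dns):
    """Return DNs whose leaf RDN collides with an earlier object in the same
    container. The same RDN in a different OU is fine; a repeat in the same
    OU (compared case-insensitively) would be rejected by the directory."""
    seen, dupes = set(), []
    for dn in dns:
        rdns = parse_dn(dn)
        container = tuple((a.upper(), v.lower()) for a, v in rdns[1:])
        key = (container, rdns[0][0].upper(), rdns[0][1].lower())
        if key in seen:
            dupes.append(dn)
        seen.add(key)
    return dupes

if __name__ == "__main__":
    # Constructed sample: two users named John Doe in different OUs are legal,
    # a third one in Sales again is not.
    sample = ["CN=John Doe,OU=Sales,DC=domain1,DC=com",
              "CN=John Doe,OU=Finance,DC=domain1,DC=com",
              "CN=john doe,OU=Sales,DC=domain1,DC=com"]
    print(canonical_name(sample[0]))     # domain1.com/Sales/John Doe
    print(duplicate_rdns(sample))        # only the third DN
```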


    Sites on Network

      Reference: TNQ101-04, "Best Practices For Designing An Active Directory Structure" by Bill Boyd.

      Sites usually correspond to a common physical (geographical) location on one or more unique TCP/IP subnets (ranges of IP addresses), because sites are used to organize LAN and WAN segments to optimize network traffic patterns.

      In BackOffice products such as Microsoft Exchange Server, a site is a logical grouping of servers that can be specified without regard to the physical location of the servers themselves. Before Windows 2000, the Microsoft Exchange product used the concept of sites: servers "well-connected" with each other. Machines within a site are usually connected by a high-speed, high-bandwidth (10/100 Mbps) LAN rather than a slow-speed (dial-up) WAN.

      Sites exist as server and configuration objects within the Global Catalog. Site configuration objects are used to configure replication paths.

      Sites are NOT part of the logical namespace of domains.
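      The site lookup the DC locator performs, as described above (the client's IP address matched against the subnet objects defined in Sites and Services), written in Python as an added example; it is not the page's or Microsoft's code, and the site names, subnets and DC names are constructed. It also covers two cases the text leaves implicit: a subnet nested inside another site's range, where the most specific subnet wins, and an address in no defined subnet.

```python
import ipaddress

# Constructed site/subnet configuration; each site may own several subnets.
SITE_SUBNETS = {
    "Chicago":     ["10.1.0.0/16"],
    "Chicago-Lab": ["10.1.50.0/24"],            # nested inside Chicago's range
    "London":      ["10.2.0.0/16", "192.168.8.0/22"],
}
# Constructed DC placement; Chicago-Lab is a site with no DC of its own.
DCS_BY_SITE = {"Chicago": ["CHI-DC1", "CHI-DC2"], "London": ["LON-DC1"]}

def build_subnet_table(site_subnets):
    """Flatten to (network, site) pairs, longest prefix first, so that the
    most specific subnet object is the one that claims a client."""
    table = []
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            table.append((ipaddress.ip_network(cidr, strict=True), site))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def locate_site(client_ip, table):
    """Site whose subnet contains the client, or None if the client's subnet
    was never defined in Sites and Services."""
    ip = ipaddress.ip_address(client_ip)
    for net, site in table:
        if ip in net:
            return site
    return None

def choose_dc(client_ip, table, dcs_by_site):
    """Return (site, dc): a DC in the client's own site when one exists,
    otherwise any DC in the forest, which means logon traffic crosses a
    site link. A None site means the client is in an undefined subnet."""
    site = locate_site(client_ip, table)
    if site is not None and dcs_by_site.get(site):
        return site, dcs_by_site[site][0]
    fallback = next(dc for dcs in dcs_by_site.values() for dc in dcs)
    return site, fallback

if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    for ip in ("10.1.7.7", "10.1.50.7", "192.168.9.1", "172.16.0.1"):
        print(ip, "->", choose_dc(ip, table, DCS_BY_SITE))
```

A client that lands on the fallback DC with site None is the symptom to look for when a new LAN segment was rolled out without adding its subnet object.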


    Global Catalog

      User authentication begins with access to a global catalog server. Users are then referred to a domain controller for logon to a domain. The Netlogon service uses a secure channel to pass credentials to a domain controller.

      To designate a DC to be a Global Catalog server, check the "Global Catalog" property setting in the "Active Directory Sites and Services" MMC snap-in.

    • Each global catalog server is part of a physical site for supporting logon authentication and replication.
    • For redundancy and load balancing, each major site should have two or more GCs.
    • The global catalog servers within the same MDT have the same schema of objects. Each Global Catalog contains:
      • a full replica of all objects in the host domain
      • a partial replica (not all attribute values) of objects in other domains in the MDT.


      Fault tolerant Dfs (Distributed File System) does not reference the Global Catalog.

      By default, AD uses ports 445, 389, 88, 123, 135, 3268 for a GC, and 1025 or 1026 for logon and AD replication.


    Domains Are Administrative

      A domain is an administrative boundary for security, replication, and authentication.

      Several domains can be joined into trees which share a common schema.

      When a user logs on to any Windows 2000 machine, that machine sends the domain user account's authentication information to the domain controller for the domain specified by the UPN entered by the user.

      A local user account has permission only for the local machine, not the domain.

      Each domain is a container for AD information. Because Windows 2000 enables domains to identify parent-child associations, domains can now mirror the administrative hierarchy of an organization.

      From the Administrative Tools program group, use "Active Directory Users and Computers".

    • Each domain must have its own domain controller to store the domain directory containing account information for a domain.
    • Windows 2000 does not use NT4 "Primary" and "Backup" controllers. All domain controllers are equal with the Windows 2000 "multi-master" model.
    • All changes made to one domain controller are replicated to all other domain controllers on its domain.

      Dommon.exe Domain Monitor [from the Resource Kit] monitors the status of Replication and Trusts for Domain Controllers within user-selected Domains.

    • To simplify the granting of permissions, users are usually organized into groups to which permissions are assigned.


      Reminder: Microsoft does not provide a report that presents who manages a specific user.

    Groups

      To add, display, or modify global and local groups (aliases), on domain controllers use:

        NET GROUP

      For more information, use command


      Types of groups:
      • Security groups can be granted permissions:
        • container object permissions
        • individual object permissions
        • attribute object permissions

      • Distribution groups cannot be used to grant permissions, only to send email.

      The scope of groups follows the A G (U) DL P pattern: Accounts are placed in Global groups, optionally collected into Universal groups, which go into Domain Local groups, to which Permissions are assigned.

      • Domain local groups are valid in a single domain.
      • Members of Universal groups can be from any domain. This is available only if Windows 2000 is in native mode.
      • Members of Global groups come from a single domain but can access resources in other domains. Permissions are never assigned directly to global groups.

    • In Windows 2000, Global groups can nest other global groups from within their own domain, but they don't appear in the GC.

    • A group can only belong to a single OU.



    Namespaces: Active Directory Architecture

      The Active Directory™ service in Microsoft® Windows® 2000 is a directory service designed for distributed networking environments. Active Directory lets organizations share and manage information about network resources and users, and it acts as the central authority for network security.

      To export a list of AD objects in line-delimited LDIF format (.ldf), use this utility installed with Windows 2000 Server (not Pro):

        LDIFDE -f Export_file_name

      Q263991 - How to Set a User's Password with Ldifde

      To export AD contents into Comma Separated Values (.csv), see:

      Step-by-Step Guide to Bulk Import and Export to Active Directory

    • Each domain controller in a forest holds a copy of the Active Directory database, which is replicated to other domains.

    • The Active Directory database file is named ntds.dit, in the default folder %systemroot%\Ntds.
    • The Schema.ini file defines AD configurations.

    • Active Directory services are provided from the Directory Service module Ntdsa.dll of the LSA server service that enforces security policies in the Active Directory. The Security Accounts Manager (SAM) enforces policies stored locally.
    • The ESE can theoretically store up to 10 million objects per domain in an Active Directory database of up to 17 terabytes.
    • The Directory System Agent (DSA) is the actual process that manages the directory's physical storage.
    • At the top of the namespace is the rootDSE object, a configuration container which holds the internal logical architecture of the Active Directory.
    • AD defines 4 Naming Contexts: schema, sites, partitions, and services.

    Activewin's excellent Step-by-Step Guide to Managing Active Directory

    Brian Brown's Windows 2000 tutorial, mirrored on academic sites around the world.

    Microsoft's Active Directory Overview: this white paper explains Active Directory and how it benefits organizations that deploy it; this information will be helpful to Microsoft partners proposing Windows 2000 to their customers.


    Partitions for Replication

    • The AD database contains 3 Partitions (units of replication):
      • Domain Directory Partition unique to a domain, replicated only within controllers in a single domain.
      • Schema Directory Partition
      • Configuration Directory Partition

      Schema and Configuration partitions are replicated to all DC's Enterprise-wide.

      Situation -> Strategy:
      • Users are organized strictly by location -> Create OU's or domains for each division.
      • Many employees are involved in inter-company ventures -> Create a versatile yet logical structure.
      • Many employees frequently move among different divisions -> Organize users into a single domain rather than separate domains.
      • There are many frequent changes in (temporary) employees -> Use global groups.
      • There are few changes among permanent employees -> Use universal groups.




    Schema Objects

      Each network resource (computer, drive share, printer, etc.) exists as an object in an Active Directory schema, which is like the data dictionary to a table.

      The default schema provided with Windows 2000 contains 140 classes of __ objects with 850 attributes.

      Each object has distinctly named attribute properties and property values which can be extended and searched. An Attribute definition within AD contains:

      • Object Name
      • Object Identifier
      • Syntax (for its data type: Boolean true/false, text mask, etc.)
      • Optional Range Limits

      Have Some Class

      Objects that share common attributes (such as printers - a type of object) can be grouped into a class. Objects are actual instances of object classes. A class definition in the schema contains:
      • Object Name
      • Object Identifier
      • "May Contain" Attribute
      • "Must Contain" Attribute
      • Parent Classes
      • Auxiliary Classes

      In other words, objects belonging to the same class have the same attributes, but contain different values.

      A child class derived from an existing class inherits the attributes from the existing class.


      Objects within a domain are organized into containers of Organizational Units (OU's) which mirror an organization's departments. This allows for easier delegation of permissions, done by placing objects in an OU and granting permissions to the OU.
    • Objects are also organized logically into administrative organizational groups such as Finance or Sales.

    • User accounts added to a domain are copied to all domain controllers on that same domain.
    • Differences between Schema Masters and Domain Naming Masters. ???
    • The Directory schema defines the universe of objects that can be stored in an entire forest.
    • All domains in a tree must share their Configuration information (such as the replication topology).

      To initialize the first domain and forest ("Default-First-Site-Name" in Sites and Services), use the dcpromo Active Directory Installation Wizard:

      1. Create a domain controller
      2. "Create a new domain tree"
      3. Choose "Create a new forest of domain trees" or "Place the new domain tree in an existing forest".
      4. Input the root name of the domain.
    • The default location for the database and log files is %systemroot%\Ntds, on the shared system volume %systemroot%\Sysvol.
    • New to Windows 2000 is the ability to delegate authority. Some guidelines for delegation:
      • Delegate at the OU level.
      • Avoid delegation at the attribute level.


    Schema Management

      The AD schema is usually viewed using the "Active Directory Schema" MMC snap-in, which enables classes to be modified or deactivated.

      The "ADSI Edit" MMC snap-in from the Windows 2000 Resource Kit views CN and DN information.

      To add a property to a user account using ADSI:

      • Register the dll:
        regsvr32 %systemroot%\system32\schmmgmt.dll
      • Log in as a user in the "Schema Admins" universal group.

      AD Schema Extensibility

      To AD-enable applications such as MS Exchange, Lotus Notes, or Novell Directory Services, Schema Administrators may add to the AD schema using Microsoft's ADSI, a set of API's that expose AD functionality to applications written in C, C++, and other programming languages. ADSI is a part of Microsoft's ODSI, which, in turn, is part of WOSA and Microsoft's COM (Component Object Model).

      How much is the LDAP C API [RFC 1823] used?



    Searching with LDAP

      Enumprop [from the Resource Kit] enumerates properties such as the /security descriptor or /attributes for objects within a user-supplied LDAP path:
        enumprop /ATTR:objectGuid,objectSid,distinguishedName



    Security Precautions

    • Rename the default "Administrator" userid.
    • For occasional users, grant network and utility permissions to the built-in Guest account.
    • Set the maximum length of a user name to 20 characters.
    • Passwords:
      • Ensure passwords contain lower and upper case
      • Set minimum password lengths.
      • Enable password histories
      • Install PASSFILT.DLL and "strongpass.dll" on machines; these enhance restrictions on passwords even further.
    • Define organizational conventions for:
      • resolving duplicates (add number, dept., middle initial, etc.)
      • time of day for access
      • Minimum password length, with upper & lower case and a number required.
      • Password must be changed on first login.
      • Time before expiration/warning.
      • Logon to which machines
      • Deny dial-up/VPN access

    • Windows assigns to each object a permanent 128-bit GUID (Guaranteed Unique IDentifier) based on the current time stamp, the network adapter card's MAC Address, etc.
    • Windows 2000 does not use NetBIOS names used by Windows NT 4.

    • When a user logs on, the domain controller returns an access token containing the user SID (Security ID) and group memberships.
    • This token is compared to the ACL (Access Control List) of the resource on a domain.
    • ACL's are populated by Access Control Entries (ACE's).

    • An organization may have several domains for several reasons:
      • Allow for different groupings (alternative organizations)
      • Segment high network traffic into two subnets
      • Enable decentralized IT administration (each with different set of permissions)
    • OU's are nested under another OU to build a hierarchy in a domain. This provides for greater control.


    Domain Forests

    • A forest, or multi-tree forest (MTF), is a collection of separate trees. Forests usually come about from a corporate acquisition or merger.
    • A domain forest does *not* form a contiguous namespace. Each forest has its own (heterogeneous) schema.
    • So, User accounts in one forest are not valid in another forest.


    • A forest can be connected by two-way trust relationships between different root domains which share a common Active Directory. Two-way trusts are transitive (implicit).

    • Unlike NT4, which requires a two-way trust to be explicitly created to each domain, when Windows 2000 adds a domain to a domain tree, it automatically creates a trust relationship between domains in a forest. This is one of the main benefits from upgrading to Windows 2000.
    • The first domain controller defined in a forest is created with default name “Default-First-Site-Name".
    • It permanently retains the domain-naming master role.
    • This is why Microsoft recommends that the first NT4 server converted to Windows 2000 should be the NT4 PDC.
    • Access between forests is established with one-way explicit trusts between different Active Directory directories.
    • Explicit trusts are not transferable the way transitive trusts are.


    DNS (Domain Name System)

    • Each child domain requires a DNS subdomain.
    • A forward DNS lookup query resolves a given name to its IP address.
    • A reverse DNS lookup query resolves a given IP address to its name.

      Each DNS zone database file contains SRV resource records which point to DNS hosts running Active Directory. In Windows 2000 native mode, it can be larger than the 40 MB limit NT4 had.

      These records must be registered manually on Windows NT, which does not dynamically update DNS. They are stored in Netlogon.dns files in %systemroot%\System32\Config, read by the DNS MMC snap-in, and updated by standard DNS zone transfers.

      Active Directory Integrated Zones are replicated through Active Directory to provide fault tolerance for DNS.


    Permissions

      Read permission includes viewing the object owner and permissions as well as the object attributes.

      Full Control allows changing permissions and assigning ownership.

      To create a domain (as the domain's eadmin -- Enterprise Admin):

    • Non-members of the eadmin group can pre-create a domain controller:
      1. Open a command-line window.
      2. Run NTDSutil.
      3. At the ntdsutil prompt, enter: domain management
      4. Then enter: precreate DC=sales,DC=mycompany,DC=com



    Trees

      Domains with a common root name share a contiguous namespace, which organizes the domains into a hierarchical tree.

      • Trees help structure delegation.
      • Trees do not have their own boundary for storage and replication.
      • Trees allow objects from one domain to access resources on another domain.
    • Multiple Domain Trees (MDT's) have a single root domain.

      To implement a new tree in a forest, use the Active Directory Installation Wizard.


    Directory Replication & Synchronization

      Two methods:
      • Intra-site: each domain controller replicates its domain partition to the next server in its own domain ring using the uncompressed RPC (Remote Procedure Call) protocol over TCP/IP, a synchronous transport. This type of replication occurs every 5 minutes by default.
      • Inter-site: replication traffic between sites uses dynamically assigned port numbers and compressed, asynchronous SMTP email traffic via the IIS5 service and the Collaboration Data Objects (CDO v2) interface.

    • In a multi-site topology, a domain controller may be a Bridgehead for contact with adjacent sites.
    • Inter-site Transports topology is controlled by settings for the cost of each link.

      DCs fulfill five Flexible (Floating) Single-Master Operation (FSMO) roles for replication:

      1. The PDC Emulator (PDC Advertiser) acts as the PDC for down-level BDCs in mixed mode operation. In native mode, it is the first to receive replications and logon requests from other DCs. So, there can only be one of these per domain.
      2. The Relative ID Operations Master administers allocation of Relative ID sequences of the SID. So, there can only be one of these per domain.
      3. The Infrastructure Master administers additions or changes in user/group mappings. So, there can only be one of these per domain.
      4. The Domain Naming Operations Master administers addition or removal of domains in a forest or cross-references to external directory services (such as on Exchange and Novell). So, there can only be one of these per forest.
      5. The Schema Operations Master administers schema updates and changes within its own forest. So, there can only be one of these per forest.

      Use NTDSUTIL.exe (the Swiss Army knife) on the domain controller which is to seize the role.

      Use Esentutl.exe to repair the database and to validate the database (an integrity check to see if it is damaged).

    • For updates, Active Directory uses a multi-master model where all domain controllers are equivalent. All domain controllers perform replication. Categories of update:
      • Originating (committed) update
      • Replicated update


    USN

      Each domain controller maintains a sequential Update Sequence Number (USN) counter. When an object is created, it is assigned an Original USN incremented from the USN counter.
    • To prevent both loss and duplication in replication, the stamp number for the object is kept on each of the other servers in the domain.
    • The Current USN is also assigned to any object when it is changed. View them in the "Advanced Features" object properties.

      For Propagation Dampening, each domain controller maintains a table containing the identifying GUID of the other domain controllers and two vectors: an Up-to-date vector containing the largest originating USN received from each of the other domain controllers, and a High watermark vector.

      For each attribute of each object, the domain controller maintains a Version number and a timestamp of when the last update occurred.

      Replication Latency = Propagation delay toward Replication Convergence, the point when all updates have been processed.

    • The Knowledge Consistency Checker automatically (dynamically) generates a replication topology which allows for at least two connections to every domain controller.

    • Synchronization (mapping) between two different schemas (two different implementations of directory services) is done by an agent -- security principal.

    • Perfmon "NTDS" object counters "DRA Inbound/Outbound Bytes Total/Non-compressed/Compressed"
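      The USN, up-to-date vector, high watermark and version/timestamp mechanism described above, simulated in Python as an added example (not the page's or Microsoft's code): three DCs replicate in a ring, and the copy of A's write that travels round to A is received but dampened rather than re-applied. DC names, the object user1 and the logical clock standing in for the timestamp are constructed.

```python
import itertools

_CLOCK = itertools.count(1)   # logical timestamp standing in for the wall clock

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0              # local Update Sequence Number counter
        self.objects = {}         # object name -> latest record held here
        self.log = []             # (local USN, record), in local USN order
        self.utd = {name: 0}      # up-to-date vector: originating DC -> highest originating USN applied
        self.high_watermark = {}  # partner name -> last partner USN already pulled
        self.received = 0         # changes a partner handed over
        self.applied = 0          # changes actually written locally

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def originate(self, obj, value):
        """Originating (committed) update: new USN, version bumped, stamped."""
        prev = self.objects.get(obj)
        usn = self._next_usn()
        rec = {"obj": obj, "value": value, "orig_dc": self.name, "orig_usn": usn,
               "version": prev["version"] + 1 if prev else 1, "stamp": next(_CLOCK)}
        self.objects[obj] = rec
        self.log.append((usn, rec))
        self.utd[self.name] = usn

    @staticmethod
    def _newer(a, b):
        """Conflict rule: higher version wins, then the later timestamp."""
        return (a["version"], a["stamp"]) > (b["version"], b["stamp"])

    def pull_from(self, partner):
        """Replicated update: read only partner changes above our high watermark,
        then dampen any change whose originating write we already hold."""
        start = self.high_watermark.get(partner.name, 0)
        for partner_usn, rec in partner.log:
            if partner_usn <= start:
                continue
            self.received += 1
            self.high_watermark[partner.name] = partner_usn
            if rec["orig_usn"] <= self.utd.get(rec["orig_dc"], 0):
                continue                          # propagation dampening
            mine = self.objects.get(rec["obj"])
            if mine is None or self._newer(rec, mine):
                self.objects[rec["obj"]] = rec
                self.log.append((self._next_usn(), rec))
                self.applied += 1
            self.utd[rec["orig_dc"]] = max(self.utd.get(rec["orig_dc"], 0), rec["orig_usn"])
        for dc, usn in partner.utd.items():       # merge the partner's up-to-date vector
            self.utd[dc] = max(self.utd.get(dc, 0), usn)

def ring_demo():
    """Ring A -> B -> C -> A: A's write is applied once on B and C, and the copy
    that comes back round to A is received but dampened, not applied again."""
    a, b, c = (DomainController(n) for n in "ABC")
    a.originate("user1", "telephoneNumber=555-0100")
    b.pull_from(a)
    c.pull_from(b)
    a.pull_from(c)
    return {"A": a, "B": b, "C": c}

if __name__ == "__main__":
    for name, dc in ring_demo().items():
        print(name, "received", dc.received, "applied", dc.applied, "utd", dc.utd)
```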



    Portions ©Copyright 1996-2010 Wilson Mar. All rights reserved. | Privacy Policy |
