Increasing Security

Next generation Windows NT Directory Services provide the fine-grained administration structure that allows for decentralized administration without compromising security. Because each domain is a security boundary, multiple security boundaries are possible. With this design administrators in Domain A are not automatically administrators in Domain B. The container hierarchy is important because, today, the scope of administration is the domain, and the administrator of a domain has authority over every object and service within that domain. The next generation Directory Services grant privileges to users based on the specific functions they must perform within a given scope. Administrative scope can include an entire Domain, a subtree of OUs within a Domain, or even a single OU.

With next generation Directory Services, very large structures of users can be created in which each user can potentially access all of the information stored in the directory, but the security boundaries remain clear. Security boundaries can also be much smaller than domains. For example, when a user account is created, it is associated with a particular domain, but it can be put into an organizational unit. Permission to create users in an organizational unit can be delegated, allowing someone to create users, or other directory objects, only in that one place. They would have rights only within that organizational unit, and OU hierarchies can be created. Next generation Directory Services introduce many very specific permissions, all of which can be delegated and restricted as to scope.

Extending the Directory Services Via an Extensible Schema

To provide administrators with the power to create their own directory object types, Next generation Windows NT Directory Services are extensible through a schema mechanism. If a user has an important piece of information that they want to publish in the directory, they can create a whole new object type and publish it. For example, a wholesale distributor might want to create a warehouse object to put in its directory, with information that is specific to that business. New object classes can be defined and instances added. The directory services themselves define a wide variety of classes. For example, next generation Windows NT Directory Services provide standard objects for Domain, OU, User, Group, Machine, Volume, and PrintQueue, as well as a rich set of "connection point" objects used by Winsock, RPC, and DCOM services to publish their binding information.

The Global Catalog

Figure 6: The Global Catalog.

All objects stored in next generation Windows NT Directory Services have entries in the Global Catalog (GC), a service that contains directory information from all of the source domains in the tree. Designed for extreme performance, the GC allows users to easily find an object, regardless of where it is in the tree, while searching by selected attributes. As a result, many common queries can be resolved from the GC without requiring a lookup in the source domain. The global view may contain any type of object, for example, Users, Services, or Machines. A typical use of the global view would be to provide a global address book for purposes of mail or any mail-enabled application.

MultiMaster Replication

The manner in which a directory stores information directly determines the performance and scalability of that directory service. Directory services must handle a very large number of queries compared to the number of updates. Typically the ratio is 99% query and 1% update. For this reason replicated storage is important. By creating multiple replicas of the directory and keeping them consistent, the number of queries that can be handled with no performance degradation is increased.

Next generation Windows NT Directory Services offer multimaster replication. Some directory services use a master-slave approach to do updates: all of the updates must be made to the master copy of the directory, and these are then replicated to the slave copies. This is adequate for a directory with a small number of copies and an environment where all of the changes can be applied centrally, but this approach does not scale beyond small deployments, nor does it address the needs of decentralized organizations.

Because next generation Windows NT Directory Services offer multimaster replication, individual changes made in one copy of the directory are automatically replicated to all other appropriate copies of the directory, whether connected via point-to-point or store-and-forward links.

For urgent changes, such as disabling a user account or changing a password, push replication is used, which means that after a change is made on one copy of the directory, the machine holding that copy pushes the change to its partners.

Some directory services use time stamps to track updates. In a master-slave directory where all updates are made centrally, this is adequate, but in a multimaster replicating directory using time stamps is inadvisable. Unless time is perfectly synchronized among all copies of the directory, there is a chance for data loss or directory corruption. Next generation Windows NT Directory Services do not depend upon time stamps for detecting updates. Instead, they use Update Sequence Numbers (USNs).

Updates can be tracked because any time a user writes something into an object in the directory, the write receives an update sequence number (USN). The USN is held per machine and is incremented any time a change is made to an object on that machine. If a user on one machine updates a user record, the current value of the update sequence number on that machine is incremented and then written into the object along with the change and a unique signature of the machine that first wrote that change. The object also carries a USN for each property; when a property is updated, that property's USN is advanced.

Non-urgent changes are monitored and the replication partners of one machine ask for all of its changes greater than the last USN received. The source machine will then search through the directory and find each object whose update sequence numbers are greater than the one presented by the partner machine.

Property changes are reconciled individually; when a change is replicated, only properties with a higher USN are updated. In the case of a collision, where one property has been updated by two different machines, the one with the later time stamp wins. This use of time stamp is simply as an arbitrary "tie breaker," so time synchronization is unimportant. Per-property reconciliation keeps the chance of collisions to a minimum.
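The following Python simulation is an added example, not part of the original paper or of Microsoft's implementation. It models the scheme described above: one USN counter per machine, each property stamped with the originating machine's USN and signature, a pull that asks a partner for everything above the last USN received, and per-property reconciliation in which the time stamp acts only as a tie breaker. The replica names, object and property values are constructed, and breaking a full tie on the originating machine's name is an assumption added so that both sides converge.

```python
from dataclasses import dataclass

# Constructed simulation of the USN scheme described above; it is not Microsoft's code.
@dataclass(frozen=True)
class Version:
    value: str
    usn: int      # USN of the originating machine when it wrote this value
    origin: str   # unique signature of the originating machine
    stamp: int    # time stamp, used only as a collision tie breaker

class Replica:
    def __init__(self, name):
        self.name, self.usn = name, 0   # one update sequence number per machine
        self.store = {}                 # (obj, prop) -> (Version, local USN it was stored under)
        self.high_water = {}            # partner -> highest local USN received from it
    def write(self, obj, prop, value, stamp):   # local write: advance the USN, stamp the property
        self.usn += 1
        self.store[(obj, prop)] = (Version(value, self.usn, self.name, stamp), self.usn)
    def changes_since(self, usn):               # answer a partner's pull request
        return [(k, v, loc) for k, (v, loc) in self.store.items() if loc > usn]
    def pull_from(self, source):                # non-urgent replication; returns count applied
        applied = 0
        for key, incoming, loc in source.changes_since(self.high_water.get(source.name, 0)):
            self.high_water[source.name] = max(self.high_water.get(source.name, 0), loc)
            applied += self._apply(key, incoming)
        return applied
    def _apply(self, key, incoming):
        current = self.store.get(key, (None,))[0]
        if current == incoming:
            return 0    # that originating write is already here (it may have come back to us)
        if current and (incoming.usn, incoming.stamp, incoming.origin) <= (
                current.usn, current.stamp, current.origin):
            return 0    # collision lost: lower USN, then earlier stamp, then origin name (demo tie)
        self.usn += 1   # store under a fresh local USN so the change forwards to other partners
        self.store[key] = (incoming, self.usn)
        return 1

def demo():
    """Two DCs diverge while disconnected, then reconcile property by property."""
    a, b = Replica("DC-A"), Replica("DC-B")
    a.write("jdoe", "phone", "555-0100", stamp=100)
    a.write("jdoe", "title", "Analyst", stamp=101)
    b.pull_from(a)
    a.write("jdoe", "title", "Manager", stamp=200)   # disjoint properties: both changes survive
    b.write("jdoe", "phone", "555-0199", stamp=201)
    a.write("jdoe", "office", "Bldg 1", stamp=300)   # same property on both sides: a collision
    b.write("jdoe", "office", "Bldg 2", stamp=301)
    a.pull_from(b); b.pull_from(a)
    return a, b
```

After `demo()` both replicas hold the same three values, and a further pull in either direction applies nothing because the high-water marks have caught up.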

Enabling Massive Scalability

Microsoft recognizes that not all businesses are the same size and that there isn't much value in a directory in which the small business suffers at the low end, and the large business suffers at the high end. This is why next generation Windows NT Directory Services were designed to work very well on just a single computer or scale to hundreds or thousands of machines to serve a vast enterprise.

Windows NT 4.0 scales quite well up to at least 100,000 users, but next generation Windows NT Directory Services can scale up to millions of users (10 million total objects) in a single domain, and even larger numbers in a domain tree. The administrative granularity of next generation Windows NT Directory Services allows small domains to be created that are easy to administer, and lets organizations reach the size of very large corporations with just a difference in degree and not in kind. Such large enterprises would not be administered any differently than smaller businesses; they would just have more administrators.

Scaling is enabled by creating one copy of the directory store for each domain which only holds the objects that apply to that domain. If multiple domains are related, they can be built into a tree. Within this tree, each domain has its own copy of the directory store, with its own objects, and the ability to find all the other copies in the tree of the directory store.

Rather than creating a single copy of the directory that gets bigger and bigger, next generation Windows NT Directory Services create a tree made up of little pieces of the directory, each of which has information in it that allows it to find all the other pieces. Next generation Windows NT Directory Services break the directory into pieces so that the part of the directory someone uses most often is closest to them. Other users in other locations might want to use that same part of the directory, and would also have a copy close to them. All replicas of that part of the directory are kept synchronized. If a record in any copy is modified, the change is propagated to the other copies. This allows next generation Windows NT Directory Services to scale up to many millions of users in a tree.

Support for Volatile Objects and Properties

The architecture of next generation Windows NT Directory Services supports the addition of objects and properties that are volatile, that is, frequently changing or short-lived. This type of information is not usually stored in traditional directories, because the information loses its accuracy before directory replication can propagate it. Next generation Windows NT Directory Services provide a mechanism to transparently link alternate information stores into the directory. Volatile objects and properties are stored in separate storage with different replication characteristics, while preserving a common user view of all objects, both static and volatile.

Distributed Security