Windows 2000's Active Directory Supports Administration
(Editor's Note: Although ADSI can make life easier for you today, the full potential won't be realized until the release of Windows 2000 and the Active Directory. To give you a look at some of the Active Directory's key features and architecture, we asked Jan Brandt to give you an overview. Jan is an MCSE, CNE, and NT instructor who has been evaluating the beta releases.)

The Active Directory moves administrators from the flat-file NT 4.0 SAM, with its fixed set of fields, to a structure whose schema can be extended with fields for almost any kind of information. Active Directory also supports fine-grained administrative delegation: rights can be assigned to administer entire containers, individual objects, or specific properties of objects. So, a group could be given rights to update address information but not to view confidential data.
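The property-level delegation described above, as an added PowerShell example (not code from the article or from Microsoft): it grants a group write access to the "Personal-Information" property set on user objects beneath an OU, and then lists the explicit write delegations on that OU so the grant can be reviewed. The OU "OU=Staff,DC=example,DC=com" and the group EXAMPLE\HR-AddressEditors are constructed names; the two schema GUIDs are Microsoft's published values, and the AD: drive comes from the RSAT ActiveDirectory module, which postdates the article.

```powershell
# Added example (not from the article). Assumes the RSAT ActiveDirectory module (AD: drive),
# a constructed OU "OU=Staff,DC=example,DC=com" and a constructed group EXAMPLE\HR-AddressEditors.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=example,DC=com'                                   # constructed
$group = New-Object System.Security.Principal.NTAccount('EXAMPLE', 'HR-AddressEditors')  # constructed

# Schema GUIDs published by Microsoft: the "Personal-Information" property set
# (street, telephone number, and so on) and the "user" object class.
$personalInfoSet = [Guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$userClass       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Grant WriteProperty on that property set only, inherited to user objects under the OU.
# Nothing else is granted, so confidential attributes keep whatever ACL they already carry.
$acl = Get-Acl -Path "AD:\$ouDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $personalInfoSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review step: list the explicit (non-inherited) Allow ACEs on a container that carry
# any write right, decoding the GUIDs an administrator is most likely to meet.
function Get-DelegatedWrites {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $known = @{
        '00000000-0000-0000-0000-000000000000' = 'ALL properties'
        '77b5b886-944a-11d1-aebd-0000f80367c1' = 'Personal-Information (property set)'
        'e48d0154-bcf8-11d1-8702-00c04fb96050' = 'Public-Information (property set)'
    }
    # ActiveDirectoryRights is a [Flags] enum, so a comma list parses to a combined mask.
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl'

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0)
        } |
        ForEach-Object {
            $g = $_.ObjectType.ToString()   # "D" format, lower-case, matches the table keys
            [pscustomobject]@{
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Property  = if ($known.ContainsKey($g)) { $known[$g] } else { $g }
                AppliesTo = $_.InheritanceType
            }
        }
}

Get-DelegatedWrites -DistinguishedName $ouDn | Format-Table -AutoSize
```

The review function is the part worth keeping around: an ACE whose Property column reads "ALL properties" or whose Rights include GenericAll or WriteDacl is a far broader delegation than the address-only grant above, and that is exactly what an inherited-rights review on each OU should surface.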

Under the covers, the Active Directory doesn't rely on NetBIOS the way NT 4.0 does. In fact, NetBIOS isn't necessary on Windows 2000 networks, much to the delight of network administrators everywhere. Dynamic DNS, not WINS, provides the name resolution clients use to find resources and log on to the domain. NT domains remain the basic organizational unit; they are grouped into a contiguous namespace that shares a common schema, configuration, and global catalog, and this contiguous namespace is referred to as a tree. Kerberos and public key authentication replace NTLM authentication. Domains are linked by Kerberos trusts, which differ from NT 4.0 trusts in that they are transitive. The global catalog is a partial index of the objects in the tree; users can query it to locate resources or a domain controller that holds the information needed to authenticate a logon.

Another important feature of the Active Directory is multimaster replication, which allows changes to account information on any domain controller, not just on the PDC. Also, each domain controller doesn't have to store the entire account database. This makes it possible to plan account synchronization around WAN links by organizing domain controllers into sites (defined by IP subnets), which are generally confined to a high-speed LAN. Changes inside site boundaries can therefore propagate fairly quickly, while the administrator can regulate updates across site boundaries (WAN connections) based on each connection's speed and load patterns.
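The pieces described in the two paragraphs above (DNS-based locator records in place of WINS, the global catalog, transitive trusts, and sites defined by IP subnets with throttled inter-site replication), pulled together in one added PowerShell check. This is example code, not from the article or from Microsoft; it assumes the DnsClient and RSAT ActiveDirectory modules, a constructed domain "example.com" (DN DC=example,DC=com) and a constructed user "jbrandt".

```powershell
# Added example (not from the article). Assumes the DnsClient and RSAT ActiveDirectory
# modules, a constructed domain "example.com" and a constructed user "jbrandt".
Import-Module ActiveDirectory

$domain   = 'example.com'          # constructed
$domainDn = 'DC=example,DC=com'    # constructed

# 1. Name resolution without WINS: the SRV records that Dynamic DNS registers for
#    LDAP on domain controllers, for Kerberos KDCs, and for global catalog servers.
foreach ($svc in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.$domain", "_gc._tcp.$domain") {
    Resolve-DnsName -Name $svc -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |                  # drop the glue A records
        Select-Object @{n = 'Service'; e = { $svc }}, NameTarget, Port, Priority, Weight
}

# 2. Query the global catalog (GC: provider, TCP 3268) instead of one domain's LDAP.
#    The GC holds only the partial attribute set, so an attribute outside that set
#    simply comes back empty here even though it exists on the object's home domain.
$gcRoot   = New-Object System.DirectoryServices.DirectoryEntry("GC://$domainDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jbrandt))'
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'mail', 'userAccountControl'))
$hit = $searcher.FindOne()
if ($hit) {
    [pscustomobject]@{
        DN   = $hit.Properties['distinguishedname'][0]
        Mail = $hit.Properties['mail']
        UAC  = $hit.Properties['useraccountcontrol'][0]
    }
}

# 3. Trusts: transitive Kerberos trusts inside the forest versus explicit external ones.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive

# 4. Site topology: which IP subnets map to which site, and how replication across
#    site boundaries is throttled (cost and interval per site link).
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' }}
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Two practical notes. The built-in locator can be exercised the same way with `nltest /dsgetdc:example.com /gc` and `nltest /dsgetsite`, which is a quick way to confirm that a workstation's IP address falls inside a subnet object and is therefore being sent to a domain controller in its own site rather than across a WAN link. And step 4 is the place to look when a change "doesn't show up": a site link with a long ReplicationFrequencyInMinutes is working as designed, not failing.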

You also can search the Active Directory for objects by using the Start menu's Find option. For example, you can search for all laser printers and limit this search by specifying properties or physical locations of the printers.

For more information on the Active Directory, download the "Active Directory Technical Summary" white paper at http://www.microsoft.com/ntserver/windowsnt5/techdetails/prodarch/ad_techsummary.asp.

—Jan Brandt