X.500 is the Open Systems Interconnect (OSI) directory standard. It defines a namespace, an information model, a functional model, and an authentication framework. Additionally, X.500 defines Directory Access Protocol (DAP), an OSI standard protocol for accessing an X.500 directory. DAP is extremely feature rich and carries a lot of overhead. Its clients rarely, if ever, use many of its features. Because DAP is so difficult to implement and requires so much raw power to run, an alternative protocol was created. This new protocol, LDAP, was created to leverage the relatively low overhead of the TCP/IP suite of protocols to access X.500 directories. Remember this: Active Directory is not an X.500 directory. It uses LDAP as the access protocol and supports the X.500 information model without having to host the entire X.500 overhead. X.500 directories accessed with LDAP remain intact and require no changes for LDAP to be successful.

As previously stated, LDAP is the core protocol that enables Windows 2000 to leverage the benefits of X.500 style directories without the X.500 burden. LDAP defines the following components:

One integral piece of Active Directory yet to be mentioned is another old Internet standard, Domain Name System (DNS). By utilizing DNS for name resolution within LDAP queries, Active Directory is able to support working with directory services running on non-Microsoft systems.

Microsoft realizes that good applications need to support several industry standards, so it has built the following support into the native Active Directory implementation:

Microsoft continues to work with standards organizations such as the Internet Engineering Task Force (IETF) to further refine standards with a goal that someday we'll be able to achieve seamless integration of standards-based directory services across the board.

Active Directory support for the DNS standard implementation is huge. It provides a common namespace between the Internet and your internal network. As discussed in the previous section, the support for LDAP and the X.500 functional model provides a common and intuitive query process for retrieving resources from the directory.

Active Directory uses RFC-822 standard naming formats, which are very similar to email addresses, as a "friendly" name. This friendly name can be used for email, printed on a business card, and logged on to the network.

Finally, LDAP URLs and X.500 names allow any client to access data from anywhere providing they work from an LDAP-enabled client and have security clearance. An LDAP URL is in this form:

LDAP://a_server.mycompany.com/CN=joesmith,OU=whitepapers, OU=OpSys,OU=Windows2000,DC=Microsoft,DC=com

Most LDAP URLs are handled by the LDAP-enabled application program and remain unnoticed by users.

Without question, the biggest draw from the development community to Microsoft products is the rich set of Application Programming Interfaces (APIs). APIs provide a standard set of functions to which developers may write code. These functions allow access to Active Directory resources, thereby encouraging the development of application programs and tools that make use of the directory's services. The following sections describe the three major API sets.

ADSI

Active Directory Services Interface (ADSI) is a set of Component Object Model (COM) interfaces that give developers the ability to query and manipulate directory services without knowing specific information about how the directory services are implemented. ADSI is a part of the Open Directory Services Interface (ODSI), which is the Windows Open Systems Architecture (WOSA) standard for manipulating multiple directory services. ADSI objects are available to provide access to Windows 2000, Windows NT 4.0, NetWare 3.x through 5.x, and any other directory service that supports LDAP. It greatly simplifies the development of distributed applications as well as the administration of distributed systems because it abstracts the capabilities of directory services from different network providers and provides a single common set of APIs for managing distributed network resources. Figure 1.2 illustrates how clients and servers currently access directory services through proprietary API calls. Figure 1.3 introduces ADSI as a means of abstracting multiple directory services interfaces and representing them to the developer, administrator, or user in a standard set of COM objects.

Figure 1.2. Heterogeneous directories and their corresponding proprietary API interfaces.

Figure 1.3. Heterogeneous directories abstracted by the ADSI and represented as a common set of objects.

The ADSI objects are designed to meet the needs of not only developers using traditional C and C++ but also the network administrator and the end-user. The following list highlights the intended usage of ADSI for the three groups.

• Developers. . This area is what systems engineers and consultants would refer to as "hard core" developing. Developers use a compiled language such as C++ to write distributed applications to manage network resources, print queues, and more.

• System Administrators. . This area of usage would include scripts written in an interpreted language, such as VBScript. System administrators would be able to develop small and minimally complicated script applets they could utilize over and over again. Common operations for this would be in the area of adding a large number of users to the directory and adding them to specific security groups.

• Users. . Users would even have the ability to develop simple scripts that could query Active Directory with the help of a COM object. This query may yield such information as the number of print jobs in a queue for a specific group of users.

Active Directory provides easy-to-use, yet powerful administration tools. These tools present objects in a hierarchical organization to the administrator, which gives him the ability to effectively model large organizations. The graphical user interface features a highly anticipated drag and drop control console tool. This tool is most useful in the restructuring of Active Directory domain objects using a process called pruning and grafting. To prune is to cut and to graft is to paste. If you, for example, create a large number of objects in the wrong place in the directory and need to move them to another area, you would utilize this process.

Sitting at the core of Active Directory is the schema. The schema defines classes, attributes, and attribute syntax (rules) for all Active Directory objects. When you right-click on an Active Directory object, such as the user object in Figure 1.4, you'll see several of the standard user object attributes, such as first name, last name, and so on.

Figure 1.4. Tiffany J. Archer user object displaying the standard user object attributes.

Active Directory provides an installable interface to the schema through the Microsoft Management Console (MMC). From this interface (shown in Figure 1.5), on a domain controller specified as the Schema Master, an administrator may extend the schema to include additional objects and object attributes after modification of the schema has been enabled.

Suppose, for example, a company develops an application that utilizes an employee's Social Security number. The schema by default does not provide an attribute for the Social Security number, so the administrator would need to add it to and associate it with the user object class. We'll cover the schema and modification policies in more detail in Chapter 13, "Developing a Schema Modification Plan." For now, just understand that the schema may be extended to include custom attributes.

Figure 1.5. The Active Directory schema, displayed in the Microsoft Management Console, may be extended to include additional classes and attributes.

To enable for all domains the ability to locate objects across an entire Active Directory forest, special servers called global catalog servers maintain partial directory information from all domains in a forest. The global catalog servers provide users with quick returns on Active Directory queries. Global catalog servers contain a replica of all objects in each domain in the forest, but only a specific sub-set of each object's attributes. This "abbreviated catalog" is generated through a special partial replication process. If a global catalog server cannot satisfy a query within its partial replica, it forwards the request to the source domain's full database replica for fulfillment.

Active Directory is a true distributed database. Instead of having a single primary domain controller and several backup domain controllers, such as previous versions of Windows NT, Windows 2000 implements Active Directory domain controllers as equals.

It is estimated that 99 percent of the activity to which Active Directory must respond is query (read) activity. The remaining 1 percent is update (write) activity. This fact is highly responsible for the need to distribute databases. Creating multiple replicas of the directory and keeping them consistent significantly increases the number of queries that can be processed with little or no performance degradation. This disbursement and synchronization of Active Directory information is known as multi-master replication.

Microsoft generally does a pretty good job of providing a smooth transition from one platform to another, and that doesn't change with Windows 2000, although it does require quite a bit more planning! Active Directory operates in mixed mode by default. Mixed-mode (as opposed to native-mode) domains are domains in which Active Directory domain controllers may exist simultaneously with down-level Windows NT 3.51 and Windows NT 4.0 domain controllers. In this situation, Active Directory domain controllers work and act just like down-level domain controllers. We'll discuss upgrade design considerations in various chapters in Part IV, "Designing a Directory Service Architecture."

Interoperability is an extremely broad topic, especially when it is used in reference to Microsoft products. This section focuses on Active Directory interoperability with Novell NetWare and Microsoft Exchange, and then takes a look at future interoperability endeavors.

Remember Microsoft Exchange 4.0? Do you see any similarities between the Exchange directory and Active Directory? The Exchange 4.0 directory structure and its extensible storage engine (ESE) provide the foundation for Active Directory. The ESE provides the following two benefits that Microsoft was able to capitalize on in migrating it to a general-purpose directory service:

Active Directory supports multiple stores (the directory database) and each store is capable of reaching sizes up to 17TB, which is millions of objects per store.

Domain Name System (DNS) is an Internet standard name resolution service that maps fully qualified domain names (FQDNs) to IP addresses. The Windows 2000 implementation of DNS includes some major enhancements over the traditional DNS, which enable it to become the core name resolution backbone on both sides of the corporate firewall. The following list outlines these major enhancements:

Windows 2000 implements a distributed security model based on the MIT Kerberos v5 authentication protocol. Kerberos is used for distributed security within a tree, and incorporates the native Windows 2000 Access Control Lists (ACLs) for both public and private key security. Active Directory replaces the registry as the store for the security system and manages user accounts, domains, and group accounts as a trusted component within the Local Security Authority (LSA).

For objects that do not have Kerberos credentials, Active Directory supports the use of X.509 v3 public key certificates. In this scenario, an outsider such as a subcontractor would be granted secure access to specific internal information. The X.509 v3 specifications require certificates be issued by a trusted certificate authority, such as Verisign.

Microsoft recommends that you do an incremental in-place upgrade. Through this process, you can slowly and methodically upgrade servers to Windows 2000, while maintaining all the functionality of your underlying Windows NT networks. This process is also transparent to client computers, which may continue logging on to the domain as they always have.

The following steps contain the generalized high-level, step-by-step processes recommended for the migration to Windows 2000. These steps are not detailed and should not be referenced during an actual migration. Derivations of each of these steps can be applied to all four migration processes. They are presented to give you exposure to the high level processes you can expect to perform during migration.

The following steps highlight the general steps you might take to migrate a single Windows NT domain to Windows 2000:

The single domain model is by far the most simplistic domain model to migrate to Windows 2000. There are always options to split the single domain into multiple child domains of a single parent, but this is not recommended unless the business direction requires it. Be sure to develop and stick with a migration plan and an Active Directory design that best fits the needs of your company. In Figure 1.6, SingleDom, Inc., a company utilizing the single domain model, performs an upgrade to Windows 2000 and Active Directory. Notice the offline area. It is a key part of ensuring that you'll have the ability to recover from disaster during the upgrade process.

Figure 1.6. Migration of the Windows NT single domain model to Active Directory.

The single master domain model presents a few options for the migration process. Depending on the business model, administrative model, and infrastructure of the company, the migration team may decide to collapse resource domains and utilize a single Active Directory domain model. The removal of resource domains can greatly reduce administrative overhead and lead to a more manageable network. The most notable reason for implementing Windows NT single master domain models centers around the limitations of the SAM database size of 40MB. This reason is no longer valid in Windows 2000 and you should consider collapsing the resource domains into Windows 2000 organizational units (OUs). The same scenario applies if resource domains were created to delegate administrative control. On the other hand, if you find the creation of resource domains falls into one of the following categories, then you would want to keep them as child domains of your master domain.

It is very important to identify the necessity of resource domains during the planning phase of your migration. You do not want to collapse a resource domain if the reason for its existence falls one of the categories within the preceding list. In Figure 1.7, MasterDom, Inc., a company utilizing a single master domain model with two resource domains, decided to collapse the resource domains into OUs of masterdom.com.

Figure 1.7. Migration of the Windows NT single master domain model to Active Directory.

In a multiple master (multi-master) domain model, two or more master account databases exist on the network and provide the account base for one or more resource domains each. Each master domain trusts all other master domains, and each resource domain trusts all master domains. However, the master domains do not trust the resource domains. This scenario presents some additional challenges to the migration team. The best solution for migrating the multi-master model is to create a brand new phantom top-level root domain (company.com) and upgrade all master domain PDCs to child domains of the phantom root domain (master1.company. com) and (master2.company.com).

The resource domains should collapse to organizational units in the domain from which they were resources. Alternatively, one of the master domains could be selected to be the root of the Windows 2000 domain tree, and all other master domains could become child domains of it. This would probably create some tension between administrative teams in competing for that top-level domain spot since security can filter down from the top. Figure 1.8 depicts a company utilizing the multiple master domain model that chose to use a phantom top-level root domain in its migration.

Anyone who's been in the Windows NT world for any length of time undoubtedly has heard other names for the complete trust model—names that cannot be mentioned in this book. Active Directory can ease the pain and suffering administrators often go through when they are responsible for a complete trust model. Migrating a complete trust model to Windows 2000 would enable a company to design a much more streamlined and manageable architecture.

Figure 1.8. Migration of the Windows NT multiple master domain model to Active Directory.

There are a few approaches to consider for this migration process, and the one you choose should match your business objectives and administrative structure. First, as with the multi-master model, consider creating a phantom top-level domain. This domain would do little more than provide the namespace for the rest of the directory. You could then migrate all domains to Windows 2000 as child domains of the phantom domain. This approach is the most attractive, again, because all account domains are treated as equals. This approach does not scale well, however, if administrative control needs to be centralized. The other approach is to structure the existing domains around your organizational and administrative hierarchy. For example, if in your complete trust model you have a specific domain for your corporate office, you may want to make that your top-level domain. All other domains would fall under it in a hierarchical tree. This would give the corporate office the opportunity to gain administrative control over all domains in the tree, but would also create opportunity for domain-level administration. This is referred to as a hybrid administration model. Figure 1.9 shows how a company using a complete trust model might implement Windows 2000 and Active Directory. In this figure, domain1 was the focal point of corporate control and so was used as the top-level Active Directory domain.

Microsoft includes an updated NetWare Migration Tool with Windows 2000. The Directory Service Migration Tool can be used to migrate NetWare 3.x, 4.x, and 5.x Bindery, and NDS based objects as well as volume data to Windows 2000. The tool is designed to work in a three-step process:

Figure 1.9. Migration of the Windows NT complete trust domain model to Active Directory.

One of the problems with previous versions of the Netware Migration utility was that there wasn't much you could do with the NetWare structural information—that is, information from NDS or the Bindery basically came across as is, and then you had to go back and spend numerous hours reconfiguring it to fit your needs. The Directory Service Migration Tool introduces the concept of modeling directory data before you perform a migration. This powerful feature allows you to perform operations on data, such as modifying object data to fit your needs. For example, you can create, delete, and move objects, or add users to groups. You can also define options for setting passwords.

After you have modeled your data to fit your needs, you can perform an operation called configuring a view to Active Directory. This operation shows the source (NetWare) and destination (Active Directory) containers for your modeled objects. At this point you can commit your modeled data to Active Directory, which will create all the objects based on your view in Active Directory. Once this operation finishes, it is a good practice to use the Windows 2000 Directory Management Tools to verify successful directory migration.

Finally, you can migrate NetWare volumes to Windows 2000 using the Directory Service Migration Tool. You can migrate files, security attributes, and volume objects using a wizard-based utility.