Active Directory

on Friday, August 21, 2009

Directory Services & Active Directory
• The X.500 standard came into existence when people realized that many of the systems they were implementing needed the same thing: a place to store enterprise-wide data such as email addresses and personal information.
• Of all the things that X.500 defines, the three most important are
o a hierarchical model for storing objects,
o a naming standard for referring to the objects in the directory, and
o a protocol for clients to access the directory.
• DAP (Directory Access Protocol) was implemented at the Application layer of the full OSI stack, because the implementers of DAP were interested in using it to manage email addresses for the OSI message handling application.
• DAP was very complex to implement, so LDAP was introduced. Initially LDAP was just a gateway that converted LDAP calls into DAP calls and converted the DAP responses back into LDAP. LDAP runs on top of TCP/IP.
• Because of the popularity of TCP/IP, LDAP became a standard in its own right.

Active Directory
• Active Directory is Microsoft's directory service and Enterprise Network Operating System (ENOS) for Windows 2000 Server and Windows Server 2003. AD is an integral part of the Windows Server product.
• Active Directory cannot be purchased or installed separately.
• Any Windows Server can be promoted to become an Active Directory domain controller.
• Active Directory stores user objects, computer accounts and many other types of objects for an organization.

Domain
• The domain is the fundamental organizing concept for objects in Active Directory. A domain defines a directory partition, or naming context (discussed shortly), where objects such as users, groups, and computers are stored and organized in a hierarchy. The domain also forms a replication boundary: the objects in a domain replicate only to other domain controllers for that domain. Note that a domain is a replication and administrative boundary, not a security boundary; the forest is the security boundary, because a compromised domain controller or domain administrator in any one domain can affect the whole forest.
Domain Tree
• A domain tree is a collection of domains organized in a hierarchy and sharing the same DNS namespace. A domain tree also shares a common security relationship through trust relationships.
Forest
• A forest is essentially a collection of domain trees that share a common schema, global catalog, and security relationship via trust relationships. We like to say that a forest is an Active Directory. Note that a forest need not contain more than one domain, but it may contain many domains that have complex hierarchical relationships to each other. Forests also do not need to have a contiguous namespace. For example, a forest can include two domain trees, such as "" and "".
Domain Controller
• A domain controller is a Windows server that is specifically designated to provide directory services to a particular domain. The directory services it provides include LDAP access to the directory store, a Kerberos Key Distribution Center (KDC) for Kerberos authentication, and replication services that synchronize the directory with the other domain controllers in the domain. A domain controller may provide other services as well, such as DNS, but from a programming perspective we are primarily interested in LDAP.
• A domain controller has at least three directory partitions, or naming contexts, that can be searched via LDAP. In addition to the domain partition that contains familiar objects such as users, groups, and computers, a domain controller has a configuration partition and a schema partition. As their names imply, the configuration partition contains configuration information such as replication topology, and the schema partition contains a description of the schema. Note that the configuration and schema partitions are replicated throughout the whole forest, unlike the domain partition, which is replicated only to other domain controllers in its domain.
Global Catalog
• The global catalog provides a mechanism that enables us to search the entire forest at once instead of searching in a specific domain. It exists to solve the problem of "I know the object is in the forest somewhere, but I have no idea which domain it is actually in." The global catalog contains a partial replica of every object in every domain in the forest that includes the data we are most likely to want to use in a search. Global catalog searches are essentially just LDAP searches on a different TCP/IP port. Note that not every domain controller is a global catalog server, although that is certainly possible. We definitely need to have at least one!
Definition of ADAM
• ADAM stands for Active Directory Application Mode. ADAM is the Microsoft product that provides a stand-alone directory service without any of the network operating system features of Active Directory. Microsoft created ADAM in response to demand from customers for a platform that applications could use to provide simple directory service features without all of the additional features, limitations, and deployment complexity that come with Active Directory. The analogy we like to use is that ADAM is like an empty SQL Server database with an LDAP interface. It doesn't really do anything until you add some schema elements and data to it and write some code to access it.
• ADAM is not a store for Windows user and computer accounts. We cannot log on to Windows with accounts stored in ADAM.
• Let's say we are building a public-facing web site that can hold thousands (or hopefully millions) of accounts for our (hopefully paying) customers. We do not want to use Active Directory, as we do not need all of its features; we simply want a user store. ADAM gives us an alternative to using a traditional relational database such as SQL Server to store these accounts, authenticate our users, and manage the life cycle of their accounts. Because it already has first-class support for things like secure password storage, password policies, account life cycles, and groups, ADAM provides many benefits over SQL out of the box.
• ADAM does not require an additional license beyond the license you purchased for the host operating system.
• ADAM is a great place to store company-wide directory information that we might not want to include inside Active Directory—for example, items such as pictures that can take up a lot of space and consume precious replication bandwidth.
• Now, let's take the same example we just described, but instead of a public-facing web site, we have an extranet scenario with internal users who are stored in Active Directory but external users who are not. Again, we can use ADAM and its pass-through authentication feature to store the external users in ADAM and authenticate both types of users with an LDAP bind. This keeps the application design simple and prevents us from having to duplicate our internal user accounts in a separate directory, reducing the complexity of managing the identity life cycle on our internal accounts.

Naming Contexts
• A naming context is the name of the object that represents the root of a directory tree. Naming contexts are also called directory partitions. Objects in that part of the tree will have a DN based on the name of the naming context. For example, if we have an Active Directory–style naming context called DC=yourdomain,DC=com, then all objects in that part of the tree will have a name such as CN=users,DC=yourdomain,DC=com.
• A directory may define multiple naming contexts that represent different directory trees. Typically, a directory defines a default naming context where the main objects are stored. As previously stated, Active Directory also defines a configuration naming context, where forest-wide configuration is stored, and a schema naming context, where the schema objects are stored.
• Another interesting aspect of naming contexts is that they may seem to have overlapping namespaces, but they are not actually part of the same tree. For example, an Active Directory domain such as DC=mydomain,DC=com will also contain a configuration partition, CN=Configuration,DC=mydomain,DC=com, and a schema partition, CN=Schema,CN=Configuration,DC=mydomain,DC=com. Even though the names appear to form one hierarchy, a subtree search rooted at DC=mydomain,DC=com will never return objects from the configuration partition, and a search rooted in the configuration partition will not return schema objects. They are separate partitions that form their own roots, and a search must be rooted inside the partition that holds the objects it is looking for.
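To make the partition boundary concrete, here is an added example (Python, not code from the original page) that resolves a DN to the naming context holding it by longest-suffix match. It uses the page's own DC=mydomain,DC=com partition names; the object DNs it tests are constructed.

```python
# Which naming context (directory partition) holds a DN?
# Added example, not code from the original page. DC=mydomain,DC=com is the
# page's own placeholder forest; the object DNs in the demo are constructed.

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific RDN first.

    Honours backslash-escaped commas ("CN=Shah\\, Milap"); hex escapes and
    multi-valued RDNs from the full RFC 4514 grammar are out of scope."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        # Active Directory compares DNs case-insensitively.
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def naming_context_for(dn, naming_contexts):
    """Return the naming context whose name is the longest suffix of dn.

    The *longest* match is what makes the partitions separate trees:
    CN=Schema,CN=Configuration,DC=mydomain,DC=com also ends in
    DC=mydomain,DC=com, but objects beneath it belong to the schema
    partition, not the domain partition."""
    target = parse_dn(dn)
    best_nc, best_len = None, -1
    for nc in naming_contexts:
        suffix = parse_dn(nc)
        n = len(suffix)
        if n <= len(target) and target[-n:] == suffix and n > best_len:
            best_nc, best_len = nc, n
    if best_nc is None:
        raise LookupError(f"no naming context on this domain controller holds {dn}")
    return best_nc


def same_partition(search_root, dn, naming_contexts):
    """A search rooted at search_root can only return objects that live in
    the same partition as the root, however much dn looks like a descendant."""
    return (naming_context_for(search_root, naming_contexts)
            == naming_context_for(dn, naming_contexts))


# The three partitions every domain controller holds, named as on the page.
NAMING_CONTEXTS = [
    "DC=mydomain,DC=com",
    "CN=Configuration,DC=mydomain,DC=com",
    "CN=Schema,CN=Configuration,DC=mydomain,DC=com",
]

if __name__ == "__main__":
    for dn in ("CN=Users,DC=mydomain,DC=com",
               "CN=Sites,CN=Configuration,DC=mydomain,DC=com",
               "CN=User,CN=Schema,CN=Configuration,DC=mydomain,DC=com"):
        print(f"{dn:58} -> {naming_context_for(dn, NAMING_CONTEXTS)}")
    print(same_partition("DC=mydomain,DC=com",
                         "CN=Sites,CN=Configuration,DC=mydomain,DC=com",
                         NAMING_CONTEXTS))        # False
```

Because the match is on the longest suffix, a DN under CN=Configuration never resolves to the domain partition, and same_partition is False for a domain-rooted search against a configuration object: that is why a subtree search from DC=mydomain,DC=com does not see CN=Sites,CN=Configuration,DC=mydomain,DC=com. Against a real domain controller you would read the partition names from the rootDSE namingContexts attribute instead of hard-coding them.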
Schema Basics
• LDAP schema is composed of object class definitions that describe the types of objects that the directory may hold, along with attribute definitions that describe the data items that class instances may contain.

LDAP Classes
• All LDAP class definitions share some basic characteristics.
Class Name
• The class name indicates the type of an instance of a class in the directory tree. Each object in the tree will have an objectClass attribute with the name of the class of which it is an instance. Because classes use inheritance, this attribute will also include the names of the parent classes.
Subclass
• The subclass (subClassOf) value indicates which class this class inherits from. Only one parent class can be specified. All classes in the schema inherit from a common root: the top class (appropriately named), which by convention is defined to inherit from itself, meaning that it has no parent. Note that the use of the word subclass here is exactly the opposite of what object-oriented programmers are used to, but try not to let that throw you.
Possible Superiors
• Possible superiors lists the classes of object beneath which an instance of this class may be created; it constrains where in the tree an object can live. For example, a user object (CN=...) can be created beneath an organizational unit (OU=...) or directly beneath the domain object (DC=...), but not beneath another user.
Auxiliary Classes
• Auxiliary classes define additional attributes and characteristics that a class may contain and that can be shared among classes that have no direct inheritance relationship. For example, in Active Directory, both users and groups are mail recipients and security principals, but both have different inheritance hierarchies. As such, auxiliary classes are similar to interfaces in .NET, Java, and C++. In Windows Server 2003 Active Directory and ADAM, the directory also allows auxiliary classes to be added to specific objects dynamically at runtime.
RDN Attribute ID
• The RDN attribute ID specifies the name of the attribute used to form the RDN of the object. For example, if the RDN is CN=Joe (or CN=Milap Shah), the RDN attribute ID is CN, which refers to the common name attribute. Note that at present Active Directory uses only three different RDN attribute IDs: CN, OU and DC, of which CN is by far the most common. Most other LDAP directories, including ADAM, can use a variety of other RDN attribute IDs.
Must Contain Attributes
• Must contain attributes is a list of attributes that instances of the class must contain to be valid. These attributes are supplied by the caller during an LDAP Add operation or are generated by the system automatically. This is exactly like a column in SQL that does not allow nulls.
May Contain Attributes
• May contain attributes is a list of attributes that class instances may optionally contain but that the schema does not require. The vast majority of attributes fall into this category, and it is very common for a large percentage of the available attributes of a class not to be populated. If you do not supply a value for an optional attribute, the attribute simply does not exist on the object instance. Technically, this is semantically different from a null column value in a row of an SQL table: an attribute with no data is said not to exist on the object at all, whereas in SQL the column for the row still exists but holds null. From a programming perspective the result is fairly similar, but SQL developers who go to great lengths to exclude nulls from table schemas are in for a rude awakening with LDAP.
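The objectClass chain, the subclass walk, auxiliary classes and the must/may rules from the preceding headings all come together when a directory validates an Add. The following added example (Python, not code from the original page) applies those rules to a hand-written, heavily simplified subset of the user class; the attribute lists are illustrative and are not the real schema.

```python
# Class inheritance, auxiliary classes and must/may-contain rules, applied
# the way a directory applies them to an LDAP Add.
# Added example, not code from the original page. SCHEMA is a hand-written,
# heavily simplified subset of the Active Directory user class; the real
# schema has hundreds of attributes and extra system-only rules.

SCHEMA = {
    "top": {"subClassOf": "top", "must": {"objectClass"}, "may": {"description"}, "aux": set()},
    "person": {"subClassOf": "top", "must": {"cn"}, "may": {"sn", "telephoneNumber"}, "aux": set()},
    "organizationalPerson": {"subClassOf": "person", "must": set(), "may": {"title", "department"}, "aux": set()},
    "user": {"subClassOf": "organizationalPerson", "must": set(), "may": {"userPrincipalName", "displayName"},
             "aux": {"securityPrincipal", "mailRecipient"}},
    # Auxiliary classes: attached to user and group alike, outside the inheritance chain.
    "securityPrincipal": {"subClassOf": "top", "must": {"sAMAccountName", "objectSid"}, "may": set(), "aux": set()},
    "mailRecipient": {"subClassOf": "top", "must": set(), "may": {"mail"}, "aux": set()},
}

# Must-contain attributes the directory generates itself during an Add.
SYSTEM_GENERATED = {"objectClass", "objectSid"}


def class_chain(name):
    """Structural inheritance chain, most derived class first. This is the
    set of values the object's objectClass attribute ends up holding."""
    chain = []
    while name not in chain:            # top is its own parent, which ends the walk
        chain.append(name)
        name = SCHEMA[name]["subClassOf"]
    return chain


def effective_attributes(name):
    """(must, may) for instances of `name`: the union over the whole chain
    plus every auxiliary class and the auxiliary classes' own ancestors."""
    must, may, seen, pending = set(), set(), set(), [name]
    while pending:
        for cls in class_chain(pending.pop()):
            if cls in seen:
                continue
            seen.add(cls)
            must |= SCHEMA[cls]["must"]
            may |= SCHEMA[cls]["may"]
            pending.extend(SCHEMA[cls]["aux"])
    return must, may - must


def validate_add(class_name, attributes):
    """Reasons the directory would refuse the Add; an empty list means OK.

    `attributes` maps attribute name to a value or list of values. An
    optional attribute that is simply absent is fine; one that is present
    with an empty value is not, because LDAP has no "exists but null"."""
    must, may = effective_attributes(class_name)
    problems = []
    for attr in sorted(must - SYSTEM_GENERATED):
        if attr not in attributes:
            problems.append(f"missing must-contain attribute {attr}")
    for attr, value in attributes.items():
        if attr not in must | may:
            problems.append(f"attribute {attr} is not allowed on {class_name}")
        if value in ("", None, [], ()):
            problems.append(f"attribute {attr} has no value; omit it instead")
    return problems
```

validate_add("user", {"cn": "Joe", "sAMAccountName": "joe"}) passes even though objectSid is must-contain, because the directory generates it; dropping cn fails the person class's rule, and an unknown attribute or an empty value fails the way a real Add would with a constraint violation. Attribute names are matched exactly here; a real directory compares them case-insensitively.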

LDAP Attributes
• An attribute definition specifies the syntax (data type) of the data stored in the attribute and whether it is single-valued or multi-valued.
• Every attribute definition carries four names:
o displayName (the lDAPDisplayName, which is the name used in LDAP filters and attribute lists)
o commonName (cn)
o OID (object identifier, the attributeID)
o GUID (the schemaIDGUID, not to be confused with the objectGUID of the schema object itself)
• Syntax means data type: for example Unicode string, integer, boolean, octet string or distinguished name.
DN Syntax and Linked Attributes
• Attributes with DN syntax hold the distinguished name of another object and are used to establish relationships between objects. Linked attributes are DN-syntax attributes that come in pairs: a forward link that is stored on the object you modify (for example member on a group) and a back link that the directory computes from it (memberOf on each member). You write only the forward link; the back link is read-only and is never stored on the object that reports it.
Single and Multivalued Attributes
• Attributes can be defined to hold single or multiple values. For those used to thinking about data from the perspective of traditional relational databases, this is an important distinction. SQL databases support a single value per column. In SQL, we typically need to normalize our data into separate tables to support similar semantics. Multivalued attributes simply contain a list of values that all share the same syntax.
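An added example (Python, not code from the original page) that models the forward/back link behaviour described above together with the multi-valued nature of member: only the forward link is ever written, memberOf and directReports are derived at read time, and deleting the group makes the back link disappear. The link pairs are the real Active Directory ones; the objects and DNs are constructed.

```python
# Forward links and their computed back links, simulated in memory.
# Added example, not code from the original page. member/memberOf and
# manager/directReports are real Active Directory link pairs; the objects
# and DNs below are constructed.

# Forward link attribute -> back link attribute. Only the forward side is
# ever stored; the back link is derived from it by the directory.
LINK_PAIRS = {"member": "memberOf", "manager": "directReports"}
BACK_LINKS = {back: fwd for fwd, back in LINK_PAIRS.items()}

JOE = "CN=Joe,CN=Users,DC=mydomain,DC=com"
ANN = "CN=Ann,OU=Staff,DC=mydomain,DC=com"
ADMINS = "CN=Admins,CN=Users,DC=mydomain,DC=com"


class Directory:
    def __init__(self):
        # dn -> {attribute: set of values}; sets because attributes may be multi-valued
        self.entries = {}

    def add(self, dn, **attrs):
        self.entries[dn] = {k: set(v) if isinstance(v, (set, list, tuple)) else {v}
                            for k, v in attrs.items()}

    def add_value(self, dn, attr, value):
        """Add one value to an attribute, with the two rules that apply to links:
        a forward link must point at an existing object, and a back link
        cannot be written directly."""
        if attr in BACK_LINKS:
            raise PermissionError(f"{attr} is a back link; modify {BACK_LINKS[attr]} "
                                  f"on the other object instead")
        if attr in LINK_PAIRS and value not in self.entries:
            raise LookupError(f"{attr} target {value} does not exist")
        self.entries[dn].setdefault(attr, set()).add(value)

    def get(self, dn, attr):
        """Read an attribute. Back links are not stored on the object at all;
        they are computed from the forward links that point at it."""
        if attr in BACK_LINKS:
            fwd = BACK_LINKS[attr]
            return {src for src, attrs in self.entries.items() if dn in attrs.get(fwd, ())}
        return set(self.entries[dn].get(attr, ()))

    def delete(self, dn):
        """Deleting an object drops every forward link that pointed at it, so
        its back links on other objects vanish without any extra write."""
        del self.entries[dn]
        for attrs in self.entries.values():
            for fwd in LINK_PAIRS:
                attrs.get(fwd, set()).discard(dn)


def demo():
    """Build a group with one member and a manager relationship."""
    d = Directory()
    d.add(JOE, objectClass=["top", "person", "organizationalPerson", "user"])
    d.add(ANN, objectClass=["top", "person", "organizationalPerson", "user"])
    d.add(ADMINS, objectClass=["top", "group"])
    d.add_value(ADMINS, "member", JOE)   # stored on the group ...
    d.add_value(JOE, "manager", ANN)     # stored on Joe ...
    return d                             # ... memberOf and directReports are derived
```

One practical consequence worth remembering: memberOf on a user reflects only the member forward links, so it omits membership through the user's primary group (held in primaryGroupID rather than member), and code that needs the user's full group set reads the constructed tokenGroups attribute instead.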
LDAP API and Basics
• The Windows LDAP client library is wldap32.dll (C:\Windows\System32\wldap32.dll); ADSI and System.DirectoryServices sit on top of it.
• TCP port 389 is the standard registered port for LDAP, and 636 is the standard port for LDAP over SSL/TLS (LDAPS).
• The global catalog is served on port 3268 (3269 for SSL).
• Operations of concern:
o Init: obtains a connection handle to the server.
o Bind: authenticates the handle and moves it to the authenticated state. A simple bind sends the password in clear text, so use it only over LDAPS/TLS; on Windows the default is a SASL (Negotiate, i.e. Kerberos or NTLM) bind that does not expose the password.
o Add
o Rename
o Modify
o Compare
o Delete: deleting an object does not delete its children by default (a delete of a non-leaf object fails unless the tree-delete control is used). The object is also not removed immediately; it becomes a "tombstone" that is moved to the "Deleted Objects" container and is purged only after the tombstone lifetime has passed.
o Search: finds objects in the directory.
▪ Search root: the place in the tree from which to start the search.
▪ Search scope: Subtree (searches the entire tree below the search root, including the root itself), One-Level (searches only the immediate children of the root) or Base (searches only the root object itself; used to retrieve the attributes of a single known object).
▪ Search filter: like a WHERE clause. Never splice untrusted input straight into a filter; escape it per RFC 4515 (the characters ( ) * \ and NUL), otherwise the caller can rewrite the query.
▪ Attribute list: specifies which attributes are returned.
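Added example (Python, not code from the original page) that simulates the four search parameters above over a small constructed tree: the search root and scope decide which entries are candidates, the filter decides which of them match, and escape_filter_value shows why untrusted input must be escaped before it goes into a filter. The parser covers only the (&..), (|..), (!..) and (attr=value) forms, enough to run the injection case; the entries, DNs and user names are constructed.

```python
# Search root, scope and filter, simulated over an in-memory tree.
# Added example, not code from the original page. The entries, DNs and user
# names are constructed and contain no escaped commas, so splitting a DN on
# ',' is enough here (a real DN parser must honour "\," escapes).
import re

SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = "base", "onelevel", "subtree"
USER = {"top", "person", "organizationalPerson", "user"}

# Values are sets because LDAP attributes may be multi-valued.
ENTRIES = {
    "DC=mydomain,DC=com":                    {"objectClass": {"top", "domainDNS"}},
    "CN=Users,DC=mydomain,DC=com":           {"objectClass": {"top", "container"}},
    "CN=Joe,CN=Users,DC=mydomain,DC=com":    {"objectClass": USER, "sAMAccountName": {"joe"}},
    "CN=Admins,CN=Users,DC=mydomain,DC=com": {"objectClass": {"top", "group"}, "sAMAccountName": {"admins"}},
    "OU=Staff,DC=mydomain,DC=com":           {"objectClass": {"top", "organizationalUnit"}},
    "CN=Ann,OU=Staff,DC=mydomain,DC=com":    {"objectClass": USER, "sAMAccountName": {"ann"}},
}

def in_scope(search_root, dn, scope):
    """Base: only the root. One-level: its immediate children. Subtree: root and below."""
    root = [r.strip().lower() for r in search_root.split(",")]
    obj = [r.strip().lower() for r in dn.split(",")]
    if len(obj) < len(root) or obj[-len(root):] != root:
        return False
    depth = len(obj) - len(root)
    return {SCOPE_BASE: depth == 0, SCOPE_ONELEVEL: depth == 1, SCOPE_SUBTREE: True}[scope]

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: ( ) * \\ NUL and any
    non-ASCII byte become \\xx, so the value can never change the filter's shape."""
    return "".join("\\%02x" % b if b in b"()*\\\x00" or b >= 0x80 else chr(b)
                   for b in value.encode("utf-8"))

def parse_filter(text):
    """Parse the (&..), (|..), (!..) and (attr=value) forms of an LDAP filter."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1                               # the closing ')'
            return (op, kids)
        end = text.index(")", pos)                 # an unescaped ')' ends the item
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def value_regex(pattern):
    """A bare '*' is a wildcard; '\\xx' is one literal character (escaping undone here)."""
    tokens = re.findall(r"\\[0-9a-fA-F]{2}|\*|.", pattern, re.DOTALL)
    parts = [".*" if t == "*" else re.escape(chr(int(t[1:], 16)) if len(t) == 3 else t)
             for t in tokens]
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)

def matches(node, attrs):
    op, body = node[0], node[1:]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, attrs) for k in body[0])
    if op == "!":
        return not matches(body[0][0], attrs)
    attr, pattern = body                           # attribute names are case-insensitive
    values = next((v for k, v in attrs.items() if k.lower() == attr), ())
    return any(value_regex(pattern).match(v) for v in values)

def search(search_root, scope, filter_text, entries=ENTRIES):
    """DNs under search_root (within scope) whose attributes satisfy the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items()
                  if in_scope(search_root, dn, scope) and matches(tree, attrs))

def find_user(username, escape=True):
    """Look a user up by logon name. escape=False splices the caller's input
    straight into the filter, which is the LDAP injection bug."""
    value = escape_filter_value(username) if escape else username
    return search("DC=mydomain,DC=com", SCOPE_SUBTREE,
                  f"(&(objectClass=user)(sAMAccountName={value}))")
```

find_user("*)(objectClass=*", escape=False) returns every user under the root, because the unescaped ')' and '(' turn the filter into (&(objectClass=user)(sAMAccountName=*)(objectClass=*)); with escaping the same input becomes a literal value that matches nobody. Real code should let the LDAP library build or escape the filter, but the rule is the same: the four metacharacters and NUL never reach the filter unescaped.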

• To connect to the Global Catalog with System.DirectoryServices (the "GC:" provider binds to the root of the global catalog, so a search from here spans the whole forest, on port 3268):
o using System.DirectoryServices;
o DirectoryEntry gc = new DirectoryEntry("GC:");