SEMINAR REPORT
ON
ACTIVE DIRECTORY
BY
SONALE PAVAN M.
T.Y. Information Technology
REG No-2004BIT058
GUIDE
Mr.G.K. PAKLE
CERTIFICATE
This is to certify that Mr. Pavan M. Sonale successfully completed his seminar on Active Directory, in partial fulfillment of the third year of the degree course in Information Technology, in the academic year 2007-2008.
Date:
Dr. R.C. Thool, Head, Information Technology, SGGSIE&T, Nanded
Mr. G.K. Pakle, Seminar Guide, SGGSIE&T, Nanded
ACKNOWLEDGMENT
I take this opportunity to express a deep sense of gratitude and sincere thanks for the invaluable guidance that I have received at the worthy hands of my guide, Prof. M.R. Pakle.
I express my sincere thanks to our H.O.D., Prof. R.C. Thool, for permitting me to present this seminar, and also to all the staff members who have helped me directly or indirectly.
I also express my thanks to my friends for their underlying support shown during the preparation of this seminar.
Sonale Pavan M
T.Y. (Information Technology)
SGGSIE&T, NANDED
ABSTRACT
The term "directory" has received a lot of attention in computing environments in the past several years. As computing environments have become larger and more complex, with many offering Internet access and even network resources through an intranet, the task of managing the many resources the network has to offer has become more and more complex for network administrators — and the user's task of finding those resources has become just as difficult. The need to not only organize information, but make that information easy to manage and locate, has become a serious and complicated issue.
By definition, a directory is an information storage location that uses a systematic scheme to organize the information. The Active Directory refers to this systematic scheme as a "namespace." A common example is the telephone book. All information in a telephone book is stored by city/region, last name, then first name(s). By referencing a particular name in a particular city/region, you can find that person's telephone number. The phone book uses a "namespace" in that all names are organized in alphabetical order using the last name and first name of the phone user. If the telephone book did not follow a namespace — in other words, if some names listed were by first name, some by last, some by nicknames, and some by address — you would never find what you needed. So, a directory organizes information using a namespace so you can find more information about the people or things listed in the directory.
Although Windows NT offered directory services through third-party software, the Active Directory in Windows 2000 is Microsoft's new answer to directory services. The Active Directory is a powerful tool that allows multiple sites, domains, and even the Internet to fully integrate together. The Active Directory's purpose is to organize information about real network objects, such as users, shares, printers, applications, and so forth, so that users can find the resources they need.
Through the Active Directory, users do not have to keep track of which server holds which resource, or where a particular printer resides. The Active Directory lists the information, is completely searchable, and provides a standard folder interface to users so they can find what they need on the network. From an administrator's point of view, the Active Directory provides you with a simple, hierarchical design that you can administer from a single location.
Active Directory provides information about objects, organizes these objects for easy retrieval and access, allows access by end users and administrators, allows the administrator to set up security for the directory, and manages all network elements (e.g. computers, groups, users, domains, security). AD also enables us to locate and access resources.
Active Directory borrows from the object-oriented approach. Because this approach is powerful, it makes Active Directory both powerful and easy to handle.
INTRODUCTION:
Active Directory is a directory structure used on Microsoft Windows-based computers and servers to store information and data about networks and domains. It is primarily used for online information; it was originally created in 1996 and first used with Windows 2000.
Active Directory (sometimes referred to as AD) performs a variety of functions, including providing information on objects, organizing these objects for easy retrieval and access, allowing access by end users and administrators, and allowing the administrator to set up security for the directory.
Active Directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web email servers; and objects, which are the main functions of the domain and network.
It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, an end user, or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to being able to hold other objects, every object has its own attributes, which allow it to be characterized by the information it contains. Most IT professionals call these settings or characterizations schemas.
The type of schema created for a folder ultimately determines how these objects are used. For instance, some objects with certain schemas cannot be deleted; they can only be deactivated. Other types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object cannot be deleted.
When learning about Active Directory, it is important to know the levels at which objects can be viewed. In fact, an Active Directory can be viewed at any one of three levels, called forests, trees, or domains. The highest structure is called the forest, because from it you can see all objects included within the Active Directory.
Within the forest structure are trees; these structures usually hold one or more domains. Further down the structure of an Active Directory are single domains. To put forests, trees, and domains into perspective, consider the following example.
A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest directory are now trees that hold information on specific objects such as domain controllers, program data, system, etc. Within these objects are even more objects which can then be controlled and categorized.
DIRECTORY SERVICE:
Active Directory is a full-featured directory service. But what is a directory service? Well, a directory service is actually a combination of two things – a directory, and services that make the directory useful. Simply, a directory is a store of information, similar to other directories, such as a telephone book. A directory can store a variety of useful information relating to users, groups, computers, printers, shared folders, and so forth – we call these objects. A directory also stores information about objects, or properties of objects – we call these attributes. For example, attributes stored in a directory for a particular user object would be the user’s manager, phone numbers, address information, logon name, password, the groups they are a part of, and more.
To make a directory useful, we have services interact with the directory. For example, we can use the directory as a store of information against which users are authenticated, or as the place we query to find information about an object. For example, I could query a directory to show me all the color printers in the Frankfurt office, the phone number of Bob in the Delhi office, or a list of all the user accounts whose first name starts with the letter 'G'. In Windows 2000, Active Directory is responsible for creating and organizing not only these smaller objects, but also larger objects – like domains, organizational units, and sites. In order to fully comprehend what Active Directory is all about, we need to take an initial look at a number of concepts. A deeper discussion on Active Directory will be covered once we get to the AD Implementation and Administration portion of the series.
HIERARCHY OF AD (OBJECT VIEW)
The structure of the Active Directory is a hierarchy, and before installing and implementing the Active Directory, you must have a firm understanding of the structure as well as the components that make up the Active Directory. You will use this hierarchy design to build the Active Directory infrastructure for your organization, so it is important that you have a firm grasp of the meaning and place of each component in the hierarchy before you begin planning. The following sections explore the components in the hierarchy structure.
Object
An Active Directory object represents a physical object of some kind on the network. Common Active Directory objects are users, groups, printers, shared folders, applications, databases, contacts, and so forth. Each of these objects represents something "tangible." Each object is defined by a set of "attributes." An attribute is a quality that helps define the actual object. For example, a user object could have attributes of a username, actual name, and email address. Attributes for each kind of object are defined in the Active Directory. The attributes define the object itself and allow users to search for the particular object.
Organizational Unit
An organizational unit (OU) is like a file folder in a filing cabinet. The OU is designed to hold objects (or even other OUs). It has attributes like an object, but no functionality of its own. As with a file folder, its purpose is to hold other objects. As the name implies, an OU helps you "organize" your directory structure. For example, you could have an Accounting OU that contains other OUs, such as Accounting Group A and Accounting Group B, and inside those OUs can reside the objects that belong there, such as users, groups, computers, printers, etc. OUs also serve as security and administrative boundaries and can be used to replace domains in networks that previously had multiple Windows NT domains.
Domain
By definition, a domain is a logical grouping of users and computers. A domain typically resides in a localized geographic location, but this is not always the case. In reality, a domain is more than a logical grouping — it is actually a security boundary in a Windows 2000 or NT network. You can think of a network with multiple domains as being like a residential neighborhood. All of the homes make up the neighborhood, but each home is a security boundary that holds certain objects inside and keeps others out. Each domain can have its own security policies and can establish trust relationships with other domains. The Active Directory is made up of one or more domains. Domains contain a schema, which is a set of object class instances. The schema determines how objects are defined within the Active Directory. The schema itself resides within the Active Directory and can be dynamically changed. You can learn more about the Active Directory schema in Chapter 18.
Tree
The hierarchical structure of the domain, organizational units, and objects is called a tree. The objects within the tree are referred to as endpoints, while the OUs in the tree structure are nodes. In terms of a physical tree, you can think of the branches as OUs or containers and the leaves as objects — an object is the natural endpoint of a node within the tree.
Domain Trees
A domain tree exists when several domains are linked by trust relationships and share a common schema, configuration, and global catalog. Trust relationships in Windows 2000 are based on the Kerberos security protocol. Kerberos trusts are transitive. In other words, if domain 1 trusts domain 2 and domain 2 trusts domain 3, then domain 1 trusts domain 3. A domain tree also shares a contiguous namespace. A contiguous namespace follows the same DNS naming hierarchy within the domain tree. For example, if the root domain is smithfin.com and domain A and domain B exist in a domain tree, the contiguous namespace for the two would be domaina.smithfin.com and domainb.smithfin.com. If domain A resides in smithfindal.com and domain B resides in the smithfin.com root, then the two would not share a contiguous namespace.
Forest
A forest is one or more trees that do not share a contiguous namespace. The trees in the forest do share a common schema, configuration, and global catalog, but the trees do not share a contiguous namespace. All trees in the forest trust each other through Kerberos transitive trusts. In actuality, the forest does not have a distinct name, but the trees are viewed as a hierarchy of trust relationships. The tree at the top of the hierarchy is normally used to refer to the forest. For example, corp.com, production.corp.com, and mgmt.corp.com form a forest with corp.com serving as the forest root.
Site
A site is not actually considered a part of the Active Directory hierarchy, but is configured in the Active Directory for replication purposes. A site is defined as a geographical location in a network containing Active Directory servers with a well-connected TCP/IP subnet. Well-connected means that the network connection to other subnets in the network is highly reliable and fast. Administrators use the Active Directory to configure replication between sites. Users do not have to be aware of site configuration. As far as the Active Directory is concerned, users only see domains.
TRUST
A server uses trusts to determine whether access is allowed or not.
Active Directory uses two types of trust:
· Transitive: two objects are able to access each other's domains and trees, which means a user is allowed access to another tree or domain.
· Non-transitive (one-way): one object can access the trees and domains of the other, but the other domain does not allow access to the domains and trees of the first, e.g. admin --> user.
GOALS
The two primary goals are:
· USER
Users should be able to access resources throughout the domain using a single login.
· ADMINISTRATOR
Administrators should be able to centrally manage both users and resources.
DESIGN GOALS OF THE ACTIVE DIRECTORY
The Active Directory's design goals are simple, yet very powerful, allowing Active Directory to provide the desired functionality in virtually any computing environment. The following list describes the major features and goals of the Active Directory technology.
Scalable — The Active Directory is highly scalable, which means it can function in small networking environments or global corporations. The Active Directory supports multiple stores, which are wide groupings of objects, and can hold more than one million objects per store.
Extensible — The Active Directory is "extensible," which means it can be customized to meet the needs of an organization.
Secure — The Active Directory is integrated with Windows 2000 security, allowing administrators to control access to objects.
Seamless — The Active Directory is seamlessly integrated with the local network and the intranet/Internet.
Open Standards — The Active Directory is based on open communication standards, which allow integration and communication with other directory services, such as Novell's NDS.
Backwards Compatible — Although Windows 2000 operating systems make the most use of the Active Directory, the Active Directory is backwards compatible for earlier versions of Windows operating systems. This feature allows implementation of the Active Directory to be taken one step at a time.
INTERACTION BETWEEN CLIENT AND SERVER
If a client wants to access a service or a resource, it does so using the resource’s Active Directory name. To locate the resource, the client sends a standard DNS query to a dynamic DNS server by parsing the Active Directory name and sending the DNS part of the name as a query to the dynamic DNS server.
The dynamic DNS server provides the network address of the domain controller responsible for the name. This is similar to the way static DNS currently operates — it provides an IP address in response to a name query.
The client receives the domain controller’s address and uses it to make an LDAP query to the domain controller. The LDAP query finds the address of the system that has the resource or service that the client requires.
The domain controller responds with the requested information. The client accepts this information.
The client uses the protocols and standards that the resource or service requires and interacts with the server providing the resource.
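The lookup described in the steps above, together with the contiguous-namespace rule from the Domain Trees and Forest sections, as an added Python example that is not part of this report: it extracts the DNS part of an Active Directory name, builds the DNS SRV record name that Windows clients query to locate a domain controller (_ldap._tcp.dc._msdcs.<domain>), and tests whether two domains belong to the same domain tree. The object names and distinguished names are constructed for illustration from the report's smithfin.com and corp.com examples.

```python
# Added example, not from the report: turn an AD name into the DNS query a
# client sends to locate a domain controller, and test two domain names for a
# contiguous namespace (same domain tree). Sample names are constructed.
import re
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP distinguished name into (attribute, value) pairs.

    A comma escaped as '\\,' is part of the value, not a separator.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return parts


def dns_domain_of(dn: str) -> str:
    """The DNS part of an AD name is the chain of DC= components, in order."""
    labels = [value for attr, value in parse_dn(dn) if attr == "DC"]
    if not labels:
        raise ValueError("distinguished name has no DC= components")
    return ".".join(labels).lower()


def dc_locator_query(dn: str) -> str:
    """SRV record name the client asks DNS for to find an LDAP-capable
    domain controller of the domain that holds the object."""
    return f"_ldap._tcp.dc._msdcs.{dns_domain_of(dn)}"


def contiguous(domain_a: str, domain_b: str) -> bool:
    """True when the two domains share a contiguous namespace: one is the
    other, or a DNS child of it. The comparison is label-wise, so
    microcorp.com is not treated as a child of corp.com."""
    a = domain_a.lower().strip(".").split(".")
    b = domain_b.lower().strip(".").split(".")
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return long_[len(long_) - len(short):] == short


def tree_roots(domains: List[str]) -> List[str]:
    """Group the domains of a forest into trees and return each tree's root.
    Shallowest names are examined first, so a root is seen before its children."""
    roots: List[str] = []
    for domain in sorted(domains, key=lambda d: d.count(".")):
        if not any(contiguous(domain, root) for root in roots):
            roots.append(domain.lower())
    return roots


if __name__ == "__main__":
    printer = "CN=Printer1,OU=Sales,DC=domaina,DC=smithfin,DC=com"
    print(dns_domain_of(printer))     # domaina.smithfin.com
    print(dc_locator_query(printer))  # _ldap._tcp.dc._msdcs.domaina.smithfin.com
    print(tree_roots(["domaina.smithfin.com", "smithfin.com",
                      "domainb.smithfin.com", "smithfindal.com"]))
    # ['smithfin.com', 'smithfindal.com']: two trees, so this forest has two roots
```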
AD COMPONENTS:
Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network. For more information about Active Directory security,
1) A set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names.
2) A global catalog that contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data.
3) A query and index mechanism, so that objects and their properties can be published and found by network users or applications.
4) A replication service that distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.
5) Support for Active Directory client software, which makes many features on Microsoft® Windows® 2000 Professional or Windows XP Professional available to computers running Windows 95, Windows 98, and Windows NT® Server 4.0. To client computers not running Active Directory client software, the directory will appear like a Windows NT directory.
DISADVANTAGES OF X.500
· Lack of directory interoperability.
Many directory services simply do not operate with each other. A historical example is the original X.500 directory that did not support LDAP. Even today, some products that implement a directory do not support LDAP or other widely used protocols.
· Lack of choice.
Some vendors ship solutions that are certified to work with only a limited subset of the directory services that are in use today. A customer of these vendors may be forced, for support reasons, to implement a directory service that is not already used in that customer’s organization.
· Lack of coordination.
In some cases, groups that are isolated from one another in an organization install different business solutions. This can result in the deployment of multiple directory technologies.
· Lack of security interoperability.
Business solutions seldom allow the use of identity credentials that are stored in a directory service but that are not associated with those specific solutions. This means, once again, deploying even more directory services to act as the secure credential stores for each individual business solution.
Many organizations are only now starting to come to grips with the hidden costs that are associated with the proliferation of multiple directory technologies. These costs include the following:
· Increased security risk.
As business solutions that rely on directories proliferate, it becomes increasingly challenging to ensure that these solutions integrate effectively with business processes. As employees, partners, contractors, or customers initiate or change their relationships with an organization, it is crucial that their access to VPN, PKI, NOS, or other business solutions is initiated or changed immediately. When management overhead causes slow initiation, productivity is affected. On the other hand, when changes are not quickly reflected in the various directories, a security risk develops, which could allow an unauthorized individual to have access to the network.
· High cost of ownership.
Every business solution that is based on a different directory technology requires the following:
1) A staff that is trained on that directory technology
2) Different operational and administrative procedures
3) Maintenance of additional software licenses and separate support agreements
· Increased cost of success.
Some directory technologies are licensed according to the number of objects that are created in the directories. This means that licensing and maintenance costs start spiraling upward as a business solution becomes more and more successful. Today, this situation affects organizations planning to deploy extranet access management solutions that are intended to service millions of customers.
· Lack of business process integration.
Directory information can be volatile. As users move from one group to another, change office locations or telephone numbers, and change names or job titles, their information must be updated in the directory. If this information is relied on by other business solutions that have different directories, the other directories must also be updated. Without an automated process to make these changes, data becomes stale and unsynchronized across identity stores.
BENEFITS OF AD IN APPLICATION MODE:
Active Directory Application Mode is an expanded capability of Active Directory for deployment as a lightweight directory service, allowing the rapid implementation of directory services for directory-enabled applications. Active Directory Application Mode provides all of the benefits in the following sections.
Rich and Extensible Store
Active Directory Application Mode supports a flexible and extensible schema. You can easily customize the schema using tools such as the ldifde command-line tool, the ADAM Schema snap-in, and the ADAM ADSI Edit snap-in, which are similar to their familiar Active Directory counterparts. Each ADAM instance running on the same computer can have a different schema.
A single ADAM instance can host multiple data partitions, so that you can define storage, distribution, and replication scope of the data in the partitions. The ADAM directory store provides a flexible namespace, supporting both DNS-style and X.500-style distinguished names.
The result is faster directory deployments that require less planning related to schema or naming conventions.
Replication
Active Directory Application Mode uses the same multimaster replication model that Active Directory uses, which ensures that replicated data can be modified on any ADAM instance that participates in a replica set, not just on one primary source. ADAM replication uses the same site model that Active Directory uses, and it offers such features as compressed intersite replication that you can schedule. You can manage replication with familiar tools, such as the repadmin command-line tool.
In Active Directory, replication of application data is intermingled with replication of changes to NOS data. If you are an enterprise directory administrator, you usually determine the overall replication schedule of the NOS directory to find the best schedule for the needs of all applications. With Active Directory Application Mode, you can set the replication schedule of each ADAM instance to fit the needs of specific applications.
In addition, you can replicate application data among multiple ADAM instances. You can run ADAM instances on servers that are members of an Active Directory domain, servers that are members of different domains in an Active Directory forest, or computers that are members of workgroups.
Setup and Removal
Setup for Active Directory Application Mode uses the familiar Windows-based installer. Minimal user input is required, and you can easily script the setup process. This is beneficial for unattended, silent installations that are part of a vendor application installation. You can also use the Active Directory Application Mode Setup Wizard to create a new ADAM instance or to create a replica of an existing instance.
In addition, Active Directory Application Mode provides a clean uninstall process that deletes the following:
· Instances that you select
· All associated files that contain configuration data
· The associated partition
The ease of ADAM setup, installation, and removal saves time for administrators and makes it very easy to move ADAM from testing to deployment.
Multiple Instance Support
Multiple ADAM instances can run concurrently on a single server, and each instance can be configured independently of other instances and isolated from other instances running on the same computer. Each ADAM instance is identified by a unique name and port.
Multiple instance support for ADAM provides significant benefits in the enterprise, such as server consolidation, line-of-business application development, and incremental upgrades to an enterprise suite of applications. In smaller organizations, you can use multiple instance support to configure each instance for the specific requirements of different applications. You can also query different data stores on the same computer.
Backup and Restore
Active Directory Application Mode is integrated with the backup and restore capabilities that are provided by the Windows operating system. Every ADAM instance is backed up through a configurable, automated, online process that provides immediate access to critical data. ADAM implements online backup and offline restore using the Backup utility.
Tool Support
Because Active Directory Application Mode is a mode of Active Directory, the administration experience is very similar, and ADAM uses tools that are based on familiar Active Directory tools. ADAM administration tools are installed by the Active Directory Application Mode Setup Wizard. You can use the following tools to manage ADAM:
· Ldp (Ldp.exe) permits LDAP operations to be performed against ADAM. Ldp is part of the support tools for the Windows 2000 Server family and the Windows Server 2003 family, and it uses a graphical user interface (GUI).
· The ADAM ADSI Edit snap-in is based on the familiar ADSI Edit tool. You can use ADAM ADSI Edit to view all objects in the directory (including schema and configuration information), modify objects, and set access control lists (ACLs) on objects.
· You can use familiar tools, such as PerfMon, to monitor network and system performance with ADAM. You can collect data from each ADAM instance in counter and trace logs, and you can customize performance viewing capabilities with Microsoft Management Console (MMC).
· You can use the command-line tools dsmgmt and dsdbutil (which is similar to ntdsutil) to perform database maintenance, manage and control single master operations, remove unwanted metadata, and create directory partitions.
With Active Directory Application Mode, you save training time and money, because you can maintain ADAM with tools that are very similar to the tools that you use to maintain Active Directory.
Security
Active Directory Application Mode takes advantage of the security model of the Windows operating system. You can allow and control access to objects inside ADAM, just as you can with Active Directory.
Active Directory Application Mode supports LDAP authentication for Active Directory and local Windows security principals. In addition, you can create user accounts in ADAM so that applications rely on the directory service to handle authentication while the applications handle authorization. In such cases, ADAM provides authentication solely through the LDAP simple bind mechanism.
Authorization to directory objects through ADAM is based on the existing ACL model in Windows. You can use this access control mechanism to secure detailed access to any object in each ADAM instance. This access control mechanism is based on security descriptors for security principals that already exist in the Windows security infrastructure. Applications can extend this access control mechanism to use their own framework for authorization, while using the directory service to provide authentication.
Managing Active Directory from the command line:
The following command-line tools can be used to manage Active Directory.
Dsadd:
Add users, groups, computers, contacts, and organizational units to Active Directory.
Dsmod:
Modify an existing object of a specific type in the directory. The types of objects that can be modified are: users, groups, computers, servers, contacts, and organizational units.
Dsrm:
Remove objects of the specified type from Active Directory.
Dsmove:
Rename an object without moving it in the directory tree, or move an object from its current location in the directory to a new location within a single domain controller. (For cross-domain moves, use the Movetree command-line tool.)
Dsquery:
Query and find a list of objects in the directory using specified search criteria. Use it in a generic mode to query for any type of object, or in a specialized mode to query for selected object types. The specific types of objects that can be queried through this command are: computers, contacts, subnets, groups, organizational units, sites, servers, and users.
Dsget:
Display selected attributes of specific object types in Active Directory. Attributes of the following object types can be viewed: computers, contacts, subnets, groups, organizational units, servers, sites, and users.
LDIFDE:
Create, modify, and delete directory objects. This tool can also be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
Ntdsutil:
General purpose Active Directory management tool. Use Ntdsutil to perform database maintenance of Active Directory, to manage single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
HYENA'S PRODUCT:
Hyena provides full support for Active Directory (AD) Organizational Units, directory searching, universal groups, management of object properties, security auditing, and other AD mixed and native mode features. Due to Hyena's ease-of-use, most AD environments can be managed more efficiently and quickly using Hyena's AD management functions. Hyena has numerous features that you won't find in the standard built-in Microsoft administration tools.
Hyena is the only product that supports customizable Active Directory queries at every object level. Define your own queries, or use any of the predefined queries to display custom "views" of exactly what directory attributes you want to see for organizational units, users, groups, or computers. Hyena's queries can also contain a customized LDAP filter, if desired, for the ultimate in server-side AD filtering and query performance.
With Hyena, you can access and view any AD attribute, including the employee ID and user photo attributes. Moreover, you can add your own custom AD attributes for managing users.
Hyena's Filtering Toolbar provides for powerful object filtering when browsing the contents of any OU, including traversing into sub-OUs.
FIG (A): HYENA'S FILTERING TOOLBAR
HYENA'S TREE WINDOW:
Hyena adds a new Windows 2000 domain object class. When a Windows 2000 domain is expanded in Hyena's tree window, additional sub-objects are displayed, specifically: Containers/OUs, All Users, All Groups, Global Groups, Local Groups, and Universal Groups objects. All management of the display of Active Directory objects is handled entirely by LDAP queries to Active Directory. Organizational Units (OUs) are fully supported, both for browsing OU contents and for creating new users, groups, contacts, and computer objects directly in an OU. A powerful Find feature is available for any OU, allowing selectable criteria for finding and filtering AD information. OU properties are also available, including full support for management of Group Policy Object (GPO) information.
FIG(B):HYENAS TREE WINDOW
EXTENSIVE EDITING:
Hyena includes an extensive ADSIedit-like capability to manage any Active Directory attribute for one or more directory objects. But unlike ADSI-Edit, Hyena's AD attribute management dialogs are easy to use and understand. Plus, you can define your own attribute sets to be used over and over and visually see what the values are before and after making any changes. Hyena supports the use of the standard shell property pages for management of many Active Directory objects, providing full MMC-like functionality while still providing Hyena's legendary ease of use and navigation. Hyena also supports the display of the shell context menu for most directory objects, providing access to popular Microsoft functions such as Exchange Tasks for email-enabled objects, as well as 3rd-party shell extensions. Active Directory administrators know how difficult it can be to keep track of delegated security rights. Hyena makes keeping track of this much easier with Active Directory Security Listing views: just select one or more AD objects, right-click, and select List Directory Security. It's that simple.
Hyena provides access to the standard Microsoft Active Directory 'Find' dialog, but adds two important features: The selection criteria can be saved for future or external use, and the objects that are found can be returned to Hyena for further management tasks. Hyena supports management of Exchange 5.5 and 200x mailboxes: mailbox creation, deletion, and property modification can all be easily controlled in Hyena's powerful GUI.
As always, Hyena's output window, including any Active Directory displays, can be easily exported or integrated into Hyena's built-in Microsoft Access database.
ACTIVE DIRECTORY NETWORK MANAGER:
Active Directory Network Manager provides a comprehensive solution to network administration by providing the following tools:
Onscreen Search Module
Integrated onscreen searches of any Active Directory field
Sort through account information with column sorts
Administration Module
View users in a common table without having to browse through Organizational Units to find user accounts
Perform common administrative tasks such as resetting passwords, disabling accounts and editing information
Perform edit tasks on multiple users for any Active Directory field
Security Management Module
Displays who is logged on to each workstation in your domain
Displays how long a user has been logged on to a workstation
Displays when a user account was last used
Displays when a computer account was last used
Software Management Module
Displays what software is installed on your workstations
Combines with Onscreen Search to determine which computers are running certain software to help manage licensing
Integration Module
Integrate your Active Directory with other network systems using HTTP.
CACHED CONNECTION IN ADNM:
The main benefits of ADNM are the following:
Viewing Last Login Times
The major reason most IT professionals use ADNM is to gather authoritative last login information. Last login information is spread out over the domain controllers on your network. When the user John Smith logs in to his computer, he could be authenticating against domain controller A; domain controller B will not know that this account has just logged in and so will display an older last login time. In order to gather an authoritative last login time, an application must query all domain controllers on the network and display only the latest last login time it finds for a user. ADNM is one of the few applications that will give you an authoritative last login time for your users.
Account Cleanup
Knowing when accounts were last used can help you delete unneeded accounts and prevents hackers from using them to access your network. There are major security benefits to using ADNM to clean up your Active Directory accounts.
Viewing Current Logins
The second reason IT professionals use ADNM is to view current logins on their network. ADNM also reports which user is logged in to which computer(s) and how long they have been logged in. This is also a major security feature. If a student has left themselves logged on to a computer in your computer lab, they could be running malicious software. The login duration would immediately alert you to this so you can take proper action, such as shutting down the computer.
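The merge step described above (query every domain controller, keep the newest lastLogon, then flag accounts that have not been used for a while) as an added example in Python; it is not ADNM's code or part of the report, and the per-DC results, account names and "today" date are constructed sample data standing in for LDAP query results.

```python
"""Authoritative last logon across all domain controllers.

Added example (not part of the seminar report or of ADNM): lastLogon is
written only on the domain controller that authenticated the user and is
not replicated, so an accurate value requires querying every DC and keeping
the newest timestamp. The per-DC results and the names below are constructed
sample data standing in for LDAP query results.
"""
from datetime import datetime, timedelta, timezone

# lastLogon is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD large-integer timestamp to an aware UTC datetime.
    0 is AD's value for 'never logged on here' and maps to None."""
    if not filetime:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse conversion, used here only to build the sample data."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def authoritative_last_logon(per_dc_results):
    """Merge {dc: {sAMAccountName: lastLogon}} into {sAMAccountName: newest
    datetime or None}. A DC that never authenticated the user (0) can never
    override a real timestamp seen on another DC."""
    merged = {}
    for accounts in per_dc_results.values():
        for sam, raw in accounts.items():
            seen = filetime_to_datetime(raw)
            current = merged.get(sam)
            if current is None or (seen is not None and seen > current):
                merged[sam] = seen
    return merged


def stale_accounts(last_logons, as_of, max_idle_days=90):
    """Accounts with no logon in max_idle_days (or no logon at all), sorted:
    the candidates an administrator would review before disabling."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(sam for sam, when in last_logons.items()
                  if when is None or when < cutoff)


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample: what three DCs might each return for lastLogon.
SAMPLE_DC_RESULTS = {
    "DC-A": {"jsmith": datetime_to_filetime(_utc(2008, 12, 20, 8, 30)),
             "bjones": datetime_to_filetime(_utc(2008, 6, 1, 9, 0)),
             "aliu": 0},
    "DC-B": {"jsmith": datetime_to_filetime(_utc(2008, 11, 2, 17, 45)),
             "bjones": 0,
             "aliu": 0},
    "DC-C": {"jsmith": 0,
             "bjones": datetime_to_filetime(_utc(2008, 5, 15, 12, 0)),
             "aliu": 0},
}
AS_OF = _utc(2009, 1, 6)  # constructed "today" for the report


def cleanup_report(per_dc_results=SAMPLE_DC_RESULTS, as_of=AS_OF):
    """Return (merged last logons, stale account names) for the sample."""
    merged = authoritative_last_logon(per_dc_results)
    return merged, stale_accounts(merged, as_of)


if __name__ == "__main__":
    merged, stale = cleanup_report()
    for sam, when in sorted(merged.items()):
        print(f"{sam:10} {when.isoformat() if when else 'never'}")
    print("stale:", stale)  # prints ['aliu', 'bjones']
```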
Cached Connections
Another huge feature that ADNM provides you is cached connections. When you close ADNM, it quickly writes all of your Active Directory to a data file on your computer. The next time you start ADNM, it will load this data from the file instead of connecting to your Active Directory. The advantage is that you have a cached copy of your domain in less than a few seconds, whereas it takes considerably longer to connect to your Active Directory and download this data. To determine if you are viewing a cached connection, take a look at the bottom right corner of ADNM. You will see something similar to figure 2 shown below with either a cached connection indicator or a live connection. Either way, ADNM will also show you a timestamp of when it was last refreshed.
FIG (C): CACHED CONNECTION INDICATOR
Working with Cached Connections
ADNM will start up using cached connections by default. When you need to perform some action such as deleting an account or resetting a password, ADNM will move seamlessly into a live connection. There will be a brief delay when this happens as ADNM establishes the connection with the server. You will see a notification in the progress panel of ADNM that it is logging in while this happens. At this point, you will be looking at cached data, but will have a live connection to your Active Directory. After this live connection is established, all future actions will use it to connect to your Active Directory, so you will not have to wait a second time for the connection to establish. This is the case unless you are idle for so long that the connection times out and ADNM must reconnect.
Refreshing the Data
If you are working off cached data/a cached connection, you can switch to a live connection and download the latest data from your Active Directory by clicking on the refresh button, or by clicking on the Action menu, then clicking on the Refresh menu. At this point you will see the icon in the bottom right corner change to a lock meaning you have a live connection to the domain controller.
Browsing the Active Directory
Explorer View
The explorer tab in ADNM has a similar interface to the Active Directory Users and Computers tool that Microsoft provides. You can browse through a tree of your folders and organizational units on the left side. The right side of the explorer tab shows the contents of those folders and OUs.
Users View
The user tab of ADNM shows all users in your Active Directory no matter where those users are located in your Active Directory. This is probably the tab you will visit most to disable/enable user accounts, reset passwords, etc. You do not have to browse through the explorer tree to find a user; it is in this table, so just scroll down until you find the user.
Computers View
The computer tab of ADNM shows all computers on your network. It will show you both servers and workstations in your Active Directory.
Searching
On both the Users and Computers tabs, we have included an inline search utility. If you have used Active Directory Users and Computers much, you have probably noticed how cumbersome the search is. With ADNM, your search results display at the top of the tab, so you don't have to leave your main window to search. We will have a tutorial dedicated to this feature later on, but wanted to point out this powerful tool.
Changing Views
We have provided the views that we believe will aid network administrators the most; however, there is too much information in Active Directory to display on one screen, so we have created different views of the data that you can switch to. At the bottom left of ADNM, you have a number of buttons with different view names on them (see Figure 3). Click on these buttons and different fields will appear in the table. For instance, if you want to view the contact information for your users, click the corresponding view button and the table will populate with values for address, city, state, zip, postal code, telephone number, etc.
FIG: AD VIEW IN ADNM
FIG: THREE PRIMARY VIEWS OF AD
Editing Views
You can add/remove fields from any view to customize ADNM to fit your needs. To do this, select the view you wish to customize, then click on the "Options" tab. In the options tab select if you will be editing the current Explorer View, User View or Computer View. At this point the table on the right will contain the currently visible fields and all available fields (see Figure 4). Use the Add and Remove buttons between these two tables to add/remove fields to your view. The user/computer/object name will always appear in the view so you know what objects you are looking at, therefore you will not need to add this field. When you are finished adding/removing fields, click the "Apply Columns" button at the top of this tab.
Editing Other Settings
The general section of the Options tab has a number of different settings that can optimize your connection to your Active Directory. Here you can specify if you would like to connect to secondary domain controllers, if you would like to query computers on your network for software/user auditing, and how many fields you would like to retrieve from ADNM. If you find that ADNM runs slowly with your setup, you might want to consider disabling some of these options to get better performance.
ACTIVE DIRECTORY FUNCTIONS:
· MULTIPLE MASTER DESIGN :
Windows 2000 domains work using a multiple master design with restricted master operations on a master domain controller. This was done to distribute the load on domain controllers, but there are some operations that can only be done on a single or "master" controller.
· FLEXIBLE SINGLE MASTER OPERATION:
There is a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An administrator determines which operations must be done on the master controller. These operations are all set up on the master controller by default and can be transferred later. FSMO operation types include:
Schema Master –
Makes changes to the database schema. Applications may remotely connect to the schema master.
Domain Naming Master –
Adds or removes domains to or from the forest.
PDC Emulator –
When Active Directory is in mixed mode, the domain controller holding this role acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default. Functions performed by the PDC emulator:
User account changes and password changes.
SAM directory replication requests.
Domain master browser requests.
Authentication requests.
The NTLM protocol is used by the PDC emulator to contact non-Windows 2000 clients and servers for the exchange of authentication information. When contacting Windows 2000 servers, the Windows 2000 protocol is used.
Relative ID Master (RID Master) –
All objects have a Security Identifier (SID) and a domain SID. The RID Master assigns relative IDs to each domain controller.
Infrastructure Master –
Updates group membership information when users from other domains are moved or renamed. If you transfer this function, it should not be transferred to the domain controller that is the global catalog server. If this is done, the Infrastructure Master will not function.
AD File Storage
Database file –
Stored in SystemRoot\NTDS\ntds.dit, it holds all AD objects and attributes. It contains these tables:
Object table - Has a row for each object in AD.
Link table - Stores inter-object relationship information.
Schema table - Has a list of all objects and their attributes.
Log file –
The following files are stored in the SystemRoot directory in the NTDS folder.
Checkpoint log files - Holds pointers to transaction logs that have been committed to the AD database. The file name is edb.chk.
Transaction log files - Store transactions that are either committed or are about to be committed to the AD database. The file name is edb.log. If more than one log file is used, the log file name is edbhhhhhh.log, where "hhhhhh" is a hexadecimal number.
Patch files - Manages data while backups are done. These files have the file extension ".pat".
Reserve log files - Reserve hard drive space for transaction log files. The file names are res1.log and res2.log.
Garbage collection
Active Directory performs garbage collection. Deleted AD objects are tagged with a tombstone rather than being immediately removed. The tombstone lifetime attribute (default of 60 days) defines how long the tombstoned object remains in the database before it is deleted.
New features for Active Directory
Directory service backup reminders.
A new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If halfway through the tombstone lifetime a partition has not been backed up, this event is logged in the Directory Service event log and continues daily until the partition is backed up.
Added replication security and fewer replication errors.
Replication metadata for domain controllers from which Active Directory has been removed is no longer retained by default, although a waiting period can be configured. This change improves replication security and eliminates replication error messages that are caused by failed attempts to replicate with decommissioned domain controllers. For more information about preserving replication metadata
Install from Media improvement for installing DNS servers.
Install from Media improvements make it easier to create a new domain controller that is a DNS server by providing a new option to include application directory partitions in the backup media that is used to install the new domain controller. This option eliminates the requirement for replication of the DomainDNSZones and ForestDNSZones application directory partitions before the DNS server is operational.
Enhancements for replication and DNS testing.
The Dcdiag.exe command-line tool, which is available in Windows Support Tools, provides new reporting on the overall health of replication with respect to Active Directory security. This test provides a summary of results, along with detailed information for each domain controller that is tested and a diagnosis of any security errors. Dcdiag.exe also has new Domain Name System (DNS) tests for connectivity, service availability, forwarders and root hints, delegation, dynamic update, locator record registrations, external name resolution, and enterprise infrastructure. These tests can be performed on one domain controller or on all domain controllers in a forest.
Support for running domain controllers in virtual machines.
On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005, you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines. This platform is well suited for test environments. By using virtual machines, you can effectively host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one physical server that is running a single operating system. Windows Server 2003 SP1 also provides protection against directory corruption that can result from improper backup and restore of domain controller images.
Operations master health and status reporting.
If an operation that requires a domain controller that holds an operations master role (also known as flexible single-master operations (FSMO)) cannot be performed, events are now logged in the Directory Service event log. Events identify role holders that do not exist, exist but are not available, or are available but have not replicated recently with the contacting domain controller.
Extended storage of deleted objects.
The default period that a copy of a deleted object is retained in Active Directory, called the tombstone lifetime, is extended from 60 days to 180 days. Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected domain controller beyond the time when the object is permanently deleted from online domain controllers. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days.
Improved domain controller name resolution.
In response to DNS name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration.
Improved server metadata removal.
The Ntdsutil.exe command-line tool for managing the Active Directory database has new functionality that makes it easier to remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to remove. You can also specify the server on which to perform the deletion. Metadata removal is now more comprehensive: in addition to Active Directory replication metadata, the tool now removes File replication service (FRS) metadata and operations master metadata. If an operations master role is assigned to the server that is being removed, the tool attempts to transfer the role to an appropriate domain controller.
Improved security to protect confidential attributes.
To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated.
Retention of SID history on tombstones.
The sIDHistory attribute has been added to the set of attributes that are retained on an object tombstone when the object is deleted. If a tombstoned object is reactivated (undeleted), the sIDHistory attribute is now restored with the object.
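The confidential-attribute designation two entries above and the tombstone retention described here both live in the searchFlags bit mask of an attributeSchema object; the added Python example below (not from the report or from Microsoft's tooling) decodes that mask, adds the confidential bit without clobbering existing bits, and emits the LDIF modify entry that would apply the change. The attribute names, DNs and existing flag values are constructed sample data, and the function names are this example's own.

```python
"""Marking a schema attribute confidential via searchFlags.

Added example, not from the seminar report: the confidential designation is
bit 0x80 of the attributeSchema object's searchFlags attribute, a bit mask
that must be OR-ed into the existing value rather than overwritten. The same
mask carries the preserve-on-delete bit (0x08) that keeps an attribute's
value on a tombstone. Attribute names, DNs and flag values below are
constructed sample data; the function names are this example's own.
"""

# searchFlags bits on an attributeSchema object.
SEARCH_FLAGS = {
    0x01: "INDEX",               # attribute is indexed
    0x02: "CONTAINER_INDEX",     # indexed per container
    0x04: "ANR",                 # part of ambiguous name resolution
    0x08: "PRESERVE_ON_DELETE",  # value kept on the tombstone
    0x10: "COPY",                # copied when an object is copied
    0x20: "TUPLE_INDEX",         # tuple index for medial-string searches
    0x40: "SUBTREE_INDEX",       # subtree index for Virtual List Views
    0x80: "CONFIDENTIAL",        # read needs CONTROL_ACCESS, not plain read
}
CONFIDENTIAL = 0x80
# systemFlags bit marking a base-schema (category 1) attribute; the
# confidential bit can only be set on attributes added to the schema.
FLAG_SCHEMA_BASE_OBJECT = 0x10


def decode_search_flags(value):
    """Names of the bits set in a searchFlags value, lowest bit first."""
    return [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]


def is_confidential(search_flags):
    return bool(search_flags & CONFIDENTIAL)


def can_be_confidential(attribute):
    """Only non-base (category 2) schema attributes accept the flag."""
    return not attribute["systemFlags"] & FLAG_SCHEMA_BASE_OBJECT


def mark_confidential(attribute):
    """Return (new searchFlags, LDIF modify entry) that adds the confidential
    bit while keeping every other bit, such as an existing index."""
    if not can_be_confidential(attribute):
        raise ValueError(f"{attribute['cn']} is a base-schema attribute")
    new_flags = attribute["searchFlags"] | CONFIDENTIAL
    ldif = "\n".join([
        f"dn: {attribute['dn']}",
        "changetype: modify",
        "replace: searchFlags",
        f"searchFlags: {new_flags}",
        "-",
        "",
    ])
    return new_flags, ldif


# Constructed sample schema entries (DNs, systemFlags and searchFlags are
# illustrative, not read from a real forest).
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"
SAMPLE_CUSTOM_ATTRIBUTE = {      # an added attribute holding a tax id
    "cn": "example-EmployeeTaxId",
    "dn": f"CN=example-EmployeeTaxId,{SCHEMA_NC}",
    "systemFlags": 0,
    "searchFlags": 0x01,         # already indexed
}
SAMPLE_BASE_ATTRIBUTE = {        # a base-schema attribute: cannot be marked
    "cn": "sAMAccountName",
    "dn": f"CN=SAM-Account-Name,{SCHEMA_NC}",
    "systemFlags": FLAG_SCHEMA_BASE_OBJECT,
    "searchFlags": 0x01,
}

if __name__ == "__main__":
    flags, ldif = mark_confidential(SAMPLE_CUSTOM_ATTRIBUTE)
    print(decode_search_flags(flags))  # ['INDEX', 'CONFIDENTIAL']
    # Schema writes go to the Schema Master, e.g. with ldifde -i -f file.ldf
    print(ldif)
```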
Adprep.exe improvements for Windows 2000 Server upgrades.
The Adprep tool has been improved to reduce the impact of FRS synchronization that results from updating SYSVOL files during upgrade. Adprep is used to upgrade the Windows 2000 Server schema to the Windows Server 2003 schema and to update some forest- and domain-specific configuration, including SYSVOL, that is required for a Windows Server 2003 domain controller to be operational. The tool now allows performing SYSVOL operations in a separate step when the domain is prepared for upgrade. A new switch, /gpprep, has been added to accommodate the SYSVOL updates, which can be performed at a convenient time following the upgrade. The adprep /domainprep command, which formerly performed both directory and SYSVOL updates, now updates only the directory. Adprep also now detects third-party schema extensions that block an upgrade, identifies the blocking extensions, and recommends fixes. Microsoft Exchange schema objects are also detected so that the Exchange schema can be prepared appropriately to accommodate inetOrgPerson naming.
Improved authoritative restore.
The authoritative restore option in Ntdsutil now locates backlinks for all objects that are authoritatively restored, including links that were created before implementation of the Windows Server 2003 or Windows Server 2003 interim forest functional level, in which linked-value replication (LVR) functionality was introduced. For example, suppose that a user object is restored and the user belongs to group G1, which was created before the forest functional level was raised, and the user also belongs to group G2, which was created after the forest functional level was raised. During authoritative restore of the user object, the member attribute of G2 is updated, but not the member attribute of G1. Ntdsutil now creates a text file that identifies the authoritatively restored objects and uses this file to create an LDAP Data Interchange Format (LDIF) file that can be used to restore all backlinks for pre-LVR groups in this domain. In the example, when this LDIF file is run after authoritative restore, the restored user is added to group G1. A new option in authoritative restore also allows you to generate an LDIF file that you can use to restore links in other domains in which a restored object has backlinks.
The features listed below are mainly intended for Windows Server 2003. These are as follows:
The following list summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003.
Multiple selection of user objects.
Modify common attributes of multiple user objects at one time.
Drag-and-drop functionality.
Move Active Directory objects from container to container by dragging one or more objects to a desired location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.
Efficient search capabilities.
Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.
Saved queries.
Save commonly used search parameters for reuse in Active Directory Users and Computers.
Active Directory command-line tools.
Run new directory service commands for administration scenarios.
InetOrgPerson class.
The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.
Application directory partitions.
Configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.
Ability to add additional domain controllers using backup media.
Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.
Universal group membership caching.
Prevent the need to locate a global catalog across a WAN when logging on by storing universal group membership information on an authenticating domain controller.
Secure LDAP traffic.
Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
Active Directory quotas.
Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise Administrators are exempt from quotas.