Active Directory Functions

Flexible Single Master Operations (FSMO)

Active Directory in Windows 2000 uses a multi-master design: most changes can be written on any domain controller and are then replicated to the others, which spreads the load across the controllers. A few operations would produce conflicts if two controllers performed them at the same time, so each of those is restricted to a single "master" controller.

These restricted operations are the Flexible Single Master Operations (FSMO). When the first domain controller in a forest is installed it holds all of the roles by default; an administrator can later transfer a role to another controller, or seize it if the holder is permanently lost. Two roles exist once per forest (Schema Master and Domain Naming Master) and three exist once per domain (PDC Emulator, RID Master and Infrastructure Master). The FSMO roles are:

  • Schema Master - The only controller on which changes to the schema can be written (one per forest). Applications that extend the schema connect to the schema master to do so.
  • Domain Naming Master - Adds domains to, or removes domains from, the forest (one per forest).
  • PDC Emulator - While the domain is in mixed mode, the controller holding this role acts as a Windows NT primary domain controller (PDC) towards Windows NT backup domain controllers and towards clients that do not run Windows 2000. The first server to become a Windows 2000 domain controller in a domain takes this role by default (one per domain). Functions performed by the PDC emulator:
    • User account changes and password changes. A password change made on any other controller is forwarded to the PDC emulator first, so it always has the newest password.
    • SAM directory replication to Windows NT backup domain controllers.
    • Domain master browser requests.
    • Authentication requests. A logon that fails on another controller because of a bad password is retried against the PDC emulator before it is rejected, in case the password was just changed.
    The PDC emulator uses the NTLM protocol to exchange authentication information with clients and servers that are not running Windows 2000; with Windows 2000 systems, Kerberos is used.
  • Relative ID Master (RID Master) - Every security principal has a Security Identifier (SID) made up of the domain's SID followed by a relative identifier (RID) that is unique within the domain. Because any controller can create accounts, the RID master hands each domain controller a pool of RIDs to draw from, so that no two controllers ever issue the same SID (one per domain). The RID master is also needed when an object is moved from one domain to another.
  • Infrastructure Master - Updates references to objects in other domains, such as the membership of a group that contains users from another domain, when those objects are moved or renamed (one per domain). Do not transfer this role to a domain controller that is also a global catalog server, unless every domain controller in the domain is a global catalog server: the infrastructure master finds stale references by comparing its copy against a global catalog, and if it is itself a global catalog it never sees a difference, so the role stops updating anything.

An Operations Master is any domain controller that holds one or more of the roles listed above.
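Each role holder is recorded in the directory itself, in the fSMORoleOwner attribute of one well-known object, and the value is the DN of the holder's "NTDS Settings" object. The following is an added example, not code from the original page: it lists those objects for a domain, extracts the server and site from each fSMORoleOwner value, and checks the Infrastructure Master against the global catalog rule above using bit 0 of the NTDS Settings "options" attribute. The LDAP entries in DIRECTORY (forest root corp.example, child domain emea, site Head-Office, controllers DC1 to DC3) are constructed for the example and are not taken from any real directory.

```python
"""Where the FSMO roles are recorded in Active Directory and how to read them.

Added example, not part of the original page.  The entries in DIRECTORY are a
constructed stand-in for what an LDAP search would return; the names
corp.example, emea, Head-Office and DC1..DC3 are assumptions for the example.
"""
import re

NTDSDSA_OPT_IS_GC = 0x1  # bit 0 of an NTDS Settings object's "options" attribute


def fsmo_role_objects(domain_dn, forest_root_dn):
    """Return {role name: DN of the object whose fSMORoleOwner names the holder}.

    The first two roles are forest-wide and live in the Configuration partition
    under the forest root; the last three are per domain.
    """
    return {
        "Schema Master":         f"CN=Schema,CN=Configuration,{forest_root_dn}",
        "Domain Naming Master":  f"CN=Partitions,CN=Configuration,{forest_root_dn}",
        "PDC Emulator":          domain_dn,
        "RID Master":            f"CN=RID Manager$,CN=System,{domain_dn}",
        "Infrastructure Master": f"CN=Infrastructure,{domain_dn}",
    }


NTDS_SETTINGS_RE = re.compile(
    r"^CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,"
    r"CN=(?P<site>[^,]+),CN=Sites,CN=Configuration,",
    re.IGNORECASE,
)


def parse_role_owner(ntds_settings_dn):
    """Split an fSMORoleOwner value into (server name, site name)."""
    m = NTDS_SETTINGS_RE.match(ntds_settings_dn)
    if m is None:
        raise ValueError(f"not an NTDS Settings DN: {ntds_settings_dn}")
    return m.group("server"), m.group("site")


def role_holders(directory, domain_dn, forest_root_dn):
    """Map every role to the (server, site) of the controller holding it."""
    return {
        role: parse_role_owner(directory[dn]["fSMORoleOwner"])
        for role, dn in fsmo_role_objects(domain_dn, forest_root_dn).items()
    }


def is_global_catalog(directory, ntds_dn):
    """True if the NTDS Settings object has the global catalog bit set."""
    return bool(directory[ntds_dn].get("options", 0) & NTDSDSA_OPT_IS_GC)


def infrastructure_master_problem(directory, domain_dn, forest_root_dn):
    """Return a warning if the Infrastructure Master is a global catalog while
    some other controller in the domain is not; otherwise None.

    Assumes every "CN=NTDS Settings,..." entry in `directory` belongs to this
    domain (true for the constructed sample below).
    """
    holder = directory[f"CN=Infrastructure,{domain_dn}"]["fSMORoleOwner"]
    controllers = [dn for dn in directory if dn.upper().startswith("CN=NTDS SETTINGS,")]
    if is_global_catalog(directory, holder) and not all(
        is_global_catalog(directory, dn) for dn in controllers
    ):
        server, _ = parse_role_owner(holder)
        return (f"Infrastructure Master {server} is a global catalog but not every "
                f"controller in the domain is; cross-domain references will not be updated")
    return None


FOREST_ROOT_DN = "DC=corp,DC=example"            # assumed forest root
DOMAIN_DN = "DC=emea,DC=corp,DC=example"         # assumed child domain


def ntds_dn(server, site="Head-Office"):
    """DN of a server's NTDS Settings object (Configuration lives under the root)."""
    return (f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},"
            f"CN=Sites,CN=Configuration,{FOREST_ROOT_DN}")


DIRECTORY = {  # constructed sample of the attributes an LDAP search would return
    f"CN=Schema,CN=Configuration,{FOREST_ROOT_DN}":     {"fSMORoleOwner": ntds_dn("DC1")},
    f"CN=Partitions,CN=Configuration,{FOREST_ROOT_DN}": {"fSMORoleOwner": ntds_dn("DC1")},
    DOMAIN_DN:                                          {"fSMORoleOwner": ntds_dn("DC1")},
    f"CN=RID Manager$,CN=System,{DOMAIN_DN}":           {"fSMORoleOwner": ntds_dn("DC1")},
    f"CN=Infrastructure,{DOMAIN_DN}":                   {"fSMORoleOwner": ntds_dn("DC2")},
    ntds_dn("DC1"): {"options": NTDSDSA_OPT_IS_GC},  # DC1 and DC2 are global catalogs
    ntds_dn("DC2"): {"options": NTDSDSA_OPT_IS_GC},
    ntds_dn("DC3"): {"options": 0},                  # DC3 is not, so DC2 is a bad choice
}

if __name__ == "__main__":
    for role, (server, site) in role_holders(DIRECTORY, DOMAIN_DN, FOREST_ROOT_DN).items():
        print(f"{role:22} {server} ({site})")
    print(infrastructure_master_problem(DIRECTORY, DOMAIN_DN, FOREST_ROOT_DN))
```

Against a live domain the same five DNs can be read with any LDAP client; because the values point at NTDS Settings objects rather than computer accounts, the holder's site falls out of the DN for free, which is useful when deciding which controller to transfer a role to.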

Windows 2000 Client Authentication

When the domain is in mixed mode, the PDC emulator lets clients that are not running Windows 2000 authenticate with the NTLM protocol rather than Kerberos. If a Windows 2000 client cannot find a Windows 2000 domain controller to log on to, it falls back to a Windows NT domain controller using NTLM. A Windows 2000 client that logs on through a Windows NT domain controller does not receive group policy objects, because Windows NT controllers know nothing about Group Policy.

Global Catalog Server

The Global Catalog Server (GCS) is a domain controller that also holds the global catalog: a full, writable replica of every object in its own domain plus a partial, read-only replica of every object in every other domain of the forest, carrying only the attributes most often used in searches. The catalog records universal groups and their members, which is what lets a controller build a complete access token at logon. It also holds domain local and global groups, but not their membership lists, since those are only needed inside the owning domain. Clients use the global catalog to locate resources and to search for objects anywhere in the forest; it answers these queries over LDAP on port 3268 rather than the usual 389.

By default the first domain controller in the forest is a global catalog server. To make another domain controller a global catalog server, or to remove the role, open the "Active Directory Sites and Services" tool in "Administrative Tools", select the server's "NTDS Settings" object, open its properties and set or clear the "Global Catalog" check box.

In native mode a global catalog server must be reachable at logon so that the user's universal group membership can be evaluated. If none is available the domain logon is refused, unless the user is a member of the group "Domain Admins".

A Universal group may contain users and groups from any domain in the forest. Universal security groups are available only once the domain is in native mode.

Adding global catalog servers makes forest-wide searches faster and removes a single point of failure for logon, but each additional catalog must receive the partial replicas of every domain, so more network bandwidth is used for replication between global catalog servers.

AGDLP rule

Accounts are placed in Global groups, Global groups are placed in Domain Local groups, and Permissions are granted to the Domain Local groups. Group membership is then managed in the account's own domain while permissions stay attached to a group in the resource's domain, and an access control list never has to be touched when people join or leave. In a multi-domain forest a Universal group can sit between the global and domain local groups (AGUDLP).

AD File Storage

  • Database file - Stored by default as %SystemRoot%\NTDS\ntds.dit, it holds all AD objects and their attributes. It contains these tables:
    • Object table - Has a row for each object in AD and a column for each attribute.
    • Link table - Stores relationships between objects, such as group membership.
    • Schema table - Lists the classes of object that can be created and the attributes each class may carry.
  • Log files - The following files are also stored in %SystemRoot%\NTDS by default (the database and the logs can be placed on separate disks when the domain controller is promoted):
    • Checkpoint file - edb.chk records which transactions in the log files have already been written to the database, so that recovery after a crash knows where to resume.
    • Transaction log files - edb.log stores transactions that have been committed or are about to be committed to the AD database. When it fills, it is renamed to a numbered file (edb00001.log, edb00002.log and so on, the number being hexadecimal) and a new edb.log is started.
    • Patch files - Hold changes made to the database while a backup is in progress. These files have the file extension ".pat".
    • Reserve log files - res1.log and res2.log reserve disk space so that pending transactions can still be written if the disk fills up.

Garbage collection

Active Directory performs garbage collection. A deleted AD object is not removed immediately; it is stripped of most attributes, marked with a tombstone and moved to the "Deleted Objects" container, so that the deletion itself can replicate to every other domain controller. The tombstone lifetime attribute (default 60 days) defines how long the tombstone remains in the database before the garbage collection process, which runs on each controller every 12 hours by default, deletes it for good. The same limit bounds how old a backup may be: a backup, or a domain controller that has been offline, older than the tombstone lifetime must not be restored or reconnected, because it may still contain objects whose tombstones have already been collected elsewhere, and replication would bring them back.
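The following is an added example, not code from the original page, that works through the arithmetic behind these rules. tombstoneLifetime (in days) and garbageCollPeriod (in hours) are attributes of the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration under the forest root; when either is absent, the Windows 2000 defaults of 60 days and 12 hours apply. The timestamps and deleted-object names below are constructed for the example.

```python
"""Tombstone lifetime and garbage collection arithmetic for Active Directory.

Added example, not part of the original page.  The attribute dictionary,
deleted-object names and timestamps are constructed for the example; the
attribute names and defaults are those of Windows 2000.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60
DEFAULT_GARBAGE_COLL_PERIOD_HOURS = 12


def directory_service_settings(attrs):
    """Return (tombstone lifetime, garbage collection period) as timedeltas,
    using the Windows 2000 defaults when the attributes are not set."""
    days = attrs.get("tombstoneLifetime", DEFAULT_TOMBSTONE_LIFETIME_DAYS)
    hours = attrs.get("garbageCollPeriod", DEFAULT_GARBAGE_COLL_PERIOD_HOURS)
    return timedelta(days=days), timedelta(hours=hours)


def tombstone_is_collectable(deleted_at, now, tombstone_lifetime):
    """True once a tombstone has outlived the lifetime; the next garbage
    collection pass will remove it permanently."""
    return now - deleted_at >= tombstone_lifetime


def collect_tombstones(tombstones, now, tombstone_lifetime):
    """One garbage collection pass: split {dn: deletion time} into the DNs that
    are purged now and those that stay as tombstones."""
    purged = [dn for dn, t in tombstones.items()
              if tombstone_is_collectable(t, now, tombstone_lifetime)]
    kept = [dn for dn in tombstones if dn not in purged]
    return purged, kept


def restore_is_safe(snapshot_time, now, tombstone_lifetime):
    """A backup, or a controller that last replicated at snapshot_time, may be
    restored or reconnected only while it is younger than the tombstone
    lifetime; otherwise it can reintroduce objects whose tombstones are gone."""
    return now - snapshot_time < tombstone_lifetime


def replication_deadline(snapshot_time, tombstone_lifetime):
    """Latest moment by which a controller must replicate again, or a backup
    must be used, before it becomes unsafe."""
    return snapshot_time + tombstone_lifetime


NOW = datetime(2001, 3, 1, tzinfo=timezone.utc)      # constructed "current time"
TOMBSTONES = {                                       # constructed deleted objects
    "CN=jsmith,CN=Deleted Objects,DC=corp,DC=example":     NOW - timedelta(days=61),
    "CN=oldprinter,CN=Deleted Objects,DC=corp,DC=example": NOW - timedelta(days=60),
    "CN=tmp-share,CN=Deleted Objects,DC=corp,DC=example":  NOW - timedelta(days=3),
}
BACKUP_TAKEN = NOW - timedelta(days=45)   # constructed: a recent system state backup
STALE_BACKUP = NOW - timedelta(days=75)   # constructed: older than the tombstone lifetime

if __name__ == "__main__":
    lifetime, period = directory_service_settings({})   # attributes absent: defaults
    print(f"tombstone lifetime {lifetime.days} days, collection every {period}")
    purged, kept = collect_tombstones(TOMBSTONES, NOW, lifetime)
    print("purged:", purged)
    print("kept:  ", kept)
    for label, when in (("recent backup", BACKUP_TAKEN), ("stale backup", STALE_BACKUP)):
        print(f"{label}: safe={restore_is_safe(when, NOW, lifetime)} "
              f"deadline={replication_deadline(when, lifetime):%Y-%m-%d}")
```

Raising tombstoneLifetime lengthens the window in which old backups and long-disconnected controllers can be brought back, at the cost of a larger ntds.dit; whatever value is chosen, the backup rotation and the replication monitoring should both be checked against it.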