Exchange Geek's Weblog

Active Directory Name Space Structure (Incomplete)

Posted by Milind Naphade on 01/05/2008

It's been quite a long time now since I published my last post explaining typeful names and the other Active Directory terms. My team and I were working on a mail archiving solution for a few days and were hell busy determining the requirements as well as the suitability of the product for our environment. Finally, GFI MailArchiver is set up and has started functioning. Good software! It provides fantastic features and integration with Exchange, though it does not touch the Exchange configuration at all.
There is a lot to elaborate on about every topic we come across, but that would disturb the main stream of the series. Back to the main objective: let's return to the Active Directory series once again. Today we will try to understand the Active Directory namespace structure.
Up to this point we have become familiar with generic LDAP terms and acronyms. Now we need to understand what we need to store in Active Directory. To the best of my knowledge, the things to be stored fall into the following three categories.

Information about network security entities. This includes users, computers, and groups along with applications such as group policies, DNS, RAS, COM and so forth.
Information about the Active Directory mechanisms. This includes replication, network services, permissions, and user interface displays.
Information about the Active Directory schema. This includes objects that define the classes and attributes in Active Directory.

While implementing the concept of Active Directory in real-world scenarios, Microsoft had to think of a way to structure this information that is compatible with LDAP while retaining backward compatibility with classic Windows NT. In Windows NT the information about security entities is stored in the SAM and SECURITY databases in the registry. Microsoft calls the contents of the SAM database a domain. Because the only way to control access to the SAM is to control access to the entries in the SAM, a domain defines a security boundary as well as a management boundary.
The SAM databases in classic NT domains cannot be combined. To get a common security boundary, the domains must be knitted together using trust relationships. When one domain trusts another, members of the trust-ed domain can be used as security entities in the trust-ing domain. The underlying authentication mechanism, NT LanMan challenge-response, supports this trust relationship by permitting pass-through authentication of users from trusted domains.
There is a lot still to write about the AD namespace structure, but again there is the time restriction. Next time I will post a few more things on my blog covering a more detailed discussion of the Active Directory namespace structure. They will be:
Active Directory Naming Contexts
Domain Naming Context
Schema Naming Context
Application Naming Context
Configuration Naming Context
and a few more things. I hope that by then I will have finished all my pending work and will be able to write down some more interesting stuff about it.
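As an added example that is not part of the original post, the script below shows how the naming contexts listed above appear in practice: a domain controller advertises them in its RootDSE object, and the fixed shape of the namespace (schema under configuration, configuration under the forest root domain) can be checked from those attributes alone. The RootDSE values are constructed sample data for a fictitious forest "example.test" with one child domain, not read from a live DC.

```python
"""Classify the naming contexts a DC advertises in RootDSE (added example)."""

# Constructed sample RootDSE attributes for a fictitious forest; a real DC
# returns these for a base-scope LDAP read of the empty DN.
SAMPLE_ROOTDSE = {
    "rootDomainNamingContext": "DC=example,DC=test",
    "defaultNamingContext": "DC=child,DC=example,DC=test",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=example,DC=test",
    "configurationNamingContext": "CN=Configuration,DC=example,DC=test",
    "namingContexts": [
        "DC=child,DC=example,DC=test",
        "CN=Configuration,DC=example,DC=test",
        "CN=Schema,CN=Configuration,DC=example,DC=test",
        "DC=DomainDnsZones,DC=child,DC=example,DC=test",
        "DC=ForestDnsZones,DC=example,DC=test",
    ],
}


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) RDN pairs, case-folded (no escaping support)."""
    return [tuple(p.strip().split("=", 1)) for p in dn.lower().split(",")]


def is_descendant(dn: str, ancestor: str) -> bool:
    """True if `dn` sits strictly below `ancestor` (ancestor's RDNs are a suffix)."""
    child, parent = parse_dn(dn), parse_dn(ancestor)
    return len(child) > len(parent) and child[-len(parent):] == parent


def classify_naming_contexts(rootdse: dict) -> dict:
    """Map each advertised naming context to domain/schema/configuration/application."""
    result = {}
    for nc in rootdse["namingContexts"]:
        if nc == rootdse["schemaNamingContext"]:
            result[nc] = "schema"
        elif nc == rootdse["configurationNamingContext"]:
            result[nc] = "configuration"
        elif nc == rootdse["defaultNamingContext"]:
            result[nc] = "domain"
        else:
            # Any other partition the DC hosts is an application NC (e.g. DNS zones).
            result[nc] = "application"
    return result


def check_structure(rootdse: dict) -> bool:
    """Schema NC must lie under the configuration NC, which lies under the forest root."""
    return (is_descendant(rootdse["schemaNamingContext"], rootdse["configurationNamingContext"])
            and is_descendant(rootdse["configurationNamingContext"], rootdse["rootDomainNamingContext"]))


if __name__ == "__main__":
    for dn, kind in classify_naming_contexts(SAMPLE_ROOTDSE).items():
        print(f"{kind:14} {dn}")
    print("structure ok:", check_structure(SAMPLE_ROOTDSE))
```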