
University of Nebraska–Lincoln

Active Directory

Windows 2000 Active Directory Implementation at UNL

Twenty-First Century Networking for UNL

Windows 2000 is the forthcoming release of the Windows NT platform. It includes many enhancements over previous versions, one of the more important of which is called Active Directory.

Currently, there are over 500 NT domains or workgroups on campus. Within a domain, resources can be shared easily. Access to resources located in another domain, however, can be very difficult, because each domain has its own security database and an explicit trust relationship must be set up by hand between two domains before users of one can reach resources in the other. Active Directory provides a solution to this problem.

Active Directory expands the current domain structure into parent and child domains. A parent domain and its children form a tree, and one or more trees form a forest; the domains in a forest trust one another automatically, so users in one branch of a tree can be granted access to resources in another branch with considerably less difficulty than linking NT 4 domains. Active Directory scales well, but the domain and tree layout is difficult to change once it is deployed, so proper planning will help avoid potential problems.

WINS

One of the basic building blocks of Windows networking is the ability to associate a name with an address. This is similar to being able to visit a web site using a name (www.unl.edu) instead of an IP address (129.93.1.25). The original Windows mechanism, NetBIOS name resolution, found computers by broadcasting on the local network. That was sufficient for small networks, but broadcasts do not cross routers, so as the number of computers and network segments grew, the ability to find a specific computer diminished. To make Windows networking work across a routed TCP/IP network, Microsoft added a central database that maps Windows computer names to IP addresses. In NT 4, the service that provides this mapping is called Windows Internet Name Service, or WINS.

Active Directory is the next revision of this function. Where WINS kept track only of names and the corresponding IP addresses of Windows computers, Active Directory uses DNS to locate domain controllers and services, and it tracks much more information, including users, computers, and other network resources such as printers.

DNS & DHCP

Two vital components of Active Directory are the Domain Name Service (DNS) and the Dynamic Host Configuration Protocol (DHCP). These protocols have existed for some time, but Active Directory depends on them and changes the way these services interact.

Every computer connected to the network has a physical (hardware) address encoded on its network adapter. To communicate over TCP/IP, including reaching the Internet, the computer also needs an IP address. While this address can be configured manually, DHCP will assign it automatically. This has quite a few advantages:

  • No long strings of numbers to remember
  • Easier diagnosis of network problems
  • Ability to plug a laptop in anywhere on campus without having to do any reconfiguration

A computer configured to use DHCP broadcasts a request when it starts. The request is forwarded to the campus DHCP server, which assigns the computer the first available address from the pool of addresses set aside for that building. The server then tells the requesting computer its IP address, along with other vital network parameters such as the WINS servers, DNS servers, and gateway address.

Once the computer has received all of the above information (or it was entered manually), it can "resolve" host names into IP addresses. DNS is the service used to resolve Internet hostnames into the IP addresses your computer needs to actually reach the target computer. WINS is used to resolve Windows 95/98/NT/2000 computer names into IP addresses. While WINS is somewhat optional for computers on the same network segment, where broadcast resolution still works, contacting computers in other buildings may be impossible without it.

Although Active Directory promises to solve many of the Windows NT domain synchronization issues, it poses some problems of its own. At the core of these is its dependence on DNS and DHCP.

Currently, when a computer broadcasts a DHCP request, the DHCP server responds and then updates the DNS server itself. This works the same whether the client is a Windows machine, a Macintosh, or a UNIX box. Clients cannot update the DNS tables directly because of the security issues that would create. This also prevents duplicate hostnames, since all names are entered by the servers and no duplicates are allowed in the tables.

Active Directory publishes its own records in the DNS tables: each domain controller registers service locator (SRV) records that clients use to find it, and Windows 2000 computers register their own host records. Any time one of these changes, the DNS tables need to be updated. This requires either that the client computers be allowed to send updates directly to the DNS server, or that the information be entered manually each time. The logistics of manual entry are not cost-effective, making that impractical.

If client computers are given direct access to the DNS table, the DNS server can no longer guarantee unique names: any host on the network can write, or overwrite, any name in the zone, including names it has no claim to. In the summer of 1999, when the DNS server at UNL was upgraded, dynamic updates were allowed by default. Until this was turned off, some computers chose the name www.unl.edu, which meant anyone trying to reach the UNL homepage might be routed to those computers instead. Turning off dynamic updating was the solution, and the problem has not resurfaced.

Another problem with dynamic updates involves CNAMEs, also referred to as aliases. They allow one computer to have many names, such as cse.unl.edu and www.cse.unl.edu. Both names route you to the same computer: one is the actual hostname, the other is a CNAME record pointing at it. When a computer using DHCP writes its name to the DNS server, it checks for a duplicate hostname but does not check for an existing CNAME, so a computer that picks a name already in use as an alias ends up with a host record sitting next to the CNAME, a state the DNS standard does not allow. This is a bug which will most likely be corrected in later service packs, but it is severe enough to prevent Active Directory implementation right now.
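To make the three situations above concrete (the DHCP server registering names on a client's behalf, the www.unl.edu takeover, and the CNAME collision), here is a small Python model of a DNS zone that accepts dynamic updates under different policies. It is an added example written for this page, not UNL's or Microsoft's code. The hostnames, the 10.x addresses and the key names are constructed (129.93.1.25 is the address the page gives for www.unl.edu), and the "secure" policy is a simplified stand-in for Windows 2000's signed dynamic update, which ties a record to the account that created it. The model's point is that the "no duplicate hostname" check is a prerequisite the client chooses to send; a server that accepts unsigned updates has nothing but its own policy to stop a client that omits it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RR:
    rtype: str            # "A" or "CNAME"
    rdata: str            # IP address for A, target name for CNAME
    owner: Optional[str]  # key that created the record; None = static zone-file entry


class Zone:
    """Model of a DNS zone receiving RFC 2136-style dynamic updates.

    policy "none"   : refuse every dynamic update (what UNL did in 1999)
    policy "any"    : accept unsigned updates from any host (the 1999 default)
    policy "secure" : accept only signed updates, and only the key that created
                      a name may change it (approximates secure dynamic update)
    check_cnames    : False reproduces the client bug described in the text,
                      an A record written at a name that already holds a CNAME
    """

    def __init__(self, policy="none", check_cnames=True):
        self.policy = policy
        self.check_cnames = check_cnames
        self.rrs = {}  # name -> list[RR]

    def add_static(self, name, rtype, rdata):
        self.rrs.setdefault(name.lower(), []).append(RR(rtype, rdata, None))

    def lookup(self, name, rtype):
        return [r.rdata for r in self.rrs.get(name.lower(), []) if r.rtype == rtype]

    def register(self, name, ip, key=None, replace=False):
        """A host (or a DHCP server acting for it) asks to map NAME -> IP.

        replace=False: the update carries the "name not in use" prerequisite an
        honest client sends, so it fails if an A record already exists.
        replace=True: the update deletes the existing A RRset first, which
        RFC 2136 permits and only the server's policy can stop.
        Returns (accepted, rcode_or_reason).
        """
        name = name.lower()
        existing = self.rrs.get(name, [])
        if self.policy == "none":
            return False, "REFUSED: zone does not accept dynamic updates"
        if self.policy == "secure":
            if key is None:
                return False, "REFUSED: update is not signed"
            if any(r.owner != key for r in existing):
                return False, "REFUSED: name is static or owned by another key"
        if self.check_cnames and any(r.rtype == "CNAME" for r in existing):
            return False, "REFUSED: name is an alias (CNAME)"
        if not replace and any(r.rtype == "A" for r in existing):
            return False, "YXRRSET: hostname already in use"
        # apply the update: drop the old A RRset (if any) and add the new record
        self.rrs[name] = [r for r in existing if r.rtype != "A"] + [RR("A", ip, key)]
        return True, "NOERROR"

    def cname_conflicts(self):
        """Names where a CNAME sits next to other data, which RFC 1034 forbids."""
        return sorted(n for n, rrs in self.rrs.items()
                      if any(r.rtype == "CNAME" for r in rrs) and len(rrs) > 1)


def demo():
    """Walk through the page's scenarios with constructed data; returns the outcomes."""
    out = {}
    # 1. The summer-1999 default: unsigned updates from anyone. A lab PC names itself www.
    open_zone = Zone(policy="any")
    open_zone.add_static("www.unl.edu", "A", "129.93.1.25")
    out["hijack_accepted"] = open_zone.register("www.unl.edu", "10.0.7.42", replace=True)[0]
    out["www_after_hijack"] = open_zone.lookup("www.unl.edu", "A")
    # 2. UNL's fix: dynamic updates off. Nothing changes, not even honest registrations.
    closed = Zone(policy="none")
    closed.add_static("www.unl.edu", "A", "129.93.1.25")
    out["closed_refuses"] = closed.register("www.unl.edu", "10.0.7.42", replace=True)[0]
    out["closed_refuses_honest"] = closed.register("lab-pc7.unl.edu", "10.0.7.42")[0]
    # 3. Secure dynamic update: the DHCP server registers leases under its own key;
    #    a client key can take neither www nor a name the DHCP server registered.
    secure = Zone(policy="secure")
    secure.add_static("www.unl.edu", "A", "129.93.1.25")
    secure.register("lab-pc7.unl.edu", "10.0.7.42", key="dhcp-server")
    out["secure_blocks_www"] = secure.register("www.unl.edu", "10.0.7.99", key="lab-pc9", replace=True)[0]
    out["secure_blocks_other_lease"] = secure.register("lab-pc7.unl.edu", "10.0.7.99", key="lab-pc9", replace=True)[0]
    out["secure_allows_renewal"] = secure.register("lab-pc7.unl.edu", "10.0.7.43", key="dhcp-server", replace=True)[0]
    out["lab_pc7"] = secure.lookup("lab-pc7.unl.edu", "A")
    # 4. The CNAME bug: the client checks for a duplicate host but not for an alias.
    for check, label in ((False, "buggy"), (True, "fixed")):
        z = Zone(policy="any", check_cnames=check)
        z.add_static("cse.unl.edu", "A", "10.0.2.1")
        z.add_static("www.cse.unl.edu", "CNAME", "cse.unl.edu")
        out[label + "_accepts_alias_name"] = z.register("www.cse.unl.edu", "10.0.9.5")[0]
        out[label + "_conflicts"] = z.cname_conflicts()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and scenario 1 shows www.unl.edu pointing at the lab PC, scenario 2 shows that simply disabling updates also blocks the legitimate registrations Active Directory needs, scenario 3 shows a per-key ownership policy keeping both the static name and the DHCP server's registrations safe, and scenario 4 shows the alias name ending up with both a CNAME and an A record when the CNAME check is missing.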

Another issue with Active Directory is that it is currently a Microsoft-only solution. Macintosh and UNIX machines cannot currently interface with Active Directory, and cannot support the dynamic DNS updates it relies on. This means that if Active Directory were implemented, it might potentially disconnect Macintosh and UNIX users from the network. There is a significant installed base of Macintosh and UNIX machines on campus, and it is not reasonable to expect all of them to be converted to Windows just to implement Active Directory.

Solutions

A committee has been formed to resolve the Active Directory issues and to plan the structure of the directory tree. Currently, Active Directory cannot be implemented without seriously affecting the ability of many users on campus to use computing resources such as the Internet and Lotus Notes.

If you have installed or will be installing Windows 2000, please note that the only feature that will not work is Active Directory. A computer running Windows 2000 Server or Professional can join an existing domain, or create an NT-compatible domain with no problem.

If you have any questions regarding Active Directory or Windows 2000, please contact: pmenard@unl.edu.