
What clients can I use with Active Directory?

As you know, Microsoft's Windows 2000 has a multitude of features to offer the network administrator. The Active Directory (AD) environment gives you extensive control over the configuration and performance of both your servers and your workstations. If you decide to add Windows 2000 servers to your network or upgrade your existing servers to Windows 2000, do you know how the migration will affect the users on your network? In this article, Brien Posey explores the most important issues your clients will face within the Active Directory environment.

Summary

What is Active Directory?

Everywhere you look, you read about Active Directory. Originally, Windows NT used a database of user and computer accounts called the Security Accounts Manager (SAM). Active Directory builds upon the basic features offered within SAM, but it provides much more flexibility. More importantly, AD uses a standard format that can be accessed by any domain client using Active Directory plug-ins. In addition, any AD-aware application can be customized to interface freely with Active Directory networks, including applications running on other types of operating systems. It simply requires the use of LDAP (Lightweight Directory Access Protocol), a common component of the TCP/IP suite. Each network resource (user account, computer, printer, and so forth) is an object within the AD database. Each object has its own attributes, which you can customize easily and extensively.

Active Directory and its clients

On the server level, only Windows 2000 servers can participate in Active Directory networks. However, at the client level any client workstation that can log into the domain and runs the proper AD-aware code can participate in the AD environment. This is due to the nature of the database: to participate in Active Directory services, a client must be able to interact with the database's objects and attributes.

Client workstations of differing capabilities can access AD because Microsoft created client extensions for older versions of its operating systems to provide backward compatibility. This enables you to upgrade your servers while maintaining your existing Windows 9x and Windows NT client environments. These client extensions support the following features:

  • Site awareness capability to log on to the domain controller that is closest to the client in the network
  • Ability to change passwords on any Windows 2000 domain controller instead of the primary domain controller (PDC)
  • Active Directory Services Interface (ADSI)
  • DFS Fault Tolerance Client
  • Active Directory Windows Address Book (WAB) property pages
  • Support for display specifiers that enable rendering of new schema elements stored on the user object in AD
  • NT LAN Manager version 2 authentication

Unfortunately, due to older workstation and operating system capabilities and limits, you won't gain support for the following features:

  • Kerberos
  • Group Policy or IntelliMirror
  • IPSEC or L2TP
  • Service Principal Name (SPN) or mutual authentication

What clients can I use with Active Directory?

A few weeks ago, a friend of mine found himself in an interesting situation. Like many of us, he had bought into all of the media hype and was convinced that he needed to upgrade every server on his network to Windows 2000 ASAP, if not sooner. Of course, my friend is no idiot. He understands that a total network upgrade is a big deal. Therefore, he spent a considerable amount of time analyzing how the upgrade was going to affect every last component that was running on his servers. When the big day finally came, he updated the first server. However, when he got ready to access the server from his workstation to see how the migration went, he realized that he had planned extensively for the server portion of the upgrade but had never even thought about how switching to Windows 2000 would affect the clients. In this article, I'll discuss some of the most important issues that your clients face in an Active Directory (AD) environment.

What is Active Directory?

Active Directory—it's one of the buzzwords that you hear when people discuss cool new networks. Even so, I am amazed by the number of letters I receive from seemingly intelligent people who are too embarrassed to ask their peers what AD is. However, a basic understanding of Active Directory is necessary before we can discuss how clients work with Active Directory.

The predecessor to Active Directory was the Windows NT Security Accounts Manager (SAM). The Security Accounts Manager consisted of a database of user accounts and computer accounts. AD maintains this same basic structure, but builds on it. There are several features available through AD that aren't available through the SAM.

Perhaps the most important difference is that Active Directory is designed to be much more flexible than the SAM. For example, a common myth is that only Windows 2000 clients can take advantage of AD's features. However, nothing could be further from the truth. Active Directory uses a standard format that can be accessed by any domain client that contains AD plug-ins. Likewise, Active Directory is designed to be accessed by applications as well. Any AD-aware application can interface freely with AD. If an application wasn't written specifically for Windows 2000, it can still access Active Directory as long as it is designed to use Lightweight Directory Access Protocol (LDAP), a common component of the TCP/IP suite.

Another major difference is that you can arrange the Active Directory hierarchy in a manner that best suits your organization. As your needs change, the directory can be reorganized with relative ease. As you probably know, there's little, if any, flexibility built in to the SAM.

As with any database, Active Directory contains objects. In Windows 2000, any network resource, be it a user account, a computer, a printer, etc., is considered to be an object within the AD database. As with most databases, these objects have attributes. Windows 2000 comes with a standard set of attributes for each object. For example, if you're looking at a user account object, the object would have attributes such as full name, department, or e-mail address. You can also create custom attributes for each object. For example, you could create an attribute that describes what type of car the user drives or how many kids the user has. Granted, in real life you'd probably have no need for this information within AD (unless you wanted to trim a little off the budget and needed to find out how many users drove expensive cars). The point is that you can customize AD to hold any information you want, no matter what type.

Active Directory and its clients

Now that I've explained a little about what Active Directory is and how it works, you may still be somewhat confused. To clear things up a bit, consider this: On a server level, only Windows 2000 servers can participate in AD. On a client level, however, any client that can log into the domain and that has code that makes it AD-aware can participate in AD.

This statement brings up two logical questions. First, which clients can be made AD-aware, and second, what does it mean to participate in AD?

To answer these questions, consider the first requirement of an Active Directory client. An AD client must be able to log into a Windows NT domain structure. After all, Windows 2000 is nothing more than a fancy extension of the Windows NT operating system. However, just because a client logs into a Windows 2000 domain doesn't mean that it's participating in AD.

After all, there's nothing stopping you from loading up a computer with a copy of Windows 98 and logging into a Windows 2000 domain. Once you log in, you can access any resources that you have rights to. However, by itself, Windows 98 isn't AD-aware; therefore, the client can't participate in the Active Directory structure. So what does it mean to participate in the AD structure?

Earlier I mentioned that AD was nothing more than a database filled with objects and attributes. To participate in AD, the client must be able to interact with these objects and attributes. The Windows 98 client can log into the domain because the Windows 2000 domain structure is backward-compatible with the Windows NT domain structure. Therefore, if a client can log into a Windows NT domain, it can also log into a Windows 2000 domain.

The difference comes into play with the way that the client utilizes AD objects and attributes. For example, suppose that you were logged into an AD environment from a Windows 2000 Professional client. Now, suppose that you needed to print a document in color.

Because Windows 2000 Professional is AD-enabled, you could actually search the AD database to see which printers in your building supported color printing by looking at all of the printer objects and searching through their color attributes. If you needed to do a more comprehensive search, you could even look for a color printer on your floor that was capable of printing a minimum number of pages per minute. All of this advanced searching is possible only because of the way that the Windows 2000 Professional client is able to interact with AD.

A stock Windows 98 client could browse the domain for printers in the usual manner but wouldn't be able to search for specific printer attributes. Obviously, this concept applies to every type of object contained in Active Directory, not just to printers.
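The printer search described above, expressed the way an AD-aware client would send it over LDAP (the protocol mentioned earlier). This is an added example, not code from the original article: it uses the real AD printQueue attribute names (printColor, printPagesPerMinute, location), evaluates the filter offline against a few constructed entries instead of a live domain controller, and all function names and the sample printers are my own assumptions. The escape step shows why a client must escape user-supplied text before placing it in a filter, so a typed location cannot add or close filter clauses.

```python
import re

# Constructed sample entries shaped like AD printQueue objects (not from a real domain).
def printer(cn, color, ppm, location):
    return {"cn": cn, "objectClass": "printQueue", "printColor": color,
            "printPagesPerMinute": str(ppm), "location": location}

SAMPLE_PRINTERS = [printer("HP-Floor2-Color", "TRUE", 12, "Floor 2"),
                   printer("Lexmark-Floor2-Mono", "FALSE", 30, "Floor 2"),
                   printer("Xerox-Floor3-Color", "TRUE", 8, "Floor 3")]

def escape(value):
    """RFC 2254 escaping: user text must not be able to add or close filter clauses."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_printer_filter(color=True, location=None, min_ppm=None):
    """Filter an AD-aware client would send to find printers by their attributes."""
    clauses = ["(objectClass=printQueue)", f"(printColor={'TRUE' if color else 'FALSE'})"]
    if location is not None:
        clauses.append(f"(location={escape(location)})")
    if min_ppm is not None:
        clauses.append(f"(printPagesPerMinute>={int(min_ppm)})")
    return "(&" + "".join(clauses) + ")"

def matches(entry, flt):
    """Evaluate (&...) and attr=/>=/<= items; strings compare case-insensitively, numbers as int."""
    def parse(i):
        if flt[i + 1] == "&":            # conjunction: every child clause must match
            i, results = i + 2, []
            while flt[i] != ")":
                r, i = parse(i)
                results.append(r)
            return all(results), i + 1
        j = flt.index(")", i)            # safe: escaped values contain no raw ')'
        attr, op, val = re.fullmatch(r"(\w+)(>=|<=|=)(.*)", flt[i + 1:j]).groups()
        actual = entry.get(attr)
        if actual is None:
            return False, j + 1
        if op == "=":
            return actual.lower() == unescape(val).lower(), j + 1
        lhs, rhs = int(actual), int(val)
        return (lhs >= rhs if op == ">=" else lhs <= rhs), j + 1
    return parse(0)[0]

def find_printers(entries, **constraints):
    flt = build_printer_filter(**constraints)
    return [e["cn"] for e in entries if matches(e, flt)]
```

Against a real domain the same filter string goes to a directory search (for example with an LDAP client library), and the server does the matching; the offline evaluator only mirrors that matching so the example runs without a domain controller.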

If you're running Windows 2000 at the server level, but all of your clients are running Windows 98 or Windows NT, you're probably thinking that Active Directory is very cool, but it would be way too expensive and time-consuming to load Windows 2000 on every workstation. For that matter, some of the workstations may contain inadequate hardware to run Windows 2000, or they may be running software that requires the specific operating system that's currently installed. If such is the case in your organization, all isn't lost. You can install AD client software on Windows 98 to make it AD-enabled with a few limits. Naturally, you'll get the most benefits from AD by using the Windows 2000 Professional client. However, don't panic if you don't want to make the plunge to Windows 2000 Professional yet. You can still get some of the benefits of Active Directory by using Microsoft's new AD Clients for Windows 9x and NT.

Microsoft took a lot of heat from customers during the Windows 2000 Beta cycle because it appeared that Microsoft wouldn't support its existing desktop operating systems with Active Directory. To calm the firestorm, Microsoft created client extensions to older operating systems for customers who wanted to deploy Windows 2000 Server in environments with Windows 9x and Windows NT 4 workstations. Some of the features supported by these clients include:

  • Site awareness capability to log on to the domain controller that is closest to the client in the network.
  • Ability to change passwords on any Windows 2000 domain controller instead of the primary domain controller (PDC).
  • Active Directory Services Interface (ADSI).
  • DFS Fault Tolerance Client, which provides access to Windows 2000 distributed file system fault-tolerant and fail-over file shares specified in AD.
  • Active Directory Windows Address Book (WAB) property pages, which allow users—who have permission—to change properties on user objects (for example, phone number and address) via the user object pages. These pages can be accessed by clicking the Start menu, and then pointing to Search | For People.
  • Support for display specifiers that allow rendering of new schema elements stored on the user object in Active Directory.
  • NT LAN Manager version 2 authentication—Takes advantage of the improved authentication features available in NT LAN Manager version 2.

Even though Microsoft supplies an AD client for Windows 9x and plans on delivering one for Windows NT, these clients don't provide all of the features that you can get by migrating to Windows 2000 Professional. This is due to architectural differences between Windows 2000 Professional and earlier releases of Windows. Features missing from the Windows 9x and NT AD clients include the following:

  • Kerberos support
  • Group Policy or IntelliMirror support
  • IPSEC or L2TP support
  • Service Principal Name (SPN) or mutual authentication

Currently, you'll find the Windows 95 and Windows 98 AD clients on the Windows 2000 CD. If you want to install the AD client on a Windows NT 4 workstation, you'll have to wait until Service Pack 7. Microsoft plans on releasing the AD client for Windows NT 4 at that time.

Conclusion

There's a lot to consider when implementing a Windows 2000 network. In this article, I've explained a few things to watch out for from the often-overlooked client side of the upgrade.

Brien M. Posey is an MCSE who works as a freelance technical writer and as a network engineer for the Department of Defense.


Copyright ©2007 Setup32.com