Network Address Management and Directory Service

Created by: Future Atty. Arth Vince U. Malaca CIA, CPA, CCSA, CRMA, CFSA, CGAP, CISA Ph.D, LLB, DBA Atty. Danna Laucil J. Espino CIA, CPA, CGAP, CISA, LLB, Ph.D Dr. Anna Katrina Aberin CIA, CCSA, CRMA, CISA Ph.D Dr. Elysa Obang CIA, CPA, CISA, DBA

Network Address
It serves as a unique identifier for a computer on a network. When set-up correctly, computers can determine the addresses of other computers on the network and use these addresses to send messages to each other.

Example of Network Addresses

Internet Protocol Address (IP Address) Media Access Control (MAC)

Network Address Management

Why do company needs to manage network address?

What is Network Management?

In the early days, network was small and local Network managers job includes
o o o o Installation: attach PCs, printers, etc. to LAN Configuration: NICs, protocol stack, user apps shared printers, etc. Testing: Ping was sufficient to manage network More devices: bridge, router

What is Network Management?

Ongoing maintenance issues
o o o o o How to optimize performance? How to handle failures and network changes? How to extend network capacity? How to account for network usages? How to solve network security issues?

What is Network Management?

Today, networks are larger and more complicated, so more demands on network manager How to monitor and control the network effectively and timely? o Management tools are needed Network-based management tools: use the network to manage the network o To control
Simple Network Management Protocol (SNMP) Management Information Base (MIB) Network Management System (NMS)

o To monitor
Remote Monitor (RMON1)

What is Network Management?

Definition by Saydam (in Journal of Networks and System Management, published in Dec. 1996): Network management includes the deployment, integration and coordination of the hardware, software, and human elements to monitor, test, poll, configure, analyze, evaluate, and control the network and element resources to meet the realtime, operational performance, and Quality of Service requirements at a reasonable cost.

Network Management Vocabulary

managing data entity

managed devices contain managed device managed objects whose

agent data managed device agent data

agent data

network management protocol

agent data managed device

Management Information Base (MIB)

data is gathered into a

managed device

Network management vocabulary

Managed Device
o Devices to be monitored/controlled, e.g., router, switch, hub, bridge, workstation. o A managed device may have several managed objects to be managed o A software (agent) is installed to provide access to information/parameters (data) about the device, which is called Management Information Base (MIB)
o Used by the manager/Admin to do network management o PC, notebook, terminal, etc., installed with a software called Network Management System (NMS) o NMS displays/analyzes data from management agents

Managing Entity

Network management vocabulary

Network Management Protocol
o Runs between the managing entity and the managed devices o The managing entity can query the status of the managed devices and take actions at the devices via its agents o Agents can use the protocol to inform the managing entity of exceptional events o E.g., SNMP: Simple Network Management Protocol

Managing agents located at managed devices are periodically queried by the managing entity through a network management protocol.

Network management example

Mgmt App Mgmt Mgmt Process Protocol Presentation Session Transport Network Data Link Physical Agent Mgmt Process Protocol Presentation Session Transport Network Data Link Physical

Managing Entity

Managed Device

Network management example

To get value of MIB variable from mgmt agent
1. Mgmt app (part of NMS) on managing entity passes request to mgmt process 2. Mgmt process calls network mgmt protocol 3. SNMP constructs Get-Request packet and sent it to the managed device through the network 4. Mgmt agent on managed device receives GetRequest 5. Agent process accesses requested value 6. SNMP constructs Get-Response packet and sent it to managing entity through the network 7. Mgmt process on managing entity receives response 8. Mgmt process passes data to mgmt app

Network Management Overhead

There is overhead in terms of
o CPU cycles to generate and process information/packets o Bandwidth usage for sending request and receiving responses

A tradeoff between cost and benefit

Additional Network Management

Capabilities
For efficiency, multiple values can be constructed in a single Get-Response packet Can traverse MIB in logical order Mgmt agent can send unsolicited messages Can request info from probes or remote monitors (RMON)
o Monitoring activity (traffic) on a network segment

Implementation Strategy Design

ISO defines five network management categories Network implementation design is like a 6th category Small network: a single LAN Medium network: a few LANs Large network: geographically distributed

Network Implementation Strategy Design

Router

Router Router

Switch Switch

WAN

LAN

LAN

Network Implementation Strategy Design

Category Geographical Distribution 1. 1. 1. 1. Office Subnets LAN Department (many offices) Subnets LAN Division ( many departments) LAN WAN Organization ( many divisions) Local LAN MAN WAN National WAN Global WAN Issues

Network Implementation Strategy Design

Subnets How many Connectivity Bridges Switches Routers Ethernet Wireless Number of receivers 10BASET Location of hub(s) 10BASE2 10BASE5 How many IP addresses Static addresses Addresses supplied by DHCP

Network Implementation Strategy Design

LAN 1.How many 2.Domain names 3.DNS (Domain Name Service) configuration 4.Network address 5.Subnets How many 1.Connectivity Switched Ethernet Router 1.Ethernet 2.Token Ring 3.FDDI (Fiber Distributed Data Network)

MAN (Metropolitan Area Network)

1.Connectivity between LANs FDDI SONET(Synchronous Optical Network) LAN ATM SMDS ( Switched Multi-megabit Data Service) DQDB (Dual Queue Dual Bus) Ethernet

Network Implementation Strategy Design

WAN 1. Connectivity between LANs or MANs PSTN X.25 TI-T3 SONET Frame Relay SMDS ATM Distribution of services

Network Implementation Strategy Design

Bandwidth Requirements 1. 1. 1. Video Bandwidth Constant Time Dependent Bandwidth on Demand Audio Bandwidth Constant Time Dependent Bandwidth on Demand Teleconferencing Bandwidth

Media Requirements

1. 2. 3. 4. 5. 1. 2. 3. 4.

Cable Wireless Microwave Satellite Optical Fiber What is available now Minimum required for the job Technology improvements during next 5 years Required to support expected growth

Technology

Network Implementation Strategy Design

Service Level Agreements (SLA) 1. 2. 3. Specified bandwidth available at any time Specified bandwidth available during specified time periods Bandwidth on demand

Security Requirements

1. 2. 3. 4. 5.

Location of firewalls Firewall capabilities Location of proxy servers Encryption and authentication needs Network Intrusion Detectors (NID)

Budget

1. 2.

To support resources of optimum network To support resources of minimum network

Network Management Categories

CATEGORY Reliability Transmission error rates Dropped packets Link failures METRICS Faults Proactive prevention Detection Location Correction time

Availability Performance

Mean time between failures (MTBF) of network Time to provide a response to the user Processor total use Processor interrupts/sec Processor queue length Transmit packet lengths

Network Management Categories

Throughput Bytes per second that a user can expect to transmit reliably. Guaranteed throughput based on Service Level Agreement (SLA) Packet throughput Ordered packet throughput Link bandwidth Bandwidth on demand Packets/sec Transactions/sec Application software Network devices Services Permanent storage CPU Data Voice Video

Use

Resource Use

Network Management Categories

CATEGORY Policies METRICS Traffic What's Critical How many network control packets Which threshold alarms Alerts on what events What's Non-critical Backup-what and how often Application testing Software upgrades-how often Administration Type of service availability required Security level required Firewall protection requirements Network Intrusion Detection needs Number of Software License requirements User rights requirements and how distributed among which users. Number of redundant systems required Critical alternate paths Automatic responses to user questions about procedures Automatic responses to user questions about network problems Automatic reporting of problems and solutions to users and to a database

Redundancy User Support

ISO Network Management Categories

Performance Management Fault Management Configuration Management Security Management Accounting Management

Performance Management
Concerned with
o Response time o Utilization o Error rates, etc.

Must collect and analyze data

o Number and type of packets o Might also rely on simulations

Performance Management Sub-Categories

Collecting Baseline Utilization Data Setting Notification Thresholds Building Databases Running Network Simulations Latency Measuring link utilization using a probe Counting packets received/transmitted by a specific device Measuring device processor usage Monitoring device queue lengths Monitoring device memory utilization Measuring total response times Measuring utilization and response times at different times of the day Measuring utilization and response times on different days over an extended period Manually graphing or using a network management tool to graph utilization as a function of time to detect trends Preparing trend reports to document projected need for and the cost of network expansion. Having a network management tool poll devices for values of critical parameters and graphing these values as a function of time Setting polling intervals Setting alarms/alerts on those parameters when the threshold is reached or a percentage of it is reached Initiating an action when the threshold is reached such a sending a message to the network manager. Having the network management tool create a database of records containing device name, parameter, threshold and time for off-line analysis. Using the database to extract time dependence of utilization Using the time dependence of parameters to decide when network upgrades will be necessary to maintain performance Using a simulation tool to develop a model of the network Using the models parameters and utilization data to optimize network performance Query/Response time interval

Collecting a History of Utilization Data Capacity Planning

Fault Management
Preventions, detection and isolation of abnormal behavior
o May be caused by malfunction, cable issue, the janitor, etc.

Traffic, trends, connectivity, etc.

o o o o SNMP polls Alarms for automatic fault detection Monitor statistics Timeliness, etc.

Fault Management Sub-categories

Prioritization Device Configuration SNMP Polls Fault Reports Generated Prioritize faults in the order in which they should be addressed Use in-band management packets to learn about important faults Identify which fault events should cause messages to be sent to the manager Identify which devices should be polled and at what intervals Identify which device parameter values should be collected and how often Prioritize which messages should be stored in the managers database Management Station is passive and only receives event notifications Management Station is active and polls for device variable values at required intervals Application periodically requests a service from a service provider Using a cable tester to check that links are not broken Using an application that makes a request of another device that requires a response. The most often application for this is Ping.Exe. It calls the Internet Control Message Protocol ( ICMP) which sends periodic Echo Request messages to a selected device on a TCP/IP network Application on one device makes a request of an application on another device Devices are configured conservatively to minimize chances of dropped packets. Devices are periodically polled to collect network statistics Thresholds configured and alarms generated Text media used for report Audio media used for report A color graphical display used to show down devices Human manager is notified by pager Remote Monitors used Protocol analyzers used Traps sent to Network Management Station Device statistics monitored Graphical trends generated to identify potential faults

Timeliness Required

Physical Connectivity Testing Software Connectivity Testing

Traffic Monitored

Trends

Configuration Management
Device configuration
o May be done locally or remotely

Network configuration
o Sometimes called capacity mgmt o Critical to have sufficient capacity

Desirable to automate as much as possible

o For example, DHCP and DNS

Extensions to SNMP MIB

Configuration Management Subcategories

Configuration (Local) Choice of medium access protocol Choice of correct cabling and connectors Choice of cabling layout Determining the number of physical interfaces on devices Setting device interface parameter values Interrupts I/O Addresses DMA numbers Network layer addresses (e.g. IP, NetWare, etc) Configuration of multiport devices (e.g. hubs, switches and routers) Use of the Windows Registry Comparing current versus stored configurations Checking software environments SNMP service

Configuration (Remote)

From the network management station Disabling device ports Redirecting port forwarding Disabling devices Comparing current versus stored configurations Configuring routing tables Configuring security parameters such as community strings and user names Configuring addresses of management stations to which traps should be sent Verifying integrity of changes

Configuration Management Sub-categories

Configuration (Automated) Using the Dynamic Host Configuration Protocol (DHCP) to configure IP addresses Using Plug and Play enabled NICs for automatic selection of interrupts and I/O addresses Domain Name Services (DNS) addresses Trap messages from agents

Inventory (Manual)

Maintaining records of cable runs and the types of cables used Maintaining device configuration records Creating network database containing for each device: Device types Software environment for each device operating systems utilities drivers applications versions configuration files (.ncf, .ini, .sys) vendor contact information IP address Subnet address
Auto-discovery of devices on the network using an NMS Auto-determination of device configurations using an NMS Creation of a network database Auto-mapping of current devices to produce a network topological map Accessing device statistics using an NMS and the Desktop Management Protocol

Inventory (Automated)

Security Management
Control access to network/resources
o o o o o Authentication: who goes there? Authorization: are you allowed to do that? Firewalls Intrusion detection systems (IDS) Notification of (attempted) breaches, etc.

Critical to always authenticate participants SNMPv1 has very little security SNMPv3 has lots of security built in

Security Management Sub-categories

Applying Basic Techniques Identifying hosts that store sensitive information Management of passwords Assigning user rights and permissions Recording failed logins Setting remote access barrier codes Employing virus scanning Limiting views of the Enterprise network Tracking time and origin of remote accesses to servers Electronic Mail File Transfer Web Browsing Directory Service Remote Login Remote Procedure Call Remote Execution Network Monitors Network Management System Encryption Packet filtering at routers Packet filtering at firewalls Source host authentication Source user authentication Audits of the activity at secure access points Executing security attack programs (Network Intrusion Detection) Detecting and documenting breaches No restrictions - hosts are responsible for securing all access points Limited access - only some hosts can interface with the Public Data Network using a proxy server Queries the configuration database to identify all access points for each device. Reads event logs and notes security-related events. Security Manager shows a security event on the network map. Reports of invalid access point attempts are generated daily for analysis

Identifying Access Methods Used

Using Access Control Methods

Maintenance

Accessing Public Data Networks Using an Automated Security Manager

Accounting Management
Measuring the usage of network resources in order to distribute costs and resources E.g., monitoring the use of a server by users in a specific department and charging the department accordingly

Accounting Management Sub-categories

Gather Network Device Utilization Data

Measure usage of resources by cost center Set quotas to enable fair use of resources Site metering to track adherence to software licensing Set charges based on usage. Measure one of the following Number of transactions Number of packets Number of bytes Set charges on direction of information flow

Bill Users of Network Resources

Use and Accounting Management Tools

Query usage database to measure statistics versus quotas Define network billing domains Implement automatic billing based on usage by users in the domain Enable billing predictions Enable user selection of billing domains on the network map

Reporting

Create historical billings trends Automatic distribution of billing to Cost Centers Project future billings by cost center

Management Tools
Company
Apptitude (HiFn)

Product
Meterware/ Analyzer

URL http://www.hifn.com

Comments
NMS used in this book. Is a complete SNMPv1 tool. It is only available with the book. Apptitude was a leader in SNMP management software and hardware for many years. HiFn develops integrated circuits for encryption. EnterPol is a NMS. CIAgent is an agent. CIAgent is a free download. SNMPv3 Wizard is an agent configuration tool. The company has many other products. The company has been a leader in the SNMP field The Work Group Edition 5.1 is appropriate for small networks It supports SNMPv3, as does the Enterprise edition that provides other capabilities. Cost of the Work Group Edition is $995.00 The company has been a leader in the SNMP field Provides a number of management tools ranging in price from $145 to $1995. The $1995.00 package is Webenabled. The Engineers Edition at $995.00 looks like the most attractive for users of this book in that it contains most of the features of the HiFn Ama;uzer. Net Inspector Lite is $495.00. It looks like a good choice for readers of this book. MG-SOFT provides many other more comprehensive products and products can be enhanced by proxy front-end modules. There are also products that support SNMPv3

SNMP Research Internation al

EnterPol CIAgent SNMPv3 Wizard

http://www.snmp.com/index.html

Castlerock

SnmpC

http://www.castlerock.com/

Solar Winds

Engineers Edition

http://solarwinds.net/

MG-SOFT

Net Inspector Lite

http://www.mg-soft.si/

Management Tools
Triticom LANdecoder SNMP Manager

http://www.triticom.com/

LANdecoder SNMP Manager is a simple, easy to use SNMP Manager for Microsoft Windows environment. With it, you can query and control any SNMP-capable device on your network. It can operate standalone or be integrated with Triticoms LANdecoder 32 V 3.2., a network analyzer. The price of LANdecoder SNMP manager is $995.00

Finisar

Shomiti Surveyor

http://www.finisar-systems.com/

Shomiti Systems is now part of Finisar. The Surveyor product is a comprehensive network hardware manager. A free download is available.

Acterna

Link View Classic 7.2

http://www.acterna.com/

A software based network analyzer at a price of $995.00. Includes a traffic generator. Excellent graphics Also available is Advanced Ethernet Adapter which provides promiscuous capture of packets. Price is then $2700.00.

Management Tools
Company
Network Instrument s Precision Guesswork

Product
Observer 8

URL http://www.netinst.com/html/observer.ht ml http://www.guesswork.com/snmptool.ht ml

Comments
Supports Ethernet, Token Ring, FDDI, GigaBit and Windows 98/ME and NT/2000/XP. Includes capture for protocol analysis. Price is $995.00 Described to be an easy-to-use command-line application that allows you to GET a variable, SET a variable, get the NEXT variable, or even get all the variables. Provides programs for receiving ALERTS, as well as a simple monitoring program that allows you to tell if your hosts are SNMP reachable, IP reachable, or not reachable. Allows you to remotely monitor, gather and change networking information from hosts on your network. Enables you to diagnose existing problems on the network, predict where problems are likely to occur, pinpoint faulty routers and interfaces, and, in general, exert control over your network.

LANwatch32 v6.0

Cisco

Small Network Managemen t LAN Management

http://www.cisco.com/warp/public/cc/pd /wr2k/wrsnms/ http://www.cisco.com/warp/public/cc/pd /wr2k/lnmn/

Cisco produces many network management products. These products seem most appropriate for audience of this book.

Management Tools
3COM Network Supervisor 3.5

http://www.3com.com/products/en_US/ detail.jsp?tab=features&pathtype= purchase&sku=3C15100C

This free package can be downloaded from this site. Other packages are available from this site also.

Computer Associates

Unicenter Network and Systems Manager 3.0

http://www3.ca.com/Solutions/SubSolution.asp? ID=2846

This is the basic network infrastructure management package. There are add-on applications available such as a performance application

Enterasys

NetSight Element Mgr. NetSight Policy Mgr.

http://www.enterasys.com/products/items/NSEM/ http://www.enterasys.com/products/items/NETS IGHT-PM/

Element Manager is the basic network management package. Policy Manager incorporates the business model into the management process

Sunrise Telecom

LAN Explorer

http://www.sunrisetelecom.com/lansoft ware/lanexplorer.shtml

A comprehensive NMS, comparable to Analyzer but also containing packet capture and analysis capabilities. $799.00 per license.

Management Tools
Company
HP

Product
Toptools

URL http://www.hp.com/toptools/prodinfo/ov erview.intro.html

Comments
Toptools is a comprehensive hardware management product. It has many plug-ins for specific hardware. All its features can be integrated into your enterprise management platforms such as hp OpenView Network Node Manager, Microsoft SMS, CA Unicenter TNG, IBM Tivoli Enterprise Management and Tivoli NetView This comprehensive management product also correlates and manages events for systematic management of faults. Monitoring and control functions encompass systems management, network management, and application management, and it can manage software configurations, hardware assets and batch production. It also works at a higher level, addressing the underlying business needs in a business-oriented way, to provide measurable business value. Formerly called Ecoscope, monitors network performance by monitoring protocol and application traffic. Par of a suite called Vantage Real time voice, video and data traffic. Part of the nGenius Suite. Optivity Network Management System is a comprehensive network management solution. Its key features include fault management, performance analysis, reporting, and access level security There are many Patrol products by BGS. Connect SNMP seems the most appropriated for this book. BGS products cover all aspects of network management.

IBM

Tivoli Netview 7.1

http://www.tivoli.com/products/index/ne tview/ http://www.bull.com/

Groupe Bull S. A. EVIOIAN (A Bull Company)

Openmaster SLM

Compuware

Network Vantage

http://www.compuware.com/products/va ntage/networkvantage/ http://www.netscout.com/products/rtm.h tm http://www.nortelnetworks.com/product s/01/optivity/net_mgmt/index.html

NetScout

nGenius Real Time Monitor Optivity 6.0 Network Managemen t System Patrol Connect SNMP

Nortel

BGS

http://www.bgs.com/products/proddocvi ew.cfm?id=7263

Network Management Configuration

LAN 1
WS Agent

Centralized vs distributed Centralized configuration

WS Agent

Node 1

Hub Agent

Probe Agent

NMS

Router Agent

Backbone Node

Router Agent

Probe Agent

WS Agent

Router Agent

Probe Agent

LAN 2 Node 2 Probe = Remote Monitor NMS = Network Management System WS = Workstation

LAN 3 Node 3

 Centralized configuration

Network Management Configuration

o One management station hosts NMS o Remote monitors/probes on LAN segments

Advantage: NMS has complete view Disadvantage: single point of failure

Network Management Configuration

Distributed configuration
LAN 1
Hub Agent WS Agent Probe Agent
NMS

Router Agent

Node 1

NMS

Backbone

WS Agent

Router Agent

Probe Agent

NMS

WS Agent

Router Agent

Probe Agent

NMS

LAN 2

Node 2

LAN 3

Node 3

Probe = Remote Monitor NMS = Network Management System WS = Workstation -------- = In-band or out-of band management communication

Network Management Configuration

Distributed configuration
o Each LAN has its own management station and a simple NMS o One mgmt station/NMS manages the backbone and coordinates local NMSs

Advantage: robust in case of failure Disadvantage: complexity, coordination

Directory Service

Directory Services
A directory service is a database that contains information about all objects on the network. Directory services contain data and metadata. Metadata is information about data. For example: A user account is data. Metadata specifies what information is included in every user account object.

Directory Services
Information within directories is organized hierarchically. This means that there is a strict set of rules as to where certain data is located within the directory based on the properties of that data. Unlike relational databases such as SQL where information is read and written often, information is usually only read from a directory service, but rarely is it input. For example: User account data changes very little once it has been entered.

Early Directory Services

The first directory service was developed at PARC and was called Grapevine.
X.500 was developed as a directory service standard by the ISO and CCITT. Although X.500 was developed as a comprehensive standard, as with the OSI model, it was not widely deployed on realworld LANs. X.500 formed the basis of a standard that is widely deployed known as LDAP.

Some X.500 conventions are used in Active Directory and eDirectory.

LDAP
Stands for Lightweight Directory Access Protocol. LDAP is a scaled-down implementation of the X.500 standard. Active Directory and eDirectory are based on LDAP. Netscapes Directory Server was the first wide implementation of LDAP. It was used primarily for enterprise calendaring and contact management. Netscapes product was not used for network management. Most LDAP directories use a single master method of replication. Changes are made to the master databases and then propagated out to subordinate databases. The disadvantage of this scheme is that it has a single point of failure. Objects within an LDAP directory are referenced using the objects DN (Distinguished Name). The DN consists of the RDN (Relative Distinguished Name) appended with the names of ancestor entries.

LDAP II

RDN of the user object in the figure is cn=ccarpenter. DN of the user object in the figure is cn=ccarpenter,ou=mn,o=emcp,c=us.

Novell eDirectory
eDirectory is a partitioned and loosely replicated directory service.
eDirectory can be used to manage multiple operating systems. The two primary components of eDirectory are database partitions and database replicas.

Partitions are sectioned off according to location. The partition is hosted on a server local to that location. The primary benefit of this is that authentication is localized.

Novell eDirectory
Database replicas are copies of partitions. There are several different types of replicas.
Master replica: First copy of partition. Read-write replica: Can be used to authenticate and make changes to objects. Used for redundancy purposes. Read-only replica: Can be used to locate information, but not to change objects. Subordinate reference: Special replicate automatically created. Used as a pointer to a target replica.

eDirectory
Object country locality organization organizational unit root Description two letter country code city or state top level container in tree container object, used to represent department top level of tree

Container objects are used to organize other objects within the directory. For example: You might place all of the accountant user objects within the accountants organizational unit. In eDirectory, a DN finishes at the organizational level. Objects are separated by periods. An accountant at EMCP with an user account named dmorgan, would have the DN .cn=dmorgan.ou=accountants.o=emcp.

Active Directory
Active Directory is an implementation of LDAP that uses multimaster replication. Active Directory runs on Windows Server 2003 and Windows 2000 Server on special computers known as domain controllers. Active Directory can be used to manage almost every aspect of a Windows Server 2003 network. Active Directory can also be used as a type of phonebook. For example, you could query Active Directory to locate all users located on the 2nd floor of a building. Alternatively you could locate all color printers at a particular location.

Active Directory Components

Domain. All user accounts within a domain share a common password policy. Different password policies require separate domains. Site. Used to represent a single physical location within Active Directory.
Organizational Unit (OU). Can be used to represent organizational hierarchy. OU can contain OU. Group Policy Object (GPO). Collection of policies that can be applied to domains, sites, and OUs.

Forest. Collection of domains with common schema.

Tree. Collection of domains with common namespace.

GPO and Delegation

Control of a particular OU can be delegated.
For example: You could allow a certain user to administer all of the accountants user accounts, without allowing them to administer anyone elses account. GPO can be applied to sites, domains, and OU. GPOs can be used to install software or to configure user environment settings. For example: You could install Microsoft Word at a particular location by creating a GPO that installs word and applying it to that locations site. Alternatively, if you applied that same GPO to the domain, all users would have Word installed. If you applied that GPO to an OU instead, only users within that OU would have word installed.

Active Directory Naming

Active Directory naming is similar to LDAP and eDirectory, though has a slightly different format. A user named Orin Thomas located within the Engineers OU in the melbourne.emcp.com domain of a Windows Server 2003 network would have the DN:
CN=Orin Thomas,OU=Engineers,DC=Melbourne,DC=EMCP,DC=COM

DNs are often used in scripts that query information from the Active Directory database. As an administrator you might right a script that queries the database to determine which users have not logged on to the network in the last six months.

Summary
A directory service is a database that contains information about all objects on the network.
LDAP is a scaled-down implementation of the X.500 standard. eDirectory is a partitioned and loosely replicated directory service. eDirectory partitions are sectioned off according to location. eDirectory database replicas are copies of partitions. Active Directory uses multimaster replication.

Active Directory can be used to manage almost every aspect of a Windows Server 2003 network and as a type of phonebook.