
Windows 2000/2003 Active Directory Fundamentals

When Microsoft replaced Windows NT4 with Windows 2000, many new features were introduced into the product. Among them was a feature by the name of Active Directory.

Active Directory represented a major change in how networks would be managed in a Microsoft-centric environment. Under the new AD-based structure, networks could now be managed much more efficiently than they could under Windows NT4, but as one would expect, this power comes at the expense of a steep learning curve. In this document I will discuss the fundamentals of Active Directory that one needs to properly understand this feature.

Before one can start working with AD, it is important to first understand some of the structures that make up and form the foundation of AD. The structures of Active Directory can be broken down into two major categories: the logical structures and the physical structures. Let’s begin by looking at the logical structures.

Domain

The foundation of Active Directory is the domain, which possesses a unique set of characteristics. First, a domain hosts a database of user accounts and other resources that can be centrally managed. Second, a domain will possess one or more servers called Domain Controllers, which are responsible for collectively hosting the Active Directory database. Third, a domain represents what is known as a replication boundary, which (briefly) means that when a change is made on one domain controller in a domain, all other domain controllers are informed of the change and update their own database to match.

Organizational Unit (OU)

Within a domain there can exist a number of containers called Organizational Units, or OUs as network admins commonly call them. OUs are used by network administrators to organize a network into a model more closely matching the organization's business and/or administrative needs. An OU might be created by a network admin to group all the resources in the company sales department, such as folders, printers and users, into a single unit named “Sales” for simple management. OUs are also used for delegation, the decentralizing of administrative functions. In the previous scenario, the domain admin might decide to delegate the task of resetting passwords to a member of the “Sales” OU so they can carry out this task.

Objects

The smallest unit inside of Active Directory is the object, which represents any number of possible components on the network, from a printer or folder to a user account or computer.

Tree

A Tree represents a series of Active Directory domains that share two characteristics: a two-way trust relationship and a common root domain. A two-way trust relationship allows members of one domain to access the resources of another, if granted access to it. A common root domain is best demonstrated by two domains, one named sales.anycorp.com and the other accounting.anycorp.com. Both share a common root domain which, in this case, is anycorp.com.

Forest

A forest represents a collection of trees, each of which can have its own distinctive root domain (see above), joined by an automatic transitive trust relationship. A transitive trust relationship represents one of the most important features of Active Directory. Basically, a transitive trust allows every domain in the forest to access each other’s resources. To illustrate this relationship, visualize three domains named A, B and C within the forest. A trusts B and B trusts C; since the trusts are transitive, A trusts C automatically. Due to the nature of this automatic transitive trust between member domains in a forest, a forest is considered a security boundary, as one needs to be in the forest to access resources anywhere within it.
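The tree and forest relationships described above can be worked through in code. The following is an added example, not part of the original article: it groups a forest's domains into trees by common root domain and computes which trusts exist only through transitivity. The anycorp.com names come from the article; example.net, dev.example.net and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample forest. anycorp.com names come from the article;
# example.net and dev.example.net are hypothetical additions.
# Each pair is one two-way transitive trust inside the forest.
FOREST_TRUSTS = [
    ("anycorp.com", "sales.anycorp.com"),
    ("anycorp.com", "accounting.anycorp.com"),
    ("anycorp.com", "example.net"),        # trust between the two tree roots
    ("example.net", "dev.example.net"),
]

def build_graph(trusts):
    """Adjacency sets; every trust is stored in both directions (two-way)."""
    graph = {}
    for a, b in trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def effective_trusts(graph, start):
    """All domains reachable from start by chaining transitive trusts."""
    seen, queue = {start}, deque([start])
    while queue:
        for neighbour in graph[queue.popleft()]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen - {start}

def implied_only(graph, domain):
    """Trusts that exist only through transitivity, not as a direct link."""
    return effective_trusts(graph, domain) - graph[domain]

def tree_root(domain, forest_domains):
    """Shortest DNS suffix of domain that is itself a domain in the forest."""
    labels = domain.split(".")
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in forest_domains:
            return candidate
    return domain

def trees(graph):
    """Group the forest's domains into trees keyed by their root domain."""
    grouped = {}
    for domain in graph:
        grouped.setdefault(tree_root(domain, graph), set()).add(domain)
    return grouped

if __name__ == "__main__":
    g = build_graph(FOREST_TRUSTS)
    print(trees(g))
    print(sorted(implied_only(g, "sales.anycorp.com")))
```

In this sample, sales.anycorp.com has a single direct trust yet ends up trusting every other domain in the forest, which is why access reviews treat the forest, not the domain, as the boundary.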

In addition to the logical structures of Active Directory, there is also a structure that fits in the category of physical structures: the Site.

Site

A site is used to control and regulate the flow of traffic between locations in Active Directory in order to improve network performance. To visualize the importance of sites, picture an office in Los Angeles and another in New York, both part of the same company and both hosting Active Directory in the same domain. If the two locations are placed into one Active Directory Site, the domain controllers in the domain will replicate amongst each other (as per design) to keep up-to-date. In order to prevent this replication from overburdening the links between the offices, an admin would create an individual site in LA and another in NY. Once the sites were created, an admin would create a link inside of AD and schedule how often the replication between sites would occur, thereby preserving bandwidth. Generally, sites are created whenever the actual link between locations is less than 512 Kbps, but depending on the situation the criteria can vary.

Outside the logical and physical structures in Active Directory, there is another feature that merits a mention, and that is the schema. Simply put, the schema is the collection of definitions of each and every object type in Active Directory. Inside the schema is a collection of classes, such as users or computers, telling Active Directory how to create a new object of a specified type. To understand classes within the schema, take a new user object. A domain admin would use the AD management tools to add a new user; when he did so, AD would check the schema for what information needs to be provided to successfully create the new object (e.g. name or office).

Understanding the logical and physical structures that comprise Active Directory is required in order to fully understand how this exciting technology works and what it can do for the admin. If all the information seems a little daunting, the tip I usually give my students is to simply think of Active Directory as an administrative tool and keep in mind how they want to take care of and manage their network. Keeping this in mind makes the whole process clearer.
