Structuring the Active Directory

An old saying warns us, 'A stitch in time saves nine,' and the basic premise underlying the statement still holds true: A bit of extra work in the planning stages of any job is the best way to save yourself trouble and embarrassment later. Planning a network is no different, and when you are setting up your new Active Directory, you should resist the urge to simply start adding users and other objects immediately. The Windows Server 2003 Active Directory is very forgiving of this: moving objects from place to place is extremely easy. Still, why make an account and move it, when you can just wait a bit and put it in the right place to start with?

object

Every element of the network, from people to machines, is represented in the Active Directory by an object. These objects each represent one specific element of the network and have their own properties and configuration elements.

admin access

Rights that require membership in the Administrators group.

rights

A right is different from a permission. Rights allow you to do a task, whereas permissions concern a particular resource. For instance, in order to access a particular file, a user must have the right to log on to the network and must also have permission to use that particular file.

You should have two organizational elements in place before adding other objects: organizational units and groups. These objects will be created based on an analysis of the network, its resources, and its users, and will provide the foundation on which all other permissions rest. If you find yourself upgrading from an NT 4 domain, you may find your hands a bit tied in this, since groups and users will already exist. In such a case, you will have even more planning to do because you will need to decide what to do with the existing objects.

Organizational Units

An organizational unit, as shown in Chapter 13, 'Windows Server 2003 Active Directory,' provides a way of organizing resources logically within the domain. Your first step in doing this is to identify any groups or resources within your organization that need to be kept separate from other areas.

Good examples of areas that are often given their own organizational units are accounting and personnel departments. Rather than allow all administrators of the domain to have admin access to accounting and personnel resources, you may find it preferable to assign a specific user the role of personnel administrator or accounting administrator. To do this, you create organizational units, and then create users and assign them administrative rights.

A real-world example of this is shown in the following exercise.

Tip 

Remember that you can divide a domain in two ways: physically and logically. A physical division uses sites and site links. It is generally used to control traffic over WAN links. A logical division uses organizational units, and is used to organize users and break up administrative authority.

Test It Out: Designing a Directory

A company with 400 employees wishes to upgrade its NT 4 network and is planning on completely redesigning its domain structure for use with the Active Directory. The company has four locations: Los Angeles, Chicago, New York, and a Fargo headquarters. Fargo has 175 users, and each of the branches has about 75. There are four major divisions within the company as well: manufacturing, personnel, accounting, and sales. Each division is active at all sites.

  1. How many Windows Server 2003 domains would you recommend?

  2. Would you use organizational units? If so, would you make them geographic or administrative?

  3. How would you break up administrative control?

Answer: Any of a number of options may be acceptable, but one answer is closest to the spirit of how the Active Directory is intended to be configured. This option would create only a single domain with four organizational units based on company departments. There is no reason why the domain would have to be split up, and organizational units based on the company divisions will provide administrative separation between the divisions.

To create a new organizational unit, open Active Directory Users and Computers, which is located in the Windows Server 2003 Administrative Tools group. Right-click the domain in which you wish to create the new organizational unit and select New → Organizational Unit. You will be asked to supply a name for the new container. When you have finished, the new name will appear under the domain and will be ready to have resources such as printers, computers, and even groups added to it.

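The design the exercise arrives at (one domain, one organizational unit per department) and the earlier point about giving each department its own administrator rather than handing out domain-wide admin access can both be carried out from a script instead of the Active Directory Users and Computers GUI. The following PowerShell is an added example and is not code from the book; it assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later, or RSAT; on a Windows Server 2003 box itself the same steps are done with the dsadd and dsacls command-line tools), and the department names, the "<Department>-OU-Admins" group names and the rights granted are choices made for the example, not something the book prescribes.

```powershell
# Added example (not from the book): build the exercise's single-domain design
# and delegate administration of each OU to a department-specific group.
# Assumes the ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com (assumed)
$departments = 'Manufacturing', 'Personnel', 'Accounting', 'Sales'   # from the exercise

# schemaIDGUID of the "user" object class, read from the schema rather than hard-coded,
# so the ACEs below apply only to user objects.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                            -Properties schemaIDGUID).schemaIDGUID

foreach ($dept in $departments) {
    # 1. One OU per department directly under the domain (the exercise's recommended layout).
    #    ProtectedFromAccidentalDeletion stops a stray click in the GUI from removing the container.
    $ouDN = "OU=$dept,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$dept)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $dept -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }

    # 2. A security group that will hold the department's administrator(s). Group name is assumed.
    $groupName = "$dept-OU-Admins"
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN `
            -Description "Delegated administration of the $dept OU"
    }
    $groupSid = (Get-ADGroup $groupName).SID

    # 3. Delegate rights on the OU to that group instead of adding its members to Domain Admins.
    #    Both ACEs are scoped to user objects: create/delete users in this OU, and full control
    #    over the user objects beneath it. Nothing is granted outside the OU.
    $acl = Get-Acl -Path "AD:\$ouDN"

    $createDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $userClassGuid,                                                   # objectType = user class
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $manageUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)                                                   # inheritedObjectType = user class

    $acl.AddAccessRule($createDeleteUsers)
    $acl.AddAccessRule($manageUsers)
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}

# Review what was delegated on one OU (the same view the GUI's Security tab shows).
(Get-Acl -Path "AD:\OU=Accounting,$domainDN").Access |
    Where-Object { $_.IdentityReference -like '*Accounting-OU-Admins' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

The point of step 3 is the one the chapter makes about rights versus admin access: the accounting administrator ends up with permissions on the Accounting OU and its user objects, not membership in a domain-wide Administrators group. Scoping the ACEs to the user class is a deliberate choice; granting GenericAll on the OU itself would also let the delegate manage computers, groups and Group Policy links there, so widen the delegation only when the department actually needs it, and re-run the final query after any change to confirm that no ACE reaches beyond the OU.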

Active Directory Users and Computers

This tool, found in the Administrative Tools, enables you to manage users, groups, and other elements of the Active Directory. Based on the Microsoft Management Console model, it replaces the User Manager for Domains tool of NT 4.

container

Any object in the directory into which other objects can be placed. Objects that do not have this capability are called leaf objects.




MCSA/MCSE 2003 JumpStart: Computer and Network Basics
ISBN: 078214277X
Year: 2003
Pages: 203
Author: Lisa Donald