Active Directory Terminology Primer


Critics of the Windows NT platform have often regarded the Windows NT SAM's inability to scale to enterprise requirements as a flaw that has prevented Windows NT from entering the enterprise operating system market. Although there is still debate over the viability of Windows NT as an enterprise computing platform, even the harshest critic will find it difficult to criticize the scalability and attribute-level security found in the Active Directory.

Based on the LDAP Request For Comments (RFCs), the Active Directory provides system architects with a central location to store enterprise information for everything from employee data to configuration of network devices.

Tip

Several of the concepts found in this chapter overlap with those found in Chapter 11, "Programmatic Management of LDAP Infrastructures." If you haven't yet read Chapter 11 and are new to either LDAP or the Active Directory, this chapter may be a bit easier to digest after reading that chapter's background information.


Although the Active Directory is indeed based on the LDAP RFCs, Microsoft's use of several terms differs from traditional LDAP nomenclature. Thus, it is essential that you understand the following before you attempt to use ADSI to manipulate the Active Directory:

  • Attribute. Attributes are the characteristics of each object and are defined by the schema definitions for each object's class. Attributes can also be referred to as properties of an object; the terms are interchangeable.

  • Domain. A domain defines the boundaries for security, administration, and replication processes. A domain can run in either native mode (all Windows 2000 domain controllers) or mixed mode (a combination of both Windows NT and Windows 2000 domain controllers). Native mode domains have significant advantages related to group administration, including the ability to nest groups and to create universal groups. Additionally, it is important to note that the first domain established is the root domain, which, at the time of this writing, cannot be renamed.

  • Forest. A forest is a collection of trees that do not share a common root domain name. Trees within the same forest share information through automatically established trust relationships. A common use of a forest might be to separate loosely related business entities, while still retaining a common global catalog, configuration, and schema.

  • Global catalog. The global catalog is a central repository for frequently used information, derived by creating a partial replica of every object in the directory. Each partial replica object is composed from a specific subset of each full object's attributes. As a result, the global catalog allows a user to quickly search an entire forest for a particular object, and stores information pointing to the actual location of an object in the forest to allow quick navigation to the desired object. As with many of the other terms in this chapter, the global catalog is specific to the Active Directory.

  • Globally Unique Identifier (GUID). A GUID is a 128-bit number that is statistically improbable to be anything other than unique within any given namespace. This identifier is used to uniquely and permanently identify objects; it can never be changed even after relocating an object elsewhere in the namespace. Even if an object is renamed, the GUID does not change. This stability enables you to permanently identify an object's association with another object in the directory.

  • Object. An object is simply an entry in the directory of a specific class. A group object, for example, is an entry in the directory that has values for all mandatory properties as defined by the schema definition for the group class. Additionally, an object can allow various optional properties to describe the object; these optional properties are also based on the schema definition for the particular object's class. This term is synonymous with entries as defined in the LDAP chapter.

  • Organizational unit (OU). An organizational unit is a container used to hold objects in a domain to allow logical groupings of objects along geographical, functional, or administrative boundaries. OUs are especially important to establish delegated administration: it is recommended to delegate rights only at the OU level and allow all child objects to inherit the permissions assigned to their parent container object. Additionally, OUs allow you to eliminate the use of the multiple master user domain model, which is currently found in many large Windows NT implementations.

  • Site. A site defines the boundaries of high-speed IP connectivity to help optimize replication traffic and increase the probability of successful authentication. Although stored in the Active Directory, sites are not part of LDAP standard nomenclature.

  • Tree. If two domains share the same root name, the hierarchical structure created by such an arrangement is referred to as a tree. Two-way transitive trust relationships are defined automatically between individual domains within a tree. To understand this concept, consider that a company might have individual domains for Engineering, Sales, and Marketing; because all three entities are part of the same root domain name, they establish a tree.

  • User principal name (UPN). The UPN is formed by default from the concatenation of the user's logon name and the DNS name of the domain in which the user object resides. This name is one of several methods that can be used to uniquely identify the user object for login or identification purposes. Microsoft chose the structure of the UPN to match that of an Internet email address so that enterprises that have established unique email names for their employees can allow employees to log on using their email aliases.
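The relationships among several of these terms (domain, tree, forest, UPN and GUID) can be made concrete with a small model. The following Python is an added example, not code from the book or from ADSI; it contacts no directory, and every domain, container and user name in it (example.com, partner.net, Jane Doe, jdoe) is constructed for illustration. It derives a domain's naming-context DN from its DNS name, groups domains into trees by shared root name, treats any two domains in the same forest as trusting each other through the automatic transitive trusts, builds a default UPN, and shows that an object's GUID survives a rename and a move even though its distinguished name does not.

```python
"""Constructed model of the Active Directory naming terms discussed above.
Added example: it does not talk to a directory, and all names are made up."""
import uuid
from dataclasses import dataclass, field
from typing import Optional


def dns_to_dn(dns_name: str) -> str:
    """A domain's DNS name maps onto the distinguished name of its naming
    context: 'sales.example.com' -> 'DC=sales,DC=example,DC=com'."""
    labels = [label for label in dns_name.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def tree_root(domain: str, roots: list) -> Optional[str]:
    """Return the tree root whose DNS name is `domain` itself or a suffix of it."""
    domain = domain.lower()
    for root in roots:
        if domain == root or domain.endswith("." + root):
            return root
    return None


def group_into_trees(domains: list) -> dict:
    """Domains sharing a root DNS name form a tree: each root maps to its members.
    Names with fewer labels are processed first so a root is seen before its
    children; a domain under no existing root starts a new tree."""
    ordered = sorted({d.lower() for d in domains}, key=lambda d: (d.count("."), d))
    trees: dict = {}
    for d in ordered:
        root = tree_root(d, list(trees))
        if root is None:
            trees[d] = [d]
        else:
            trees[root].append(d)
    return trees


def same_forest_trust(forest: dict, a: str, b: str) -> bool:
    """Within one forest every domain reaches every other through the
    automatically established two-way transitive trusts, whether or not
    the two domains belong to the same tree."""
    members = {d for tree in forest.values() for d in tree}
    return a.lower() in members and b.lower() in members


def upn(logon_name: str, domain_dns: str) -> str:
    """Default UPN: the logon name, '@', and the DNS name of the user's domain."""
    return f"{logon_name}@{domain_dns.lower()}"


@dataclass
class DirectoryObject:
    """An entry whose DN is built from its RDN and its container, with a
    GUID assigned at creation that no rename or move ever changes."""
    object_class: str
    rdn: str                                   # constructed, e.g. 'CN=Jane Doe'
    parent_dn: str                             # constructed, e.g. 'OU=Sales,DC=example,DC=com'
    object_guid: uuid.UUID = field(default_factory=uuid.uuid4)

    @property
    def dn(self) -> str:
        return f"{self.rdn},{self.parent_dn}"


def rename_and_move_keeps_guid() -> tuple:
    """Move and rename a constructed user; report (DN changed, GUID unchanged)."""
    user = DirectoryObject("user", "CN=Jane Doe", "OU=Sales," + dns_to_dn("example.com"))
    guid_before, dn_before = user.object_guid, user.dn
    user.parent_dn = "OU=Marketing," + dns_to_dn("example.com")   # move to another OU
    user.rdn = "CN=Jane Smith"                                      # rename the object
    return dn_before != user.dn, guid_before == user.object_guid


if __name__ == "__main__":
    forest = group_into_trees(["example.com", "eng.example.com", "sales.example.com",
                               "mktg.example.com", "partner.net", "emea.partner.net"])
    for root, members in forest.items():
        print(f"tree rooted at {root}: {members}")
    print(same_forest_trust(forest, "eng.example.com", "emea.partner.net"))
    print(upn("jdoe", "sales.example.com"))
    print(rename_and_move_keeps_guid())
```

The two trees in the sample forest (example.com and partner.net) illustrate why a forest, not a tree, is the unit that shares a global catalog, configuration and schema: the domains have no common root name, yet the model still treats them as trusting one another. The last function is the practical reason the text stresses the GUID: any script that records an object's identity by distinguished name breaks as soon as the object is moved between OUs or renamed, whereas one keyed on the GUID does not.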

Note

As with the LDAP and Visual Basic discussions presented in this text, this section is not intended as a comprehensive discussion of the Active Directory and its many intricacies.

Please see Appendix C, "Further Reading," for a list of references to other resources on Microsoft Active Directory technology.



Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck
