Lesson 1: Active Directory Overview

Active Directory provides a method for designing a directory structure that meets the specific needs of various types of organizations. This lesson introduces the use of objects in Active Directory and the function of each of its components.


After this lesson, you will be able to

  • Explain the purpose of object attributes and the schema in Active Directory
  • Identify the components of Active Directory
  • Describe the function of Active Directory components

Estimated lesson time: 30 minutes


Active Directory Objects

Active Directory stores information about network resources, as well as all the services that make the information available and useful. The resources stored in the directory, such as user data, printers, servers, databases, groups, computers, and security policies, are known as objects.

An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account might include the user's first and last names, department, and e-mail address (see Figure 16.1).

Figure 16.1 Active Directory objects and attributes

In Active Directory, you can organize objects into classes, which are logical groupings of objects. Examples of object classes are those representing user accounts, groups, computers, domains, or organizational units (OUs).

NOTE

Some objects, known as containers, can contain other objects. For example, a domain is a container object that can contain information about users, computers, and other objects.

The Active Directory schema defines objects that can be stored in Active Directory.

Active Directory Schema

The Active Directory schema is the list that defines the kinds of objects and the types of information about those objects that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in Active Directory.

There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.

Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, ensuring consistency.

Classes, also referred to as object classes, describe the possible Active Directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.

A set of basic classes and attributes is included in Active Directory. Experienced developers and network administrators may dynamically extend the schema by defining new classes and new attributes for existing classes. For example, if you need to store information about users that is not currently defined in the schema, you must extend the schema for the User class. However, extending the schema is an advanced operation with possibly serious consequences. Because schema definitions cannot be deleted, only deactivated, and because schema changes are automatically replicated, you must plan and prepare before extending the schema.
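The following is an added example, not part of the training kit, showing how a practitioner can check the points above against a live directory with the Active Directory PowerShell module (assumed available): that the Description attribute exists exactly once as an attributeSchema object, which classes reference it, what the User class is composed of, and which schema objects have been deactivated rather than deleted.

```powershell
# Added example (not from the original lesson). Assumes the ActiveDirectory
# module and read access to the schema naming context.
Import-Module ActiveDirectory

# The schema is itself stored as objects under the schema naming context,
# e.g. CN=Schema,CN=Configuration,DC=domain,DC=com
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. The Description attribute is defined once, as a single attributeSchema object.
$descr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=description))" `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isDefunct
$descr | Format-List lDAPDisplayName, attributeSyntax, isSingleValued, isDefunct

# 2. ...but many classSchema objects reference it through their mayContain /
#    systemMayContain lists, which is how one definition serves many classes.
$usesDescription = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(|(mayContain=description)(systemMayContain=description)))" `
    -Properties lDAPDisplayName
"Classes that may carry 'description': {0}" -f ($usesDescription.lDAPDisplayName -join ', ')

# 3. The User class: the attribute lists that make up the class. Attributes
#    inherited from its superclasses (subClassOf chain) are not listed here.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
    -Properties subClassOf, systemMustContain, mustContain, systemMayContain, mayContain
$userClass | Format-List subClassOf, systemMustContain, mustContain, systemMayContain, mayContain

# 4. Schema objects cannot be deleted, only deactivated: audit what has been
#    marked defunct, since an unexpected entry here means someone extended the schema.
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(isDefunct=TRUE)" `
    -Properties lDAPDisplayName, objectClass, whenChanged |
    Select-Object lDAPDisplayName, objectClass, whenChanged
```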

Active Directory Components

Active Directory uses components to build a directory structure that meets the needs of your organization. The logical structures of your organization are represented by the following Active Directory components: domains, organizational units, trees, and forests. The physical structure of your organization is represented by the following Active Directory components: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure of your organization.

Logical Structures

In Active Directory, you organize resources in a logical structure that mirrors the logical structure of your organization. Grouping resources logically enables you to find a resource by its name rather than by its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users. Figure 16.2 illustrates the relationship of the Active Directory components.

Figure 16.2 Resources organized in a logical hierarchical structure

Domains

The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered "interesting" to the network. "Interesting" objects are items the networked community members need to do their jobs: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. All network objects exist within a domain, and each domain stores information only about the objects it contains. Active Directory is made up of one or more domains. A domain can span more than one physical location.

Grouping objects into one or more domains allows your network to reflect your company's organization. Domains share these characteristics:

  • All network objects exist within a domain, and each domain stores information only about the objects that it contains. Theoretically, a domain directory can contain up to 10 million objects, but one million objects per domain is a more practical number.
  • A domain is a security boundary. Access control lists (ACLs) control access to domain objects. An ACL contains the permissions associated with an object, which determine which users can gain access to the object and what type of access they are granted. In Windows 2000, objects include files, folders, shares, printers, and other Active Directory objects. Security policies and settings—such as administrative rights and ACLs—do not cross from one domain to another. The domain administrator has absolute rights to set policies only within that domain.

Organizational Units

An OU is a container used to organize objects within a domain into logical administrative groups that mirror your organization's functional or business structure. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy.

OUs provide a means of handling administrative tasks, as they are the smallest grouping to which you can delegate administrative authority. Using OUs provides you with a way to delegate administration of users and resources.

In Figure 16.3, the domain.com domain for a particular organization contains three OUs: US, ORDERS, and DISP. In the summer months, the number of orders taken for shipping at the company increases, and management has requested the addition of a subadministrator for the Orders department. The subadministrator must only have the capability to create user accounts and provide users with access to Orders department files and shared printers. Rather than creating another domain, the request can be met by assigning the subadministrator the appropriate permissions within the ORDERS OU.

Figure 16.3 Using an organizational unit to handle administrative tasks

If the subadministrator is later required to create user accounts in the US, ORDERS, and DISP OUs, the appropriate permissions could be granted separately within each OU. However, a more efficient method would be to assign permissions once in the US OU and allow them to be inherited by the ORDERS and DISP OUs. By default, all child objects (ORDERS and DISP) within Active Directory inherit permissions from their parents (US). Granting permissions at a higher level and using inheritance capabilities can reduce administrative tasks.
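The delegation and inheritance scenario from Figure 16.3, as an added example that is not part of the training kit: the right to create user objects is granted once on the US OU to a delegation group, then each child OU is checked to confirm that the entry arrived there as an inherited ACE. The OU distinguished names, the group name OrdersSubAdmins and the use of the Active Directory PowerShell module are assumptions.

```powershell
# Added example (not from the original lesson). Assumes the ActiveDirectory
# module, the OU layout of Figure 16.3 and a delegation group "OrdersSubAdmins".
Import-Module ActiveDirectory

$usOU     = "OU=US,DC=domain,DC=com"             # parent OU (assumed DN)
$childOUs = "OU=ORDERS,$usOU", "OU=DISP,$usOU"    # children that should inherit
$group    = Get-ADGroup "OrdersSubAdmins"         # delegate to a group, not a person

# Scope the right to creating *user* objects only: look up the schemaIDGUID of
# the user class from the schema instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" -Properties schemaIDGUID
$userGuid  = [Guid]$userClass.schemaIDGUID

# One ACE: Allow <group> CreateChild of object type "user", inherited by all
# descendants of the US OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$usOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usOU" -AclObject $acl

# Verify: the ACE granted once on US shows up on ORDERS and DISP with
# IsInherited = True. If a child OU has inheritance blocked, nothing is listed
# for it, and protected accounts (adminCount=1) never inherit because the
# AdminSDHolder process rewrites their ACLs.
foreach ($ou in $childOUs) {
    $childAcl = Get-Acl -Path "AD:\$ou"
    $childAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $group.SID -and $_.IsInherited } |
        Select-Object @{ n = 'OU'; e = { $ou } }, ActiveDirectoryRights, ObjectType, IsInherited
}
```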

Trees

A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in Lesson 2 of this chapter. Trees share the following characteristics:

  • Following Domain Name System (DNS) standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain. In Figure 16.4, microsoft.com is the parent domain and us.microsoft.com and uk.microsoft.com are its child domains. The child domain of uk.microsoft.com is sls.uk.microsoft.com.
  • All domains within a single tree share a common schema, which is a formal definition of all object types that you can store in an Active Directory deployment.
  • All domains within a single tree share a common global catalog, which is the central repository of information about objects in a tree. The global catalog is covered in detail in Lesson 2 of this chapter.

Figure 16.4 A domain tree

By creating a hierarchy of domains in a tree, you can retain security and allow for administration within an OU or within a single domain of a tree. Permissions can flow down the tree when permissions are granted to the user on an OU basis. This tree structure easily accommodates organizational changes.

Forests

A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. Forests have the following characteristics:

  • All trees in a forest share a common schema.
  • Trees in a forest have different naming structures, according to their domains.
  • All domains in a forest share a common global catalog.
  • Domains in a forest operate independently, but the forest enables communication across the entire organization.
  • Implicit two-way transitive trusts exist between domains and domain trees.

In Figure 16.5, the trees microsoft.com and msn.com form a forest. The namespace is contiguous only within each tree.

Figure 16.5 A forest of trees

Physical Structure

The physical components of Active Directory are sites and domain controllers. You use these components to develop a directory structure that mirrors the physical structure of your organization.

Sites

A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. "Fast" network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.

With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites.

NOTE

A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.

Domain Controllers

A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory (the local domain database). A domain can contain one or more domain controllers, and every domain controller in a domain holds a complete replica of the domain's portion of the directory.

The following list describes the functions of domain controllers:

  • Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
  • Domain controllers in a domain automatically replicate all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that Windows 2000 replicates at one time.
  • Domain controllers immediately replicate certain important updates, such as the disabling of a user account.
  • Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers may hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.
  • Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.
  • Domain controllers manage all aspects of users' domain interaction, such as locating Active Directory objects and validating user logon attempts.
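An added example, not part of the training kit, that ties the physical structure together: two sites are defined from their IP subnets, the link between them is given a replication interval as described above, and a domain controller is then queried for its replication partners to see whether the multimaster replicas have converged. Site names, subnets and the domain controller hostname are constructed for the example, and the Active Directory PowerShell module is assumed.

```powershell
# Added example (not from the original lesson). Site names, subnets and the
# DC hostname are constructed; assumes the ActiveDirectory module on a
# current Windows Server with the replication cmdlets.
Import-Module ActiveDirectory

# A site groups subnets that share a fast, reliable link. Put only such subnets
# together; everything across the WAN belongs in its own site.
New-ADReplicationSite -Name "HQ"
New-ADReplicationSite -Name "Branch"
New-ADReplicationSubnet -Name "10.1.0.0/16" -Site "HQ"
New-ADReplicationSubnet -Name "10.2.0.0/24" -Site "Branch"

# Replication between sites is scheduled rather than immediate: this link
# replicates every 180 minutes over the IP transport. A lower cost is
# preferred when several links exist.
New-ADReplicationSiteLink -Name "HQ-Branch" -SitesIncluded "HQ", "Branch" `
    -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# Convergence check on one DC: with multimaster replication every DC is
# writable, so a partner whose last success is old or whose result is
# non-zero means that DC may still be serving stale data.
$dc = "dc01.domain.com"
Get-ADReplicationPartnerMetadata -Target $dc |
    Select-Object Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures

# Any outstanding failures for the same DC.
Get-ADReplicationFailure -Target $dc

# The same view from the classic tooling: repadmin /replsummary
# A client's site is derived from its subnet: nltest /dsgetsite
```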

Lesson Summary

In this lesson you learned that an object is a distinct named set of attributes that represents a network resource in Active Directory. Objects' attributes describe the characteristics of a specific resource in the directory. In Active Directory, you can organize objects in classes, which are logical groupings of objects. You also learned that the Active Directory schema contains a formal definition of the contents and structure of Active Directory, including all attributes and object classes.

You also learned that Active Directory offers you a method for designing a directory structure to meet the needs of your organization's business structure and operations. Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.

In Active Directory, grouping resources logically enables you to find a resource by its name rather than by its physical location. The core unit of logical structure in Active Directory is the domain, which stores information only about the objects that it contains. An OU is a container used to organize objects within a domain into logical administrative groups. A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace. A forest is a grouping or hierarchical arrangement of one or more trees.

The physical structure of Active Directory is based on sites and domain controllers. A site is a combination of one or more IP subnets connected by a high-speed link. A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
