What Is Active Directory?


When an OS such as Windows 2000 uses X.500, it bases its domain model on the X.500 structure. Not only is the directory a resource directory (of users, computers, printers, and so on) and an information store of the resources (names, email addresses, and so on), but it is also the basis of the domain model. (Other OSs, such as NetWare, also use X.500 as the basis of their domain model.)

Microsoft calls its directory service Active Directory. In Active Directory, everything is based on DNS (Domain Name System). For example, in Figure 11.2 the root of Active Directory has two forests: webwidgetsinc.co.uk for the UK division of Web Widgets Inc. and webwidgetsinc.com for the U.S. division. The root never has a domain name, but forests under the root always do. Each tree under a forest is thus a subdomain. In Figure 11.2, under the webwidgetsinc.co.uk domain (and thus the Web Widgets Inc. UK forest), each tree is named whitby.webwidgetsinc.co.uk for the Whitby division and stockport.webwidgetsinc.co.uk for the Stockport division.

Figure 11.2. A sample Active Directory structure.


Active Directory domains do not need to know about one another to exist; they can be self-contained or can "trust" other domains if you want to access resources in that domain. Also, resources are allocated to users depending on user groups, and each user group has permissions. In this way you can control what a user can access in your domain.

For example, if Terry works in the Whitby Division, his domain is whitby.webwidgetsinc.co.uk. If Terry belongs to the Administrator group, when he logs into a computer in the whitby.webwidgetsinc.co.uk domain, he has Administrator permissions. However, he doesn't have those permissions in other domains such as stockport.webwidgetsinc.co.uk unless that domain is a trusted domain.

In Active Directory, resources can be allocated to domains (forests) and sub-domains (trees). However, the same rules for trusted domains still apply.

Active Directory differs from X.500 directories in the manner in which users are grouped. In most X.500 directories, users are grouped into OUs. Although it is still possible to do that with Active Directory, users are still listed in the domain model under the subdomain to which they belong. This is because all users log into the subdomain to which they belong, so all users are listed by Active Directory under that subdomain and not under OUs within that subdomain. We will explore this further later in the chapter.

Active Directory Resource Properties

Every Active Directory resource has properties. As an X.500-compliant directory service, Active Directory uses X.500 directory syntax to indicate a resource's properties. If you have used an X.500 directory in the past, you might be familiar with some of these properties. For example, for a user resource, these can be items such as common name, first name, and last name.
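
The following sketch ties the DNS-based domain names above to X.500 syntax: it maps a domain name to domain components (DC) and builds a user's distinguished name from a common name (CN), escaping per RFC 4514 so that a comma inside a name is not read as a component separator. It is an added example, not code from the book; the function names and the default Users container are assumptions.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def domain_to_dn(dns_name):
    """Turn a DNS domain name into DC= components, one per label."""
    labels = dns_name.rstrip(".").split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError("invalid DNS label: %r" % label)
    return ",".join("DC=" + label for label in labels)

def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 rules)."""
    if not value:
        raise ValueError("empty attribute value")
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or edge_space or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def user_dn(common_name, dns_domain, container="Users"):
    """DN of a user listed directly under a domain (container is assumed)."""
    return "CN=%s,CN=%s,%s" % (escape_rdn_value(common_name),
                               escape_rdn_value(container),
                               domain_to_dn(dns_domain))

def split_dn(dn):
    """Split a DN on unescaped commas only."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur]

if __name__ == "__main__":
    # Constructed sample: the chapter's Whitby domain and a name with a comma.
    dn = user_dn("Smith, Terry", "whitby.webwidgetsinc.co.uk")
    print(dn)
    print(split_dn(dn))
```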



PHP Programming for Windows
PHP Programming for Windows (Landmark (New Riders))
ISBN: 0735711690
EAN: 2147483647
Year: 2002
Pages: 99
