Up to this point, our Windows Server 2003 server is ready and waiting to strut its stuff on our test network. But, as the old saying goes, a server just isn't a server without that tangy zip of shared printers, folders, and user accounts. But how do we publish all these resources out onto the network for all to see? Or, do we want all to see? Perhaps we want to restrict certain resources so that only particular users may access them. Active directory allows us to do all this, plus a whole lot more. That being said, let's get on to discussing the most basic elements of resource sharing.
The most basic component in the Windows Active Directory layout is called, simply enough, an object. The most basic object of resource sharing is the user; the user must exist if we are to share anything at all on the server. After all, what good is a server if it has no one with whom to share its information? Users can be assigned permissions on other AD objects and on shared resources. Depending on the user, he or she may be able to view items in a network share (such as a shared folder), or may be denied the ability to print (as is the case with a network printer). A user's most basic components are a username and a password; it is with these two that the user logs on to the Active Directory domain. Of course, the user object may also carry other data, such as first and last name, contact information, user profile information for home folders (discussed in a later chapter), and group memberships.
As mentioned previously, users can be granted access rights to other AD objects. Shown here, the user has access to a shared folder:
But what happens when we start to involve multiple users accessing multiple objects? Things start to get a bit more cluttered, as shown here:
The preceding example shows just nine users, in three sets of three, accessing three network resources. Each user must be granted access to each resource individually, a process that quickly becomes time consuming and tedious, and just as error prone later when access has to be revoked. Imagine if we have 300 users, each of which needs access to specific resources! What we need is a way to consolidate multiple users into more logical arrangements.
Enter the group object; the group gives us the ability to consolidate our users to prevent clutter and to provide some organization. Using our example on the previous page, we can add the nine users into three different groups. Once in groups, we don't need to give each and every user access to network resources; instead, we can give the group access to the resource. Imagine the time savings if a group contains hundreds of users! We give the group access to the shared printer, folder, or other network resource, and all members of the group are granted access. An example of how this works is shown here:
In Windows Server 2003, not all groups are created equal. Microsoft defines three group scopes: domain local, global, and universal. A domain local group can be granted permissions only on resources within its own domain, so it is the wrong choice for securing an object that lives in, or must be reached from, another domain; where it is quite useful is the inter-domain case in the other direction, because it can hold users and global groups from any trusted domain and then be placed on the ACL of a resource in its own domain (see chapter 5). Global groups can only contain users (and other global groups) from the domain in which the group is created. Universal groups can contain users and groups from any domain in the forest. Global groups are, however, much more replication efficient than their universal cousins, and on crowded networks this can be advantageous. In an AD forest, a special service running on some domain controllers, called the Global Catalog, keeps a partial copy of every object in the forest and replicates it to every other global catalog server. The membership list of a universal group is stored in the Global Catalog, so every membership change replicates forest-wide (at the Windows Server 2003 forest functional level only the changed member is sent; at earlier levels the whole list is). Global and domain local groups, on the other hand, store their membership only in their own domain's partition: the Global Catalog carries the group object but not the users within it, so less information crosses the network during replication. Universal groups are useful in multi-domain forests; they cannot contain accounts from another forest.
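The scope just described is stored on every group object in the LDAP attribute groupType, as a bitmask. The PowerShell below is an added example, not code from the book: it decodes that bitmask and checks the nesting rules above against a few constructed group records (the group, domain and forest names are assumptions, and the check treats any domain outside the group's own as a trusted one). The bit values are those documented for the attribute; the commented line shows where a real value would come from.

```powershell
# Added example, not from the original chapter. Decodes the groupType bitmask
# and applies the scope membership rules for a native-mode / 2003-level domain.
function Get-GroupScope {
    param([Parameter(Mandatory)][int64]$GroupType)
    # Documented groupType bits: 0x2 global, 0x4 domain local, 0x8 universal;
    # 0x80000000 set = security group, clear = distribution group.
    $scope = if     ($GroupType -band 0x2) { 'Global' }
             elseif ($GroupType -band 0x4) { 'DomainLocal' }
             elseif ($GroupType -band 0x8) { 'Universal' }
             else                          { 'Unknown' }
    [pscustomobject]@{
        Scope    = $scope
        Security = (($GroupType -band 0x80000000) -ne 0)
    }
}

function Test-GroupNesting {
    # $true when $Member may be added to $Group. Both are objects with
    # Domain and Forest; $Member also has Type ('User','Computer','Group')
    # and, for groups, Scope. Cross-domain cases assume a trust exists.
    param([Parameter(Mandatory)]$Group, [Parameter(Mandatory)]$Member)
    $sameDomain  = $Group.Domain -eq $Member.Domain
    $sameForest  = $Group.Forest -eq $Member.Forest
    $memberScope = if ($Member.Type -eq 'Group') { $Member.Scope } else { 'Principal' }
    switch ($Group.Scope) {
        # Global: own-domain users, computers and global groups only.
        'Global'      { return $sameDomain -and (@('Principal','Global') -contains $memberScope) }
        # Universal: anything in the forest except domain local groups.
        'Universal'   { return $sameForest -and (@('Principal','Global','Universal') -contains $memberScope) }
        # Domain local: principals, global and universal groups from any trusted
        # domain; other domain local groups only from its own domain.
        'DomainLocal' {
            if ($memberScope -eq 'DomainLocal') { return $sameDomain }
            return @('Principal','Global','Universal') -contains $memberScope
        }
    }
    return $false
}

# Constructed records (assumed names). A real value comes from, e.g.,
#   (Get-ADGroup 'Accounting-Staff' -Properties groupType).groupType
# or on Server 2003:  ([ADSI]'LDAP://CN=Accounting-Staff,OU=...').groupType
$forest = 'example.com'
$staff = [pscustomobject]@{ Name='Accounting-Staff';        Type='Group'; Domain='corp.example.com'
                            Scope=(Get-GroupScope -GroupType (-2147483646)).Scope; Forest=$forest }   # global, security
$share = [pscustomobject]@{ Name='Share-Accounting-Modify'; Type='Group'; Domain='res.example.com'
                            Scope=(Get-GroupScope -GroupType (-2147483644)).Scope; Forest=$forest }   # domain local, security
$alice = [pscustomobject]@{ Name='alice'; Type='User'; Scope=$null; Domain='other.example.com'; Forest=$forest }

Get-GroupScope -GroupType (-2147483640)          # Scope=Universal, Security=True
Test-GroupNesting -Group $share -Member $staff   # True : domain local accepts a global group from another domain
Test-GroupNesting -Group $staff -Member $alice   # False: global groups take members from their own domain only
Test-GroupNesting -Group $staff -Member $share   # False: a domain local group can never sit inside a global one
```

The negative literals are how the attribute appears when read as a signed 32-bit integer (0x80000002, 0x80000004 and 0x80000008); the decoder accepts the unsigned forms too.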
One last element of Windows Server 2003's Active Directory organizational hierarchy is the organizational unit (OU). One of the more complex objects in AD, the OU is a container that houses other AD objects; it is also the object to which Group Policy is linked and over which administration can be delegated, so the OU layout decides who can manage what. OUs help bring another level of order to our AD layout. So going back to our example of users one through nine and groups A through C, the users themselves are objects in AD; they are added to groups; the groups, and therefore the users, are granted access to shared printers, folders, and disk drives. The next logical step is to gather this whole mass of AD objects into an OU.
Shown here, all users, groups, and shared resources are grouped into one single OU. Designing and implementing Active Directory in this way gives the directory structure: an object can be found, grouped, and administered by where it sits in the tree rather than by hunting through the whole domain.
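The group and OU sections above describe one procedure: create the container, create the users, put the users in a global group, nest that group in a domain local group, and grant the domain local group (never the individual users) access to the resource. Here it is end to end as an added example, not code from the book. It uses the ActiveDirectory PowerShell module, which arrived with Windows Server 2008 R2 and RSAT (on Server 2003 itself the equivalent tools are dsadd, dsmod, cacls and net share); the domain is read from the environment, while the OU, user, group and folder names are assumed values.

```powershell
# Added example, not from the original chapter. Requires the ActiveDirectory
# module and a domain account allowed to create objects in the domain root.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName         # e.g. DC=corp,DC=example,DC=com
$netbios   = $domain.NetBIOSName
$ouPath    = "OU=Accounting,$domainDN"         # assumed OU name
$sharePath = 'D:\Shares\Accounting'            # assumed folder; must be on a local disk
$password  = Read-Host -AsSecureString 'Initial password for the new accounts'

# 1. The OU: the container everything else lives in (and the unit of delegation).
if (-not (Get-ADOrganizationalUnit -Filter 'Name -eq "Accounting"' -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name 'Accounting' -Path $domainDN
}

# 2. Users: the objects that actually log on (sAMAccountName + password).
$users = 1..3 | ForEach-Object { "acct.user$_" }
foreach ($u in $users) {
    New-ADUser -Name $u -SamAccountName $u -Path $ouPath `
               -AccountPassword $password -Enabled $true
}

# 3. Global group: holds the users; members must come from this domain.
New-ADGroup -Name 'Accounting-Staff' -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity 'Accounting-Staff' -Members $users

# 4. Domain local group: the name that goes on the resource ACL. Global groups
#    from any trusted domain can be nested here later without touching the ACL.
New-ADGroup -Name 'Share-Accounting-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity 'Share-Accounting-Modify' -Members 'Accounting-Staff'

# 5. Grant the domain local group on the folder (NTFS permission) ...
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
$acl  = Get-Acl -Path $sharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$netbios\Share-Accounting-Modify",   # identity
    'Modify',                             # FileSystemRights
    'ContainerInherit, ObjectInherit',    # apply to subfolders and files
    'None',                               # PropagationFlags
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# ... and publish it with a matching share permission. Effective access over
# the network is the more restrictive of the share and NTFS permissions.
net share "Accounting=$sharePath" "/GRANT:$netbios\Share-Accounting-Modify,CHANGE"

# 6. Verify: who ends up with access through the nesting, and who the ACL names.
Get-ADGroupMember -Identity 'Share-Accounting-Modify' -Recursive | Select-Object SamAccountName
(Get-Acl -Path $sharePath).Access | Where-Object { $_.IdentityReference -like "*Share-Accounting*" }
```

The last two lines are the check worth keeping: the ACL should list exactly one group, and the recursive membership should list exactly the people who are meant to reach the folder. Adding a tenth user is then one Add-ADGroupMember call, and the folder's permissions never change.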