Structure of the Active Directory

The Active Directory structure in Windows 2000 and Windows Server 2003 differs significantly from the directory structure in Windows NT. But because MCSAs and MCSEs are expected to be familiar with Windows NT, it's important to understand NT's directory structure.

In Windows NT 4, Microsoft used a flat directory model for its domains. The resulting structure was simple and straightforward on small and medium-sized networks, but could become confusing and difficult to manage on an enterprise scale. In NT 4, one machine, the primary domain controller (PDC), held the only authoritative copy of the domain's directory database. This database, called the SAM, could then be replicated out to other machines functioning as backup domain controllers (BDCs).

flat directory

Used in many simple directory schemes, a structure that does not allow for compartmentalization of resources, users, or other accounts. It also has no hierarchical relation between directory elements.

trust

A trust is configured to allow two Windows domains to share user authentication information and to allow users from one domain to access resources in another domain.

A Windows NT 4 domain was managed as a single entity. As a result, anyone who needed administrative access on one part of the domain would automatically gain administrative access to all other machines that were authenticating to that domain. Splitting up administrative authority or adding large numbers of users required the addition of more domains in the enterprise, which were then connected by trusts to enable them to communicate and share resources.

With the Active Directory, Windows 2000 and Windows Server 2003 avoid these problems by enabling you to use a new set of options: organizational units, domains, trees, and forests are now all part of the administrative mix. Each is explained in the following sections.

Tip 

If you are familiar with the Windows NT structure, think of domains as being much the same as NT domains, with organizational units (OUs) added as subdivisions of domains, and trees and forests as better ways of organizing and connecting domains.


Windows 2000 and Windows Server 2003 Domains

The most basic Windows 2000 and Server 2003 security structure is the domain. Domains are independent administrative units, with their own security and administrative policies. All domain controllers within a domain replicate their information to each other automatically. This is known as a multimaster replication model. Any domain controller can receive changes and then replicate these out to other servers in the domain.

replicate

The process by which a machine sends a copy of its databases to another machine. This usually occurs on a scheduled basis.

To allow for an orderly migration from NT 4 to Windows 2000, both Windows 2000 and the Active Directory support communication with existing NT domain structures and security. This is done through the use of a mixed-mode domain model. Then, after all your domains have been upgraded to Windows 2000, you can perform a one-time conversion to native mode. Native-mode domains have additional features that are unavailable to mixed-mode domains, but no longer support NT 4 domain controllers. Below is a Windows 2000 General configuration tab, from which you can switch modes.


Since Windows 2000 and Windows Server 2003 share the same directory services model, the upgrade from Windows 2000 to Windows Server 2003 requires no special configuration.

Tip 

You do not have to upgrade clients or member servers to use native mode. Windows NT 4 workstations and Windows 95/98 clients will simply have to update their network client software.

organizational units (OUs)

Organizational units were new with Windows 2000 and are still used with Windows Server 2003. They are compliant with the X.500 directory standard. They break the directory into subdivisions and are one of the enhancements that have added administrative depth to the previously flat domain directory structure.

Organizational Units (OUs)

Within the Active Directory, you can categorize the objects in the domain by using organizational units (OUs). This allows for administrative possibilities that were not available under Windows NT's domain model:

Limiting administrative authority within the domain  If your domain has three campuses, you can create an OU for each, and assign a different administrator access to each.

Organizing users by function  OUs can be created for Sales, Accounting, Manufacturing, etc. Users and resources can then be added to these and can be managed as a group. Below, users and resources have been arranged using organizational units.


Tip 

Trusts, which you will learn about later in this chapter, now exist only at the forest level, and should be needed only in cases of mergers or other cases of extreme administrative separation.

The beauty of combining Active Directory's capability to support millions of objects and its capability to subdivide domains into organizational units is that a single domain will be all that many companies ever need.

parent domain

The domain from which all other domains in a tree take their name.

namespace

The part of the naming structure occupied by a certain domain or tree. If the domain is foo.com, all machines and sub-domains of foo.com exist within its namespace: www.foo.com, accounting.atlanta.foo.com, etc.


Trees and Forests

Microsoft's use of the words tree and forest can be confusing. You do not, for instance, need a bunch of trees to make a forest. A tree is simply a set of domains that all have a similar DNS naming structure, and a forest consists of all the trees within a single organization.

When the first server is installed in a new domain (foo.com), it becomes a domain controller within that domain, and that domain is also the parent domain of a new tree. If you are not entering an existing forest, this tree also becomes the root tree of a new forest. Although you have installed only one server, you now have a domain, a tree, and even a forest.

The real difference between a tree and a forest is not in the numbers. Within a single tree, all the domains must fall under a contiguous namespace. Assume that you have created the domain called foo.com in your New York office, and now want to create additional geographically based domains in Hong Kong, Rome, and Fargo. If you want to allow permissions to flow without the use of trusts (which you will learn about in the next section), you need to put the new domains into the same tree. To do this, the new domains will need to incorporate the existing DNS name.

Trees

Note the two graphics that follow. In the graphic on the top, notice how the DNS namespaces are in different branches. These, therefore, cannot be in a single tree. In the bottom graphic, the three new domains nest under the foo.com parent domain and share its DNS namespace. They can therefore be incorporated into the tree.


What all of this means is that if you have a company with four offices, you may want to split up network administration by using four autonomous domains in a tree. As long as the naming structure is not an issue, this is the easiest and most integrated approach to adding domains.

Forests

Forests are similar to trees in that both are ways of connecting domains. Forests are created to connect domains whose naming conventions make them incompatible for use in a single tree, or to keep two domains distinct from each other.

root tree

The top domain within a newly created namespace. All other domains in the tree must fall within the root tree's namespace.

child domain

A domain created under the namespace of an existing tree.

schema

The set of configuration elements that defines a particular directory. The schema contains information about all objects in the directory.

global catalog

A fast-access copy of the full directory that includes only those objects that are commonly used, such as usernames and logon names.

The first tree you create also becomes the root tree of a new forest. As new domains are added, you have three choices:

  • Create the new domain as a child domain in the existing tree. If you simply create the new domain as a child domain, permissions and other configuration information automatically are shared between the domains.

  • Create the new domain as a new tree in the existing forest. Configuration data (the schema and global catalog) will be shared, but the domains will be separate administrative entities. To connect two trees, you must use a trust.

  • Create the new domain as a new tree in a new forest. This provides the greatest degree of administrative separation and makes interaction between the domains more difficult. No configuration data is shared, and trusts must be set up to share resources between forests.
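The contiguous-namespace rule for trees and the "child domain or new tree" decision above, as an added Python illustration that is not part of the original book. Domain names other than foo.com and the example sub-domains are constructed; the matching is done label by label, so a name such as newfoo.com is correctly treated as outside the foo.com namespace.

```python
def in_namespace(name, root):
    """True if name is root itself or a DNS descendant of root.
    Labels are compared, not string suffixes: 'newfoo.com' is not inside 'foo.com'."""
    n = name.lower().rstrip(".").split(".")
    r = root.lower().rstrip(".").split(".")
    return len(n) >= len(r) and n[-len(r):] == r


def parent_of(name):
    """DNS parent of a domain name: 'atlanta.foo.com' -> 'foo.com'."""
    return ".".join(name.lower().rstrip(".").split(".")[1:])


def place_domain(new_name, forest_roots):
    """Apply the first two choices for a new domain, given the root names of the
    trees already in the forest (constructed helper, not an AD API). Returns
      ("child", tree_root, parent)  when the name nests in an existing tree, or
      ("new-tree", None, None)      when no tree's namespace contains it."""
    for root in forest_roots:
        if in_namespace(new_name, root) and new_name.lower() != root.lower():
            return ("child", root, parent_of(new_name))
    return ("new-tree", None, None)


def plan_tree(root, proposed):
    """Order a batch of proposed domains under one tree root, requiring each
    child's parent to exist first (accounting.atlanta.foo.com needs atlanta.foo.com).
    Returns (accepted as (name, parent) in creation order, rejected as (name, reason))."""
    existing = {root.lower()}
    accepted, rejected = [], []
    for name in sorted(proposed, key=lambda n: n.count(".")):  # shallowest first
        kind, _tree_root, parent = place_domain(name, [root])
        if kind != "child":
            rejected.append((name, "outside the %s namespace" % root))
        elif parent not in existing:
            rejected.append((name, "parent %s does not exist" % parent))
        else:
            accepted.append((name, parent))
            existing.add(name.lower())
    return accepted, rejected


if __name__ == "__main__":
    wanted = ["accounting.atlanta.foo.com", "hongkong.foo.com", "bar.com", "atlanta.foo.com"]
    ok, bad = plan_tree("foo.com", wanted)
    print("create in order:", ok)
    print("needs a new tree or a parent first:", bad)
```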

Users who have seen Microsoft's Exchange will be at an advantage in understanding the Active Directory's forest, because Exchange's structure is similar to that of Windows 2000 and Windows Server 2003. These structures are based on the X.500 directory standard.

Even if you haven't used Exchange, though, thinking of the forest in terms of organization helps to better define it. In most cases, all trees in a single company will be placed into a single forest. Trees will be created based on geographic or administrative need, and additional domains can be added to trees as security or administrative circumstances dictate.

Tip 

Remember that Windows 2000's and Windows Server 2003's Active Directory will support millions of users and other objects. You should begin by assuming a single domain/tree/forest is best, and only modify this plan based on particular requirements of your company or client. The major reasons for creating multiple domains in Windows NT 4 (distributed administration and scaling problems) no longer should be factors.

Windows 2000 and Windows Server 2003 Trusts

transitive

Trusts that are transitive allow a domain to act as an intermediary for two other domains. If A trusts B, and B trusts C, there is a physical path between A and C. Even with that physical link, though, directory information will pass from A to C only if B acts as a transitive link.

Like other features of Windows 2000 and Windows Server 2003, trusts have changed. As an MCSE or MCSA, you will need to understand how trusts function in Windows NT and Windows 2000/Windows Server 2003.

In Windows NT 4, Windows 2000, and Windows Server 2003, there are two types of trusts: one-way and two-way. In NT networks, though, a two-way trust was really nothing more than an administrator in domain A manually creating a trust with domain B, and an administrator in domain B then manually creating a trust back to domain A.

One-Way Trusts

Trusts in NT were difficult for a number of reasons, not the least of which was that they were not transitive. Because of this, if five domains all needed to trust each other (referred to as a complete trust), 20 trusts needed to be created and maintained. As you might suspect, this could quickly become an administrative nightmare, as shown in the following graphic. (Note that each arrow represents a one-way trust.)


This model is still available in Windows 2000/Windows Server 2003, but is intended only for the purpose of backward compatibility or for short-term or emergency connections between otherwise separate domains. Windows 2000/Windows Server 2003 one-way trusts, therefore, have similar characteristics to NT trusts. They are configured in each direction separately (if two-way trusting is needed), and the trust that is established is nontransitive. Here is the Trusts tab on a Windows 2000 Server, showing two trusts that have been established with a Windows NT 4 domain. Note how the trust is configured in each direction individually.


Two-Way Trusts

Looking at the preceding example, if you had created five Windows 2000/Windows Server 2003 domains within a single tree and did not have any remaining Windows NT 4 domains to integrate, you would not need even a single trust to be able to share resources and administration. This saves 20 trusts and endless headaches! If you have to connect to another tree within your forest, you can do this through the Active Directory or through trusts, depending on your preference.

Trusts are necessary in Windows 2000/Windows Server 2003 only when the domains that wish to share resources are not in the same forest. Moreover, in Windows 2000/Windows Server 2003, most trusts are two-way and transitive. In the following graphic, the trusts established between forest A and forest B, and between forest B and forest C, also allow permission and resource flow between forest A and forest C.


Note 

Although the NT 4 domain is connected to a domain in forest A, the nontransitive nature of the trust relationship means that the NT domain may do no resource sharing with other forests, or with other domains in forest A!
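The trust rules in this section (the 20 one-way trusts of an NT 4 complete trust, transitive two-way trusts between forests A, B and C, and the NT 4 domain whose nontransitive trust reaches no further than the one domain it connects to), as an added Python model that is not part of the original book. The domain names a1.forestA, a2.forestA, root.forestB, root.forestC and NT4DOM are constructed, and the same-forest link between a1 and a2 is modelled as an ordinary transitive two-way trust.

```python
from collections import deque


class TrustGraph:
    """Directed trust edges, trusting -> trusted, each flagged transitive or not."""

    def __init__(self):
        self.edges = {}  # trusting domain -> {trusted domain: transitive?}

    def add_trust(self, trusting, trusted, transitive=True, two_way=True):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:  # a two-way trust is the same relationship in both directions
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def allows_access(self, resource_domain, account_domain):
        """True if accounts from account_domain can reach resources in resource_domain.
        A direct trust works whether or not it is transitive; a chain of two or more
        trusts is usable only when every hop is transitive (the middle domain links)."""
        if resource_domain == account_domain:
            return True
        if account_domain in self.edges.get(resource_domain, {}):
            return True
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.edges.get(current, {}).items():
                if not transitive:
                    continue  # a nontransitive trust never extends a chain
                if nxt == account_domain:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def trust_count(self):
        return sum(len(targets) for targets in self.edges.values())


def nt4_complete_trust(domains):
    """NT 4 style: every domain trusts every other via a separate one-way, nontransitive trust."""
    g = TrustGraph()
    for a in domains:
        for b in domains:
            if a != b:
                g.add_trust(a, b, transitive=False, two_way=False)
    return g


def forest_scenario():
    """The three-forest graphic plus the NT 4 domain hanging off forest A (constructed)."""
    g = TrustGraph()
    g.add_trust("a1.forestA", "a2.forestA")                 # same forest, transitive
    g.add_trust("a1.forestA", "root.forestB")               # forest A <-> forest B
    g.add_trust("root.forestB", "root.forestC")             # forest B <-> forest C
    g.add_trust("NT4DOM", "a1.forestA", transitive=False)   # NT 4 style, nontransitive
    return g
```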




MCSA. MCSE 2003 JumpStart. Computer and Network Basics
MCSA/MCSE 2003 JumpStart
ISBN: 078214277X
Year: 2003
Pages: 203
Authors: Lisa Donald
