Active Directory provides a method for designing a directory structure that meets the needs of your organization. This lesson introduces the use of objects in Active Directory and the function of each of its components.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
A directory stores information related to the network resources to facilitate locating and managing these resources. A directory service is a network service that identifies all resources on a network and makes them accessible to users and applications. A directory service differs from a directory in that it is both the source of the information and the service making the information available to users.
Active Directory is the directory service included in Windows 2000 Server. Active Directory includes the directory, which stores information about network resources, as well as all the services that make the information available and useful. The information stored in the directory about users, printers, servers, databases, groups, computers, and security policies is organized into objects.
An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account might include the user's first name, last name, and logon name, while the attributes of a computer account may include the computer name and description (see Figure 1.1).
Figure 1.1 Active Directory objects and attributes
Some objects, known as containers, can contain other objects. For example, a domain is a container object that can contain users, computers, and other objects. In Figure 1.1, the Users folder is a container that contains users.
The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. Because the schema definitions are themselves stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory.
The schema contains two types of definition objects: schema class objects and schema attribute objects. As shown in Figure 1.2, class objects and attribute objects are defined in separate lists within the schema. Schema class and attribute objects are also referred to as schema objects or metadata.
Schema class objects describe the possible Active Directory objects that can be created. A schema class object functions as a template for creating new Active Directory objects. Each schema class is a collection of schema attribute objects. When you create an object from a schema class, the attributes of that class determine what information can be stored to describe the object. The User class, for example, is composed of many schema attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of a schema class object.
Schema attribute objects define the schema class objects with which they are associated. Each schema attribute is defined only once and can be used in multiple schema classes. For example, the Description attribute is used in many schema classes but is defined only once in the schema, ensuring consistency.
Figure 1.2 Schema class and attribute objects
A set of basic schema classes and attributes is shipped with Windows 2000 Server. Experienced developers and network administrators may dynamically extend the schema by defining new classes and new attributes for existing classes. For example, if you need to store information about users that is not currently defined in the schema, you must extend the schema for the User class. However, extending the schema is an advanced operation with possibly serious consequences. Schema classes and attributes cannot be deleted, only deactivated, and every schema change is automatically replicated to every domain controller in the forest, so you must plan and prepare carefully before extending the schema. Schema changes are also tightly restricted: they can be written only on the domain controller holding the schema master role, and only by members of the Schema Admins group, so that group should be kept empty except while a planned change is being made. Schema extension is discussed in Chapter 3, "Creating a Forest Plan."
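The following script is an added example, not part of the lesson, that shows the three points above in practice: schema classes and attributes are ordinary directory objects you can query, an attribute is defined once and reused by many classes, and deactivated schema objects remain in the schema. It uses the ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000, and assumes a domain-joined host in the forest root domain; all names in it are assumptions.

```powershell
# Added example: inspect schema objects with the ActiveDirectory module (RSAT).
# Assumes a domain-joined host in the forest root domain. Reading the schema
# partition needs no special privilege; writing it needs Schema Admins.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...

# 1. A schema class is one classSchema object. Read the "user" class as an object.
$userClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties lDAPDisplayName, subClassOf, mayContain, systemMayContain, isDefunct

"user class derives from: $($userClass.subClassOf)"
"attributes declared directly on the user class (inherited ones not shown):"
(@($userClass.mayContain) + @($userClass.systemMayContain)) | Sort-Object | Select-Object -First 10

# 2. A schema attribute is defined once; many classes reference that one definition.
$descAttr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=description))' `
    -Properties attributeSyntax, isSingleValued, isDefunct, isMemberOfPartialAttributeSet
"description: syntax=$($descAttr.attributeSyntax) singleValued=$($descAttr.isSingleValued) " +
"defunct=$($descAttr.isDefunct) inGlobalCatalog=$($descAttr.isMemberOfPartialAttributeSet)"

$classesUsingDescription = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(|(mayContain=description)(systemMayContain=description)))'
"$(@($classesUsingDescription).Count) classes reuse the single 'description' definition"

# 3. Deactivated schema objects are flagged isDefunct; they are never deleted.
$defunct = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(isDefunct=TRUE)' -Properties lDAPDisplayName
"defunct schema objects: $(@($defunct).Count)"

# 4. Who could change the schema, and where: audit Schema Admins and the schema master.
"schema master: $((Get-ADForest).SchemaMaster)"
Get-ADGroupMember 'Schema Admins' -Recursive | Select-Object name, objectClass
```

Run it as an ordinary domain user; every step is read-only. The last two lines are the check a reviewer wants before any extension is scheduled: an unexpectedly populated Schema Admins group is a finding in its own right, because any member can make a forest-wide, irreversible change.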
Active Directory uses components to build a directory structure that meets the needs of your organization. The logical structures of your organization are represented by the following Active Directory components: domains, organizational units, trees, and forests. The physical structure of your organization is represented by the following Active Directory components: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.
In addition to the components that represent the logical and physical structures of your organization, Active Directory automatically builds the global catalog on the first domain controller in a forest. The global catalog serves as the central repository of selected information about objects in a tree or forest.
In Active Directory, you organize resources in a logical structure that mirrors the logical structure of your organization. Grouping resources logically allows you to find a resource by its name rather than by its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users. Figure 1.3 illustrates the relationships of the Active Directory components.
Figure 1.3 Resources organized in a logical structure
The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those vital to the network. These vital objects are items the networked community needs to do its job: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. All network objects exist within a domain, and each domain stores information only about the objects it contains. Active Directory is made up of one or more domains. A domain can span more than one physical location. Domains share these characteristics:
Grouping objects into one or more domains allows your network to reflect your company's organization. See Chapter 4, "Creating a Domain Plan," to read about domain design.
An organizational unit (OU) is a container used to organize objects within a domain into a logical administrative group. This organization typically mirrors your organization's functional or business structure. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion. See Chapter 5, "Creating an Organizational Unit Plan," to read about OU design.
OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. See Chapter 5, "Creating an Organizational Unit Plan," to read about planning for delegation.
In Figure 1.4, the microsoft.com domain mirrors the organization of a shipping company and contains three OUs: US, Orders, and Disp, where the last two are nested within the US OU. In the summer months, the number of orders taken for shipping increases and management has requested the addition of a subadministrator for the Orders department. The subadministrator must have permission only to create user accounts and provide users with access to Orders department files and shared printers. Rather than creating another domain, the request can be met by assigning the subadministrator the appropriate permissions within the Orders OU.
If the subadministrator was later required to create user accounts in the US, Orders, and Disp OUs, you could grant the administrator the appropriate permissions separately within each OU. However, because the Orders and Disp OUs are nested in the US OU, a more efficient method is to assign permissions once in the US OU and allow them to be inherited by the Orders and Disp OUs. By default, all child objects (the Orders and Disp OUs) within Active Directory inherit permissions from their parents (the US OU). Granting permissions at a higher level and using inheritance can reduce administrative tasks. Keep in mind that inheritance can be blocked on any child object, so when you rely on inheritance for delegation, verify the effective permissions on the child OUs rather than assuming the grant has propagated.
Figure 1.4 Using an organizational unit to handle administrative tasks
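The delegation just described, as an added example that is not the lesson's own procedure: one access control entry on the US OU that lets a group create user objects, inherited by the nested Orders and Disp OUs, followed by a check of the effective permissions on each child. It uses the ActiveDirectory module and its AD: drive (RSAT); Windows 2000 itself shipped the Delegation of Control Wizard and dsacls.exe for this. The domain, OU and group names are assumptions.

```powershell
# Added example: delegate "create user accounts" once on OU=US and verify inheritance.
# Assumes the ActiveDirectory module, an existing group "Orders-Subadmins", and the
# OU layout from Figure 1.4 in the current domain. Must run as an account that can
# modify the OU's security descriptor.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$usOu     = "OU=US,$domainDn"
$childOus = "OU=Orders,OU=US,$domainDn", "OU=Disp,OU=US,$domainDn"
$group    = Get-ADGroup 'Orders-Subadmins'
$sid      = [System.Security.Principal.SecurityIdentifier] $group.SID

# Look up the schemaIDGUID of the user class rather than hard-coding it.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$userClassGuid = [guid] (Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID

# One ACE on the parent: Allow CreateChild, limited to objects of class "user",
# applied to this OU and every descendant.
$acl = Get-Acl -Path "AD:\$usOu"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usOu" -AclObject $acl

# Inheritance can be blocked per object, so check what each child actually carries.
function Test-DelegatedCreateUser {
    param(
        [string]$OuDn,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [guid]$ClassGuid
    )
    $childAcl = Get-Acl -Path "AD:\$OuDn"
    if ($childAcl.AreAccessRulesProtected) {
        Write-Warning "$OuDn blocks inheritance; the grant on OU=US does not reach it"
    }
    $hit = $childAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $Sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            $_.ObjectType -eq $ClassGuid
        }
    [pscustomobject]@{
        OU             = $OuDn
        CanCreateUsers = [bool]$hit
        Inherited      = @($hit | ForEach-Object IsInherited)
    }
}

$childOus | ForEach-Object { Test-DelegatedCreateUser -OuDn $_ -Sid $sid -ClassGuid $userClassGuid }
```

The verification half is the part worth keeping in a runbook: it reports whether each nested OU really carries the Create Child right for the group and whether that ACE arrived by inheritance. A child OU whose security descriptor is protected will show CanCreateUsers as false even though the grant on the parent looks correct. On a Windows 2000 system the same grant can be made with the Support Tools command dsacls, along the lines of `dsacls "OU=US,DC=example,DC=com" /I:T /G "EXAMPLE\Orders-Subadmins:CC;user"`, where CC is Create Child and /I:T applies the entry to the object and its subobjects (this command line is illustrative, with assumed names).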
A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson. Trees share these characteristics:
Figure 1.5 A domain tree
By creating a hierarchy of domains in a tree, you can retain security and allow for administration within an OU or within a single domain of a tree. The tree structure easily accommodates organizational changes. Chapter 3, "Creating a Forest Plan," discusses tree design.
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
In Figure 1.6, microsoft.com and msn.com form a forest. The namespace is contiguous only within each tree.
Figure 1.6 A forest of trees
Forest design is discussed in detail in Chapter 3, "Creating a Forest Plan."
The physical components of Active Directory are sites and domain controllers. You will use these components to develop a directory structure that mirrors the physical structure of your organization.
A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable and fast link, defined so that as much network traffic as possible stays local. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets into a site, combine only subnets that have fast, cheap, and reliable network connections with one another. For this purpose, a "fast" connection is at least 512 kilobits per second (Kbps) of raw bandwidth; an available bandwidth of 128 Kbps or higher is sufficient.
With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites. A single domain can span one or multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains. See Chapter 6, "Creating a Site Topology Plan," to read about site design.
A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory (local domain database). A domain can contain one or more domain controllers, and each domain controller in a domain holds a complete, writable replica of the domain's portion of the directory; a change made on any one of them is replicated to the others (multimaster replication).
The following list describes the functions of domain controllers:
There are two domain modes: mixed mode and native mode. Mixed mode allows a Windows 2000 domain controller to interact with domain controllers in the same domain that are running previous versions of Windows NT. Native mode does not allow any domain controllers in the domain to run previous versions of Windows NT. Switching a domain from mixed mode to native mode is a one-way change that cannot be reversed, so make it only after the last Windows NT domain controller has been removed from the domain.
In general, there should be one domain controller for each domain in each site for authentication purposes. However, authentication requirements for your organization determine the number of domain controllers and their location. Chapter 6, "Creating a Site Topology Plan," discusses the placement of domain controllers.
Active Directory allows users and administrators to find objects, such as files, printers, or users, in their own domain. However, finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity. A catalog service contains selected information about every object in all domains in the directory, which is useful in performing searches across an enterprise. The catalog service provided by Active Directory services is called the global catalog.
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest; a domain controller that holds a global catalog is known as a global catalog server. Using Active Directory services multimaster replication, the global catalog information is replicated between global catalog servers in other domains. A global catalog server stores a full replica of all objects and attributes in the directory for its host domain and a partial replica of every object in every other domain in the forest. The partial replica stores the attributes most frequently used in search operations (such as a user's first and last names, logon name, and so on). Whether an attribute is replicated to the global catalog is a flag on that attribute's definition in the Active Directory schema. Object attributes replicated to the global catalog carry the same permissions as in their source domains, so a read restriction that applies in the source domain still applies in the global catalog. The converse also holds: an attribute that Authenticated Users can read in its source domain becomes readable from any global catalog server in the forest once it is marked for global catalog replication, so do not add attributes that hold sensitive data to the global catalog.
The global catalog performs two key directory roles:
When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the logon. If there is only one domain controller in a domain, that domain controller holds the global catalog. If there are multiple domain controllers in the forest, at least one of them is configured to hold the global catalog. If a global catalog is not available when a user initiates a network logon, the domain controller cannot evaluate the user's universal group membership, and the user is able to log on only to the local computer. This dependency applies to native-mode domains, because universal security groups exist only in native mode.
IMPORTANT
If a user is a member of the Domain Admins group, he or she is able to log on to the network even when the global catalog is not available.
The global catalog is designed to respond to user and programmatic queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic. Because a single global catalog contains information about all objects in all domains in the forest, a query about an object that is not contained in the local domain can be resolved by a global catalog server in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.
A query is a request made by a user or an application to retrieve Active Directory data. The global catalog answers read requests only; the partial replicas it holds for other domains are read-only, so a change to an object is made on a domain controller of the object's own domain and then replicated. The following steps, illustrated in Figure 1.7, describe the query process:
Figure 1.7 The query process
You can configure any domain controller or designate additional domain controllers as global catalog servers. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic. The availability of additional servers can provide quicker responses to user inquiries, as well as redundancy. Therefore, it is recommended that every major site in your enterprise have at least one global catalog server. See Chapter 6, "Creating a Site Topology Plan," to read about placing global catalog servers.
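The following script is an added example, not part of the lesson, that makes the global catalog's behaviour visible: it lists the forest's global catalog servers, performs a forest-wide search against the global catalog port (3268) with an empty search base, fetches the same object from a domain controller of its own domain over LDAP (389), and reports which attributes exist only on the full replica. It also counts the attributes the schema marks for global catalog replication. It uses the ActiveDirectory module (RSAT); the account name and the assumption that the host can reach a global catalog server are mine.

```powershell
# Added example: compare a global catalog (port 3268, partial replica, forest-wide)
# with a domain controller (port 389, full replica, one domain) for the same object.
# Assumes the ActiveDirectory module on a domain-joined host and an account "jdoe"
# somewhere in the forest; both are assumptions, not taken from the lesson.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$gcServer = $forest.GlobalCatalogs | Select-Object -First 1
"global catalog servers in $($forest.Name): $($forest.GlobalCatalogs -join ', ')"

$account = 'jdoe'

# Forest-wide lookup: against port 3268 an empty SearchBase searches the partial
# replica of every domain, so the caller does not need to know the object's domain.
$fromGc = Get-ADObject -Server "${gcServer}:3268" -SearchBase '' `
    -LDAPFilter "(&(objectClass=user)(sAMAccountName=$account))" -Properties *
if (-not $fromGc) { throw "$account not found in the global catalog" }

# Derive the object's home domain from its DN (DC= components) and read the full
# replica from a domain controller of that domain over the normal LDAP port.
$homeDomain = (($fromGc.DistinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
$fromDc = Get-ADObject -Server $homeDomain -Identity $fromGc.DistinguishedName -Properties *

$gcAttrs = @($fromGc.PropertyNames)
$dcAttrs = @($fromDc.PropertyNames)
"$($fromGc.DistinguishedName) lives in $homeDomain"
"attributes returned by DC ($homeDomain): $($dcAttrs.Count); by GC ($gcServer): $($gcAttrs.Count)"
"present on the full replica only (not in the partial attribute set):"
Compare-Object -ReferenceObject $dcAttrs -DifferenceObject $gcAttrs |
    Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject

# The partial attribute set is whatever the schema flags for GC replication.
$schemaNc = (Get-ADRootDSE -Server $gcServer).schemaNamingContext
$pas = Get-ADObject -Server $gcServer -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName
"$(@($pas).Count) attributes are replicated to every global catalog server in the forest"
```

Two things to read from the output. First, the attribute list that appears only on the full replica is exactly what a forest-wide search through the global catalog cannot see, which is the design point of the partial replica. Second, the schema query is the place to review before anyone proposes adding an attribute to the global catalog: everything it returns is readable from any global catalog server in the forest by any principal that can read it in the source domain.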
In this lesson you learned that an object is a distinct named set of attributes that represents a network resource in Active Directory. Object attributes are characteristics of objects in the directory. The Active Directory schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in an Active Directory forest. Because the schema definitions are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory. There are two types of definition objects in the schema: schema class objects and schema attribute objects.
You also learned that Active Directory offers you a method for designing a directory structure to reflect your organization's business structure and operations. Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.
In Active Directory, grouping resources logically enables you to find a resource by its name rather than by its physical location. The core unit of logical structure in Active Directory is the domain, which stores information only about the objects that it contains. An OU is a container used to organize objects within a domain into logical administrative groups. A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains, and a forest is a grouping or hierarchical arrangement of one or more trees.
The physical structure of Active Directory is based on sites and domain controllers. A site is a combination of one or more IP subnets connected by a high-speed link. A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory.
Finally, you learned that the global catalog is a service and a physical storage location that contains a replica of selected attributes for every object in Active Directory. You can use the global catalog to locate objects anywhere in the network without replication of all domain information between domain controllers.