Working with Domain Structures


Logical structures help you organize directory objects and manage network accounts and shared resources. Logical structures include domain forests, domain trees, domains, and organizational units. Sites and subnets, on the other hand, are physical structures that help you map the physical network structure. Physical structures serve to facilitate network communication and to set physical boundaries around network resources.

Understanding Domains

An Active Directory domain is simply a group of computers that share a common directory database. Active Directory domain names must be unique. For example, you can't have two microsoft.com domains, but you could have a microsoft.com parent domain with seattle.microsoft.com and ny.microsoft.com child domains. If the domain is part of a private network, the name assigned to a new domain must not conflict with any existing domain name on the private network. If the domain is part of the global Internet, the name assigned to a new domain must not conflict with any existing domain name throughout the Internet. To ensure uniqueness on the Internet, you must register the parent domain name before using it. Domain registration can be handled through any designated registrar. A current list of designated registrars can be found at InterNIC (http://www.internic.net).

Each domain has its own security policies and trust relationships with other domains. Domains can also span more than one physical location, which means a domain could consist of multiple sites and those sites could have multiple subnets. Within a domain's directory database, you'll find objects defining accounts for users, groups, and computers as well as shared resources, such as printers and folders.

Note

User and group accounts are discussed in Chapter 8, "Understanding User and Group Accounts." Computer accounts and the various types of computers used in Windows Server 2003 domains are discussed in the section later in this chapter entitled "Working with Active Directory Domains."


Domain functions are limited and controlled by the domain functional level. Four domain functional levels are available:

  • Windows 2000 mixed

    Supports domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003

  • Windows 2000 native

    Supports domain controllers running Windows 2000 and Windows Server 2003

  • Windows Server 2003 interim

    Supports domain controllers running Windows NT 4.0 and Windows Server 2003

  • Windows Server 2003

    Supports domain controllers running Windows Server 2003

For a further discussion of domain functional levels, see the section of this chapter entitled "Using Windows NT and Windows 2000 Domains with Active Directory."

Understanding Domain Forests and Domain Trees

Each Active Directory domain has a DNS domain name, such as microsoft.com. When one or more domains share the same directory data, they're referred to as a forest. The domain names within this forest can be discontiguous or contiguous in the DNS naming hierarchy.

When domains have a contiguous naming structure, they're said to be in the same domain tree. An example of a domain tree is shown in Figure 6-1. In this example, the root domain msnbc.com has two child domains: seattle.msnbc.com and ny.msnbc.com. These domains in turn have subdomains. All the domains are part of the same tree because they have the same root domain.

Figure 6-1. Domains in the same tree share a contiguous naming structure.


If the domains in a forest have discontiguous DNS names, they form separate domain trees within the forest. As shown in Figure 6-2, a domain forest can have one or more domain trees. In this example, the msnbc.com and microsoft.com domains form the roots of separate domain trees in the same forest.
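Grouping a forest's domains into domain trees by DNS name contiguity, as an added example that is not part of the book; the FOREST list is constructed from the names used in Figures 6-1 and 6-2.

```python
"""Group the domains of a forest into domain trees by DNS name contiguity:
a domain whose DNS parent is also in the forest is a child in that parent's
tree; otherwise it is the root of its own tree. Added example, not from the
book; FOREST is constructed from the names in Figures 6-1 and 6-2."""


def parent_name(domain):
    """seattle.msnbc.com -> msnbc.com; a single-label name has no parent."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def build_trees(forest_domains):
    """Return {tree root: sorted list of the domains in that tree}.
    Domain names must be unique within the forest (DNS names are
    case-insensitive, so MSNBC.com duplicates msnbc.com)."""
    names = [d.lower().strip(".") for d in forest_domains]
    if len(set(names)) != len(names):
        raise ValueError("domain names within a forest must be unique")
    known = set(names)
    # A domain's parent counts only when that parent itself exists in the forest.
    parents = {d: (parent_name(d) if parent_name(d) in known else None)
               for d in names}

    def root_of(d):
        while parents[d] is not None:
            d = parents[d]
        return d

    trees = {}
    for d in names:
        trees.setdefault(root_of(d), []).append(d)
    return {root: sorted(members) for root, members in trees.items()}


# Constructed forest: one tree rooted at msnbc.com, another at microsoft.com.
FOREST = ["msnbc.com", "seattle.msnbc.com", "ny.msnbc.com",
          "sales.seattle.msnbc.com", "microsoft.com", "seattle.microsoft.com"]
```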

Figure 6-2. Multiple trees in a forest have discontiguous naming structures.


You access domain structures in Active Directory Domains And Trusts, which is shown in Figure 6-3. Active Directory Domains And Trusts is a snap-in for the Microsoft Management Console (MMC), and you can also access it on the Administrative Tools menu. You'll find separate entries for each root domain. In the figure the active domain is adatum.com.

Figure 6-3. Use Active Directory Domains And Trusts to work with domains, domain trees, and domain forests.


Forest functions are limited and controlled by the forest functional level. Three forest functional levels are available:

  • Windows 2000

    Supports domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003

  • Windows Server 2003 interim

    Supports domain controllers running Windows NT 4.0 and Windows Server 2003

  • Windows Server 2003

    Supports domain controllers running Windows Server 2003

Windows Server 2003 mode offers the most current Active Directory features. When all domains within a forest are operating in this mode, you'll get improvements for global catalog replication and improved replication efficiency for Active Directory data, and because link values are replicated, you may see improved intersite replication as well. You'll be able to deactivate schema class objects and attributes, use dynamic auxiliary classes, rename domains, and create one-way, two-way, and transitive forest trusts.

Understanding Organizational Units

Organizational units are subgroups within domains that often mirror an organization's functional or business structure. You can also think of organizational units as logical containers into which you can place accounts, shared resources, and other organizational units. For example, you could create organizational units named HumanResources, IT, Engineering, and Marketing for the microsoft.com domain. You could later expand this scheme to include child units. Child organizational units for Marketing could include OnlineSales, ChannelSales, and PrintSales.

Objects placed in an organizational unit can only come from the parent domain. For example, organizational units associated with seattle.microsoft.com contain objects for this domain only. You can't add objects from ny.microsoft.com to these containers, but you could create separate organizational units to mirror the business structure of seattle.microsoft.com.

Organizational units are very helpful in organizing the objects around the organization's business or functional structure. Still, this isn't the only reason to use organizational units. Other reasons to use organizational units are

  • Organizational units allow you to assign a group policy to a small set of resources in a domain without applying this policy to the entire domain. This helps you set and manage group policies at the appropriate level in the company.

  • Organizational units create smaller, more manageable views of directory objects in a domain. This helps you manage resources more efficiently.

  • Organizational units allow you to delegate authority and to easily control administrative access to domain resources. This helps you control the scope of administrator privileges in the domain. You could grant user A administrative authority for one organizational unit and not for others. Meanwhile, you could grant user B administrative authority for all organizational units in the domain.

Organizational units are represented as folders in Active Directory Users And Computers. See Figure 6-4. This utility is a snap-in for the MMC, and you can also access it on the Administrative Tools menu.

Figure 6-4. Use Active Directory Users And Computers to manage users, groups, computers, and organizational units.


Understanding Sites and Subnets

A site is a group of computers in one or more IP subnets. You use sites to map your network's physical structure. Site mappings are independent from logical domain structures, and because of this there's no necessary relationship between a network's physical structure and its logical domain structure. With Active Directory, you can create multiple sites within a single domain or create a single site that serves multiple domains. There's also no connection between the IP address ranges used by a site and the domain namespace.

You can think of a subnet as a group of network addresses. Unlike sites, which can have multiple IP address ranges, subnets have a specific IP address range and network mask. Subnet names are shown in the form network/bits-masked, such as 192.168.19.0/24. Here, the network address 192.168.19.9 and network mask 255.255.255.0 are combined to create the subnet name 192.168.19.0/24.

Note

Don't worry, you don't need to know how to create a subnet name. In most cases you enter the network address and the network mask and then Windows Server 2003 generates the subnet name for you.


Computers are assigned to sites based on their location in a subnet or a set of subnets. If computers in subnets can communicate efficiently with each other over the network, they're said to be well connected. Ideally, sites consist of subnets and computers that are all well connected. If the subnets and computers aren't well connected, you might need to set up multiple sites. Being well connected gives sites several advantages:

  • When clients log on to a domain, the authentication process first searches for domain controllers that are in the same site as the client. This means local domain controllers are used first, if possible, which localizes network traffic and can speed up the authentication process.

  • Directory information is replicated more frequently within sites than between sites. This reduces the network traffic load caused by replication while ensuring that local domain controllers get up-to-date information quickly. You can also customize how directory information is replicated using site links. For example, you could designate a bridgehead server to handle replication between sites. This places the bulk of the intersite replication burden on a specific server rather than on any available server in a site.
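The network/bits-masked subnet naming described above and the assignment of computers to sites by subnet, as an added example that is not the book's code; the subnet-to-site table is constructed for illustration.

```python
"""Subnet naming (network/bits-masked) and site lookup by subnet, as
described above. Added example, not code from the book; SUBNET_SITES is a
constructed table."""


def _to_int(dotted):
    """Parse a dotted quad such as 192.168.19.9 into a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def _to_dotted(value):
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def prefix_length(mask):
    """Count the leading 1 bits of a mask; a non-contiguous mask such as
    255.0.255.0 has no bits-masked form and is rejected."""
    m = _to_int(mask)
    bits = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return bits


def subnet_name(address, mask):
    """192.168.19.9 + 255.255.255.0 -> 192.168.19.0/24 (host bits cleared)."""
    network = _to_int(address) & _to_int(mask)
    return f"{_to_dotted(network)}/{prefix_length(mask)}"


def in_subnet(address, subnet):
    """True if the address falls inside a subnet written as network/bits."""
    net, bits = subnet.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return _to_int(address) & mask == _to_int(net) & mask


def site_for(address, subnet_sites):
    """Return the site of the most specific (longest-prefix) subnet that
    contains the address, or None when no listed subnet matches."""
    matches = [(int(s.split("/")[1]), site)
               for s, site in subnet_sites.items() if in_subnet(address, s)]
    return max(matches)[1] if matches else None


# Constructed sample table: two Seattle subnets and one New York subnet.
SUBNET_SITES = {"192.168.19.0/24": "Seattle", "192.168.20.0/24": "Seattle",
                "10.1.0.0/16": "NewYork"}
```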

Sites and subnets are accessed through Active Directory Sites And Services, as shown in Figure 6-5. Since this is a snap-in for the MMC, you can add it to any updateable console. You can access Active Directory Sites And Services on the Administrative Tools menu as well.

Figure 6-5. Use Active Directory Sites and Services to manage sites and subnets.




Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
EAN: N/A
Year: 2003
Pages: 141
