This chapter relates to basic Active Directory elements, features, and requirements that will be mentioned repeatedly in the other chapters of the book. You should have a solid understanding of all these concepts and ideas before you go any further. If a term is not clear to you, you can easily find detailed information in other sources. For example, you can use the search function and quickly find an exhaustive description of any term (including its relation to other Active Directory elements) in the Help and Support Center. Thus, it is not necessary to place such information here.
Let us first consider what essential information is necessary to comprehend in order to deploy and manage both Windows 2000 and Windows .NET domains. (You may skip this section, if you are familiar with Active Directory basics, and go to the new features' description.) The Active Directory elements considered in this section will be addressed later, in subsequent chapters. If you find that you are not completely grasping the meaning of a particular word, just search for it in Help and Support Center. (It would take up too much space to put everything here.)
The Active Directory service is the foundation for domains managed by domain controllers (also called Active Directory servers) running Windows 2000 and/or Windows .NET. A domain is a group of logically linked computers, and the users who work on them, united under centralized management.
All "housekeeping" tasks are performed on domain controllers, which hold the Active Directory database containing information about managed objects such as users, computers, groups, and so on. This information is stored as directory objects of the corresponding types. User, group, and computer (and, in Windows .NET, InetOrgPerson) objects (so-called accounts) represent security principals that can be granted privileges to perform certain computer-, domain-, or forest-wide tasks, or permissions to access shared network resources (such as files, folders, and printers). Thus, a domain client that has logged on to the domain once with an account can access all permitted resources without having to log on again to each server holding a resource. A domain administrator can change Active Directory objects on any domain controller and thereby control all options available to domain members. Therefore, a domain is a boundary of administrative power.
In short, to deploy an Active Directory domain, you first plan it, install the domain controller(s), add domain client computers, and create user (and group) accounts. Then you can share resources on domain members and assign the necessary privileges and permissions to users (and groups). (All required operations and the tools used to perform them are described in this book in Chapters 3 through 8. The remaining chapters cover problems that occur during the operation of Active Directory domains as well as all the necessary system utilities.)
An Active Directory domain can contain sets of directory objects called organizational units (OUs), which usually contain user or computer accounts. Each OU can have its own administrator and one or more Group Policy Objects (GPOs) linked to the OU object. Group policy technology is intended for centralized configuration of user environment and computer system settings. GPOs can be local or linked to site, domain, or OU objects.
Active Directory domains form a forest (a forest can comprise one or more domains), where all domains are linked by two-way, transitive trusts. Trusts allow users logged on to a domain to access resources located in any location in the forest, or to have privileges in any domain. Administrator-created trusts can be established with foreign Active Directory forests or Windows NT 4.0 domains.
The entire Active Directory database is logically divided into directory partitions, which are units of replication (i.e., each partition is replicated independently, although the replication mechanisms, such as scheduled replication or notification procedure, may affect all partitions). Since Active Directory is a distributed network database, any domain controller holds a replica of the entire database.
Each domain controller holds at least three partitions: the Schema and Configuration partitions, which are shared by all domains in a forest and stored on every domain controller; and the domain partition, which contains the objects of a specific domain and is stored on the domain controllers that belong to that domain. Each forest has one more partition called the Global Catalog (GC), which contains a limited set of attributes of all Active Directory objects. The GC allows users to quickly find any directory object in the forest. The GC is a part of the Active Directory database and can be stored on any domain controller.
Active Directory takes into account that a large enterprise network (a forest) usually contains a number of subnets linked by fast and slow channels. A set of subnets connected by fast channels is referred to as a site. Sites, in turn, are connected by slow (e.g., dial-up) channels. By default, all domains are placed in the same Default-First-Site (which can be safely renamed).
Directory partition requirements as well as site infrastructure will determine the replication topology that, by default, is automatically generated by the Knowledge Consistency Checker (KCC) service running on every domain controller. This service manages replication connections between domain controllers depending on which directory partitions they store. Replication is performed in accordance with rules, intervals, and schedules defined for inter- and intra-site replication types.
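The following Python model, added here as an illustration and not code from the book or from Windows, ties together the partition and site rules of the preceding paragraphs: every domain controller holds Schema and Configuration, a full replica of its own domain partition, and (if it is a GC server) a partial replica of every other domain; a replication connection for a partition can only exist between two domain controllers that both store a replica of it, and each connection is either intra- or inter-site. The forest, site and DC names are constructed, and the topology rule (a ring of connections per site plus one bridgehead link between sites) is a deliberate simplification of what the KCC actually computes. A defender-oriented check, `single_replica_partitions`, flags partitions whose only copy lives on one domain controller.

```python
"""Model which directory partitions each domain controller holds and the
replication connections the KCC must create between them.

Constructed example: the forest, sites and DC names are made up, and the
topology rule (ring per site, one bridgehead link between neighbouring sites)
is an assumed simplification of the real KCC algorithm."""
from dataclasses import dataclass

FOREST_WIDE = ("Schema", "Configuration")  # replicated to every DC in the forest


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    site: str
    global_catalog: bool = False  # GC servers hold a partial replica of every domain


def partitions_held(dc, forest_domains):
    """Map each partition replicated to `dc` to 'full' or 'partial' (GC copy)."""
    held = {p: "full" for p in FOREST_WIDE}
    held[f"Domain:{dc.domain}"] = "full"
    if dc.global_catalog:
        for domain in forest_domains:
            held.setdefault(f"Domain:{domain}", "partial")  # own domain stays 'full'
    return held


def holds_replica(dc, partition):
    """True if `dc` stores any replica (full or partial) of `partition`."""
    if partition in FOREST_WIDE:
        return True
    return partition == f"Domain:{dc.domain}" or dc.global_catalog


def replication_topology(dcs):
    """Return {partition: [(dc_a, dc_b, 'intra-site' | 'inter-site'), ...]}.

    Only DCs that hold a replica of a partition take part in that partition's
    connections, which is the rule the KCC applies when it builds the topology."""
    domains = sorted({dc.domain for dc in dcs})
    partitions = list(FOREST_WIDE) + [f"Domain:{d}" for d in domains]
    topology = {}
    for partition in partitions:
        holders = sorted((dc for dc in dcs if holds_replica(dc, partition)),
                         key=lambda d: d.name)
        by_site = {}
        for dc in holders:
            by_site.setdefault(dc.site, []).append(dc)
        edges = []
        # Intra-site: a ring among the holders inside each site (assumed simplification).
        for members in by_site.values():
            if len(members) == 2:
                edges.append((members[0].name, members[1].name, "intra-site"))
            elif len(members) > 2:
                for i, dc in enumerate(members):
                    nxt = members[(i + 1) % len(members)]
                    edges.append((dc.name, nxt.name, "intra-site"))
        # Inter-site: one bridgehead (first holder by name) per site, chained in site-name order.
        bridgeheads = [members[0] for _, members in sorted(by_site.items())]
        for a, b in zip(bridgeheads, bridgeheads[1:]):
            edges.append((a.name, b.name, "inter-site"))
        topology[partition] = edges
    return topology


def single_replica_partitions(dcs):
    """Partitions with exactly one holder: losing that DC loses the partition."""
    domains = sorted({dc.domain for dc in dcs})
    partitions = list(FOREST_WIDE) + [f"Domain:{d}" for d in domains]
    return [p for p in partitions if sum(holds_replica(dc, p) for dc in dcs) == 1]


# Constructed sample forest: two domains, two sites, one GC server.
FOREST = [
    DomainController("DC1", "corp.example", "HQ", global_catalog=True),
    DomainController("DC2", "corp.example", "HQ"),
    DomainController("DC3", "eu.corp.example", "HQ"),
    DomainController("DC4", "eu.corp.example", "Branch"),
]

if __name__ == "__main__":
    forest_domains = sorted({dc.domain for dc in FOREST})
    for dc in FOREST:
        print(dc.name, partitions_held(dc, forest_domains))
    for partition, edges in replication_topology(FOREST).items():
        print(partition, edges)
    print("single-replica partitions:", single_replica_partitions(FOREST))
```

Running the sample shows the point of the paragraphs above in concrete form: the forest-wide partitions produce connections among all four controllers, the corp.example partition is replicated only between DC1 and DC2, and the eu.corp.example partition reaches DC1 solely because it is a GC server, which is also why the inter-site link for that partition runs between DC4 and DC1.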
Pre-Windows 2000 clients (running Windows 9x/ME and Windows NT 4.0) regard an Active Directory domain (operating in any mode or at any functional level) as a Windows NT domain, i.e., they can be authenticated in the domain and access the shared domain resources (see also later the "Domain Modes and Functional Levels" section).
Active Directory Client Extension allows pre-Windows 2000 clients to use some Active Directory features, such as Active Directory Service Interfaces (ADSI), site awareness, DFS fault tolerance, search options, and NTLM version 2 authentication (see the Web or the Help and Support Center for a detailed description). Active Directory Client Extension is available on the Windows 2000 Server CD or the Microsoft website (the links are in Appendix A). Certainly, all of the listed features as well as many others are available on Windows 2000/XP/.NET-based clients.
Active Directory Client Extension does not support some important Active Directory options, such as Group Policy functionality, the Kerberos V5 protocol, IPSec, and L2TP, nor does it allow users to browse Active Directory organizational units (OUs) and containers (thus, the only visible additions once the extension has been installed on a computer are the For Printers and For People commands on the Start | Search menu).