An Overview of Active Directory
February 21, 2000 / Windows 2000 Ready / Zubair Ahmad
Microsoft is touting several Windows 2000 (Win2K) selling points, and Active
Directory (AD) is definitely one of them. The big deal about AD is that it lets
you easily locate network resources across your enterprise. To fully understand
AD, you need a good book and lots of hands-on experience with a Win2K network
environment. But for now, let's take an introductory look at AD and its components.
What Is AD?
AD is Microsoft's version of directory services, a feature that stores information
about network resources. Directory services offer a consistent method for administrators
to manage and secure resources and centrally organize and control access to
network resources. AD supports several industry standard protocols and APIs,
including DHCP, DNS, Kerberos 5, LDAP, and X.509 certificates.
AD objects (e.g., users, computers, and printers) are the most basic component
of AD. AD containers are objects that can contain other containers, such as
Organizational Units (OU), which I'll explain later. Each object has one or
more attributes, also known as properties. For example, a user object has dozens
of attributes, such as a first name, last name, and a pager number. A printer
object has attributes such as the printer's location and memory. AD is a database
of these objects that lets you perform very specific queries to locate the objects.
For example, I can query for a laser printer that can print and staple double-sided,
11x17 paper in full color at 1200dpi and can print at least 12 ppm.
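Queries like the one above are expressed as LDAP search filters. As an added illustration (not code from the article), here is a small Python parser and evaluator for that filter syntax, run over three constructed printer objects whose attribute names follow AD's printQueue class (printColor, printDuplexSupported, printStaplingSupported, printMediaSupported, printMaxResolutionSupported, printPagesPerMinute). It handles the &, |, ! operators, equality, >=, <= and presence tests, which is a subset of the full syntax; the printers and their values are made up.

```python
"""Added example (not from the article): parse and evaluate an LDAP search
filter over constructed printer objects. Attribute names follow AD's
printQueue class; the printers themselves are made up."""
import re


def printer(cn, color, duplex, staple, dpi, ppm, media):
    """Build one constructed printQueue object (multi-valued attrs are lists)."""
    return {"cn": cn, "printColor": color, "printDuplexSupported": duplex,
            "printStaplingSupported": staple, "printMaxResolutionSupported": dpi,
            "printPagesPerMinute": ppm, "printMediaSupported": media}


PRINTERS = [
    printer("HQ-Laser-01", "TRUE", "TRUE", "TRUE", 1200, 20, ["Letter", "Tabloid"]),
    printer("Lobby-Inkjet", "TRUE", "FALSE", "FALSE", 600, 8, ["Letter"]),
    printer("Finance-Laser", "FALSE", "TRUE", "TRUE", 1200, 30, ["Letter", "Tabloid"]),
]

# The article's query as an LDAP filter (Tabloid is the 11x17 paper size).
COLOR_TABLOID_QUERY = (
    "(&(printColor=TRUE)(printDuplexSupported=TRUE)(printStaplingSupported=TRUE)"
    "(printMediaSupported=Tabloid)(printMaxResolutionSupported>=1200)"
    "(printPagesPerMinute>=12))"
)

# A leaf item: attribute, operator, value and the closing parenthesis.
SIMPLE_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(>=|<=|=)([^()]*)\)")


def parse_filter(text):
    """Parse a filter into nested tuples: ('&'|'|'|'!', [children]) for compound
    items, (operator, attribute, value) for leaves. ValueError if malformed."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def parse():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = peek()
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse())
            if peek() != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        m = SIMPLE_ITEM.match(text, pos)
        if not m:
            raise ValueError(f"malformed filter item at offset {pos}")
        pos = m.end()
        return (m.group(2), m.group(1), m.group(3))

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _values(obj, attr):
    """Case-insensitive attribute lookup (as in AD); always returns a list."""
    for key, val in obj.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _compare(a, b):
    """Integer comparison when both sides are numeric, else case-insensitive text."""
    try:
        x, y = int(a), int(b)
    except (TypeError, ValueError):
        x, y = str(a).lower(), str(b).lower()
    return (x > y) - (x < y)


def matches(obj, tree):
    """Evaluate a parsed filter against one object."""
    op = tree[0]
    if op == "&":
        return all(matches(obj, c) for c in tree[1])
    if op == "|":
        return any(matches(obj, c) for c in tree[1])
    if op == "!":
        return not matches(obj, tree[1][0])
    _, attr, value = tree
    vals = _values(obj, attr)
    if op == "=" and value == "*":          # presence test, e.g. (pager=*)
        return bool(vals)
    if op == "=":
        return any(_compare(v, value) == 0 for v in vals)
    if op == ">=":
        return any(_compare(v, value) >= 0 for v in vals)
    return any(_compare(v, value) <= 0 for v in vals)   # op is "<="


def search(objects, filter_text):
    """Return the cn of every object matching the filter (parsed once)."""
    tree = parse_filter(filter_text)
    return [o["cn"] for o in objects if matches(o, tree)]
```

Calling search(PRINTERS, COLOR_TABLOID_QUERY) returns only HQ-Laser-01: the inkjet fails the duplex and stapling tests and the finance printer fails the color test. Filters are parsed once and rejected with a ValueError when the parentheses do not balance, which is the behaviour you want from anything that builds filters from user input.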
AD Structure
AD's main components, which you use to design the hierarchy and to optimize
network traffic, are its logical structure and its physical structure. The logical
structure, which simply organizes network resources, consists of OUs, domains,
trees, and forests. The logical structure helps you design a network hierarchy
that suits your organizational needs. You use the physical structure, which
consists of sites and domain controllers, to manage and optimize network traffic
by customizing the network configuration.
Logical structure.
The core component of AD's logical structure is the domain. A domain is a unit
of replication: all domain controllers in a domain replicate information to each
other and contain a complete copy of the directory information for their domain.
Domains also act as security boundaries. Domain administrators have complete
access and control over their own domains only. To administer another domain, an administrator
has to be granted explicit permissions.
Another component of AD's logical structure is the OU. You use OUs to organize
objects within a domain and to delegate authority to individuals or groups who
need to manage those objects. For example, if the finance department wants to
manage its own resources, you can create an OU container called Finance, create
objects (e.g., users, computers, printers) within that container, and assign
someone from the finance department to manage these resources (known as delegating
the authority). You can also move existing objects between OUs. Don't confuse
OUs with groups; groups have no relationship to OUs and have a completely different
functionality.
Because AD is scalable, you can create additional domains as your network grows.
AD supports more than a million objects per domain (Compaq has successfully
tested AD domains with up to 16 million objects). The first Win2K domain in
your network creates a root of a new tree, which is one or more AD domains that
share a contiguous namespace. If, for example, I create a root of a domain tree
and name it win2000mag.com, all other domains that I add to the tree will share
the win2000mag.com namespace. The name of the child domain combines with the
parent's domain name. For example, if I add two child domains under the root
called Sales and Marketing, their fully qualified domain names will become sales.win2000mag.com
and marketing.win2000mag.com, as Figure 1 shows. All domains in a tree link
automatically with a bidirectional transitive trust relationship. Because Sales
trusts the root domain, which in turn trusts the Marketing domain, Sales and
Marketing trust each other.
We can extend the logical structure of AD further with forests. A forest is
one or more trees that don't share a contiguous namespace. We can have two trees
in a forest representing two namespaces in one organization, as Figure 2 shows.
Such a forest will share a common configuration (e.g., information about domains,
computers, and trust relationships), schema (e.g., classes and attributes),
and a Global Catalog.
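To make the naming and trust rules of trees and forests concrete, here is an added Python model (not code from the article) of the tree in Figure 1 plus a second tree, in the spirit of Figure 2. It derives each domain's distinguished name from its DNS name and finds the chain of automatic two-way trusts through which one domain trusts another. The domain win2000mag.com and its Sales and Marketing children come from the article; the second tree, example.net with a child Lab, is an assumed name, and the tree-root trust between the forest root and each additional tree root follows the Win2K forest model.

```python
"""Added example (not from the article): a Win2K forest as domains joined by
the automatic two-way transitive trusts, with DNs derived from DNS names.
win2000mag.com, Sales and Marketing are from the article; example.net and
Lab are assumed names for the second tree."""
from collections import deque


def dns_to_dn(dns_name):
    """sales.win2000mag.com -> DC=sales,DC=win2000mag,DC=com"""
    labels = [lbl for lbl in dns_name.lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


class Forest:
    """Domains plus the trusts Win2K creates automatically: parent <-> child
    inside a tree, and forest root <-> each additional tree root."""

    def __init__(self, forest_root):
        self.forest_root = forest_root.lower()
        self.domains = {self.forest_root}
        self.links = set()  # frozenset({a, b}) = two-way transitive trust

    def add_tree_root(self, dns_name):
        """A new tree: its own namespace, trusted via the forest root."""
        name = dns_name.lower()
        self._add(name, self.forest_root)
        return name

    def add_child(self, label, parent):
        """A child domain: name is label + parent name, trust to the parent."""
        parent = parent.lower()
        if parent not in self.domains:
            raise ValueError(f"unknown parent domain {parent!r}")
        name = f"{label.lower()}.{parent}"
        self._add(name, parent)
        return name

    def _add(self, name, trusted_peer):
        if name in self.domains:
            raise ValueError(f"domain {name!r} already exists")
        self.domains.add(name)
        self.links.add(frozenset((name, trusted_peer)))

    def trust_path(self, a, b):
        """Chain of domains through which a trusts b (by transitivity),
        or None when b is outside the forest and no trust exists."""
        a, b = a.lower(), b.lower()
        if a not in self.domains or b not in self.domains:
            return None
        prev = {a: None}
        queue = deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:                     # walk back to build the chain
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for link in self.links:
                if cur in link:
                    (nxt,) = link - {cur}
                    if nxt not in prev:
                        prev[nxt] = cur
                        queue.append(nxt)
        return None


def build_article_forest():
    """Figure 1's tree, plus an assumed second tree as in Figure 2."""
    forest = Forest("win2000mag.com")
    forest.add_child("Sales", "win2000mag.com")
    forest.add_child("Marketing", "win2000mag.com")
    forest.add_tree_root("example.net")      # assumed name for the second tree
    forest.add_child("Lab", "example.net")   # assumed child domain
    return forest


if __name__ == "__main__":
    forest = build_article_forest()
    for domain in sorted(forest.domains):
        print(f"{domain:28} {dns_to_dn(domain)}")
    print(forest.trust_path("sales.win2000mag.com", "marketing.win2000mag.com"))
    print(forest.trust_path("lab.example.net", "sales.win2000mag.com"))
```

Running it prints every domain's DN and the trust path from sales.win2000mag.com to marketing.win2000mag.com, which passes through the root exactly as the text describes; a domain in the other tree reaches Sales through its own tree root and the forest root, and a domain outside the forest yields no path at all.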
Physical structure.
AD's physical structure consists of sites and domain controllers. A site, which is one or more well-connected
IP subnets, controls replication traffic between domain controllers and lets
users authenticate with a domain controller within their site. This functionality
helps you optimize network traffic and logon authentication in large enterprises.
A domain controller, which is a Win2K server running AD, contains a complete
replica of the domain database. In Win2K, no single domain controller acts as
a master domain controller. All domain controllers use a multimaster replication
model and are peers.
Global Catalog Server
As I mentioned earlier, AD lets users easily locate AD objects. So how do users
locate these objects? They use LDAP to query a Global Catalog server, which
is a domain controller that contains information about all AD objects and a
subset of their attributes. Think of a Global Catalog server as an index of
AD. Just as you would use an index to locate information about a topic (e.g.,
planets) in an encyclopedia, you can use the Global Catalog to determine the
location of an object (e.g., a printer) in AD. Because the Global Catalog server
indexes the entire forest, you can locate objects all across your forest regardless
of their location. You typically place Global Catalog servers at each site,
but the placement of these servers might vary depending on your AD architecture.
Global Catalog servers also provide universal group information to domain controllers
during the user logon process. If a Global Catalog server isn't accessible,
a network user won't be able to log on. Once logged on to the network, a user
with the right permissions can access resources anywhere within a Win2K forest.
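Here is an added toy model (not from the article) that contrasts a search against one domain controller with a search against a Global Catalog server. The two domains, their objects and the attribute subset the GC replicates (PARTIAL_ATTRIBUTE_SET) are all constructed for the illustration; in a real forest the partial attribute set is defined per attribute in the schema. The port numbers in the comments, 389 for LDAP and 3268 for the Global Catalog, are the standard ones.

```python
"""Added example (not from the article): a toy contrast between searching one
domain controller (full attributes, one domain) and a Global Catalog (every
object in the forest, partial attribute set only). All data is constructed."""

# Attributes this toy GC replicates from every domain (constructed subset).
PARTIAL_ATTRIBUTE_SET = {"cn", "objectClass", "sAMAccountName", "location", "printColor"}

# Constructed forest: each domain's DC holds every attribute of its own objects.
FOREST = {
    "DC=win2000mag,DC=com": [
        {"cn": "HQ-Laser-01", "objectClass": "printQueue",
         "location": "Bldg 1 / Floor 2", "printColor": "TRUE", "printMemory": 64},
        {"cn": "Alice Adams", "objectClass": "user", "sAMAccountName": "alice",
         "department": "Finance", "pager": "555-0101"},
    ],
    "DC=sales,DC=win2000mag,DC=com": [
        {"cn": "Sales-Color-02", "objectClass": "printQueue",
         "location": "Bldg 3 / Floor 1", "printColor": "TRUE", "printMemory": 32},
        {"cn": "Bob Brown", "objectClass": "user", "sAMAccountName": "bob",
         "department": "Sales", "pager": "555-0102"},
    ],
}


def _matches(obj, required):
    """Equality on every requested attribute; a missing attribute never matches."""
    return all(obj.get(attr) == value for attr, value in required.items())


def dc_search(domain_dn, **required):
    """Search one domain's DC (LDAP port 389): full attributes, this domain only."""
    if domain_dn not in FOREST:
        raise ValueError(f"no domain controller for {domain_dn!r}")
    return [dict(obj) for obj in FOREST[domain_dn] if _matches(obj, required)]


def gc_search(**required):
    """Search a Global Catalog (LDAP port 3268): every domain in the forest,
    but both the filter and the result see only the partial attribute set."""
    hits = []
    for domain_dn, objects in FOREST.items():
        for obj in objects:
            view = {k: v for k, v in obj.items() if k in PARTIAL_ATTRIBUTE_SET}
            if _matches(view, required):
                hits.append({"domain": domain_dn, **view})
    return hits


def locate_user(sam_account_name):
    """A forest-wide question the GC answers: which domain holds this account?"""
    hits = gc_search(objectClass="user", sAMAccountName=sam_account_name)
    return hits[0]["domain"] if hits else None


if __name__ == "__main__":
    print(gc_search(objectClass="printQueue", printColor="TRUE"))   # both domains
    print(dc_search("DC=win2000mag,DC=com", objectClass="printQueue"))  # one domain
    print(gc_search(department="Sales"))   # [] : department is not in the PAS
    print(locate_user("bob"))
```

The GC search finds color printers in both domains from a single query, which is the "index of AD" behaviour the text describes, but it cannot filter on printMemory or department because those attributes are not in the partial attribute set; for those you must query a domain controller of the domain that holds the object.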
Before users can find network resources, such as shared folders and printers,
you have to publish the resources in AD