Wednesday, May 21, 2008

Windows Server 2008 Active Directory Domain Services Objects and Concepts

First it's important to learn that you can divide AD DS components into two "states of being"—physical components, which include domain controllers, sites, and subnets; and logical components, which include forests, trees, domains, and organizational units. Physical and logical components of AD DS don't necessarily have to correlate with each other: for example, a domain controller can be a member of a forest based in Rome, while actually sitting in a machine room in Chicago.

Keep that frame of reference in mind. Now, before diving in any further, let me introduce a few common terms:

Directory

A directory is a single repository for information about users and resources within an organization. Active Directory is a type of directory that holds the properties and contact information for a variety of resources within a network so that users and administrators alike can find them with ease.

Domain

A domain is a collection of objects within the directory that forms a management boundary. Multiple domains can exist within a forest (defined later in this list), each with its own collection of objects and organizational units (also defined later in this list). Domains are named using the industry-standard DNS protocol, covered in detail in the previous chapter.

Domain controller

A domain controller holds the security information and directory object database for a particular domain and is responsible for authenticating objects within its sphere of control. Multiple domain controllers can be associated with a given domain, and each domain controller holds certain roles within the directory, although for all intents and purposes all domain controllers within a domain are "equal" in power. This is unlike the primary and backup labels assigned to domain controllers in Windows NT.

Forest

A forest is the largest logical container within AD DS and encompasses all domains within its purview, all linked together via transitive trusts that are constructed automatically. This way, all domains in a particular forest automatically trust all other domains within the forest.

Organizational unit

An organizational unit (OU) is a container that holds objects (discussed next). You can arrange OUs in a hierarchical, tree-like fashion and design them in a structure that best fits your organization for boundary delineation or ease of administration.

Object

Within AD DS, an object is anything that can be part of the directory—that is, an object can be a user, a group, a shared folder, a printer, a contact, and even an OU. Objects are unique physical "things" within your directory and you can manage them directly.

Schema

The schema in AD DS is the actual structure of the database—the "fields," to use a not-quite-applicable analogy. The different types of information stored in AD DS are referred to as attributes. AD DS's schema also supports a standard set of classes, or types of objects. Classes describe an object and the associated properties that are required to create an instance of the object. For example, user objects are "instances" of the user class; computer objects are "instances" of the computer class; and so on. Think of classes as guideline templates describing different types of objects.

Site

A site is a collection of computers that are in distinct geographical locations—or at least are connected via a permanent, adequate-speed network link. Sites are generally used to determine how domain controllers are kept up-to-date; AD DS will select its methodology for distributing those updates (a process called replication) based on how you configure a site to keep traffic over an expensive WAN link down to a minimum.

Tree

A tree is simply a collection of domains that begins at a single root and branches out into peripheral, "child" domains. Trees can be linked together within forests as well, and trees also share an unbroken DNS namespace—that is, hasselltech.local and america.hasselltech.local are part of the same tree, but and hasselltech.local are not.

Trust

A trust in terms of AD DS is a secure method of communicating between domains, trees, and forests. Much like they worked in Windows NT, trusts allow users in one AD DS domain to authenticate to other domain controllers within another, distinct domain within the directory. Trusts can be one-way (A to B only, not B to A), transitive (A trusts B and B trusts C, so A trusts C), or cross-linked (A to C and B to D).
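To make the tree and trust definitions above concrete, here is a small model I have added; it is not code from the book or from Microsoft. The forest, domain names (hasselltech.local and its children, research.local, partner.example) and the external trust are constructed for the example. It shows two things: a domain's tree root is found by walking up the DNS namespace for as long as each ancestor is itself a domain in the forest (an unbroken namespace), and whether a user from one domain can authenticate to a resource in another depends on trust direction and transitivity. The trust rule is a simplification of AD DS behaviour: a single hop may use any trust, including a one-way non-transitive one, but a chain of hops is only valid if every trust in it is transitive.

```python
"""Toy model of AD DS trees and trusts (added example, not from the book).

Domain names below are constructed. Trust semantics are simplified: a
one-hop path may use any trust, a multi-hop path only transitive trusts.
"""
from collections import deque

# Constructed forest: one tree rooted at hasselltech.local plus a second
# tree (research.local) that shares the forest but not the DNS namespace.
FOREST = {
    "hasselltech.local",
    "america.hasselltech.local",
    "europe.hasselltech.local",
    "sales.europe.hasselltech.local",
    "research.local",
}
FOREST_ROOT = "hasselltech.local"


def parent_domain(domain):
    """Drop the leftmost DNS label: 'a.b.c' -> 'b.c'; a single label has no parent."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def tree_root(domain, forest):
    """Walk up the namespace while the ancestor is still a forest domain.
    The last one found is the tree root; a gap in the namespace ends the tree."""
    if domain not in forest:
        raise ValueError(f"{domain} is not a domain in this forest")
    root, parent = domain, parent_domain(domain)
    while parent in forest:
        root, parent = parent, parent_domain(parent)
    return root


def same_tree(domain_a, domain_b, forest):
    """Two domains are in the same tree when they share a tree root."""
    return tree_root(domain_a, forest) == tree_root(domain_b, forest)


def automatic_trusts(forest, forest_root):
    """Trusts AD DS builds on its own: two-way transitive parent-child trusts,
    plus two-way transitive tree-root trusts between each tree root and the
    forest root. Each trust is a tuple (trusting, trusted, transitive)."""
    trusts = set()
    for d in forest:
        p = parent_domain(d)
        if p in forest:
            trusts.add((d, p, True))
            trusts.add((p, d, True))
        elif d != forest_root:  # no parent in the forest: d is a tree root
            trusts.add((d, forest_root, True))
            trusts.add((forest_root, d, True))
    return trusts


def can_authenticate(user_domain, resource_domain, trusts):
    """Can a user from user_domain authenticate to a resource in resource_domain?
    A trust (trusting, trusted) lets users of 'trusted' into 'trusting', so the
    search runs from the resource domain outward along its trusted edges."""
    if user_domain == resource_domain:
        return True
    queue, seen = deque(), {resource_domain}
    # First hop: any trust of the resource domain qualifies, transitive or not.
    for trusting, trusted, transitive in trusts:
        if trusting == resource_domain:
            if trusted == user_domain:
                return True
            if transitive and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    # Further hops: only transitive trusts may be chained.
    while queue:
        here = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting == here and transitive:
                if trusted == user_domain:
                    return True
                if trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
    return False


TRUSTS = automatic_trusts(FOREST, FOREST_ROOT)
# Constructed one-way, non-transitive external trust:
# hasselltech.local trusts partner.example (partner users may come in, not vice versa).
TRUSTS.add(("hasselltech.local", "partner.example", False))

if __name__ == "__main__":
    print(tree_root("sales.europe.hasselltech.local", FOREST))
    print(same_tree("research.local", "hasselltech.local", FOREST))
    print(can_authenticate("partner.example", "hasselltech.local", TRUSTS))
    print(can_authenticate("partner.example", "america.hasselltech.local", TRUSTS))
```

Running it shows the two points of the text: research.local sits in the same forest as hasselltech.local but not in the same tree, and the partner domain's users reach hasselltech.local through the one-way trust yet cannot continue into america.hasselltech.local, because the external trust is not transitive.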

Source: O'Reilly, Windows Server 2008: The Definitive Guide
