The logical structure of Active Directory is flexible and provides a method for designing a directory hierarchy that makes sense to both its users and those who manage it.
In Windows NT, locating objects was based on knowing their physical locations on servers. With Windows 2000, the Directory provides a logical hierarchy, independent of physical location. You can create an organizational unit and place all printers into it, for instance, regardless of to which computers they are physically attached.
At its most basic, Active Directory contains objects and attributes, all of which are hierarchically arranged, so that you can view your directory's contents with ease. But in order to use and administer Active Directory with competence, you will need to know its logical structure in detail and the different layers of its content pool.
The principal areas of Active Directory's structure include:
- Organizational units
Here you can see their relationship to one another.
The basic unit of organization and security in Active Directory is the domain.
- Domain: The basic administrative unit in a Windows 2000 network. domain is a collection of computers defined by an administrator that share a common directory database.
It's important because objects are maintained in a domain. Within a domain, objects can be organized into logical containers called organizational units (OUs), as shown above.
- Organizational unit: An organizational unit (OU) is a container object that you use to organize objects within a domain. An OU contains objects, such as user accounts, groups, computers, printers, and other OUs.
Furthermore, domains can be multiplied into groups of domains, called trees,
- Trees: A tree is a collection of domains that share a contiguous namespace and into collections of domains, called forests.
- Forests: Two or more domain trees which do not share a contiguous namespace can be joined in a forest. Domains within a forest share two-way transitive trust relationships and share a common schema and global catalog.
The Slideshow below gives you a closer view of these organizational areas and their relative place within Active Directory.
1) The domain is the principal unit of organization
2) Within a domain, objects can be organized into logical containers called organization units, or OUs
3) You can create more than one domain. Multiple domains can form a domain tree, and multiple trees can form a forest.
4) The root domain is always created first. It becomes the parent domain to child domains that are added directly below it.
5) Each domain in a tree is assigned a name using the hierarchical Domain Naming System, or DNS
6) As other domains are joined to the tree, the name of the child is added to the parent's name, reflecting their relationship.
7) Tree model of multiple domains can be extended to create a forest of trees for organizations that need to maintain separate organizational structures, such as a company that needs distinct public identities for its subsidiaries.
Multiple Domains in Active Directory
As this Slideshow illustrates, the areas of Active Directory may proliferate easily, but they will always be organized in a visibly recognizable and readable way. In the next lesson, you will learn more about the function and purpose of domains.