Lesson 5: Logical structure of Active Directory
Objective: Understand the structural areas of Active Directory.

Logical Structure Active Directory

The logical structure of Active Directory is flexible and provides a method for designing a directory hierarchy that makes sense both to its users and to those who manage it. In earlier versions of Windows, locating objects depended on knowing their physical location on servers. With Windows 2000, the Directory provides a logical hierarchy that is independent of physical location. You can, for instance, create an organizational unit and place all printers into it, regardless of which computers they are physically attached to. At its most basic, Active Directory contains objects and attributes, all arranged hierarchically so that you can view your directory's contents with ease. But to use and administer Active Directory competently, you need to know its logical structure in detail and the different layers of its content pool.

Structure of Active Directory

The principal areas of Active Directory's structure include:
  1. Domains [1]
  2. Organizational units [2]
  3. Trees [3]
  4. Forests [4]
Figure: the structure of Active Directory, showing the relationship of its principal areas to one another: 1) Domains, 2) Organizational units, 3) Trees and 4) Forests.

The basic unit of organization and security in Active Directory is the domain. The following series of images gives you a closer view of these organizational areas and their relative place within Active Directory. The areas of Active Directory may proliferate easily, but they will always be organized in a visibly recognizable and readable way.

1) The domain is the principal unit of organization.

2) Within a domain, objects can be organized into logical containers called organizational units, or OUs.

3) You can create more than one domain. Multiple domains can form a domain tree, and multiple trees can form a forest.

4) The root domain is always created first. It becomes the parent domain to child domains that are added directly below it.

5) Each domain in a tree is assigned a name using the hierarchical Domain Name System, or DNS.

6) As other domains are joined to the tree, the name of the child is added to the parent's name, reflecting their relationship.

7) The tree model of multiple domains can be extended to create a forest of trees for organizations that need to maintain separate organizational structures, such as a company that needs distinct public identities for its subsidiaries.
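The naming rule in items 5 through 7 (a child's DNS name is its own label prefixed to the parent's name) means a tree can be recovered from domain names alone. The following Python is an added example, not part of this lesson; the forest and its domain names are constructed, and the code rebuilds each tree as root plus child-to-parent links and tells whether two domains share a contiguous namespace (one tree) or merely the same forest.

```python
# Constructed forest (not from the lesson): two domain trees that share one
# forest but not a contiguous namespace.
FOREST = [
    "contoso.com",              # forest root domain, created first
    "sales.contoso.com",        # child: its label is prefixed to the parent's name
    "emea.sales.contoso.com",
    "research.contoso.com",
    "fabrikam.com",             # root of a second tree in the same forest
    "us.fabrikam.com",
]


def parent_of(domain, domains):
    """Return the domain's parent within `domains`, or None if it is a tree root.

    A child's DNS name is <label>.<parent name>, so the parent is the nearest
    suffix (after a dot) that is itself a domain of the forest.
    """
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def tree_root(domain, domains):
    """Follow parent links upward until a domain with no parent is reached."""
    while (parent := parent_of(domain, domains)) is not None:
        domain = parent
    return domain


def build_trees(domains):
    """Group a forest's domains into trees: {root: {child: parent}}."""
    domain_set = {d.lower() for d in domains}
    trees = {}
    for d in sorted(domain_set):
        root = tree_root(d, domain_set)
        trees.setdefault(root, {})          # a root appears even with no children
        if d != root:
            trees[root][d] = parent_of(d, domain_set)
    return trees


def same_tree(a, b, domains):
    """True when two domains share a contiguous namespace, i.e. one domain tree."""
    domain_set = {d.lower() for d in domains}
    return tree_root(a.lower(), domain_set) == tree_root(b.lower(), domain_set)
```

Two domains whose roots differ are in different trees, which is exactly the case item 7 describes: they can still belong to one forest, but their names do not compose.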

Question: How can I have multiple Active Directory domains as a principal organizational unit?
You cannot have multiple Active Directory domains as a principal organizational unit (OU). An OU is a container for objects in a domain, and each object can only belong to one domain. If you need to manage objects from multiple domains, you can create a forest. A forest is a collection of one or more domains that share a common schema, configuration, and global catalog. You can then create OUs in the forest that contain objects from multiple domains. For example, you could create an OU called "Finance" that contains users and computers from both the "Contoso.com" domain and the "Fabrikam.com" domain. This would allow you to manage all of the finance-related objects in both domains from a single location.
Here are the steps to create a forest:
  1. Install Active Directory Domain Services (AD DS) on a server in each domain that you want to include in the forest.
  2. Promote one of the domain controllers to a forest root domain controller.
  3. In the Active Directory Users and Computers console, create a new forest.
  4. Add the other domain controllers to the forest.
  5. Create OUs in the forest to organize the objects from the different domains.

Domain Controllers maintain a Distributed Database

In an Active Directory (AD) environment, domain controllers (DCs) within a particular domain receive and replicate changes through a process known as multi-master replication. This model allows any domain controller to receive updates for objects within the Active Directory database, and then replicate those changes to all other domain controllers within the domain to ensure consistency and reliability of the data. The replication process is governed by the following key components and mechanisms:
  1. Replication Topology: Active Directory uses a replication topology to determine the most efficient paths for replication traffic. This topology is dynamically generated and maintained by the Knowledge Consistency Checker (KCC). The KCC creates replication connections between domain controllers, forming a site topology that optimizes replication traffic within and between sites to minimize bandwidth usage and replication latency.
  2. Change Notification: When changes are made to objects in the Active Directory database on a domain controller, the DC notifies its replication partners of the changes. This notification prompts the partner DCs to initiate a replication request, ensuring that updates are propagated throughout the domain in a timely manner.
  3. Update Sequence Numbers (USNs): Each change made to an object on a domain controller is tagged with a unique Update Sequence Number (USN). The USN is used to track changes and ensure that only updates that have not been replicated are sent to a partner DC, avoiding replication of data that has already been synchronized.
  4. Attribute-Level Replication: Active Directory replicates at the attribute level, not the object level. This means that only the attributes of an object that have changed are replicated, rather than the entire object. This granular level of replication reduces the amount of data that needs to be transmitted, improving efficiency.
  5. Urgent Replication: Certain critical changes, such as changes to account lockout policies or changes made by the domain administrator, trigger urgent replication. This ensures that important changes are propagated to all DCs in the domain as quickly as possible, regardless of the scheduled replication interval.
  6. Replication Scheduling: Replication between domain controllers can be scheduled to control when replication traffic occurs. This is particularly useful in environments with domain controllers located across different sites connected by limited bandwidth links, allowing administrators to schedule replication during off-peak hours to minimize impact on network performance.
  7. Conflict Resolution: In the event that conflicting changes are made to the same object attribute on different domain controllers before replication occurs, Active Directory employs a "last writer wins" conflict resolution mechanism, where the change with the highest USN (indicating the most recent change) is applied across the domain.

Active Directory's replication technology is designed to be both robust and efficient, ensuring that all domain controllers within a domain maintain a consistent and up-to-date view of the directory, even in complex, distributed environments. This replication process is fundamental to the reliability, integrity, and performance of the Active Directory service.
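A small simulation, added here and not taken from the lesson or from Windows, of the USN high-watermark, attribute-level transfer and last-writer-wins mechanisms described above; because a USN is local to the DC that assigned it, the conflict tie-break compares the originating stamp (attribute version, then originating timestamp), which is the order Active Directory's replication metadata actually uses, while the USN only decides which attributes still need to be sent to a partner. DC names, the user DN and the integer clock are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# One attribute value plus its replication metadata. version/timestamp are the
# originating stamp compared in conflicts; local_usn is assigned by the holding DC.
Entry = namedtuple("Entry", "value version timestamp origin local_usn")

@dataclass
class DomainController:
    name: str
    usn: int = 0                                   # local Update Sequence Number counter
    data: dict = field(default_factory=dict)       # (dn, attr) -> Entry
    watermark: dict = field(default_factory=dict)  # source DC -> highest USN pulled from it

    def write(self, dn, attr, value, now):
        """Originating write: bump the local USN and the attribute's version."""
        self.usn += 1
        old = self.data.get((dn, attr))
        self.data[(dn, attr)] = Entry(value, old.version + 1 if old else 1, now, self.name, self.usn)

def replicate(source, dest):
    """dest pulls from source; returns how many attributes were transmitted."""
    high = dest.watermark.get(source.name, 0)
    sent = 0
    for key, e in source.data.items():
        if e.local_usn <= high:
            continue                       # already synchronized: not sent again
        high = max(high, e.local_usn)
        if e.origin == dest.name:
            continue                       # dampening: dest's own write coming back
        sent += 1                          # attribute-level: only this attribute moves
        cur = dest.data.get(key)
        if cur is None or (e.version, e.timestamp) > (cur.version, cur.timestamp):
            dest.usn += 1                  # a replicated write gets a local USN too
            dest.data[key] = Entry(e.value, e.version, e.timestamp, e.origin, dest.usn)
    dest.watermark[source.name] = high
    return sent

def demo():
    """Two DCs write one attribute before replicating; the last writer must win on both."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    user = "CN=alice,OU=Sales,DC=contoso,DC=com"           # constructed DN
    dc1.write(user, "telephoneNumber", "555-0100", now=1)
    first = replicate(dc1, dc2)                            # one attribute crosses
    dc1.write(user, "description", "Sales rep", now=5)
    dc2.write(user, "description", "Sales lead", now=6)    # the later writer
    replicate(dc1, dc2)                                    # older stamp loses on DC2
    replicate(dc2, dc1)                                    # newer stamp wins on DC1
    second = replicate(dc1, dc2)                           # nothing un-replicated left
    return first, second, dc1.data[(user, "description")].value, dc2.data[(user, "description")].value
```

Running `demo()` returns `(1, 0, "Sales lead", "Sales lead")`: the second pull sends nothing because the watermark already covers every change, and both DCs converge on the later write.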
Domains are units of replication. In addition, all of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the domain. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or
One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain. If multiple domains in the forest have contiguous DNS domain names, the structure is referred to as a domain tree. A single domain can span multiple physical locations or sites and can contain millions of objects. Site structure and domain structure are separate and flexible: a single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.
In the next lesson, you will learn more about the function and purpose of domains.


[1] Domain: The basic administrative unit in a Windows 2000 network. A domain is a collection of computers, defined by an administrator, that share a common directory database. It is important because objects are maintained within a domain. Within a domain, objects can be organized into logical containers called organizational units (OUs), as shown above.
[2] Organizational units: An organizational unit (OU) is a container object that you use to organize objects within a domain. An OU contains objects such as user accounts, groups, computers, printers, and other OUs. Furthermore, domains can be grouped into collections of domains, called trees.
[3] Trees: A tree is a collection of domains that share a contiguous namespace. Trees, in turn, can be grouped into collections of domains called forests.
[4] Forests: Two or more domain trees which do not share a contiguous namespace can be joined in a forest. Domains within a forest share two-way transitive trust relationships and share a common schema and global catalog.
