What you will learn in this module:
- Overview of Active Directory components
- Active Directory naming standards
- Choose when to implement a domain or an OU
- Understand the roles of servers
- Global Catalogue
- Trusts
What is a Directory?
The term 'Directory' means a container for some sort of information, for example a telephone directory contains telephone numbers and other addressing information.
Windows NT's directory, also called the SAM (Security Accounts Manager database), contained user, group and machine accounts. This was a single-master database, which essentially means that the database could be edited at one machine only: the Primary Domain Controller, or PDC. This database was replicated to Backup Domain Controllers (BDCs) on a scheduled, regular basis. The BDCs maintained a read-only copy of the directory.
By contrast, Windows 2000 has a multi-master Directory service. Domain Controllers are neither primary nor backup, but simply controllers. Changes can be made to any instance of the database, and the replication process handles this transparently.
In Windows NT, the domain was the unit of administration, and also a geographic and replication boundary. This presented designers with problems, and typically more domains were created than were actually required, simply to work around limitations in the NT Directory structure.
In Windows 2000, the domain can still be all those things. But it is also possible to delegate administration within a domain to other containers called OUs (Organisational Units), so a domain need not be an administrative boundary. Replication is handled between sites, and a site is a geographic area. Therefore, the domain is no longer a geographic or replication boundary.
The Windows 2000 Directory Service simplifies things for the network designer by allowing a greater degree of flexibility. In this Unit we will look more closely at Active Directory, covering planning and design issues; implementation; and maintenance and troubleshooting.
Domains

The domain is the basic building block of our Windows 2000 Enterprise network.
By default, it functions as an administrative boundary, replication boundary and geographic boundary. A domain consists of at least one domain controller, and this machine will typically be the first on the network. Any Windows 2000 Server machine can be promoted to domain controller (DC) at any time using the DCPROMO command.
Multiple Domains
Trees

In Windows 2000, once you have created a domain, other domains can be linked to it to create an Enterprise network simply by defining the relationship between them.
In the graphic above, once the comsurf.co.uk domain had been created, the Glasgow.comsurf.co.uk domain could be created, defining the latter as a child domain of the former.
Once the first relationship had been defined, subsequent domains could be added. For example, sales.glasgow.comsurf.co.uk is a sub-domain of glasgow, which in turn is a sub-domain of comsurf.
Trust relationships bind these domains together. The trusts in Windows 2000 are Kerberos two-way transitive trusts. This means that the trust between glasgow and comsurf runs in both directions, so that user accounts in either domain have the potential ability to access resources in the other domain.
Sales trusts glasgow and glasgow trusts comsurf (and vice versa). In Windows 2000, this also means that sales trusts comsurf, and comsurf trusts sales, because the trusts are transitive.
As you add domains, and establish their parental relationships (thereby creating trusts), you are building a domain tree.
A domain tree is a group of domains with a contiguous namespace. In this case all domains share a common root.
Forests

As the Enterprise network grows, it may be desirable to create more than one tree. In this situation, you will have built at least the root and first domain of one tree.
As you add your next domain, you indicate that it has no appropriate parent within the current tree, and that you are adding a new tree.
This will create a forest of trees. A forest of trees shares a common root and a common schema, but has a non-contiguous namespace.
This arrangement is typical only for very large organisations, and is desirable where a certain degree of inter-operability is required but most administrative functions need to be kept separate.
A trust relationship binds the top-level domains together, so that comsurf trusts bootkamp and vice versa. Because the trust is a two-way transitive link, all sub-domains trust all other sub-domains within the forest, so once again a user account anywhere in the forest could be granted access to a resource anywhere else in the forest.
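To make the tree and forest rules above concrete, here is a small added Python model (not part of the module, and not an Active Directory API) that takes a set of parent-child domain links, checks that each child's name is contiguous with its parent's (the tree rule), joins tree roots with the tree-root trusts described above, and then walks the transitive trust chain between any two domains. The comsurf and bootkamp names come from the module; hr.bootkamp.co.uk and the choice of comsurf.co.uk as the forest root (the first domain created) are assumptions for the example. A non-empty path between two domains is exactly what lets an account in one be granted access in the other, which is why the forest, not the domain, is the effective boundary once transitive trusts are in place.

```python
from collections import deque

# Constructed forest using the module's names. Each domain maps to its parent,
# or None for a tree root. bootkamp.co.uk starts a second tree in the forest.
PARENT_LINKS = {
    "comsurf.co.uk": None,
    "glasgow.comsurf.co.uk": "comsurf.co.uk",
    "sales.glasgow.comsurf.co.uk": "glasgow.comsurf.co.uk",
    "bootkamp.co.uk": None,
    "hr.bootkamp.co.uk": "bootkamp.co.uk",  # assumed name, not from the module
}


def is_child_namespace(child, parent):
    """A child domain's name extends its parent's name by exactly one label.
    This is what makes a domain tree's namespace contiguous."""
    suffix = "." + parent
    return child.endswith(suffix) and "." not in child[: -len(suffix)]


def tree_root(parent_links, domain):
    """Follow parent links upward until a domain with no parent is reached."""
    while parent_links[domain] is not None:
        domain = parent_links[domain]
    return domain


def same_tree(parent_links, a, b):
    """Two domains are in the same tree when they share a root; otherwise
    they are only forest-mates with non-contiguous names."""
    return tree_root(parent_links, a) == tree_root(parent_links, b)


def build_trusts(parent_links):
    """Return the direct two-way trusts as an adjacency map.

    Parent-child trusts follow the tree structure. Tree-root trusts join the
    forest root (assumed to be the first root listed) to every other tree
    root, binding the top-level domains together as the module describes.
    """
    trusts = {d: set() for d in parent_links}
    for child, parent in parent_links.items():
        if parent is None:
            continue
        if not is_child_namespace(child, parent):
            raise ValueError(f"{child} is not within {parent}'s namespace")
        trusts[child].add(parent)
        trusts[parent].add(child)
    roots = [d for d, p in parent_links.items() if p is None]
    forest_root = roots[0]
    for other_root in roots[1:]:
        trusts[forest_root].add(other_root)
        trusts[other_root].add(forest_root)
    return trusts


def trust_path(trusts, source, target):
    """Breadth-first search over the trust graph. Because every trust is
    two-way and transitive, any path means accounts from `source` can be
    granted access to resources in `target`; the list returned is the chain
    of domains that access relies on. Returns None if no chain exists."""
    previous = {source: None}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        if current == target:
            path = []
            while current is not None:
                path.append(current)
                current = previous[current]
            return path[::-1]
        for neighbour in sorted(trusts[current]):
            if neighbour not in previous:
                previous[neighbour] = current
                queue.append(neighbour)
    return None


if __name__ == "__main__":
    trusts = build_trusts(PARENT_LINKS)
    src, dst = "sales.glasgow.comsurf.co.uk", "hr.bootkamp.co.uk"
    print("same tree:", same_tree(PARENT_LINKS, src, dst))
    print("trust chain:", " -> ".join(trust_path(trusts, src, dst)))
```

Running it shows that sales and hr are in different trees, yet a five-domain trust chain still links them through the two tree roots; an administrator reviewing who can be granted access to a resource therefore has to consider every domain in the forest, not only the local domain and its parent.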