Before we get started covering Active Directory, we’ll lay the foundation with some basics. These
definitions aren’t completely comprehensive but will give you the foundation you need to understand
the topics in this chapter. Although there are a lot of terms to grasp, no term is that complex.
We’ll define them here with a short introduction and often expand on them later.
A workgroup is a group of users connected in a local area network (LAN) but
with each computer having its own user accounts. A user who can log onto one computer will
need a different user account to log onto a different computer, which can become a problem.
A single user who needs to access several computers will have several different user accounts,
often with different passwords.
Workgroups are often used in organizations with fewer than 10 computers. As more computers
are added, a decentralized workgroup becomes harder to manage and administer, and at that point
the organization moves to a domain.
When an organization becomes too big for a workgroup, a domain is created by
running the domain controller promotion wizard (DCPromo) on a server and promoting the
server to a domain controller. A domain controller is a server that hosts a copy of Active
Directory Domain Services.
- Active Directory Domain Services
Active Directory Domain Services (AD DS) is used to
provide several services to an organization. At its core, it’s a big database of objects (such as
users, computers, and groups) and is used to centrally organize and manage all the objects
within an organization. A single user would have a single user account in Active Directory
and can use this single account to access multiple computers in the organization. This is often
referred to as single sign-on.
Additional services include the ability to easily search AD DS so that objects can easily be
located, as well as secure authentication using Kerberos.
Copies of Active Directory are kept on domain controllers. It’s very common to have at least two
domain controllers for redundancy purposes in case one goes down. Any changes to Active
Directory are passed to each of the domain controllers using a process called replication.
When any object (such as a user account) is added, deleted, or modified within
Active Directory, the change is sent to all other domain controllers (DCs) in the domain. When
a business is located in a single location, the changes are sent to all other DCs within a minute.
Modifications can be done on any DC. The initial change is sent from the DC where the change
was created to other DCs (designated as replication partners) within 15 seconds. If there are
more than four DCs in the organization, they are automatically organized in a logical circle,
and the change is replicated through the replication circle until all the DCs have the change.
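The replication behavior described above can be observed directly: query every DC for its own copy of the same object and see whether the values agree, then ask each DC who its replication partners are. The following PowerShell is an added example, not code from the book; it assumes the RSAT ActiveDirectory module is installed, the account running it can read the domain, and a user with the placeholder name "sally" exists.

```powershell
# Added example (not from the book). Assumptions: RSAT ActiveDirectory module is
# available, the account running this can read the domain, and a user with the
# sAMAccountName "sally" exists (placeholder name).
Import-Module ActiveDirectory

$account = 'sally'
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Optional: make a change on one DC so there is something to watch propagate
# (the text's point that a modification can be made on any DC).
# Set-ADUser -Identity $account -Server $dcs[0] -Description "replication test $(Get-Date -Format s)"

# Ask every DC for its own local copy of the object. Each DC answers from its own
# replica; the values agree only once replication has delivered the change.
function Get-ObjectCopies {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][string[]]$Server
    )
    foreach ($dc in $Server) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc -Properties whenChanged, description
            New-Object PSObject -Property @{ DC = $dc; WhenChanged = $u.whenChanged; Description = $u.description; Error = $null }
        } catch {
            New-Object PSObject -Property @{ DC = $dc; WhenChanged = $null; Description = $null; Error = $_.Exception.Message }
        }
    }
}
$copies = Get-ObjectCopies -Identity $account -Server $dcs
$copies | Format-Table DC, WhenChanged, Description, Error -AutoSize

# One group of identical values across the responding DCs means the change has
# converged; more than one means it is still in flight or replication is broken.
$groups = @($copies | Where-Object { -not $_.Error } | Group-Object Description).Count
if ($groups -le 1) { 'Converged: all responding DCs hold the same value.' }
else { "Not converged: $groups distinct values across the DCs." }

# The built-in tool shows each DC's replication partners and the outcome of the
# last attempt per naming context. A growing count of consecutive failures on a
# partner is the condition to alert on.
repadmin /showrepl $dcs[0]
repadmin /replsummary
```

Run it read-only first; the commented `Set-ADUser` line is only there so that a test change can be made on one DC and then watched arriving on the others.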
Objects within AD are used to represent real-world items. Common objects are
user objects and computer objects that represent people and their computers. The objects can
be managed and administered using AD DS. For example, to represent a user named Sally,
a user account object is created. Sally can then use this account to log onto the domain and
access domain resources such as files, folders, printers, and email. Although we would often
say that we give Sally permission to access the resources, we actually give Sally’s user object
permission to access the resources. Similarly, a computer account object is created to represent
Sally’s computer. All objects have properties that can be configured such as the user’s
first name, last name, display name, logon name, and password for a user object.
The types of objects and their properties are predefined. You won’t find a kitchen-sink object
in AD DS, and you won’t find a favorite color property for users—at least not by default. All
objects that can be added to AD DS and the properties used to define these objects are specified
in the schema.
The schema is the definition of all the object types that Active Directory can
contain, and it includes a list of properties that can be used to describe the objects. You
can think of the schema as a set of blueprints for each of the objects. Just as a blueprint for
a house can be used to create a house, a schema definition for a user object can be used to
create a user object.
Only objects that are defined by the schema can be added to Active Directory, and these objects
can be described only by properties defined and identified by the schema. It’s common for
the schema to be modified a few times in the lifetime of an Active Directory enterprise. For
example, to install Exchange Server 2007 (for mail), the schema must be modified to accept the
different objects and properties required by Exchange. Modifying the schema is often referred
to as extending the schema.
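Both the objects-and-properties passage and the schema passage above can be explored from the command line: read a user and a computer object, then ask the schema which attributes a user object may carry, confirm that an attribute such as `favoriteColor` does not exist by default, and check whether the schema has been extended (Exchange leaves a marker attribute whose `rangeUpper` records its schema version). This PowerShell is an added example, not from the book; it assumes the RSAT ActiveDirectory module and placeholder objects named "sally" and "SALLY-PC".

```powershell
# Added example (not from the book). Assumptions: RSAT ActiveDirectory module;
# a user "sally" and a computer "SALLY-PC" exist (placeholder names).
Import-Module ActiveDirectory

# A user object and the properties the text mentions, under their LDAP attribute names.
Get-ADUser -Identity 'sally' -Properties givenName, sn, displayName, sAMAccountName, userPrincipalName, pwdLastSet |
    Select-Object givenName, sn, displayName, sAMAccountName, userPrincipalName,
        @{ n = 'PasswordLastSet'; e = { [datetime]::FromFileTime($_.pwdLastSet) } }

# The computer object that represents Sally's machine.
Get-ADComputer -Identity 'SALLY-PC' -Properties operatingSystem, whenCreated |
    Select-Object Name, DNSHostName, operatingSystem, whenCreated

# The schema is its own naming context; objectVersion increases when it is extended.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -Identity $schemaNC -Properties objectVersion | Select-Object DistinguishedName, objectVersion

# The "user" class definition lists the attributes a user object may carry
# (mayContain/systemMayContain) and the parent class it inherits more from.
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mayContain, systemMayContain, subClassOf
$direct = @($userClass.mayContain).Count + @($userClass.systemMayContain).Count
"user class derives from '$($userClass.subClassOf)' and directly allows $direct attributes"

# Look an attribute up by LDAP display name. Returns $false for favoriteColor
# unless someone has extended the schema with it.
function Test-SchemaAttribute {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $hit = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    return ($null -ne $hit)
}
'givenName', 'favoriteColor' | ForEach-Object { '{0,-14} defined in schema: {1}' -f $_, (Test-SchemaAttribute $_) }

# Exchange extends the schema; its marker attribute records the Exchange schema
# version in rangeUpper and is absent when Exchange was never installed in the forest.
$exch = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
if ($exch) { "Exchange schema extension present, rangeUpper = $($exch.rangeUpper)" }
else { 'No Exchange schema extension found' }
```

Recording `objectVersion` and the Exchange marker once, and comparing them on a schedule, is a cheap way to notice an unplanned schema extension, since schema changes are forest-wide and cannot be rolled back.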
Organizational units (OUs) are used to organize objects within Active
Directory. You can think of an OU simply as a container for the objects. By placing the objects
in different containers, they are easier to manage. For example, you can create a Sales OU and
place all the objects representing users and computers in the sales department in the Sales OU.
OUs have two distinct benefits. You can delegate permissions to an OU, and you can link Group
Policy to an OU. As an example, Maria may be responsible for administration for all users and
computers in the sales department. If these objects were placed in the Sales OU, Maria could
be delegated permission to administer the OU, and it would include all the objects in the OU.
Similarly, you can use Group Policy to apply different settings and configurations to all the user
and computer objects in an OU by applying a single Group Policy object to the OU.
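The Sales OU and Maria's delegation in the example above come down to a container object plus an access control entry on it. The following PowerShell is an added example, not from the book: it creates the OU, moves the department's users into it, grants Maria full control of the OU and its children, and then lists the explicit ACEs on the OU so the delegation can be reviewed later. It assumes the RSAT ActiveDirectory module, a user named "maria", and users whose `department` attribute is "Sales" (all placeholders).

```powershell
# Added example (not from the book). Assumptions: RSAT ActiveDirectory module,
# a user "maria" exists, and Sales users carry department = "Sales" (placeholders).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=bigfirm,DC=com
$ouDN     = "OU=Sales,$domainDN"

# 1. The container. New OUs are protected from accidental deletion by default.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Sales)' -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -Description 'Sales department users and computers'
}

# 2. Move the department's objects into it (selection rule is constructed for the example).
Get-ADUser -Filter 'department -eq "Sales"' | Move-ADObject -TargetPath $ouDN

# 3. Delegate: an ACE granting Maria full control, inherited by every object beneath the OU.
$maria = Get-ADUser -Identity 'maria'
$rule  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $maria.SID,
    ([System.DirectoryServices.ActiveDirectoryRights]::GenericAll),
    ([System.Security.AccessControl.AccessControlType]::Allow),
    ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Review: explicit (non-inherited) ACEs on the OU. Entries granting GenericAll,
#    WriteDacl or WriteOwner are administrative boundaries worth recording and
#    re-checking; an unexpected identity here is a finding.
function Get-OUDelegation {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}
Get-OUDelegation -DistinguishedName $ouDN | Format-Table -AutoSize
```

The `AD:` drive is created when the ActiveDirectory module loads, which is why `Get-Acl` and `Set-Acl` can be used on a distinguished name. The delegation step mirrors what the Delegation of Control wizard writes; the review function is the part to keep and run periodically.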
Group Policy allows you to configure a setting once and have it apply to
many user and/or computer objects. For example, if you want to ensure all the computers in
the sales department have their firewall enabled, you could place the computers in an OU
and call it Sales, configure a Group Policy object (GPO) that enables the firewall, and link the
policy to the Sales OU. It doesn’t matter if there are five computers in the OU or 5,000; a GPO
will apply the setting to all the computers in the OU.
You can link GPOs to OUs, entire domains, or sites. When linked, a GPO applies to all the
objects within the OU, domain, or site. For example, if you want all users in the entire domain
to have firewalls enabled, instead of linking the GPO to the site, you’d link it to the domain. Two
default GPOs are created when a domain is created: the default domain policy and the default
domain controllers policy.
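The firewall example above, and the two default GPOs, can be built and checked with the GroupPolicy module. This PowerShell is an added example, not from the book: it creates a GPO that enables the firewall for the domain profile, links it to the Sales OU, reports which GPOs are linked at the domain, the Domain Controllers OU and the Sales OU, and reads the two default policies. It assumes the RSAT GroupPolicy and ActiveDirectory modules and an existing Sales OU; the GPO name is a placeholder.

```powershell
# Added example (not from the book). Assumptions: RSAT GroupPolicy and
# ActiveDirectory modules, the Sales OU already exists; GPO name is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$salesOU  = "OU=Sales,$domainDN"
$gpoName  = 'Sales - Firewall On'

# 1. Create the GPO once, then set the registry-based policy that turns the Windows
#    Firewall on for the domain profile (the value Administrative Templates writes).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Enforce the host firewall on Sales computers' }
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

# 2. Link it to the OU. Scope follows the link: link the same GPO to the domain
#    instead and it applies to every computer in the domain.
$linked = (Get-GPInheritance -Target $salesOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $salesOU -LinkEnabled Yes | Out-Null }

# 3. Report what is linked where. The Default Domain Policy should be linked at the
#    domain root and the Default Domain Controllers Policy at the Domain Controllers
#    OU; a missing or disabled default link is a finding.
function Get-GpoLinkReport {
    param([Parameter(Mandatory=$true)][string[]]$Target)
    foreach ($t in $Target) {
        foreach ($link in (Get-GPInheritance -Target $t).GpoLinks) {
            New-Object PSObject -Property @{
                Target = $t; GPO = $link.DisplayName; Enabled = $link.Enabled
                Enforced = $link.Enforced; Order = $link.Order
            }
        }
    }
}
Get-GpoLinkReport -Target $domainDN, "OU=Domain Controllers,$domainDN", $salesOU |
    Format-Table Target, GPO, Enabled, Enforced, Order -AutoSize

# The two default GPOs by their well-known names; ModificationTime shows whether
# anyone has edited them since the domain was created.
'Default Domain Policy', 'Default Domain Controllers Policy' |
    ForEach-Object { Get-GPO -Name $_ } |
    Select-Object DisplayName, Id, CreationTime, ModificationTime, GpoStatus
```

Clients pick the setting up at their next Group Policy refresh; `gpupdate /force` on a Sales computer followed by `gpresult /r` confirms that the new GPO was applied.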
The default domain policy is a preconfigured GPO that is added
when a domain is created and linked at the domain level. Settings within the default domain
policy apply to all user and computer objects within the domain. This policy starts with some
basic security settings such as requirements for passwords but can be modified as desired.
- Default domain controllers policy
The default domain controller policy is a preconfigured GPO that is added when a domain is
created and linked at the Domain Controllers
OU level. The Domain Controllers OU is created when a domain is created, and all domain
controllers are automatically placed in this OU when they are promoted to a DC. Since the
default domain controller policy is linked to the Domain Controllers OU, it applies to all
A site is a group of well-connected computers and is sometimes referred to as a group
of well-connected subnets. Small to medium-sized businesses often operate out of a single
location, and all the computers in this location are connected via a single LAN. This is a site.
If a remote office is created and connected via a slower connection, it could be configured as
a site. The remote office is well connected within the remote office but not well connected to
the main office. Sites are explored in much more depth in Chapter 21.
A forest is a group of one or more domains that share a common Active Directory.
A single forest will have only one schema (only one definition of objects that can be created)
and only one global catalog.
The global catalog (GC) is a listing of all the objects in the entire forest. It is
easily searchable and is often used by different applications to search AD DS for specific objects.
The global catalog is hosted on domain controllers that are designated as GC servers. Since there
is only one GC for a forest and a forest can include multiple domains, it can become quite large.
To limit its size, objects in the GC have only a subset of properties included. For example, a user
account may have 100 properties to describe it, but only about 10 are included in the GC.
A tree is a group of domains with a common namespace. That simply means the two-
part root domain name is common to other domains in the tree. The first domain in the forest
may be called Bigfirm.com. A child domain could be created named sales.bigfirm.com. Notice
the common name (Bigfirm.com). It is possible to create a separate tree within a forest. For
example, another domain could be created named littlefirm.com. It’s not the same namespace,
but since it is in the same forest, it would share a common schema and global catalog.
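The forest, tree, site and global catalog concepts from the preceding paragraphs can all be read out of a live directory. This PowerShell is an added example, not from the book: it lists the forest's domains and GC servers, groups the domains into trees by walking each domain's parent chain, lists sites with their subnets from the configuration partition, counts how many schema attributes are replicated to the GC (the partial attribute set), and compares a user lookup against the GC port with the same lookup against the full domain partition. It assumes the RSAT ActiveDirectory module, read access to the configuration and schema partitions, and a placeholder user "sally".

```powershell
# Added example (not from the book). Assumptions: RSAT ActiveDirectory module,
# read access to the configuration and schema partitions, a user "sally" (placeholder).
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDSE = Get-ADRootDSE

# One forest: one root domain, one schema, one set of GC servers.
"Forest root: $($forest.RootDomain)"
"Domains:     $($forest.Domains -join ', ')"
"GC servers:  $($forest.GlobalCatalogs -join ', ')"
"Schema NC:   $($rootDSE.schemaNamingContext)"

# Trees: follow each domain's ParentDomain chain up to its tree root. A domain in a
# separate namespace (littlefirm.com in the text) shows up as its own tree root.
function Get-ForestTree {
    foreach ($d in (Get-ADForest).Domains) {
        $dom  = Get-ADDomain -Identity $d
        $root = $dom
        while ($root.ParentDomain) { $root = Get-ADDomain -Identity $root.ParentDomain }
        New-Object PSObject -Property @{ Domain = $dom.DNSRoot; Parent = $dom.ParentDomain; TreeRoot = $root.DNSRoot }
    }
}
Get-ForestTree | Sort-Object TreeRoot, Domain | Format-Table Domain, Parent, TreeRoot -AutoSize

# Sites and subnets are objects in the configuration partition; each subnet points
# at its site through the siteObject attribute.
$sitesDN = "CN=Sites,$($rootDSE.configurationNamingContext)"
$subnets = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=subnet)' -Properties siteObject
foreach ($site in Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=site)') {
    $mine = $subnets | Where-Object { $_.siteObject -eq $site.DistinguishedName } | ForEach-Object { $_.Name }
    "Site $($site.Name): subnets $(if ($mine) { $mine -join ', ' } else { '(none)' })"
}

# The GC carries only attributes flagged isMemberOfPartialAttributeSet in the schema.
$schemaNC = $rootDSE.schemaNamingContext
$all = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)').Count
$pas = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))').Count
"Schema attributes: $all, of which replicated to the GC: $pas"

# Same user, queried through the GC port (3268) and through the DC's own domain
# partition (389): the GC copy comes back with fewer populated properties.
$gc    = $forest.GlobalCatalogs | Select-Object -First 1
$viaGC = Get-ADUser -Identity 'sally' -Server "${gc}:3268" -Properties *
$viaDC = Get-ADUser -Identity 'sally' -Server $gc -Properties *
"Populated properties via GC: $($viaGC.PropertyCount); via the domain partition: $($viaDC.PropertyCount)"
```

The subnet-to-site map is the piece worth keeping under review: a client whose IP falls in no defined subnet is not associated with any site, so it may authenticate against a DC across the slow link the site was meant to avoid.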
Note: this is from the book Mastering Windows Server® 2008 R2.