Active Directory is an extensible and scalable directory service that enables you to efficiently manage network resources. As an administrator, you’ll need to be very familiar with how Active Directory technology works, and that’s exactly what this chapter is about. If you haven’t worked with Active Directory technology before, one thing you’ll note immediately is that the technology is fairly advanced and has many features. To help manage this complex technology, I’ll start with an overview of Active Directory and then explore its components.
On This Page
Introducing Active Directory Service
Active Directory directory service is the heart of Microsoft Windows 2000. Just about every administrative task you’ll perform will affect Active Directory in some way. Active Directory technology is based on standard Internet protocols and has a design that helps you clearly define the structure of your network.
Active Directory and DNS
Active Directory uses the Domain Name System (DNS). DNS is a standard Internet service that organizes groups of computers into domains. Unlike Windows NT 4.0 domains that have a flat structure, DNS domains are organized into a hierarchical structure. The DNS domain hierarchy is defined on an Internet-wide basis and the different levels within the hierarchy identify computers, organizational domains, and top-level domains. DNS is also used to map host names, such as microsoft.com, to numeric Transmission Control Protocol/Internet Protocol (TCP/IP) addresses, such as 192.168.19.2. Through DNS an Active Directory domain hierarchy can also be defined on an Internet-wide basis, or the domain hierarchy can be separate and private.
When you refer to computer resources in this type of domain, you use the fully qualified host name, such as zeta.microsoft.com. Here, zeta represents the name of an individual computer, webatwork represents the organizational domain and com is the top-level domain. Top-level domains are at the root of the DNS hierarchy and are therefore also called root domains. These domains are organized geographically, by using two-letter country/region codes, such as CA for Canada; by organization type, such as com for commercial organizations; and by function, such as shop for online stores.
Normal domains, such as microsoft.com, are also referred to as parent domains. They have this name because they’re the parents of an organizational structure. Parent domains can be divided into subdomains, which can be used for different offices, divisions, or geographic locations. For example, the fully qualified host name for a computer at Microsoft’s Seattle office could be designated as jacob.seattle.microsoft.com. Here, jacob is the computer name, seattle is the subdomain, and microsoft.com is the parent domain. Another term for a subdomain is a child domain.
As you can see, DNS is an integral part of Active Directory technology—so much so, in fact, that you must configure DNS on the network before you can install Active Directory. Working with DNS is covered in Chapter 19. Once you configure DNS, you can install Active Directory by running the Active Directory Installation Wizard (click Start, click Run, type dcpromo in the Open field, and then click OK). If there isn’t an existing domain, the wizard helps you create a domain and configure Active Directory in a new domain. The wizard can also help you add child domains to existing domain structures.
Note: In the rest of this chapter I’ll often use the terms directory and domains to refer to Active Directory and Active Directory domains, respectively. The exception is when I need to distinguish Active Directory structures from DNS or Windows NT structures.
Getting Started with Active Directory
Active Directory directory service provides both logical and physical structures for network components. Logical structures are
- Domains A group of computers that share a common directory database.
- Domain trees One or more domains that share a contiguous namespace.
- Domain forests One or more domain trees that share common directory information.
- Organization units A subgroup of domains that often mirrors the business or functional structure of the company.
Physical structures are
- Subnets A network group with a specific IP address range and network mask.
- Sites One or more subnets; they’re used to configure directory access and replication.
Working with Domain Structures
Logical structures help you organize directory objects and manage network accounts and shared resources. Logical structures include domain forests, domain trees, domains, and organizational units. Sites and subnets, on the other hand, are physical structures that help you map the physical network structure. Physical structures serve to facilitate network communication and to set physical boundaries around network resources.
An Active Directory domain is simply a group of computers that share a common directory database. Active Directory domain names must be unique. For example, you can’t have two microsoft.com domains, but you could have a microsoft.com parent domain with seattle.microsoft.com and ny.microsoft.com child domains. If the domain is part of a private network, the name assigned to a new domain must not conflict with any existing domain name on the private network. If the domain is part of the global Internet, the name assigned to a new domain must not conflict with any existing domain name throughout the Internet. To ensure uniqueness on the Internet, you must register the parent domain name before using it. Domain registration can be handled through InterNIC (http://www.internic.net) or any designated registrar.
Each domain has its own security policies and trust relationships with other domains. Domains can also span more than one physical location, which means a domain could consist of multiple sites and those sites could have multiple subnets. Within a domain’s directory database, you’ll find objects defining accounts for users, groups, and computers as well as shared resources, such as printers and folders.
Note: User and group accounts are discussed in Chapter 7. Computer accounts and the various types of computers used in Windows 2000 domains are discussed in “Working with Active Directory Domains” in this chapter.
Understanding Domain Forests and Domain Trees
Each Active Directory domain has a DNS domain name, such as microsoft.com. When one or more domains share the same directory data, they are referred to as a forest. The domain names within this forest can be discontiguous or contiguous in the DNS naming hierarchy.
When domains have a contiguous naming structure, they’re said to be in the same domain tree. An example of a domain tree is shown in Figure 5-1. In this example, the root domain msnbc.com has two child domains—seattle.msnbc.com and ny.msnbc.com. These domains in turn have subdomains. All the domains are part of the same tree because they have the same root domain.
If the domains in a forest have discontiguous DNS names, they form separate domain trees within the forest. As shown in Figure 5-2, a domain forest can have one or more domain trees. In this example, the msnbc.com and microsoft.com domains form the roots of separate domain trees in the same forest.
You access domain structures in Active Directory Domains And Trusts, which is shown in Figure 5-3. Active Directory Domains And Trusts is a snap-in for the Microsoft Management Console (MMC) and can also be accessed on the Administrative Tools menu. You’ll find separate entries for each root domain. In the figure, the active domain is microsoft.com.
Understanding Organizational Units
Organizational units are subgroups within domains that often mirror an organization’s functional or business structure. You can also think of organizational units as logical containers into which you can place accounts, shared re sources, and other organizational units. For example, you could create organizational units named HumanResources, IT, Engineering, and Marketing for the microsoft.com domain. You could later expand this scheme to include child units. Child organizational units for Marketing could include OnlineSales, ChannelSales, and PrintSales.
Objects placed in an organizational unit can only come from the parent domain. For example, organizational units associated with seattle.microsoft.com contain objects for this domain only. You can’t add objects from ny.microsoft.com to these containers, but you could create separate organizational units to mirror the business structure of seattle.microsoft.com.
Organizational units are very helpful in organizing the objects around the business or functional structure of the organization. Still, this isn’t the only reason to use organizational units. Other reasons to use organizational units are
- Organizational units allow you to assign a group policy to a small set of resources in a domain without applying this policy to the entire domain. This helps you set and manage group policies at the appropriate level in the company.
- Organizational units create smaller, more manageable views of directory objects in a domain. This helps you manage resources more efficiently.
- Organizational units allow you to delegate authority and to easily control administrative access to domain resources. This helps you control the scope of administrator privileges in the domain. You could grant user A administrative authority for one organizational unit and not for others. Meanwhile, you could grant user B administrative authority for all organizational units in the domain.
Organizational units are represented as folders in Active Directory Users And Computers. See Figure 5-4. This utility is a snap-in for the MMC and can also be accessed on the Administrative Tools menu.
Understanding Sites and Subnets
A site is a group of computers in one or more IP subnets. You use sites to map the physical structure of your network. Sites mappings are independent from logical domain structures, and because of this there’s no necessary relationship between a network’s physical structure and its logical domain structure. With Active Directory, you can create multiple sites within a single domain or create a single site that serves multiple domains. There is also no connection between the IP address ranges used by a site and the domain namespace.
You can think of a subnet as a group of network addresses. Unlike sites, which can have multiple IP address ranges, subnets have a specific IP address range and network mask. Subnet names are shown in the form network/bits-masks, such as 192.168.19.9/32. Here, the network address 192.168.19.0 and network mask 255.255.255. are combined to create the subnet name 192.168.19.9/32.
Note: Don’t worry, you don’t need to know how to create a subnet name. In most cases, you enter the network address and the network mask and then Windows 2000 generates the subnet name for you.
Computers are assigned to sites based on their location in a subnet or a set of subnets. If computers in subnets can communicate efficiently with each other over the network, they’re said to be well connected. Ideally, sites consist of subnets and computers that are all well connected. If the subnets and computers aren’t well connected, you may need to set up multiple sites. Being well connected gives sites several advantages:
- When clients log on to a domain, the authentication process first searches for domain controllers that are in the same site as the client. This means local domain controllers are used first, if possible, which localizes network traffic and can speed up the authentication process.
- Directory information is replicated more frequently within sites than between sites. This reduces the network traffic load caused by replication while ensuring that local domain controllers get up-to-date information quickly. You can also customize how directory information is replicated using site links. For example, you could designate a bridgehead server to handle replication between sites. This places the bulk of the intersite replication burden on a specific server rather than on any available server in a site.
Sites and subnets are accessed through Active Directory Sites And Services, as shown in Figure 5-5. Since this is a snap-in for the MMC, you can add it to any updateable console. You can access Active Directory Sites And Services on the Administrative Tools menu as well.