Active Directory Structure
Terms you'll need to understand:
- Active Directory
- Domain controller
- Organizational unit
- Global catalog
- FSMO roles
- Bridgehead server
Techniques you'll need to master:
- Describing the purpose of the Windows 2000 Active Directory global catalog
- Identifying the FSMO roles and their basic purposes
- Recognizing the different types of trusts including one- and two-way, as well as transitive and nontransitive trusts
- Identifying the levels of administrative grouping, including organizational units, domains, trees, and forests
Windows 2000 utilizes a decentralized database in which all security principals such as users, computers, and printers are registered in order to provide centralized access and management of resources within a distributed network environment. This database is referred to as the Active Directory.
This chapter covers the physical and logical structure of Active Directory deployment scenarios, as well as a basic understanding of the uses of each level of grouping in the centralized administration over widely distributed resources.
Active Directory Structure Overview
Users of Windows NT and earlier operating systems may be familiar with the idea of a peer-to-peer network of computers, often referred to as a workgroup. In a workgroup, each computer maintains its own list of users and the access to local resources granted to each. None of the systems in this configuration provides administration over the whole; all act as equals (peers). Although this may work for up to 5 or 10 computers, the problems of administration, configuration, and deployment of systems in larger configurations mandate some form of centralized administration and coordination.
In Windows NT, the concept of the domain was introduced. A domain is a grouping of resources including computers, printers, groups, and users that are maintained in a centralized database of resources located on a supervisory machine called a domain controller (DC). In Windows NT, all updates to this database occurred within one domain controller designated as the primary domain controller (PDC), with all other domain controller servers designated as backup domain controllers (BDCs). The backup domain controllers receive updates to their local copy of the listing from the primary domain controller on a regular schedule.
In order to provide support for larger-scale deployments in which the security principals (such as users) in one domain may be granted access to resources located in another domain, multiple domains can be joined via a connection called a trust. Trusts will be covered in greater detail later in this chapter in the section titled "Trusts."
The limitation of the NT domain system was that all updates to the database had to occur on the primary domain controller, and only then would be propagated out to all backup domain controllers on the next scheduled update cycle. This can cause significant delays before changes are propagated to all remote backup domain controllers, and may prevent changes outright if a network connection to the primary domain controller is unavailable. Additionally, the process may be somewhat bandwidth-intensive if a full-domain synchronization of domain controllers is enacted, as the primary domain controller must update the local copy of the domain database on all backup domain controllers throughout the domain. This can prove to be a serious bottleneck when a deployment is distributed over a large number of servers or a broad geographic area.
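The following PowerShell script is an added example, not part of the chapter, that inventories the structures named in this chapter's objectives (domain controllers, the PDC emulator and other FSMO roles, global catalog servers, and trusts with their direction and transitivity) from a domain-joined Windows host. It assumes the RSAT ActiveDirectory module is installed and the caller has ordinary read access to the directory.

```powershell
# Added example (not from the chapter): inventory the Active Directory structure
# described above. Assumes the RSAT ActiveDirectory PowerShell module is present
# and the caller can read the directory (any authenticated domain user can read
# these attributes by default).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Domain controllers: in Active Directory every writable DC accepts updates
# (multi-master), unlike the single NT PDC described above. Read-only DCs
# (IsReadOnly) and global catalog holders (IsGlobalCatalog) are flagged here.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# FSMO roles: two are forest-wide (from Get-ADForest), three are domain-wide
# (from Get-ADDomain). The PDC emulator is the closest equivalent to the NT PDC
# and is the role whose loss is felt first (password changes, time, lockouts).
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Global catalog servers hold a partial replica of every domain in the forest
# and answer forest-wide lookups; list them so you know where that data lives.
"Global catalogs: " + ($forest.GlobalCatalogs -join ', ')

# Trusts: Direction is Inbound, Outbound, or BiDirectional (one- vs two-way);
# ForestTransitive and IntraForest show whether the trust is transitive.
# Each trust extends who can authenticate into this domain, so a defender
# should be able to account for every row this returns.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SelectiveAuthentication |
    Format-Table -AutoSize
```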