- A Few Active Directory Basics
- Naming and Name Resolution
- Active Directory Logical Structure
- Physical Structure
- Active Directory Operations
- GC Services
- About This Article
Objects in Active Directory are organized into containers. A container itself is a directory object that holds other objects. The types of containers that Active Directory uses to organize objects are as follows:
Organizational units (OUs)—Items that contain objects for organizing those objects. Objects within an OU can be treated as a collection of objects when Group Policy objects are associated with an OU.
Containers—Items differ from OUs in that, although they are built into Active Directory, they can't have Group Policy objects associated with them. The Users container is an example of a container.
Domains—Containers that also define a security context. This means that Active Directory is written to treat all objects within a domain by the same rules.
Trees—A collection of one or more domains that share a common namespace. Although all domains trust one another, the tree relationship is defined by the namespace that is necessary to support the domain structure. The root domain of abco.com can have two subdomains named backoffice.abco.com and office.abco.com. This relationship between the root domain and the two child domains forms a tree.
Forest—A collection of one or more trees. Trees within the forest share the same Active Directory but are not required to share the same namespace. You can therefore have two organizations, such as wadeware.net and wadeco.net, which are contained in a single Active Directory, share the same configuration, GC, and schema partitions, but have different namespaces.
Global Catalog (GC)—A central source for all directory objects. Not all the attributes from each object are stored in the GC, but there are just enough to make it useful for searching the entire Active Directory. This is because objects replicate among the other DCs within their domain only. Therefore, a user looking for an object in another domain will not be able to find that user's object from his or her DC. Therefore, the user would query the GC server and find the DN for the object. The user could then locate the object in Active Directory.
Trust relationships—Logical links that combine two or more domains into one administrative unit. This allows permissions to be associated from one domain to another because one domain trusts that the other domain has authenticated its users and that these users are who they say they are.
Namespace—The DNS type namespace that represents domains. Active Directory is dependent on DNS and the DNS namespace. This makes it important to design your domain topology in a DNS-friendly way, and to provide clients with reliable DNS services.