Describing Active Directory Components
There are many components that make up Active Directory, and it is critical that you understand these components and the concepts surrounding them. In later chapters, you will learn how and why to create these components.
This chapter describes some of the most critical components in Active Directory, as well as Microsoft's recommendations for their use. These components need to be thought out beforehand, as they can have a serious impact on the function and performance of your Active Directory. Some of these components include
- DNS and the domain namespace
- Domains
- Forests
- Trees
- Sites
Domain Namespace
Active Directory in Windows 2000 utilizes the Domain Naming Service (DNS) standard for naming objects.
All hosts on a TCP/IP-based network must have a valid and unique IP address. An IP address is a 32-bit binary number. It is represented using dotted decimal notation, such as 192.168.0.1. As you can imagine, most humans cannot remember many IP addresses.
DNS was implemented to make the TCP/IP networking world more user friendly. DNS allows user-friendly names to be mapped to IP addresses. For example, instead of trying to remember 192.168.0.1, a DNS mapping (known as a resource record) could be created stating that COMPUTER1 maps to 192.168.0.1. The user only needs to know about COMPUTER1, not 192.168.0.1.
Another benefit of DNS is that IP addresses can and do change. The IP address of COMPUTER1 could change to 192.168.0.37. In this case, the DNS record for COMPUTER1 would be updated from 192.168.0.1 to 192.168.0.37. The users and applications would still be looking for the host name COMPUTER1 and thus would not need to be notified of the change.
DNS is a hierarchical naming system and a distributed database. As you can see in Figure 3.1, DNS looks much like an inverted tree. The root of the tree (aptly named "root") is represented by a period. The root signifies the beginning of the domain namespace. A domain namespace, in either Active Directory or DNS, defines an area with boundaries in which any object contained within must adhere to the domain-naming standard. Objects or hosts that do not adhere to the domain-naming standard will not be considered to be part of the domain namespace. As a result, they might not be able to properly access information provided by DNS. For example, when clients attempt to access Active Directory to perform logons or look up directory information, they use their domain name to determine their location within Active Directory. If they are misconfigured, the operation will fail.
Domains are branches off of the root. Figure 3.1 represents the Internet Domain Namespace, where directories below the root are the main Internet categories, such as COM, NET, and ORG. Domains can contain hosts, such as computers and servers, and also subdomains. On the Internet, these subdomains are companies and organizations, such as microsoft.com, compaq.com, npr.org, and pbs.org.
Figure 3.1 The Internet domain namespace.
The Active Directory domain hierarchy uses the same rules and procedures as DNS to resolve domain and computer names.
For example, an organization named Help and Learn, Inc. is beginning to plan its implementation of Active Directory. They have two regional divisions in their organization, called East (representing the East Coast of the United States) and West (representing the West Coast). Their plan calls for the use of helpandlearn.com as their domain namespace. All objects within Help and Learn, Inc.'s Active Directory structure would be within this namespace. The East and West regions could be implemented as subdomains in Active Directory. They would be named east.helpandlearn.com and west.helpandlearn.com. A computer object named LAPTOP1 located in the east subdomain would have the Active Directory name laptop1.east.helpandlearn.com.
Possible DNS Names
There are two very important rules when it comes to naming objects in DNS:
A child domain can have only one parent domain. For example: If the domain public is a child of microsoft.com, it cannot be a child of msn.com. Looking at the FQDN of the domain, it becomes apparent: public.microsoft.com is not the same domain as public.msn.com.
Two children of the same parent must have different names. For example: If two domains are created under the same parent domain, their names must be different due to the hierarchical DNS structure. Look at the following FQDNs: public.microsoft.com and private.microsoft.com. You cannot rename the private domain to public because public already exists.
A DNS name consists of different portions separated by periods (.). Each portion represents a domain or subdomain in the namespace. This is known as an FQDN (fully qualified domain name).
As in the previous example, a computer named LAPTOP1 in the East subdomain of Help and Learn, Inc. would have a fully qualified domain name (FQDN) of laptop1.east. helpandlearn.com.
Reading an FQDN from right to left, one can understand the DNS hierarchy. com is the root domain; helpandlearn is a subdomain of com; east is a subdomain of helpandlearn, and so on. Each domain and subdomain in the hierarchy contains its own portion of the DNS namespace.
A host's name can also be resolved by using its relative name. The relative name is simply the host name without the DNS hierarchy. To resolve a relative host name, the requester must be located in the same domain.
Back to the example, LAPTOP1 is the relative name of laptop1.east.helpandlearn.com. To query DNS for LAPTOP1 using its relative name only, the requester would need to be a member of the east domain.
Internal Versus External Namespace
If an organization that is implementing Active Directory requires Internet connectivity, the organization would need to register their root domain name with one of the Internet naming registrars. Once a unique domain name is registered (and thus a DNS namespace created), the Active Directory namespace is implemented as one or more subdomains of the Internet root domain (see Figure 3.2).
Figure 3.2 Utilizing an external namespace.
If an organization does not require Internet connectivity, the organization can opt to utilize an internal DNS namespace. But it must be noted that Active Directory does require DNS. Active Directory uses DNS to locate servers and services within the directory. If the organization opts for an internal DNS namespace, they must still design and install the internal DNS infrastructure, including servers, domains, and so on (see Figure 3.3). It is also strongly recommended that the organization still registers its internal and external domain namespace in case of future changes.
Figure 3.3 Utilizing an internal namespace.
Overcoming Name Limitations
One of the most difficult tasks faced by an organization looking to register an Internet domain name is name availability. Many names have been registered and it may really take some creativity to find the name you want or a name that even makes sense.
An organization can register their domain name themselves or through their Internet Service Provider (ISP). If they are registering the domain name themselves, they can use one of several Internet registrars, such as Network Solutions (http://www.networksolutions.com). Network Solutions provides a simple Web-based form where you can enter the desired domain name. It will search the database to determine whether the domain name is available. If it is, you can proceed to register the name. If it is not, you will be presented with a number of optional domain names (see Figure 3.4).
Of course an organization should also consult its legal department to verify that the domain name is not infringing on any other copyrights or trademarks.
Figure 3.4 Registering a domain name using Network Solutions.