Creating and Enhancing Security Boundaries

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

As networks become more complex, they can become more difficult to manage. Windows NT 4.0 introduced the concept of domains to enhance an administrator’s ability to manage the users and computers in a network. The domain concept has been enhanced and expanded considerably in Windows 2000 and Windows Server 2003 to address security concerns of organizations, including the following concerns:

  • Organizations that have acquired subsidiaries with significantly different administrative and security requirements.

  • International organizations that want to divide up administrative and security responsibilities along national or regional boundaries.

  • Rapidly growing organizations that want to unify security and administrative responsibilities across disparate business units.

Active Directory in Microsoft Windows Server 2003 enables organizations to simplify user and resource management; support directory-enabled programs; and create a scalable, secure, and manageable infrastructure. A well-designed Active Directory logical structure provides the following benefits:

  • Centralized management of Windows networks that contain large numbers of objects

  • A consolidated domain structure and reduced hardware and administration costs

  • The supporting framework for Group Policy–based user, data, and software management

  • The ability to delegate administrative control over resources

  • Integration with services such as Microsoft® Exchange 2000 Server, a PKI, and domain-based distributed file system (DFS)

Achieving these results requires careful planning of the following elements:

  • Domains. An administrative unit in a computer network that groups a number of capabilities for management convenience, including network-wide user identity, authentication, trust relationships, policy administration, and replication.

  • Forests. One or more Active Directory domains that share a schema and global catalog. Each forest is a single instance of the directory and is the security boundary: service administrators in any domain of a forest can affect the whole forest, so a domain by itself is an administrative boundary, not a security boundary.

  • Organizational units. Active Directory containers where you can place users, groups, computers, and other organizational units. You can use organizational units to create containers within a domain to represent the hierarchical and logical structures within your organization.

The way that you plan your domains, forests, and organizational units plays a critical role in defining your network’s security boundaries. The relationship might sometimes be based on administrative requirements; at other times, the relationship might be defined by operational requirements such as controlling replication. Additionally, if you have multiple forests, you need to plan the logical trust relationships between forests that allow pass-through authentication.

Domains, Forests, and Organizational Units

Active Directory is a distributed database that stores and manages information about network resources. The way that you organize Active Directory determines how well you can manage network resources and distribute administrative responsibilities.

Active Directory allows administrators to organize elements of a network (such as users, computers, and devices) into a hierarchical, tree-like structure based on containers. The top-level Active Directory container is the forest. Forests include domains, and domains include organizational units. Administrative ownership and control in Active Directory containers are organized in the following ways:

  • The default administrative owner of a forest is the Domain Admins group of the forest root domain. The Domain Admins group of the forest root controls the membership of the Enterprise Admins and Schema Admins groups. By default, the Enterprise Admins and Schema Admins groups have control over forest-wide configuration settings, which also makes them service administrators.

  • The default administrator of a domain is the Domain Admins group of the domain. Because the Domain Admins control domain controllers, they are also service administrators. All non-root Domain Admins in a forest are peers, regardless of their domain’s position in the naming hierarchy.

  • Control over an organizational unit and the objects within it is determined by the ACLs on the organizational unit and on the objects in the organizational unit. Users and groups that have control over objects in organizational units are data administrators.

To facilitate the management of large numbers of objects, Active Directory supports administrative delegation at the container level. If administrative control is the priority for your organization, base your logical structure design on forests and organizational units. Forests and organizational units are used to control the delegation of authority throughout the directory. Many organizations consolidate divisions into a single forest to enhance their users’ ability to collaborate and to reduce costs.

If you choose to organize Active Directory according to geographic location, you must apply a domain model to your logical design. Domains let you control where information is replicated and let you partition data so that it can be stored where it is used most frequently. A well-designed domain model prevents unnecessary replication and promotes more efficient use of available bandwidth between remote locations.

To determine the number of forests that your organization requires, identify the isolation requirements for each division of the organization that will be using the directory service. Consider the following elements:

  • Generally, a single forest deployment isolates data from parties outside the organization, but not from the forest’s own service administrators: because any group that controls a domain controller can affect every domain in the forest, there is no isolation between domains of one forest. If your organization includes more than one IT group, the only way to achieve isolation in a single forest environment is to select one IT group to act as the administrators of the forest, and then make the other IT groups in the organization relinquish control of the directory.

  • If divisions of your organization require that you isolate data from the rest of the organization, you must deploy multiple forests. For example, you might need multiple forests if legal or contractual obligations require that your organization guarantees the security of data for a particular project.

  • If your organization includes multiple divisions with separate IT groups, each IT group might prefer to manage its own forest; however, your business needs might require resource sharing between divisions. You can deploy multiple forests, each of which is managed by an individual IT group, and then establish trusts between the forests (a forest trust, or external trusts between the specific domains that need to share resources) to facilitate collaboration. In this type of environment, be careful to avoid granting administrative access to users in other forests, and leave SID filtering, which Windows Server 2003 enables on new external and forest trusts, turned on so that accounts from the other forest cannot present SIDs that belong to yours.

Trusts

If your organization includes more than one forest, you must connect the forests so that users in one forest can authenticate to and use resources in another. You do this by establishing trust relationships between some or all of the domains in the forests. The types of trust relationships that you can establish depend on the versions of the operating system that are running in each forest:

  • Authentication between Windows Server 2003 forests. When all domains in two forests trust each other and must authenticate users, establish a forest trust between the two forest root domains. A forest trust is transitive across every domain in both forests, but it does not extend to a third forest that either forest trusts. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication; an external trust is not transitive and covers only the two domains that it links.

  • Authentication between Windows Server 2003 and Windows 2000 forests. It is not possible to establish transitive forest trusts between Windows Server 2003 and Windows 2000 forests. To enable authentication with Windows 2000 forests, establish one-way or two-way external trusts between the domains that need to share resources.

  • Authentication between Windows Server 2003 forests and Windows NT 4.0 domains. Windows NT 4.0 has no forests, and it is not possible to establish transitive forest trusts between Windows Server 2003 forests and Windows NT 4.0 domains. Establish one-way or two-way external trusts between the domains that need to share resources.
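
The transitivity rules in the list above decide which users a domain will accept, and getting them wrong is how an unintended authentication path into a forest appears. The following model, added here as an example and not code from the original article, answers "whose users can authenticate to resources in domain X?" for a constructed topology (the Forest, Trust and Topology classes, the `trusted_domains` method and the domain names are all assumptions made for the example). It treats intra-forest parent/child trusts as two-way and transitive, a forest trust as transitive across both forests but never chaining to a third forest, and an external trust as non-transitive and honoured only by the trusting domain.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Forest:
    """A forest: its root domain plus a child -> parent map of the other domains."""
    name: str
    root: str
    parents: dict = field(default_factory=dict)  # child domain -> parent domain

    @property
    def domains(self):
        return {self.root, *self.parents.keys(), *self.parents.values()}


@dataclass
class Trust:
    """A trust between forests (kind="forest", between two roots) or domains (kind="external")."""
    trusting: str      # domain whose resources accept the other side's users
    trusted: str       # domain whose users are accepted
    kind: str          # "forest" or "external"
    two_way: bool = True


@dataclass
class Topology:
    forests: list
    trusts: list

    def forest_of(self, domain):
        for f in self.forests:
            if domain in f.domains:
                return f
        raise KeyError(f"unknown domain {domain}")

    def _directed(self):
        """Yield (trusting, trusted, kind) edges, expanding two-way trusts into both directions."""
        for t in self.trusts:
            yield t.trusting, t.trusted, t.kind
            if t.two_way:
                yield t.trusted, t.trusting, t.kind

    def trusted_domains(self, resource_domain):
        """Return the set of domains whose users can authenticate to resource_domain."""
        home = self.forest_of(resource_domain)
        # 1. Parent/child (and tree-root) trusts inside a forest are two-way and
        #    transitive: walk them from the resource domain to the rest of its forest.
        reached = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            current = queue.popleft()
            for child, parent in home.parents.items():
                for a, b in ((child, parent), (parent, child)):
                    if a == current and b not in reached:
                        reached.add(b)
                        queue.append(b)
        home_domains = set(reached)
        for trusting, trusted, kind in self._directed():
            if kind == "forest" and trusting in home_domains:
                # 2. Forest trust: every domain of the partner forest is trusted, but
                #    the walk stops there; trusts the partner has with others do not chain.
                reached |= self.forest_of(trusted).domains
            elif kind == "external" and trusting == resource_domain:
                # 3. External trust: non-transitive, so only the trusting domain itself
                #    (not its parent, children or forest) accepts the trusted domain's users.
                reached.add(trusted)
        reached.discard(resource_domain)
        return reached


# Constructed sample topology for the example (not from the original article).
CONTOSO = Forest("contoso", "contoso.com", {
    "eu.contoso.com": "contoso.com",
    "us.contoso.com": "contoso.com",
    "de.eu.contoso.com": "eu.contoso.com",
})
FABRIKAM = Forest("fabrikam", "fabrikam.com", {"sales.fabrikam.com": "fabrikam.com"})
ADATUM = Forest("adatum", "adatum.com")        # another Windows Server 2003 forest
TAILSPIN = Forest("tailspin", "tailspin.com")  # a Windows 2000 forest: external trust only

TOPOLOGY = Topology(
    forests=[CONTOSO, FABRIKAM, ADATUM, TAILSPIN],
    trusts=[
        Trust("contoso.com", "fabrikam.com", "forest", two_way=True),
        Trust("fabrikam.com", "adatum.com", "forest", two_way=True),
        # eu.contoso.com resources accept tailspin.com users; nothing flows the other way.
        Trust("eu.contoso.com", "tailspin.com", "external", two_way=False),
    ],
)

if __name__ == "__main__":
    for domain in ("us.contoso.com", "eu.contoso.com", "fabrikam.com", "tailspin.com"):
        print(f"{domain} accepts users from: {sorted(TOPOLOGY.trusted_domains(domain))}")
```

Running the model shows the two facts practitioners most often get wrong: fabrikam.com trusts adatum.com, yet no contoso.com domain does, because a forest trust does not chain; and tailspin.com users reach eu.contoso.com resources but not de.eu.contoso.com or us.contoso.com, because an external trust is honoured only by the domain that holds it. Replace the constructed topology with your own trusts and check the output against what you intended each trust to grant.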

For more information about designing Active Directory forests, see "Designing the Active Directory Logical Structure" in this book. For more information about implementing trusts between forests, see "Designing an Authentication Strategy" in this book.

© 2010 Microsoft Corporation. All rights reserved.