Working with Domain Structures

Active Directory provides both logical and physical structures for network components. Logical structures help you organize directory objects and manage network accounts and shared resources. Logical structures include the following:

  • Organizational units: A subgroup within a domain that often mirrors the organization's business or functional structure.
  • Domains: A group of computers that share a common directory database.
  • Domain trees: One or more domains that share a contiguous namespace.
  • Domain forests: One or more domain trees that share common directory information.

Physical structures serve to facilitate network communication and to set physical boundaries around network resources. Physical structures that help you map the physical network structure include the following:

  • Subnets: A network group with a specific Internet Protocol (IP) address range and network mask.
  • Sites: One or more subnets. Sites are used to configure directory access and replication.

Understanding Domains

An Active Directory domain is simply a group of computers that share a common directory database. Active Directory domain names must be unique. For example, you can't have two microsoft.com domains, but you could have a microsoft.com parent domain with seattle.microsoft.com and ny.microsoft.com child domains. If the domain is part of a private network, the name assigned to a new domain must not conflict with any existing domain name on the private network. If the domain is part of the global Internet, the name assigned to a new domain must not conflict with any existing domain name throughout the Internet. To ensure uniqueness on the Internet, you must register the parent domain name before using it. You can register a domain through any designated registrar. You can find a current list of designated registrars at InterNIC (https://www.internic.net).

Each domain has its own security policies and trust relationships with other domains. Domains can also span more than one physical location, which means that a domain can consist of multiple sites and those sites can have multiple subnets, as shown in Figure 7-1. Within a domain's directory database, you'll find objects defining accounts for users, groups, and computers as well as shared resources such as printers and folders.

Figure 7-1 This network diagram depicts a wide area network (WAN) with multiple sites and subnets.

Note User and group accounts are discussed in Chapter 9, "Understanding User and Group Accounts." Computer accounts and the various types of computers used in Windows Server 2008 domains are discussed in "Working with Active Directory Domains" on page 202.

Domain functions are limited and controlled by the domain functional level. Several domain functional levels are available, including the following:

  • Windows 2000 mixed: Supports domain controllers running Windows NT 4.0 and later releases of Windows Server. However, you cannot use Windows NT 4.0 domain controllers with Windows Server 2008 and you cannot use Windows Server 2008 domain controllers with Windows NT 4.0 servers.
  • Windows 2000 native: Supports domain controllers running Windows 2000 and later.
  • Windows Server 2003: Supports domain controllers running Windows Server 2003 and Windows Server 2008.
  • Windows Server 2008: Supports domain controllers running Windows Server 2008.

For a further discussion of domain functional levels, see "Working with Domain Functional Levels" on page 203.

Understanding Domain Forests and Domain Trees

Each Active Directory domain has a DNS domain name, such as microsoft.com. One or more domains sharing the same directory data are referred to as a forest. The domain names within this forest can be discontiguous or contiguous in the DNS naming hierarchy.

When domains have a contiguous naming structure, they're said to be in the same domain tree. Figure 7-2 shows an example of a domain tree. In this example the root domain msnbc.com has two child domains—seattle.msnbc.com and ny.msnbc.com. These domains in turn have subdomains. All the domains are part of the same tree because they have the same root domain.

Figure 7-2 Domains in the same tree share a contiguous naming structure.

If the domains in a forest have discontiguous DNS names, they form separate domain trees within the forest. As shown in Figure 7-3, a domain forest can have one or more domain trees. In this example the msnbc.com and microsoft.com domains form the roots of separate domain trees in the same forest.

Figure 7-3 Multiple trees in a forest have discontiguous naming structures.

You access domain structures in Active Directory Domains And Trusts, which is shown in Figure 7-4. Active Directory Domains And Trusts is a snap-in for the Microsoft Management Console (MMC); you can also start it from the Administrative Tools menu. You'll find separate entries for each root domain. In Figure 7-4, the active domain is cpandl.com.

Figure 7-4 Use Active Directory Domains And Trusts to work with domains, domain trees, and domain forests.

Forest functions are limited and controlled by the forest functional level. Several forest functional levels are available, including:

  • Windows 2000: Supports domain controllers running Windows NT 4.0 and later releases of Windows Server. However, you cannot use Windows NT 4.0 domain controllers with Windows Server 2008 and you cannot use Windows Server 2008 domain controllers with Windows NT 4.0 servers.
  • Windows Server 2003: Supports domain controllers running Windows Server 2003 and Windows Server 2008.
  • Windows Server 2008: Supports domain controllers running Windows Server 2008.

The Windows Server 2003 forest functional level offers substantial improvements in Active Directory performance and features over the Windows 2000 forest functional level. When all domains within a forest are operating in this mode, you'll see improvements in global catalog replication and improved replication efficiency for Active Directory data. Because link values are replicated, you might see improved intersite replication as well. You'll be able to deactivate schema class objects and attributes; use dynamic auxiliary classes; rename domains; and create one-way, two-way, and transitive forest trusts.

The Windows Server 2008 forest functional level offers incremental improvements in Active Directory performance and features over the Windows Server 2003 forest functional level. When all domains within a forest are operating in this mode, you'll see improvements in both intersite and intrasite replication throughout the organization. Domain controllers will use DFS replication rather than FRS replication as well. Further, Windows Server 2008 security principals are not created until the PDC emulator operations master in the forest root domain is running Windows Server 2008. This requirement is similar to the Windows Server 2003 requirement.

Understanding Organizational Units

Organizational units are subgroups within domains that often mirror an organization's functional or business structure. You can also think of organizational units as logical containers into which you can place accounts, shared resources, and other organizational units. For example, you could create organizational units named Human-Resources, IT, Engineering, and Marketing for the microsoft.com domain. You could later expand this scheme to include child units. Child organizational units for Marketing could include OnlineSales, ChannelSales, and PrintSales.

Objects placed in an organizational unit can only come from the parent domain. For example, organizational units associated with seattle.microsoft.com can contain objects for this domain only. You can't add objects from ny.microsoft.com to these containers, but you could create separate organizational units to mirror the business structure of seattle.microsoft.com.
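The two naming rules described above (domains with contiguous DNS names form one tree, and an organizational unit holds objects from its own domain only) as an added example that is not part of the chapter. The forest uses the domain names from Figures 7-2 and 7-3; the distinguished names and the helper functions are constructed for illustration.

```python
import re

# Constructed sample forest, using the domain names from the chapter's figures.
FOREST_DOMAINS = [
    "msnbc.com", "seattle.msnbc.com", "ny.msnbc.com",
    "microsoft.com", "seattle.microsoft.com",
]

def dns_domain_from_dn(dn: str) -> str:
    """Join the DC= components of a distinguished name into a DNS name.
    Splits only on unescaped commas, so a value like 'CN=Doe\\, Jane' stays intact."""
    components = [c.strip() for c in re.split(r"(?<!\\),", dn)]
    labels = [c.split("=", 1)[1] for c in components if c.upper().startswith("DC=")]
    return ".".join(labels).lower()

def is_child_of(domain: str, candidate_parent: str) -> bool:
    """True when candidate_parent is a proper DNS suffix of domain."""
    return domain != candidate_parent and domain.endswith("." + candidate_parent)

def domain_trees(domains):
    """Group a forest's domains into trees. A tree root is a domain with no
    parent in the forest; every domain joins the tree of its root, so domains
    with discontiguous names (msnbc.com, microsoft.com) land in separate trees."""
    roots = [d for d in domains if not any(is_child_of(d, o) for o in domains)]
    trees = {root: [] for root in roots}
    for d in domains:
        root = next(r for r in roots if d == r or is_child_of(d, r))
        trees[root].append(d)
    return trees

def ou_accepts_object(ou_dn: str, object_dn: str) -> bool:
    """An OU may hold only objects of its own domain: compare the DC= parts."""
    return dns_domain_from_dn(ou_dn) == dns_domain_from_dn(object_dn)

if __name__ == "__main__":
    for root, members in domain_trees(FOREST_DOMAINS).items():
        print(f"tree rooted at {root}: {', '.join(members)}")
    ou = "OU=Sales,DC=seattle,DC=microsoft,DC=com"
    print(ou_accepts_object(ou, "CN=Doe\\, Jane,CN=Users,DC=ny,DC=microsoft,DC=com"))
```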

Organizational units are very helpful in organizing the objects around the organization's business or functional structure. Still, this isn't the only reason to use organizational units. Other reasons include:

  • Organizational units allow you to assign a group policy to a small set of resources in a domain without applying this policy to the entire domain. This helps you set and manage group policies at the appropriate level in the enterprise.
  • Organizational units create smaller, more manageable views of directory objects in a domain. This helps you manage resources more efficiently.
  • Organizational units allow you to delegate authority and to easily control administrative access to domain resources. This helps you control the scope of administrator privileges in the domain. You could grant user A administrative authority for one organizational unit and not for others. Meanwhile, you could grant user B administrative authority for all organizational units in the domain.

Organizational units are represented as folders in Active Directory Users And Computers, as shown in Figure 7-5. This utility is a snap-in for the MMC, and you can also start it from the Administrative Tools menu.

Figure 7-5 Use Active Directory Users And Computers to manage users, groups, computers, and organizational units.

Understanding Sites and Subnets

A site is a group of computers in one or more IP subnets. You use sites to map your network's physical structure. Site mappings are independent from logical domain structures, so there's no necessary relationship between a network's physical structure and its logical domain structure. With Active Directory you can create multiple sites within a single domain or create a single site that serves multiple domains. The IP address ranges used by a site and the domain namespace also have no connection.

You can think of a subnet as a group of network addresses. Unlike sites, which can have multiple IP address ranges, subnets have a specific IP address range and network mask. Subnet names are shown in the form network/bits-masked, such as 192.168.19.0/24. Here, the address 192.168.19.9 and the network mask 255.255.255.0 are combined to create the subnet name 192.168.19.0/24: the mask clears the host portion of the address, leaving the network address 192.168.19.0, and the 24 is the number of bits set in the mask.

Note Don't worry, you don't need to know how to create a subnet name. In most cases you enter the network address and the network mask and then Windows Server 2008 generates the subnet name for you.

Computers are assigned to sites based on their location in a subnet or a set of subnets. If computers in subnets can communicate efficiently with one another over the network, they're said to be well connected. Ideally, sites consist of subnets and computers that are all well connected. If the subnets and computers aren't well connected, you might need to set up multiple sites. Being well connected gives sites several advantages:

  • When clients log on to a domain, the authentication process first searches for domain controllers that are in the same site as the client. This means that local domain controllers are used first, if possible, which localizes network traffic and can speed up the authentication process.
  • Directory information is replicated more frequently within sites than between sites. This reduces the network traffic load caused by replication while ensuring that local domain controllers get up-to-date information quickly. You can also use site links to customize how directory information is replicated between sites. A domain controller designated to perform intersite replication is called a bridgehead server. By designating a bridgehead server to handle replication between sites, you place the bulk of the intersite replication burden on a specific server rather than on any available server in a site.
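How a subnet name is derived from a network address and mask, and how a computer is assigned to a site through its subnet, as an added example that is not part of the chapter. The site names and subnet ranges below are constructed; the 192.168.19.9 / 255.255.255.0 pair is the chapter's own example. Overlapping subnets are resolved here by the most specific (longest prefix) match, and a host in no defined subnet maps to no site at all.

```python
import ipaddress

# Constructed site definitions (not from the chapter); each subnet is entered as
# network address plus network mask, the way Active Directory Sites And Services asks.
SITE_SUBNETS = {
    "Seattle": [("192.168.19.9", "255.255.255.0"), ("192.168.20.0", "255.255.255.0")],
    "NewYork": [("10.1.0.0", "255.255.0.0")],
    "NewYork-Branch": [("10.1.7.0", "255.255.255.0")],   # nested inside 10.1.0.0/16
}

def subnet_name(address: str, mask: str) -> str:
    """Derive the network/bits-masked name, e.g. 192.168.19.0/24.
    strict=False lets ipaddress clear the host bits, so 192.168.19.9 with
    255.255.255.0 yields 192.168.19.0/24, matching the chapter's example."""
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=False))

def is_valid_mask(address: str, mask: str) -> bool:
    """ipaddress rejects non-contiguous masks such as 255.0.255.0."""
    try:
        ipaddress.ip_network(f"{address}/{mask}", strict=False)
        return True
    except ValueError:
        return False

def build_subnet_table(site_subnets):
    """Flatten the site definitions into (network, site) pairs."""
    return [(ipaddress.ip_network(subnet_name(a, m)), site)
            for site, subnets in site_subnets.items() for a, m in subnets]

def site_for_host(ip: str, table):
    """Map a computer to a site by its subnet. With overlapping subnets the most
    specific (longest prefix) match wins; None means the host lies in no defined
    subnet, so no site can steer it to a local domain controller."""
    host = ipaddress.ip_address(ip)
    matches = [(net, site) for net, site in table if host in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    for ip in ("192.168.19.200", "10.1.7.33", "10.1.8.1", "172.16.0.1"):
        print(ip, "->", site_for_host(ip, table))
```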

You access sites and subnets through Active Directory Sites And Services, as shown in Figure 7-6. Because this is a snap-in for the MMC, you can add it to any updateable console. You can also open Active Directory Sites And Services from the Administrative Tools menu.

Figure 7-6 Use Active Directory Sites And Services to manage sites and subnets.

© Microsoft. All Rights Reserved.