Active Directory Logical Structure Background Information

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model. Active Directory is a distributed database that stores and manages information about network resources, as well as application-specific data from directory-enabled applications. Active Directory allows administrators to organize elements of a network (such as users, computers, devices, and so on) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units. This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and the network topology.

Figure 2.2 shows the relationship between forests, domains, and organizational units.

Figure 2.2   Relationship Between Active Directory Forests, Domains, and OUs


Active Directory forest

A forest is a collection of one or more Active Directory domains that share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. Each forest is a single instance of the directory and defines a security boundary.

Security boundary   A boundary that defines a container for which no administrator external to the container can take control away from administrators within the container. For example, a forest is a security boundary. No administrators from outside the forest can control access to information inside the forest unless first given permission to do so by the administrators within the forest. By contrast, a domain is not a security boundary because, within a forest, it is not possible for administrators from one domain to prevent a malicious administrator from another domain from accessing data in their domain.

Active Directory domain

A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:

  • Network-wide user identity. Domains allow user identities to be created once and referenced on any computer joined to the forest in which the domain is located. Domain controllers that make up a domain are used to store user accounts and user credentials such as passwords or certificates securely.

  • Authentication. Domain controllers provide authentication services for users and supply additional authorization data, such as user group memberships, which can be used to control access to resources on the network.

  • Trust relationships. Domains can extend authentication services to users in domains outside their own forest by means of trusts.

  • Replication. The domain defines a partition of the directory containing sufficient data to provide domain services and replicates it between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a unit.

Active Directory organizational units

OUs can be used to form a hierarchy of containers within a domain. Organizational units are used to group objects for administrative purposes, such as the application of Group Policies or delegation of authority. Control over an OU and the objects within it is determined by the access control lists (ACLs) on the OU and on the objects in the OU.

Delegation of authority   To facilitate the management of large numbers of objects, Active Directory supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people trusted to perform management tasks.

Active Directory Logical Structure Design Process

Designing your Active Directory logical structure involves defining the relationships between the containers in your directory. These relationships might be based on administrative requirements, such as delegation of authority, or they might be defined by operational requirements, such as the need to control replication. In general, forests are used as security boundaries, domains are used to control replication, and OUs are used to delegate administration.

Figure 2.3 shows the distribution of users in a fictitious multinational organization. In this example, a single Active Directory forest contains all of the users, computers, devices, and other entities within the organization. The organization started with a domain for its corporate headquarters (Corp) and then, to control replication across the entire worldwide network, created three additional domains (North America, South America, and Europe) as partitions of the forest. To support further delegation, the organization subdivided the North America domain into three OUs: West, Central, and East.

Figure 2.3   Delegation of Administration Within an Organization

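Because control over an OU is determined by its ACL, a design like the one above should be reviewed for what has actually been delegated on each OU. The following script is an added example, not code from the original guide: it lists the ACEs set directly on the West, Central, and East OUs so that delegated authority can be compared against the intended design. It assumes the RSAT ActiveDirectory PowerShell module and uses a placeholder distinguished name (DC=na,DC=corp,DC=example) for the North America domain, which the guide does not name.

```powershell
# Added example: audit explicit delegation on the Figure 2.3 OUs.
# Requires the ActiveDirectory module (provides the AD: PSDrive used by Get-Acl).
Import-Module ActiveDirectory

# Placeholder DN for the North America domain; replace with the real domain DN.
$domainDN = 'DC=na,DC=corp,DC=example'
$ouNames  = 'West', 'Central', 'East'

# Default ACEs that every OU carries and that are not the result of delegation.
$builtinPattern = '^(NT AUTHORITY|BUILTIN)\\|\\(Domain Admins|Enterprise Admins)$|^Everyone$'

$report = foreach ($name in $ouNames) {
    $ouDN = "OU=$name,$domainDN"
    $acl  = Get-Acl -Path "AD:\$ouDN"

    # Keep only ACEs placed directly on this OU (not inherited from the domain)
    # and granted to principals other than the built-in administrative ones.
    $delegated = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -notmatch $builtinPattern
    }

    foreach ($ace in $delegated) {
        [pscustomobject]@{
            OU          = $name
            Trustee     = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType      # Allow or Deny
            AppliesTo   = $ace.InheritanceType        # None, All, Descendents, ...
            ObjectType  = $ace.ObjectType             # GUID of the attribute/class limited, if any
        }
    }
}

# Owners can also be inspected: an unexpected owner can rewrite the ACL outright.
$report | Format-Table -AutoSize
```

An all-zero ObjectType GUID means the ACE applies to the whole object rather than to one attribute or property set; resolving a non-zero GUID to its schema name requires a lookup against the schema and configuration partitions.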