
Active Directory to the Rescue

Active Directory solves many of the inherent limitations of Windows NT domains by creating a distributed directory database that keeps track of every conceivable type of network object.

Active Directory is a comprehensive directory management system that tracks just about everything worth tracking in a Windows network, including users, computers, files, folders, applications, and much more. Much of your job as a network administrator involves working with Active Directory, so it's vital that you have a basic understanding of how it works.

One of the most important differences between Active Directory and NT domains is that Active Directory isn't server-centric. In other words, Active Directory isn't tied to a specific server computer the way a Windows NT domain is tied to its primary domain controller. Although Active Directory still uses domains and domain controllers, these concepts are much more flexible in Active Directory than they are in Windows NT.

Another important difference between Active Directory and NT domains is that Active Directory uses the same naming scheme that's used on the Internet: Domain Name System (DNS). Thus, an Active Directory domain might have a name like sales.mycompany.com.

Understanding How Active Directory Is Structured
Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual objects tracked by the directory are stored. Active Directory uses a hierarchical database model, which groups items in a treelike structure.

The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its data. The following sections explain the meaning of these important Active Directory terms.

Objects
The basic unit of data in Active Directory is called an object. Active Directory can
store information about many kinds of objects. The objects you work with most
are users, groups, computers, and printers.

440 BOOK 6 Implementing Windows Server 2016


Figure 3-1 shows the Active Directory Manager displaying a list of built-in objects
that come preconfigured with Windows Server 2016. To get to this management
tool, choose Start  ➪  Administrative Tools  ➪  Active Directory Users and Computers.
Then click the Builtin node to show the built-in objects.

FIGURE 3-1: Objects displayed by the Active Directory Manager console.

Objects have descriptive characteristics called properties or attributes. You can call up the properties of an object by double-clicking the object in the management console.
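The same walk through the Builtin node, done from PowerShell instead of the console, as an added example (not code from the book). It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name Get-ADAttributeDump is this example's own.

```powershell
# Added example, not from the book: list the Builtin container the way the Active
# Directory Users and Computers console does, then read an object's attributes.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$builtin = "CN=Builtin,$($domain.DistinguishedName)"

# Every object directly under the Builtin node, with its object class.
Get-ADObject -SearchBase $builtin -SearchScope OneLevel -Filter * |
    Sort-Object ObjectClass, Name |
    Format-Table Name, ObjectClass, DistinguishedName -AutoSize

# The Properties dialog in the console is a view of the object's attributes.
# By default the cmdlets return only a handful; ask for all of them explicitly.
$admins = Get-ADGroup -Identity 'Administrators' -Properties *
$admins | Select-Object Name, SamAccountName, SID, GroupScope, GroupCategory,
                        whenCreated, whenChanged

# The attribute worth checking first on this particular built-in object: its
# members, including members reached through nested groups. Builtin\Administrators
# is S-1-5-32-544 in every domain and is an administrator on every domain controller.
Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Format-Table Name, objectClass, SamAccountName, distinguishedName -AutoSize

# Generic attribute dump for any object, handy for diffing two accounts or groups.
# (Function name is this example's own, not an ActiveDirectory module cmdlet.)
function Get-ADAttributeDump {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties *
    foreach ($name in ($obj.PropertyNames | Sort-Object)) {
        [pscustomobject]@{ Attribute = $name; Value = ($obj.$name -join '; ') }
    }
}
Get-ADAttributeDump -DistinguishedName $admins.DistinguishedName | Format-Table -AutoSize
```

The recursive membership listing is the one to keep an eye on: the console shows only direct members of a group, so an account nested two groups deep into Administrators is easy to miss there.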
Domains
A domain is the basic unit for grouping related objects in Active Directory. Typically, domains correspond to departments in a company. A company with separate Accounting, Manufacturing, and Sales departments might have domains named (you guessed it) Accounting, Manufacturing, and Sales. Or the domains may correspond to geographical locations. A company with offices in Detroit, Dallas, and Denver might have domains named det, dal, and den.

Note that because Active Directory domains use DNS naming conventions, you can create subdomains, which are known as child domains. You should always create the top-level domain for your entire network (the forest root domain) before you create any other domain, because the forest is created together with that first domain and every later domain joins it. If your company is named Nimbus Brooms, and you've registered NimbusBroom.com as your domain name, you should create a top-level domain named NimbusBroom.com before you create any other domains. Then you can create subdomains such as Accounting.NimbusBroom.com, Manufacturing.NimbusBroom.com, and Sales.NimbusBroom.com.
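The root-first order described above, carried out with the ADDSDeployment cmdlets, as an added example (not code from the book). It assumes Windows Server 2016 with the AD DS role already installed on each future domain controller and NimbusBroom.com as the chosen root; the NetBIOS names and the account used for the child-domain promotion are this example's assumptions.

```powershell
# Added example, not from the book: build the namespace in the order the text
# prescribes, forest root first, then a child domain. Assumes Windows Server 2016
# with the AD DS role installed on each future domain controller
# (Install-WindowsFeature AD-Domain-Services -IncludeManagementTools) and that
# NimbusBroom.com is the registered name chosen for the root.
Import-Module ADDSDeployment

$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# Step 1, on the first server: create the forest root domain NimbusBroom.com.
# This one command creates the forest as well, so the forest-wide settings
# (schema, configuration partition, forest functional level) are fixed here.
Test-ADDSForestInstallation -DomainName 'NimbusBroom.com' -InstallDns `
    -SafeModeAdministratorPassword $dsrm
Install-ADDSForest `
    -DomainName 'NimbusBroom.com' `
    -DomainNetbiosName 'NIMBUSBROOM' `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# WinThreshold is the Windows Server 2016 functional level; -Force skips the
# confirmation prompt, and the server reboots when promotion completes.

# Step 2, on a second server that uses the new root DC for DNS: add the
# Accounting child domain. The credential must hold Enterprise Admins rights in
# the root domain. -CreateDnsDelegation adds the delegation for the child zone
# to NimbusBroom.com's DNS so the new name resolves from the root.
$entAdmin = Get-Credential -Message 'Enterprise Admin account in NimbusBroom.com'
Test-ADDSDomainInstallation -NewDomainName 'Accounting' -ParentDomainName 'NimbusBroom.com' `
    -DomainType ChildDomain -Credential $entAdmin -InstallDns `
    -SafeModeAdministratorPassword $dsrm
Install-ADDSDomain `
    -NewDomainName 'Accounting' `
    -ParentDomainName 'NimbusBroom.com' `
    -DomainType ChildDomain `
    -NewDomainNetbiosName 'ACCOUNTING' `
    -InstallDns `
    -CreateDnsDelegation `
    -Credential $entAdmin `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# Step 3, after both promotions: confirm the tree looks the way it was planned.
Import-Module ActiveDirectory
$forest = Get-ADForest -Identity 'NimbusBroom.com'
"Root domain : $($forest.RootDomain)"
"All domains : $($forest.Domains -join ', ')"
(Get-ADDomain -Identity 'Accounting.NimbusBroom.com').ParentDomain

# Clients locate domain controllers through DNS SRV records, so the child's
# records must resolve through the root domain's DNS, not just on the child DC.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.Accounting.NimbusBroom.com' -Type SRV
```

Run each step on the machine it names: the Test- cmdlets check prerequisites without changing anything, which is the cheap way to catch a DNS or credential problem before a promotion that ends in a reboot.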

CHAPTER 3 Configuring Active Directory 441


If you have Microsoft Visio, you can use it to draw diagrams for your Active Directory domain structure. Visio includes several templates that provide cool icons for various types of Active Directory objects. Figure 3-2 shows a Visio diagram of an Active Directory with four domains.

FIGURE 3-2: Domains for a company with three departments.

Note that these domains have little to do with the physical structure of your net-
work. In Windows NT, domains usually are related to the network’s physical
structure.

Every domain must have at least one domain controller, which is a server that's responsible for the domain. Unlike a Windows NT PDC, however, an Active Directory domain controller doesn't have unique authority over its domain. In fact, a domain can have two or more domain controllers that share administrative duties, each holding its own writable copy of the domain database. A feature called replication works hard at keeping all the domain controllers in sync.

Organizational units
Many domains have too many objects to manage together in a single group. For-
tunately, Active Directory lets you create one or more organizational units, also
known as OUs. OUs let you organize objects within a domain, without the extra
work and inefficiency of creating additional domains.

One reason to create OUs within a domain is to assign administrative rights over each OU to different users. Those users can then perform routine administrative tasks within their OU, such as creating new user accounts or resetting passwords, without being administrators of the whole domain.

Suppose that the domain for the Denver office, named den, houses the Accounting and Legal departments. Rather than create separate domains for these departments, you could create organizational units for the departments.
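The Denver example done in PowerShell, with the delegation the previous paragraphs describe, as an added example (not code from the book). It assumes a session running in den.NimbusBroom.com with the ActiveDirectory module loaded, and a group named Accounting-Helpdesk that already exists; the group name and the function Get-OUDelegation are this example's own.

```powershell
# Added example, not from the book: create the two departmental OUs in the den
# domain and delegate one routine task, password resets, to a help-desk group.
# Assumes a session running in den.NimbusBroom.com with the ActiveDirectory
# module loaded, and that the group 'Accounting-Helpdesk' already exists (both
# are assumptions for this example).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # DC=den,DC=NimbusBroom,DC=com

# OUs instead of extra domains for the departments. Protect them from accidental
# deletion: deleting an OU cascades to every object beneath it.
foreach ($dept in 'Accounting', 'Legal') {
    $exists = Get-ADOrganizationalUnit -SearchBase $domainDN -SearchScope OneLevel `
                                       -Filter "Name -eq '$dept'"
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $dept -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

$ouDN     = "OU=Accounting,$domainDN"
$helpdesk = Get-ADGroup -Identity 'Accounting-Helpdesk'

# Two GUIDs that are the same in every forest: the "Reset Password" control access
# right, and the schemaIDGUID of the user class. Scoping the ACE to both means the
# help desk can reset passwords of user objects under this OU and nothing else.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show every ACE set directly on this OU rather than inherited from above.
# This is the list an auditor (or an attacker) reads to find delegated rights, so
# anything broader than intended, e.g. GenericAll or WriteDacl, should stand out.
# (Function name is this example's own.)
function Get-OUDelegation {
    param([Parameter(Mandatory)][string]$OrganizationalUnitDN)
    (Get-Acl -Path "AD:\$OrganizationalUnitDN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}
Get-OUDelegation -OrganizationalUnitDN $ouDN | Format-Table -AutoSize
```

Two caveats worth knowing before handing out OU rights. Delegate to a group, never to an individual account, so the right can be revoked by changing membership. And delegation does not reach members of protected groups such as Domain Admins: the AdminSDHolder process periodically rewrites the ACLs of those accounts, so a help desk scoped to an OU cannot reset an administrator's password even if the administrator's account sits in that OU.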



Trees
A tree is a set of Active Directory domains that share a contiguous namespace. The domains NimbusBroom.com, Accounting.NimbusBroom.com, Manufacturing.NimbusBroom.com, and Sales.NimbusBroom.com make up a tree that's derived from a common root domain, NimbusBroom.com.

The domains that make up a tree are related to one another through two-way transitive trusts, which Active Directory creates automatically between each parent domain and its child domains. In a transitive trust, if DomainA trusts DomainB and DomainB trusts DomainC, DomainA automatically trusts DomainC.

Note that a single domain all by itself is still considered to be a tree.

Forests
As its name suggests, a forest is a collection of trees. In other words, a forest is a
collection of one or more domain trees that do not share a common parent domain.

Suppose that Nimbus Brooms acquires Tracorum Technical Enterprises, which already has its own root domain named TracorumTech.com, with several subdomains of its own. You can create a forest from these two domain trees so that the domains can trust each other. Figure 3-3 shows this forest. (In practice, an existing domain can't be moved into another forest as it stands; either the second tree is built inside the Nimbus forest from the start, or the two forests are linked with a forest trust and accounts are migrated later.)

FIGURE 3-3: A forest with two trees.

The key to Active Directory forests is a database called the global catalog. The global catalog is sort of a superdirectory that contains information about all the objects in a forest, regardless of the domain. It holds only a subset of each object's attributes (the ones most often searched for, such as names and logon identifiers), and the domain controllers designated as global catalog servers answer global catalog queries on TCP port 3268 (3269 for LDAP over SSL). If a user account can't be found in the current domain, the global catalog is searched for the account. The global catalog provides a reference to the domain in which the account is defined.
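A forest map covering the domain controller, tree, forest, and global catalog passages above, as an added example (not code from the book). It assumes the ActiveDirectory module in a session joined to any domain of the forest; the functions Get-ReplicationStatus and Find-ForestUser and the account name jdoe are this example's own.

```powershell
# Added example, not from the book: map the forest as the Trees, Forests and
# global catalog passages describe it, check replication between domain
# controllers, and resolve a user through the global catalog. Assumes the
# ActiveDirectory module in a session joined to any domain of the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root     : $($forest.RootDomain)"
"Forest mode     : $($forest.ForestMode)"
"Domains         : $($forest.Domains -join ', ')"
"Global catalogs : $($forest.GlobalCatalogs -join ', ')"

# Trees: a domain with no parent starts a tree; every other domain hangs off its
# ParentDomain. Two tree roots in one forest is the NimbusBroom/TracorumTech case.
foreach ($name in $forest.Domains) {
    $dom  = Get-ADDomain -Identity $name
    $kind = if ($dom.ParentDomain) { "child of $($dom.ParentDomain)" } else { 'tree root' }
    '{0,-40} {1}' -f $dom.DNSRoot, $kind
}

# Trust topology as seen from the root domain. Parent/child and tree-root trusts
# inside the forest are two-way and transitive (IntraForest = True). Anything with
# IntraForest = False points outside the forest and deserves a closer look at
# SID filtering and selective authentication.
Get-ADTrust -Filter * -Server $forest.RootDomain |
    Select-Object Name, Direction, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication, TGTDelegation |
    Format-Table -AutoSize

# Domain controllers and replication health: every DC holds a writable copy of
# its domain, so a partner that has not replicated recently is serving stale data.
# (Function name is this example's own.)
function Get-ReplicationStatus {
    param([string]$Domain = $forest.RootDomain)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
            Select-Object Server, Partner, LastReplicationSuccess,
                          LastReplicationResult, ConsecutiveReplicationFailures
    }
}
Get-ReplicationStatus | Format-Table -AutoSize

# Global catalog lookup. Port 3268 searches the partial replica of every domain in
# the forest, so the account is found without knowing its domain first; the
# distinguished name in the result tells you which domain defines it.
# (Function name and the account 'jdoe' are this example's own.)
function Find-ForestUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $gc = $forest.GlobalCatalogs | Select-Object -First 1
    Get-ADObject -Server "${gc}:3268" `
        -LDAPFilter "(&(objectClass=user)(sAMAccountName=$SamAccountName))" `
        -Properties sAMAccountName, userPrincipalName |
        Select-Object Name, sAMAccountName, userPrincipalName, DistinguishedName
}
Find-ForestUser -SamAccountName 'jdoe'
```

The global catalog query returns only the attributes replicated to the partial set; for anything else (group membership details, password metadata), take the distinguished name from the result and query a domain controller of that domain on the normal LDAP port.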

