• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Active Directory Articles
• Understanding Active Directory
• Active Directory Management Tools
• Active Directory Objects
• Active Directory replication
• Active Directory Security
• Active Directory Security Principal Accounts
• Active Directory Terminology and Concepts
• Backing Up and Restoring Active Directory
• Configuring and Troubleshooting Active Directory Replication
• Managing Active Directory Performance
• Publishing Resources in Active Directory
• Troubleshooting Active Directory availability
• What is New in Windows Server 2003 Active Directory
• Deploying Software through Group Policy
• Group Policy Terminology and Concepts
• Implementing and Managing Group Policy Objects
• Implementing Folder Redirection using Group Policy
• Planning a Group Policy
• Troubleshooting Group Policy
• Creating and Managing Domain Controllers
• Creating and Managing Forests and Domains
• Forest and Domain Functional Levels
• The Global Catalog Server
• Managing Recipient Objects Address List and Distribution and Administrative Groups
• Operations Master Roles
• Understanding Forests and Domains
• Understanding Group Types and Scopes
• Understanding Organizational Units
• Understanding Trust Relationship
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Active Directory Terminology and Concepts

Active Directory Data Store (Directory)

The Active Directory data store is the database that holds all the directory information such as information on users, computer, groups, other objects, and information on the objects which users can access. It also includes other network components. Another name used to refer to the Active Directory data store is the directory. The Active Directory data store or directory is stored on the hard disk of the server by means of the Ntds.dit file. The file has to be stored on a drive that is formatted with the NTFS file system. The Ntds.dit file is placed in the Ntds folder in the systemroot. When changes are made to the directory, these changes are saved to the Ntds.dit file. Because all the data in Active Directory is stored in one distributed data store, the availability of data is improved. A centralized data store means less duplication, and also needs less administration.

Because domain controllers are utilized to manage domains, each domain controller within the domain hosts a write copy of the Active Directory directory. This means is that if one domain controller is unavailable; users, computers and programs would still able to still access the Active Directory data store hosted on a different domain controller in the particular domain. When changes are made to the data store on one domain controller, these changes are replicated to the remainder of the domain controllers within the domain. Because of Active Directory replication, domain controllers in a domain remain synchronized with one another. Active Directory replication occurs automatically. Only domain data, configuration data and schema data is replicated.

Information stored in Active Directory is not all placed in the identical location. The different locations wherein data is stored is called directory partitions. The domain partition holds information about the domain such as users, and resources in the domain. The configuration partition contains information on the Active Directory structure such as the configuration of the domains, domain trees and forests. The schema partition stores information on object classes and attributes.

Active Directory Objects

All information on users, groups, computers, servers and security policies in Active Directory are organized and categorized into different Active Directory objects. An Active Directory object can be defined as a group of attributes that represents a resource in the network. Each object has a unique name or unique identifier called a distinguished name. Objects can also contain other objects. These objects are known as containers. In the Active Directory Users and Computers console, the default object types created in a new domain in Active Directory are:

• Domain, Organizational Unit, User, Computer, Contact, Group, Shared Folder and Shared Printer

Active Directory Components

Domains, organizational units (OUs), domain trees and forests are considered logical structures. Sites and domain controllers are considered physical structures.

• Domains are the main logical structure in Active Directory because they contain Active Directory objects. Network objects such as users, printers, shared resources, and more, are all stored in domains. Domains are also security boundaries. Access to objects in the domain is controlled by access control lists (ACLs). You can use the domain functional level to enable additional Active Directory features. You do this by raising the domain functional level of the domain controllers within the domain. In Windows 2000, the domain mode concept was used and not the domain functional level. The domain functional levels that can be specified are Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim and Windows Server 2003.
• Organizational Unit (OU): An OU is a container that enables you to organize objects such as users, computers and even other OUs in a domain to form a logical administrative group. An OU is the smallest Active Directory component to which you can delegate administrative authority. A domain can have it own unique OU hierarchy.
• Domain Trees: When you group multiple domains into a hierarchical structure by adding child domains to a parent domain, you are basically forming a domain tree. Domains are regarded as being part of the same domain tree when they have a contiguous naming structure. A two-way transitive trust relationship is automatically created between the parent domain and child domains when you create the child domain.
• Forests: A forest is the grouping of multiple domain trees into a hierarchical structure. Domain trees in a forest have a common schema, configuration, and global catalog. Domains within the forest are linked by two-way transitive trust. Through the forest functional level, you can enable additional forest wide Active Directory features. The forest functional levels that can be set are Windows 2000, Windows Server 2003 Interim, and Windows Server 2003.
• Sites: In Active Directory, sites are formed through the grouping of multiple subnets. Sites are typically defined as locations in which network access is highly reliable, fast and not very expensive.
• Domain Controllers (DCs): A domain controller is a server that stores a write copy of Active Directory. They maintain the Active Directory data store. Certain master roles can be assigned to domain controllers within a domain and forest. Domain controllers that are assigned special master roles are called Operations Masters. These domain controllers host a master copy of particular data in Active Directory. They also copy data to the remainder of the domain controllers. There are five different types of master roles that can be defined for domain controllers. Two types of master roles, forestwide master roles, are assigned to one domain controller in a forest. The other three master roles, domainwide master roles, are applied to a domain controller in every domain.
• The Schema Master is a forestwide master role applied to a domain controller that manages all changes in the Active Directory schema.
• The Domain Naming Master is a forestwide master role applied to a domain controller that manages changes to the forest, such as adding and removing a domain. The domain controller serving this role also manages changes to the domain namespace.
• The Relative ID (RID) Master is a domainwide master role applied to a domain controller that creates unique ID numbers for domain controllers and manages the allocation of these numbers.
• The PDC Emulator is a domainwide master role applied to a domain controller that operates like a Windows NT primary domain controller. This role is typically necessary when there are computers in your environment running pre-Windows 2000 and XP operating systems.
• The Infrastructure Master is a domainwide master role applied to a domain controller that manages changes made to group memberships.

Active Directory Schema

The Active Directory schema defines what types of objects can be stored in Active Directory. It also defines what the attributes of these objects are. The schema is defined by the following two types of schema objects or metadata:

• Schema class objects, also known as schema classes: Define the objects that can be created and stored in Active Directory. The schema attributes store information on the schema class object when you create a new class. A schema class is therefore merely a set of schema attribute objects.
• Schema attribute objects, also known as schema attributes: Schema attributes provide information on object classes. The attributes of an object is also called the object's properties.

Although Active Directory includes a large number of object classes, you can create additional object classes if necessary. These additions are known as extensions to the schema. Extensions can only be performed on the domain controller acting the Schema Master role.

The object classes that can be used on access control lists (ACLs) to protect security objects are User, Computer, and Group. These object classes are called security principals. A security principal has a Security Identifier (SID) which is a unique number. A security principal's SID consists of the security principal's domain and a Relative ID (RID). The RID is a unique suffix.

A few other concepts associated with the Active Directory schema are:

• Class Derivations: Set a way for forming new object classes using existing object classes.
• Schema Rules: The Active Directory directory service implements a set of rules into the Active Directory schema that control the manner in which classes and attributes are utilized, and what values classes and attributes can include. Schema rules are organized into Structure Rules, Syntax Rules, and Content Rules
• Structure Rules: The structure rule in Active Directory is that an object class can have only specific classes directly on top of it. These specific classes are called Possible Superiors. Structure rules prevent you from placing an object class in an inappropriate container.
• Syntax Rules: These rules define the types of values and ranges allowed for attributes.
• Content Rules dictate what attributes can be associated with a particular class.

Global Catalog

The global catalog is a central information store on the objects in a forest and domain, and is used to improve performance when searching for objects in Active Directory. The first domain controller installed in a domain is designated as the global catalog server by default. The global catalog server stores a full replica of all objects in its host domain, and a partial replica of objects for the remainder of the domains in the forest. The partial replica contains those objects which are frequently searched for. It is generally recommended to configure a global catalog server for each site in a domain. You can use the Active Directory Sites and Services console to set up additional global catalog servers.

Group Policies and Active Directory

Active Directory enables you to perform policy based administration through Group Policy. Through group policies, you can deploy applications and configure scripts to execute at startup, shutdown, logon, or logoff. You can also implement password security, control certain desktop settings, and redirect folders. When you create new group policies in Active Directory, the policy is stored as Group Policy Objects (GPOs). In Active directory, you can apply a GPO to a domain, site or Organizational Unit.

Active Directory Object Naming Schemes

Each object in the Active Directory data store must have a unique name. Active Directory supports a number of object naming schemes for naming objects:

• Distinguished name (DN): Each object has a DN. The DN uniquely identifies a particular object and uniquely identify where the object is stored. The components that make up the DN of an object are:
• CN - common name
• OU - organizational unit
• DC - domain component
• A canonical name is merely a different manner of depicting the object's DN in a method that is simpler to interpret.
• Relative distinguished name (RDN): The RDN identifies a particular object within a parent container or OU.
• Globally unique identifier (GUID): A GUID is a unique hexadecimal number that is assigned to an object at the time that the object is created. The GUID of an object never changes.
• User principal name (UPN): The UPN is made up of the user account name of the user, and a domain name that identifies the domain that contains the user account.

Active Directory Replication

In Active Directory, replication ensures that any changes made to a domain controller within a domain are replicated to all the other domain controllers in the domain. Active Directory utilizes multimaster replication to replicate changes in the Active Directory data store to the domain controllers. With multimaster replication, domains are considered peers to one another.

With Windows Server 2003, the Knowledge Consistency Checker (KCC) is used to create a replication topology of the forest, to ensure that the changes are replicated efficiently to the domain controllers. A replication topology reflects the physical connections utilized by domain controllers to replicate the Active Directory directory to domain controllers in a site, or in different sites. Intra-site replication occurs when the Active Directory directory is replicated within a site. When replication occurs between sites, it is known inter-site replication. Since the bandwidth between sites are typically slow, information on site link objects is utilized to identify the most favourable link that should be used for moving replication data between sites in Active Directory.

Active Directory Trust Relationships

In Active Directory, when two domains trust each other or a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain. The trust relationships supported in Windows Server 2003 are summarized below:

• Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that have a common contiguous DNS namespace, and who belong to the identical forest. This trust relationship is established when a child domain is created in a domain tree.
• Tree Root trust: A tree root trust relationship can be configured between root domains in the same forest. The root domains do not have a common DNS namespace. This trust relationship is established when a new tree root domain is added to a forest.
• Shortcut trust: This trust relationship can be configured between two domains in different domain trees but within the same forest. Shortcut trust is typically utilized to improve user logon times.
• External trust: External trust relationships are created between an Active Directory domain and a Windows NT4 domain.
• Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.
• Forest trust: Forest trust can be created between two Active Directory forests.

Bookmark Active Directory Terminology and Concepts

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum