Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week continues the topic of Active Directory Logical Architecture and specifically covers Domains, Organizational Units, and the Global Catalog.
by Jason Zandri
Welcome to the fourth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This week the topic is Active Directory Domains, Organizational Units and the Global Catalog.
Active Directory Logical Architecture
As you prepare to install your first Windows 2000 Domain Controller into your environment, whether that is a pristine forest or an existing domain, you need a solid understanding of all of the different parts that make up Windows 2000 Active Directory.
Windows 2000 domains are the core unit of the logical structure in Active Directory, and that structure can be made up of one or more domains. Windows 2000 domains can also span more than one physical location.
All network objects exist within a domain, and each domain stores information only about the objects it contains.
By definition, a Windows 2000 domain is an administrator-defined logical grouping of computer systems, servers and other hardware that share a common directory database. Windows 2000 domains must have a unique name within the Active Directory.
Windows 2000 domains provide access to domain user accounts, domain security group accounts and domain distribution group accounts maintained by the domain administrator, or by other system administrators appointed by the domain or enterprise administrators through delegation of authority.
A domain is also a security boundary. Objects in the Active Directory have a Security Descriptor that stores information about the object's owner and the groups to which the owner belongs. The discretionary access control list (DACL) of the object lists the security principals (users, groups, and computers) that have access to the object and their level of access. The system access control list (SACL) lists the security principals (if any) whose access to the object should trigger audit events.
The discretionary access control list for an object specifies the list of users and groups that are authorized to access the object and what levels of access they have. The kinds of access that can be assigned (or denied) to an object depend on the object type. (You cannot assign the Manage Documents access right to a file server, because that right applies to printers.)
The discretionary access control list for an object consists of a list of access control entries (ACEs), each of which can apply to a class of objects, a single object, or an attribute of an object. Each access control entry specifies the security identifier (SID) of the security principal to which the ACE applies, as well as the level of access to the object permitted for that security principal.
[NOTES FROM THE FIELD] - In plain English this means your user account (SID) can access a specific file on a file server or print to a printer (object) because the permissions that are set for the object (the access control entries, or ACEs, in the discretionary access control list for the object) give you the right to read the file or print to the printer.
In Windows 2000 domains, objects include files, folders, shares, printers, and other Active Directory objects. Security policies and settings do not cross from one domain to another, and the domain administrator has absolute rights to set permissions and policies only within that specific domain (unless they are specifically granted administrative control in other domains or are also members of the Enterprise Administrators group).
[NOTES FROM THE FIELD] - Much of this information is an Exam Requirement for both the 70-217 AND the 70-219 exams. Some would argue it is more so for the 217 and I would agree, but if you do not have the underpinnings from the Administration pieces of 70-217, you'll be hard pressed to pull off the Design requirements for 70-219.
Domains are also units of replication. Domain controllers for the domain contain a replica of Active Directory and can receive changes to information in Active Directory and replicate these changes to all of the other domain controllers in the domain.
Organizational units (OUs) are container objects that Active Directory designers and system administrators use to organize objects within a domain. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy of other domains.
You can use OUs to group objects into a logical hierarchy that best suits the needs of your organization. There are two main models to consider when designing that hierarchy.
The network administrative model is designed with network-specific administrative responsibilities in mind. For example, one administrator or group of administrators might be responsible for all of the user accounts in a domain, another might be responsible for all of the printers and print servers, another might be responsible for all of the desktop systems and the last might be responsible for all of the laptop systems in a given domain. In this case, you might want to create one OU for user accounts, one where the printers and the print servers are lumped together (or possibly two separate ones, depending on your needs), a third OU for desktop systems and another OU for the laptop computers. The administrator in charge (it may be a Domain Administrator or an Enterprise Administrator) would then delegate the responsibility for each OU to the proper person and assign them the rights they would need.
The organizational model, based on departmental or geographical boundaries, is designed with site, location and department administrative responsibilities in mind. If there are administrators at specific locations, such as field offices, who are responsible for all of the laptops, desktops and print servers that serve that field office, then the OU structure that is often used is based on the site (city, state, etc.). Likewise, if a person in Human Resources is responsible for all of the laptops, desktops and print servers that serve Human Resources and there is a counterpart in the Engineering department and the Sales department, then the OU structure that is normally deployed is based on departments within a specific location, or perhaps across all of the different locations, depending on the reach of the department-based administrator.
The OU hierarchy within a domain is independent of the OU hierarchy of other domains, and each domain can implement its own OU hierarchy.
[NOTES FROM THE FIELD] - As a domain or enterprise administrator, you can delegate administrative control over the objects within Organizational Units by assigning specific permissions for the OU and the objects that the OU contains to specific users and groups. These permissions are not all or nothing. You can assign the maximum permissions to the object (full control) or set specific limitations as you see fit based on administrative needs.
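To make the DACL rules described earlier (ordered ACEs, each naming a SID and a level of access) and the OU delegation note above concrete, here is a small Python model. It is an added example, not code from the original article or from Microsoft: it evaluates an object's effective DACL the way Windows does (explicit entries before inherited ones, deny entries before allow entries at each level, the first matching deny ends the check, allow entries accumulate rights until the request is satisfied), and it distinguishes an empty DACL from a NULL DACL. The SIDs, object names and the three-bit rights mask are constructed for illustration, and the owner's implicit rights are deliberately left out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rights mask (real AD rights are far richer). RESET_PASSWORD stands in
# for the "Reset Password" control-access right that is commonly delegated on an OU.
READ = 0x1
WRITE = 0x2
RESET_PASSWORD = 0x4
FULL_CONTROL = READ | WRITE | RESET_PASSWORD


@dataclass
class ACE:
    sid: str              # security principal (SID) the entry applies to
    rights: int           # bit mask of rights allowed or denied
    allow: bool           # True = access-allowed ACE, False = access-denied ACE
    inherit: bool = True  # container ACEs flow down to the objects it contains


@dataclass
class ADObject:
    name: str
    dacl: Optional[list]  # [] = empty DACL (nobody gets in), None = NULL DACL (everybody does)
    parent: Optional["ADObject"] = None


def _deny_first(aces):
    # Canonical ordering within one level: access-denied entries precede access-allowed ones.
    return sorted(aces, key=lambda a: a.allow)


def effective_dacl(obj):
    """Explicit ACEs first, then the inheritable ACEs of each ancestor OU, nearest first."""
    if obj.dacl is None:
        return None
    aces = _deny_first(obj.dacl)
    node = obj.parent
    while node is not None:
        if node.dacl:
            aces += _deny_first([a for a in node.dacl if a.inherit])
        node = node.parent
    return aces


def access_check(obj, token_sids, requested):
    """Return True if a token holding token_sids is granted every bit in requested."""
    aces = effective_dacl(obj)
    if aces is None:
        return True              # NULL DACL: the object is unprotected
    granted = 0
    for ace in aces:             # an empty DACL never enters the loop: access denied
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.rights & requested:
                return False     # the first matching deny ends the check
            continue
        granted |= ace.rights & requested
        if granted == requested:
            return True          # every requested bit has been accumulated
    return False                 # some requested right was never granted


# Constructed SIDs; 512 is the well-known RID of the Domain Admins group.
DOMAIN_ADMINS = "S-1-5-21-1000-2000-3000-512"
HELPDESK = "S-1-5-21-1000-2000-3000-1105"
PROVISIONING = "S-1-5-21-1000-2000-3000-1106"


def build_demo():
    """A domain with a Sales OU whose password resets are delegated to the helpdesk."""
    domain = ADObject("DC=example", [ACE(DOMAIN_ADMINS, FULL_CONTROL, True)])
    sales = ADObject("OU=Sales", [
        ACE(HELPDESK, RESET_PASSWORD, True),   # delegation set once, on the OU
        ACE(PROVISIONING, WRITE, False),       # OU-wide deny for a provisioning account
    ], parent=domain)
    return {
        "alice": ADObject("CN=alice", [], parent=sales),
        # an explicit deny on one user object overrides the OU-level delegation
        "bob": ADObject("CN=bob", [ACE(HELPDESK, RESET_PASSWORD, False)], parent=sales),
        # an explicit allow is evaluated before the inherited deny from the OU
        "svc": ADObject("CN=svc-template", [ACE(PROVISIONING, WRITE, True)], parent=sales),
        "empty": ADObject("CN=empty-dacl", []),
        "null": ADObject("CN=null-dacl", None),
    }


if __name__ == "__main__":
    objs = build_demo()
    for name, sid, right in [("alice", HELPDESK, RESET_PASSWORD), ("bob", HELPDESK, RESET_PASSWORD),
                             ("alice", HELPDESK, WRITE), ("svc", PROVISIONING, WRITE)]:
        print(f"{name:6} right={right:#x} allowed={access_check(objs[name], {sid}, right)}")
```

The two cases worth remembering from the model are the ones auditors trip over most: an explicit deny on a single object silently cancels a delegation that was granted on the containing OU, and an explicit allow on an object wins over a deny inherited from the OU above it, so reviewing only the OU's permissions never tells you what a principal can actually do to the objects inside it.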
The Global Catalog
The global catalog is the central repository of information about all objects in the domain in which it resides. It also contains a partial replica of the object attributes held in the directory of every domain in the forest. The attributes most frequently used in queries are stored in the global catalog by default. This ensures that the global catalog contains the information necessary to determine the location of any object in the directory. The first domain controller in the forest is a global catalog server and is created automatically when DCPROMO is run.
You can configure other domain controllers as global catalog servers, either instead of the default one or in addition to it. When designating additional global catalog servers, best practice dictates that you take your network structure into consideration by calculating how much replication and query traffic it can handle. Having more than one global catalog server, especially in a large enterprise or in any enterprise that has many remote sites, provides quicker responses to user queries as well as redundancy. It is recommended that every major site in your enterprise have at least one global catalog server whenever possible.
The global catalog enables network logon by providing universal group membership information to a domain controller when a logon process is initiated, and it makes it possible to find directory information anywhere in the forest.
Because global catalog servers contain information about objects in their own domain as well as a partial replica of the object attributes held in the directory of every domain in the forest, object queries can be resolved by the local global catalog server and do not produce unnecessary query traffic across the network.
The global catalog provides universal group membership information for the logon account to the domain controller processing the user logon. If for some reason no global catalog server is available when users try to log on to the network, the user will only be able to log on to the local computer, provided there is a locally cached profile or a local account to log on with.
[NOTES FROM THE FIELD] - Domain Administrators are able to log on to the network regardless of whether a global catalog server is available or not.
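The following Python model illustrates the two global catalog behaviours described above: a GC answers queries for objects in other domains only from the partial attribute set, and a domain controller without a GC cannot see universal groups defined in other domains, which is why it cannot build a complete token at logon. This is an added example, not code from the original article or from Microsoft. The two-domain forest, the object DNs and the stand-in partial attribute set (in a real forest the set is defined in the schema by the isMemberOfPartialAttributeSet flag) are all constructed for illustration.

```python
# Constructed two-domain forest: DN -> attribute dictionary, grouped by domain.
ALICE = "CN=alice,CN=Users,DC=corp,DC=example"
EMEA_REPORTS = "CN=EMEA Reports,CN=Users,DC=emea,DC=corp,DC=example"

FOREST = {
    "corp.example": {
        ALICE: {"objectClass": "user", "sAMAccountName": "alice",
                "userPrincipalName": "alice@corp.example", "department": "Sales"},
        "CN=Sales Staff,CN=Users,DC=corp,DC=example": {
            "objectClass": "group", "groupType": "global", "member": [ALICE]},
    },
    "emea.corp.example": {
        # a universal group in the child domain that contains a user from the root domain
        EMEA_REPORTS: {"objectClass": "group", "groupType": "universal", "member": [ALICE]},
        "CN=bob,CN=Users,DC=emea,DC=corp,DC=example": {
            "objectClass": "user", "sAMAccountName": "bob",
            "userPrincipalName": "bob@emea.corp.example", "department": "Finance"},
    },
}

# Constructed stand-in for the schema-defined partial attribute set; "department" is
# deliberately left out so that a query for it cannot be satisfied from the GC copy.
PARTIAL_ATTRIBUTE_SET = {"objectClass", "sAMAccountName", "userPrincipalName", "groupType", "member"}


def domain_of(dn):
    """Derive the DNS domain name from the DC= components of a distinguished name."""
    return ".".join(p[3:] for p in dn.split(",") if p.startswith("DC="))


def gc_replica(home_domain):
    """What a GC hosted in home_domain holds: its own domain in full, every other
    domain's objects restricted to the partial attribute set."""
    replica = {}
    for domain, entries in FOREST.items():
        for dn, attrs in entries.items():
            if domain == home_domain:
                replica[dn] = dict(attrs)
            else:
                replica[dn] = {k: v for k, v in attrs.items() if k in PARTIAL_ATTRIBUTE_SET}
    return replica


def gc_search(home_domain, dn, wanted):
    """Answer a query against a GC in home_domain.

    Returns (attributes found, referral domain). The referral is set when an attribute
    exists on the object but is not part of the GC's partial copy, so the owning
    domain's domain controller has to be asked instead."""
    entry = gc_replica(home_domain).get(dn)
    if entry is None:
        return {}, None
    found = {a: entry[a] for a in wanted if a in entry}
    owner = domain_of(dn)
    missing = [a for a in wanted if a not in entry and a in FOREST[owner][dn]]
    return found, (owner if missing else None)


def universal_groups(user_dn, dc_domain, use_gc):
    """Universal groups containing user_dn as seen by a DC in dc_domain.

    Without a GC the DC only knows the groups defined in its own domain, so a
    universal group from another domain is invisible to it at logon time."""
    source = gc_replica(dc_domain) if use_gc else FOREST[dc_domain]
    return sorted(dn for dn, attrs in source.items()
                  if attrs.get("groupType") == "universal" and user_dn in attrs.get("member", []))


if __name__ == "__main__":
    print(gc_search("corp.example", ALICE, ["sAMAccountName", "department"]))
    print(gc_search("emea.corp.example", ALICE, ["sAMAccountName", "department"]))
    print("no GC :", universal_groups(ALICE, "corp.example", use_gc=False))
    print("with GC:", universal_groups(ALICE, "corp.example", use_gc=True))
```

In a real forest the global catalog is queried on LDAP port 3268 (3269 over SSL) rather than the domain's port 389, and the same distinction applies: an attribute that is not in the partial attribute set comes back empty from port 3268 even though the object exists, which is a frequent source of confusion when a forest-wide search appears to return incomplete results.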
Well, that wraps up the first section of my Windows 2000 Active Directory Logical Architecture article. I hope you found it informative and will return for the next installment.
If you have any questions, comments or even constructive criticism, please feel free to drop me a note.
I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through
Next week, I plan to continue with an overview of the Lightweight Directory Access Protocol (LDAP).
Until then, best of luck in your studies.
"Absolute anonymity isn't practical, or possible, in real life or on the internet."