Learn AD in 15 Minutes a Week: Domains, Organizational Units and the Global Catalog

Tuesday May 14th 2002 by ServerWatch Staff

Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week continues the topic of Active Directory Logical Architecture and specifically covers Domains, Organizational Units, and the Global Catalog.

by Jason Zandri

Welcome to the fourth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This week the topic is Active Directory Domains, Organizational Units and the Global Catalog.

Active Directory Logical Architecture

As you make preparations for the installation of your first Windows 2000 Domain Controller into your environment, whether that be a pristine forest or into an existing domain, you need to have a solid understanding of all of the different parts that make up the Windows 2000 Active Directory.


Windows 2000 Domains are the core unit of the logical structure in Active Directory, and the structure of the domain can be such that it is made up of one or more domains. Windows 2000 domains can span more than one physical location as well.

All network objects exist within a domain, and each domain stores information only about the objects it contains.

By definition, a Windows 2000 domain is an administrator-defined logical grouping of computer systems, servers and other hardware which share a common directory database.

Windows 2000 domains must have a unique name within the Active Directory forest.

Windows 2000 domains provide access to domain user accounts, domain security group accounts and domain distribution group accounts maintained by the domain administrator, or other system administrators, as appointed by the domain or enterprise administrators through delegation of authority.

A domain is also a security boundary.

Objects in the Active Directory have a Security Descriptor that stores information about the objects owner and the groups to which the owner belongs.

The discretionary access control list (DACL) of the object lists the security principals (users, groups, and computers) that have access to the object and their level of access.

The system access control list (SACL) lists the security principals that should trigger (if any) audit events when accessing the list.

The discretionary access control list for an object specifies the list of users and groups that are authorized to access the object and also what levels of access they have. The kinds of access that can be assigned to an object (or denied) depend on the object type. (You cannot assign the manage documents access right to a file server as this right is assigned to printers only.)

The discretionary access control list for an object consists of a list of access control entries (ACEs) which can apply to a class of objects, an object, or an attribute of an object. Each access control entry specifies the security identifier (SID) of the security principal to which the ACE applies, as well as the level of access to the object permitted for the security principal.

[NOTES FROM THE FIELD] - In plain English this means your user account (SID) can access a specific file on a file server or print to a printer (object), because the permissions that are set for the object (the access control entries - ACEs - in the discretionary access control list for the object) allow you the right to read the file or print to the printer.

In Windows 2000 domains, objects include files, folders, shares, printers, and other Active Directory objects. All security policies and settings do not cross from one domain to another, and the domain administrator has absolute rights to set permissions and policies only within that specific domain (unless they are specifically granted administrative control in other domains or are also members of the Enterprise Administrators group).

[NOTES FROM THE FIELD] - Much of this information is an Exam Requirement for both the 70-217 AND the 70-219 exams. Some would argue it is more so for the 217 and I would agree, but if you do not have the underpinnings from the Administration pieces of 70-217, you'll be hard pressed to pull off the Design requirements for 70-219

Domains are also units of replication. Domain controllers for the domain contain a replica of Active Directory and can receive changes to information in Active Directory and replicate these changes to all of the other domain controllers in the domain.

Organizational Units

Organizational units (OU) are container objects that Active Directory designers and system administrators will use to organize objects within a domain. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains.

You can use OUs to group objects into a logical hierarchy that best suits the needs of your organization. There are two main design considerations of this.

The Network administrative model is based with network-specific administrative responsibilities in mind. For example, one administrator or group of administrators might be responsible for all of the user accounts in a domain, another might be responsible for all of the printers and print servers, another might be responsible for all of the desktop systems and the last might be responsible for all of the laptop systems in a given domain. In this case, you might want to create one OU for user accounts, one where the printers and the print servers are lumped together (or possibly in two separate ones, depending on your needs), a third OU for desktop systems and another OU for the laptop computers. The administrator in charge (it may be a Domain Administrator or an Enterprise Administrator) would then delegate the responsibility of the OU to the proper person and assign them the rights they would need.

The Organizational structure based on departmental or geographical boundaries is based with site, location and department administrative responsibilities in mind. If there are administrators at specific locations, such as field offices where they are responsible for all of the laptops, desktops and print servers that serve that field office, then the OU structure that is often used is based on a City, State Site, etc.

Likewise, if a person in Human Resources is responsible for all of the laptops, desktops and print servers that serve Human Resources and there is a counterpart in the Engineering department and the Sales department, then the OU structure that is normally deployed is based on departments within a specific location or perhaps all the different locations, depending on the reach of the department based administrator.

The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains and each domain can implement its own OU hierarchy.

[NOTES FROM THE FIELD] - As a domain or enterprise administrator, you can delegate administrative control over the objects within Organizational Units by assigning specific permissions for the OU and the objects that the OU contains to specific users and groups. These permissions are not all or nothing. You can assign the maximum permissions to the object (full control) or set specific limitations as you see fit based on administrative needs.

The Global Catalog

The global catalog is the central repository of information about all objects in the residing domain. It also contains a partial replica for all object attributes contained in the directory of every domain in the forest. The attributes most frequently used in queries are stored in the global catalog by default. This is to insure that the global catalog contains the information necessary to determine the location of any object in the directory.

The first domain controller in the forest is a global catalog server and is created automatically when DCPROMO is run.

You can configure other domain controllers to be global catalog servers other than the default one installed or in addition to it.

When designating additional global catalog servers, best practices dictate that you should take your network structure into consideration by calculating how much replication and query traffic it can handle.

More than one global catalog server, especially in a large enterprise or in any enterprise that has many remote sites, will provide for quicker responses to user inquiries, as well as redundancy. It is recommended that every major site in your enterprise have at least one global catalog server whenever possible.

The global catalog enables network logon by providing universal group membership information to a domain controller when a logon process is initiated as well as finding directory information anywhere in the forest.

Because global catalog servers contain information about objects in the residing domain as well as a partial replica for all object attributes contained in the directory of every domain in the forest, object queries do not produce unnecessary query traffic across the network because they can be resolved by the local global catalog server.

The global catalog provides universal group membership information for the logon accounts to the domain controller processing the user logon information. If for some reason there are no global catalog servers available when users try to log on to the network, the user will only able to log on to the local computer, provided there is a locally cached profile or a local account to log on with.

[NOTES FROM THE FIELD] - Domain Administrators are able to log on to the network regardless of whether a global catalog server is available or not.

Well, that wraps up the first section of my Windows 2000 Active Directory Logical Architecture article. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Next week, I plan to continue with an overview of the Lightweight Directory Access Protocol (LDAP)

Until then, best of luck in your studies.

"Absolute anonymity isn't practical, or possible, in real life or on the internet."

Jason Zandri


Mobile Site | Full Site