A Primer to Active Directory: Microsoft's System Information Repository - Page 2

 By Hallett German


An Active Directory container is a directory object that holds other objects. Once a container is defined, it can be used to define the scope of replication and access control, including access policies. Containers and the objects within them are hierarchically organized. For example:

My Directory for The Mythical Company
       People
              Garfield Lemay
       Groups
       Applications
       Other

Or in AD vernacular:

       ou=People
              cn=Garfield Lemay  (other attributes, such as uid, sn, etc., left out)
       ou=Groups
       ou=Applications
       ou=Other
The directory above has four containers: People, Groups, Applications, and Other. Every directory entry for this company must reside in one of these containers. Container names typically start with ou= (organizational unit), a concept inherited from LDAP/X.500.
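The container hierarchy and the ou=/cn= naming described above can be worked through in code. The example below is added here and is not from the article: it parses an LDAP/AD distinguished name (DN) into its components, recovers the chain of ou= containers an entry sits in, and checks that the outermost container is one of the four named above. The DNs, the dc=mythical,dc=com suffix and the function names are constructed for illustration.

```python
# Added example, not code from the article: parse LDAP/AD distinguished
# names (DNs), recover the container chain an entry lives in, and check
# that its outermost container is one of the four the article names.
# All DNs and the dc=mythical,dc=com suffix are constructed for illustration.

ALLOWED_CONTAINERS = {"People", "Groups", "Applications", "Other"}


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific first.

    A backslash escapes the next character, so 'cn=Lemay\\, Garfield'
    keeps its comma instead of starting a new component.
    """
    components, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    components.append("".join(current))

    parsed = []
    for rdn in components:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def containers_of(dn):
    """Names of the ou= containers above the entry, innermost first."""
    return [value for attr, value in split_dn(dn)[1:] if attr == "ou"]


def check_placement(dn):
    """True if the entry's outermost container is one of the allowed OUs."""
    containers = containers_of(dn)
    return bool(containers) and containers[-1] in ALLOWED_CONTAINERS


def _escape(value):
    # Re-escape commas so a rebuilt DN parses back to the same components.
    return value.replace(",", "\\,")


def ancestors(dn):
    """The chain of DNs from the directory root down to the entry itself."""
    parts = split_dn(dn)
    chain = []
    for i in range(len(parts) - 1, -1, -1):
        chain.append(",".join(f"{a}={_escape(v)}" for a, v in parts[i:]))
    return chain


if __name__ == "__main__":
    entry = "cn=Garfield Lemay,ou=People,dc=mythical,dc=com"
    for depth, node in enumerate(ancestors(entry)):
        print("  " * depth + node)
    print("placement ok:", check_placement(entry))
```

Nested OUs (for example ou=Pets inside ou=Other) still pass, because only the container closest to the root is checked against the allowed set; an entry with no ou= at all, or one under an OU outside the four, is reported as misplaced.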

Active Directory's performance is heavily dependent on network topology. A site is a logical group of network subnets with fast and dependable connectivity. The connection between two sites is called the site link. Using site links optimizes Active Directory network traffic. Traffic on site links is usually reserved for directory replication and queries.
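To make the site and site-link concepts concrete, the following added example (not code from the article) resolves a client's IP address to its site by longest-prefix match over a subnet-to-site table, and finds the chain of site links that replication traffic between two sites would have to cross. The subnets, site names and links are constructed for illustration.

```python
# Added example, not code from the article: map an IP address to its site
# by longest-prefix match over subnet-to-site entries, and find the chain of
# site links between two sites. All subnets, sites and links are constructed.
import ipaddress
from collections import deque

SUBNET_TO_SITE = {
    "10.1.0.0/16": "Headquarters",
    "10.1.50.0/24": "Headquarters-Lab",   # more specific, nested in 10.1.0.0/16
    "10.2.0.0/16": "Branch-East",
    "192.168.0.0/16": "Branch-West",
}

# Each site link joins two sites; replication traffic travels over these.
SITE_LINKS = [
    ("Headquarters", "Headquarters-Lab"),
    ("Headquarters", "Branch-East"),
    ("Branch-East", "Branch-West"),
]


def build_subnet_table(mapping):
    """Sort entries longest prefix first so the most specific subnet wins."""
    table = [(ipaddress.ip_network(net, strict=True), site) for net, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(address, table):
    """Site whose subnet covers the address, or None if no subnet matches."""
    ip = ipaddress.ip_address(address)
    for network, site in table:
        if ip in network:
            return site
    return None


def replication_path(src, dst, links):
    """Shortest chain of sites from src to dst over site links (BFS), or None."""
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, []).append(b)
        adjacency.setdefault(b, []).append(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        site = queue.popleft()
        if site == dst:
            path = []
            while site is not None:
                path.append(site)
                site = previous[site]
            return path[::-1]
        for neighbour in adjacency.get(site, []):
            if neighbour not in previous:
                previous[neighbour] = site
                queue.append(neighbour)
    return None


if __name__ == "__main__":
    table = build_subnet_table(SUBNET_TO_SITE)
    for client in ("10.1.50.7", "10.1.7.7", "172.16.0.1"):
        print(client, "->", site_for_address(client, table))
    print(replication_path("Headquarters-Lab", "Branch-West", SITE_LINKS))
```

An address that no subnet covers returns None; in practice such clients end up without a site and may be served by a distant domain controller, so an unmapped result is worth reporting rather than silently defaulting.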

Domains are logical hierarchical groupings of containers. Administration, security policies, and replication do not span domains. Where administration needs to be delegated, it must be assigned at the OU level. Site structure is not always directly related to domain structure: there may be multiple sites per domain and multiple domains per site.

Domain Controllers
The Domain Controllers (DCs) are one or more Windows 2000 servers managing the Active Directory function for a given domain. Each controller holds a complete, writable copy of the directory for one domain and only that domain, so a change can be made on any controller and replicated to the others; in this sense the domain controllers are multi-mastered. Domain Controllers manage the network logon process, directory searches, and other domain operations.

Domain Trees
Domain Trees are logical hierarchical groupings of domains that form a contiguous namespace. All domains in the tree share the same schema, domain controller, global catalog, and two-way transitive trust relationships. You can have multiple trees that form disjoint (non-sharing) namespaces and that support a centralized or decentralized set of domains. The first domain created in the domain tree is the domain root.
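The contiguous-namespace rule can be checked mechanically. This added example (not code from the article) groups a set of domain DNS names into trees: a domain joins the tree of its immediate DNS parent when that parent is also one of the domains, otherwise it is a tree root, and two domains in the same tree are the ones the article describes as sharing the tree's two-way transitive trust. The domain names are constructed for illustration.

```python
# Added example, not code from the article: group domain DNS names into
# domain trees by contiguous namespace. A domain whose immediate DNS parent
# is not one of the managed domains becomes a tree root. Names are constructed.


def parent_name(domain):
    """Immediate DNS parent of a name ('sales.mythical.com' -> 'mythical.com')."""
    labels = domain.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def build_trees(domains):
    """Map each tree root to the sorted list of domains in that tree."""
    names = {d.lower().strip(".") for d in domains}
    parent = {}
    for name in names:
        candidate = parent_name(name)
        # Only an immediate parent that is itself managed keeps the namespace contiguous.
        parent[name] = candidate if candidate in names else None
    trees = {}
    for name in names:
        root = name
        while parent[root] is not None:
            root = parent[root]
        trees.setdefault(root, []).append(name)
    return {root: sorted(members) for root, members in trees.items()}


def same_tree(a, b, trees):
    """True if both domains sit in one tree (and so share that tree's trust)."""
    a, b = a.lower().strip("."), b.lower().strip(".")
    return any(a in members and b in members for members in trees.values())


if __name__ == "__main__":
    managed = ["mythical.com", "sales.mythical.com", "eu.sales.mythical.com",
               "partner.net", "lab.partner.net"]
    for root, members in sorted(build_trees(managed).items()):
        print(root, "->", members)
```

A gap in the namespace (for example eu.sales.mythical.com managed while sales.mythical.com is not) starts a second tree rather than attaching to mythical.com, which is exactly the disjoint-namespace case the paragraph mentions.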


This article was originally published on Jun 12, 2003