A Primer to Active Directory: Microsoft's System Information Repository - Page 3

 By Hallett German

Forests are logical hierarchical groupings of domain trees and are the highest level of directory structure. Forests have a common schema, a global catalog, Kerberos trusts to provide an area of absolute trust, and ideally their own corresponding site configuration.

The first domain created in the forest is called the forest root and is also where the forest name is specified. All domain trees in a forest share the same forest root. Two-way transitive trusts are established at the domain root level across domain trees. Each forest is its own disjoint namespace. Typically only one exists in a company directory unless the company is very large or complex.

One way to ensure that forests can be part of a larger global directory is to couple Active Directory domains tightly to DNS domains: an Active Directory domain and its DNS domain must carry the same name. The example below shows a possible domain tree namespace:

      OU=product lines
      DC=tonight
      DC=com
Here we can see how the DNS domain tonight.com would be stored by Active Directory, with each DNS label becoming one DC component. Note that DC stands for Domain Component, not Domain Controller.
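The following is an added example, not code from the original article: it shows the DNS-to-distinguished-name mapping the text describes, in both directions, together with a small DN parser that honours backslash escapes so that an escaped comma inside a value (as in a CN such as "German\, Hallett") does not start a new DC component. The domain tonight.com and the "OU=product lines" container are taken from the article; the user names and helper function names are constructed for illustration.

```python
"""Added example (not from the article): DNS domain <-> Active Directory DN.

tonight.com and OU=product lines come from the article; the CN values and all
function names below are constructed for this example.
"""
from typing import List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIALS = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape a single attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = (
            ch in _SPECIALS
            or (ch == "#" and i == 0)
            or (ch == " " and i in (0, last))
        )
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to the DC=... path AD uses for it.

    tonight.com -> DC=tonight,DC=com
    """
    labels = [lbl for lbl in dns_name.strip().rstrip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("DC=" + escape_rdn_value(lbl) for lbl in labels)


def _unescape(chars: List[Tuple[str, bool]]) -> str:
    """Join (char, was_escaped) pairs, dropping unescaped edge whitespace."""
    start, end = 0, len(chars)
    while start < end and chars[start] == (" ", False):
        start += 1
    while end > start and chars[end - 1] == (" ", False):
        end -= 1
    return "".join(ch for ch, _ in chars[start:end])


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (ATTRIBUTE, value) pairs, left-to-right.

    Backslash escapes are honoured, so "CN=German\\, Hallett,DC=tonight,DC=com"
    yields three RDNs, not four. Multi-valued RDNs joined with '+' are not
    split; they are rare in AD naming and out of scope for this example.
    """
    rdns: List[Tuple[str, str]] = []
    attr = None                      # attribute type of the RDN being read
    chars: List[Tuple[str, bool]] = []  # (character, was_escaped)
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            chars.append((dn[i + 1], True))
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = _unescape(chars).upper()
            chars = []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' before position {i}")
            rdns.append((attr, _unescape(chars)))
            attr, chars = None, []
        else:
            chars.append((ch, False))
        i += 1
    if attr is None or not chars:
        raise ValueError("DN ends with an incomplete RDN")
    rdns.append((attr, _unescape(chars)))
    return rdns


def dn_to_dns(dn: str) -> str:
    """Recover the DNS domain an object lives in from its DC components."""
    labels = [value for attr, value in parse_dn(dn) if attr == "DC"]
    if not labels:
        raise ValueError("DN has no DC components")
    return ".".join(labels)


def dn_matches_domain(dn: str, dns_name: str) -> bool:
    """Check the article's rule that the AD domain and DNS domain share a name."""
    return dn_to_dns(dn).lower() == dns_name.strip().rstrip(".").lower()


if __name__ == "__main__":
    print(dns_to_dn("tonight.com"))
    print(parse_dn("CN=German\\, Hallett,OU=product lines,DC=tonight,DC=com"))
    print(dn_to_dns("OU=product lines,DC=tonight,DC=com"))
```

The parser is the part worth keeping: naive `split(",")` on a DN silently corrupts any entry whose CN contains a comma, which is common for "Surname, Forename" display names, and the domain derived from such a mangled DN no longer matches the DNS name the article says it must equal.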

Multiple Forests
There may be times when you want to create multiple forests for some special situations -- for example, when multiple groups want to control their own schema; when multiple groups want to limit who they can trust; or when multiple organizations are responsible for user, network, or peripheral management. Be careful, as introducing multiple forests can increase the level of complexity and administrative overhead.

Global Catalogs
Domain Controllers often host global catalogs (GCs) for desktop administration. GCs may be found at the site, domain, and organizational unit levels and are always created for the first domain in a forest (the forest root). A GC holds the entire directory for its own domain and a partial copy of every other domain in the forest. Because of this cross-domain view, a GC can quickly locate any object in the forest and can also supply account information when a user logs on to the network through the domain controller.

This tutorial has offered only a small taste of the powerful concepts and utilities built into Active Directory. It is a potent tool for managing large networks of systems across WANs and LANs, but it can be complex to understand and administer. Once you have a good understanding of the inner workings, you will be able to create a robust and flexible architecture that will address your company's needs now and in the future.

With the basics for AD down, the next step is to gain more in-depth knowledge. The resources listed below provide a wealth of information on intermediate and advanced Active Directory topics.

Additional Resources
Official Microsoft Active Directory homepage. Lots of great information and software utilities.

Active Directory Operations Guide. "In the trenches" advice to get you started administering Active Directory. There are many other planning and deploying guides on the Microsoft AD web site as well.

Provides Microsoft and non-Microsoft ADSI links.

Step-by-step guides for performing many Active Directory operations.

Windows Server 2003 resources including Active Directory.

news://microsoft.public.security -- Security issues across Microsoft products.
news://microsoft.public.win2000.active_directory -- General and technical Active Directory questions.

Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently writing a book about IT for the small enterprise and pursuing an Information Age MBA from Bentley College.

Hallett German is an IT consultant who is experienced in implementing stable IT infrastructures with an emphasis on electronic messaging and directories. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. He is the author of three books on scripting languages. He is currently seeking challenging opportunities that will expand his directory, networking, and security skills.


This article was originally published on Jun 12, 2003