Understanding Active Directory (AD)
This article gives an overview of the key concepts used in Active Directory. In simple terms, Active Directory (AD) is about managing resources.
AD can be understood as having a logical model and a physical model. The logical model is to model an organisation and its computer resources, while the physical model is used to implement an Active Directory solution that meets functional and nonfunctional requirements, such as performance. This information is stored in a hierarchical manner.
Logical model
Objects
The Active Directory logical model is based around objects, in particular users, printers, groups, and computers. These are examples of object classes. Each object carries attributes, such as a user's name.
Organisational units
Organisational units (OUs) are logical containers used to store resources (users, computers, groups, and other OUs). Administrative authority can be delegated to OUs. OUs are typically mapped against business departments, functions or geographic locations.
Domains
A domain is a logical grouping of network elements (computers, users, printers, etc.). A domain serves as an administrative or security scope, under which groups and users can be controlled.
Each domain uses its own security policy, which can be derived from other higher-level domains. Group policies can be defined at the domain level. Example group policies include password policies and access to resources.
Domains can have relationships with other domains. They are arranged in a parent-child tree structure, called a domain tree.
Trust relationships can be established so that users in a trusted domain can use resources in the trusting domain.
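The direction of a trust is the point that is most often misread: the trusting domain holds the resources, and principals from the trusted domain may be granted access to them, not the other way round. The following Python model is an added example and is not part of the article. It assumes a constructed set of trusts, each tagged with whether it is transitive, and applies one simplification of the real rules: a single direct trust of any kind grants access, but a chain of trusts counts only if every hop in it is transitive (which is the behaviour of parent-child trusts inside a forest, while an external trust does not extend beyond the two domains it joins).

```python
"""Model the direction and transitivity of Active Directory trusts.

Added example, not from the article. Each trust is written as
(trusting_domain, trusted_domain, transitive). Access flows from the
trusted domain towards the trusting domain's resources.
"""
from typing import Dict, List, Tuple

Trust = Tuple[str, str, bool]  # (trusting, trusted, transitive)

# Constructed sample forest plus one external, one-way, non-transitive trust.
SAMPLE_TRUSTS: List[Trust] = [
    ("example.com", "corp.example.com", True),   # parent trusts child
    ("corp.example.com", "example.com", True),   # child trusts parent
    ("example.com", "partner.local", False),     # external trust, one-way
]


def trust_graph(trusts: List[Trust]) -> Dict[str, List[Tuple[str, bool]]]:
    """Index trusts by trusting domain: trusting -> [(trusted, transitive)]."""
    graph: Dict[str, List[Tuple[str, bool]]] = {}
    for trusting, trusted, transitive in trusts:
        graph.setdefault(trusting, []).append((trusted, transitive))
    return graph


def can_access(user_domain: str, resource_domain: str, trusts: List[Trust]) -> bool:
    """True if a principal from user_domain can be granted access to a
    resource in resource_domain under the given trusts.

    Simplified rule used here (an assumption of this model): a direct trust
    of any kind is enough; a multi-hop chain needs every hop to be transitive.
    """
    if user_domain == resource_domain:
        return True
    graph = trust_graph(trusts)

    # A direct trust, transitive or not, covers the one-hop case.
    if any(trusted == user_domain for trusted, _ in graph.get(resource_domain, [])):
        return True

    # Walk outward from the resource domain over transitive trusts only.
    seen, stack = set(), [resource_domain]
    while stack:
        domain = stack.pop()
        if domain in seen:
            continue
        seen.add(domain)
        for trusted, transitive in graph.get(domain, []):
            if not transitive:
                continue
            if trusted == user_domain:
                return True
            stack.append(trusted)
    return False


def access_matrix(domains: List[str], trusts: List[Trust]) -> Dict[Tuple[str, str], bool]:
    """Evaluate every (user_domain, resource_domain) pair; handy for review."""
    return {(u, r): can_access(u, r, trusts) for u in domains for r in domains}


if __name__ == "__main__":
    names = ["example.com", "corp.example.com", "partner.local"]
    for (user, resource), allowed in sorted(access_matrix(names, SAMPLE_TRUSTS).items()):
        print(f"user from {user:18} -> resource in {resource:18}: {'allowed' if allowed else 'denied'}")
```

Reading the matrix shows the asymmetry: partner.local users reach example.com through the external trust but not corp.example.com, because that would require the non-transitive trust to be chained, and example.com users cannot reach partner.local at all since the trust is one-way.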
Domains also form a scope for replication, allowing for decentralisation of administration and management of network traffic.
Forests
A forest is used to group domain trees. In a forest, each tree uses the same schema, global catalog, and configuration information. Trusts are established between the top-level domains of the trees in the forest.
So the Active Directory logical model nests like this: objects into OUs, OUs into domains, domains into trees, and trees into forests.
Schemas
Active Directory provides a schema for its objects, which can be extended to meet business needs. The schema defines the object classes (such as User), and attributes that can be used.
It also provides an access control list (ACL)-based security mechanism for controlling access to and usage of resources.
Physical model
Active Directory topology design is based around organisational needs and technical constraints, especially those around network capacity.
Sites
Sites are used as groupings of IP subnets. Typically site topology is designed around the geographic location of the subnets in a domain, with the type of network link between them being a configuration element.
Sites are used to store topology information, expressed as computer and connection objects.
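Because a site is a grouping of IP subnets, the practical operation behind it is "which site does this client address belong to?", answered by the most specific subnet that contains the address. The Python below is an added example, not the article's or Microsoft's code; it assumes a constructed site-to-subnet table and uses the standard library ipaddress module. It also reports addresses that match no subnet, since a client outside every defined subnet belongs to no site and that gap is worth surfacing to whoever maintains the topology.

```python
"""Map client IP addresses to Active Directory sites by subnet.

Added example, not from the article. Subnet-to-site data is constructed
for the demonstration; the matching rule is longest prefix wins.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress._BaseNetwork  # IPv4Network or IPv6Network

# Constructed sample configuration: site name -> list of subnets.
# The /24 inside the London /16 shows why the most specific match must win.
SITE_SUBNETS: Dict[str, List[str]] = {
    "London": ["10.1.0.0/16"],
    "London-DC-Room": ["10.1.50.0/24"],
    "Paris": ["10.2.0.0/16", "2001:db8:2::/48"],
}


def build_subnet_table(site_subnets: Dict[str, List[str]]) -> List[Tuple[Network, str]]:
    """Flatten the configuration into (network, site) pairs, most specific first."""
    table: List[Tuple[Network, str]] = []
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            table.append((ipaddress.ip_network(cidr), site))
    # Sorting by prefix length descending makes the first hit the longest match.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip: str, table: List[Tuple[Network, str]]) -> Optional[str]:
    """Return the site whose most specific subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr.version == network.version and addr in network:
            return site
    return None


def unmapped_clients(ips: List[str], table: List[Tuple[Network, str]]) -> List[str]:
    """List client addresses that fall outside every configured subnet."""
    return [ip for ip in ips if site_for_ip(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    # Constructed sample client addresses.
    clients = ["10.1.3.4", "10.1.50.7", "10.2.9.9", "2001:db8:2::10", "192.168.1.1"]
    for ip in clients:
        print(f"{ip:16} -> {site_for_ip(ip, table)}")
    print("no site:", unmapped_clients(clients, table))
```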
Domain controllers
Domain controllers send and receive replication traffic.
LDAP defines the naming standard used to identify objects in the directory.
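The LDAP naming standard ties the physical and logical models together: a distinguished name (DN) spells out the object, the chain of OUs that contain it, and the domain, which is exactly the nesting described under the logical model (objects into OUs into domains). The parser below is an added example and not code from the article. It assumes the RFC 4514 string form of a DN (comma-separated RDNs listed leaf-first, with backslash escaping of special characters; the two-hex-digit escape form is not handled) and the Active Directory convention that the DC= components spell the domain's DNS name. Sample DNs are constructed.

```python
"""Parse LDAP distinguished names into the AD object/OU/domain hierarchy.

Added example, not from the article. Handles RFC 4514 backslash escaping of
single characters (e.g. "\\," inside a CN); hex-pair escapes are not handled.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample DNs for the demonstration.
SAMPLE_DNS = [
    "CN=Alice Example,OU=Sales,OU=EMEA,DC=corp,DC=example,DC=com",
    "CN=Smith\\, Bob,OU=IT,DC=example,DC=com",
]


@dataclass
class ADPath:
    leaf: str                                      # the object's own RDN value
    ous: List[str] = field(default_factory=list)   # containing OUs, top-level first
    domain: str = ""                               # DNS name built from DC= parts


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, keeping each RDN in its escaped form."""
    rdns, start, i = [], 0, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if dn[i] == ",":
            rdns.append(dn[start:i].strip())
            start = i + 1
        i += 1
    rdns.append(dn[start:].strip())
    return rdns


def unescape(value: str) -> str:
    """Remove single-character backslash escapes from an RDN value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_parts(dn: str) -> List[Tuple[str, str]]:
    """Return (ATTRIBUTE, unescaped value) pairs, leaf first."""
    parts = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.strip().upper(), unescape(value)))
    return parts


def parse_dn(dn: str) -> ADPath:
    """Map a DN onto the object -> OUs -> domain hierarchy."""
    parts = rdn_parts(dn)
    if not parts:
        raise ValueError("empty DN")
    leaf = parts[0][1]
    ous = [v for a, v in parts[1:] if a == "OU"]
    domain = ".".join(v for a, v in parts if a == "DC")
    # The DN lists the leaf first, so reverse the OUs to read from the top down.
    return ADPath(leaf=leaf, ous=list(reversed(ous)), domain=domain)


def parent_dn(dn: str) -> str:
    """DN of the container holding the object: the level at which OU-based
    delegation of administrative authority would apply."""
    return ",".join(split_rdns(dn)[1:])


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        path = parse_dn(dn)
        print(f"{path.domain} / {' / '.join(path.ous)} / {path.leaf}   (parent: {parent_dn(dn)})")
```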
Replication
Domain controller replication
Active Directory copies updates between Domain Controllers in a forest through a replication service.
File Replication
Active Directory provides a file replication service (FRS), used to replicate files between domain controllers. The files it replicates are those in the SYSVOL folder, and also Distributed File System (DFS) shared folders. FRS replicates files using the same replication topology as standard AD replication.