• Security—Fine-grained access controls enable administrators to control access to each directory object and its properties. Active Directory also supports secure authentication protocols to maximize compatibility with Internet applications and other systems.
• Flexibility—Active Directory is installed with some predefined objects, such as user accounts and groups, but their properties can be modified, and new objects can be added for a customized solution.
• Policy-based administration—Administrators can define policies to ensure a secure and consistent environment for users yet maintain the flexibility to apply different sets of rules for departments, locations, or user classes as needed.
Overview of the Active Directory Structure
As with most things, the best way to understand how Active Directory works is to install it and
start using it, but first, knowing the terms used to describe its structure is helpful. There are two
aspects of Active Directory's structure:
• Physical structure
• Logical structure
Active Directory's Physical Structure
The physical structure consists of sites and servers configured as domain controllers. An Active Directory site is nothing more than a physical location in which domain controllers communicate and replicate information regularly. Specifically, Microsoft defines a site as one or more IP subnets connected by high-speed LAN technology. A small business with no branch offices or other locations, for example, consists of a single site. However, a business with a branch office in another part of the city connected to the main office through a slow WAN link usually has two sites. Typically, each physical location with a domain controller operating in a common domain connected by a WAN constitutes a site. The main reasons for defining multiple sites are to control the frequency of Active Directory replication and to assign policies based on physical location. Chapters 4 and 10 discuss sites in more detail.
Another component of the physical structure is a server configured as a domain controller,
which is a computer running Windows Server 2008 with the Active Directory Domain Services
role installed. Although an Active Directory domain can consist of many domain controllers,
each domain controller can service only one domain. Each domain controller contains a full
replica of the objects that make up the domain and is responsible for the following functions:
• Storing a copy of the domain data and replicating changes to that data to all other domain
controllers throughout the domain
• Providing data search and retrieval functions for users attempting to locate objects in the
directory
• Providing authentication and authorization services for users who log on to the domain
and attempt to access network resources
Active Directory's Logical Structure
The logical structure of Active Directory makes it possible to pattern the directory service's look and feel after the organization in which it runs. There are four organizing components of Active Directory:
• Organizational units (OUs)
• Domains
• Trees
• Forests
These four components can be thought of as containers and are listed from most specific to
broadest in terms of what they contain. To use a geographical analogy, an OU represents a city,
a domain is the state, a tree is the country, and a forest is the continent.
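To see both structures on a live forest, the following added PowerShell inventory script (not from this book) walks the logical side (forest, domains, OUs) and the physical side (sites, subnets, domain controllers); it assumes the ActiveDirectory RSAT module from Windows Server 2012 or later, since the replication-site cmdlets are not in the original 2008 R2 module, and read access to the directory.

```powershell
# Added example: inventory the logical and physical structure of the forest
# the current machine is joined to. Assumes the ActiveDirectory module (RSAT,
# Windows Server 2012+ for Get-ADReplicationSite/Subnet) and PowerShell 3+.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)  (root domain: $($forest.RootDomain))"

# --- Logical structure: forest -> domains (trees) -> OUs ---------------------
$allDcs = @()
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # A domain with a ParentDomain hangs off an existing tree; one without
    # a parent is the root of its own tree in the forest.
    $tree = if ($domain.ParentDomain) { "child of $($domain.ParentDomain)" } else { "tree root" }
    $ouCount = (Get-ADOrganizationalUnit -Filter * -Server $domainName | Measure-Object).Count
    Write-Host "  Domain: $($domain.DNSRoot)  [$tree]  OUs: $ouCount"

    # Each domain controller serves exactly one domain, so query per domain;
    # the Site property ties the logical domain to the physical structure.
    $dcs = Get-ADDomainController -Filter * -Server $domainName
    foreach ($dc in $dcs) {
        Write-Host "    DC: $($dc.HostName)  site=$($dc.Site)  GC=$($dc.IsGlobalCatalog)"
    }
    $allDcs += $dcs
}

# --- Physical structure: sites -> IP subnets, and which DCs live in each ----
$allSubnets = Get-ADReplicationSubnet -Filter *
foreach ($site in Get-ADReplicationSite -Filter *) {
    # A subnet's Site property holds the distinguished name of its site.
    $subnets = $allSubnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
               Select-Object -ExpandProperty Name
    $dcsHere = $allDcs | Where-Object { $_.Site -eq $site.Name }
    Write-Host "Site: $($site.Name)"
    Write-Host "  Subnets: $(if ($subnets) { $subnets -join ', ' } else { '(none)' })"
    Write-Host "  DCs:     $(if ($dcsHere) { ($dcsHere.HostName) -join ', ' } else { '(none)' })"

    # A site with no subnets cannot be matched to client IP addresses, so
    # clients in that location may authenticate across the slow WAN link
    # instead of using the local DC; flag it for review.
    if (-not $subnets) { Write-Warning "Site '$($site.Name)' has no subnets defined" }
    # A site with subnets but no DC means all logons for that location
    # traverse the WAN; that is sometimes intentional, so report it only.
    if ($subnets -and -not $dcsHere) { Write-Host "  (no domain controller in this site)" }
}
```

Run it from a domain-joined machine as a user with ordinary read rights; a site listed with subnets but no DCs, or DCs but no subnets, is the first thing to check when clients complain of slow logons over the WAN.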