A directory service should be thought of as a tool to help administrators manage network resources. Like any tool, the better designed it is, the more useful it will be. In its default configuration, Active Directory is a useful directory service, but its real power is apparent when thought has been put into its design and configuration. In this chapter, you learn that Active Directory is based on a standard for storing and accessing directory service information, which makes integrating it with other vendors' systems possible. Knowing that non-Windows systems might need to access Active Directory information can influence your design decisions.

An efficient Active Directory design that reflects how a business is organized improves the ease and efficiency of managing a Windows network. Likewise, proper configuration of Active Directory is paramount to a smoothly running and secure network. This chapter delves into the architecture of Active Directory with discussion that goes beyond a simple one-domain environment. You learn more about organizational units (OUs) and domains along with Active Directory trees and forests. You also learn about Active Directory sites and their importance in efficient Active Directory design. Your understanding of these concepts will guide you in making wise decisions as you design and implement an Active Directory infrastructure.
Working with Organizational Units
Before delving into working with OUs, you need to know that Active Directory is based on standards for defining, storing, and accessing directory service objects. X.500, a suite of protocols the International Telecommunication Union (ITU) developed, is the basis for the hierarchical structure of Active Directory information and for how Active Directory objects are named and stored. Lightweight Directory Access Protocol (LDAP), created by the Internet Engineering Task Force (IETF), is based on the X.500 Directory Access Protocol (DAP). DAP required the seldom-used, high-overhead Open Systems Interconnection (OSI) protocol stack for accessing directory objects. LDAP became a streamlined version of DAP, using the more efficient and widely used TCP/IP—hence the term lightweight in the protocol's name.
So why is knowledge of LDAP important? You run across references to LDAP periodically when reading material about Active Directory, and as an administrator, you'll be using tools that incorporate LDAP definitions and objects, such as ADSI Edit, or running programs that use LDAP to integrate with Active Directory. In addition, integrating other OSs, such as Linux, into an Active Directory network requires using LDAP. In fact, you already used a tool that incorporates LDAP terminology when you ran the DSADD command in Chapter 3. LDAP and its syntax are covered in more detail when you work with command-line tools in Chapters 5 and 13 and explore roles such as Active Directory Lightweight Directory Services in Chapter 12. For now, turn your attention to Active Directory design concepts, starting with OUs.
As you learned in Chapter 3, OUs are the building blocks of the Active Directory structure in a domain. Thoughtful planning of the OU structure eases managing users and computers and applying group policies and makes Active Directory a friendlier place for users and technical staff alike. Here are some benefits of using OUs:
• You can create a familiar hierarchical structure based on the organizational chart that enables users and administrators to locate network users and resources quickly.
• You can delegate administration of network resources to other IT staff without assigning more comprehensive administrative permissions.
• You can change the OU structure easily to accommodate corporate reorganizations.
• You can group users and computers for the purposes of assigning administrative and security policies with the Group Policy tool.
• You can hide Active Directory objects for confidentiality or security reasons by configuring access permissions on OUs.
An OU can't be used to assign permissions to objects it contains. Groups, not OUs, are used for permission assignments and are discussed in more detail in Chapter 5.
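As an added example (Python written for this page, not from the textbook or any Microsoft tool), the code below parses distinguished names in the LDAP syntax described above and walks the OU hierarchy above an object, the chain that decides which OU-linked Group Policy Objects and delegated permissions reach it. All DNs and GPO names are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific RDN first.
    A backslash escapes the next character (RFC 4514), so the comma in
    'Smith\\, John' is part of the value, not an RDN separator."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        # boundaries are known, so drop the escape backslashes from the value
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

def join_dn(parts: List[Tuple[str, str]]) -> str:
    """Rebuild a DN string, re-escaping commas inside values."""
    return ",".join(a + "=" + v.replace(",", "\\,") for a, v in parts)

def container_chain(dn: str) -> List[str]:
    """Domain DN followed by each OU above the object, outermost first.
    Non-OU containers (e.g. CN=Users) are skipped: GPOs link only to
    sites, domains and OUs."""
    parts = split_dn(dn)
    first_dc = next(i for i, (a, _) in enumerate(parts) if a == "DC")
    chain = [join_dn(parts[first_dc:])]          # the domain itself
    for i in range(first_dc - 1, 0, -1):         # index 0 is the object's own RDN
        if parts[i][0] == "OU":
            chain.append(join_dn(parts[i:]))
    return chain

def effective_gpos(dn: str, links: Dict[str, List[str]]) -> List[str]:
    """GPOs linked along the chain in processing order (domain, then OUs
    outermost to innermost); a later GPO overrides conflicting settings."""
    by_dn = {k.upper(): v for k, v in links.items()}   # DN matching is case-insensitive
    return [g for c in container_chain(dn) for g in by_dn.get(c.upper(), [])]

# constructed sample data: one user object and GPO links at three scopes
SAMPLE_DN = r"CN=Smith\, John,OU=Sales,OU=Corp,DC=example,DC=com"
SAMPLE_LINKS = {"DC=example,DC=com": ["Default Domain Policy"],
                "OU=Corp,DC=example,DC=com": ["Corp Baseline"],
                "OU=Sales,OU=Corp,DC=example,DC=com": ["Sales Apps"]}
```

Moving the user between OUs changes only the container chain, which is why a reorganization (the third benefit above) does not require touching individual objects' policies.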