Section 4.1: Directory Service Functionality
4.1.1: Simplified Administration
In Active Directory, resources are organized hierarchically in a logical grouping of servers and other network resources under a single, unique domain name. This domain is the basic unit of replication and security in a Windows Server 2003 network. Each domain includes at least one domain controller, which is a Windows Server 2003 computer that manages user access to a network. This includes log on, authentication, and access to the directory and shared network resources. To simplify administration, any changes you make to any domain controller are replicated to all other domain controllers in the domain. Furthermore, because Active Directory provides a single logon point for access to all network resources, an administrator can log on any computer and administer objects on other computers in the network.
Note: The domain also serves as a security boundary, which ensures that an administrator of a domain has the necessary permissions and rights to perform administration only in that domain. The administrator must be explicitly granted permissions and rights in an additional domain.
The first domain that is created in Windows Server 2003-based network is called the forest root domain. When other domains are created on the network, they added to the root domain to form the tree structure or the forest structure, depending on the domain name requirements. A Two-Way, Transitive Trust relationship
between two domains is extended to all other domains that trust those domains in both directions. This creates complete trust between all domains in an Active Directory domain hierarchy and does not require authentication for user from other domains. This is the default trust relationship in Windows Server 2003
Two-Way, Transitive Trust
Organizational Units
An organizational unit is a container object that you use to group objects together. This allows you to simplify administrative and management tasks. You can also delegate
Active Directory also allows administrators to group objects with similar administrative and security characteristics into
administrative control over objects in an organizational unit by assigning permissions for the organizational unit to one or more users or groups.
Containers and Container Objects
A container, also referred to as a container object, has attributes and is part of the Active Directory name space but does not represent a concrete object. It is a holder of objects and of other containers.
organizational units (OUs). These provide levels of
administrative authority for applying Group Policy settings and delegating administrative control. The latter allows an administrator to delegate administrative duties for certain Active Directory objects to non-administrative users while Group Policy is used to allow administrators to specify Group Policy settings for a site, domain, or organizational unit. Active Directory then enforces these Group Policy settings for all users and computers in the container.
4.1.2: Scalability and Extensibility
Active Directory scales across environments ranging from a single server to a domain of more than one million users. This scaling is made possible through the peer-to-peer directory service relationship that is established between domains. Every domain controller in the tree or forest is provided updated information on Active Directory objects. Consistency across domains is ensured through the automatic replication services. In addition, Active Directory creates tree partitions that comprise small portions of the entire enterprise directory, with every directory tree having sufficient information to locate other objects in the enterprise. This permits the storage for a very large number of objects. As a result, the directory can expand as an organization grows