AD Components Overview
In this post, we examine the key concepts that make up Windows Server Active Directory (AD). This is a continuing series here at the blog as we gear up for my 70-742 Identity in Windows Server 2016 course to launch at CBT Nuggets.
The key element of AD is the domain. This is how we organize the structure in an enterprise. A domain consists of:
- An X.500-style hierarchical structure of containers and objects, accessed over LDAP
- A DNS domain name
- A security service
- A Domain Controller (DC) that is authoritative for the domain (you should have more than one DC!)
Note that you can string domains together in your enterprise to create a domain tree. Perhaps we have cbtnuggetlabs.com as our first domain, then we create eugene.cbtnuggetlabs.com as our next domain. Note that the domains in a tree trust each other, and those trusts are transitive.
What a perfect name for our next component. A forest is a collection of domain trees! The first domain you create is called the forest root domain. This forest root domain could be renamed later on, but it cannot be removed. Once you have multiple domain trees in a forest, the trust relationships between them permit resource sharing.
You can even create forest trust relationships if your forest must access resources in another separate forest.
While it is cool that we can create a forest of multiple domain trees, it is almost always correct to keep things as simple as possible and create a single domain forest.
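The tree and trust structure described above can be mapped from the inside with the ActiveDirectory PowerShell module (RSAT). This is an added example, not code from the original post; it assumes a domain-joined session with rights to read domain and trust objects, and reads the current forest rather than a named one. Domains whose ParentDomain is empty are tree roots, and every other domain hangs off its parent by DNS name, which is enough to redraw the trees; the trust listing then shows which trusts the forest created for you (IntraForest) and which ones you created by hand, together with the settings a defender checks on each one.

```powershell
# Added example (not from the original post): redraw the forest's domain trees and
# list every trust with its security-relevant settings. Requires the ActiveDirectory
# RSAT module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

$forest = Get-ADForest            # current forest; use -Identity to target another
Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Global catalogs    : $($forest.GlobalCatalogs -join ', ')"

# One ADDomain object per domain in the forest
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }

# A tree is a chain of parent/child domains sharing a contiguous DNS namespace.
# ParentDomain holds the parent's DNS name, so we can walk each tree recursively.
function Show-DomainTree {
    param([object[]]$All, [string]$Dns, [int]$Depth = 0)
    Write-Host (('  ' * $Depth) + $Dns)
    $All | Where-Object { $_.ParentDomain -eq $Dns } |
        ForEach-Object { Show-DomainTree -All $All -Dns $_.DNSRoot -Depth ($Depth + 1) }
}
Write-Host "Domain trees:"
$domains | Where-Object { -not $_.ParentDomain } |
    ForEach-Object { Show-DomainTree -All $domains -Dns $_.DNSRoot }

# Trusts: intra-forest (parent/child, tree-root) trusts are automatic and transitive;
# forest and external trusts are the ones an admin created. SID filtering and
# selective authentication are the settings worth reviewing on the latter.
Write-Host "Trusts per domain:"
foreach ($d in $domains) {
    Get-ADTrust -Filter * -Server $d.DNSRoot |
        Select-Object Source, Target, Direction, IntraForest, ForestTransitive,
                      SIDFilteringQuarantined, SelectiveAuthentication |
        Format-Table -AutoSize
}
```

Run it from any domain member as a user who can read the directory; the tree printout should show one root per tree (cbtnuggetlabs.com with eugene.cbtnuggetlabs.com indented under it, in the post's lab), and the trust table shows any forest trust you added to reach another forest.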
What most of us think of when we envision AD is Organizational Units (OUs). These are containers we create and fill with objects like users, groups, and printers, and then we assign policy to these units using Group Policy. Do not confuse OUs with another type of container object in AD that is simply called a container. While there are some default containers in Windows Server, we tend to use OUs all the time as we are building our hierarchy.
When you install AD, some default containers and OUs get created for you. For example, there is a Domain Controllers OU.
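To make the OU-versus-container distinction concrete, here is an added example (not from the original post) that separates the two by object class and shows the default locations just mentioned. It assumes the ActiveDirectory module and a domain-joined session, and runs against the domain you are joined to. The practical difference is that a GPO can be linked to an OU (the gPLink attribute), but not to a plain container, so objects left in the default Users or Computers containers only receive policy linked at the domain or site level.

```powershell
# Added example (not from the original post): distinguish OUs from plain containers
# and show which default locations are which. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$base   = $domain.DistinguishedName

# OUs carry objectClass organizationalUnit and may have GPOs linked (gPLink);
# the built-in Users, Computers, Builtin, etc. carry objectClass container.
$ous = Get-ADObject -LDAPFilter '(objectClass=organizationalUnit)' `
         -SearchBase $base -SearchScope Subtree -Properties gPLink
$containers = Get-ADObject -LDAPFilter '(objectClass=container)' `
                -SearchBase $base -SearchScope OneLevel

"OUs in $($domain.DNSRoot):"
foreach ($ou in $ous) {
    $linked = if ($ou.gPLink) { 'GPO linked' } else { 'no GPO linked' }
    "  {0}  [{1}]" -f $ou.DistinguishedName, $linked
}
"Top-level containers in $($domain.DNSRoot) (a GPO cannot be linked here):"
foreach ($c in $containers) { "  $($c.DistinguishedName)" }

# The defaults the post mentions: Domain Controllers is a real OU (so it can carry
# the Default Domain Controllers Policy); Users and Computers are plain containers.
"Domain Controllers OU : $($domain.DomainControllersContainer)"
"Users container       : $($domain.UsersContainer)"
"Computers container   : $($domain.ComputersContainer)"
```

The Domain Controllers entry ends in `OU=Domain Controllers,...` while the other two end in `CN=Users,...` and `CN=Computers,...`, which is the quickest visual check of which kind of object you are looking at in a distinguished name.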
The Global Catalog (GC)
Need to search a forest for something? The Global Catalog (GC) server comes to the rescue. The attributes you can search on are stored in the GC, and this set of attributes is called the partial attribute set (PAS). There are tools you can use to control which attributes make it into the GC.
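The PAS is not a hidden list: it is defined in the schema, one flag per attribute, and a GC search is just an LDAP search against the GC port. The following is an added example, not code from the original post; it assumes the ActiveDirectory module, a domain-joined session, and uses a constructed account name (jdoe) as a placeholder. It lists the attributes currently in the PAS, then runs a forest-wide lookup against a discovered GC on port 3268, where attributes outside the PAS are simply not returned for objects from other domains.

```powershell
# Added example (not from the original post): enumerate the Global Catalog's
# partial attribute set (PAS) from the schema and run a forest-wide GC search.
# Requires the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Every attributeSchema object with isMemberOfPartialAttributeSet=TRUE is
# replicated to every GC in the forest; that set is the PAS.
$pas = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
         -Properties lDAPDisplayName |
       Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
"PAS contains $($pas.Count) attributes"
foreach ($attr in 'mail', 'department', 'description') {
    $inGc = if ($pas -contains $attr) { 'yes' } else { 'no' }
    "  $attr in GC: $inGc"
}

# Locate a GC and query it on the GC port (3268). The GC holds a read-only partial
# replica of every domain in the forest, so one query covers all of them, but only
# PAS attributes come back for objects outside the GC's own domain.
$gc     = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
          Select-Object -First 1
$rootDn = $rootDse.rootDomainNamingContext   # covers the root tree; other trees are
                                             # separate naming contexts under the GC

$hits = Get-ADObject -Server "$($gc):3268" -SearchBase $rootDn -SearchScope Subtree `
          -LDAPFilter '(sAMAccountName=jdoe)' -Properties mail, department   # jdoe: placeholder
$hits | Select-Object DistinguishedName, mail, department
```

If an attribute you rely on for forest-wide searches (an application lookup, for example) shows `no` in the first part, that is the case for adding it to the PAS with the schema tools the post refers to rather than pointing the application at a DC in every domain.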