Active Directory Primer
Aug. 5, 2002

Active Directory (AD) comes with its own lexicon of terms, some stemming from its International Standards Organization X.500 Directory Services heritage (which is also shared with other directories, such as Novell’s eDirectory service and Sun Microsystems’ Sun One Directory Server), and others that are exclusive to Microsoft. A high-level understanding of the following terms is critical to following any discussion of AD. (Some of these terms are also graphically illustrated in "Active Directory Cross-Forest Trust".)

Active Directory Data Model

Objects, classes, and attributes. AD is a database of objects, where each object is a specific instance of a particular AD class, such as a user, group, computer, printer, or contact. Each object has many attributes that define it, such as the object’s name or security permissions.

Schema. A schema defines the classes for all objects in the database and the relationships between various classes. Unlike the Windows NT 4.0 directory, which has a fixed schema with only three classes—users, groups, and computers—the AD schema can be extended to add new classes or add new attributes to the default classes. For example, Exchange 2000 changes the AD user class to store information such as users’ e-mail addresses and mailbox servers.

Containers. Containers are special types of objects that, in addition to having attributes, can hold other objects or containers. Analogous to file folders, containers allow objects to be organized and grouped for administrative purposes. For example, an administrator can delegate to a user limited administrative authority over all the objects in a specific container; the user can then perform administrative tasks on one set of objects without being allowed to change others.

Organizational units (OUs). Although the schema predetermines the default AD containers, administrators can create special containers called OUs on an ad hoc basis, and use them to arbitrarily group objects for administration. Organizations can create as many OUs as they need to reflect organizational categories, such as departments or positions. OUs can also be nested within other OUs, allowing them to represent a hierarchy. However, multiple OUs cannot contain the same object, which means that an organization cannot organize the same objects into different OU hierarchies (for instance, it cannot use OUs to organize its AD user objects into both an organizational structure and a job rank structure).

Domain Organization

Domains. A domain is a single database of objects and containers hosted on special Windows servers called domain controllers (DCs). The database may be replicated across multiple domain controllers to provide better performance, scalability, and availability. Since OUs (and other containers) are local to a domain, an OU hierarchy cannot represent an entire enterprise-wide structure if the objects, such as user accounts, are spread over multiple domains. Unlike NT 4.0 domains, AD is not dependent on a single replication master and does not have a 40MB directory size limit. Like NT 4.0 domains, each AD domain has its own groups of administrators, as well as groups that give more limited "operator" rights to the accounts in them (for example, account operators can create new accounts).

Trusts. Users and computers from one domain can access resources, such as files or printers, in another domain—but the domain hosting the resources must "trust" the domain that authenticates the users and computers requesting access. In AD, a trust allows authentication credentials to pass securely between a "trusting" domain controller (belonging to the same domain as the computer from which a user is logging on) to a "trusted" domain controller (in the domain containing the user’s account). Trusts can be one-way (domain A trusts domain B, but B doesn’t trust A) or two-way (domains A and B mutually trust each other).
Furthermore, trusts can be "transitive"—if A trusts B and B trusts C, then A also trusts C—or non-transitive, in which multiple trust hops are not supported. NT 4.0 did not support transitive trusts.

Forests. An AD "forest" can be a single domain, but it is more commonly two or more domains linked by transitive trusts into a hierarchy. All domains in the forest have a single consistent schema. The first domain created is called the "root" domain of the forest. A forest is the largest unit of administrative scope and has its own group of administrators, called Enterprise Administrators, who control all the domains in the forest. With the appropriate permissions, any user or computer account from any domain in the forest can be used to access any resource in the same forest. Unlike the limited two-tier domain structure and manually created non-transitive trusts supported by NT 4.0, an AD forest can be as many levels deep as needed, and AD automatically creates and maintains transitive trusts between all parent and child domains in the forest.

Namespaces. Because domains are organized into hierarchies, their names follow a hierarchical naming convention called a "namespace." Namespaces use DNS-style dotted names, in which a domain lower in the hierarchy gets the name of its parent as a suffix. For example, if the root domain for a fictitious company, ABC Limited, was abc.com, a domain for a subsidiary of ABC could be named sub1.abc.com.

Trees. A "tree" is one or more domains in a forest connected in a trust hierarchy and sharing a common root namespace, such as abc.com in the example above. Forests can have multiple trees, each with its own first-level domain. So in the earlier example, a new tree with a different namespace, such as abcus.com, could link with a two-way transitive trust to the abc.com tree. However, the initial root domain always holds special significance and links all other trees into the forest.
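
The trust, forest, namespace, and tree rules above can be checked against a small model. The following Python example is added to this primer and is not code from the original article or from Microsoft; the domain names (abc.com, sub1.abc.com, abcus.com, west.abcus.com, partner.example) and the trusts between them are constructed for illustration. It simplifies real AD in one respect: a domain added with no parent in the forest is treated as a new tree root and linked to the forest root domain.

```python
"""Constructed model of an AD forest: domains in a DNS-style namespace,
the transitive two-way trusts AD creates automatically between parent and
child (and between tree roots and the forest root), plus optional one-way
non-transitive trusts to outside domains. Added example, not original code."""
from collections import deque


class Forest:
    """A forest is a set of domain names plus the trusts between them."""

    def __init__(self, root_domain):
        self.root = root_domain.lower()
        self.domains = {self.root}
        # trusts[(trusting, trusted)] -> transitive flag.
        # "trusting" holds the resource; "trusted" holds the account.
        self.trusts = {}

    @staticmethod
    def parent_of(domain):
        """In the namespace, a child's parent is its name minus the first label;
        a two-label name such as abc.com has no parent."""
        labels = domain.lower().split(".")
        return ".".join(labels[1:]) if len(labels) > 2 else None

    def add_trust(self, trusting, trusted, two_way=False, transitive=False):
        self.trusts[(trusting.lower(), trusted.lower())] = transitive
        if two_way:
            self.trusts[(trusted.lower(), trusting.lower())] = transitive

    def add_domain(self, domain):
        """Adding a child domain creates a two-way transitive trust with its
        parent; a domain with no parent in the forest starts a new tree and
        is linked to the forest root instead (simplification)."""
        domain = domain.lower()
        if domain in self.domains:
            return
        self.domains.add(domain)
        parent = self.parent_of(domain)
        partner = parent if parent in self.domains else self.root
        self.add_trust(domain, partner, two_way=True, transitive=True)

    def add_external_trust(self, trusting, trusted):
        """NT 4.0-style manual trust: one-way and non-transitive."""
        self.add_trust(trusting, trusted, two_way=False, transitive=False)

    def tree_root(self, domain):
        """Walk up the namespace while the parent is also a forest domain."""
        domain = domain.lower()
        while True:
            parent = self.parent_of(domain)
            if parent is None or parent not in self.domains:
                return domain
            domain = parent

    def trees(self):
        """Group forest domains by the root of their shared namespace."""
        out = {}
        for d in sorted(self.domains):
            out.setdefault(self.tree_root(d), []).append(d)
        return out

    def can_authenticate(self, resource_domain, account_domain):
        """Can an account from account_domain be used against a resource in
        resource_domain? Trust edges are followed from the trusting (resource)
        side toward the trusted (account) side. Transitive trusts may be
        chained; a non-transitive trust is only valid as a direct, single hop."""
        resource_domain = resource_domain.lower()
        account_domain = account_domain.lower()
        if resource_domain == account_domain:
            return True
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            cur = queue.popleft()
            for (trusting, trusted), transitive in self.trusts.items():
                if trusting != cur:
                    continue
                if trusted == account_domain and (transitive or cur == resource_domain):
                    return True
                if transitive and trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False


def build_example_forest():
    """Constructed forest: tree abc.com with child sub1.abc.com, a second tree
    abcus.com with child west.abcus.com, and a one-way non-transitive trust
    from abc.com to an outside domain partner.example."""
    f = Forest("abc.com")
    f.add_domain("sub1.abc.com")
    f.add_domain("abcus.com")
    f.add_domain("west.abcus.com")
    f.add_external_trust("abc.com", "partner.example")
    return f


if __name__ == "__main__":
    f = build_example_forest()
    print(f.trees())
    print(f.can_authenticate("west.abcus.com", "sub1.abc.com"))  # cross-tree via forest root
    print(f.can_authenticate("sub1.abc.com", "partner.example"))  # blocked: non-transitive
```

The cross-tree check succeeds because every hop (west.abcus.com to abcus.com, abcus.com to abc.com, abc.com to sub1.abc.com) is a transitive forest trust; the external trust fails from sub1.abc.com because a non-transitive trust cannot be reached through another trust, and it fails in the reverse direction because it is one-way.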
(See the illustration "Active Directory Cross-Forest Trust" for a graphical depiction of the relationship between namespaces, trees, and forests.)

Administrative Model

Universal groups. First introduced in Windows 2000, universal groups can contain members from any domain in a forest, and the members can be computers, users, or other groups. Unlike their NT-based predecessors (local and global groups), universal groups can support any conceivable amount of group nesting, which removes many of the complications and impediments to building a logical and flexible group structure.

Group Policy. Similar in concept to the System Policy in NT 4.0 but much more powerful, Group Policy provides groups of settings that can be centrally applied to computer and user settings on Windows 2000 (or higher) computers belonging to the forest. Group Policy can also be used to distribute software. To receive a policy, a user or computer must be in an OU, domain, or site to which the policy is assigned and must be a member of the list of users or groups to which the policy applies.

Replication

Sites. AD also supports network-based divisions called sites, which consist of one or more subnets connected by high-speed connections (e.g., a LAN). Site boundaries are mainly used to route log-on requests to a DC in the same site (whenever possible), and they control how inter-DC replication occurs. The NT 4.0 domain directory had no concept of sites, so it was difficult or impossible to control how log-on and replication traffic used the available network topology and bandwidth.

Global Catalogs (GCs). A DC normally only stores information about the users, groups, and computers native to its domain, but it must be able to authenticate a log-on from a universal group that may contain entities from other domains in the forest. Each domain therefore needs one or more special DCs that keep another read-only database—the Global Catalog—containing a small subset of the attributes of all the users, groups, and computers in the forest. Each GC server replicates with a DC from each domain in the forest to keep its information synchronized.