14-5 Lesson 1 Overview of Active Directory
[Figure 14-2: object classes Computers and Users, with objects Comp1, Comp2, Comp3 and Jane Doe, John Doe; each object carries attributes (Computer name, Description; First name, Last name, Logon name), and each attribute holds a value.]
Figure 14-2 Each Active Directory object is defined by its attributes.
Note Some objects, known as containers, can contain other objects. For example, a domain is a container object.
Organizational Units
Enterprises often have thousands of computers, groups, and users. If you had several thousand computers in a single list, it would be very difficult to identify all the computers belonging to, say, the Accounting department, or located within the Boston office. Enterprises need a way to organize these objects. An organizational unit (OU) is a container used to organize objects within a domain into logical administrative groups. OUs provide a way to create administrative boundaries within a domain, allowing you to delegate administrative tasks within the domain. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs (refer to Figure 14-1).
The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains; each domain can implement its own OU hierarchy. There are no restrictions on the depth of the OU hierarchy. However, a shallow hierarchy performs better than a deep one, so you should not create an OU hierarchy any deeper than necessary.
Exam Tip You can delegate administrative tasks by assigning permissions to OUs. OUs provide a way to structure the administrative needs of an organization without using excessive numbers of domains.
Domains
The core unit of logical structure in Active Directory is the domain. Using domains allows administrators to divide the network into manageable boundaries. In addition, administrators from different domains can establish their own security models (including password complexity and password-length requirements); security from one domain can then be isolated so that other domains' security models are not affected. Primarily, domains provide a way to logically partition a network along the same administrative lines as an organization. Organizations that are large enough to have more than one domain usually have divisions that are responsible for maintaining and securing their own resources. Grouping objects into one or more domains enables your network to reflect your company's organization. Domains share the following characteristics:
■ All network objects exist within a domain, and each domain stores information only about the objects that it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is a more practical amount.
■ A domain is an administrative boundary. Access control lists (ACLs) control access to domain objects. ACLs contain the permissions associated with objects that control which users can gain access to an object and what type of access users can gain. In Active Directory, objects include files, folders, shares, printers, and Active Directory objects. Security policies and settings, such as administrative rights, security policies, and ACLs, do not cross from one domain to another.
Trees
A tree is a hierarchical arrangement of one or more domains that share a common schema and a contiguous namespace. In the example shown in Figure 14-3, all the domains in the tree under the microsoft.com root domain share the namespace microsoft.com.
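The three structures described in this lesson (OU nesting within a domain, the domain an object belongs to, and a tree's contiguous namespace) are all visible in an object's distinguished name. The following script is an added example, not from the textbook: it parses constructed sample distinguished names, derives each object's domain from its DC components, counts its OU depth (so unnecessarily deep hierarchies can be reported), and checks that a set of domains forms a contiguous namespace under a given root such as microsoft.com.

```python
"""Read logical AD structure out of distinguished names (DNs).

Added example; the DNs below are constructed, not real directory data.
"""
from collections import defaultdict


def parse_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for part in parts:
        attr_type, _, value = part.strip().partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def domain_of(dn):
    """DNS name of the domain holding the object, built from its DC components."""
    return ".".join(value for attr_type, value in parse_dn(dn) if attr_type == "DC")


def ou_depth(dn):
    """Number of OU containers between the object and its domain."""
    return sum(1 for attr_type, _ in parse_dn(dn) if attr_type == "OU")


def tree_is_contiguous(domains, root):
    """True if every domain is the root or sits below it in the DNS namespace."""
    return all(d == root or d.endswith("." + root) for d in domains)


def depth_report(dns, max_depth):
    """Objects nested deeper than max_depth OUs, grouped by domain."""
    deep = defaultdict(list)
    for dn in dns:
        if ou_depth(dn) > max_depth:
            deep[domain_of(dn)].append(dn)
    return dict(deep)


SAMPLE_DNS = [  # constructed sample data
    "CN=Comp1,OU=Computers,OU=Accounting,DC=microsoft,DC=com",
    "CN=Doe\\, Jane,OU=Users,OU=Boston,OU=Sales,DC=sales,DC=microsoft,DC=com",
    "CN=Comp3,OU=Lab,OU=R1,OU=R2,OU=R3,OU=R4,DC=dev,DC=microsoft,DC=com",
]
```

Running `depth_report(SAMPLE_DNS, 3)` flags only the dev.microsoft.com computer nested five OUs deep, and `tree_is_contiguous` confirms the three sample domains all fall under the microsoft.com root.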