Active Directory consists of both physical and logical structures. The physical structure is made up of the domain tree and the corresponding domain controllers; it contains objects such as user accounts, computer accounts, group accounts, organizational units, and printers.

Structure of Active Directory:

The Active Directory logical structure consists of the logical objects that you create (or that Windows Server 2012 R2 creates automatically) for organizational and administrative purposes.

For example, when you install the first Windows domain controller, Windows Server 2012 R2 creates the logical forest, the domain tree, and the domain at the top level of the domain tree.

When you install additional domain controllers, you can add them to the forest root domain or create a child domain below the forest root domain.

For example, look at the figure below. You will see the forest root domain named serverroompro.com, with two child domains named Boston.serverroompro.com and Texas.serverroompro.com.

Note that both the serverroompro.com domain (the headquarters) and the Texas domain are located in Texas, housed in a single office.

Microsoft recommends that you create a site that contains both serverroompro.com and Texas.serverroompro.com because they are connected by high-speed networks. A second site should be created for Boston because the networks in Texas connect to Boston's networks through wide area network (WAN) connections.

This is done to reduce the amount of time it takes to manage domain objects. You can delegate administrative rights or permissions at any level of Active Directory.
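The two-site layout described above (Texas holding the forest root and child domain DCs, Boston reached over the WAN), as an added PowerShell example that is not part of the original post. The subnet ranges, the site-link cost and interval, and the domain controller names are assumed values for illustration.

```powershell
# Added example (not from the original post): build the Texas/Boston site layout.
# Subnet ranges, site-link settings and DC names are assumed for illustration.
Import-Module ActiveDirectory

# One site for the well-connected Texas office (serverroompro.com and
# texas.serverroompro.com DCs) and one for the Boston branch.
New-ADReplicationSite -Name "Texas"  -Description "HQ: serverroompro.com and texas.serverroompro.com"
New-ADReplicationSite -Name "Boston" -Description "Branch: boston.serverroompro.com"

# Sites are groups of well-connected IP subnets, so map each subnet to its site.
# A client or DC is placed in a site by matching its address against these subnets.
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "Texas"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "Boston"

# Explicit WAN site link: intersite replication over IP is compressed and runs on
# the schedule given here instead of the near-immediate intrasite replication.
New-ADReplicationSiteLink -Name "Texas-Boston-WAN" `
    -SitesIncluded "Texas","Boston" `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15

# Move the existing DCs out of Default-First-Site-Name into the matching sites.
Move-ADDirectoryServer -Identity "TX-DC01"  -Site "Texas"
Move-ADDirectoryServer -Identity "TX-DC02"  -Site "Texas"
Move-ADDirectoryServer -Identity "BOS-DC01" -Site "Boston"

# Verify across every domain in the forest that each DC sits in the expected site.
(Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object Name, Domain, Site, IPv4Address
```

A DC whose address does not fall in any defined subnet stays in whichever site it was placed in, so the final listing is the check worth keeping after any subnet change.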

For example, you can create a new user account and grant it administrative privileges at the child domain level, in the Texas.serverroompro.com domain. These permissions enable the user to administer the contents of that domain.

As another example, you can create a user account to which you assign administrative permissions at the forest root domain level, serverroompro.com.

This user could then manage all the objects within the forest root domain and in both child domains. Additionally, you can assign a user administrative permissions at the organizational unit (OU) level; this enables the user to administer only the contents of that OU.
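Delegation at the OU level, as an added PowerShell example that is not part of the original post: instead of a broad administrative grant, a helpdesk group in Texas.serverroompro.com receives only the "Reset Password" right on user objects under one OU. The OU name, the group name and the PSDrive name are assumed for the example; the two GUIDs are the well-known schema values for the Reset Password control access right and the user object class.

```powershell
# Added example (not from the original post): scope a delegation to one OU.
# OU, group and drive names are assumed for illustration.
Import-Module ActiveDirectory

# Bind a drive to the child domain so the ACL is read from and written to the
# right naming context, regardless of which domain this session logged on to.
New-PSDrive -Name "TX" -PSProvider ActiveDirectory -Server "texas.serverroompro.com" -Root "//RootDSE/" | Out-Null

$ouDn  = "OU=Texas Users,DC=texas,DC=serverroompro,DC=com"
$group = Get-ADGroup -Identity "Texas-Helpdesk" -Server "texas.serverroompro.com"
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known GUIDs: "Reset Password" extended right and the schema "user" class.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userObjectClass    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$acl = Get-Acl -Path "TX:\$ouDn"

# Allow the right only on descendant user objects of this OU. Because the grant is an
# ACE on the OU rather than group membership in Account Operators or Domain Admins,
# it cannot reach other OUs, the domain head, or non-user objects.
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass
)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path "TX:\$ouDn" -AclObject $acl

# Verify the ACE landed on this OU with the intended object type and inheritance,
# and nothing broader. Re-run this as a periodic check for delegation drift.
(Get-Acl -Path "TX:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\Texas-Helpdesk" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```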


Leaf Objects

These are objects in Active Directory that have no child objects. They are the most basic components in the ADDS logical structure. Examples are computer accounts, user accounts, group accounts, and printers.

Active Directory Components:

There are two kinds of Active Directory components: physical components and logical components.

Physical Components include the following:

  1. Domain controller: This is the server that holds the Active Directory Domain Services (ADDS) server role and stores the contents of the AD database. The file that holds the AD database is called the data store.
  2. Global Catalog server: This server contains a partial, read-only copy of the objects in the forest. Microsoft implemented it to make searches for objects in a different domain of the forest faster.
  3. Read-Only Domain Controller (RODC): These are domain controllers that host a read-only copy of the AD database. RODCs are deployed in office locations with low physical security or inexperienced administrators. If someone breaks into the server at such a location, the attacker cannot change anything in the AD database.
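The RODC deployment pattern for the Boston branch, as an added PowerShell example that is not part of the original post. Beyond the read-only database, the setting that limits what a compromised branch server exposes is the Password Replication Policy, which decides whose credentials the RODC is allowed to cache. The computer, group and credential names are assumed for the example.

```powershell
# Added example (not from the original post): pre-stage the Boston RODC and
# restrict which account secrets it may cache. Names are assumed for illustration.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# Pre-create the RODC account from a writable DC. The delegated admin group can
# complete the promotion and manage the server locally without Domain Admin rights.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName "BOS-RODC01" `
    -DomainName "boston.serverroompro.com" `
    -SiteName "Boston" `
    -DelegatedAdministratorAccountName "BOSTON\RODC-Admins" `
    -Credential (Get-Credential "SERVERROOMPRO\Administrator")

# Password Replication Policy: only Boston users may have secrets cached here.
# Built-in privileged groups are already denied through the default
# "Denied RODC Password Replication Group"; HQ staff are denied explicitly
# because a denial always wins over an allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity "BOS-RODC01" `
    -AllowedList "Boston-Users"
Add-ADDomainControllerPasswordReplicationPolicy -Identity "BOS-RODC01" `
    -DeniedList "HQ-Staff"

# Review the resulting policy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity "BOS-RODC01" -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity "BOS-RODC01" -Denied

# The accounts actually cached so far are the ones to reset if this RODC is
# ever stolen or compromised.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "BOS-RODC01" -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```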

Logical Components include the following:

  1. Domain: A domain is a collection of administratively defined objects that share a common directory database, security policy, and trust relationships with other domains. Domains exist within a forest and share a common logical structure, global catalog, directory schema, and directory configuration.
  2. Tree: A tree is a collection of domains arranged in a hierarchical structure. When you add a domain to a tree, it becomes a child of the tree root domain, and the domain to which a child is joined is called its parent domain. The name of a child domain is combined with the name of its parent domain to form its own unique DNS name, such as boston.serverroompro.com, so that each tree has a similar namespace.
  3. Forest: A forest is a complete instance of Active Directory. Each forest acts as a top-level container for all the domain containers of a particular Active Directory instance. A forest can contain one or more domain controller objects, as well as an automatic two-way transitive trust relationship. The name of the forest root domain refers to the forest, such as serverroompro.com. By default, information in Active Directory is only shared within the forest, so the forest is known as the security boundary for the information contained in that instance of Active Directory. Simply put, a forest is a collection of domain trees that share ADDS.
  4. Site: Sites help to organize users, groups, and computers based on their geographic location and the speed of their connection. At their most basic, sites are just groups of well-connected IP subnets.
  5. Organizational Unit (OU): These are container objects that you can use to arrange other objects to support your administrative work. OUs make it easier to locate and manage your AD objects.
  6. Partition: Partitions are logical sections within the Active Directory database. Using partitions enables you to optimize tasks such as replication.
  7. Schema: Lastly, Microsoft uses the schema to define all the attributes for each type of object you can create and store in Active Directory. For example, the schema contains the attributes of user objects, such as the user's first name, last name, address, group membership, date of birth, etc. The schema is extensible, which means it can be modified: you can insert additional attributes for an object.

Posted in IT Security
