Active directory and single domain. Why does an organization need Active Directory? Determine current functional level via PowerShell


An Active Directory forest is a set of one or more domains that share the same schema, configuration, and global catalog. In addition, all domains in a forest are joined by two-way transitive trust relationships. Let's look at the terms used in this definition.

  • Domain. A domain is a way to organize and protect objects, such as users and computers, that share a common namespace. Computers in a domain use the same domain configuration and can be subject to policies and restrictions set by the domain administrator. Using domains simplifies enterprise-wide security.
  • Schema. The Active Directory schema is shared by all domains in the forest. The schema is the configuration information that governs the structure and contents of the directory: which object classes exist and which attributes each class can carry.
  • Configuration. The configuration partition defines the logical structure of the forest, such as the number and layout of sites within the forest.
  • Global catalog. The global catalog can be thought of as the forest's index. It contains a partial copy of every object in the forest, including enough information to locate the object, and it holds universal group membership information.
  • Trust. A trust lets different domains work together. Without a trust, domains operate as separate entities: users from domain A cannot access resources in domain B. If a trust is established such that domain B trusts domain A, then users from domain A can access resources in domain B, provided they have the appropriate permissions.

There are three main kinds of trust relationship.

  • Transitive (parent-child and tree-root). Transitive trusts are created automatically between domains in the same forest. They allow users in any domain to potentially access resources in any other domain of that forest, as long as the users have the appropriate access rights.
  • Shortcut. A shortcut trust is created manually between two domains in the same forest that already trust each other transitively. It shortens the trust path, so authentication and access checks between non-adjacent domains in the forest are faster.
  • External. External trusts let domains in different forests share resources. Such trusts are not transitive: they apply only to the two domains for which they were created.

With the basic terms clear, let's look at an example forest. The following is a single forest containing two domain trees.

The figure shows the four domains aw.net, west.aw.net, east.aw.net, and person.net. The aw.net, west.aw.net, and east.aw.net domains are in the same domain tree because they share the same namespace (aw.net).

The person.net domain is in a different tree because it is not part of the aw.net namespace. Note that inside the east.aw.net domain (not labeled in the figure) the OU symbols are shown. OU stands for organizational unit; OUs are covered in the next article.

The arrows in the figure represent the transitive trusts that are created automatically when domains are first set up within a forest. Note that the subdomains (east and west) of aw.net have no direct trust with person.net. Despite this, they trust the person.net domain.

The reason for the trust is that the child domains trust the aw.net domain. Since the aw.net domain trusts the person.net domain, the aw.net child domains also trust the person.net domain. Knowing this, you can think of Active Directory domains as little children. They unconditionally believe everything that their parents say. If the parent says that the other domain can be trusted, then that's exactly what it is.

But the difference between children and child domains is that child domains always agree and don't question the parent.
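The forest structure described above can be read directly from the directory. The following is an added example (not part of the original article) in PowerShell; it assumes the RSAT ActiveDirectory module on a domain-joined machine and prints, for each domain, whether it is a tree root or a child, along with the forest-wide and domain-wide FSMO role holders.

```powershell
# Added example, not from the original article. Requires the RSAT
# ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

function Get-ForestLayout {
    $forest = Get-ADForest
    [pscustomobject]@{
        ForestRoot         = $forest.RootDomain
        ForestMode         = $forest.ForestMode
        SchemaMaster       = $forest.SchemaMaster         # forest-wide FSMO roles
        DomainNamingMaster = $forest.DomainNamingMaster
        GlobalCatalogs     = $forest.GlobalCatalogs -join ', '
    }

    foreach ($name in $forest.Domains) {
        $dom = Get-ADDomain -Identity $name
        # A domain with no ParentDomain is the root of its own tree (aw.net and
        # person.net in the figure); child domains hang off it by namespace and
        # get their parent-child transitive trust automatically.
        [pscustomobject]@{
            Domain               = $dom.DNSRoot
            NetBIOS              = $dom.NetBIOSName
            Tree                 = if ($dom.ParentDomain) { "child of $($dom.ParentDomain)" } else { 'tree root' }
            Children             = $dom.ChildDomains -join ', '
            DomainMode           = $dom.DomainMode
            PDCEmulator          = $dom.PDCEmulator       # domain-wide FSMO roles
            RIDMaster            = $dom.RIDMaster
            InfrastructureMaster = $dom.InfrastructureMaster
            DomainSID            = $dom.DomainSID.Value
        }
    }
}

Get-ForestLayout | Format-List
```

Run it from any domain in the forest; Get-ADForest always reports the whole forest, so the output lists every tree, not just the domain you are logged on to.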

Active Directory (AD) is the directory service of the Windows Server operating system. It grew out of LDAP-based directory access, and since Windows Server 2008 the name covers a family of related services: Domain Services (AD DS), Lightweight Directory Services (AD LDS), Certificate Services (AD CS), Federation Services (AD FS) and Rights Management Services (AD RMS).

Through Group Policy it lets you apply the same settings to every managed computer; software can be deployed through Group Policy or, at larger scale, with System Center Configuration Manager.

Put simply for beginners, it is a server role that lets you manage all accounts, access rights and permissions on the local network from one place.

Functions and purposes

Microsoft Active Directory (the directory) is a set of tools for managing users and network data. Its primary purpose is to make the work of system administrators easier in large networks.

The directory holds information about users, groups, network devices and file resources, in a word, objects. For a user, for example, the directory stores attributes such as address, logon name, mobile phone number and the password (stored as a hash, not in clear text, unless reversible encryption has been enabled for the account). The directory is the authentication point against which a user's credentials are checked and where the necessary information about the user can be found.

Basic concepts encountered in the course of work

There are a number of specialized concepts that apply when working with AD:

  1. The server is a computer that hosts the directory data.
  2. A domain controller is a server holding the AD DS role; it answers authentication and directory requests from the users and computers of the domain.
  3. An AD domain is a collection of devices united under one unique name that share a common directory database.
  4. The data store (the NTDS.dit database) is the part of the directory responsible for storing and retrieving data on every domain controller.

How active directories work

The main principles of work are:

  • Authentication and single sign-on. A user signs in once with a personal account and password and can then use any domain-joined PC on the network; the account information follows the user.
  • Security. Active Directory identifies every user and computer. For any network object you can set the required permissions centrally, from one device, for categories of users or for specific users.
  • Administration from one point. With Active Directory the system administrator does not need to reconfigure every PC when access rights change, for example for a printer. Changes are made remotely and take effect globally.
  • Full DNS integration. Domain controllers and services are located through DNS names and SRV records, so devices are named the same way as on the Internet and there is no ambiguity about which name refers to what.
  • Scale. A large collection of servers and workstations can be managed by a single Active Directory.
  • Search by various parameters, for example computer name or logon name.

Objects and Attributes

An object is a set of attributes grouped under its own name that represents a network resource.

An attribute is a characteristic of an object in the directory. For a user these include the full name and logon name; for a computer account they can be the computer's name and its description.

For example, "Employee" could be an object with the attributes "Name", "Position" and "TabN" (employee number).

LDAP container and name

A container is a type of object that can hold other objects. A domain, for example, contains account objects.

Containers exist to order objects by some criterion; most often they group objects that share the same attributes or the same administration.

Almost every container corresponds to a collection of objects, while a resource corresponds to a single Active Directory object. One of the main container types is the organizational unit (OU). An OU belongs only to the domain in which it was created, and so do the objects placed in it.

Lightweight Directory Access Protocol (LDAP) is the protocol used to access the directory over TCP/IP. It was designed as a simpler, lightweight way to reach directory services, and it defines the operations used to search, read and modify directory data (bind, search, add, modify, delete).
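To see what LDAP access looks like underneath the GUI consoles, here is an added example (not from the original article) that binds to the directory with the .NET System.DirectoryServices classes and runs an LDAP search with a filter that uses the bitwise matching rule on userAccountControl. The filter, the attribute list and the page size are assumptions chosen for illustration; it assumes a domain-joined Windows PowerShell session and needs no RSAT module.

```powershell
# Added example, not from the original article. Runs in a domain-joined
# Windows PowerShell session; only .NET is required, no RSAT module.
Add-Type -AssemblyName System.DirectoryServices

function Find-NonExpiringPasswordUsers {
    # RootDSE exposes the naming contexts, so the domain DN is not hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")

    # LDAP filter (RFC 4515 syntax). The OID 1.2.840.113556.1.4.803 is the
    # LDAP_MATCHING_RULE_BIT_AND extension: userAccountControl bit 0x2 is
    # ACCOUNTDISABLE, bit 0x10000 (65536) is DONT_EXPIRE_PASSWORD.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                       '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    $searcher.PageSize = 500    # paged search: a DC returns at most 1000 entries per page
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'pwdLastSet', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties    # property names come back lower-cased
        [pscustomobject]@{
            Account    = [string]$p['samaccountname'][0]
            DN         = [string]$p['distinguishedname'][0]
            # pwdLastSet is a Windows FILETIME; 0 (never set) becomes 1601-01-01.
            PwdLastSet = [datetime]::FromFileTime([int64]$p['pwdlastset'][0])
            # Keep only the CN of each group; split on commas that are not escaped.
            MemberOf   = (@($p['memberof']) | ForEach-Object { ($_ -split '(?<!\\),')[0] -replace '^CN=' }) -join '; '
        }
    }
}

Find-NonExpiringPasswordUsers | Sort-Object PwdLastSet | Format-Table -AutoSize
```

The same query through the ActiveDirectory module would be Get-ADUser with an -LDAPFilter; the point of going through DirectorySearcher is to see the filter, paging and attribute selection that every LDAP client, including the consoles, is doing on the wire.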

Tree and site

A domain tree is a set of domains that share a common schema and configuration, form a contiguous namespace, and are linked by transitive trust relationships.

A forest is a collection of one or more domain trees linked together.

A site is a set of one or more IP subnets representing the physical layout of the network; it is planned independently of the logical (domain) structure. A forest can contain many sites, a single site can span several domains, and one domain can be spread across several sites.

Installing and configuring Active Directory

Now let's go through the Active Directory setup itself, using Windows Server 2008 as the example. (On Windows Server 2008 R2 the procedure is the same; from Windows Server 2012 on, dcpromo.exe has been removed and the role is promoted from Server Manager or with the ADDSDeployment PowerShell module.)

Before installing the role, give the server a static IP address and a DNS server address and click "OK". The values shown in the figure are only an example; use the IP address and DNS server from your own network.

  • Open the "Start" menu, then "Administrative Tools" and "Server Manager".
  • Go to "Roles" and select "Add Roles".
  • Select "Active Directory Domain Services", click "Next" twice, and then "Install".
  • Wait for the installation to finish.
  • Open Start - "Run" and enter dcpromo.exe.
  • Click "Next".
  • Select "Create a new domain in a new forest" and click "Next".
  • In the next window, enter the domain name and click "Next".
  • Choose the forest functional level (Windows Server 2008).
  • In the next window, leave the defaults (the DNS server option is selected for the first domain controller).
  • The DNS configuration check runs. Since DNS was not previously used on this server, a warning says that no delegation could be created; for a new forest this warning can be ignored.
  • Choose the directories for the database, log files and SYSVOL.
  • After this step, set the Directory Services Restore Mode (DSRM) administrator password.

This password is used only to log on to the domain controller in Directory Services Restore Mode (for example to restore the directory from backup), so keep it different from the domain Administrator password and store it securely. It must meet the password complexity requirements.

After AD finishes configuring the components, you must restart the server.

The configuration is complete: the role and the management snap-ins are installed. AD DS can only be installed on Windows Server editions; client editions such as Windows 7 or 10 can only host the management consoles (Remote Server Administration Tools).
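The walkthrough above relies on dcpromo.exe, which no longer exists from Windows Server 2012 onward. The following added example (not from the original article) performs the same steps with the ADDSDeployment module and then answers the question in this article's title: reading the current forest and domain functional level with PowerShell. The domain name corp.example.test, the NetBIOS name CORP, the interface alias and the addresses are assumptions; part 1 runs elevated on the server to be promoted, part 2 after its reboot.

```powershell
# Added example, not from the original article. Names, addresses and paths are assumptions.
# Part 1: on a fresh Windows Server (2012 or later), as a local administrator.

# 1. Static addressing first; a DC must never depend on DHCP for its own IP or DNS.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.0.0.10 -PrefixLength 24 -DefaultGateway 10.0.0.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.10

# 2. Role installation (replaces Server Manager > Roles > Add Roles).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Promotion to the first DC of a new forest (replaces dcpromo.exe).
#    The DSRM password is the "administration password" step of the walkthrough.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$params = @{
    DomainName                    = 'corp.example.test'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 functional level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    CreateDnsDelegation           = $false           # no parent zone to delegate from (the dcpromo warning)
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
Install-ADDSForest @params
# The server reboots when promotion completes.

# Part 2: after the reboot, logged on as CORP\Administrator.
Import-Module ActiveDirectory

function Get-FunctionalLevel {
    # Forest and domain levels are independent: the domain level can be raised only
    # as far as the oldest DC's operating system allows, the forest level only as far
    # as every domain's level allows, and neither can normally be lowered again.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest             = $forest.Name
        ForestMode         = $forest.ForestMode
        Domain             = $domain.DNSRoot
        DomainMode         = $domain.DomainMode
        DcOperatingSystems = (Get-ADDomainController -Filter * |
                                  Select-Object -ExpandProperty OperatingSystem -Unique) -join '; '
    }
}
Get-FunctionalLevel | Format-List

# Raising later, once every DC supports the target level:
#   Set-ADDomainMode -Identity corp.example.test -DomainMode Windows2016Domain
#   Set-ADForestMode -Identity corp.example.test -ForestMode Windows2016Forest

# 4. Post-promotion health check: DNS registration, replication and advertising as a DC.
dcdiag.exe /test:dns /test:replications /test:advertising /q
```

Get-FunctionalLevel is the part to keep: the same two properties, ForestMode and DomainMode, are what you check on an existing forest before enabling features that require a minimum level.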

Administration in Active Directory

By default, on Windows Server the Active Directory Users and Computers console works with the domain to which the computer belongs. You can access computer and user objects in this domain through the console tree, or connect to another domain controller.

The same console lets you view the additional properties of objects and search for them; you can create new users and groups and change permissions.

There are two types of groups in Active Directory: security groups and distribution groups. Security groups appear in users' access tokens and are used to grant or deny access to objects; they can also be mail-enabled and used for distribution.

Distribution groups are not added to access tokens and therefore cannot be used to control access; they are used only to distribute e-mail.

What is AD Delegation

Delegation is the transfer of part of the permissions and control over an object (and, through inheritance, its children) from the owner or parent to another responsible party.

Every organization of any size has several system administrators at its headquarters, and different tasks should rest on different shoulders. To make a change, an account needs the matching rights and permissions, which come in two kinds: standard permissions are the familiar bundles such as Full Control, Read or Write that make whole sets of operations available or unavailable; special permissions apply to a specific object, attribute or extended right (for example, resetting a password). Delegating the smallest special permission that does the job, rather than a standard bundle, is how the least-privilege principle is applied in AD.
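As an added example (not from the original article) of a special permission delegated at least privilege: the following PowerShell grants one security group the Reset Password extended right on the user objects of a single OU, then audits that OU's ACL for principals holding rights that amount to full control. The OU, group and domain names are assumptions and the OU is assumed to exist; the two GUIDs are the well-known schemaIDGUID of the user class and the rightsGuid of the User-Force-Change-Password control access right.

```powershell
# Added example, not from the original article. OU, group and domain DN are assumptions.
Import-Module ActiveDirectory

$ouDn  = 'OU=Helpdesk-Managed,DC=corp,DC=example,DC=test'
$group = 'HelpDesk-PasswordReset'
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$resetPwdGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password extended right

function Grant-ResetPasswordOnOu {
    param([string]$OuDn, [string]$GroupName)

    # Must be a security group: only security groups appear in access tokens and ACLs.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn
    }
    $sid = (Get-ADGroup -Identity $GroupName).SID

    $acl = Get-Acl -Path "AD:\$OuDn"
    # Allow ExtendedRight <reset password> on descendant objects of class "user" only:
    # nothing on the OU itself, nothing on the computers or groups inside it.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPwdGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-FullControlEquivalents {
    param([string]$OuDn)
    # GenericAll, WriteDacl or WriteOwner on an OU lets the holder take everything
    # beneath it; any holder outside the expected administrative principals is a finding.
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    $expected  = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\(Domain|Enterprise) Admins)$'
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       [int]($_.ActiveDirectoryRights -band $dangerous) -ne 0 -and
                       $_.IdentityReference.Value -notmatch $expected } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

Grant-ResetPasswordOnOu -OuDn $ouDn -GroupName $group
Get-FullControlEquivalents -OuDn $ouDn | Format-Table -AutoSize
```

The audit function is the part worth scheduling: delegation wizards and well-meaning administrators tend to accumulate Full Control grants on OUs over the years, and each one is a path to every account beneath it.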

Establishing Trust Relationships

There are two kinds of trust relationship in AD: one-way and two-way. In a one-way trust, domain A trusts domain B but not vice versa: users from B can be granted access to resources in A, while users from A get no access to resources in B. In a two-way trust the relationship is mutual. Trusts are also described as outgoing or incoming, from the point of view of the domain you are looking at: an outgoing trust means this domain trusts the other one, so users of the other domain can use resources here; an incoming trust is the reverse.

When creating a trust, the following steps should be carried out:

  • Verify network connectivity between the domain controllers of both domains.
  • Check the domain controllers' settings (time synchronization, which Kerberos depends on, and firewall rules for Kerberos, LDAP and RPC).
  • Set up name resolution for the external domain (conditional forwarders or stub zones in DNS).
  • Create the trust from the trusting domain.
  • Create the matching side of the trust from the domain that is being trusted.
  • Verify the resulting one-way trust.
  • If a two-way trust is needed, repeat the creation in the other direction (or create it as two-way in one step).
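To verify a trust from the trusting side and review its security-relevant settings, here is an added example (not from the original article) in PowerShell. The partner domain name is an assumption. Direction is reported from the local domain's point of view, which is the distinction between outgoing and incoming trusts made above; the TrustAttributes bit values are the ones defined for trustAttributes in the MS-ADTS specification.

```powershell
# Added example, not from the original article. Partner domain name is an assumption.
Import-Module ActiveDirectory

function Test-TrustSettings {
    param([string]$TrustedDomain)

    $t = Get-ADTrust -Filter "Target -eq '$TrustedDomain'"
    if (-not $t) { throw "No trust object for $TrustedDomain in $env:USERDNSDOMAIN" }

    # Direction, as seen from this domain:
    #   Outbound      = this domain trusts $TrustedDomain (their users can use our resources)
    #   Inbound       = $TrustedDomain trusts this domain
    #   BiDirectional = both
    $findings = @()

    # trustAttributes bits (MS-ADTS):
    #   0x04 QUARANTINED_DOMAIN  -> SID filtering on (external trusts)
    #   0x08 FOREST_TRANSITIVE   -> this is a forest trust
    #   0x40 TREAT_AS_EXTERNAL   -> forest trust relaxed to external-style SID filtering
    $attrs = [int]$t.TrustAttributes
    $isForestTrust = ($attrs -band 0x08) -ne 0

    if (-not $t.IntraForest) {
        if (-not $isForestTrust -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) is off on an external trust: SID history from the trusted domain is honoured.'
        }
        if ($isForestTrust -and ($attrs -band 0x40) -ne 0) {
            $findings += 'Forest trust has TREAT_AS_EXTERNAL set (SID history enabled): SID filtering is relaxed.'
        }
        if ($t.Direction -ne 'Inbound' -and -not $t.SelectiveAuthentication) {
            $findings += 'Domain-wide authentication: every user of the trusted domain can authenticate here; consider selective authentication.'
        }
        if ($t.TGTDelegation) {
            $findings += 'TGT delegation is enabled across the trust: TGTs can be forwarded to unconstrained-delegation servers on the other side.'
        }
    }

    [pscustomobject]@{
        Trust           = $t.Name
        Direction       = $t.Direction
        IntraForest     = $t.IntraForest
        ForestTrust     = $isForestTrust
        SelectiveAuth   = $t.SelectiveAuthentication
        TrustAttributes = ('0x{0:X}' -f $attrs)
        Findings        = $findings
    }
}

$partner = 'partner.example.test'
Test-TrustSettings -TrustedDomain $partner | Format-List

# Name resolution and the secure channel itself (the "check settings" and
# "verify the created trust" steps above).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partner" -Type SRV | Select-Object NameTarget, Port
netdom.exe trust $env:USERDNSDOMAIN /domain:$partner /verify
```

Run it in both domains: each side stores its own trust object, and the findings (SID filtering, selective authentication) are evaluated by the domain whose resources are being accessed.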

Global catalog

The global catalog is held by a domain controller that keeps a partial copy of every object in the forest. It lets users and programs search for objects in any domain of the current forest using the searchable attributes included in the global catalog.

The global catalog (GC) includes a limited set of attributes (the partial attribute set) for every object in every domain of the forest. It receives its data from all domain directory partitions in the forest and replicates it using the standard Active Directory replication process.

The schema determines whether an attribute is copied to the global catalog. Additional attributes can be added to the partial attribute set with the Active Directory Schema snap-in: open the attribute's properties and tick "Replicate this attribute to the Global Catalog". The attribute's isMemberOfPartialAttributeSet value then becomes TRUE, and the attribute is replicated to every global catalog server in the forest, which costs replication traffic for every object that carries it.

To find the global catalog servers, enter at the command line:

dsquery server -isgc
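The PowerShell equivalents of that query, plus a check of whether a given attribute is in the partial attribute set and a forest-wide GC search, as an added example (not from the original article). The attribute employeeID and the surname used in the search are assumptions; changing the schema requires Schema Admins membership.

```powershell
# Added example, not from the original article. Attribute name and surname are assumptions.
Import-Module ActiveDirectory

function Get-GlobalCatalogServers {
    # Same information as "dsquery server -isgc", across the whole forest.
    $root = (Get-ADForest).RootDomain
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $root |
        Select-Object HostName, Domain, Site, IPv4Address, OperatingSystem
}

function Get-PartialAttributeSetMembership {
    param([string]$LdapDisplayName)
    # Attribute definitions live in the schema partition; isMemberOfPartialAttributeSet
    # is the flag that the Schema snap-in's "Replicate this attribute to the Global Catalog" box sets.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc `
                 -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
                 -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, searchFlags |
        Select-Object lDAPDisplayName, isMemberOfPartialAttributeSet, searchFlags, DistinguishedName
}

Get-GlobalCatalogServers | Format-Table -AutoSize
$attr = Get-PartialAttributeSetMembership -LdapDisplayName 'employeeID'
$attr | Format-List

# To add the attribute to the GC (Schema Admins only; every GC in the forest then
# replicates this attribute for every object that has it, so keep it to small,
# genuinely searched attributes):
#   Set-ADObject -Identity $attr.DistinguishedName -Replace @{ isMemberOfPartialAttributeSet = $true }

# A GC search (port 3268, or 3269 for LDAPS) spans the forest; a normal LDAP
# search on port 389 sees only the domain you are connected to.
Get-ADUser -Filter "Surname -eq 'Example'" -Server "$((Get-ADForest).RootDomain):3268" |
    Select-Object Name, UserPrincipalName, DistinguishedName
```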

Data replication in Active Directory

Replication is the copying procedure that keeps the directory data held on every domain controller equally up to date.

It runs without operator intervention. Replicated content falls into these categories:

  • Domain data: the objects of each domain, replicated to the domain controllers of that domain (and, as a partial copy, to the global catalog servers of the forest).
  • Schema data: because the schema is the same for every object in the forest, its replica is kept on all domain controllers in all domains.
  • Configuration data: the structure of the forest (sites, site links, partitions), which also applies to all domains in the forest and is replicated to every domain controller.

The two main replication types are intra-site and inter-site.

In the first case, after a change a domain controller waits a short delay, then notifies its replication partners, which pull the change. Even when nothing has changed, replication runs on a schedule (once an hour by default). Urgent changes, such as an account lockout, are replicated immediately.

Inter-site replication runs over site links on a schedule and with compression, so it can be placed in periods of minimal load on the WAN links and still deliver the data intact over slow connections.
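The following is an added example (not from the original article) of the checks a practitioner runs on replication: it lists the sites, subnets and site links that decide which partners replicate intra-site and which inter-site, reads the per-partner replication metadata of one domain controller, and reports forest-wide failures. The DC name DC01 is an assumption.

```powershell
# Added example, not from the original article. DC name is an assumption.
Import-Module ActiveDirectory

function Get-SiteTopology {
    # Subnet-to-site mapping decides which DCs a client uses and which partners
    # replicate intra-site (notification-driven) versus inter-site (scheduled over a site link).
    [pscustomobject]@{
        Sites     = Get-ADReplicationSite -Filter * | Select-Object Name, Description
        Subnets   = Get-ADReplicationSubnet -Filter * | Select-Object Name, Site, Location
        SiteLinks = Get-ADReplicationSiteLink -Filter * |
                        Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
    }
}

function Get-ReplicationState {
    param([string]$DomainController)
    # One row per (partition, partner): when replication was last attempted, when it
    # last succeeded, and how many consecutive attempts have failed.
    Get-ADReplicationPartnerMetadata -Target $DomainController -Scope Server -PartnerType Both |
        Select-Object Partition, Partner, LastReplicationAttempt, LastReplicationSuccess,
                      ConsecutiveReplicationFailures, LastReplicationResult
}

function Get-ReplicationProblems {
    # Forest-wide view. A partner that keeps failing for longer than the tombstone
    # lifetime can reintroduce objects deleted elsewhere (lingering objects) when it
    # finally replicates again, which is the real cost of an unnoticed failure.
    $failures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
    if ($failures) {
        $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
    }
}

$topology = Get-SiteTopology
$topology.Sites     | Format-Table -AutoSize
$topology.Subnets   | Format-Table -AutoSize
$topology.SiteLinks | Format-Table -AutoSize
Get-ReplicationState -DomainController 'DC01' | Format-Table -AutoSize
Get-ReplicationProblems | Format-Table -AutoSize

# Classic tooling gives the same picture on one screen; /replsummary is the first thing to run.
repadmin.exe /replsummary
repadmin.exe /showrepl DC01
```

A subnet that is missing from the list is worth fixing before anything else: clients on it are assigned to a site by guesswork and may authenticate against a DC across the WAN.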

Because Microsoft Windows Server 2003 and Microsoft Exchange Server 2007 depend on Active Directory for directory services, you must decide how to integrate Exchange 2007 into your Active Directory structure. Active Directory includes the following logical elements, whose combination defines the Active Directory topology:

  • One or more domains
  • One or more Active Directory sites

Active Directory Forests

The forest is the outermost boundary of the directory service, and also its security boundary. All domains within a forest trust each other implicitly, regardless of their position in the forest, and every forest uses one common schema and one directory service configuration. A forest can consist of one or more domains. There are two forest topologies: a single forest and multiple forests.

Topology with a single forest

In a single forest topology, Exchange is installed in a single Active Directory forest that spans the entire organization. All user and group accounts and all Exchange configuration data reside in the same forest.

If your organization has a single Active Directory forest, you can install Exchange 2007 in that forest. We recommend the single-forest model because it offers the most functionality for the e-mail system and the simplest administration model. Because all resources are contained in the same forest, one global address list (GAL) contains all users in the forest. This case is shown in the following figure.


The single forest option offers the following benefits:

  • The richest set of e-mail system features.
  • Simple administration model.
  • Taking advantage of the existing Active Directory structure.
  • Synchronization of global address lists is not required.

The main disadvantage associated with a single forest is that administrators must determine how to generalize or separate the responsibility for managing Active Directory and Exchange objects.

Topology with multiple forests

While a single forest topology is recommended because it provides the largest set of messaging capabilities, there are various reasons why you might want to implement multiple forests. These reasons may include, for example:

  • Several business units (not AD organizational units) that require data and service isolation for messaging.
  • Several divisions with different schema requirements.
  • A merger, acquisition or divestiture.

In any case, the only way to establish a strict security boundary between business units is to create a separate Active Directory forest for each of them. With this Active Directory configuration, the preferred way to deploy Exchange is an Exchange resource forest. For more information, see "Resource forest topology" later in this topic.

However, there are scenarios where a resource forest might not be possible (for example, mergers or acquisitions, or when multiple forests are already running their own Exchange instances). In these cases, you can implement a cross-forest topology.

Cross forest topology

In a cross-forest topology, a company uses multiple Active Directory forests, each containing its own Exchange organization. Unlike the resource forest topology, user accounts are not separated from their mailboxes: the user account and the corresponding mailbox are in the same forest.

The main benefit of a cross-forest topology is that data and security boundaries are kept between Exchange organizations. It has the following disadvantages:

  • The richest set of messaging features is not available.
  • When you move a mailbox from one forest to another, delegated permissions are not preserved unless the delegate exists as a contact in the target forest or the delegate's mailbox is moved at the same time.
  • Free/busy information can be synchronized across forests for meeting scheduling, but the Outlook "Open Other User's Folder" feature cannot be used to view the calendar of a user in another forest.
  • A group from another forest is represented as a contact, so its members cannot be viewed; group membership is expanded only when a message reaches the forest that hosts the group.
  • Directory objects must be synchronized across forests, and free/busy information must be replicated. The most commonly used directory synchronization products are Microsoft Identity Integration Server (MIIS) 2003 SP2 and the Identity Integration Feature Pack for Microsoft Windows Server Active Directory SP2. For exchanging free/busy and calendar data between Exchange organizations in different forests, the Exchange 2007 Availability service can be used.


Resource forest topology

In some cases a separate, dedicated Active Directory forest for Exchange may be needed. You may want to leave the existing Active Directory forest untouched, or to separate the administration of Active Directory objects from that of Exchange objects. In that case a separate forest dedicated to running Exchange is created; this dedicated forest is called the Exchange resource forest. In the resource forest model, Exchange is installed in an Active Directory forest that is separate from the forest (or forests) holding the users, computers and application servers. This option is commonly chosen by companies that need a security boundary between Active Directory administration and Exchange administration.

The Exchange resource forest is dedicated to running Exchange and hosting mailboxes. User accounts live in one or more separate forests called account forests. A one-way trust is created in which the Exchange resource forest trusts the account forest, so that users from the account forest can access mailboxes in the resource forest. Because an Exchange organization cannot span more than one Active Directory forest, every mailbox created in the resource forest must have a corresponding user object in the resource forest. These user objects are never used for logon and are disabled to prevent their use; users are usually not even aware that the duplicate account exists. Because the account in the resource forest is disabled, the real user account in the account forest must be granted the right to open the mailbox. This is done by writing the security identifier (SID) of the user object from the account forest into the msExchMasterAccountSID attribute of the disabled user object in the resource forest.

With an Exchange resource forest you may not need directory synchronization at all: from the point of view of Exchange and Outlook, all objects in the directory come from one place, the directory service hosting the Exchange forest. However, if the account forests hold data that belongs in the GAL, synchronization may be required to bring it into the resource forest. You may also want to automate provisioning so that creating an account in the account forest creates the matching disabled, mailbox-enabled account in the Exchange resource forest.

An enabled user in the account forest is associated with a mailbox that is attached to a disabled user in the resource forest. This configuration grants users access to mailboxes located in another forest and requires the trust between the resource forest and the account forest described above. You might also need to customize the provisioning process so that every time an administrator creates a user in the account forest, a disabled mailbox user is created in the Exchange resource forest.

Because all Exchange resources are in the same forest, one global address list will contain all users in the forest. The main benefit of the Exchange dedicated forest scenario is the security boundary between Active Directory administration and Exchange.

There are a number of disadvantages associated with this topology, including the following:

  • A resource forest separates Exchange administration from Active Directory administration, but the cost of deploying an extra forest may outweigh the need for that separation.
  • The Windows hosts running Exchange need additional domain controllers and global catalog servers in the resource forest, which increases cost.
  • A provisioning process is required that reflects Active Directory changes in Exchange. When an object is created in one forest, the corresponding object must be created in the other: for example, when a user is created in the account forest, a placeholder must be created for that user in the resource forest. The corresponding objects can be created manually or the process can be automated.

A variant of the resource forest scenario is multiple forests, one of which hosts Exchange. When using multiple Active Directory forests, your Exchange deployment depends on the degree of autonomy that you plan to maintain across forests. For companies with divisions that require security boundaries (forests) of directory objects but can share Exchange objects, you might consider deploying Exchange in one of the forests and using that forest to host mailboxes from other forests in the company. Because all Exchange resources are in the same forest, one global address list will contain all users from all forests.

This scenario has the following main advantages:

  • Using the existing Active Directory structure.
  • Using existing domain controllers and global catalog servers.
  • Enforce strict security boundaries between forests.

The disadvantages of this scenario include the following features:

  • A provisioning process is needed that reflects Active Directory changes in Exchange. For example, a script could react to a new Active Directory user in forest A by creating a disabled object in forest B with permission to access the mailbox.
  • Forest administrators must decide how to consolidate or separate responsibility for managing Active Directory and Exchange objects.


Active Directory Domains

A domain is a collection of security principals and other objects that are administered together. Domains are flexible structures: what goes into a domain is left to the administrator's discretion. A domain may represent a group of users and computers in one physical location, or all users and computers across many locations in a large geographic area. Because administration and infrastructure are consolidated, domains tend to be stretched over large geographic regions to reduce support cost; but as the directory grows, clients must still be able to reach the directory resources they need as efficiently as possible, which is what sites are for.

Active Directory Sites

Active Directory sites are a logical grouping of well-connected computers in Active Directory. Within a site, client computers can be directed to use specific sets of directory resources (the domain controllers of that site). A site is one or more well-connected TCP/IP subnets, which lets administrators control where clients authenticate and how replication is scheduled. The subnets may or may not correspond to the physical topology.

The figure below shows some of the most common relationships between Active Directory logical definitions and physical locations.

Active Directory Deployment Scenarios

There are four main scenarios for integrating Exchange with Active Directory:

  • Single forest
  • Resource forest
  • Cross forest
  • Mergers and acquisitions

The following table summarizes the benefits of each scenario.

The table has three columns: the scenario, its description, and why the scenario is used.

Single forest

Users and their mailboxes are in the same forest.

  • The richest set of mail system features
  • Simplified administration
  • Use of the existing Active Directory structure
  • No need to synchronize with other forests

Resource forest

One forest is dedicated to running Exchange and hosting Exchange mailboxes. The user accounts associated with the mailboxes are contained in one or more separate forests.

  • Security boundary between Active Directory and Exchange administration
  • Simplified deployment of Exchange in a multi-forest environment
  • Separation of network infrastructure and user account management from Exchange management

Cross forest

Exchange runs in separate forests, and e-mail features are available across them.

  • Several business units that require data and service isolation
  • Several divisions with different schema requirements
  • Merger, acquisition or divestiture

Mergers and acquisitions

Mergers and acquisitions often involve Exchange organizations that coexist before being merged. Planning considerations are those of the multi-forest scenario, with additional migration considerations.

Mergers and acquisitions are a special case of multi-forest deployment that requires additional attention to migration issues.

Active Directory is an extensible and scalable directory service that allows you to manage network resources efficiently. It is a hierarchically organized store of data about network objects that provides convenient means for finding and using that data. A computer that runs Active Directory Domain Services is called a domain controller, and almost all administrative tasks involve Active Directory in some way. The technology is built on standard Internet protocols (DNS, LDAP, Kerberos) and helps define the network structure clearly.

Active Directory and DNS

Active Directory depends on the Domain Name System: domain names are DNS names, and clients locate domain controllers and their services through DNS SRV records (for example _ldap._tcp.<domain>), so a working DNS infrastructure is a prerequisite for the directory.

Active Directory Administration

Using Active Directory, computer accounts are created and joined to the domain, and computers, domain controllers and organizational units (OUs) are managed.

Administration and support tools are provided for managing Active Directory. The tools listed below are implemented as MMC (Microsoft Management Console) snap-ins:

  • Active Directory Users and Computers manages users, groups, computers and organizational units (OUs);
  • Active Directory Domains and Trusts works with domains, domain trees and forests;
  • Active Directory Sites and Services manages sites and subnets;
  • Resultant Set of Policy shows the policy currently applied to a user or computer and helps plan policy changes.

In Windows Server 2003 these snap-ins are available directly from the Administrative Tools menu. Another administrative tool, the Active Directory Schema snap-in, lets you view and modify the directory schema.

Active Directory Command Line Utilities

To manage Active Directory objects, there are command-line tools that allow you to perform a wide range of administrative tasks:

  • DSADD adds computers, contacts, groups, OUs and users to Active Directory.
  • DSGET displays the properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.
  • DSMOD changes the properties of computers, contacts, groups, OUs, users and servers.
  • DSMOVE moves a single object to a new location within a domain, or renames an object without moving it.
  • DSQUERY searches for computers, contacts, groups, OUs, users, sites, subnets and servers according to the given criteria, and emits their distinguished names so they can be piped into the other DS tools.
  • DSRM removes an object from Active Directory.
  • NTDSUTIL shows site, domain and server information, manages operations master (FSMO) roles and maintains the Active Directory database.
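The DS* tools are designed to be chained: dsquery emits distinguished names and the other tools read them from stdin. Here is an added example (not from the original article) that uses them for a stale-account review and shows the ActiveDirectory-module equivalent beside them; the 90-day threshold and the quarantine OU are assumptions, and the account actions run as a dry run unless -Commit is passed.

```powershell
# Added example, not from the original article. The 90-day threshold and the
# quarantine OU are assumptions.

# dsquery finds objects and prints their DNs; dsget reads attributes for the DNs
# it receives on stdin. Users whose password is older than 90 days, with their state:
dsquery.exe user -stalepwd 90 -limit 0 | dsget.exe user -samid -disabled -pwdneverexpires

# Computer accounts inactive for 12 weeks (-inactive counts weeks):
dsquery.exe computer -inactive 12 -limit 0

# The same review with the ActiveDirectory module, which returns objects instead of text.
Import-Module ActiveDirectory

function Get-StaleEnabledUsers {
    param([int]$Days = 90)
    # LastLogonDate comes from lastLogonTimestamp, which is replicated with up to
    # 14 days of slack by default, so treat the threshold as approximate.
    Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

function Invoke-StaleAccountQuarantine {
    param([string]$QuarantineOu, [switch]$Commit)
    # Disable and move rather than delete: the SID stays resolvable in logs and
    # ACLs, and the change is reversible. Without -Commit every action is a -WhatIf.
    foreach ($acct in Get-StaleEnabledUsers) {
        Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf:(-not $Commit)
        Move-ADObject     -Identity $acct.DistinguishedName -TargetPath $QuarantineOu -WhatIf:(-not $Commit)
    }
}

Get-StaleEnabledUsers | Format-Table -AutoSize
Invoke-StaleAccountQuarantine -QuarantineOu 'OU=Disabled,DC=corp,DC=example,DC=test'

# The dsmod / dsmove equivalents of the two actions:
#   dsmod user "<DN>" -disabled yes
#   dsmove "<DN>" -newparent "OU=Disabled,DC=corp,DC=example,DC=test"
```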

Any novice user who meets the abbreviation AD wonders: what is Active Directory? Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially the service dealt only with domains; since Windows Server 2008, however, AD has become the umbrella name for a variety of directory-based identity services, which is why it is worth understanding the basics first.

Basic Definition

The server that runs Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in a Windows network domain, assigning and applying a security policy to all PCs, and installing or updating software. For example, when a user logs on to a Windows domain-joined computer, Active Directory verifies the provided password and determines whether the object is a system administrator or a standard user. It also allows you to manage and store information, provides authentication and authorization mechanisms, and provides a framework for deploying other related services: certificate services, federated and lightweight directory services, and rights management.

Active Directory uses LDAP versions 2 and 3, Microsoft's implementation of Kerberos, and DNS.

Active Directory - what is it? Complex things in simple words

Tracking network data is a time-consuming task. Even on smaller networks, users tend to have difficulty finding network files and printers. Without some kind of directory, medium to large networks cannot be managed and often have difficulty finding resources.

Previous versions of Microsoft Windows included services to help users and administrators find information. Network Neighborhood is useful in many environments, but its obvious drawbacks are an inconvenient interface and unpredictable behavior. WINS Manager and Server Manager could be used to view a list of systems, but they were not available to end users. Administrators used User Manager to add and remove users, a completely different type of network object. These applications proved ineffective on large networks and raised the question: why does a company need Active Directory?

A directory, in the most general sense, is a complete list of objects. A phone book is a type of directory that stores information about people, businesses, and government organizations; its entries usually contain names, addresses, and telephone numbers. So what is Active Directory, in simple words? We can say that this technology is similar to a directory, but is much more flexible. AD stores information about organizations, sites, systems, users, shares, and any other network object.

Introduction to the basic concepts of Active Directory

Why does an organization need Active Directory? As mentioned in the introduction to Active Directory, the service stores information about network components. The "Active Directory for Beginners" guide says that this allows clients to find objects in their namespace. This term refers to the area in which a network component can be located. For example, the table of contents of a book creates a namespace in which chapters can be mapped to page numbers.

DNS is a namespace that resolves host names to IP addresses, just as phone books provide a namespace for resolving names to phone numbers. How does this work in Active Directory? AD provides a namespace for resolving the names of network objects to the objects themselves, and it can resolve a wide variety of objects, including users, systems, and services on the network.

Objects and Attributes

Anything that Active Directory keeps track of is considered an object. In simple words, an object in Active Directory is any user, system, resource, or service. The generic term object is used because AD is able to keep track of many kinds of elements, and many objects can share common attributes. What does that mean?

Attributes describe objects in Active Directory. For example, all user objects share an attribute that stores the user's name; the same applies to their descriptions. Systems are also objects, but they have a separate set of attributes that includes host name, IP address, and location.

The set of attributes available for any particular object type is called a schema. It is what makes object classes distinct from each other. Schema information is itself stored in Active Directory. What is very important is that the schema allows administrators to add attributes to object classes and distribute them over the network to every corner of the domain without restarting any domain controllers.

Containers and LDAP names

A container is a special type of object that is used to organize the directory. It does not represent a physical entity like a user or a system; instead, it is used to group other elements. Container objects can be nested within other containers.

Every element in AD has a name. These are not the kind of names you are used to, such as Ivan or Olga; they are LDAP distinguished names. LDAP distinguished names are cumbersome, but they allow you to uniquely identify any object within a directory, regardless of its type.

The terms tree and site

The term tree is used to describe a set of objects in Active Directory. What is this? In simple terms, it can be explained by analogy with a tree. When containers and objects are combined hierarchically, they tend to form branches, hence the name. A related term is contiguous subtree, which refers to the unbroken main trunk of a tree.

Continuing the metaphor, the term "forest" describes a collection of trees that are not part of the same namespace but share a common schema, configuration, and global catalog. Objects in these structures are available to all users if security allows. Organizations that are divided into multiple domains should group their trees into a single forest.

A site is a geographic location defined in Active Directory. Sites correspond to logical IP subnets and, as such, can be used by applications to find the nearest server on the network. Using site information from Active Directory can significantly reduce WAN traffic.
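As an added illustration of the subnet-to-site mapping described above (this is example code, not from the article), the following Python maps a client address to a site by longest-prefix match over a constructed subnet table, so that an overlapping, more specific subnet wins, as it does when a client is steered to the domain controllers of its own site:

```python
import ipaddress

# Constructed sample subnet-to-site table (assumed names, not from the article);
# in AD this is the information kept in the Subnets container of Sites and Services.
SUBNETS = {
    "10.1.0.0/16": "Paris",
    "10.1.200.0/24": "Paris-ServerRoom",  # more specific prefix inside Paris
    "10.2.0.0/16": "Berlin",
    "2001:db8:10::/48": "Berlin",
}


def site_for(ip, subnets=SUBNETS):
    """Return the site whose subnet most specifically contains ip, else None.

    Longest-prefix match: when subnets overlap, the more specific one decides,
    which is how a client address is associated with the site whose domain
    controllers it should prefer.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


if __name__ == "__main__":
    for client in ("10.1.3.4", "10.1.200.7", "10.2.9.9", "192.0.2.1"):
        print(client, "->", site_for(client))
```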

Active Directory Management

The Active Directory Users and Computers snap-in is the most convenient tool for administering Active Directory. It is directly accessible from the Administrative Tools program group in the Start menu. It replaces and enhances Server Manager and User Manager from Windows NT 4.0.


Security

Active Directory plays an important role in the future of Windows networking. Administrators must be able to protect their directory from intruders and users while delegating tasks to other administrators. All of this is possible using the Active Directory security model, which associates an access control list (ACL) with every container and object attribute in the directory.

This fine-grained control allows an administrator to grant individual users and groups different levels of permissions on objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users. For example, you can set an ACL so that only managers can view other users' home phone numbers.

Delegated Administration

Delegated administration is a concept new to Windows 2000 Server. It allows you to assign tasks to other users without granting them additional access rights. Delegated administration can be assigned for specific objects or for contiguous subtrees of the directory. This is a much more efficient way of granting permissions across networks.

Instead of giving someone full global domain administrator rights, the user can be granted permissions only within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACLs of their container.
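As an added example covering both the LDAP distinguished names introduced earlier and the subtree-scoped delegation described here (example code, not from the article), the following Python splits a DN into its components while honouring RFC 4514 backslash escapes, then checks whether an object lies inside a delegated subtree; the DNs and names are constructed:

```python
HEX = "0123456789abcdefABCDEF"


def _text(buf):
    # Drop unescaped leading/trailing spaces; an escaped space ("\ ") is kept.
    while buf and buf[0] == (" ", False):
        buf = buf[1:]
    while buf and buf[-1] == (" ", False):
        buf = buf[:-1]
    return "".join(c for c, _ in buf)


def parse_dn(dn):
    """Split an LDAP DN into (type, value) pairs, leaf RDN first (RFC 4514).

    Escapes are honoured, so "CN=Smith\\, John,OU=Sales,DC=corp,DC=example"
    yields a CN of "Smith, John" instead of two broken components. A naive
    split on "," would get this wrong. Multi-valued RDNs ("+") are not handled.
    """
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append((chr(int(dn[i + 1:i + 3], 16)), True))  # \XX escape
                i += 3
            else:
                buf.append((dn[i + 1], True))  # escaped special character
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = _text(buf).upper(), []  # attribute types are case-insensitive
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((attr, _text(buf)))
            attr, buf = None, []
        else:
            buf.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdns.append((attr, _text(buf)))
    return rdns


def is_in_subtree(object_dn, subtree_dn):
    """True if object_dn is at or below subtree_dn (values compared case-insensitively)."""
    obj = [(a, v.lower()) for a, v in parse_dn(object_dn)]
    sub = [(a, v.lower()) for a, v in parse_dn(subtree_dn)]
    return len(obj) >= len(sub) and obj[-len(sub):] == sub
```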

The term "trust"

The term "trust" is still used, but it has different functionality. There is no distinction between one-way and two-way trusts: all Active Directory trusts are two-way. Moreover, they are all transitive. So, if domain A trusts domain B, and B trusts C, then there is an automatic implicit trust relationship between domain A and domain C.

What is auditing in Active Directory, in simple terms? It is a security feature that lets you determine who is trying to access objects, and whether the attempt succeeded.

Using DNS (Domain Name System)

The Domain Name System (DNS) is essential for any organization connected to the Internet. DNS provides name resolution between common names such as mspress.microsoft.com and the raw IP addresses that network-layer components use to communicate.

Active Directory makes extensive use of DNS for object lookup. This is a significant change from previous Windows operating systems, which required NetBIOS names to be resolved to IP addresses and relied on WINS or other NetBIOS name resolution techniques.

Active Directory works best when used with DNS servers running Windows 2000. Microsoft has made it easy for administrators to migrate to Windows 2000 DNS servers by providing migration wizards that guide the administrator through the process.

Other DNS servers can be used. In that case, however, administrators will have to spend more time managing DNS databases. What are the nuances? If you choose not to use Windows 2000 DNS servers, you must ensure that your DNS servers support the DNS dynamic update protocol. Domain controllers rely on dynamically updating their records so that clients can find them. If dynamic update is not supported, the databases must be updated manually, which is inconvenient.

Windows domains and Internet domains are now fully compatible. For example, a name such as mspress.microsoft.com identifies the Active Directory domain controllers responsible for that domain, so any client with DNS access can find a domain controller. Clients can use DNS resolution to look up any number of services, because Active Directory servers publish a list of addresses in DNS using the new dynamic update features. This data is defined per domain and published through service (SRV) resource records. SRV records follow the format _service._protocol.domain.

Active Directory servers provide an LDAP service for accessing objects, and LDAP uses TCP as its underlying transport protocol. Therefore, a client looking for an Active Directory server in the mspress.microsoft.com domain looks up the DNS entry _ldap._tcp.mspress.microsoft.com.
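As an added illustration of the SRV lookup described above (example code, not from the article), the following Python builds the query name in the _service._protocol.domain form and orders a constructed answer set the way an RFC 2782 client does, lowest priority first and then weighted at random within a priority; the host names are assumed:

```python
import random


def srv_name(service, protocol, domain):
    """Build the DNS name a client queries, e.g. _ldap._tcp.corp.example."""
    return "_%s._%s.%s" % (service, protocol, domain.rstrip("."))


def order_srv(records, rng=random.random):
    """Order SRV answers into a connection-attempt list (RFC 2782).

    records: list of (priority, weight, port, target). Lower priority is
    tried first; within one priority, targets are drawn at random with
    probability proportional to weight. rng is injectable so the draw can
    be made deterministic in tests.
    """
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        pool.sort(key=lambda r: r[1] != 0)  # RFC 2782: weight-0 entries go first
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng() * total
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return [(port, target) for _, _, port, target in ordered]


# Constructed sample answer set for _ldap._tcp.corp.example (assumed hosts).
SAMPLE_ANSWER = [
    (0, 100, 389, "dc1.corp.example."),
    (0, 100, 389, "dc2.corp.example."),
    (10, 0, 389, "dc-backup.corp.example."),
]

if __name__ == "__main__":
    print(srv_name("ldap", "tcp", "corp.example"))
    print(order_srv(SAMPLE_ANSWER))
```

With the two priority-0 domain controllers sharing the load, the backup controller is only contacted after both of them fail.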

Global Catalog

Active Directory provides a global catalog (GC), which offers a single source for searching any object on the organization's network.

The global catalog is a service in Windows 2000 Server that allows users to find any object to which they have been granted access. This functionality is far superior to the Find Computer application included with previous versions of Windows: users can search for any object in Active Directory, including servers, printers, users, and applications.

2022 gtavrl.ru.