Learn AD in 15 Minutes a Week: Domains, Organizational Units and the Global Catalog

By ServerWatch Staff
Posted May 13, 2002


by Jason Zandri
www.2000trainers.com

Welcome to the fourth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This week the topic is Active Directory Domains, Organizational Units and the Global Catalog.

Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week continues the topic of Active Directory Logical Architecture and specifically covers Domains, Organizational Units, and the Global Catalog.

Active Directory Logical Architecture

As you make preparations for the installation of your first Windows 2000 Domain Controller into your environment, whether that be a pristine forest or into an existing domain, you need to have a solid understanding of all of the different parts that make up the Windows 2000 Active Directory.

Domains

Windows 2000 domains are the core unit of the logical structure in Active Directory; an Active Directory structure can be made up of one or more domains. Windows 2000 domains can span more than one physical location as well.

All network objects exist within a domain, and each domain stores information only about the objects it contains.

By definition, a Windows 2000 domain is an administrator-defined logical grouping of computer systems, servers and other hardware which share a common directory database.

Windows 2000 domains must have a unique name within the Active Directory forest.

Windows 2000 domains provide access to domain user accounts, domain security group accounts and domain distribution group accounts maintained by the domain administrator, or other system administrators, as appointed by the domain or enterprise administrators through delegation of authority.

A domain is also a security boundary.

Objects in the Active Directory have a Security Descriptor that stores information about the object's owner and the groups to which the owner belongs.

The discretionary access control list (DACL) of the object lists the security principals (users, groups, and computers) that have access to the object and their level of access.

The system access control list (SACL) lists the security principals (if any) whose access to the object should trigger audit events.

The discretionary access control list for an object specifies the list of users and groups that are authorized to access the object and also what levels of access they have. The kinds of access that can be assigned to (or denied on) an object depend on the object type. (You cannot assign the Manage Documents access right to a file server, as this right applies to printers only.)

The discretionary access control list for an object consists of a list of access control entries (ACEs) which can apply to a class of objects, an object, or an attribute of an object. Each access control entry specifies the security identifier (SID) of the security principal to which the ACE applies, as well as the level of access to the object permitted for the security principal.

[NOTES FROM THE FIELD] - In plain English this means your user account (SID) can access a specific file on a file server or print to a printer (object), because the permissions that are set for the object (the access control entries - ACEs - in the discretionary access control list for the object) allow you the right to read the file or print to the printer.
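To make the DACL/SACL walk concrete, here is an added example (not code from the article) that models a printer object's security descriptor and runs the access check the way Windows evaluates ACEs in order. The access bits, the printer, the user tokens and the "EXAMPLE" domain portion of the SIDs are all constructed for illustration; only the Domain Admins (512) and Domain Users (513) RIDs are real well-known values.

```python
# Constructed model of an Active Directory object's security descriptor (example
# code, not from the article). Access bits are illustrative, not Win32 values.
from dataclasses import dataclass, field

READ, WRITE, PRINT, MANAGE_DOCUMENTS = 0x1, 0x2, 0x4, 0x8

@dataclass
class ACE:
    kind: str                    # "allow" / "deny" (DACL) or "audit" (SACL)
    sid: str                     # SID of the security principal the ACE applies to
    mask: int                    # access bits granted, denied or audited
    audit_success: bool = False  # audit ACEs only
    audit_failure: bool = False

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list                                # ordered allow/deny ACEs
    sacl: list = field(default_factory=list)  # audit ACEs

def access_check(sd, token_sids, requested):
    """Walk the DACL in order, as the Windows access check does: a matching deny
    ACE covering any still-wanted bit refuses access outright; allow ACEs
    accumulate bits until every requested bit is granted. Order matters, which
    is why canonical DACLs place explicit deny ACEs before explicit allows."""
    remaining = requested
    for ace in sd.dacl:
        if ace.kind == "audit" or ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # DACL exhausted with bits still ungranted: implicit deny

def audit_events(sd, token_sids, requested, granted):
    """SACL entries that fire for this outcome (success or failure audits)."""
    return [ace.sid for ace in sd.sacl
            if ace.sid in token_sids and ace.mask & requested
            and ((granted and ace.audit_success) or (not granted and ace.audit_failure))]

# Constructed printer object: Domain Users may print but are explicitly denied
# Manage Documents; Domain Admins get everything; failed Manage Documents
# attempts by Domain Users are audited.
DOMAIN_ADMINS, DOMAIN_USERS = "S-1-5-21-EXAMPLE-512", "S-1-5-21-EXAMPLE-513"
PRINTER = SecurityDescriptor(
    owner=DOMAIN_ADMINS,
    dacl=[ACE("deny", DOMAIN_USERS, MANAGE_DOCUMENTS),
          ACE("allow", DOMAIN_USERS, READ | PRINT),
          ACE("allow", DOMAIN_ADMINS, READ | WRITE | PRINT | MANAGE_DOCUMENTS)],
    sacl=[ACE("audit", DOMAIN_USERS, MANAGE_DOCUMENTS, audit_failure=True)])
ALICE = {"S-1-5-21-EXAMPLE-1104", DOMAIN_USERS}               # ordinary user
BOB = {"S-1-5-21-EXAMPLE-1105", DOMAIN_USERS, DOMAIN_ADMINS}  # admin, also a Domain User
```

Note that Bob is denied Manage Documents even though he is a Domain Admin: the deny ACE matches the Domain Users SID in his token before any allow ACE is reached, which is the usual pitfall with explicit deny entries on groups that administrators also belong to.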

In Windows 2000 domains, objects include files, folders, shares, printers, and other Active Directory objects. Security policies and settings do not cross from one domain to another, and the domain administrator has absolute rights to set permissions and policies only within that specific domain (unless they are specifically granted administrative control in other domains or are also members of the Enterprise Administrators group).

[NOTES FROM THE FIELD] - Much of this information is an Exam Requirement for both the 70-217 AND the 70-219 exams. Some would argue it is more so for the 217 and I would agree, but if you do not have the underpinnings from the Administration pieces of 70-217, you'll be hard pressed to pull off the Design requirements for 70-219.

Domains are also units of replication. Domain controllers for the domain contain a replica of Active Directory and can receive changes to information in Active Directory and replicate these changes to all of the other domain controllers in the domain.
