Organizational units (OU) are container objects that Active
Directory designers and system administrators will use to organize objects
within a domain. An OU can contain objects such as user accounts, groups,
computers, printers, applications, file shares, and other OUs from the same
domain. The OU hierarchy within a domain is independent of the OU hierarchy
structure of other domains.
You can use OUs to group objects into a
logical hierarchy that best suits the needs of your organization. There are two
main design considerations of this.
The Network administrative model is
based with network-specific administrative responsibilities in mind. For
example, one administrator or group of administrators might be responsible for
all of the user accounts in a domain, another might be responsible for all of
the printers and print servers, another might be responsible for all of the
desktop systems and the last might be responsible for all of the laptop systems
in a given domain. In this case, you might want to create one OU for user
accounts, one where the printers and the print servers are lumped together (or
possibly in two separate ones, depending on your needs), a third OU for desktop
systems and another OU for the laptop computers. The administrator in charge (it
may be a Domain Administrator or an Enterprise Administrator) would then
delegate the responsibility of the OU to the proper person and assign them the
rights they would need.
The Organizational structure based on
departmental or geographical boundaries is based with site, location and
department administrative responsibilities in mind. If there are administrators
at specific locations, such as field offices where they are responsible for all
of the laptops, desktops and print servers that serve that field office, then
the OU structure that is often used is based on a City, State Site, etc.
Likewise, if a person in Human Resources is responsible for all of the
laptops, desktops and print servers that serve Human Resources and there is a
counterpart in the Engineering department and the Sales department, then the OU
structure that is normally deployed is based on departments within a specific
location or perhaps all the different locations, depending on the reach of the
department based administrator.
The OU hierarchy within a domain is
independent of the OU hierarchy structure of other domains and each domain can
implement its own OU hierarchy.
[NOTES FROM THE FIELD] – As a domain or enterprise
administrator, you can delegate administrative control over the objects within
Organizational Units by assigning specific permissions for the OU and the
objects that the OU contains to specific users and groups. These permissions are
not all or nothing. You can assign the maximum permissions to the object (full
control) or set specific limitations as you see fit based on administrative
The Global Catalog
The global catalog is the central repository of information
about all objects in the residing domain. It also contains a partial replica for
all object attributes contained in the directory of every domain in the forest.
The attributes most frequently used in queries are stored in the global catalog
by default. This is to insure that the global catalog contains the information
necessary to determine the location of any object in the directory.
first domain controller in the forest is a global catalog server and is created
automatically when DCPROMO is run.
You can configure other domain controllers to be global
catalog servers other than the default one installed or in addition to it.
When designating additional global catalog servers, best practices
dictate that you should take your network structure into consideration by
calculating how much replication and query traffic it can handle.
than one global catalog server, especially in a large enterprise or in any
enterprise that has many remote sites, will provide for quicker responses to
user inquiries, as well as redundancy. It is recommended that every major site
in your enterprise have at least one global catalog server whenever
The global catalog enables network logon by providing universal
group membership information to a domain controller when a logon process is
initiated as well as finding directory information anywhere in the forest.
Because global catalog servers contain information about
objects in the residing domain as well as a partial replica for all object
attributes contained in the directory of every domain in the forest, object
queries do not produce unnecessary query traffic across the network because they
can be resolved by the local global catalog server.
The global catalog
provides universal group membership information for the logon accounts to the
domain controller processing the user logon information. If for some reason
there are no global catalog servers available when users try to log on to the
network, the user will only able to log on to the local computer, provided there
is a locally cached profile or a local account to log on with.
[NOTES FROM THE FIELD] – Domain
Administrators are able to log on to the network regardless of whether a global
catalog server is available or not.
Well, that wraps up the first section of my Windows 2000
Active Directory Logical Architecture article. I hope you found it informative
and will return for the next installment.
If you have any questions, comments or even constructive
criticism, please feel free to drop me a note.
I want to write good, solid technical articles that appeal to
a large range of readers and skill levels and I can only be sure of that through
Next week, I plan to continue with an overview of the
Lightweight Directory Access Protocol (LDAP)
Until then, best of luck in your studies.
“Absolute anonymity isn’t
practical, or possible, in real life or on the internet.”