Learn AD in 15 Minutes a Week: Domains, Organizational Units and the Global Catalog Page 2

By ServerWatch Staff (Send Email)
Posted May 14, 2002

Download the authoritative guide: Data Center Guide: Optimizing Your Data Center Strategy

Download the authoritative guide: Cloud Computing: Using the Cloud for Competitive Advantage

Organizational Units

Organizational units (OU) are container objects that Active Directory designers and system administrators will use to organize objects within a domain. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains.

You can use OUs to group objects into a logical hierarchy that best suits the needs of your organization. There are two main design considerations of this.

The Network administrative model is based with network-specific administrative responsibilities in mind. For example, one administrator or group of administrators might be responsible for all of the user accounts in a domain, another might be responsible for all of the printers and print servers, another might be responsible for all of the desktop systems and the last might be responsible for all of the laptop systems in a given domain. In this case, you might want to create one OU for user accounts, one where the printers and the print servers are lumped together (or possibly in two separate ones, depending on your needs), a third OU for desktop systems and another OU for the laptop computers. The administrator in charge (it may be a Domain Administrator or an Enterprise Administrator) would then delegate the responsibility of the OU to the proper person and assign them the rights they would need.

The Organizational structure based on departmental or geographical boundaries is based with site, location and department administrative responsibilities in mind. If there are administrators at specific locations, such as field offices where they are responsible for all of the laptops, desktops and print servers that serve that field office, then the OU structure that is often used is based on a City, State Site, etc.

Likewise, if a person in Human Resources is responsible for all of the laptops, desktops and print servers that serve Human Resources and there is a counterpart in the Engineering department and the Sales department, then the OU structure that is normally deployed is based on departments within a specific location or perhaps all the different locations, depending on the reach of the department based administrator.

The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains and each domain can implement its own OU hierarchy.

[NOTES FROM THE FIELD] - As a domain or enterprise administrator, you can delegate administrative control over the objects within Organizational Units by assigning specific permissions for the OU and the objects that the OU contains to specific users and groups. These permissions are not all or nothing. You can assign the maximum permissions to the object (full control) or set specific limitations as you see fit based on administrative needs.

The Global Catalog

The global catalog is the central repository of information about all objects in the residing domain. It also contains a partial replica for all object attributes contained in the directory of every domain in the forest. The attributes most frequently used in queries are stored in the global catalog by default. This is to insure that the global catalog contains the information necessary to determine the location of any object in the directory.

The first domain controller in the forest is a global catalog server and is created automatically when DCPROMO is run.

You can configure other domain controllers to be global catalog servers other than the default one installed or in addition to it.

When designating additional global catalog servers, best practices dictate that you should take your network structure into consideration by calculating how much replication and query traffic it can handle.

More than one global catalog server, especially in a large enterprise or in any enterprise that has many remote sites, will provide for quicker responses to user inquiries, as well as redundancy. It is recommended that every major site in your enterprise have at least one global catalog server whenever possible.

The global catalog enables network logon by providing universal group membership information to a domain controller when a logon process is initiated as well as finding directory information anywhere in the forest.

Because global catalog servers contain information about objects in the residing domain as well as a partial replica for all object attributes contained in the directory of every domain in the forest, object queries do not produce unnecessary query traffic across the network because they can be resolved by the local global catalog server.

The global catalog provides universal group membership information for the logon accounts to the domain controller processing the user logon information. If for some reason there are no global catalog servers available when users try to log on to the network, the user will only able to log on to the local computer, provided there is a locally cached profile or a local account to log on with.

[NOTES FROM THE FIELD] - Domain Administrators are able to log on to the network regardless of whether a global catalog server is available or not.

Well, that wraps up the first section of my Windows 2000 Active Directory Logical Architecture article. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Next week, I plan to continue with an overview of the Lightweight Directory Access Protocol (LDAP)

Until then, best of luck in your studies.

"Absolute anonymity isn't practical, or possible, in real life or on the internet."

Jason Zandri


Page 2 of 2

Thanks for your registration, follow us on our social networks to keep up-to-date