Learn AD in 15 Minutes a Week: Domains, Organizational Units and the Global Catalog Page 2
Organizational units (OU) are container objects that Active
Directory designers and system administrators will use to organize objects
within a domain. An OU can contain objects such as user accounts, groups,
computers, printers, applications, file shares, and other OUs from the same
domain. The OU hierarchy within a domain is independent of the OU hierarchy
structure of other domains.
You can use OUs to group objects into a logical hierarchy that best suits the needs of your organization. There are two main design considerations of this.
The Network administrative model is based with network-specific administrative responsibilities in mind. For example, one administrator or group of administrators might be responsible for all of the user accounts in a domain, another might be responsible for all of the printers and print servers, another might be responsible for all of the desktop systems and the last might be responsible for all of the laptop systems in a given domain. In this case, you might want to create one OU for user accounts, one where the printers and the print servers are lumped together (or possibly in two separate ones, depending on your needs), a third OU for desktop systems and another OU for the laptop computers. The administrator in charge (it may be a Domain Administrator or an Enterprise Administrator) would then delegate the responsibility of the OU to the proper person and assign them the rights they would need.
The Organizational structure based on departmental or geographical boundaries is based with site, location and department administrative responsibilities in mind. If there are administrators at specific locations, such as field offices where they are responsible for all of the laptops, desktops and print servers that serve that field office, then the OU structure that is often used is based on a City, State Site, etc.
Likewise, if a person in Human Resources is responsible for all of the laptops, desktops and print servers that serve Human Resources and there is a counterpart in the Engineering department and the Sales department, then the OU structure that is normally deployed is based on departments within a specific location or perhaps all the different locations, depending on the reach of the department based administrator.
The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains and each domain can implement its own OU hierarchy.
[NOTES FROM THE FIELD] - As a domain or enterprise administrator, you can delegate administrative control over the objects within Organizational Units by assigning specific permissions for the OU and the objects that the OU contains to specific users and groups. These permissions are not all or nothing. You can assign the maximum permissions to the object (full control) or set specific limitations as you see fit based on administrative needs.
The Global Catalog
The global catalog is the central repository of information
about all objects in the residing domain. It also contains a partial replica for
all object attributes contained in the directory of every domain in the forest.
The attributes most frequently used in queries are stored in the global catalog
by default. This is to insure that the global catalog contains the information
necessary to determine the location of any object in the directory.
The first domain controller in the forest is a global catalog server and is created automatically when DCPROMO is run.
You can configure other domain controllers to be global
catalog servers other than the default one installed or in addition to it.
When designating additional global catalog servers, best practices dictate that you should take your network structure into consideration by calculating how much replication and query traffic it can handle.
More than one global catalog server, especially in a large enterprise or in any enterprise that has many remote sites, will provide for quicker responses to user inquiries, as well as redundancy. It is recommended that every major site in your enterprise have at least one global catalog server whenever possible.
The global catalog enables network logon by providing universal group membership information to a domain controller when a logon process is initiated as well as finding directory information anywhere in the forest.
Because global catalog servers contain information about
objects in the residing domain as well as a partial replica for all object
attributes contained in the directory of every domain in the forest, object
queries do not produce unnecessary query traffic across the network because they
can be resolved by the local global catalog server.
The global catalog provides universal group membership information for the logon accounts to the domain controller processing the user logon information. If for some reason there are no global catalog servers available when users try to log on to the network, the user will only able to log on to the local computer, provided there is a locally cached profile or a local account to log on with.
[NOTES FROM THE FIELD] - Domain Administrators are able to log on to the network regardless of whether a global catalog server is available or not.
Well, that wraps up the first section of my Windows 2000 Active Directory Logical Architecture article. I hope you found it informative and will return for the next installment.
If you have any questions, comments or even constructive criticism, please feel free to drop me a note.
I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.
Next week, I plan to continue with an overview of the Lightweight Directory Access Protocol (LDAP)
Until then, best of luck in your studies.
IT Solutions Builder TOP IT RESOURCES TO MOVE YOUR BUSINESS FORWARD
Which topic are you interested in?
What is your company size?
What is your job title?
What is your job function?
Searching our resource database to find your matches...