# LSAs 2 - 3: Active Directory Structure
The Active Directory (AD) structure is hierarchical, with distinct layers that organize how data and resources are managed across a network. The highest level is the Forest, followed by Trees, Domains, and the individual Objects within those domains. Each layer in the hierarchy serves a specific purpose and allows organizations to scale, manage resources efficiently, and maintain secure access control.
Let’s take a closer look at the components that make up the AD structure:
## LSA 3: Identify Forests and Trees

### 1. Forest

- Definition: The Forest is the top-level container in the Active Directory structure. It represents the entire AD infrastructure and consists of one or more Trees. A forest is essentially a logical boundary for managing directory data, where all the domain trees within the forest share common configurations, directory schema, and a global catalog.
- Key Characteristics:
  - Schema: The forest defines a shared directory schema, which dictates the types of objects that can exist in the directory (like users, computers, printers, etc.) and the attributes these objects can have.
  - Global Catalog: The forest includes a global catalog that acts as a central index. It stores references to all objects in the forest, allowing for quicker searches and facilitating cross-domain object lookups.
  - Unified Administration: Within a forest, administrators can manage domains, users, and groups centrally. Forests allow for trust relationships across multiple domains and support features like Group Policy, Single Sign-On (SSO), and replication across multiple domain controllers.
- Example: In a large organization, the forest could represent the entire network infrastructure, which might span multiple geographic locations or business units.
### 2. Trees

- Definition: A Tree is a logical grouping of domains that share a common namespace. A tree is structured in a hierarchy, and it begins with a root domain (the first domain in the tree) and can include child domains that inherit part of the namespace from the root domain.
- Key Characteristics:
  - Namespace: The namespace within a tree is contiguous, meaning that child domains within a tree share a portion of the parent domain's name. This ensures a hierarchical naming structure that is organized and easy to manage.
  - Domain Relationships: Domains within a tree are trusted by default. This means that users in one domain can access resources in other domains within the same tree, provided appropriate permissions are set.
  - Domain Name System (DNS): DNS plays an important role in the tree structure, as each domain must have a unique DNS name to avoid conflicts.
- Example: In a company with separate departments, the root domain might be `company.com`, and child domains could include `HR.company.com` or `IT.company.com` as part of a larger tree structure.
## LSA 2: Identify Domains

### 3. Domains

- Definition: A Domain is the fundamental unit of Active Directory and is used to group objects (such as users, computers, printers, etc.) and resources under a common administrative boundary. A domain has its own security policies, user rights, and trust relationships.
- Key Characteristics:
  - Root Domain: The first domain created in a tree is called the Root Domain. It serves as the foundational domain for the entire tree. All other domains within the tree are referred to as child domains and are logically connected to the root domain.
  - Child Domains: Child domains are created within a tree and inherit part of the namespace from their parent domain. The namespace in child domains is contiguous with the root domain, meaning they follow a hierarchical naming scheme. For example, a root domain called `company.com` could have child domains like `sales.company.com` or `hr.company.com`.
  - Domain Controllers: Each domain has one or more domain controllers (DCs), which are servers responsible for storing the Active Directory database and managing authentication requests, security policies, and user permissions.
- Example: A company may have a root domain like `example.com` and child domains like `nyc.example.com` and `la.example.com`, where the child domains correspond to different geographical locations or business units.
### 4. Objects

- Definition: Objects are the entities stored within an Active Directory domain. They represent various network resources and users that are managed within a domain. Objects can be users, computers, printers, groups, and other network resources that require management.
- Key Characteristics:
  - Attributes: Each object in Active Directory has associated attributes. For example, a user object may have attributes such as `first name`, `last name`, `email address`, and `security group memberships`. These attributes are used to define the properties of the object.
  - Object Classes: Objects in Active Directory are categorized into object classes, which define the kinds of attributes that can be associated with each object. For example, a user object has a different set of attributes compared to a printer object.
  - Distinguished Names (DN): Each object in AD has a Distinguished Name (DN), a unique identifier used to reference it within the directory. The DN reflects the object's location in the directory's hierarchical structure. For example, `CN=John Doe, OU=Employees, DC=company, DC=com`.
- Example: An object might be a User Object like `CN=John Doe, OU=Sales, DC=company, DC=com`, which represents a user in the sales department of the `company.com` domain.
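The two structural rules above, that a tree's domains share a contiguous DNS namespace and that an object's Distinguished Name encodes its domain through its DC components, can be checked mechanically. The following Python script is an added example written for this page, not part of the original course material: it parses a DN into its components, derives the object's domain from the DC parts, and groups a constructed sample forest into trees by namespace (the sample domains beyond `company.com` and its children are assumed for illustration).

```python
import re

# Constructed sample forest with two trees; assumed for illustration only.
FOREST_DOMAINS = ["company.com", "sales.company.com", "hr.company.com",
                  "emea.sales.company.com", "subsidiary.net", "apps.subsidiary.net"]

def parse_dn(dn):
    """Split an AD Distinguished Name into (attribute, value) pairs, leaf first.
    A comma escaped as '\\,' inside a value does not end the RDN."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_to_domain(dn):
    """The DC= components, read top-down, spell the object's domain DNS name."""
    dcs = [v for a, v in parse_dn(dn) if a == "DC"]
    if not dcs:
        raise ValueError("DN carries no DC components, so no domain can be derived")
    return ".".join(dcs).lower()

def dn_to_container_path(dn):
    """OU/CN components from the domain root down to the object itself."""
    return [v for a, v in parse_dn(dn) if a in ("OU", "CN")][::-1]

def in_same_tree(domain, root):
    """True when `domain` continues `root`'s namespace (or is the root itself)."""
    d, r = domain.lower().rstrip("."), root.lower().rstrip(".")
    return d == r or d.endswith("." + r)

def build_trees(forest_domains):
    """Group a forest's domains into trees by contiguous namespace.
    A domain is a tree root when no other forest domain is its ancestor;
    every other domain is attached to the root whose name it ends with."""
    doms = sorted({d.lower().rstrip(".") for d in forest_domains})
    roots = [d for d in doms
             if not any(o != d and in_same_tree(d, o) for o in doms)]
    return {r: [d for d in doms if in_same_tree(d, r)] for r in roots}

if __name__ == "__main__":
    dn = "CN=John Doe, OU=Sales, DC=company, DC=com"
    print(dn_to_domain(dn), dn_to_container_path(dn))
    for root, members in build_trees(FOREST_DOMAINS).items():
        print(f"tree {root}: {members}")
```

Note that `notcompany.com` is not placed in the `company.com` tree, because contiguity requires the whole parent name to follow a label boundary, not just a matching suffix.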
## Key Takeaways
- Hierarchy: The Active Directory structure is hierarchical, starting with the Forest at the top, followed by Trees, Domains, and then individual Objects.
- Scalability: Active Directory allows organizations to scale their infrastructure by adding more domains, trees, and forests as needed, while maintaining control over security and administration.
- Trust Relationships: Domains within the same forest are trusted by default, facilitating resource sharing and authentication across multiple domains and trees.
- Namespace Continuity: Domains within a tree must share a contiguous namespace, ensuring a consistent and organized directory structure.
The ability to organize resources hierarchically in a way that reflects an organization’s structure is one of the most powerful features of Active Directory. It ensures that both administrative control and security policies can be easily managed across a distributed network, regardless of the organization's size or geographical spread.