- X.500 and LDAP rather than flat file.
– Blocks: domains, trees, forests, OU’s.  Phyiscal location is represented by including all objects in a given (physical) location in its own site.

- Domain: A logical grouping of computers.  They share a common directory database.  A series of domains can be organized, through trust relationships, into forests and trees.

- Tree: A group of domains that share a namespace.  For example, learnwithharv.com would represent the parent, blog.learnwithharv.com would be a child domain.  On the same level could sit thing.learnwithharv.com.  A child to these domains might be some.thing.learnwithharv.com or my.blog.learnwithharv.com.
Trust relationships in a tree are two-way, transitive relationships, meaning resources are accessible both ways.
(A forest can contain multiple trees, and trees can contain multiple levels of child domains.)

- Forest: A forest would be a group of domain trees that do not share a namespace.  For example, microsoft.com and apple.com.  You may find foobar.microsoft.com and foobar.apple.com as children of their respective domains, however while foobar.apple.com shares a transitive two-way relationship with apple.com, it in no way shares any information with microsoft.com or foobar.microsoft.com, and vice versa. The first domain created in a new Active Directory structure is the forest root domain.

- Organization Unit (OU): I think of OU’s as being like folders.  They can contain objects of various types (users, computers, distribution groups, etc).  They are the smallest type of unit that can be used for organization.  Policies and security can be applied to an OU.  For example, one might create an OU which contains company departments.  The OU name might be Departments.  The objects inside might be groups such as Accounting, Administration, and IT.  Policies and security options or permissions can be set on each of these groups individually, and/or to the entire OU itself.

- Sites: A site is a grouping of resources within a forest by physical location or subnet.  Sites allow for control of replication as well as policy application control.  By that I mean- by grouping things physically within a site, the LAN link can be taken advantage of.  If one has multiple physical locations and multiple DC’s (patience, we’re getting to a DC) at each location, grouping users/computers/etc by Site allows the DC’s to know which computers should be under their direct control and which they should allow the other DC’s to control.  To elaborate further:  pushing out a group policy to 200 machines not physically located in the same office as the DC may not be a good idea.  Grouping by Site allows DC’s to know where they physically site and therefore who they should spend their time serving.

- Domain Controller (DC): This is any server that has an active directory.  All directory objects are that are within the domain, plus the schema and any configuration information for the forest where the domain is located, are located here.  If there are multiple DC’s within a domain, data is shared and kept in sync via replication.

- Global Catalog: Sort of like an index, the global catalog server’s role is to allow domain controllers in other domains to access information or resources from another domain in the same forest.  IE, files, folders, printers, etc.  Universal group membership is also done here, so that someone can be a member of two domains.

- Operations masters:  Specialialized roles.  Only one DC can fulfill any given one of these roles;
– Schema Master: The only writable copy of the AD Schema.  All objects in a forest are held in the schema.
One DC in the forest does this.

- Domain naming master: Ensures that any new domains adhere to the naming conventions for new trees or child domains in existing trees.
One DC in the forest does this.

- PDC emulator: Serves as a primary domain controller for NT 4 client computers authenticating to the domain.
One DC in each domain does this.

- Infrastructure master: updates other domains as to changes in it’s own domain.  This is a middle-man;  it receives and processes changes in the forest received from GC servers and replicates the changes to other DC’s in its domain.
One DC in each domain does this.

- RID master: Assigns SID’s (security ID) to objects in its domain.  Each SID is comprized of a non-unique domain identifier to idenfity which domain the object belongs to, as well as an RID (relative ID) that is unique to each object.  This particular server (RID Master) ensures no two objects have the same RID.  It also serves out pools of RIDS to every DC in its domain.
One DC in each domain does this.

- RODC: Read-Only Domain Controller:  A DC that is read only.  Useful for a branch office where personell don’t necessarily need to make updates.  A good security practise is to use these if possible.  They are perfect to put in place if you simply need authentication and a new on-site DC for purposes of pushing out GPO’s etc over a LAN link.

Originally posted 2009-06-26 00:40:52.