Active Directory Components
Various Active Directory components are used to build a directory structure that meets
the needs of your organization. The following Active Directory components represent
logical structures in an organization: domains, organizational units (OUs), trees, and
forests. The following Active Directory components represent physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.
Logical Structures In Active Directory, you organize resources in a logical structure—a structure that mirrors organizational models—using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a resource by its name rather than by remembering its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users.
trates the relationship of the Active Directory domains, OUs, trees, and forest
Domains The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network. These vital objects are items the members of the networked community need in order to do their jobs: printers, documents, e-mail addresses, databases, users,
distributed components, and other resources. All network objects exist within a
domain, and each domain stores information only about the objects it contains. Active
Directory is made up of one or more domains. A domain can span more than one
physical location. Domains share the following characteristics:
■ All network objects exist within a domain, and each domain stores information
only about the objects that it contains.
■ A domain is a security boundary. Access to domain objects is governed by access
control lists (ACLs), which contain the permissions associated with the objects.
Such permissions control which users can gain access to an object and what type
of access they can gain. In the Windows Server 2003 family, objects include files,
folders, shares, printers, and other Active Directory objects. None of the security
policies and settings—such as administrative rights, security policies, and ACLs—
can cross from one domain to another. You, as the domain administrator, have
absolute rights to set policies only within your domain.
The domain functional level (known as domain mode in Windows 2000) provides a
way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default),
Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The
Windows 2000 mixed functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the same domain running Windows NT 4,
Windows 2000, or the Windows Server 2003 family. The Windows 2000 native functional level allows a Windows Server 2003 domain controller to interact with
domain controllers in the domain running Windows 2000 or Windows Server 2003.
The Windows Server 2003 interim functional level allows a Windows Server 2003 domain
controller to interact with domain controllers in the domain running Windows NT 4 or
Windows Server 2003. The Windows Server 2003 functional level allows a Windows
Server 2003 domain controller to interact only with domain controllers in the domain
running Windows Server 2003. You can raise the functional level of a domain only if the domain controllers in the domain are running the appropriate version of Windows. See Chapter 3, "Administering Active Directory," for details about raising domain functional levels.
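The functional-level rules above, written out as a small compatibility check. This is an added example, not code from the book: given the operating system of each domain controller, it reports which DCs would block raising the domain to a given level. The DC names and the inventory are constructed for illustration.

```python
from enum import Enum


class FunctionalLevel(Enum):
    WIN2000_MIXED = "Windows 2000 mixed"
    WIN2000_NATIVE = "Windows 2000 native"
    WIN2003_INTERIM = "Windows Server 2003 interim"
    WIN2003 = "Windows Server 2003"


NT4, WIN2000, WIN2003 = "Windows NT 4", "Windows 2000", "Windows Server 2003"

# Domain controller operating systems that may coexist in a domain at each
# functional level, taken from the text above.
PERMITTED_DC_OS = {
    FunctionalLevel.WIN2000_MIXED: {NT4, WIN2000, WIN2003},
    FunctionalLevel.WIN2000_NATIVE: {WIN2000, WIN2003},
    FunctionalLevel.WIN2003_INTERIM: {NT4, WIN2003},
    FunctionalLevel.WIN2003: {WIN2003},
}


def blocking_controllers(level, controllers):
    """Return the (name, os) pairs of DCs whose OS is not permitted at `level`.

    An empty list means the domain can be raised to that level.
    """
    return [(name, os) for name, os in controllers
            if os not in PERMITTED_DC_OS[level]]


def can_raise_to(level, controllers):
    """True if every DC in the domain runs an OS permitted at `level`."""
    return not blocking_controllers(level, controllers)


def raisable_levels(controllers):
    """All functional levels the current set of DCs would permit."""
    return {lvl for lvl in FunctionalLevel if can_raise_to(lvl, controllers)}


# Constructed sample inventory (hypothetical DC names), not from the text:
# two Windows Server 2003 DCs and one remaining Windows NT 4 domain controller.
SAMPLE_DCS = [("DC1", WIN2003), ("DC2", WIN2003), ("DC3", NT4)]

if __name__ == "__main__":
    for lvl in FunctionalLevel:
        blockers = blocking_controllers(lvl, SAMPLE_DCS)
        status = "OK" if not blockers else f"blocked by {blockers}"
        print(f"{lvl.value}: {status}")
```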
As an administrator, you must create a domain structure to reflect your company's organization. See Lesson 3, "Planning the Active Directory Infrastructure Design," to learn the basics of domain design. See Chapter 4, "Installing and Managing Domains, Trees, and Forests," for details about creating domains.
OUs An OU is a container used to organize objects within a domain into a logical
administrative group. OUs provide a means for handling administrative tasks, such as
the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as user
accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy