Understanding the Active Directory Logical Model
Designing your logical structure for Active Directory Domain Services (AD DS) involves defining the relationships between the containers in your directory. These relationships might be based on administrative requirements, such as delegation of authority, or they might be defined by operational requirements, such as the need to control replication. Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model.

AD DS is a distributed database that stores and manages information about network resources as well as application-specific data from directory-enabled applications. AD DS allows administrators to organize elements of a network (such as users, computers, and devices) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units (OUs). This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and the network topology.

Active Directory forest

A forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema (class and attribute definitions), directory configuration (site and replication information), and global catalog (forest-wide search capabilities). Domains in the same forest are automatically linked with two-way, transitive trust relationships.

Active Directory domain

A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:
Active Directory organizational units

OUs can be used to form a hierarchy of containers within a domain. OUs are used to group objects for administrative purposes such as the application of Group Policy or delegation of authority. Control (over an OU and the objects within it) is determined by the access control lists (ACLs) on the OU and on the objects in the OU. To facilitate the management of large numbers of objects, AD DS supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited administrative control over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people who are trusted to perform management tasks.

How much do you know about Active Directory? Find out with this Active Directory quiz on the service's basics, structure and capabilities.
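The OU access control and delegation described in the Microsoft section above are normally administered through the ACL on the OU itself. The following PowerShell is an added example, not code from the Microsoft article or the quiz: it grants a group only the Reset Password control access right on user objects beneath one OU (limited rather than full control), and then enumerates every explicit, non-inherited access control entry on every OU in the domain so that delegations can be reviewed. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a caller permitted to read and modify the OU security descriptor; the OU distinguished name and group name are constructed placeholders, and the two GUIDs are the well-known schema values for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the Microsoft article). Assumes the RSAT ActiveDirectory
# module is installed and the caller may read/modify the OU's security descriptor.
# OU path and group name used below are constructed placeholders.
Import-Module ActiveDirectory

# Well-known GUID of the "Reset Password" control access right (extended right).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Well-known schema GUID of the user object class; scopes the ACE to user objects only.
$UserClassGuid      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Grant-OuPasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,  # e.g. "OU=Helpdesk Users,DC=example,DC=com"
        [Parameter(Mandatory)][string]$GroupSamAccountName   # group receiving the delegated right
    )
    $group = Get-ADGroup -Identity $GroupSamAccountName
    $sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
    $acl   = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Allow only the Reset Password right, only on user objects below this OU
    # (inherited to descendants, restricted by the user class GUID).
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-OuExplicitDelegations {
    # Lists every explicit (non-inherited) ACE on every OU in the domain. These
    # entries are what actually decide who controls an OU, so they are the first
    # thing to review when auditing delegation of authority.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object @{ n = 'OU'; e = { $dn } },
                          IdentityReference,
                          ActiveDirectoryRights,
                          AccessControlType,
                          ObjectType,
                          InheritedObjectType,
                          InheritanceType
    }
}

# Example usage (placeholder names):
# Grant-OuPasswordResetDelegation -OuDistinguishedName 'OU=Helpdesk Users,DC=example,DC=com' `
#                                 -GroupSamAccountName 'Helpdesk-PasswordReset'
# Get-OuExplicitDelegations | Format-Table -AutoSize
```

In the audit output, an ActiveDirectoryRights value of ExtendedRight with an ObjectType GUID identifies a specific control access right such as Reset Password, whereas GenericAll or WriteDacl entries represent full or near-full control and deserve closer scrutiny than a narrowly scoped delegation.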
Published: 17 Oct 2018

Administrators need to know the ins and outs of Active Directory to maintain order over the vast resources within their enterprise network. This Active Directory quiz will put your knowledge to the test.

Active Directory centralizes the creation, access and management of a wide array of objects, such as users, groups, computers and printers. Each object can be associated with detailed metadata, such as object names, descriptions and attributes. How well do you really know this Windows Server feature? Take this Active Directory quiz to check your knowledge of Active Directory and its application in the enterprise.
What is the primary container object that can be used for organizing and managing resources in a domain?
Organizational Units (OU): a container used to organize objects within the domain into logical administrative groups that mirror the functional business structure of an organization. Some characteristics: can contain objects such as user accounts, groups, computers, printers, etc.

What is used to identify all objects in a domain?
You can identify a domain object by its distinguished name, GUID, security identifier (SID), DNS domain name, or NetBIOS name.

What type of Active Directory replication takes place between domain controllers in the same site?
Intrasite replication takes place between servers in a site using RPCs, while intersite replication is mail based and takes place over a Directory Replication Connector (DRC) between bridgehead servers in separate sites.

What command will allow you to find and display objects in Active Directory?
The dsquery * command can find any type of Active Directory object. For help with the specific parameters and syntax for each type of object, type dsquery ObjectType /? at a command prompt. For example: dsquery computer /?