Understanding the Active Directory Logical Model
- Article
- 07/29/2021
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Designing your logical structure for Active Directory Domain Services (AD DS) involves defining the relationships between the containers in your directory. These relationships might be based on administrative requirements, such as delegation of authority, or they might be defined by operational requirements, such as the need to control replication.
Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model. AD DS is a distributed database that stores and manages information about network resources as well as application-specific data from directory-enabled applications. AD DS allows administrators to organize elements of a network (such as users, computers, and devices) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units (OUs). This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and network topology.
Active Directory forest
A forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema (class and attribute definitions), directory configuration (site and replication information), and global catalog (forest-wide search capabilities). Domains in the same forest are automatically linked with two-way, transitive trust relationships.
Active Directory domain
A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:
- Network-wide user identity. Domains allow user identities to be created once and referenced on any computer joined to the forest in which the domain is located. Domain controllers that make up a domain are used to store user accounts and user credentials (such as passwords or certificates) securely.
- Authentication. Domain controllers provide authentication services for users and supply additional authorization data such as user group memberships, which can be used to control access to resources on the network.
- Trust relationships. Domains can extend authentication services to users in domains outside their own forest by means of trusts.
- Replication. The domain defines a partition of the directory that contains sufficient data to provide domain services and then replicates it between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a unit.
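The forest, domain and trust layers described above can be inventoried directly from the directory. The following PowerShell is an added example written for this page, not code from the Microsoft article; it assumes the RSAT ActiveDirectory module is installed on a domain-joined host with read access to the forest. Intra-forest trusts are reported from each domain's own side, so a parent/child trust appears twice (once per direction), which is the two-way, transitive relationship the article describes; for trusts to other forests, the SelectiveAuthentication and SIDFilteringQuarantined columns show which hardening controls are in effect.

```powershell
# Added example (not from the Microsoft article): map the AD DS logical model
# as forest -> domains -> trusts. Requires the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Get-ADLogicalModel {
    [CmdletBinding()]
    param(
        # Forest to inspect; defaults to the forest of the current security context.
        [string]$Forest = (Get-ADForest).Name
    )

    $f = Get-ADForest -Identity $Forest

    # Forest level: one schema, one configuration partition and one global catalog scope.
    $forestInfo = [pscustomobject]@{
        Name           = $f.Name
        RootDomain     = $f.RootDomain
        ForestMode     = $f.ForestMode
        Domains        = ($f.Domains -join ', ')
        GlobalCatalogs = $f.GlobalCatalogs.Count
        Sites          = ($f.Sites -join ', ')
    }

    $domains = @()
    $trusts  = @()

    foreach ($d in $f.Domains) {
        # Domain level: each domain is a partition replicated only among its own DCs.
        $dom = Get-ADDomain -Identity $d
        $domains += [pscustomobject]@{
            DNSRoot     = $dom.DNSRoot
            Parent      = $dom.ParentDomain
            DomainMode  = $dom.DomainMode
            WritableDCs = @($dom.ReplicaDirectoryServers).Count
            RODCs       = @($dom.ReadOnlyReplicaDirectoryServers).Count
            PDCEmulator = $dom.PDCEmulator
        }

        # Trust level, queried against a DC of this domain. Intra-forest trusts are
        # created automatically; trusts to other forests are explicit and carry the
        # selective-authentication and SID-filtering settings worth reviewing.
        foreach ($t in @(Get-ADTrust -Filter * -Server $dom.DNSRoot)) {
            $trusts += [pscustomobject]@{
                Source                  = $t.Source
                Target                  = $t.Target
                Direction               = $t.Direction
                TrustType               = $t.TrustType
                IntraForest             = $t.IntraForest
                ForestTransitive        = $t.ForestTransitive
                SelectiveAuthentication = $t.SelectiveAuthentication
                SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            }
        }
    }

    [pscustomobject]@{
        Forest  = $forestInfo
        Domains = $domains
        Trusts  = $trusts
    }
}

# Usage: print the three layers of the logical model as separate tables.
$model = Get-ADLogicalModel
$model.Forest  | Format-List
$model.Domains | Format-Table -AutoSize
$model.Trusts  | Format-Table -AutoSize
```

Run it from a host in the forest root domain if possible, since Get-ADForest resolves the forest from the caller's context; pass -Forest explicitly to inspect another forest you have a trust and credentials for.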
Active Directory organizational units
OUs can be used to form a hierarchy of containers within a domain. OUs are used to group objects for administrative purposes such as the application of Group Policy or delegation of authority. Control (over an OU and the objects within it) is determined by the access control lists (ACLs) on the OU and on the objects in the OU. To facilitate the management of large numbers of objects, AD DS supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited administrative control over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people who are trusted to perform management tasks.
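Because delegation is expressed as ACEs on the OU (and inherited by the objects in it), the actual state of delegated authority can be read back from the OU hierarchy. The following PowerShell is an added example for this page, not code from the Microsoft article. It assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl) and read access to the schema and configuration partitions. The list of default principals and the set of rights treated as "control" are choices made for this example: default holders such as SYSTEM and the built-in administrative groups are filtered out so that what remains is delegation that someone granted deliberately, and ObjectType GUIDs are resolved through the schema and Extended-Rights container so the report shows attribute and right names rather than GUIDs.

```powershell
# Added example (not from the Microsoft article): report explicit delegation on OUs.
# Requires the RSAT ActiveDirectory module, which exposes the AD: PSDrive.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Map schema and extended-right GUIDs to names so ACE ObjectType values are readable.
function Get-ADGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    $map[[guid]::Empty] = 'All'   # empty ObjectType means the ACE applies to the whole object
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties name, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.name }
    return $map
}

# Principals that hold rights on OUs by default (example choice; extend for your environment).
$DefaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

# Rights (System.DirectoryServices.ActiveDirectoryRights names) that confer control
# over the OU or the objects in it; read-only rights are ignored.
$ControlRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty',
                 'ExtendedRight', 'CreateChild', 'DeleteChild', 'DeleteTree', 'Self'

function Get-OUDelegationReport {
    [CmdletBinding()]
    param(
        # Where to start; defaults to the domain root so every OU is covered.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # By default only ACEs set on the OU itself are shown, i.e. the delegation
        # decisions made at that level; include inherited ACEs to see effective rights.
        [switch]$IncludeInherited
    )

    $guidMap = Get-ADGuidMap

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }

            $who = $ace.IdentityReference.Value
            if ($who -in $DefaultPrincipals) { continue }
            if ($who -match '\\(Domain|Enterprise) Admins$') { continue }

            # ActiveDirectoryRights is a flags enum; ToString() yields "CreateChild, DeleteChild".
            $granted = $ace.ActiveDirectoryRights.ToString() -split ', '
            $control = @($granted | Where-Object { $_ -in $ControlRights })
            if ($control.Count -eq 0) { continue }

            $appliesTo = if ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                         else { $ace.ObjectType.ToString() }

            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Principal   = $who
                Rights      = ($control -join ', ')
                AppliesTo   = $appliesTo
                Inheritance = $ace.InheritanceType
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage: list delegations per OU, most specific grants first.
Get-OUDelegationReport | Sort-Object OU, Principal | Format-Table -AutoSize
```

Reviewing the output against the intended delegation model (who is supposed to manage which OU, and whether the grant is limited to specific object classes or attributes via AppliesTo) is the practical check that the ACL-based control the article describes matches what was designed.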
How much do you know about Active Directory? Find out with this Active Directory quiz on the service's basics, structure and capabilities.
By Stephen J. Bigelow. Published: 17 Oct 2018
Administrators need to know the ins and outs of Active Directory to maintain order over the vast resources within their enterprise network. This Active Directory quiz will put your knowledge to the test.
Active Directory centralizes the creation, access and management of a wide array of objects, such as users, groups, computers and printers. Each object can be associated with detailed metadata, such as object names, descriptions and attributes.
How well do you really know this Windows Server feature? Take this Active Directory quiz to check your knowledge of Active Directory and its application in the enterprise.