Active Directory components



Schema

Simply the directory’s internal structure. It defines the relationships between classes of objects, and
the attributes each class of object is allowed to have (eg. an object of class Computer can have
attributes like Name, IP address, etc.). Just like in object-oriented languages, classes inherit
attributes from higher-level classes. All the domains in a forest share a common schema. It is not
possible to merge multiple forests or schemas. When two companies merge (ie. each has its own AD
forest of domains), the best thing to do is use third-party tools to move objects from one forest into
the other. A less ideal solution is to use non-transitive trust relationships to link the two forests.


NT4 used the LMHOSTS file, a WINS server, and broadcasts to find other hosts. Windows 2000 relies on
DNS to locate resources, eg. DCs. To prevent clients from being authenticated by DCs in remote sites,
make sure that DCs for the domain in question are available in each location.

Directory replication

All DCs in a forest have up-to-date information through the Update Sequence Number (USN), so
only changes are replicated instead of the entire DIT. Three replication naming contexts are used to
replicate domain and AD information between DCs: domain naming context (DIT changes to DCs
within one domain), schema naming context (schema information to all DCs within a forest), and
configuration naming context (configuration information such as replication topology to all DCs in a

Distributed File System (DFS)

Clients can be redirected to shared folders at their own site, if available.

Directory Information Tree (DIT)

A replacement for the SAM. Based on MS Jet, the same database engine used by Exchange. The
database is %systemroot%\ntds\ntds.dit. Its contents are replicated on all the DCs in a domain.


Groups

NT4 only had local and global groups. W2K offers global and domain local groups, as well as universal
groups. Universal groups are available only in W2K DCs running in native mode. Universal groups
can contain global groups and other universal groups from any domain in the forest.


Forest

A forest contains either a single domain tree or a set of domain trees that have different
namespaces (eg.,, etc.) but trust each other at the root through Kerberos.
When you install a new DC, you are asked whether it will be a DC in a new forest, or it will be an
additional DC in an existing forest. All domains in a tree share a common schema.

Domain

All domain controllers in a domain replicate information to each other. For backward compatibility,
AD domains can still be reached through the familiar 15-character NetBIOS name, but W2K domains
actually live in the DNS, eg. A domain name cannot be changed afterwards without
a lot of work. Likewise, a DC cannot have its name changed; a solution is to have it demoted to
non-DC status (ie. member server) using DCPROMO.EXE, and then change its name.

Domain tree

A domain tree lives in a forest, and contains a domain and sub-domains that trust one another and
belong to a continuous namespace.

Organization Units (OU)

A container object used to delegate administrative duties to a sub-group of users in a Win2K domain.
While the domain was the unit of delegation in NT4, it is the OU in Win2K. With OUs, you no longer
need resource domains, as the objects they contained can be moved to an OU after being upgraded.

Site

A set of IP subnets that are connected with high-speed links, ie. a LAN. Grouping servers in a site
offers the benefit of lowering WAN traffic by keeping authentication requests and DC replications in
the local network (intra-site replication), something which was difficult to do with NT4 since it didn’t
have any idea about where DCs were physically located. Site-aware clients use the DNS to find DCs
that live in their subnet. Use the AD Sites & Services applet to define sites manually.
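The subnet-to-site lookup described above, as an added example that is not part of the original page. It is a simplified model: the subnet table, site names and the domain corp.example.com are constructed, and the SRV record names follow the standard DC locator naming under _msdcs. It also lists clients that fall in no defined subnet, which is the case where authentication can land on a DC in a remote site.

```python
import ipaddress

# Constructed subnet-to-site table, as it would be defined in AD Sites & Services.
SUBNETS = {
    "10.1.0.0/16": "Paris",
    "10.1.50.0/24": "Paris-Lab",
    "10.2.0.0/16": "Lyon",
}


def site_for(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def dc_srv_queries(ip, domain, subnets=SUBNETS):
    """SRV names to try for a DC: site-specific first, then domain-wide."""
    names = []
    site = site_for(ip, subnets)
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    # Fallback: any DC in the domain, whatever its site.
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def unmapped_clients(ips, subnets=SUBNETS):
    """Clients in no defined subnet; they have no site-local DC to prefer."""
    return [ip for ip in ips if site_for(ip, subnets) is None]


if __name__ == "__main__":
    for ip in ("10.1.50.7", "10.2.9.9", "192.168.0.1"):
        print(ip, site_for(ip), dc_srv_queries(ip, "corp.example.com"))
    print("unmapped:", unmapped_clients(["10.1.1.1", "172.16.0.5"]))
```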
Mixed and native modes
A W2K domain running in mixed mode can contain W2K DCs and NT4 BDCs. A W2K DC running in
native mode only works with other W2K DCs.

Trust relationships

Win2K uses Kerberos as its default authentication protocol, and this means that trusts are transitive:
you do not need to set up a mesh of relationships to have sub-domains trust each
other. Thus, a domain tree is a set of sub-domains that trust each other and that belong to a
continuous namespace (eg.,, and

Global Catalog servers

A Global Catalog is an index of objects in an AD forest, but contains only a subset of each object’s
attributes. Its role is to minimize the time it takes to locate an object that lives in another domain in
the forest. In Exchange 2000, the GC replaces the Global Address List.

At least one GC server is needed in each network for clients to authenticate to the AD domains.
While most domain information is replicated on all the DCs that belong to a domain, AD replicates
the GC to all the DCs that belong to the forest.

The first DC in a domain is automatically designated as a Global Catalog server, but any DC can act
as a GC server. Each GC server has write-access to three directory partitions: the domain directory
partition (includes users, computers, etc.), the schema directory partition (schema container, which
includes classes and attributes), and the configuration directory partition (configuration objects for
the entire forest, eg. sites, services, etc.). In addition, each GC server has read-only access to some
of the attributes contained in other directory partitions. Use AD Sites & Services to manually
specify other DCs to be GC servers.

When adding a new domain to a forest, information about this new domain is added to the GC server
in the configuration directory partition, and this data is replicated onto all other GC servers in the
forest. It is precisely because each GC server contains data about all the domains that live in a
forest that a developer can obtain information about any object in any domain. If a GC is queried on
the LDAP port (389) and cannot find the requested information in its domain in the three directory
partitions, the request is referred, through an LDAP referral, to a GC in a different domain that might
have the answer. On the other hand, if a GC server is queried on port 3268 (default for GC), the
search will include all directory partitions in the forest and will be performed by a single GC instead
of prompting a different GC in each domain.

Making every DC a GC server uses a lot of network bandwidth. Each location should have a DC and
a GC, and only send queries through the WAN if local servers are kaput. Theoretically, GC servers are
not needed in a single-domain forest, but some applications are hard-coded to query GC
servers no matter what.

Administrative rights can be delegated to sub-domains, ie. Organization Units (OUs). In Win2K, the
OU is the unit of delegation, while it was the domain in NT4.
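The difference between querying a GC server on port 389 and on port 3268, described in the Global Catalog section above, as an added example that is not part of the original page. It is a toy in-memory model, not a real LDAP client: the two-domain forest, the object names and the GC_ATTRS subset are all constructed assumptions.

```python
LDAP_PORT, GC_PORT = 389, 3268

# Assumed subset of attributes published to the Global Catalog (constructed).
GC_ATTRS = {"cn", "mail"}

# Constructed forest: domain -> {DN: full attribute set held by that domain's DCs}.
FOREST = {
    "corp.example.com": {
        "CN=alice,DC=corp,DC=example,DC=com": {
            "cn": "alice", "mail": "alice@example.com",
            "description": "Finance analyst",
        },
    },
    "emea.corp.example.com": {
        "CN=bob,DC=emea,DC=corp,DC=example,DC=com": {
            "cn": "bob", "mail": "bob@example.com",
            "description": "Plant operator",
        },
    },
}


def search(server_domain, port, cn):
    """Look up cn on a GC server in server_domain; return (hits, referrals)."""
    if port == GC_PORT:
        # Forest-wide search answered by one server, GC attribute subset only.
        hits = [
            (dn, {k: v for k, v in attrs.items() if k in GC_ATTRS})
            for objects in FOREST.values()
            for dn, attrs in objects.items()
            if attrs["cn"] == cn
        ]
        return hits, []
    if port != LDAP_PORT:
        raise ValueError(f"unexpected port {port}")
    # Port 389: only the server's own domain, with full attributes.
    hits = [
        (dn, dict(attrs))
        for dn, attrs in FOREST[server_domain].items()
        if attrs["cn"] == cn
    ]
    # Nothing found locally: the client is referred to the other domains.
    referrals = [] if hits else [f"ldap://{d}" for d in FOREST if d != server_domain]
    return hits, referrals


if __name__ == "__main__":
    print(search("corp.example.com", LDAP_PORT, "bob"))
    print(search("corp.example.com", GC_PORT, "bob"))
```

A tool that audits accounts across the forest through port 3268 sees every domain in one query but not attributes outside the GC subset; the same tool on port 389 gets full attributes but has to follow referrals.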
