Active Directory Hierarchical Framework

Active Directory is a centralized database that contains user account and security information. In a workgroup, security and management take place on each computer, with each computer holding its own information about users and resources. With Active Directory, all computers share the same central database.

The Active Directory structure is a hierarchical framework with the following components:




A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure.

• Database information is replicated (shared or copied) within a domain.

• Security settings are not shared between domains.

• Each domain maintains its own set of relationships with other domains.

• Domains are identified using DNS names. The common name is the domain name itself. The distinguished name includes the DNS context or additional portions of the name.

• Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains.


Within Active Directory, each resource is identified as an object. Common objects include:




Shared folders

You should know the following about objects:

• Each object contains attributes (i.e. information about the object such as a user's name, phone number, and email address), which are used for locating and securing resources.

• The schema identifies the object classes (the types of objects) that exist in the tree and the attributes (properties) of each object.

• Active Directory uses DNS for locating and naming objects.

• Container objects hold or group other objects, either other containers or leaf objects.


Organizational Unit (OU)

An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit:

• Is a container object.

• Can be used to logically organize network resources.

• Simplifies security administration.

You should know the following about OUs:

• First-level OUs can be called parents.

• Second-level OUs can be called children.

• OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).
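The domain naming rules above (DNS name, common name, distinguished name) and the OU nesting just described meet in the distinguished name of an object. The following is an added example, not code from the original page: it converts a DNS domain name into its DC= components, builds the DN of an object held in a chain of OUs, and parses a DN back, escaping separators so that a comma inside a user's name cannot be mistaken for a component boundary. The domain corp.example.com, the OU path and the user name are constructed sample values.

```python
"""Build and parse Active Directory distinguished names (DNs).

Added example, not code from the original page. corp.example.com, the OU
path ["Users", "Sales"] and the user "Smith, Alice" are constructed samples.
"""
from typing import List, Tuple


def dns_to_dn(dns_name: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com (the domain's DN)."""
    labels = [label for label in dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def escape_rdn_value(value: str) -> str:
    """Escape characters that are special inside an RDN value (RFC 4514), so a
    comma or other separator in a name is not parsed as a DN boundary."""
    specials = ',+"\\<>;'
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in specials or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def object_dn(common_name: str, ou_path: List[str], dns_domain: str) -> str:
    """Build the DN of an object held in a chain of OUs.

    ou_path runs from the top-level (parent) OU down to the OU holding the
    object: ["Users", "Sales"] means OU=Sales sits inside OU=Users. A DN lists
    the most specific component first, so the path is emitted in reverse.
    """
    parts = [f"CN={escape_rdn_value(common_name)}"]
    parts += [f"OU={escape_rdn_value(ou)}" for ou in reversed(ou_path)]
    parts.append(dns_to_dn(dns_domain))
    return ",".join(parts)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes
    so that an escaped comma inside a value does not start a new component."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def dn_to_dns(dn: str) -> str:
    """Recover the DNS domain name from the DC= components of a DN."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def ou_chain(dn: str) -> List[str]:
    """Return the OUs an object sits in, from the top-level OU down."""
    return [value for attr, value in parse_dn(dn) if attr == "OU"][::-1]


if __name__ == "__main__":
    dn = object_dn("Smith, Alice", ["Users", "Sales"], "corp.example.com")
    print(dn)  # CN=Smith\, Alice,OU=Sales,OU=Users,DC=corp,DC=example,DC=com
    print(parse_dn(dn))
    print(dn_to_dns(dn), ou_chain(dn))
```

The escaping step is the part worth keeping in mind when DNs are built from user-supplied attributes: without it, a display name containing a comma silently changes where the directory thinks the object lives.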



Like OUs, generic containers are used to organize Active Directory objects. Generic container objects:

• Are created by default.

• Cannot be created, moved, renamed, or deleted.

• Have very few editable properties.

Trees and Forests


Multiple domains are grouped together in the following relationships:

• A tree is a group of related domains that share the same contiguous DNS name space.

• A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.

Trees and forests have the following characteristics:

• The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest.

• The tree root domain is the highest level domain in a tree.

• Each domain in the tree that is connected to the tree root domain is called a child domain.

• A domain tree is a group of domains based on the same name space.

• Domains in a tree:

  o Are connected with a two-way transitive trust.

  o Share a common schema.

  o Have common global catalogs.
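To make the tree and forest relationships concrete, here is an added example (not the page's own code) that groups a forest's domains into trees by contiguous DNS namespace, identifies each tree root and the forest root, and traces the chain of two-way transitive trusts between any two domains. The forest (fabrikam.net as the forest root plus a second tree rooted at example.com) is constructed sample data, and the model keeps only the parent/child trusts inside a tree and the trusts between the forest root and the other tree roots, which is what the page describes; external and shortcut trusts are not modelled.

```python
"""Group forest domains into trees and trace transitive trust paths.

Added example, not the page's own code. The forest below is constructed
sample data.
"""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed sample forest: the first domain created is the forest root.
FOREST_ROOT = "fabrikam.net"
FOREST = [
    "fabrikam.net",
    "eu.fabrikam.net",
    "example.com",
    "corp.example.com",
    "sales.corp.example.com",
]


def parent_domain(domain: str, forest: List[str]) -> Optional[str]:
    """In a contiguous namespace a child's name is one label in front of its
    parent's name, so the parent is the name with the first label removed."""
    _, _, suffix = domain.partition(".")
    return suffix if suffix in forest else None


def tree_root(domain: str, forest: List[str]) -> str:
    """Walk up parent links until a domain with no parent in the forest."""
    while True:
        parent = parent_domain(domain, forest)
        if parent is None:
            return domain
        domain = parent


def build_trees(forest: List[str]) -> Dict[str, List[str]]:
    """Map each tree root domain to the domains of its tree, root first."""
    trees: Dict[str, List[str]] = {}
    for domain in forest:
        trees.setdefault(tree_root(domain, forest), []).append(domain)
    for members in trees.values():
        members.sort(key=lambda d: (d.count("."), d))  # fewest labels = root
    return trees


def trust_graph(forest: List[str], forest_root: str) -> Dict[str, Set[str]]:
    """Undirected trust edges: parent<->child inside a tree, and forest root
    <-> every other tree root. Transitive trust follows by walking the edges."""
    trees = build_trees(forest)
    if forest_root not in trees:
        raise ValueError(f"{forest_root} is not a tree root domain")
    adj: Dict[str, Set[str]] = {d: set() for d in forest}
    for domain in forest:
        parent = parent_domain(domain, forest)
        if parent:
            adj[domain].add(parent)
            adj[parent].add(domain)
    for root in trees:
        if root != forest_root:
            adj[root].add(forest_root)
            adj[forest_root].add(root)
    return adj


def trust_path(src: str, dst: str, forest: List[str],
               forest_root: str) -> Optional[List[str]]:
    """Shortest chain of trusts from src to dst, or None when no trust exists
    (for instance, a domain outside the forest)."""
    if src not in forest or dst not in forest:
        return None
    adj = trust_graph(forest, forest_root)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in sorted(adj[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


if __name__ == "__main__":
    for root, members in build_trees(FOREST).items():
        print(root, "->", members)
    print(trust_path("sales.corp.example.com", "eu.fabrikam.net", FOREST, FOREST_ROOT))
```

The path printed for the sample runs up one tree, across the forest root and down the other tree, which is the practical meaning of "two-way transitive": every domain in the forest reaches every other through the forest root, so the forest, not the domain, is the real security boundary.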



A domain controller is a server that holds a copy of the Active Directory database that can be written to. Replication is the process of copying changes to Active Directory between the domain controllers.

Sites and Subnets


Active Directory uses the following two objects to represent the physical structure of the network.

• A subnet represents a physical network segment. Each subnet possesses its own unique network address space.

• A site represents a group of well-connected networks (networks that are connected with high-speed links).

You should know the following about sites and subnets:

• Sites and subnets are used to manage Active Directory replication between locations.

• All Active Directory sites contain servers and site links (the connection between two sites that allows replication to occur).

• Site links are used by Active Directory to build the most efficient replication topology.

• A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization.

• Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask.

• Domain controllers are assigned to sites according to the location of their associated server object in Active Directory.
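The dynamic client-to-site assignment described above can be modelled directly. The following is an added example, not the page's own code: it holds a constructed subnet-to-site table, resolves a client address to its site by longest-prefix match (the rule that applies when one subnet object nests inside another), and lists clients that match no subnet at all. Such clients receive no site affinity and may end up authenticating against a domain controller in another location, so they are worth surfacing in a hygiene check. Site names, subnets and client addresses are sample values.

```python
"""Resolve client IP addresses to Active Directory sites.

Added example, not the page's own code. The subnet-to-site table and the
client addresses are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample table. In the directory these are the subnet objects
# under CN=Subnets,CN=Sites,CN=Configuration,<forest root DN>.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.0.0.0/8": "Default-First-Site-Name",  # coarse catch-all for unplanned ranges
    "10.1.0.0/16": "Paris",
    "10.1.200.0/24": "Paris-DMZ",             # nested inside 10.1.0.0/16
    "192.168.50.0/24": "Berlin",
    "2001:db8:10::/48": "Berlin",
}


def build_subnet_table(mapping: Dict[str, str]) -> List[Tuple[Network, str]]:
    """Parse the subnets and order them most-specific first so the first hit
    is the longest-prefix match. strict=True rejects host bits set in a CIDR."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip: str, table: List[Tuple[Network, str]]) -> Optional[str]:
    """Site of the client with this address, or None if no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr.version == network.version and addr in network:
            return site
    return None


def clients_without_site(ips: List[str],
                         table: List[Tuple[Network, str]]) -> List[str]:
    """Addresses that fall outside every defined subnet (no site affinity)."""
    return [ip for ip in ips if site_for_ip(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SUBNET_TO_SITE)
    # Constructed client addresses, e.g. from a logon report.
    clients = ["10.1.200.7", "10.1.3.4", "10.77.1.1", "172.16.0.1", "2001:db8:10::5"]
    for ip in clients:
        print(f"{ip:>16} -> {site_for_ip(ip, table)}")
    print("no site:", clients_without_site(clients, table))
```

Running the block shows 10.1.200.7 landing in Paris-DMZ rather than Paris because the /24 is more specific than the /16, while 172.16.0.1 falls through every subnet and is reported as having no site.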

The Active Directory database resides in a file called NTDS.dit. It is the physical database file in which all directory data is stored. This file consists of three internal tables:

• The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.

• The link table contains data that represents linked attributes, which contain values that refer to other objects in Active Directory.

• The security descriptor (SD) table contains data that represents inherited security descriptors for each object.

