Active Directory – Basics

Active Directory Terminology and explanations

Workgroup – A workgroup is basically one or more computers on a Windows network (LAN) that are not joined to a domain.

Domain – A domain is a collection of objects that share the same directory database.

Active Directory Domain Services – Active Directory Domain Services (AD DS) is a service that is integrated into the Windows Server operating system but is not automatically installed by default.

Site – Sites represent the physical structure or topology of your network. By definition, a site is a collection of well-connected subnets. In many cases, each branch office is set up as its own site.

Replication – Active Directory is designed as a multimaster replication system. This means you can perform a change, for example creating user Joe on domain controller A or domain controller B, and this change is replicated to the domain controller where you didn’t create the user. You can create, modify, and delete objects, and every change will replicate to each domain controller in the same site within 15 seconds (intrasite) and to domain controllers in different sites in as little as 15 minutes (180 minutes by default). Active Directory calculates its best replication path according to an advanced algorithm so that every domain controller receives the latest updates.
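The following PowerShell is an added example, not code from the original article: it lists the site topology and the intersite schedule described above, then checks one domain controller's replication partners and reports any partner pairs that have stopped replicating. It assumes the RSAT ActiveDirectory module and a domain-joined administrative session; the domain controller name dc01.bigfirm.com is a placeholder.

```powershell
# Added example: inspect replication topology and surface stalled partners.
# Assumes the RSAT ActiveDirectory module; 'dc01.bigfirm.com' is a placeholder DC.
Import-Module ActiveDirectory

# Sites, and the site links that join them. ReplicationFrequencyInMinutes is the
# intersite schedule (180 minutes unless an administrator lowered it).
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } }

# Per-partner status for one DC: when each partner last replicated successfully
# and how many consecutive failures it has accumulated since then.
$dc = 'dc01.bigfirm.com'
Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult

# Domain-wide view. A DC that stops replicating keeps serving stale passwords,
# group memberships and GPO links until it catches up, so any failure here is
# worth an alert rather than a note.
$failures = Get-ADReplicationFailure -Target $dc -Scope Domain
if ($failures) {
    $failures |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
} else {
    Write-Output 'No replication failures reported in the domain.'
}
```

Run it from a workstation with RSAT installed; `Get-ADReplicationFailure -Scope Domain` queries every DC in the domain, so it is the one to schedule as a recurring health check.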

Objects – In short, everything within Active Directory is an object. As an example, user Joe is an object. If you change his first name, you change a property of Joe that is saved in an attribute called First Name. Computer accounts, groups, organizational units, sites, IP subnets, and so on are likewise objects with properties.

Schema – The schema holds the classes for the objects you create. You can imagine the schema as a bunch of templates that you will use if you create user Joe. Active Directory needs to know what the user will look like, for example which properties it has, such as first name and last name. This is provided by the schema.
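To make the Objects and Schema entries concrete, here is an added PowerShell example (not from the original article) that reads the schema template for the user class, looks up the attribute the console labels "First Name", and then reads that attribute from the user object itself. It assumes the RSAT ActiveDirectory module; joe is the article's example user.

```powershell
# Added example: the schema template behind a user object, and the attribute
# that stores Joe's first name. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# The classSchema object for "user": the attributes a user object may carry
# directly. Parent classes (subClassOf) contribute more, such as givenName.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mayContain, systemMayContain, subClassOf
$userClass | Select-Object lDAPDisplayName, subClassOf
(@($userClass.mayContain) + @($userClass.systemMayContain)) | Sort-Object | Select-Object -First 15

# The attributeSchema object that the console shows as "First Name".
# isMemberOfPartialAttributeSet tells you whether the global catalog carries it.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=givenName))' `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet

# And the attribute on the object: changing it changes one property of Joe.
Get-ADUser -Identity joe -Properties givenName | Select-Object Name, givenName
```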

Group Policy – Group policies are used to configure settings for users and computers. They are very handy because you can configure one or more settings in one group policy and apply these settings to one or more users or computers by linking the GPO to the respective OU. You can link GPOs to sites, domains, and OUs.

Organizational Units – Organizational units, as the name implies, are used to organize objects in Active Directory, mainly user and computer objects. An OU is simply a container that holds similar objects. There are two main reasons for organizing things in Active Directory.

The first reason is to link Group Policy objects (GPOs), and the second is that you need an OU for delegation of control.
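The two reasons just given, linking a GPO and delegating control, look like this in PowerShell. This is an added example, not code from the original article: it assumes the RSAT ActiveDirectory and GroupPolicy modules and the AD DS command-line tools (for dsacls); bigfirm.com is the article's example domain, while the OU name Workstations, the GPO name and the group BIGFIRM\HelpDesk are placeholders.

```powershell
# Added example: create an OU, link a GPO to it, delegate one narrow right.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=bigfirm,DC=com'
$ouDN     = "OU=Workstations,$domainDN"

# 1. The OU. Protecting it means a mis-click in the console cannot delete it
#    together with every computer object beneath it.
New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. A GPO linked to the OU. Settings live in the GPO; the link decides where
#    they apply. Get-GPInheritance shows what the OU now receives and in what order.
$gpo = New-GPO -Name 'Workstation Baseline' -Comment 'Baseline settings for workstations'
New-GPLink -Guid $gpo.Id -Target $ouDN -LinkEnabled Yes | Out-Null
(Get-GPInheritance -Target $ouDN).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# 3. Delegation of control. Grant the help desk only the "Reset Password"
#    control-access right on user objects under this OU (/I:S = inherit to
#    subobjects) rather than full control over the OU.
dsacls $ouDN /I:S /G 'BIGFIRM\HelpDesk:CA;Reset Password;user'

# Verify what was granted. Unexpected write or control-access entries on OUs
# are a frequent source of privilege escalation and belong in regular review.
dsacls $ouDN | Select-String 'HelpDesk'
```

Delegating the single right rather than "Full Control" is the point of step 3: a compromised help-desk account can then reset passwords for users in this OU but cannot, for example, alter group memberships or move objects out of it.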

Default Domain Policy – The Default Domain Policy is created as soon as you create your first domain. This policy contains settings for users and computers that apply to the entire domain. It is important to understand that this policy is essential for your environment and should not be deleted. You can modify this policy, but we don’t recommend it. If you need to apply custom settings to the domain, you should create a new policy at the domain level and store your custom settings in your newly created policy.

Default Domain Controllers Policy – The Default Domain Controllers Policy is also a very important policy that is linked to the Domain Controllers container in your Active Directory. The settings configured in the Default Domain Controllers Policy are specific configurations that apply only to the domain controllers. If you promote a member server to a domain controller, this server is automatically placed into the Domain Controllers container. There are very few cases where you need to touch this policy.
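Because both default policies are meant to be left alone, a useful routine check is that they still exist, are still linked at their default scope, and have not been edited recently. The PowerShell below is an added example, not code from the original article; it assumes the RSAT ActiveDirectory and GroupPolicy modules. The two GUIDs are the fixed, well-known identifiers these policies have in every domain.

```powershell
# Added example: sanity-check the two default policies.
# Assumes RSAT ActiveDirectory + GroupPolicy modules, run as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$defaults = [ordered]@{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

foreach ($entry in $defaults.GetEnumerator()) {
    $gpo = Get-GPO -Guid $entry.Value -ErrorAction SilentlyContinue
    if (-not $gpo) {
        Write-Warning "$($entry.Key) is missing; dcgpofix can recreate it with default settings."
        continue
    }
    # The version counters climb on every edit. A recent ModificationTime or a
    # large version number on a policy nobody should touch deserves a look.
    [pscustomobject]@{
        Policy          = $entry.Key
        Modified        = $gpo.ModificationTime
        ComputerVersion = $gpo.Computer.DSVersion
        UserVersion     = $gpo.User.DSVersion
    }
}

# Expected links: Default Domain Policy at the domain root, Default Domain
# Controllers Policy at the Domain Controllers container.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced
(Get-GPInheritance -Target $domain.DomainControllersContainer).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced
```

Pair this with the article's advice: custom domain-wide settings go into a new GPO linked at the domain level, so that the default policies keep a known baseline you can compare against.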

Forest – A forest is a single instance of Active Directory. Within a forest you can have one or multiple domains that share the same schema. If you set up a single domain controller, you are basically creating the smallest forest possible. It is also called a single-domain forest. A forest is also referred to as a security boundary within which users, computers, and other objects are accessible.

Global Catalog – A global catalog contains information about each object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been enabled as global catalog servers, and its data is distributed through Active Directory replication. There is only one global catalog within a forest, but multiple copies of it.

Trust – A trust is a connection between domains that lets each access the other's resources, such as servers or applications. For example, this could be used if some users need to access file shares or intranet information in the other domain. If you install a domain and child domains, Active Directory automatically creates a transitive trust. This way you can access objects from the root domain in the child domains, and vice versa. If you need access to resources in another forest, you can create some form of trust to connect both forests.

Tree – If you build one or more domains within the same forest that have a contiguous namespace and/or share the same schema, you create a tree. A contiguous namespace is a domain that shares the same root domain name. For example, if the root domain is bigfirm.com, a possible contiguous namespace is marketing.bigfirm.com. An Active Directory tree is a collection of domains that are built in a transitive trust hierarchy.
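The Forest, Global Catalog, Trust and Tree entries above describe one structure from four angles; the added PowerShell example below (not code from the original article) maps all four for a live forest: the forest and its domains, each domain's parent and children, a forest-wide lookup through the global catalog port, and the trusts with the settings a defender reviews on them. It assumes the RSAT ActiveDirectory module; bigfirm.com and the user joe are the article's examples.

```powershell
# Added example: map forest, tree, global catalog and trusts.
# Assumes the RSAT ActiveDirectory module; 'joe' is the article's example user.
Import-Module ActiveDirectory

# Forest = the security boundary: one schema, one global catalog, any number
# of domains and trees.
$forest = Get-ADForest
$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster,
    @{ n = 'Domains';        e = { $_.Domains -join ', ' } },
    @{ n = 'GlobalCatalogs'; e = { $_.GlobalCatalogs -join ', ' } }

# Tree structure: a child such as marketing.bigfirm.com reports bigfirm.com as
# its parent; the root reports none.
foreach ($d in $forest.Domains) {
    Get-ADDomain -Identity $d |
        Select-Object DNSRoot, ParentDomain, @{ n = 'Children'; e = { $_.ChildDomains -join ', ' } }
}

# Global catalog: the same query against port 3268 searches every domain in the
# forest at once, but returns only attributes in the partial attribute set.
$gc = ($forest.GlobalCatalogs | Select-Object -First 1) + ':3268'
Get-ADUser -Filter "SamAccountName -eq 'joe'" -Server $gc |
    Select-Object DistinguishedName, UserPrincipalName

# Trusts: direction, type and transitivity, plus the two settings that bound
# what a trusted forest can assert. SID filtering (quarantine) discards SIDs
# from the other side that belong to this forest; selective authentication
# limits which resources trusted users may even attempt to reach.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication
```

Intraforest trusts (parent/child, tree root) are the automatic transitive trusts the Trust entry mentions; anything with IntraForest set to False was created by an administrator and is the kind of trust to review for SID filtering and selective authentication.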

SYSVOL – The SYSVOL shared folder is used to share information, such as scripts and elements of Group Policy objects, between domain controllers. SYSVOL and the Active Directory database and log files must be placed on an NTFS-formatted drive.
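An added PowerShell example (not from the original article) that checks the NTFS requirement just stated on a domain controller: it reads where SYSVOL, the NTDS database and its logs actually live from the Netlogon and NTDS service parameters, confirms each volume is NTFS, confirms the SYSVOL and NETLOGON shares exist, and lists who can write to SYSVOL. It assumes it is run locally on a domain controller with administrative rights.

```powershell
# Added example: verify SYSVOL/NTDS placement and SYSVOL share and ACL on a DC.
# Assumes execution on the domain controller itself as an administrator.
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$paths = [ordered]@{
    'SYSVOL'         = $netlogon.SysVol
    'NTDS database'  = $ntds.'DSA Database file'
    'NTDS log files' = $ntds.'Database log files path'
}

# Each path must sit on an NTFS volume.
foreach ($entry in $paths.GetEnumerator()) {
    $drive = (Split-Path -Qualifier $entry.Value).TrimEnd(':')
    $fs    = (Get-Volume -DriveLetter $drive).FileSystem
    [pscustomobject]@{
        Item       = $entry.Key
        Path       = $entry.Value
        FileSystem = $fs
        IsNTFS     = ($fs -eq 'NTFS')
    }
}

# Both shares must exist for clients to fetch GPO templates and logon scripts.
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path

# SYSVOL content is executed by every client in the domain, so write access
# should stay with the default administrative groups; anything else listed
# here is a finding.
Get-Acl $netlogon.SysVol |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```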
