Understanding domains in Active Directory Service
To help you plan your Windows 2000 Active Directory Service (ADS) upgrade from Windows NT 3.5, 3.51 or 4.0, this week we will take a look at the architecture of ADS Domains.
In ADS, the concept of "domain" remains. But domains in ADS are then further organized into "trees." Tree is a standard directory services term derived from the branching structure of the organization of objects within the directory. The starting point is called the "root."
ADS trees can be viewed in two ways: as the division of the namespace for the domain tree (this is the physical architecture of the directory); and as the trust relationships between domains or trees (this is the logical architecture of the directory).
In ADS, a domain is a partition - the smallest replicable division of a tree - in the namespace. All domain controllers (DCs) in a particular domain hold the entire directory for that domain, with identical databases. Objects are always replicated at the domain level: DCs never replicate objects to domain controllers in different domains. This makes a domain both a naming context and a partition in the namespace, and it defines the physical architecture of the tree.
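The partition boundary described above can be seen on a live domain controller. The following PowerShell is an added example, not code from the original newsletter; it uses the RSAT ActiveDirectory module, and the server name is a placeholder for one of your own DCs. One caveat the article glosses over: RootDSE also lists the configuration and schema naming contexts, which replicate to every DC in the forest, and a DC that is a global catalog additionally holds a partial, read-only copy of every other domain's partition. Only the domain partition itself follows the "full writable replicas stay inside the domain" rule.

```powershell
# Added example, not code from the original newsletter. Requires the RSAT
# ActiveDirectory module; the server name is a placeholder for one of your DCs.
Import-Module ActiveDirectory

function Get-DomainPartitionSummary {
    param([string]$Server)

    # RootDSE exposes the naming contexts this DC hosts. defaultNamingContext
    # is the domain partition the article calls the smallest replicable unit.
    $rootDse = Get-ADRootDSE -Server $Server
    $domain  = Get-ADDomain  -Server $Server
    $dcInfo  = Get-ADDomainController -Identity $Server -Server $Server

    [pscustomobject]@{
        DomainController       = $dcInfo.HostName
        DomainPartition        = $rootDse.defaultNamingContext
        ConfigurationPartition = $rootDse.configurationNamingContext   # forest-wide
        SchemaPartition        = $rootDse.schemaNamingContext          # forest-wide
        HostedPartitions       = $dcInfo.Partitions
        IsGlobalCatalog        = $dcInfo.IsGlobalCatalog   # GC = partial replicas of other domains
        # Every DC listed here holds a full, writable copy of the domain partition;
        # DCs belonging to other domains in the forest never appear in this list.
        DomainReplicaServers   = $domain.ReplicaDirectoryServers
    }
}

Get-DomainPartitionSummary -Server 'dc01.corp.example.com' | Format-List
```

Run it against a DC in each domain of the tree: DomainPartition and DomainReplicaServers change from domain to domain, while ConfigurationPartition and SchemaPartition stay the same everywhere, which is the practical difference between the domain partition and the forest-wide partitions.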
An Active Directory tree, then, contains a hierarchy of domains (a new concept: NT 4 domains are all peers, with no hierarchy) that have trust relationships with each other. Within a domain, you can further implement a hierarchy of organizational units. This creates two levels of hierarchy inside the tree: the hierarchy of the domains and the hierarchies of the organizational units (OUs) within the domains. The OU hierarchy inside a domain is independent - each domain can implement its own OU hierarchy.
This two-tiered hierarchical structure allows a great deal of flexibility in administering domain trees. For example, an entire domain tree can be owned and administered by a central IT team. The IT team can create the same OUs in all domains -- such as an IT OU where local IT user accounts reside, or a technical support OU for support employees. Additional OUs can be formed to meet users' needs in a particular domain.
In the headquarters domain, a human resources and a finance OU can be created. For a regional office domain, an OU for the office sales team can be created. Administrative rights for these particular OUs can be delegated to specific users or groups so that these users can administer their own areas without involving IT. And because these users have administrative rights only on their own OUs, they can never interfere with IT's global rights and responsibilities.
The flexibility in this logical architecture allows organizations to create an environment that mirrors the organization of the business. ADS supports either a centralized or a decentralized business model, as well as any combination of the two. For example, you can use the domain structure to provide a centralized framework, and then use the OU structure within domains to support decentralized operations.
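The layout the preceding paragraphs describe (the same baseline OUs in every domain, a domain-specific OU in a regional domain, and administration of that OU delegated to a local group) can be built and checked with the script below. It is an added example, not code from the original newsletter; it uses the RSAT ActiveDirectory module and the built-in dsacls tool, and the domain, OU and group names are placeholders.

```powershell
# Added example, not code from the original newsletter. Names are placeholders.
Import-Module ActiveDirectory

# 1. Central IT's baseline: the same OUs in every domain of the forest.
$standardOus = 'IT', 'Technical Support'
$forest = Get-ADForest
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($ouName in $standardOus) {
        $dn = "OU=$ouName,$($domain.DistinguishedName)"
        $exists = Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'" -Server $domain.PDCEmulator
        if (-not $exists) {
            New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
                -Server $domain.PDCEmulator -ProtectedFromAccidentalDeletion $true
        }
    }
}

# 2. A domain-specific OU: Sales in the regional office domain.
$regionDomain = Get-ADDomain -Identity 'region.corp.example.com'   # placeholder domain
$salesOu = New-ADOrganizationalUnit -Name 'Sales' -Path $regionDomain.DistinguishedName `
    -Server $regionDomain.PDCEmulator -PassThru
$salesAdmins = New-ADGroup -Name 'Sales OU Admins' -GroupScope DomainLocal `
    -Path $salesOu.DistinguishedName -Server $regionDomain.PDCEmulator -PassThru

# 3. Delegation: the group gets full control over user objects inside the Sales
#    OU and nothing above it. dsacls flags used:
#      /I:S      apply to sub-objects only (the OU itself stays with central IT)
#      GA;;user  generic all, scoped to inherited objects of class "user"
$grantee = "$($regionDomain.NetBIOSName)\$($salesAdmins.SamAccountName)"
dsacls $salesOu.DistinguishedName /I:S /G "${grantee}:GA;;user"

# 4. Check the delegation landed where intended: list the ACEs granted to the
#    group on the Sales OU. Any ACE for this group found on the domain root or
#    on the IT OU would mean the delegation was scoped too widely.
$pathsToCheck = @($salesOu.DistinguishedName, $regionDomain.DistinguishedName)
foreach ($path in $pathsToCheck) {
    $aces = (Get-Acl "AD:\$path").Access |
        Where-Object { $_.IdentityReference -eq $grantee } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
    "$path -> $($aces.Count) ACE(s) for $grantee"
    $aces | Format-Table -AutoSize
}
```

The check in step 4 is the part worth keeping around: delegation is easy to over-scope, and the only way to confirm that a group "has administrative rights only on its own OU" is to read the ACLs on the parent containers as well as on the OU itself. The `AD:` drive used by Get-Acl is created by the ActiveDirectory module for the domain you are logged on to; for a different domain in the forest, map it first with New-PSDrive.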
Care in planning your tree design is extremely important! In future newsletters we'll offer advice on planning your Active Directory structure, as well as how to re-organize your NT 4 domain structure for easy migration. In the next newsletter we will take a close look at the various parts of the tree and domain in ADS, a look at replication methods and a primer on ADS naming. Stay tuned!
Virtual Quill is a writing agency serving the computer and networking industries. If your target customer doesn't know your product, doesn't know its uses and doesn't know he needs it, he's not going to buy it. From books to reviews, marketing to manuals, VQ can help you and your business. Virtual Quill - "words to sell by..." Find out more at www.vquill.com, or by email at info@vquill.com.
