Introduction to Active Directory
Active Directory Hierarchies
Now that you understand the building blocks of Active Directory, you can start to understand how to build a hierarchy in Active Directory. One of the foundations of design for AD has been a flexibility to allow companies to build a structure which fits into their organization. This flexibility allows organizations of all sizes to use Active Directory to meet their needs.
Domains and OUs
The most basic design of an Active Directory is a single forest, single domain, no Organizational Unit design.
Basic AD Installation
For a small organization, this might be adequate, but almost every organization can benefit from some structure.
Creating multiple domains is not always the best design solution, so Microsoft created organizational units in Active Directory which can be nested to provide hierarchical control of your AD environment. It is a great idea to think about and map out your OU design before committing it into Active Directory.
Typically, companies design their OU trees based on either geographic separation (e.g. Americas, EMEA, PacificRim) or organizational design (e.g. Accounting, Marketing, Technology, Sales). There is no incorrect way to design your AD environment; however, consistency should be key. You shouldn’t mix the two design methods and have a top level Americas OU and a top level Sales OU. Doing so makes administration difficult as you won’t know where a particular salesperson’s account is.
Also, remember that OUs allow enterprise administrators to delegate administration responsibility to local teams. Building an effective OU design will allow you to properly delegate authority.
The other reason OUs are used is to apply policies. Policies are rules for security, access, and functionality which can apply to several different containers in Active Directory. Frequently, policies are applied by OU – so though you might be separated geographically (and therefore want to set up your structure based solely on geography), it might make more sense to set up your AD by organizational divisions. Why? Because if all of your marketing employees need the same software and settings, you will set up policies based on the department instead of the physical location of the employees.
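An added example (not part of the original tutorial): a small audit that reads account distinguished names and reports whether the top-level OUs mix the geographic and departmental schemes described above, and which accounts sit outside any OU. The sample DNs are constructed, the function names are hypothetical, and the two name sets are assumptions taken from the tutorial's own example OU names.

```python
from collections import defaultdict

# Assumed scheme lists, built from the OU names used as examples in the text.
GEOGRAPHIC = {"americas", "emea", "pacificrim"}
DEPARTMENTAL = {"accounting", "marketing", "technology", "sales"}

# Constructed sample input (leaf-first DNs, as a directory export would show them).
SAMPLE_DNS = [
    "CN=Ann Lee,OU=Sales,OU=Americas,DC=learnthat,DC=com",
    "CN=Raj Patel,OU=Marketing,OU=EMEA,DC=learnthat,DC=com",
    "CN=Smith\\, Jo,OU=Sales,DC=learnthat,DC=com",   # top-level Sales OU
    "CN=Temp User,CN=Users,DC=learnthat,DC=com",      # container, not an OU
]

def split_dn(dn):
    """Split a DN into (ATTR, value) pairs; a backslash escapes the next char."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [(a.strip().upper(), v.strip())
            for a, _, v in (p.partition("=") for p in parts)]

def ou_path(dn):
    """OU names from the top-level OU down to the object's parent OU."""
    return [v for a, v in reversed(split_dn(dn)) if a == "OU"]

def classify(ou_name):
    name = ou_name.lower()
    if name in GEOGRAPHIC:
        return "geographic"
    return "departmental" if name in DEPARTMENTAL else "unknown"

def audit(dns):
    """Report the scheme of each top-level OU and accounts outside every OU."""
    top, outside = defaultdict(list), []
    for dn in dns:
        path = ou_path(dn)
        (top[path[0]] if path else outside).append(dn)
    schemes = {name: classify(name) for name in top}
    mixed = len({s for s in schemes.values() if s != "unknown"}) > 1
    return {"schemes": schemes, "mixed": mixed, "outside_ou": outside}

if __name__ == "__main__":
    print(audit(SAMPLE_DNS))
```

Accounts listed under `outside_ou` are not reached by any OU-level delegation or policy, so they are worth reviewing along with a `mixed` result.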
Domain Trees
Once an organization becomes large and you cannot have the entire AD database replicated everywhere, it might make sense to move to a domain tree. A domain tree allows an organization to become more decentralized as it is more independent than using an OU tree.
Domain-wide policies can be changed per domain in a domain tree which is not possible with only an OU structure. Policies such as minimum and maximum password age, minimum password length, and account lockout are domain-wide policies and cannot be changed on a per-OU basis. By creating multiple domains, administrators can set these policies for each domain.
Domain Tree
In the illustration above, learnthat.com has a domain tree in the Active Directory domain.
Forest of Domain Trees
In more complex environments, a company may use multiple domain trees in a single forest. This might be a large operating company with multiple subsidiaries, each requiring its own domain. For example, ThatNetwork.com is the parent company and subsidiaries might include Learnthat.com, Romancetips.com, Exampractice.com. This structure makes sense if you have different administrative staff for each domain, along with different policies and different security requirements.
You can still set up trusts between the domains to allow users to authenticate for resources in either domain.
Multiple Forests
The last possibility is using multiple forests. This is the less frequent design choice, but can be used when you want an absolute separation for one reason or another. This structure is most often found when companies merge or in the case of acquisitions. In Windows 2003, you can set up forest trusts between forests to allow some access.
Wonderful tutorial. Thank u very much
Very good tutorial, it may help me land a job. I needed a brief overview, before a job interview. Thanks a bunch!
I am really glad to be on this site. Thank you very much and God Bless
I hit a jackpot….Yahooo..
Excellent tutorial. Real helpful to cover on the basics and build the knowledge. Thanks very much.
Am a student of MCITP. Can I download free material on AD, ADDS, ADFS, LDAP, ADLSet?
a stepping stone i just needed. tx a lot
I found it interesting and informative…Thank you so much..
beautiful tutorial , this is just great it really sets the stage for higher learning.
Thank you so muuuuuch…. this realli realli… helped for ma interview…. God bless… : )
Was a great tutorial, Learnt a lot and indeed its a step forward to get more… Thanks a lot
i really got lots of 9ledge from this site . gr888888888888888. God bless u.
very good
very interesting and helpful.
very nice tutorial
Wonderful! This will help me at my hopefully new job! My only request is that you expand the section on the actual interaction with AD. THAAANK YOUUU!
Very nice! This will help me in a job interview tomorrow. Cheers!
Good Job!!.. It’s really helpful.
Wonderful tutorial. Very helpful, thanks 🙂
Easy and to the point, good for beginner to get clear picture of AD. Cheers
This really helps a lot. Thanks.
thanks its a great helped
I thank you a bunch. It gave me a very clear idea about AD. God Bless.
thank u very much for the kind information
Excellent Job Done.
Thanks a lot for providing such useful information.
thank you !!!! very good tutorial
Wow, this is a wonderful tutorial,
Thank you soooo much. !
I am interested in learning Active Directory. So kindly help me out.
It is very helpful to understand the basic. Thanx a lot.
Is there any way how to get this downloaded? pls let me knw.. 🙂
nice article
Thank you, This was very informative. Just what I needed to better understand AD
I went through this in an hour! – Stupendous job! – Thanks much.
Superb tutorial… 🙂
A well structured sequential tutorial networking and AD services. Bravo Zulu!
Hey,
Is this downloadable in any way? Could really use it in my studies 🙂
Best Regards
awesome!!!!!!!!!!!! Thanks for the detailed information
thanks a lot. explained in a very simple and lucid way.
good tutorial.
really the teaching material very helpful thanks
Thank you very much for brilliant tutorial and such a resourceful site. Hats over
It’s helpful but i recommend you add a tutorial on Microsoft Exchange Server 2003 and Designing AD and Network Infrastructure to make it more complete for MCSE.
Thanks a lot was really helpful in understanding AD a bit more…
wonderful tutorial. thank you very much
Its wonderful doc.. especially on windows.. i suggest every one to go through it..
it was so wonderful tutorial….gave me a whole brief picture to AD…..in such good summary…thank you so much….hope i do get my 1st level help desk role now …cheers
Good Tutorial. Thanks a lot.
I am a beginner to AD, cause I’m trying to teach myself Windows server 2003 to prepare for Exam 70-290.
So far I am really pleased with what I’m reading cause it’s making me understand the concept of AD.
Could you please tell me if a CDrom or a DVD exist on this tutorial and how I can get it or is it possible to download or print this tutorial?
Thanks
It really helped thanks a lot
Very informative and easy to read. Thank-You! x
Good one. Thanks a ton!!!
Excellent work done on this website tutorial.
its brief, concise and hits on the point. I have had gone through couple of tutorials but this tutorial has wiped up all the misconceptions i had before.
Many thanks to all who have done exceptional work hard on this tutorial.
Thanks. this is a well prepared tutorial. easy to understand.
Great, i found it very informative and it has expanded my knowledge of AD.
Really nice. You did a great job. Congrats!
And thank you very much!!!
have some question here? what is the future of active directory in windows server 2003?
Fantabulous!!! Thanks to the mentor. Great Job!
thanks its complete tutorial for active directory
Thanks a lot! Really great and easy to understand article!
Fantastic!
really good tutorial for beginners for active directory, thanks
Very Exhaustive tutorial. A wonderful learning tool. Great Job.
I’m trying to understand Active Directory for an upcoming job interview. While Active Directory is not part of the job requirements, knowing a little more is a positive.
Thanks for this tutorial !
Brilliant tutorial, Thanks
Very good tutorial. Helped me a lot to understand the AD.
Great tutorial, needed to update myself with Server 2003 features.. good work!