Active Directory (AD) is the centralized database that Windows Server uses to store objects such as users, computers and groups. The database is a single file named NTDS.DIT, located by default at C:\Windows\NTDS\ntds.dit or wherever you chose during setup. That file holds every account's password hash, so a copy of it together with the SYSTEM registry hive is enough to recover all domain credentials offline; backups, snapshots and volume shadow copies of a domain controller therefore need the same protection as the domain controller itself. For replication and administration the directory is divided into 5 partitions (also called naming contexts) as shown in the figure. Strictly speaking the fifth, the global catalog, is not a partition of its own but a partial read-only copy of every domain partition in the forest.
1. Schema Partition: The schema partition holds the blueprint for every object that can be created in AD: the classes that define each object type and the attributes each class may carry. E.g. a user object has attributes like first name, last name, title etc. No matter how large the forest grows there is exactly one schema, and it is replicated to every domain controller in the forest. If the schema becomes corrupted, the whole forest is affected, which is why schema changes are restricted to members of Schema Admins and are made only on the DC holding the schema master role.
2. Configuration Partition: It contains configuration information for the entire forest, such as the list of domains, domain controllers, sites, site links and the registrations of all partitions. AD uses this container to build the replication topology. Like the schema, there is only one configuration partition and it is replicated to every domain controller in the forest.
3. Domain Partition: It contains the user objects, computer objects, groups and group policy objects that belong to one particular domain, so there is one domain partition per domain. In a multi-domain forest each domain has its own domain partition, which replicates only to the domain controllers of that domain (plus a partial copy to the global catalog, see below).
4. Application Partition: AD-aware applications can store their data in a partition of their own whose replication scope you choose: a named set of domain controllers rather than every DC of a domain. The standard example is AD-integrated DNS, which creates the DomainDnsZones partition (replicated to the DNS servers of one domain) and the ForestDnsZones partition (replicated to the DNS servers of the whole forest). Application partitions are never replicated to the global catalog.
5. Global Catalog Partition: The global catalog holds a copy of every object from every domain in the forest, but with only a subset of each object's attributes (the partial attribute set). It is mainly used to search for objects across the forest and to resolve universal group membership at logon. When you install AD, the first domain controller becomes a global catalog server (GC) by default, and you can enable the GC role on any other DC. The partial copies of the other domains' partitions replicate only between GC servers, and GC queries use LDAP port 3268 (3269 over TLS) instead of 389.
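The following PowerShell script is an added example and not code from the original post. It lists the naming contexts the answering DC holds, the crossRef objects that register every partition in the forest (with their systemFlags, which tell domain, application and schema/configuration partitions apart), the DCs that replicate each application partition, the DCs that are global catalogs, and which of a few attributes are in the GC's partial attribute set; finally it runs one search over the GC port to show that it spans every domain. It uses only System.DirectoryServices ([ADSI]/[ADSISearcher]), so no RSAT module is needed, and assumes a domain-joined host that can reach a DC on LDAP port 389 and GC port 3268.

```powershell
# Added example, not code from the original post: enumerate partitions,
# application-partition replica scopes, GC servers and the partial attribute set.
# Assumes a domain-joined host with reachability to a DC on 389 and 3268.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

"Domain NC        : $($rootDse.defaultNamingContext)"
"Configuration NC : $configNc"
"Schema NC        : $schemaNc"
"All NCs held by the DC answering this query (incl. application partitions):"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# When run on a DC itself, the registry tells you where its ntds.dit lives.
$ntdsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
if (Test-Path $ntdsKey) {
    "ntds.dit on this DC: $((Get-ItemProperty $ntdsKey).'DSA Database file')"
}

function Search-Ad([string]$BaseDn, [string]$Filter, [string[]]$Attrs, [string]$Scope = "Subtree") {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDn")
    $s.Filter      = $Filter
    $s.SearchScope = $Scope
    $s.PageSize    = 1000            # page results so sets larger than 1000 are not truncated
    [void]$s.PropertiesToLoad.AddRange($Attrs)
    $s.FindAll()
}

# Every partition in the forest is registered as a crossRef under CN=Partitions.
# systemFlags bits: 0x1 = is a naming context, 0x2 = is a domain partition,
# 0x4 = not replicated to the GC (set on application partitions).
"`nPartitions registered in CN=Partitions,$configNc"
foreach ($r in (Search-Ad "CN=Partitions,$configNc" "(objectClass=crossRef)" @("nCName","systemFlags","msDS-NC-Replica-Locations") "OneLevel")) {
    $nc    = [string]$r.Properties["ncname"][0]
    $flags = if ($r.Properties["systemflags"].Count) { [int]$r.Properties["systemflags"][0] } else { 0 }
    $kind  = if ($flags -band 0x2) { "domain" }
             elseif ($flags -band 0x4) { "application" }
             elseif ($flags -band 0x1) { "schema/configuration" }
             else { "foreign (not hosted in this forest)" }
    "  [$kind] $nc"
    if ($kind -eq "application") {
        # Replica locations are the NTDS Settings DNs of the hosting DCs;
        # the DC name is the second RDN of each DN.
        $hosts = $r.Properties["msds-nc-replica-locations"] | ForEach-Object { ($_ -split ",")[1] -replace "^CN=" }
        "      replicated to: $($hosts -join ', ')"
    }
}

# A global catalog's NTDS Settings (nTDSDSA) object has bit 0x1 set in options;
# the parent of that object is the server, so its RDN is the DC name.
"`nGlobal catalog servers:"
foreach ($r in (Search-Ad "CN=Sites,$configNc" "(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))" @("distinguishedName"))) {
    "  " + ((([string]$r.Properties["distinguishedname"][0]) -split ",")[1] -replace "^CN=")
}

# Objects from other domains exist in the GC with only the partial attribute
# set: the attributeSchema objects flagged isMemberOfPartialAttributeSet=TRUE.
$pas = @(Search-Ad $schemaNc "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" @("lDAPDisplayName") |
        ForEach-Object { [string]$_.Properties["ldapdisplayname"][0] })
"`n$($pas.Count) attributes are replicated to the GC. Spot check:"
foreach ($a in "sAMAccountName","mail","description","userPassword","unicodePwd") {
    "  {0,-16} {1}" -f $a, $(if ($pas -contains $a) { "in GC" } else { "domain NC only" })
}

# A search rooted at GC:// uses port 3268 and spans every domain in the forest.
# Grouping person objects by the DC= part of their DN shows that reach.
$gc = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$($rootDse.rootDomainNamingContext)")
$gc.Filter   = "(objectCategory=person)"
$gc.PageSize = 1000
[void]$gc.PropertiesToLoad.Add("distinguishedName")
"`nPerson objects visible through the GC, per domain:"
$gc.FindAll() | Group-Object { ([string]$_.Properties["distinguishedname"][0] -split ",DC=", 2)[1] } |
    ForEach-Object { "  DC=$($_.Name): $($_.Count)" }
```

Run it from an ordinary domain-joined workstation: everything it reads is world-readable to authenticated users, which is also why this is the first thing an attacker with a foothold does. The spot check makes the GC's limits concrete: password attributes such as unicodePwd are never in the partial attribute set, while sAMAccountName and mail are, so a GC query is enough to enumerate every account in the forest but not to read secrets.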
Logical components of AD
Domain: The first component that makes up AD is the domain. A domain is the replication boundary for the domain partition: the users, computers and groups of a domain replicate only among that domain's DCs, while the schema, configuration and global catalog are shared with the rest of the forest. A domain is an administrative and replication boundary but not a security boundary; Microsoft treats the forest as the security boundary, because trusts between the domains of one forest are transitive and a compromise of one domain's administrators endangers the others.
Tree: A tree is a collection of AD domains that share a common contiguous DNS namespace (e.g. corp.example.com with a child sales.corp.example.com). They share a common schema, configuration and global catalog. Each child domain is connected to its parent domain by an automatically created two-way transitive trust. The first domain in a tree is called the tree root.
Forest: A forest is a collection of trees that share a common schema, configuration and global catalog; the second tree can use a completely different namespace from the first. The first domain created in a forest is referred to as the forest root domain, and it is the home of the forest-wide groups Enterprise Admins and Schema Admins. Tree roots are joined to the forest root by two-way transitive trusts, so every domain in a forest trusts every other.
Most companies have a single-domain forest unless they have separate security or namespace requirements. A single domain is by itself also a tree and a forest.
Physical components of AD
Domain Controller: The server on which AD is installed (the server holding a copy of ntds.dit) is called a Domain Controller (DC). A single domain can have more than one DC, and each DC holds a writable copy of the database, with two exceptions: certain operations are performed only by the single holder of the relevant FSMO role (discussed later), and a read-only domain controller (RODC) holds a read-only copy that by default contains no password hashes. DCs perform authentication (Kerberos and NTLM) and supply the group memberships that resources use for authorization.
Global Catalog server: A DC that also maintains the global catalog, i.e. the partial read-only copies of the other domains' partitions.
Site: A site is defined as one or more well-connected, high-speed, reliable IP subnets. Clients use the subnet-to-site mapping to find a nearby DC, and replication between sites is compressed and scheduled over site links. E.g. if we have two offices in different geographical locations, we can define each location as a site to control the logon traffic and the replication traffic.
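As an added example for the logical and physical components above (not code from the original post), the following PowerShell walks forest, trees, domains and trusts, then domain controllers, global catalogs, RODCs, FSMO role holders, sites, subnets and site links. It uses the .NET System.DirectoryServices.ActiveDirectory classes, so no RSAT module is needed, and assumes a domain-joined host that can reach a DC of every domain in the forest; the RODC check relies on the PARTIAL_SECRETS_ACCOUNT bit (0x04000000) of userAccountControl because the .NET classes do not expose it.

```powershell
# Added example, not code from the original post: map forest/tree/domain/trust
# structure and DC/GC/RODC/FSMO/site/subnet layout. Assumes a domain-joined host
# that can reach a DC of every domain in the forest.

Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

"Forest             : $($forest.Name)  (mode $($forest.ForestMode))"
"Forest root domain : $($forest.RootDomain.Name)"
# The two forest-wide FSMO roles are each held by exactly one DC.
"Schema master      : $($forest.SchemaRoleOwner.Name)"
"Domain naming mstr : $($forest.NamingRoleOwner.Name)"

# Logical structure: a domain's tree is the domain at the top of its parent
# chain, and the forest is the collection of those trees.
"`nTrees and domains:"
foreach ($d in $forest.Domains) {
    $root = $d
    while ($null -ne $root.Parent) { $root = $root.Parent }
    $pos = if ($null -ne $d.Parent) { "child of $($d.Parent.Name)" } else { "tree root" }
    "  tree $($root.Name): $($d.Name)  [$pos, mode $($d.DomainMode)]"
    # The three domain-wide FSMO roles
    "      PDC emulator=$($d.PdcRoleOwner.Name)  RID master=$($d.RidRoleOwner.Name)  Infrastructure=$($d.InfrastructureRoleOwner.Name)"
}

# Trusts. ParentChild and TreeRoot trusts are created automatically and are
# two-way transitive; External and Forest trusts were added by an admin and
# are the ones to review when asking where the security boundary really is.
"`nTrusts:"
foreach ($t in $forest.GetAllTrustRelationships()) {
    "  forest trust: $($t.SourceName) -> $($t.TargetName)  $($t.TrustType), $($t.TrustDirection)"
}
foreach ($d in $forest.Domains) {
    foreach ($t in $d.GetAllTrustRelationships()) {
        "  $($t.SourceName) -> $($t.TargetName)  $($t.TrustType), $($t.TrustDirection)"
    }
}

# Physical structure: DCs per domain and whether each is a GC. .NET does not
# flag RODCs, so they are detected by the PARTIAL_SECRETS_ACCOUNT bit
# (0x04000000 = 67108864) in userAccountControl of the DC's computer object.
"`nDomain controllers:"
foreach ($d in $forest.Domains) {
    $rodcSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($d.Name)")
    $rodcSearch.Filter = "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=67108864))"
    [void]$rodcSearch.PropertiesToLoad.Add("dNSHostName")
    $rodcs = @($rodcSearch.FindAll() | ForEach-Object { [string]$_.Properties["dnshostname"][0] })
    foreach ($dc in $d.DomainControllers) {
        $copy = if ($rodcs -contains $dc.Name) { "read-only (RODC)" } else { "writable" }
        "  $($dc.Name)  ip=$($dc.IPAddress)  site=$($dc.SiteName)  $copy  GC=$($dc.IsGlobalCatalog())"
    }
}

# Sites, the subnets that map clients to them (this steers logon and
# replication traffic), and the site links with their replication cost/interval.
"`nSites:"
foreach ($s in $forest.Sites) {
    $subnets = ($s.Subnets | ForEach-Object { $_.Name }) -join ", "
    $servers = ($s.Servers | ForEach-Object { $_.Name }) -join ", "
    "  $($s.Name): subnets=[$subnets] servers=[$servers]"
}
"`nSite links:"
foreach ($sl in ($forest.Sites | ForEach-Object { $_.SiteLinks } | Sort-Object Name -Unique)) {
    $sites = ($sl.Sites | ForEach-Object { $_.Name }) -join ", "
    "  $($sl.Name): sites=[$sites] cost=$($sl.Cost) interval=$($sl.ReplicationInterval)"
}
```

Two things to look for in the output: any trust whose type is External or Forest (those extend the forest's security boundary to someone else's directory), and any subnet missing from the site list, because clients on an unmapped subnet fall back to an arbitrary DC and their logon traffic crosses the WAN.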
Active Directory Objects
User: Represents an individual. A user is a security principal: it can log on and can be granted permissions.
Group: A grouping of user, computer or other group accounts for management purposes and for assigning permissions in one place.
Organizational Unit (OU): An OU is a container to which you can add users, groups and computers. You can nest OUs inside an OU in a hierarchical manner to represent the business structure. OUs are used to functionally divide the users and to link group policies. You can also subdivide administration on an OU basis: permissions on an OU can be delegated to a team without making its members domain administrators.
Printer: A shared printer published in the directory so that clients can find it by searching.
Contact: Used to represent external people for the purpose of email (address lists). Contacts are not security principals: they have no SID, cannot log on and cannot be granted any permissions.
Published share: A shared folder published in the directory so that it can be located by searching rather than by server name.
InetOrgPerson: A user-like object class defined in RFC 2798 and used by other directory services such as Novell eDirectory and Unix/OpenLDAP. AD includes it so that accounts migrated from or synchronized with those directories can be represented and can interact with them.
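As an added example for the object types above (not code from the original post), the following PowerShell resolves each type to the LDAP class the directory actually uses, counts them, and prints the OU tree together with the number of linked GPOs and whether inheritance is blocked, which is what you need when checking where a policy or a delegation really applies. It uses [ADSISearcher] only, so no RSAT module is required, and assumes a domain-joined host; the counts and OU names are whatever your own directory contains.

```powershell
# Added example, not code from the original post: count each object kind by its
# LDAP class and print the OU tree with GPO links. Assumes a domain-joined host.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext

function Search-Domain([string]$Filter, [string[]]$Attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
    $s.Filter   = $Filter
    $s.PageSize = 1000          # page results so sets larger than 1000 are not truncated
    [void]$s.PropertiesToLoad.AddRange($Attrs)
    $s.FindAll()
}

# objectCategory is single-valued and indexed, so it is the efficient selector
# for a kind of object. objectClass is multi-valued and also lists parent
# classes: inetOrgPerson and computer both derive from user, and user,
# inetOrgPerson and contact all have objectCategory=person, so the filters
# below are written to keep those apart.
$kinds = [ordered]@{
    "User"            = "(&(objectCategory=person)(objectClass=user)(!(objectClass=inetOrgPerson)))"
    "inetOrgPerson"   = "(objectClass=inetOrgPerson)"
    "Contact"         = "(&(objectCategory=person)(objectClass=contact))"
    "Computer"        = "(objectCategory=computer)"
    "Group"           = "(objectCategory=group)"
    "OU"              = "(objectCategory=organizationalUnit)"
    "Printer"         = "(objectCategory=printQueue)"
    "Published share" = "(objectCategory=volume)"
    "GPO"             = "(objectCategory=groupPolicyContainer)"
}
"Object counts in $domainNc"
foreach ($k in $kinds.Keys) {
    "  {0,-16} {1,6}" -f $k, @(Search-Domain $kinds[$k] @("distinguishedName")).Count
}

# OUs nest, so print them as a tree. gPLink lists the GPOs linked to the OU as
# [LDAP://<gpo dn>;<options>] entries, and gPOptions=1 blocks inheritance from
# parent OUs and the domain; both matter when reviewing where a policy applies.
$ous = Search-Domain "(objectCategory=organizationalUnit)" @("distinguishedName","gPLink","gPOptions") | ForEach-Object {
    $dn    = [string]$_.Properties["distinguishedname"][0]
    # RDNs of the OU chain, split on unescaped commas, then reversed so the
    # top-most OU comes first
    $parts = @($dn -split "(?<!\\),(?=OU=|DC=)" | Where-Object { $_ -like "OU=*" })
    [array]::Reverse($parts)
    $link  = if ($_.Properties["gplink"].Count) { [string]$_.Properties["gplink"][0] } else { "" }
    $opts  = if ($_.Properties["gpoptions"].Count) { [int]$_.Properties["gpoptions"][0] } else { 0 }
    [pscustomobject]@{
        Path    = $parts -join "/"                         # sort key: parents before children
        Depth   = $parts.Count - 1
        Name    = $parts[-1] -replace "^OU="
        Gpos    = ([regex]::Matches($link, "\[LDAP://")).Count
        Blocked = ($opts -band 1) -ne 0
    }
}
"`nOU tree (linked GPO count, inheritance):"
foreach ($ou in ($ous | Sort-Object Path)) {
    $flag = if ($ou.Blocked) { "inheritance BLOCKED" } else { "" }
    "  {0}{1}  gpos={2} {3}" -f ("  " * $ou.Depth), $ou.Name, $ou.Gpos, $flag
}
```

The class mapping is the part worth remembering: a filter of (objectClass=user) alone also returns every computer and inetOrgPerson object, and (objectCategory=person) alone also returns contacts, so scripts that enumerate "users" with either filter by itself silently over-count.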