Thursday, February 12, 2009

Active Directory

Introduction:
Active Directory is the directory service used on Microsoft Windows based computers and servers to store information about networks and domains. It holds the information that users and services look up over the network, such as accounts, computers and shared resources. It was announced in 1996 and first shipped with Windows 2000.
Active Directory (often referred to as AD) performs a variety of functions: it stores information about objects, organizes those objects for easy retrieval and access, allows access by end users and administrators, and lets the administrator set security on the directory and its contents.
Active Directory is a hierarchical structure, and this structure is usually described in three main categories: resources, which include hardware such as printers; services for end users, such as web and email servers; and objects, which represent the users, computers and security principals that make up the domain and network.
It is worth looking at how objects are organized. An object can represent a piece of hardware such as a printer, an end user, or a set of security settings defined by the administrator. Container objects can hold other objects, much like folders in a file system. Every object has a unique identifier (a GUID) and a distinguished name that records its position in the hierarchy. In addition, every object has attributes, which hold the information that characterizes it. The definitions of which object classes exist and which attributes each class may carry are collectively called the schema.
The schema determines how objects of each class can be used. For instance, schema objects themselves (class and attribute definitions) cannot be deleted once they have been created; they can only be deactivated. Ordinary objects can be deleted entirely, although some built-in objects are protected: a normal user object can be deleted, but the built-in Administrator account cannot.
When learning Active Directory, it is important to know the levels at which objects can be viewed. There are three such levels: forests, trees and domains. The highest structure is the forest, which encompasses every object in the directory.
Within the forest are trees, each of which holds one or more domains; further down the structure are the individual domains. To put forests, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest is the organization's entire directory: every domain, user and computer it contains. Within the forest are trees of domains, and within each domain are containers holding objects such as domain controllers, users, groups and computers. Those objects in turn carry attributes that can be controlled and categorized.
DIRECTORY SERVICE:
Active Directory is a full-featured directory service. But what is a directory service? Well, a directory service is actually a combination of two things – a directory, and services that make the directory useful. Simply, a directory is a store of information, similar to other directories, such as a telephone book. A directory can store a variety of useful information relating to users, groups, computers, printers, shared folders, and so forth – we call these objects. A directory also stores information about objects, or properties of objects – we call these attributes. For example, attributes stored in a directory for a particular user object would be the user’s manager, phone numbers, address information, logon name, password, the groups they are a part of, and more.
To make a directory useful, we have services interact with the directory. For example, we can use the directory as a store of information against which users are authenticated, or as the place we query to find information about an object. I could query a directory to show me all the color printers in the Frankfurt office, the phone number of Bob in the Delhi office, or a list of all user accounts whose first name starts with the letter ‘G’. In Windows 2000, Active Directory is responsible for creating and organizing not only these smaller objects, but also larger objects – like domains, organizational units, and sites. In order to fully comprehend what Active Directory is all about, we need to take an initial look at a number of concepts. A deeper discussion on Active Directory will be covered once we get to the AD Implementation and Administration portion of the series.
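The three queries above are, in practice, LDAP search filters. The following is an added example (not part of the original post) that builds those filters in Python rather than PowerShell so it runs without a domain controller; the attribute names it uses (printColor, location, physicalDeliveryOfficeName, givenName, telephoneNumber, objectCategory) are assumed from the default AD schema. The security point it shows is that every value taken from a user must be escaped per RFC 4515, otherwise a crafted name such as "*)(objectClass=*" turns a name lookup into a dump of the whole directory.

```python
# Added example: LDAP search filters for the queries in the text, with
# RFC 4515 escaping of user-supplied values. Attribute names are assumed
# from the default Active Directory schema; nothing here contacts a server.

# RFC 4515 requires these characters inside an assertion value to be
# encoded as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """(attr=prefix*): the trailing wildcard is ours, never the caller's."""
    return f"({attr}={escape_filter_value(prefix)}*)"


def all_of(*terms: str) -> str:
    """AND the given filter terms together."""
    return "(&" + "".join(terms) + ")"


# objectClass=user alone also matches computer accounts (computer is a
# subclass of user); objectCategory=person narrows it to people.
def user_objects() -> tuple[str, str]:
    return equals("objectCategory", "person"), equals("objectClass", "user")


def color_printers_in_office(office: str) -> str:
    # printQueue objects describe shared printers; printColor is TRUE for
    # colour-capable queues (assumed attribute names).
    return all_of(equals("objectClass", "printQueue"),
                  equals("printColor", "TRUE"),
                  equals("location", office))


def phone_of_user_in_office(first_name: str, office: str) -> str:
    # The caller would ask the server to return only telephoneNumber.
    return all_of(*user_objects(),
                  equals("givenName", first_name),
                  equals("physicalDeliveryOfficeName", office))


def users_whose_first_name_starts_with(letter: str) -> str:
    return all_of(*user_objects(), starts_with("givenName", letter))


if __name__ == "__main__":
    print(color_printers_in_office("Frankfurt"))
    print(phone_of_user_in_office("Bob", "Delhi"))
    print(users_whose_first_name_starts_with("G"))
    # Hostile input: the parentheses and '*' are encoded, so the filter still
    # compares givenName to a literal string instead of matching every object.
    print(users_whose_first_name_starts_with("*)(objectClass=*"))
```

Any LDAP client (ldapsearch, the ldap3 Python module, or PowerShell's Get-ADObject with -LDAPFilter) accepts the resulting strings as the search filter; the escaping function is the part worth reusing.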
HIERARCHY OF AD (OBJECT VIEW)
The structure of the Active Directory is a hierarchy, and before installing and implementing the Active Directory, you must have a firm understanding of the structure as well as the components that make up the Active Directory. You will use this hierarchy design to build the Active Directory infrastructure for your organization, so it is important that you have a firm grasp of their meaning and place in the hierarchy before you begin planning. The following sections explore the components in the hierarchy structure.
Object
An Active Directory object represents a resource of some kind on the network. Common Active Directory objects are users, groups, computers, printers, shared folders, applications, databases, contacts, and so forth. Each object is defined by a set of "attributes." An attribute is a quality that helps define the actual object. For example, a user object could have attributes of a username, actual name, and email address. The attributes allowed for each kind of object are defined in the Active Directory schema. The attributes define the object itself and allow users to search for the particular object.
Organizational Unit
An organizational unit (OU) is like a file folder in a filing cabinet. The OU is designed to hold objects (or even other OUs). It has attributes like any object, but no functionality on its own. As with a file folder, its purpose is to hold other objects. As the name implies, an OU helps you "organize" your directory structure. For example, you could have an Accounting OU that contains other OUs, such as Accounting Group A and Accounting Group B, and inside those OUs can reside the objects that belong there, such as users, groups, computers, printers, etc. OUs are administrative boundaries: control over an OU can be delegated to a particular group of administrators and Group Policy can be linked to it, which is why OUs replace the many resource domains that were common in Windows NT networks. They are not security boundaries, however; a domain administrator can always reach into every OU in the domain.
Domain
By definition, a domain is a logical grouping of users and computers. A domain typically resides in a localized geographic location, but this is not always the case. A domain is more than a logical grouping: it is an administrative and policy boundary with its own account database, and in Windows NT it was the security boundary. You can think of a network with multiple domains as being like a residential neighborhood. All of the homes make up the neighborhood, but each home holds certain objects inside and keeps others out. Each domain can have its own security policies and can establish trust relationships with other domains. The Active Directory is made up of one or more domains. One caveat matters for security planning: in Active Directory the real security boundary is the forest, not the domain, because every domain in a forest shares the schema and configuration and trusts every other domain, so an administrator of one domain can affect the others. All domains in a forest share one schema, which is the set of object class and attribute definitions. The schema determines how objects are defined within the Active Directory. The schema itself resides within the Active Directory and can be extended while the directory is running.
Tree
The hierarchy structure of the domain, organizational units, and objects is called a tree. The objects within the tree are referred to as endpoints, while the OUs in the tree structure are nodes. In terms of a physical tree, you can think of the branches as OUs or containers and the leaves as objects; an object is the natural endpoint of a node within the tree.
Domain Trees
A domain tree exists when several domains are linked by trust relationships and share a common schema, configuration, and global catalog. The parent-child trusts within a tree are two-way and transitive, and authentication across them uses the Kerberos protocol. Transitive means that if domain 1 trusts domain 2 and domain 2 trusts domain 3, then domain 1 trusts domain 3. A domain tree also shares a contiguous namespace. A contiguous namespace follows the same DNS naming hierarchy within the domain tree. For example, if the root domain is smithfin.com and domain A and domain B exist in the domain tree, the contiguous namespace for the two would be domaina.smithfin.com and domainb.smithfin.com. If domain A resides in smithfindal.com and domain B resides in the smithfin.com root, then the two would not share a contiguous namespace.
Forest
A forest is one or more domain trees. The trees in a forest share a common schema, configuration, and global catalog, but different trees do not share a contiguous namespace. All domains in the forest trust each other through two-way transitive Kerberos trusts. The forest takes its name from the first domain created in it, the forest root domain; the root of every other tree is joined to the forest root by a tree-root trust. For example, smithfin.com with its children domaina.smithfin.com and domainb.smithfin.com is one tree; if corp.com and production.corp.com were added as a second tree, the two trees together would form a forest whose root is smithfin.com.
Site
A site is not actually considered a part of the Active Directory hierarchy, but is configured in the Active Directory for replication purposes. A site is defined as one or more well-connected TCP/IP subnets, typically a single physical location, containing Active Directory servers. Well-connected means that the network connection between those subnets is highly reliable and fast. Administrators use the Active Directory to configure replication between sites. Users do not have to be aware of site configuration. As far as the Active Directory is concerned, users only see domains.
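The hierarchy above is encoded in every object's distinguished name (DN): the CN and OU components give its place in the domain, and the DC components give the DNS name of the domain, which in turn tells you which tree it belongs to. The following is an added example (not part of the original post) in Python that parses a DN and groups a forest's domains into trees by contiguous namespace. The domain names are the ones used on this page; the escaped-comma DN is constructed for illustration.

```python
# Added example: locate an object in the AD hierarchy from its DN, and group
# a list of domain DNS names into trees by contiguous namespace.
# Domain names are the page's examples; the sample DNs are constructed.


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs, honouring backslash escapes such
    as 'CN=Smith\\, Bob', where the comma is part of the value. The escape
    is kept in the value so the RDN can be re-emitted unchanged."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parsed.append((attr.strip().upper(), value))
    return parsed


def domain_of(dn: str) -> str:
    """DNS name of the domain holding the object (its DC= components)."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")


def ou_path(dn: str) -> list[str]:
    """OU containers from the domain root down to the object."""
    return [v for a, v in reversed(split_dn(dn)) if a == "OU"]


def group_into_trees(domains: list[str]) -> dict[str, list[str]]:
    """Map each tree-root domain to the domains in its contiguous namespace.
    Roots (fewest labels) are placed first; a domain joins an existing tree
    when its name ends with '.<root>', otherwise it starts a new tree."""
    trees: dict[str, list[str]] = {}
    for d in sorted(domains, key=lambda name: name.count(".")):
        root = next((r for r in trees if d.endswith("." + r)), None)
        if root is None:
            trees[d] = [d]
        else:
            trees[root].append(d)
    return trees


if __name__ == "__main__":
    bob = "CN=Bob,OU=Sales,OU=EMEA,DC=domaina,DC=smithfin,DC=com"
    print(domain_of(bob), ou_path(bob))
    forest = ["domaina.smithfin.com", "smithfin.com", "domainb.smithfin.com",
              "smithfindal.com", "corp.com", "production.corp.com"]
    for root, members in group_into_trees(forest).items():
        print(root, "->", members)
```

Note that smithfindal.com lands in its own tree even though it looks similar to smithfin.com: contiguity is decided label by label, exactly as the text describes.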
TRUST
A domain controller uses trust relationships to decide whether an account from another domain may be authenticated for access to the resources it holds.
A trust has two independent properties:
- Direction. In a two-way trust, users in either domain can access resources in the other. In a one-way trust, only one domain trusts the other: users in the trusted domain can reach resources in the trusting domain, but not the reverse (for example, a resource domain that trusts an account domain).
- Transitivity. A transitive trust extends to every domain the trusted domain itself trusts, so a user may reach a domain several trust hops away. A non-transitive trust covers only the two domains that are directly joined.
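Direction and transitivity combine in ways that are easy to get wrong when reviewing a trust layout, so here is an added example (not part of the original post) in Python that models both and computes which domains will accept a user from a given domain. The domain names are the page's; the trust layout is assumed for illustration, and the model ignores SID filtering, selective authentication and shortcut trusts.

```python
# Added example: a simplified model of trust direction and transitivity.
# Domain names are the page's; the trusts below are an assumed layout.
from collections import deque


class Trust:
    """A one-way trust: 'trusting' accepts accounts from 'trusted'."""

    def __init__(self, trusting: str, trusted: str, transitive: bool):
        self.trusting = trusting      # domain holding the resource
        self.trusted = trusted        # domain whose accounts are accepted
        self.transitive = transitive


def two_way(a: str, b: str, transitive: bool = True) -> list[Trust]:
    """A two-way trust is simply a trust in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


# Assumed layout: one forest (smithfin.com with two child domains, joined by
# two-way transitive parent-child trusts) plus a one-way, non-transitive
# external trust in which smithfin.com trusts the separate domain corp.com.
TRUSTS = (
    two_way("smithfin.com", "domaina.smithfin.com")
    + two_way("smithfin.com", "domainb.smithfin.com")
    + [Trust("smithfin.com", "corp.com", transitive=False)]
)


def domains_accepting(user_domain: str, trusts: list[Trust] = TRUSTS) -> set[str]:
    """Domains whose resources a user from user_domain can authenticate to.
    A direct trust always counts. A chain of two or more hops counts only
    when every trust on the chain is transitive, so the search below walks
    transitive trusts only, and direct non-transitive ones are added once."""
    accepting = {t.trusting for t in trusts if t.trusted == user_domain}
    seen, queue = {user_domain}, deque([user_domain])
    while queue:
        d = queue.popleft()
        for t in trusts:
            if t.trusted == d and t.transitive and t.trusting not in seen:
                seen.add(t.trusting)
                accepting.add(t.trusting)
                queue.append(t.trusting)
    accepting.discard(user_domain)
    return accepting


def can_access(user_domain: str, resource_domain: str,
               trusts: list[Trust] = TRUSTS) -> bool:
    return resource_domain in domains_accepting(user_domain, trusts)


if __name__ == "__main__":
    for d in ("domaina.smithfin.com", "corp.com", "smithfin.com"):
        print(d, "->", sorted(domains_accepting(d)))
```

The interesting case is corp.com: its users reach smithfin.com through the external trust but not domaina.smithfin.com, because the external trust is non-transitive, and nothing in corp.com accepts smithfin.com users, because the trust is one-way.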
GOALS
The two primary goals are:
- USER
A user should be able to access resources throughout the forest using a single logon.
- ADMINISTRATOR
An administrator should be able to centrally manage both users and resources.
DESIGN GOALS OF THE ACTIVE DIRECTORY
The Active Directory's design goals are simple, yet very powerful, allowing Active Directory to provide the desired functionality in virtually any computing environment. The following list describes the major features and goals of the Active Directory technology.
Scalable — The Active Directory is highly scalable, which means it can function in small networking environments or global corporations. The Active Directory supports multiple stores, which are wide groupings of objects, and can hold more than one million objects per store.
Extensible — The Active Directory is "extensible," which means it can be customized to meet the needs of an organization.
Secure — The Active Directory is integrated with Windows 2000 security, allowing administrators to control access to objects.
Seamless — The Active Directory is seamlessly integrated with the local network and the intranet/Internet.
Open Standards — The Active Directory is based on open communication standards, which allow integration and communication with other directory services, such as Novell's NDS.
Backwards Compatible — Although Windows 2000 operating systems make the most use of the Active Directory, the Active Directory is backwards compatible for earlier versions of Windows operating systems. This feature allows implementation of the Active Directory to be taken one step at a time.
