Exam 70-297 – The Logical A.D. Structure Part II

For those of you who have worked with Windows NT and Windows 2000, you are probably familiar with the concept of domains. Domains are the core unit of an Active Directory structure and serve two main purposes: they establish security boundaries within a forest and also serve as a unit of replication.

Domains provide the means of establishing security boundaries within a forest. They ensure that administrators only have the rights to perform administrative tasks and manage resources within their own domain. The only way for an administrator to perform administrative tasks and manage resources in another domain is if they are explicitly granted the necessary rights and permissions to do so.

Each domain within a forest has its own local domain database. All domain controllers within the domain maintain a full working replica of the database. Any changes made to the database are replicated to all other domain controllers within the domain. The local domain database is not replicated to domain controllers in other domains although specific attributes for all objects in every domain are replicated to the Global Catalog server.

One of the first things most people do when they are managing objects of any kind is to look for ways to group them based on common attributes or common needs. Organization Units (OU) are containers objects used to logically organize objects within a domain for administrative purposes. OUs can contain objects such as printers, computers, user accounts, shares, or other OUs. Each domain within a forest can implement their own OU hierarchy that is completely independent of all others.

One of the main reasons for creating OUs to group objects is for delegation of control. Administrators within a domain no longer need to have sweeping control over all network resources. Instead, resources can be grouped into an OU and another user can be given delegation of control over the OU.

As you will see when you begin to look at the design aspects of Active Directory, OUs also eliminate the need of having to create multiple domains, for example, for each business unit. This was one of the limitations of Windows NT 4.0. There was no way to give a user or group administrative control without having to give them control over the entire domain. With Windows Server 2003 Active Directory, OUs make it easier to give a user limited administrative rights and permissions over certain objects or containers within a domain. OUs can be created within one domain for each business unit, for example and the appropriate users given administrative control over the OUs.