Welcome back to your free training course for Active Directory. In this video I will look into how Active Directory is represented in an enterprise environment. To make things simple, let's start with one network. In this network you have ITFreeTraining. All the users in ITFreeTraining can access resources in ITFreeTraining, assuming they have permission to do so. All the users in ITFreeTraining belong to the one domain. A domain is defined as a logical group of computers that share the same Active Directory database.
Regardless of how big your network is and how many places around the globe it is located in, when possible you want to keep your network to just one domain. In the real world this is not always possible. Active Directory in Windows Server 2008 can scale easily to millions of objects, but there are many reasons why you may have a network with more than one domain. These range from limitations in earlier versions of Active Directory to company structure and politics. Imagine that you had a secure department in your company that held all the intellectual property for the company. For maximum security the company puts the people who work in this department in their own domain and even hires their own IT support staff.

This separate department could be added to the original domain as a child domain. In this case the new child domain is called secure.ITFreeTraining.com. When you have two domains like these that share the same root name space, in this case ITFreeTraining.com, they are referred to as being in the same tree. ITFreeTraining is at the top of the tree, so it is considered to be the root domain. To illustrate this better, you could add yet another domain called sales. As long as sales shares the ITFreeTraining.com name space it is part of the tree. Under sales.ITFreeTraining.com you could even add additional child domains called east and west.
All these domains share the ITFreeTraining name space and thus are considered to be in the same tree in Active Directory. Each domain, however, has its own group of users and computers, and this means each domain has its own Active Directory database. The advantage of having domains like these in the same tree is that Active Directory will automatically create trusts between the child and parent domains. These trust relationships allow members of each domain to access resources in any other domain, assuming that they have access.

The next question is what would happen when you add another domain that has a different name space to the other domains. For example, if I added the domain highcosttraining.com. When this happens the new domain, High Cost Training, will be part of a new tree. I now have two trees, the ITFreeTraining tree and the High Cost Training tree. So far I have looked at the root domain and child domains in a tree, but there is one structure that links all these together, called a forest.
A forest encases multiple domains and trees in one structure. You don't have to have multiple domains and trees to have a forest. To illustrate this I will go back to my original example of one domain. As soon as you create your first domain, a forest is automatically created for that domain. When I added the two child domains to ITFreeTraining, these formed a tree in the one forest. The High Cost Training domain is then added and this forms another tree in the same forest. So why is there a need to have a forest?

All domains in a forest have something in common. They share what is called the schema. The schema defines the Active Directory database. It determines what can be stored in the database and the structure of that data. Each domain has its own copy of the database, but it is the schema that determines its design, and the schema is shared between all domains in the forest. When changes are made to the schema, these changes are replicated to every domain in the forest.
The advantage of having a forest is that all domains in a forest also have trust relationships generated automatically. As shown here, a user in High Cost Training could access a resource in east.ITFreeTraining.com. The trust relationship is automatically created between parent and child domains and between trees in the forest. Assuming the user in High Cost Training has access, they can access any resource in any domain in the forest.

This brings up the question: how does one find items in a forest? In order to find items in a forest you need an index. In any Active Directory forest there will be servers that provide an index for all items in the forest. These are called global catalog servers. There is at least one global catalog server per domain. Global catalog servers, or GCs, contain an index of every object in the forest. This is not a full copy of the object, but enough to allow a user to perform a search. For example, using a global catalog server you could search a forest for all the color printers. Since the global catalog contains the basic information about each object in the forest, a user can find this information quickly. The global catalog server does not contain any detailed information about the printer, but it can tell the user where this object is located in the forest. Think of a global catalog server like an index at a library. The index gives you an idea of what is in the book and, more importantly, where to find it if you want to know more.
The last example I want to show you is when another forest is added. This may occur if your company takes over another company that already has its own Active Directory infrastructure. Active Directory does support this, by an administrator manually creating a trust between the two forests. In this case there are two forests. Each forest has its own schema and each domain has its own copy of the Active Directory database.
In the real world you want to reduce the number of domains that you have to the bare minimum. Having one domain and one forest makes things a lot easier. In cases like these you don't have a choice: a separate company is going to have its own Active Directory forest regardless. In some cases you may need to create a separate forest. For example, if you are testing an application that makes changes to the schema, you may decide to put it in its own forest. By doing this you can be assured the testing of the application does not make permanent changes to the production network. That's it for forests, trees and domains.
In the next video I will look at the system requirements to install your first server for use with Active Directory. We hope you have enjoyed this free training video. For more free training videos please go to our web site or YouTube channel. Thanks.