Active Directory Structure

We have been writing a lot of article series lately, and we’ll continue that trend with a series about Active Directory. We’ll discuss the various components of Active Directory and, of course, pay attention to monitoring its performance. In this first article we’ll look at the logical and physical structure of Active Directory, starting with the logical structure.

Logical Structure of Active Directory

Active Directory gives you flexibility in designing a directory structure that fits an organization’s current and future needs, so understanding how its pieces fit together is key when you design your own. In Active Directory all resources are organized in a logical structure, which lets any resource be located by name rather than by physical location.

In Active Directory there are different types of resources and objects that define the logical structure:

  • User, computer, group, printer, and network share objects
  • Organizational Units
  • Domains – Logical boundaries for objects
  • Trees – Logical boundary for multiple domains
  • Forests – Logical boundary for multiple trees

All these components work together to define your logical structure. A Tree is the boundary for one or more domains that share a contiguous DNS namespace, and a Forest is the boundary for one or more Trees that share a single schema, configuration and Global Catalog. Keep in mind that the forest, not the domain, is the security boundary: domains in the same forest trust each other automatically, and the schema and configuration are shared by every domain controller in the forest, so a compromise of any domain should be treated as a compromise of the whole forest.

So what are the benefits of a well-designed Active Directory structure? One is better security: Organizational Units let you delegate administration over a specific set of objects, and the security groups placed in them are what you actually grant permissions to. Organizational Units can also be linked directly to Group Policy Objects (GPOs), which lets you enforce settings on exactly the users and computers in that container. Network management and administration are simplified, and the trust relationships between domains and forests allow resources to be shared across an organization.

When you plan your Active Directory design and come to setting up your Organizational Units, there are two main approaches you can take:

  • Layout based on physical office locations in your organization
  • Layout based on functional hierarchy of departments in your organization

Personally, I favor the functional layout and create my Organizational Units based on the departments in the organization. This has the benefit that staff in, for example, the marketing department can work from several different office locations, yet you want them to have the same security permissions and access to network resources. By placing the user accounts for the marketing department in the Marketing Organizational Unit, it does not matter where a user is physically located; he or she receives the permissions and Group Policies defined for the Marketing department. Keep in mind that only the user-side settings of a GPO follow the user object; computer-side settings apply to the OU the computer object sits in, so computer accounts need a home in this layout as well. Now let’s talk about the physical structure that makes up Active Directory.
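As an added example that is not part of the original article, the following PowerShell builds the department-based layout described above: a Departments OU, one OU and one security group per department, one GPO linked to each department OU, and a user moved into place. It assumes the RSAT ActiveDirectory and GroupPolicy modules, rights to create OUs, groups and GPOs, and uses hypothetical names (the Departments OU, the Marketing/Finance/Engineering list, the user jdoe); none of these come from the article.

```powershell
# Added example, not from the original article. Hypothetical names throughout:
# the "Departments" OU, the three department names and the user "jdoe".
# Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN    = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=com
$deptRootDN  = "OU=Departments,$domainDN"
$departments = @('Marketing', 'Finance', 'Engineering')  # constructed sample list

function Test-ADOrganizationalUnitExists([string]$DN) {
    # -Filter returns nothing (and no error) when the OU does not exist
    [bool](Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$DN'")
}

if (-not (Test-ADOrganizationalUnitExists $deptRootDN)) {
    # ProtectedFromAccidentalDeletion adds a deny-delete ACE on the OU
    New-ADOrganizationalUnit -Name 'Departments' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($dept in $departments) {
    $ouDN = "OU=$dept,$deptRootDN"
    if (-not (Test-ADOrganizationalUnitExists $ouDN)) {
        New-ADOrganizationalUnit -Name $dept -Path $deptRootDN -ProtectedFromAccidentalDeletion $true
    }

    # The OU is the unit of delegation and GPO scope; the security group inside
    # it is the principal you actually grant permissions to.
    $groupName = "$dept-Users"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
                    -GroupCategory Security -Path $ouDN `
                    -Description "All $dept staff, regardless of office location"
    }

    # One GPO per department, linked to the department OU.
    $gpoName = "$dept Baseline"
    if (-not (Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName })) {
        New-GPO -Name $gpoName -Comment "Baseline settings for the $dept department" | Out-Null
    }
    $linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) {
        New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced No | Out-Null
    }
}

# Put a user into the layout: move the account into its department OU and add
# it to the department group, so policy and permissions follow the person.
$marketingOU = "OU=Marketing,$deptRootDN"
$user = Get-ADUser -Filter "SamAccountName -eq 'jdoe'"    # hypothetical account
if ($user -and $user.DistinguishedName -notlike "*,$marketingOU") {
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $marketingOU
}
if ($user) {
    Add-ADGroupMember -Identity 'Marketing-Users' -Members $user.SamAccountName
}

# Check: every GPO that will apply to objects in the Marketing OU, including
# links inherited from the domain and from the Departments OU above it.
(Get-GPInheritance -Target $marketingOU).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order, Target
```

Run this against a test domain first, or add -WhatIf to the New- and Move- calls to preview the changes. Two things to check afterwards: accounts created in the default Users and Computers containers are not in any OU and so receive no department policy (the redirusr and redircmp tools on a domain controller redirect new accounts to an OU of your choice), and the InheritedGpoLinks listing at the end shows whether a higher-level link marked Enforced overrides what you set on the department OU.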

Physical Structure of Active Directory

The physical structure of Active Directory consists of a database that is replicated between domain controllers, with different partitions of it replicating to different sets of domain controllers (more on that below). The Data Store handles all access to the database and consists of the services and physical files (the ntds.dit database and its transaction logs) that make the directory available. The storage architecture of Active Directory has four parts:

  • Forests, Domains, and Organizational Units are the core elements
  • DNS provides name resolution for domain controllers
  • The Schema provides the object definitions stored in the directory
  • The Data Store manages storage and retrieval of data

Another main aspect of Active Directory is Sites. A site is a set of well-connected IP subnets, normally one physical location. Sites shape two things. The first is replication: domain controllers in the same site replicate with each other frequently and without compression, while replication between sites is scheduled, compressed and routed over site links, which is how you keep replication traffic within the bandwidth available between locations. The second is client behaviour: a client looks up which site its IP subnet belongs to and prefers a domain controller in that site for authentication and Group Policy. Subnet objects are what tie address ranges to sites; a client whose address matches no defined subnet has no site and may end up authenticating against a domain controller on the far side of a WAN link.

For example, suppose computers on subnet 10.10.25.x are in an office in California and computers on subnet 10.10.35.x are in an office in Florida, with a WAN link between the two. Being on different subnets is not by itself a reason for separate sites; the slow link between the locations is. So we create a site for each location, associate each subnet with its site, and connect the two sites with a site link. Each site should have at least one domain controller so that local clients authenticate locally, and the site link’s cost and replication interval should match the bandwidth actually available, or replication between the domain controllers will fall behind.
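The two-location setup just described, as an added PowerShell example that is not part of the original article: it creates the sites, binds the article’s two subnets to them, adds the site link, and then resolves an address to a site the way the domain controller locator does, so you can see the “no site” case. The site and site-link names are hypothetical, the subnets are assumed to be /24 networks, and the RSAT ActiveDirectory module is required.

```powershell
# Added example, not from the original article. Site and site-link names are
# hypothetical; the subnets are the article's 10.10.25.x and 10.10.35.x ranges,
# assumed to be /24 networks. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Location -> subnet. Each subnet object binds one address range to one site.
$siteSubnets = @{
    'California' = '10.10.25.0/24'
    'Florida'    = '10.10.35.0/24'
}

foreach ($site in $siteSubnets.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    $prefix = $siteSubnets[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $site -Location $site
    }
}

# One site link over the WAN. Cost orders alternative paths; the interval is how
# often the bridgehead DCs exchange (compressed) inter-site replication traffic.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'California-Florida'")) {
    New-ADReplicationSiteLink -Name 'California-Florida' -SitesIncluded 'California','Florida' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

function Get-ADSiteForAddress {
    # Resolve an IPv4 address to a site the way the DC locator does: the longest
    # matching subnet object wins; no match means the client has no site.
    param([Parameter(Mandatory)][string]$IPAddress)
    $ipBytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($ipBytes)
    $ip   = [BitConverter]::ToUInt32($ipBytes, 0)
    $best = $null
    foreach ($subnet in Get-ADReplicationSubnet -Filter * -Properties Site) {
        $network, $bits = $subnet.Name -split '/'
        if ($network -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # IPv4 only in this check
        $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
        [Array]::Reverse($netBytes)
        $net  = [BitConverter]::ToUInt32($netBytes, 0)
        $mask = [uint32]((([int64]0xFFFFFFFF) -shl (32 - [int]$bits)) -band [int64]0xFFFFFFFF)
        if ((($ip -band $mask) -eq ($net -band $mask)) -and ((-not $best) -or ([int]$bits -gt $best.Bits))) {
            $best = [pscustomobject]@{
                Subnet = $subnet.Name
                Site   = ($subnet.Site -replace '^CN=([^,]+),.*$', '$1')   # Site is stored as a DN
                Bits   = [int]$bits
            }
        }
    }
    if ($best) { $best } else { Write-Warning "$IPAddress matches no subnet object: the client has no site" }
}

Get-ADSiteForAddress '10.10.25.17'   # a Californian client: resolves to California
Get-ADSiteForAddress '10.10.45.3'    # a range nobody defined: warning, no site
```

On a domain member, nltest /dsgetsite prints the site the machine resolved itself to. On a domain controller, NO_CLIENT_SITE entries in %SystemRoot%\debug\netlogon.log list the clients (with IP addresses) that matched no subnet object; feeding those addresses to Get-ADSiteForAddress after adding the missing subnets confirms the fix.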

Then there are Active Directory partitions (also called naming contexts). Each domain controller holds a copy of the schema partition, the configuration partition and its own domain partition, plus optional application partitions. The domain partition contains all objects of one domain and replicates only to domain controllers in that domain. The schema partition defines the object classes and attributes; each forest has a single schema, replicated to every domain controller in the forest. The configuration partition holds the forest-wide topology (sites, subnets, site links, the list of partitions) and is likewise replicated to every domain controller in the forest. Application partitions hold application data that cannot contain security principals (the Active Directory-integrated DNS zones DomainDnsZones and ForestDnsZones are the usual examples) and replicate only to the domain controllers enrolled as replicas of that partition, not to every domain controller in the forest. Because the schema and configuration partitions are forest-wide, a change written on a domain controller in any domain reaches every domain controller in the forest.
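To see the replication scope of each partition in your own forest, here is an added PowerShell example (not from the original article) that lists every partition registered in the configuration partition, classifies it, and shows which domain controllers hold a replica. It assumes the RSAT ActiveDirectory module and a reachable domain controller; no names are hard-coded.

```powershell
# Added example, not from the original article. No names are hard-coded; it
# assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$configNC  = $rootDse.configurationNamingContext
$forest    = Get-ADForest
$domainNCs = $forest.Domains | ForEach-Object { (Get-ADDomain -Identity $_).DistinguishedName }

function Get-PartitionKind([string]$NC) {
    if     ($NC -eq $schemaNC)        { 'Schema        (every DC in the forest)' }
    elseif ($NC -eq $configNC)        { 'Configuration (every DC in the forest)' }
    elseif ($domainNCs -contains $NC) { 'Domain        (DCs of that domain only)' }
    else                              { 'Application   (enrolled replicas only)' }
}

# Every DC in the forest, not just the current domain, with the partitions each one holds.
$dcs = @($forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ })

# The authoritative list of partitions is the set of crossRef objects under
# CN=Partitions in the configuration partition. RootDSE.namingContexts would only
# show what this one DC happens to hold. The bitwise filter on systemFlags
# (FLAG_CR_NTDS_NC = 1) drops cross-references to external (trusted) domains.
$partitions = Get-ADObject -SearchBase "CN=Partitions,$configNC" `
    -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=1))' -Properties nCName |
    Select-Object -ExpandProperty nCName

foreach ($nc in $partitions) {
    $holders = @($dcs | Where-Object { $_.Partitions -contains $nc } | Select-Object -ExpandProperty HostName)
    [pscustomobject]@{
        Partition = $nc
        Kind      = Get-PartitionKind $nc
        Replicas  = "$($holders.Count)/$($dcs.Count)"
        HeldBy    = ($holders -join ', ')
    }
}
```

In the output, the schema and configuration rows should show every domain controller, each domain row only that domain’s controllers, and application partitions such as DomainDnsZones or ForestDnsZones only the controllers enrolled as replicas (typically those also running DNS). A domain controller missing from a row where you expect it is worth investigating before it shows up as a replication or DNS resolution problem.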

That’s it for the physical structure. In our next article we’ll talk about DNS integration in Active Directory and provide you with some best practices for configuring and managing Active Directory-integrated DNS.