Designing the Active Directory Structure
A forest is a collection of Active Directory domains. Forests serve two main purposes: to simplify user interaction with the directory, and to simplify the management of multiple domains. Forests have the following key characteristics:
The Active Directory schema defines the object classes that can be created in the directory and the attributes those classes can carry. The schema exists as a naming context that is replicated to every domain controller in the forest, so a schema change made anywhere in the forest takes effect everywhere. The Schema Admins security group, which exists only in the forest root domain, has full control over the schema; because schema changes cannot be undone, keep this group empty except while a planned schema change is being made.
The Active Directory Configuration container is a naming context that is replicated to every domain controller in the forest. Directory-aware applications store information in the Configuration container that applies forest wide. For example, Active Directory stores information about the physical network (sites, subnets, and site links) in the Configuration container and uses it to guide the creation of replication connections between domain controllers. The Enterprise Admins security group, which also exists only in the forest root domain, has full control over the Configuration container.
Sharing a single, consistent configuration across the domains of a forest eliminates the need to configure domains separately.
Active Directory automatically creates transitive, two-way trust relationships between the domains in a forest. Users and groups from any domain can be recognized by any member computer in the forest, and included in groups or access control lists (ACLs). This complete trust also means that the forest, not the domain, is the security boundary: an administrator of any domain in the forest can affect resources in every other domain, so domains should not be used to isolate parties that do not trust each other.
Complete trust makes managing multiple domains simpler in Windows 2000. In previous versions of Windows NT, a popular model for deploying domains was the Multiple Master Domain model. In that model, a domain containing primarily user accounts was called a master user domain, and a domain that contained primarily computer accounts and resources was called a resource domain. A common deployment consisted of a small number of master user domains, each of which was trusted by a large number of resource domains. Adding a new resource domain to the deployment required a separate one-way trust to each master user domain to be created by hand. With Windows 2000 Active Directory, when you add a domain to a forest it is automatically configured with two-way transitive trust. This eliminates the need to create additional trusts with domains in the same forest.
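The following PowerShell inventory is an added example, not part of the original Resource Kit text. It lists the two forest-wide naming contexts described above, reports the membership of the Schema Admins and Enterprise Admins groups from the forest root domain, and enumerates the trusts each domain holds so that the automatic intra-forest trusts can be told apart from any trust an administrator created. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the forest; the forest and domain names come from the directory, not from the example.

```powershell
# Added example (not from the original Resource Kit text): inventory the forest-wide
# naming contexts, the groups that control them, and the trusts inside the forest.
# Assumes the ActiveDirectory RSAT module and an authenticated, domain-joined session.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest

# Both naming contexts are replicated to every domain controller in the forest.
"Schema NC        : $($rootDse.schemaNamingContext)"
"Configuration NC : $($rootDse.configurationNamingContext)"
"Forest root      : $($forest.RootDomain)"
"Domains          : $($forest.Domains -join ', ')"

# Schema Admins and Enterprise Admins exist only in the forest root domain, so read
# their membership from a root-domain DC rather than from whichever domain we are in.
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
foreach ($groupName in 'Schema Admins', 'Enterprise Admins') {
    $members = @(Get-ADGroupMember -Identity $groupName -Server $rootDomain.PDCEmulator -Recursive)
    "$groupName ($($members.Count) effective members)"
    $members | ForEach-Object { "    $($_.objectClass)  $($_.distinguishedName)" }
}

# Schema Admins should be empty except while a schema change is in progress.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain.PDCEmulator)
if ($schemaAdmins.Count -gt 0) {
    Write-Warning 'Schema Admins is populated; remove members when no schema change is planned.'
}

# Every domain in the forest holds trusts to its parent and children that the forest created
# automatically (IntraForest = True). A trust with IntraForest = False was created by an
# administrator (external or forest trust) and deserves a separate review.
foreach ($domain in $forest.Domains) {
    Get-ADTrust -Filter * -Server $domain |
        Select-Object @{ n = 'SourceDomain'; e = { $domain } },
                      Name, Direction, TrustType, IntraForest, ForestTransitive
}
```

Run it from any domain in the forest; the -Server arguments direct the group and trust queries to the domain that actually holds the data, which matters because Get-ADGroupMember against a child domain DC would not find the root-only groups.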
The global catalog contains a copy of every object from every domain in the forest, but only a select set of the attributes of each object (the partial attribute set, which includes the attributes most often used in searches and in logon, such as the user principal name). The global catalog enables fast, efficient searches that span the entire forest.
The global catalog makes directory structures within a forest transparent to end users. Using the global catalog as a search scope makes finding objects in the directory simple. Logging on is made simpler through the global catalog and user principal names, described as follows:
Users Search the Global Catalog In the directory search user interface, the global catalog is abstracted as the Entire Directory when selecting a search scope. Users can search the forest without having any prior knowledge of the forest structure. Having a single, consistent search interface reduces the need to educate users on directory structure, and allows administrators to change the structure within a forest without affecting the way users interact with the directory.
Users Log on Using User Principal Names A user principal name (UPN) is an e-mail-like name that uniquely represents a user. A UPN consists of two parts, a user identification portion and a domain portion. The two parts are separated by an "@" symbol, to form <user>@<DNS-domain-name>, for example, liz@noam.reskit.com. Every user is automatically assigned a default UPN, where the <user> portion of the name is the same as the user's logon name, and the <DNS-domain-name> portion of the name is the DNS name of the Active Directory domain where the user account is located. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box.
You can set UPNs to values that do not match the account's domain. For example, even if Liz's account is in the noam.reskit.com domain, her UPN could be set to liz@reskit.com. When the user logs on, the user account to be validated is discovered by searching the global catalog for a user account with a matching UPN value. For this lookup to work, a UPN must be unique across the whole forest, not just within its domain: two accounts in different domains with the same UPN cannot both be resolved at logon. The suffix portion should be one of the forest's domain names or a suffix registered in the forest's UPN suffix list, which is what the administrative tools offer when assigning a UPN. By making UPN values independent from domain names, administrators can move user accounts between domains, leaving UPN values unchanged and making interdomain moves more transparent to users.
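The following PowerShell script is an added example, not part of the original Resource Kit text, that carries the UPN scenario above through: it registers reskit.com as a forest-wide UPN suffix if it is not already one, checks the global catalog for an existing account with the same UPN, assigns liz@reskit.com to the account in noam.reskit.com, and then resolves the UPN through the global catalog the way logon does. The names reskit.com, noam.reskit.com and the account liz are the page's own illustration; the helper function names are this example's. It assumes the ActiveDirectory RSAT module, rights to edit the forest's UPN suffix list and the user object, and a reachable global catalog.

```powershell
# Added example (not from the original Resource Kit text): assign a forest-wide UPN and
# resolve it through the global catalog as the logon process does.
# Assumes the ActiveDirectory RSAT module and a session with rights to edit the forest
# UPN suffix list and the target user. Names below follow the page's illustration.
Import-Module ActiveDirectory

function Add-ForestUpnSuffix {
    # Register a suffix forest-wide; domain names of the forest are always valid suffixes.
    param([Parameter(Mandatory)][string]$Suffix)
    $forest = Get-ADForest
    if ($forest.Domains -contains $Suffix -or $forest.UPNSuffixes -contains $Suffix) {
        return "Suffix $Suffix is already usable in forest $($forest.Name)"
    }
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    return "Registered UPN suffix $Suffix in forest $($forest.Name)"
}

function Resolve-UpnAccount {
    # Emulate the logon lookup: search the global catalog (port 3268) for the UPN.
    # An empty SearchBase on the GC port searches every partition the GC holds.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $gc = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    # Escape the characters that are special in an LDAP filter before interpolating.
    $escaped = $UserPrincipalName -replace '\\', '\5c' -replace '\*', '\2a' `
                                  -replace '\(', '\28'  -replace '\)', '\29'
    Get-ADUser -LDAPFilter "(userPrincipalName=$escaped)" -SearchBase '' `
               -Server "$($gc):3268" -Properties userPrincipalName
}

function Set-UserUpn {
    # Assign a UPN only if no other account anywhere in the forest already uses it.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Domain,            # DNS name of the account's domain
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $Domain -Properties userPrincipalName
    $existing = @(Resolve-UpnAccount -UserPrincipalName $UserPrincipalName) |
                Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
    if ($existing) {
        throw "UPN $UserPrincipalName is already used by $($existing[0].DistinguishedName)"
    }
    "Default UPN was : $($user.UserPrincipalName)"
    Set-ADUser -Identity $user -Server $Domain -UserPrincipalName $UserPrincipalName
    "UPN is now      : $UserPrincipalName"
}

# Walk the page's scenario: Liz's account lives in noam.reskit.com, her UPN becomes liz@reskit.com.
Add-ForestUpnSuffix -Suffix 'reskit.com'
Set-UserUpn -SamAccountName 'liz' -Domain 'noam.reskit.com' -UserPrincipalName 'liz@reskit.com'

# The GC search finds the account without knowing which domain holds it, as logon does.
Resolve-UpnAccount -UserPrincipalName 'liz@reskit.com' |
    Select-Object UserPrincipalName, SamAccountName, DistinguishedName
```

The uniqueness check in Set-UserUpn is the practical point: because logon resolves the UPN through the global catalog rather than through the account's own domain, a duplicate UPN in another domain is not caught by the domain that stores the account, so the check has to be made against the global catalog before the value is written.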