Active Directory Structure

Active Directory stores and organizes the objects in a network, such as Users, Computers, Devices and other objects, in a secure and hierarchical arrangement known as the Logical Structure.

Forests and Domains form the basis of the Logical Structure.

Forests are the security boundaries of the logical structure. They can be structured to provide data and service autonomy and isolation in an organization in ways that can both reflect the site and group identities and remove dependencies on the physical topology.

Domains within a Forest can be structured to provide data and service autonomy, but they do not provide isolation. Separating the logical structure from the physical structure improves manageability and reduces administrative costs, because changes in the physical structure do not affect the logical structure. The logical structure can therefore be used to compartmentalize data, so that access to the data is controlled by controlling access to the various compartments.

The Active Directory Structure and Storage Architecture has four parts. They are as follows:

1. Active Directory Forests, Domains and Organizational Units (OUs):

In Active Directory, Forests, Domains and Organizational Units (OUs) form the very basis of the Logical Structure. Forests form the security boundary, whereas Domains provide a way to partition the Forest. OUs allow objects within a domain, such as Users and Computers, to be grouped so that they can be managed as one unit and Group Policy can be applied to them.

2. Domain Name System (DNS) support for Active Directory:

Active Directory uses DNS as the mechanism for locating Domain Controllers, and Domain Controllers also use DNS to locate each other. Whenever a major operation is performed in Active Directory, such as authentication, searching or updating, computers use DNS to locate the Domain Controllers. For example, when a network user with an Active Directory user account logs on to an Active Directory domain, the user’s computer uses DNS to locate a domain controller for the domain to which the user wants to log on.

In order to log on to a network that runs Active Directory, a client workstation must first be able to locate the nearest Domain Controller. This is necessary for the initial authentication of the workstation as well as the user, and for subsequent access to other resources that the user might need.
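As an added example (not from the original article), the Python below models the DC locator step just described: the SRV names a domain member queries, site-specific first and then domain-wide, and the priority/weight ordering (RFC 2782) applied to the answers. The domain name, site name and SRV data are constructed and stand in for a real DNS zone.

```python
import random
from collections import namedtuple

# Constructed SRV data standing in for a DNS zone (example domain, not real).
SrvRecord = namedtuple("SrvRecord", "priority weight port target")
CONSTRUCTED_ZONE = {
    "_ldap._tcp.HQ._sites.dc._msdcs.corp.example.com": [
        SrvRecord(0, 100, 389, "dc1.corp.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.corp.example.com": [
        SrvRecord(0, 100, 389, "dc1.corp.example.com"),
        SrvRecord(0, 100, 389, "dc2.corp.example.com"),
        SrvRecord(10, 100, 389, "dc3.corp.example.com"),  # lower preference
    ],
}

def locator_names(dns_domain, site=None):
    """SRV names a domain member queries, in order: the site-specific record
    (nearest DC) first, then the domain-wide record as the fallback."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{dns_domain}")
    return names

def order_records(records, rng=None):
    """RFC 2782 ordering: lower priority first; within one priority a
    weighted random shuffle spreads load across equally preferred DCs.
    A weight of 0 is treated as 1 here to keep the selection well defined."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            pick = rng.choices(group, weights=[r.weight or 1 for r in group])[0]
            ordered.append(pick)
            group.remove(pick)
    return ordered

def locate_dc(zone, dns_domain, site=None, rng=None):
    """Return candidate DC hostnames in contact order, or [] when DNS holds
    no SRV records for the domain (the logon failure mode described above)."""
    for name in locator_names(dns_domain, site):
        answers = zone.get(name)
        if answers:
            return [r.target for r in order_records(answers, rng)]
    return []

if __name__ == "__main__":
    print(locate_dc(CONSTRUCTED_ZONE, "corp.example.com", site="HQ"))
    print(locate_dc(CONSTRUCTED_ZONE, "corp.example.com", site="Branch"))
```

A client in an unknown site falls back to the domain-wide record and so may be authenticated by a distant DC; an empty result is the classic "no logon servers available" symptom that points at DNS rather than at the DC itself.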

3. Active Directory Schema: The Active Directory schema contains the definitions of all the objects that can be stored in the directory. Every object in the Schema is either a classSchema object or an attributeSchema object. There is one Schema per forest. A copy of the schema is stored on every domain controller in the forest, so that all the Domain Controllers have the definitions they need and all of them use the same definitions.

4. Active Directory Data Store: The Active Directory Data Store manages the storage and retrieval of data on each domain controller. It is made up of several components, which collectively provide directory services to the clients on the network. The AD Data Store consists of four Interfaces and three Service Components (as shown in the figure below) and the Active Directory Database itself.

The data store consists of three layers of components. The first layer provides the interfaces that clients need to access the directory. The second layer provides the services that perform the operations that are associated with reading data from and writing data to the directory database. The third layer is the database itself, which exists as a single file on the hard disk of each domain controller.

Interfaces and Services of Active Directory Data Store:

Windows Server 2003 Active Directory Structure