Server 2003 Tutorials

This article explains ADS (Active Directory Serveries) Terminology such as Objects, Organizational Units, Delegation, Sites, Domain Controllers, Domains, Trees and Forests in detail.

Active Directory includes a replication feature. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. A domain controller stores a replica of the domain directory. Each domain can contain one or more domain controllers.

Within a site, Active Directory automatically generates a ring topology for replication among domain controllers in the same domain. The topology defines the path for directory updates to flow from one domain controller to another until all receive the directory updates.

Replication Between Domain Controllers

The ring structure ensures that there are at least two replication paths from one domain controller to another. Therefore, if one domain controller is down temporarily, replication still continues to all other domain controllers.

Active Directory periodically analyzes the replication topology within a site to ensure that it is still efficient. If you add or remove a domain controller from the network or a site, Active Directory reconfigures the topology to reflect the change.


An object is a distinct named set of attributes that represents a network resource.
Enterprise resources are represented in Active Directory as objects, or records in the database. Each object has numerous attributes, or properties, that define it. For example, a user object includes the user name and password; a group object includes the group name and a list of its members. Active Directory is capable of hosting millions of objects, including users, groups, computers, printers, shared folders, sites, site links, Group Policy Objects (GPOs), and even DNS zones and host records.

object and Organizational Units

Organizational Units

An organizational unit (OU) is a container used to organize objects within a domain into logical administrative groups. They provide important administrative capabilities because they provide a point at which administrative functions can be delegated and to which group policies can be linked. Enterprises often have thousands of computers, groups, and users. If you had several thousand computers in a single list, it would be very difficult to identify all the computers belonging to, say, the Accounting department, or located within the Lucknow office. Enterprises need a way to organize these objects. OUs provide a way to create administrative boundaries within a domain, allowing you to delegate administrative tasks within the domain. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs.

The OU hierarchy within a domain is independent of the OU hierarchy structure of other domain's search domain can implement its own OU hierarchy. There are no restrictions on the depth of the OU hierarchy. However, a shallow hierarchy performs better than a deep one, so you should not create an OU hierarchy any deeper than necessary.


Each object in Active Directory ( user objects) includes an access control list (ACL) that defines permissions for that object, just as files on a disk volume have ACLs that define access for those files.

For example, a user object's ACL will define what groups are allowed to reset its password. It would get complicated to assign the frontline administrator permissions to change each individual user's password, so instead you can put all of those users in a single OU and assign that administrator the reset password permission on the OU. That permission will be inherited by all user objects in the OU, thereby allowing that administrator to modify permissions for all users. Resetting user passwords is just one example of administrative delegation.

There are thousands of combinations of permissions that could be assigned to groups administering and supporting Active Directory. OUs allow an enterprise to create an active representation of its administrative model and to specify who can do what to objects in the domain.


A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable, fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.

Classes Attributes Directory Schema

In Active Directory, you can organize objects in classes, which are logical groupings of objects.Object classes help organize objects by their similarities. For example, all user objects fall under the object class Users.

When you create a new object, it automatically inherits attributes from its class. When you create a new user account, the information you can enter about that user account (its attributes) are derived from the object class Users. Microsoft defines a default set of object classes (and the attributes they define) used by Active Directory. Of course, because Active Directory is extensible, administrators and applications can modify the object classes available and the attributes that those classes define.

Classes Attributes Directory Schema

The classes and the attributes that they define are collectively referred to as the Active Directory schema in database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Active directory is a central component of the Windows platform, Active Directory service provides the means to manage the identities and relationships that make up network environments. After installing the Active Directory You can create centralized User & group for Whole Network. We can say Active Directory does the function in the form of a main switch board for Network operating System. Active Directory itself is more than just a database. It is a collection of supporting files that includes transaction logs and the system volume, or Sysvol, that contains logon scripts and Group Policy information.

Active Directory simplifies the security and administration of resources throughout a network (including the computers that are part of the network) by providing a single point of administration for all objects on the network. Active Directory organizes resources hierarchically in domains, which are logical groupings of servers and other network resources.

One big advantage that Active Directory provides is a single logon point for all network resources, so a user can log on to the network with a single user name and password, and then access any resources to which the user account is granted access. An administrator can log on to one computer and administer objects on any computer in the network.

Domain Controllers

A domain controller is a server that has been promoted by running the Active Directory Installation Wizard by running DCPROMO from the command line or using add remove a role from manage your server . Once a server has become a domain controller, it hosts a copy, or replica, of Active Directory and changes to the database on any domain controller are replicated to all domain controllers within the domain.


The core unit of logical structure in Active Directory is the domain. However, an enterprise might have more than one domain in its Active Directory.

Feature of Domains :-

  • Domains allows administrators to divide the network into manageable boundaries.
  • Administrators from different domains can establish their own security models (including password complexity and password-length requirements); security from one domain can then be isolated so that other domains security models are not affected.
  • Domains provide a way to logically partition a network along the same administrative lines as an organization. Organizations that are large enough to have more than one domain usually have divisions that are responsible for maintaining and securing their own resources. Grouping objects into one or more domains enables your network to reflect your company's organization.
  • Domains are independent administrative units, with their own security and administrative policies.
  • All network objects exist within a domain, and each domain stores information only about the objects that it contains.
  • Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is a more practical amount.


A tree is a hierarchical arrangement of one or more domains that share a common schema and a contiguous namespace. In the example shown in Figure all the domains in the tree under the root domain share the namespace

domain tree

The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. In this figure and are the child domains.

Feature of Tree

  • Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
  • All domains within a single tree share a common schema, which is a formal definition of all object types that you can store in an Active Directory deployment.
  • All domains within a single tree share a common Global Catalog, which is the central repository of information about objects in a tree.


A forest is a grouping or hierarchical arrangement of one or more domain trees that form a disjointed namespace, but might share a common schema and Global Catalog If domains in an Active Directory do not share a common root domain, they create multiple trees. That leads you to the largest structure in an Active Directory: the forest. An Active Directory forest includes all domains within that Active Directory. A forest might contain multiple domains in multiple trees, or just one domain. When more than one domain exists, a component of Active Directory called the Global Catalog becomes important because it provides information about objects that are located in other domains in the forest.

In the figure given above the namespace is represented in one tree, and the namespace is represented in another. There is always at least one forest on a network, and it is created when the first Active Directory enabled computer (domain controller) on a network is installed. This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Feature of Forests

  • All trees in a forest share a common schema.
  • Trees in a forest have different naming structures, according to their domains.
  • All domains in a forest share a common Global Catalog.
  • Domains in a forest operate independently, but the forest enables communication across the entire organization.