1.2 Active Directory Terminology

The basic hierarchical units of a directory in Active Directory are forests, domains, and objects. Forests, which define security boundaries for the network with respect to the Internet, contain domains, which are sets of computer, user, and group objects that have been defined by the administrator. Active Directory objects, the basic units of directory data stored and referenced by the entire system, represent the real objects on the network and their relationships to each other. Domains contain partitions and other organizational units to further subdivide the various administrative segments of the entire organization.

1.2.1 Domain Controllers

The Active Directory database file (Ntds.dit) provides for the physical storage of all Active Directory objects for a single forest. By means of Active Directory replication, any directory updates are automatically distributed to the appropriate domain controllers according to a regular schedule. Domain controllers (DCs) are servers that store replicas of all the objects and object attributes in a particular domain, plus the schema and directory partitions for the entire forest. Thus the data repository for the whole directory is centralized and can be administered from one location, but is also physically distributed, with built-in redundancy on multiple DCs throughout the network. Active Directory replication is designed to maintain directory consistency and minimize network overhead.

When you create a server role for a computer, you can create a new forest, a new domain, or an additional DC in an existing domain by installing Active Directory on that computer, which then becomes a DC.

A DC that is designated as a global catalog stores the objects from all domains in the forest. A global catalog server stores its own full, writeable domain replica (all objects and all attributes) plus a partial, read-only replica of every other domain in the forest. The objects and attributes stored in each global catalog allow clients to search Active Directory without having to refer directly to the DC for the requested object. The first DC in a forest is automatically designated a global catalog.

1.2.2 Roles and Permissions

Most operations associated with managing users, groups, and computers involve changes that can be made on any DC, which then replicates the change to the appropriate DCs or global catalogs. However, some operations must be managed in a single location by a specially designated DC. For example, certain forest-level operations involve the schema or the set of domains in the forest, so they must be handled by the DC designated as the schema master or the domain naming master. Such a DC has been assigned a Flexible Single Master Operations (FSMO) role by the administrator. The domain-level FSMO roles are the Primary Domain Controller (PDC) emulator, the Relative ID (RID) master, and the infrastructure master. DCs that hold these roles, and so carry the extra authorization to manage these changes, are called operations masters.

1.2.3 Security and Kerberos

Security is an extremely important part of Active Directory design and operation. Active Directory controls access to objects, properties, content, and operations based on the identity of the user requesting access. Whether the account is that of the logged-on user, another user, a service account, a computer account, or an unauthenticated user, Active Directory verifies the account's access rights before any operation is performed. Similarly, Active Directory replication uses a replication protocol that establishes a secure remote procedure call (RPC) connection between replication partners.

The RPC connection uses the Kerberos authentication protocol to provide authentication and encryption. The Kerberos standard defines how clients interact with a network authentication service. Clients obtain “tickets” from the Kerberos Key Distribution Center (KDC), and present these tickets to servers after connections are established.
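The ticket exchange just described, modelled as an added example (this is not code from the page or from Microsoft's implementation). The KDC holds every principal's long-term key, seals a ticket under the service's key so the client can carry it but neither read nor alter it, and gives the client a session key under the client's own key; the client then proves possession of the session key with a timestamped authenticator. The AS and TGS exchanges are collapsed into a single request, the "encryption" is a toy HMAC-based construction so the script runs with only the standard library (real Kerberos uses standardised encryption types), and the principal names `alice` and `ldap/dc1.example.com` are placeholders.

```python
import hashlib
import hmac
import json
import os
import time


# Toy encrypt-then-MAC built from HMAC-SHA256. Stand-in only, so the example is
# self-contained; real Kerberos uses standardised encryption types, not this.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Seal a dict under key as nonce || ciphertext || tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first: anything not sealed under this key is rejected."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: not sealed under this key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Holds every principal's long-term key (on a real DC these live in Ntds.dit)."""

    def __init__(self, long_term_keys: dict, lifetime: float = 600.0):
        self.keys, self.lifetime = dict(long_term_keys), lifetime

    def issue_ticket(self, client: str, service: str, now: float) -> bytes:
        session_key = os.urandom(32).hex()
        # Ticket is sealed under the SERVICE key: the client carries it but cannot read it.
        ticket = seal(self.keys[service],
                      {"client": client, "session_key": session_key, "expires": now + self.lifetime})
        # Reply is sealed under the CLIENT key so only the client learns the session key.
        return seal(self.keys[client], {"session_key": session_key, "ticket": ticket.hex()})


class Client:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def request_ticket(self, kdc: KDC, service: str, now: float) -> None:
        reply = unseal(self.key, kdc.issue_ticket(self.name, service, now))
        self.session_key = bytes.fromhex(reply["session_key"])
        self.ticket = bytes.fromhex(reply["ticket"])

    def present(self, now: float) -> tuple:
        # The authenticator proves possession of the session key; its timestamp
        # lets the service refuse an old capture presented again later.
        return self.ticket, seal(self.session_key, {"client": self.name, "timestamp": now})


class Service:
    def __init__(self, name: str, key: bytes, max_skew: float = 300.0):
        self.name, self.key, self.max_skew = name, key, max_skew

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        """Return the authenticated client name, or raise ValueError."""
        t = unseal(self.key, ticket)  # succeeds only for tickets the KDC sealed
        if t["expires"] < now:
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(a["timestamp"] - now) > self.max_skew:
            raise ValueError("authenticator outside the allowed clock skew")
        return t["client"]


def demo(now: float = None) -> tuple:
    """One exchange, then a modified ticket and a stale authenticator; returns
    (principal, tamper_rejected, stale_rejected)."""
    now = time.time() if now is None else now
    keys = {"alice": os.urandom(32), "ldap/dc1.example.com": os.urandom(32)}  # placeholder principals
    kdc, alice = KDC(keys), Client("alice", keys["alice"])
    dc = Service("ldap/dc1.example.com", keys["ldap/dc1.example.com"])
    alice.request_ticket(kdc, dc.name, now)
    ticket, authenticator = alice.present(now)
    principal = dc.accept(ticket, authenticator, now)

    tampered = bytearray(ticket)
    tampered[20] ^= 0xFF  # flip one ciphertext byte
    try:
        dc.accept(bytes(tampered), authenticator, now)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    try:  # ticket still valid, authenticator 400 s old: beyond the 300 s skew window
        dc.accept(ticket, authenticator, now + 400)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return principal, tamper_rejected, stale_rejected


if __name__ == "__main__":
    print(demo())
```

The two rejection paths are the defensive point: because the ticket is sealed under the service's key, the service can tell a ticket the KDC issued from anything else without asking the KDC, and the timestamped authenticator bounds how long a captured exchange stays usable.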

As another security measure, Active Directory for Windows Server 2008 includes a read-only domain controller (RODC) that hosts read-only portions of the Active Directory database. RODCs allow you to deploy DCs in scenarios that cannot guarantee security and in sites that do not have a user who is a member of the Domain Admins group.

1.2.4 Locating Active Directory Resources

Active Directory uses Domain Name System (DNS) to locate resources, such as printers, computers, or DCs, by resolving computer names to IP addresses. A DC locator service (Locator) works with DNS and Windows APIs to find DCs. When a DC has been located, LDAP is used to retrieve information from the directory. LDAP is the means by which Active Directory provides information about the objects it stores for administrators, users, and applications.
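The DNS side of that lookup, as an added example that is not code from the page: DCs register SRV records such as `_ldap._tcp.dc._msdcs.<forest>` (and a site-specific form under `_sites`), and a client picks among the answers by SRV priority and weight. The zone data below is constructed; the forest name `example.com`, the host names and the site `Paris` are placeholders, and the query order (own site first, then forest-wide) and the RFC 2782 ordering are what this code models rather than a capture of the Windows Locator itself.

```python
import random
from collections import defaultdict

# Constructed zone data shaped like the SRV records DCs register.
# Forest name, host names and the site "Paris" are placeholders.
SAMPLE_SRV_RECORDS = """
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 0  100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 0  100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 10 100 389 dc-dr.example.com.
_ldap._tcp.Paris._sites.dc._msdcs.example.com. 600 IN SRV 0  100 389 dc2.example.com.
_kerberos._tcp.dc._msdcs.example.com.          600 IN SRV 0  100 88  dc1.example.com.
"""


def parse_srv(zone_text: str) -> dict:
    """Group SRV records by owner name (lower-cased, trailing dot removed)."""
    records = defaultdict(list)
    for line in zone_text.strip().splitlines():
        f = line.split()
        if len(f) != 8 or f[2:4] != ["IN", "SRV"]:
            continue  # ignore anything that is not a well-formed SRV line
        records[f[0].rstrip(".").lower()].append(
            {"priority": int(f[4]), "weight": int(f[5]),
             "port": int(f[6]), "target": f[7].rstrip(".")})
    return dict(records)


def order_srv(rrset: list, rng: random.Random) -> list:
    """RFC 2782 client ordering: lowest priority first; among records sharing a
    priority, a weighted random draw repeated until the group is exhausted."""
    ordered = []
    for prio in sorted({r["priority"] for r in rrset}):
        pool = [r for r in rrset if r["priority"] == prio]
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng.uniform(0, total)
            running = 0
            for r in pool:
                running += r["weight"]
                if running >= pick:
                    break
            ordered.append(r)
            pool.remove(r)
    return ordered


def locate_dcs(records: dict, forest: str, service: str = "_ldap",
               site: str = None, seed: int = None) -> tuple:
    """Query the client's own site first, then the forest-wide set.
    Returns (record name that answered, ordered list of 'host:port')."""
    rng = random.Random(seed)
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{forest}")
    names.append(f"{service}._tcp.dc._msdcs.{forest}")
    for name in names:
        rrset = records.get(name.lower())
        if rrset:
            return name.lower(), [f"{r['target']}:{r['port']}" for r in order_srv(rrset, rng)]
    return None, []


if __name__ == "__main__":
    zone = parse_srv(SAMPLE_SRV_RECORDS)
    print(locate_dcs(zone, "example.com", site="Paris", seed=1))
    print(locate_dcs(zone, "example.com", site="Tokyo", seed=1))
    print(locate_dcs(zone, "example.com", service="_kerberos", seed=1))
```

Two things worth noticing from a defender's side: a client in a site with no registered DC silently falls back to the forest-wide set, and the priority-10 record is only ever tried after every priority-0 DC, so what these records say decides which DC a client trusts for LDAP and Kerberos.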