Saturday, March 15, 2008

Modeling the Directory Structure After Your Business Organization

The main points to consider when grouping users and resources are how you want to administer them and what this will do to affect the network traffic associated with logon authentication and directory information replication.

Do you want to create a network that allows centralized or decentralized control? In Windows NT, domains were used to enable you to group users and resources into convenient, manageable units that share a common security policy. With the X.500 naming hierarchy adopted by the Active Directory, you might find that you now can get by with fewer domains, while using other methods, such as organizational units, to make administration more flexible.

Having a single domain and using OUs to divide users and resources for administrative control purposes is a good idea if the network is connected by high-speed links. If your network is widely dispersed over a large geographical distance (or via slow links), you should take into consideration the replication traffic that will occur when changes are made to the database if a single domain is used. If frequent changes to the database occur, you might want to consider using separate domains for users and resources in different locations so that only the domain tree metadata becomes the object of replication.


For example, suppose that a manufacturer has just decided to upgrade all its business sites to Windows 2000 and use the Active Directory to manage resources. The sales office is located in New York and two manufacturing sites are located in Dallas. The user base at the Dallas site has a much higher turnover rate than that of the New York site. Because users at each site mainly access only resources local to their site, it makes sense to use two domains, one for each geographical site. Using two domains also keeps replication traffic between the sites to a minimum because the frequent changeover of users at the Dallas site does not need to be replicated to the New York site.

Later, the company decides to open another manufacturing plant in San Antonio. A high-speed leased line is installed between the Dallas and San Antonio sites because the plants will be sharing a lot of information between them. The Dallas domain is expanded to include the San Antonio users. However, a separate OU is used for each of these sites so that users can be dealt with easily by the local managers for each site. Because both of these OUs reside in the same domain, controlling user access to domain resources is a simple task no matter where the user is located.

Domains Are Partitions of the Active Directory

A domain in the Active Directory is basically a partition of the entire domain tree namespace. The namespace consists of all domains in the domain tree of which the domain is a member. In the Active Directory, each domain controller in the domain holds a complete replica of that domain's partition of the directory database. Each domain is responsible for holding directory information about users, resources, and other objects defined in the domain. The global catalog enables users in other domains of the domain tree to quickly locate resources that are entered in other partitions, or domains, of the tree.


You aren't stuck with your initial decision when you set up a domain tree or forest. The Active Directory uses a unique number, the globally unique identifier (GUID), to identify each domain in the network. Because this identifier is used throughout the network to uniquely identify the domain, the directory enables you to add, delete, and change domain names easily as your organization or network changes. Because each domain can be easily identified by its GUID, you can make changes to the shape of the domain tree or forest by moving domains around and reattaching them at different points to match your current needs. In the Windows 2003 Active Directory, you can use drag-and-drop utilities to rearrange domains in a tree.

Another important characteristic of a domain is the domain security policy. You define certain characteristics of the security policy, such as the password history and account lockout values, on a domain-by-domain basis. However, you cannot assign different account policies, such as lockout values, on an OU basis.

Organizational Units Allow for Delegation of Control

Organizational units are container objects in the Active Directory. A container object is an object that can hold other objects in the directory. An OU can hold other organizational units and container objects, as well as leaf objects in the directory. Leaf objects are the endpoints in the tree structure of the directory and hold information about such things as users, printers, applications, and other resources.


In the Active Directory, you can use the OU to subdivide portions of the directory. By doing so, you can reduce the number of domains that you need. You can delegate authority to manage OUs to only those administrators who need such access. Thus, OUs can be used not only to partially replace domains, but also can be a very useful method for controlling rights and access for day-to-day management chores.

In Windows NT, you use a domain to group users and resources so that they can be managed as a unit. Within a domain, you can grant certain users the rights to perform system management and administrative tasks, such as creating user accounts or adding computers to the domain. However, this administrative control is domainwide. For example, if you grant a user account the right to modify user accounts, that user can modify any user account in the domain.

OUs enable you to further subdivide a domain and grant those same user rights based on the OU instead of the entire domain. This finer granularity of control can make it possible for you to get by with fewer domains in situations in which you want to use a large number of user groupings for administrative control purposes. Instead of creating a domain for each of the accounting, human resources, and manufacturing departments, you can create one domain and assign administrative privileges by OUs created within the domain to allow each department to control its own users and resources.
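The delegation described above, scoped to one OU rather than the whole domain, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module is available, and uses a hypothetical domain (DC=example,DC=com), a hypothetical OU named SanAntonio (matching the earlier scenario) and a hypothetical helpdesk group SA-Helpdesk; the two schema GUIDs are the well-known "Reset Password" control access right and the "user" object class, so the access control entry applies only to user objects beneath that OU. The final step reads the OU's ACL back so the delegation can be reviewed and confirmed to be OU-scoped:

```powershell
# Added example (not from the original post): delegate "Reset Password" on a
# single OU to a site helpdesk group, then list the OU's explicit ACEs for review.
Import-Module ActiveDirectory

$ouDN  = 'OU=SanAntonio,DC=example,DC=com'   # assumed OU for the San Antonio site
$group = Get-ADGroup -Identity 'SA-Helpdesk' # assumed local helpdesk group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs: the "Reset Password" extended right and the "user"
# object class. Restricting the rule to the user class keeps the delegate from
# gaining the right over other object types (computers, groups) in the OU.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Read the OU's security descriptor through the AD: drive, add one ACE, write it back.
$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review step: show only the ACEs set directly on this OU (not inherited from the
# domain), so it is clear the helpdesk right stops at the OU boundary.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run this as an account that holds rights on the OU itself (a domain administrator, or an account already delegated control of the parent); the same pattern, with a different right GUID and object class, covers other day-to-day chores such as creating user objects in the OU. Listing the non-inherited entries is the check worth repeating periodically, because delegated rights are easy to grant and easy to forget.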
