Saturday, September 10, 2022

Basics of Active Directory: Logical Topology

Active Directory (AD) is a directory service that lets you manage the elements of your network: computers, groups, users, domains, security policies, and any user-defined objects. It is the tool most Windows environments rely on to keep track of their IT assets. To make this manageable, Active Directory follows a hierarchical logical structure that gives administrators clear scopes of oversight.

One great aspect of Active Directory is that it is built around DNS (Domain Name System) and LDAP (Lightweight Directory Access Protocol). DNS is used because every AD domain name is also a DNS zone, and clients find domain controllers through DNS service (SRV) records rather than hard-coded server names. LDAP is the protocol used to query and modify the objects stored in the directory. Because LDAP and DNS are open, platform-independent protocols, Unix, Macintosh, and other clients can locate and query the directory in the same fashion as Windows clients.

When we look at the logical structure of Active Directory, there are 4 principal areas:
  1. Domain
  2. Organizational Unit
  3. Trees
  4. Forests
Before we dive into these principal areas, we need to understand what objects are. 

An object is the basic element of Active Directory that represents something on the network, such as a user, a group, a computer, an application, a printer, or a shared folder.

Each object also has its own attributes, and the set of allowed attributes is defined by the schema. For example, a user object has attributes like:
  • First Name (stored as givenName)
  • Last Name (stored as sn)
  • Email (stored as mail)
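As an added example (not code from the original post), here is how a client puts DNS and LDAP together: it finds the domain controllers for a domain through the SRV records under _msdcs, then reads the attributes of one user object over LDAP with .NET's DirectorySearcher, which needs no RSAT module. The domain name company.com and the account jdoe are hypothetical placeholders; run it from a domain-joined Windows host as any domain user.

```powershell
# Added example, not from the original post. 'company.com' and 'jdoe' are
# hypothetical placeholders; replace them with your own domain and account.
$Domain         = 'company.com'
$SamAccountName = 'jdoe'

# 1. Locate domain controllers the way a domain member does: a DNS SRV lookup.
#    Every writable DC for the domain registers _ldap._tcp.dc._msdcs.<domain>.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }

foreach ($r in $srv) {
    '{0,-40} port {1,-4} priority {2} weight {3}' -f $r.NameTarget, $r.Port, $r.Priority, $r.Weight
}
$dc = $srv[0].NameTarget     # lowest priority value wins; higher weight breaks ties

# 2. Escape anything that goes into an LDAP filter (RFC 4515). Without this an
#    attacker-controlled name such as 'jdoe)(objectClass=*' rewrites the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    # The backslash must be replaced first, or the later escapes get double-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# 3. Query that DC over LDAP. The search base is the domain's DNS name written as
#    DC= components; the bind uses the caller's Windows credentials (Negotiate).
$baseDn   = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$baseDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'givenName', 'sn', 'mail', 'memberOf'))

$result = $searcher.FindOne()
if (-not $result) { throw "No user '$SamAccountName' found under $baseDn" }

# 4. The object's attributes as stored in the directory: schema attribute names
#    (givenName, sn, mail), not the labels the management console shows.
foreach ($name in ($result.Properties.PropertyNames | Sort-Object)) {
    '{0,-18} {1}' -f $name, ($result.Properties[$name] -join '; ')
}
```

Step 1 is the same SRV lookup Windows performs at logon; if it returns nothing, the host's DNS settings, not AD, are the first thing to check. Step 2 matters whenever the account name comes from user input, for example a self-service web form that looks users up in the directory.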
Organizational Unit (OU):
  • This is a container within a domain which can hold objects like users, computers, and groups. 
  • OUs can have other OUs within them. 
  • This is the smallest scope an administrator can link Group Policy settings to (policy is linked to sites, domains, and OUs, never to groups), and the usual unit for delegating administrative control. 
  • We can organize users, computers, etc. by location, department, etc. 
  • OUs are different from AD groups. 
    • OUs are containers: they decide which Group Policy reaches the PCs and accounts inside them (login screen, toolbar, screen lock, software settings, etc.) and who is delegated to administer them. 
    • AD groups are security principals: they appear in access control lists and are used to grant permissions on files, shares, and other resources. A group is itself an object and normally sits inside an OU.
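The OU-versus-group distinction in practice, as an added example that is not part of the original post: it creates a Sales OU, links a Group Policy Object to it, then creates a security group inside that OU and grants the group rights on a folder. The OU decides which policy reaches jdoe's session; the group decides what jdoe may touch on disk. It assumes RSAT's ActiveDirectory and GroupPolicy modules, a domain admin session on the file server or a DC, and the hypothetical names Sales, Sales Workstation Baseline, Sales-Share-RW, jdoe and D:\Shares\Sales.

```powershell
# Added example, not from the original post. All names below are hypothetical.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT) and admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName          # e.g. DC=company,DC=com
$netbios  = $domain.NetBIOSName

# --- OU: a container for Group Policy and delegation ---------------------------
$ouDn = "OU=Sales,$domainDn"
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Sales)' -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
# Policy linked to an OU applies to the objects *under* it, so move the user in.
Move-ADObject -Identity (Get-ADUser 'jdoe').DistinguishedName -TargetPath $ouDn

# Link a GPO to the OU. Here the setting is "password protect the screen saver";
# it now applies to every user object under OU=Sales and to nobody else.
$gpo = Get-GPO -Name 'Sales Workstation Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Sales Workstation Baseline' }
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- Group: a security principal that appears in ACLs ------------------------
# Creating the group inside the OU grants nothing by itself; membership plus an
# access control entry on a resource is what grants access.
if (-not (Get-ADGroup -LDAPFilter '(sAMAccountName=Sales-Share-RW)')) {
    New-ADGroup -Name 'Sales-Share-RW' -SamAccountName 'Sales-Share-RW' `
        -GroupScope Global -GroupCategory Security -Path $ouDn
}
Add-ADGroupMember -Identity 'Sales-Share-RW' -Members 'jdoe'

# Grant the group Modify on the share folder, inherited by subfolders and files.
$path = 'D:\Shares\Sales'
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
$acl  = Get-Acl -Path $path
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$netbios\Sales-Share-RW", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# --- Check: where the user lives (OU) versus what the user can do (group/ACL) --
(Get-ADUser 'jdoe').DistinguishedName
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
(Get-Acl $path).Access |
    Where-Object IdentityReference -like '*Sales-Share-RW' |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Moving jdoe into OU=Sales changes only the policy that applies and who may administer the account; nothing about file access changes until the group membership and the ACL entry exist. The reverse is also true: a user can sit in any OU and still get the share through the group, which is why permissions are never tied to OUs.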
Domain:
  • This is a logical group of objects that share a common directory database, administration, security settings, and replication settings.
    • This is important because you may not want the sales team to have access to the engineering team's resources, and you may want different administrators or policy for each part of the business.
  • IT teams can define administrative boundaries and manage sets of devices, services, and systems in a centralized manner. 
  • Domains are logical, not physical: an office or group of offices is modelled separately as an AD site, and one domain can span many sites.
  • Domains group network objects and OUs into a unit with an administrative and replication boundary. Note that a domain is not a security boundary: an administrator of any domain in a forest can, with some effort, take control of every other domain in it. The forest is the real security boundary.
  • Each domain has at least one Domain Controller (DC): a server that holds a writable copy of the domain's directory database, answers LDAP queries, and authenticates users (Kerberos and NTLM) for IT resources within the domain.
Trees:
  • A tree is a collection of domains that share a contiguous DNS namespace: each child domain's name is a subdomain of its parent's name.
  • The domains in a tree are connected by two-way transitive parent-child trusts, created automatically when a child domain is added. 
  • Every domain in a tree (in fact, in the whole forest) shares a common schema and global catalog.
    • The Global Catalog (GC) is a partial, read-only copy of every object in the forest, held on designated domain controllers, so users and applications can find objects without knowing which domain holds them. 
    • The schema is the list of definitions that determines which object classes and attributes can be stored. 
  • For example, you may have a domain of "company.com". 
    • Then, have child domains called "hr.company.com" and "sales.company.com". 
    • This is a tree: a collection of domains that share the DNS namespace "company.com". 
    • The child domains are "hr" and "sales". 
Forests:
  • The highest level in the hierarchical structure of Active Directory.
  • A forest is a collection of one or more domain trees; the first domain created is the forest root domain, which holds the forest-wide Enterprise Admins and Schema Admins groups. 
  • All domains in a forest share a single schema, a single configuration partition, and a single global catalog, and the forest is the security boundary. Trust between separate forests has to be created explicitly (a forest or external trust) and should keep SID filtering enabled.
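To see the domain, tree and forest levels on a real directory, here is an added read-only inventory script (not from the original post). It prints the forest root, the schema and domain naming masters and the global catalogs, then arranges every domain into its tree by following ParentDomain/ChildDomains, and finally lists trusts, flagging external trusts that have SID filtering switched off, since those are the edges where the forest boundary can be crossed. It assumes only the ActiveDirectory module and a domain user session in the forest; no names are assumed.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
'Forest root domain   : {0}' -f $forest.RootDomain
'Forest mode          : {0}' -f $forest.ForestMode
'Schema master        : {0}' -f $forest.SchemaMaster
'Domain naming master : {0}' -f $forest.DomainNamingMaster
'Global catalogs      : {0}' -f ($forest.GlobalCatalogs -join ', ')

# One object per domain; ParentDomain/ChildDomains carry the tree structure.
$domains = @(foreach ($name in $forest.Domains) { Get-ADDomain -Identity $name })

function Show-DomainTree {
    param($Domain, $All, [int]$Depth = 1)
    $pad = '  ' * $Depth
    '{0}{1}  (NetBIOS {2}; PDC emulator {3}; writable DCs {4})' -f $pad, $Domain.DNSRoot, $Domain.NetBIOSName, $Domain.PDCEmulator, $Domain.ReplicaDirectoryServers.Count
    foreach ($childName in $Domain.ChildDomains) {
        $child = $All | Where-Object { $_.DNSRoot -eq $childName }
        if ($child) { Show-DomainTree -Domain $child -All $All -Depth ($Depth + 1) }
    }
}

# A tree root is a domain with no parent in this forest; each tree is the
# contiguous DNS namespace below one such root.
$treeRoots = @($domains | Where-Object { -not $_.ParentDomain })
'{0} domain(s) in {1} tree(s)' -f $domains.Count, $treeRoots.Count
foreach ($root in $treeRoots) {
    'Tree rooted at {0}' -f $root.DNSRoot
    Show-DomainTree -Domain $root -All $domains
}

# Trusts. Inside the forest, parent-child and tree-root trusts are two-way,
# transitive and automatic, which is why the forest, not the domain, is the
# security boundary. Trusts that leave the forest should keep SID filtering on.
foreach ($d in $domains) {
    foreach ($t in (Get-ADTrust -Filter * -Server $d.DNSRoot)) {
        $kind = if ($t.IntraForest) { 'intra-forest' } elseif ($t.ForestTransitive) { 'forest' } else { 'external' }
        $note = ''
        if ($kind -eq 'external' -and -not $t.SIDFilteringQuarantined) {
            $note = '  <-- CHECK: SID filtering (quarantine) is off'
        } elseif ($kind -eq 'forest') {
            $note = '  (SIDFilteringForestAware={0})' -f $t.SIDFilteringForestAware
        }
        '{0} -> {1}: {2}, {3}, selective auth {4}{5}' -f $d.DNSRoot, $t.Target, $kind, $t.Direction, $t.SelectiveAuthentication, $note
    }
}
```

Each intra-forest trust is listed twice, once from each side, which is expected. The flag on external trusts is the one to act on: with SID filtering off, a compromised trusted domain can inject SIDs from your forest into its tokens, so the check that matters for the "forest is the security boundary" claim is that every trust leaving the forest keeps it on.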



