Active Directory includes a replication feature. Replication ensures that changes made on one domain controller are reflected on all domain controllers within the domain. Each domain controller stores a replica of the domain directory, and each domain can contain one or more domain controllers.
Within a site, Active Directory automatically generates a ring topology for replication among the domain controllers in the same domain. The topology defines the path along which directory updates flow from one domain controller to another until all of them have received the updates.
Active Directory periodically analyzes the replication topology within a site to ensure that it is still efficient. If you add a domain controller to the network or a site, or remove one, Active Directory reconfigures the topology to reflect the change.
Objects
An object is a distinct, named set of attributes that represents a network resource.
Enterprise resources are represented in Active Directory as objects, or records in the database. Each object has numerous attributes, or properties, that define it. For example, a user object includes the user name and password; a group object includes the group name and a list of its members. Active Directory is capable of hosting millions of objects, including users, groups, computers, printers, shared folders, sites, site links, Group Policy Objects (GPOs), and even DNS zones and host records.
Organizational Units
An organizational unit (OU) is a container used to organize objects within a domain into logical administrative groups. They provide important administrative capabilities because they provide a point at which administrative functions can be delegated and to which group policies can be linked. Enterprises often have thousands of computers, groups, and users. If you had several thousand computers in a single list, it would be very difficult to identify all the computers belonging to, say, the Accounting department, or located within the Lucknow office. Enterprises need a way to organize these objects. OUs provide a way to create administrative boundaries within a domain, allowing you to delegate administrative tasks within the domain. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs.
The OU hierarchy within a domain is independent of the OU hierarchy of other domains; each domain can implement its own OU hierarchy. There are no restrictions on the depth of the OU hierarchy. However, a shallow hierarchy performs better than a deep one, so you should not create an OU hierarchy any deeper than necessary.
Delegation
Each object in Active Directory (user objects, for example) includes an access control list (ACL) that defines permissions for that object, just as files on a disk volume have ACLs that define access to those files.
For example, a user object's ACL defines which groups are allowed to reset its password. It would get complicated to assign a frontline administrator permission to change each individual user's password, so instead you can put all of those users in a single OU and assign that administrator the Reset Password permission on the OU. That permission is inherited by all user objects in the OU, thereby allowing that administrator to reset the password of every user in the OU. Resetting user passwords is just one example of administrative delegation.
There are thousands of combinations of permissions that could be assigned to the groups that administer and support Active Directory. OUs allow an enterprise to create a representation of its administrative model and to specify who can do what to objects in the domain.
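The delegation described above, as an added PowerShell example that is not part of the original post: one function grants a group the Reset Password extended right on an OU with inheritance limited to user objects, and a second function reports every principal that holds that right on the OU, including entries inherited from parent containers, which is what a permissions review needs to see. The OU distinguished name and group name are assumed for illustration; the two GUIDs are the well-known schema identifiers for the Reset Password control access right and the "user" class, and the RSAT ActiveDirectory module (which provides the AD: drive) is required.

```powershell
# Added example, not the post's own code. Assumed names: OU=Accounting,DC=corp,DC=example
# and the group Helpdesk-Tier1. Requires the RSAT ActiveDirectory module and
# permission to modify the OU's ACL.
Import-Module ActiveDirectory

# Well-known schema GUIDs (identical in every forest):
#   Reset Password control access right, and the "user" class schemaIDGUID.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Grant-ResetPasswordOnOU {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $ouPath = "AD:\$OuDistinguishedName"
    $sid    = (Get-ADGroup -Identity $GroupName).SID

    # One ACE: Allow <group> the Reset Password extended right, inherited only by
    # descendant objects of class "user". The OU itself and non-user children
    # (computers, nested OUs) are not affected, which keeps the grant minimal.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)

    $acl = Get-Acl -Path $ouPath
    $acl.AddAccessRule($ace)
    Set-Acl -Path $ouPath -AclObject $acl
}

function Get-ResetPasswordDelegations {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Every Allow ACE that carries the Reset Password right, either explicitly
    # (ObjectType = that right) or via "all extended rights" (ObjectType = empty GUID).
    # IsInherited = True means the grant comes from a parent container, which is
    # where unexpected delegations usually hide during a review.
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, IsInherited, InheritanceType, InheritedObjectType
}

# Usage with the assumed names:
Grant-ResetPasswordOnOU -OuDistinguishedName 'OU=Accounting,DC=corp,DC=example' -GroupName 'Helpdesk-Tier1'
Get-ResetPasswordDelegations -OuDistinguishedName 'OU=Accounting,DC=corp,DC=example' | Format-Table -AutoSize
```

The audit function deliberately matches the empty ObjectType as well: an ACE granting all extended rights covers Reset Password even though the right's own GUID never appears in it, so a filter on the GUID alone under-reports who can reset passwords.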
Sites
A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable, fast link, used to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.
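The site and intra-site replication topology described in the replication and Sites sections, as an added PowerShell example that is not part of the original post: it reports, per site, the subnets assigned to it, the domain controllers in it, and the inbound replication connection objects the KCC generated for those domain controllers, and then checks each domain controller's replication partners for failures. It assumes only the RSAT ActiveDirectory module and read access to the configuration partition; the parsing of connection objects relies on the standard "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..." layout of the configuration partition.

```powershell
# Added example, not the post's own code. Read-only; requires the RSAT
# ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

# Connection objects reference their endpoints by the DN of the server's NTDS
# Settings object: "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site-A,CN=Sites,...".
# Pull the server and site names out of that fixed layout.
function ConvertFrom-NtdsSettingsDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = $DistinguishedName -split ','
    [pscustomobject]@{
        Server = $parts[1] -replace '^CN='
        Site   = $parts[3] -replace '^CN='
    }
}

function Get-SiteTopologyReport {
    $subnets = Get-ADReplicationSubnet -Filter *
    $dcs     = Get-ADDomainController -Filter *
    $links   = Get-ADReplicationConnection -Filter *

    foreach ($site in Get-ADReplicationSite -Filter *) {
        $siteSubnets = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } | ForEach-Object Name
        $siteDcs     = $dcs     | Where-Object { $_.Site -eq $site.Name }              | ForEach-Object HostName

        # Inbound connections for DCs in this site. AutoGenerated = False marks a
        # connection an administrator created by hand rather than the KCC; those
        # and any cross-site sources are the entries worth a second look.
        $inbound = foreach ($l in $links) {
            $to   = ConvertFrom-NtdsSettingsDN $l.ReplicateToDirectoryServer
            $from = ConvertFrom-NtdsSettingsDN $l.ReplicateFromDirectoryServer
            if ($to.Site -eq $site.Name) {
                [pscustomobject]@{
                    To            = $to.Server
                    From          = $from.Server
                    FromSite      = $from.Site
                    CrossSite     = ($from.Site -ne $site.Name)
                    AutoGenerated = $l.AutoGenerated
                }
            }
        }

        [pscustomobject]@{
            Site               = $site.Name
            Subnets            = $siteSubnets
            DomainControllers  = $siteDcs
            InboundConnections = $inbound
        }
    }
}

# Replication health per partner: a non-zero LastReplicationResult or a run of
# consecutive failures means one DC is no longer receiving updates from that partner.
function Get-ReplicationFailures {
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
            Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess,
                          LastReplicationResult, ConsecutiveReplicationFailures
    }
}

# Usage:
Get-SiteTopologyReport | ForEach-Object {
    "Site: $($_.Site)  Subnets: $($_.Subnets -join ', ')  DCs: $($_.DomainControllers -join ', ')"
    $_.InboundConnections | Format-Table -AutoSize
}
Get-ReplicationFailures | Format-Table -AutoSize
```

Because the KCC rebuilds the intra-site ring on its own whenever a domain controller is added or removed, a connection object that is not auto-generated, or one whose source sits in another site, is a change somebody made deliberately and should be traceable to a change record.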
Classes, Attributes, and the Directory Schema
In Active Directory, you can organize objects in classes, which are logical groupings of objects. Object classes help organize objects by their similarities. For example, all user objects fall under the object class Users.
When you create a new object, it automatically inherits attributes from its class. When you create a new user account, the information you can enter about that user account (its attributes) is derived from the object class Users. Microsoft defines a default set of object classes (and the attributes they define) used by Active Directory. Of course, because Active Directory is extensible, administrators and applications can modify the object classes available and the attributes that those classes define.
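The class-to-attribute inheritance and the extensibility just described, as an added PowerShell example that is not part of the original post: the first function reads the schema partition and walks a class's subClassOf chain up to "top", listing the mandatory and optional attributes each class in the chain contributes; the second lists schema objects changed within a given number of days, since schema modifications are rare, require high privilege, and are worth reviewing. It assumes the RSAT ActiveDirectory module and read access to the schema partition; the class name "user" is the one the post's "Users" class maps to in the schema (lDAPDisplayName).

```powershell
# Added example, not the post's own code. Read-only; requires the RSAT
# ActiveDirectory module. Class names are lDAPDisplayName values (e.g. "user").
Import-Module ActiveDirectory

function Get-ClassAttributeInheritance {
    param([Parameter(Mandatory)][string]$ClassLdapName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $props    = 'lDAPDisplayName', 'subClassOf',
                'mustContain', 'systemMustContain', 'mayContain', 'systemMayContain'

    # Walk the inheritance chain. "top" lists itself as its own superclass, so the
    # loop stops there; the $seen table guards against any other cycle.
    $current = $ClassLdapName
    $seen    = @{}
    while ($current -and -not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        $cls = Get-ADObject -SearchBase $schemaNC `
                            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))" `
                            -Properties $props
        if (-not $cls) { break }

        # Mandatory attributes come from mustContain/systemMustContain, optional
        # ones from mayContain/systemMayContain; a new object of the leaf class
        # gets the union of all of these up the chain.
        [pscustomobject]@{
            Class       = $cls.lDAPDisplayName
            ParentClass = $cls.subClassOf
            Mandatory   = @($cls.mustContain) + @($cls.systemMustContain)
            Optional    = @($cls.mayContain)  + @($cls.systemMayContain)
        }
        $current = if ($cls.subClassOf -eq $cls.lDAPDisplayName) { $null } else { $cls.subClassOf }
    }
}

function Get-RecentSchemaChanges {
    param([int]$Days = 30)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # LDAP generalized-time form of the cutoff, e.g. 20240101000000.0Z
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter "(&(|(objectClass=classSchema)(objectClass=attributeSchema))(whenChanged>=$since))" `
                 -Properties lDAPDisplayName, objectClass, whenCreated, whenChanged |
        Select-Object lDAPDisplayName, objectClass, whenCreated, whenChanged
}

# Usage: show where each attribute of a user object comes from, then any schema
# objects touched in the last 30 days on the queried domain controller.
Get-ClassAttributeInheritance -ClassLdapName 'user' |
    Format-List Class, ParentClass, @{ n = 'Mandatory'; e = { $_.Mandatory -join ', ' } },
                                    @{ n = 'Optional';  e = { $_.Optional  -join ', ' } }
Get-RecentSchemaChanges -Days 30 | Format-Table -AutoSize
```

For "user" the chain is user, organizationalPerson, person, top, and attributes such as sAMAccountName appear at the user level while cn is inherited from higher up. whenChanged is maintained locally by each domain controller rather than replicated, so the second function reports the view of whichever domain controller answered the query.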