Structures of Active Directory

Posted: February 20, 2013 in Active Directory, Domain Controller, Server 2008

Active Directory is made up of components that constitute its logical and physical structure. To administer Active Directory, we must understand the purpose of these components.


Logical Structure: The logical structure of Active Directory provides methods for organizing network resources such as computers, printers, users and groups. It is made up of objects, organizational units, domains, domain trees, and forests.


1. Objects

The object is the most basic component of the logical structure. Object classes are templates for the types of objects that can be created in Active Directory. Each object class is defined by a group of attributes. Attributes define the possible values that can be associated with an object. Each object has a unique combination of attribute values.


2. Organizational units

Organizational units are container objects that are used to group other objects in a manner that supports your administrative purposes. By grouping objects by organizational unit in a logical fashion, it becomes easier to locate and administer objects. We can also delegate the authority to administer an organizational unit. Organizational units can be nested in other organizational units. By nesting organizational units, we can further simplify the administration of objects.


3. Domains

Domains are the core functional units in the Active Directory logical structure. A domain is a collection of objects that share a common directory database, security policies, and security relationships with other domains. Domains provide the following three functions:

  • Serve as an administrative boundary for objects
  • Help to manage security for shared resources
  • Serve as a unit of replication for objects


4. Domain Trees

Domains can be grouped together in hierarchical structures that are called trees. When a second domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain may in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.


5. Forests

Forests are made up of one or more trees, although a single two-level tree is recommended for most organizations. In a two-level tree, all child domains are made children of the forest root domain, forming one contiguous tree. The first domain in the forest is called the forest root domain, and the name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory. By default, the information within Active Directory is shared only within the forest. In this way, the forest is the security boundary for the information contained in that instance of Active Directory.


Physical Structure: The physical structure of Active Directory models the physical structure of the network, and is made up of domain controllers and sites. It defines where and when replication and logon traffic occur, which is what lets you manage and optimize network traffic. The elements of the Active Directory physical structure are:


1. Domain controllers

A domain controller performs storage and replication functions for its domain. A domain controller can support only one domain, but a domain can have one or more domain controllers.


2. Active Directory sites

Sites are created mainly to optimize replication traffic and to let users connect to domain controllers over reliable, high-speed connections. A site is a group of well-connected computers. When sites are established, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site. Latency is the time required for a change that is made on one domain controller to be replicated to the other domain controllers. You create sites to optimize the use of bandwidth between separated domain controllers. There can be multiple domains in a single site, and a single domain can span multiple sites.


Note: We use Logical structure to organize the network resources and Physical structure to manage the network traffic.
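To see both structures on a real forest, the following script (an added example, not part of the original post) walks the logical structure (forest root, domain trees, child domains, nested OUs) and then the physical structure (sites, their subnets, and the domain controllers placed in each). It assumes the ActiveDirectory PowerShell module from RSAT is installed and that the account running it has read access to the forest; nothing is modified.

```powershell
# Added example: read-only map of an AD forest's logical and physical structure.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)  (forest root domain: $($forest.RootDomain))"

# --- Logical structure: trees -> domains -> nested OUs ---
function Show-DomainTree {
    param([string]$DnsRoot, [int]$Depth = 0)
    $domain = Get-ADDomain -Identity $DnsRoot
    $indent = '  ' * $Depth
    Write-Host "$indent- Domain: $($domain.DNSRoot)  (DCs: $($domain.ReplicaDirectoryServers.Count))"

    # OU nesting is encoded in the distinguished name (OU=Sales,OU=Corp,DC=...).
    # Reverse the OU components to get a parent/child path we can sort on.
    # (Simple split on ','; OU names containing escaped commas would need an LDAP DN parser.)
    Get-ADOrganizationalUnit -Filter * -Server $domain.DNSRoot | ForEach-Object {
        $parts = @(($_.DistinguishedName -split ',') |
                   Where-Object { $_ -like 'OU=*' } |
                   ForEach-Object { $_.Substring(3) })
        [array]::Reverse($parts)
        [pscustomobject]@{ Path = ($parts -join '/'); Depth = $parts.Count }
    } | Sort-Object Path | ForEach-Object {
        Write-Host "$indent    $('  ' * $_.Depth)OU: $($_.Path)"
    }

    # Child domains share the parent's DNS suffix and form the contiguous tree.
    foreach ($child in $domain.ChildDomains) {
        Show-DomainTree -DnsRoot $child -Depth ($Depth + 1)
    }
}

# A tree root is a domain with no parent; most forests have exactly one.
$treeRoots = $forest.Domains | Where-Object { -not (Get-ADDomain -Identity $_).ParentDomain }
foreach ($root in $treeRoots) { Show-DomainTree -DnsRoot $root }

# --- Physical structure: sites -> subnets and domain controllers ---
# Each DC belongs to exactly one domain, so collect DCs per domain across the forest.
$allDCs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$subnets = Get-ADReplicationSubnet -Filter *

Write-Host "`nSites:"
foreach ($site in Get-ADReplicationSite -Filter *) {
    Write-Host "- Site: $($site.Name)"
    $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
        ForEach-Object { Write-Host "    Subnet: $($_.Name)" }
    # One site may host DCs from several domains; one domain may span several sites.
    $allDCs | Where-Object { $_.Site -eq $site.Name } |
        ForEach-Object { Write-Host "    DC: $($_.HostName)  [$($_.Domain)]  GC=$($_.IsGlobalCatalog)" }
}
```

A site with no subnet or no domain controller listed is worth a second look, since clients in it will fall back to DCs elsewhere and replication topology for it is being generated from nothing.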


  1. Thiago Lima says:

    It is in point of fact a nice and useful piece of info. I’m glad that you just shared this useful information with us. Please keep us up to date like this. Thanks for sharing.
