Over time, Microsoft has added additional services under the Active Directory banner.

Active Directory lightweight directory services

This light version of Domain Services removes some complexity and advanced functionality to offer just the basic directory service functionality, without the use of domain controllers, forests or domains. It is typically used in small, single-office network environments.

Active Directory certificate services

Certificate Services offers digital certification services and supports public key infrastructure, or PKI. This service can store, validate, create and revoke the public key credentials used for encryption, rather than having keys generated externally or locally.

Active Directory federation services

Provides a web-based, single sign-on authentication and authorization service, primarily for use across organizations. Thus, a contractor might log on to his own network and be authorized for his or her access on the client's network as well.

Active Directory rights management services

This is a rights management service that breaks down authorization beyond an access-granted or access-denied model and limits what a user can do with particular files or documents. The rights and restrictions are attached to the document rather than the user. These rights are commonly used to prevent the printing, copying or screenshotting of a document.

One key feature of Active Directory structure is delegated authorization and efficient replication. Each part of the AD organizational structure limits either authorization or replication to within that particular sub-part.

The forest is the highest level of the organization hierarchy. A forest is a security boundary within an organization. A forest allows delegation of authority to be segregated within a single environment: an administrator can be given full access rights and permissions, but only to a specific subset of resources. It is possible to use just a single forest on a network. Forest information is stored on all domain controllers, in all domains, within the forest.

The domains within a tree share the same root name space. While a tree shares a name space, trees do not limit security or replication.

Domains

Each forest contains a root domain. Additional domains can be used to create further partitions within a forest. The purpose of a domain is to break the directory into smaller pieces to control replication. A domain limits Active Directory replication to only the other domain controllers within the same domain. For example, an office in Oakland would not need to replicate AD data from the office in Pittsburg. This saves bandwidth and limits damage from a security breach. Each domain controller in a domain has an identical copy of that domain's Active Directory database, which is kept up to date via constant replication.

While domains were used in the previous Windows NT-based model, and still provide a security barrier, the recommendation is not to rely on domains alone: use domains to control replication, and use organizational units (OUs) to group and limit security permissions.

Organizational units (OUs)

An organizational unit provides for the grouping of authority over a subset of resources from a domain. An OU provides a security boundary on elevated privileges and authorization, but does not limit the replication of AD objects. OUs are used to delegate control within functional groupings. OUs should be used to implement and limit security and roles among groups, while domains should be used to control Active Directory replication.

Domain controllers are Windows Servers which contain the Active Directory database and perform Active Directory related functions, including authentication and authorization. A domain controller is any Windows Server installed with the Domain Controller role. Each domain controller stores a copy of the Active Directory database containing information about all objects within the same domain. In addition, each domain controller stores the schema for the entire forest, as well as all information about the forest. A domain controller will not store a copy of any schema or forest information from a different forest, even if they are on the same network.
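As an added example (not code from the original article), the following PowerShell audit walks every domain in the forest and lists the explicit, non-inherited rights granted on each OU, since OUs are where control is delegated and a domain's OUs replicate only among that domain's own controllers. It assumes the RSAT ActiveDirectory module and an account permitted to read each domain; the list of expected trustees is a constructed baseline to adjust for your environment.

```powershell
# Added example, not code from the original article. Assumes the RSAT
# ActiveDirectory module and a session that may read every domain in the forest.
Import-Module ActiveDirectory

# Trustees whose rights on an OU are normal and not counted as delegation.
# Constructed baseline: extend it with your own tier-0 administrative groups.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
)
# Rights that let a trustee change objects under the OU rather than merely read them.
$ControlRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|ExtendedRight|Delete'

function Get-OUDelegation {
    # Lists explicit (non-inherited) Allow ACEs on every OU of one domain.
    param([Parameter(Mandatory)][string]$Domain, [int]$Index = 0)
    $dc = (Get-ADDomain -Identity $Domain).PDCEmulator
    # One AD provider drive per domain: a domain's OUs replicate only within
    # that domain, so they must be read from one of its own domain controllers.
    $drive = "ADDOM$Index"
    New-PSDrive -Name $drive -PSProvider ActiveDirectory -Server $dc -Root '' | Out-Null
    try {
        foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $dc) {
            $acl = Get-Acl -Path "${drive}:\$($ou.DistinguishedName)"
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
                if ($ExpectedTrustees -contains $ace.IdentityReference.Value) { continue }
                $rights = [string]$ace.ActiveDirectoryRights
                if ($rights -notmatch $ControlRights) { continue }
                [pscustomobject]@{
                    Domain  = $Domain
                    OU      = $ou.DistinguishedName
                    Trustee = $ace.IdentityReference.Value
                    Rights  = $rights
                    Scope   = [string]$ace.InheritanceType  # None = this OU only; All/Descendents = child objects too
                }
            }
        }
    } finally { Remove-PSDrive -Name $drive }
}

# The forest is the security boundary: one query lists every replication partition (domain).
$forest = Get-ADForest
"Forest {0}, schema master {1}" -f $forest.Name, $forest.SchemaMaster
$i = 0
$report = foreach ($d in $forest.Domains) { Get-OUDelegation -Domain $d -Index ($i++) }
$report | Sort-Object Domain, OU, Trustee | Format-Table -AutoSize
```

Each reported row is a delegation that should match a documented role assignment; an unexpected trustee with GenericAll or WriteDacl on an OU holds elevated authority over everything beneath it.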