Active Directory Comes Included Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The following report will describe the structure of a multi domain environment using Windows Server operating systems, specifically server 2008R2 with configuration and comparisons between older versions. I will discuss the key principles of a multi domain environment, explaining the difference between domain types and a guide on how domains are configured and managed using Active Directory in Windows Server operating systems. I will also discuss 'Trees and Forests', trusts and the process of keeping domain controllers in a forest synchronized.

Active directory comes included in most Windows server operating systems and is used for controlling small and large networks from one computer. The software allows administrators to assign polices, deploy and update software as well as arrange all network users, computers and other objects into logical hierarchical groupings using organizational units. The information is used to authenticate and authorize the objects which are part of a network. Everything in active directory is referred to as an object and these objects contain attributes. A computer account for example is an object and the attributes associated with the account would be Name, Location, department etc.

To install active directory on the first domain we need to ensure we assign a static IP address and give the domain controller a name. After creating a name you will be prompted to restart the machine for settings to be applied. Once the restart has completed and the server manager window appears be sure to download and install updates. Once this is complete there are two ways we can install active directory. We can select run and type DCPROMO or we can click select role and follow the instructions, making sure when prompted, we select Active Directory Domain Service. We also need to ensure we select Install and configure DNS server on this computer. Active directory will not work if DNS is not installed.


To create a domain we can promote a server to a DC (Domain Controller) by installing Active Directory Services. This can be done by running the domain controller promotion wizard, DCPROMO.EXE. Using DCPROMO will include the set-up of DNS which needs to be installed in order for active directory to work. Having another DC is recommend because only using one, means there is a single point of failure. Using multiple DC's allows them to synchronise with each other and essentially create a backup of the active directory in case the Primary DC fails.

Single Domain Environment

The majority of small networks can be managed within a single domain, using one DC (Domain Controller) and a back-up DC. Not only does this make your network easier to manage but it is also the most cost effective.

Multiple Domain Environment

Larger networks are organized using a multiple domain environment, 'Trees and Forests'. A tree is the hierarchical groupings of domains within a common namespace. The trees within domains are linked together using trusts and a forest is a group of linked trees, also linked by trusts. I will cover this more in the sections below.

Trees and Forests

The forest and tree model is a logical structure for interconnecting multiple network domains in windows 2000 and later operating systems. A tree is a set of domains sharing a common network configuration, schema and global catalog. A forest is a collection of trees that does not form a contiguous namespace and represents the outermost boundary where users exist. In this model each Tree has a unique name and forests do not need to be named. The Trees in the forest are interconnected by trust relationships that are bi-directional, meaning they can function in either direction. Trust relationships are also transitive and that means they can be cascaded one after another in chains. In a Forest the Trees form a hierarchy for the purpose of the trust relationships. I will examine Trusts and global catalog servers in detail in the other sections of this report.

In windows server 2000 when you promote a member server to a Domain controller, DCPROMO creates a forest. With server 2000 forest creation can't occur at any other time, although this restriction was changed in the newer versions of windows server. In server 2008 a member server can be promoted to a Domain controller by using the traditional DCPROMO method or through server management which can be beneficial when implementing domains and save time with server administration.


In Windows Domain Administration Trusts are used to establish a relationship between domains and make it possible for users in a different domain to get authenticated by a Domain controller in another network. In Windows server 2008 you can use New Trust Wizard to create different types of trusts. Below are some examples:


This nontransitive trust type is bidirectional and used to provide access to resources that are located in a different forest.


This trust type is transitive or nontransitive and is used to for a trust relationship between a non-windows domain.


This is a transitive trust type and is bidirectional. Forest trust types share resources between other forests.


A transitive trust type that is bidirectional and used to improve logon times between two domains within an active directory forest.

Group Management


A collection of user and computer accounts can be managed as a single unit, we call this single unit a group. A group member is either a user or computer in a group. Groups can make it easier for administrators to assign permissions and rights too many accounts at once, rather than assigning permissions to each account individually.

Local groups can be created in Local Users & Groups in Computer Management within server 2008. This group type only applies to one specific computer. Local groups do not exist in Active Directory, they reside on local computers. To give the user rights we make them members of existing local built in groups. Local built in groups allow admins full access to a machine while users have no special rights. Power users can create local accounts, however they can't remove accounts apart from the ones they created.

Domain groups reside throughout a network and Object membership is stored in Active directory or a global catalog depending on group type. The most important domain group type is security groups.

Domain local group members can come from any domain but can only access resources in the local domain. This group is usually used for resources such as printers.

Global Groups only contain members from the same domain and can contain other global groups. We can give a global group rights and permissions and it can become a member of local groups. This group is usually where users reside.

In a universal group, members can come and access resources from any domain. The names and memberships are held in the global catalog, so can be seen from anywhere in the forest. Universal groups contain users, global groups and other universal groups.

Organizational Units (OU's)

Organizational units are created by domain administrators in the console tree of windows server 2008R2 and are used to organize objects into a hierarchy within a domain. OU's are used to manage the administration of accounts for users, groups and computers. As we know, objects can be referred to as everything within active directory. OU's are also used for other resources like printers and access to shared folders. OU's can contain other OU's, therefore an administrator is able to hierarchically group resources and other objects together, reflecting the organizations structure. This is also known as nesting OU's.

Some benefits of OU's:

Can be nested to support multiple hierarchy levels.

Each domain in AD can have its own structure and be independent of another OU's structure.

It's easy to change the structure of an OU.

Easy to apply group policy with OU's.

Can be used to delegate control of active directory objects.

Group Policy

Applying group policy in active directory gives users administrative control over objects like users and computers in a network. Group policy is applied to OU's to set permissions of computers and users that are in a specific Organizational unit. Windows server will force the group policy settings throughout an entire network or just to specific groups. Group policy is also used to determine how an application is accessed or how updates are implemented.

Benefits of Group Policy:

Only admins have full privilege to change policy settings making it very secure.

Settings can be removed and the changes rewritten.

Policy settings reflect all users, computers and OU's in a domain.

Group Policy settings get stored as an object within Active Directory and can be associated with one or more domain, organizational unit or site.

Global Catalog Servers

In Active Directory the global catolog is the main directory of information about objects in a tree or forest but with a limited number of each objects attributes. The domain controller that has the copy of the global catalog is known as the Global Catalog Server. The catalog only holds a partial representation of every object in every domain in the multidomain Active Directory Domain Services forest (AD DS) and this is distributed through multimaster replication. Searching using the global catalog is faster because they do not involve referrals to different domain controller.

Here are some examples of events that require a global catalog server:

Forest-wide searches. The global catalog provides a resource for searching an AD DS forest and are identified by the LDAP port they use. If the search query uses another port, the query is sent to a global catalog server.

User Logon. In a domain that uses Windows 2000 native domain functional level or higher the domain controllers have to request universal group membership information from a global catalog server.


Active directory contents get maintained throughout Domain controllers using replication. In windows 2000 and above AD uses multimaster replication. When an administrator changes anything to objects the changes are implemented to any domain controller. Replication is necessary as changes to AD information can become congested across multiple domain controllers in large networks, therefore necessary for Windows to synchronize the DC's using this replication process. If a large company has many Domain controllers, this can cause considerable network traffic. To reduce this active directory uses a structure called a 'Site'. A site is simply a collection of DC's that service a common group or users. The main advantage of using a site structure is that Active Directory replicates changes on a scheduled basis rather than a when needed basis.

Time Synchronization

On a windows domain, synchronizing time requires the active directory domain hierarchy to find a good source for our entire domain. In server 2008R2 the (PDC) primary domain controller will be the default time source for an entire network. To ensure all servers find the correct time the (PDC) must be configured to receive the time from an accurate and valid source. To do this we log onto the domain controller and type the following command line:

W32tm /config/manualpeerlist:<timeserver> /syncfromflags:manual

To update the windows time service configuration enter: net stop w32time net start w32time


In conclusion, the development of Windows Server operating Systems throughout the years, specifically Windows Server 2008R2 in my opinion is the best choice for implementing single and multiple domain environments. Active Directory can bring a number of advantages to medium and large networks, these include centralised user management, centralised policy management and security management. Replication of information between Domain Controllers is another big benefit of Active Directory. The benefits of AD do bring some network overheads, however I feel the benefits of centralized management that it brings still make it an essential part of a single/multiple domain environment, in my opinion.

The forest and tree model is the logical structure required for interconnecting domains in Windows server and later operating systems. This model is useful when implementing multiple units under separate DNS namespaces. A tree within a forest can be autonomous, meaning independent of the others. I am confident this report explains the model correctly and gives a better understanding of trusts, which link trees and forests together.

Finally, I feel in the report successfully describes the different types of domains and the structure of a multi domain environment using Windows Server 2008R2 and previous versions.