Windows Domain Administration Configuring Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In this report I will describe the structure of a multi-domain environment and discuss its configuration and management. The topics covered are Active Directory, Forests, Trees, Domains, Replication and Trusts. For each topic I will describe what it is and how you configure it in Windows Server 2008 R2.



Active Directory (AD) is a directory service that was created by Microsoft to be used for Windows Domain Networks. Most Windows Server operating systems include Active Directory. AD is very helpful when it comes to controlling a whole network from just one computer. When it comes to Security and Network administration, Active Directory provides a central location. Server computers running Active Directory are known as Domain Controllers. An AD domain controller authenticates and authorises all users and computers in a Windows domain type network and assigns and enforces security policies for all computers. For example, when a user logs onto a computer that is part of a domain, Active Directory checks the submitted password and then determines whether the user is a system administrator or a normal user.

With the release of Windows Server 2008 R2, the domain controller role was renamed to Active Directory Domain Services.

The structure of Active Directory includes Objects, Forests, Trees, Domains and Organisational Units (OUs).

To configure Active Directory in Windows Server 2008 R2, you need to open up Server Manager and then in the Roles Summary section, click Add Roles and follow the wizard. When 'Add features required' appears, click 'Add required features' and then follow the wizard until the installation is complete. Once the installation is complete, check the Roles Summary Section in Server Manager.


The structure of an Active Directory is a hierarchical arrangement of information about objects. The objects fall into two broad categories: resources (e.g. printers) and security principals (computer or user accounts and groups). Each security principal is assigned a unique security identifier (SID).

Each object represents a single entity, whether it's a computer, a user, a printer, or a group and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes. These attributes are the characteristics and information that an object represents.


The Active Directory framework that holds the objects can be viewed at a number of levels. Forest, Tree and Domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). DNS name structure and the namespace are used to identify domains.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, which are linked in a transitive trust hierarchy.

A forest is at the top of the structure. A forest is a collection of trees that share a common logical structure, global catalog, directory schema and directory configuration. The forest represents the security boundary within which computers, users, groups and other objects can be accessed.


Active Directory uses trusts in order to allow users that are in one domain, to access resources that are in another domain.

Inside a forest, when domains are created, trusts are automatically created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.


External Trust - Nontransitive and can be one-way or two-way. You can use External Trusts to provide access to resources that are located on a domain that is located in a separate forest that is not joined by a forest trust.

Forest Trust - Transitive and can be one-way or two-way. You can use Forest Trusts to share resources between forests. If a Forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest.

Shortcut Trust - Transitive and can be one-way or two-way. You can use Shortcut trusts to improve user logon times between two domains within an Active Directory forest. This is useful when two domains are separated by two domain trees.
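The trust types above can be read back from the directory, where each trust is stored as a `trustedDomain` object. The following PowerShell is an added example, not part of the original essay: it classifies trusts from their `trustDirection` and `trustAttributes` values. The domain names and sample records are constructed, the function name is hypothetical, and Windows-to-Windows trusts are assumed (realm trusts are not handled).

```powershell
# trustAttributes bit flags stored on trustedDomain objects
$FOREST_TRANSITIVE = 0x08   # forest trust
$WITHIN_FOREST     = 0x20   # both domains are in the same forest

# Constructed sample records (hypothetical domain names)
$sample = @(
    @{ trustPartner = 'child.corp.example'; trustDirection = 3; trustAttributes = 0x20 },
    @{ trustPartner = 'partner.example';    trustDirection = 2; trustAttributes = 0x08 },
    @{ trustPartner = 'legacy.example';     trustDirection = 1; trustAttributes = 0x00 }
)

function Get-TrustSummary {
    param([Parameter(ValueFromPipeline = $true)]$Trust)
    process {
        $attr = [int]$Trust.trustAttributes
        if ($attr -band $WITHIN_FOREST) {
            $kind = 'Intra-forest (parent-child, tree-root or shortcut)'; $transitive = $true
        } elseif ($attr -band $FOREST_TRANSITIVE) {
            $kind = 'Forest trust'; $transitive = $true
        } else {
            $kind = 'External trust'; $transitive = $false
        }
        switch ([int]$Trust.trustDirection) {
            1 { $dir = 'One-way: partner trusts this domain' }
            2 { $dir = 'One-way: this domain trusts partner' }
            3 { $dir = 'Two-way' }
            default { $dir = 'Disabled' }
        }
        New-Object PSObject -Property @{
            Partner = $Trust.trustPartner; Kind = $kind
            Transitive = $transitive; Direction = $dir }
    }
}

$sample | Get-TrustSummary |
    Select-Object Partner, Kind, Transitive, Direction | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADObject -Filter 'objectClass -eq "trustedDomain"' `
#     -Properties trustPartner, trustDirection, trustAttributes | Get-TrustSummary
```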



A Group is a collection of user accounts which is used to manage resources, e.g. network shared folders and printers. It is possible to have groups as members of other groups. If a user is a member of group A, then they acquire all the rights and permissions of group A. (If these are changed while the user is logged on, the changes will only take effect after the user logs off and then logs back on again.)


Organizational Units (OUs) are Active Directory containers. Users, Groups, Computers and even other Organizational Units can be placed inside them, so the objects held in a domain can be grouped into OUs. OUs give a domain a hierarchy, ease its administration, and can mirror the structure of the organization in managerial or geographical terms. Microsoft recommends using OUs rather than domains to provide structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies. These group policies are Active Directory objects, which used to be known as Group Policy Objects (GPOs), although policies can also be applied to sites and domains. Administrative powers are usually delegated at the OU level, but delegation can also be performed on individual objects and even on attributes.


Group Policy is responsible for controlling the working environment of the user accounts and computer accounts. In an Active Directory environment, Group Policy provides the centralized management and the configuration of the operating systems, applications and user's settings.

Group Policy in part controls what users can and cannot do on a computer system. For example, it can prevent users from choosing a simple password by enforcing a Password Complexity policy, restrict access to certain files and folders, or block access to the Task Manager.

The Group Policy objects are handled in the following order:

LOCAL - Any of the settings in the Computer's local policy. Before Windows Vista, only one local group policy was allowed to be stored on each computer. Vista and newer versions allow an individual group policy for each user account.

SITE - Any group policies that are associated with the Active Directory Site where the computer resides. If multiple policies are linked to the same Site, they will be handled in the order that has been set by the Administrator.

DOMAIN - Any group policies that are associated to the Domain in which the computer resides. If multiple policies are linked to the same Domain, they will be handled in the order that has been set by the Administrator.

ORGANIZATIONAL UNIT - Any group policies that are assigned to the Active Directory Organizational Unit (OU) where the computer or user is placed.


A policy setting that is inside a hierarchical structure is normally passed from parent to child and from children to grandchildren, and so on and so forth. This is known as inheritance. It can be blocked or enforced to control what policies are to be applied at each level of the structure. If a higher level administrator (enterprise) creates a policy that has inheritance blocked by a lower level administrator (domain), the policy will still be processed.
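The processing order and the block/enforce behaviour described above can be traced with a small model. The following PowerShell is an added example, not part of the original essay: it computes the order in which GPOs are applied to one computer, where a later GPO wins a conflicting setting. All GPO, site, domain and OU names are hypothetical, the link data is constructed, and the policy that survives blocking is assumed to be one whose link is marked Enforced.

```powershell
# Constructed link data, listed from the top of the hierarchy down to the
# computer's OU. Within a container, links are in processing order.
$containers = @(
    @{ Level = 'Local';  Block = $false; Links = @(
        @{ Gpo = 'LocalPolicy';           Enforced = $false }) },
    @{ Level = 'Site';   Block = $false; Links = @(
        @{ Gpo = 'Site-Proxy';            Enforced = $false }) },
    @{ Level = 'Domain'; Block = $false; Links = @(
        @{ Gpo = 'Domain-Baseline';       Enforced = $false },
        @{ Gpo = 'Domain-PasswordPolicy'; Enforced = $true  }) },
    @{ Level = 'OU';     Block = $true;  Links = @(
        @{ Gpo = 'Servers-Hardening';     Enforced = $false }) }
)

function Get-EffectiveGpoOrder {
    param([object[]]$Containers)

    $normal = @(); $enforced = @()
    foreach ($c in $Containers) {
        # Block Inheritance drops non-enforced GPOs linked higher up.
        # Assumption: the local policy is not affected by Block Inheritance.
        if ($c.Block) { $normal = @($normal | Where-Object { $_.Level -eq 'Local' }) }

        $enforcedHere = @()
        foreach ($l in $c.Links) {
            $item = New-Object PSObject -Property @{
                Gpo = $l.Gpo; Level = $c.Level; Enforced = $l.Enforced }
            if ($l.Enforced) { $enforcedHere += $item } else { $normal += $item }
        }
        # Enforced links from higher containers must be applied later than
        # those from lower ones, so lower containers are placed in front.
        $enforced = $enforcedHere + $enforced
    }
    # Enforced GPOs are applied after all others, so they win any conflict.
    return $normal + $enforced
}

Get-EffectiveGpoOrder -Containers $containers |
    Select-Object Gpo, Level, Enforced | Format-Table -AutoSize
```

With this sample data the OU blocks inheritance, so the site and domain baseline GPOs drop out, while the enforced domain password policy is still applied and is applied last.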


The Global Catalog is all the objects that are in an Active Directory Domain Services (AD DS) forest. A Global Catalog server is a Domain Controller that keeps a full copy of all the objects in the directory for its host domain. It also keeps a partial read-only copy of all objects for the other domains that are in the forest. Global Catalog Servers respond to Global Catalog Queries.


When AD DS is installed, the global catalog for a new forest is automatically created on the first domain controller in the forest. Global Catalog functionality can also be added to additional domain controllers in the forest. The Global Catalog can also be removed from a domain controller.

A Global Catalog Server:

Finds Objects - The Global Catalog Server enables users to search for directory information throughout all the domains in a forest, no matter where the data is stored. Any searches inside a forest are performed with maximum speed and minimum network traffic.

It supplies user principal name authentication - A Global Catalog Server resolves a user principal name (UPN) when the authenticating Domain Controller does not recognize that user account. For example, if a user's account is located in and the user logs on with a UPN of [email protected] from a computer that is located in, the Domain Controller in cannot locate that user account and therefore it must contact a Global Catalog Server in order to complete the logon process.

It validates the object references within a forest - Domain Controllers use the Global Catalog in order to validate references to the objects of any of the other domains in the forest. When a directory object that has an attribute that contains a reference to an object that is in another domain, is being held by a Domain Controller, the Domain Controller will validate the reference by contacting a Global Catalog Server.

It supplies universal group membership information in a multi-domain environment - A Domain Controller can always discover domain local group and global group memberships for any of the users that are in its domain. The membership of these groups is not replicated to the Global Catalog. In a single-domain forest, the Domain Controller can always discover the universal group memberships as well. However, universal groups can also have members in other domains. For this reason, the member attribute of universal groups, which contains the list of the members in a particular group, is replicated to the global catalog. When a user that is part of a multiple-domain forest tries to log on to a domain in which universal groups are allowed, the Domain Controller must therefore contact a Global Catalog Server in order to retrieve any universal group memberships that this particular user may have in other domains. If the Global Catalog Server is not available when a user tries to log on to a domain, cached credentials can be used to log on to the user's client computer only if the user has logged on to the domain before. If this is not the case, then the user will be able to log on only to the local computer.