Windows Small Business Server SBS 2003: A Clear and Concise Administrator's Reference and How-To

By: Stephanie Knecht-Thurmann

Operation and Description of Active Directory


After giving you an insight into the operation of the directory service and the advantages of Active Directory over Windows NT, we introduce here the essential components and keywords of Active Directory such as domains, structures, and replication.

Domains and Domain Controllers

In contrast to a workgroup, all accounts and resources in a domain are administered centrally. This means that with a single logon to the domain a user automatically has access to all resources of the entire domain for which he or she has the appropriate rights. The logon is always processed by a domain controller of the domain, which holds the central database containing entries about user accounts, rights, resources, etc. A domain controller does not have a local security database. Up to two million objects can be stored in a single domain. In an SBS 2003 network, the SBS 2003 server is the domain controller.

A Windows Server 2003 domain can have several domain controllers with equal rights. However, SBS 2003 is restricted to being the only domain controller in an SBS 2003 domain. Domain controllers in a non-SBS 2003 domain automatically synchronize their databases with each other, ensuring that updated data is always available to the network. This process is known as replication. When SBS 2003 is installed and configured, the domain itself is created from scratch.

In contrast to Windows Server 2003, you do not have to run the installation wizard for Active Directory here. Since an SBS 2003 network consists of a single domain with just one domain controller and no trust relationships to other domains, the configuration of Active Directory is considerably simpler and takes place automatically in the background. A domain controller is responsible for the registration and authentication of users in its environment as well as for object searches carried out on the directory. It stores all the Active Directory data.

A domain does not have to coincide with the physical boundaries of a company location. A domain can contain objects from several physically separated locations.

Under Windows NT, a client that could not reach a domain controller could not access any network resources. This problem was recognized and addressed from Windows 2000 onwards: clients running Windows 2000 or later automatically use logon caching.

With logon caching, every successful logon to the domain is cached on the client. By default, ten logons can be stored on the client; this value can be changed in the security policy settings. If the client later wants to log on to the domain again and cannot reach the domain controller, the logon still succeeds. The rights, group memberships, etc. are taken from the client's cache as they were at the last successful domain logon. Even if these entries have been changed on the domain controller in the meantime, the settings in the client's local cache remain valid. The cache is updated at the next successful connection to the domain.
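An added example (not from the book) that audits the cache size described above on one or more clients. Windows keeps the "Number of previous logons to cache" policy as the REG_SZ value CachedLogonsCount under the Winlogon key; when the value is absent the built-in default of 10 applies. The client names are constructed; reading a remote machine requires the Remote Registry service and local administrator rights there.

```powershell
# Added example: report the logon-cache limit of each client and flag deviations
# from the default. Assumption: Remote Registry is reachable on the listed hosts.

function Get-CachedLogonLimit {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($computer in $ComputerName) {
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $raw  = $hive.OpenSubKey($winlogon).GetValue('CachedLogonsCount')
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        # The value is stored as a string such as "10"; $null means it was never
        # set, in which case Windows uses its default of 10 cached logons.
        if ($raw -eq $null) { $limit = 10 } else { $limit = [int]$raw }

        # Every cached entry lets that user log on with the rights and group
        # memberships of the last successful domain logon until the next DC contact,
        # so a larger cache means stale entitlements survive longer on the client.
        if ($limit -eq 0) { $assessment = 'caching disabled' }
        elseif ($limit -le 10) { $assessment = 'at or below default' }
        else { $assessment = 'above default - review' }

        New-Object PSObject -Property @{
            Computer     = $computer
            CachedLogons = $limit
            IsDefault    = ($raw -eq $null)
            Assessment   = $assessment
        }
    }
}

# Constructed client list; on an SBS 2003 network these are the domain's workstations.
Get-CachedLogonLimit -ComputerName 'CLIENT01', 'CLIENT02' | Format-Table -AutoSize
```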

An SBS 2003 domain can contain the following types of computers: a domain controller, client computers, and optionally member servers that can act as file and print servers.

Trees and Forests

Structures are a hierarchical arrangement of several Windows 2000/2003 domains. As you have already learned, no structures can be built with SBS 2003, which can only form a single domain. Nonetheless, this topic is discussed here briefly.

There are higher-level domains and subordinate domains. Structures are of two types—trees and forests. Trees are often referred to as just structures.

In a tree, all domains are in a continuous DNS namespace. The name structure is hierarchical. Each domain has a unique domain name.

Within a tree, all domains use the same Active Directory schema, the same replication information, and the same global catalogue.

In a structure, a subordinate domain inherits the name of the higher-level domain, and its own relative name is placed in front of it. For example, the domain vertrieb.firma.de inherits the name of the higher-level domain firma.de, and the relative name vertrieb is put in front of it (see the following figure). This is called a continuous or coherent namespace.

A tree is at the same time also a complete forest.

A forest is a hierarchical arrangement of either just one tree or several separate, independent trees. Even a single domain such as firma.de without any subordinate domains forms a self-contained forest.

In all the domains of a forest the same Active Directory Schema, the same replication information and the same global catalogue are used. The namespace is coherent only within the trees. In the figure, the two structures firma.de and filial.de constitute separate trees within the forest. Only within the two structures is the namespace continuous. The first domain in a forest is also called the master domain of the forest—here firma.de.

The installation wizard for Active Directory helps you determine at what level in the hierarchy the new domain should be placed. The following possibilities exist:

  • First domain in a forest, for example firma.de

  • First domain of a new tree, for example filial.de

  • Subordinate domain in an existing tree, i.e. all other domains subordinate to the two domains

After setting up the first domain controller of one of the above-mentioned domain types, you can install additional domain controllers for this domain.

Trust relationships are created automatically between all Windows 2000 domains within the forest. This holds only for Windows 2000 domains. If you are still using Windows NT domains in the forest, trust relationships to these have to be configured manually. The automatic setup covers trust relationships between higher-level and subordinate domains as well as those between the master domain of the forest and the first domains of new trees.

The Global Catalogue

The global catalogue is responsible for object searches in the directory. It is created automatically on the first domain controller of the master domain of the forest. This special domain controller is therefore also called the catalogue server. In the SBS 2003 environment, the SBS 2003 machine also acts as the catalogue server.

The global catalogue maintains two kinds of copies of object attributes. On the one hand, the catalogue server holds a complete copy of all the object attributes in the directory of its own domain; on the other hand, it holds a partial copy of the directories of the other domains of the forest. Although the partial copy contains all the objects, the number of attributes per object is limited. Search requests for objects in the directory are answered from this partial copy. It contains only those object attributes that come up most frequently in search requests—e.g. user names—or that are required to locate the full copy of the object. To ensure secure access to the objects in the global catalogue, these objects inherit the access rights of their source domains.

The distinguished name of an object is enough to find the path to the complete copy of this object. In many cases, however, the user does not know the complete distinguished name. The global catalogue makes it possible for the user to find the desired object even from a few known attributes. It is therefore not necessary for the user to know the precise location of the object within the forest.

It is therefore also important to specify as many attributes as possible when creating an object, so that the global catalogue can be used to full effect.

The use of the global catalogue greatly reduces network traffic. Since the catalogue contains information about all objects in all domains of the forest, the search request can be processed within the domain to which the user making the search request is logged on. So, there is no search, and therefore no network traffic, across domain boundaries.

The catalogue server plays an important role when users log on to the domain. It makes user account information available to the domain controller. When a client logs on, a list containing all the groups of which this client is a member is generated. However, this feature is used only in multi-domain environments in which the client can be a member of several groups in several domains. The global catalogue servers contain membership lists of all universal security groups. These lists are used when clients or servers need to verify membership in the security groups.

The catalogue server has to play one more role if you deploy Microsoft Exchange Server 2000 or 2003 in your environment. The catalogue servers are responsible for looking up address book entries and resolving e-mail addresses for Outlook clients from Outlook 98 SP2 onwards. Older e-mail clients use the Exchange Server itself for this purpose, which again requires access to a catalogue server.
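An added example (not from the book) of the kind of search described above: a user is located in the global catalogue from a few known attributes, without the caller knowing the object's distinguished name. It uses the GC: provider through .NET's System.DirectoryServices, which is built on ADSI. The forest root firma.de is the book's example; the search values are constructed, and the search covers the domains beneath the forest root, which in an SBS 2003 network is the whole forest.

```powershell
# Added example: search the global catalogue for a user by given name and surname.
# Assumes a machine joined to the firma.de forest with network access to a GC server.

function Find-InGlobalCatalogue {
    param(
        [string]$ForestRootDn = 'DC=firma,DC=de',
        [string]$GivenName,
        [string]$Surname
    )
    # Escape caller-supplied values so a name containing "(", ")", "*" or "\"
    # cannot change the meaning of the LDAP filter (RFC 4515 escaping).
    function Escape-LdapValue([string]$s) {
        $s -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    }
    function Get-FirstValue($values) {
        if ($values.Count -gt 0) { [string]$values[0] } else { '' }
    }

    # GC:// binds to the catalogue's read-only partial replica, so one query covers
    # every domain beneath the forest root without referrals to other domains' DCs.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$ForestRootDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = 'Subtree'

    $parts = @('(objectCategory=person)', '(objectClass=user)')
    if ($GivenName) { $parts += '(givenName=' + (Escape-LdapValue $GivenName) + ')' }
    if ($Surname)   { $parts += '(sn='        + (Escape-LdapValue $Surname)   + ')' }
    $searcher.Filter = '(&' + ($parts -join '') + ')'

    # A GC returns only attributes in the partial attribute set; these all belong to it.
    foreach ($a in 'distinguishedName','sAMAccountName','userPrincipalName','mail') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                DistinguishedName = Get-FirstValue $r.Properties['distinguishedname']
                Account           = Get-FirstValue $r.Properties['samaccountname']
                Upn               = Get-FirstValue $r.Properties['userprincipalname']
                Mail              = Get-FirstValue $r.Properties['mail']
            }
        }
    } finally {
        $results.Dispose()
    }
}

# Constructed search values.
Find-InGlobalCatalogue -GivenName 'Anna' -Surname 'Muster' | Format-Table -AutoSize
```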

Locations

Locations structure networks as much as domains do. Domains reflect the logical structure of a company while locations reflect its physical structure. Organizational units also contribute to the logical structuring of the network.

A location corresponds to a group of computers that belong to a specific IP subnet. These computers are taken to be well connected with each other. The computers at a location can also belong to different subnets. In this case, however, there must be a fast connection between them. This fast connection is required because within a location the replication as well as resource requests from Active Directory consume a not insignificant part of the network bandwidth. For this reason, it makes more sense to configure several locations for a WAN. For the relationship between locations and domains, the following points hold: a domain can contain several locations (see the following figure) and, the other way round, a location can contain several domains. From this it follows that there does not have to be any correspondence between location boundaries and the namespace of the domains. So, in an SBS 2003 environment you can configure several locations for the SBS domain.

In this model, a domain has several locations. Each of the three locations has its own subnet range. The computers in locations 1 and 2 have slow connections to the domain (dial-up or WAN). That is why a separate location was created for each of them. The third location comprises computers with a fast LAN connection to the domain. The computers in all the locations are members of the domain firma.de.

In this example, there is only one location, which spans a single contiguous subnet with a 16-bit mask. Computers that by their logical structure belong to the domain firma.de are part of this location. The location says nothing about the logical affiliation of the computers.

If you open the Microsoft Management Console (MMC) ACTIVE DIRECTORY LOCATIONS AND SERVICES, you will find that it does not list computers belonging to a particular location. Searching a domain returns computers only in their logical structure. You will find individual computers only under their domains and organizational units. Under ACTIVE DIRECTORY LOCATIONS you will only find elements that are responsible for configuring the replication between the locations.

Organizational Units

Apart from domains, organizational units are the second way of grouping network resources. The members of organizational units are all members of the domain that contains the organizational unit(s). In contrast to a location, an organizational unit does not have its own domain controllers. Organizational units are used instead of the resource domains in the Windows NT domain models. In an organizational unit, objects are divided into groups. These groups reflect the company structure. An organizational unit can contain objects such as computers, contacts, groups, other organizational units, printers, users, and shared folders. The fact that organizational units have fewer objects makes it easier to administer and display them.

Administrative tasks can be delegated to an organizational unit. The rights that a user needs for carrying out his or her administrative tasks can be assigned either to a separate organizational unit or to a higher-level organizational unit, which then passes on these rights to the subordinate units. This makes it possible to distribute the administration of the domain among several administrators. In this way, you can perform special administrative tasks for the organizational unit. By default, there are no pre-configured organizational units in the MMC ACTIVE DIRECTORY USERS AND COMPUTERS. This would not make sense because it is precisely the individual characteristics of the administration units that should structure your company network.
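An added example (not from the book) that makes the delegation described above visible: it lists the permissions granted directly on an organizational unit and marks those that let the holder take over or populate the unit. It only reads the OU's security descriptor; the OU name is taken from the book's figure (Administration in firma.de).

```powershell
# Added example: audit the access control entries delegated on an organizational unit.
# Assumes a domain-joined machine with read access to the OU's security descriptor.

function Get-OuDelegation {
    param([string]$OuDn = 'OU=Administration,DC=firma,DC=de')

    # In PowerShell 1.0/2.0, psbase reaches the underlying DirectoryEntry of an ADSI object
    $ou  = [ADSI]"LDAP://$OuDn"
    $acl = $ou.psbase.ObjectSecurity

    # Rights that allow taking over the OU or creating objects in it. GenericAll
    # (Full Control) contains all of these bits, so such delegations are flagged too.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $mask   = $rights::WriteDacl -bor $rights::WriteOwner -bor $rights::CreateChild -bor $rights::DeleteChild

    foreach ($ace in $acl.Access) {
        # Inherited entries were granted on the domain or a parent OU; what was
        # delegated on this OU itself appears as explicit (non-inherited) entries.
        if ($ace.IsInherited) { continue }
        New-Object PSObject -Property @{
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            # None = this OU only; All or Descendents = passed on to subordinate units
            AppliesTo = $ace.InheritanceType
            Review    = ($ace.AccessControlType -eq 'Allow') -and (($ace.ActiveDirectoryRights -band $mask) -ne 0)
        }
    }
}

Get-OuDelegation | Sort-Object Review -Descending |
    Format-Table Trustee, Type, Rights, AppliesTo, Review -AutoSize
```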

The following figure gives an overview of the organizational units within a domain as well as the different objects that an organizational unit can contain.

The figure shows a domain with four organizational units. The two organizational units Administration and Marketing are at a higher level; the organizational unit Administration contains the organizational units Personnel and Accounts as subordinate objects.

Each individual organizational unit has its own independent structure and resources. Objects that are present in an organizational unit do not have to occur in all organizational units of the domain, and conversely, all objects do not have to be bound to an organizational unit.

Active Directory Objects and Schema

All resources are stored as objects in Active Directory. Objects can be computers, accounts, printers, contacts, etc. Each object consists of a definite set of characteristics or attributes that are specific to this object. For example, a domain controller object has the following attributes under general characteristics: computer name, DNS name, function, and description. For Active Directory these characteristics serve as patterns for the objects. These patterns must be known to the directory service to store the objects.

The Active Directory Schema has a predefined set of definitions for the objects and information in Active Directory. There are two types of definitions—attributes and classes. These are also known as schema objects or metadata. The Active Directory Schema is necessarily identical for all domains within a forest. The information in the schema is replicated automatically.

Attributes

An attribute is defined only once in a schema and can be used by any class. So, for example, you will find the Description attribute in various objects such as computers, accounts, etc. In each of these classes, the attribute fulfils the general purpose of describing the corresponding object more precisely, but the description of the particular object is different in each class.

Classes

Classes determine the types of objects that can be created in Active Directory—computers, accounts, etc. Each class has a specific set of all possible attributes. When you create a new object, the attributes get the values that describe the object concretely. Classes are also called object classes.

Under Windows 2000 Server and Windows Server 2003, you have the option of customizing the schema according to your individual requirements.

The Active Directory Schema is object-oriented: its definitions are stored in the directory as a set of object instances. This distinguishes Active Directory from other directory services, in which the schema is stored as a text file that is read when the directory service starts. From the schema objects stored in Active Directory, applications can, for example, find out which object classes and attributes are available. The schema can be updated dynamically: an application can add new classes and attributes to the schema and use the newly added metadata immediately. Creating or modifying the metadata stored in the directory is sufficient to change the schema. Like all other objects in Active Directory, the metadata is protected by Access Control Lists (ACLs), which ensures that only authorized users can change the schema.
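An added example (not from the book) that reads the schema objects described in this section through ADSI: the attributes a class must and may contain, which of them were added by schema extensions, and whether a given attribute is replicated to the global catalogue. The schema container is located via RootDSE, so nothing is hard-coded to the book's example domain firma.de.

```powershell
# Added example: inspect classSchema and attributeSchema objects in the schema partition.
# Assumes a domain-joined machine; the schema is readable by any authenticated user.

function Get-SchemaSearcher {
    # RootDSE tells us where the schema lives, e.g. CN=Schema,CN=Configuration,DC=firma,DC=de
    $schemaNc = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
    New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
}

function Get-SchemaClassInfo {
    param([string]$ClassName = 'user')
    $searcher = Get-SchemaSearcher
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
    $cls = $searcher.FindOne()
    if (-not $cls) { throw "class '$ClassName' not found in schema" }
    $p = $cls.Properties
    # system* attributes are Microsoft's base definition; mustContain/mayContain hold
    # additions made by schema extensions (applications such as Exchange, or administrators).
    New-Object PSObject -Property @{
        Class       = $ClassName
        SubClassOf  = [string]$p['subclassof'][0]
        MustContain = @($p['systemmustcontain']) + @($p['mustcontain']) | Sort-Object
        MayContain  = @($p['systemmaycontain'])  + @($p['maycontain'])  | Sort-Object
        Extensions  = @($p['mustcontain']) + @($p['maycontain'])
    }
}

function Get-SchemaAttributeInfo {
    param([string]$AttributeName = 'description')
    $searcher = Get-SchemaSearcher
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
    $att = $searcher.FindOne()
    if (-not $att) { throw "attribute '$AttributeName' not found in schema" }
    $p   = $att.Properties
    $pas = $p['ismemberofpartialattributeset']
    New-Object PSObject -Property @{
        Attribute         = $AttributeName
        Syntax            = [string]$p['attributesyntax'][0]
        SingleValued      = [bool]$p['issinglevalued'][0]
        # TRUE means the attribute is part of the partial copy held by every GC server
        InGlobalCatalogue = ($pas.Count -gt 0) -and [bool]$pas[0]
    }
}

Get-SchemaClassInfo -ClassName 'user' | Format-List
Get-SchemaAttributeInfo -AttributeName 'description' | Format-List
```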

Group Policies

Group Policies are the central component of Active Directory for the effective management of rights. Group Policies are an extension of the System Policies under Windows NT.

Group Policies can be applied at the level of locations, domains, and organizational units. A group policy object gives the user a collection of company rules in relation to available resources, access rights, and the configuration of these resources. The desktop settings of a user are configured using a group policy. For example, you can assign software or determine which items the user is allowed to see in the start menu. Under Windows NT, you had the System Policy for this purpose, even though its scope was not as wide. Group Policies are a part of IntelliMirror. IntelliMirror is the generic term for regulating client desktops under Windows 2000/XP. You can determine policies for each client based on its function, location, and group membership. The user receives the settings defined for him or her in the Group Policy irrespective of the computer from which he or she logs on. IntelliMirror covers the administration of user data and settings as well as the assignment, installation, and configuration of software. The administration and configuration of group policies is discussed in detail in Chapter 8.

Replication

Replication means the exchange of directory information between several domain controllers. All domain controllers in a domain must have access to current directory information at all times. If you make changes on any domain controller in the domain, these changes must be accessible to the other domain controllers as quickly as possible. In replication, the changed directory information is sent from the one domain controller to all the others.

Features of ADSI

This section briefly shows you the important features of ADSI (Active Directory Service Interfaces). ADSI offers you an interface for your own applications on a number of operating systems for accessing various directory services.

  • ADSI gives you easy access to directory services via the Component Object Model (COM). The applications are not bound to any particular programming language and can be written in Visual Basic, C/C++, Java, etc.

  • ADSI is independent of the directory service. You can develop applications without having to know the various vendor-specific directory APIs. Even administrative applications are not bound to any fixed directory service.

  • You can use any automatable scripting language (VBScript, REXX, Perl, etc.) to develop applications for the directory service.

  • ADSI can be extended by directory service providers, software developers and administrators by the addition of new objects and functions. This is important if your directory has to meet very special requirements.

  • ADSI offers an OLE DB interface so that even database programmers can quickly start working productively via this interface.