MCITP 70-640: Active Directory forest and trees

Captions
Welcome back to your free training course for Active Directory. In this video I will look into how Active Directory is represented in an enterprise environment. To make things simple, let's start with one network. In this network you have ITFreeTraining. All the users in ITFreeTraining can access resources in ITFreeTraining, assuming they have permission to do so. All the users in ITFreeTraining belong to the one domain. A domain is defined as a logical group of computers that share the same Active Directory database. Regardless of how big your network is and how many places around the globe it is located in, when possible you want to keep your network to just one domain. In the real world this is not always possible. Active Directory in Windows Server 2008 can scale easily to millions of objects, but there are many reasons why you may have a network with more than one domain. This could be anything from limitations in earlier versions of Active Directory to the company structure and politics.

Imagine that you had a secure department in your company that held all the intellectual property for the company. For maximum security the company puts the people who work in this department in their own domain and even hires their own IT support staff. This separate department could be added to the original domain as a child domain. In this case the new child domain is called secure.ITFreeTraining.com. When you have two domains like these that share the same root name space, in this case ITFreeTraining.com, they are referred to as being in the same tree. ITFreeTraining is at the top of the tree, so it is considered to be the root domain. To illustrate this better, you could add yet another domain called sales. As long as sales shares the ITFreeTraining.com name space it is part of the tree. Under sales.ITFreeTraining.com you could even add additional child domains called east and west.

All these domains share the ITFreeTraining name space and thus are considered to be in the same tree in Active Directory. Each domain, however, has its own group of users and computers, which means each domain has its own Active Directory database. The advantage of having domains like these in the same tree is that Active Directory will automatically create trusts between the child and parent domains. These trust relationships allow members of each domain to access resources in any other domain, assuming they have access. The next question is what happens when you add another domain that has a different name space from the other domains. For example, if I added the domain highcosttraining.com. When this happens the new domain, High Cost Training, will be part of a new tree. I now have two trees, the ITFreeTraining tree and the High Cost Training tree.

So far I have looked at the root domain and child domains in a tree, but there is one structure that links all these together, called a forest. A forest encases multiple domains and trees in one structure. You don't have to have multiple domains and trees to have a forest. To illustrate this I will go back to my original example of one domain. As soon as you create your first domain, a forest is automatically created for that domain. When I added the two child domains to ITFreeTraining, these formed a tree in the one forest. The High Cost Training domain is then added and this forms another tree in the same forest. So why is there a need to have a forest? All domains in a forest have something in common: they share what is called the schema. The schema defines the Active Directory database. The schema determines what can be stored in the database and the structure of that data. Each domain has its own copy of the database, but it is the schema that determines its design, and the schema is shared between all domains in the forest. When changes are made to the schema, these changes are replicated to every domain in the forest.

The advantage of having a forest is that all domains in a forest also have trust relationships generated automatically. As shown here, a user in High Cost Training could access a resource in east.sales.ITFreeTraining.com. The trust relationships are automatically created between parent and child domains and between trees in the forest. Assuming the user in High Cost Training has access, they can access any resource in any domain in the forest.

This brings up the question: how does one find items in a forest? In order to find items in a forest you need an index. In any Active Directory forest there will be servers that provide an index of all items in the forest. These are called global catalog servers. There is at least one global catalog server per domain. Global catalog servers, or GCs, contain an index of every object in the forest. This is not a full copy of the object, but enough to allow a user to perform a search. For example, using a global catalog server you could search a forest for all the color printers. Since the global catalog contains the basic information about each object in the forest, a user can find this information quickly. The global catalog server does not contain any detailed information about the printer, but it can tell the user where this object is located in the forest. Think of a global catalog server like an index at a library. The index gives you an idea of what is in the book and, more importantly, where to find it if you want to know more.

The last example I want to show you is when another forest is added. This may occur if your company takes over another company that already has its own Active Directory infrastructure. Active Directory does support this by an administrator manually creating a trust between the two forests. In this case there are two forests. Each forest has its own schema and each domain has its own copy of the Active Directory database. In the real world you want to reduce the number of domains that you have to the bare minimum. Having one domain and one forest makes things a lot easier. In cases like these you don't have a choice: a separate company is going to have its own Active Directory forest regardless. In some cases you may need to create a separate forest. For example, if you are testing an application that makes changes to the schema, you may decide to put it in its own forest. By doing this you can be assured the testing of the application does not make permanent changes to the production network.

That's it for forests, trees and domains. In the next video I will look at the system requirements to install your first server for use with Active Directory. We hope you have enjoyed this free training video. For more free training videos please go to our web site or YouTube channel. Thanks for watching.
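As an added example that is not part of the video, here is a PowerShell script (RSAT ActiveDirectory module) that inventories the structures described above: the forest's shared schema partition, its domains grouped into trees by walking each domain's parent, a check that every domain has at least one global catalog, the automatic intra-forest trusts versus manually created trusts to other forests, and a forest-wide global catalog search on port 3268. It assumes a domain-joined machine with the module installed and an account with read access to the forest.

```powershell
# Added example, not the video's own material. Requires the RSAT ActiveDirectory
# module and a domain-joined account that can read the forest (assumption).
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root domain: $($forest.RootDomain) (schema master: $($forest.SchemaMaster))"

# Every domain in the forest shares one schema; show the partition that holds it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
"Shared schema partition: $schemaNC"

# A tree is the set of domains sharing a root name space, so the tree root of a
# domain is found by walking ParentDomain until a domain has no parent.
foreach ($domName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domName
    $treeRoot = $d
    while ($treeRoot.ParentDomain) {
        $treeRoot = Get-ADDomain -Identity $treeRoot.ParentDomain
    }
    # Global catalogs are domain controllers with the GC role; count them per domain.
    $gcs = @(Get-ADDomainController -Server $d.DNSRoot -Filter { IsGlobalCatalog -eq $true })
    "Domain $($d.DNSRoot): tree root = $($treeRoot.DNSRoot), global catalogs = $($gcs.Count)"
    # The video says there is at least one GC per domain; warn when that is not so.
    if ($gcs.Count -lt 1) { Write-Warning "No global catalog server found in $($d.DNSRoot)" }
}

# Parent/child and tree-root trusts are created automatically inside the forest.
# Trusts to another forest are created by hand, so call those out for review.
Get-ADTrust -Filter * | ForEach-Object {
    $kind = if ($_.IntraForest) { 'automatic (intra-forest)' } else { 'manual (to another forest)' }
    "Trust $($_.Source) -> $($_.Target): direction $($_.Direction), $kind"
}

# The global catalog is the forest-wide index. Querying it on LDAP port 3268 with an
# empty search base returns matching objects from every domain, but only the partial
# attribute set; the DistinguishedName shows which domain actually holds each object.
$gcHost = $forest.GlobalCatalogs | Select-Object -First 1
Get-ADObject -Server "${gcHost}:3268" -SearchBase '' -LDAPFilter '(objectClass=printQueue)' |
    Select-Object Name, DistinguishedName
```

Printer objects are shown only by name and location because, as the video explains, the global catalog carries just enough of each object to locate it; the full attributes live in the owning domain's database.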
Info
Channel: itfreetraining
Views: 306,567
Keywords: Forest, Global Catalog, Trusts, 70-640, MCITP, MCTS, ITFreeTraining, Microsoft Certified Professional, Windows Server (Operating System), Active Directory (Software), Information Technology (Industry)
Id: Whh3kPS0FdA
Length: 8min 8sec (488 seconds)
Published: Mon Jan 16 2012