
Module 2: Overview of Microsoft Windows 2000 Active Directory

Contents
Overview
Introduction to Active Directory
Logical Structure
Physical Structure
Specific Domain Controller Roles
Schema Fundamentals
Security Subsystem
Review

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.


© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, Windows NT, Active Directory directory service, ActiveX,
BackOffice, FrontPage, Hotmail, MSN, Outlook, PowerPoint, SQL Server, Visual Studio, and
Win32 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A.
and/or other countries.


Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead: David Phillips
Instructional Designers: Lance Morrison (Wasser), Janet Sheperdigian, Steve Thues
Lead Program Manager: Mark Adcock
Program Manager: Lyle Curry, Scott Hay, Janice Howd, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC)
Graphic Artist: Kimberly Jackson, Andrea Heuston (Artitudes Layout and Design)
Editing Manager: Lynette Skinner
Editor: Elizabeth Reese (Write Stuff)
Copy Editor: Ed Casper (S&T Consulting), Carolyn Emory (S&T Consulting), Patricia Neff (S&T Consulting), Noelle Robertson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aquent Partners)
Online Support: Eric Brandt
Multimedia Developer: Kelly Renner (Entex)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Bo Galford
Manufacturing Support: Rick Terek
Lead Product Manager, Development Services:
Lead Product Manager: David Bramble
Group Product Manager: Robert Stewart

Instructor Notes
This module provides an introduction to the purpose and structural components
of the Active Directory directory service in Microsoft® Windows® 2000.
At the end of this module, students will be able to:
• Describe the role of Active Directory in Windows 2000.
• Describe the logical structure of Active Directory.
• Describe the physical structure of Active Directory.
• Describe the roles of global catalog servers and operations masters in Active
  Directory.
• Describe the security subsystem and the role of Active Directory in it.

Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1569A_02.ppt

Preparation Tasks
To prepare for this module, you should:
• Read all the materials for this module.

Presentation: 45 Minutes
Lab: 00 Minutes


Module Strategy
Use the following strategy to present this module:
• Introduction to Active Directory
  The purpose of this topic is to describe Active Directory in relation to its
  role in a Windows 2000 network, and to introduce technologies that apply to
  both logical and physical components of Active Directory. Begin by
  describing the purpose of directory services in a network, and then explain
  in general terms how Active Directory achieves that purpose in a
  Windows 2000 network. Mention some of the Internet-standard
  technologies that Active Directory and Windows 2000 support. Explain the
  naming conventions for Active Directory and why Domain Name System
  (DNS) is essential for name resolution.
• Logical Structure
  Define structure and new terms introduced in Active Directory:
  organizational units (OUs), trees, and forests. Expand on those definitions
  and encourage student input on real-world applications of the logical
  structure. Discuss domains and OUs with an emphasis on the single domain
  model. When you explain trees and forests, solicit reasons why an
  organization might find it necessary to have more than one domain. Finally,
  discuss the types of trust relationships that are possible in Active Directory.
• Physical Structure
  Explain that in Active Directory, the physical structure of a network is
  completely independent of its logical structure. This means the network
  topology can be optimized without compromising the logical structure. Note
  that an Active Directory site is completely different than the site concept in
  previous versions of Microsoft Exchange.
• Specific Domain Controller Roles
  Explain the function of roles that are assigned to specific domain
  controllers.
• Schema Fundamentals
  Explain the reasons and methods for changing the schema and the
  implications of those changes.
• Windows 2000 Security Subsystem
  Explain the structure of the security subsystem and the position of Active
  Directory within it.


Overview

• Introduction to Active Directory
• Logical Structure
• Physical Structure
• Specific Domain Controller Roles
• Schema Fundamentals
• Windows 2000 Security Subsystem


In a Microsoft® Windows® 2000 network, the Active Directory directory
service provides the structure and functions for organizing, managing, and
controlling network resources. To administer or support a Windows 2000
network, you must understand the purpose and structure of Active Directory.
At the end of this module, you will be able to:
• Describe the role of Active Directory in Windows 2000.
• Describe the logical structure of Active Directory.
• Describe the physical structure of Active Directory.
• Describe the roles of global catalog servers and operations masters in Active
  Directory.
• Install Active Directory.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the role of Active Directory in a
Windows 2000 network.
Delivery Tip: Emphasize to your students that this module is meant to be a
review of Active Directory fundamentals. It does not include information about
the relationship between Exchange 2000 and Active Directory, which is covered
in the next module.

Introduction to Active Directory

• Active Directory Overview
• Active Directory Supported Technologies
• Active Directory Naming Conventions
• Active Directory and Domain Name System


Information Technology (IT) professionals require a thorough understanding of
Active Directory to set up and administer a Windows 2000 network. Some of
the questions about Active Directory that this section answers are:
• What are the benefits of using Active Directory?
• Which Internet standards does Active Directory support?
• What are the naming conventions in Active Directory that you must
  consider when establishing a Windows 2000 network?
• What is the role of Domain Name System (DNS) in Active Directory?

Slide Objective: To introduce the features, standards, and naming conventions
of Active Directory, as well as its relationship with DNS.
Lead-in: Active Directory is an integral part of a Windows 2000 network.

Active Directory Overview

[Slide: Directory Service Functionality (Organize, Manage, Control);
Centralized Management (Single point of administration; Users log on once for
full access to resources throughout directory)]


Active Directory is the directory service in a Windows 2000 network. A
directory service is a network service that stores information about network
resources and makes it accessible to users and applications. Directory services
are important because they provide a consistent way to name, describe, locate,
access, manage, and secure information about these resources.
Directory Service Functionality
Active Directory provides directory service functionality, including a means of
centrally organizing, managing, and controlling access to network resources.
Active Directory makes the physical network topology and protocols
transparent so that a user on a network can access any resource without
knowing where the resource is or how it is physically connected, such as in the
case of a printer.
Active Directory organizes the directory into sections that permit storage for a
very large number of objects. As a result, Active Directory can expand as your
company grows, which enables you to grow from a single server with a few
hundred objects to thousands of servers and millions of objects.
Centralized Management
Windows 2000 Server stores information about system configuration, user
profiles, and applications in Active Directory. Combined with Group Policy,
Active Directory enables administrators to manage distributed desktops,
network services, and applications from a central location while using a
consistent management interface. Network administrators also have a consistent
way to monitor and manage network devices, such as routers.
Slide Objective: To explain the purpose of Active Directory as a network
directory service.
Lead-in: Directory services store information about network resources.

Active Directory Supported Technologies

[Slide: Internet-Standard Technologies: DHCP, DNS, SNTP, LDAP, Kerberos, X.509,
TCP/IP, LDIF]


The goal of Active Directory is to provide a unified view of the network that
will greatly reduce the number of directories and namespaces with which
network administrators and users must contend. Active Directory is specifically
designed to interoperate with and manage other directories, regardless of their
location or their underlying operating systems. To accomplish this, Active
Directory provides extensive support for existing standards and protocols, and
provides application programming interfaces (APIs) that facilitate
communication with these other directories.
The following table describes the technologies that Active Directory supports,
the purpose of the technology, and a reference for more information on the
technology.
Technology                                                Purpose                     Reference
Dynamic Host Configuration Protocol (DHCP)                Network address management  RFC 2131
DNS dynamic update protocol                               Host namespace management   RFC 2052 and 2163
Simple Network Time Protocol (SNTP)                       Distributed time service    RFC 1769
Lightweight Directory Access Protocol (LDAP) v3           Directory access            RFC 2251
LDAP ‘C’                                                  Directory API               RFC 1823
LDAP Data Interchange Format (LDIF)                       Directory synchronization   Internet Engineering Task Force (IETF) Draft
LDAP                                                      Directory schema            RFC 2247, 2252, and 2256
Kerberos version 5                                        Authentication              RFC 1510
X.509 v3 certificates                                     Authentication              International Organization for Standardization (ISO) X.509
Transmission Control Protocol/Internet Protocol (TCP/IP)  Network transport           RFC 791 and 793

Slide Objective: To describe the standards, protocols, and APIs that Active
Directory and Windows 2000 support.
Lead-in: Active Directory supports several major standards, protocols, and APIs.

Supporting these Internet standards provides several benefits:
• DNS dynamic update protocol enables corporations to achieve a global
  naming structure that is compatible with standard Internet DNS
  conventions.
• LDAP maximizes the interoperability between applications and directory
  services and facilitates directory interoperability through synchronization.
• Kerberos v5 and X.509 certificate integration with Active Directory gives
  corporations the flexibility to mix and match the security that they deploy—
  in both Internet and intranet environments—based on their needs.


Active Directory Naming Conventions

• Distinguished Name: DC=com,DC=contoso,CN=Users,CN=James Smith
• Relative Distinguished Name
• User Principal Name: JamesS@contoso.com
• Globally Unique Identifier: Unique 128-bit number
• Uniqueness of Names


Users and applications are both affected by the naming conventions that
directory services use. To locate network resources, you must know the name or
a property of the resource. Active Directory supports many naming schemes,
which enables you to use familiar formats to access Active Directory resources.
Distinguished Name
Every object in Active Directory has a distinguished name. It identifies the
domain where the object is located, in addition to the complete path by which
the object is reached. A typical distinguished name is:
DC=com,DC=contoso,CN=Users,CN=James Smith
This distinguished name identifies the James Smith user object in the
contoso.com domain. (In the distinguished name, DC is the abbreviation for
domain component, and CN is the abbreviation for common name.)
Relative Distinguished Name
The relative distinguished name of an object is the part of the distinguished
name that is an attribute of the object. In the preceding example, the relative
distinguished name of the James Smith user object is James Smith. The relative
distinguished name of the parent object is Users.
User Principal Name
The user principal name of a user object is composed of the user’s logon name
and the DNS name of the domain where the user object resides. For example,
user James Smith in the contoso.com domain might have a user principal name
of JamesS@contoso.com. Users can log on to the network with their user
principal name. An administrator can define additional suffixes for user
principal names, if required.
Slide Objective: To explain the naming conventions for objects in Active
Directory.
Lead-in: Every Active Directory object has a unique name.

Globally Unique Identifier
The globally unique identifier (GUID) is a 128-bit number that is guaranteed to
be unique. Windows 2000 assigns a GUID to objects when they are created.
The GUID never changes, even if you move or rename the object. Applications
can store the GUID of an object and retrieve that object even if the
distinguished name of the object changes.
Uniqueness of Names
Distinguished names are guaranteed to be unique in the forest. Active Directory
does not permit two objects with the same relative distinguished name under the
same parent container. By definition, GUIDs are unique. User principal names
are required to be unique, but Active Directory does not enforce this
requirement, so it is possible to have duplicate user principal names.
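
Because the directory does not reject a second object with the same user principal name, duplicates have to be found by audit. The following added example (not part of the original course material) reads an LDIF export, the interchange format listed in the technology table, groups objects by case-insensitive UPN, and identifies each holder by its objectGUID, since the GUID stays fixed when the distinguished name changes. The LDIF text, user names, domains and GUID values are constructed sample data; DNs are written leaf-first, as LDIF tools emit them.

```python
import base64
import uuid
from collections import defaultdict


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues (folds onto) the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" carries base64 data
            value = base64.b64decode(rest[1:].strip())
            if attr.lower() != "objectguid":
                value = value.decode("utf-8")
        else:
            value = rest.strip()
        current[attr.lower()].append(value)
    return entries


def find_duplicate_upns(entries):
    """Return {lowercased UPN: [(objectGUID, DN), ...]} for UPNs on 2+ objects."""
    holders = defaultdict(list)
    for entry in entries:
        raw = entry.get("objectguid", [None])[0]
        # objectGUID bytes are little-endian; the GUID survives renames and moves.
        guid = str(uuid.UUID(bytes_le=raw)) if raw else "(no objectGUID)"
        for upn in entry.get("userprincipalname", []):
            holders[upn.strip().lower()].append((guid, entry.get("dn", ["?"])[0]))
    return {upn: objs for upn, objs in holders.items() if len(objs) > 1}


# Constructed sample export: names, domains and GUIDs are illustrative only.
SAMPLE_LDIF = """\
version: 1
dn: CN=James Smith,CN=Users,DC=contoso,DC=com
userPrincipalName: JamesS@contoso.com
objectGUID:: AQEBAQEBAQEBAQEBAQEBAQ==

dn: CN=James Stone,OU=Sales,DC=eu,DC=
 contoso,DC=com
userPrincipalName: jamess@contoso.com
objectGUID:: AgICAgICAgICAgICAgICAg==

dn: CN=Ann Lee,CN=Users,DC=contoso,DC=com
userPrincipalName: AnnL@contoso.com
objectGUID:: AwMDAwMDAwMDAwMDAwMDAw==
"""

if __name__ == "__main__":
    for upn, objs in find_duplicate_upns(parse_ldif(SAMPLE_LDIF)).items():
        print("duplicate UPN", upn, objs)
```

The sample places the two colliding accounts in different domains of one forest, so the export being checked has to cover every domain rather than a single one.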

Active Directory and Domain Name System

• Name Resolution
• Namespace Definition
• Locating the Physical Components of Active Directory


Active Directory uses Domain Name System (DNS) for three primary functions:
• Name resolution. DNS provides name resolution by translating host names
  into IP addresses.
• Namespace definition. Active Directory uses DNS naming conventions to
  name domains. Windows 2000 domain names are DNS domain names. For
  example, contoso.com is a valid DNS domain name and could also be the
  name of a Windows 2000 domain.
• Locating the physical components of Active Directory. To log on to the
  network and perform queries in Active Directory, a computer running
  Windows 2000 first must locate a domain controller or global catalog server
  to process the logon authentication or the query. The DNS database stores
  the information about which computers perform these functions and
  provides that information so that subsequent requests can be processed more
  quickly.

Slide Objective: To explain the role of DNS in Active Directory.
Lead-in: DNS serves three primary functions in Active Directory.

Logical Structure

[Slide diagram labels: Domain, OU, Tree, Forest]

• Domains
• Organizational Units
• Trees and Forests


The logical structure of Active Directory is flexible and provides a method for
designing a directory hierarchy that makes sense to its users and to those who
manage it. The logical components of Active Directory structure include:
• Domains
• Organizational units
• Trees and Forests

Understanding the purpose and function of the logical components of the
Active Directory structure is important for a variety of tasks, including
planning, installing, configuring, and troubleshooting Active Directory.
Slide Objective: To introduce the logical components of Active Directory.
Lead-in: You use the logical components of Active Directory to design a
directory hierarchy.

Domains

• Security Boundary
• Unit of Replication
• Domain Modes

[Slide diagram: Mixed Mode: Domain controller (Windows 2000) and Domain
controller (Windows NT 4.0); Native Mode: Domain controllers (Windows 2000
only)]


The core unit of the logical structure in Active Directory is the domain. A
domain is a collection of computers defined by an administrator that share a
common directory database.
Security Boundary
In a Windows 2000 network, the domain serves as a security boundary. The
administrator of a domain has the necessary permissions and rights to perform
administration within that domain only, unless the administrator is explicitly
granted those rights in another domain. Every domain has its own security
policies and security relationships with other domains.
Unit of Replication
Domains are also units of replication. All domain controllers in a domain
participate in replication and contain a complete copy of all of the directory
information for their domain.
Active Directory uses a multi-master replication model. All of the domain
controllers in a particular domain can receive changes to Active Directory
information and replicate those changes to all of the other domain controllers in
the domain.
Slide Objective: To explain the purpose of the domain in Active Directory.
Lead-in: The domain is the core unit in the logical structure.

Domain Modes
Active Directory installs in mixed mode by default. A mixed mode domain
supports domain controllers that are running either Windows 2000 or Microsoft
Windows NT®. Active Directory uses mixed mode to provide support for
existing domain controllers that have not been upgraded to Windows 2000. You
can operate your domain in mixed mode indefinitely, which allows you to
upgrade domain controllers running Windows NT on a schedule that meets the
needs of your organization.
If your network does not have any domain controllers running Windows NT, or
when all of your domain controllers have been upgraded to Windows 2000, you
can convert the domain from mixed mode to native mode.
In a native mode domain, all domain controllers run Windows 2000. However,
member servers and client computers do not need to be upgraded to
Windows 2000 before you convert a domain to native mode. Some Active
Directory functionality, such as group nesting and security-type universal
groups, requires that the domain be in native mode.

Caution: The change from mixed mode to native mode is a one-way process;
you cannot change from native mode to mixed mode.

Key Points: The operating system on the domain controllers determines the mode
that your domain can use.


Organizational Units

• Arrange OUs According to:
• Delegate Administrative Control at OU Level
• OUs Enable Single Domain Model

[Slide diagram labels: Geographic Structure, Organizational Structure; Sales,
Paris, Repair, Users, Sales, Computers]


An organizational unit (OU) is a container object that you use to organize
objects within a domain. An OU contains objects, such as user accounts,
groups, computers, printers, and other OUs.
OU Hierarchy
You can use OUs to group objects into a logical hierarchy to represent an
organization’s:
• Organizational structure based on departmental or geographical boundaries.
• Network administrative model based on administrative responsibilities. For
  example, a company might have one administrator who is responsible for all
  of the user accounts and another who is responsible for all of the computers.
  In this case, you would create one OU for users and another OU for
  computers.

The OU hierarchy within a domain is independent of the OU hierarchy structure
of other domains—each domain can implement its own OU hierarchy.
Administrative Control of OUs
You can delegate administrative control over the objects within an OU. To
delegate administrative control of an OU, you grant specific permissions for the
OU and the objects that it contains to one or more users and groups.
For an OU, you can assign complete administrative control (for example, full
control over all objects in the OU) or limited administrative control (for
example, the ability to modify e-mail information on user objects in the OU).
Slide Objective: To explain the purpose of OUs in Active Directory.
Lead-in: An OU is a container in which you organize objects.