
Domain, Domain tree, Forest, Domain Controller, Active Directory

Q: What are the basic concepts of a corporate network on the Windows platform?

When you imagine a basic computer network (for example a home or small office network) you usually think of a bunch of computers connected via switches, probably with a router connecting them to the Internet and maybe some printers or scanners that they can share among themselves.

Now when I say that “the computers share” printers and scanners I of course mean that one user sitting at a computer with a printer (or scanner) lets another user sitting at another computer use his/her printer (or scanner). I say that computers share to illustrate one point: home and small office network users mostly don’t interchange or share computers. They authenticate only locally (against the username and password stored on the local computer) and mostly have full access to the computer.

Aside from internet access and file/printer/scanner sharing there is usually not much else going on in these networks.

Q: How are the corporate networks different?

There are some obvious and some not so obvious ways. They are obviously bigger. Not only workstations (personal computers) but also servers (computers dedicated to providing services to the network, e.g. file servers, print servers, DNS servers) are on the network. The size of the network can vary as laptop users come and go. And security on corporate networks must be stricter, assuming that the data handled are more sensitive than data handled on a home network :) and also when the network provides some sort of access from the Internet, for example a Web server hosting the corporate web applications or Remote Desktop Connection.

The less obvious reasons can be that the corporate network does not only host a lot of computers (be it workstations or servers) but can also span not just a floor in a building or several buildings but also cities and even continents. Company-specific services (physically located on one side of the globe) have to be accessible to authorized users (even on the other side of the globe). Workstation users can interchange their computers (free seating). A corporate network has to accommodate companies with a complex inner structure without forcing that structure to change, and it has to be flexible, for example when one company buys another.

Now with this in mind we can ask: how does the Windows platform accomplish these things?

Q: What do you mean by ‘these things’?

  • user authentication – controlling user access to the network
  • user authorization – controlling authenticated user access to network resources (data, servers, printers, etc.)
  • user account management – controlling user account security (by forcing secure passwords or restricting users’ privileges on the local machine, like disallowing changes to hardware or network settings)
  • network resources management (providing names and lookup services for those names – physical resource location transparency)
  • logical grouping of user and network resources to simplify their management

The Windows platform provides many more features, but for now let’s focus on the above.

Q: So how do I build a network solution on the Windows platform?

First of all you have to understand that in the Windows platform network solution your network and its resources are managed by a service called Active Directory. The Active Directory directory service ships with Windows servers. So to build a network on the Windows platform you will need a Windows server, for example Windows Server 2003. So let’s assume that you have one. What is next? Next you’ll need to understand a little bit about Active Directory and the structures it manages.

Active Directory

We said that Active Directory is a directory service. From Wikipedia:

A directory service (DS) is a software application — or a set of applications — that stores and organizes information about a computer network’s users and network resources, and that allows network administrators to manage users’ access to the resources. Additionally, directory services act as an abstraction layer between users and shared resources.

And more specifically it’s Microsoft’s implementation of the Lightweight Directory Access Protocol (LDAP) and was first released with the Windows 2000 Server edition.

Active Directory is simply a database of objects which represent users, computers, network resources and groupings of each of them. At the top level Active Directory manages a domain forest, which is a grouping of domain trees. A domain forest can also consist of a single domain tree. The picture below shows a more general version of a domain forest.

To understand what a domain forest is and what it is good for, let’s first discuss what a domain is.

Domain

A domain is a logical grouping of objects (just like the domain forest), but something like a second-level grouping. And by second level I mean a more specific grouping. The objects managed in a single domain have the same distinguished name suffix (the domain component part).

Q: What are distinguished names?

A distinguished name (DN) is a notion from LDAP — Active Directory is an implementation of LDAP, remember? As you might have guessed, DNs are used in Active Directory to identify the specific objects stored in it. Everything in Active Directory has a distinguished name — users, computers, groups, organizational units and so on.

The best way to explain this is to look at an example.

Let’s say we have our own organization called awesome organization :) , you are part of the management of the organization and your name is John Doe. Then your distinguished name (the name given to you by Active Directory) would be something like this:

CN="John Doe", CN="management", DC="awesome", DC="org"

Where CN stands for Common Name and DC stands for Domain Component. You can see that the naming in Active Directory is hierarchical. Another thing you can notice is that the domain has a name! And as we’ve discussed above, the domain manages objects with the same distinguished name suffix. In the above example that would mean objects whose distinguished names end with DC="awesome", DC="org".

Q: Do I have to buy a domain called awesome.org to be able to use it with Active Directory?

No you don’t. Domain names in Active Directory are completely independent of domain names on the Internet. You can call your domain local or business or whatever you like. If it bothers you that they look the same, it’s just because the method used to resolve domain names on the Internet and in Windows domains is the same, namely DNS.

With the notion of domains as collections of objects with the same distinguished name suffix we can return to the domain forest and see its function. The domain forest is a grouping of domains (domain trees), which means that a domain forest can manage objects without the need for them to have the same distinguished name suffix.

Domain tree

A domain tree is actually a more general term for a domain. You can think of a domain tree as a domain with zero or more subdomains.

If, from our previous example (awesome.org), we wanted to make our management department a whole subdomain, its name would be management.awesome.org. And then your DN would be:

CN="John Doe", DC="management", DC="awesome", DC="org"

The CN in front of management changed to DC.
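To make the “same distinguished name suffix” rule concrete, here is an added example (not from the original post) that parses DNs, derives the domain from the DC components and tests whether an object sits in a given domain tree. It uses the two John Doe DNs above, with awesome.org as the made-up domain the text already uses.

```python
import re

# One RDN: type '=' value, where the value is either the deprecated quoted
# form used in the text (CN="John Doe") or an RFC 4514 value with \ escapes.
_RDN = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*'
    r'("(?:[^"\\]|\\.)*"|(?:\\.|[^,\\])*?)\s*(?:,|$)'
)

def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs, unescaping the values."""
    rdns, pos = [], 0
    while pos < len(dn):
        m = _RDN.match(dn, pos)
        if not m:
            raise ValueError(f"malformed DN at offset {pos}: {dn!r}")
        typ, val = m.group(1).upper(), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                    # strip RFC 1779 style quotes
        val = re.sub(r'\\(.)', r'\1', val)     # \, \= \" -> the literal char
        rdns.append((typ, val))
        pos = m.end()
    return rdns

def domain_of(dn: str) -> str:
    """DNS-style name of the object's domain: the DC components joined with
    dots.  All objects of one domain share this suffix (the rule in the text)."""
    dcs = [v for t, v in split_dn(dn) if t == "DC"]
    if not dcs:
        raise ValueError("DN has no DC suffix, so it belongs to no domain")
    return ".".join(dcs).lower()

def in_domain_tree(dn: str, root: str) -> bool:
    """True if the object's domain is `root` or one of its subdomains, i.e. the
    object lives somewhere in the domain tree rooted at `root`.  The leading
    dot keeps 'awesome.org' from counting as a subdomain of 'some.org'."""
    domain, root = domain_of(dn), root.lower()
    return domain == root or domain.endswith("." + root)

# The two DNs the text gives for John Doe: 'management' as a container inside
# awesome.org, then 'management' as the subdomain management.awesome.org.
JOHN_IN_CONTAINER = 'CN="John Doe", CN="management", DC="awesome", DC="org"'
JOHN_IN_SUBDOMAIN = 'CN="John Doe", DC="management", DC="awesome", DC="org"'

if __name__ == "__main__":
    for dn in (JOHN_IN_CONTAINER, JOHN_IN_SUBDOMAIN):
        print(f"{domain_of(dn):24} in awesome.org tree: "
              f"{in_domain_tree(dn, 'awesome.org')}   <- {dn}")
```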

Domain Controllers

OK, so we know a bit about Active Directory. We know that it’s a database of sorts. It manages objects that represent users, computers, user groups, computer groups and organizational units (more on these later). But where is this database stored physically? The answer is (as the title of this section suggests) domain controllers. A domain controller is a piece of software shipped with Windows servers that manages the authentication requests in a Windows domain. If a computer is part of a domain and a user wants to log in, he/she provides the username and password. Instead of checking that information against something stored locally, the computer contacts a domain controller and asks it to do the authentication instead. If the domain controller authenticates the user, the user is granted access to the local machine and the domain.

Three things to remember:

  1. the computer must be part of a domain
  2. the computer uses the domain controller to check the user’s credentials
  3. the domain controller does the authentication, not the authorization

Resource and user/machine management concepts

There are two concepts: one for managing network resources (access to servers, shared files, printers, etc.) and one for managing the user workstations and user accounts.

Access Control Lists

To manage network resources, Windows domains use Access Control Lists or ACLs. An ACL is just an enumeration of users or groups with their rights to use a particular resource. The important thing is that ACLs are stored with the resources; Active Directory does not store them. For example:

You have a file server in your domain. A file server provides the users of the domain with access to certain folders in its directory structure. On each of those folders you can set an ACL saying which users can read/write/delete (and many more options) these folders, their subfolders and so on. Here is a concrete example setting the permissions Read & Execute, List Folder Contents and Read for the group named Managers on the folder named DATA.

You can imagine that setting permissions for every individual user would be a daunting task. The solution? Groups! Group users, group machines, group groups, group everything and set ACLs on groups instead of individual users.
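As an added example (not from the original post), here is a small evaluator for the group-based ACL model just described: the ACL lives with the resource, entries name groups rather than users, nested groups are resolved, and an explicit Deny wins over Allow. The Managers group, a nested Executives group, the Interns group, the DATA folder and the user names are constructed, and the rights bits are a simplified stand-in for the NTFS ones.

```python
from enum import IntFlag

class Rights(IntFlag):  # simplified stand-in for the NTFS permission bits
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    READ_AND_EXECUTE = READ | EXECUTE        # "Read & Execute" in the GUI

# Group membership as the directory would hold it (constructed data).  A member
# may itself be a group, which is the "group groups" idea from the text.
GROUPS = {
    "Managers": {"john.doe", "Executives"},
    "Executives": {"jane.roe"},
    "Interns": {"sam.poe"},
}

def expand_principals(user: str) -> set[str]:
    """The user plus every group they belong to, directly or through nesting."""
    principals = {user}
    changed = True
    while changed:                      # repeat until no new group turns up
        changed = False
        for group, members in GROUPS.items():
            if group not in principals and members & principals:
                principals.add(group)
                changed = True
    return principals

# The ACL is stored with the resource (the DATA folder), not in the directory.
# Entries are (principal, is_allow, rights), Deny first as in a canonical DACL.
DATA_FOLDER_ACL = [
    ("Interns", False, Rights.WRITE | Rights.DELETE),
    ("Managers", True, Rights.READ_AND_EXECUTE),
    ("Interns", True, Rights.READ),
]

def is_allowed(acl, user: str, wanted: Rights) -> bool:
    """Grant only if every wanted bit is allowed and none is explicitly denied."""
    principals = expand_principals(user)
    allowed = denied = Rights(0)
    for principal, is_allow, rights in acl:
        if principal in principals:
            if is_allow:
                allowed |= rights
            else:
                denied |= rights
    return not (wanted & denied) and (wanted & allowed) == wanted

if __name__ == "__main__":
    for user in ("john.doe", "jane.roe", "sam.poe"):
        print(user, is_allowed(DATA_FOLDER_ACL, user, Rights.READ_AND_EXECUTE))
```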

Group Policies

To manage user accounts and machines you use Group Policy (GP). Group policies are rules applied to the user’s workstation at computer startup (Computer Configuration) and/or at logon (User Configuration). There are around 1000 individual settings you can apply to the user’s workstation with Group Policies, from the complexity of passwords needed to log on, the contents of the Start menu and access to the Control Panel, to write permissions on the local hard drive or profile folder redirection.

You can even use GPs to remove the pesky Recycle Bin desktop icon if you don’t want it there :)

Q: I really don’t want to set all 1000 individual settings. Is there no easier way?

YES, THERE IS! And thank God for that! Microsoft developed the Common Desktop Scenarios, which are implementations of GPs for some common types of users and workstations. The scenarios contain GPs for:

  • Lightly managed
    • Power users
    • Laptop users
  • Highly managed
    • Application station
    • Multi-user station
    • Task stations
    • Kiosk station

In most cases only minor adjustments to those scenarios are necessary to get the desired result.

Additional useful links

http://www.windowsnetworking.com/articles_tutorials/Networking-Basics-Part1.html
http://web2.blogtells.com/

If for whatever reason you want your Windows desktop to contain no icons you have probably tried deleting the Recycle Bin icon from your desktop. And I mean hitting the Delete key while you have the Recycle Bin icon selected. But that didn’t do anything. My reason for doing this was that I got tired of minimizing all my open windows (Windows key + M) when I tried to get to the desktop icons. Since I always have Firefox, an IDE or a shell window open, this tended to happen a lot.

I decided to use RocketDock instead of the desktop icons, utilizing its very nice (and free) AutoHide feature.

Being a “purist” I spotted a duplication. RocketDock contains built-in icons for My Computer, My Network Places and Recycle Bin, and so does my desktop (because I prefer the classic Windows Start menu). That is why I decided to remove these icons from my desktop.

The cleanup

Removing My Computer and My Network Places is easy. Delete works just fine. The hard part is removing the Recycle Bin. There are actually multiple ways to get rid of the Recycle Bin icon:

  • A third-party program can be used to hide the Recycle Bin.
  • The TweakUI program can be used to hide the Recycle Bin.
  • The registry information for the Recycle Bin can be deleted.
  • A Group Policy setting can be used to hide the Recycle Bin.

I used my Local Computer Group Policy to do the job.
NOTE: Windows XP Home Edition does not support Group Policy.

The procedure

  1. Open the Group Policy Object Editor
  2. Enable the ‘Remove Recycle Bin icon from the desktop’ option
  3. Restart your computer
  4. Delete the Recycle Bin icon

Open the Group Policy Object Editor

From the Start menu select Run, type gpedit.msc and press OK.

The Group Policy Object Editor shows up.

Enable the ‘Remove Recycle Bin icon from the desktop’ option

In the Group Policy Object Editor navigate to:

Local Computer Policy -> User Configuration -> Administrative Templates -> Desktop
and double-click the Remove Recycle Bin icon from desktop option and change it from Not configured to Enabled.

Restart your computer

Group policies are applied when a user logs in or the computer boots up. The easiest way to ensure that the new policies have been applied is to simply restart your computer. If you prefer not to, you can run the gpupdate /force command, which applies most policy changes. But as my Windows administration teacher says:

“with windows there are never enough restarts”

Delete the Recycle Bin icon

Now you should be able to select the Recycle Bin desktop icon and delete it from your clean, icon-free, spotless desktop.

[Screenshot: clean desktop]

For information on how to reverse the removal of the Recycle Bin desktop icon, check out this Microsoft Help and Support page.
