Understanding Logical Structure of Active Directory

Active Directory is the heart of Microsoft's identity and access management system. If you are new to Windows servers, understanding the logical structure of Active Directory can be difficult. An Active Directory infrastructure is made up of domains, trees, forests, domain controllers and so on. There are five different Active Directory server roles. Active Directory Domain Services is the core role, and the other services are installed on top of it. The five roles are:

  • Active Directory Domain Services
  • Active Directory Certificate Services
  • Active Directory Federation Services
  • Active Directory Lightweight Directory Services
  • Active Directory Rights Management Services

Understanding Logical Structure of Active Directory

In the above diagram, the Active Directory domain controller is a Windows Server (MBG-DC01) with the Active Directory Domain Services server role installed. When Active Directory Domain Services is installed, a database file called NTDS.DIT is created (by default under C:\Windows\NTDS). All directory objects such as users, computers, groups and printers are stored in this database. It also holds the password hashes of every account in the domain, so access to the file must be restricted to domain controllers and their backups. A domain is the boundary within which administration is scoped; note that in a multi-domain forest the forest, not the domain, is the security boundary. Examples of domains are contoso.com and mustbegeek.com. The first domain is created while installing the Active Directory Domain Services server role and promoting the server to a domain controller. A user logs on to the domain with a user name plus a domain identifier, either as a user principal name (UPN) such as user1@contoso.com, or as a down-level logon name that uses the domain's NetBIOS name, such as CONTOSO\user1. Active Directory is organised into domains, trees, forests and trusts.

  • Root Domain: The forest root domain is the first domain created in the forest. When you install the first domain controller and set up a domain, say mustbegeek.com, that domain is the forest root domain. It holds the forest-wide Schema Master and Domain Naming Master roles and the Enterprise Admins and Schema Admins groups, so its administrators effectively control the whole forest.
  • Child Domain: A child domain is a domain whose DNS name sits directly beneath its parent's name in the same namespace. When you create an additional domain in an existing forest, for example asia.mustbegeek.com, it is a child domain of mustbegeek.com, and mustbegeek.com is called the parent domain.
  • Tree: A tree is a group of domains that share a contiguous DNS namespace, for example mustbegeek.com together with asia.mustbegeek.com. In the diagram above there are two trees.
  • Forest: A forest is the collection of all trees, and therefore all domains, that share a common schema, configuration partition and global catalog; it is created together with the forest root domain. A forest can contain trees with different namespaces, such as mustbegeek.com and contoso.com. In the diagram above there is one forest: contoso.com is added as a new tree in the forest whose root domain is mustbegeek.com, and is the fourth domain. Because every domain in a forest trusts every other domain, the forest is the security boundary, and compromise of one domain's domain controllers should be treated as compromise of the forest.
  • Trust: There are different types of trusts between domains. When you create a child domain, a two-way transitive trust with the parent domain is created automatically; when you add a new tree, a two-way transitive tree-root trust between the forest root and the new tree's root domain is created automatically. A trust does not grant access by itself: it lets users in one domain authenticate to the other, after which they can be granted access to resources through group membership and ACLs. With a two-way trust, users of the parent domain can be granted access to resources in the child domain and vice versa.
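The following PowerShell is an added example, not code from the original article. It models the rules described above (child domain, tree, forest root, default trusts) from a plain list of domain DNS names, so it runs offline without a domain. The domain names are constructed to match the diagram; mustbegeek.com is taken as the forest root and europe.mustbegeek.com is an assumed third domain, since the article does not name it. On a domain-joined machine with the ActiveDirectory RSAT module, `(Get-ADForest).Domains` and `(Get-ADForest).RootDomain` can be substituted to run it against a live forest.

```powershell
# Added example: derive trees, parent/child relationships and the default
# trusts of a forest from its domain DNS names. Names are constructed;
# europe.mustbegeek.com is an assumption (the article does not name the third domain).
$ForestRoot = 'mustbegeek.com'
$Domains    = @('mustbegeek.com', 'asia.mustbegeek.com', 'europe.mustbegeek.com', 'contoso.com')

function Get-ParentDomain {
    # A child domain is the parent's DNS name with exactly one extra leading label,
    # and the parent must itself be a domain in the forest.
    param([string]$Domain, [string[]]$AllDomains)
    $idx = $Domain.IndexOf('.')
    if ($idx -lt 0) { return $null }
    $candidate = $Domain.Substring($idx + 1)
    if ($AllDomains -contains $candidate) { return $candidate }
    return $null
}

function Get-ADLogicalStructure {
    param([string[]]$Domains, [string]$ForestRoot)

    if ($Domains -notcontains $ForestRoot) {
        throw "Forest root '$ForestRoot' is not in the domain list"
    }

    $domainInfo = foreach ($d in $Domains) {
        $parent = Get-ParentDomain -Domain $d -AllDomains $Domains
        [pscustomobject]@{
            Domain       = $d
            Parent       = $parent
            IsTreeRoot   = ($null -eq $parent)   # no parent in the forest: top of a tree
            IsForestRoot = ($d -eq $ForestRoot)
        }
    }

    # Walk up the parent chain to find which tree each domain belongs to.
    $parentOf = @{}
    foreach ($i in $domainInfo) { $parentOf[$i.Domain] = $i.Parent }
    foreach ($i in $domainInfo) {
        $top = $i.Domain
        while ($parentOf[$top]) { $top = $parentOf[$top] }
        $i | Add-Member -NotePropertyName Tree -NotePropertyValue $top
    }

    # Default trusts: parent-child (two-way, transitive) for every child domain,
    # and a tree-root trust (two-way, transitive) between the forest root and
    # the root of every other tree.
    $trusts = foreach ($i in $domainInfo) {
        if ($i.Parent) {
            [pscustomobject]@{ Type = 'ParentChild'; From = $i.Parent;   To = $i.Domain; Direction = 'Bidirectional'; Transitive = $true }
        } elseif (-not $i.IsForestRoot) {
            [pscustomobject]@{ Type = 'TreeRoot';    From = $ForestRoot; To = $i.Domain; Direction = 'Bidirectional'; Transitive = $true }
        }
    }

    [pscustomobject]@{
        ForestRoot = $ForestRoot
        Trees      = @($domainInfo | Where-Object IsTreeRoot | Select-Object -ExpandProperty Domain)
        Domains    = $domainInfo
        Trusts     = @($trusts)
    }
}

$structure = Get-ADLogicalStructure -Domains $Domains -ForestRoot $ForestRoot
"Forest root : $($structure.ForestRoot)"
"Trees ($($structure.Trees.Count)): $($structure.Trees -join ', ')"
$structure.Domains | Format-Table Domain, Parent, Tree, IsTreeRoot -AutoSize
$structure.Trusts  | Format-Table Type, From, To, Direction, Transitive -AutoSize
```

For the constructed list the script reports two trees (mustbegeek.com and contoso.com), two parent-child trusts and one tree-root trust, which is the shape of the diagram. Against a live forest, compare the derived trust list with `Get-ADTrust -Filter *`: any trust that is not in the derived set is an external or forest trust that someone created by hand and that widens the security boundary, so it deserves a review.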

Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.