Resources in Active Directory are represented by objects. An object is any resource present within Active Directory such as OUs, printers, users, domain controllers, etc. Every object has a set of characteristic attributes which describe it. For example, a computer object has attributes such as hostname and DNS name. Additionally, all AD attributes are associated with an LDAP name which can be used when performing LDAP queries.
Every object carries information in these attributes, some of which are mandatory and some optional. Objects can be instantiated with a predefined set of attributes from a class in order to make the process of object creation easier. For example, the computer object PC1
will be an instance of the computer class in Active Directory.
It is common for objects to contain other objects, in which case they are called containers. An object holding no other objects is known as a leaf.
The full path to an object in AD is specified via a Distinguished Name (DN). A Relative Distinguished Name (RDN) is a single component of the DN that separates the object from other objects at the current level in the naming hierarchy. RDNs are represented as attribute-value pairs in the form attribute=value
, typically expressed in UTF-8.
A DN is simply a comma-separated list of RDNs which begins with the top-most hierarchical layer and becomes more specific as you go to the right. For example, the DN for the John Doe user would be dc=local,dc=company,dc=admin,ou=employees,ou=users,cn=jdoe
.
The following attribute names for RDNs are defined:
LDAP Name | Attribute |
---|---|
DC | domainComponent |
CN | commonName |
OU | organizationalUnitName |
O | organizationName |
STREET | streetAddress |
L | localityName |
ST | stateOrProvinceName |
C | countryName |
UID | userid |
It is also important to note that the following characters are special and need to be escaped by a \
if they appear in the attribute value:
Character | Description |
---|---|
space or # at the beginning of a string |
|
space at the end of a string | |
, |
comma |
+ |
plus sign |
" |
double quotes |
\ |
backslash |
/ |
forwards slash |
< |
left angle bracket |
> |
right angle bracket |
; |
semicolon |
LF |
line feed |
CR |
carriage return |
= |
equals sign |
Objects are organised in logical groups called domains. These can further have nested subdomains in them and can either operate independently or be linked to other domains via trust relationships. A root domain together with all of its subdomains and nested objects is known as a domain tree.
Each domain controller is responsible for a single domain - hosting multiple domains on the same controller is not allowed. However, a single domain may have multiple domain controllers with different roles.
A collection of domain trees is referred to as a forest (really???) and it is the root container for all objects in a given AD environment. A forest is named after the first domain created inside it, which is called the forest root domain.
Whilst renaming the forest root domain is possible in AD environment from Windows Server 2003 onwards, it is not possible to change it to another domain
Removing the forest root domain results in the irrevocable destruction of the entire forest and all of its domains.
Relationships and access across domains in a single forest as well as domains in different forests are facilitated via trusts.
Trusts in Active Directory allow for forest-forest or domain-domain links. They allow users in one domain to access resources in another domain where their account does not reside. The way they work is by linking the authentication systems between two domains.
The two parties in a trust do not necessarily have the same capabilities with respect to each other:
Additionally, trusts can either be transitive or non-transitive. Transitivity means that the trust relationship is propagated upwards through a domain tree as it is formed.
For example, a transitive two-way trust is established between a new domain and its parent domain upon creation. Any children of the new domain (grandchildren of the parent domain) will also then share a trust relationship with the master parent.
Five possible types of trusts can be discerned depending on the relationships between the systems being linked:
Trust | Description |
---|---|
Parent-child | A two-way transitive relationship between a parent and a child domain. |
Cross-link | A trust between two child domains at the same hierarchical level, which is used to speed up authentication. |
External | A non-transitive trust between two separate domains in separate forests which are not already linked by a forest trust. |
Tree-root | A two-way transitive trust between a forest root domain and a new tree root domain. |
Forest | A transitive trust between two forest root domains in separate forests. |