Chapter 15. Active Directory


Active Directory is an LDAP-based directory that supports the LDAP v3 specification defined in RFC 2251. In this chapter, I'm going to cover some of the most common tasks that you'll need to do to support an Active Directory infrastructure. However, Active Directory is a complex, intertwined set of technologies that cannot be covered comprehensively in a single chapter. If you want more information after finishing this chapter, read Active Directory (O'Reilly) to get a thorough understanding of Active Directory's capabilities or Active Directory Cookbook (O'Reilly) for more examples, scripts, and tips.

A Really Brief Introduction

A forest is a logical structure that is a collection of domains, plus the configuration and schema naming contexts, and application partitions. Forests are considered the primary security boundary in Active Directory. By that I mean that if you need to definitively restrict access to a domain so that administrators from other domains are blocked, you need to implement a separate forest (and subsequently a domain in that forest), instead of using a domain within a given forest. This is due to the transitive trust relationship between all domains in a forest and the extensive permissions that members of the Domain Admins group have. Unlike domains and trusts, a forest is not represented by a container or any other type of object in Active Directory. At a minimum, a forest consists of three naming contexts: the forest root domain, ...
