Chapter 15. Active Directory
Active Directory is an LDAP-based directory that supports the LDAP v3 specification defined in RFC 2251. In this chapter, I'm going to cover some of the most common tasks that you'll need to do to support an Active Directory infrastructure. However, Active Directory is a complex intermixed set of technologies that cannot be covered comprehensively in a single chapter. If you want more information after finishing this chapter, read Active Directory (O'Reilly) to get a thorough understanding of Active Directory's capabilities or Active Directory Cookbook (O'Reilly) for more examples, scripts, and tips.
A Really Brief Introduction
A forest is a logical structure that is a collection of domains, plus the configuration and schema naming contexts, and application partitions. Forests are considered the primary security boundary in Active Directory. By that I mean that if you need to definitively restrict access to a domain to block access by administrators from other domains, you need to implement a separate forest (and subsequently a domain in that forest), instead of using a domain within a given forest. This is due to the transitive trust relationship between all domains in a forest and the extensive permissions that members of the Domain Admins group have. Unlike domains and trusts, a forest is not represented by a container or any other type of object in Active Directory. At a minimum, a forest consists of three naming contexts: the forest root domain, ...