The buzz surrounding Active Directory (AD) hails the directory service as the most important new feature of the Windows 2000 server. It has been touted as a complex, fast, reliable resource management system that, if properly configured and maintained, will provide the backbone for Windows 2000.
If you’d like to learn more about enterprise migration to Windows 2000, download our free Windows 2000 White Paper , which aims to bring you up to speed on what you can expect with Microsoft’s forthcoming OS.
How will AD work?
AD has been designed to centralize all of the user, group, application, printer, and computer information on your network in one repository. Rather than having to administer many different domains and trust relationships between them, all network information can be placed in AD.

Active Directory is the most-touted new feature in Windows 2000.

AD can maintain up to 10 million objects—network users, groups, and computers—in a single domain.

Technologies and architecture
Having a single domain with 10 million AD objects makes for a very large database. Active Directory’s primary function is to provide fast, reliable access to this large database. AD is based on the X.500 architecture and uses the Extensible Storage Engine database format (ESE97), the same architecture introduced by Microsoft Exchange Server 5.5. This database is hierarchical, allowing it to grow larger while still providing fast access.

The domain model for Windows 2000 has changed drastically from the model used for Windows NT 4.0. AD drops the concept of Primary Domain Controllers (PDCs) and Backup Domain Controllers (BDCs) within domains. Instead, all domain controllers (DCs) act as peers with one another, allowing you to make changes to the database of any server in the tree. All changes are forwarded to all servers throughout the network in what Microsoft calls a multi-master replication. This can make for a lot of network traffic, and special consideration should be made for slow wide area network (WAN) links.

Not only do the controllers all work together, you can also quickly reassign DCs to other domains in your Active Directory tree. You no longer have to completely reinstall the operating system to move DCs from one domain to another.

Even though Microsoft built Active Directory from scratch, it did so using many Internet-based standards. Microsoft based AD authentication on the Kerberos and X.509 security models, increasing overall network security. Active Directory makes use of DNS to resolve network names and server locations. AD itself is based around and can use LDAP (Lightweight Directory Access Protocol) for the basis of its directory schema and access.

Good things come in trees
Domains in earlier versions of NT made up the entire manageable collection of users, printers, servers, and workstations on your network. In Windows 2000, domains are merely a subset of the larger tree. Each domain is a partition of the network’s namespace. Items within the domain share a common security policy.

Be prepared for new terms with Active Directory.

Also new is the concept of forests and trees. AD trees consist of a group of domains that share the same schema and configuration. Domains in a directory tree all have a contiguous namespace.

In contrast, a forest contains one or more sets of trees that don’t form a contiguous namespace. Different trees in a forest trust one another using transitive Kerberos trust relationships. Trees in a forest share a common schema, configuration, and global catalog.

Don’t confuse trees and forests with sites. Trees and forests are used to manage administration and security in an organization. Sites reflect geographical boundaries. You may choose to arrange a site’s trees and forests using a geographical or an organizational approach, but doing so doesn’t affect the sites of the domains.

When designing the tree, Microsoft allows you to break the tree down into sites. A site is a collection of workstations and servers along subnets with fast connections. Within a site, NT replicates information after a regularly defined time. Between sites, NT replicates data only at selected times or events to minimize WAN traffic.

To speed tree-wide searches, AD creates a separate index file called the global catalog. The global catalog contains a list of all the objects from all the domains in the entire AD tree. It also contains a few of the properties from each object. (An administrator can change the index criteria.) This global catalog is then distributed to all servers in the AD.

Microsoft uses the term namespace to refer to any collection of domains with a common DNS root name. Examples of items within the same namespace include,, and

Namespaces in an Active Directory tree can be contiguous or disjointed. In a contiguous namespace, domain names share the same root name. For example, is contiguous with a namespace of

Disjointed namespaces contain domains that are interrelated but that don’t share common root names. For example, if you have related resources in and, the namespaces are considered disjointed.

Within a domain, you can create organizational units(OUs). OUs are containers that hold objects such as users, groups, and printers in the Active Directory. You can organize OUs into a logical structure that matches the way you work and organize your business. Additionally, you can delegate administration based on permissions assigned to the organizational unit. Therefore, it would be wise to use OUs to divide the domain into functional units such as Accounting, Human Resources, and Information Systems. Using organizational units reduces the number of domains needed to manage the tree.
Keep your eyes open for part 2, in which we’ll examine resource name resolution, object rights, tree replication, and limitations.