Windows 2000 Active Directory Structure

To understand Active Directory, the reader should have some knowledge of object-oriented concepts. It may be helpful to read the Object Guide and the UML Guide on this website first.

Benefits of Active Directory include:

  • Network resources are easy to find.
  • Group policies make administration easier.
  • Scalability
  • Flexibility, with the ability to add new classes, attributes, and objects.
  • Fully integrated security
  • Extensibility
  • Works on any network.

Parts and Structure

The domain is the core unit in the Active Directory structure. Active Directory includes:

  • A database of information about network users and resources.
  • A service managing the database.

Active Directory is organized hierarchically and contains information about:

  • User Accounts
  • Computers
  • Shared folders
  • Printers

Active Directory depends on and requires the Domain Name System (DNS) to be implemented on the network.

Active Directory provides the following functions:

  • Users can log on and are authenticated.
  • Users can locate network resources.
  • Administrators manage user and group access to network objects (resources).
  • Users can be given some administrative rights over some parts of the Active Directory database.

Object Oriented

Active Directory is object-oriented. This means that items in Active Directory are treated as objects. Objects contain both behavior (executable code) and attributes (data or characteristics). Objects are constructed from classes, in the same way that a cookie cutter is used to construct cookies: classes are templates for objects. Active Directory object classes include:

  • Domain
  • Organizational Unit - Contains objects and/or other organizational units, and is therefore also called a container object. The OU's primary purpose is to simplify administration by allowing objects and other OUs to be organized into groups.
  • Group
  • User
  • Computer
  • Contact
  • Shared folder
  • Printer

A domain tree is a hierarchical group of one or more domains with a single root domain.

Structure of Active Directory Database

All databases have a schema, which is a formal definition (a set of rules) governing the database structure and the types of objects and attributes the database can contain. The Active Directory schema contains a list of all classes and attributes in the forest.

The schema keeps track of:

  • Classes
  • Class attributes
  • Class relationships, such as subclasses (child classes that inherit attributes from their super class) and super classes (parent classes).
  • Object relationships, such as which objects are contained by other objects and which objects can contain other objects.
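The two kinds of relationship the schema tracks, inheritance between classes and containment between objects, can be modelled directly. The following Python is an added example, not code from the original page: the class names (top, person, organizationalPerson, user, computer, organizationalUnit, domainDNS, group) and the schema attribute names subClassOf, mayContain and possSuperiors are real Active Directory schema names, but the attribute sets and containment rules below are a constructed, heavily simplified subset, and treating possSuperiors as inherited like mayContain is a simplification of this toy model.

```python
"""Toy model of how an Active Directory schema governs class inheritance
(subClassOf) and object containment (possSuperiors).

Added example, not from the original page. Class names are real AD schema
classes; the attribute lists and containment rules are a constructed,
simplified subset for illustration only.
"""

SCHEMA = {
    "top": {"subClassOf": None,
            "mayContain": {"cn", "description"},
            "possSuperiors": set()},
    "domainDNS": {"subClassOf": "top",
                  "mayContain": {"dc"},
                  "possSuperiors": set()},
    "organizationalUnit": {"subClassOf": "top",
                           "mayContain": {"ou"},
                           "possSuperiors": {"domainDNS", "organizationalUnit"}},
    "person": {"subClassOf": "top",
               "mayContain": {"sn", "telephoneNumber"},
               "possSuperiors": set()},
    "organizationalPerson": {"subClassOf": "person",
                             "mayContain": {"title"},
                             "possSuperiors": set()},
    "user": {"subClassOf": "organizationalPerson",
             "mayContain": {"sAMAccountName", "memberOf"},
             "possSuperiors": {"domainDNS", "organizationalUnit"}},
    # computer really is a subclass of user in the AD schema; in this toy
    # model it adds one attribute and inherits its allowed containers.
    "computer": {"subClassOf": "user",
                 "mayContain": {"operatingSystem"},
                 "possSuperiors": set()},
    "group": {"subClassOf": "top",
              "mayContain": {"member", "sAMAccountName"},
              "possSuperiors": {"domainDNS", "organizationalUnit"}},
}


def superclass_chain(cls):
    """[cls, its superclass, ..., 'top']; raises KeyError for an unknown class."""
    chain = []
    while cls is not None:
        chain.append(cls)
        cls = SCHEMA[cls]["subClassOf"]
    return chain


def effective_attributes(cls):
    """Attributes an object of `cls` may carry: its own plus every inherited one."""
    attrs = set()
    for c in superclass_chain(cls):
        attrs |= SCHEMA[c]["mayContain"]
    return attrs


def effective_superiors(cls):
    """Classes whose objects may contain an object of `cls` (inherited likewise)."""
    superiors = set()
    for c in superclass_chain(cls):
        superiors |= SCHEMA[c]["possSuperiors"]
    return superiors


def can_contain(parent_cls, child_cls):
    """True if the schema lets a `parent_cls` object contain a `child_cls` object."""
    return parent_cls in effective_superiors(child_cls)


def validate_object(object_class, attributes, parent_class):
    """List the schema violations for creating an object of `object_class`
    carrying `attributes` under a parent of class `parent_class`.
    An empty list means the object is schema-legal."""
    if object_class not in SCHEMA:
        return [f"unknown class {object_class!r}"]
    problems = []
    allowed = effective_attributes(object_class)
    for name in sorted(attributes):
        if name not in allowed:
            problems.append(f"attribute {name!r} not defined for {object_class}")
    if not can_contain(parent_class, object_class):
        problems.append(f"{parent_class} may not contain {object_class}")
    return problems


if __name__ == "__main__":
    print(superclass_chain("computer"))
    print(sorted(effective_attributes("computer")))
    print(validate_object("computer", {"cn": "ws01", "operatingSystem": "Windows 2000"},
                          "organizationalUnit"))
    print(validate_object("user", {"cn": "jdoe", "operatingSystem": "x"}, "user"))
```

Running it shows a computer object inheriting "sn" and "title" all the way down from person and organizationalPerson, and a user placed under another user being rejected because no class in user's chain lists user as a possible superior. The rules encoded here are exactly what membership of the Schema Admins group (described below) allows someone to change, which is why that group's membership deserves regular review.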

The Active Directory database is stored in the SystemRoot\NTDS directory. The file "ntds.dit" contains the directory and schema data, and the file "schema.ini" contains the information used to control Active Directory security and create the default directory. Changes to the database are stored temporarily in log files in this directory until they are finalized to the database and replication to the other domain controllers is complete.

A forest is the set of all domains in an organization's network. It consists of one or more trees joined by two-way transitive trusts. A forest represents a non-contiguous (disjointed) namespace in Active Directory.

A tree represents a contiguous namespace in Active Directory and consists of a hierarchy of domains.
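The distinction between a tree (contiguous namespace) and a forest (several trees joined by two-way transitive trusts) can be computed from nothing more than the domains' DNS names. The following Python is an added example, not code from the original page; the forest it works on is a constructed sample with made-up domain names, and the helper names (parent_of, trees, trust_path) are this example's own.

```python
"""Group a forest's domains into trees by contiguous DNS namespace and trace
the chain of trusts a transitive trust follows between two domains.

Added example, not from the original page. SAMPLE_FOREST is constructed for
illustration; the domain names are made up.
"""
from collections import defaultdict

# Constructed sample forest: "example.com" and its children form one tree
# (a contiguous namespace); "partner.net" starts a second, disjoint tree.
SAMPLE_FOREST = [
    "example.com",
    "sales.example.com",
    "eu.sales.example.com",
    "research.example.com",
    "partner.net",
    "labs.partner.net",
]


def parent_of(domain, forest):
    """Return the forest member that is `domain`'s parent domain, or None if
    `domain` is the root of its tree. The parent is the longest forest member
    that `domain` is a subdomain of."""
    labels = domain.lower().split(".")
    members = {d.lower() for d in forest}
    # Try progressively shorter suffixes: for "eu.sales.example.com" check
    # "sales.example.com", then "example.com", then "com".
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in members:
            return candidate
    return None


def ancestors(domain, forest):
    """[domain, parent, grandparent, ..., tree root]."""
    domain = domain.lower()
    if domain not in {d.lower() for d in forest}:
        raise ValueError(f"{domain} is not a member of the forest")
    chain = [domain]
    while (parent := parent_of(chain[-1], forest)) is not None:
        chain.append(parent)
    return chain


def tree_roots(forest):
    """Domains with no parent in the forest: one per tree."""
    return sorted(d.lower() for d in forest if parent_of(d, forest) is None)


def trees(forest):
    """Map each tree root to the sorted list of domains in that tree."""
    grouped = defaultdict(list)
    for d in forest:
        grouped[ancestors(d, forest)[-1]].append(d.lower())
    return {root: sorted(members) for root, members in grouped.items()}


def trust_path(a, b, forest):
    """Chain of domains a transitive trust traverses from `a` to `b`: up the
    parent/child trusts to the lowest common ancestor, or, when the domains
    sit in different trees, up to `a`'s root, across the tree-root trust to
    `b`'s root, and down to `b`."""
    up = ancestors(a, forest)
    down = ancestors(b, forest)
    common = next((d for d in up if d in down), None)
    if common is None:
        # Different trees: the hop root(a) -> root(b) is the tree-root trust.
        return up + list(reversed(down))
    path = up[:up.index(common) + 1]
    path += list(reversed(down[:down.index(common)]))
    return path


if __name__ == "__main__":
    print(trees(SAMPLE_FOREST))
    print(trust_path("eu.sales.example.com", "research.example.com", SAMPLE_FOREST))
    print(trust_path("eu.sales.example.com", "labs.partner.net", SAMPLE_FOREST))
```

The second trust_path call crosses from example.com to partner.net even though the two names share nothing, which is the point of the forest: because every trust in it is two-way and transitive, a route exists between any two member domains. For a defender that means the forest, not the individual domain, is the boundary within which authentication trust must be treated as complete.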

A Global Catalog is a searchable master index holding data about all objects in a forest. The schema is stored in the global catalog. Only the information required to find an object is stored there. When the first domain controller in the forest is established, a default catalog is created automatically on that controller. More than one server can host the global catalog.

An Organizational Unit (OU) is an Active Directory container object that contains other organizational units or objects.

Changing the Active Directory Database Structure (Schema)

There are several ways to change the schema of Active Directory:

  • Application vendors can provide the capability to change the schema.
  • MMC - Microsoft provides a Microsoft Management Console snap-in, called Active Directory Schema, that allows the schema to be changed. The Windows 2000 Administration Tools (ADMINPAK) must be installed to use it. The group permitted to use this tool is called "Schema Admins", a group new to Windows 2000 whose only purpose is administering the Active Directory database schema.

Domain Controllers

When Active Directory is installed on a Windows 2000 Server computer, that computer becomes a domain controller. Domain controllers are used to authenticate users and control access to objects in the Windows domain. A Windows domain is a partial or full organizational structure which may or may not coincide with DNS domains on the Internet. Active Directory allows these Windows domains to be structured into a tree relationship using trusts, which are described later.

Domain controllers each contain a "replica" which is a copy of the domain directory.