Organizational units: Containers in a domain that allow you to organize and group resources for easier administration, including delegating administrative rights.

Domains: An administrative boundary for users and computers, which are stored in a common directory database. A single domain can span multiple physical locations or sites and can contain millions of objects.

Domain trees: Collections of domains that are grouped together in hierarchical structures and that share a common root domain. A domain tree can have a single domain or many domains. A domain (known as the parent domain) can have a child domain. A child domain can have its own child domain. Because the child domain name is combined with the parent domain name to form its own unique Domain Name System (DNS) name, the domains within a tree have a contiguous namespace.

Forests: A collection of domain trees that share a common Active Directory Domain Services (AD DS). A forest can contain one or more domain trees or domains, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. A forest can be a single domain tree or even a single domain. The first domain in the forest is called the forest root domain. For multiple domain trees, each domain tree consists of a unique namespace.

The physical components that make up Active Directory include the following:

Domain controllers: The servers that contain the Active Directory databases. A domain partition stores only the information about objects located in that domain. All domain controllers in a domain receive changes and replicate those changes to the domain partition stored on all other domain controllers in the domain. As a result, all domain controllers are peers in the domain and manage replication as a unit.

Global catalog servers: A domain controller that stores a full copy of all Active Directory objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. Applications and clients can query the global catalog to locate any object in a forest. A global catalog is created automatically on the first domain controller in the forest. Optionally, other domain controllers can be configured to serve as global catalogs.

Operations Masters: Specialized domain controllers that perform certain tasks so that multi-master domain controllers can operate and synchronize properly.

Read-only domain controllers: Specialized domain controllers that hold only a non-writable copy of Active Directory and are intended for use in branch offices and on servers in low physical security environments.

When a user logs on, Active Directory clients locate an Active Directory server (using the DNS SRV resource records) known as a domain controller in the same site as the computer.

Each domain has its own set of domain controllers to provide access to the domain resources, such as users and computers. For fault tolerance, a site should have two or more domain controllers. That way, if one domain controller fails, the other domain controller can still service the clients. Note that whenever an object (such as a username or password) is modified, it is automatically replicated to the other domain controllers within a domain.
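The following PowerShell audit is an added example, not part of the original page: it lists each site's domain controllers by role, resolves the site-specific SRV record that clients query at logon, and flags sites that fall short of the two-controller guidance above. It assumes a domain-joined host with the RSAT ActiveDirectory module installed; the output column names are chosen for this example.

```powershell
# Added example: per-site domain controller inventory and SRV locator check.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *

# Note: sites that contain no domain controller do not appear in this grouping.
$report = foreach ($site in ($dcs | Group-Object -Property Site)) {

    # Site-specific locator record that clients in this site look up first.
    $srvName = "_ldap._tcp.$($site.Name)._sites.dc._msdcs.$domain"

    # Keep only SRV answers; the response can also carry A/AAAA records.
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })

    $readOnly = @($site.Group | Where-Object { $_.IsReadOnly })
    $gcs      = @($site.Group | Where-Object { $_.IsGlobalCatalog })
    $fsmo     = @($site.Group | Where-Object { $_.OperationMasterRoles.Count -gt 0 })

    [pscustomobject]@{
        Site              = $site.Name
        DomainControllers = $site.Count
        Writable          = $site.Count - $readOnly.Count
        ReadOnly          = $readOnly.Count
        GlobalCatalogs    = $gcs.Count
        OperationsMasters = $fsmo.Count
        # Distinct hosts advertised in DNS for this site. This can differ from
        # the DC count when records are stale or another site covers this one.
        SrvTargets        = @($srv | ForEach-Object { $_.NameTarget } |
                              Sort-Object -Unique).Count
        # True when the loss of one DC leaves the site without a local DC.
        SingleDC          = $site.Count -lt 2
    }
}

$report | Sort-Object -Property Site | Format-Table -AutoSize
```

Rows with `SingleDC` set to `True`, or with `SrvTargets` at `0`, are the sites to review first.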