Network Administration: Structure of Active Directory

The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its directory data. Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual objects tracked by the directory are stored. Active Directory uses a hierarchical database model, which groups items in a tree-like structure.

The following sections explain the meaning of these important Active Directory terms.


Objects

The basic unit of data in Active Directory is called an object. Active Directory can store information about many different kinds of objects. The objects you work with most are users, groups, computers, and printers.

The figure below shows the Active Directory Manager displaying a list of built-in objects that come preconfigured with Windows Server 2008 R2. To get to this management tool, choose Start→Administrative Tools→Active Directory Users and Computers. Then click the Builtin node to show the built-in objects.


Objects have descriptive characteristics called properties or attributes. You can call up the properties of an object by double-clicking the object in the management console.


Domains

A domain is the basic unit for grouping related objects in Active Directory. Typically, domains correspond to departments in a company. For example, a company with separate Accounting, Manufacturing, and Sales departments might have domains named (you guessed it) Accounting, Manufacturing, and Sales. Alternatively, domains can correspond to geographical locations. For example, a company with offices in Detroit, Dallas, and Denver might have domains named det, dal, and den.

Note that because Active Directory domains use DNS naming conventions, you can create subdomains that are considered to be child domains. You should always create the top-level domain for your entire network before you create any other domain.

For example, if your company is named Nimbus Brooms and you’ve registered as your domain name, you should create a top-level domain named before you create any other domains. Then, you can create subdomains such as,, and

If you have Microsoft Visio, you can use it to draw diagrams of your Active Directory domain structure. Visio includes several templates that provide cool icons for various types of Active Directory objects. For example, the following figure shows a Visio diagram of an Active Directory with four domains.


Note that these domains have little to do with the physical structure of your network. In Windows NT, domains usually are related to the network’s physical structure.

Every domain must have at least one domain controller, which is a server that’s responsible for the domain. However, unlike a Windows NT PDC, an Active Directory domain controller doesn’t have unique authority over its domain. In fact, a domain can have two or more domain controllers that share administrative duties. A feature called replication works hard at keeping all the domain controllers in sync with each other.

Organizational units

Many domains have too many objects to manage all together in a single group. Fortunately, Active Directory lets you create one or more organizational units, also known as OUs. OUs let you organize objects within a domain, without the extra work and inefficiency of creating additional domains.

One reason to create OUs within a domain is so that you can assign administrative rights for each OU to different users. Then, these users can perform routine administrative tasks such as creating new user accounts or resetting passwords.

For example, suppose the domain for the Denver office, named den, houses the Accounting and Legal departments. Rather than create separate domains for these departments, you could create organizational units for the departments.


Trees

A tree is a set of Active Directory names that share a common namespace. For example, the domains,,, and make up a tree that is derived from a common root domain,

The domains that make up a tree are related to each other through transitive trusts. In a transitive trust, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA automatically trusts DomainC.

Note that a single domain all by itself is still considered to be a tree.
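The transitive trust rule above can be checked mechanically when you audit which domains end up trusting which. The following is an added example, not part of the original article: it uses the DomainA/DomainB/DomainC names from the text, and it goes one step beyond the text by also modeling a non-transitive trust (the `DomainX` entry and the `transitive` flag are assumptions made for illustration).

```python
from collections import defaultdict

# Constructed sample data: (trusting domain, trusted domain, is the trust transitive?)
DIRECT_TRUSTS = [
    ("DomainA", "DomainB", True),
    ("DomainB", "DomainC", True),
    ("DomainC", "DomainX", False),  # hypothetical non-transitive trust
]

def effective_trusts(direct):
    """Return {trusting: set(trusted)}, including trusts implied by transitivity."""
    transitive = defaultdict(set)
    result = defaultdict(set)
    for trusting, trusted, is_transitive in direct:
        result[trusting].add(trusted)        # every configured trust counts directly
        if is_transitive:
            transitive[trusting].add(trusted)
    # Follow chains of transitive trusts only; a non-transitive trust never extends.
    for start in list(transitive):
        stack = list(transitive[start])
        seen = set()
        while stack:
            domain = stack.pop()
            if domain in seen or domain == start:
                continue
            seen.add(domain)
            stack.extend(transitive.get(domain, ()))
        result[start] |= seen
    return dict(result)

def implied_only(direct):
    """Trusts that exist only through transitivity (nobody configured them explicitly)."""
    explicit = {(a, b) for a, b, _ in direct}
    effective = effective_trusts(direct)
    return sorted((a, b) for a, targets in effective.items()
                  for b in targets if (a, b) not in explicit)

if __name__ == "__main__":
    for trusting, trusted in implied_only(DIRECT_TRUSTS):
        print(f"{trusting} trusts {trusted} (implied by transitivity)")
```

The implied pairs are the ones worth reviewing, because no administrator created them one by one.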


Forests

As its name suggests, a forest is a collection of trees. In other words, a forest is a collection of one or more domain trees that do not share a common parent domain.

For example, suppose Nimbus Brooms acquires Tracorum Technical Enterprises, which already has its own root domain named, with several subdomains of its own. Then, you can create a forest from these two domain trees so the domains can trust each other.
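To see how DNS naming determines which domains form a tree and which trees make up a forest, the added example below (not from the original article) groups a list of domain names by shared namespace and converts a DNS name to its directory distinguished name. The `corp-a.example` and `corp-b.example` names are constructed placeholders, not the article's domain names.

```python
# Constructed sample: two companies' domains that end up in one forest.
SAMPLE_DOMAINS = [
    "corp-a.example", "det.corp-a.example", "dal.corp-a.example",
    "den.corp-a.example", "acct.den.corp-a.example",
    "corp-b.example", "lab.corp-b.example",
]

def parent_of(domain, all_domains):
    """Closest ancestor of `domain` that is itself a domain, or None for a tree root."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in all_domains:
            return candidate
    return None

def build_forest(domains):
    """Group DNS domain names into trees: {tree root: members, parents before children}."""
    names = {d.lower().rstrip(".") for d in domains}
    trees = {}
    for d in names:
        root = d
        # Climb the namespace until no further parent domain exists.
        while (p := parent_of(root, names)) is not None:
            root = p
        trees.setdefault(root, []).append(d)
    return {r: sorted(m, key=lambda n: (n.count("."), n)) for r, m in trees.items()}

def to_dn(domain):
    """DNS domain name -> distinguished name of the domain (DC= components)."""
    return ",".join("DC=" + label for label in domain.split("."))

if __name__ == "__main__":
    for root, members in sorted(build_forest(SAMPLE_DOMAINS).items()):
        print(f"tree rooted at {root} ({to_dn(root)})")
        for m in members[1:]:
            print(f"  {m}  parent: {parent_of(m, set(SAMPLE_DOMAINS))}")
```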


The key to Active Directory forests is a database called the global catalog. The global catalog is sort of a super-directory that contains information about all of the objects in a forest, regardless of the domain. Then, if a user account can’t be found in the current domain, the global catalog is searched for the account. The global catalog provides a reference to the domain in which the account is defined.