In this lesson, we will see that the Active Directory infrastructure operates according to a hierarchy.
This hierarchy forms a tree structure composed of domains, trees, and forests.
Understanding this lesson will help you throughout the rest of the course.
Domain
A domain is a logical (administrative) Active Directory entity within which features and characteristics are shared.
A domain hosts users and computers, and policy settings are defined within it.
Representation of a domain:

Tree
A tree is represented by a set of domains that share the same namespace. A tree consists of a root domain, a parent domain, and subdomains in a contiguous and hierarchical namespace.
Each (sub-)domain is an administrative entity that has its own domain controllers, with the users and computers linked to the domain of which they are members.
The configuration and schema partitions are common to all domains, and the domain controllers of the forest share a global catalog.
Representation of a tree:
Forest
A forest is a grouping of several domains that share the same schema and configuration partitions. A forest can consist of several trees that do not share the same namespace.
The first domain installed in the forest is the root domain.
Representation of an Active Directory forest:
Functional levels
The forest and the domains have a functional level that determines the active functionalities.
The functional levels available with Windows Server 2019:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
The article "Windows Server Functional Levels" on the Microsoft website lists all the levels with the new features that have been added.
With the exception of Windows Server 2019, each new version of Windows Server brings a new level of functionality with new features to Active Directory.
The functional level is often determined by the domain controller running the oldest version of Windows Server.
When adding a new domain controller to an existing environment, you must check the compatibility of the levels with the versions of Windows Server. If you take an existing Active Directory environment and the levels are Windows Server 2003, it will not be possible to directly add a domain controller with the Windows Server 2016 or 2019 operating system.
Functional levels can be increased to enable new features and make the environment compatible with new versions of Windows Server.
Before upgrading, you must ensure that the environment is compatible because going back is not possible.
The two levels are more or less independent; it is possible to have one functional level for the forest and another for the domain, subject to the following:
- The functional level of the domain may be higher than that of the forest.
- The functional level of the domain may be lower than that of the forest’s functional level.
Conclusion
The majority of Active Directory environments are single-domain, meaning the domain and the forest are the same element.
To ensure the integrity of the Active Directory environment and the availability of services, a minimum of two domain controllers per domain is required. Using the forest example above, the environment must include at least 12 domain controllers.
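The checks described in the functional levels section and in the conclusion can be gathered in one read-only inventory. The script below is an added example, not part of the original lesson; it assumes a domain-joined machine with the ActiveDirectory PowerShell module (RSAT) installed, and the function name `Get-ForestInventory` is hypothetical.

```powershell
# Added example: read-only inventory of forest/domain functional levels and
# domain controllers. Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-ForestInventory {
    $forest = Get-ADForest

    foreach ($domainName in $forest.Domains) {
        try {
            # Query a domain controller of the domain being inspected.
            $domain = Get-ADDomain -Identity $domainName -Server $domainName
            $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        }
        catch {
            Write-Warning "Could not query domain ${domainName}: $($_.Exception.Message)"
            continue
        }

        if ($dcs.Count -eq 0) {
            Write-Warning "No domain controller returned for $domainName"
            continue
        }

        foreach ($dc in $dcs) {
            [pscustomobject]@{
                Domain      = $domain.DNSRoot
                IsRoot      = ($domain.DNSRoot -eq $forest.RootDomain)
                ForestLevel = $forest.ForestMode
                DomainLevel = $domain.DomainMode
                DC          = $dc.HostName
                DcOS        = $dc.OperatingSystem   # oldest OS limits how far levels can be raised
                GC          = $dc.IsGlobalCatalog
                DcCount     = $dcs.Count
                TwoDcMin    = ($dcs.Count -ge 2)    # minimum of two DCs per domain
            }
        }
    }
}

Get-ForestInventory |
    Sort-Object Domain, DC |
    Format-Table -AutoSize
```

Run it before adding a domain controller or raising a functional level: the `DcOS` column shows which controllers would have to be upgraded or retired first, and `TwoDcMin` flags domains that lack a second controller.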

