Microsoft Azure AZ-800 — Section 3: Deploy and manage AD DS domain controllers Part 2


18. Visualizing Domains, Trees, and Forests

And now I'd like to walk you through and help you understand the concepts of domains, trees and forests. If you haven't already, it's very important that you go back and watch the foundation videos at the beginning of the course. The foundation videos outline the basic concept of what a domain is. So, this video is going to assume that you've watched those and that you have an understanding of what a domain is, and we're going to expand from there.

OK, so let's talk about domains, trees and forests. The first concept I want to get across is what a forest is. The first thing to be aware of is that every single Active Directory domain must be part of a forest, and also part of a tree. There is no way for a domain not to be part of a tree and a forest. A lot of people think, "Well, if you have a single domain, then it's not part of a tree or a forest. You have to have at least two domains to have what's called a tree, and you have to have at least two trees to make a forest." That is not true. That's absolutely not true, OK? I can tell you, I've taught Active Directory design for, I think, about twenty-one years of my life. I can tell you that every single domain must be part of a tree and must be part of a forest. If you don't have a tree and a forest when you set up a domain, you will have one when it's all said and done, even if it's just a single domain.

So, in the diagram that I've got up on the screen, this one domain is a domain, a tree and a forest all rolled into one. It's not a very big tree. It's not a very big forest, but it is a tree and a forest all rolled into one.

OK. Ultimately, when most people think of trees and forests, they generally think of more than one domain. And I'll give you that, because that's generally the idea. We want a group of domains that make up this thing called a tree, and then a group of trees that make up this thing called a forest. But let me help you visualize this a little bit more. I'm going to open up another drawing here. We'll start out with a single triangle, and that single triangle is going to represent our domain name. So, let's say this company just got started. It's a single domain. But when you set that domain up, it's a domain, a tree and a forest all rolled into one. OK, not a very big tree, not a very big forest, but it is a domain tree.

And of course, the question now would be: why would you move to having multiple domains? There are multiple reasons. One reason would be administrative purposes, because your company is spread out across many geographical locations. For example, part of my company might be based in the United States. Maybe that's where the company got started, but the company is expanding and growing and moving to different countries in the world. For example, maybe we've got a location over in the UK. So, we'll draw another little triangle here, and this other little triangle is going to represent the United Kingdom. And maybe we've also got another location in Japan. So, our company has spread out to other geographic regions, other parts of the world. I'm going to call this domain UK. When you do that, it becomes what's known as a child domain, because it sits underneath the parent domain's name: its DNS name is "uk" followed by the parent's domain name. And then this one is going to be the Japan domain, so it's going to be called JP, again with the parent's name after it. These are child domains. The lines between them represent what are known as trust relationships. Trust relationships allow our domains to share resources together.

So, these domains can all share resources now, believe it or not. You have domain admins that are in control of the UK, but they can only control the UK. You have domain admins for Japan, and they can only control Japan. We have domain admins for the parent domain that can only control the parent domain, and then we have what are called enterprise administrators that can control the whole thing. OK.

Child domains can even have other child domains. So, if I wanted to, I could have another triangle underneath the UK here, and we'll call that, maybe, Scotland. So, now you're getting into a bigger organization where you want to have lots of domains. And I will tell you that the more domains you have, the bigger the headache, a lot of the time. But ultimately, if you need to give full-blown admin control over the different areas of the world, using domains to do that, as opposed to something known as an OU, might be a better way to do it. I'm not getting into organizational units right now. I'll just say this: generally speaking, when you start getting into different branches and areas of the world, with different languages and different time zones, it's a good idea to let the admins in those areas of the world have their own domain. But the beauty is that these lines, these trust relationships, still allow us to share resources together.

OK, so right now what you're actually looking at is four domains, one tree and one forest. These are not two trees. It's not two forests. This whole thing is one tree. How do I know that these domains are part of the same tree? Because they share the parent's name. If a domain's DNS name ends with the parent's DNS name, it is part of that tree; that contiguous namespace is what defines a tree.

OK, now when would you go to multiple trees? You would go to multiple trees when there is a namespace change. So, for example, if another part of our company had a different naming convention of some sort, then we would expand out to that other name. I'll give this other domain a completely different name. And again, I don't really own that domain name, I'm just using it as an example, so I don't really have any control over it. So, then we've got another triangle here, another domain. Let me just maneuver that a little bit better. We'll put it right here. Now, what happens is that you have a trust relationship that connects those triangles together. So, now you're actually looking at another tree.

So, when you have a different domain name that you want to use, that is a different tree. And then from there, if I want to have a child domain underneath that, I can. For example, maybe we've got a location over in Australia, so I'll call it AU. I'll have to move this up a little bit just because I don't have enough room; let me maneuver it a little bit better, hang on. All right, and we'll put the domain name down here like that. So that indicates now that I've got a total of six domains, because there are six triangles, right? There are two trees: this is a tree, and this is a tree, and then we have one forest. So, that's how that works. OK.

Now, in order for domains to truly be part of the same forest, they must be born into that forest. You must have started the first domain, the forest root, first. Then, when you bring the next domain into existence, you create it as a new domain in that existing forest, whether as a child domain or as the root of a new tree. You can't take a domain that already exists on its own, join it in later, and have it truly be part of the same forest. You may say, "Wait a minute. What happens if this other company already existed, and they merged?" Well, you can still set up something called a trust relationship, but they are technically two different forests, because when domains are part of the same forest, they share the same schema. The schema is the part of the Active Directory database that defines all of the different object types and all of the different attributes. OK.

So, when domains are part of the same forest, they can share the following. They can share resources, so users can access files and folders, printers, things like that. And they also share the same schema. These are the object templates and attributes and all of that. I'm not getting too deep into the schema right now, but basically this involves the actual database itself.

Now, when two different companies merge and they've both already got Active Directory, so the other company already has its own forest set up, they would not be sharing the same schema. We could set up a forest trust between the two, and they could share resources, but they would not share the same schema. That means that if you created a special type of object in one forest, it's not going to replicate over to the other forest. OK.

All right. The other thing is that domains that are part of the same forest share this thing called the global catalog. The global catalog is a part of the Active Directory database that is shared across the whole forest, and it is part of what allows you to search for objects in different domains.

So, for example, if I'm in Scotland and I'm trying to look up somebody's user information over in Australia, I can do that, especially if I need their contact information or something like that, because of this thing called the global catalog that's shared across the entire forest. I won't get too deep into the global catalog right now; I just wanted to give you the basic idea. OK.

So, again, just to summarize: every domain must be part of a tree and a forest, even a single domain. If you can get away with not having multiple domains in your forest, then do it, because it's easier to deal with one domain than with lots of domains. But if you need to expand because, maybe, you're spread out all over the world, then that's a good reason to go to multiple child domains. Those are all part of the same tree.

Now, you don't really need to go to a separate tree in your forest unless you have a namespace difference. So, for example, this name here, prepareforexamsnow, is a different domain name. We could go to a separate tree for that. You would still only have one root of the forest, though: the very first domain in the forest is called the forest root domain. That is where your Enterprise Admins group lives. Enterprise admins have control over the entire forest, whereas domain admins are accounts that only have admin rights over their individual domain. One caveat worth knowing: Microsoft's own guidance is that the forest, not the domain, is the security boundary. The schema and configuration partitions are shared by every domain controller in the forest, and every domain's DCs replicate them, so a compromised domain controller or Domain Admin in any one domain can affect the whole forest. Separate domains give you administrative delegation, not isolation; if you need real isolation, you need a separate forest and a trust.

So, hopefully that gives you a decent little understanding now of domains, trees and forest.
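The rule above ("a child shares the parent's name; a new namespace is a new tree") can be turned into a check you run against a real forest. The following is an added example, not code from the course: it takes the list of domain DNS names that (Get-ADForest).Domains returns and works out which domains are tree roots, which are children, and how deep each one sits. The domain names in the sample are hypothetical and are constructed here so the function runs with no domain controller in reach.

```powershell
# Added example (not from the course). Derives the tree layout of a forest
# from its domain DNS names. Live input: (Get-ADForest).Domains and
# (Get-ADForest).RootDomain. The sample names below are constructed and hypothetical.
function Get-ForestTreeLayout {
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [Parameter(Mandatory)][string]$RootDomain
    )
    $names = $Domains | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique

    $rows = foreach ($d in $names) {
        # The parent is the longest other domain whose name is a DNS suffix of this one
        # (the lecture's "shares the parent's name"). No such parent means a tree root.
        # The leading dot matters: "scorp.example" must not look like a child of "corp.example".
        $parent = $names |
            Where-Object { $_ -ne $d -and $d.EndsWith(".$_") } |
            Sort-Object Length -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Domain       = $d
            Parent       = $parent
            IsTreeRoot   = [string]::IsNullOrEmpty($parent)
            IsForestRoot = ($d -eq $RootDomain.ToLowerInvariant())
        }
    }

    # Walk every domain up to its tree root so each row carries its tree name and depth.
    foreach ($row in $rows) {
        $depth = 0
        $cur = $row
        while (-not $cur.IsTreeRoot) {
            $depth++
            $cur = $rows | Where-Object Domain -eq $cur.Parent
        }
        $row | Add-Member -NotePropertyName Tree  -NotePropertyValue $cur.Domain
        $row | Add-Member -NotePropertyName Depth -NotePropertyValue $depth
    }
    $rows
}

# Constructed sample mirroring the lecture's drawing: one forest, two trees, six domains.
$sampleDomains = @(
    'corp.example',               # forest root (hypothetical name)
    'uk.corp.example',
    'jp.corp.example',
    'scotland.uk.corp.example',
    'other.example',              # second tree: a different namespace
    'au.other.example'
)
$layout = Get-ForestTreeLayout -Domains $sampleDomains -RootDomain 'corp.example'
$layout | Sort-Object Tree, Depth, Domain |
    Format-Table Domain, Parent, Tree, Depth, IsTreeRoot, IsForestRoot -AutoSize
"Trees in forest: $(($layout | Where-Object IsTreeRoot).Count)"

# Against a real forest (needs the ActiveDirectory module on a domain-joined machine):
# $f = Get-ADForest
# Get-ForestTreeLayout -Domains $f.Domains -RootDomain $f.RootDomain
```

With the sample input the function reports two tree roots (corp.example and other.example), four child domains, and scotland.uk.corp.example at depth 2. Note that the trust lines in the drawing are not derived here; Get-ADTrust -Filter * lists the actual parent-child, tree-root and external or forest trusts a domain has.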

19. Visualizing Active Directory Partitions

Now, something that's important to understand about Active Directory: Active Directory is a database, and like a lot of other databases out there, it is divided into things called partitions. Partitions are the units of replication from one domain controller to another. The interesting thing is that you have to consider not just multiple domain controllers inside the same domain, like I've got in my diagram here, but also what happens when you have multiple domains.

So, when you start branching out into multiple child domains and multiple trees, you have to think about how replication is going to occur across all of those domain controllers when they're spread out like that.

So, I want to draw a little something out for you now to kind of help you visualize and understand the concept of the different partitions that we have in a Microsoft domain.

So here we are with another drawing, and I am going to let’s say that this your domain controller right here.

So, we've got a domain controller, and that domain controller has a database on it. Of course, that database is Active Directory.

So, we'll just draw a big cylinder here, and the cylinder is going to represent our Active Directory database. OK.

OK. So, let's label it "Active Directory DB". That database is actually stored in a file called ntds.dit.

So, that's where your database is stored: inside a file called ntds.dit on your domain controller (by default under %SystemRoot%\NTDS\ntds.dit). That file holds every partition the DC has a replica of, which is exactly why anyone who can copy it, for example from a backup or a Volume Shadow Copy, can extract every password hash in the domain.

So, the Active Directory database, originally, many years ago when Windows 2000 came out, had really only three partitions that made it up.

OK. It was these first three here, and I'll tell you what the fourth one is in just a moment.

So, the first one is a partition called the config partition, also known as the configuration partition.

Now, the thing to understand about the configuration partition is that it replicates to every single domain controller in the entire forest. I don't care if you've got a single domain or fifty domains; a copy of this information replicates forest-wide. It contains information about how the forest is laid out: the sites, the replication topology, the list of domains, and so on. So, we'll write down: contains info about how the forest is configured, replicates forest-wide, every domain controller in the forest gets a copy. Which also means that you don't want to somehow mess it up, because you're going to mess it up for the entire forest.

The next partition is called the schema partition. The schema partition is the partition that defines all of the object types and attributes for the entire forest.

OK, so what exactly is that? Well, every time Active Directory goes to create something, whether it's a user account, a group or an organizational unit, I don't care what it is, Active Directory consults this partition known as the schema. That's how it knows how to build that object.

So, when I go to create a user, it's got to go to the schema to know how to build it. It's made up of all the templates. The analogy I always use is this: imagine a big, massive box, and on the front of that box it says the word "schema". Inside that box is a bunch of rolled-up blueprints, like the blueprints you might build a house with.

And each one of those blueprints is labeled after an Active Directory object: user account, group, group policy object, organizational unit. So, when you go to create something, Active Directory pulls out that blueprint, and that's how it knows how to build that object.

So, the schema is made up of all the different object classes and the attributes that go with those classes, the definitions of how to build objects. It doesn't store any information about individual objects. It doesn't store what a user's name or password is; it just knows how to build the object.

OK. That's what the schema partition contains: all object templates and attributes for building objects. This also replicates forest-wide, so every single domain controller in the forest has a replica of the schema.

The third partition is called the domain partition, and the domain partition is unique for every domain.

So, every domain gets its own copy of this partition, and each domain can add its own objects to it.

This is where all of your user accounts, your passwords (as hashes), your groups and your organizational units are stored, and they are unique to the domain that you're dealing with.

So, if you look back here, every single domain in this forest has its own unique domain partition.

OK. It's not a shared partition across the forest. They've each got their own unique domain partition, and that's where all of your object information is stored. So, we'll write: contains all domain-related object information for just this domain, and replicates only to the DCs in this domain.

It does not replicate across the forest like the other two do.

OK. So, that's important.

Now, guys, when this came out in the year 2000, that was it. There were only three partitions. When Windows Server 2003 Active Directory came out, Microsoft added the ability to create a fourth kind of partition called an application partition.

Now, an application partition is a custom partition that you can create, and you get to choose what's going to be stored inside it and which domain controllers get a replica of it.

So, if your company was developing applications, and those applications created special types of objects in Active Directory, and you only wanted certain domain controllers to have a copy of those objects, that's what this is for. To be honest with you, it's not really used that often nowadays. It was something I think Microsoft really thought would take off, and it didn't. It's not used by a lot of people out there, though it could be used if you develop custom objects that are going to be stored in Active Directory and you want to pick and choose which domain controllers replicate that information.

So, this is a custom partition that you create, and you choose which DCs get a copy of the information.

I will tell you that Active Directory nowadays does come with a couple of these built in. One is the ForestDnsZones application partition, and the other is the DomainDnsZones application partition. These are specifically for DNS and how you want DNS data to replicate, which I'm not getting into at the moment. But essentially what it means is that if Active Directory is hosting its own DNS, which most people do, you can choose to replicate a DNS zone to every DNS server in the forest (ForestDnsZones) or only to the DNS servers in a specific domain (DomainDnsZones). So, there are actually a couple of these that ship with Active Directory for DNS, but ultimately those first three are your main partitions. The fourth kind is a custom one that you can create, plus the couple of built-in ones Microsoft ships for DNS, which they don't really advertise a whole lot.
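Every domain controller advertises the partitions it holds in its rootDSE object, and the distinguished names follow the pattern described above: the configuration and schema partitions hang off the forest root, the domain partition is the DC's own domain, and application partitions such as ForestDnsZones and DomainDnsZones are DC= containers of their own. The following is an added example, not code from the course: it classifies a list of naming contexts into the four partition types and their replication scope. The naming contexts in the sample are constructed for a hypothetical forest and do not come from a real DC.

```powershell
# Added example (not from the course). Classifies the naming contexts a DC
# publishes in rootDSE into partition types and replication scopes.
# Live input: (Get-ADRootDSE).namingContexts and (Get-ADRootDSE).defaultNamingContext.
# The sample DNs below are constructed for a hypothetical forest rooted at corp.example.
function Get-ADPartitionType {
    param(
        [Parameter(Mandatory)][string[]]$NamingContexts,
        [Parameter(Mandatory)][string]$DefaultNamingContext   # this DC's own domain partition
    )
    foreach ($nc in $NamingContexts) {
        $info = switch -Regex ($nc) {
            # Schema sits under Configuration, so it must be tested first.
            '^CN=Schema,CN=Configuration,' { 'Schema';        'Forest-wide: every DC in the forest'; break }
            '^CN=Configuration,'           { 'Configuration'; 'Forest-wide: every DC in the forest'; break }
            '^DC=ForestDnsZones,'          { 'Application';   'DNS servers that are DCs, forest-wide'; break }
            '^DC=DomainDnsZones,'          { 'Application';   'DNS servers that are DCs in this domain'; break }
            default {
                # A DC hosts exactly one full domain partition: its own. Any other DC=
                # context it lists must be an application partition it was chosen to replicate.
                if ($nc -eq $DefaultNamingContext) { 'Domain'; 'Only the DCs of this domain' }
                else { 'Application (custom)'; 'The replica set chosen when it was created' }
            }
        }
        [pscustomobject]@{
            Type             = $info[0]
            ReplicationScope = $info[1]
            NamingContext    = $nc
        }
    }
}

# Constructed sample: what a DC of the child domain uk.corp.example might publish,
# plus one hypothetical custom application partition named AppData.
$sampleNCs = @(
    'DC=uk,DC=corp,DC=example',
    'CN=Configuration,DC=corp,DC=example',
    'CN=Schema,CN=Configuration,DC=corp,DC=example',
    'DC=ForestDnsZones,DC=corp,DC=example',
    'DC=DomainDnsZones,DC=uk,DC=corp,DC=example',
    'DC=AppData,DC=corp,DC=example'
)
Get-ADPartitionType -NamingContexts $sampleNCs -DefaultNamingContext 'DC=uk,DC=corp,DC=example' |
    Format-Table Type, ReplicationScope, NamingContext -AutoSize

# On a real DC (ActiveDirectory module), the same function over live data, plus the
# forest-wide list of application partitions:
# $r = Get-ADRootDSE
# Get-ADPartitionType -NamingContexts $r.namingContexts -DefaultNamingContext $r.defaultNamingContext
# (Get-ADForest).ApplicationPartitions
```

Notice that even on the child-domain DC the configuration and schema contexts are rooted at DC=corp,DC=example, the forest root: that is the concrete form of "replicates forest-wide", and it is why a change to either partition made from any domain lands on every DC in the forest.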

Now, the last thing I'd like to mention is this thing called the global catalog. The global catalog is a special role you can assign to a domain controller, and when you do, that DC holds a read-only, partial replica of the domain partition of every domain in the forest: a subset of the attributes of every object in every domain's domain partition.

I have to lower the font on that a little bit so it all fits in there. Let me say that again: it replicates a subset of the attributes of all the objects in every domain's domain partition. That's this partition right here.

OK, let's look at this now. The purpose of the global catalog is so that computers can locate objects in those different domains.

So, if I come back over here, it makes it possible for me to be in, say, the Scotland domain and look up a user account that exists in Australia. The global catalog is what makes that possible. It does not replicate every attribute of every object; it holds only a subset of attributes (the partial attribute set) so that the different machines in your forest can find objects across domains. This doesn't really do a whole lot if you've only got a single domain, because your domain controller knows everybody anyway. But if you spread out to multiple domains like I had in that other diagram, that's where the global catalog is really going to come into play.

So, hopefully that gives you guys a good understanding now of the different partitions. This is the behind-the-scenes stuff that's happening in Active Directory, but hopefully it helps you understand what these different partitions are used for.