
Active Directory Fundamentals

Framework of Active Directory

The logical structure of Active Directory is built around domains. The framework that holds directory objects can be viewed at three levels: forests, domain trees and domains. Within a domain, objects are further organized into organizational units, and the physical layout of the network is modelled separately by sites.

Active Directory Framework

At the top of the hierarchy is the forest. A forest holds all of an organization's Active Directory data, and the first domain created in it is the forest root domain. All domains within a forest share a common schema, a common configuration partition and a common global catalog, and they are linked by automatic two-way transitive trusts, so information flows freely within the forest. The forest, not the domain, is the security boundary: to reach data in another forest, an explicit forest trust or external trust must be created, and such trusts should be reviewed like any other privileged access path.

A domain tree is formed when a group of domains share the schema and configuration and have a contiguous DNS namespace, for example a parent domain and its child domains. The domains inside a tree trust each other implicitly through parent-child trusts. A trust is a relationship that allows principals authenticated in one domain to be granted access to resources in another; the trust itself does not grant access, permissions on the resource still have to be assigned.

The logical structure of Active Directory is built around domains. A domain is a grouping of objects that shares a name, its own directory database (the domain partition) and policies that apply to all resources within that domain. A domain is a boundary for administration, policy, authentication and authorization, but not a security boundary, because the domains of a forest trust one another. A domain controller (DC) holds a writable copy of the domain partition and is the authority for authentication and directory changes within its domain.

Organizational units (OUs) are containers that hold other Active Directory objects such as users, computers, groups, printers, shared folders and other OUs. OUs are the smallest scope to which Group Policy can be linked and administrative control delegated, which makes them the main tool for structuring administration within a domain. OUs are not security principals: permissions are delegated on an OU, never granted to one.

While forests, trees and domains are logical groupings of objects, the physical grouping is defined by sites. A site is a set of well-connected IP subnets, so it usually corresponds to a single physical location: if your organization has several branches, each branch can be defined as its own site. Sites are used to control replication traffic between domain controllers and to direct clients to a nearby domain controller for logon and service location. Sites and domains are independent of each other: a site can contain domain controllers from several domains, and a single domain can span several sites.
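The structure described above can be read back from a live directory. The following PowerShell script is an added example written for this page, not code from the original article or from ManageEngine; it assumes the RSAT ActiveDirectory module is installed and runs as an ordinary domain user with read access (no elevated rights are needed, and no names are hard-coded). It enumerates the forest and its root domain, each domain and whether it is a tree root, the trusts (flagging those that leave the forest boundary), the OUs with their linked Group Policy count, and the sites with their subnets and domain controllers, which shows directly that sites and domains are independent of each other.

```powershell
# Added example, not code from the original article.
# Assumes: the RSAT ActiveDirectory PowerShell module is installed and the
# script runs as a domain user with ordinary read access to the directory.
# Every name printed comes from the live directory; nothing is hard-coded.
Import-Module ActiveDirectory

# --- Forest: top of the hierarchy and the security boundary ----------------
$forest = Get-ADForest
"Forest         : $($forest.Name)"
"Root domain    : $($forest.RootDomain)"
"Forest mode    : $($forest.ForestMode)"
"Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# --- Domains and trees -----------------------------------------------------
# A tree is a set of domains with a contiguous DNS namespace. A domain with no
# parent is a tree root (the forest root, or the root of an additional tree).
$domains = foreach ($name in $forest.Domains) {
    Get-ADDomain -Identity $name
}
foreach ($d in $domains) {
    $role = if ($d.ParentDomain) { "child of $($d.ParentDomain)" } else { 'tree root' }
    "Domain {0,-30} {1,-30} NetBIOS={2} SID={3}" -f $d.DNSRoot, "($role)", $d.NetBIOSName, $d.DomainSID
}

# --- Trusts ----------------------------------------------------------------
# Intra-forest trusts are created automatically and are two-way transitive.
# Anything with IntraForest = False crosses the forest boundary (forest or
# external trust) and is an explicit, security-relevant access path.
"`nTrust relationships seen from $($forest.RootDomain):"
Get-ADTrust -Filter * -Server $forest.RootDomain |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# --- Organizational units --------------------------------------------------
# OUs structure administration inside a domain: Group Policy links and
# delegation of control attach here. Show the number of GPOs linked to each.
foreach ($d in $domains) {
    "`nOUs in $($d.DNSRoot):"
    Get-ADOrganizationalUnit -Filter * -Server $d.DNSRoot |
        Select-Object DistinguishedName,
                      @{ Name = 'LinkedGPOs'; Expression = { @($_.LinkedGroupPolicyObjects).Count } } |
        Format-Table -AutoSize
}

# --- Sites and subnets: the physical topology ------------------------------
# Sites are defined by IP subnets and are independent of domain boundaries:
# a site can hold DCs from several domains and a domain can span several sites.
$subnets = Get-ADReplicationSubnet -Filter *
$dcs     = foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d.DNSRoot }
foreach ($site in Get-ADReplicationSite -Filter *) {
    # Subnet objects carry the distinguished name of their site.
    $siteSubnets = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
                   Select-Object -ExpandProperty Name
    # Domain controller objects carry the site name.
    $siteDcs     = $dcs | Where-Object { $_.Site -eq $site.Name }
    "`nSite $($site.Name)"
    "  subnets : $(if ($siteSubnets) { $siteSubnets -join ', ' } else { '(none)' })"
    foreach ($dc in $siteDcs) {
        "  DC      : $($dc.HostName)  domain=$($dc.Domain)  GC=$($dc.IsGlobalCatalog)"
    }
}
```

Reading the output against the text: every domain listed under a single forest shares the schema and global catalog printed at the top; the trust table shows the implicit intra-forest trusts alongside any trusts that leave the security boundary, where the SID filtering columns (SIDFilteringQuarantined for external trusts, SIDFilteringForestAware for forest trusts) tell you whether SIDs from the other side are filtered, and a False value on the column that applies should have a documented reason; and the site listing will show the same domain appearing under several sites, or DCs of different domains in one site, whenever the environment has them.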
