Active Directory Hierarchical Framework

How is Active Directory structured?

Active Directory is a directory service provided by Microsoft, which allows administrators to manage network resources. It is composed of both physical and logical structures. The physical structure is composed of Domain Controllers, servers, physical subnets and sites. It is used to manage traffic on the network.

Active Directory has a logical and hierarchical framework that is made up different levels such as forests, trees, domains, organizational units (OU), groups and objects. This is independent of the physical locations of the objects and allows resources to be managed based with respect to logical levels.

Active Directory Logical Structure

As mentioned previously, the Active Directory logical structure is composed of different hierarchical levels. This provides flexibility in grouping objects together based on the business structure of an organization, making it easier for resources to be located by their names as opposed to their physical locations.

For instance, consider an organization that has branches in Chennai, Mumbai and Bangalore. The primary IT team operates out of the headquarters in Bangalore. With the hierarchical framework, the IT administrator can group all the printers together in one organizational unit, regardless of the branch they are located in. Or trainees from all three branches may be grouped together, and restricted access to resources such as printers and the internet. This logical structure makes it easier for the administrator to manage users and give access to resources.

But this may not be possible with the physical structure, where the objects are grouped together based on their physical locations. However, the physical structure also has certain advantages

What are the different levels of hierarchy in the logical structure?

The logical structure of Active Directory is made up of different levels of hierarchy such as forests, domain trees, domains, organizational units, groups and objects. The forests make up the top level of the hierarchy, and are made up of a collection of domain trees. The domain trees in turn, are composed of a set of domains. The domains contain a collection of organizational units, which in turn are containers that hold objects. Thus objects make up the lowest level of hierarchy. All the different levels are explained in detail in the following sections.

Fig 1. Active Directory Logical Structure

Active Directory Objects

Objects are the basic units of data in Active Directory and form the lowest level of the hierarchical framework. Information can be stored in AD using different types of objects, although users, computers and groups are the most frequently used objects. Other objects include servers, hardware resources (such as printers), shared folders and many more.

A set of descriptors called properties or attributes are used to describe the characteristics of an object. These attributes usually possess unique and multiple values which helps to locate and identify objects easily. For example a user object may contain attributes such as first name, last name, department and email address.

Objects may be of two types namely container objects and leaf objects. Container objects hold other objects (for example, folders). Leaf objects cannot hold other objects (for example, single files).

Another classification of objects categorizes them as either resources or security principals. Resources include objects such as computers, printers and shared devices. Security principals are objects that need to be authenticated or given permissions for access. These include users, passwords and groups. They are given a unique Security Identifier (SID).

Creating an Object in AD

1.   Open the Active Directory Users and Computers console.

2.   Right click on the container within which the object needs to be created.

3.   Choose the New option.

4.   Select the object that you want to create.

5.   Enter the attribute values for the object in the dialog box that appears.

Organizational Units (OU)

An Organizational Unit (OU) is a container that can hold different types of objects such as users, groups, computers and other containers. OUs are present within a single domain and they can be used to organize network resources logically. They are the smallest level of organization that can be administered in Active Directory and make administration easier by grouping similar objects together within a domain.

Organizational Units are not the same as groups and other containers in Active Directory. A generic Active Directory container cannot have a Group Policy Object (GPO) linked to it. Whereas, OUs can have Group Policy Objects linked to them, which in turn makes administration easier.

Organizational Units are used to perform the following functions.

1.   To organize objects together so that Group Policies can be applied to all objects within the OU.

2.   To group objects together so that administrative tasks can be delegated to other users and administrators within the domain.

Creating an Organizational Unit in AD

An Organizational Unit can be created with the Active Directory Users and Computers console using the following steps.

1.   Open the Active Directory Users and Computers console.

2.   Select the domain in which the new OU needs to be created.

3.   Select Newà Organizational Unit by right clicking on the domain name.

4.   A dialog box prompting for the name of the OU appears. Specify the name of the new OU.

5.   Click OK to complete the process.


A domain is a collection of objects that share a common directory database. It forms the core units of the logical structure in Active Directory. Each domain includes a database that contains object identity information and policies that are applied to all the objects within the domain. Hence it acts as the boundary for policies, authentication and authorization. In other words, it acts as a security boundary. It can be identified using a DNS name. A domain may consist of several organizational units that contain objects.

Every domain has a Domain Controller (DC) which is a server that controls the domain. It takes care of all the authentications, permissions and modifications within a domain.

Typically, domains correspond to either the departments within an organization or its geographical locations. For example, an organization may have separate domains for different departments such as Production, Sales and Marketing. For an organization operating out of different locations such as Mumbai, Pune and Bangalore there may be separate domains corresponding to each location.

Domains perform the following functions.

1.   Managing user identity

2.   Replication

3.   Forming trust relationships

4.   Authentication of users

Creating a Domain in AD

1.   Open Server Manager from the Start menu.

2.   Select Add Roles and FeatutresàNext.

3.   Select Role-based or feature based installationàNext.

4.   On the Server Selection page, choose the Select a server from the server pool option and click Next.

5.   Select Active Directory Domain ServicesàAdd FeaturesàNext.

6.   Select Group Policy ManagementàNext.

7.   Click on Install once all the options have been selected.

8.   Click on the notification after installation and select the Promote this server to a Domain Controller option.

9.   Select Add a new forest and enter the domain name. Click on Next.

10.  Create a DRSM password and confirm it. Click on Next.

11.  Confirm the NetBIOS domain nameàNext.

12.  Confirm the pathsàNext.

13.  Review the selections àNext.

14.  Click on Install to finish setting up the domain.


A tree is a collection of domains that share a contiguous namespace. Besides the namespace, they also share the same schema and configuration. For example, in an organization called ABC, which registers the domain name as, the sub-domains for each department can be, and All these domains make up a tree which is derived from a common root domain which is

The domains within a tree share transitive trusts with each other. Trees also form the logical boundary for multiple domains.


A forest is a collection of trees and forms the highest level of the hierarchical framework. It is made up of trees that share a common schema, global catalogue, directory configuration and a security boundary. The trees in the forest have a transitive trust relationship with each other. As a result, a user belonging to any domain within the forest can access all other resources within the same forest. With Active Directory forests, authentication and authorization process across an organization are centralized and made easier to manage. This includes applying group policy settings across various levels of hierarchy.

A forest can also be referred to as a collection of domain trees that do not share a common parent domain. For example, consider a company A that acquires another company B. Both the companies have been using Active Directory to manage their resources. In the event of the acquisition, A and B can have separate forests for their users and resources. This is much less complex than migrating company B’s users and resources over to A’s forest and domains. A transitive trust can be established between the forests, allowing the two, forests to be merged on a logical level.

Creating a Tree and Forest in AD

1.   To create a new Active Directory domain forest, install Windows Server.

2.   To promote the server to a Domain Controller, install the Active Directory Domain Services role and the DNS Server role.

3.   The Active Directory Domain Services Configuration wizard is launched.

4.   Select the Domain Controller for a new domain option and click Next.

5.   Select the Create a new domain tree option and click Next.

6.   Select the Create a new forest of domain trees option and specify a root domain name.

7.   The rest of the steps can be followed according to the prompts.

Advantages of the Active Directory Logical Structure

The logical and hierarchical framework of Active Directory provides the following advantages.

·         It offers more security by providing access to resources that have been authenticated and given permission.

·         It simplifies network management and resource sharing by organizing the resources into different logical levels.

·         It reduces the administration costs by simplifying the management of network and a large number of objects.



1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)