Active Directory
Active Directory Primer
Networks provide remote access to resources. Controlling access to those resources requires a directory of accounts and permissions (a directory service). Windows has two directory modes: workgroup, where each machine keeps its own local account database, and domain, where a single directory of enterprise resources is trusted by all domain members: Active Directory. Systems use the security principals held in that directory (users, groups, computers) to secure resources. Active Directory includes:
- the directory database (NTDS.dit) holding security principals and other objects
- the database transaction logs
- the system volume (SYSVOL), containing logon scripts and group policy information
- services supporting access to the database, e.g. LDAP, Kerberos, directory replication and the File Replication Service (FRS); domains at Windows Server 2008 functional level and above can replicate SYSVOL with DFS Replication (DFS-R) instead of FRS
Domain controllers host replicas of the AD database. A domain is the core administrative and replication unit of AD, and a single AD can contain more than one domain. Domains that share a contiguous DNS namespace (e.g. corp.example.com and eu.corp.example.com) form a tree; a forest is a collection of one or more trees that share a common schema, configuration and Global Catalog, so the trees within a forest may have non-contiguous names. The Global Catalog holds a partial, read-only replica of every object in every domain of the forest, which lets a client locate resources in other domains without querying their domain controllers. Enterprise resources are represented in AD as objects (records in the database), each defined by its attributes or properties. AD objects include:
- users
- groups
- computers
- printers
- shared folders
- sites
- site links
- GPOs
- DNS zones
- host records
- Organizational Units
OUs group objects and provide structure within a domain. They are the points at which administration can be delegated and to which group policies are linked. Delegation is effected by setting permissions (access control entries) on the OU object; those permissions, and any linked group policies, are inherited by the objects contained in the OU. Because of that inheritance, a principal granted write rights over an OU effectively controls every account and computer beneath it, so delegated OU permissions deserve the same scrutiny as privileged group memberships.
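The following PowerShell script is an added example, not code from the original page: it enumerates the forest and domain structure described above, then walks every OU in the current domain, reporting explicitly delegated write rights held by principals outside a built-in set and the group policies each OU inherits. It assumes a domain-joined Windows host with RSAT (the ActiveDirectory and GroupPolicy modules) and an account permitted to read the directory; the "expected principals" list and the rights pattern are assumptions to adjust for your environment.

```powershell
# Added example; not code from the original page.
# Assumes a domain-joined host with RSAT (ActiveDirectory and GroupPolicy
# modules) and a directory-read account.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Forest, trees and domains: list every domain in the forest with its parent.
$forest = Get-ADForest
"Forest root {0}; Global Catalog servers: {1}" -f $forest.RootDomain, ($forest.GlobalCatalogs -join ', ')
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $parent = if ($d.ParentDomain) { $d.ParentDomain } else { '(tree root)' }
    "  domain {0,-30} parent={1}" -f $d.DNSRoot, $parent
}

# Rights that, if delegated on an OU, let the holder modify (and so take over)
# the objects beneath it. Matched as a regex against the rights string.
$takeoverRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'

$domain = Get-ADDomain
# Principals expected to hold rights on every container; filtered out as noise.
# Assumption: adjust for your environment (Enterprise Admins lives in the
# forest root domain, so this entry is only right when run there).
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              'BUILTIN\Administrators', "$($domain.NetBIOSName)\Domain Admins",
              "$($domain.NetBIOSName)\Enterprise Admins")

function Get-OUDelegation {
    # Returns the explicit (non-inherited) Allow ACEs on an OU that grant
    # take-over rights to principals outside the expected set.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.ToString() -match $takeoverRights -and
        $expected -notcontains $_.IdentityReference.Value
    }
}

foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName) {
    ""
    "OU $($ou.DistinguishedName)"
    foreach ($ace in Get-OUDelegation -DistinguishedName $ou.DistinguishedName) {
        # ObjectType narrows WriteProperty/CreateChild to one attribute or class;
        # the all-zero GUID means the right applies to the whole object.
        "  delegated to {0,-35} {1} objectType={2}" -f $ace.IdentityReference.Value, $ace.ActiveDirectoryRights, $ace.ObjectType
    }
    # Group policy reaches the OU's objects by inheritance from the domain and
    # parent OUs, in precedence order; a blocked OU drops non-enforced links.
    $gp = Get-GPInheritance -Target $ou.DistinguishedName
    if ($gp.GpoInheritanceBlocked) { "  (inheritance blocked)" }
    foreach ($link in $gp.InheritedGpoLinks) {
        "  GPO {0,-35} enabled={1} enforced={2} linked at {3}" -f $link.DisplayName, $link.Enabled, $link.Enforced, $link.Target
    }
}
```

Run it from an elevated or ordinary domain session; reading OU ACLs and GPO links needs no special privilege in a default domain. Any line reported as "delegated to" names a principal that can change objects under that OU without being a domain administrator, which is exactly the inheritance the text describes and is where careless delegation turns into a privilege-escalation path.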
