Understanding the Active Directory Logical Model
Designing your logical structure for Active Directory Domain Services (AD DS) involves defining the relationships between the containers in your directory. These relationships might be based on administrative requirements, such as delegation of authority, or they might be defined by operational requirements, such as the need to control replication. Before you design your Active Directory logical structure, it is important to understand the Active Directory logical model.

AD DS is a distributed database that stores and manages information about network resources as well as application-specific data from directory-enabled applications. AD DS allows administrators to organize elements of a network (such as users, computers, and devices) into a hierarchical containment structure. The top-level container is the forest. Within forests are domains, and within domains are organizational units (OUs). This is called the logical model because it is independent of the physical aspects of the deployment, such as the number of domain controllers required within each domain and network topology.

Active Directory forest

A forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema (class and attribute definitions), directory configuration (site and replication information), and global catalog (forest-wide search capabilities). Domains in the same forest are automatically linked with two-way, transitive trust relationships.

Active Directory domain

A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:
Active Directory organizational units

OUs can be used to form a hierarchy of containers within a domain. OUs are used to group objects for administrative purposes such as the application of Group Policy or delegation of authority. Control (over an OU and the objects within it) is determined by the access control lists (ACLs) on the OU and on the objects in the OU. To facilitate the management of large numbers of objects, AD DS supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited administrative control over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people who are trusted to perform management tasks.

SGD is built on the principles of directory services. Users, applications, and application servers are represented by objects in a directory. The objects are arranged into an organizational hierarchy representing your organization. An organizational hierarchy starts with a top-level directory object, usually an organization object. Other directory objects, such as an organizational unit (OU), are containers that can be used to divide the organizational hierarchy. You can create group objects. Group objects are not containers. Groups have members that are objects located in other parts of the organizational hierarchy.

SGD also includes a number of different object types for representing users, applications, and application servers. Each object has a number of configuration settings, known as attributes. For example, an application object has an Icon attribute that is the name of an icon to display to users. SGD objects, and the attributes used for each object, are based on the commonly-used LDAP version 3 schema. These objects have been extended, using the standard method of doing so, to support SGD functionality. For more information on the LDAP schema, see RFC 2256.
SGD uses a local repository to store all the objects in your organizational hierarchy. Each object is distinguished from other objects in the same container by using an attribute name as a prefix, for example

The relationships between objects are significant. For example, to deploy an application to users, you associate user profile objects with an application object. SGD calls these relationships assignments. Assignments are described in more detail in Section 3.2, “Publishing Applications”. For more information about hierarchies and objects, see the following sections:
3.1.1. Organizational Hierarchies

SGD uses four organizational hierarchies: one each for users, applications, and application servers, and a System Objects hierarchy that contains objects for use by SGD. In the Administration Console, you use the following tabs to manage these organizational hierarchies:
The following sections describe these tabs, the objects that they can contain, and how they are used. The System Objects organization is also described. On the command line, you manage your organizational hierarchies with the tarantella object command. You can also use this command to populate an organizational hierarchy using a batch script. See Section 3.1.5, “Populating the SGD Organizational Hierarchy Using a Batch Script”.

3.1.1.1. User Profiles Tab

In the Administration Console, the User Profiles tab is where you create and configure objects for managing SGD users. You use the objects on this tab to control users' SGD-related settings, and the applications that they can access through SGD. By default, this tab contains two objects, an organization object called

The following are the SGD object types that are available on the User Profiles tab:
3.1.1.2. Applications Tab

In the Administration Console, the Applications tab is where you create and configure objects that represent the applications and documents that users can access through SGD. These objects are always created within the applications organization. On the command line, this organization is called

The following are the SGD object types that are available on the Applications tab:
3.1.1.4. The System Objects Organization

The System Objects organization contains objects that are essential for the running and maintenance of SGD. On the command line, the System Objects organization is displayed as

The System Objects organization contains the Global Administrators role object. This object determines who is an SGD Administrator, and who can use the SGD graphical administration tools. See Section 3.1.7, “SGD Administrators”.

The System Objects organization also contains profile objects. These are default user profile objects for use with the various SGD authentication mechanisms. For example, the profile object

You can edit objects in the System Objects organization, but you cannot create, move, rename, or delete objects.

3.1.2. SGD Object Types

This section describes the available SGD object types and how they are used. The following are the object types that are used to organize users, applications, and application servers:
The following are the object types used to represent users, applications, and application servers.
3.1.2.1. Directory Object: Organization

Directory objects that are organization objects are used for the things that apply to your organization as a whole. Organization objects are always at the top of the organizational hierarchy and can contain OU, Active Directory container, or user profile objects. On the command line, you create an organization object with the tarantella object new_org command. Organization objects have an

3.1.2.2. Directory (Light) Object: Domain Component

Directory (light) objects that are domain component objects are used to replicate a directory structure, usually a Microsoft Active Directory structure, within the SGD organizational hierarchy. Domain component objects are similar to organization objects, but do not include additional SGD-specific attributes or allow you to assign applications. This is why they are called directory (light) objects. Domain component objects can only appear at the top of the organizational hierarchy, or within another domain component object. Domain component objects can contain OU, domain component, Active Directory container, or user profile objects. On the command line, you create a domain component object with the tarantella object new_dc command. Domain component objects have a

3.1.2.3. Directory Object: Organizational Unit

Directory objects that are OU objects are used to divide your users, applications, and application servers into different departments, sites, or teams. An OU can be contained in an organization or a domain component object. On the command line, you create a directory object with the tarantella object new_orgunit command. Directory objects have an

3.1.2.4. Directory (Light) Object: Active Directory Container

Active Directory container objects are used to replicate your Microsoft Active Directory structure within the SGD organizational hierarchy. Active Directory container objects are similar to OUs, but do not include additional SGD-specific attributes or allow you to assign applications. This is why they are called directory (light) objects. An Active Directory container object can be contained in an organization, an OU, or a domain component object. On the command line, you create an Active Directory container object with the tarantella object new_container command. Active Directory container objects have a

3.1.2.5. User Profile Object

User profile objects are used to represent a user in your organization, and give that user access to applications. They also define the SGD settings associated with a user. How SGD associates a user profile object with a user depends on the authentication mechanisms in use. For some authentication mechanisms, you might not have to create user profile objects at all. See Section 2.1, “Secure Global Desktop Authentication” for details. On the command line, you create a user profile object with the tarantella object new_person command. User profile objects can have a

3.1.2.6. Group Object

Group objects are used to associate groups of applications with an object on the User Profiles tab or groups of application servers with an object on the Applications tab. Group objects are not the same as directory objects. Applications or application servers can only belong to one directory, but can be a member of many different groups. Members of a group can be applications, application servers, or other groups. Groups can be moved or renamed without affecting group membership. Groups of application server objects can be used to associate similar application servers for load balancing. See Section 7.2, “Load Balancing” for details. On the command line, you create a group object with the tarantella object new_group command. Group objects have a

3.1.2.7. Windows Application Object

Windows application objects are used to give Microsoft Windows graphical applications to users. See Section 4.1, “Windows Applications” for more details. On the command line, you create a Windows application object with the tarantella object new_windowsapp command. Windows application objects have a

3.1.2.8. X Application Object

X application objects are used to give X11 graphical applications to users. See Section 4.2, “X Applications” for more details. On the command line, you create an X application object with the tarantella object new_xapp command. X application objects have a

3.1.2.9. Character Application Object

Character application objects are used to give VT420, Wyse 60, or SCO Console character applications to users. See Section 4.4, “Character Applications” for more details. On the command line, you create a character application object with the tarantella object new_charapp command. Character application objects have a

3.1.2.10. Document Object

Document objects are used to give documents to users. A document object can refer to any URL. On the command line, you create a document object with the tarantella object new_doc command. Document objects have a

3.1.2.11. 3270 Application Object

3270 application objects are used to give 3270 (mainframe) applications to users. On the command line, you create a 3270 application object with the tarantella object new_3270app command. 3270 application objects have a

3.1.2.12. 5250 Application Object

5250 application objects are used to give 5250 (AS/400) applications to users. On the command line, you create a 5250 application object with the tarantella object new_5250app command. 5250 application objects have a

3.1.2.13. Dynamic Application Object

Dynamic application objects are used with dynamic launch to enable users to select an application to run. See Section 4.5, “Dynamic Launch” for details. On the command line, you create a dynamic application object with the tarantella object new_dynamicapp command. Dynamic application objects have a

3.1.2.14. Application Server Object

Application server objects are used to represent an application server that is used to run applications through SGD. Application servers are used with load balancing. If you assign two or more application server objects to an application object, SGD chooses which application server to use, based on the load across the application servers. See Section 7.2, “Load Balancing” for details. On the command line, you create an application server object with the tarantella object new_host command. Application server objects have a

3.1.2.15. Dynamic Application Server Object

Dynamic application server objects are used with dynamic launch to enable users to select the application server that runs the application. See Section 4.5, “Dynamic Launch” for details. On the command line, you create a dynamic application server object with the tarantella object new_host

3.1.3. Designing the Organizational Hierarchy

You have complete control over the objects that you create to model your organizational hierarchy. However, it is important to design and test your organizational hierarchy before implementing it. The following factors affect your design:
3.1.4. Naming Objects in the Organizational Hierarchy

When you create an object in the Administration Console, you can use any characters you want for the name of the object, apart from backslash (\) or plus (+).

On the command line, if you use a forward slash in an object name, you must backslash protect, or escape, it. This is because SGD interprets the forward slash as a part of the organizational hierarchy. For example, if you try to create an object with the relative name

On the command line, if the name of an object includes spaces, make sure you enclose the name in quotes, for example

With the tarantella object command, any name in the local repository is treated as case insensitive. When you create or rename an object, the case used is preserved. However, other commands, such as the tarantella webtopsession and tarantella emulatorsession commands, are case sensitive.

3.1.5. Populating the SGD Organizational Hierarchy Using a Batch Script

If you want to populate your organizational hierarchy with a large number of objects, using the Administration Console to do this is not very efficient. The solution is to use the batch scripting functionality of the tarantella object command.

Once you have designed the structure of your SGD organizational hierarchy, you create a file for each type of object you want. Each file contains one line per object, with the correct syntax for creating the object from the appropriate tarantella object command. For example, to create five OUs you might have a file called

    --name "o=Example/ou=IT" \
    --name "o=Example/ou=Sales" \
    --name "o=Example/ou=Marketing" \
    --name "o=Example/ou=Finance" \
    --name "o=Example/ou=Finance/ou=Administration"

Do not include the actual tarantella object command name, for example object new_orgunit, as part of each line. Remember the following:

Once all your files are complete, use the tarantella object script command to process them all at once, for example:

    #!/bin/sh
    tarantella object script << EOF
    new_orgunit --file orgunits.txt
    new_group --file groups.txt
    new_host --file hosts.txt
    new_person --file people.txt
    new_xapp --file xapps.txt
    new_windowsapp --file windowsapps.txt
    new_charapp --file charapps.txt
    EOF

The tarantella object script command runs each command in order. Each command reads and processes the specified file. You can use any tarantella object subcommand with the tarantella object script command. You do not have to read in object details from other files. Many other commands, for example the tarantella passcache command, accept --file arguments so you can perform multiple related actions at once.

3.1.6. LDAP Mirroring

When a user is authenticated with either LDAP authentication, Active Directory authentication, or third-party authentication using the LDAP search, SGD establishes the user profile for a user by searching the local repository, allowing for differences between the LDAP and SGD naming systems. SGD searches for the following until a match is found:
If there is no match, the profile object

Typically LDAP and Active Directory users use the default LDAP profile, and applications and documents are assigned to them using LDAP assignments. See Section 3.2.2, “LDAP Assignments”. However, user profile objects can also be used to control a user's SGD-specific settings, such as the ability to use copy and paste or to edit client profiles. If you want to customize an LDAP or Active Directory user's SGD settings, you might have to mirror some of your LDAP structure in the local repository. When you mirror your LDAP structure, remember the following:

You can configure service objects that specify a base DN (a search root) as part of the LDAP URL. See Section 2.8.4, “Using Service Objects”. The base DN can be used as the starting point when mirroring your LDAP structure. SGD only permits an organization object (

When working with LDAP mirroring in the Administration Console, it is useful to display the naming attribute for the objects you work with. By default the Administration Console does not display naming attributes. You enable the display of naming attributes in the Preferences for the Administration Console. When working with user profiles in the Administration Console, select Local + LDAP from the Repository list on the User Profiles tab. LDAP objects that are mirrored in the local repository are indicated by the following icon:

The following is an example of how to mirror your LDAP organization to give users different SGD settings.

3.1.6.1. An Example of LDAP Mirroring

The company example.com has five departments: IT, Sales, Marketing, Finance, and Administration. The Finance and Marketing departments need different SGD settings to the other departments. Sid Cerise in the Finance department needs different SGD settings to the other users in the Finance department. The objects you create depend on the type of LDAP directory server used, as described in the following sections.

3.1.6.1.1. Oracle Directory Server Enterprise Edition

For Oracle Directory Server Enterprise Edition (formerly Sun Java System Directory Server), the following are the LDAP names of the objects you need to mirror in the local repository and the object types to use:
Note: In the Administration Console, create Directory objects. The naming attribute is set automatically.

Figure 3.1, “Example Mirrored LDAP Objects for Oracle Directory Server” shows the mirrored objects in the Administration Console.

Figure 3.1. Example Mirrored LDAP Objects for Oracle Directory Server

With this structure in place, create the following user profile objects in the local repository:
Note: In the Administration Console, remember to select uid as the naming attribute for the user profile object

With this organizational hierarchy, users receive settings as follows:
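As an added example (not code from the Oracle SGD guide) that ties together the naming rules of Section 3.1.4 and the LDAP mirroring described in Section 3.1.6, the functions below turn an LDAP DN into the SGD local-repository name that mirrors it, list the container and user profile objects to create together with their Section 3.1.2 object types, and look a name up the case-insensitive way tarantella object does. They assume that SGD names are written top-down with "/" between components, as the guide's own "o=Example/ou=Finance/ou=Administration" suggests; the DNs used are constructed for the example.com scenario.

```python
"""Added example (not from the Oracle SGD guide): map an LDAP DN to the SGD
local-repository name that mirrors it. Assumes SGD names run top-down with
'/' separators, as in the guide's "o=Example/ou=Finance/ou=Administration"."""

# Container object type per naming attribute (Section 3.1.2).
CONTAINER_TYPES = {
    "o": "organization (Directory object)",
    "ou": "organizational unit (Directory object)",
    "dc": "domain component (Directory (light) object)",
    "cn": "Active Directory container (Directory (light) object)",
}

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            rdns, cur, i = rdns + [cur.strip()], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return [r for r in rdns + [cur.strip()] if r]

def unescape(value: str) -> str:
    """Decode RFC 4514 escapes: backslash-char and backslash-two-hex-digits."""
    out, i = "", 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
            out, i = out + chr(int(pair, 16)), i + 3
        elif value[i] == "\\" and pair:
            out, i = out + value[i + 1], i + 2
        else:
            out, i = out + value[i], i + 1
    return out

def sgd_components(dn: str) -> list[tuple[str, str]]:
    """Top-down (attribute, value) pairs under the Section 3.1.4 rules:
    '/' is hierarchy syntax and must be escaped; '\\' and '+' are not allowed."""
    comps = []
    for rdn in reversed(split_dn(dn)):
        attr, _, raw = rdn.partition("=")
        value = unescape(raw)
        if "\\" in value or "+" in value:
            raise ValueError(f"not a legal SGD object name: {value!r}")
        comps.append((attr.strip().lower(), value.replace("/", "\\/")))
    return comps

def dn_to_sgd_name(dn: str) -> str:
    """Full SGD name, e.g. dc=com/dc=example/cn=Users/cn=Sid Cerise."""
    return "/".join(f"{a}={v}" for a, v in sgd_components(dn))

def objects_to_mirror(dn: str) -> list[tuple[str, str]]:
    """(name, object type) for every level to create, containers first; the
    leaf is a user profile named by the DN's leaf attribute (uid or cn)."""
    comps, out = sgd_components(dn), []
    for i, (attr, _) in enumerate(comps):
        name = "/".join(f"{a}={v}" for a, v in comps[: i + 1])
        kind = (f"user profile (naming attribute {attr})" if i == len(comps) - 1
                else CONTAINER_TYPES.get(attr, "unsupported container type"))
        out.append((name, kind))
    return out

def find_in_repository(name: str, repo):
    """tarantella object matches names case-insensitively but keeps the case
    used at creation (Section 3.1.4): return the stored name, or None."""
    return next((s for s in repo if s.casefold() == name.casefold()), None)
```

Other tarantella commands named in Section 3.1.4 (webtopsession, emulatorsession) are case sensitive, so the stored name returned by find_in_repository is the one to pass to them.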
3.1.6.1.2. Microsoft Active Directory

For Microsoft Active Directory, the following are the LDAP names of the objects you need to mirror in the local repository and the object types to use:
Note: In the Administration Console, you create domain components and Active Directory containers by creating Directory (light) objects, and then selecting the correct naming attribute.

Figure 3.2, “Example Mirrored LDAP Objects for Microsoft Active Directory” shows the mirrored objects in the Administration Console.

Figure 3.2. Example Mirrored LDAP Objects for Microsoft Active Directory

With this structure in place, create the following user profile objects in the local repository:
With this organizational hierarchy, users receive settings as follows:
Note: It is not possible to inherit SGD settings from domain component and Active Directory container objects.

3.1.7. SGD Administrators

In SGD, administration privileges are managed using the Global Administrators role object in the System Objects organization. The Global Administrators role object has a list of members, and a list of assigned applications. All SGD Administrators are defined as members of the Global Administrators role object. The list of assigned applications is used to assign administration tools to SGD Administrators. SGD Administrators are assigned these applications in addition to any other applications assigned to them. Only SGD Administrators can configure SGD using the SGD graphical administration tools, Administration Console and Profile Editor. To use the SGD command-line tools, the following conditions apply:

Use the usermod

You can use the SGD Administration Console or the tarantella role command to add or remove SGD Administrators. If no user profile objects are defined as members of the Global Administrators role object, the UNIX or Linux system root user has administration privileges.

Note: If you want SGD Administrators to authenticate using an LDAP directory or Active Directory authentication, you must create user profiles for them. See Section 3.1.6, “LDAP Mirroring” for details.

3.1.7.1. How To Add an SGD Administrator
3.1.7.2. How To Remove an SGD Administrator
What is an organizational unit in Active Directory?
Organizational units (OUs) in an Active Directory Domain Services (AD DS) managed domain let you logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific OUs, and apply group policy to enforce targeted configuration settings.

Which of the following protocols is Active Directory based upon?
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Which is not one of the four divisions or container structures in Active Directory?
Forests - The collection of every object, its attributes and attribute syntax in the Active Directory.

Which of the following are the logical components of Active Directory?
The logical parts of Active Directory include forests, trees, domains, OUs and global catalogs.