The core of Active Directory is a combination of an LDAP server and MIT Kerberos 5 KDC running on a Windows 2000 server acting as a domain controller that work as a unit to provide authentication ("Who are you?") and authorization ("What are you allowed to do?") information within a group of interlinked systems.
Above and beyond that, the LDAP "face" of this structure behaves as an enterprise-wide distributed database that not only contains Windows-specific information but can be extended to incorporate user-defined data as well.
The AD is held together by DNS, which is used not only to locate specific machines within the AD but also to locate which functions of the AD are running on which domain controllers.
While not an administrative block by themselves, forests are a major boundary in that only limited communication is available between forests. For example, it is difficult for a user in one forest to access a resource in another forest.
It is very difficult to integrate forests at this time because of potential problems reconciling schema differences between two forests.
Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown below.
OU's are created by an administrator of an AD domain and can be freely named (and renamed). The OU can then be populated objects of many types including computers, groups, printers, users and other sub-OU's.
The real power of an OU is that once it is established, the administrator of its "parent" can delegate administrative authority -- in total or in part -- to any user or group that is in the AD.
When this happens, the designated user/group gains complete administrative authority over all objects in their OU and thus has all of the rights and abilities that a Windows NT domain administrator would have as well as some new ones such as the ability to further segment their OU into sub-OU's and delegate authority over those sub-elements as they see fit.
Group Policy can control everything from user interface settings such as screen background images to deep control settings in the client such as its TCP/IP configuration and authentication settings. There are currently over 500 controllable settings. Microsoft has provided some templates as well to provide a starting point for creating policy objects.
A significant advantage of group policy over the old NT-style policies is that the changes they make are reversed when the policy no longer applies to a system. In NT 4, once a policy was applied to a system, removing that policy did not by itself roll back the settings that it imposed on the client. With Windows 2000, when a specified policy no longer applies to a system it will revert to its previous state without administrative interference.
Multiple policies from different sources can be applied to the same object. For example, a domain might have one or more domain-wide policies that apply to all systems in the domain. Below that, systems in an OU can also have policy objects applied to it, and the OU can even be further divided into sub-OU's with their own policies.
This can create a very complex web of settings so administrators must be very careful when creating these multiple layers of policy to make sure the end result -- which is the union of all of the applicable policies with the "closest" policy taking priority in most cases -- is correct for that system. In addition, because Group policy is checked and applied during the system boot process for machine settings and again during logon for user settings, it is recommended that GPO's be applied to a computer from no more than five "layers" in the AD to keep reboot and/or login times from becoming unacceptably long.