Pages

Sunday, May 19, 2013

Creating Read Only Domain Controller

Read only Domain Controller is one of the best feature in Sever 2008. In Previous version of Windows this
feature is not available. If a user had to Authenticate over wide area network there was no such alternative.
The Main purpose of this feature to secure your domain Controller in Branch office. Most of the time you will see that Branch offices always lack in physical Security as well as highly experienced IT professional availability. In order to secure your Branch office you can have read only domain controller in branch office now you will learn how to create read only domain Controller . In order to perform this Task you must have
a Server working as a domain controller and you  must remember that first domain in the forest can not be read only. so let's learn how to install a read only domain controller. I will upload the Image as well. so that you can have better understanding of creating Read Only Domain Controller.
1:Start>dcpromo

 don't select the second option because that is for creating child domain. Select first option and and click next as you click next
you need to put the Administrator Credential and password and click ok on the next window

you will see it will examine the DNS Configuration and give you the options. look at the image

in next window you will see the option to select read only domain controller as you seen in the image given below
select the Read Only domain controller(RODC) click on next


Make sure that you select the first option that is highlighted there by me click next you can also set the name
of a user who can administer the Read-Only Domain Controller. see in imageda
and click next then you will see the window which will show you the location where the database will be stored leave the default location.
in next window you will see that it will prompt you to enter the password that password actually for domain
controller restore mode.
just click next and come on to next window
you can export the settings as well if you want to just click next.
you are almost done all you need to you need to wait unless it complete this process.





Transferring FSMO Roles

In this post let's learn how to transfer FSMO Roles. It's very easy to Transfer FSMO Roles. when you say
that you are going to transfer the FSMO Roles it means all five Roles you are going to move between domain Controllers it can be imitated either by Administrator or by demoting Domain Controller. FSMO Roles Transfer is never initiate by Operating System itself. so let's learn how to Transfer FSMO Roles from
one Domain to another domain. I will update the screen shot as well don't worry. For example if you want to transfer the Schema Master Role you must first run a command which "regsvr32 schmmgmt" otherwise you will not be able to transfer the schema Master Role between domain Controller. There are two way to transfer the FSMO Roles Either by using GUI or by Ntdsutil.exe command line tool. you can use Active directory Schema snap-in or Active Directory domain and Trust and you can use Active Directory user and computer snap-in too depends which role you want to transfer. I will let you know how to transfer the schema Role so first of all you need run the same command regsvr32 schmmgmt.dll on the server you want transfer the role from. After you run the command regsvr32 schmmgmt.dll you must get the message on the screen.
As you see in image you will also get the same message on the screen if you run the right command . Then
click on start>Administrative Tool>Active Directory domain and Trust>right click and select the option change domain controller as shown in screenshot
and then you need to right click Active Directory Domain and Trust and select the option operation Master
as shown in image below.
After that you will see a operation Master window and then you need to click on change you should get
a window which says are you sure you want to transfer the operation master role to a different computer
you need to click yes
As you click on yes you will get message that role has been Transferd successfully . Like this you can transfer other role as well.



FSMO Roles

In this post let's talk about the FSMO Roles. As we all know Active Directory is a Multi Master Replication
Model. Means Clients can register their records in  any available Active Directory Domain  Controller as well as they can access resources within Active Directory NTDS.Dit Database. Before you learn how to transfer FSMO Roles you must have a better understating why do we use FSMO roles, the answer is to avoid Conflicts in Active Directory . In old day there was only single master Replication. Primary DNS used
to have a read and write copy of DNS Data, Means Client Must locate their DNS Server and register their
resources in order to locate all other resources in Active Directory Domain Infrastructure. The main Drawback of Single Master Replication was single point of failure. If in case the Primary DNS was not reachable Clients Could not Register it's records to other domain Controller. Primary zone is forward look up zone in AD. And it's highly recommended to have reverse look up zone in all size of Network because it contains host names and IP Mapping Information.
So the Main purpose of FSMO roles is to avoid conflicts in AD and if there is any changes and update in AD FSMO Roles will take of it accordingly. We have Five Roles in FSMO
1: Schema Master 
2:Domain Naming Master
3:Infrastructure Master
4:RID(Relative ID) Master
5: PDC Emulator Master

1: Schema Master: This role is forest wide role and it is responsible for any update and medication or if there is any changes in Schema. Once the update is complete it will replicate these updates to other domain
controllers in the forest. There can be only one schema master in the whole forest.

2:Domain Naming Master: This is also a Forest wide Role. And it is responsible for if there is any addition and Removal of Domain in the Forest.When you create a new domain in an existing forest, the new domain represents a separate naming context and a new Cross-Ref object must be created in a Partitions container. As we know only one Domain Naming Master is allowed to make changes in Partition Container
in the forest . By default first Domain Controller in the forest would hold this role however you can transfer this to other domain Using Active Directory Domain and Trust in.

3:Infrastructure Master Role:   This role is responsible for updating the objects SID and distinguish name in cross domain object references. as it is domain wide role there can be only one domain controller acting as the infrastructure master in each domain.

4:RID(Relative ID) : All object in Active Directory Domain have a Security Identifier (SID)  which is a combination of Domain ID and sequential number called Relative ID which is supplied by Relative ID. It is a domain wide role. In Domains that are in Default in windows server 2000 mixed domain functional level only PDC Emulator create Security Principle. That's the reason RID and PDC Emulator are held by a domain controller so that it can ensure that SID is unique and sequential.

5:PDC Eumlator: PDC Emulator has a very unique Role. you might have seen in the offices when you Enter your user name and password which you have been provided by Administrator you are logged on , In some cases you might have seen you get an error message which says invalid user name and password. Have you ever thought how do you get that error message . when you enter the wrong user name and password domain controller checks for the password and for the confirmation it sends user's credential to the PDC Emulator. Because PDC Emulator contains the latest information about the objects credentials . if it finds that user has entered the wrong user name and password then user gets an error message on the screen invalid user name and password. when an Administrator change or reset the password those information are updated at the same time in PDC Emulator.
Apart from this PDC Emulator perform other task as well. I believe now you have the better knowledge of FSMO Roles now you will learn how to transfer the FSMO roles. 

 

Sunday, April 28, 2013

Creating Objects in Active Directory

After all configuration ,you are ready to create objects in ADDS. Don't worry it's fun. Creating users , groups,computers and  organizational unit is really very easy and an easy way to manage resources in ADDS. As previously mentioned that we create organizational units to place users, groups and computer so that we can manage and find an object in ADDS easily. so first of all I will let you know how to create an Organizational unit then groups and then users. Its not necessary that you will have to create groups first only then you can create users there is no such rule defined. why do we do it in that way so that you can manage because in an Enterprise Network it can be difficult for you to find an object. so let's get started with an OU
To create an organizational unit:
1. Open the Active Directory Users And Computers snap-in.
2. Right-click the Domain node or the OU node in which you want to add the new OU,
point to New, and then click Organizational Unit.
3. Type the name of the organizational unit.
Be sure to follow the naming conventions of your organization  
Here is an image of creating OU in ADDS


As you see the image it's very easy . After that, you will see another window in which you need to mention the name of the Organizational Unit. On the bottom you will see an option that says "protect container from
accidental deletion" . It is not mandatory that you must select this option it's just a caution . If you have ever worked in an IT company when you  are tired you are not really able to focus doing stuff. you may make mistake for instance if you delete an organizational unit you will loose all  groups and user and other object placed in that organizational Unit. Again you will have to create all groups and user and other objects again you will have to assign them permission and access to resources . One group can be the member of other groups moreover all groups and users will lose their access to network resources . I am pretty sure your boss will take your class if you make such mistake so it's better to save you ass first. Here is an Image for
the option I explained about.
 if this option is selected you will get an error message which I will show in the image .
If you intentionally want to delete an OU make sure this accidental protection option is not selected. Exactly in the same way you create groups and users and assign the name of Group. I strongly believe you can create group without any confusion. let's move and learn how to create a user, creating user is also very easy
just a little difference. I will upload an image so that you can easily can create user. when you create a user
you have to assign a First name,Initial ,last name and full name and user log on name too.



in next window you  will be prompted to enter a strong password to enter. you will see many option for passwordto select. keep in mind you can not leave the password option blank . if you leave it blank you will get an error message "windows can not create the object Ankit Mr. Tyagi because:unable to update the password.The value provided for the password does not meet the length, complexity or history requirements of the domain. To know the password complexity requirements go to command prompt and run it as administrator and then type the command " net accounts " you will be able to see the password requirements. such as password minimum or maximum age ,password length. Account lockout duration in minutes, Account lockout threshold ,lockout observation windows in minutes. by default password meximum
age is set  to 42 days. you can set password minimum and maximum age , Account lockout duration , Account lockout threshold and password complexity and other settings. At this time you are creating users
so let's continue with that after assigning the password you multiple option to select such as
1: User must change the password at next log on by default it is selected.  when the user logs on to the computer for the first time he or she will be prompted to change the password.
2: User can not change the password. you will be given the password and you will not be able to change that password.
3: The next option would be password will never expired . whatever the password you have been given by
  server administrator or member of the Admin group will never expire.
4: Account is disable . means you have the account but it is not enabled you can not log on to computer.
you  have successfully created user now you must be thinking how to enable an account and how can we
reset the password for a user. I would like to tell you that there are two way to reset the password , a user
also can change the password if user knows the current password. Resetting password is totally diffrent.
If you are member of the group which has permission to reset the password they don't need your current
password. so let's get started with Enabling user account and resetting password. There are multiple ways
to view your Active Directory User you may chose any one of them
1:Start>Search program and files and type dsa.msc it's short command to view Active Directory user and
   computer
2:Start>Administrative Tool> Active directory user and computers
   once you have Active Directory User and Computers select the user you want to enable or reset the
  password. If have not created any Organizational Unit or group you will see the user name appears
  right hand pane,that's the default location . you will see there are a lot folders which have been assigned
 name by windows itself. I will defiantly explain each container later. As you were going to learn how to
 enable an account and how would you come to know that account has been disabled . you will see down
 arrow on the user name. so let's enable an account. disable Account will look like as shown in image
 as you can see the disabled account which has been indicated by an arrow. Simply right click and just
click on enable and consider your job done. After enabling the Account you need to reset password ,you
can reset the password a disable account as well it not necessary that account must enabled only then you
can reset password. if the account is disable you have an option on the of the password resetting box that
says unblock this account , all you need to do just to select that option.

And we are done with enabling account and resetting password now . It's time to know about the Group
I strongly believe that you know how to create a group however you might not aware of the Group type
which is really very important to understand. I will explain each and everything about the Groups .

Group: Groups are an  important class object in ADDS. Most often are groups are used to assign permissions to network resources as it an easy way to manage and assign permissions.It would be
very difficult for you to assign permission to an individual user if you have to assign permission to 100
or more users probably you will have to spend whole day long to get it done. so you can say that groups
are center point of management from where you can assign read, write ,copy and  modify  permissions.
you might have seen that when you create a group you see multiple options to select. Most of the people
get confused about the type of Group in AD. There are only two types of group in Active Directory . So let's begin with creating group. Process is exactly same . The two types of groups are Security Groups and  distribution Groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources.
Distributions groups:Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.

Security groups: User rights are assigned to security groups to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to some security groups at the time Active Directory is installed to help administrators define a person's administrative role in the domain. For example, a user who is added to the Backup Operators group in Active Directory has the ability to backup and restore files and directories located on each domain controller in the domain.
This is possible because by default, the user rights back up files and directory and  restore file and directory are automatically assigned to the Backup Operators group. Permissions should not be confused with user rights. Permissions are assigned to the security group on the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions set on domain objects are automatically assigned to allow various levels of access to default security groups such as the Account Operators group or the Domain Admins group. I know you are thinking that it is really to understand security and distribution group however it is not that much difficult . May be you need to read
about groups one more time.  when you install active directory multiple groups are created automatically
such as Administrator Group, Back up operator Group, Account operator, power operator Group, Network Group etc. when your server is a domain controller more Group are added such domain admin
admin, schema Admin . If your domain controller is the domain in the forest then you will see more group.


1:Start>dsa.msc>Active Directory User and computer>Google.com(name of your domain) right click
  >New>Group images is shown below
I have explained enough about the group now I will upload image of Group and type and Scopes I did not
explain about the Scopes yet but don't worry I will do it 
I gave the name Security Group. On the left as you can see we have three scopes. 1: Domain Local 2:
Global 3: Universal . I will explain one by one and how to convert groups .
Domain Local Group:  Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain.  Can be a member of any domain local group in the same domain.

Global Group: can contain users, computers and groups from same domain but NOT universal groups.  Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

Universal Group: can contain users and groups (global and universal) from any domain in the forest.  Universal groups do not care about trust.  Universal groups can be a member of domain local groups or other universal groups but NOT global groups.

Apart from these groups you will see multiple built in Groups in Builtin container . when you install server on your machine and promote it as domain controller additional Groups are added . you must first learn about these groups and their rights so that when you are do lab exercises or in production environment you will
easily be able to discover if something is wrong for example log on issues and access resources in domain
and in forest. so let's see how many Built in security Groups do we have in a domain and what then can do.
when you go to Active Directory User and computers you see multiple container on the left pane. As you se
in image. All are by default security Group and on the right pane you can seen the name of  the Group and
descriptions. 

These are default Security Groups which have access and rights to perform specific task Before you add
any member to these group you must know the rights of that group so that you can be sure that you are going
to do right things. I will explain what rights they have by default.
Account Operator: Account Operator Group is the  first Group in the list, by default it has no member if you add any member to this group that user will be able to add, delete, modify users , groups and computers located in Users and computer container and Organizational Unit in the Domain except from the Domain
controller Organizational Unit. This group does not have permission to make changes in Administrator group
and domain Admins Groups. Member of this Group can log on locally and shut down the Machine as they have given significant power in the domain.
Administrator: Administrator has the full control of all domain Controllers in the domain . Domain Admins
and Enterprise Admins are the member of this Group , Administrator Account is also default member of this
Administrator Group. If you add user to this group that user will be able to do whatever he/she wants. As
initially mentioned that the member of this group has full control. now you must be thinking what kind of
rights are given to member of Administrator group. so here are the rights they are given. Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects. I believe now you have the better understanding
about the rights which a user can have if you add him to this group.
Back up Operator : The member of this group are allowed to take the back up of file and directories as well as restore file and directories in domain Controller. Back up operator can also log on to the domain
controller and can shut down them so add user with caution as they have given significant power.
Print Operator : Member of Print Group manage ,add,delete and share printers connected to the domain Controllers in the domain. By default it has no member as the member of this group can load and unload device driver in domain controller. Be very careful before you add member to this group . Member of this Group can also log on locally and shut down the system.
Server Operator: Member of this Group log on interactively on domain Controller can add, delete shared
resources . can take back up and restore file they can start and stop some services , format hard disk and
shut down the Machine.
Remote Desktop User: Member of this Group can log on to domain controller remotely in the domain. By
default it has no member .
There are some other Groups too in built in container you can read about them , may be on the internet or in
the text book I mentioned only those group which have locally log on access . I explained about the Security Group which are in Built in Container. Now you need to know about the Group which are in Users container
before you learn about users group. let me explain about the Computer container which just below the Built in container . Computer container is for the computers when you join computer to domain it will go to that container however you can move your computers to specific Organizational Unit or Group. Its default computer container.

Domain Admins:Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution. If you talk about the ritghts
it has the same rights and can perform the same task as I mentioned in Administrator Group.
 Domain Computer:This group contains all workstations and servers joined to the domain. By default, any computer account created becomes a member of this group automatically. by default it has no member
Domain Controllers: This group contains all domain controllers in the domain.
Domain User:

This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).

Enterprise Admins(appears only in forest root domain ):  you must remember this if your domain is the first domain in the forest  that will be forest root domain and Enterprises Admins appears only in forest root
domain. Member of this Group exactly have the same rights and permission as Administrator do because of the membership so they also can do everything.
Schema Admins(Appears only in forest Root domain) :Members of this group can modify the Active Directory schema. By default, the Administrator account is a member of this group. By default it has no user.
 Group Policy Creator Owner:Members of this group can modify Group Policy in the domain. By default, the Administrator account is a member of this group


 






Saturday, April 27, 2013

Microsoft Management Console

I will continue with mmc.exe as we left with many things . After saving console on let say on desktop or on other desirable location. so now let's add tools so that we can use saved console for the purpose we created it. As you see in image how do we add Administrative tools.
on the right hand we have option to add tool , all you need to do just select the role and click on add and that role will be added. According to your wish you can move selected option up and down. in some tools you might get an option to chose that says do you want add the role on this local computer or on another. According to you work environment or your lab practice environment you can select. I have used both options and what my experience is when you doing it in a lab environment and you have one server and one client (joined domain) you can select the name of the computer , you have option to browse and select particular machine on which you  want tools be implemented. one thing I must mention here about the schema management if you don't find that option you will have to run a command "regsvr32.exe schmmgmt.dll" I am going to show you how to run that command so that you can have a better understaning
of this command. In the above image if you have a close look you will not find Active Directory Schema
Management.  so in order to add Schema Management you need type the mentioned command .
once you get the message that dllregisterserver in schmmgmt.dll succeeded. you will be able to see Active-
Directory Schma Management in console. Now you can say your console is ready. In previous as I promised about the mode of the console now I will let you know how to change the mode of the console.
in this image you can see by default Author mode is selected . As you can see the other mode. you can select
According to your wish. I would prefer to let you know the difference of mode

MODE USE WHEN
Author You want to continue customizing the console.
User Mode – Full Access You want users of the console to be able to navigate between
and use all snap-ins. Users cannot add or remove snap-ins or
change the properties of snap-ins or the console.
User Mode – Limited Access,multiple window
You want users to navigate to and use only the snap-ins that
you have made visible in the console tree, and you want
to preconfigure multiple windows that focus on specific
snap-ins. Users cannot open new windows.
User Mode – Limited
Access,single window
You want users to navigate to and use only the snap-ins that
you have made visible in the console tree within a single
window.
 you always need to remember that mmc has .msc file extension. One more thing you should always keep in
mind not to log on on a Server using your administrator account because an administrator has all the authority to perform any task and any changes on server. in case if something goes wrong you may damage something.
so the best practice to log on a server with an account which not a privileged .

Working with Active Directory Snap-ins

In Previous post we have learned about the component of an Active Directory Infrastructure  now it's time to
be familiar with Administrative Tools and snap-ins and how to work effectively with them. Before we begin I would say it's really necessary to understand Microsoft Management Console. Management Console is common framework called Microsoft Management Console in short we call MMC. MMC displays administrative tool called span-ins, in a customizable window.

These are the major components of MMC. Let me explain one by one so that you can have a  better understanding of the available options.
The Console Tree: The left pane that displays the console Tree also called Scope Pane

The Show/Hide Console Tree Tool Bar button: It turns the console Tree pane on and off.

Snap-ins: Provides the Administrative Functionality.

The Details Pane: Displays the Detail of the console Tree.

Apart from these we have more tool bars. which I did not mention. As you start using MMC you will come to know about the tool bars and how to use them. I believe now you have a basic knowledge of mmc.exe interface.  when you click on start button and type mmc and hit enter, A blank console opens which shown
by the image below. you can choose the name of your choice when you create MMC by Default it is given
console name and serial number. The File option which I indicated to let you to add and remove snap in. As you see in a image we have one option that says Add/Remove Snap-in. we use that option to add administrative tool. One thing you must remember when you save it by default its saved as an author mode. you must be thinking what the heck Author mode is. An author mode is used to create new consoles or modify existing consoles.It is recommended by Microsoft not to save a console in an author mode. I will definitely let you know how to change it to other available mode.

Friday, April 26, 2013

Components of an Active Directory Infrastructure

In my Previous posts I explained ADDS and It's Roles including installation, configuration, Management of
ADDS. Now it's time to have a better understating of Active Directory Components. so we are going to read them in a sequence . what are the Active Directory Components and what they do . so let's begin with
the first one.

Active Directory Data Store: As we know Active Directory stores it's Identities in a Directory in a format of a file and that file is known NTDS.dit and by default that file is located in %systemRoot% \ntds folder. you can say it's heart of Active Directory .The database is divided in many partition including schema,configuration and the domain naming context that contains the data about users, groups, computer within the domain. there may be an application partition in a Active directory(Application partition is a space in a Active directory that can be used to store information about a specific application . you must keep in mind that security principle can not be stored in a application partition  )  now most of the people face difficulties to understand what the schema is, what this term means. Schema is a structure described in a formal language. Schema determines what would be the layout of the data in a database it also determine what can be stored in a database .

Domain Controller:  As Defined by Microsoft, Computer that functions as a server within the domain can have one or two roles:1> Member Server 2> domain Controller.  1: Member Server> Member of the domain , a domain can have one or two or 100 or so. A member server can act like file server,Webserver If we talk about domain controller It is responsible for host access to domain resources. if someone says that my domain name is xyz.com that means AD has been configured to gain access to windows network resources.

Domain: The term domain can refer either to a local subnetwork or to descriptors for sites on the Internet such as www.google.com . Remember one or more domain controllers are required to create a Active Directory Domain. A domain Defines the boundaries administrative Polices such as Account lockout , password policy , password complexity . you might have seen when you create an account on website for
example on gmail , yahoo. facebook you fill your user and name password  when you enter the password
you seen it says that password must be between 6 to 16 character long that is Actually password complexity policy that has been configured by websites Server admin or the member of the group. A good example of
Account lockout policy would be > when you enter a wrong password more than 3 times or 5 times depends on the Account lockout policy you get an error message you have exceeded the limit of password
your Account has been blocked. Try in next 24 hours and this 24 hours duration of resetting a password is Account Threshold policy. All these policy can be configured on a domain. I hope that Domain term is pretty clear to understand .

Forest: A forest is collection of one or more Active Directory Domain Controller. If you install first domain
in the forest that would be forest root domain. A forest is single instance of the directory -no data will be replicated by Active Directory outside of the Forest.

Tree: The DNS Namespace of domains in a forest creates Tree within the Forest.If a domain is a sub domain of another domain  or you can say two domains are considered a Tree. For example google.com
contains two domain. Google.com and Tech.google.com both domain are using the same DNS Namespace.
so they are a single tree. if the two domains are like comcast.net or comcast.com which are not contiguous in
the DNS Namespace . The domain will be considered to have two Trees.
  
Functional Level: Functional Level determines the functionality of a domain or a forest. When you install ADDS you get this option to select. Functional level. In an ADDS Functional level is a setting enable advance feature that you can use accordingly . There are six domain functional level as you can see in image . 
 
  As you raise the functional level of your domain or forest . you enable all the feature available in that version of windows server
 for example if you raise the functional level from  2003 to 2008 or 2008R2 all the feature which are available are ready  to use  such as Recycle bin etc.I must mention here about the functional level you need be very sure beforeyou raise functional level because once you raise it you can not revert it.  it is not impossible you can revert it but you will have to do forest recovery. when you raise the functional level the communication between domain controller is changed and it also change the storage in Active Directory database. It's highly recommended to use Adprep.exe command line utility must be completed accordingly.

 Organizational Unit: An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization's functional or business structure. Each domain can implement its own organizational unit hierarchy. If your organization contains several domains, you can create organizational unit structures in each domain that are independent of the structures in the other domains.
The term "organizational unit" is often shortened to "OU" in casual conversation. "Container" is also often applied in its place, even in Microsoft's own documentation. All terms are considered correct and interchangeable.