Step-by-Step Guide to Creating Active Directory Diagrams in Visio 2002

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Published: November 1, 2001

Visimation, Inc.

Microsoft Certified Partner

Applies to:

Microsoft Visio Professional 2002

Microsoft Visio Enterprise Network Tools 2002

Summary: Create diagrams of Microsoft Windows 2000 Active Directory structures for use in network planning and migration with Visio Professional and Visio Enterprise Network Tools. (19 printed pages)

For the latest information, please see and

On This Page

Section I. Steps to Creating an Active Directory Diagram
Section II. Importing from a Live Directory (Visio Enterprise Network Tools only)
Section III. Exporting to LDIF (Visio Enterprise Network Tools only)
Section IV. Creating a High-Level Structure Diagram Using the Sites and Services Stencil


The directory services solution in Microsoft® Visio® Professional 2002 and Microsoft Visio Enterprise Network Tools enables network and system administrators to plan, create, and maintain their networks by providing a clear and detailed graphic representation of their Microsoft Windows® 2000 Active Directory™ network structure.

Managing a computer network today is no small task. In addition to controlling access to printers and files over the network, most administrators must also manage security and access, optimize traffic flow across Local Area Networks (LANs) and Wide Area Networks (WANs), coordinate repair and maintenance of network equipment, and oversee data backup, storage, and recovery.

Directory service applications, such as Active Directory, provide a central location for managing network assets, such as domains, computers, users, groups, and so on. Active Directory organizes those assets into a hierarchical tree structure, which is typically viewed in a small window with expandable/collapsible icons, much like Windows Explorer.

Figure 1 shows the Active Directory management window.


Figure 1: The Active Directory management window

Although this view of the directory can be simple to use, it does not provide a clear high-level diagram of the directory structure and—most importantly—cannot be printed.

The Visio 2002 Directory Services solution provides administrators with clear, detailed representations of current and proposed directory structures, which can be viewed, printed, and presented to management for planning new networks, coordinating migrations, and for documenting existing networks.

Windows 2000 Migration Planning

If you are migrating from Microsoft Windows NT® or Novell Directory Services (NDS) to Windows 2000 Active Directory, Visio is the only tool that will enable you to plan every stage and aspect of the design. Migrations do not simply occur from start to finish in a single step, but rather go through incremental changes as various departments and locations upgrade to the company standard. Visio provides administrators with tools to plan every step, including the intermediate stages. Exporting capabilities (Visio Enterprise Network Tools only) enable the administrator to export Visio drawing data for import into Active Directory, providing a live testing scenario. Importing capabilities (Visio Enterprise Network Tools only) enable round-tripping back into Visio from the live directory, creating a 360-degree editing circle between Active Directory and Visio.

Ease of Use

The strength of Visio lies in its ease of use. You don't need to be a graphic artist or have years of experience with complex graphic software packages to create directory services diagrams. You simply drag and drop from a stencil of shapes onto the drawing page.

This article is divided into four sections. The first section is a step-by-step guide to creating an Active Directory diagram using Visio drawing tools and SmartShape® symbols. This first section applies to both Microsoft Visio Professional 2002 and Microsoft Visio Enterprise Network Tools.

The second section demonstrates how to import existing directory structures from a server, while the third section will show you how to export Visio drawing data to an LDAP Data Interchange Format (LDIF) file for import back into Active Directory. The fourth section discusses the use of the Active Directory Sites and Services stencil to create a high-level plan of network topologies.

Section I. Steps to Creating an Active Directory Diagram

There are several steps to creating an Active Directory diagram:

  • Starting the proper template

  • Adding shapes

  • Laying out shapes

  • Entering property information

  • Printing the diagram

Starting the Proper Template

Visio uses a set of templates and stencils to comprise a solution. In this example, you will create an Active Directory solution using the Active Directory stencils and templates. In order to create an Active Directory diagram, you must first start the Active Directory solution.

If Visio is not running

  • Start Visio.

  • In Choose Drawing Type, under Category, click Network.

  • Under Template, click Active Directory.

If Visio is already running

  • On the File menu, point to New, point to Network, and click Active Directory.

This opens up the Active Directory template with its drawing page and set of stencils. Figure 2 shows the Connect to Directory dialog box, which you must exit before you can begin creating your diagram.

  • In this section, we will work offline, so accept the default Work offline option and click OK.


    Figure 2: The Connect to Directory dialog box

  • Your screen should now look like Figure 3.


    Figure 3: The Active Directory diagram environment

On the left side are stencils that store the master shapes (reusable shapes), and on the right is the drawing page. The drawing window includes a small window called the Directory Navigator.

The Directory Navigator

The Directory Navigator schema lists the classes and properties you need to document and diagram a directory service. Classes and properties vary according to the directory service schema. The [Sub Tree] level of the Directory Navigator displays the structure of the directory in a tree view as you add objects, also called views, to the directory diagram.

When you start a directory service solution, the default schema for that service is loaded into the Directory Navigator. Each directory service has its own set of classes and properties, which make up the default schema. Valid schema classes and properties for Active Directory are often not valid for another directory service.

In addition to these display features, the Directory Navigator also enables you to drag shapes directly from the Navigator window onto the drawing page, and to add and edit classes and properties in the directory schema.

Directory Navigator Components

The Directory Navigator has two main components to it: the Sub Tree and the schema. The Sub Tree level displays any objects that are present in the directory, and shows their relationships by organizing them into collapsible or expandable branches. The schema level displays all of the classes and properties in the current directory's schema.

An expandable branch is an object that has children. Common to all directory services applications is a parent/child relationship among objects in the directory. When a shape is dropped on the drawing page, or when a class is dragged out from the schema, it becomes instantiated as an object at the [Sub Tree] level of the Directory Navigator. This is where the hierarchy of the directory is established.

Figure 4 shows the Directory Navigator window.

Figure 4: The Directory Navigator window

Adding Shapes to the Page

You add directory objects to the drawing page by dragging and dropping from the stencil onto the drawing page. In this exercise, you will create a diagram of the directory structure of a fictitious company called

Here is the scenario:

Championzone has one domain, called In this domain, the network administrators want to create Organizational Units (OUs) for their three branches: London, Tokyo, and New York. In each of these OUs they want three other OUs named Users, Computers, and Printers. Lastly, they want to populate the Users, Computers, and Printers OUs with leaf objects. Leaf objects typically exist at the bottom of the directory tree, and are the actual objects in the directory, such as computers, users, and printers. Your job is to model this structure using the shapes in the Active Directory Objects stencil.

  1. Adding the shapes.

    The first step is to add a Domain shape to the page at the top of the directory tree as shown in Figure 5.

    • Right-click the [Sub Tree] icon in the Directory Navigator and select Add Entries from the shortcut menu.

      Figure 5: Using the Add Entries option to add the domain shape

    • In the Add Entries dialog box, select the class of object to add to the directory from the Entry class list. Select the domainDNS class from the list and proceed to Step 2.

  2. Rename the Domain shape.

    Notice that when you select the domainDNS class from the list, that item appears in the lower half of the Add Entries dialog box. You can now rename the domain object by selecting the name and typing in a new name.

    • Type "" in the Entry name field and click OK.

    • At this point, the domain object will not appear on the drawing page, but will appear in the Directory Navigator.

    • To place the object on the page, simply drag it from the Directory Navigator and drop it on the page.

    Figure 6 shows how to add an entry and change its name in the Add Entries dialog box.

    Figure 6: Adding an entry and changing its name

  3. Add the Organizational Units.

    The next step is to add the three organizational units to the domain. For this step, instead of adding the shapes to the Directory Navigator first, you will add them directly to the page.

    • Right-click the domain shape on the page, and choose Add Entries from the shortcut menu.

    • In the Add Entries dialog box, select the organizationalUnit class from the Entry class list.

    • In the Number of entries section, enter "3". You will then see the names of the new objects in the lower half of the Add Entries dialog box.

  4. Rename the OU shapes.

    • Rename the OU shapes by clicking in the Entry name field and typing "Tokyo", "London", and "New York". Click OK.

    • The shapes will be added to the drawing page automatically, and will become children of the parent domain shape. Your drawing should look similar to Figure 7.


    Figure 7: The drawing with three organizational units

  5. Add OUs for Users, Computers, and Printers

    To demonstrate the easy-to-use drag and drop functionality in Visio, you will add the next set of objects using a new method:

    • From the Active Directory Objects stencil, drag and drop three OU shapes directly on top of the Tokyo OU shape. When you place one of the OU shapes directly on top of the Tokyo shape, that OU shape automatically becomes a child of the Tokyo shape.

    • When done, rename each of the new OU shapes, but instead of doing this through the Add Entries dialog box, simply double-click the shapes. When a shape is double-clicked, it enters text-edit mode. At this point, you can type in the new name of the shape.

    • Rename the shapes "Users", "Computers", and "Printers". Repeat these actions so that the London and New York OUs also have three OUs under them. Your drawing should look like Figure 8.


    Figure 8: Drawing with container classes

  6. Add leaf objects.

    In typical directories, the leaf objects are at the bottom of the directory tree. In this example, the actual computers, users, and printers that are part of the network will be the leaf objects. In this step you will add 8 users to Tokyo's Users OU, 10 computers to its Computers OU, and three printers to its Printers OU. Figure 9 shows the Add Entries dialog box.

    • For this step, right-click the Users OU under the Tokyo OU and select Add Entries from the shortcut menu. Enter 8 for the number of entries. Click OK.

    • Repeat the step for the Computers and Printers OUs, adding 10 computers and three printers.

    Figure 9: Adding user objects

Laying Out Shapes

At this point, your drawing will have expanded horizontally to such an extent that the objects will have been moved off the page. To fix this, it is necessary to change the layout of the child shapes in the drawing. Layout options are numerous and flexible, with the ability to apply different layout styles to different parent shapes.

Layout options are viewed by selecting a shape, opening the Directory Services menu, and choosing Lay Out Children. The Lay Out Children dialog box provides options for horizontal, vertical, or side-by-side layouts. All changes made in this dialog box apply to the children of the selected shape.

Figure 10 shows the choices in the Lay Out Children dialog box.

Figure 10: The Lay Out Children dialog box

Several other layout options can be found in the Directory Services menu. These include Move Shape Left/Up and Move Shape Right/Down.

Adding Shapes with the Navigator

The Directory Navigator acts as a catalog of all directory objects in an Active Directory diagram. Any objects on the drawing page appear in the Directory Navigator, as well as any objects that have been deleted from the drawing.

Deleting objects from the page does not delete them from the Directory Navigator. The reason for this is to give greater control over the display of objects on the page, while maintaining the structure. For example, if you only wanted to display a particular OU in a drawing, you could delete the other OUs, print the drawing, but still keep the original structure intact in the Directory Navigator. When you wish to display the deleted objects again, simply drag and drop from the Directory Navigator to the drawing page.

Note: When dragging an object from the Directory Navigator onto the drawing page, an error message appears if that object is already on the drawing page. The Active Directory solution does not allow more than one object with the same name and the same parent to exist in the drawing. The error message informs you that the new shape will be deleted, and the existing shape selected instead.

Note: To delete an object from the Directory Navigator, and subsequently from the directory model, right-click the shape to be deleted in the Directory Navigator and choose Delete Entry. Deleting an object from the Directory Navigator also automatically deletes the object from the drawing page.

Entering Property Information

A benefit of having a network directory is the ability to define properties for each object in the directory. These properties are set for each object class, and are then applied to each individual object based on its object type.

Each Active Directory object has a set of pre-defined properties, which can be viewed or modified by right-clicking the shape and selecting Edit Properties from the shortcut menu. The Edit Properties dialog box shown in Figure 11 provides an easy way to enter and store information with the shape. Simply click in the appropriate cells and type in the values.

Note: If you have multiple values for a property, be sure to separate them with a semicolon.

Figure 11: Entering properties for a shape

Default properties exist for the default types of objects in each directory's schema, and the International Standards Organization (ISO) has usually established these. However, an administrator can create custom properties and custom objects, which do not have to conform to any ISO standard.

Similarly, Visio allows you to create custom properties in addition to the default properties.

Adding New Properties

New properties are added to a schema using the Directory Navigator. The procedure involves expanding the Schema folder in the Directory Navigator so that the property and class folders are visible. Right-clicking the Properties folder and choosing Add Property Class from the shortcut menu opens the Edit Property Definition dialog box and enables you to define such values as syntax, property name, and maximum character length. Editing an existing property is done by right-clicking the property, choosing Edit Property Definition from the shortcut menu, and modifying the attributes.

Note: It is best practice to make sure that a newly defined property is also created in the live directory tree.

Figure 12 shows the Edit Property Definition dialog box.


Figure 12: Properties can be created or changed in the Edit Property Definition dialog box

Section II. Importing from a Live Directory (Visio Enterprise Network Tools only)

The Active Directory solution in Microsoft Visio Enterprise Network Tools allows an administrator to import an existing Active Directory structure and its schema into a Visio drawing, where the parent/child relationship of objects can be better displayed. The imported directory is an exact replica of the original directory, and contains all of the objects and object attributes of the original.

Note: Microsoft Visio Enterprise Network Tools, an add-on to Microsoft Visio Professional 2002, provides advanced network diagramming solutions for IT professionals, and includes subscription-based access to the latest Visio network and directory services diagramming tools, up-to-date library of exact-replica network equipment shapes, and additional network documentation resources via the Web. The solutions and shapes in Visio Enterprise Network Tools enable IT professionals to document, design, and share detailed information about their network and directory services so that they can better plan, deploy, maintain, and upgrade their network infrastructures. For more information about Visio Enterprise Network Tools, please visit

Having a replica to work with allows administrators to plan and make changes to the directory without affecting the existing structure. Network updates and migrations can be planned and displayed to management before the physical network is actually in place.

Importing from a live directory involves the following steps:

  • Connecting to a server

  • Specifying filter options and import depths

Connecting to a Server

To import from a live Active Directory database, you must first connect to the server that stores the Active Directory data. When you start the Active Directory solution, the Connect To Directory dialog box, shown in Figure 13, is displayed. In order to connect to the Active Directory server, the Import from a live directory option must be selected.


Figure 13: The Connect to Directory dialog box

After selecting that option, the next step is to click the Browse button. This will open up the Supply Credentials dialog box shown in Figure 14, where the name of the server, user name, and password are required.

Note: Windows 2000 installs the Active Directory Services Interface (ADSI), which is required to connect to the network. Windows 98 and NT clients must download this from the Microsoft Web site in order to connect to the server and begin the import process. Windows 95 is not supported by the Directory Services solution.

Note: If you do not have administrator privileges on the server you will not be able to proceed with the import.

Figure 14: The Supply Credentials dialog box

After supplying the user name and password and clicking OK, the Directory Browser dialog box will appear. The box will enable you to choose which levels of the tree to import, which is especially useful when working with large directories.

Figure 15 shows the Directory Browser window.


Figure 15: Choosing which objects to import in the Directory Browser

Once the connection has been established and the objects have been selected in the Directory Browser dialog box, the next step is to filter the results. In the Connect To Directory dialog box there are two types of filter options: Filter options (classes) and Import Depth.

Import Depth

Import depth refers to the number of levels in the directory tree that the Active Directory modeler will search down from the root level. You can specify the import depth by choosing the number of child levels to import in the Import depth section.

Filter Options (classes)

In the Filter options section, there are several choices for filtering classes. Choosing All classes imports every class in the directory, while choosing Common container classes imports a preset group of classes. If you are only interested in importing certain classes of objects, the Selected classes option is very useful. Clicking Select opens the Select Classes dialog box and enables you to choose exactly which classes to import.

Importing Properties

When Active Directory objects are imported, any properties associated with them are also imported. For large networks, importing the properties of every object may lengthen the duration of the import process, and can also lead to large file sizes. It may also cause a considerable strain on computer resources. Safeguards have been added into the Directory Services Options dialog box that enable you to set the number of objects to import. When that number is reached during import, you are asked if you want to import an additional number of objects. You get this message until you either stop or all objects have been imported.

If either import times or file sizes are concerns, it is possible to import the properties later. Clearing the Import all properties now option avoids importing the properties for the objects. The properties may be imported at a later stage by right-clicking any object in the Directory Navigator sub-tree level and choosing Import from the shortcut menu.

If you decide to delay the import, the solution has a "properties on demand" feature. This means that when a property is edited, the solution connects to the network and imports the properties automatically, even if the properties were not imported in the beginning. Delaying the import can be very efficient if you anticipate editing only a select number of objects.

Post Import

After the importing has occurred, the drawing page is not populated with objects. The import process only populates the Directory Navigator, and does not place any objects on the page. To begin creating your drawing, drag the objects from the Directory Navigator onto the drawing page.

Section III. Exporting to LDIF (Visio Enterprise Network Tools only)

In addition to importing directory objects from a live directory, Visio enables you to export your drawing data to an LDAP Data Interchange Format (LDIF) file. This file is an ASCII text file with syntax unique to directory service applications, which stores all of the Visio drawing's directory data including objects, properties, and classes. An administrator can take this LDIF file and import its data into Active Directory for live testing.

Note: Visio does not export directly into a live directory. Instead, it exports directory information into a file format (LDIF) that Active Directory can interpret. To import into Active Directory, the administrator must open Active Directory, select the LDIF file created by Visio, and specify import criteria.

  • Once a drawing has been created and object properties have been added, the export process can begin. On the Directory Services menu, point to Export to LDIF, and click Export entries.

  • Choosing Export entries opens up the Save As dialog box with LDIF selected as the default file type. You can name this file and a folder to store it in. Figure 16 shows how to save the exported data as an LDIF file.


    Figure 16: Saving the exported data as an LDIF file

  • Opening this LDIF file with Notepad.exe displays the manner in which the directory data is exported. It is this information, in plain text, that Active Directory uses for importing. Figure 17 shows an example of directory information in the LDIF file.


    Figure 17: The directory information in the LDIF file
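As an added example (not code from Visio or from this article), the following Python models the Section I scenario tree, enforces the Directory Navigator's one-name-per-parent rule, applies the Section II import depth and class filters, and writes the result in the LDIF form that Section III exports. The domain name championzone.example, the leaf-object names, and the choice of the user, computer and printQueue classes for the leaf objects are assumptions, since the article does not give them.

```python
# Added illustration, not Visio's code; DOMAIN below is a constructed placeholder.
import base64
from dataclasses import dataclass, field

DOMAIN = "championzone.example"  # constructed placeholder, not from the article
RDN_ATTR = {"organizationalUnit": "ou"}  # every other class is named by cn


def escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 specials so 'Smith, John' cannot smuggle in an extra RDN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(attr: str, value: str) -> str:
    """LDIF (RFC 2849) attribute line; values that are not SAFE-STRINGs go base64."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


@dataclass(eq=False)
class Entry:
    object_class: str
    name: str
    parent: "Entry | None" = field(default=None, repr=False)
    children: list = field(default_factory=list, repr=False)

    def dn(self) -> str:
        if self.object_class == "domainDNS":  # root: one dc= RDN per DNS label
            return ",".join("dc=" + escape_rdn_value(p) for p in self.name.split("."))
        attr = RDN_ATTR.get(self.object_class, "cn")
        return f"{attr}={escape_rdn_value(self.name)},{self.parent.dn()}"

    def add_entries(self, object_class: str, names) -> list:
        """Add Entries dialog: a duplicate name under the same parent is rejected."""
        added = []
        for name in names:
            if any(c.name == name for c in self.children):
                raise ValueError(f"{name!r} already exists under {self.dn()}")
            child = Entry(object_class, name, self)
            self.children.append(child)
            added.append(child)
        return added

    def walk(self, depth=None, classes=None, level=0):
        """Yield entries up to `depth` levels down, keeping only `classes` if given."""
        if classes is None or self.object_class in classes:
            yield self
        if depth is None or level < depth:
            for child in self.children:
                yield from child.walk(depth, classes, level + 1)


def build_championzone() -> Entry:
    """Section I scenario: three branch OUs, three OUs each, Tokyo's populated."""
    root = Entry("domainDNS", DOMAIN)
    for branch in root.add_entries("organizationalUnit", ["London", "Tokyo", "New York"]):
        users, computers, printers = branch.add_entries(
            "organizationalUnit", ["Users", "Computers", "Printers"])
        if branch.name == "Tokyo":
            users.add_entries("user", [f"User{i}" for i in range(1, 9)])
            computers.add_entries("computer", [f"Computer{i}" for i in range(1, 11)])
            printers.add_entries("printQueue", [f"Printer{i}" for i in range(1, 4)])
    return root


def to_ldif(root: Entry, depth=None, classes=None) -> str:
    """One LDIF add record per entry, parents before children (load order matters)."""
    records = []
    for e in root.walk(depth, classes):
        rec = [f"dn: {e.dn()}", "changetype: add", f"objectClass: {e.object_class}"]
        if e.object_class == "domainDNS":
            rec.append(ldif_attr("dc", e.name.split(".")[0]))
        else:
            rec.append(ldif_attr(RDN_ATTR.get(e.object_class, "cn"), e.name))
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"
```

On Windows 2000 the ldifde.exe tool (ldifde -i -f file.ldf) loads a file of this shape into Active Directory under the credentials of the account running it, so the file should be reviewed and access-restricted before import, as it is plain text.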

Section IV. Creating a High-Level Structure Diagram Using the Sites and Services Stencil

In addition to the object and container diagrams, high-level structure diagrams can be created with the Active Directory solution. These structure diagrams represent the physical arrangement of the network, as opposed to the logical structure of the network that is depicted in the standard directory services diagram. Figure 18 shows a typical Active Directory Structure diagram.


Figure 18: A typical Active Directory Structure diagram

Structure diagrams display site connectivity, database replication information, domain controller locations, and WAN areas. Structure diagrams and structure shapes are not included in the export capabilities of the directory services solution, and are simply aids in planning distribution and replication information between sites and across WAN areas. The Active Directory Sites and Services stencil contains the shapes to be used in these structure diagrams. The shapes in this stencil cannot be exported into LDIF format. They are solely used to document replication and connectivity among different sites in a network.

There are four types of shapes in the Sites and Services stencil:

  • Site shapes

  • Domain shapes

  • Site Link shapes

  • Replication Connection shapes

Site Shapes

These are used to represent areas of good connectivity, mainly local area networks (LANs). Domain controllers can be placed on these site shapes to indicate their presence on a LAN.

Domain Shapes

The Domain shapes exist either within or across sites, and are used to mark security and administrative boundaries in a network; the members of a domain share certain access rights. Domains may live on a server in a single site, or may be distributed over multiple sites.

The Domain Controller shapes represent Microsoft Windows 2000 domain controllers, Microsoft Windows NT 4.0 domain controllers, or PDCs and BDCs. When a Domain shape is added to a Site shape, it is automatically grouped with that site and moves if the Site shape moves. This feature takes advantage of the Add Shapes to Group on Drop feature unique to Visio 2002, and automatically adds a domain shape to the group site shape.

Site Link Shapes

These shapes represent connections between sites, and are generally areas of less optimal connectivity. The WAN shape is a member of the Site Link shapes.

The WAN shape can be connected to Site shapes by dragging any of the eight control handles on the shape to a connection point on a site shape.

Replication Connection Shapes

Replication Connection shapes are used to represent the types of connections between domain controllers, and show the directional flow of directory database replication information.

The Replication Connection shape can be used by dragging the end-point of the shape to a connection point of one domain controller, and by dragging the other end-point to a connection point of another controller. Right-clicking the shape allows you to choose the direction of flow, either one-directional or bi-directional, from the shortcut menu.

About Visimation

Visimation is a Microsoft Certified Partner who specializes in Microsoft Visio consulting, custom development, training, and services.