Lesson 8
Active Directory Physical Structure Conclusion
The main points of this module include the following:
The physical structure of Active Directory is defined by sites and the placement of domain controllers.
Domain controllers fall into three categories: domain controllers, global catalog servers, and operations masters.
There are five operations masters: the PDC emulator, the schema master, the RID master, the domain naming master, and the infrastructure master. A global catalog server is a repository of information containing a subset of attributes for all Active Directory objects used to locate objects within the directory.
Physical Aspects of Active Directory
- These are some of the important physical aspects of Active Directory.
- The physical structure as defined by sites is separate from the logical structure of Active Directory, which is defined by domains.
- Sites are created for optimization of replication traffic and more efficient logon authentication.
- Domain controllers store a copy of the Active Directory database. There is no designated primary domain controller in a Windows 2000 network.
- The cost of global catalog replication is weighed against the need for speedier logon and response to global catalog queries.
Domains and Domain Trees
Active Directory's
logical structure is built around the concept of domains. Domains were introduced in Windows NT 3.x and 4.0.
However, in Active Directory, domains have been updated significantly from the flat and inflexible structure imposed by Windows NT. An Active Directory domain is made up of the following components:
- An X.500-based hierarchical structure of containers and objects
- A DNS domain name as a unique identifier
- A security service, which authenticates and authorizes any access to resources via accounts in the domain or trusts with other domains
- Policies that dictate how functionality is restricted for users or machines within that domain
A
domain controller (DC) can be authoritative for one and only one domain. It is not possible to host multiple domains on a single DC. For example, DispersedNet has already been allocated a DNS domain name for its company called dispersednet.com, so it decides that the first Active Directory domain that it is going to build is to be named dispersednet.com.
However, this is only the first domain in a series that may need to be created, and dispersednet.com is in fact the root of a
domain tree.
The dispersednet.com domain itself is automatically created as the root node of a
hierarchical structure called a domain tree. This is literally a series of domains connected together in a hierarchical fashion, all using a contiguous naming scheme.
If DispersedNet were to add domains called Europe, Asia, and Americas, then the names would be
- europe.dispersednet.com,
- asia.dispersednet.com, and
- americas.dispersednet.com.
Each domain tree is called by the name given to the root of the tree; hence, this domain tree is known as the dispersednet.com tree.
You can see that in the setup of DispersedNet we now have a
contiguous set of domains that all fit into a tree. Even if we had only one domain, it would still be a
domain tree with one domain.
New terms for Module 3
This module introduced you to the following terms:
- Active Directory: The Windows 2000 Directory Service which is a database that contains information about all the objects in a Windows 2000 Domain. Objects include: 1) Users, 2) Computers, 3) Group, 4) Printers and other objects on the network. The Active Directory is a hierarchical database, which is in contrast to the Windows NT 4.0 Flat database structure.
- Domain: The basic administrative unit in a Windows 2000 network.
- Global server catalog: A Windows 2000 computer that holds a copy of the global catalog for the forest.
- Multi-master replication: Multi-master (or multimaster) replication is a replication model in which any domain controller accepts and replicates changes to any other domain controller. This is different from replication in Windows NT, where one computer stored a single modifiable copy of the directory and other computers stored backup copies.
- Subnets: A subnet, or subnetwork, is a network inside a network. Subnets make networks more efficient. Through subnetting, network traffic can travel a shorter distance without passing through unnecessary routers to reach its destination.
You are now ready to apply some of what you have learned about the physical aspects of Active Directory by creating sites, subnets, and the global catalog server.
Review: Creating a Site
Problem: You want to create a site.
Solution: Using a graphical user interface
- Open the Active Directory Sites and Services snap-in (dssite.msc).
- Right-click on the Sites container and select New Site.
- Beside Name, enter the name of the new site.
- Under Link Name, select a site link for the site.
- Click OK twice.
Using a command-line interface
Create an LDIF file called create_site.ldf with the following contents:
dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site
dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,
<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings
dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings
dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer
Then run the following command:
>> ldifde -v -i -f create_site.ldf
You also can create a site by issuing the following three AdMod commands:
> admod -config -rb "cn=<SiteName>,cn=sites" -add objectclass::site
> admod -config -rb "cn=NTDS Site Settings,cn=<SiteName>,cn=sites" -add↵
objectclass::nTDSSiteSettings
> admod -config -rb cn=Servers,cn=<SiteName>,cn=sites" -add↵
objectclass::serversContainer
Active Directory Logon - Quiz