Physical Structure
Lesson 8

Active Directory Physical Structure Conclusion

This module focused on the physical structure of Active Directory—how directory services behave on the network based on sites, subnets, and domain controller placement. In practical terms, the “physical” design is how you control:
  • replication traffic between locations,
  • logon authentication efficiency, and
  • directory query performance and resiliency.
The main takeaways are:
  • The physical structure of Active Directory is defined by sites and the placement of domain controllers.
  • Sites map to one or more IP subnets and are used to optimize replication and client-to-DC affinity.
  • Domain controllers can host additional directory roles, including Global Catalog and FSMO (operations master) roles.
  • FSMO roles exist because Active Directory is multi-master for most changes, but a small set of operations requires a single authoritative owner.

Physical Aspects of Active Directory

  1. Physical vs. logical structure: Sites and subnets describe the network topology; domains and OUs describe administrative boundaries.
  2. Why sites exist: Sites reduce unnecessary WAN traffic by scoping replication schedules and directing clients to nearby domain controllers.
  3. Replication optimization: Intersite replication is designed to be bandwidth-aware; site links and schedules keep replication predictable.
  4. Domain controller placement: DC placement determines authentication latency, replication cost, and fault tolerance for each location.
  5. Global Catalog tradeoff: GC servers improve forest-wide searches and some logon scenarios, but increase replication scope.

Domains and Domain Trees

Although this module emphasized the physical side of Active Directory, your physical design always sits on top of AD’s logical structure, which is built around domains.

An Active Directory domain includes:
  1. An X.500-based hierarchy of containers and objects
  2. A DNS domain name as a unique identifier
  3. A security service that authenticates and authorizes access to resources
  4. Policies (for users and computers) that enforce security and configuration baselines

A domain controller (DC) is authoritative for one domain partition. In a typical design, a forest begins with a root domain (for example, dispersednet.com) and can expand into a domain tree using a contiguous namespace.

Example child domains:
  1. europe.dispersednet.com
  2. asia.dispersednet.com
  3. americas.dispersednet.com
This illustrates why the physical structure matters: as the environment grows, well-designed sites and DC placement prevent authentication delays and replication overload.

Module 3 review: key terms you should retain

  1. Active Directory (AD DS): A directory service that stores and organizes objects (users, computers, groups, printers, and more) and enforces authentication and authorization.
  2. Domain: A core administrative and security boundary in Active Directory.
  3. Global Catalog (GC): A directory service that stores a full replica of its own domain plus a partial replica of other domains to enable efficient forest-wide searches and assist with certain logon scenarios.
  4. Multi-master replication: Most directory changes can be made on any writable domain controller and then replicated throughout the domain/forest.
  5. Subnet: A logical subdivision of an IP network. Subnets are mapped to sites to help clients discover “nearest” domain controllers and to control replication behavior.

Security note: legacy cryptography such as DES should not be used in modern environments. Prefer AES and SHA-256+ when selecting cryptographic baselines.

You are now ready to apply these concepts by creating sites, mapping subnets, and planning domain controller and Global Catalog placement.

Review: Creating a site

Problem: You want to create a site.
Solution (GUI):
  1. Open Active Directory Sites and Services (dssite.msc).
  2. Right-click the Sites container and select New Site.
  3. Enter a site name that matches your location or topology convention.
  4. Select an appropriate site link.
  5. Click OK twice, then create/match the related subnet objects for client site affinity.

Using a command-line interface (LDIF)

Create an LDIF file called create_site.ldf with the following contents (each entry must be separated from the next by a blank line, or ldifde will reject the file):
dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site

dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings

dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer

Then import it (-i import, -f file, -v verbose output):
> ldifde -v -i -f create_site.ldf

Alternative tools (legacy / environment-dependent)

Some environments historically used third-party tooling (for example, AdMod) to automate directory changes. If you use such tooling, validate it against your organization’s security and change-control standards, and prefer modern administrative automation patterns (for example, PowerShell-based workflows) where feasible.
> admod -config -rb "cn=<SiteName>,cn=sites" -add objectclass::site
> admod -config -rb "cn=NTDS Site Settings,cn=<SiteName>,cn=sites" -add objectclass::nTDSSiteSettings
> admod -config -rb "cn=Servers,cn=<SiteName>,cn=sites" -add objectclass::serversContainer
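As an added example (not part of the original lesson or of any third-party tool), the same site creation done with the ActiveDirectory PowerShell module that the paragraph above recommends; it also maps the site's subnets, attaches the site to a site link, and then checks for subnets with no site mapping. The site name, subnets and site-link name are assumed placeholders.

```powershell
# Added example: create a site, map subnets, attach a site link, then verify.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to modify
# the Configuration partition. Names below are constructed placeholders.
#Requires -Modules ActiveDirectory

$SiteName = 'Europe-Paris'                      # hypothetical site name
$Subnets  = @('10.20.0.0/16', '10.21.10.0/24')  # hypothetical subnets for that site
$SiteLink = 'DEFAULTIPSITELINK'                 # site link created with the forest

# 1. Create the site (same result as the New Site dialog or the LDIF import).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName -Description 'Paris office (example)'
}

# 2. Map subnets to the site so clients in them are directed to nearby DCs.
foreach ($cidr in $Subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $SiteName
    }
}

# 3. Add the site to a site link so intersite replication is scheduled and costed.
Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{ Add = $SiteName }

# 4. Verify: list every subnet with the site it maps to. A subnet with an empty
#    Site column will leave its clients without site affinity.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } } |
    Sort-Object Site, Name | Format-Table -AutoSize

# 5. From a client in one of those subnets, confirm which site it resolved to.
nltest /dsgetsite
```

Clients whose IP address maps to no subnet object are reported on the domain controller as NETLOGON event ID 5807 in the System log; reviewing that event after a site change is a quick way to catch subnets you forgot to map.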

Active Directory Logon - Quiz

Click the Quiz link below to check your knowledge of the physical structure of Active Directory.
