Lesson 5: Understanding Active Directory Structure and Replication
Active Directory provides a method for designing a directory structure that meets the needs of your organization. As a result, before installing Active Directory, you should examine your organization's business structure and operations.
Many companies have a centralized structure. Typically, these companies have strong information technology (IT) departments that define and implement the network structure down to the smallest detail. Other organizations, especially large enterprises, are very decentralized. These companies have multiple businesses, each of which is very focused. They need decentralized approaches to managing their business relationships and networks.
With the flexibility of Active Directory, you can create the network structure that best fits your company's needs. Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.
After this lesson, you will be able to
- Explain Active Directory structure and replication
Estimated lesson time: 30 minutes
In Active Directory, you organize resources in a logical structure. This enables you to find a resource by its name rather than its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users.
An object is a distinct, named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account might include the user's first and last names, department, and e-mail address (see Figure 5.8).
Figure 5.8 Active Directory objects and attributes
In Active Directory, you can organize objects in classes, which are logical groupings of objects. For example, an object class might be user accounts, groups, computers, domains, or organizational units (OUs).
Some objects, known as containers, can contain other objects. For example, a domain is a container object.
An OU is a container used to organize objects within a domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs (see Figure 5.9).
Figure 5.9 Resources organized in a logical hierarchical structure
The OU hierarchy within a domain is independent of the OU hierarchy of other domains; each domain can implement its own OU hierarchy. There are no restrictions on the depth of the OU hierarchy. However, a shallow hierarchy performs better than a deep one, so you should not create an OU hierarchy any deeper than necessary.
You can delegate administrative tasks by assigning permissions to OUs.
The core unit of logical structure in Active Directory is the domain. Grouping objects into one or more domains allows your network to reflect your company's organization. Domains share the following characteristics:
- All network objects exist within a domain, and each domain stores information only about the objects that it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is a more practical amount.
- A domain is a security boundary. Access control lists (ACLs) control access to domain objects. An ACL holds the permissions associated with an object; these permissions determine which users can gain access to the object and what type of access they get. In Windows 2000, objects include files, folders, shares, printers, and Active Directory objects. Security policies and settings, such as administrative rights, security policies, and ACLs, do not cross from one domain to another. The domain administrator has absolute rights to set policies only within that domain.
A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace (see Figure 5.10).
Figure 5.10 A domain tree
Trees have the following characteristics:
- Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
- All domains within a single tree share a common schema, which is a formal definition of all object types that you can store in an Active Directory deployment.
- All domains within a single tree share a common Global Catalog, which is the central repository of information about objects in a tree.
A forest is a grouping or hierarchical arrangement of one or more domain trees that form a disjointed namespace (see Figure 5.11).
Figure 5.11 A forest of trees
Forests have the following characteristics:
- All trees in a forest share a common schema.
- Trees in a forest have different naming structures, according to their domains.
- All domains in a forest share a common Global Catalog.
- Domains in a forest operate independently, but the forest enables communication across the entire organization.
In Figure 5.11, microsoft.com and msn.com form a forest. The namespace is contiguous only within each tree.
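As an added illustration (not code from the lesson), the following Python function applies the child-naming rule from the tree characteristics above to a list of DNS domain names and groups them into trees; roots with unrelated names form a forest with a disjointed namespace. The tree roots microsoft.com and msn.com come from the lesson; the child domain names in the sample are made up.

```python
def build_forest(domains):
    """Return {tree root: sorted domain names in that tree}.

    A domain joins its parent's tree when the name left after removing its
    leftmost label is itself a domain in the set (the child's name is its
    relative name appended to the parent's name). A domain with no parent in
    the set is a tree root; roots with unrelated names give a disjointed
    namespace, i.e. a forest of several trees."""
    names = {d.lower().strip(".") for d in domains}

    def tree_root(name):
        # Walk up the namespace while the immediate parent domain exists.
        while "." in name and name.split(".", 1)[1] in names:
            name = name.split(".", 1)[1]
        return name

    forest = {}
    for name in sorted(names):
        forest.setdefault(tree_root(name), []).append(name)
    return forest


def contiguous(domains, a, b):
    """True when a and b sit in the same tree (one contiguous namespace)."""
    root = {d: r for r, members in build_forest(domains).items() for d in members}
    return root[a.lower()] == root[b.lower()]


# Constructed sample: microsoft.com and msn.com are the lesson's tree roots;
# the child domains are invented for this example.
SAMPLE = ["microsoft.com", "sales.microsoft.com", "europe.sales.microsoft.com",
          "msn.com", "dev.msn.com"]

if __name__ == "__main__":
    for root, members in build_forest(SAMPLE).items():
        print(root, "->", members)   # two trees, one forest
```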
The physical components of Active Directory, domain controllers and sites, are used to mirror the physical structure of an organization.
A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory (the local domain database). A domain can contain one or more domain controllers, and each domain controller in a domain holds a complete replica of the domain's portion of the directory.
The functions of domain controllers include the following:
- Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
- Domain controllers in a domain automatically replicate all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that Windows 2000 replicates at one time.
- Domain controllers immediately replicate certain important updates, such as the disabling of a user account.
- Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.
- Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute's property version number, a number specific to an attribute that is initialized on creation of the attribute. Active Directory resolves the collision by replicating the changed attribute with the higher property version number.
- Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.
- Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.
In general, there should be one domain controller for each domain in each site for authentication purposes. However, the authentication requirements of your organization determine the number of domain controllers and their locations.
A site is a combination of one or more IP subnets connected by a highly reliable, fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.
With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites.
A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.
Replication Within a Site
Active Directory also includes a replication feature. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. To understand replication, you must understand domain controllers. A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory. A domain can contain one or more domain controllers.
Within a site, Active Directory automatically generates a ring topology for replication among domain controllers in the same domain. The topology defines the path for directory updates to flow from one domain controller to another until all receive the directory updates (see Figure 5.12).
Figure 5.12 Replication topology
The ring structure ensures that there are at least two replication paths from one domain controller to another. Therefore, if one domain controller is down temporarily, replication still continues to all other domain controllers.
Active Directory periodically analyzes the replication topology within a site to ensure that it is still efficient. If you add or remove a domain controller from the network or a site, Active Directory reconfigures the topology to reflect the change.
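The collision handling described under domain controller functions and the in-site ring described above, modelled as an added Python simulation (not code from the lesson or from Windows 2000): each attribute carries a property version number, a domain controller accepts a replicated value only when it wins the comparison, and replication around a four-controller ring still converges with one controller offline. The timestamp and origin tie-breaks go beyond the lesson's rule; Active Directory uses the originating timestamp and the originating DSA id for that.

```python
from dataclasses import dataclass, field

@dataclass(order=True)
class AttrValue:
    """Ordering = collision rule: higher property version number wins; ties go
    to the later originating timestamp, then originating DC (AD: DSA id)."""
    version: int
    timestamp: int
    origin: str
    value: str = field(compare=False)

class DomainController:
    def __init__(self, name):
        self.name, self.online, self.store = name, True, {}
    def write(self, dn, attr, value, timestamp):
        """Originating write: bump the attribute's property version number."""
        cur = self.store.get((dn, attr))
        version = cur.version + 1 if cur else 1
        self.store[(dn, attr)] = AttrValue(version, timestamp, self.name, value)

    def receive(self, dn, attr, incoming):
        """Replicated write: keep it only if it wins the collision check."""
        cur = self.store.get((dn, attr))
        wins = cur is None or incoming > cur
        if wins:
            self.store[(dn, attr)] = incoming
        return wins

def replicate_ring(dcs):
    """Every online DC pushes to both ring neighbours until nothing changes."""
    n, changed = len(dcs), True
    while changed:
        changed = False
        for i, dc in enumerate(dcs):
            for peer in (dcs[(i - 1) % n], dcs[(i + 1) % n]):
                if dc.online and peer.online:  # an offline DC neither sends nor receives
                    for (dn, attr), val in list(dc.store.items()):
                        changed |= peer.receive(dn, attr, val)

def demo():
    dcs = [DomainController(f"DC{i}") for i in range(1, 5)]  # constructed ring DC1-DC2-DC3-DC4-DC1
    dn, attr = "cn=alice,ou=sales,dc=example,dc=com", "department"  # made-up object
    dcs[0].write(dn, attr, "Sales", timestamp=10)
    replicate_ring(dcs)                                 # version 1 reaches every DC
    dcs[0].write(dn, attr, "Finance", timestamp=20)     # DC1: version 2
    dcs[0].write(dn, attr, "HR", timestamp=22)          # DC1: version 3
    dcs[2].write(dn, attr, "Marketing", timestamp=21)   # DC3: version 2, not yet propagated
    dcs[1].online = False                               # DC2 down: DC1 reaches DC3 via DC4
    replicate_ring(dcs)
    return {dc.name: dc.store[(dn, attr)].value for dc in dcs}  # DC2 keeps stale "Sales"
```

Calling demo() shows the version-3 value winning on every online controller while DC2 keeps its old value until it is back online and replication catches it up.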
Lesson Review
Here are some questions to help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."
- In Active Directory, you organize resources in a logical structure. What advantage does this provide?
- A(n) _____________ is a distinct, named set of attributes that represents a network resource.
- What component do you use to organize objects into logical administrative groups?
- A(n) ____________ is a grouping or hierarchical arrangement of one or more ___________________ that form a disjointed namespace.
- A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Fast network connections are at least _________________________________ and an available bandwidth of ____________________________________ is sufficient.
- 256 Kbps, 128 Kbps and higher
- 512 Kbps, 128 Kbps and higher
- 512 Kbps, 256 Kbps and higher
- 1024 Kbps, 512 Kbps and higher
- The physical components of Active Directory are ______________________ and ________________.
Lesson Summary
- Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.
- In Active Directory, grouping resources logically enables you to find a resource by its name rather than its physical location, making the network's physical structure transparent to users.
- The core unit of logical structure in Active Directory is the domain. All network objects exist within a domain, and each domain stores information only about the objects that it contains.
- An organizational unit (OU) is a container used to organize objects within a domain into logical administrative groups, and an OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs.
- A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace. A forest is a grouping or hierarchical arrangement of one or more trees that form a disjointed namespace.
- The physical structure of Active Directory is based on sites and domain controllers.
- A site is a combination of one or more IP subnets connected by a high-speed link.
- Within a site, Active Directory automatically generates a ring topology for replication among domain controllers in the same domain. The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication continues to all other domain controllers.