14-9 Lesson 1 Overview of Active Directory
Physical Structure of Active Directory
The physical components of Active Directory, domain controllers and sites, are used to
mirror the physical structure of an organization.
Domain Controllers
A domain controller is a computer running Windows 2000 Server or Windows Server
2003 that stores a replica of the domain directory (local domain database). You can
create any number of domain controllers in a domain. Each domain controller in a given
domain has a complete replica of that domain’s directory partition. Domain controllers
locally resolve queries for information about objects in their domain and refer queries
regarding information they do not hold to domain controllers in other domains.
Domain controllers also manage changes to directory information and are responsible
for replicating those changes to other domain controllers.
Because each domain controller holds a full replica of the directory partition for its
domain, domain controllers follow what is known as a multimaster model: Every
domain controller holds a master copy of the partition that can be used to modify that
information.
The functions of domain controllers include the following:
■ Each domain controller stores a complete copy of all Active Directory information
for that domain, manages changes to that information, and replicates those
changes to other domain controllers in the same domain.
■ Domain controllers in a domain automatically replicate all objects in the domain to
each other. When you perform an action that causes an update to Active Directory,
you are actually making the change at one of the domain controllers. That
domain controller then replicates the change to all other domain controllers within
the domain. You can control replication traffic between domain controllers in
the network by specifying how often replication occurs and the amount of data
that Active Directory replicates at one time.
■ Domain controllers immediately replicate certain important updates, such as the
disabling of a user account.
■ Active Directory uses multimaster replication, in which no one domain controller
is the master domain controller. Instead, all domain controllers within a domain
are peers, and each domain controller contains a copy of the directory database
that can be written to. Domain controllers can hold different information for short
periods of time until all domain controllers have synchronized changes to Active
Directory.
■ Domain controllers detect collisions, which can occur when an attribute is modified
on a domain controller before a change to the same attribute on another
domain controller is completely propagated. Collisions are detected by comparing
each attribute’s property version number, a number specific to an attribute that is
initialized on creation of the attribute. Active Directory resolves the collision by
replicating the changed attribute with the higher property version number.
■ Having more than one domain controller in a domain provides fault tolerance. If
one domain controller is offline, another domain controller can provide all
required functions, such as recording changes to Active Directory.
■ Domain controllers manage all aspects of user domain interaction, such as locating
Active Directory objects and validating user logon attempts.
In general, there should be at least one domain controller for each domain in each site
for authentication purposes. However, authentication requirements for your
organization determine the number of domain controllers and their locations.
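The collision-resolution rule described above, as an added Python illustration that is not from this book or from Microsoft: two domain controllers modify the same attribute before either change has replicated, and each replica keeps the value carrying the higher property version number. It also goes beyond the lesson by applying the tie-breakers Active Directory uses when version numbers are equal (later originating timestamp, then the originating DC's invocation ID); here a toy clock stands in for the timestamp and the DC name stands in for that GUID.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class AttrValue:
    value: str
    version: int    # property version number, bumped on each originating write
    stamp: float    # originating time (toy clock standing in for a timestamp)
    origin: str     # originating DC name, standing in for its invocation-ID GUID
    def beats(self, other: "AttrValue") -> bool:
        # Higher version wins; ties go to the later write, then the higher GUID.
        return (self.version, self.stamp, self.origin) > (other.version, other.stamp, other.origin)
class DomainController:
    def __init__(self, name: str):
        self.name, self.attrs = name, {}   # attrs: (dn, attribute) -> AttrValue
    def write(self, dn: str, attr: str, value: str, now: float) -> None:
        """Originating write: version is one more than the local replica's."""
        cur = self.attrs.get((dn, attr))
        self.attrs[(dn, attr)] = AttrValue(value, cur.version + 1 if cur else 1, now, self.name)
    def receive(self, dn: str, attr: str, incoming: AttrValue) -> bool:
        """Apply a replicated value only if it wins the collision test."""
        cur = self.attrs.get((dn, attr))
        if cur is None or incoming.beats(cur):
            self.attrs[(dn, attr)] = incoming
            return True
        return False
def replicate(src: DomainController, dst: DomainController) -> int:
    """Toy full-replica push; returns how many values the target accepted."""
    return sum(dst.receive(dn, attr, val) for (dn, attr), val in src.attrs.items())

def run_collision_scenarios() -> Dict[str, Tuple[str, str]]:
    """Two collisions on one attribute; returns (DC1, DC2) values after both replicas sync."""
    key, out = ("cn=alice", "description"), {}
    # Case A: both DCs reach version 2 before either change replicates, so the
    # tie-breaker applies and the later originating write (DC2's) wins everywhere.
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write(*key, "hired", now=1.0); replicate(dc1, dc2)   # both hold version 1
    dc1.write(*key, "on leave", now=2.0)                      # DC1: version 2
    dc2.write(*key, "transferred", now=3.0)                   # DC2: version 2
    replicate(dc1, dc2); replicate(dc2, dc1)
    out["equal_versions"] = (dc1.attrs[key].value, dc2.attrs[key].value)
    # Case B: DC1 writes twice (version 3) while DC2 makes one newer write (version 2):
    # the higher version wins on both replicas even though DC2's change is later.
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write(*key, "hired", now=1.0); replicate(dc1, dc2)
    dc1.write(*key, "on leave", now=2.0); dc1.write(*key, "returned", now=3.0)
    dc2.write(*key, "transferred", now=4.0)
    replicate(dc1, dc2); replicate(dc2, dc1)
    out["higher_version"] = (dc1.attrs[key].value, dc2.attrs[key].value)
    return out
```

On a real domain controller the same per-attribute metadata (version, originating time, originating DSA) can be inspected with `repadmin /showobjmeta`, which is the place to look when two admins' changes appear to have "lost" to each other.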
Sites
A site is a combination of one or more Internet Protocol (IP) subnets connected by a
highly reliable, fast link to localize as much network traffic as possible. Typically, a site
has the same boundaries as a local area network (LAN). When you group subnets on
your network, you should combine only those subnets that have fast, cheap, and
reliable network connections with one another. Fast network connections are at least 512
kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is
sufficient.
With Active Directory, sites are not part of the namespace. When you browse the
logical namespace, you see computers and users grouped into domains and OUs, not
sites. Sites contain only computer objects and connection objects used to configure
replication between sites.
Note A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.
On the CD At this point, you should view the multimedia presentation “The Physical Structure of Active Directory,” which is included in the Multimedia folder on the CD accompanying this book.