
14-9 Lesson 1 Overview of Active Directory

Physical Structure of Active Directory

The physical components of Active Directory, domain controllers and sites, are used to mirror the physical structure of an organization.

Domain Controllers

A domain controller is a computer running Windows 2000 Server or Windows Server 2003 that stores a replica of the domain directory (local domain database). You can create any number of domain controllers in a domain. Each domain controller in a given domain has a complete replica of that domain’s directory partition. Domain controllers locally resolve queries for information about objects in their domain and refer queries regarding information they do not hold to domain controllers in other domains. Domain controllers also manage changes to directory information and are responsible for replicating those changes to other domain controllers.

Because each domain controller holds a full replica of the directory partition for its domain, domain controllers follow what is known as a multimaster model: every domain controller holds a master copy of the partition that can be used to modify that information.

The functions of domain controllers include the following:

■ Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.

■ Domain controllers in a domain automatically replicate all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that Active Directory replicates at one time.

■ Domain controllers immediately replicate certain important updates, such as the disabling of a user account.

■ Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.

■ Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute’s property version number, a number specific to an attribute that is initialized on creation of the attribute. Active Directory resolves the collision by replicating the changed attribute with the higher property version number.

■ Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.

■ Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.

In general, there should be at least one domain controller for each domain in each site for authentication purposes. However, authentication requirements for your organization determine the number of domain controllers and their locations.
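The collision rule above (the change carrying the higher property version number wins) can be seen end to end in a small model of two peer domain controllers. The following is an added example written for this lesson, not code from the training kit or from Windows Server; the domain controller names, the attribute name, the values and the timestamps are all constructed. The lesson states only the version-number rule; the tie-break on equal versions (the later originating write wins) is the real Active Directory behaviour but is an assumption as far as this page is concerned.

```python
"""Toy multimaster replication with property-version collision resolution.
Added example; not code from the training kit. All names and values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(order=True)
class AttrValue:
    """One attribute's replicated state. Ordering compares (version, timestamp)
    only, so the value itself never decides who wins."""
    version: int      # property version number; starts at 1 when the attribute is created
    timestamp: int    # originating write time; tie-breaker on equal versions (assumption)
    value: str = field(compare=False)


class DomainController:
    """Every DC holds a writable copy of each attribute (multimaster model)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.attrs: Dict[str, AttrValue] = {}

    def write(self, attr: str, value: str, timestamp: int) -> None:
        """An originating write: the local copy's version number goes up by one."""
        current = self.attrs.get(attr)
        version = current.version + 1 if current else 1
        self.attrs[attr] = AttrValue(version, timestamp, value)

    def receive(self, attr: str, incoming: AttrValue) -> bool:
        """A replicated write: keep the copy with the higher property version number
        (the lesson's collision rule); on equal versions the later write wins.
        Returns True when the local copy changed."""
        current = self.attrs.get(attr)
        if current is None or incoming > current:
            self.attrs[attr] = incoming
            return True
        return False


def replicate(dcs: List[DomainController]) -> None:
    """Full-mesh replication, repeated until no DC accepts any further update."""
    changed = True
    while changed:
        changed = False
        for src in dcs:
            for dst in dcs:
                if src is dst:
                    continue
                for attr, val in list(src.attrs.items()):
                    if dst.receive(attr, val):
                        changed = True


ATTR = "userAccountControl"  # constructed: the attribute an account disable changes


def converged_pair() -> Tuple[DomainController, DomainController]:
    """Two DCs that already hold the same version 1 of the attribute."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write(ATTR, "enabled", timestamp=1)
    replicate([dc1, dc2])
    return dc1, dc2


def higher_version_wins() -> Tuple[str, str]:
    """DC1 changes the attribute twice (version 3) while DC2 changes it once
    (version 2) before either change propagates. DC1's value wins on both DCs
    even though DC2's write is the more recent one."""
    dc1, dc2 = converged_pair()
    dc1.write(ATTR, "disabled", timestamp=10)
    dc1.write(ATTR, "disabled+locked", timestamp=12)
    dc2.write(ATTR, "enabled", timestamp=15)
    replicate([dc1, dc2])
    return dc1.attrs[ATTR].value, dc2.attrs[ATTR].value


def later_write_breaks_tie() -> Tuple[str, str]:
    """Both DCs make one change (version 2 each); the later originating write
    wins, so DC2's re-enable replaces DC1's disable on both DCs."""
    dc1, dc2 = converged_pair()
    dc1.write(ATTR, "disabled", timestamp=10)
    dc2.write(ATTR, "enabled", timestamp=11)
    replicate([dc1, dc2])
    return dc1.attrs[ATTR].value, dc2.attrs[ATTR].value


if __name__ == "__main__":
    print("higher version wins:", higher_version_wins())
    print("tie broken by time :", later_write_breaks_tie())
```

The second scenario is the one a defender should notice: an account disable made on one domain controller can be overridden by an equal-version change made elsewhere before replication completes, which is exactly why the lesson lists the disabling of a user account among the updates that domain controllers replicate immediately rather than on the normal schedule.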

Sites

A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable, fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.

With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites.

Note A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.

On the CD At this point, you should view the multimedia presentation “The Physical Structure of Active Directory,” which is included in the Multimedia folder on the CD accompanying this book.
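Because a site is defined as a set of IP subnets, the question "which site does this client belong to?" reduces to matching the client's address against the subnet list, most specific subnet first; this is how the domain controller locator in Active Directory decides which site's domain controllers a client should authenticate against. The following is an added example, not code from the training kit; the site names, subnets and client addresses are constructed, and the subnet table stands in for the subnet objects an administrator would define in Active Directory Sites and Services.

```python
"""Resolve client IP addresses to Active Directory sites by longest-prefix
subnet match. Added example; not code from the training kit. All site names,
subnets and client addresses below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed subnet-to-site map. A site may own several subnets, and a more
# specific subnet can be carved out of a larger one for a different site.
SITE_SUBNETS: Dict[str, List[str]] = {
    "Chicago": ["10.1.0.0/16"],
    "Chicago-Lab": ["10.1.50.0/24"],          # carved out of Chicago's /16
    "Seattle": ["10.2.0.0/16", "10.3.0.0/16"],
}

# Constructed client addresses, e.g. source addresses from a batch of logon events.
CLIENT_IPS = ["10.1.3.4", "10.1.50.7", "10.2.9.9", "10.3.1.1", "192.168.77.1"]

LookupTable = List[Tuple[ipaddress.IPv4Network, str]]


def build_lookup(site_subnets: Dict[str, List[str]]) -> LookupTable:
    """Flatten the map into (network, site) pairs, longest prefix first, so the
    most specific subnet wins when subnets overlap."""
    table = [(ipaddress.ip_network(net), site)
             for site, nets in site_subnets.items()
             for net in nets]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(ip: str, table: LookupTable) -> Optional[str]:
    """Return the site owning the first (most specific) matching subnet, or None
    when no subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site
    return None


def classify_logons(client_ips: List[str], table: LookupTable) -> Tuple[Dict[str, int], List[str]]:
    """Count clients per site and collect addresses that belong to no site."""
    per_site: Dict[str, int] = {}
    unmapped: List[str] = []
    for ip in client_ips:
        site = site_for(ip, table)
        if site is None:
            unmapped.append(ip)
        else:
            per_site[site] = per_site.get(site, 0) + 1
    return per_site, unmapped


def demo() -> Tuple[Dict[str, int], List[str]]:
    return classify_logons(CLIENT_IPS, build_lookup(SITE_SUBNETS))


if __name__ == "__main__":
    per_site, unmapped = demo()
    print("clients per site:", per_site)
    print("no site defined :", unmapped)
```

The unmapped list is the useful output for an administrator: a client whose address falls outside every defined subnet cannot be placed in a site, so it may authenticate against a domain controller across a slow link, and an unexpected address range showing up there is worth reviewing against the network inventory.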