[Previous] [Next]

Lesson 2: Active Directory Structure and Replication

Active Directory directory services provide a method for designing a directory structure that meets your organization's needs. As a result, before installing Active Directory directory services, examine your organization's business structure and operations. Active Directory directory services completely separate the logical structure of the domain hierarchy from the physical structure.

Many companies have a centralized structure. Typically, these companies have strong IT departments that define and implement the network structure down to the smallest detail. Other organizations, especially large enterprises, are decentralized. These companies have multiple businesses, each of which is quite focused. They need decentralized approaches to managing their business relationships and networks.

After this lesson, you will be able to

• Explain Active Directory structure and replication.

Estimated lesson time: 15 minutes

Logical Structure

In Active Directory directory services, you organize resources in a logical structure. Grouping resources logically enables you to find a resource by its name rather than by its physical location. Since you group resources logically, Active Directory directory services make the network's physical structure transparent to users.

Object

An object is a distinct, named set of attributes that represents a network resource. Object attributes are characteristics of objects in the Directory. For example, the attributes of a user account might include the user's first and last names, department, and e-mail address (see Figure 9.1).

In Active Directory directory services, you can organize objects in classes, which are logical groupings of objects. For example, an object class might be user accounts, groups, computers, domains, or organizational units.

NOTE

---

Some objects, known as containers, can contain other objects. For example, a domain is a container object.

Figure 9.1 Active Directory objects and attributes

Organizational Units

An organizational unit (OU) is a container that you use to organize objects within a domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs (see Figure 9.2).

Figure 9.2 Resources organized in a logical hierarchical structure

The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. The depth of the OU hierarchy is unrestricted. However, a shallow hierarchy performs better than a deep one, so you should not create an OU hierarchy any deeper than necessary.

NOTE

---

You can delegate administrative tasks by assigning permissions to OUs.

Domain

The core unit of logical structure in Active Directory directory services is the domain. Grouping objects into one or more domains allows your network to reflect your company's organization. Domains share these characteristics:

• All network objects exist within a domain, and each domain stores information only about the objects that it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is more practical.
• A domain is a security boundary. Access to domain objects is controlled by access control lists (ACLs). ACLs contain the permissions associated with objects that control which users can gain access to an object and which type of access users can gain to the objects. In Windows 2000, objects include files, folders, shares, printers, and Active Directory objects. All security policies and settings—such as administrative rights, security policies, and ACLs—do not cross from one domain to another. The domain administrator has absolute rights to set policies only within that domain.

A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace:

• Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
• All domains within a single tree share a common schema, which is a formal definition of all object types that you can store in an Active Directory deployment.
• All domains within a single tree share a common global catalog, which is the central repository of information about objects in a tree.

A forest is a grouping or hierarchical arrangement of one or more domain trees that form a disjointed namespace. As such, forests have the following characteristics:

• All trees in a forest share a common schema.
• Trees in a forest have different naming structures, according to their domains.
• All domains in a forest share a common global catalog.
• Domains in a forest operate independently, but the forest enables communication across the entire organization.

The physical structure of Active Directory directory services is based on sites. A site is a combination of one or more IP subnets, which should be connected by a high-speed link. Typically, a site has the same boundaries as a LAN. When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.

With Active Directory directory services, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites.

NOTE

---

A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.

Replication Within a Site

Active Directory directory services also include a replication feature. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. To understand replication, you must understand domain controllers. A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory. A domain can contain one or more domain controllers.

The following list describes the functions of domain controllers:

• Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
• Domain controllers in a domain automatically replicate all objects in the domain to each other. When you perform an action that causes an update to Active Directory directory services, you are actually making the change at one of the domain controllers. The domain controller then replicates the change to all other domain controllers within the domain. You can control replication of traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that Windows 2000 replicates at one time.
• Domain controllers immediately replicate certain important updates, such as a user account being disabled.
• Active Directory directory services use multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the Directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory directory services.
• Domain controllers affect fault tolerance. Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory directory services.
• Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.

Within a site, Active Directory directory services automatically generate a ring topology for replication among domain controllers in the same domain. The topology defines the path for directory updates to flow from one domain con- troller to another until all domain controllers receive the directory updates (see Figure 9.3).

Figure 9.3 Replication topology among domain controllers (DC)

The ring structure ensures that at least two replication paths flow from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers.

Active Directory directory services periodically analyze the replication topology within a site to ensure that it is still efficient. If you add or remove a domain controller from the network or a site, Active Directory directory services reconfigure the topology to reflect the change.

Lesson Summary

In this lesson you learned that Active Directory directory services offer you a method for designing a directory structure to meet the needs of your organization's business structure and operations. Active Directory directory services completely separate the logical structure of the domain hierarchy from the physical structure. Grouping resources logically enables you to find a resource by its name rather than by its physical location. Since you group resources logically, Active Directory directory services make the network's physical structure transparent to users.

You learned that the core unit of logical structure in Active Directory directory services is the domain. All network objects exist within a domain, and each domain stores information only about the objects that it contains. An OU is a container that you use to organize objects within a domain into logical administrative groups, and an OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs. A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace. A forest is a grouping or hierarchical arrangement of one or more trees that form a disjointed namespace.

You also learned that the physical structure of Active Directory directory services is based on sites. A site is a combination of one or more IP subnets, connected by a high-speed link. Active Directory directory services also include replication to ensure that changes to a domain controller are reflected in all domain controllers within a domain. Within a site, Active Directory directory services automatically generate a ring topology for replication among domain controllers in the same domain. The ring structure ensures that at least two replication paths exist from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers. If you add or remove a domain controller from the network or a site, Active Directory directory services reconfigure the topology to reflect the change.