Sunday, October 16, 2011

Active Directory Components

Various Active Directory components are used to build a directory structure that meets the needs of your organization. The following Active Directory components represent logical structures in an organization: domains, organizational units (OUs), trees, and forests. The following Active Directory components represent physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.
Logical Structures
In Active Directory, you organize resources in a logical structure—a structure that mirrors organizational models—using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a resource by its name rather than by remembering its physical location. Because you group resources logically, Active Directory makes the network’s physical structure transparent to users. Figure 1-4 illustrates the relationship of the Active Directory domains, OUs, trees, and forests.

Domains
The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network. These vital objects are items the members of the networked community need in order to do their jobs: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. All network objects exist within a domain, and each domain stores information only about the objects it contains. Active Directory is made up of one or more domains. A domain can span more than one physical location. Domains share the following characteristics:
■ All network objects exist within a domain, and each domain stores information only about the objects that it contains.
■ A domain is a security boundary. Access to domain objects is governed by access control lists (ACLs), which contain the permissions associated with the objects. Such permissions control which users can gain access to an object and what type of access they can gain. In the Windows Server 2003 family, objects include files, folders, shares, printers, and other Active Directory objects. None of the security policies and settings—such as administrative rights, security policies, and ACLs—can cross from one domain to another. You, as the domain administrator, have absolute rights to set policies only within your domain.

OUs
An OU is a container used to organize objects within a domain into a logical administrative group. OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion.

Trees
A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson. Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.

Forests
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
■ All domains in a forest share a common schema.
■ All domains in a forest share a common global catalog.
■ All domains in a forest are linked by implicit two-way transitive trusts.
■ Trees in a forest have different naming structures, according to their domains.
■ Domains in a forest operate independently, but the forest enables communication across the entire organization.

Physical Structures
The physical components of Active Directory are sites and domain controllers. As an administrator, you use these components to develop a directory structure that mirrors the physical structure of your organization.
Sites
A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only subnets that have fast, cheap, and reliable network connections with one another. “Fast” network connections are at least 512 kilobits per second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.
With Active Directory, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites. As shown in Figure 1-8, a single domain can span one or more geographical sites, and a single site can include user accounts and computers belonging to multiple domains.

Domain Controllers
A domain controller is a computer running Windows Server 2003 that stores a replica of the domain directory (local domain database). Because a domain can contain one or more domain controllers, each domain controller in a domain has a complete replica of the domain’s portion of the directory. A domain controller can service only one domain. A domain controller also authenticates user logon attempts and maintains the security policy for a domain.
The following list describes the functions of domain controllers:
■ Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
■ Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that each domain controller replicates at one time.
■ Domain controllers immediately replicate certain important updates, such as the disabling of a user account.
■ Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.
■ Although Active Directory supports multimaster replication, some changes are impractical to perform in multimaster fashion. One or more domain controllers can be assigned to perform single-master replication (operations not permitted to occur at different places in a network at the same time). Operations master roles are special roles assigned to one or more domain controllers in a domain to perform single-master replication.
■ Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute’s property version number, a number specific to an attribute that is initialized upon creation of the attribute. Active Directory resolves the collision by replicating the changed attribute with the higher property version number.
■ Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.
■ Domain controllers manage all aspects of users’ domain interaction, such as locating Active Directory objects and validating user logon attempts.
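The following is an added example, not text or code from the training kit: a small Python model of the multimaster replication and collision handling described in the list above. Two domain controllers accept originating writes to the same attribute, and when the replicas are exchanged the value with the higher property version number wins, regardless of which change was made later. The domain controller names, the object, and the timestamp tie-break for equal version numbers are constructed assumptions.

```python
"""Toy model of Active Directory multimaster replication with collision
detection by property version number (added example, not from the page)."""
from dataclasses import dataclass, field


@dataclass
class AttrValue:
    value: str
    version: int   # property version number; starts at 1 when created
    stamp: float   # originating write time; used only as a tie-break (assumption)


@dataclass
class DomainController:
    name: str
    store: dict = field(default_factory=dict)   # (dn, attribute) -> AttrValue

    def write(self, dn, attr, value, stamp):
        """Originating write: each local change bumps the version number."""
        cur = self.store.get((dn, attr))
        ver = 1 if cur is None else cur.version + 1
        self.store[(dn, attr)] = AttrValue(value, ver, stamp)
        return self.store[(dn, attr)]

    def receive(self, dn, attr, incoming):
        """Replicated write: keep the higher version; equal versions are a
        collision, resolved here by the later originating timestamp."""
        cur = self.store.get((dn, attr))
        if cur is None or incoming.version > cur.version or (
            incoming.version == cur.version and incoming.stamp > cur.stamp
        ):
            self.store[(dn, attr)] = incoming
        return self.store[(dn, attr)]


def replicate(src, dst):
    """Push every attribute of src to dst (a full, one-way replication pass)."""
    for (dn, attr), val in src.store.items():
        dst.receive(dn, attr, val)


def demo():
    """Constructed scenario: DC1 changes the phone number twice (version 3),
    DC2 changes it once but later (version 2). After replication both DCs
    converge on DC1's value because its version number is higher."""
    dn, attr = "CN=jsmith,OU=Sales,DC=contoso,DC=com", "telephoneNumber"
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write(dn, attr, "555-0100", stamp=1.0)    # created: version 1
    replicate(dc1, dc2)                            # DC2 now also holds version 1
    dc1.write(dn, attr, "555-0101", stamp=2.0)    # DC1: version 2
    dc1.write(dn, attr, "555-0102", stamp=3.0)    # DC1: version 3
    dc2.write(dn, attr, "555-0200", stamp=4.0)    # DC2: version 2, later in time
    replicate(dc1, dc2)
    replicate(dc2, dc1)
    return dc1.store[(dn, attr)].value, dc2.store[(dn, attr)].value
```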

Catalog Services—The Global Catalog
Active Directory allows users and administrators to find objects such as files, printers, or users in their own domain. However, finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity. A catalog service contains selected information about every object in all domains in the directory, which is useful in performing searches across an enterprise. The global catalog is the catalog service provided by Active Directory.
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to replicate the global catalog information between global catalog servers in other domains. It stores a full replica of all object attributes in the directory for its host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The partial replica stores attributes most frequently used in search operations (such as a user’s first and last names, logon name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains, ensuring that data in the global catalog is secure.
Global Catalog Functions
The global catalog performs the following two key functions:
■ It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
■ It enables finding directory information regardless of which domain in the forest actually contains the data.

When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon information. If there is only one domain controller in a domain, that domain controller is the global catalog server. If there are multiple domain controllers in the network, one domain controller is configured to hold the global catalog. If a global catalog is not available when a user initiates a network logon process, the user is able to log on only to the local computer unless the site has been specifically configured to cache universal group membership lookups when processing user logon attempts.
Tip: If a user is a member of the Domain Admins group, he or she is able to log on to the network even when the global catalog is not available.
The global catalog is designed to respond to user and programmatic queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic. Because a single global catalog contains information about all objects in all domains in the forest, a query about an object that is not contained in the local domain can be resolved by a global catalog server in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.
The Query Process
A query is a specific request made by a user to the global catalog in order to retrieve, modify, or delete Active Directory data. The following steps, illustrated in Figure 1-9, describe the query process:
1. The client queries its DNS server for the location of the global catalog server.
2. The DNS server searches for the global catalog server location and returns the IP address of the domain controller designated as the global catalog server.
3. The client queries the IP address of the domain controller designated as the global catalog server. The query is sent to port 3268 on the domain controller; standard Active Directory queries are sent to port 389.
4. The global catalog server processes the query. If the global catalog contains the attribute of the object being searched for, the global catalog server provides a response to the client. If the global catalog does not contain the attribute of the object being searched for, the query is referred to Active Directory.
You can configure any domain controller or designate additional domain controllers as global catalog servers. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic.
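The following is an added example, not code from the training kit: a Python model of the query process above. It builds the DNS SRV name a client looks up in step 1 (the real records are `_gc._tcp.<forest>` and `_ldap._tcp.<domain>`), and models step 4 with a global catalog server that holds a full replica of its own domain and a partial replica of the other domains, answering on port 3268 when the attribute is in the partial attribute set and otherwise referring the client to that domain's domain controller on port 389. The forest data, the object names, and the small partial attribute set are constructed assumptions.

```python
"""Toy model of the global catalog query path (added example, not from
the page). Ports 3268 and 389 are the ones the text gives."""

GC_PORT, LDAP_PORT = 3268, 389

# Constructed partial attribute set: the attributes replicated to the global
# catalog (in a real schema this is the isMemberOfPartialAttributeSet flag).
PARTIAL_ATTRIBUTE_SET = {"cn", "givenName", "sn", "sAMAccountName", "mail"}


def srv_record(service, dns_name):
    """Step 1: the SRV name the client asks DNS for, e.g. _gc._tcp.contoso.com."""
    return f"_{service}._tcp.{dns_name}"


class GlobalCatalogServer:
    def __init__(self, host_domain, forest_objects):
        # forest_objects: domain -> {dn: {attribute: value}} (constructed data)
        self.host_domain = host_domain
        self.full = forest_objects[host_domain]            # full replica
        self.partial = {                                    # partial replicas
            dom: {dn: {a: v for a, v in attrs.items() if a in PARTIAL_ATTRIBUTE_SET}
                  for dn, attrs in objs.items()}
            for dom, objs in forest_objects.items() if dom != host_domain
        }

    def query(self, domain, dn, attr):
        """Step 4: answer from the catalog, or refer to the owning domain's DC."""
        if domain == self.host_domain:
            return {"answer": self.full.get(dn, {}).get(attr), "port": GC_PORT}
        obj = self.partial.get(domain, {}).get(dn, {})
        if attr in obj:
            return {"answer": obj[attr], "port": GC_PORT}
        # Not in the global catalog: referral to a DC of that domain on port 389.
        return {"referral": f"ldap://{domain}:{LDAP_PORT}/{dn}", "port": LDAP_PORT}


# Constructed sample forest: a root domain and one child domain.
ANN = "CN=Ann,DC=contoso,DC=com"
BOB = "CN=Bob,DC=eu,DC=contoso,DC=com"
FOREST = {
    "contoso.com": {ANN: {"cn": "Ann", "mail": "ann@contoso.com",
                          "homeDirectory": r"\\srv\ann"}},
    "eu.contoso.com": {BOB: {"cn": "Bob", "mail": "bob@eu.contoso.com",
                             "homeDirectory": r"\\eusrv\bob"}},
}
GC = GlobalCatalogServer("contoso.com", FOREST)
```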
