Windows Server 2003 Active Directory and Network Infrastructure by
Team uCertify
Introduction
Windows Server 2003 Active Directory is a centralized directory database that
stores information about all the resources available in a Windows Server 2003
domain. It is a hierarchical representation of all the objects on the network
and their attributes. It enables administrators to manage network resources,
i.e., computers, users, printers, shared folders, etc., in a consistent way.
The logical structure represented by Active Directory consists of forests,
trees, domains, organizational units, and individual objects. This structure
is independent of the physical structure of the network, so administrators can
organize domains according to organizational needs without regard to the
physical network layout.
Following is the description of all logical components of the Active Directory
structure:
Forest:
A forest is the outermost boundary of an Active Directory structure. It is a
group of one or more domain trees that share a common schema and configuration
partition but do not form a contiguous namespace. It is created when the first
domain controller is installed on a network; every Active Directory deployment
therefore has at least one forest. The first domain in a forest is called the
forest root domain. It controls the schema and domain naming for the entire
forest, and it cannot be removed: deleting the root domain deletes the forest.
The forest, not the domain, is the true security boundary, because an
administrator of any domain in a forest can affect configuration shared by all
of it. Administrators can create multiple forests and then create trust
relationships between specific domains in those forests, or between the forests
themselves, depending upon organizational needs.
Trees:
A hierarchical structure of multiple domains that share a contiguous DNS
namespace within an Active Directory forest is referred to as a tree. It
consists of a root domain and several child domains. The first domain created
in a tree becomes the tree root domain. Any domain added beneath the root
domain becomes its child, and the root domain becomes its parent; a child
domain's DNS name is formed by prefixing a label to its parent's name. The
parent-child hierarchy continues until the terminal node is reached. All
domains in a tree share a common schema, which is defined at the forest level.
Depending upon organizational needs, multiple domain trees can be included in
a forest.
Domains:
A domain is the basic organizational unit of the Windows Server 2003
networking model. It logically organizes the resources on a network and
defines an administrative and replication boundary in Active Directory: each
domain holds its own directory partition and follows its own account policies,
and domains are joined to one another by trust relationships. A domain is not
an isolation boundary against a hostile administrator, however; that boundary
is the forest. The directory may contain more than one domain. Almost all
organizations with a large network use the domain model to centralize security
policy and to let administrators manage the entire network efficiently.
Objects:
Active Directory stores all network resources in the form of objects in a
hierarchical structure of containers and subcontainers, thereby making them
easy to locate and manage. Each object class defines a set of mandatory and
optional attributes. Whenever a new object is created, it takes the attributes
defined by its object class and by the classes that class derives from.
Although Windows Server 2003 Active Directory ships with a default schema of
object classes and attributes, administrators can extend it according to
organizational needs; schema changes are forest-wide, and a schema object
cannot be deleted once created, only deactivated.
Organizational Unit (OU):
An OU is the smallest scope within a domain to which administrative authority
and Group Policy can be assigned. It works as a container into which the
resources of a domain (users, groups, computers and other OUs) can be placed.
Its logical structure usually mirrors an organization's functional or
geographic structure. It allows creating administrative boundaries within a
domain by delegating control over the objects in one OU to selected
administrators without granting them rights over the rest of the domain.
Administrators can create multiple OUs in a domain and can nest them, which
means that other OUs can be created within an OU.
In a large, complex network, the Active Directory service provides a single
point of management by keeping all network resources in one directory. It
allows administrators to delegate administrative tasks effectively and lets
users locate network resources quickly. It is scalable: administrators can add
a large number of resources without a proportional increase in administrative
burden. This is accomplished by partitioning the directory database,
distributing it across domains, and establishing trust relationships, thereby
giving users the benefits of decentralization while maintaining centralized
administration.
The physical structure of Active Directory is far simpler than its logical
structure. The physical components are domain controllers and sites.
Domain Controller:
A Windows Server 2003 computer on which Active Directory is installed and
running is called a domain controller. A domain controller locally resolves
queries for information about objects in its domain. A domain can have
multiple domain controllers. Domain controllers follow a multimaster model:
each domain controller holds a complete, writable replica of its domain's
directory partition (as well as the forest's schema and configuration
partitions). Administrators can use any domain controller to modify the Active
Directory database, and the changes are automatically replicated to the other
domain controllers in the domain.
However, some operations are not safe to perform on more than one domain
controller at a time. Active Directory assigns each such operation to a single
domain controller, referred to as an operations master (also called a flexible
single master operation, or FSMO, role holder). There are five operations
master roles, two of which are forest-wide and three domain-wide.
Forest-wide roles:
There are two forest-wide roles: Schema Master and Domain Naming Master. The
Schema Master is the only domain controller that can write to the schema; its
changes are then replicated to the entire forest. The Domain Naming Master
maintains the integrity of the forest namespace by recording additions of
domains to and deletions of domains from the forest. When a new domain is to
be added to a forest, the Domain Naming Master must be contacted; if it is
unavailable, domains cannot be added or removed.
Domain-wide roles:
There are three domain-wide roles: RID Master, PDC Emulator, and
Infrastructure Master.
RID Master: The RID Master is one of the operations master roles that exist in
each domain in a forest. It allocates pools of relative identifiers (RIDs) to
the domain controllers in its domain, so that no two domain controllers ever
issue the same RID. When a domain controller creates a new security principal
(a user, group or computer), the object is assigned a security identifier
(SID) consisting of the domain SID followed by a RID taken from that domain
controller's pool. The domain SID is constant for every principal in the
domain, whereas the RID is unique to the object. When a domain controller has
nearly exhausted the RIDs in its pool, it requests a new pool from the RID
Master. If a domain controller's pool is exhausted and the RID Master is
unavailable, that domain controller cannot create any new security principals
until the RID Master is reachable again or the role is seized.
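The SID structure this section describes can be seen directly in the objectSid attribute that a domain controller returns over LDAP. The following Python example, added here and not part of the uCertify text, decodes a binary SID, separates the constant domain SID from the RID, and labels well-known RIDs; the sample SID and the short well-known-RID table are constructed for the example and do not come from any real directory.

```python
import struct

# A few of the well-known RIDs present in every AD domain (constructed table
# for this example; the full list is much longer).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    519: "Enterprise Admins",   # only meaningful in the forest root domain
}

def sid_bytes_to_string(blob):
    """Decode a binary SID, as returned in the LDAP objectSid attribute.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then count * 32-bit little-endian
    sub-authorities. For a domain account the last sub-authority is the RID.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d%s" % (revision, authority,
                          "".join("-%d" % s for s in subs))

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID).

    The prefix is identical for every principal in one domain; only the RID
    differs, and RIDs are issued from pools that the RID Master allocates.
    """
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def describe_sid(blob):
    """Summarise an objectSid blob: string form, domain SID, RID, known name."""
    sid = sid_bytes_to_string(blob)
    domain_sid, rid = split_sid(sid)
    return {
        "sid": sid,
        "domain_sid": domain_sid,
        "rid": rid,
        # S-1-5-21-... is the domain-account authority; BUILTIN (S-1-5-32)
        # and other well-known SIDs are not issued from RID pools.
        "is_domain_account": domain_sid.startswith("S-1-5-21-"),
        "well_known": WELL_KNOWN_RIDS.get(rid),
    }

# Constructed objectSid for a fictitious domain's built-in Administrator
# (RID 500); this is not data from any real directory.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01"            # revision 1
    "05"            # five sub-authorities: 21, a, b, c, RID
    "000000000005"  # identifier authority 5 (NT Authority), big-endian
    "15000000"      # 21, little-endian
    "DCF4DC3B"      # a = 1004336348
    "833D2B46"      # b = 1177238915
    "828BA628"      # c = 682003330
    "F4010000"      # RID 500
)

if __name__ == "__main__":
    info = describe_sid(SAMPLE_OBJECTSID)
    print(info["sid"], "->", info["domain_sid"], "RID", info["rid"],
          info["well_known"])
```

The same decoder applies to the SID history values an attacker may inject (sIDHistory) and to the SIDs in Windows security event logs, which is why the domain-SID prefix and the RID are worth separating: the prefix tells you which domain issued the identity, and a RID below 1000 marks a built-in principal.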
PDC Emulator: The PDC emulator is one of the five operations master roles in
Active Directory. In a domain that still contains Windows NT 4.0 backup domain
controllers or down-level clients, it acts as the primary domain controller:
it processes their password changes, replicates those updates to the backup
domain controllers, and runs the domain master browser. It remains important
in a native-mode domain as well. Password changes made on any domain
controller are replicated to the PDC emulator preferentially, so when a domain
controller rejects a logon because of a bad password, it forwards the request
to the PDC emulator before failing it; if the PDC emulator has already
received the new password, the logon succeeds. The PDC emulator also processes
account lockouts, serves as the authoritative time source for the domain, and
is the domain controller on which Group Policy objects are edited by default.
Infrastructure Master: The Infrastructure Master role is one of the operations
master roles in Active Directory. It functions at the domain level and exists
in each domain in the forest. It maintains cross-domain object references, for
example the members of a domain local group whose accounts are in other
domains, by updating the name and SID of the referenced objects when they are
renamed or moved. It compares the references held in its domain with the copy
held by a Global Catalog, which has up-to-date information about the objects
of all domains. When the Infrastructure Master finds an obsolete reference, it
obtains the updated data from the Global Catalog and replicates the correction
to the other domain controllers in the domain. Because of this mechanism, the
Infrastructure Master must not be placed on a domain controller that is itself
a Global Catalog server unless every domain controller in the domain is a
Global Catalog server: a Global Catalog never holds the stale references the
role is meant to detect, so the role silently stops doing its job.
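Each operations master is recorded in the directory as the fSMORoleOwner attribute of a specific object, whose value is the distinguished name of the holder's NTDS Settings object, and a domain controller's Global Catalog status is bit 0x1 of the options attribute on that same NTDS Settings (nTDSDSA) object. The following Python example, added here and not part of the original text, lists where the five roles are recorded and applies the Infrastructure Master placement rule from the paragraph above to constructed sample data; the domain example.com, the servers DC1 to DC3 and their Global Catalog flags are assumptions for the example. In a live directory the same attributes would be read with an LDAP query.

```python
# Bit in the nTDSDSA 'options' attribute that marks a DC as a Global Catalog.
NTDSDSA_OPT_IS_GC = 0x1

def fsmo_role_objects(domain_dn, config_dn):
    """Objects whose fSMORoleOwner attribute records each role holder.

    Reading fSMORoleOwner from these five objects is how tools such as
    'netdom query fsmo' discover the operations masters."""
    return {
        "Schema Master": "CN=Schema," + config_dn,
        "Domain Naming Master": "CN=Partitions," + config_dn,
        "PDC Emulator": domain_dn,
        "RID Master": "CN=RID Manager$,CN=System," + domain_dn,
        "Infrastructure Master": "CN=Infrastructure," + domain_dn,
    }

def server_from_ntds_dn(ntds_dn):
    """'CN=NTDS Settings,CN=DC1,CN=Servers,CN=<site>,CN=Sites,...' -> 'DC1'."""
    # A role owner that points at a demoted-and-deleted DC looks like
    # 'CN=NTDS Settings\0ADEL:<guid>,CN=Deleted Objects,...'. It fails the
    # check below, which is the stale-owner condition fixed by seizing the role.
    rdns = [r.strip() for r in ntds_dn.split(",")]
    if len(rdns) < 2 or rdns[0].upper() != "CN=NTDS SETTINGS":
        raise ValueError("not an NTDS Settings DN: %r" % ntds_dn)
    key, _, value = rdns[1].partition("=")
    if key.upper() != "CN" or not value:
        raise ValueError("unexpected server RDN: %r" % rdns[1])
    return value

def check_infrastructure_master(im_owner_dn, ntds_options):
    """Apply the placement rule.

    im_owner_dn  : fSMORoleOwner of CN=Infrastructure,<domain DN>
    ntds_options : {NTDS Settings DN: options} for every DC in the domain
    'misplaced' is True when the holder is a GC but some DC in the domain is
    not, i.e. the role can no longer see stale cross-domain references."""
    if im_owner_dn not in ntds_options:
        raise ValueError("role owner is not one of the domain's DCs")
    gcs = {dn for dn, opt in ntds_options.items() if opt & NTDSDSA_OPT_IS_GC}
    holder_is_gc = im_owner_dn in gcs
    all_gc = len(gcs) == len(ntds_options)
    return {
        "holder": server_from_ntds_dn(im_owner_dn),
        "holder_is_gc": holder_is_gc,
        "all_dcs_are_gc": all_gc,
        "misplaced": holder_is_gc and not all_gc,
    }

# Constructed sample data for a fictitious forest (not from any real
# directory): three DCs in one domain, two of which are Global Catalogs.
CONFIG_DN = "CN=Configuration,DC=example,DC=com"
DOMAIN_DN = "DC=example,DC=com"

def ntds_dn(server, site="Default-First-Site-Name"):
    return "CN=NTDS Settings,CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (
        server, site, CONFIG_DN)

SAMPLE_NTDS_OPTIONS = {
    ntds_dn("DC1"): NTDSDSA_OPT_IS_GC,   # GC
    ntds_dn("DC2"): 0,                   # not a GC
    ntds_dn("DC3"): NTDSDSA_OPT_IS_GC,   # GC
}
SAMPLE_IM_OWNER = ntds_dn("DC1")   # value of fSMORoleOwner on CN=Infrastructure

if __name__ == "__main__":
    for role, obj in fsmo_role_objects(DOMAIN_DN, CONFIG_DN).items():
        print("%-21s read fSMORoleOwner from %s" % (role, obj))
    print(check_infrastructure_master(SAMPLE_IM_OWNER, SAMPLE_NTDS_OPTIONS))
```

With the sample data the check reports the role as misplaced, because DC1 is a Global Catalog while DC2 is not; moving the role to DC2, or making DC2 a Global Catalog too, clears the condition.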
Domain controllers can also be assigned the role of a Global Catalog server. A
Global Catalog server holds a full, writable replica of its own domain's
directory partition plus a read-only partial replica of every other domain
partition in the forest; the partial replica contains only the attributes most
often searched for (the partial attribute set, which is defined in the
schema). The first domain controller in the forest is a Global Catalog server
by default. It performs the following primary functions regarding logon and
queries within Active Directory:
It enables network logon by providing universal group membership information to
a domain controller when a logon request is initiated.
It enables finding directory information about all the domains in an Active
Directory forest with a single query.
A Global Catalog is required to log on to a network within a multidomain
environment, because universal group membership is stored only in the Global
Catalog and must be evaluated before a user's access token can be built. If
no Global Catalog server can be reached and universal group membership caching
is not enabled for the site, a domain user cannot log on to the domain
(members of the Domain Admins group excepted) and can log on to the local
computer only with cached credentials.
Site: A site is one or more IP subnets that are connected by a fast, reliable
network, typically a LAN. Domain controllers are placed into sites, and a
client computer locates a domain controller in its own site by matching its IP
address against the subnet objects defined in the directory. A network may
contain multiple sites connected by WAN links. Sites are used to control
replication and logon traffic. Replication within a site is referred to as
intrasite replication, and replication between sites is referred to as
intersite replication. Since all domain controllers within a site are
connected by a fast LAN connection, intrasite replication is uncompressed and
is triggered by change notification within seconds, so changes made in the
domain are quickly replicated to the other domain controllers in the site.
Since sites are connected via WAN links, intersite replication is compressed
by default and runs only on the schedule and interval configured on the site
link, so changes take longer to reach domain controllers in other sites.
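Client-to-site assignment works by matching the client's IP address against the subnet objects stored under CN=Subnets,CN=Sites,CN=Configuration; each subnet object is named by its CIDR prefix and its siteObject attribute names the site it belongs to. The following Python example, added here and not part of the original text, reproduces that lookup with longest-prefix matching, including the case of a client whose subnet has not been defined; the subnet and site names are constructed for the example.

```python
import ipaddress

def build_subnet_table(subnet_objects):
    """Parse {cidr: site} pairs, as read from the subnet objects under
    CN=Subnets,CN=Sites,CN=Configuration (the object's name is the CIDR and
    its siteObject attribute points at the site). strict=True rejects a host
    address masquerading as a subnet, e.g. 10.1.0.5/16."""
    return [(ipaddress.ip_network(cidr, strict=True), site)
            for cidr, site in subnet_objects.items()]

def client_site(ip, table):
    """Return the site a client IP belongs to, using longest-prefix match so
    that a more specific subnet wins over an enclosing one. Returns None when
    no subnet object covers the address; Netlogon records such clients as
    NO_CLIENT_SITE, and they may end up authenticating against a domain
    controller in a remote site."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for net, site in table:
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_site = net, site
    return best_site

def unmapped_clients(ips, table):
    """Client addresses that match no subnet object; this is the list to
    review when logons are slow because clients reach a remote DC."""
    return [ip for ip in ips if client_site(ip, table) is None]

# Constructed sample subnet objects for a fictitious forest.
SAMPLE_SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.20.0/24": "HQ-Lab",      # nested inside 10.1.0.0/16, must win
    "192.168.5.0/24": "Branch",
    "2001:db8:1::/64": "HQ",
}
SAMPLE_TABLE = build_subnet_table(SAMPLE_SUBNETS)

if __name__ == "__main__":
    for ip in ("10.1.20.7", "10.1.3.4", "192.168.5.77", "172.16.0.1",
               "2001:db8:1::10"):
        print(ip, "->", client_site(ip, SAMPLE_TABLE))
```

Because the match is longest-prefix, a lab subnet carved out of the HQ range can be given its own site without editing the enclosing subnet object, and an address in a range nobody defined (172.16.0.1 in the sample) is reported rather than silently assigned.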
About the Author
uCertify was formed in 1996 with an aim to offer high quality educational
training software and services in the field of information technology to its
customers. uCertify provides exam preparation solutions for the certification
exams of Microsoft, CIW, CompTIA, Oracle, Sun and other leading IT vendors. To
know more about uCertify, please visit
http://www.ucertify.com/