Lesson 2: Active Directory Structure and Site Replication

Active Directory directory services provide a method for designing a directory structure that meets the needs of your organization. As a result, before installing Active Directory directory services, you should examine your organization's business structure and operations.

Many companies have a centralized structure. Typically, these companies have strong information technology (IT) departments that define and implement the network structure down to the smallest detail. Other organizations, especially large enterprises, are very decentralized. These companies have multiple businesses, each of which is very focused. They need decentralized approaches to managing their business relationships and networks.

With the flexibility of Active Directory directory services, you can create the network structure that best fits your company's needs. Active Directory directory services completely separate the logical structure of the domain hierarchy from the physical structure.

Logical Structure

In Active Directory directory services, you organize resources in a logical structure. Grouping resources logically enables you to find a resource by its name rather than by its physical location. Since you group resources logically, Active Directory directory services make the network's physical structure transparent to users. The logical structure is composed of objects, organizational units, domains, trees, and forests.

Object

An object is a distinct, named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account might include the user's first and last names, department, and e-mail address (see Figure 4.1).

Figure 4.1 Active Directory directory services objects and attributes

In Active Directory directory services, you can organize objects in classes, which are logical groupings of objects. For example, an object class might be user accounts, groups, computers, domains, or organizational units.

Organizational Units

An organizational unit (OU) is a container that you use to organize objects within a domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs (see Figure 4.2).

  • Use OUs to structure Active Directory directory services based on a company's
    • Organizational structure
    • Network administrative model

  • Assign permissions to OUs to delegate administrative control

The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. There are no restrictions on the depth of the OU hierarchy. However, a shallow hierarchy performs better than a deep one, so you should not create an OU hierarchy any deeper than necessary.

NOTE
You can delegate administrative tasks by assigning permissions to OUs.

Figure 4.2 Resources organized in a logical hierarchical structure

Domain

The core unit of logical structure in Active Directory directory services is the domain (see Figure 4.3). Grouping objects into one or more domains allows your network to reflect your company's organization.

Figure 4.3 A domain is the core unit of logical structure.

All network objects exist within a domain, and each domain stores information about only the objects that it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is more practical.

A domain is a security boundary. Access to domain objects is controlled by access control lists (ACLs). ACLs contain the permissions associated with objects, which control which users can gain access to an object and what type of access they can gain. In Windows 2000, objects include files, folders, shares, printers, and Active Directory directory services objects. All security policies and settings—such as administrative rights, security policies, and ACLs—do not cross from one domain to another. The domain administrator has absolute rights to set policies only within that domain.

Tree and Forest

A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains. A forest is a grouping or hierarchical arrangement of one or more trees (see Figure 4.4).

Figure 4.4 Structure of a tree and a forest

Both a tree and a forest are namespaces. Since a namespace is any bounded area in which a name can be resolved, using a common namespace allows you to unify and manage multiple hardware and software environments in your network. There are two types of namespaces:

  • Contiguous namespace. The name of the child object in an object hierarchy always contains the name of the parent domain. A tree is a contiguous namespace because the name of any child object in a tree always contains the name of the parent tree.
  • Disjointed namespace. The names of a parent object and of a child of the same parent object are not directly related to one another. A forest is a disjointed namespace because all trees in a forest do not share a common naming structure.

Since all trees in a forest do not share a common naming structure, you could use a forest to group the various divisions of a company that do not use the same naming scheme and that operate independently, but that need to communicate with an entire organization.
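The namespace rule above can be checked mechanically: in a contiguous namespace every child domain's DNS name ends with its parent's name, so stripping labels from the left of a name until another domain in the set matches finds its parent, and domains with no such parent are tree roots. The following Python script is an added example, not part of this book or of Windows 2000; the domain names it uses (contoso.example, fabrikam.example and their children) are constructed sample data, and the function names are the author's own. One root means a single tree (contiguous); several roots mean a forest (disjointed).

```python
from collections import defaultdict

# Constructed sample: DNS names of domains in a hypothetical forest (not from the book).
DOMAINS = [
    "contoso.example",
    "sales.contoso.example",
    "emea.sales.contoso.example",
    "fabrikam.example",
    "hr.fabrikam.example",
]


def parent_of(name, domains):
    """Return the closest ancestor of `name` within `domains`, or None if it is a tree root.

    In a contiguous namespace the child's DNS name always ends with the
    parent's name, so labels are stripped from the left until a match is found.
    """
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def build_trees(domains):
    """Group domains into trees keyed by their root domain.

    Each tree is a contiguous namespace; several trees together form a
    forest, which is a disjointed namespace (the roots share no common suffix).
    """
    domain_set = set(domains)
    trees = defaultdict(list)
    # Walk shallow names first so each tree's root is listed before its children.
    for d in sorted(domains, key=lambda n: n.count(".")):
        root = d
        while (p := parent_of(root, domain_set)) is not None:
            root = p
        trees[root].append(d)
    return dict(trees)


def is_contiguous(names):
    """True when the names form exactly one tree (a single root)."""
    name_set = set(names)
    roots = [n for n in names if parent_of(n, name_set) is None]
    return len(roots) == 1


def classify_namespace(domains):
    """Describe the namespace formed by `domains` in the lesson's terms."""
    trees = build_trees(domains)
    if len(trees) == 1:
        return "contiguous (single tree)"
    return f"disjointed (forest of {len(trees)} trees)"


if __name__ == "__main__":
    for root, members in build_trees(DOMAINS).items():
        print(f"tree rooted at {root}: {members}")
    print(classify_namespace(DOMAINS))
```

Running the script lists two trees, one rooted at contoso.example and one at fabrikam.example, and classifies the whole set as a forest; restricting the input to the contoso.example names yields a single contiguous tree.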

Sites and Replication Within a Site

A site is a combination of one or more Internet Protocol (IP) subnets, which should be connected by a high-speed link. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only those subnets that have fast, cheap, and reliable network connections with one another. "Fast" network connections are at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient. Defining sites as a set of subnets allows you to configure the Active Directory directory services access and replication topology to take advantage of the physical network.

You create sites for two primary reasons:

  • To optimize replication traffic
  • To enable users to connect to a domain controller by using a reliable, high-speed connection

With Active Directory directory services, sites are not part of the namespace. When you browse the logical namespace, you see computers and users grouped into domains and OUs, not sites. Sites contain only computer objects and connection objects used to configure replication between sites.

NOTE
A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.
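Because a site is defined as a set of IP subnets, the question "which site is this client in?" reduces to finding the defined subnet that contains the client's address. The following Python script is an added example written for this lesson, not code from the book or from Windows 2000; the site names and subnets in it are constructed, and the function names are the author's own. It orders subnets by longest prefix so that a narrower subnet carved out of a larger one is matched first, and it reports addresses that no site covers, since such clients cannot benefit from the site-aware domain controller selection the lesson describes.

```python
import ipaddress

# Constructed sample site definitions (hypothetical, not from the book):
# each site is a set of IP subnets joined by fast, reliable links.
# Portland is a /24 carved out of Seattle's 10.1.0.0/16 to show longest-prefix matching.
SITE_SUBNETS = {
    "Seattle":  ["10.1.0.0/16", "10.2.0.0/16"],
    "Portland": ["10.1.5.0/24"],
    "London":   ["10.10.0.0/16"],
    "Tokyo":    ["192.168.50.0/24"],
}


def build_subnet_table(site_subnets):
    """Flatten the site definitions into (network, site) pairs, most specific first.

    Sorting by prefix length (descending) means an address inside overlapping
    ranges is assigned to the narrowest subnet that contains it.
    """
    table = []
    for site, subnets in site_subnets.items():
        for s in subnets:
            table.append((ipaddress.ip_network(s), site))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(addr, table):
    """Return the site whose subnet contains `addr`, or None if no site covers it."""
    ip = ipaddress.ip_address(addr)
    for network, site in table:
        if ip in network:
            return site
    return None


def uncovered_addresses(addrs, table):
    """Addresses that fall outside every defined site subnet."""
    return [a for a in addrs if site_for_address(a, table) is None]


TABLE = build_subnet_table(SITE_SUBNETS)

if __name__ == "__main__":
    for addr in ["10.1.5.7", "10.1.6.7", "10.10.3.4", "172.16.0.1"]:
        print(f"{addr:>12} -> {site_for_address(addr, TABLE)}")
    print("uncovered:", uncovered_addresses(["10.1.5.7", "172.16.0.1"], TABLE))
```

With the sample data, 10.1.5.7 is placed in Portland rather than Seattle because the /24 is more specific than the /16, 10.1.6.7 falls back to Seattle, and 172.16.0.1 is reported as uncovered.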

Active Directory directory services also include a replication feature. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain (see Figure 4.5).

Figure 4.5 Replication within a site

To understand replication, you must understand domain controllers. A domain controller is a computer running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server that stores a replica of the domain directory. A domain can contain one or more domain controllers. The following list describes the functions of domain controllers:

  • Each domain controller stores a complete copy of all Active Directory directory services information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
  • Domain controllers in a domain automatically replicate all objects in the domain to each other. When you perform an action that causes an update to Active Directory directory services, you are actually making the change at one of the domain controllers. The domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that Windows 2000 replicates at one time.
  • Domain controllers immediately replicate certain important updates, such as a user account being disabled.
  • Active Directory directory services use multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers might hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory directory services.
  • Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory directory services.
  • Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.

Within a site, Active Directory directory services automatically generate a ring topology for replication among domain controllers in the same domain. The topology defines the path for directory updates to flow from one domain controller (DC) to another until all domain controllers receive the directory updates (see Figure 4.6).

Figure 4.6 Replication topology

The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers.

Active Directory directory services periodically analyze the replication topology within a site to ensure that it is still efficient. If you add or remove a domain controller from the network or a site, Active Directory directory services reconfigure the topology to reflect the change.
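The two properties just described, that a ring gives every pair of domain controllers two replication paths and that the topology is regenerated when a domain controller is added or removed, can be made concrete with a small model. The following Python script is an added example written for this lesson, not code from the book or from Windows 2000, and it does not reproduce the real topology generator; the domain controller names DC1 through DC4 are constructed, and the function names are the author's own. It builds the ring, checks whether an update from every online domain controller still reaches every other online one when some are offline, and rebuilds the ring after a domain controller leaves the site.

```python
def ring_topology(dcs):
    """Return the replication connections of a ring over the given domain controllers.

    Each DC replicates with its two neighbours, so any two DCs are joined by
    two disjoint paths around the ring (one in each direction).
    Returns a dict mapping each DC to the set of its replication partners.
    """
    n = len(dcs)
    partners = {dc: set() for dc in dcs}
    if n < 2:
        return partners
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % n]
        partners[dc].add(nxt)
        partners[nxt].add(dc)
    return partners


def reachable_from(source, partners, offline=frozenset()):
    """Set of DCs that an update originating at `source` can reach, skipping offline DCs."""
    if source in offline:
        return set()
    seen = {source}
    frontier = [source]
    while frontier:
        dc = frontier.pop()
        for nbr in partners[dc]:
            if nbr not in seen and nbr not in offline:
                seen.add(nbr)
                frontier.append(nbr)
    return seen


def replication_converges(dcs, partners, offline=frozenset()):
    """True when every online DC can still receive updates from every other online DC."""
    online = set(dc for dc in dcs if dc not in offline)
    return all(reachable_from(src, partners, offline) == online for src in online)


def regenerate_after_removal(dcs, removed):
    """Model the topology being recomputed once a DC has left the site."""
    return ring_topology([dc for dc in dcs if dc != removed])


# Constructed sample: four domain controllers in one site (hypothetical names).
DCS = ["DC1", "DC2", "DC3", "DC4"]
RING = ring_topology(DCS)

if __name__ == "__main__":
    print("partners:", RING)
    print("all online converges:", replication_converges(DCS, RING))
    print("DC3 offline converges:", replication_converges(DCS, RING, offline={"DC3"}))
    print("DC2 and DC4 offline converges:", replication_converges(DCS, RING, offline={"DC2", "DC4"}))
    remaining = [dc for dc in DCS if dc != "DC3"]
    print("ring rebuilt without DC3 converges:",
          replication_converges(remaining, regenerate_after_removal(DCS, "DC3")))
```

With one domain controller offline, replication among the other three still converges because the second path around the ring remains. Taking two non-adjacent domain controllers offline (DC2 and DC4 in the sample) splits the ring and isolates DC1 from DC3, which is why the topology must be regenerated rather than left as it was when a domain controller is permanently removed.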

Lesson Summary

Active Directory directory services provide a method to design a directory structure to meet the needs of your organization's business structure and operations. Active Directory directory services completely separate the logical structure of the domain hierarchy from the physical structure. In Active Directory directory services, grouping resources logically enables you to find a resource by its name rather than by its physical location. Since you group resources logically, Active Directory directory services make the network's physical structure transparent to users.

The core unit of logical structure in Active Directory directory services is the domain. All network objects exist within a domain, and each domain stores information only about the objects that it contains. An organizational unit (OU) is a container that you use to organize objects within a domain into logical administrative groups, and an OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs. A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace, and a forest is a grouping or hierarchical arrangement of one or more trees that form a disjointed namespace.

The physical structure of Active Directory directory services is based on sites. A site is a combination of one or more Internet Protocol (IP) subnets, connected by a high-speed link. Active Directory directory services also include replication to ensure that changes to a domain controller are reflected in all domain controllers within a domain. Within a site, Active Directory directory services automatically generate a ring topology for replication among domain controllers in the same domain. The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers. If you add or remove a domain controller from the network or a site, Active Directory directory services reconfigure the topology to reflect the change.