Domains
Domains group network objects and OUs into a unit with a security boundary. By default, security policies and settings don't flow from one domain to another.
Domain Trees
Domain trees are a hierarchical way to group domains. All domains have, by default, a two-way trust arrangement with all other domains. The domains share a hierarchical naming structure with the child domain name appended to the parent name in the fully-qualified domain name.
Domain Forests
Domain forests are groups of domain trees. The domain trees within the domain forest dont share a naming structure, but a two-way transitive trust is created among the root (top-level) domains in each domain tree. Because the domains within the domain trees are all joined with two-way trusts, in effect, resources become available to any user within the domain forest. Domain trees within the domain forest also share a global catalog.
The domain forest structure is particularly useful in this era of company mergers. If one company buys another company or if two companies decide to merge, an administrator doesn't have to spend hours renaming and restructuring the domains within an organization. By typing DCPromo from the Run command on a 2000 Server and running the wizard, the administrator has the option of joining an existing domain to another domain to form a domain tree or joining an existing domain tree to another to form a domain forest. To see the domains, domain trees, and domain forests in the Active Directory namespace, click Start and select Programs, Administrative Tools, Domain Tree Management.
Physical Domain Structure
The logical domain structure and the physical domain structure don't have to be the same. Active Directory lets you create sites to mirror the physical domain structure. Computers linked with high-speed, reliable network links can be grouped in one site, while computers linked with lower-speed lines can be partitioned into separate sites.
Suppose that you have a department that contains several local subdepartments and several remote subdepartments connected with a slow link. A good logical partitioning would have the department as a domain and each subdepartment represented by an OU. The physical partitioning, however, would group the local domain and local OUs into one site and leave each remote subdepartment as its own separate site.
The physical domain structure is managed with the Active Directory Sites and Services Manager, which you access by clicking Programs, Administrative Tools. Figure 7.5 shows a site that has been automatically configured on a 2000 Server domain controller.
The site has the default name Default-First-Site-Name. To create a new site, highlight Sites and select Action, New Site. Type the new site name (the name must not include spaces), as shown in Figure 7.6.
Highlight a site link name (in this case, there's only one choice, DEFAULTIPSITELINK), then click OK. You've created a new site.
Replication
Active Directory renders obsolete the notion of primary and backup domain controllers. With Active Directory, each controller has a copy of the directory and any controller can initiate and replicate changes. To avoid conflicts, each controller maintains a table of update sequence numbers (USNs) in its database. The tables identify the latest copy of the directory received from every other controller.
Replication can occur at several levels:
Within a domain
Within a site (intrasite)
Between sites
Replication within a domain is automatic and transparent to the administrator. USNs determine the most recent copy of the directory database, and timestamps are used only to break a tie.
You can configure intrasite replication by selecting the NTDS settings of a server (domain controller) as shown in Figure 7.7.
Right-click NTDS Settings, then select New NTDS Connection from the drop-down menu.
From the list of all the domain controllers within the site, select the one to which you wish to replicate, then click OK.
Name the connection in the next box (it's a good idea to use a naming scheme that includes the name of the other domain controller) and click OK. The new connection appears in the right pane of the Active Directory Sites and Services Manager.
A default replication schedule is set automatically. To change the schedule, highlight the connector, and select Properties, Schedule to see a window similar to Figure 7.8.
To change the replication frequency for a time period, highlight the time period, then select one of the four options: None, Once per Hour, Twice per Hour, or Four Times per Hour. As an administrator, you may choose to replicate data between nonvolatile sites (sites where changes are infrequent) less often than the default of four times per hour. On the other hand, if changes on the site are frequent and bandwidth is plentiful, two to four times per hour may be appropriate. You may also stagger peak replication times for different connections (for example, making one connection replicate frequently between noon and 4:00 P.M. and another connection replicate frequently between 4:00 P.M. and 8:00 P.M.). The possibilities are endless.
Special Note: Replication doesn't automatically take place between domains that are not part of the same site, even if they belong to the same domain tree or domain forest. Replication between sites takes place automatically only under the following two conditions:
A second domain controller is installed at site A and then is moved to site B.
A third domain controller is installed at site B, which creates a replication link between the first domain controller at site A and the third domain controller at site B.
Replications are tracked by the up-to-date vector, a number that represents the number of originating writes received from each controller within the domain. (An originating write is a change that has not been replicated, but has originated at the controller itself.) Each controller keeps a copy of the up-to-date vector within its database, along with the USN.
To provide fault tolerance, interdomain replication (within a site) is configured in a ring topology, ensuring there are two possible paths by which a domain controller can receive its directory database. A mechanism known as propagation dampening is used to cut down on the amount of network traffic this topology could generate. To understand this mechanism, let's consider an example.
Let's say you have three controllers: Server A, Server B, and Server C. On Server A, you make three password changes; the USN for this property change is 3, and because these property changes originated on the server itself, they are considered originating writes. The up-to-date vector count is therefore 3.
Let's say that Server A now replicates to Server C. Server C's USN for the property change (the password change on Server A) is incremented by 1. (Let's say that originally this USN was 0, so now it is 1.) However, because the up-to-date vector for this property change is 3 on Server A, the up-to-date vector for the same property change becomes 3 on Server C. The following table summarizes this first replication:
Property change: password change on Server A   Server A   Server B   Server C
USN                                             3          0          0 -> 1
Up-to-date vector                               3          0          0 -> 3
Let's say we now have two more password changes on Server A: the USN becomes 5, and the up-to-date vector becomes 5 as well. A replication now occurs between Server A and Server B. Server B's USN for this property change (the password change on Server A) becomes 1 (assuming again that the USN was 0 before). The up-to-date vector, however, becomes 5 for this property change because it is 5 on Server A. The following table summarizes this second replication:
Property change: password change on Server A   Server A   Server B   Server C
USN                                             5          0 -> 1     1
Up-to-date vector                               5          0 -> 5     3
Now another replication occurs between Server A and Server C. Server C's USN becomes 2, while the up-to-date vector for the property change becomes 5. The following table summarizes this third replication:
Property change: password change on Server A   Server A   Server B   Server C
USN                                             5          1          1 -> 2
Up-to-date vector                               5          5          3 -> 5
Finally, replication occurs between Server C and Server B. Server C's USN is greater (2 rather than 1), but because the up-to-date vector is the same (5), replication of that property change (again, the password change on Server A) doesn't occur. However, Server B's USN is incremented by 1 (which makes it 2). The following table summarizes this last replication:
Property change: password change on Server A   Server A   Server B   Server C
USN                                             5          1 -> 2     2
Up-to-date vector                               5          5          5
Even though this mechanism seems extraordinarily complex for one property change, it reduces a large amount of network traffic when you consider the number of property changes that can occur frequently on an enterprise-level network.
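The four replications walked through above, replayed as an added Python example; this is not code from the book or from Windows 2000 Server. The Controller class, replicate(), snapshot() and run_example() are constructed names, and the model follows the text literally: the receiving controller's USN ticks on every replication, while the up-to-date vector alone decides whether the change is actually applied (the fourth replication, C to B, is the dampened one).

```python
"""Simulation of the USN / up-to-date-vector walk-through above.

Constructed model: Controller, replicate() and run_example() are this example's
own names. As in the text, each controller tracks one property change (the
password change on Server A) with a USN and an up-to-date vector entry.
"""
from dataclasses import dataclass


@dataclass
class Controller:
    name: str
    usn: int = 0  # this controller's USN for the property change
    utd: int = 0  # up-to-date vector: originating writes seen from Server A

    def originating_write(self, count: int) -> None:
        """A change made on this controller: USN and up-to-date vector both advance."""
        self.usn += count
        self.utd += count


def replicate(src: Controller, dst: Controller) -> bool:
    """Replicate the property change from src to dst.

    Following the text, the receiving controller's USN is incremented on every
    replication, but the change itself is applied only when the sender's
    up-to-date vector is ahead of the receiver's. A False return is the
    propagation-dampening case: no directory data needs to cross the wire.
    """
    dst.usn += 1
    if src.utd > dst.utd:
        dst.utd = src.utd
        return True
    return False


def snapshot(*controllers: Controller) -> dict:
    """State in the shape of the tables above: name -> (USN, up-to-date vector)."""
    return {c.name: (c.usn, c.utd) for c in controllers}


def run_example() -> list:
    """Replay the four replications from the text.

    Returns one (label, change_applied, state) tuple per replication.
    """
    a, b, c = Controller("Server A"), Controller("Server B"), Controller("Server C")
    steps = []
    a.originating_write(3)  # three password changes on Server A
    steps.append(("A->C", replicate(a, c), snapshot(a, b, c)))
    a.originating_write(2)  # two more password changes on Server A
    steps.append(("A->B", replicate(a, b), snapshot(a, b, c)))
    steps.append(("A->C", replicate(a, c), snapshot(a, b, c)))
    steps.append(("C->B", replicate(c, b), snapshot(a, b, c)))  # dampened
    return steps


if __name__ == "__main__":
    for label, applied, state in run_example():
        verdict = "applied" if applied else "dampened (up-to-date vectors equal)"
        print(f"{label}: {verdict}")
        for name, (usn, utd) in state.items():
            print(f"    {name}: USN={usn}  up-to-date vector={utd}")
```

Running the script prints the same four states as the tables; the point to take away is that the decision to skip the last replication is made on the up-to-date vector, not on the USN, which is why the higher USN on Server C does not cause a redundant copy of the change to be sent.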
Because domain controllers in 2000 Server are peers, there is always the possibility of collisions, which occur when the same object or item is changed at the same time from two different domain controllers. To avoid this, Active Directory uses property version numbers. When a property on an object is changed, the property version number is incremented. The server to which the change is being replicated looks at the property version number in its local database and makes the change only if its locally stored property version number for that property is lower than the new property version number. If the property version numbers are the same, replication of this property occurs only if the timestamp of the update is later than the timestamp of the existing property version number.
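The version-number rule from this paragraph, written out as an added Python example (not code from the book or from Windows 2000 Server). PropertyValue, should_apply(), change_locally(), receive() and demo(), as well as the phone-number values and timestamps, are all constructed for the illustration; demo() also shows the collision case the paragraph describes, where two controllers change the same property independently and both end up converging on the value with the later timestamp.

```python
"""Property version number / timestamp conflict resolution as described above.

Constructed illustration: the class, functions and sample values are this
example's own, not Microsoft's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PropertyValue:
    value: str
    version: int         # property version number: +1 on every change to the property
    timestamp: datetime  # when the change was made; consulted only on a version tie


def should_apply(local: PropertyValue, incoming: PropertyValue) -> bool:
    """Decide whether a replicated property value replaces the local one.

    Rule from the text: apply when the incoming version number is higher than
    the locally stored one; if the version numbers are equal (a collision, the
    same property changed on two controllers), apply only if the incoming
    update's timestamp is later than the local one.
    """
    if incoming.version != local.version:
        return incoming.version > local.version
    return incoming.timestamp > local.timestamp


def change_locally(current: PropertyValue, new_value: str, when: datetime) -> PropertyValue:
    """An originating write on this controller bumps the property version number."""
    return PropertyValue(new_value, current.version + 1, when)


def receive(local: PropertyValue, incoming: PropertyValue) -> PropertyValue:
    """Value a controller holds after processing one replicated update."""
    return incoming if should_apply(local, incoming) else local


def demo() -> dict:
    """Four scenarios; each key maps to True when the rule behaved as the text says."""
    t0 = datetime(2000, 2, 17, 12, 0, tzinfo=timezone.utc)  # constructed time
    base = PropertyValue("555-0100", version=4, timestamp=t0)
    # DC1 changes the property: version 4 -> 5 at 12:05
    from_dc1 = change_locally(base, "555-0101", t0.replace(minute=5))
    # DC2 changes the same property from the same starting point: version 5 at 12:07
    from_dc2 = change_locally(base, "555-0102", t0.replace(minute=7))

    results = {}
    # Ordinary replication: a controller still holding version 4 accepts version 5
    results["newer_version_applied"] = receive(base, from_dc1) is from_dc1
    # A stale version 4 arriving at a controller holding version 5 is ignored
    results["stale_version_ignored"] = receive(from_dc1, base) is from_dc1
    # Collision seen from DC1: equal versions, DC2's timestamp is later, DC2 wins
    results["tie_later_timestamp_wins"] = receive(from_dc1, from_dc2) is from_dc2
    # Collision seen from DC2: DC1's timestamp is earlier, DC2 keeps its own value
    results["tie_earlier_timestamp_loses"] = receive(from_dc2, from_dc1) is from_dc2
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'ok' if ok else 'unexpected'}")
```

Because both sides of the collision apply the same version-then-timestamp comparison, DC1 and DC2 finish holding the same value without any further negotiation, which is what makes the multi-master model workable.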