Learn more at amazon.com
Windows Server 2003 Active Directory is a centralized database that stores the collection of information about all the resources available on the Windows Server 2003 domain. It is a hierarchical representation of all the objects and their attributes available on the network.
Windows Server 2003 Active Directory enables administrators to manage the network resources, i.e., computers, users, printers, shared folders, etc., in an easy way. The logical structure represented by Active Directory consists of forests, trees, domains, organizational units, and individual objects. This structure is completely independent from the physical structure of the network, and allows administrators to manage domains according to the organizational needs without bothering about the physical network structure.
Following is the description of all logical components of the Active Directory structure:
Forest: A forest is the outermost boundary of an Active Directory structure. It is a group of multiple domain trees that share a common schema but do not form a contiguous namespace. It is created when the first Active Directory-based computer is installed on a network.
There is at least one forest on a network. The first domain in a forest is called a root domain. It controls the schema and domain naming for the entire forest. It can be separately removed from the forest. Administrators can create multiple forests and then create trust relationships between specific domains in those forests, depending upon the organizational needs.
Trees: A hierarchical structure of multiple domains organized in the Active Directory forest is referred to as a tree. It consists of a root domain and several child domains. The first domain created in a tree becomes the root domain. Any domain added to the root domain becomes its child, and the root domain becomes its parent.
The parent-child hierarchy continues until the terminal node is reached. All domains in a tree share a common schema, which is defined at the forest level. Depending upon the organizational needs, multiple domain trees can be included in a forest.
Domains: A domain is the basic organizational structure of a Windows Server 2003 networking model. It logically organizes the resources on a network and defines a security boundary in Active Directory. The directory may contain more than one domain, and each domain follows its own security policy and trust relationships with other domains.
Almost all the organizations having a large network use domain type of networking model to enhance network security and enable administrators to efficiently manage the entire network.
Objects: Active Directory stores all network resources in the form of objects in a hierarchical structure of containers and subcontainers, thereby making them easily accessible and manageable. Each object class consists of several attributes.
Whenever a new object is created for a particular class, it automatically inherits all attributes from its member class. Although the Windows Server 2003 Active Directory defines its default set of objects, administrators can modify it according to the organizational needs.
Organizational Unit (OU): It is the least abstract component of the Windows Server 2003 Active Directory. It works as a container into which resources of a domain can be placed. Its logical structure is similar to an organization's functional structure. It allows creating administrative boundaries in a domain by delegating separate administrative tasks to the administrators on the domain.
Administrators can create multiple Organizational Units in the network. They can also create nesting of OUs, which means that other OUs can be created within an OU. In a large complex network, the Active Directory service provides a single point of management for the administrators by placing all the network resources at a single place. It allows administrators to effectively delegate administrative tasks as well as facilitate fast searching of network resources.
It is easily scalable, i.e., administrators can add a large number of resources to it without having additional administrative burden. It is accomplished by partitioning the directory database, distributing it across other domains, and establishing trust relationships, thereby providing users with benefits of decentralization, and at the same time, maintaining the centralized administration.
The physical network infrastructure of Active Directory is far too simple as compared to its logical structure. The physical components are domain controllers and sites.
Domain Controller: A Windows 2003 server on which Active Directory services are installed and run is called a domain controller. A domain controller locally resolves queries for information about objects in its domain. A domain can have multiple domain controllers. Each domain controller in a domain follows the multimaster model by having a complete replica of the domain's directory partition.
In this model, every domain controller holds a master copy of its directory partition. Administrators can use any of the domain controllers to modify the Active Directory database. The changes performed by the administrators are automatically replicated to other domain controllers in the domain.
However, there are some operations that do not follow the multimaster model. Active Directory handles these operations and assigns them to a single domain controller to be accomplished. Such a domain controller is referred to as operations master. The operations master performs several roles, which can be forest-wide as well as domain-wide.
Forest-wide roles: There are two types of forest-wide roles:
Schema Master and Domain Naming Master. The Schema Master is responsible for maintaining the schema and distributing it to the entire forest. The Domain Naming Master is responsible for maintaining the integrity of the forest by recording additions of domains to and deletions of domains from the forest. When new domains are to be added to a forest, the Domain Naming Master role is queried. In the absence of this role, new domains cannot be added.
Domain-wide roles: There are three types of domain-wide roles: RID Master, PDC Emulator, and Infrastructure Master.
RID Master: The RID Master is one of the operations master roles that exist in each domain in a forest. It controls the sequence number for the domain controllers within a domain. It provides a unique sequence of RIDs to each domain controller in a domain. When a domain controller creates a new object, the object is assigned a unique security ID consisting of a combination of a domain SID and a RID.
The domain SID is a constant ID, whereas the RID is assigned to each object by the domain controller. The domain controller receives the RIDs from the RID Master. When the domain controller has used all the RIDs provided by the RID Master, it requests the RID Master to issue more RIDs for creating additional objects within the domain. When a domain controller exhausts its pool of RIDs, and the RID Master is unavailable, any new object in the domain cannot be created.
PDC Emulator: The PDC emulator is one of the five operations master roles in Active Directory. It is used in a domain containing non-Active Directory computers. It processes the password changes from both users and computers, replicates those updates to backup domain controllers, and runs the Domain Master browser.
When a domain user requests a domain controller for authentication, and the domain controller is unable to authenticate the user due to bad password, the request is forwarded to the PDC emulator. The PDC emulator then verifies the password, and if it finds the updated entry for the requested password, it authenticates the request.
Infrastructure Master: The Infrastructure Master role is one of the Operations Master roles in Active Directory. It functions at the domain level and exists in each domain in the forest. It maintains all inter-domain object references by updating references from the objects in its domain to the objects in other domains. It performs a very important role in a multiple domain environment.
It compares its data with that of a Global Catalog, which always has up-to-date information about the objects of all domains. When the Infrastructure Master finds data that is obsolete, it requests the global catalog for its updated version. If the updated data is available in the global catalog, the Infrastructure Master extracts and replicates the updated data to all the other domain controllers in the domain.
Domain controllers can also be assigned the role of a Global Catalog server. A Global Catalog is a special Active Directory database that stores a full replica of the directory for its host domain and the partial replica of the directories of other domains in a forest. It is created by default on the initial domain controller in the forest. It performs the following primary functions regarding logon capabilities and queries within Active Directory:
- It enables network logon by providing universal group membership information to a domain controller when a logon request is initiated.
- It enables finding directory information about all the domains in an Active Directory forest.
A Global Catalog is required to log on to a network within a multidomain environment. By providing universal group membership information, it greatly improves the response time for queries. In its absence, a user will be allowed to log on only to his local domain if his user account is external to the local domain.
Site: A site is a group of domain controllers that exist on different IP subnets and are connected via a fast and reliable network connection. A network may contain multiple sites connected by a WAN link. Sites are used to control replication traffic, which may occur within a site or between sites. Replication within a site is referred to as intrasite replication, and that between sites is referred to as intersite replication.
Since all domain controllers within a site are generally connected by a fast LAN connection, the intrasite replication is always in uncompressed form. Any changes made in the domain are quickly replicated to the other domain controllers. Since sites are connected to each other via a WAN connection, the intersite replication always occurs in compressed form. Therefore, it is slower than the intrasite replication.
uCertify was formed in 1996 with an aim to offer high quality educational training software and services in the field of information technology to its customers. uCertify provides exam preparation solutions for the certification exams of Microsoft, CIW, CompTIA, Oracle, Sun and other leading IT vendors. To know more about uCertify, please visit uCertify.com
Learn more at amazon.com