Although domains, trees, and forests are logical representations of your organization, sites and domain controllers represent the physical structure of your network.
A site is one or more IP subnets that are connected by a high-speed link, typically defined by a geographical location. For example, say you have a four-story office building. Although the building includes several subnets, all of the computers within the building use layer-2 and layer-3 switches to communicate with each other. If you have multiple sites, each site is connected to the other sites over a much slower WAN link (at least slower than the LAN speeds you would find within an individual site). You can then define various network traffic patterns based on how the sites are defined.
When a user logs on, Active Directory clients locate an Active Directory server (using the DNS SRV resource records) known as a domain controller in the same site as the computer.
Each domain has its own set of domain controllers to provide access to the domain resources, such as users and computers.
For fault tolerance, a site should have two or more domain controllers. That way, if one domain controller fails, the other domain controller can still service the clients. Note that whenever an object (such as a username or password) is modified, it is automatically replicated to the other domain controllers within a domain.
A domain controller is a Windows server that stores a replica of the account and security information for the domain and defines the domain boundaries. To make a computer running Windows Server 2008 a domain controller, you must install the Active Directory Domain Services and execute the dcpromo (short for dc promotion) command.
After you have promoted a computer to a domain controller, you can use several MMC snap-in consoles to manage Active Directory. These consoles are as follows:
• Active Directory Users and Computers: Used to manage users, groups, computers, and organizational units.
• Active Directory Domains and Trusts: Used to administer domain trusts, domain and forest functional levels, and user principal name (UPN) suffixes.
• Active Directory Sites and Services: Used to administer replication of directory data among all sites in an Active Directory Domain Services (AD DS) forest (Figure 5-5).
Figure 5-5
Active Directory Sites and Services console
c05EssentialServices.indd Page 140 12/10/10 8:39:34 PM user-f391
Essential Services | 141
• Active Directory Administrative Center: Used to administer and publish information in the directory, including managing users, groups, computers, domains, domain controllers, and organizational units. Active Directory Administrative Center is new in Windows Server 2008 R2.
• Group Policy Management Console (GPMC): Provides a single administrative tool for managing Group Policy across the enterprise. GPMC is automatically installed in Windows Server 2008 and subsequent domain controllers but must be downloaded and installed on Windows Server 2003 domain controllers.
Although these tools are installed on domain controllers, they can also be installed on client PCs so that you can manage Active Directory without logging on to a domain controller.
A server that is not running as a domain controller is known as a member server. To demote a domain controller to a member server, you would rerun the dcpromo program.
The replication path, or site topology, within a site is automatically managed by a service called the Knowledge Consistency Checker (KCC). Typically, replication within sites happens more quickly than replication between sites. The Active Directory Sites and Services MMC snap-in allows you to control intersite replication. You can use it to create site-link bridge objects and to configure replication patterns.
Within Active Directory, you need to define each subnet. Once you have done this, Active Directory can figure out the best way to replicate information locally and between sites.
To minimize traffic across a WAN link, bridgehead servers perform directory replication between two sites, so that only the two designated domain controllers (one in each site) talk to each other across the link. If you have domain controllers from multiple domains, you will have a bridgehead server for each domain.
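The following PowerShell script is an added example (not from the textbook) that audits every site in the current forest against the guidance above: a subnet defined for each site, at least two domain controllers per site, and a global catalog available locally. It uses the .NET System.DirectoryServices.ActiveDirectory classes, which work on Windows Server 2008 R2 without the ActiveDirectory PowerShell module; the finding strings are this example's own wording.

```powershell
# Added example, not from the textbook: audit each site in the current forest
# for the fault-tolerance and placement guidance given in the text.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$report = foreach ($site in $forest.Sites) {
    # Servers in a site are DomainController objects; IsGlobalCatalog()
    # queries each DC over the network, so this takes a moment in a large forest.
    $dcs     = @($site.Servers)
    $gcs     = @($dcs | Where-Object { $_.IsGlobalCatalog() })
    $subnets = @($site.Subnets | ForEach-Object { $_.Name })

    $findings = @()
    if ($subnets.Count -eq 0) { $findings += 'no subnet: clients cannot be matched to this site at logon' }
    if ($dcs.Count -eq 0)     { $findings += 'no DC: logons depend on a DC in another site' }
    elseif ($dcs.Count -lt 2) { $findings += 'single DC: no fault tolerance for this site' }
    if ($gcs.Count -eq 0)     { $findings += 'no GC: consider universal group membership caching' }

    # New-Object PSObject keeps the script compatible with PowerShell 2.0
    New-Object PSObject -Property @{
        Site     = $site.Name
        Subnets  = ($subnets -join ', ')
        DCs      = $dcs.Count
        GCs      = $gcs.Count
        Findings = ($findings -join '; ')
    }
}

$report | Select-Object Site, Subnets, DCs, GCs, Findings | Format-Table -AutoSize
```

Run it from a domain-joined machine as a user who can read the Configuration partition; sites with an empty Findings column meet all three checks.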
FLEXIBLE SINGLE MASTER OPERATIONS
Active Directory uses multimaster replication, which means that there is no single master domain controller (the role the primary domain controller played in Windows NT domains). However, because certain functions can be handled by only one domain controller at a time, Active Directory uses Flexible Single Master Operations (FSMO) roles, also known as operations master roles. See Table 5-1 and Figure 5-6.
Table 5-1
FSMO roles (role name, scope, and description)
• Schema Master (1 per forest): Controls and handles updates/modifications to the Active Directory schema.
• Domain Naming Master (1 per forest): Controls the addition and removal of domains from the forest (if present in the root domain).
• PDC Emulator (1 per domain): PDC is short for Primary Domain Controller, which was the main domain controller used with Windows NT. The PDC emulator provides backwards compatibility for NT4 clients. It also acts as the primary server for password changes and as the master time server within the domain.
• RID Master (1 per domain): Allocates pools of unique identifiers to domain controllers for use when creating objects.
• Infrastructure Master (1 per domain): Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server unless all DCs are also GCs.
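As an added example (not from the textbook), the following PowerShell script lists the holders of the five roles in Table 5-1 for the forest and every domain, and checks the infrastructure master rule from the table: the role holder must not be a global catalog unless every DC in the domain is one. It uses the .NET System.DirectoryServices.ActiveDirectory classes available on Windows Server 2008 R2.

```powershell
# Added example, not from the textbook: enumerate FSMO role holders and
# check the infrastructure master / global catalog rule from Table 5-1.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Write-Output ("Forest {0}" -f $forest.Name)
Write-Output ("  Schema Master        : {0}" -f $forest.SchemaRoleOwner.Name)
Write-Output ("  Domain Naming Master : {0}" -f $forest.NamingRoleOwner.Name)

foreach ($domain in $forest.Domains) {
    Write-Output ("Domain {0}" -f $domain.Name)
    Write-Output ("  PDC Emulator         : {0}" -f $domain.PdcRoleOwner.Name)
    Write-Output ("  RID Master           : {0}" -f $domain.RidRoleOwner.Name)
    Write-Output ("  Infrastructure Master: {0}" -f $domain.InfrastructureRoleOwner.Name)

    # A GC already holds a partial replica of every object in the forest, so an
    # infrastructure master running on a GC never notices stale cross-domain
    # references and stops updating them, unless every DC is also a GC.
    $dcs   = @($domain.DomainControllers)
    $nonGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog() })
    if ($domain.InfrastructureRoleOwner.IsGlobalCatalog() -and $nonGC.Count -gt 0) {
        Write-Warning ("{0}: infrastructure master is a GC but {1} of {2} DC(s) are not" -f `
            $domain.Name, $nonGC.Count, $dcs.Count)
    }
}
```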
142 | Lesson 5
LOOKING AT GLOBAL CATALOGS
Because the domain controller only has information for the domain and does not store a copy of the objects for other domains, you still need a way to find and access objects in other domains within your tree and forest. A global catalog replicates the information of every object in a tree and forest. However, instead of storing the entire object, it stores just those attributes that are most frequently used in search operations, such as a user’s first and last name, computer name, and so forth. By default, a global catalog is created automatically on the first domain controller in the forest, but any domain controller can be made into a global catalog. See Figure 5-7.
Figure 5-6
Domain-level FSMO roles
Figure 5-7
Configuring a domain controller as a global catalog
Beyond being used to find objects in a forest, global catalogs are also used during user authentication as follows:
• In Windows 2000 native mode and above domain functional levels, domain controllers must request universal group membership enumeration from a global catalog server.
• When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name. A UPN follows the same format as an email address (i.e., [email protected]).
Last, a global catalog is needed for universal group membership caching. In a forest that has more than one domain, and in sites that have domain users but no global catalog server, universal group membership caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site. Besides having a global catalog in each geographical site, it is a best practice to enable universal group membership caching in each geographic site.
DEFINING FUNCTIONAL LEVELS
In Active Directory, you can have domain controllers running different versions of Windows servers, such as Windows 2000, Windows Server 2003, or Windows Server 2008.
The functional level of a domain or forest depends on which Windows Server operating system versions are running on the domain controllers in that domain or forest. The functional level also controls which advanced features are available in the domain or forest.
To get all of the features available with Active Directory, you must have the latest version of the Windows Server operating system, and you have to use the highest forest and domain functional level. Of course, you must take care before migrating to the higher functional level because doing so may close out some legacy features that were only available with the older functional levels. Upgrading to a higher functional level is a one-way process that cannot be reversed.
The six domain functional levels available at the time of this writing include:
• Windows 2000 mixed (the default in Windows Server 2003)
• Windows 2000 native
• Windows Server 2003 interim
• Windows Server 2003
• Windows Server 2008
• Windows Server 2008 R2
Setting the functional level for a domain enables features that affect the entire domain and that domain only. If all domain controllers in a domain are running Windows Server 2008 R2 and the functional level is set to Windows Server 2008 R2, all domain-wide features are available.
The five forest functional levels available at the time of this writing include:
• Windows 2000 (the default in Windows Server 2003 and Windows Server 2008)
• Windows Server 2003 interim
• Windows Server 2003 (the default in Windows Server 2008 R2)
• Windows Server 2008
• Windows Server 2008 R2
Setting the functional level for a forest enables features across all the domains within the forest. Also, if all domain controllers in a forest are running Windows Server 2008 R2 and the functional level is set to Windows Server 2008 R2, all forest-wide features are available.
For example, although Windows 2000 mixed mode can support Windows NT 4.0 backup domain controllers, if you upgrade to Windows 2000 native, you can use universal security groups, group nesting (groups inside other groups), and security identifier (SID) history capabilities. The Windows Server 2003 domain functional level supports the LastLogonTimestamp attribute, which is updated with the last logon time of the user or computer and is replicated within the domain. By running at the Windows Server 2008 R2 domain functional level, Active Directory supports a Recycle Bin to undelete deleted objects.
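Because raising a functional level is one-way, it pays to check first which level the oldest domain controller still permits. The following PowerShell script is an added example (not from the textbook) that reports the current forest and domain levels, each DC's operating system, and whether the Recycle Bin mentioned above is enabled. It uses the .NET System.DirectoryServices.ActiveDirectory classes plus the ActiveDirectory module that ships with Windows Server 2008 R2; the mapping from OS version string to level rank is a simplification assumed for this example (interim levels are omitted).

```powershell
# Added example, not from the textbook: read-only pre-flight check before
# raising a domain or forest functional level.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Output ("Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode)

# Assumed simplification: rank each DC's OS; a domain can be raised no higher
# than the level its oldest DC supports.
$levels = @('Windows 2000', 'Windows Server 2003', 'Windows Server 2008', 'Windows Server 2008 R2')

foreach ($domain in $forest.Domains) {
    Write-Output ("Domain {0}: functional level {1}" -f $domain.Name, $domain.DomainMode)
    $oldest = 3
    foreach ($dc in $domain.DomainControllers) {
        $os = $dc.OSVersion   # display string, e.g. "Windows Server 2008 R2 Enterprise"
        $rank = switch -Regex ($os) {
            '2008 R2' { 3; break }   # must be tested before the plain '2008' pattern
            '2008'    { 2; break }
            '2003'    { 1; break }
            default   { 0 }
        }
        if ($rank -lt $oldest) { $oldest = $rank }
        Write-Output ("  {0,-35} {1}" -f $dc.Name, $os)
    }
    Write-Output ("  Highest domain level the current DCs allow: {0}" -f $levels[$oldest])
}

# The Recycle Bin requires the Windows Server 2008 R2 forest level and is enabled
# as a separate, irreversible step; report whether that has been done.
Import-Module ActiveDirectory
$rb = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin*"'
if ($rb -and @($rb.EnabledScopes).Count -gt 0) { Write-Output 'Recycle Bin: enabled' }
else { Write-Output 'Recycle Bin: not enabled' }
```

The script only reads the directory; raising the level itself is done in Active Directory Domains and Trusts, as the text describes, once the report shows every DC supports the target level.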
MORE INFORMATION For a list of functions available with each domain and forest functional level, visit the following Web site:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx