
What Does the Active Directory Do?

Introduction to Active Directory Technology and Deployment Planning

The Active Directory is a directory service: it provides a number of different
services relating to the organized storage of network resources. The following points
highlight some of the Active Directory's features:
Organized Approach: The Active Directory brings order to your network by
organizing network resources, such as user accounts, group accounts, shared
folders, printers, and so on. With the Active Directory, users can quickly find the
information they need.
Ease of Administration: Windows 2000 networks no longer use primary
domain controllers (PDCs) and backup domain controllers (BDCs). All domain
controllers are peers in a multi-master model, so a change made on any one of them
replicates to the rest. This gives you a single point of administration and good
fault tolerance: the loss of one domain controller does not stop the domain.
Removes Topology from Users: The Active Directory helps remove knowledge
of the network topology from end users. End users do not have to know which
server holds which resource or where it is located on the network.
The Active Directory contains powerful query capabilities, so users can search the
directory to find the resources they need.
Reduction of NT Domains: This is the part where all Windows NT network
administrators cringe. A major goal of the Active Directory is to make large
networks more manageable, and part of that lofty goal is to reduce the number
of NT domains. The Active Directory does not have the Windows NT SAM's practical
limit on user and group accounts (the directory scales to millions of objects), and
because of its design, many networks that currently need several NT domains need
only one Windows 2000 domain.

Growth Potential: Two buzzwords thrown around about the Active Directory are
scalability and extensibility. Scalability means that a service can grow with the
needs of your network: the Active Directory works on a network of a few hundred
computers or on a network of many thousands of computers. Extensibility means
that a service can be extended: the Active Directory can be extended in terms of
its namespace (by adding domains and trees) and in terms of the objects and
attributes it can contain (by extending the schema).

Standardization: The Active Directory is built entirely on networking and
protocol standards that already exist and are heavily used. In other words, there
are no totally new standards that must be mastered. The Active Directory runs on
a TCP/IP network, which is the networking protocol of choice these days, and it is
completely integrated with Domain Name System (DNS) and Lightweight Directory
Access Protocol (LDAP), both of which are explored in detail later in this book.
Network Control: The Active Directory offers a very fine level of network
management, both in terms of server management and desktop management.
Through Windows 2000's Group Policy, you can manage network user desktop
configurations much more easily and effectively. Through the Active Directory, you
can finely control resource security and even delegate administrative tasks to other
people through Delegation of Control.

What Is a Domain Controller?

A domain controller is a server that holds the domain's account database and
authenticates the users and computers of that domain. Trust relationships let a user
who logs on to one domain access resources in another domain. If one server
performing the domain controller role is lost, the domain can still function as long
as another domain controller for that domain remains available.
Early versions of Windows such as Windows NT had one writable domain controller
per domain, called the primary domain controller (PDC). All other domain controllers
were backup domain controllers (BDCs) holding read-only copies; if the PDC became
unavailable, the administrator promoted a BDC to take over the PDC role.
Windows 2000 does not have a primary domain controller, because the PDC and BDC
roles are replaced by Active Directory multi-master replication. The domain
controllers in a Windows 2000 domain are peers: each one holds a full, writable copy
of the directory database, and changes made on any of them replicate to the others.

Global catalog servers

Global catalog servers contain a full replica of the Active Directory objects in their
own domain and a partial, read-only replica (a subset of the attributes) of every
object in the other domains of the forest. As I mentioned in the previous section,
when you install the root domain in a forest, the first domain controller becomes a
global catalog server by default. You can check out Chapter 1 for a complete
overview of global catalog servers.

In order to plan the placement of global catalog servers in your implementation, you
have to step away from the logical structure planning and examine your physical
structure planning. Sites are maintained in the Active Directory to help control user
and replication traffic over slower WAN links. For global catalogs, the best
configuration is to have one global catalog server at each site. This will increase
replication traffic somewhat, but users will experience the best logon and query
performance this way, and logons will not depend on a WAN link to reach a global
catalog. As you are making notes and planning your deployment, make a note that a
global catalog server should ideally reside in each physical site.

LDAP (Lightweight Directory Access Protocol)

How does LDAP work?
The LDAP directory service is based on a client-server model. One or more LDAP servers
contain the data making up the LDAP directory tree (the LDAP back-end database). An
LDAP client connects to an LDAP server and sends it a request, typically a search
that names a base entry, a scope, and a filter. The server responds with the result,
or with a referral that points the client to where it can get the information
(typically, another LDAP server). No matter which LDAP server a client connects to, it
sees the same view of the directory; a name presented to one LDAP server
references the same entry it would at another LDAP server. This is an important
feature of a global directory service such as LDAP.
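The search filter is the part of an LDAP request into which user input usually flows, so the example below (added here; it is not part of the original text or of any Microsoft tooling) shows how a client should build one. It escapes user-supplied values per RFC 4515 and then runs both the safe filter and a naively concatenated one against a small constructed in-memory directory, using a tiny evaluator for the &, | and equality/wildcard subset of the filter grammar. The entries, the helper names and the injection string are assumptions made for illustration.

```python
# Added example, not part of the original text: safe LDAP filter construction
# (RFC 4515 escaping) and a tiny in-memory matcher that shows what goes wrong
# without it. Attribute names follow Active Directory; entries are constructed.


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    '*', '(', ')', '\\' and NUL become a backslash plus two hex digits (non-ASCII
    text is escaped byte by byte), so the value can never be read as filter syntax.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in (0x2A, 0x28, 0x29, 0x5C, 0x00) or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_lookup_filter(sam_account_name: str) -> str:
    """Filter that should match exactly one user by sAMAccountName."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def unsafe_user_lookup_filter(sam_account_name: str) -> str:
    """Same filter by plain concatenation: open to LDAP injection (do not do this)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % sam_account_name


# --- minimal evaluator for the subset used above: &, |, equality, '*' wildcards ---

def _parse(filt, i):
    """Parse the sub-filter starting at filt[i] == '('; return (node, next_index)."""
    if filt[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if filt[i] in "&|":
        op, children = filt[i], []
        i += 1
        while filt[i] == "(":
            child, i = _parse(filt, i)
            children.append(child)
        if filt[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    j = filt.index(")", i)            # an escaped ')' is written \29, never literally
    attr, _, value = filt[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def _segments(value):
    """Split an assertion value at unescaped '*' and decode \\hh escapes."""
    segs, cur, i = [], bytearray(), 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 2 < len(value) and all(h in "0123456789abcdefABCDEF" for h in value[i + 1:i + 3]):
            cur.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif c == "*":
            segs.append(cur.decode("utf-8"))
            cur = bytearray()
            i += 1
        else:
            cur.extend(c.encode("utf-8"))
            i += 1
    segs.append(cur.decode("utf-8"))
    return segs


def _match(segs, text):
    """Case-insensitive match of text against literal segments separated by '*'."""
    text, segs = text.lower(), [s.lower() for s in segs]
    if len(segs) == 1:
        return text == segs[0]
    if not text.startswith(segs[0]) or not text.endswith(segs[-1]):
        return False
    pos, end = len(segs[0]), len(text) - len(segs[-1])
    if pos > end:
        return False
    for mid in segs[1:-1]:
        k = text.find(mid, pos, end)
        if k < 0:
            return False
        pos = k + len(mid)
    return True


def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    _, attr, value = node
    segs = _segments(value)
    return any(_match(segs, v) for v in entry.get(attr, []))


def search(entries, filt):
    """Return the sAMAccountName of every entry matched by filt."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return [e["samaccountname"][0] for e in entries if _eval(node, e)]


# Constructed sample directory (attribute names lower-cased as the evaluator expects).
DIRECTORY = [
    {"objectclass": ["top", "person", "user"], "samaccountname": ["alice"]},
    {"objectclass": ["top", "person", "user"], "samaccountname": ["bob"]},
    {"objectclass": ["top", "group"], "samaccountname": ["Domain Admins"]},
]

if __name__ == "__main__":
    payload = "*)(objectClass=*"    # classic injection string typed into a username field
    print(search(DIRECTORY, unsafe_user_lookup_filter(payload)))   # every user
    print(search(DIRECTORY, user_lookup_filter(payload)))          # nothing
```

With the injection string the unsafe filter becomes (&(objectClass=user)(sAMAccountName=*)(objectClass=*)), a valid query that returns every user; the escaped version asks for a sAMAccountName literally equal to the string and returns nothing. The same escaping applies to any value placed in a filter, not only account names.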

What Does the PDC Emulator Do, Exactly?

The PDC Emulator performs processes that make it look like a PDC to Windows NT
BDCs and like a logon server to downlevel client computers. The Active Directory is a
hierarchical database, but NT BDCs have no concept of this hierarchy. The PDC
Emulator presents directory data to BDCs as a flat account store and replicates
changes to them the way a Windows NT PDC would (Windows 2000 domain
controllers replicate the directory among themselves with Active Directory
replication and replicate SYSVOL with the File Replication Service).
Essentially, every job function a PDC performed, the PDC Emulator performs as well.
However, to other Windows 2000 domain controllers, the PDC Emulator appears and
functions as just another domain controller. You use the PDC Emulator just like any
other domain controller to create, modify, or delete Active Directory objects. In fact,
the PDC Emulator role is invisible to the administrator, who simply uses the server
like any other Windows 2000 domain controller. The role still matters once the NT
BDCs are gone: password changes made at other domain controllers are forwarded
to the PDC Emulator first, and it is the authoritative time source for the domain.

What Is the Active Directory Schema?

The schema is the Active Directory component that defines all the object classes and
attributes that the directory service uses to store data.
Active Directory stores and retrieves information from a wide variety of applications
and services. So that it can store and replicate data from a potentially unlimited
variety of sources, Active Directory standardizes how data is stored in the directory.
By standardizing how data is stored, the directory service can retrieve, update, and
replicate data while ensuring that the integrity of the data is maintained.

The directory service uses objects as units of storage. All objects are defined in the
schema. Each time that the directory handles data, the directory queries the
schema for an appropriate object definition. Based on the object definition in the
schema, the directory creates the object and stores the data.

What if My Company Name Changes After AD Implementation?

Here's a pitfall of the Active Directory. Suppose your company, Wilson Dog Collars
(wilsondogcollars.com), changes its name to Wilson Pet Products. The company
easily reserves the new name wilsonpetproducts.com on the Internet, but now
wants to change the name of the Active Directory root to reflect the new company
name. Sorry, no cigar. You cannot change the root domain name without completely
reinstalling the Active Directory, a process that is going to be seriously
time-consuming and full of problems. While the Active Directory is a great directory
service, the naming lockdown is a serious problem that needs to be addressed. In
fact, I'll bet that Microsoft is going to address it, and you can look for a future tool to
solve this problem.

What is a trust relationship between domains?

When there are trust relationships between domains, the authentication
mechanism of each domain trusts the authentication mechanism of the domains it
trusts. If a user or application is authenticated by one domain, that authentication
is accepted by every domain that trusts the authenticating domain.

What is a transitive trust?

A transitive trust is a two-way relationship automatically created between parent
and child domains in a Microsoft Active Directory forest. When a new domain is
created, it trusts and is trusted by its parent domain by default, so a user
authenticated in either domain can be given access to resources in both. The trust
provides the authentication path only; permissions still have to be granted on each
resource.

What is a domain trust?


A domain trust is a useful way to allow users from a trusted domain to access
services in a trusting domain. If all users and services can be managed in a single
enterprise domain, there is no need for trust relationships. However, there are
several advantages to creating separate domains.

Transitive trust
Each time that you create a new domain in a forest, a two-way, transitive trust
relationship is automatically created between the new domain and its parent
domain. If child domains are added to the new domain, the trust path flows upward
through the domain hierarchy, extending the initial trust path that is created
between the new domain and its parent domain.
Transitive trust relationships flow upward through a domain tree as it is formed,
creating transitive trusts between all domains in the domain tree.
Understanding Trust Types
Communication between domains occurs through trusts. Trusts are authentication pipelines
that must be present in order for users in one domain to access resources in another
domain. Two default trusts are created when using the Active Directory Installation Wizard.
There are four other types of trusts that can be created using the New Trust Wizard or the
Netdom command-line tool.

Default trusts
By default, two-way, transitive trusts are automatically created when a new domain is added
to a domain tree or forest root domain using the Active Directory Installation Wizard. The two
default trust types are the parent-child trust, created between a new child domain and its
parent, and the tree-root trust, created between the forest root domain and the root of a
new domain tree.

Other trusts
Four other types of trusts can be created using the New Trust Wizard or the Netdom
command-line tool: external, realm, forest, and shortcut trusts. External trusts connect a
domain to a Windows NT 4.0 domain or to a single domain in another forest and are
non-transitive. Realm trusts connect a domain to a non-Windows Kerberos realm. Forest
trusts connect the root domains of two forests and are transitive between those two
forests, but they do not extend to a third forest trusted by either of them. Shortcut trusts
link two domains in the same forest so that authentication need not travel up and down the
tree.
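As an added example (not from the original text), the following models the rules above as a small trust graph and walks it to decide whether a user in one domain can be authenticated by another, returning the chain of domains the logon would traverse. The domain names, the trust kinds assigned to each link and the simplification that realm trusts are treated as non-transitive are assumptions made for illustration.

```python
# Added example, not part of the original text: evaluating whether a usable
# trust path exists between two domains. Topology and rules are a simplified
# model built for illustration; the domain names are made up.
from collections import deque

# Trust kinds that carry authentication across more than one hop.
TRANSITIVE = {"parent-child", "tree-root", "shortcut", "forest"}


def one_way(trusting, trusted, kind):
    """trusting accepts authentication performed by trusted."""
    return [(trusting, trusted, kind)]


def two_way(a, b, kind):
    return one_way(a, b, kind) + one_way(b, a, kind)


# Constructed sample topology: one forest (corp.local) with a child and a
# grandchild domain, a forest trust to partner.local, a second forest trust from
# partner.local to vendor.local, and a one-way external trust that lets users of
# the NT 4.0 domain LEGACY use resources in corp.local only.
TRUSTS = (
    two_way("corp.local", "sales.corp.local", "parent-child")
    + two_way("sales.corp.local", "emea.sales.corp.local", "parent-child")
    + two_way("corp.local", "partner.local", "forest")
    + two_way("partner.local", "vendor.local", "forest")
    + one_way("corp.local", "LEGACY", "external")
)


def find_trust_path(trusts, user_domain, resource_domain):
    """Return the chain of domains from resource_domain to user_domain that a
    logon can follow, or None if no usable trust path exists.

    Rules modelled here:
      - a single direct trust of any kind is enough;
      - a longer path may use only transitive trusts and may cross at most one
        forest trust, because forest trusts are not transitive to a third forest;
      - external and realm trusts are treated as non-transitive.
    """
    if user_domain == resource_domain:
        return [resource_domain]
    outgoing = {}
    for trusting, trusted, kind in trusts:
        outgoing.setdefault(trusting, []).append((trusted, kind))
    for trusted, _ in outgoing.get(resource_domain, []):
        if trusted == user_domain:
            return [resource_domain, user_domain]
    queue = deque([(resource_domain, 0, [resource_domain])])
    seen = {(resource_domain, 0)}
    while queue:
        domain, forest_hops, path = queue.popleft()
        for trusted, kind in outgoing.get(domain, []):
            if kind not in TRANSITIVE:
                continue
            hops = forest_hops + (1 if kind == "forest" else 0)
            if hops > 1 or (trusted, hops) in seen:
                continue
            if trusted == user_domain:
                return path + [trusted]
            seen.add((trusted, hops))
            queue.append((trusted, hops, path + [trusted]))
    return None


def can_authenticate(trusts, user_domain, resource_domain):
    return find_trust_path(trusts, user_domain, resource_domain) is not None


if __name__ == "__main__":
    for user, resource in [("emea.sales.corp.local", "corp.local"),
                           ("LEGACY", "sales.corp.local"),
                           ("vendor.local", "corp.local")]:
        print(user, "->", resource, find_trust_path(TRUSTS, user, resource))
```

Every path this returns is also a path an attacker who controls an account in the trusted domain can use, so the same walk is worth running when reviewing trusts: a one-way external trust from corp.local to LEGACY exposes corp.local but not its child domains, while the forest trust to partner.local exposes every domain in the corp.local forest.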

What Is a Site?
An Active Directory site is a physical grouping of computers. A site, by definition,
encompasses a certain geographic location in which all computers reside on one or
more well-connected subnets. In reality, a site can be one specific geographic place,
or it can span several geographic locations. The key to understanding sites in the
Active Directory is to see sites in the same way the Active Directory sees them: in
terms of connectivity. The Active Directory expects your sites to be based on
well-connected TCP/IP subnets. The term well-connected is a soft term in that it does
not mean one specific thing. Typically, a well-connected subnet has fast, reliable,
inexpensive, and abundant bandwidth, such as in typical LAN connectivity. How you
define well-connected will vary from one Active Directory planner to the next, but
the key point, and it is a very important one, is to understand that the Active
Directory always assumes a site has fast, reliable, inexpensive, and abundant
bandwidth. In short, if your view of site definition is different from how the Active
Directory sees sites, be sure to get on board with the Active Directory's definition
before planning your own sites.

The Active Directory defines two kinds of replication: intrasite and intersite. Intrasite
replication occurs within a site, while intersite replication occurs between sites.
Before you start worrying about massive replication configuration headaches, let me
just put your mind at ease. The Active Directory configures its own replication
topology, which is simply a series of connections that enable database changes to
travel from one domain controller to the next. For intrasite replication, an Active
Directory service called the Knowledge Consistency Checker (KCC) examines all of
your domain controllers in a site and builds connections between them so that
replication can occur automatically. In other words, you, as the administrator, do not
have to configure anything. The Active Directory completely generates its own
replication topology within a site and then configures how replication will work. The
KCC periodically re-examines the replication topology and changes it if a new domain
controller is added to the site or if one goes offline or is removed. For intrasite
replication, shown in Figure 5-4, there's nothing for you to configure or manage: it
is all automatic.

Although intrasite replication is automatically generated and managed, you can
manually adjust the topology for certain specific reasons. Chapter 13 shows you
how. For intersite replication, or replication that occurs between sites, shown in
Figure 5-5, the Active Directory automatically generates a replication topology after
you configure your sites and define the communication links between them,
which are called site links. Once you have defined your sites and site links, the
Active Directory, using the KCC, determines how best to manage replication data
over the WAN.

So, the following are important points about Active Directory replication:
The Active Directory is quite capable and does a good job of managing replication. In
other words, replication is not something you spend your time configuring as an
administrator.
It uses the information you give it about your sites and site links to configure
replication between sites. Therefore, defining sites, as well as the links that connect
them, appropriately is very important.

In the past few paragraphs, I have sung the praises of the Active Directory replication
model and the automatic work of the KCC. The Active Directory does a good job of
generating its own replication topology and managing replication on a daily basis.
However, the Active Directory only does a good job if your network matches the
Active Directory's own internal assumptions. In other words, the Active Directory
assumes that your sites are based on well-connected IP subnets and that each site
is connected to at least one other site by a site link. So, what do you do if your site is
not based on well-connected subnets or if you have some serious connectivity
problems within a particular site? The answer is not much.

The KCC manages the replication topology and replication within the site. Intrasite
replication is not scheduled, not compressed, and occurs often. In other words, the
Active Directory assumes you have sufficient and available bandwidth within your
site so that replication can occur frequently and without restraint. If this is not the
case, there's not much you can do to change the Active Directory's behavior. This is
why I say that the Active Directory functions great if it is built on a physical network
that can support it. If it is not, I'm afraid you are going to have a lot of problems.

So, once again I make the point that it is very important that your physical network
topology and your TCP/IP implementation are carefully examined and even upgraded
if necessary before implementing the Active Directory. Careful exploration of your
current network enables you to resolve connectivity issues and bandwidth problems
before implementation, and doing so will help you avoid many serious problems
with intrasite and intersite replication and connectivity.

Understanding Site Links

Now that you have a global understanding of Active Directory sites and why sites are needed to control user traffic and
database replication, I want to turn your attention to a very important part of site configuration, the site link. As I
mentioned in the previous section, the Active Directory assumes that each site is connected to at least one other site
through some kind of WAN connection. The good news is that the Active Directory does not assume those WAN
connections are fast and inexpensive as it does with the intrasite topology. In fact, the Active Directory was designed so
that you must input information about site links to help the Active Directory determine how to control replication data.

The following sections explore the three items that help the Active Directory determine how replication should occur over
the site link: cost, frequency, and schedule.

Cost
In order to determine how to use site links, the Active Directory enables you to assign a cost to the link. This cost is a
logical, relative number rather than a price: you use it to express how much bandwidth a link has and how reliable it is. For
example, a T1 link would be given a much lower cost than a 56 Kbps dial-up connection because the T1 link has much more
bandwidth available. When more than one route exists between two sites, the KCC prefers the route whose site link costs
add up to the lowest total. So, in terms of the Active Directory, the cost of a link is based on the amount of available
bandwidth. Low-cost links are those that have a higher amount of bandwidth and are more reliable.

Frequency
When you create a site link, you can determine how often replication should occur over the link. For example, you can tell
the Active Directory to replicate over the link every 15 minutes, every hour, every three hours, and so forth (15 minutes is
the shortest interval allowed, and 180 minutes is the default). In reality, the Active Directory uses pull replication, which
simply means that domain controllers pull replication data from other domain controllers instead of having it forced on
them through push replication. The frequency interval you input determines how often a domain controller can poll
another domain controller over the site link for replication updates. If you have ever worked with replication in a WAN
environment, you know that it is a juggling act of sorts. You want replication to occur as frequently as possible to reduce
the amount of time during which domain controller databases are out of sync after a change (called latency). However,
you should consider the following questions about your WAN connection:
How much traffic can it handle?

How often is it available?

Is the WAN connection costing your company money each time it is used?
You must weigh all of these factors and determine a frequency value that is right for your network and, ultimately, your
users. The good news is that the frequency of a site link is easy to configure and easy to change, so you may have to do
some experimenting to determine what works best for your network.

Schedule
Intrasite replication occurs without a schedule because the Active Directory assumes you have fast, inexpensive, and
available bandwidth within the site. However, replication between sites can be scheduled to avoid peak traffic hours.
For example, suppose a particular site link always experiences a lot of traffic from 10:00 a.m. to 2:00 p.m. You can use the
site link's schedule to block replication so that it cannot occur during those hours. Of course, the more time you block, the
longer replication will take due to the delays, so again, you are faced with the proverbial juggling act to find what works
best for your company and network.
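The following added example (not part of the original text) puts the cost and frequency rules together: it picks the route with the lowest total site link cost, the way the KCC does, and then adds up the replication intervals along that route to bound how stale a domain controller at the far end can be. The site names, costs and intervals are constructed, and the latency figure is a simplified upper bound that ignores the schedule and the time needed to transfer the data.

```python
# Added example, not part of the original text: how the lowest-cost route between
# sites is chosen and how the replication interval on each link along it bounds
# replication latency. Site names, costs and intervals are constructed.
import heapq

# (site_a, site_b, cost, interval_minutes); a site link is usable in both directions.
SITE_LINKS = [
    ("HQ", "Branch", 500, 180),   # 56 Kbps dial-up: high cost, polled every 3 hours
    ("HQ", "Hub", 100, 15),       # T1
    ("Hub", "Branch", 100, 15),   # T1
    ("Hub", "Remote", 250, 60),
]


def cheapest_route(links, src, dst):
    """Dijkstra over site links. Returns (total_cost, [sites from src to dst]),
    or (None, []) when the sites are not connected, which is the situation of a
    site that has no site link at all."""
    graph = {}
    for a, b, cost, _ in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue                      # stale heap entry
        if site == dst:
            break
        for nxt, c in graph.get(site, []):
            total = cost + c
            if total < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = total, site
                heapq.heappush(heap, (total, nxt))
    if dst not in best:
        return None, []
    path, site = [dst], dst
    while site != src:
        site = prev[site]
        path.append(site)
    return best[dst], path[::-1]


def worst_case_latency(links, route):
    """Minutes a change at route[0] may take to reach route[-1], assuming it lands
    just after each poll so that every hop waits a full replication interval."""
    interval = {frozenset((a, b)): mins for a, b, _, mins in links}
    return sum(interval[frozenset((route[i], route[i + 1]))] for i in range(len(route) - 1))


if __name__ == "__main__":
    cost, route = cheapest_route(SITE_LINKS, "HQ", "Branch")
    print(cost, route, worst_case_latency(SITE_LINKS, route), "minutes")
    print(worst_case_latency(SITE_LINKS, ["HQ", "Branch"]), "minutes over the dial-up link")
```

Two hops over the T1 links (total cost 200) beat the direct dial-up link (cost 500), and because each T1 link is polled every 15 minutes the change is at most 30 minutes old at Branch, against 180 minutes had the dial-up link been used. Cost decides the route; frequency decides the latency on it.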

Understanding the Bridgehead Server

When you create an Active Directory site and connect it with a site link, the Active Directory automatically assigns the role
of bridgehead server to one domain controller in the site (the choice is made by the Inter-Site Topology Generator, a role
held by one domain controller in each site). A bridgehead server sends and receives replication data for an Active Directory
site. When the bridgehead server receives data from a remote site, it replicates that data to all other domain controllers
throughout the site. In other words, domain controllers do not directly replicate data to domain controllers in other sites;
all exchange of information is performed through the bridgehead server, as shown in Figure 5-7. As you can see in Figure
5-7, the bridgehead server is the preeminent server for exchanging directory information between sites. As I mentioned,
the Active Directory automatically assigns a bridgehead server, but you can designate a different domain controller as a
preferred bridgehead server if desired. You may have a server with more system resources, or a server that does not carry
as much user load, that you prefer to use as the bridgehead server. At any rate, the bridgehead server should be a domain
controller that has adequate system resources to handle the additional processing load placed on the bridgehead. An easy
way to establish the bridgehead server is simply to use the domain controller in a site that has the best bandwidth and
system resources, such as RAM and processor. If you do designate preferred bridgehead servers, list at least one that
holds every directory partition replicated into the site; when none of the preferred servers holds a partition, the Active
Directory does not select a non-preferred server in its place, and that partition stops replicating into the site.
