ACTIVE DIRECTORY SERVICES
Overview
Microsoft made many changes and improvements to their operating system (OS)
when they designed Windows 2000. The most important change was the
addition of Active Directory (AD). Nearly every facet of the OS
now revolves around AD, and we are already seeing the next generation
of BackOffice products that depend on it (e.g., Exchange 2000).
Active Directory is the central holding space for all objects
making up our enterprise: domains, organizational units, users,
groups, computers, printers, etc. By adopting some of the specifications
of the X.500 directory services, the hierarchical structure of AD
removes many of the deficiencies of the flat domain structure found
in NT 4.0.
Put simply, AD is a hierarchical database of all objects in the
entire enterprise. These objects include users, groups, computers,
domain controllers, printers, contacts, shared folders, and organizational
units. Active Directory requires TCP/IP as its network protocol.
Active Directory uses a basic top-down hierarchical model. At the top is
a single forest of one or more trees. Each tree contains at least
one (root) domain, and each domain contains one or more organizational
units (OUs; a Domain Controllers OU is created by default) along with
several built-in containers such as Users, Computers, and Builtin.
There is a recommended size limitation of one million objects per
domain for the initial Windows 2000 release; however, tests have run
the number of objects up to ten times that without failures.
All Windows 2000 computers can use AD. Legacy computers (those running
Windows NT 4.0, NT 3.51, Windows 98, Windows 95, Windows 3.x) can
log into a Windows 2000 domain, but they cannot take advantage of
the features of AD. Windows 95 and Windows 98 computers require the
Directory Services Client add-on (dsclient.exe) that ships with
Windows 2000 Server to interact with AD. There is no such tool for
OSs prior to 95/98. Keep in mind that these legacy clients still
authenticate with NTLM (or LM) rather than Kerberos, so keeping them
in the domain limits how far the domain's authentication settings
can be tightened.
TERMINOLOGY
Domains
The concept of a domain as we remember it from the NT 4.0 days stays the
same in Windows 2000. The architecture, however, changes from the
flat model of NT 4.0 to a hierarchical model with a parent domain
and child domains under it. The parent (also known as the root)
domain and all of its child domains are defined as a single domain
tree. Multiple trees within the same AD are defined as a forest.
Naming Contexts
A change in Windows 2000 affects how domains are named. Domain names
now follow the Internet's Domain Name System (DNS) standard (RFCs
1034 and 1035). To better explain this concept, let's assume the root
domain in our tree is called "mycompany.com". The sales "child"
domain under it is named "sales.mycompany.com", the finance "child"
domain is called "finance.mycompany.com", and so on.

Each tree occupies its own contiguous DNS namespace. A domain whose
name is not a child of an existing domain's name becomes a new root,
and each root domain begins a new tree within the forest. Because
domains are DNS names, DNS is used for all Windows 2000 name
resolution: in particular, Windows 2000 clients locate domain
controllers through DNS SRV records rather than NetBIOS/WINS
lookups, so each domain's DNS zone must carry the SRV records its
domain controllers register.
Design
Tip: 1 DNS server per site.
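As an added example (not code from the original article), the following
Python shows what falls out of the DNS-style naming described above: the
LDAP distinguished name of a domain, the SRV record a Windows 2000 client
queries to find a domain controller for it, and how a set of domain names
sorts itself into trees by contiguous namespace. The domain and site names
used as input are constructed for illustration; mycompany.com is the
article's own example, the otherco.net tree is assumed.

```python
"""Added example: names derived from AD's DNS-based domain naming.
All domain and site names below are constructed for illustration."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional


def dns_to_dn(dns_name: str) -> str:
    """DNS name of a domain -> distinguished name of its naming context.
    sales.mycompany.com -> DC=sales,DC=mycompany,DC=com"""
    labels = [p for p in dns_name.strip(".").lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def dc_locator_srv(dns_name: str, site: Optional[str] = None) -> str:
    """SRV record a Windows 2000 client queries to find a domain controller;
    when the client knows its site it asks for a DC in that site first."""
    dns_name = dns_name.strip(".").lower()
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_name}"
    return f"_ldap._tcp.dc._msdcs.{dns_name}"


def parent_of(dns_name: str) -> Optional[str]:
    """Strip the leftmost label: sales.mycompany.com -> mycompany.com."""
    _head, _sep, tail = dns_name.partition(".")
    return tail or None


def group_into_trees(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Group the forest's domains into trees. A domain whose DNS parent is
    not itself a domain of the forest is a root and begins a new tree."""
    names = {d.strip(".").lower() for d in domains}

    def root_of(name: str) -> str:
        while (parent := parent_of(name)) in names:
            name = parent
        return name

    trees: Dict[str, List[str]] = defaultdict(list)
    for name in sorted(names):
        trees[root_of(name)].append(name)
    return dict(trees)


# Constructed forest: the article's mycompany.com tree plus an assumed second tree.
FOREST = [
    "mycompany.com", "sales.mycompany.com", "finance.mycompany.com",
    "west.sales.mycompany.com", "otherco.net", "eu.otherco.net",
]

if __name__ == "__main__":
    for root, members in group_into_trees(FOREST).items():
        print(f"tree rooted at {root}:")
        for d in members:
            print(f"  {d:28} {dns_to_dn(d):40} {dc_locator_srv(d)}")
```

The site-specific SRV name is the reason the design tips that follow call
for one DNS server and one DC per site: a client that cannot resolve the
record for its own site falls back to any DC in the domain, possibly
across a slow link.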
Global Catalog
Also new in Windows 2000 is the Global Catalog (GC). The GC is a
search index that helps users and applications find objects that
are published in AD. Without the GC it could be difficult and
quite time consuming to search the AD database, since there could
potentially be hundreds, or even hundreds of thousands, of objects
in any single directory.

The Global Catalog can only exist on a Domain Controller (DC). It
contains a listing of every object in every domain in the entire
forest, but only a subset of each object's properties (the attributes
flagged for GC replication in the schema). By default only one GC
server exists in the entire forest, on the first DC that was created
in the forest, and its replication is forest wide. Clients query the
GC over LDAP on port 3268 (3269 over SSL) rather than the standard
port 389. Because the GC holds a partial replica of every domain, an
authenticated user who can reach it can enumerate objects from the
whole forest, not only from the domain they logged on to.
Design
Tip: 1 Global Catalog server per site.
Forest
An Active Directory forest sets the outer boundary of the Windows 2000
AD. There is a single forest in the AD. Within it are trees, and
within the trees are domains. The forest allows us to facilitate
movement of objects within its boundaries. In a forest, all objects
of the same type share the same properties (schema), and all domains
share one configuration and one Global Catalog. Every domain in the
forest trusts every other through two-way transitive trusts, so the
forest, not the domain, is the effective security boundary.
Organizational Units
Organizational Units (OUs) are another new term with Windows 2000.
Within a domain there exist OUs. They can be thought of as containers
(folders) inside a domain that hold AD objects grouped by similar
function or geographic location; unlike a child domain, an OU has no
separate security database and creates no trust relationship. The
primary purposes of OUs are to delegate administrative authority (by
granting permissions on the OU's access control list) and to scope
group policy. Organizational Units can contain just about any AD
object, including another OU. By default OUs inherit their
permissions and group policies from their parent, so a right granted
high in the OU tree flows down to every object beneath it unless
inheritance is blocked.
Domain Controllers
A big change with Windows 2000 is the removal of the master/slave
PDC/BDC roles of the servers. Now they are all Domain Controllers and
all are masters, accepting updates at any time (only a handful of
operations-master roles, such as the PDC emulator, remain
single-master). This multi-master model allows for replication
throughout the domain and increases fault tolerance for the domain.

Whether a server is going to become a Domain Controller is a decision
that is left until after the server installation is complete. Any
Windows 2000 Server can be promoted to a domain controller (with
dcpromo) and any domain controller can be demoted back down to a
stand-alone server or a member server.

Domain Controllers default to running in mixed mode. Running in mixed
mode allows replication to the remaining NT 4.0 BDCs to continue, with
the Windows 2000 DC holding the PDC emulator role acting as their PDC.
Once all the domain controllers are upgraded to Windows 2000, the
switch can be made to native mode, which enables features such as
universal security groups and group nesting. It is important to note,
however, that once the switch is made from mixed to native mode it
cannot be reversed.
Design
Tip: 1 domain controller per site.
Sites
If you've worked with Exchange, then the concept of a site
is not new to you. A site is a physical boundary defined within
Active Directory, unlike forests, trees, domains, and OUs, which
are all logical elements of AD. A site is defined as one or more
well-connected IP subnets. Well-connected implies a reasonably fast,
reliable connection (usually a T-1).

There is only one site per forest by default (Default-First-Site-Name),
and every domain controller and client falls into it until you define
subnet objects and associate them with sites. Sites are used to
control domain replication, allow for faster user logons, and quicken
response times to queries and searches, because a client is directed
to a domain controller in the site its IP subnet maps to. Sites
contain domain controller (server) objects, and administrators have to
manually create and configure any additional sites, the subnets that
map to them, and the site links between them (all site links are
bridged by default).
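As an added example (not code from the original article), the following
Python reproduces the subnet-to-site lookup that sites depend on: a
client's IP address is matched against the subnet objects associated with
sites, the most specific subnet wins, and an address that matches nothing
lands in the default site, which is the failure mode to watch for. The
subnet list and site names are constructed for illustration; only
Default-First-Site-Name is the real default.

```python
"""Added example: resolve a client IP to its AD site from the subnet objects.
The subnets and site names below are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

DEFAULT_SITE = "Default-First-Site-Name"  # the only site that exists out of the box

# Constructed subnet -> site mapping, as an admin would create it in AD Sites and Services.
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Chicago",
    "10.1.200.0/24": "Chicago-Lab",  # more specific subnet carved out of Chicago
    "10.2.0.0/16": "Denver",
    "192.168.50.0/24": "Denver",
}

Subnet = Tuple[ipaddress.IPv4Network, str]


def parse_subnets(mapping: Dict[str, str]) -> List[Subnet]:
    """Validate each subnet once; strict=True rejects entries with host bits set,
    which AD would also refuse as a subnet object."""
    return [(ipaddress.ip_network(cidr, strict=True), site) for cidr, site in mapping.items()]


def site_for(ip: str, subnets: Optional[List[Subnet]] = None) -> str:
    """Return the site whose subnet contains ip, preferring the longest prefix
    when subnets nest; fall back to the default site when nothing matches."""
    subnets = parse_subnets(SUBNETS) if subnets is None else subnets
    addr = ipaddress.ip_address(ip)
    best: Optional[Subnet] = None
    for net, site in subnets:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else DEFAULT_SITE


def unmapped(ips: Iterable[str], subnets: Optional[List[Subnet]] = None) -> List[str]:
    """Clients that fall through to the default site. Each one is a missing
    subnet object: such a client is sent to whichever DC it finds, possibly
    across a slow link, and its logon traffic bypasses the site design."""
    subnets = parse_subnets(SUBNETS) if subnets is None else subnets
    return [ip for ip in ips if site_for(ip, subnets) == DEFAULT_SITE]


if __name__ == "__main__":
    # Constructed sample of client addresses seen at logon.
    clients = ["10.1.5.9", "10.1.200.7", "192.168.50.3", "172.16.0.1"]
    for ip in clients:
        print(f"{ip:16} -> {site_for(ip)}")
    print("no subnet object for:", unmapped(clients))
```

Run this against an export of your subnet objects and a sample of logon
source addresses to find the subnets that were never created; the design
tip of one DC per site only helps clients whose subnet actually maps to
that site.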
So, if you were counting along, the design tips recommended:
• 1 DC
• 1 DNS server
• 1 GC server
(all of these roles can be housed on the same computer)