Physical and Logical Structure of Active Directory
In comparison to the logical structure, which supports administrative tasks, the physical structure of Active Directory determines when and where logon and replication traffic occurs. The physical structure consists of the physical subnets in your network, the domain controllers, and the replication between domain controllers.

The physical structure of Active Directory:

• Domain Controllers: These computers run Microsoft Windows Server 2003/2000 and Active Directory. Every domain controller performs specific functions such as replication, storage and authentication. A domain controller can serve at most one domain. It is always advised to have more than one domain controller in each domain.

• Active Directory Sites: A site is a collection of well-connected computers. Sites are created so that domain controllers within a site can communicate frequently; this minimises the latency with which a change made on one domain controller is replicated to the other domain controllers in the site. The other reason for creating a site is to optimise the bandwidth used between domain controllers located in different places. A set of IP subnets that share common Local Area Network (LAN) connectivity, regardless of the actual physical location of the computers, is called a site.

  Let's take an example: a site has the subnets 192.168.5.A and 192.168.50.A, where the 192.168.5.A computer is located in Texas and the 192.168.50.A computer is located in London. In this case the physical location of the two computers is not known to the user. Because there is adequate bandwidth between them, they are able to work and be configured within the same Active Directory site.

  A few considerations an administrator should examine before creating a new site are the available bandwidth, the cost of that bandwidth and the replication traffic expected.

• Active Directory Partitions: Each domain controller holds the following Active Directory partitions:
  o The Domain Partition contains a copy of all the objects in that domain. The domain partition replicates only to the other domain controllers in the same domain.
  o The Schema Partition is forest-wide. Every forest has one schema with a consistent set of object classes. The schema and configuration partitions take part in replication and are replicated to all domain controllers in the forest.
  o The Application Partition is optional; it carries objects that are not related to security and can be used by one or more applications. An application partition replicates only to specific domain controllers in the forest.

Logical Structure of an Active Directory

Active Directory meets the needs of an organization through the design of its directory structure. It provides the flexibility to design the structure according to the organization's current and future business needs, so the design should be examined before Active Directory is installed. In Active Directory, resources are organized in a logical structure, and grouping resources logically enables a resource to be found by its name rather than by its physical location.

Benefits of AD Logical Structure

• The logical structure provides more network security by granting access to resources only to specified groups (OUs).
• The logical structure simplifies network management: administration, configuration and control of the network.
• The relationship between the logical structure of domains and forests simplifies resource sharing across an organization.
• Because the logical structure simplifies network management, it reduces the load on network resources and lowers the total cost of ownership.

Components of AD Logical Structure

The components of the logical structure are related to each other; together they control access to stored data and determine how data is managed between the different domains in a forest.

• Objects: a user, computer, group, printer, etc.
• Organizational Units: like a folder, but under the control of Active Directory
• Domains: logical boundaries for objects
• Trees: logical boundary for multiple domains
• Forests: logical boundary for multiple trees

Overall, one physical machine running as a Microsoft domain controller can control all of these logical divisions with the help of Operations Master roles, each dedicated to specific tasks.
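The site and subnet relationship described in the physical structure section above is only as good as the subnet objects that map addresses to sites. The following PowerShell is an added example (not code from the original article) that checks every domain controller's IPv4 address against the forest's subnet objects and flags DCs that fall in no subnet or in a subnet assigned to a different site; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it runs with rights to read the Configuration partition.

```powershell
Import-Module ActiveDirectory

# Convert a dotted IPv4 address to a 32-bit integer for prefix comparison.
function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when $Ip lies inside the CIDR block named by an AD subnet object, e.g. 192.168.5.0/24.
function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Report DCs whose address is covered by no subnet object, or whose subnet is
# assigned to a different site than the DC itself: either way the DC is not
# where the site topology (and therefore replication and logon traffic) expects it.
function Get-DcSiteMismatch {
    $subnets = Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' }   # IPv4 subnets only
    foreach ($dc in Get-ADDomainController -Filter *) {
        if (-not $dc.IPv4Address) { continue }
        $hit = $subnets | Where-Object { Test-IPv4InCidr -Ip $dc.IPv4Address -Cidr $_.Name } |
               Select-Object -First 1
        $problem = $null
        if (-not $hit) {
            $problem = 'no subnet object covers this address'
        } else {
            # Subnet.Site is a DN such as CN=London,CN=Sites,CN=Configuration,DC=...
            $subnetSite = ($hit.Site -split ',')[0] -replace '^CN=', ''
            if ($subnetSite -ne $dc.Site) {
                $problem = "subnet $($hit.Name) belongs to site $subnetSite"
            }
        }
        if ($problem) {
            [pscustomobject]@{ DC = $dc.HostName; IPv4 = $dc.IPv4Address; Site = $dc.Site; Problem = $problem }
        }
    }
}

Get-DcSiteMismatch | Format-Table -AutoSize
```

An empty table means every DC is covered by a subnet that agrees with its site assignment; member computers in the same subnets are then placed in the same site.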
The Global Catalog Server
An Overview on Global Catalog Servers
The Global Catalog (GC) is an important component of Active Directory because it serves as the central information store for the Active Directory objects in all domains of the forest. The GC maintains a list of the Active Directory objects in those domains without including all of the information on each object, and it is used when users search for Active Directory objects or for specific attributes of an object. In this way the GC improves network performance and provides maximum accessibility to Active Directory objects.
The Global Catalog server is the domain controller that stores a full copy of all objects in its host domain. It also stores a partial copy of all objects in all other domains within the forest. The partial copy holds the list of objects most frequently searched for. The first domain controller that is created in the first domain in a forest is by default the Global Catalog server. If a domain only has one domain controller, that particular domain controller and the GC server are the same server. If you add an additional domain controller to the domain, you can configure that domain controller as the GC server. You can also assign additional domain controllers to serve as GC servers for a domain. This is usually done to improve response time for user logon requests and search requests.
In order for Global Catalog servers to store a full copy of all objects in its host domain, and a partial copy of all objects in all other domains within the forest, GC replication has to occur between those domain controllers that are configured as GC servers. GC replication does not occur between domain controllers that are not GC servers.
The functions performed by the GC server can be summarized as follows:

- GC servers are crucial for Active Directory's UPN functionality because they resolve user principal names (UPNs) when the domain controller handling the authentication request is unable to authenticate the user account because the user account actually exists in another domain. The authenticating domain controller would have no knowledge of the particular user account. The GC server in this case assists in locating the user account so that the authenticating domain controller can proceed with the logon request for the user.
- The GC server deals with all search requests of users searching for information in Active Directory. It can find all Active Directory data irrespective of the domain in which the data is held. The GC server deals with requests for the entire forest.
- The GC also makes Universal Group membership information available to the domain controller for network logon requests.

Universal Groups are available when the domain functional level is raised or set to at least Windows 2000 native. Universal Groups can contain members that belong to different domains within the forest, and their Universal Group membership information is stored only in the GC. This means that only those domain controllers configured as GC servers hold Universal Group membership information; the remaining domain controllers do not.
The universal group membership caching feature, introduced in Windows Server 2003 Active Directory, enables a site that has no GC server to cache universal group membership information for users who log on to domain controllers within the site. In this manner, a domain controller can serve logon requests for directory information when a GC server is unavailable. The settings of the Active Directory replication schedule determine how often the cache is refreshed.

Configure a New Global Catalog Server

To configure a Windows 2000/2003 Domain Controller as a GC server, perform the following steps:

- Start the Microsoft Management Console (MMC) Active Directory Sites and Services Manager. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager.)
- Select the Sites branch.
- Select the site that owns the server, and expand the Servers branch.
- Select the server you want to configure.
- Right-click NTDS Settings, and select Properties.
- Select or clear the Global Catalog Server checkbox.
- Click Apply, OK.
You must allow time for the GC to replicate throughout the forest. This process can take anywhere from 10-15 minutes to several days, depending on your AD infrastructure.
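The same change can be made and verified from PowerShell. The block below is an added example, not code from the original article: it lists GC coverage per site (including sites that rely on universal group membership caching because they have no GC), toggles the GC flag on a DC's NTDS Settings object exactly as the checkbox above does, and reports whether the GC has finished replicating. It assumes the ActiveDirectory PowerShell module, Domain Admin or equivalent rights, and a hypothetical DC name 'DC02' in the commented call.

```powershell
Import-Module ActiveDirectory

# One row per site that hosts DCs: how many DCs, how many of them are GC servers,
# and whether the site is left without a GC and without universal group
# membership caching (the case in which universal-group logons depend on a remote GC).
function Get-GcCoverage {
    $caching = @{}
    Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled |
        ForEach-Object { $caching[$_.Name] = [bool]$_.UniversalGroupCachingEnabled }
    Get-ADDomainController -Filter * | Group-Object -Property Site | ForEach-Object {
        $site = $_
        $gcs  = @($site.Group | Where-Object { $_.IsGlobalCatalog }).Count
        [pscustomobject]@{
            Site           = $site.Name
            DCs            = $site.Count
            GCs            = $gcs
            NeedsAttention = ($gcs -eq 0 -and -not $caching[$site.Name])
        }
    }
}

# PowerShell equivalent of the MMC steps above: toggle bit 0x1 (NTDSDSA_OPT_IS_GC)
# in the 'options' attribute of the DC's NTDS Settings object.
function Set-GlobalCatalogFlag {
    param([Parameter(Mandatory)][string]$DcName, [bool]$Enabled = $true)
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $old  = [int]$ntds.options                         # an unset attribute reads as 0
    $new  = if ($Enabled) { $old -bor 1 } else { $old -band (-bnot 1) }
    if ($new -ne $old) { Set-ADObject -Identity $ntds -Replace @{ options = $new } }
    # The flag takes effect immediately, but the partial replicas of the other
    # domains still have to replicate in; RootDSE isGlobalCatalogReady reports that.
    return [pscustomobject]@{
        DC      = $dc.HostName
        FlagSet = (($new -band 1) -eq 1)
        Ready   = ((Get-ADRootDSE -Server $dc.HostName).isGlobalCatalogReady -eq 'TRUE')
    }
}

Get-GcCoverage | Format-Table -AutoSize
# Example call with a hypothetical DC name:
# Set-GlobalCatalogFlag -DcName 'DC02' -Enabled $true
```

Re-run Set-GlobalCatalogFlag (or just Get-ADRootDSE) later to watch Ready flip to True once the partial replicas have arrived.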