Physical and Logical Structure of Active Directory

Where the logical structure organizes administration, the physical structure of Active Directory determines when and where logon and replication traffic occurs. The physical structure consists of the physical subnets in your network, the domain controllers placed in them, and the replication between those domain controllers.
The physical structure of Active Directory:
  • Domain Controllers: These computers run Microsoft Windows Server 2003/2000 and Active Directory. Every domain controller performs specific functions such as replication, storage and authentication. A domain controller can host at most one domain. It is always advised to have more than one domain controller in each domain.
  • Active Directory Sites: A site is a collection of well-connected computers. Sites are created so that domain controllers within a site can communicate frequently, which minimizes the latency with which a change made on one domain controller is replicated to the other domain controllers in the site. The other reason for creating sites is to optimize the bandwidth used between domain controllers in different locations.
A site is the set of IP subnets that share well-connected Local Area Network (LAN) connectivity, regardless of the actual physical location of the computers.
Let's take an example: a site has subnets 192.168.5.A and 192.168.50.A, where the 192.168.5.A computer is located in Texas and the 192.168.50.A computer is located in London. The physical location of the two computers is not known to the user. Because the bandwidth between the two is adequate, they can work and be configured as computers within the same Active Directory site.
A few considerations an administrator should examine before creating a new site are the available bandwidth, the cost of that bandwidth, and the expected replication traffic.
  • Active Directory Partitions: Each domain controller contains the following Active Directory partitions:
    o The Domain Partition contains a copy of all the objects in that domain. The domain partition replicates only to the other domain controllers in the same domain.
    o The Schema Partition is forest-wide. Every forest has one schema with a consistent set of object classes. The schema and configuration partitions replicate to all domain controllers in the forest.
    o The Application Partition, which is optional, carries objects that are not security principals and can be used by one or more applications. An application partition replicates only to the specific domain controllers in the forest that are designated to host it.
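The site and subnet layout described above can be audited from PowerShell: a site that has subnets but no domain controller sends every logon across a WAN link, and a subnet assigned to no site leaves its clients without site awareness. This script is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed and the account can read the Configuration partition, and Get-SiteCoverageReport is my own function name.

```powershell
# Added audit script (not from the original article). Assumes the RSAT
# ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-SiteCoverageReport {
    $sites   = Get-ADReplicationSite -Filter *
    # Subnet objects carry the DN of the site they are assigned to (if any).
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    # Domain controller objects carry the *name* of their site.
    $dcs     = Get-ADDomainController -Filter *

    foreach ($site in $sites) {
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $siteDCs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })

        # A site with subnets but no DC forces logons over a WAN link to
        # another site; a site with no subnets is never selected by clients.
        $warning = ''
        if ($siteSubnets.Count -gt 0 -and $siteDCs.Count -eq 0) { $warning = 'Subnets but no DC' }
        elseif ($siteSubnets.Count -eq 0)                          { $warning = 'No subnets assigned' }

        [pscustomobject]@{
            Site        = $site.Name
            SubnetCount = $siteSubnets.Count
            DCCount     = $siteDCs.Count
            Warning     = $warning
        }
    }

    # Subnets that belong to no site at all: clients in these ranges are not
    # site-aware and may authenticate against a distant domain controller.
    $subnets | Where-Object { -not $_.Site } | ForEach-Object {
        [pscustomobject]@{
            Site        = '(none)'
            SubnetCount = 1
            DCCount     = 0
            Warning     = "Unassigned subnet $($_.Name)"
        }
    }
}

Get-SiteCoverageReport | Format-Table -AutoSize
```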
Logical Structure of an Active Directory
Active Directory meets the needs of an organization through the design of its directory structure. It provides the flexibility to model the business structure according to the current and future needs of the organization, so that structure should be examined before Active Directory is installed. In Active Directory, resources are organized in a logical structure, and grouping resources logically enables a resource to be found by its name rather than by its physical location.
Benefits of AD Logical Structure
  • The logical structure improves network security by granting access to resources only to specified groups or organizational units (OUs).
  • The logical structure simplifies network management: the administration, configuration and control of the network.
  • The relationship between the logical structure of domains and forests simplifies resource sharing across an organization.
  • Because the logical structure simplifies network management, it reduces the load on network resources and lowers the total cost of ownership.
Components of AD Logical Structure
The components of the logical structure are related to each other; together they control access to stored data and determine how data is managed between the different domains in a forest.
  • Objects: a user, computer, group, printer and so on
  • Organizational Units: like folders, but under the control of Active Directory
  • Domains: logical boundaries for objects
  • Trees: a logical boundary for multiple domains
  • Forests: a logical boundary for multiple trees
Overall, one physical machine running as a Microsoft domain controller can control all these logical divisions with the help of Operations Master roles, each dedicated to specific tasks.

The Global Catalog Server

An Overview on Global Catalog Servers

The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store for the Active Directory objects located in the domains of a forest. The GC maintains a list of the Active Directory objects in all domains of the forest without including all of the information on those objects, and it is used when users search for Active Directory objects or for specific attributes of an object. In this way the GC improves network performance and provides maximum accessibility to Active Directory objects.

The Global Catalog server is the domain controller that stores a full copy of all objects in its host domain. It also stores a partial copy of all objects in all other domains within the forest. The partial copy holds the attributes most frequently searched for. The first domain controller created in the first domain of a forest is by default the Global Catalog server. If a domain has only one domain controller, that domain controller and the GC server are the same server. If you add an additional domain controller to the domain, you can configure that domain controller as a GC server. You can also assign additional domain controllers to serve as GC servers for a domain. This is usually done to improve response time for user logon requests and search requests.

In order for Global Catalog servers to store a full copy of all objects in its host domain, and a partial copy of all objects in all other domains within the forest, GC replication has to occur between those domain controllers that are configured as GC servers. GC replication does not occur between domain controllers that are not GC servers.

The functions performed by the GC server can be summarized as follows:
  • GC servers are crucial for Active Directory's UPN functionality because they resolve user principal names (UPNs) when the domain controller handling the authentication request is unable to authenticate the user account because the user account actually exists in another domain. The authenticating domain controller would have no knowledge of the particular user account. The GC server in this case assists in locating the user account so that the authenticating domain controller can proceed with the logon request for the user.
  • The GC server deals with all search requests of users searching for information in Active Directory. It can find all Active Directory data irrespective of the domain in which the data is held. The GC server deals with requests for the entire forest.
  • The GC also makes Universal Group membership information available to the domain controller that handles network logon requests.
Universal Groups are available when the domain functional level is raised or set to at least Windows 2000 Native. Universal Groups can contain members that belong to different domains within the forest, and their Universal Group membership information is stored only in the GC. This means that only those domain controllers configured as GC servers hold Universal Group membership information; the remaining domain controllers do not.

The universal group membership caching feature, introduced in Windows Server 2003 Active Directory, enables a site that has no GC server to cache universal group membership information for users who log on to domain controllers within the site. In this manner, a domain controller can serve logon requests for directory information when a GC server is unavailable. The settings of the Active Directory replication schedule determine how often the cache is refreshed.

Configure a New Global Catalog Server

To configure a Windows 2000/2003 Domain Controller as a GC server, perform the following steps:
  1. Start the Microsoft Management Console (MMC) snap-in Active Directory Sites and Services Manager. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager.)
  2. Select the Sites branch.
  3. Select the site that owns the server, and expand the Servers branch.
  4. Select the server you want to configure.
  5. Right-click NTDS Settings, and select Properties.
  6. Select or clear the Global Catalog Server checkbox, as shown in the screenshot.
  7. Click Apply, then OK.
You must allow time for the GC to replicate throughout the forest. This process can take anywhere from 10-15 minutes to several days, depending on your AD infrastructure.
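The checkbox in the steps above toggles bit 0x1 of the options attribute on the server's NTDS Settings object, so the same change can be scripted and, more usefully, audited: which sites have no GC at all and whether those sites rely on the universal group membership caching described earlier. The following PowerShell is an added example, not from the original article; it assumes the RSAT ActiveDirectory module, an account permitted to modify the NTDS Settings object, and the function names Enable-GlobalCatalog, Get-SitesWithoutGC and Test-GlobalCatalog are my own.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module and rights to modify the target DC's NTDS Settings object.
Import-Module ActiveDirectory

# Bit 0x1 of the NTDS Settings 'options' attribute (NTDSDSA_OPT_IS_GC) marks a DC
# as a Global Catalog; this is what the "Global Catalog" checkbox toggles.
$IsGcFlag = 0x1

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DomainController)
    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options
    if ($opts -band $IsGcFlag) {
        Write-Host "$($dc.HostName) is already a Global Catalog"
        return
    }
    # Preserve any other option bits; only set the GC bit.
    Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = ($opts -bor $IsGcFlag) }
    Write-Host "GC flag set on $($dc.HostName); the partial replicas must replicate before it advertises"
}

# Sites without any GC must rely on universal group membership caching; otherwise
# logons in that site depend on reaching a GC in another site over the WAN.
function Get-SitesWithoutGC {
    $gcSites = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
               Select-Object -ExpandProperty Site -Unique
    Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled |
        Where-Object { $gcSites -notcontains $_.Name } |
        Select-Object Name, UniversalGroupCachingEnabled
}

# Reports the GC state the AD module sees for the DC. The equivalent
# command-line check is: nltest /dsgetdc:<your-domain> /gc  (placeholder domain)
function Test-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DomainController)
    (Get-ADDomainController -Identity $DomainController).IsGlobalCatalog
}

# Example run (replace DC01 with a real domain controller name):
# Enable-GlobalCatalog -DomainController DC01
# Get-SitesWithoutGC | Format-Table -AutoSize
# Test-GlobalCatalog -DomainController DC01
```

A site listed by Get-SitesWithoutGC with UniversalGroupCachingEnabled set to False is the case the text warns about: logons there fail whenever no GC in another site is reachable.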


Active Directory Partitions

The Active Directory database is logically separated into directory partitions:
  • Schema partition
  • Configuration partition
  • Domain partition
  • Application partition
Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between the replicas of a directory partition. At least two directory partitions are common to all domain controllers in the same forest: the schema and configuration partitions. All domain controllers in the same domain additionally share a common domain partition.

Schema Partition

Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. It contains the definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.

Configuration Partition

There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including which domains and sites exist, which domain controllers exist in the forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

Domain Partition

Many domain partitions can exist per forest. A domain partition is stored on each domain controller in a given domain. It contains information about users, groups, computers and organizational units, and it is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

Application Partition

Application partitions store application-specific information in Active Directory. Each application determines how it stores, categorizes, and uses its information. To prevent unnecessary replication of a given application partition, you can designate which domain controllers in a forest host it. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.
As an example of application partitions, if you use a Domain Name System (DNS) that is integrated with Active Directory, you have two application partitions for DNS zones, ForestDNSZones and DomainDNSZones:
  • ForestDNSZones is forest-wide. All domain controllers that are DNS servers in the forest receive a replica of this partition, which stores the forest zone data.
  • DomainDNSZones is unique to each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition, which stores the domain DNS zone data.
Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.
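The partition layout described in this section can be inspected directly: RootDSE lists the naming contexts a domain controller holds, the crossRef objects under CN=Partitions record which domain controllers host each application partition (such as ForestDnsZones), and per-partition replication metadata shows whether a replica is current. This PowerShell is an added example, not from the original article; it assumes the RSAT ActiveDirectory module, and the function names are my own.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module; $Server is any domain controller you want to inspect.
Import-Module ActiveDirectory

# Partitions a DC holds, as reported by its RootDSE: schema, configuration,
# its own domain partition, and any application partitions (e.g. ForestDnsZones).
function Get-HostedPartitions {
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server
    $core = @($root.schemaNamingContext, $root.configurationNamingContext, $root.defaultNamingContext)
    [pscustomobject]@{
        Schema        = $root.schemaNamingContext
        Configuration = $root.configurationNamingContext
        Domain        = $root.defaultNamingContext
        Application   = @($root.namingContexts | Where-Object { $_ -notin $core })
    }
}

# Which DCs host each application partition: the crossRef object under
# CN=Partitions lists the NTDS Settings DN of every designated replica holder.
function Get-ApplicationPartitionReplicas {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Partitions,$configNC" `
        -LDAPFilter '(&(objectClass=crossRef)(msDS-NC-Replica-Locations=*))' `
        -Properties nCName, 'msDS-NC-Replica-Locations' |
      ForEach-Object {
        [pscustomobject]@{
            Partition = $_.nCName
            # "CN=NTDS Settings,CN=DC01,CN=Servers,..." -> "DC01"
            Replicas  = @($_.'msDS-NC-Replica-Locations' |
                          ForEach-Object { (($_ -split ',')[1]) -replace '^CN=' })
        }
      }
}

# Replication health per partition on one DC: a non-zero LastReplicationResult or
# a climbing ConsecutiveReplicationFailures means that partition is stale there.
function Get-PartitionReplicationStatus {
    param([Parameter(Mandatory)][string]$Server)
    Get-ADReplicationPartnerMetadata -Target $Server -PartitionFilter * |
        Select-Object Partition, Partner, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

# Example run (replace DC01 with a real domain controller name):
# Get-HostedPartitions -Server DC01
# Get-ApplicationPartitionReplicas | Format-Table -AutoSize
# Get-PartitionReplicationStatus -Server DC01 | Format-Table -AutoSize
```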