Designing an Active Directory Implementation Plan

In Windows Server 2003, Active Directory replication is essential to the proper functioning of the network. Active Directory replication uses a multi-master model rather than the single-master model of Windows NT Server: every domain controller is a peer that accepts writes, and each must hold an almost identical copy of the latest database.

The reason we have to say almost is that each domain controller's copy is only as current as its latest replication. This is referred to as loose convergence (Microsoft's documentation also describes it as loose consistency with convergence). Even though every domain controller has a readable and writeable copy of the database, the copies are not identical at any given instant: each holds its own latest changes, which the others will not have until the next replication. From a security standpoint this means that a change such as disabling an account or removing a member from a privileged group takes effect on a given domain controller only after it replicates there, so an urgent change should be made on (or forced to, with repadmin /syncall) the domain controllers that the affected users actually authenticate against.

Windows Server 2003 domain controllers can take on additional roles in the forest and in their own domain. These roles determine what extra information a domain controller holds and replicates, and which operations it alone is responsible for. The roles are the following:

  • Global Catalog servers

  • Flexible Single Master Operation (FSMO) roles

We now discuss each of these roles and their effect on the physical design of Active Directory.

Global Catalog Servers

Servers designated as Global Catalog servers hold, in addition to a full replica of their own domain, a partial read-only replica of every other domain in the forest: every object, but only a subset of each object's attributes (the partial attribute set). These servers are used when a user, an administrator, or an application searches the forest, and in a multi-domain forest they are also consulted at logon to resolve universal group membership and to map a user principal name (UPN) to the right domain. The partial attribute set contains the attributes most likely to be searched on; you control it in the schema by selecting the "Replicate this attribute to the Global Catalog" option on an attribute in the Active Directory Schema snap-in (this sets the attribute's isMemberOfPartialAttributeSet flag). Global Catalog queries are served on TCP port 3268 (3269 for LDAP over SSL), separate from the standard LDAP port 389, so a Global Catalog server is a single place from which the whole forest can be enumerated; treat network access to those ports accordingly.

By default, the first domain controller in the forest becomes a Global Catalog server. Any other domain controller can be made one by selecting the Global Catalog check box in the NTDS Settings Properties dialog of the Active Directory Sites and Services tool. Figure 6.3 illustrates this setting.

Figure 6.3. You can set any domain controller to be a Global Catalog server.

A site is a group of IP subnets connected by fast, reliable links. Because Global Catalog servers are used for searches and, in a multi-domain forest, for logon, at least one Global Catalog server should exist in each site of the forest. This lets users search and log on without crossing the relatively slower links between sites. Windows Server 2003 adds an alternative for small sites that cannot justify a Global Catalog server: universal group membership caching, enabled per site in Active Directory Sites and Services, lets the site's domain controllers cache universal group memberships so that logons do not depend on reaching a Global Catalog server across a site link.

You should be aware that each site should contain at least one Global Catalog server so that searches stay on the faster links within the site.


You should take great care when modifying the schema. A schema change is forest-wide, replicates to every domain controller, and cannot be undone (classes and attributes can be deactivated but never deleted), and modifying one object can affect others that depend on it.


Flexible Single Master Operation

Although most of Windows Server 2003 Active Directory operates in a multi-master model, some functions require that a single server be in charge. The Flexible Single Master Operation (FSMO) roles, also called operations master roles, designate one domain controller that must be contacted when certain changes are made to the Active Directory. These roles are the following:

  • Schema Master

  • Domain Naming Master

  • PDC Emulator

  • RID Master

  • Infrastructure Master

Let's now discuss each of these roles and their effect on the physical design of the Active Directory.

Schema Master

By default, the first domain controller in the forest takes on the role of schema master. The schema master is the only domain controller on which the schema can be modified; a member of the Schema Admins group must have connectivity to it to make a schema change, which then replicates to every domain controller in the forest.

This role can be transferred to another domain controller (with the Active Directory Schema snap-in or the roles menu of ntdsutil), but there can be only one schema master per forest. If the domain controller holding the schema master role fails, the role can be seized with ntdsutil and moved to another domain controller, but this should be done only as a last resort; it is better to repair the original server if that is possible. A domain controller whose schema master role has been seized must never be brought back onto the network, because two schema masters would accept conflicting changes; reinstall it before it returns. You can see which domain controllers currently hold the roles with netdom query fsmo.

Because the schema is rarely changed, the location of the schema master is not critical to the design of the Active Directory. It is acceptable and common practice to leave the schema master in its default location.

Domain Naming Master

The first domain controller in the forest also takes on the role of domain naming master. The domain naming master ensures that every domain in the forest is uniquely named; a member of the Enterprise Admins group must have connectivity with it before a domain (or, in Windows Server 2003, an application directory partition) can be added to or removed from the forest. In a Windows 2000 forest the domain naming master must also be a Global Catalog server, because it has to know every domain in the forest; once the forest is at the Windows Server 2003 forest functional level this requirement no longer applies, although leaving the role on a Global Catalog server does no harm.

This role can also be transferred to another domain controller, but there can be only one domain naming master per forest. If the domain controller holding the domain naming master role fails, the role can be seized and moved to another domain controller, but this should be done only as a last resort; it is better to repair the original server if that is possible. The same rule applies as for the schema master: a domain controller whose domain naming master role has been seized must not be brought back online.

Because the addition or removal of a domain happens infrequently, the location of the domain naming master is not critical to the physical design of the Active Directory. It's acceptable to leave the domain naming master at its default location.

PDC Emulator

There is one PDC emulator per domain. The PDC emulator provides several functions in a Windows Server 2003 domain. By default, the first domain controller in each domain takes on the role of PDC emulator. The functions it provides depend on the domain functional level and on whether Windows NT backup domain controllers (BDCs) remain in the domain.

In Windows NT Server, domain controllers operate in a single-master model with the primary domain controller (PDC) as the single master: changes can be made only on the PDC and are then replicated to the backup domain controllers (BDCs), whose databases are read-only except for replication. When a domain is at the Windows 2000 mixed functional level and Windows NT BDCs remain in it, those BDCs look for a PDC to replicate changes to them. Because there is no real PDC, the PDC emulator plays the role of (emulates) the PDC and replicates changes to the BDCs; it also answers pre-Windows 2000 clients that direct password changes to the PDC.

The PDC emulator still performs many functions after all Windows NT domain controllers are gone and the domain is at the Windows Server 2003 functional level. It is the final authority on passwords: a password change made on any domain controller is replicated to the PDC emulator immediately rather than on the normal replication schedule, and when a domain controller is about to reject a logon because of a bad password it first checks with the PDC emulator, so a user whose new password has not yet replicated can still log on. Account lockouts are processed on the PDC emulator, and the Group Policy Object Editor connects to it by default so that two administrators do not edit the same policy on different domain controllers. The PDC emulator is also, by default, the domain master browser for the NetBIOS browsing system that legacy clients and applications depend on. In addition, it is the authoritative time source for the domain: the other domain controllers synchronize with it, and the PDC emulator of the forest root domain is the time source for the whole forest, which matters because Kerberos rejects tickets whose timestamps are more than five minutes off by default. Because several of these functions are tied to frequent, user-visible changes, the PDC emulator should be placed in a well-connected site close to the largest number of users, on a capable machine.

RID Master

There is one relative ID (RID) master per domain. The RID master ensures that the security identifiers (SIDs) issued in a domain remain unique. The SID of a security principal (a user, group, or computer account) has two parts: the domain SID, which is the same for every principal in the domain, and a relative identifier (RID), which is unique to that principal within the domain. In an illustrative SID such as S-1-5-21-1111111111-2222222222-3333333333-500, everything before the last hyphen is the domain SID and 500 is the RID; RID 500 is always the built-in Administrator account, no matter what it has been renamed to.

Domain controllers need RIDs to create security principals. When a domain controller is promoted, the RID master gives it a pool of 500 RIDs, and each principal created on that domain controller consumes one. Before the pool runs out, the domain controller asks the RID master for another block of 500 (Windows Server 2003 domain controllers request the next block once roughly half of the current one has been used), so a short outage of the RID master goes unnoticed. The RID master is also required when an object is moved from one domain to another with movetree, so that the object receives a new SID and its old one is not reused.

In a domain where principals are created often, the RID master should be close to the domain controllers that create them. If that is not possible, it is not critical: RID pool traffic is light. What is critical is that the RID master not remain unavailable for long, because a domain controller that exhausts its pool while the RID master is unreachable can no longer create users, groups, or computers; dcdiag /test:ridmanager reports the state of the role.
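The SID layout and the RID pool behaviour described above can be made concrete. The following Python is an added example, not code from the book: decode_binary_sid and split_sid follow the real on-the-wire SID layout (revision, sub-authority count, 6-byte identifier authority, 32-bit little-endian sub-authorities), while RidMaster and DomainController are a simplified model of the allocation just described, using the 500-RID pool from the text and an assumed refresh point of half the pool. The domain SID, the sample objectSid bytes and the server names are constructed.

```python
"""SID structure and RID-pool allocation (added example, not from the book)."""
import struct

POOL_SIZE = 500              # block size the RID master hands out (from the text)
REFRESH_AT = POOL_SIZE // 2  # assumed: fetch the next block once half is used

# RIDs below 1000 are reserved; these are the ones an investigator looks for.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def decode_binary_sid(blob):
    """Turn the binary objectSid attribute into S-R-I-S... string form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 4-byte little-endian sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """Split a domain principal SID into (domain SID, RID).
    Only S-1-5-21-a-b-c-rid SIDs are domain principals; well-known SIDs such as
    S-1-5-18 (LocalSystem) or a bare domain SID raise ValueError."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain principal SID: %s" % sid)
    return "-".join(parts[:7]), int(parts[7])


def describe_rid(rid):
    """Name a well-known RID; a renamed Administrator still has RID 500."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "created principal" if rid >= 1000 else "reserved"


class RidMaster:
    """Hands out non-overlapping RID blocks; exactly one per domain."""
    def __init__(self, domain_sid, first_rid=1000):
        self.domain_sid, self.next_rid, self.online = domain_sid, first_rid, True

    def allocate(self):
        if not self.online:
            raise RuntimeError("RID master unreachable")
        lo, self.next_rid = self.next_rid, self.next_rid + POOL_SIZE
        return lo, lo + POOL_SIZE - 1   # inclusive block


class DomainController:
    """Consumes RIDs from its current block and prefetches the next one early."""
    def __init__(self, name, master):
        self.name, self.master = name, master
        self.lo, self.hi = master.allocate()   # initial block, given at promotion
        self.next_block, self.used = None, 0

    def _prefetch(self):
        try:
            self.next_block = self.master.allocate()
        except RuntimeError:
            pass   # master down: keep issuing from what is left of this block

    def create_principal(self):
        """Return the SID of a newly created user, group or computer."""
        if self.lo > self.hi:                       # current block exhausted
            if self.next_block is None:
                self._prefetch()
            if self.next_block is None:
                raise RuntimeError("%s: RID pool exhausted, RID master unreachable" % self.name)
            (self.lo, self.hi), self.next_block, self.used = self.next_block, None, 0
        rid, self.lo, self.used = self.lo, self.lo + 1, self.used + 1
        if self.used == REFRESH_AT and self.next_block is None:
            self._prefetch()
        return "%s-%d" % (self.master.domain_sid, rid)


# Constructed sample: objectSid bytes for S-1-5-21-1-2-3-500 (not real data).
SAMPLE_OBJECTSID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 500)


def creations_before_failure():
    """Two DCs share one RID master, then the master goes offline.
    Returns (all issued SIDs unique, how many more principals DC1 could create)."""
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333")  # constructed
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    sids = [dc1.create_principal() for _ in range(300)]
    sids += [dc2.create_principal() for _ in range(300)]
    master.online = False
    extra = 0
    try:
        while True:
            dc1.create_principal()
            extra += 1
    except RuntimeError:
        pass
    return len(set(sids)) == len(sids), extra


if __name__ == "__main__":
    print(decode_binary_sid(SAMPLE_OBJECTSID))
    print(split_sid("S-1-5-21-1-2-3-500"), describe_rid(500))
    print(creations_before_failure())
```

DC1 survives the outage for the 200 RIDs left in its first block plus the 500 it prefetched at the half-way point, then fails on the 701st attempt; that is the window a RID master outage gives you before principal creation stops on a busy domain controller.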

Infrastructure Master

There is one infrastructure master per domain. The infrastructure master is responsible for references from objects in its domain to objects in other domains, such as a group in this domain that has members from another domain. Each domain controller stores such a cross-domain reference as a phantom record holding the referenced object's globally unique identifier (GUID), SID and distinguished name (DN). The GUID never changes, but the DN changes when the object is renamed or moved to another OU or domain, and the SID changes when it is moved to another domain. The infrastructure master periodically compares its phantoms with a Global Catalog server, finds those whose DN or SID is out of date, corrects them, and replicates the corrections to the other domain controllers in its domain. This is why a group keeps its cross-domain members after those objects are moved or renamed. A Global Catalog server already holds a partial copy of every object in the forest and therefore stores no phantoms, so an infrastructure master that is also a Global Catalog server would never find anything to update; in a multi-domain forest the infrastructure master should not be a Global Catalog server unless every domain controller in the domain is one. In a single-domain forest there are no cross-domain references and the placement does not matter.

You should know that there is only one schema master and one domain naming master per forest, and only one PDC emulator, RID master, and infrastructure master per domain.
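The placement rules in this chapter (at least one Global Catalog server per site, an infrastructure master that is not a Global Catalog server in a multi-domain forest, and a domain naming master that is a Global Catalog server below the Windows Server 2003 forest level) can be checked mechanically. The following Python script is an added example, not code from the book. It runs over a constructed, in-memory picture of a forest in the shape you would read over LDAP: the fSMORoleOwner attribute of each role-bearing object (the schema container, the Partitions container, the domain head, the RID Manager$ object and the Infrastructure object), each of which names the holder's NTDS Settings object, plus the options attribute of each NTDS Settings object, where bit 0x1 (NTDSDSA_OPT_IS_GC) marks a Global Catalog server, and msDS-Behavior-Version on the Partitions container for the forest functional level. The forest name, sites and server names are invented.

```python
"""FSMO and Global Catalog placement check (added example, not from the book)."""
import re

NTDSDSA_OPT_IS_GC = 0x1   # bit in the NTDS Settings "options" attribute on a GC
WS2003_FOREST_LEVEL = 2   # msDS-Behavior-Version for Windows Server 2003 forest level
CONFIG = "CN=Configuration,DC=corp,DC=example"   # assumed forest root


def ntds_dn(server, site):
    """DN of a server's NTDS Settings object, which is what fSMORoleOwner names."""
    return "CN=NTDS Settings,CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (server, site, CONFIG)


# Constructed sample forest: two domains, two sites, four domain controllers.
SAMPLE_FOREST = {
    "forest_level": WS2003_FOREST_LEVEL,
    "dcs": {   # NTDS Settings DN -> domain and options attribute
        ntds_dn("DC1", "HQ"):       {"domain": "DC=corp,DC=example",       "options": 1},
        ntds_dn("DC2", "HQ"):       {"domain": "DC=corp,DC=example",       "options": 0},
        ntds_dn("EUDC1", "HQ"):     {"domain": "DC=eu,DC=corp,DC=example", "options": 1},
        ntds_dn("EUDC2", "Branch"): {"domain": "DC=eu,DC=corp,DC=example", "options": 0},
    },
    "forest_roles": {"Schema master": ntds_dn("DC1", "HQ"),
                     "Domain naming master": ntds_dn("DC1", "HQ")},
    "domain_roles": {
        "DC=corp,DC=example":       {"PDC emulator": ntds_dn("DC1", "HQ"),
                                     "RID master": ntds_dn("DC1", "HQ"),
                                     "Infrastructure master": ntds_dn("DC2", "HQ")},
        "DC=eu,DC=corp,DC=example": {"PDC emulator": ntds_dn("EUDC1", "HQ"),
                                     "RID master": ntds_dn("EUDC1", "HQ"),
                                     "Infrastructure master": ntds_dn("EUDC1", "HQ")},
    },
}

_DN_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,")


def server_and_site(ntds_settings_dn):
    """Extract (server name, site name) from an NTDS Settings DN."""
    m = _DN_RE.match(ntds_settings_dn)
    if not m:
        raise ValueError("not an NTDS Settings DN: %s" % ntds_settings_dn)
    return m.group(1), m.group(2)


def is_gc(forest, dn):
    return bool(forest["dcs"][dn]["options"] & NTDSDSA_OPT_IS_GC)


def fsmo_holders(forest):
    """Role -> server name, the information 'netdom query fsmo' prints."""
    out = {role: server_and_site(dn)[0] for role, dn in forest["forest_roles"].items()}
    for domain, roles in forest["domain_roles"].items():
        for role, dn in roles.items():
            out["%s (%s)" % (role, domain)] = server_and_site(dn)[0]
    return out


def check_placement(forest):
    """Return design warnings drawn from the placement rules in this chapter."""
    warnings = []
    multi_domain = len(forest["domain_roles"]) > 1
    # Rule: in a multi-domain forest the infrastructure master must not be a GC,
    # unless every DC in its domain is a GC (then there are no phantoms to fix).
    for domain, roles in forest["domain_roles"].items():
        im = roles["Infrastructure master"]
        domain_dcs = [dn for dn, a in forest["dcs"].items() if a["domain"] == domain]
        all_gc = all(is_gc(forest, dn) for dn in domain_dcs)
        if multi_domain and is_gc(forest, im) and not all_gc:
            warnings.append("%s: infrastructure master %s is a Global Catalog server; "
                            "cross-domain references will not be updated"
                            % (domain, server_and_site(im)[0]))
    # Rule: every site that has domain controllers should have at least one GC.
    sites = {}
    for dn in forest["dcs"]:
        site = server_and_site(dn)[1]
        sites[site] = sites.get(site, False) or is_gc(forest, dn)
    for site, has_gc in sorted(sites.items()):
        if not has_gc:
            warnings.append("site %s has no Global Catalog server; searches and "
                            "logons cross a site link" % site)
    # Rule: below the Windows Server 2003 forest level the domain naming master must be a GC.
    dnm = forest["forest_roles"]["Domain naming master"]
    if forest["forest_level"] < WS2003_FOREST_LEVEL and not is_gc(forest, dnm):
        warnings.append("domain naming master %s is not a Global Catalog server "
                        "(required below Windows Server 2003 forest level)"
                        % server_and_site(dnm)[0])
    return warnings


if __name__ == "__main__":
    for role, holder in fsmo_holders(SAMPLE_FOREST).items():
        print("%-50s %s" % (role, holder))
    for w in check_placement(SAMPLE_FOREST):
        print("WARNING:", w)
```

On the sample forest the check flags EUDC1, which holds the eu domain's infrastructure master while being a Global Catalog server in a domain that still has a non-GC domain controller, and the Branch site, which has a domain controller but no Global Catalog server. Against a real forest, the same data comes from an LDAP read of the five fSMORoleOwner attributes and of every NTDS Settings object under CN=Sites in the Configuration partition.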




MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2 (Exam Cram 70-297)
ISBN: 0789730154
Year: 2003
Pages: 152