The Windows 2003 topology is quite different from the Windows NT 4 topology. A Windows 2003 domain is a directory and namespace partition, and it is a security boundary defining the scope of policies and groups. The domain can span multiple physical locations and may potentially contain millions of objects (Figure 1.4).
Figure 1.4: Windows 2003 domain (OU = organizational unit)
Domains contain organizational units (OUs). OUs are containers within a domain that enable Active Directory designers to logically group AD objects. OUs contain leaf objects, such as users, groups, and printers, and they allow domains to be subdivided without creating additional domains.
Administration tasks can be delegated using Access Control Lists assigned to the OUs.
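An added example, not from the book, of reviewing that delegation: the PowerShell below assumes the ActiveDirectory module's AD: drive (RSAT) and a hypothetical, site-specific $expected list, and reports every explicit write-class right set directly on an OU so delegated administration can be checked against what was intended.

```powershell
# Added example (not from the book): list the principals that hold
# write-class rights set explicitly on each OU, for a least-privilege review.
# Assumes the ActiveDirectory module (RSAT) and the AD: PSDrive it provides.
Import-Module ActiveDirectory

# Rights that let the holder change an OU's contents or its own permissions.
$writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner',
               'WriteProperty', 'CreateChild', 'DeleteChild', 'Delete'

# Hypothetical list of principals whose rights are expected; tune per domain.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF'

function Get-OuDelegation {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Only explicit (non-inherited) Allow entries reflect delegation
            # made on this OU itself rather than on a parent container.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            $rightsText = $ace.ActiveDirectoryRights.ToString()
            $matched = $writeRights | Where-Object { $rightsText -match $_ }
            if (-not $matched) { continue }
            $principal = $ace.IdentityReference.Value
            if ($expected -contains $principal) { continue }
            [PSCustomObject]@{
                OU         = $ou.DistinguishedName
                Principal  = $principal
                Rights     = $rightsText
                # All-zero GUID means the right covers every attribute/class.
                ObjectType = $ace.ObjectType
                Inherit    = $ace.InheritanceType
            }
        }
    }
}

Get-OuDelegation | Sort-Object OU, Principal | Format-Table -AutoSize
```

Entries for the domain's own administrative groups will still appear unless added to $expected; what matters in review is any principal or right that nobody can account for.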
A tree is a hierarchical organization of domains linked by a Kerberos trust. All domains within a tree share a common configuration, a common schema, a common Global Catalog, and a contiguous namespace (Figure 1.5).
Figure 1.5: Windows 2003 tree
A forest is a collection of one or more trees joined by a Kerberos trust. Domains within a forest share a common configuration, a common schema, and a common Global Catalog. However, the domains in a forest have a discontiguous namespace (Figure 1.6).
Figure 1.6: Windows 2003 forest
A Windows site reflects locality and is a collection of IP subnets with fast connectivity. The primary purposes of the site definition are to facilitate workstation logons and to determine how directory replication is performed. All site definitions are replicated to all domain controllers. For workstation logon, the site definition helps find a domain controller within the same site as the client workstation.
The Global Catalog contains a replica of selected attributes of every Active Directory object. It contains the object attributes that are most commonly used as search criteria for queries that span domains, such as user names, telephone numbers, and e-mail addresses. The list of attributes included in the Global Catalog is extensible by modifying the Active Directory schema.
An Exchange 5.5 site defines and controls the namespace, the administration boundary, routing, and directory replication. A Windows site is based on IP subnets and topology. Exchange 2003 does not contain a site concept. Instead, it uses Routing Groups to collect servers into groups that have point-to-point, high-bandwidth connections. Exchange Administrative Groups define the administration boundaries.
The breadth of the Windows 2003 environment limits the breadth of the Exchange organization. An Exchange 2003 organization cannot span multiple Active Directory forests because neither Windows nor Exchange contains any tools to replicate Active Directory objects and properties across forests.
Third-party products, such as Hewlett-Packard's Lightweight Directory Access Protocol Directory Synchronization Utility, could be used to perform directory replication across forest boundaries.