Active Directory Structure

 < Day Day Up > 

Active Directory (AD) is a robust, standards-based Light Directory Access Protocol (LDAP) directory developed by Microsoft. In addition to serving as the central directory for Windows Server 2003, AD is also used to store the Exchange Server 2003 directory information. All Exchange attributes, such as email address, mailbox location, home server, and a whole range of other information used by Exchange is directly stored in Active Directory.

Exploring AD Domains

An Active Directory domain is the main logical boundary of Active Directory. In a standalone sense, an AD domain looks very much like a Windows NT domain. Users and computers are all stored and managed from within the boundaries of the domain. However, several major changes have been made to the structure of the domain and how it relates to other domains within the Active Directory structure.

Domains in Active Directory serve as a security boundary for objects and contain their own security policies. For example, different domains can contain different password policies for users. Keep in mind that domains are a logical organization of objects and can easily span multiple physical locations. Consequently, it is no longer necessary to set up multiple domains for different remote offices or sites, because replication concerns can be addressed with the proper use of Active Directory sites, which are described in greater detail later in this chapter.

Exploring AD Trees

An Active Directory tree is composed of multiple domains connected by two-way transitive trusts. Each domain in an Active Directory tree shares a common schema and Global Catalog. The transitive trust relationship between domains is automatic, which is a change from the domain structure of NT 4.0, wherein all trusts had to be manually set up. The transitive trust relationship means that because the asia domain trusts the root companyabc domain, and the europe domain trusts the companyabc domain, the asia domain also trusts the europe domain. The trusts flow through the domain structure.

Exploring AD Forests

Forests are a group of interconnected domain trees. Implicit trusts connect the roots of each tree into a common forest.

The overlying characteristics that tie together all domains and domain trees into a common forest are the existence of a common schema and a common Global Catalog. However, domains and domain trees in a forest do not need to share a common namespace. For example, the domains microsoft.com and msnbc.com could theoretically be part of the same forest, but maintain their own separate namespaces (for obvious reasons).

NOTE

Each separate instance of Exchange Server 2003 requires a completely separate AD Forest. In other words, AD cannot support more than one Exchange organization in a single forest. This is an important factor to bear in mind when examining AD integration concepts.


Understanding AD Replication with Exchange Server 2003

An understanding of the relationship between Exchange and Active Directory is not complete without an understanding of the replication engine within AD itself. This is especially true because any changes made to the structure of Exchange must be replicated across the AD infrastructure.

Active Directory replaced the concept of Primary Domain Controllers (PDCs) and Backup Domain Controllers (BDCs) with the concept of multiple domain controllers that each contain a master read/write copy of domain information. Changes that are made on any domain controller within the environment are replicated to all other domain controllers in what is known as multimaster replication .

Active Directory differs from most directory service implementations in that the replication of directory information is accomplished independently from the actual logical directory design. The concept of Active Directory sites is completely independent from the logical structure of Active Directory forests, trees, and domains. In fact, a single site in Active Directory can actually host domain controllers from different domains or different trees within the same forest. This enables the creation of a replication topology based on your WAN structure, and your directory topology can mirror your organizational structure.

From an Exchange point of view, the most important concept to keep in mind is the delay that replication causes between when a change is made in Exchange and when that change is replicated throughout the entire AD structure. The reason for these types of discrepancies lies in the fact that not all AD changes are replicated immediately. This concept is known as replication latency. Because the overhead required in immediately replicating change information to all domain controllers is large, the default schedule for replication is not as often as you might want. To immediately replicate changes made to Exchange or any AD changes, use the following procedure:

  1. Open Active Directory Sites and Services.

  2. Drill down to Sites, sitename , Servers, servername , NTDS Settings. The server name chosen should be the server you are connected to, and from which the desired change should be replicated.

  3. Right-click each connection object and choose Replicate Now, as illustrated in Figure 8.1.

    Figure 8.1. Forcing AD replication.

    graphics/08fig01.gif

 < Day Day Up > 


Microsoft Exchange Server 2003 Unleashed
Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net