70-240 in 15 minutes a week: Introduction to Windows 2000 Server and Active Directory Page 4

Physical Structure

The physical structure of Active Directory relates to two main types of objects - sites and domain controllers. 


Unlike NT 4, Windows 2000 Active Directory provides for the concept of physical locations within its design. In Active Directory, a site is a collection of TCP/IP subnets connected at high speed. Though 'high speed' is relative, it usually means a collection of subnets connected at LAN-type speeds. You define sites in Active Directory to control replication, authentication, and the location of services. A client is matched to a site by the IP subnet it is on, which is why every subnet in use should be assigned to a site. Once sites have been defined, a client computer will attempt to authenticate to a domain controller that is part of the same site, instead of sending the request over the WAN.

Sites also allow you to control when replication can occur between domain controllers. For example, in NT 4, all BDCs replicated with their PDC using a 5-minute change notification interval. Since there wasn't any easy way to control replication between physical locations (it could only be done by scripting changes to the registry), replication traffic often saturated links and degraded performance. Once you have defined sites in Active Directory, you can also specify the times and days at which replication between sites can occur, how often during these times, and the preferred path that replication should follow. You should note, however, that only one site exists by default, and until you define more sites, all replication is treated as intra-site and continues on the same 5-minute change notification interval. It is also important to note that sites are another element that allow large companies to have only a single domain. Since there is no correlation between the logical and physical structures of Active Directory, you could have one domain and hundreds of sites. The ability to control replication traffic is a big part of what makes this more manageable than in the past.
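The subnet-to-site matching described above is easy to get wrong when subnets overlap or a subnet has never been assigned to a site. The following Python example is added here to illustrate the lookup; it is not code from the original article, and the site names, subnets and domain controller names it uses are constructed for the example. In a real forest the subnet and site objects live under CN=Sites,CN=Configuration in the configuration partition, and the fallback for a site with no domain controller of its own is handled by site-link costs and automatic site coverage, which the example simplifies to "try any DC in the domain".

```python
"""Illustrative subnet-to-site lookup, modelled on how a client is assigned
to an Active Directory site before it picks a domain controller.
Added example; all names and addresses below are constructed, not real."""
import ipaddress

# Constructed sample data: site names and the subnets assigned to each site.
SITE_SUBNETS = {
    "Toronto-HQ":  ["10.1.0.0/16", "10.2.0.0/16"],
    "Chicago":     ["10.3.0.0/16"],
    "Chicago-Lab": ["10.3.200.0/24"],   # more specific range carved out of Chicago's
}

# Constructed sample data: which domain controllers sit in which site.
SITE_DCS = {
    "Toronto-HQ":  ["DC01", "DC02"],
    "Chicago":     ["DC03"],
    "Chicago-Lab": [],                  # a site with subnets but no DC of its own
}


def site_for_address(ip, site_subnets=SITE_SUBNETS):
    """Return the site whose most specific (longest prefix) subnet contains ip.

    Returns None when no subnet object covers the address; such a client is
    not a member of any site and will not get a site-local DC.
    """
    addr = ipaddress.ip_address(ip)
    best_site, best_prefix = None, -1
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_prefix:
                best_site, best_prefix = site, net.prefixlen
    return best_site


def preferred_dcs(ip, site_subnets=SITE_SUBNETS, site_dcs=SITE_DCS):
    """Return (site, [DCs]) a client at ip should try first.

    A site with at least one DC yields that site's DCs. A client in no site,
    or in a site with no DC, falls back to every DC in the domain; real DC
    locator would instead pick the nearest site by site-link cost (assumption
    simplified here).
    """
    site = site_for_address(ip, site_subnets)
    if site and site_dcs.get(site):
        return site, list(site_dcs[site])
    all_dcs = sorted(dc for dcs in site_dcs.values() for dc in dcs)
    return site, all_dcs


if __name__ == "__main__":
    for client in ("10.1.5.5", "10.3.200.7", "10.3.1.1", "192.168.1.1"):
        print(client, "->", preferred_dcs(client))
```

The longest-prefix rule matters in practice: if 10.3.200.0/24 had been left out, lab clients would silently authenticate across the WAN to Chicago's DC, and a client on an unassigned subnet (192.168.1.1 above) gets no site at all, which shows up as "no site" entries in the NETLOGON log.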

Domain Controllers

Of course, you can't have a domain without at least one domain controller, since this is where the Active Directory database is stored. Unlike Windows NT, which had only one writable copy of the domain database (stored on the PDC), in Windows 2000 every domain controller has a writable copy of the Active Directory database. As such, all domain controllers in an Active Directory environment are more or less equal. This makes things more complex, however, since any domain controller can accept an update instead of everything being done on one system, and conflicting changes made on different domain controllers have to be reconciled during replication. As in NT 4, you should have at least two domain controllers in a domain for the purpose of redundancy, and usually many more, depending on the size of the organization.

You create a domain controller in Windows 2000 by running the Active Directory Installation Wizard, dcpromo.exe. This tool not only allows you to create new domain controllers, but also new domains, trees, and forests. It will also allow you to change a domain controller back into a member server if you change your mind. An example of the choices available when running dcpromo.exe is shown below:

After a domain controller is created, it will hold a copy of the Active Directory database (ntds.dit), and will be capable of authenticating users from that domain. The Active Directory database is actually made up of what are referred to as 3 partitions: the domain partition, which holds the users, groups, computers and other objects of that domain; the configuration partition, which holds forest-wide configuration such as sites, site links and the replication topology; and the schema partition, which holds the definitions of every object class and attribute the forest can contain.

The domain partition is replicated amongst domain controllers in the same domain only, while the configuration and schema partitions get replicated to every single domain controller in the entire forest.

Although I will get into this in much more detail later in the series, you should be aware that some domain controllers differ from others in terms of special roles that they can hold. I have briefly outlined the basics of each role below:

Global Catalog Server - A global catalog server is a domain controller that knows about every single object that exists within Active Directory, from all domains. However, it stores only a subset of the attributes of every object, those that are considered most important (and the most commonly searched). By default only one domain controller in the entire forest carries this role - the first domain controller created in the forest. More global catalog servers can (and should) be created throughout the forest. A domain controller acting as a global catalog server holds, in addition to its own three partitions, a partial read-only replica of every other domain's domain partition; this is what is sometimes described as a fourth, Global Catalog, partition.

Besides the Global Catalog server role, there are 5 special roles that a domain controller might have, referred to as Operations Masters. These are outlined below:

Schema Master - In a forest, one domain controller holds the role of the Schema Master. The Schema Master maintains the Active Directory schema, and holds the only writable copy of the schema. There is only one Schema Master per forest, and by default it will be the first domain controller created in the root domain of the forest.

Domain Naming Master - This domain controller keeps track of domains that are added or removed from the forest, ensuring integrity of the forest structure as these changes take place. There is only one Domain Naming Master per forest, and by default it will be the first domain controller created in the root domain of the forest.

PDC Emulator - The PDC emulator exists for a couple of reasons, one of which is backwards compatibility with NT 4 domain controllers. When upgrading a domain to Windows 2000, the first system upgraded should be the PDC, and this new Windows 2000 DC emulates the old PDC for remaining NT 4 BDCs. The PDC Emulator is also preferentially passed password changes, and is consulted prior to failing a client logon request. By default downlevel clients such as those running NT 4 and Windows 9x will continue to make password changes at the PDC Emulator (unless they have the Active Directory client installed). There is one PDC Emulator per domain, by default the first domain controller created in the domain.

Relative Identifier (RID) Master - In Windows NT 4, the PDC was responsible for creating all SIDs, since it was responsible for creating all security principals. In Windows 2000, any domain controller can create a security principal. A SID is actually made up of two parts: a domain identifier (the domain's own SID, which is common to every principal in that domain) and a RID (which identifies a unique object within that domain). In order to ensure that all SIDs are unique, one domain controller per domain is assigned the role of the RID Master, which is responsible for creating the domain pool of RIDs and allocating blocks of these RIDs to the other domain controllers in the domain. This helps ensure that no duplication of object SIDs will occur. Each Active Directory domain will have one RID Master, by default the first domain controller created in that domain.

Infrastructure Master - The Infrastructure Master is responsible for keeping track of which users (from another domain) are members of groups in a domain, and keeping track of any changes that may take place. This ensures consistency of user to group references in Active Directory. Because it does this by comparing its own copy of those cross-domain references against a global catalog, the Infrastructure Master should not itself be a global catalog server unless every domain controller in the domain is one (or the forest has only a single domain). Each Active Directory domain will have one Infrastructure Master, by default the first domain controller created in that domain.
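The RID Master description above explains that a SID is a domain identifier plus a RID. The following Python example is added here to make that split concrete; it is not code from the original article. The SID values it uses are constructed for the example, and the binary decoding goes beyond the text by showing the on-the-wire form of a SID as stored in an object's objectSid attribute (one revision byte, a sub-authority count, a 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities). The well-known RID table is a fact about Windows, not something the article lists, and the "1000 and above" convention for pool-allocated RIDs is the default in a freshly built domain.

```python
"""Split a Windows SID into its domain part and RID, and decode the binary
SID form. Added example; sample SIDs below are constructed, not real."""
import struct
from typing import NamedTuple

# Well-known RIDs fixed by Windows; these are never handed out from the
# RID pool that the RID Master allocates to domain controllers.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


class ParsedSid(NamedTuple):
    domain_sid: str   # e.g. S-1-5-21-x-y-z, identifies the domain
    rid: int          # identifies one principal within that domain


def parse_sid_string(sid: str) -> ParsedSid:
    """Parse 'S-1-5-21-a-b-c-rid' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    # Everything but the last sub-authority identifies the issuing domain;
    # the last sub-authority is the RID a DC took from its RID pool.
    *domain, rid = parts
    return ParsedSid("-".join(domain), int(rid))


def sid_from_binary(data: bytes) -> str:
    """Decode the binary SID layout used by objectSid and security descriptors."""
    if len(data) < 8:
        raise ValueError("malformed binary SID")
    revision, subauth_count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * subauth_count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")          # 48-bit, big-endian
    subauths = struct.unpack("<%dI" % subauth_count, data[8:])  # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two principals were issued by the same domain."""
    return parse_sid_string(sid_a).domain_sid == parse_sid_string(sid_b).domain_sid


def describe(sid: str) -> str:
    """Label a SID with its well-known RID name, or with how the RID was issued."""
    p = parse_sid_string(sid)
    if p.rid in WELL_KNOWN_RIDS:
        label = WELL_KNOWN_RIDS[p.rid]
    elif p.rid >= 1000:
        label = "pool-allocated RID"     # allocated by a DC from its RID pool
    else:
        label = "reserved RID"           # below 1000, not issued from the pool
    return f"{p.domain_sid} / {p.rid} ({label})"


if __name__ == "__main__":
    for s in ("S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-1104"):
        print(describe(s))
```

The practical point for anyone auditing a domain: the built-in Administrator account keeps RID 500 no matter what it is renamed to, so checking the RID rather than the name is the reliable way to spot it, and two SIDs that share everything except the final sub-authority belong to the same domain.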

This article was originally published on Mar 26, 2001