
DOCUMENT INFORMATION

Basic information

Title: Active Directory Physical Structure
Field: Computer Science
Category: Chapter
Year published: 2000
Pages: 26
Size: 174.52 KB



Active Directory Physical Structure

This chapter reviews the physical structures of Active Directory. This chapter also introduces you to the relationships between domain controllers, the various roles of domain controllers, global catalogs, and sites.

Past, Present, and Future

Past operating systems had no awareness of the underlying physical network structure on which they were deployed. For small companies, even reasonably sized ones, the network layout, interconnection points and subnets, remote offices, and so on were either laid out long before Windows NT became pervasive or were installed independently of the network operating systems that depended on it.

We typically build networks on which the servers reside on 100Mbps media, the backbone. There is 100Mbps media between floors, and then this network is extended into a 10Mbps network down to the users. Windows NT does not care if the network is 10Mbps or 10,000Mbps; it has no built-in means of catering to the available resources.

But this is no longer sufficient, because Windows 2000’s physical structure and its multi-master replication technology, global catalog services, public key infrastructure, directory synchronization, Kerberos authentication, and more do need to be sensibly and carefully built according to the physical network resources. Fortunately, the OS also allows you to build a logical network and map it to a present or future physical network. With Active Directory services, you can tailor your Windows 2000 deployment to the available network and merge the two structures into a unified cooperative. The reason for this is Active Directory and its host domain controller server.

Active Directory Topology


Windows NT and Windows 2000 network requirements are very different. Windows NT depends on a single primary domain controller, the PDC, which holds the master database of the domain configuration, accounts, security, and so on. This PDC is a single master domain controller, meaning that only the database on the PDC machine can be written to. If this machine begins to shake or freak out, the network is frozen, in terms of its ability to make changes to the domain. Clearly, this is not a pleasant idea. Backup domain controllers, or BDCs, back up the PDC. The BDCs can service the domain, in terms of logon authentication, security, and the like. But their registry databases cannot be edited. In order to do that, you must promote the BDC to the role of PDC. Thus, the PDC and BDC exist in a single-master or master-slave arrangement.

No matter where you are on a Windows NT network, changes you make to the domain are saved to the PDC, and the PDC then replicates this information out to the BDCs wherever they are. The PDC does this automatically, or you can force the BDC and the PDC to synchronize their databases. Other than this forced synchronization, there is little else you can do to manage or customize this synchronization.

In Windows NT, there is typically one BDC for every remote location and one or two on the local segment, and all reside on the same network. In other words, if the PDC is in Miami and the BDC is in Portland, Windows NT does not know that. The PDC functions independently of the BDC on the other side of the country. Naturally, if the BDC in Portland went down, the Portland users would have a hard time getting authenticated or using network resources, and if their segment lost connectivity to the office in Miami, they would be in trouble. This Windows NT single-master physical domain structure is illustrated in Figure 8-1.

Windows 2000 is very different. While the concept of domain controllers and backup domain controllers remains the same, these services operate as masters, or in a multi-master peer arrangement. There is no PDC; all domain controllers can be edited and updated. Active Directory makes sure that any changes or additions made to one domain controller directory are distributed to the other domain controllers. This is known as multi-master replication technology (and you could call it a philosophy as well). The multi-master arrangement is illustrated in Figure 8-2.

To deploy an ongoing administrative approach in Windows 2000, you must first design the logical structures based on the enterprise’s present and future needs, as discussed in Chapter 7. Then map that model to the physical network and ensure that you have the necessary structures to support it, in terms of bandwidth, subnet design, network routes, and so on. It is also possible, as you will see, to cater to areas of your network that do not ideally fit into any logical structures you have. Windows 2000 and Active Directory allow you to map your logical network model to the physical network with domain controllers (DC), global catalogs (GC), and sites. And Windows 2000 ties everything together between the DCs, the GCs, and the sites with links, bridges, and connection objects to comprise a highly sophisticated directory, directory replication, and directory synchronization service. Before we get down to the railroad work, we should talk about DCs, GCs, and sites in less abstract terms than we have in the previous chapters.


Figure 8-1: The network single-master domain structure of the Windows NT domain

Figure 8-2: The network multi-master domain structure of the Windows


Domain Controllers and Global Catalogs

The three components of Windows 2000 and Active Directory networks are domain controllers (the directory hosts), global catalogs, and sites. They are all interrelated, so a discussion of each individually and then collectively is warranted. Let’s kick off with the DCs you have been reading so much about.

of enterprise information, a place where you can place “signposts” that point or redirect users to information and objects of functionality anywhere on the local or wide area network. It is also a place where you can go to find people, places, and things. In the future, Active Directory will become the local “hangout” for all applications.

In addition, Active Directory also stores information about the physical structure of your network. To use the brain analogy again, Active Directory knows how your network is structured and what is required to keep it in good health and service it correctly.

But the one thing we cannot do with our brains is replicate the information in them. If we could, life would be very different. Also, imagine blowing out your brains and then just replacing them with a “hot” standby, a la Plug and Play. Fortunately for us, our brains, left alone, look after themselves pretty well for a period of 70 to 100 years. Active Directory brains are not as fortunate; they can be carried off, fused, trashed, and corrupted.

Imagine that the only DC running a Windows 2000 domain gets fried. Knowing what you do now, the network will be frozen until the DC can be restored. This is not a fortunate position to be in. For starters, your backups (usually taken the night before) are only able to restore you to the state you were in 8 to 12 hours ago. Second, what will now authenticate the restore service writing to the new machine? While we explain how to restore a single Active Directory in Chapter 17, losing the domain controller is not a pleasant event, akin to a human going into a coma and not returning for a few weeks or years, if ever.

So, having another “equal partner” domain controller is essential, even for a small office. It need not cost an arm and a leg, as we discuss in Chapter 9, but you should have one all the same.


The number one rule about Active Directory availability on a Windows 2000 network is to place the DC as close as possible to users. In larger companies, it makes sense to place domain controllers on remote sites, segments, separated offices, or large offices, because the nearer your clients are to the DCs, the quicker they will be able to authenticate and gain access to resources, printers, and communications. Having more than one DC also spreads the load around, a practice called load balancing. An office of more than a thousand people all hitting one lonely DC does not make sense.

All the DCs in an enterprise coexist as a “cluster” of sorts, each one backing up the others. They are all responsible for maintaining the identical information about a certain domain, as well as any information that that directory has concerning the other elements and domains in the forest. The DCs keep each other abreast of changes and additions through an extensive, complex, and complicated replication topology. It is certainly far too complicated to grasp at its DNA level. And it is both with tongue in cheek and a design style we will soon discuss that we refer to a Windows 2000 network as a matrix.

The matrix, however, becomes a growing consumer of network bandwidth the larger and more complex the enterprise becomes, or the more it begins to depend on directory services. So, one of the first tasks you or your administrators will have in the management of the domains and directories is the replication provisioning that must take place. The global catalog service (GC) also uses bandwidth and Active Directory and DC resources, as we will soon discuss.

As discussed earlier, this intra-cooperation between all DCs on the matrix is what we call a multi-master arrangement. And if the packets are routed over limited bandwidth, you will see that the router or gateway is a lot more vulnerable to bottlenecks than in the Windows NT domain philosophy of single-master operations.

Let’s look at some core facts about DCs that cannot be ignored; we’ll be summarizing as we go:

✦ Each domain must have a DC (or one copy of the Active Directory). Like the brain, if the last DC goes into a coma, the network comes to a dead stop.

✦ DCs provide users with the means to function in a workplace, to communicate, and to keep the enterprise alive. Take that away and you have a lot of unhappy people.

✦ You need more than one DC in a domain (or a very good backup/restore plan, or even RAID in a small office).

✦ The various parts of the DC that must get replicated to the other domain controllers, in the same domain, are schema changes, configuration changes, and the naming contexts. The naming contexts are essentially the tree namespaces, the names of the actual objects on the tree, and so on.


By now, you have probably realized that your domain controller can only service one domain. How much more sensible and easier would it be if a good machine with tons of resources could be used to host multiple domains? We hope to see this emerge in future generations of Active Directory.

While the Active Directory replicates everything to the other domain controllers, it has some built-in features that facilitate replication. Before we discuss them, look at the illustration in Figure 8-3. Imagine if you poured water in either side of the tube. Your knowledge of science tells you that gravity and other forces in the cosmos act to balance the two sides. It does not matter which side you pour the water into, nature still acts to create equilibrium. This is how Active Directory works; it has automatic built-in mechanisms that ensure that if there is more than one DC on the matrix, it receives the share of information it needs or deserves.

However, if you limit the width of the U-piece, or the tunnel, it will take longer to create the balance. And, naturally, if you block the U-piece, the balance will not occur.

Figure 8-3: Active Directory replication is automatic and for the most part transparent

Specifically, the Active Directory acts in the following manner to make sure that the replication occurs and that it occurs as painlessly as possible. First, only the changes to objects or new objects get replicated to the other DCs. Second, you can specify how the replication is handled. For example, you can schedule how often and when replication occurs.

Note


By using these features, you can control the bandwidth usage between domain controllers. And if you have remote sites, sensible use of replication services and bandwidth might obviate the need for a separate domain, especially if you are catering to a small office and you do not have a lot of network traffic hitting that U-piece on your network.
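To make the change-only replication just described concrete, here is an added Python model; it is not from the book and is not the Active Directory implementation. Each DC keeps an append-only change log with its own sequence counter (Active Directory uses update sequence numbers for this purpose) and remembers, per originating DC, how far it has already pulled, so a replication pass ships only what the partner has not yet seen. The DC names, object names and the ring of connections are constructed, and the `link_open` flag stands in for a replication schedule window or a blocked U-piece.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Change:
    """One directory write, tagged with where it originated."""
    origin: str        # DC on which the write happened
    origin_usn: int    # that DC's sequence number for the write (like an AD USN)
    dn: str            # object changed
    attr: str
    value: str


@dataclass
class DomainController:
    name: str
    objects: Dict[str, Dict[str, str]] = field(default_factory=dict)
    log: List[Change] = field(default_factory=list)
    # highest origin_usn already applied, per originating DC (the watermark)
    watermark: Dict[str, int] = field(default_factory=dict)
    usn: int = 0

    def write(self, dn: str, attr: str, value: str) -> None:
        """Originating write: any DC can be written to (multi-master)."""
        self.usn += 1
        self._apply(Change(self.name, self.usn, dn, attr, value))

    def _apply(self, ch: Change) -> None:
        self.objects.setdefault(ch.dn, {})[ch.attr] = ch.value
        self.log.append(ch)
        self.watermark[ch.origin] = max(self.watermark.get(ch.origin, 0), ch.origin_usn)

    def changes_since(self, partner_watermark: Dict[str, int]) -> List[Change]:
        """Only entries the partner has not yet seen, judged per originating DC."""
        return [c for c in self.log
                if c.origin_usn > partner_watermark.get(c.origin, 0)]

    def pull_from(self, source: "DomainController", link_open: bool = True) -> int:
        """One replication pass over a connection; returns entries applied.

        link_open=False models a closed schedule window (or a blocked U-piece):
        nothing moves until the link opens again.
        """
        if not link_open:
            return 0
        batch = source.changes_since(self.watermark)
        for ch in batch:
            self._apply(ch)
        return len(batch)


def replicate_ring(dcs: List[DomainController], link_open: bool = True) -> int:
    """Each DC pulls from both ring neighbours; returns total entries shipped."""
    shipped = 0
    n = len(dcs)
    for i, dc in enumerate(dcs):
        shipped += dc.pull_from(dcs[(i + 1) % n], link_open)
        shipped += dc.pull_from(dcs[(i - 1) % n], link_open)
    return shipped


def demo() -> Tuple[bool, int, int, int]:
    """Writes on two different DCs, then replication rounds over a 3-DC ring.

    Returns (all replicas identical, entries shipped while the link is closed,
    entries shipped in the first open round, entries shipped in a second round).
    """
    # constructed DCs and objects
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.write("cn=alice,dc=example,dc=test", "telephoneNumber", "1001")
    b.write("cn=bob,dc=example,dc=test", "mail", "bob@example.test")
    b.write("cn=bob,dc=example,dc=test", "telephoneNumber", "1002")
    ring = [a, b, c]
    blocked = replicate_ring(ring, link_open=False)   # schedule closed: 0
    first = replicate_ring(ring)                      # 3 changes x 2 other DCs = 6
    second = replicate_ring(ring)                     # nothing new: 0
    converged = a.objects == b.objects == c.objects
    return converged, blocked, first, second
```

The second round shipping nothing is the point of the watermark: once a partner has seen a change, it is never sent again, so steady-state replication traffic is proportional to the number of changes, not to the size of the directory.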

The main purposes of the GC are as follows:

✦ It provides the point of contact and interface for authentication of users into Active Directory domains, which means it holds a full replica of all user accounts in its custodian domain.

✦ It provides fast intra- and inter-domain searches of the Active Directory without actually iterating the trees, or performing what is known in directory service language as “deep searches.”

For all intents and purposes, the GC is a subset of the domain that for search purposes holds only the attributes or property information necessary to find an object belonging in a domain other than the one it directly serves. That may sound confusing, because philosophically the GC sits above the domain hierarchy. In fact, the GC is not a hierarchy at all and is not part of the Active Directory domain namespace.

When you search the Active Directory, you either know what you are looking for or you have a vague idea. And by you, we also mean any application that needs to look up an object for some reason. As we discussed in Chapter 2, a user object is a leaf or end node on the Active Directory domain tree that is read from right to left (or bottom to top). The user object jeffreyshapiro.genesis.mcity.org tells you that if you start at the top of the namespace and from org you work your way down three domain levels, you will find jeffreyshapiro. You will, of course, also find other objects at the end of this namespace, but at least you have limited your search to a contiguous namespace.

But what if you do not have any information about the root domains? What if you or the application has no entry point (an LDAP shallow search needs at least a root from which to start a search) from which to begin? You would have to commit to a deep search of the forest to find the object. By deep search, we mean that you or your application has to traverse every tree in the forest to find the object you are looking for, and this is done through a system of referrals.


A directory service with the potential of MCITY and all its departments would be very long and tiresome to search. That’s where the GC comes in. We know this seems like a deep explanation, but many have found it confusing at first why there is a catalog when you can, theoretically, search the domain trees. The illustration in Figure 8-4 demonstrates how easy it is to search the GC from an application like Outlook.

Figure 8-4: Searching for a user in Active Directory from Outlook

The GC contains a partial replica of every domain in the forest and a copy of the schema and configuration-naming contexts used in each forest. In other words, the GC holds a copy of every object in the forest. However, it only holds the key attributes of each object that will be useful for searching. You can thus easily find an object or a collection of objects just by specifying an attribute of an object. In Figure 8-4, we provided a letter and the search returned several objects. In this manner, a user or application can locate an object without having to know in which domain the object resides.

The GC is built in such a way that it is optimized for queries. The query mechanism is built on the LDAP system but uses basic queries that do not return referrals. LDAP referrals pass the search flow from tree to tree, but the GC is not hierarchical. It is a flat database. The following attributes are important considerations:

✦ A GC is located using DNS.

✦ A GC is created in a domain tree; it is housed on a domain controller.

✦ You should install at least one GC per DC site.

✦ The members of universal groups are stored in the GC; however, local and global groups are stored in the GC, but their members are not. Universal groups are only available to native-mode domains. Mixed-mode domains do not need a GC for authentication.

By the way, the GC also holds the access control information of the objects so that security is not compromised in any way.
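The partial replica described above and the access-control point just made, as an added Python model (not the book’s code and not Microsoft’s implementation): the GC is built from three constructed domains, holds only an assumed partial attribute set plus each object’s read permission, answers prefix searches without referrals, and is contrasted with a deep search that walks every domain. The domain names follow the chapter’s MCITY example; the objects, the `water.mcity.org` domain, the `employeeNotes` attribute and the `_readers` field standing in for an object’s DACL are made up for the example.

```python
from typing import Dict, List, Set

# Partial attribute set replicated to the GC (an assumed subset for this example).
PAS = {"cn", "sAMAccountName", "mail", "objectClass"}

# Full per-domain directories (constructed). "_readers" stands in for the DACL:
# the set of principals allowed to read the object.
FOREST: Dict[str, List[Dict]] = {
    "mcity.org": [
        {"cn": "Jane Shaw", "sAMAccountName": "jshaw", "mail": "jshaw@mcity.org",
         "objectClass": "user", "employeeNotes": "badge 1207", "_readers": {"everyone"}},
        {"cn": "svc-backup", "sAMAccountName": "svc-backup", "mail": "",
         "objectClass": "user", "employeeNotes": "service account", "_readers": {"admins"}},
    ],
    "genesis.mcity.org": [
        {"cn": "Jeffrey Shapiro", "sAMAccountName": "jeffreyshapiro",
         "mail": "jeffreyshapiro@genesis.mcity.org", "objectClass": "user",
         "employeeNotes": "badge 4411", "_readers": {"everyone"}},
    ],
    "water.mcity.org": [
        {"cn": "Printer Queue 3", "sAMAccountName": "pq3$", "mail": "",
         "objectClass": "printQueue", "employeeNotes": "", "_readers": {"everyone"}},
    ],
}


def build_global_catalog(forest: Dict[str, List[Dict]]) -> List[Dict]:
    """Partial replica: every object of every domain, PAS attributes + ACL only."""
    gc = []
    for domain, objects in forest.items():
        for obj in objects:
            entry = {k: v for k, v in obj.items() if k in PAS}
            entry["_domain"] = domain            # where the full object lives
            entry["_readers"] = set(obj["_readers"])
            gc.append(entry)
    return gc


def _can_read(entry: Dict, groups: Set[str]) -> bool:
    """Read check against the replicated ACL, so the GC never leaks objects."""
    return bool(entry["_readers"] & groups)


def gc_search(gc: List[Dict], attr: str, prefix: str, groups: Set[str]) -> List[str]:
    """Flat, referral-free search returning 'sAMAccountName@domain' for matches.

    As in the Outlook lookup of Figure 8-4, a prefix of the attribute is enough.
    An attribute outside the PAS yields no hits here; that is the caller's cue
    to search the owning domain directly.
    """
    if attr not in PAS:
        return []
    return sorted(f"{e['sAMAccountName']}@{e['_domain']}"
                  for e in gc
                  if e.get(attr, "").lower().startswith(prefix.lower())
                  and _can_read(e, groups))


def deep_search(forest: Dict[str, List[Dict]], attr: str, prefix: str,
                groups: Set[str]) -> List[str]:
    """What the text calls a deep search: walk every domain's full replica.

    Works for any attribute, but touches every tree (in real LDAP this is a
    chain of referrals rather than one flat query).
    """
    hits = []
    for domain, objects in forest.items():
        for obj in objects:
            if obj.get(attr, "").lower().startswith(prefix.lower()) and _can_read(obj, groups):
                hits.append(f"{obj['sAMAccountName']}@{domain}")
    return sorted(hits)
```

Two things the model makes visible: a search on an attribute that was never replicated to the GC (here `employeeNotes`) silently returns nothing rather than failing, and the replicated ACL is what keeps a forest-wide search from revealing objects such as `svc-backup` to callers who could not read them in the home domain.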

The GC network carries an overhead separate from the DC network. Remember that they are not integrated; they are separate resources. The GC, in fact, has no understanding of how a domain works, nor does it care. Here are some specifics to keep in mind:

✦ The GC generates replication and query traffic within a site and between sites. So, keep in mind that your network is now going to be hit with both DC and GC traffic. Also, a GC is required for logging onto a native-mode domain. If there is no GC on the local segment, a GC on a remote segment will be used for authentication.

✦ Users may need to be shown how to query the GC, which is an administrative overhead. Or, you will have to make sure your objects are populated with relevant information. For example, if you only store the e-mail address of a person in his or her respective object, and someone looking up this person’s e-mail address submits only what he or she knows, such as a last name or first name, there is a chance, albeit remote, that the search will return NULL.

✦ You need at least one GC in a domain, but if that domain is spread far and wide, which is possible, you can add the GC to other domain controllers (we discuss doing exactly that in Chapter 9). Get used to the idea of managing or working with more than one GC, because down the road many applications will begin taking advantage of a permanent catalog service on the network, and we are not talking only BackOffice stuff like Exchange and SQL Server.

GCs are built by the Active Directory replication service, and we will talk about that shortly.


The DC and GC Locator Services

You may have been wondering, with all this superficial discussion of DCs and GCs, how a user locates the correct domain controller to log on to and how the user locates a GC to search. After all, you would imagine that you at least need an IP address or some means of locating the domain, because NetBEUI or other NetBIOS services are no longer a requirement on a Windows 2000 network. The answer is simple, but the architecture is a little arcane and thus may appear difficult to understand. On a very small network, you might be forgiven if you opt out, for now, of trying to understand the locator services; but on a reasonably sized network that extends beyond more than a handful of offices and network segments, understanding this is very important.

Network clients deploy a special set of algorithms called a locator service that performs the function of locating DCs and GCs. The latest version of the Windows locator service services both Windows 2000 clients and legacy Windows clients. Thus, both clients are able to use DNS and NetBIOS APIs to locate the DC and GC servers. How do they do this?

If the client can resolve DCs in DNS, which is what all Windows 2000 clients are empowered to do, the client’s locator service will search for the DC that is positioned closest to it. In other words, if the client is located on network segment 100.50.xxx.xxx, it will check a DNS server provided to it for a DC on the same network segment, regardless of whether the DC it gets is its “home” domain.

If the domain the client is searching for is an NT 4.0 domain, the client will log on to the first DC it finds, which will either be a PDC or any of the BDCs. The upshot of all this locating is that the client first logs onto a site-specific DC and not a domain-specific DC. The next steps that the client takes are worth paying attention to.

If the DC closest to the client (on the same subnet) is the home DC of the client, then well and good, and no further referral or buck-passing is required. But what if the client is located in another network segment, far away from the home DC? A good example is a busy executive who spends every week in a different location, and therefore attaches to a different network each time. The notebook computer the executive is carrying around will receive an IP address of a new network segment that could be many “hops” away from the last segment containing the executive’s original domain.

In this case, the client contacts the nearest DC (A). The DC will look up the client’s home site and then compare the client’s current IP address with the IP address of the closest site containing a domain controller that hosts the client’s domain. With that information, the client is then referred (B) to the DC in that nearest domain and obtains service. This is illustrated in Figure 8-5.

This entire matrix of DCs and GCs, replication, and referral services for logon is accomplished by a sophisticated built-in mechanism in Windows 2000, known as sites.


Figure 8-5: The locator service used by clients to look up their domain controllers

Sites

A site is a representation of a network location or a group of network locations abstracted as an Active Directory object above one or more TCP/IP network segments. It is managed as a logical unit within the Windows 2000 domain controller matrix.

A site is identified or addressed in Active Directory according to the TCP/IP subnet on which it resides, and it is resolved to that segment via DNS. A site is directly related to a domain as far as intra- and inter-site replication is concerned. But a site is also indirectly related to the other elements in the forest, with respect to the other naming contexts such as the global catalog, the schema, and so on. A site is also a logical container that is totally independent of the domain namespace.


Active Directory requires that a site be “well connected.” That term may be relative and somewhat obscure in that a well-connected site, for example, in Swaziland, may be a disaster in the United States. Nevertheless, the definition, according to Microsoft, is that the site should also be accessible via a reliable connection, which would thus preclude the term site being used to refer to a machine hanging off the end of a 28.8Kbps modem. You will find that in the real world, you might have to deal with sites of 56 Kbps and 64 Kbps, which is not a lot of bandwidth.

Windows 2000 also requires that the site be fast enough to obtain domain replication in a timely and reliable manner. By defining a site according to a TCP/IP subnet, you can quickly structure an Active Directory network and map it to the physical structure of the underlying network.

Most important, however, is that a site is used for determining replication requirements between networks that contain domain controllers, and for that matter all other replication services, such as WINS, DNS, Exchange, NDS, and more. All computers and networks that are connected and addressed to the same IP subnet are, in fact, part of this site.

A site is used to control several things:

✦ Authentication: A site is used to assist clients in locating the DC and GC that are situated closest to them. As discussed earlier, the DC maintains a list of sites and determines which one is closest to the client based on the IP address information it has on hand.

✦ Replication: When changes occur in directories, the site configuration decides when the change will be made to other DCs and GCs.

✦ Collateral Active Directory Services and Applications: Services such as Dfs can be made site-aware and can be configured according to the site information they obtain from the Active Directory. Applications may also in the future look up specific site information.

A site is also a conveyor of group policy, as discussed in Chapter 11.
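An added Python model of the subnet-to-site mapping and of the locator referral shown in Figure 8-5 (my example, not the book’s): the client address is matched against subnet objects by longest prefix, an in-site DC is found through the site-specific SRV names DCs register in DNS (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`, with `_ldap._tcp.dc._msdcs.<domain>` as the site-less fallback), and a DC that does not host the client’s domain refers it to the home-domain DC in the cheapest-reachable site. Subnets, sites, DC names and site-link costs are constructed; using summed site-link costs as the measure of “closest” is this example’s assumption.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Subnet objects -> site objects (constructed for this example).
SUBNETS = {
    "10.10.0.0/16": "Miami",
    "10.10.200.0/24": "Miami-Lab",   # more specific subnet carved out of Miami's range
    "10.20.0.0/16": "Portland",
    "10.30.0.0/16": "Denver",
}

# Domain controllers as (hostname, domain hosted, site) (constructed).
DCS = [
    ("dc1.mcity.org", "mcity.org", "Miami"),
    ("dc2.mcity.org", "mcity.org", "Portland"),
    ("dc1.genesis.mcity.org", "genesis.mcity.org", "Miami"),
    ("dc2.genesis.mcity.org", "genesis.mcity.org", "Denver"),
]

# Site-link costs between directly linked sites (symmetric; constructed).
SITE_LINKS = {("Miami", "Portland"): 100, ("Miami", "Denver"): 300, ("Miami", "Miami-Lab"): 10}


def site_for_ip(ip: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def srv_records(dcs=DCS) -> Dict[str, List[str]]:
    """SRV names each DC registers so clients can find it, with and without a site."""
    zone: Dict[str, List[str]] = {}
    for host, domain, site in dcs:
        zone.setdefault(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}", []).append(host)
        zone.setdefault(f"_ldap._tcp.dc._msdcs.{domain}", []).append(host)
    return zone


def site_cost(src: str, dst: str) -> Optional[int]:
    """Cheapest path over site links (site-link bridging is assumed here)."""
    graph: Dict[str, Dict[str, int]] = {}
    for (a, b), cost in SITE_LINKS.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    dist = {src: 0}
    frontier = [src]
    while frontier:                       # small Dijkstra, enough for a handful of sites
        cur = min(frontier, key=dist.__getitem__)
        frontier.remove(cur)
        if cur == dst:
            return dist[cur]
        for nxt, cost in graph.get(cur, {}).items():
            if dist[cur] + cost < dist.get(nxt, float("inf")):
                dist[nxt] = dist[cur] + cost
                if nxt not in frontier:
                    frontier.append(nxt)
    return None


def locate_dc(client_ip: str, home_domain: str) -> Tuple[str, str, str]:
    """Return (client site, DC contacted first, DC the client ends up using).

    Step A: ask DNS for any DC registered in the client's own site; prefer one
    hosting the home domain, otherwise take whatever is nearest, and if the site
    has no DC at all fall back to the site-less record for the home domain.
    Step B: a DC that does not host the home domain refers the client to the
    home-domain DC in the cheapest-reachable site.
    """
    zone = srv_records()
    host_domain = {host: domain for host, domain, _ in DCS}
    site = site_for_ip(client_ip) or "unknown"
    in_site = [h for name, hosts in zone.items()
               if name.startswith(f"_ldap._tcp.{site}._sites.") for h in hosts]
    home_here = [h for h in in_site if host_domain[h] == home_domain]
    first = (home_here or in_site or zone[f"_ldap._tcp.dc._msdcs.{home_domain}"])[0]
    if host_domain[first] == home_domain:
        return site, first, first                 # home DC is right here; no referral
    ranked = []
    for host, domain, dc_site in DCS:
        cost = site_cost(site, dc_site)
        if domain == home_domain and cost is not None:
            ranked.append((cost, host))
    if not ranked:
        raise LookupError(f"no reachable DC for {home_domain}")
    return site, first, min(ranked)[1]
```

The travelling-executive case from the text is `locate_dc("10.20.5.5", "genesis.mcity.org")`: the Portland client first reaches `dc2.mcity.org`, which hosts a different domain, and is referred to the genesis DC in Miami (cost 100) rather than the one in Denver (cost 400). A subnet that maps to no site object ends up as "unknown" and can only use the site-less record, which is why missing subnet objects show up operationally as clients authenticating against far-away DCs.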

Replication within Sites

Windows 2000 supports a process known as the Knowledge Consistency Checker (KCC). This technology has been adapted from Exchange Server, which uses it to replicate between Exchange servers. In this case, KCC is used for the replication services between domain controllers within a site.


The KCC essentially sets up replication paths between the DCs in a site in such a way that at least two replication paths exist from one DC to another and a DC is never more than three hops away from the origination of the replication. This topology ensures that even if one DC is down, the replication will continue to flow to the other DCs.

The KCC also sets up additional paths to DCs, but in such a way that there are no more than three connections to any DC. The additional connections only swing into action when the number of DCs in a site reaches seven, thus ensuring that the replication three-hop rule is enforced. This is illustrated in Figure 8-6. The site on the left contains six domain controllers, and each DC supports two replication or KCC connections. The site on the right contains more than six DCs, and so the KCC makes additional direct connections to the DCs to ensure the three-hop rule.
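The three-hop rule as an added Python model (not Microsoft’s KCC and not the book’s code): DCs are placed in a bidirectional ring, so every DC has two replication paths, and extra connections are then added between the most distant eligible pair until no DC is more than three hops from any other, with no DC allowed more than three connections. One simplification to note: in this model a seven-DC ring already has a three-hop diameter, so the first extra connection appears at eight DCs; the DC names are constructed.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Topology = Dict[str, Set[str]]   # DC name -> DCs it has a connection with


def ring(dcs: List[str]) -> Topology:
    """Bidirectional ring: each DC replicates with its two neighbours."""
    topo: Topology = {dc: set() for dc in dcs}
    n = len(dcs)
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % n]
        if nxt != dc:
            topo[dc].add(nxt)
            topo[nxt].add(dc)
    return topo


def hops(topo: Topology, start: str) -> Dict[str, float]:
    """Breadth-first hop count from one DC to every DC (inf if unreachable)."""
    dist: Dict[str, float] = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nb in topo[cur]:
            if nb not in dist:
                dist[nb] = dist[cur] + 1
                queue.append(nb)
    return {dc: dist.get(dc, float("inf")) for dc in topo}


def max_hops(topo: Topology) -> float:
    """Longest shortest path between any two DCs (the topology's diameter)."""
    return max(d for dc in topo for d in hops(topo, dc).values())


def connection_count(topo: Topology) -> int:
    """Number of distinct connections (each stored on both ends)."""
    return sum(len(peers) for peers in topo.values()) // 2


def build_topology(dcs: List[str], max_conn: int = 3, max_hop: int = 3) -> Topology:
    """Ring plus greedy extra connections until the hop rule holds.

    Each round links the most distant pair of DCs that both still have a free
    connection slot, so no DC exceeds max_conn connections. Stops when every DC
    is within max_hop of every other, or when no eligible pair is itself more
    than max_hop apart (nothing left that the greedy step could shorten).
    """
    topo = ring(dcs)
    names = list(topo)
    while max_hops(topo) > max_hop:
        best: Optional[Tuple[float, str, str]] = None
        for i, a in enumerate(names):
            if len(topo[a]) >= max_conn:
                continue
            da = hops(topo, a)
            for b in names[i + 1:]:
                if len(topo[b]) >= max_conn or b in topo[a]:
                    continue
                if best is None or da[b] > best[0]:
                    best = (da[b], a, b)
        if best is None or best[0] <= max_hop:
            break
        _, a, b = best
        topo[a].add(b)
        topo[b].add(a)
    return topo
```

Running `build_topology` for six DCs yields the plain six-connection ring of Figure 8-6’s left-hand site; at eight DCs two chords are added (ten connections in all) and at ten DCs three, and in every case each DC keeps between two and three connections. The same `max_hops` check is what you would run against a real site’s connection objects to confirm that a manually created topology has not quietly broken the redundancy the KCC would have provided.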

Figure 8-6: KCC connections enforcing the three-hop rule

Active Directory also allows you to define connection objects. These are essentially manually configured points of replication between domain controllers. The KCC sets up connection objects automatically; however, these objects have been made available for administrator access so that you can create a specialized replication topology of your own if you need to. For the most part, you can leave the KCC to its own devices and have it set up the connection and replication environment for you.

Site Links

Site links connect two or more sites together. Site links are similar to Exchange connectors and are configured similarly. The links are unidirectional and, like Exchange and WINS, are used to set up the replication network topology.

Posted: 10/12/2013, 16:15
