Active Directory Physical Structure

This chapter reviews the physical structures of Active
Directory. This chapter also introduces you to the
relationships between domain controllers, the various
roles of domain controllers, global catalogs, and sites.
Past, Present, and Future
Past operating systems had no awareness of the underlying
physical network structure on which they were deployed. For
small companies, even reasonably sized ones, the network
layout, interconnection points and subnets, remote offices, and
so on were either laid out long before Windows NT became
pervasive or were installed independently of the network
operating systems that depended on it.
Networks are typically built with the servers on 100Mbps media, the backbone,
with 100Mbps media between floors, and the network then extended down to the
users on 10Mbps media. Windows NT does not care whether the network runs at
10Mbps or 10,000Mbps; it has no built-in means of adapting to the available
resources.
But this is no longer sufficient, because Windows 2000’s
physical structure and its multi-master replication technology,
global catalog services, public key infrastructure, directory
synchronization, Kerberos authentication, and more do need
to be sensibly and carefully built according to the physical
network resources. Fortunately, the OS also allows you to build
a logical network and map it to a present or future physical
network. With Active Directory services, you can tailor your
Windows 2000 deployment to the available network and merge
the two structures into a unified cooperative. The reason for
this is Active Directory and its host domain controller server.
Chapter 8

In This Chapter
✦ The Concept of Sites
✦ Active Directory Replication
✦ Active Directory Topology

4667-8 ch08.f.qc 5/15/00 2:00 PM Page 265
Part III ✦ Active Directory Services
Windows NT and Windows 2000 network requirements are very different. Windows
NT depends on a single primary domain controller, the PDC, which holds the master
database of the domain configuration, accounts, security, and so on. This PDC is a
single master domain controller, meaning that only the database on the PDC machine
can be written to. If this machine begins to shake or freak out, the network is frozen, in
terms of its ability to make changes to the domain. Clearly, this is not a pleasant idea.
Backup domain controllers, or BDCs, back up the PDC. The BDCs can service the
domain, in terms of logon authentication, security, and the like. But a BDC’s copy
of the accounts database is read-only. In order to change it, you must promote the
BDC to the role of PDC. Thus, the PDC and BDC exist in a single-master or master-slave arrangement.
No matter where you are on a Windows NT network, changes you make to the domain
are saved to the PDC, and the PDC then replicates this information out to the BDCs
wherever they are. The PDC does this automatically, or you can force the BDC and the
PDC to synchronize their databases. Other than this forced synchronization, there is
little else you can do to manage or customize this synchronization.
In Windows NT, there is typically one BDC for every remote location and one or two on
the local segment, and all reside on the same network. In other words, if the PDC is in
Miami and the BDC is in Portland, Windows NT does not know that. The PDC functions
independently of the BDC on the other side of the country. Naturally, if the BDC in
Portland went down, the Portland users would have a hard time getting authenticated
or using network resources, and if their segment lost connectivity to the office in
Miami, they would be in trouble. This Windows NT single-master physical domain
structure is illustrated in Figure 8-1.
Windows 2000 is very different. The concept of the domain controller remains, but
there is no longer a primary/backup distinction: every domain controller holds a
writable copy of the directory, and the DCs operate as peers in a multi-master
arrangement. There is no PDC. (The one vestige of it is the PDC emulator
operations master role, which a single DC per domain holds for the benefit of
Windows NT BDCs and down-level clients; it does not restrict where you can write.)
Active Directory makes sure that any change or addition made on one domain
controller is distributed to the other domain controllers of that domain. This is
known as multi-master replication technology (and you could call it a philosophy
as well). The multi-master arrangement is illustrated in Figure 8-2.
To deploy an ongoing administrative approach in Windows 2000, you must first
design the logical structures based on the enterprise’s present and future needs, as
discussed in Chapter 7. Then map that model to the physical network and ensure
that you have the necessary structures to support it, in terms of bandwidth, subnet
design, network routes, and so on. It is also possible, as you will see, to cater to
areas of your network that do not ideally fit into any logical structures you have.
Windows 2000 and Active Directory allow you to map your logical network model to
the physical network with domain controllers (DC), global catalogs (GC), and sites.
And Windows 2000 ties everything together between the DCs, the GCs, and the sites
with site links, site link bridges, and connection objects to comprise a highly
sophisticated directory, directory replication, and directory synchronization
service. Before we get down to the railroad work, we should talk about DCs, GCs,
and sites in less abstract terms than we have in the previous chapters.
Chapter 8 ✦ Active Directory Physical Structure
Figure 8-1: The network single-master domain structure
of the Windows NT domain
Figure 8-2: The network multi-master domain structure of the Windows
2000 domain
Domain Controllers and Global Catalogs
The three components of Windows 2000 and Active Directory networks are domain
controllers (the directory hosts), global catalogs, and sites. They are all interrelated,
so a discussion of each individually and then collectively is warranted. Let’s kick off
with the DCs you have been reading so much about.
Domain Controllers
A domain controller (DC) houses the Active Directory (AD); it is the Active Directory’s
host. And as you have learned in the previous chapters, Active Directory is the brain
or control center of the central nervous system that authenticates users and manages
security and access control, communications, printing, information access, and so on.
Active Directory is also a lot more than just domain information. It is also a storehouse
of enterprise information, a place where you can place “signposts” that point or
redirect users to information and objects of functionality anywhere on the local or
wide area network. It is also a place where you can go to find people, places, and
things. In the future, Active Directory will become the local “hangout” for all
applications.
In addition, Active Directory also stores information about the physical structure of
your network. To use the brain analogy again, Active Directory knows how your
network is structured and what is required to keep it in good health and service it
correctly.
But the one thing we cannot do with our brains is replicate the information in them.
If we could, life would be very different. Also, imagine blowing out your brains and
then just replacing them with a “hot” standby, a la Plug and Play. Fortunately for us,
our brains, left alone, look after themselves pretty well for a period of 70 to 100
years. Active Directory brains are not as fortunate; they can be carried off, fused,
trashed, and corrupted.
Imagine that the only DC running a Windows 2000 domain gets fried. Knowing what
you do now, the network will be frozen until the DC can be restored. This is not a
fortunate position to be in. For starters, your backups (usually taken the night before)
are only able to restore you to the state you were in 8 to 12 hours ago. Second, what
will now authenticate the restore service writing to the new machine? While we
explain how to restore a single Active Directory in Chapter 17, losing the domain
controller is not a pleasant event, akin to a human going into a coma and not returning
for a few weeks or years, if ever.
So, having another “equal partner” domain controller is essential, even for a small
office. It need not cost an arm and a leg, as we discuss in Chapter 9, but you should
have one all the same.
The number one rule about Active Directory availability on a Windows 2000 network
is to place the DC as close as possible to users. In larger companies, it makes sense
to place domain controllers on remote sites, segments, separated offices, or large
offices, because the nearer your clients are to the DCs, the quicker they will be able
to authenticate and gain access to resources, printers, and communications. Having
more than one DC also spreads the load around, a practice called load balancing. An
office of more than a thousand people all hitting one lonely DC does not make sense.
All the DCs in an enterprise coexist as a “cluster” of sorts, each one backing up the
others. Every DC of a domain is responsible for maintaining an identical copy of
that domain’s partition of the directory, and every DC in the forest also carries
the forest-wide schema and configuration partitions, which is how each directory
knows about the other domains and elements in the forest. The DCs keep each other
abreast of changes and additions through an extensive, complex, and complicated
replication topology. It is certainly far too complicated to grasp at its DNA level.
And it is both with tongue in cheek and a design style we will soon discuss that we
refer to a Windows 2000 network as a matrix.
The matrix, however, becomes a growing consumer of network bandwidth the
larger and more complex the enterprise becomes, or the more it begins to depend
on directory services. So, one of the first tasks you or your administrators will have
in the management of the domains and directories is the replication provisioning
that must take place. The global catalog service (GC) also uses bandwidth and
Active Directory and DC resources, as we will soon discuss.
As discussed earlier, this intra-cooperation between all DCs on the matrix is what we
call a multi-master arrangement. And if replication packets are routed over limited
bandwidth, you will find that the WAN link, and the router or gateway in front of it,
is a lot more prone to bottlenecks than under the Windows NT single-master model,
where only the PDC ever sent updates out.
Let’s look at some core facts about DCs that cannot be ignored; we’ll be
summarizing as we go:
✦ Each domain must have at least one DC (that is, at least one copy of its
partition of the Active Directory). Like the brain, if the last DC goes into a
coma, the domain comes to a dead stop.
✦ DCs provide users with the means to function in a workplace, to communicate,
and to keep the enterprise alive. Take that away and you have a lot of unhappy
people.
✦ You need more than one DC in a domain (or a very good backup/restore plan,
or even RAID in a small office). RAID protects the disks, not the directory; only
a second DC keeps the domain writable while the first is down.
✦ The directory held on a DC is divided into three naming contexts (partitions),
and it is these that get replicated: the schema and the configuration, which every
DC in the forest holds and replicates forest-wide, and the domain naming context,
which holds the actual objects of the domain (users, groups, computers, OUs) and
replicates only among the DCs of that domain.
By now, you have probably realized that your domain controller can only service
one domain. How much more sensible and easier would it be if a good machine
with tons of resources could be used to host multiple domains? We hope to see
this emerge in future generations of Active Directory.
While the Active Directory replicates everything to the other domain controllers, it
has some built-in features that facilitate replication. Before we discuss them, look at
the illustration in Figure 8-3. Imagine if you poured water in either side of the tube.
Your knowledge of science tells you that gravity and other forces in the cosmos act
to balance the two sides. It does not matter which side you pour the water into,
nature still acts to create equilibrium. This is how Active Directory works; it has
automatic built-in mechanisms that ensure that if there is more than one DC on the
matrix, it receives the share of information it needs or deserves.
However, if you limit the width of the U-piece, or the tunnel, it will take longer to create
the balance. And, naturally, if you block the U-piece, the balance will not occur.
Figure 8-3: Active Directory replication
is automatic and for the most part
transparent.
Specifically, the Active Directory acts in the following manner to make sure that
the replication occurs and that it occurs as painlessly as possible. First, only
changes get replicated to the other DCs: a newly created object, or the individual
attributes of an existing object that were modified, not the whole object and
certainly not the whole directory. Second, you can specify how replication between
sites is handled. For example, you can schedule how often, and during which hours,
replication over a given link occurs.
By using these features, you can control the bandwidth usage between domain
controllers. And if you have remote sites, sensible use of replication services and
bandwidth might obviate the need for a separate domain, especially if you are
catering to a small office and you do not have a lot of network traffic hitting that
U-piece on your network.
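The two replication features just described, change-only transfer and a partner that tracks how far it has caught up, are easier to see in a small model than in prose. The following Python is an added illustration written for this chapter, not Windows code: it gives each DC an update sequence number (USN), which is the stamp Active Directory really uses, and a per-partner high-watermark, so that a replication cycle pulls only what is above that mark. The DC names, the object and its attribute values are constructed, and the conflict rule (higher version wins, partner name as tiebreaker) is a simplified stand-in for the real one (version, then timestamp, then originating DSA GUID).

```python
"""Multi-master replication between two domain controllers, reduced to its
core. Each DC stamps every local write with its own update sequence number
(USN) and remembers, per replication partner, the highest partner USN it has
already seen (the high-watermark). A replication cycle asks the partner only
for changes above that mark, so only changed attributes cross the wire.

Added illustration for this chapter, not Windows code. Object names,
attribute values and DC names are constructed, and the conflict rule is a
simplified stand-in for AD's (version, then timestamp, then originating DSA GUID).
"""
from dataclasses import dataclass, field


@dataclass
class Change:
    usn: int        # USN on the DC whose log this entry sits in
    dn: str
    attr: str
    value: str
    origin: str     # DC where the write originated
    version: int    # per-attribute version stamp; higher wins on conflict


@dataclass
class DomainController:
    name: str
    usn: int = 0
    objects: dict = field(default_factory=dict)         # dn -> {attr: (value, version, origin)}
    log: list = field(default_factory=list)             # Change records in local USN order
    high_watermark: dict = field(default_factory=dict)  # partner -> last partner USN pulled

    def write(self, dn, attr, value):
        """Originating write: bump the local USN and log just the one attribute."""
        cur = self.objects.setdefault(dn, {})
        version = cur[attr][1] + 1 if attr in cur else 1
        cur[attr] = (value, version, self.name)
        self.usn += 1
        self.log.append(Change(self.usn, dn, attr, value, self.name, version))

    def changes_since(self, usn):
        return [c for c in self.log if c.usn > usn]

    def apply(self, change):
        """Replicated write: keep whichever stamp is higher. An echo of our own
        change comes back with an equal stamp and is dropped."""
        cur = self.objects.setdefault(change.dn, {})
        if change.attr in cur:
            _, ver, origin = cur[change.attr]
            if (ver, origin) >= (change.version, change.origin):
                return False
        cur[change.attr] = (change.value, change.version, change.origin)
        self.usn += 1   # inbound changes consume local USNs too, so our partners see them
        self.log.append(Change(self.usn, change.dn, change.attr, change.value,
                               change.origin, change.version))
        return True

    def replicate_from(self, partner):
        """One inbound cycle. Returns (changes pulled, changes actually applied)."""
        last = self.high_watermark.get(partner.name, 0)
        pulled = partner.changes_since(last)
        applied = sum(1 for c in pulled if self.apply(c))
        if pulled:
            self.high_watermark[partner.name] = pulled[-1].usn
        return len(pulled), applied


def converged(a, b):
    return a.objects == b.objects


def demo():
    """Walk through the cases the chapter describes; returns the per-step counts."""
    dn = "cn=jeffreyshapiro,dc=genesis,dc=mcity,dc=org"
    miami = DomainController("MIAMI-DC1")
    portland = DomainController("PORTLAND-DC1")
    results = {}
    for attr, val in (("sn", "Shapiro"), ("givenName", "Jeffrey"), ("mail", "jeffrey@mcity.org")):
        miami.write(dn, attr, val)
    results["initial"] = portland.replicate_from(miami)       # all three attributes travel
    results["echo"] = miami.replicate_from(portland)          # Portland's copies come back, all dropped
    portland.write(dn, "telephoneNumber", "+1 503 555 0100")
    results["incremental"] = miami.replicate_from(portland)   # one attribute travels, not the object
    miami.write(dn, "mail", "jshapiro@mcity.org")             # concurrent edits of one attribute
    portland.write(dn, "mail", "jeffrey.shapiro@mcity.org")
    results["conflict_a"] = portland.replicate_from(miami)    # Portland's stamp wins, nothing applied
    results["conflict_b"] = miami.replicate_from(portland)    # Miami adopts Portland's value
    results["converged"] = converged(miami, portland)
    results["mail"] = miami.objects[dn]["mail"][0]
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:12} {outcome}")
```

The point to take from the run is the "incremental" step: after the initial sync, changing one telephone number moves exactly one change, which is why a slow link can usually carry a branch office's replication once the first full pass is done. The "conflict" steps show why multi-master is safe to use without a PDC: both sides end up with the same value without anyone having to be the master.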
Global Catalogs
The global catalog (GC) is not something that Shop-Till-You-Drop, Inc. sends you
every month. But if that’s what you thought, we will not hold it against you, especially
if you thought for a minute we were talking about mail order, because the GC is a
totally new concept on Windows networks.
The main purposes of the GC are as follows:
✦ It takes part in authentication. When a user logs on to a native-mode domain,
the authenticating DC asks a GC for the user’s universal group memberships,
because those memberships are stored in the GC and nowhere else; without that
answer the DC cannot build a complete access token. (The GC itself is hosted on
a DC, which holds the full replica of its own domain; for every other domain in
the forest the GC holds only a partial replica.)
✦ It provides fast intra- and inter-domain searches of the Active Directory without
actually iterating the trees, or performing what is known in directory service
language as “deep searches.”
For all intents and purposes, the GC is a subset of every domain in the forest: for
objects outside the domain its host DC serves, it holds only the attributes needed
to find them. That may sound confusing, because philosophically the GC sits above
the domain hierarchy. In fact, the GC is not a hierarchy of its own and adds nothing
to the Active Directory domain namespace; it is an index across that namespace, and
the objects in it carry the same distinguished names they have in their home domains.
When you search the Active Directory, you either know what you are looking for or
you have a vague idea. And by you, we also mean any application that needs to look
up an object for some reason. As we discussed in Chapter 2, a user object is a leaf
or end node on the Active Directory domain tree that is read from right to left (or
bottom to top). The user object jeffreyshapiro.genesis.mcity.org tells you that if
you start at the top of the namespace and from org you work your way down three
domain levels, you will find jeffreyshapiro. You will, of course, also find other
objects at the end of this namespace, but at least you have limited your search to a
contiguous namespace.
But what if you do not have any information about the root domains? What if you or
the application has no entry point (an LDAP shallow search needs at least a base from
which to start a search) from which to begin? You would have to commit to a deep
search of the forest to find the object. By deep search, we mean that you or your
application has to traverse every tree in the forest to find the object you are looking
for, and this is done through a system of referrals: each domain partition that does
not hold the object hands back a referral to the next naming context to try.
A directory service with the potential of MCITY and all its departments would be very
long and tiresome to search. That’s where the GC comes in. We know this seems like a
deep explanation, but many have found it confusing at first why there is a catalog
when you can, theoretically, search the domain trees. The illustration in Figure 8-4
demonstrates how easy it is to search the GC from an application like Outlook.
Figure 8-4: Searching for a user in Active Directory from Outlook
The GC contains a partial replica of every domain partition in the forest, alongside
the schema and configuration naming contexts that every DC in the forest carries
anyway. In other words, the GC holds a copy of every object in the forest, but for
each object it holds only the key attributes that are useful for searching (the
partial attribute set, which is marked in the schema and which you can extend, at
the cost of more GC replication). You can thus easily find an object or a collection
of objects just by specifying an attribute of an object. In Figure 8-4, we provided a
letter and the search returned several objects. In this manner, a user or application
can locate an object without having to know in which domain the object resides.
The GC is built in such a way that it is optimized for queries. The query mechanism
is built on LDAP, but a GC query is answered entirely from the GC’s own replica and
never returns referrals. Ordinary LDAP referrals pass the search flow from tree to
tree; a GC search never leaves the server that answers it, which is why the GC
behaves, for search purposes, like one flat database. The following attributes are
important considerations:
✦ A GC is located using DNS; its service records are registered under the forest
root domain, not under each domain.
✦ A GC is hosted on a domain controller as an additional role, not as a separate
kind of server. It listens on its own LDAP port, 3268 (3269 for SSL), next to the
DC’s normal port 389: a query sent to 3268 covers the whole forest, while one sent
to 389 covers only that DC’s domain and may come back with referrals.
✦ You should install at least one GC per site.
✦ The members of universal groups are stored in the GC. Domain local and global
groups are also present in the GC, but their membership is not. Universal groups
are only available in native-mode domains, and mixed-mode domains do not need
a GC for authentication.
By the way, the GC also holds the access control information of the objects so that
security is not compromised in any way.
The GC carries an overhead separate from ordinary domain replication. The GC role
is hosted on a DC, but its partial replicas of the other domains are replicated to
it, and queried on it, independently of the DC’s own domain partition, so provision
for it as an extra resource. Here are some specifics to keep in mind:
✦ The GC generates replication and query traffic within a site and between sites.
So, keep in mind that your network is now going to be hit with both DC and
GC traffic. Also, a GC is required for logging on to a native-mode domain. If
there is no GC on the local segment, a GC on a remote segment will be used
for authentication, and if no GC can be reached at all, ordinary users are refused
logon (members of Domain Admins are the exception).
✦ Users may need to be shown how to query the GC, which is an administrative
overhead. Or, you will have to make sure your objects are populated with
relevant information. For example, if you only store the e-mail address of a
person in his or her respective object, and someone looking up this person’s
e-mail address submits only what he or she knows, such as a last name or first
name, there is a chance, albeit remote, that the search will return NULL.
✦ You need at least one GC in the forest; the first DC you install in a forest
becomes one automatically. If a domain is spread far and wide, which is possible,
you can add the GC role to other domain controllers (we discuss doing exactly that
in Chapter 9). Get used to the idea of managing or working with more than one GC,
because down the road many applications will begin taking advantage of a
permanent catalog service on the network, and we are not talking only BackOffice
stuff like Exchange and SQL Server.
GCs are built by the Active Directory replication service, and we will talk about
that shortly.
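To make the search and authentication points of this section concrete, here is an added Python model written for this chapter (it is not Windows code and not an LDAP client). It builds a three-domain forest, projects it down to a global catalog that carries only a constructed subset of the partial attribute set, and then contrasts a port-389-style search that has to chase referrals through every partition with a GC search that is answered in one place. It also shows which group memberships a GC can answer for at logon. The domain names follow the chapter's MCITY example; the objects, attribute values and the PAS subset are all constructed.

```python
"""How the global catalog answers a forest-wide search without referrals.

A domain partition holds the whole object; the GC holds every object in the
forest but only the attributes in the partial attribute set (PAS). A search
of one partition that misses has to be chased through referrals to the other
partitions; a search of the GC is a single lookup on one server.

Added illustration for this chapter, not Windows code: the forest, the
objects, the PAS subset and every attribute value are constructed.
"""

# A constructed subset of the attributes the schema marks for GC replication.
PARTIAL_ATTRIBUTE_SET = {"objectClass", "cn", "sn", "givenName", "mail", "groupType"}

JEFF = "cn=jeffreyshapiro,dc=genesis,dc=mcity,dc=org"

# Three domain partitions; dict order is the order a referral chase would visit them.
FOREST = {
    "mcity.org": {
        "cn=mayor,dc=mcity,dc=org": {
            "objectClass": "user", "cn": "mayor", "sn": "Mayor",
            "mail": "mayor@mcity.org", "employeeID": "0001"},
    },
    "cityhall.mcity.org": {
        "cn=clerk,dc=cityhall,dc=mcity,dc=org": {
            "objectClass": "user", "cn": "clerk", "sn": "Clerk",
            "mail": "clerk@mcity.org", "employeeID": "0007"},
    },
    "genesis.mcity.org": {
        JEFF: {
            "objectClass": "user", "cn": "jeffreyshapiro", "sn": "Shapiro",
            "givenName": "Jeffrey", "mail": "jeffrey@mcity.org",
            "employeeID": "0042", "unicodePwd": "<hash, never in the GC>"},
        "cn=Finance Universal,dc=genesis,dc=mcity,dc=org": {
            "objectClass": "group", "cn": "Finance Universal",
            "groupType": "universal", "member": [JEFF]},
        "cn=Finance Global,dc=genesis,dc=mcity,dc=org": {
            "objectClass": "group", "cn": "Finance Global",
            "groupType": "global", "member": [JEFF]},
    },
}


def build_global_catalog(forest):
    """Project every partition down to the PAS. Membership is carried for
    universal groups only; global and domain local groups appear without it."""
    gc = {}
    for domain, partition in forest.items():
        for dn, attrs in partition.items():
            entry = {a: v for a, v in attrs.items() if a in PARTIAL_ATTRIBUTE_SET}
            if attrs.get("groupType") == "universal":
                entry["member"] = list(attrs.get("member", []))
            entry["_domain"] = domain   # example bookkeeping, not an AD attribute
            gc[dn] = entry
    return gc


def search_with_referrals(forest, start_domain, attr, value):
    """Port 389 behaviour: search the partition you were pointed at; on a miss
    the DC hands back referrals and the client tries the other partitions.
    Returns (matching DNs, number of servers contacted)."""
    order = [start_domain] + [d for d in forest if d != start_domain]
    for contacted, domain in enumerate(order, start=1):
        hits = [dn for dn, a in forest[domain].items() if a.get(attr) == value]
        if hits:
            return hits, contacted
    return [], len(order)


def search_gc(gc, attr, value):
    """Port 3268 behaviour: one flat pass over the GC replica, no referrals."""
    return [dn for dn, a in gc.items() if a.get(attr) == value], 1


def universal_groups_of(gc, user_dn):
    """What the authenticating DC asks the GC at logon: the universal groups a
    user belongs to. Global group membership is not in the GC, so it does not
    show up here; the user's own domain DC supplies that part of the token."""
    return [dn for dn, a in gc.items()
            if a.get("groupType") == "universal" and user_dn in a.get("member", [])]


if __name__ == "__main__":
    gc = build_global_catalog(FOREST)
    print(search_with_referrals(FOREST, "mcity.org", "sn", "Shapiro"))  # three servers contacted
    print(search_gc(gc, "sn", "Shapiro"))                                 # one server contacted
    print(search_gc(gc, "employeeID", "0042"))   # not in the PAS: the GC cannot answer this
    print(universal_groups_of(gc, JEFF))
```

Two practical consequences fall out of the model. Anything you expect users or applications to search on forest-wide (an employee number, a pager field) has to be in the partial attribute set, or the GC will return nothing for it and the search has to go back to the home domain. And because the GC only carries universal group membership, a DC that cannot reach a GC in a native-mode domain cannot prove a user is not in some universal group, which is exactly why it refuses the logon.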
The DC and GC Locator Services
You may have been wondering, with all this superficial discussion of DCs and GCs,
how a user locates the correct domain controller to log on to and how the user locates
a GC to search. After all, you would imagine that you at least need an IP address or
some means of locating the domain, because NetBEUI or other NetBIOS services are
no longer a requirement on a Windows 2000 network. The answer is simple, but the
architecture is a little arcane and thus may appear difficult to understand. On a very
small network, you might be forgiven if you opt out, for now, of trying to understand
the locator services; but on a reasonably sized network that extends beyond more
than a handful of offices and network segments, understanding this is very important.
Network clients use a component called the DC locator (reached by applications
through the DsGetDcName API) that performs the function of locating DCs and GCs.
The Windows 2000 locator serves both Windows 2000 clients and legacy Windows
clients. Thus, a client can use either DNS (the Windows 2000 way) or the NetBIOS
APIs (the Windows NT way) to locate the DC and GC servers. How do they do this?
If the client can resolve DCs in DNS, which is what all Windows 2000 clients are
empowered to do, the client’s locator asks DNS for the service (SRV) records that
the DCs of its domain register, and then looks for the DC that is positioned closest
to it. In other words, if the client is located on network segment 100.50.xxx.xxx,
it first asks its DNS server for any DC of its domain; that DC looks up the client’s
subnet and tells it which site it is in; and the client then asks DNS for a DC of its
domain in that site. “Closest” is decided by the site your subnet is mapped to, not
by which DC happens to answer first.
If the domain the client is searching for is an NT 4.0 domain, the client falls back
to NetBIOS name resolution and logs on to the first DC it finds, which will either be
the PDC or any of the BDCs. The upshot of all this locating is that a Windows 2000
client logs on to a DC of its own domain in its own site, not just any DC of the
domain. The next steps that the client takes are worth paying attention to.
If the DC closest to the client (one in the same site) is a DC of the client’s domain,
then well and good, and no further referral or buck-passing is required. But what if
the client is located in another network segment, far away from its home DCs? A
good example is a busy executive who spends every week in a different location,
and therefore attaches to a different network each time. The notebook computer
the executive is carrying around will receive an IP address on a new network
segment that could be many “hops” away from the last segment containing a DC of
the executive’s domain.
In this case, the client contacts the first DC of its domain that DNS hands it (A).
That DC compares the client’s current IP address with the subnet objects defined in
the directory, works out which site the client is sitting in, and returns the site
name. The client then asks DNS for a DC of its domain in that site and is referred
(B) to the nearest one. If that site has no DC of the client’s domain, a DC in the
closest site (by site link cost) registers itself in DNS on the site’s behalf, so the
client still ends up on the nearest DC rather than on a random one. This is
illustrated in Figure 8-5.
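The A/B sequence above, as an added Python model written for this chapter (not Windows code, and it sends no DNS query): it builds the exact SRV record names a Windows 2000 client asks for, performs the subnet-to-site lookup that the first DC does on the client's address, and picks among SRV answers the way a resolver does (RFC 2782: lowest priority, then weighted random). The domain, the subnet table and the SRV answers are constructed; the automatic-site-coverage record for the DC-less site is included to show why the executive still lands on a nearby DC.

```python
"""The DC locator from the chapter, reduced to the two pieces that decide
which DC a client ends up on: the DNS SRV names the client asks for, and the
subnet-to-site lookup the first DC performs on the client's address.

Added illustration for this chapter, not Windows code. The domain, the
subnet table and the SRV answers are constructed and no DNS query is sent.
SRV record choice follows RFC 2782 (lowest priority first, weighted random
within that priority), which is how the Windows resolver orders them.
"""
import ipaddress
import random


def srv_name(domain, site=None, gc=False):
    """Record names a Windows 2000 client asks for:
    _ldap._tcp.dc._msdcs.<domain>                  any DC of the domain
    _ldap._tcp.<site>._sites.dc._msdcs.<domain>    DCs of the domain in one site
    _ldap._tcp.gc._msdcs.<forest root>             GCs, registered under the forest root"""
    where = f"{site}._sites." if site else ""
    return f"_ldap._tcp.{where}{'gc' if gc else 'dc'}._msdcs.{domain}"


# Constructed subnet objects; the real ones live under cn=Subnets,cn=Sites,
# cn=Configuration in the configuration partition.
SUBNETS = {
    "10.1.0.0/16": "Miami",
    "10.1.200.0/24": "Miami-Lab",   # more specific than 10.1.0.0/16, so it wins for 10.1.200.x
    "10.2.0.0/16": "Portland",
}


def site_for_ip(ip, subnets=SUBNETS):
    """What the first DC does with the client's address: longest-prefix match
    against the subnet objects. None means the address is mapped to no site,
    which leaves the client on whatever DC answered first, possibly across the
    WAN; unmapped subnets are the usual cause of slow remote logons."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def pick_srv(records, rng=None):
    """RFC 2782 selection. records: (priority, weight, port, target) tuples."""
    rng = rng or random
    if not records:
        return None
    lowest = min(r[0] for r in records)
    group = [r for r in records if r[0] == lowest]
    total = sum(r[1] for r in group)
    if total == 0:
        return rng.choice(group)
    point = rng.uniform(0, total)
    for rec in group:
        point -= rec[1]
        if point <= 0:
            return rec
    return group[-1]


# Constructed SRV data standing in for the DNS zone.
DOMAIN = "genesis.mcity.org"
DNS = {
    srv_name(DOMAIN): [
        (0, 100, 389, "miami-dc1.genesis.mcity.org"),
        (0, 100, 389, "portland-dc1.genesis.mcity.org"),
        (10, 100, 389, "portland-dc2.genesis.mcity.org"),   # priority 10: used only if the 0s fail
    ],
    srv_name(DOMAIN, "Miami"): [(0, 100, 389, "miami-dc1.genesis.mcity.org")],
    srv_name(DOMAIN, "Portland"): [
        (0, 100, 389, "portland-dc1.genesis.mcity.org"),
        (10, 100, 389, "portland-dc2.genesis.mcity.org"),
    ],
    # Miami-Lab has no DC of its own; miami-dc1 registers here under automatic site coverage
    srv_name(DOMAIN, "Miami-Lab"): [(0, 100, 389, "miami-dc1.genesis.mcity.org")],
}


def locate_dc(domain, client_ip, dns=DNS, subnets=SUBNETS, seed=0):
    """The A/B sequence from the chapter. Returns (DC chosen, site, names queried)."""
    rng = random.Random(seed)
    queried = [srv_name(domain)]
    first = pick_srv(dns.get(queried[0], []), rng)      # A: any DC of the domain
    if first is None:
        return None, None, queried
    site = site_for_ip(client_ip, subnets)              # that DC maps our address to a site
    if site is None:
        return first[3], None, queried                  # unmapped subnet: stay on the first DC
    queried.append(srv_name(domain, site))
    closest = pick_srv(dns.get(queried[1], []), rng)    # B: a DC of the domain in our site
    return (closest or first)[3], site, queried


if __name__ == "__main__":
    for ip in ("10.2.7.7", "10.1.200.9", "192.168.1.20"):
        print(ip, locate_dc(DOMAIN, ip))
```

The third address in the demo, one that no subnet object covers, is the case to watch for in a real deployment: the client keeps whichever DC answered the domain-wide query, which may be on the other side of the country. On a Windows 2000 machine you can check the same two lookups by hand with nslookup -type=SRV against the record names the block prints, and with nltest /dsgetdc:<domain> from the Support Tools, which reports the DC chosen and the site the client was placed in.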
This entire matrix of DCs and GCs, replication, and referral services for logon is
accomplished by a sophisticated built-in mechanism in Windows 2000, known as sites.