Chapter 8: Active Directory Physical Structure

Part III: Active Directory Services

In This Chapter: The Concept of Sites; Active Directory Replication; Active Directory Topology

4667-8 ch08.f.qc 5/15/00 2:00 PM Page 265

This chapter reviews the physical structures of Active Directory. It also introduces the relationships between domain controllers, the various roles of domain controllers, global catalogs, and sites.

Past, Present, and Future

Past operating systems had no awareness of the underlying physical network structure on which they were deployed. For small companies, even reasonably sized ones, the network layout, interconnection points and subnets, remote offices, and so on were either laid out long before Windows NT became pervasive or were installed independently of the network operating systems that depended on them. We typically build networks on which the servers reside on a 100Mbps backbone, with 100Mbps media between floors, extended into a 10Mbps network down to the users. Windows NT does not care whether the network is 10Mbps or 10,000Mbps; it has no built-in means of catering to the available resources.

This is no longer sufficient. Windows 2000's physical structure, with its multi-master replication, global catalog service, public key infrastructure, directory synchronization, Kerberos authentication, and more, must be built sensibly and carefully around the physical network resources. Fortunately, the OS also allows you to build a logical network and map it to a present or future physical network. With Active Directory services, you can tailor your Windows 2000 deployment to the available network and merge the two structures into a unified whole. The reason for this is Active Directory and its host, the domain controller.

Windows NT and Windows 2000 network requirements are very different.
Windows NT depends on a single primary domain controller, the PDC, which holds the master copy of the domain database: configuration, accounts, security, and so on. The PDC is a single-master domain controller, meaning that only the copy of the database on the PDC can be written to. If that machine fails, the domain is frozen in terms of its ability to accept changes. Clearly, this is not a pleasant idea. Backup domain controllers, or BDCs, hold copies of the PDC's database. A BDC can service the domain for logon authentication, security checks, and the like, but its copy of the accounts database (the SAM, stored in the registry) cannot be edited. To do that, you must promote the BDC to the role of PDC. Thus the PDC and BDCs exist in a single-master, or master-slave, arrangement. No matter where you are on a Windows NT network, changes you make to the domain are saved to the PDC, which then replicates them out to the BDCs wherever they are. The PDC does this automatically, or you can force a BDC and the PDC to synchronize their databases. Other than this forced synchronization, there is little else you can do to manage or customize the replication.

In Windows NT there is typically one BDC for every remote location and one or two on the local segment, and all of them belong to the same flat domain: if the PDC is in Miami and a BDC is in Portland, Windows NT has no notion of that distance. The PDC functions independently of the BDC on the other side of the country. Naturally, if the BDC in Portland went down, the Portland users would have a hard time getting authenticated or using network resources, and if their segment lost connectivity to the office in Miami, they would be in trouble. This Windows NT single-master physical domain structure is illustrated in Figure 8-1.

Windows 2000 is very different. Domain controllers remain, but there is no longer a distinction between primary and backup controllers; every domain controller is a master, and they operate as peers in a multi-master arrangement.
There is no PDC; every domain controller holds a writable copy of the directory and can be updated directly. Active Directory makes sure that any changes or additions made on one domain controller are distributed to the other domain controllers. This is known as multi-master replication (and you could call it a philosophy as well). The one caveat is that a handful of operations remain single-master by design: schema changes, the addition of domains to the forest, RID pool allocation, PDC emulation for down-level clients, and cross-domain reference maintenance are each performed by one designated domain controller, the operations master for that role. Everything else, including ordinary writes to users, groups, and computers, is multi-master. The multi-master arrangement is illustrated in Figure 8-2.

To deploy an ongoing administrative approach in Windows 2000, you must first design the logical structures based on the enterprise's present and future needs, as discussed in Chapter 7. Then map that model to the physical network and ensure that you have the necessary structures to support it, in terms of bandwidth, subnet design, network routes, and so on. It is also possible, as you will see, to cater to areas of your network that do not fit neatly into any logical structure you have. Windows 2000 and Active Directory allow you to map your logical network model to the physical network with domain controllers (DCs), global catalogs (GCs), and sites. Windows 2000 ties everything together between the DCs, the GCs, and the sites with site links, site link bridges, and connection objects to form a highly sophisticated directory, directory replication, and directory synchronization service. Before we get down to the railroad work, we should talk about DCs, GCs, and sites in less abstract terms than we have in the previous chapters.

Figure 8-1: The single-master domain structure of a Windows NT domain (one PDC replicating to several BDCs)

Figure 8-2: The multi-master domain structure of a Windows 2000 domain (several DCs replicating with each other)

Domain Controllers and Global Catalogs

The three components of Windows 2000 and Active Directory networks are domain controllers (the directory hosts), global catalogs, and sites.
They are all interrelated, so a discussion of each individually and then collectively is warranted. Let's kick off with the DCs you have been reading so much about.

Domain Controllers

A domain controller (DC) houses Active Directory (AD); it is the directory's host. As you have learned in the previous chapters, Active Directory is the brain or control center of the central nervous system that authenticates users and manages security and access control, communications, printing, information access, and so on. Active Directory is also a lot more than domain information. It is a storehouse of enterprise information, a place where you can put "signposts" that point or redirect users to information and objects anywhere on the local or wide area network. It is a place where you can go to find people, places, and things. In the future, Active Directory will become the local "hangout" for all applications. In addition, Active Directory stores information about the physical structure of your network. To use the brain analogy again, Active Directory knows how your network is structured and what is required to keep it in good health and service it correctly.

The one thing we cannot do with our brains is replicate the information in them. If we could, life would be very different. Imagine losing your brain and replacing it with a "hot" standby, a la Plug and Play. Fortunately for us, our brains, left alone, look after themselves pretty well for 70 to 100 years. Active Directory brains are not as fortunate; they can be carried off, fused, trashed, and corrupted. Imagine that the only DC running a Windows 2000 domain gets fried. Knowing what you do now, the network will be frozen until the DC can be restored. This is not a fortunate position to be in. For starters, your backups (usually taken the night before) can only restore you to the state you were in 8 to 12 hours ago.
Second, what will now authenticate the restore service writing to the new machine? We explain how to restore a single Active Directory in Chapter 17, but losing the domain controller is not a pleasant event, akin to a human going into a coma and not returning for a few weeks or years, if ever. So having another "equal partner" domain controller is essential, even for a small office. It need not cost an arm and a leg, as we discuss in Chapter 9, but you should have one all the same.

The number one rule about Active Directory availability on a Windows 2000 network is to place the DC as close as possible to the users. In larger companies, it makes sense to place domain controllers in remote sites, segments, separated offices, or large offices, because the nearer your clients are to the DCs, the quicker they can authenticate and gain access to resources, printers, and communications. Having more than one DC also spreads the load around, a practice called load balancing. An office of more than a thousand people all hitting one lonely DC does not make sense.

All the DCs in a domain coexist as a "cluster" of sorts, each one backing up the others. They are all responsible for maintaining identical information about that domain, as well as the forest-wide information (schema and configuration) that every DC in the forest holds about the other domains. The DCs keep each other abreast of changes and additions through an extensive and complex replication topology, far too complicated to grasp at its DNA level. It is both with tongue in cheek and with a design style we will soon discuss that we refer to a Windows 2000 network as a matrix. The matrix, however, becomes a growing consumer of network bandwidth the larger and more complex the enterprise becomes, or the more it begins to depend on directory services.
So one of the first tasks you or your administrators will have in the management of the domains and directories is provisioning for replication. The global catalog service (GC) also uses bandwidth and Active Directory and DC resources, as we will soon discuss. As discussed earlier, this cooperation between all DCs on the matrix is what we call a multi-master arrangement. If the packets are routed over limited bandwidth, the router or gateway is a lot more vulnerable to bottlenecks than in the Windows NT philosophy of single-master operations.

Let's look at some core facts about DCs that cannot be ignored; we'll be summarizing as we go:

✦ Each domain must have at least one DC (one copy of that domain's portion of Active Directory). Like the brain, if the last DC goes into a coma, the network comes to a dead stop.

✦ DCs provide users with the means to function in a workplace, to communicate, and to keep the enterprise alive. Take that away and you have a lot of unhappy people.

✦ You need more than one DC in a domain (or a very good backup/restore plan, or even RAID in a small office).

✦ The directory a DC holds is divided into naming contexts, or partitions, and each replicates to a different set of DCs. The schema naming context (the object and attribute definitions) and the configuration naming context (sites, subnets, site links, and the replication topology itself) replicate to every DC in the forest. The domain naming context, which holds the actual objects in the tree namespace (users, groups, computers, organizational units), replicates only to the DCs of that domain.

By now, you have probably realized that a domain controller can only service one domain. How much more sensible and easier would it be if a good machine with tons of resources could host multiple domains? We hope to see this emerge in future generations of Active Directory. While Active Directory replicates everything to the other domain controllers, it has some built-in features that keep replication manageable. Before we discuss them, look at the illustration in Figure 8-3.
Imagine pouring water into either side of a U-shaped tube. Your knowledge of science tells you that gravity acts to balance the two sides; it does not matter which side you pour the water into, nature still acts to create equilibrium. This is how Active Directory works: it has automatic built-in mechanisms that ensure that if there is more than one DC on the matrix, each receives the share of information it needs. However, if you narrow the U-piece, the tunnel between the two sides, it takes longer to create the balance. And, naturally, if you block the U-piece, the balance will not occur.

Figure 8-3: Active Directory replication is automatic and for the most part transparent.

Specifically, Active Directory acts in the following manner to make sure that replication occurs and that it occurs as painlessly as possible. First, only changes are replicated: a new object, or the individual attributes of an existing object that were modified since the partner last synchronized, not the whole directory and not even the whole object. Second, you can specify how replication is handled. Within a site, replication is triggered by change notification between partners; between sites, it runs over site links, and you can schedule when and how often it occurs and what each link costs relative to the others.

Note: By using these features, you can control the bandwidth usage between domain controllers. And if you have remote sites, sensible use of replication scheduling and bandwidth might obviate the need for a separate domain, especially if you are catering to a small office and you do not have a lot of network traffic hitting that U-piece on your network.

Global Catalogs

The global catalog (GC) is not something that Shop-Till-You-Drop, Inc. sends you every month. But if that's what you thought, we will not hold it against you, because the GC is a totally new concept on Windows networks.
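To make the multi-master arrangement and the "only changes move" rule concrete, here is a small working model, added for this edition and not code from the book or from Windows. Each DC in the model accepts originating writes, numbers every write with a local update sequence number (USN), remembers for each partner the partner USN it last pulled (the high-watermark), and keeps, per originating DC, the highest originating USN it has already applied (the up-to-dateness vector). A replication cycle therefore carries only what is new and drops changes it already holds. The object names, stamps and the conflict rule (higher version wins, then the later originating stamp) are assumptions for the model; the real rule also breaks ties on DC identity.

```python
"""Simplified model of multi-master, change-only replication between DCs.

Added example, not code from the book. Object names, stamps and the conflict
rule are assumptions made for the model, not Active Directory internals.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttrValue:
    value: str
    version: int    # bumped on every originating write to this attribute
    stamp: float    # originating time (constructed values, not a real clock)


@dataclass
class DomainController:
    name: str
    usn: int = 0
    objects: dict = field(default_factory=dict)     # dn -> {attr: AttrValue}
    log: list = field(default_factory=list)         # (usn, dn, attr, value, origin, origin_usn)
    watermarks: dict = field(default_factory=dict)  # partner -> last partner USN pulled
    utd: dict = field(default_factory=dict)         # origin DC -> highest origin USN applied

    def write(self, dn, attr, value, stamp):
        """Originating write; any DC accepts it, which is what multi-master means."""
        current = self.objects.setdefault(dn, {}).get(attr)
        new = AttrValue(value, current.version + 1 if current else 1, stamp)
        self.objects[dn][attr] = new
        self.usn += 1
        self.utd[self.name] = self.usn
        self.log.append((self.usn, dn, attr, new, self.name, self.usn))

    def changes_since(self, usn):
        return [entry for entry in self.log if entry[0] > usn]

    def pull_from(self, partner):
        """One replication cycle: fetch only log entries above the high-watermark
        for this partner, and skip any we already hold from the same originator.
        Returns the number of changes actually carried over."""
        received = 0
        last = self.watermarks.get(partner.name, 0)
        for usn, dn, attr, incoming, origin, origin_usn in partner.changes_since(last):
            self.watermarks[partner.name] = usn
            if origin_usn <= self.utd.get(origin, 0):
                continue                        # propagation dampening: seen it already
            self.utd[origin] = origin_usn
            received += 1
            current = self.objects.setdefault(dn, {}).get(attr)
            if current is None or (incoming.version, incoming.stamp) > (current.version, current.stamp):
                self.objects[dn][attr] = incoming
                self.usn += 1                   # replicated write gets a local USN too
                self.log.append((self.usn, dn, attr, incoming, origin, origin_usn))
        return received


def demo():
    """Two DCs, originating writes on both (one pair conflicting), then several
    replication cycles. Returns the per-cycle change counts and whether the
    two replicas ended up identical."""
    jeff = "cn=jeffreyshapiro,dc=mcity,dc=org"
    ann = "cn=ann,dc=mcity,dc=org"
    dc_a, dc_b = DomainController("DC-A"), DomainController("DC-B")
    dc_a.write(jeff, "title", "Engineer", stamp=1.0)
    dc_a.write(jeff, "mail", "jeff@mcity.org", stamp=2.0)
    dc_b.write(ann, "title", "Manager", stamp=3.0)
    dc_a.write(ann, "title", "Director", stamp=4.0)   # conflicts with DC-B's write
    counts = [dc_b.pull_from(dc_a), dc_a.pull_from(dc_b), dc_b.pull_from(dc_a)]
    dc_a.write(jeff, "title", "Senior Engineer", stamp=5.0)
    counts.append(dc_b.pull_from(dc_a))               # only the one new change moves
    return counts, dc_a.objects == dc_b.objects


if __name__ == "__main__":
    print(demo())
```

The third cycle moves nothing because DC-B's watermark for DC-A already sits at the top of DC-A's log, and the echo of DC-A's own writes coming back from DC-B is dropped by the up-to-dateness check rather than re-applied; that is the bandwidth saving the U-tube analogy is describing. Both DCs converge on "Director" for the conflicting attribute because the later stamp wins at equal version.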
The main purposes of the GC are as follows:

✦ It takes part in logon. In a native-mode domain, a GC must be contacted during authentication to expand the user's universal group memberships, which are stored only in the GC. A GC is itself a domain controller, so it also holds a full replica of all the accounts in its own domain.

✦ It provides fast intra- and inter-domain searches of Active Directory without walking the trees, or performing what is known in directory service language as "deep searches."

For all intents and purposes, the GC is a read-only subset of every other domain in the forest that, for search purposes, holds only the attributes needed to find an object belonging to a domain other than the one the GC directly serves. That may sound confusing, because philosophically the GC sits above the domain hierarchy. In fact, the GC is not a hierarchy at all and is not part of the Active Directory domain namespace.

When you search Active Directory, you either know what you are looking for or you have a vague idea. And by you, we also mean any application that needs to look up an object for some reason. As we discussed in Chapter 2, a user object is a leaf, or end node, on the Active Directory domain tree that is read from right to left (or bottom to top). The user object jeffreyshapiro.genesis.mcity.org tells you that if you start at the top of the namespace and from org work your way down three domain levels, you will find jeffreyshapiro. You will, of course, also find other objects at the end of this namespace, but at least you have limited your search to a contiguous namespace.

But what if you do not have any information about the root domains? What if you or the application has no entry point (an LDAP search needs at least a base from which to start) from which to begin? You would have to commit to a deep search of the forest to find the object. By deep search, we mean that you or your application has to traverse every tree in the forest to find the object you are looking for, and this is done through a system of referrals.
A directory service with the potential of MCITY and all its departments would be very long and tiresome to search. That's where the GC comes in. We know this seems like a deep explanation, but many have found it confusing at first why there is a catalog when you can, theoretically, search the domain trees. The illustration in Figure 8-4 demonstrates how easy it is to search the GC from an application like Outlook.

Figure 8-4: Searching for a user in Active Directory from Outlook

The GC contains a partial replica of every domain in the forest, plus the schema and configuration naming contexts that every DC in the forest already holds. In other words, the GC holds a copy of every object in the forest. However, for domains other than its own it holds only the key attributes of each object that are useful for searching, the partial attribute set. You can thus easily find an object or a collection of objects just by specifying an attribute of an object. In Figure 8-4, we provided a letter and the search returned several objects. In this manner, a user or application can locate an object without having to know in which domain the object resides.

The GC is built in such a way that it is optimized for queries. The query mechanism is built on LDAP but uses basic queries that do not return referrals. LDAP referrals pass the search flow from tree to tree, but the GC is not hierarchical. It is a flat database. A GC answers these forest-wide queries on a dedicated LDAP port (3268, or 3269 over SSL), separate from the port (389) on which the same server answers ordinary domain queries; a query sent to port 389 whose base lies outside the local domain still draws a referral.

The following attributes are important considerations:

✦ A GC is located using DNS.

✦ A GC is created in a domain tree; it is housed on a domain controller.

✦ You should install at least one GC per site.

✦ The members of universal groups are stored in the GC. Domain local and global groups also appear in the GC as objects, but their membership is not replicated there. Universal groups are only available in native-mode domains. Mixed-mode domains do not need a GC for authentication.
The GC also holds the access control information of the objects, so security is not compromised in any way. The GC role carries an overhead separate from that of ordinary domain controller duty. Remember that although a GC runs on a DC, the partial replicas of the other domains are extra data on top of the DC's own domain partition; they are replicated and stored in addition to it, and the catalog view does not follow domain boundaries. Here are some specifics to keep in mind:

✦ The GC generates replication and query traffic within a site and between sites. So keep in mind that your network is now going to be hit with both DC and GC traffic. Also, a GC is required for logging on to a native-mode domain. If there is no GC on the local segment, a GC on a remote segment will be used for authentication.

✦ Users may need to be shown how to query the GC, which is an administrative overhead. Or, you will have to make sure your objects are populated with relevant information. For example, if you only store the e-mail address of a person in his or her respective object, and someone looking up this person's e-mail address submits only what he or she knows, such as a last name or first name, the search may return nothing.

✦ You need at least one GC in the forest (the first domain controller installed in the forest becomes one automatically), but if your domains are spread far and wide, which is possible, you can add the GC role to other domain controllers (we discuss doing exactly that in Chapter 9). Get used to the idea of managing or working with more than one GC, because down the road many applications will begin taking advantage of a permanent catalog service on the network, and we are not talking only BackOffice products like Exchange and SQL Server. GCs are built by the Active Directory replication service, and we will talk about that shortly.
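The following model, added here and not code from the book, shows in working form what the GC sections above describe: a GC keeps the full replica of its own domain and, for every other domain in the forest, a read-only partial replica trimmed to the partial attribute set, with universal group membership carried over but global and domain local membership left behind. It also shows why a GC search is flat (one pass, no referrals) and the failure mode a practitioner runs into: asking the GC for an attribute that is not in the partial attribute set silently misses objects from other domains, so such queries must go to each domain's own DCs. The attribute names, the PAS membership and the two-domain forest are constructed for the model; the real PAS is defined per attribute in the schema.

```python
"""Model of what a global catalog holds and why a GC search needs no referrals.

Added example, not the book's code. PAS membership, attribute names and the
forest contents are constructed assumptions for the model.
"""

PAS = {"objectClass", "cn", "sAMAccountName", "mail", "groupScope", "member"}

# Constructed two-domain forest: domain -> distinguished name -> attributes
FOREST = {
    "mcity.org": {
        "cn=jeffreyshapiro,dc=mcity,dc=org": {
            "objectClass": "user", "cn": "jeffreyshapiro", "sAMAccountName": "jshapiro",
            "mail": "jeff@mcity.org", "telephoneNumber": "555-0100", "department": "IT"},
    },
    "genesis.mcity.org": {
        "cn=ann,dc=genesis,dc=mcity,dc=org": {
            "objectClass": "user", "cn": "ann", "sAMAccountName": "ann",
            "mail": "ann@genesis.mcity.org", "telephoneNumber": "555-0200", "department": "Water"},
        "cn=auditors,dc=genesis,dc=mcity,dc=org": {
            "objectClass": "group", "cn": "auditors", "groupScope": "universal",
            "member": ["cn=ann,dc=genesis,dc=mcity,dc=org", "cn=jeffreyshapiro,dc=mcity,dc=org"]},
        "cn=plant-ops,dc=genesis,dc=mcity,dc=org": {
            "objectClass": "group", "cn": "plant-ops", "groupScope": "global",
            "member": ["cn=ann,dc=genesis,dc=mcity,dc=org"]},
    },
}


def build_gc(forest, home_domain):
    """Catalog as held by a GC in home_domain: its own domain in full, every other
    domain trimmed to the PAS. Membership of global and domain local groups from
    other domains is not carried, which is why universal groups need the GC."""
    catalog = {}
    for domain, objects in forest.items():
        for dn, attrs in objects.items():
            if domain == home_domain:
                catalog[dn] = dict(attrs)
                continue
            partial = {k: v for k, v in attrs.items() if k in PAS}
            if attrs.get("objectClass") == "group" and attrs.get("groupScope") != "universal":
                partial.pop("member", None)
            catalog[dn] = partial
    return catalog


def flat_search(catalog, attr, value):
    """Equality search over one flat catalog: a single pass, no referrals."""
    return sorted(dn for dn, attrs in catalog.items() if attrs.get(attr) == value)


def deep_search(forest, attr, value):
    """What a client must do without a GC: query each domain's own DCs in turn,
    following referrals from tree to tree."""
    hits = []
    for objects in forest.values():
        hits += flat_search(objects, attr, value)
    return sorted(hits)


def lookup(forest, catalog, attr, value):
    """Route the query: the GC can answer for PAS attributes; anything else must be
    a deep search, because the GC's copy of a foreign object lacks that attribute."""
    if attr in PAS:
        return "gc", flat_search(catalog, attr, value)
    return "deep", deep_search(forest, attr, value)


if __name__ == "__main__":
    gc = build_gc(FOREST, "mcity.org")
    print(lookup(FOREST, gc, "mail", "ann@genesis.mcity.org"))
    print(lookup(FOREST, gc, "telephoneNumber", "555-0200"))
```

Note the asymmetry in the home domain: the GC in mcity.org still has jeffreyshapiro's telephone number, because that object comes from its own full replica, so a query for a non-PAS attribute will look as if it works until the object you want lives in another domain.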
The DC and GC Locator Services

You may have been wondering, with all this discussion of DCs and GCs, how a user locates the correct domain controller to log on to and how the user locates a GC to search. After all, you at least need an IP address or some means of locating the domain, because NetBEUI and other NetBIOS services are no longer a requirement on a Windows 2000 network. The answer is simple, but the architecture is a little arcane and may appear difficult to understand. On a very small network, you might be forgiven for skipping the locator services for now; but on a reasonably sized network that extends beyond a handful of offices and network segments, understanding this is very important.

Network clients run a set of algorithms called the DC locator (part of the Net Logon service) that performs the function of locating DCs and GCs. The latest version of the Windows locator services both Windows 2000 clients and legacy Windows clients, and both are able to use DNS and NetBIOS APIs to locate DC and GC servers. How do they do this? If the client can resolve DCs in DNS, which all Windows 2000 clients can do, the locator looks for the DC positioned closest to it. It first asks DNS for the domain's SRV records (the records under _msdcs.<domain>, which every Windows 2000 DC registers) and contacts one of the DCs listed. That DC compares the client's IP address with the subnets defined in the directory, works out which site the client is in, and tells the client. The client then asks DNS for the site-specific SRV records for that site and logs on to a DC listed there. In other words, if the client is on network segment 100.50.xxx.xxx, it ends up talking to a DC serving that segment's site. If the domain the client is searching for is an NT 4.0 domain, the client logs on to the first DC it finds, which will be either the PDC or any of the BDCs. The upshot of all this locating is that the client first logs on to a site-specific DC and not merely a domain-specific DC. The next steps that the client takes are worth paying attention to.
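Here is the locator flow as a runnable model, added for this edition and not code from the book or from Windows: the client asks DNS for the domain's generic SRV record, learns its site from the first DC it reaches (modelled as a longest-prefix match of its address against the subnet-to-site table held in the configuration partition), and then queries the site-specific record. The SRV record names are the real _msdcs names that Windows 2000 DCs register; the sites, subnets, DC hostnames and site link costs are constructed. The model also covers the case where the client's site has no DC of its domain: a DC in the nearest site by link cost registers the records for that site on its behalf (automatic site coverage), which is the referral that lands a travelling user on the right DC.

```python
"""Model of the DC locator's site-aware lookup and the DNS names it uses.

Added example, not code from the book or from Windows. Sites, subnets, DC
hostnames and link costs are constructed; the SRV names follow the _msdcs layout.
"""
import ipaddress

DOMAIN = "mcity.org"

SUBNETS = {                      # site -> subnets (constructed)
    "Miami": ["10.50.0.0/16"],
    "Portland": ["10.60.0.0/16"],
    "Seattle": ["10.70.0.0/16"],
}
DCS = {                          # site -> DCs of DOMAIN there; Portland has none
    "Miami": ["dc1.mcity.org", "dc2.mcity.org"],
    "Seattle": ["dc3.mcity.org"],
}
SITE_LINK_COSTS = {              # unordered site pair -> cost (lower is nearer)
    ("Portland", "Seattle"): 100,
    ("Miami", "Seattle"): 200,
    ("Miami", "Portland"): 300,
}


def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client's address against the site subnets."""
    addr = ipaddress.ip_address(ip)
    best = None
    for site, nets in subnets.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else None


def covering_site(site, dcs=DCS, costs=SITE_LINK_COSTS):
    """The site whose DCs serve `site`: itself if it has DCs, otherwise the
    cheapest-linked site that does (automatic site coverage), otherwise None."""
    if dcs.get(site):
        return site
    candidates = []
    for (a, b), cost in costs.items():
        other = b if a == site else a if b == site else None
        if other and dcs.get(other):
            candidates.append((cost, other))
    return min(candidates)[1] if candidates else None


def srv_name(domain, site=None, gc=False):
    """DNS name the locator queries: generic, or site-specific under _sites."""
    role = "gc" if gc else "dc"
    if site:
        return f"_ldap._tcp.{site}._sites.{role}._msdcs.{domain}"
    return f"_ldap._tcp.{role}._msdcs.{domain}"


def dns_srv_records(domain=DOMAIN):
    """Zone contents as the DCs would register them: a generic record listing every
    DC, plus one record per site naming the DCs that cover that site."""
    zone = {srv_name(domain): sorted(h for hosts in DCS.values() for h in hosts)}
    for site in sorted(set(SUBNETS) | set(DCS)):
        serving = covering_site(site)
        if serving:
            zone[srv_name(domain, site)] = list(DCS[serving])
    return zone


def locate(client_ip, domain=DOMAIN):
    """Locator flow: ask for any DC, learn the client's site from it, then ask for
    the site-specific record. Returns (name queried last, candidate DCs)."""
    zone = dns_srv_records(domain)
    site = site_for_ip(client_ip)          # what the first DC tells the client
    name = srv_name(domain, site) if site else srv_name(domain)
    return name, zone.get(name, zone[srv_name(domain)])


if __name__ == "__main__":
    for ip in ("10.50.3.9", "10.60.3.9", "192.0.2.10"):
        print(ip, locate(ip))
```

A client whose address matches no defined subnet gets no site at all and falls back to the generic record, which means it may log on to any DC in the forest regardless of distance; on a real network that is the symptom to look for when a branch office complains about slow logons.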
If the DC nearest the client (in the client's own site) is a DC of the client's domain, then well and good, and no further referral is required. But what if the client is on a network segment far from any DC of its domain? A good example is a busy executive who spends every week in a different location, and therefore attaches to a different network each time. The executive's notebook receives an IP address on a new network segment that could be many "hops" away from the segment containing the executive's home domain. In this case, the client contacts the nearest DC (A). That DC compares the client's current IP address with the subnets defined in the directory to determine the client's site, and if no DC of the client's domain exists in that site, the client is referred (B) to a DC in the nearest site (by site link cost) that does host the client's domain, and obtains service there. This is illustrated in Figure 8-5.

This entire matrix of DCs and GCs, replication, and referral services for logon is accomplished by a sophisticated built-in mechanism in Windows 2000, known as sites.

[...]

Summary

In this chapter, we introduced you to the physical structure of Active Directory. We looked at the three concepts in this physical world that make up Active Directory's physical structures: domain controller servers, global catalog servers, and sites. We also discussed how essential it is, even for a small company, to either back up Active Directory regularly or maintain a redundant (hot) [...]
[...] You can also install a DNS server on the DC itself and have it integrated with Active Directory. The advantages are that DNS and the DC are "co-located," which saves the cost of additional equipment; Active Directory automatically keeps DNS well fed with the records the DCs need; and the DC's replication service then carries the DNS zone data, so the DCs need no separate DNS zone transfers between them. DNS-Active Directory specific [...] replica current.

Note: Directory synchronization is no small matter. We recommend that you tread carefully here until the tools and techniques mature before you burn up time synchronizing or converting.

[...] For example, if you wish to exchange information between Novell Directory Services and Active Directory, the technology [...] for LDAP Directory Exchange.) It is worth noting that you can write SQL code against the LDAP directory and move information between LDAP directories.

3. Deploy more than one directory: This option is worth considering if you are a while away from deploying Active Directory, you have a huge investment in your current directory services, or your existing systems depend far too much on your current directory infrastructure. You may consider deploying more than one directory, each one serving a special need, until you are ready to convert or synchronize.

Whatever your decision, if you already deploy a directory service other than Active Directory or a BackOffice tool, you will need to take into account the synchronization and replication traffic that will also be added to your new Active Directory traffic.
Active Directory Site Design and Configuration

The first thing you will find out when you start Active Directory inter- and intra-site design is how well or how poorly your TCP/IP network has been designed. But before you start configuring anything in Active Directory, you first have to make sure the physical network is optimized, in terms of addressing, [...] no matter how bad it is, you have to start somewhere. If the links between the sites are reliable, you should map your Active Directory structure to this network as a foundation. Changes can be made later.

[Figure: DNS domain ORG (DNS root); AD domain MCITY.ORG behind an Internet firewall with network address translation, 207.209.XXX.XXX on the ISP/Internet side] [...]

[...] and you are unlikely to encounter any errors relating to the operations [...]

How Replication Works

Replication has been well designed, because it is so important to an Active Directory infrastructure, and Microsoft has gone to great lengths to ensure that the most up-to-date changes are distributed as efficiently and [...]

[...] the technology to enable this is a directory synchronization tool. There are three ways to consider the interoperation of different directories:

1. Convert existing directories to Active Directory: If you decide to convert your existing directories to Active Directory, you will need to obtain a directory conversion tool. One such tool for NetWare is the Microsoft Directory Migration snap-in. The result [...]
[...] whole soup one DC site [...]

Deploying Domain Controllers

Using the information you assembled in the logical design plan discussed in Chapter 7, place your domain controllers in the sites selected in the following manner:

1. Place the root Active Directory DC in the so-called home site. In the example in this book, this [...]