Active Directory Physical Structure

This chapter reviews the physical structures of Active Directory. This chapter
also introduces you to the relationships between domain controllers, the various
roles of domain controllers, global catalogs, and sites.
Past, Present, and Future
Past operating systems had no awareness of the underlying
physical network structure on which they were deployed. For
small companies, even reasonably sized ones, the network
layout, interconnection points and subnets, remote offices, and
so on were either laid out long before Windows NT became
pervasive or were installed independently of the network
operating systems that depended on it.
We typically build networks on which the servers reside
on 100Mbps media, the backbone. There is 100Mbps media
between floors, and then this network is extended into a
10Mbps network down to the users. Windows NT does not
care if the network is 10Mbps or 10,000Mbps . . . it has no
built-in means of catering to the available resources.
But this is no longer sufficient, because Windows 2000’s
physical structure and its multi-master replication technology,
global catalog services, public key infrastructure, directory
synchronization, Kerberos authentication, and more do need
to be sensibly and carefully built according to the physical
network resources. Fortunately, the OS also allows you to build
a logical network and map it to a present or future physical
network. With Active Directory services, you can tailor your
Windows 2000 deployment to the available network and merge

little else you can do to manage or customize this synchronization.
In Windows NT, there is typically one BDC for every remote location and one or two on
the local segment, and all reside on the same network. In other words, if the PDC is in
Miami and the BDC is in Portland, Windows NT does not know that. The PDC functions
independently of the BDC on the other side of the country. Naturally, if the BDC in
Portland went down, the Portland users would have a hard time getting authenticated
or using network resources, and if their segment lost connectivity to the office in
Miami, they would be in trouble. This Windows NT single-master physical domain
structure is illustrated in Figure 8-1.
Windows 2000 is very different. While the concept of domain controllers and
backup domain controllers remains the same, these services operate as masters,
or in a multi-master peer arrangement. There is no PDC; all domain controllers
can be edited and updated. Active Directory makes sure that any changes or
additions made to one domain controller directory are distributed to the other
domain controllers. This is known as multi-master replication technology (and you
could call it a philosophy as well). The multi-master arrangement is illustrated in
Figure 8-2.
To deploy an ongoing administrative approach in Windows 2000, you must first
design the logical structures based on the enterprise’s present and future needs, as
discussed in Chapter 7. Then map that model to the physical network and ensure
that you have the necessary structures to support it, in terms of bandwidth, subnet
design, network routes, and so on. It is also possible, as you will see, to cater to
areas of your network that do not ideally fit into any logical structures you have.
Windows 2000 and Active Directory allow you to map your logical network model to
the physical network with domain controllers (DC), global catalogs (GC), and sites.
And Windows 2000 ties everything together between the DCs, the GCs, and the sites
with links, bridges, and connection objects to comprise a highly sophisticated
directory, directory replication, and directory synchronization service. Before we
get down to the railroad work, we should talk about DCs, GCs, and sites in less
abstract terms than we have in the previous chapters.

your network. To use the brain analogy again, Active Directory knows how your
network is structured and what is required to keep it in good health and service it
correctly.
But the one thing we cannot do with our brains is replicate the information in them.
If we could, life would be very different. Also, imagine blowing out your brains and
then just replacing them with a “hot” standby, a la Plug and Play. Fortunately for us,
our brains, left alone, look after themselves pretty well for a period of 70 to 100
years. Active Directory brains are not as fortunate; they can be carried off, fused,
trashed, and corrupted.
Imagine that the only DC running a Windows 2000 domain gets fried. Knowing what
you do now, the network will be frozen until the DC can be restored. This is not a
fortunate position to be in. For starters, your backups (usually taken the night before)
are only able to restore you to the state you were in 8 to 12 hours ago. Second, what
will now authenticate the restore service writing to the new machine? While we
explain how to restore a single Active Directory in Chapter 17, losing the domain
controller is not a pleasant event, akin to a human going into a coma and not returning
for a few weeks or years, if ever.
So, having another “equal partner” domain controller is essential, even for a small
office. It need not cost an arm and a leg, as we discuss in Chapter 9, but you should
have one all the same.
4667-8 ch08.f.qc 5/15/00 2:00 PM Page 268
269
Chapter 8 ✦ Active Directory Physical Structure
The number one rule about Active Directory availability on a Windows 2000 network
is to place the DC as close as possible to users. In larger companies, it makes sense
to place domain controllers on remote sites, segments, separated offices, or large
offices, because the nearer your clients are to the DCs, the quicker they will be able
to authenticate and gain access to resources, printers, and communications. Having
more than one DC also spreads the load around, a practice called load balancing. An
office of more than a thousand people all hitting one lonely DC does not make sense.

namespaces, the names of the actual objects on the tree, and so on.
Part III ✦ Active Directory Services
By now, you have probably realized that your domain controller can only service
one domain. How much more sensible and easy would it be if a good machine
with tons of resources could be used to host multiple domains? We hope to see
this emerge in future generations of Active Directory.
While the Active Directory replicates everything to the other domain controllers, it
has some built-in features that facilitate replication. Before we discuss them, look at
the illustration in Figure 8-3. Imagine if you poured water in either side of the tube.
Your knowledge of science tells you that gravity and other forces in the cosmos act
to balance the two sides. It does not matter which side you pour the water into,
nature still acts to create equilibrium. This is how Active Directory works; it has
automatic built-in mechanisms that ensure that if there is more than one DC on the
matrix, it receives the share of information it needs or deserves.
However, if you limit the width of the U-piece, or the tunnel, it will take longer to create
the balance. And, naturally, if you block the U-piece, the balance will not occur.
Figure 8-3: Active Directory replication is automatic and for the most part transparent.
Specifically, the Active Directory acts in the following manner to make sure that
the replication occurs and that it occurs as painlessly as possible. First, only the
changes to objects or new objects get replicated to the other DCs. Second, you can
specify how the replication is handled. For example, you can schedule how often
and when replication occurs.

that if you start at the top of the namespace and from org you work your way down
three domain levels, you will find jeffreyshapiro. You will, of course, also find
other objects at the end of this namespace, but at least you have limited your
search to a contiguous namespace.
But what if you do not have any information about the root domains? What if you or
the application has no entry point (an LDAP shallow search needs at least a root from
which to start a search) from which to begin? You would have to commit to a deep
search of the forest to find the object. By deep search, we mean that you or your
application has to traverse every tree in the forest to find the object you are looking
for, and this is done through a system of referrals.
A directory service with the potential of MCITY and all its departments would be very
long and tiresome to search. That’s where the GC comes in. We know this seems like a
deep explanation, but many have found it confusing at first why there is a catalog
when you can, theoretically, search the domain trees. The illustration in Figure 8-4
demonstrates how easy it is to search the GC from an application like Outlook.
Figure 8-4: Searching for a user in Active Directory from Outlook
The GC contains a partial replica of every domain in the forest and a copy of the
schema and configuration-naming contexts used in each forest. In other words, the
GC holds a copy of every object in the forest. However, it only holds the key attributes
of each object that will be useful for searching. You can thus easily find an object or
a collection of objects just by specifying an attribute of an object. In Figure 8-4, we
provided a letter and the search returned several objects. In this manner, a user or
application can locate an object without having to know in which domain the object

e-mail address submits only what he or she knows, such as a last name or first
name, there is a chance, albeit remote, that the search will return NULL.
✦ You need at least one GC in a domain, but if that domain is spread far and
wide, which is possible, you can add the GC to other domain controllers (we
discuss doing exactly that in Chapter 9). Get used to the idea of managing or
working with more than one GC, because down the road many applications
will begin taking advantage of a permanent catalog service on the network,
and we are not talking only BackOffice stuff like Exchange and SQL Server.
GCs are built by the Active Directory replication service, and we will talk about
that shortly.
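The difference between a domain-bound search and a global catalog search described above can be checked from any domain-joined machine. The following PowerShell is an added example, not code from the book or from Microsoft: it looks up the same user once against a single domain on LDAP port 389 (the LDAP:// provider) and once against the global catalog (the GC:// provider, port 3268), then reports which requested attributes came back from each. The user name, the forest root distinguished name and the attribute list are constructed sample values; the caller is assumed to have ordinary read access to the directory.

```powershell
# Added example (not from the book): show that the GC holds every object in the
# forest but only the attributes in the partial attribute set.
# Assumptions (constructed values): domain-joined machine, read access,
# a user 'jdoe' somewhere in the forest, forest root DC=mcity,DC=org.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$ForestRootDn   = 'DC=mcity,DC=org',
    [string[]]$Attributes   = @('displayName', 'mail', 'userPrincipalName',
                                'memberOf', 'description', 'info')
)

function Search-ForUser {
    param([string]$Root, [string]$Filter, [string[]]$Props)
    # $Root is 'LDAP://<dn>' (one domain, one naming context) or
    # 'GC://<forest root dn>' (partial replica of the whole forest, port 3268).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]$Root
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.AddRange($Props)
    return $searcher.FindOne()
}

function Compare-DcAndGc {
    param($DcResult, $GcResult, [string[]]$Props)
    foreach ($p in $Props) {
        # ResultPropertyCollection keys are lower-case attribute names.
        $onDc = ($null -ne $DcResult) -and $DcResult.Properties.Contains($p.ToLower())
        $onGc = ($null -ne $GcResult) -and $GcResult.Properties.Contains($p.ToLower())
        [pscustomobject]@{
            Attribute          = $p
            OnDomainController = [bool]$onDc
            InGlobalCatalog    = [bool]$onGc
        }
    }
}

$filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"

# The domain search needs an entry point (a root) inside that one domain...
$fromDc = Search-ForUser -Root "LDAP://$ForestRootDn" -Filter $filter -Props $Attributes
# ...the GC search starts at the forest root and covers every domain below it.
$fromGc = Search-ForUser -Root "GC://$ForestRootDn"   -Filter $filter -Props $Attributes

if ($null -eq $fromGc) {
    Write-Warning "No object named $SamAccountName found in the global catalog."
}
Compare-DcAndGc -DcResult $fromDc -GcResult $fromGc -Props $Attributes | Format-Table -AutoSize
```

Read the table with two cases in mind: an attribute that is `True` on the domain controller and `False` in the global catalog is not part of the partial attribute set and is exactly what a GC lookup from Outlook or another application cannot see; an attribute that is `False` in both columns is simply not set on that object. If the user lives in a child domain, the `LDAP://` search against the forest root returns nothing while the `GC://` search still finds the object, which is the point the chapter makes about not needing to know the domain.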
The DC and GC Locator Services
You may have been wondering, with all this superficial discussion of DCs and GCs,
how a user locates the correct domain controller to log on to and how the user locates
a GC to search. After all, you would imagine that you at least need an IP address or
some means of locating the domain, because NetBEUI or other NetBIOS services are
no longer a requirement on a Windows 2000 network. The answer is simple, but the
architecture is a little arcane and thus may appear difficult to understand. On a very
small network, you might be forgiven if you opt out, for now, of trying to understand
the locator services; but on a reasonably sized network that extends beyond more
than a handful of offices and network segments, understanding this is very important.
Network clients deploy a special set of algorithms called a locator service that
performs the function of locating DCs and GCs. The latest version of the Windows
locator service serves both Windows 2000 clients and legacy Windows clients.
Thus, both clients are able to use DNS and NetBIOS APIs to locate the DC and GC
servers. How do they do this?
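The DNS side of that question can be answered by hand. Domain controllers register SRV records under the `_msdcs` subdomain of the domain's DNS zone, and the client locator queries them, so the lookup below is an added example (not the book's text or Microsoft's own locator code) that reproduces the DNS step and compares it with what Netlogon actually chooses. It assumes `Resolve-DnsName`, which shipped with Windows 8 and Server 2012 and is therefore newer than the operating system the chapter describes, a DNS server that hosts the zone, and the `nltest` tool. The domain and forest names are constructed sample values.

```powershell
# Added example (not from the book): find DCs and GCs the way a DNS-aware client does.
# Assumptions: Resolve-DnsName (Windows 8 / Server 2012+), nltest present, and a
# DNS server that holds the _msdcs records. Names below are constructed samples.
param(
    [string]$Domain = 'mcity.org',   # domain whose DCs we want
    [string]$Forest = 'mcity.org',   # GC records are registered under the forest root zone
    [string]$Site   = ''             # optional: AD site name to prefer nearby DCs
)

function Get-SrvTargets {
    param([string]$SrvName)
    # RFC 2782 ordering: lowest Priority first; among equal Priority the higher
    # Weight is chosen more often. The answer may also carry A records for the
    # targets, so keep only the SRV entries.
    Resolve-DnsName -Name $SrvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight
}

# Site-specific records exist so a client in a given site is pointed at DCs in
# that site first; without a site name the domain-wide record set is used.
$dcRecord = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
            else       { "_ldap._tcp.dc._msdcs.$Domain" }
$gcRecord = if ($Site) { "_gc._tcp.$Site._sites.$Forest" }
            else       { "_gc._tcp.$Forest" }

"Domain controllers (LDAP, expected port 389) for $Domain via $dcRecord"
Get-SrvTargets $dcRecord | Format-Table -AutoSize

"Global catalog servers (LDAP, expected port 3268) for $Forest via $gcRecord"
Get-SrvTargets $gcRecord | Format-Table -AutoSize

"Kerberos KDCs (expected port 88) for $Domain"
Get-SrvTargets "_kerberos._tcp.dc._msdcs.$Domain" | Format-Table -AutoSize

# Cross-check: ask Netlogon which DC and GC its own locator selected.
nltest /dsgetdc:$Domain
nltest /dsgetdc:$Forest /gc
```

If the SRV queries fail but `nltest` still finds a controller, the client fell back to the NetBIOS path the chapter mentions, which is a sign that DNS registration or the client's DNS settings need attention before the site design described later will have any effect on which DC users reach.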
If the client can resolve DCs in DNS, which is what all Windows 2000 clients are
empowered to do, the client’s locator service will search for the DC that is positioned