Document: Windows Server 2008 Inside Out - P23 (ppt)


Document information

Chapter 31: Organizing Active Directory (excerpt)

OU Design: Geographic Model

With a geographic model, you use OUs to reflect geographic location. In this model, top-level OUs represent the largest geographic units, such as continents, and the lower-level OUs represent successively smaller geographic units, such as countries (see Figure 31-3).

There are several advantages to this model. A geographic structure is fairly stable. Many companies reorganize internally frequently, but only rarely change geographic structure. Additionally, when you use a geographic model, it is easy to determine where accounts and resources are physically located.

The disadvantages to this model have to do with its scope. For a global company, this design would put all accounts and resources in a single domain. As a result, changes made to Active Directory at any location would be replicated to every office location. Additionally, the OU structure doesn't relate to the business structure of the organization.

[Figure 31-3 The geographic model: the cpandl.com domain with top-level OUs North America (USA, Canada, Mexico) and Europe (UK, Germany, Spain).]

OU Design: The Cost Center Model

With a cost center model, you use OUs to reflect cost centers. In this model, top-level OUs represent the major cost centers within the organization and the lower-level OUs represent geographic locations, projects, or business structures, as shown in Figure 31-4. In a company where budget is the top priority, the cost center model may be an effective way to reflect this priority. Cost centers could also be independent divisions or business units within the company that have their own management and cost controls.

[Figure 31-4 The cost center model: the cohowinery.com domain with top-level OUs Bottling and Shipping, each containing N.A., Europe, and S.A.]

The ability to represent costs and budgets in this way is a definite advantage but could also be a disadvantage.
Cost center structure is not a structure well known to most administrators, and it may be confusing.

OU Design: The Administration Model

With an administration model, you use OUs to reflect the way resources and accounts are managed. As this model reflects the business structure of a company, it is very similar to the division or business unit model. The key difference is that the top-level OU is for administrators and second-level OUs are for business structure (see Figure 31-5). If successive levels are needed, they can be organized by resource type, geographic location, project type, or some combination of the three.

[Figure 31-5 The administration model: the cpandl.com domain with a top-level IT OU and second-level OUs Engineering, Services, Sales, and Marketing.]

In a large company, you may use multiple implementations of this model for each division or business unit. In this case, the top-level administrative group would be for the division or business unit and the second-level OUs would be for groups within the division. The advantage to this model is that it is designed around the way administrators work and represents the business structure of the company. The disadvantage to this model is that when the company or divisions within the company restructure, you may need to redesign the OU structure.

Chapter 32: Configuring Active Directory Sites and Replication

As part of the design of Active Directory Domain Services, you should examine the network topology and determine if you need to manage network traffic between subnets or business locations. To manage network traffic related to Active Directory, you use sites, which can be used to reflect the physical topology of your network.
Every Active Directory implementation has at least one site. An important part of understanding sites involves understanding Active Directory replication. Active Directory uses two replication models: one model for replication within sites and one model for replication between sites. You need a solid understanding of these replication models to plan your site structure.

Working with Active Directory Sites

A site is a group of Transmission Control Protocol/Internet Protocol (TCP/IP) subnets that are implemented to control directory replication traffic and isolate logon authentication traffic between physical network locations. Each subnet that is part of a site should be connected by reliable, high-speed links. Any business location connected over slow or unreliable links should be part of a separate site. Because of this, individual sites typically represent the sets of local area networks (LANs) within an organization, and the wide area network (WAN) links between business locations typically mark the boundaries of these sites. However, sites can be used in other ways as well.

Sites do not reflect the Active Directory namespace. Domain and site boundaries are separate. From a network topology perspective, a single site can contain multiple TCP/IP subnets as well. However, a single subnet can be in only one site. This means that the following conditions apply:

• A single site can contain resources from multiple domains.
• A single domain can have resources spread out among multiple sites.
• A single site can have multiple subnets.

As you design site structure, you have many options. Sites can contain a domain or a portion of a domain. A single site can have one subnet or multiple subnets. It is important to note that replication is handled differently between sites than it is within sites. Replication that occurs within a site is referred to as intrasite replication. Replication between sites is referred to as intersite replication.
Each side of a site connection has one or more designated bridgehead servers.

[Chapter 32 contents: Working with Active Directory Sites (page 1071); Understanding Active Directory Replication (1075); Replication Rings and Directory Partitions (1091); Developing or Revising a Site Design (1096).]

Figure 32-1 shows an example of an organization that has one domain and two sites at the same physical location. Here, the organization has an East Campus site and a West Campus site. As you can see, the organization has multiple domain controllers at each site. The domain controllers in the East Campus site perform intrasite replication with each other, as do the domain controllers in the West Campus site. Designated servers in each site, referred to as site bridgehead servers, perform intersite replication with each other.

[Figure 32-1 Multiple sites at the same location: the cpandl.com domain spanning a West Campus site and an East Campus site.]

Figure 32-2 shows an example of an organization that has two different physical locations. Here, the organization has decided to use two domains and two sites. The Main site is for the cohowinery.com domain and the Seattle site is for the sea.cohowinery.com domain. Again, replication occurs both within and between the sites.

Single Site vs. Multiple Sites

One reason to create additional sites at the same physical location is to control replication traffic. Replication traffic between sites is automatically compressed, reducing the amount of traffic passed between sites by 85 to 90 percent of its original size. Because network clients try to log on to network resources within their local site first, this means that you can use sites to isolate logon traffic as well.
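The site rules described here (a site holds many subnets, a subnet belongs to exactly one site, and clients are served within their own site first), together with the chapter's recommendation that each site host a domain controller, global catalog, DNS server, and DHCP server, modelled as an added Python example; this is not code from the book. The site names follow Figure 32-1; the subnets, hostnames, and the most-specific-subnet match used to locate a client are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Roles the chapter recommends every site host so that logon and
# name/address queries are answered locally rather than over a WAN link.
RECOMMENDED_ROLES = frozenset({"DC", "GC", "DNS", "DHCP"})


@dataclass
class Site:
    name: str
    subnets: list = field(default_factory=list)  # ipaddress network objects
    servers: dict = field(default_factory=dict)  # hostname -> set of roles


class SiteTopology:
    """Sites hold many subnets; each subnet belongs to exactly one site."""

    def __init__(self):
        self.sites = {}
        self._owner = {}  # network -> site name (enforces one site per subnet)

    def add_site(self, name):
        self.sites.setdefault(name, Site(name))

    def can_assign(self, site_name, cidr):
        """True unless the subnet already belongs to a different site."""
        owner = self._owner.get(ipaddress.ip_network(cidr, strict=True))
        return owner is None or owner == site_name

    def add_subnet(self, site_name, cidr):
        if not self.can_assign(site_name, cidr):
            raise ValueError(f"{cidr} is already assigned to another site")
        net = ipaddress.ip_network(cidr, strict=True)
        self._owner[net] = site_name
        self.sites[site_name].subnets.append(net)

    def add_server(self, site_name, hostname, roles):
        self.sites[site_name].servers[hostname] = set(roles)

    def locate(self, client_ip):
        """Site whose most specific subnet contains client_ip, or None if unmapped."""
        ip = ipaddress.ip_address(client_ip)
        best = None
        for net, site_name in self._owner.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, site_name)
        return best[1] if best else None

    def missing_roles(self, site_name):
        """Recommended roles that no server in the site provides, sorted."""
        present = set().union(*self.sites[site_name].servers.values())
        return sorted(RECOMMENDED_ROLES - present)


def build_campus_topology():
    """Constructed sample after Figure 32-1: cpandl.com split into two campus sites."""
    t = SiteTopology()
    t.add_site("East Campus")
    t.add_site("West Campus")
    t.add_subnet("East Campus", "10.1.0.0/16")
    t.add_subnet("East Campus", "10.2.0.0/24")
    t.add_subnet("West Campus", "10.3.0.0/16")
    # Hypothetical lab VLAN carved out of the East range but homed in the
    # West site; the most specific subnet wins when locating a client.
    t.add_subnet("West Campus", "10.1.200.0/24")
    t.add_server("East Campus", "DC1", {"DC", "GC", "DNS"})
    t.add_server("East Campus", "DHCP1", {"DHCP"})
    t.add_server("West Campus", "DC2", {"DC", "DNS", "DHCP"})  # no global catalog
    return t


def audit(topology):
    """Map each site name to the recommended roles it lacks."""
    return {name: topology.missing_roles(name) for name in topology.sites}


if __name__ == "__main__":
    topo = build_campus_topology()
    for ip in ("10.1.5.9", "10.1.200.7", "192.168.0.1"):
        print(ip, "->", topo.locate(ip))
    print(audit(topo))
```

A client whose address falls in no registered subnet resolves to no site, and a site reported as lacking a role is one whose clients must send that kind of query across the site boundary.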
[Figure 32-2 Multiple sites at different locations: the Main site for the cohowinery.com domain and the Seattle site for the sea.cohowinery.com domain.]

In most cases, you'll want to optimize sites for Active Directory replication control. Here, it is recommended that each site have at least one domain controller and one global catalog for client authentication. For name resolution and IP address assignment, it is also recommended that each site have at least one Domain Name System (DNS) server and one Dynamic Host Configuration Protocol (DHCP) server. Then, by creating multiple sites in the same physical location and establishing a domain controller, global catalog, and DNS and DHCP server within each site, you can closely control the logon process.

You can also design sites with other network resources in mind, including distributed file system (DFS) file shares, certificate authorities, and Microsoft Exchange servers. Generally speaking, you want to configure sites so that clients' network queries can be answered within the site. If every client query for a network resource has to be sent to a remote site, there could be substantial network traffic between sites, which could be a problem over slow WAN links. As part of your site design, you should also consider site-aware applications and services. These applications and services will use site boundaries to ensure that clients don't select resources across a WAN link when a local resource is available and preferable.

Note: Enterprises often have branch offices where each branch office is defined as a separate site to control traffic for high-bandwidth–consuming applications rather than Active Directory replication.
Here, traffic for high-bandwidth–consuming applications, such as DFS or software control and change management (SCCM), is carefully managed but authentication and global catalog traffic is allowed to cross the WAN because it is less bandwidth-intensive.

Replication Within and Between Sites

Most organizations implementing Active Directory have multiple domain controllers. The domain controllers may be located in a single server room where they are all connected to a fast network or they may be spread out over multiple geographic locations, from which they are connected over a WAN that links the company's various office locations. All domain controllers in the same forest—regardless of how many domain controllers there are and where domain controllers are located—replicate information with each other either directly or indirectly. Although more replication is performed within a domain than between domains, replication between domains occurs nonetheless. The same replication model is used in both cases.

When a change is made to a domain partition in Active Directory, the change is replicated to all domain controllers in the domain. If the change is made to an attribute of an object tracked by the global catalog, the change is replicated to all global catalog servers in all domains of the forest. Similarly, if you make a change to the forest-wide configuration or schema partitions, these changes are replicated to all domain controllers in all the domains of the forest.

Authentication within and between domains is also handled by domain controllers. If a user logs on to his or her home domain, the local domain controller authenticates the logon. If a user logs on to a domain other than the home domain, the logon request is forwarded through the trust tree to a domain controller in the user's home domain.

Active Directory's replication model is designed for consistency, but the consistency is loosely defined.
By loosely defined, I mean that at any given moment the information on one domain controller can be different from the information on a different domain controller. This can happen when Windows Server 2008 has not yet replicated the changes on the first domain controller to the other domain controller. Over time, Windows Server 2008 replicates the changes made to Active Directory on one domain controller to all domain controllers as necessary.

When multiple sites are involved, the replication engine uses the site model to store and then forward changes as necessary between sites. In this case, a domain controller in the site where the changes were originally made forwards the changes to a domain controller in another site. This domain controller in turn stores the changes, and then forwards the changes to all the domain controllers in the second site. In this way, the domain controller on which a change is made doesn't have to replicate directly with all the other domain controllers. It can instead rely on the store-and-forward technique to ensure that the changes are replicated as necessary.

Determining Site Boundaries

When trying to determine site boundaries, you should configure sites so that they reflect the physical structure of your network. Use connectivity between network segments to determine where you should locate site boundaries.
Areas of the network that are connected with fast connections should all be part of the same site, unless you have specific requirements for controlling replication or the logon process. Areas of the network that are connected with limited bandwidth or unreliable links should be part of different sites.

As you examine each of the organization's business locations, determine whether placing domain controllers and other network resources at that location is necessary. If you elect not to place a domain controller at a remote location, you can make the location a part of a separate site. This has the following advantages:

• No Active Directory replication between the business locations
• No remote domain controllers to manage
• No additional site infrastructure to manage

There are also several disadvantages to this approach:

• All logon traffic must cross the link between the business locations.
• Users may experience slow logon and authentication to network resources.

In the end, the decision to establish a separate site may come down to the user experience and the available bandwidth. If you have fast connections between sites—which should be dedicated and redundant—you may not want to establish a separate site for the remote business location. If you have limited bandwidth between business locations and want to maintain the user experience, you may want to establish a separate site and place domain controllers and possibly other network resources at the site. This speeds up the logon and authentication process and allows you to better control the network traffic between sites.

Understanding Active Directory Replication

When you are planning site structure, it is important that you understand how replication works. As discussed previously, Active Directory uses two replication models, each of which is handled differently. The intrasite replication model is used for replication within sites and is optimized for high-bandwidth connections.
The intersite replication model is used for replication between sites and is optimized for limited-bandwidth connections. Before I get into the specifics of replication and the replication models, let's look at the way replication has changed since Active Directory Domain Services was introduced with Microsoft Windows 2000.

Replication Enhancements for Active Directory

The replication model used for Microsoft Windows Server 2003 and now Windows Server 2008 has changed in several important ways from the model in Windows 2000. In Windows 2000, the smallest unit of replication is an individual attribute. At first examination, this seems to be what is wanted; after all, you don't want to have to replicate an entire object if only an attribute of that object has changed. The problem with this approach is that some attributes are multivalued. That is, they have multiple values. An example is the membership attribute of a universal group. This attribute represents all the members of the universal group.

In Windows 2000, by adding or removing a single user from the group, you caused the entire group membership to be replicated. In large organizations, a significant amount of replication traffic was often generated because universal groups might have several thousand members. Windows Server 2003 and Windows Server 2008 resolve this problem by replicating only the attribute's updated value. With universal group membership, this means that only the users you've added or removed are updated, rather than the entire group membership.

As discussed in "Extensible Storage Engine" on page 993, Active Directory uses transactional processing. When there are many changes, Active Directory processes the changes in batches of 5,000 at a time.
This means that Active Directory processes a single transaction or multiple transactions in sequence until it reaches 5,000 changes, then it stops and checks to see if other processes are waiting for the CPU. Because a transaction must complete before processing stops in this way, this places a practical limit on the number of changes that can be made in a single transaction—that number is 5,000. In Windows 2000, because all the members of a group were processed any time a group's membership was changed, the limit on transactions also placed a practical limit on the number of members in a group. Again, this value is 5,000. The change in the way Windows Server 2003 and later versions of Windows Server replicate multivalued attributes also removes the limitation of 5,000 members for groups.

Note: When a forest is running at Windows Server 2003 or higher functional level, the members of the forest can take advantage of the previously discussed replication enhancements. For Windows Server 2003 or higher functional level, this means that all domain controllers in all domains within the forest must be running Windows Server 2003 or higher.

Other replication enhancements involve intersite replication. Windows Server 2003 and later versions of Windows Server introduce the ability to turn off compression for intersite replication and to enable notification for intersite replication. They also have an improved knowledge consistency checker (KCC), which allows Active Directory to
[The source preview continues with fragments of the chapter; gaps in the source are marked [...].]

[...] replication in the following key ways:

• In Windows 2000, Windows Server 2003, and Windows Server 2008, replication between sites occurs at scheduled intervals according to the site link configuration. With Windows Server 2003 and Windows Server 2008, you can enable notification for intersite replication, which allows the bridgehead server in a site to notify the bridgehead server on the other side of a site link [...] allows the other bridgehead server to pull the changes across the site link and thereby get more frequent updates.

• In Windows 2000, the maximum number of sites you can have in a forest is greatly influenced by the knowledge consistency checker (KCC). As a result, the KCC has a practical limit of about 100 sites per forest. Because the KCC in Windows Server 2003 and Windows Server 2008 has been revised, the [...]

• In Windows 2000, Windows Server 2003, and Windows Server 2008, all intersite replication traffic is compressed by default. Although this significantly reduces the amount of traffic between sites, it increases the processing overhead required on the bridgehead servers to replicate traffic between sites. Therefore, if processor utilization on bridgehead servers is a concern, and you have adequate bandwidth connections between sites, you may want to disable compression, which Windows Server 2003 and Windows Server 2008 allow you to do.

[...] FRS and DFS are replication services that use the Active Directory replication topology to replicate [...]

[...] running at Windows 2000 native or Windows Server 2003 functional level, domain controllers replicate the Sysvol using File Replication Service (FRS). When a domain is running at Windows Server 2008 functional level, domain controllers replicate the Sysvol using distributed file system (DFS).

[...] these entries exist, the root server polls the PDC emulator master to obtain the DFS metadata for each domain-based namespace and stores the metadata in memory. In the Active Directory data store, the DFS object stores the DFS metadata for a domain-based namespace. The DFS object is created in Active Directory when you install a domain at or raise a domain to the Windows Server 2008 domain functional level [...]

SIDE OUT: Why DFS instead of FRS?

When used with Active Directory, DFS has several advantages over FRS. DFS was enhanced for Windows Server 2003 Release 2. Not only did these enhancements make DFS easier to manage, they also introduced new replication and compression technologies. With Windows Server 2003 Release 2 and later, DFS Replication (DFS-R) and Remote Differential Compression (RDC) are used instead of [...]

[...] changes need to propagate throughout the forest before other changes such as resetting passwords can be made to Active Directory. The Windows Server 2008 schema adds indexed attributes to the schema directory partition. When you upgrade or install the first Windows Server 2008 domain controller, these changes replicate throughout the forest. Because of this, it is recommended that you plan your deployment [...]

[...] updates to Active Directory to prepare a domain or forest for Windows Server 2008 installation. See Chapter 2, "Planning for Windows Server 2008," for more information.

SIDE OUT: Replicating urgent changes

The 15-second delay for replication applies to Windows Server 2003 and Windows Server 2008. For Windows 2000, the default delay is 300 seconds. In either case, however, the delay is overridden to allow immediate replication of priority changes. Priority (urgent) replication [...]

Intersite Replication Essentials

With designated bridgehead servers, the Inter-Site Topology Generator (ISTG) limits [...]

Posted: 14/12/2013, 16:15
