Physical Structure  «Prev 

Types of Active Directory Domain Controllers

1) Domain, 2) Global Catalog Server, 3) Operations Master

Domain Controller Roles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
A domain controller is a server that is running a version of the Windows Server operating system and has Active Directory Domain Services installed.

Global Catalog Servers

Every domain controller stores the objects for the domain in which it is installed. However, a domain controller designated as a global catalog server stores the objects from all domains in the forest. For each object that is not in the domain for which the global catalog server is authoritative as a domain controller, a limited set of attributes is stored in a partial replica of the domain. Therefore, a global catalog server stores its own full, writable domain replica (all objects and all attributes) plus a partial, read-only replica of every other domain in the forest. The global catalog is built and updated automatically by the AD DS replication system. The object attributes that are replicated to global catalog servers are the attributes that are most likely to be used to search for the object in AD DS. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog.
The global catalog makes it possible for clients to search AD DS without having to be referred from server to server until a domain controller that has the domain directory partition storing the requested object is found. By default, AD DS searches are directed to global catalog servers.
The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you can designate other domain controllers to be global catalog servers if they are needed.

Windows Group Policy

Prepare Forest for Windows Server 2008 Active Directory Domain Services

The forest itself must be prepared for Windows Server 2008 Active Directory Domain Services. Thereafter, each domain that will contain domain controllers running Windows Server 2008 also needs to be prepared. Lastly, if you plan to deploy (RODCs) read-only domain controllers into the forest, additional preparation is required.
Problem: If your environment consists of an existing Windows 2000 Server or Windows Server 2003 Active Directory Domain Services forest, you must prepare the existing forest for Windows Server 2008 before you can add a domain controller that has Windows Server 2008 installed. Preparing an existing forest consists of updating the AD DS schema.
Solution: The schema update consists of extending the existing AD DS schema to include the attributes and classes that are new in Windows Server 2008. The Windows Server 2008 installation media includes the ADPrep command-line tool, which is used to prepare an existing forest for Windows Server 2008 AD DS. The schema update must be completed on the domain controller that holds the schema master operations master role. To find the domain controller that holds the schema master operations master role, type the following command into a command prompt window:

There are three roles domain controllers can fill: 1) Domain Controller, 2) Global Catalog Server, and 3) Operations Master. A specific domain controller can fill one or more roles simultaneously.

The domain controller can be described as a Windows OS based server holding a copy of the Active Directory partition for the domain.

Global Catalog Server: This is a Windows domain controller that holds a copy of the global catalog for the forest. Usually the first Domain Controller is also the Global Catalog Server. There can be more than one Global Catalog Server.

Operations master: This is a Windows domain controller that currently owns one or more of five master roles for a given operation. We will discuss these roles in future lessons.

Azure Active Directory

Highlighting the planning points for an AD service

The most important task that you need to focus on before any other task is the network topology of your services. For our Active Directory services to provide a resilient service, we need to be effective in creating a simple and scalable architecture that will fit our environment's needs and requirements.
Active Directory Domain Controller can provide us with a centralized management point for our network devices and thus gives us full control over a large number of objects (for example, users and machines). This is the key to achieving a lower cost in administrative tasks, resource control, and security (authentication and authorization) management in a specific network. To organize users and resources in a way that is simple to manage and is scalable (for example, facilitates delegation) is the key. On top of that, there is no reason to have a Domain Controller in our network if the applications are not able to integrate themselves with it. Thus, we cannot use all the features and facilities that an AD/DC can provide. Designing the proper architecture for a specific site is a complex and extensive task and is outside the scope of this book. However, we will discuss some general points and show you an example configuration and topology, so that you can use it as a base for future installations. As in any installation, the administrator needs to think about users, machines, organizational units, domains, forests, and services.
We will present a simple but effective architecture to the user for our domain, with a structure that will help you understand important concepts and serve as a starting point for the readers to work upon and evolve to more complex environments. General advice is to focus on your specific topology and requirements, extract the essential concepts, and work similar structures in your design that fit your organization environment. Do not copy an existing design from the Internet thinking that it will fit your network out of the box just because it handles all departments or definitions possible in the software. If you do not need that level of complexity, do not use it. I could see many sites that were designed based on general rules that were not intended to be used in that particular case but provide a simple and scalable environment instead. They also create a network environment that is too complex and really inefficient from the most basic administrative perspective. This is the exact opposite of what a well-planned Active Directory Domain controller should be.
One analogy for such an inefficient architecture can be, for example, a file system directory structure. Sometimes, we are compelled to create a really complex directory hierarchy with many subdirectories and a nested, and deep tree that, in the end, just keeps us away from the right file instead of helping us access it in a fast and simple way.