The physical structure of Active Directory refers to the use of sites and location of domain controllers, which are used to manage network traffic and conserve bandwidth. The way you structure Active Directory physically determines where and when logon authentication traffic and directory replication traffic will occur. This can have a profound effect on the performance of the network. As you know, the physical structure is completely separate from the logical structure of the directory, which consists of domains, trees, and forests organized on your network.
By the end of this module, you will be able to:
- Define sites and site links
- List reasons for creating Active Directory sites
- Recognize the effect of replication traffic on a slow link
- Define the relationship between sites and subnets
- Define the replication components and the purpose of each
- List two ways to create connection objects
- Define the difference between intrasite and intersite replication
- List the characteristics of site link costs
- Monitor replication traffic
In the next lesson, we will start by discussing replication and the physical structure of Active Directory.
The Active Directory site topology is the map that describes the network connectivity, Active Directory replication guidelines, and locations for resources as they relate to the Active Directory forest.
The major components of this topology are
- site links,
- site link bridges, and
- connection objects.
These are all Active Directory objects that are maintained in the forest's Configuration container; this allows the information to be locally available on all domain controllers so the DCs can communicate properly.
Active Directory sites allow you to separate your physical network topology from your logical Active Directory design. This
lets you configure domains and forests according to your administrative and security requirements, without being restricted by geography or bandwidth limitations. You can deploy a single domain in a single site, multiple domains in a single site, or a single domain that spans multiple physical locations.
Once you have created your logical Active Directory structure, you will then configure sites to control how replication takes place on your network. Active Directory uses sites and site links
to figure out the most efficient path to replicate data to all of the domain controllers and Global Catalog servers that need to receive updates, so it is critical to the performance of your network that you design your site topology correctly.
You will also use sites to control how your clients log on to your network: AD will use site information to pick the closest domain controller to any
client that’s logging on to the domain. This will allow your clients to authenticate against a domain controller in the same subnet, rather than going across a slow or expensive WAN link in order to log onto Active Directory. There are also other Active Directory aware applications that will use site information to direct clients to servers that are located physically close to the client requesting the resource.
You will configure sites and subnets using the Active Directory Sites & Services MMC snap-in. When a client logs on to your domain, Active Directory will automatically figure out which site it needs to belong to based on its IP address and subnet mask. Site information for your domain controllers gets determined by the machine’s location within Active Directory. When you first install Active Directory, your new domain controller gets placed into a new site called (imaginatively enough) Default-First-Site. (You can rename this just by right-clicking the site and selecting Rename.) Until you create additional sites, every domain controller you install will be placed into this
default site, regardless of its location.
Within each site, you will configure one or more subnets to correspond with the physical addressing scheme of your network. It’s important to configure subnet objects correctly so that your clients will contact the appropriate domain controllers, since clients will first attempt to contact a DC within the same subnet for authentication.