Logical vs Physical Components

The components making up Active Directory can be broken down into logical and physical structures. Logical components in Active Directory allow you to organize resources so that their layout in the directory reflects the logical structure of your company. Physical components in Active Directory are similarly used, but are used to reflect the physical structure of the network. By separating the logical and physical components of a network, users are better able to find resources, and administrators can more effectively manage them.

Many directories are designed to follow the logical structure of an organization.You're probably familiar with organizational charts; maps that show the various departments in a company, and illustrate which departments are accountable to others. In such a map, a Payroll department might appear below the Finance department, even though they are physically in the same office. Just as the chart allows you to find where a department falls in the command structure of a company, the logical structure of a directory allows you to find resources based on a similar logical layout. As we saw earlier, you can organize your network into forests, trees, and domains, and then further organize users and computers into OUs named after areas of your business. A map of the directory structure can be organized to appear identical to the logical structure of the company.

Physical components are used to design a directory structure that reflects the physical layout, or topology, of the network. For example, as we saw earlier, a site is a combination of subnets, and a DC is a server that has a copy of the directory on it. DCs are physically located at specific locations in an organization, while subnets consist of computers using the same grouping of IP addresses. In both cases, you could visit a room or building and find these components. Thus, physical components can be used to mirror the physical structure of an organization in the directory. As illustrated in Figure 1.12, this makes the physical structure considerably different from the logical structure of a network.

Figure 1.12 Logical Structure vs. Physical Structure

The Logical Structure consists of Forests, Domain Trees, Domains, Organizational Units, and Objects

The Logical Structure consists of Forests, Domain Trees, Domains, Organizational Units, and Objects

Domain Forest Structure

Sites and Domain Controllers Are Part of the Physical Structure


Sites and Domain Controllers Are Part of the Physical Structure

Domain Controller Domain Controller

Domain Controller Domain Controller



Domain Controllers

DCs are used to manage domains. As mentioned, the directory on a DC can be modified, allowing network administrators to make changes to user and computer accounts, domain structure, site topology, and control access. When changes are made to these components of the directory, they are then copied to other DCs on the network.

Because a DC is a server that stores a writable copy of Active Directory, not every computer on your network can act as a DC.Windows Server 2003 Active Directory can only be installed on Microsoft Windows Server 2003, Standard Edition;Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. Servers running other the Web Edition of Windows Server 2003 cannot be DCs, although they can be member servers that provide resources and services to the network.

When a DC is installed on the network, the first domain, forest, and site are created automatically. Additional domains, forests, and sites can be created as needed, just as additional DCs can be added.This allows you to design your network in a way that reflects the structure and needs of your organization.

While only one DC is required to create a domain, multiple DCs can (and usually should) be implemented for fault tolerance and high availability. If more than one DC is used and one fails, users will be able to log on to another DC that is available. This will allow users to continue working while the DC is down. In larger companies, a number of DCs can be added to accommodate significant numbers of users who might log on and log off at the same time of day or need to access resources from these servers.

A Exam Warning

Windows Server 2003 computers can be promoted to DCs by installing Active Directory on them. To install Active Directory, the Active Directory Installation Wizard (invoked by running DCPROMO.EXE) is used. Information provided during the installation is used to add the server to an existing domain, or to create a new domain, forest, and site if the DC is the first one installed on a network.

Master Roles

Certain changes in Active Directory are only replicated to specific DCs on the network. Operations Masters are DCs that have special roles, keeping a master copy of certain data in Active Directory and copying data to other DCs for backup purposes. Because only one machine in a domain or forest can contain the master copy of this data, they are also referred to as Flexible Single Master Operations (FSMO) roles.

Five different types of master roles are used in an Active Directory forest, each providing a specific purpose.Two of these master roles are applied to a single DC in a forest (forestwide roles), while three others must be applied to a DC in each domain (domain-wide roles). In the paragraphs that follow, we will look at each of these roles, and discuss how they are significant to Active Directory's functionality.

Forestwide master roles are unique to one DC in every forest. There are two master roles of this type:

■ Schema Master

■ Domain Naming Master

The Schema Master is a DC that is in charge of all changes to the Active Directory schema.As we'll see in the next section, the schema is used to define what object classes and attributes are used within the forest.The Schema Master is used to write to the directory's schema, which is then replicated to other DCs in the forest. Updates to the schema can be performed only on the DC acting in this role.

The Domain Naming Master is a DC that is in charge of adding new domains and removing unneeded ones from the forest. It is responsible for any changes to the domain namespace. Such changes can only be performed on the Domain Naming Master, thus preventing conflicts that could occur if changes were performed on multiple machines.

In addition to forestwide master roles, there are also domainwide master roles. There are three master roles of this type:

■ Primary domain controller (PDC) Emulator

■ Infrastructure Master

Test Day Tip_

Remember that there is only one forestwide master for each role in a forest, and one domainwide master for each role in a domain. There can only be one Schema Master and Domain Naming Master per forest. In other words, if there were two forests, then there would be one Schema Master and one Domain Naming Master in each forest. In the same way, there can only be one RID Master, PDC Emulator, and Infrastructure Master per domain. Although multiple domains can exist in a forest, there can only be one RID Master, PDC Emulator, and Infrastructure Master in each domain

The RID Master is responsible for creating a unique identifying number for every object in a domain. These numbers are issued to other DCs in the domain. When an object is created, a sequence of numbers that uniquely identifies the object is applied to it.This number consists of two parts: a domain security ID (SID) and a RID. The domain SID is the same for all objects in that domain, while the RID is unique to each object. Instead of using the name of a user, computer, or group, this SID is used by Windows to identify and reference the objects.To avoid potential conflicts of DCs issuing the same number to an object, only one RID Master exists in a domain, to control the allocation of ID numbers to each DC, which the DC can then hand out to objects when they are created.

The PDC Emulator is designed to act like a Windows NT primary DC.This is needed if there are computers running pre-Windows 2000 and XP operating systems, or if Windows NT backup domain controllers (BDCs) still exist on the network.The PDC Emulator is responsible for processing password changes, and replicating these changes to BDCs on the network. It also synchronizes the time on all DCs in a domain so servers don't have time discrepancies between them. Because there can only be one Windows NT PDC in a domain, there can be only one PDC Emulator.

Even if there aren't any servers running as BDCs on the network, the PDC Emulator still has a purpose in each domain.The PDC Emulator receives preferred replication of all password changes performed by other DCs within the domain. When a password is changed on a DC, it is sent to the PDC Emulator.The PDC Emulator is responsible for this because it can take time to replicate password changes to all DCs in a domain. If a user changes his or her password on one DC and then attempts to log on to another, the second DC he or she is logging on to might still have old password information. Because this DC considers it a bad password, it forwards the authentication request to the PDC Emulator to determine whether the password is actually valid. Whenever a logon authentication fails, a DC will always forward it to the PDC Emulator before rejecting it.

The Infrastructure Master is in charge of updating changes made to group memberships. When a user moves to a different domain and his or her group membership changes, it can take time for these changes to be reflected in the group.To remedy this, the infrastructure manager is used to update such changes in its domain. The DC in the Infrastructure Master role compares its data to the GC, which is a subset of directory information for all domains in the forest. When changes occur to group membership, it then updates its group-to-user references and replicates these changes to other DCs in the domain.


The schema is a database that is used to define objects and their attributes. Information in the schema is used to control the types of objects (classes) that can be created in Active Directory, and the additional properties (attributes) associated with each. In other words, the schema determines what you can create in Active Directory, and the data that can be used to configure these objects.

The schema is made up of classes and attributes. Object classes define the type of object, and include a collection of attributes, which are used to describe the object. For example, the User class of object contains attributes made up of information about the user's home directory, first name, last name, address, and so on. While the object class determines the type of object that can be created in Active Directory, the attributes are used to provide information about it. An object's attributes are also known as its properties, and in most cases, you can configure its attributes by editing its properties sheet (usually accessed by right clicking the object and selecting Properties).

Active Directory comes with a wide variety of object classes, but additional ones can be created if needed. Because the schema is so important to Active Directory's structure, extensions (additions and modifications) to the schema can only be made on one DC in the forest. Modifications to the schema can only be made on the DC that's acting in the Schema Master role. Schema information is stored in a directory partition of Active Directory, and is replicated to all DCs in a forest.

Attributes are created using the Active Directory Schema snap-in for the Microsoft Management Console (MMC) (which we'll discuss later in this chapter).When a new class or attribute is added to the schema, it cannot be deleted. If a class or attribute is no longer needed, it can only be deactivated, so it cannot be used anymore. Should the class or attribute be needed later, you can then reactivate it.

Global Catalog

As anyone who's tried to search a large database can attest, the more data that's stored in a database, the longer it will take to search. To improve the performance of searching for objects in a domain or forest, the GC is used. The GC server is a DC that stores a copy of all objects in its host domain, and a partial copy of objects in other domains throughout the forest.The partial copy contains objects that are most commonly searched for. Because the GC contains a subset of information in Active Directory, less information needs to be replicated, and increases performance when users search for specific attributes of an object.

In addition to being used for searches, the GC is also used to resolve UPNs that are used in authentication. As discussed earlier, the UPN has a format like an e-mail address. If a user logs on to a DC in a domain that doesn't contain the account, the DC will use the GC to resolve the name and complete the logon process. For example, if a user logged on with the UPN [email protected] from a computer located in ca.syngress.com, the DC in ca.syngress.com would be unable to find the account in that domain. It would then use the GC to find and authenticate the user's account.

The GC is also used to store information on Universal Group memberships, in which users from any domain can be added and allowed access to any domain.We'll discuss groups in greater detail in Chapter 2. When a user who is a member of such a group logs on to a domain, the DC will retrieve his or her Universal Group membership from the GC. This is only done if there is more than one domain in a forest.

The GC is available on DCs that are configured to be GC servers. Creating a GC server is done by using the Active Directory Sites and Services snap-in for the MMC (which we'll discuss later in this chapter). After a GC server is configured, other DCs can query the GC on this server.

Replication Service

The Windows Server 2003 replication service is used to replicate Active Directory between DCs, so that each DC has an up-to-date copy of the directory database. Because each DC has an identical copy of the directory, they can operate independently, allowing users to be authenticated and use network resources if one of the DCs fails.This allows Windows Server 2003 DCs to be highly reliable and fault tolerant.

Multimaster replication is used to copy changes in the directory to other DCs. With multimaster replication, DCs work as peers to one another, so that any DC accepts and replicates these updates (with the exception of the special types of data for which an Operations Master is assigned). Rather than having to make changes on a primary DC, changes can be made to the directory from any DC.

Replication occurs automatically between DCs, and generally, no additional configuration is required. However, because there are times when network traffic will be higher, such as when employees log on to DCs at the beginning of the workday, replication can be configured to occur at specific times. This will enable you to control replication traffic so it doesn't occur during peak hours.

To replicate the directory effectively, Windows Server 2003 uses the Knowledge Consistency Checker (KCC) to generate a replication topology of the forest. A replication topology refers to the physical connections used by DCs to replicate the directory to other DCs within the site and to DCs in other sites. After initially creating a replication topology, the KCC will review and modify the topology at regular intervals. This allows it to see if certain connections or DCs are unavailable, and if changes need to be made as to how replicated data will be transferred to other DCs.

Replication is handled differently within a site as opposed to when the directory is replicated to other sites. Intra-site replication (in which Active Directory is replicated within a site) is handled by using a ring structure. The KCC builds a bidirectional ring, in which replication data is passed between DCs in two directions. Because the data is only being transferred within the site, the replicated data isn't compressed.

The KCC creates at least two connections to each DC, so if one connection fails, the other can be used. For example, in Figure 1.13, connections that are functional are shown with a straight line, while broken connections are shown with dotted lines. Because one of the four servers in Figure 1.13 has failed, replication data cannot be passed through it, so another connection between the servers is used. Using multiple connections provides fault tolerance.

Figure 1.13 Replication Topology

Domain Controller

Figure 1.13 Replication Topology

Domain Controller

Multimaster Replication Topology

Intra-site replication is automated to occur at regular intervals, and only occurs when DCs are notified of a change. By default, when a change is made on a DC, it will wait 15 seconds and then send notification to its closest replication partner. If it has more than one replication partner, it will send out notifications in three-second intervals to each additional partner.When a partner receives this notification, it will send out a request for updated directory information to the original DC, which then responds by sending the updated data.The exception to this process is when an account is locked out, the DC account is changed, or there are changes in account lockout policy or domain password policy. In these circumstances, there is no 15-second waiting period, and replication occurs immediately.

Replication between sites is called inter-site replication. Because the bandwidth between sites might be slower than that within a site, inter-site replication occurs less frequently and is handled differently. Rather than informing other DCs shortly after a change occurs, replication occurs at scheduled times. Information about site link objects is used to determine the best link to use for passing this data between sites.

Site links are used to define how sites replicate Active Directory information between one another. These objects store data controlling which sites are to replicate traffic between one another, and which should be used over others. For example, you might have an ISDN connection between your offices and one located overseas. If the overseas link were slower and more costly to use than others, you could configure the link so it is only used as a last resort.Through the site link object, the fastest and least expensive connection between sites is used for replication.

A DC acts in the role of an inter-site topology generator in each site, and serves the purpose of building this topology. It considers the cost of different connections, whether DCs are available, and whether DCs have been added to sites. By gathering this information, the KCC can then update the topology as needed, and provide the method of passing data between the sites.

How often replication occurs is configurable, so that it occurs as frequently or infrequently as your needs dictate. By default, inter-site replication occurs every 180 minutes (three hours), and will use the site link to meet this schedule 24 hours a day, 7 days a week. The frequency of replications can be modified as needed to occur at certain times and days of the week.

Just as organizations have the tendency to grow and change, so do the networks they use. In a Windows Server 2003 network, the number of domains, sites, OUs, users, computers, and other objects populating Active Directory can grow exponentially with a business. Every new employee needs a new account, and every new computer added to the network means another object added to the directory. Even when growth is limited, there can be a considerable amount of maintenance to these objects, such as when users change jobs, addresses, or other issues that involve changes to information and access. To aid administrators with these tasks, Active Directory provides a number of tools that make management easier.

Two types of administrative tools can be used to manage Active Directory.Windows Server 2003 provides a variety of new command-line tools that individually administer different aspects of the directory and its objects. By clicking on the Windows Start menu and clicking Programs | Accessories | Command Prompt (or simply clicking Start | Run and typing cmd), a prompt will appear allowing you to enter these commands and control objects and elements of Active Directory.The other method of managing Active Directory is with tools using a graphical user interface (GUI).These tools allow you to point and click through objects, and modify them using a graphical display. Most of the graphical tools are available through the Start | Programs | Administrative Tools menu.

EXAM 70-294

EXAM 70-294

Was this article helpful?

+1 -1
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


  • robert
    What are the differences between active directory’s physical structure and its logical structure.?
    7 years ago
  • Riitta
    What are the uses physical components in active directory?
    7 years ago
  • mari
    What are the physical and logical active directory windows 2003?
    7 years ago
  • Sabrina
    What are the physical & logical components of ads?
    7 years ago
  • harri rinne
    What id the difference between physical and logical structure in active directory?
    7 years ago
  • danait
    What are the logical components that make up AD?
    5 years ago
  • Makda
    What are the physical and logical component of active direvtory?
    4 years ago
  • Poppy
    What is physical structure in active directory in Windows?
    4 years ago
  • macaria
    What is active directory and physical copmponent ,logical component?
    4 years ago
  • benjamin
    What are the logical components of Active Directory?
    4 years ago
  • fethawi
    What are the physical and logical components of active directory?
    4 years ago
    What is a logical partition and physical partition in active directory?
    4 years ago
  • sabrina
    What are the logical components of a network?
    4 years ago
  • evelyn
    Which of are phiysical components of ad?
    4 years ago
  • thorsten frankfurter
    Are domains and sites logical or physical?
    3 years ago
  • semret
    Which are pbysical componets of active directoty?
    3 years ago
  • Ottavio
    What is phisical and logical components of ads?
    3 years ago
  • annabel boyle
    What is logical and physical structure of the AD enviroment?
    3 years ago
  • Kaylin
    Which are locical and phisical component of data store?
    3 years ago
  • leah
    What is active directory domain service physical components?
    3 years ago
  • mildred
    What is physical adds server?
    3 years ago
  • markus
    What do you understand by physical and logical components of active directory?
    3 years ago
  • dudo
    What is physical components in ADDS?
    3 years ago
  • stefania milani
    Which is not part of physical structure of ad?
    3 years ago
  • medhanit
    How can active directory help u manage your corporate network ,logically and physically?
    3 years ago
  • ronnie robertson
    Why separate an active directory into logical and physical structure?
    2 years ago
  • Virginia
    What are the main components of active directory that mostly used in companies?
    2 years ago
  • finlay
    How to logical segregatoin of AD?
    2 years ago
  • anya
    Which is not a part of physcial structure in active AD?
    2 years ago
    What is the difference between phisical and logical active director?
    2 years ago
  • Sophia
    What is a logical move in Active Directory?
    2 years ago
  • susanne
    How components are physically and logically connected?
    1 year ago
  • Elisha
    What is different between logical and phyisical of active directory in windows server?
    1 year ago
  • Leonie
    What is the physical and dogical stru cture rat an a d?
    1 year ago
  • Ralf Trommler
    How does physical domain differ from logical domain?
    1 year ago
  • karita rauhala
    What is the difference between physical and logical components?
    1 year ago
  • dorothy
    Which of the following are logical components of an Active Directory structure?
    1 year ago
  • Kiros
    What is logical infrastructure?
    1 year ago
    Why active directory is logically partitioned?
    1 year ago
  • venla
    What are physical and logical units in active directory?
    1 year ago
  • Kaitlin
    What are the3 physical componets of active directory?
    12 months ago
  • william
    Is active directory a physical technology or application component in architecture?
    9 months ago
  • Ottone
    What is the difference in logial and physical structures of active directory?
    7 months ago
  • jimmie
    Which active directory schema components are not purely logical?
    6 months ago
  • Conall
    What physical and logical component of ADDS?
    6 months ago
    Which network components is purely logical?
    6 months ago
    What are the logical or physcial structures of the AD environment?
    5 months ago
  • daniel
    Do physical schema contain a description of the attributes?
    3 months ago
  • rasmus
    What are the logical components that make up active directory?
    2 months ago

Post a comment