Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Contoso has chosen to deploy Active Directory based on the Regional Domain Model. There is one regional domain each for the two major geographic locations (North America and Europe), connected by a Wide Area Network (WAN). The regional domain model enables Contoso to maintain a stable environment over time. This model consists of a forest root domain and two regional domains, as shown in Figure 9.
The Contoso site topology consists of six logical Active Directory sites, one for each of the six physical locations, as shown in Figure 10.
Contoso has deployed a total of 17 domain controllers — two domain controllers per site and three additional controllers for the forest root domain.
Table 10 shows the distribution of domain controllers per domain across sites.
Site | Concorp.contoso.com | NOAM.concorp.contoso.com | Europe.concorp.contoso.com |
---|---|---|---|
Chicago | 3 | 2 | 2 |
Atlanta | | 2 | |
New York | | 2 | |
London | | | 2 |
Paris | | | 2 |
Rome | | | 2 |
Domain controllers for each domain are placed in the sites as shown in Table 11. The letter "G" indicates that the domain controller is a global catalog server.
Domain Controller | Chicago | Atlanta | New York | London | Paris | Rome |
---|---|---|---|---|---|---|
CONTOSO-DC1 | G | | | | | |
CONTOSO-DC2 | X | | | | | |
CONTOSO-DC3 | X | | | | | |
NOAM-DC1 | X | | | | | |
NOAM-DC2 | G | | | | | |
NOAM-DC3 | | G | | | | |
NOAM-DC4 | | X | | | | |
NOAM-DC5 | | | G | | | |
NOAM-DC6 | | | X | | | |
EUROPE-DC1 | X | | | | | |
EUROPE-DC2 | X | | | | | |
EUROPE-DC3 | | | | G | | |
EUROPE-DC4 | | | | X | | |
EUROPE-DC5 | | | | | G | |
EUROPE-DC6 | | | | | X | |
EUROPE-DC7 | | | | | | G |
EUROPE-DC8 | | | | | | X |
All domain controllers are placed in highly secure physical locations to which only authorized personnel are granted access. All domain controllers in remote locations are equipped with a remote administration solution, such as Remote Insight Lights-Out (RILO), so that administrators can control both hardware and software on domain controllers remotely to manage systems where no IT staff is stationed.
To provide fault tolerance, the DNS Server service runs on every domain controller in the Contoso forest. Zones are distributed as follows:
- Domain controllers in the forest root domain host the forest root DNS name.
- Domain controllers for each regional domain host the DNS zone that corresponds to the DNS name of the domain.
- The zone containing the forest-wide domain controller locator records replicates to every DNS server in the forest by using the forest-wide DNS application directory partition, ForestDnsZones.
All sites in the Contoso environment have at least 100 users. To facilitate user logon requests and forest-wide searches, Contoso follows the general Windows Server 2003 deployment recommendation for placing a global catalog server in any site where there are at least 100 users. Two global catalog servers are placed in Chicago to accommodate the large number of users in that site.
For more information about global catalog server placement, see "Designing the Site Topology" in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see "Designing the Site Topology" on the Web at https://go.microsoft.com/fwlink/?LinkId=4724).
Contoso places the operations master roles according to the best practices that are recommended in the Active Directory Operations Guide Version 1.5, on the Web at https://go.microsoft.com/fwlink/?LinkId=19827.
The two forest-wide roles are domain naming master and schema master. By default, all operations master roles (including the domain-wide roles) are placed on the first domain controller that is installed in the forest root domain.
Contoso assigns the two forest-wide operations master roles to the original forest root domain controller, CONTOSO-DC1. Both roles are compatible with a global catalog server.
Note
In Windows 2000, the domain naming master must be placed on a global catalog server.
The first domain controller that is installed in a domain has the three domain-wide roles by default. Because the concorp.contoso.com domain is the forest root domain, the first domain controller that is installed to create the forest root domain contains the three domain roles and is also a global catalog server. Because the infrastructure master must not be located on a global catalog server, Contoso moves that role, as well as the other two domain-wide roles, to CONTOSO-DC2, which is not a global catalog server.
The first domain controllers that are installed in noam.concorp.contoso.com and in europe.concorp.contoso.com are not global catalog servers. Therefore, the domain-level roles are left on these domain controllers, as shown in Table 12.
Domain | PDC Master | Infrastructure Master | RID Master |
---|---|---|---|
concorp.contoso.com | CONTOSO-DC2 | CONTOSO-DC2 | CONTOSO-DC2 |
noam.concorp.contoso.com | NOAM-DC1 | NOAM-DC1 | NOAM-DC1 |
europe.concorp.contoso.com | EUROPE-DC1 | EUROPE-DC1 | EUROPE-DC1 |
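The role-placement rules described above can be checked mechanically against an inventory. The following is an added example, not part of the original guide: the function and variable names are hypothetical, the inventory is transcribed from Tables 11 and 12 and the surrounding text, and the "every DC is a global catalog" exception goes beyond what this page states.

```python
# Added example. Inventory transcribed from this page: "G" markers in
# Table 11, forest-wide roles from the text, domain-wide roles from Table 12.
GC = {"CONTOSO-DC1", "NOAM-DC2", "NOAM-DC3", "NOAM-DC5",
      "EUROPE-DC3", "EUROPE-DC5", "EUROPE-DC7"}
DOMAIN_DCS = {
    "concorp.contoso.com": [f"CONTOSO-DC{i}" for i in range(1, 4)],
    "noam.concorp.contoso.com": [f"NOAM-DC{i}" for i in range(1, 7)],
    "europe.concorp.contoso.com": [f"EUROPE-DC{i}" for i in range(1, 9)],
}
FOREST_ROLES = {"schema": "CONTOSO-DC1", "domain_naming": "CONTOSO-DC1"}
DOMAIN_ROLES = {  # final placement: one DC per domain holds all three roles
    d: {"pdc": h, "infrastructure": h, "rid": h}
    for d, h in [("concorp.contoso.com", "CONTOSO-DC2"),
                 ("noam.concorp.contoso.com", "NOAM-DC1"),
                 ("europe.concorp.contoso.com", "EUROPE-DC1")]
}

def default_roles(domain):
    """Default state: the first DC installed in a domain holds all its roles."""
    first = DOMAIN_DCS[domain][0]
    return {"pdc": first, "infrastructure": first, "rid": first}

def check_placement(domain_roles, forest_roles, windows_2000_forest=False):
    """Return a list of findings; an empty list means the placement passes."""
    findings = []
    # Note on this page: Windows 2000 needs the domain naming master on a GC.
    if windows_2000_forest and forest_roles["domain_naming"] not in GC:
        findings.append("domain naming master is not a global catalog server")
    for domain, roles in domain_roles.items():
        members = DOMAIN_DCS[domain]
        for role, holder in roles.items():
            if holder not in members:
                findings.append(f"{domain}: {role} holder {holder} "
                                "is not a DC of this domain")
        # Page rule: the infrastructure master must not be on a GC.
        # Exception not stated on this page: placement does not matter
        # when every DC in the domain is a GC.
        infra = roles["infrastructure"]
        if infra in GC and not all(dc in GC for dc in members):
            findings.append(f"{domain}: infrastructure master {infra} "
                            "is a global catalog server")
    return findings

if __name__ == "__main__":
    root = "concorp.contoso.com"
    before = {**DOMAIN_ROLES, root: default_roles(root)}  # before the move
    print("default placement:", check_placement(before, FOREST_ROLES))
    print("final placement:  ", check_placement(DOMAIN_ROLES, FOREST_ROLES))
```

The default placement reports one finding for the forest root domain, which is the condition Contoso removes by moving the domain-wide roles to CONTOSO-DC2.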
The Contoso environment does not use domain controllers that are running Windows NT 4.0 or Windows 2000, and therefore can run all domain controllers in native mode. The following functional levels are in effect:
- Domain functional level: Windows Server 2003 in all domains
- Forest functional level: Windows Server 2003
At these functional levels, all new features in Windows Server 2003 are available throughout the forest. For more information about domain and forest functional levels, see "Enabling Advanced Windows Server 2003 Active Directory Features" in Designing and Deploying Directory and Security Services of the Microsoft® Windows® Server 2003 Deployment Kit (or see "Enabling Advanced Windows Server 2003 Active Directory Features" on the Web at https://go.microsoft.com/fwlink/?LinkID=6937).