Active Directory Infrastructure
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Contoso has chosen to deploy Active Directory based on the Regional Domain Model. There is one regional domain each for the two major geographic locations (North America and Europe), connected by a Wide Area Network (WAN). The regional domain model enables Contoso to maintain a stable environment over time. This model consists of a forest root domain and two regional domains, as shown in Figure 9.
.gif "1a1e56fe-d710-4ce2-9e92-072adbd17c4c")
Site Topology
The Contoso site topology consists of six logical Active Directory sites, one for each of the six physical locations, as shown in Figure 10.
.gif "09047974-0b87-4e50-8fa5-a96eb959dcf6")
Domain Controller Placement
Contoso has deployed a total of 17 domain controllers — two domain controllers per site and three additional controllers for the forest root domain.
Table 10 shows the distribution of domain controllers per domain across sites.
Table 10 Domain Controllers Per Domain in Each Site
| Site | Concorp.contoso.com | NOAM.concorp.contoso.com | Europe.concorp.contoso.com |
|---|---|---|---|
Chicago |
3 |
2 |
2 |
Atlanta |
2 |
||
New York |
2 |
||
London |
2 |
||
Paris |
2 |
||
Rome |
2 |
Domain Controller Placement
Domain controllers for each domain are placed in the sites as shown in Table 11. The letter "G" indicates that the domain controller is a global catalog server.
Table 11 Domain Controllers in Contoso sites
| Domain Controller | Chicago | Atlanta | New York | London | Paris | Rome |
|---|---|---|---|---|---|---|
CONTOSO-DC1 |
G |
|||||
CONTOSO-DC2 |
X |
|||||
CONTOSO-DC3 |
X |
|||||
NOAM-DC1 |
X |
|||||
NOAM-DC2 |
G |
|||||
NOAM-DC3 |
G |
|||||
NOAM-DC4 |
X |
|||||
NOAM-DC5 |
G |
|||||
NOAM-DC6 |
X |
|||||
EUROPE-DC1 |
X |
|||||
EUROPE-DC2 |
X |
|||||
EUROPE-DC3 |
G |
|||||
EUROPE-DC4 |
X |
|||||
EUROPE-DC5 |
G |
|||||
EUROPE-DC6 |
X |
|||||
EUROPE-DC7 |
G |
|||||
EUROPE-DC8 |
X |
All domain controllers are placed in highly secure physical locations to which only authorized personnel are granted access. All domain controllers in remote locations are equipped with a remote administration solution, such as Remote Insight Lights-Out (RILO), so that administrators can control both hardware and software on domain controllers remotely to manage systems where no IT staff is stationed.
DNS Server Placement
To provide fault tolerance, the DNS Server service runs on every domain controller in the Contoso forest. Zones are distributed as follows:
Domain controllers in the forest root domain host the forest root DNS name.
Domain controllers for each regional domain host the DNS zone that corresponds to the DNS name of the domain.
The zone containing the forest-wide domain controller locator records replicates to every DNS server in the forest by using the forest-wide DNS application directory partition, ForestDnsZones.
Global Catalog Server Placement
All sites in the Contoso environment have at least 100 users. To facilitate user logon requests and forest-wide searches, Contoso follows the general Windows Server 2003 deployment recommendation for placing a global catalog server in any site where there are at least 100 users. Two global catalog servers are placed in Chicago to accommodate the large number of users in that site.
For more information about global catalog server placement, see "Designing the Site Topology" in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see "Designing the Site Topology" on the Web at https://go.microsoft.com/fwlink/?LinkId=4724).
Operations Master Roles Placement
Contoso places the operations master roles according to the best practices that are recommended in the Active Directory Operations Guide Version 1.5, on the Web at https://go.microsoft.com/fwlink/?LinkId=19827.
Forest-wide Role Placement
The two forest-wide roles are domain naming master and schema master. By default, all operations master roles (including the domain-wide roles) are placed on the first domain controller that is installed in the forest root domain.
Contoso assigns the two forest-wide operations master roles to the original forest root domain controller, CONTOSO-DC1. Both roles are compatible with a global catalog server.
Note
In Windows 2000, the domain naming master must be placed on a global catalog server.
Domain-wide Role Placement
The first domain controller that is installed in a domain has the three domain-wide roles by default. Because the concorp.contoso.com domain is the forest root domain, the first domain controller that is installed to create the forest root domain contains the three domain roles and is also a global catalog server. Because the infrastructure master must not be located on a global catalog server, Contoso moves that role, as well as the other two domain-wide roles, to CONTOSO-DC2, which is not a global catalog server.
The first domain controllers that are installed in noam.concorp.contoso.com and in europe.concorp.contoso.com are not global catalog servers. Therefore, the domain-level roles are left on these domain controllers, as shown in Table 12.
Table 12 Domain-Wide Operations Master Role Placement
| Domain | PDC Master | Infrastructure Master | RID Master |
|---|---|---|---|
concorp.contoso.com |
CONTOSO-DC2 |
CONTOSO-DC2 |
CONTOSO-DC2 |
noam.concorp.contoso.com |
NOAM-DC1 |
NOAM-DC1 |
NOAM-DC1 |
europe.concorp.contoso.com |
EUROPE-DC1 |
EUROPE-DC1 |
EUROPE-DC1 |
Domain Modes and Functional Levels
The Contoso environment does not use domain controllers that are running Windows NT 4.0 or Windows 2000, and therefore can run all domain controllers in native mode. The following functional levels are in effect:
Domain functional level — Windows Server 2003 in all domains
Forest Functional Level — Windows Server 2003
At these functional levels, all new features in Windows Server 2003 are available throughout the forest. For more information about domain and forest functional levels, see "Enabling Advanced Windows Server 2003 Active Directory Features" in Designing and Deploying Directory and Security Services of the Microsoft® Windows® Server 2003 Deployment Kit (or see "Enabling Advanced Windows Server 2003 Active Directory Features" on the Web at https://go.microsoft.com/fwlink/?LinkID=6937).