Active Directory Over View Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This report will give a full understanding of how Windows Server 2008r2 creates and manages a Multi Domain Environment. I have focused the reports findings on the following areas. detailing what a Multi Domain Environment is and the logical and physical topologies used to build a Multi Domain Environment. This area covers Active Directory, DNS, domains, groups, trees, forests, sites, trusts, global catalogues, DFS Multi-Master replication, branch cache, schema and synchronisation. Documented in the report are the configuration management tools and strategies used by the Server. The report also examines the new features and enhancements with Windows 2008r2 server.

Finally a conclusion in the report will document my findings from the research carried out with the sources and references used to create this report.


Windows 2008r2 Active directory Domain Service (ADDS) is a distributed database that handles network administration and security. This Server Role provides the network administrator an interactive, hierarchical and secure infrastructure in which to administer resources. Once the Server Role ADDS is installed on the system the server is then promoted to Domain Controller.

The Domain Controller deals with security authentication for all users and devices. Active directory holds all information such as users, groups, computers, printers and files. This information is stored in Objects which are made available within the domain forest (logical security boundary). Objects within a domain are structured in Hierarchal Organisational Units (OUs), allowing network administrators to delegate the relevant security and share permissions for that particular OU or object. This is an efficient method in dealing with many objects in an instance. The advantages with Windows Server 2008r2 running Active Directory Domain Services are:

Domain Naming System (DNS). This maps names to IP addresses aiding human interaction

User identity with password protected logon using AD and LDAP (Light weight directory protocol)

Advanced Encryption with AES 128 and 256

Kerberos V5 Authentication Protocol

NTFS (new technology file system) security and access rights to resources.

Backup services and servers minimising data redundancy.

Integrating DNS zones with multi-master data replication reduces the use of network bandwidth and minimises data redundancy through secure dynamic updates

Access Control Lists

Trusts created to share and delegate information with other domains.


The Windows Domain Naming System is a naming system used to map names to IP (Internet Protocol) addresses. DNS is part of the protocol suite TCP/IP (Transmission Control Protocol) which transports data over LANs and WANs. This protocol suite formats, addresses, transmits and routes data to be sent to the receiver. Windows 2008r2 by default will install DNS when AD DS is installed. AD DS on server 2008r2 however does not install DHCP (dynamic host client protocol) automatically. DNS has a hierarchical structured database system that copies the active directory forest and domains.


Multiple Domains are configured when there is need for more than one Domain on the network. These domains work in a hierarchical structure and are organised in trees and forests. Forests are the logical security boundary of the network infrastructure with trees containing a hierarchical structure of the domains. The first domain on the network is the root domain which then becomes the parent domain for the next domain added. This sub domain of the parent is called the child domain. (SEE FIGURE). With Server 2008 r2 more domains can be added to the forest to replicate data over the network. To enable windows server 2008 to share data with other domains trust are created.







Trusts are authenticated communication links between domains. Trusts allow users from one domain to access information from another domain. Once two domains have been connected the default trust applied to this gateway is a transitive two-way trust. This default trust creates a child domain to its structure. Authentication from the child domains carries upwards to the trusted domain for any changes in the global catalogue. Also when adding a new domain to the domain tree a new trust tree is provided. Other types of trust are:

External non-transitive one and two way trusts. Used to access resources from Windows NT and 4.0 domains.

Realm transitive or non-transitive one and two way trusts. Used to share information between third party severs and window servers.

Forest transitive one and two way trusts. Used to communicate between two forests.

Shortcut transitive one and two way trusts. Used shortcut trust to improve logon times between domains.

Global Catalogue Server

Windows Server 2008r2 servers are set by default to become Global Catalogue Servers (GC) once they have been promoted to Domain Controller. The GC holds information relating to the AD database for that domain. This information is stored in the NTDS.dit file and provides a searchable index for objects within the domain using port 3268. The domain controller does not have information relating to recourses outside that domain. Windows DC uses a GC to contain all the information about objects in the forest. To manage this data the GC only holds enough information about an objects attributes to point to the object in the forest. This allows users from one domain to logon from another domain and access resources from within the forest, provided the necessary permissions are applied. GC servers communicate with other GC servers to:

Locates User logon Information known as a UPN (unique principle name).

Locates Directory Information in the forest.

Provides Forest wide searches.

Provides forest wide services.

Directory database changes when made are updated to the GC servers in the forest. All Domain controllers with writeable attributes save data changes to their GC directory. In order for this replication to take place windows server uses DFS replication (distributed file system).


The DFS service (Dfssvc.exe) is core component of the DFS physical and logical structure. DFS Namespace allows an administrator to group shared folders stored on many servers into a hierarchal structured namespace. This displays to the user the shared root folder with subfolders that relate to that namespace. This DFS namespace structure stores file shares from multiple servers and sites. By using DFS namespace we can expand the availability of resources over the network and connect users automatically to these resources within the AD DS sites.

DFS Replication is a multi-master replication tool which allows an administrator to efficiently replicate shared folders over the network and to multiple servers and sites within the forest. This procedure is an effective way in dealing with limited bandwidth. Remote Differential Compression (RDC) which is a compression algorithm used by Windows Server 2008 which enables the DRC to make any changes to a file that has be edited. This is then replicated to all the GC servers on the network. For bandwidth and server efficiency changes only take place with the actual data thats edited. DFS benefits to a network:

Fault tolerant with the replication of data to multiple locations on a network.

Easy access to shared resources through logical structure.

Load balancing.


Once a change has been made in a DFS folder it is replicated throughout the network to other DFS domain or member servers. Once the initial replication occurs between two servers the master copy is no longer a master copy, it is then multi-master copy distributed to all DFS servers.

DFS Connection Process

Client connects to a domain/ member server storing DFS using UNC.

The Server then responds to the request and gives the location or of the resource to the user.

Client caches the location of the resource and can now access the resource directly without asking the DFS server.

A client will periodically ask the DFS server of any changes to the location. The time to live before a referral is requested is set by default to 300 seconds (5 minutes) with 1800 seconds (30 minutes) for link referrals, the time to live can be altered in


Data Protection Manager (DPM) is the tool used to synchronise changes from a file server to a DPM server. This procedure transfers updates

To transport information between DFS clients, DCs and root servers server 2008r2 uses a Common Internet File System (CIFS). CIFS is an edition to the Server Message Block (SMB). This is a file sharing protocol that



Schema master


Improving security, performance and efficacy from previous server versions.