Windows NT Domain Controllers and Member Servers

Posted by arlene

One of the annoyances with Windows NT 4.0 was that a server could be made a PDC or BDC only when you first installed the operating system. That is no longer the case with Windows 2000. In fact, there are no primary or backup domain controllers. There are only domain controllers, each of which holds a full copy of the domain’s Active Directory database. Updates, such as adding new users or changing passwords, can be done using any domain controller in the domain. For Windows NT 4.0, you had to make these changes on a PDC and either wait for the data to be replicated to BDCs or force a push of the data to synchronize the domain controllers. In Windows 2000, updates can be made at any domain controller and are propagated using multimaster replication to all other domain controllers in the domain.

Also, remember that in the Active Directory, domain names are expressed as DNS-style names. That is, instead of naming a domain acme, for example, you should use a name such as acme.com, which is a DNS-style name. When you create a tree of domains in the Active Directory, you must use a hierarchical DNS naming scheme so that you maintain a contiguous namespace.

Even though your domains now use a DNS-style name, you’re still asked to provide a NetBIOS-style name when you upgrade a server to an Active Directory domain controller. This NetBIOS-style name will be used for down-level clients, for example, any NT 4.0 Workstation systems that are left on the network.

Note

Although you could use a DNS server in a Windows NT 4.0 network, it was not a requirement. Microsoft developed the Windows Internet Naming Service (WINS) that could be used in a similar fashion, although it mapped NetBIOS names to IP addresses, whereas DNS performs mappings of DNS-style names to IP addresses. In Windows 2000/Server 2003 networks, a DNS server (which must be capable of accepting dynamic updates) is required because clients use it to locate domain controllers, as well as register their own information when they boot. For more information about DNS and WINS, see, “Network Name Resolution.” You still can use WINS in a Windows 2000/Server 2003 network, but it isn’t needed unless you have pre-Windows 2000 clients that depend on NetBIOS name resolution to function on the network. Additionally, some applications, such as Systems Management Server (SMS), might require WINS. Check your documentation for all applications before deciding on a no-WINS solution.

Each domain in the tree is a subdomain of the topmost domain. The domain tree provides a two-way transitive trust relationship between all domains that exist in a single Windows 2000 tree. In Windows NT, trust relationships had to be established between domains, with one trust relationship created for each direction that you wanted to trust. In other words, you could trust one domain, or it could trust your domain, or two trust relationships could make the trust relationship mutual.
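The difference between the two trust models, as an added example that is not part of the original post: NT 4.0 trusts are looked up as explicit one-way entries, while inside a Windows 2000 tree the trust path follows parent/child links through the DNS namespace. The domain names, the trust list and the function names are constructed for illustration.

```python
# Added example, not from the original post. Domain names and trust entries
# below are constructed sample data.
TREE = {"acme.com", "sales.acme.com", "eng.acme.com", "lab.eng.acme.com"}
# NT 4.0 style: each entry is ONE one-way trust (trusting domain, trusted domain).
NT4_TRUSTS = {("SALES", "ACME"), ("ACME", "ENG")}


def nt4_trusts(trusts, trusting, trusted):
    """NT 4.0: one-way and non-transitive, so only an explicit entry counts."""
    return (trusting, trusted) in trusts


def parent(domain, domains):
    """Parent in a contiguous DNS namespace: the name minus its leftmost label."""
    suffix = domain.partition(".")[2]
    return suffix if suffix in domains else None


def path_to_root(domain, domains):
    """Chain of domains from `domain` up to the top of its tree."""
    chain = [domain]
    while (up := parent(chain[-1], domains)) is not None:
        chain.append(up)
    return chain


def trust_path(domains, a, b):
    """Windows 2000 tree: parent/child links are two-way and transitive.
    Return the chain of domains linking a to b, or None when the two
    domains are not in the same tree (no parent/child path exists)."""
    up_a, up_b = path_to_root(a, domains), path_to_root(b, domains)
    if up_a[-1] != up_b[-1]:
        return None
    common = next(d for d in up_a if d in up_b)
    return up_a[:up_a.index(common) + 1] + up_b[:up_b.index(common)][::-1]


def trusts_needed_nt4(n):
    """One-way trusts required for full mutual trust among n NT 4.0 domains."""
    return n * (n - 1)


def trusts_needed_tree(domains):
    """Parent/child links in the tree: one per non-root domain."""
    return sum(parent(d, domains) is not None for d in domains)
```

When reviewing who can be granted access where, the transitive path is the thing to audit: a domain added anywhere in the tree is implicitly trusted by every other domain in it.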

In the Active Directory, inheritance of security rights flows downward from the top of the tree. So, you can assign users administrative access rights and permissions at a single point in the tree and therefore grant them the same rights for child objects farther down the tree. Access control lists (ACLs) can help you further refine the delegation of authority in the Active Directory.

When you have a network that’s composed of disparate namespaces, you can create separate trees and group them into a forest. Recall that a forest is a collection of domain trees. In this type of organization, each domain tree represents a contiguous namespace, but other disjointed namespaces exist in the network. A domain forest is used in a similar manner to a domain tree, in that users still can be granted access rights in domains that are contained in other domain trees. The main difference between a domain tree and a forest is the disjointed namespaces (that is, different DNS-style names that can exist when you merge two or more businesses together). Additionally, although domains that exist within the same domain tree have implicit transitive trust relationships, you must create trust relationships between domains that exist in different trees in a forest before you can begin to grant users access to resources in other domain trees. This simple feature could be a deciding factor in which version of Windows Server operating systems you choose for your upgrade.

Replication of Directory Information

Active Directory domain controllers replicate, through multimaster replication techniques, all changes to the Active Directory database for their domain to all other domain controllers in the domain. Domain controllers for other domains in the domain tree do not receive these replication updates because they’re responsible only for the portion of the directory database that concerns objects in their respective domains.

However, all domain controllers in a particular domain tree do receive replication updates that concern the metadata, which defines the domain tree. For example, when a new domain joins a domain tree or when a domain is detached from one part of the tree and reattached at another part, this information is replicated to other domain controllers in the domain tree.
