
Active Directory Topology

When you place domain controllers and related services in an infrastructure, it is important to identify exactly where each one should be located logically. Placement directly affects performance and security.
There are mainly four types of servers and roles to consider in AD topology design.

1)    Forest root domain controller
2)    Regional domain controller
3)    Global catalog server
4)    Operation master role


Forest root domain controller

This is usually used in a multi-domain network setup. It is the domain controller that is used to create trust paths between domains. Sometimes connections from one domain to another run over unreliable links; in such a scenario it is recommended to place a forest root domain controller in that location or to create a shortcut trust.


Regional domain controller

As the name suggests, these domain controllers are placed in hub locations. This reduces bandwidth usage between the hub locations and the main office, improves reliability, reduces support cost, etc. Writable regional domain controllers should be placed in a hub location only if physical security can be guaranteed. Otherwise it is recommended to deploy them as read-only domain controllers (RODC).


Global Catalog Server

A global catalog server holds all the objects in the forest. It keeps a full copy of the objects in its own domain and a read-only copy of the objects of all other domains in the same forest. The placement of global catalog servers is crucial in a multi-forest environment. In such an environment a global catalog server should be placed at the following locations:

1)    A location with more than 100 users
2)    A location hosting applications that require a global catalog server
3)    A location with an unreliable connection
4)    A location with roaming users
5)    A location with slow logon performance

If a location does not match any of the above, you can place a domain controller with universal group membership caching enabled instead.


Operation master role

In Active Directory some data can only be written by operations master role holders. As we know, there are 5 such roles, known as flexible single master operations (FSMO) roles. 3 of them are domain-level roles:
1.    Primary Domain Controller (PDC) Emulator – This role is responsible for password updates
2.    Relative ID (RID) Operations Master – This role maintains the global RID pool and allocates local RIDs to the other DCs
3.    Infrastructure Operations Master – This role is responsible for maintaining the list of security principals from other domains that have membership in the local domain


Forest level roles

1.    Schema Operations Master – This role is responsible for schema changes
2.    Domain Naming Operations Master – This role is responsible for changes to the directory partitions, such as adding and removing domains from the forest

When you place operations master roles, consider the following:
•    The PDC and RID roles should be placed in sites with reliable network connectivity
•    Operations master roles are assigned automatically to the first domain controller, but they can be moved if needed
•    The PDC should be placed nearest the largest number of users.
•    The Infrastructure Master role should not be placed on the same server as a global catalog server. This role is important only in a multi-domain forest.
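To review the placement rules above against a live forest, here is an added PowerShell example (not from the original post) that lists the forest- and domain-level role holders, shows each DC's site, writability and GC status, and warns when the Infrastructure Master sits on a global catalog in a multi-domain forest. It assumes the RSAT ActiveDirectory module and an account that can read every domain in the forest.

```powershell
# Added example: inventory FSMO role holders and DC placement per site,
# then flag the Infrastructure Master / global catalog conflict.
# Assumes the RSAT ActiveDirectory module is installed and the account
# can query every domain in the forest.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$gcs         = $forest.GlobalCatalogs          # FQDNs of all GCs in the forest
$multiDomain = $forest.Domains.Count -gt 1

Write-Host "Forest-level roles"
Write-Host "  Schema Master        : $($forest.SchemaMaster)"
Write-Host "  Domain Naming Master : $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host "`nDomain-level roles for $domainName"
    Write-Host "  PDC Emulator          : $($domain.PDCEmulator)"
    Write-Host "  RID Master            : $($domain.RIDMaster)"
    Write-Host "  Infrastructure Master : $($domain.InfrastructureMaster)"

    # Placement rule from the post: in a multi-domain forest the Infrastructure
    # Master must not be a GC, otherwise it stops updating cross-domain
    # references (the exception being a domain where every DC is a GC).
    if ($multiDomain -and ($gcs -contains $domain.InfrastructureMaster)) {
        Write-Warning ("{0} holds Infrastructure Master and is also a GC; " +
                       "move the role or remove the GC from this DC.") -f $domain.InfrastructureMaster
    }

    # Per-site view of every DC: site, writable vs RODC, and GC status, so
    # regional DC, RODC and global catalog placement can be reviewed per site.
    Get-ADDomainController -Filter * -Server $domainName |
        Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly |
        Sort-Object Site |
        Format-Table -AutoSize | Out-String | Write-Host
}
```

Run it from a management host as a user with read access across the forest; the warning line is the check to act on, the tables are for reviewing site placement.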

If you have any questions about this post, feel free to contact me on rebeladm@live.com
