
70-297: MCSE Guide to Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Chapter 2: Developing the Active Directory Infrastructure Design

Upload: shannon-charles

Post on 19-Dec-2015


70-297: MCSE Guide to Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure

Chapter 2: Developing the Active Directory Infrastructure Design


Exam Objectives

• 1.5 Design the Active Directory infrastructure to meet business and technical requirements

– 1.5.1 Design the envisioned administration model

– 1.5.2 Create the conceptual design of the Active Directory forest structure

– 1.5.3 Create the conceptual design of the Active Directory domain structure

– 1.5.5 Create the conceptual design of the organizational unit (OU) structure

– 1.5.4 Design the Active Directory replication strategy


Introduction

• Active Directory designs are developed after the environment has been assessed and fully documented

• During the initial stages of the Active Directory services infrastructure design, identify the administrative model that will be implemented


Assessing and Designing the Administrative Model

• Service administrators are responsible for:

– Maintaining the Active Directory infrastructure

– Ensuring that the infrastructure provides the necessary functions and services to end users

• Service administrators should not be the same people who perform the data administrator role


The Role of the Service Administrator

• The service administrator is responsible for:

– Management and maintenance of domain controllers (DCs)

– Management and maintenance of a Domain Name System (DNS)

– Management and maintenance of forestwide components

– Management and maintenance of Active Directory replication within the forest

– Deployment of Active Directory infrastructure throughout the organization

– Management and maintenance of trusts within the forest

– Management and maintenance of trusts with external domains, forests, and Kerberos realms


The Role of the Data Administrator

• The data administrator is responsible for:

– Management of user objects

– Management of group objects

– Management of machine objects

– Management of printer objects

– Management of NTFS file and share access control lists (ACLs)

– Management of member servers and workstations


Understanding Isolation and Autonomy

• Autonomy:

– Implies a degree of independence

– Can be achieved at the service administrator level

– Can be achieved at the data administrator level

• Isolation:

– Only administrators of the resource have access


Autonomy and Isolation Flow Chart


Assessing and Defining the Forest Design

• Forest design factors:

– Organizational

– Operational

– Legal

– Naming considerations

– Timescales

– Management overhead

– Test environments

– External-facing environments


Forest Models

• Multiple forest scenarios:

– The Service Provider model

– The Restricted Access model

– The Resource model

– The Organizational model

– The Single-Forest model


The Service Provider Model


The Restricted Access Model


The Resource Model


The Organizational Forest Model


The Single Forest Model

• Simplest to design, engineer, and deploy

• Cheapest option to deploy and the cheapest to own

• Isolation requires a separate forest to be established

• Autonomy needs a separate domain to be established


Ownership, Accountability, and Change Management

• Sponsors are responsible for ensuring that:

– Each business’s requirements are voiced during the design phase

– Designs are appropriate and relevant to each participating business

• Owners are responsible for assigning the appropriate people to the appropriate roles


Assessing and Creating the Domain Design

• The decision to deploy additional domains is influenced by:

– Geographic separation

– Network limitations

– Service autonomy


Maximum Number of Users Supported in a Single Domain


Names and Hierarchies

• When designing Active Directory forests and domains:

– Each domain has two names: a NetBIOS name and a DNS name

• Dedicated root domain:

– When deploying the first domain in a forest, the DNS name chosen is used as the suffix for all other domains


Using a Dedicated Root Domain

• Deployed simply to exist as the root domain

• Advantages:

– Forest service admins are separated from domain service admins

– Simpler to reconfigure the forest

– Politically neutral


The Dedicated Root Domain Model


The Nondedicated Domain


Regional Domains

• Regional model implies that a separate domain is created for each distinct region within the organization

• Disadvantages associated with introducing additional regional domains:

– Multiple service admin groups

– Additional overhead in duplicating settings

– Interdomain object moves


The Regional Domain Model


Functional Domains

• Established per functional group or business group within the organization

• Within the functional domain model:

– The forest might be home to multiple, disparate, autonomous businesses

– A degree of collaboration is required


The Functional Domain Model


Comparing Trees with Domains

• Advantages of the single tree approach:

– Only one namespace needs to be created and managed

– No interoperability issues exist between disparate namespaces

• Disadvantages of the single tree approach:

– Disparate, autonomous businesses are constrained to using the first namespace

– Businesses do not have autonomy within their own namespace


A Single Tree


Multiple Trees

• Advantages:

– Disparate businesses can use their own different namespaces

– Autonomy within the business namespace

• Disadvantages:

– Multiple DNS names

– Increased DNS maintenance
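The naming rules from the "Names and Hierarchies" and "Multiple Trees" slides can be turned into a design-review check. The following Python example is added here and is not part of the course material: it takes a planned list of domains (DNS name, NetBIOS name, parent) and verifies that every child domain's DNS name is one label beneath its parent, that a new tree root really owns a separate namespace rather than sitting inside another tree, and that NetBIOS names are unique across the forest. The 15-character NetBIOS limit and the DNS label syntax are standard facts not stated on the slides; the sample plans are constructed.

```python
import re

# NetBIOS names are limited to 15 characters (the 16th byte is the suffix).
NETBIOS_MAX_LEN = 15
# One DNS hostname label: letters, digits and hyphens, no leading/trailing hyphen.
DNS_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_forest_plan(plan):
    """Check a planned forest's domain names.

    plan: list of (dns_name, netbios_name, parent_dns_name_or_None).
    A domain with no parent is the root of a tree (the first one listed is
    the forest root).  Returns a list of human-readable issues; empty == OK.
    """
    issues = []
    dns_names = {d[0].lower() for d in plan}
    tree_roots = [d[0].lower() for d in plan if d[2] is None]
    seen_netbios = {}
    for dns_name, netbios, parent in plan:
        dns_name = dns_name.lower()
        # Every label of the DNS name must be a valid hostname label.
        for label in dns_name.split("."):
            if not DNS_LABEL.match(label):
                issues.append(f"{dns_name}: invalid DNS label '{label}'")
        # NetBIOS name: 1-15 characters, no dots, unique across the forest.
        nb = netbios.upper()
        if not (1 <= len(nb) <= NETBIOS_MAX_LEN) or "." in nb:
            issues.append(f"{dns_name}: NetBIOS name '{netbios}' is invalid")
        if nb in seen_netbios:
            issues.append(
                f"{dns_name}: NetBIOS name '{netbios}' duplicates {seen_netbios[nb]}")
        seen_netbios.setdefault(nb, dns_name)
        if parent is None:
            # A tree root must own its own namespace: if it sits beneath another
            # tree's name it would belong to that tree, not start a new one.
            for other in tree_roots:
                if other != dns_name and dns_name.endswith("." + other):
                    issues.append(
                        f"{dns_name}: new tree root lies inside the namespace of {other}")
        else:
            parent = parent.lower()
            if parent not in dns_names:
                issues.append(f"{dns_name}: parent {parent} is not in the plan")
            # A child domain's DNS name is one label plus the parent's name, so
            # the tree root's DNS name is the suffix of every domain in the tree.
            _head, sep, tail = dns_name.partition(".")
            if not sep or tail != parent:
                issues.append(f"{dns_name}: must be '<label>.{parent}'")
    return issues


# Constructed sample plans (not from the slides).
GOOD_PLAN = [
    ("corp.example.com", "CORP", None),                     # dedicated forest root
    ("emea.corp.example.com", "EMEA", "corp.example.com"),  # regional child domains
    ("apac.corp.example.com", "APAC", "corp.example.com"),
    ("example.net", "EXAMPLENET", None),                    # second tree, own namespace
]
BAD_PLAN = [
    ("corp.example.com", "CORP", None),
    ("emea.corp.example.com", "CORP", "corp.example.com"),  # duplicate NetBIOS name
    ("asia.corp.example.com", "ASIA", "corp.example.com"),
    ("lab.corp.example.com", "LAB", None),                  # "root" inside the first tree
    ("sales.example.net", "SALES", "example.net"),          # parent never planned
]

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, validate_forest_plan(plan) or "OK")
```

Running the block against the constructed plans reports nothing for the first and three findings for the second (the duplicate NetBIOS name, the tree root that is really a child, and the child whose parent was never planned). Catching these on paper is far cheaper than after the forest root is promoted, since a domain's DNS and NetBIOS names cannot be changed without a domain rename.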


A Forest with Multiple Trees


Single Domain Forest

• Houses all objects, including:

– Forest service admins

– Domain service admins

– Users

– Groups

– Computers

– DCs


Advantages and Disadvantages of a Single Domain Forest


Developing the OU Model

• OU design factors are dictated by:

– The way in which the business is administered

– The way in which group policy needs to be applied

– The need to hide sensitive objects from users


OU Design Models

• Geographic models:

– Start by creating geography-based OUs at the root of the domain

• Functional models:

– Start by creating function-based OUs at the root of the domain

• Object type models:

– Start by creating object type-based OUs at the root of the domain


The Geographic OU Model


The Functional OU Model


The Object Type OU Model


Developing the Replication Design

• Principles and concepts surrounding replication:

– Sites

– Subnets

– Site links

– Site link bridges

– Connection objects

– Multimaster replication


Developing the Replication Design (continued)

• Principles and concepts surrounding replication:

– Knowledge Consistency Checker (KCC)

– Intersite Topology Generator (ISTG) and bridgehead servers

– SYSVOL

– File Replication Service (FRS)

– Topology options

– Ownership


Sites and Costs


Site Link Bridging
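The "Sites and Costs" and "Site Link Bridging" slides are diagrams in the original deck. The Python example below is added here to make the idea concrete and is not part of the course material: it models sites and site links with costs, then computes the replication route the KCC would prefer. With site link bridging (the default "bridge all site links" behaviour) site links are transitive, so the cheapest route may pass through intermediate sites and is found with a shortest-path search; with bridging disabled, two sites can only replicate directly when a single site link joins them. The hub-and-spoke topology and its costs are constructed for the example.

```python
from heapq import heappush, heappop

# Constructed sample topology (not from the slides): a hub with two branches,
# a remote lab reachable cheaply through one branch or expensively from the hub.
# Each tuple is (site A, site B, site link cost).
SITE_LINKS = [
    ("HQ", "Branch-East", 100),
    ("HQ", "Branch-West", 100),
    ("Branch-West", "Remote-Lab", 500),
    ("HQ", "Remote-Lab", 800),
]


def build_graph(site_links):
    """Undirected adjacency map: site -> {neighbour: cheapest direct link cost}."""
    graph = {}
    for a, b, cost in site_links:
        for src, dst in ((a, b), (b, a)):
            neighbours = graph.setdefault(src, {})
            neighbours[dst] = min(cost, neighbours.get(dst, float("inf")))
    return graph


def cheapest_route(site_links, src, dst, bridge_all_site_links=True):
    """Return (total cost, [sites on the route]) or None if unreachable.

    bridge_all_site_links=True  : site links are transitive, so the route may
                                  cross intermediate sites (Dijkstra on costs).
    bridge_all_site_links=False : no transitivity; only a direct site link
                                  between src and dst can carry replication.
    """
    graph = build_graph(site_links)
    if src not in graph or dst not in graph:
        return None
    if not bridge_all_site_links:
        if dst in graph[src]:
            return (graph[src][dst], [src, dst])
        return None
    # Dijkstra: cheapest cumulative site link cost from src.
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, site = heappop(heap)
        if site == dst:
            break
        if d > dist[site]:          # stale heap entry
            continue
        for nxt, cost in graph[site].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = site
                heappush(heap, (nd, nxt))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    path.reverse()
    return (dist[dst], path)


if __name__ == "__main__":
    for bridged in (True, False):
        print("bridging on" if bridged else "bridging off",
              cheapest_route(SITE_LINKS, "Branch-East", "Remote-Lab", bridged),
              cheapest_route(SITE_LINKS, "HQ", "Remote-Lab", bridged))
```

With bridging on, HQ reaches Remote-Lab through Branch-West at a cost of 600 rather than over the direct 800 link, and Branch-East reaches Remote-Lab via HQ and Branch-West at 700 even though no site link joins them. With bridging off, HQ must use the direct 800 link and Branch-East cannot replicate with Remote-Lab at all, which is exactly the situation a design review should flag when turning bridging off to keep replication away from poorly connected segments.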


The Bridgehead and ISTG Roles


Summary

• Service administrators manage the Active Directory infrastructure

• Data administrators manage data contained within Active Directory and member computers

• If service or data isolation is required, create a separate forest

• If disparate schemas or Configuration partition data is required, create a separate forest


Summary (continued)

• Consider geographic domains to better manage replication

• Consider functional domains for service autonomy

• OU design influences:

– Administrative models

– Group policy

– Protection of sensitive objects

• Be conversant with replication concepts