70-297: MCSE Guide to Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure
Chapter 2: Developing the Active Directory Infrastructure Design
Exam Objectives
• 1.5 Design the Active Directory infrastructure to meet business and technical requirements
– 1.5.1 Design the envisioned administration model
– 1.5.2 Create the conceptual design of the Active Directory forest structure
– 1.5.3 Create the conceptual design of the Active Directory domain structure
– 1.5.5 Create the conceptual design of the organizational unit (OU) structure
– 1.5.4 Design the Active Directory replication strategy
Introduction
• Active Directory designs are developed after the environment has been assessed and fully documented
• During the initial stages of the Active Directory services infrastructure design, identify the administrative model that will be implemented
Assessing and Designing the Administrative Model
• Service administrators are responsible for:
– Maintaining the Active Directory infrastructure
– Ensuring that the infrastructure provides the necessary functions and services to end users
– Not the same people performing the data administrator role
The Role of the Service Administrator
• The service administrator is responsible for:
– Management and maintenance of domain controllers (DCs)
– Management and maintenance of a Domain Name System (DNS)
– Management and maintenance of forestwide components
– Management and maintenance of Active Directory replication within the forest
– Deployment of Active Directory infrastructure throughout the organization
– Management and maintenance of trusts within the forest
– Management and maintenance of trusts with external domains, forests, and Kerberos realms
The Role of the Data Administrator
• The data administrator is responsible for:
– Management of user objects
– Management of group objects
– Management of machine objects
– Management of printer objects
– Management of NTFS file and share access control lists (ACLs)
– Management of member servers and workstations
Understanding Isolation and Autonomy
• Autonomy:
– Implies a degree of independence
– Can be achieved at the service admin level
– Can be achieved at the data administrator level
• Isolation:
– Only administrators of the resource have access
Autonomy and Isolation Flow Chart
Assessing and Defining the Forest Design
• Forest design factors:
– Organizational
– Operational
– Legal
– Naming considerations
– Timescales
– Management overhead
– Test environments
– External facing environments
Forest Models
• Multiple forest scenarios:
– The Service Provider model
– The Restricted Access model
– The Resource model
– The Organizational model
– The Single-Forest model
The Service Provider Model
The Restricted Access Model
The Resource Model
The Organizational Forest Model
The Single Forest Model
• Simplest to design, engineer, and deploy
• Cheapest option to deploy and the cheapest to own
• Isolation requires a separate forest to be established
• Autonomy needs a separate domain to be established
Ownership, Accountability, and Change Management
• Sponsors are responsible for ensuring that:
– Each business’s requirements are voiced during the design phase
– Designs are appropriate and relevant to each participating business
• Owners are responsible for assigning the appropriate people to the appropriate roles
Assessing and Creating the Domain Design
• Decision to deploy additional domains is influenced by:
– Geographic separation
– Network limitations
– Service autonomy
Maximum Number of Users Supported in a Single Domain
Names and Hierarchies
• When designing Active Directory forests and domains:
– Each domain has two names: a NetBIOS name and a DNS name
• Dedicated root domain:
– When deploying the first domain in a forest, the DNS name chosen is used as the suffix for all other domains
Using a Dedicated Root Domain
• Deployed simply to exist as the root domain
• Advantages:
– Forest service admins are separated from domain service admins
– Simpler to reconfigure the forest
– Politically neutral
The Dedicated Root Domain Model
The Nondedicated Domain
Regional Domains
• Regional model implies that a separate domain is created for each distinct region within the organization
• Disadvantages associated with introducing additional regional domains:
– Multiple service admin groups
– Additional overhead in duplicating settings
– Interdomain object moves
The Regional Domain Model
Functional Domains
• Established per functional group or business group within the organization
• Within the functional domain model:
– Forest might be home to multiple, disparate, autonomous businesses
– Degree of collaboration is required
The Functional Domain Model
Comparing Trees with Domains
• Advantages of the single tree approach:
– Only one namespace needs to be created and managed
– No interoperability issues exist between disparate namespaces
• Disadvantages of the single tree approach:
– Disparate, autonomous businesses are constrained to using the first namespace
– Businesses do not have autonomy within their own namespace
A Single Tree
Multiple Trees
• Advantages:
– Disparate businesses can use their own different namespaces
– Autonomy within the business namespace
• Disadvantages:
– Multiple DNS names
– Increased DNS maintenance
A Forest with Multiple Trees
Single Domain Forest
• Houses all objects, including:
– Forest service admins
– Domain service admins
– Users
– Groups
– Computers
– DCs
Advantages and Disadvantages of a Single Domain Forest
Developing the OU Model
• OU design factors are dictated by:
– The way in which the business is administered
– The way in which group policy needs to be
– The need to hide sensitive objects from users
OU Design Models
• Geographic models
– Start by creating geography-based OUs at the root of the domain
• Functional models
– Start by creating functional-based OUs at the root of the domain
• Object type models
– Start by creating object type-based OUs at the root of the domain
The Geographic OU Model
The Functional OU Model
The Object Type OU Model
Developing the Replication Design
• Principles and concepts surrounding replication:
– Sites
– Subnets
– Site links
– Site link bridges
– Connection objects
– Multimaster replication
Developing the Replication Design (continued)
• Principles and concepts surrounding replication:
– Knowledge Consistency Checker (KCC)
– Inter Site Topology Generator and bridgehead servers
– SYSVOL
– File Replication System (FRS)
– Topology options
– Ownership
Sites and Costs
Site Link Bridging
The Bridgehead and ISTG Roles
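The Sites and Costs and Site Link Bridging slides above are figures in the original deck. As an added example (not from the course), the following Python models the rule they illustrate: a site link joins its member sites at one cost, and the ISTG can only route replication across several links when those links are transitive, either because all site links are bridged or because an explicit site link bridge contains them. The site names, links and costs are constructed for illustration.

```python
import heapq
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SiteLink = Tuple[str, FrozenSet[str], int]  # (name, member sites, cost)

# Constructed hub-and-spoke topology: direct spoke link dearer than via hub.
SITE_LINKS: List[SiteLink] = [
    ("HQ-SpokeA", frozenset({"HQ", "SpokeA"}), 100),
    ("HQ-SpokeB", frozenset({"HQ", "SpokeB"}), 100),
    ("HQ-Remote", frozenset({"HQ", "Remote"}), 500),
    ("SpokeA-SpokeB", frozenset({"SpokeA", "SpokeB"}), 250),
]

def _dijkstra(src: str, dst: str, links: Iterable[SiteLink]):
    """Least-cost route where every pair of sites in a link is adjacent."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for _name, members, cost in links:
        for a in members:
            adj.setdefault(a, []).extend((b, cost) for b in members if b != a)
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:  # rebuild the route from the predecessor map
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > best[u]:
            continue  # stale heap entry
        for v, c in adj.get(u, []):
            if d + c < best.get(v, float("inf")):
                best[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return None

def least_cost_path(src: str, dst: str, links: List[SiteLink] = SITE_LINKS,
                    bridge_all: bool = True, bridges: Iterable[FrozenSet[str]] = ()
                    ) -> Optional[Tuple[int, List[str]]]:
    """Cheapest replication route or None. bridge_all models 'Bridge all site
    links'; otherwise a multi-hop route must stay inside one explicit site
    link bridge (a set of link names), and a single direct link always counts."""
    if bridge_all:
        candidates = [links]
    else:
        by_name = {lnk[0]: lnk for lnk in links}
        candidates = [[lnk] for lnk in links] + [
            [by_name[n] for n in bridge if n in by_name] for bridge in bridges]
    routes = [r for r in (_dijkstra(src, dst, c) for c in candidates) if r]
    return min(routes, key=lambda r: r[0]) if routes else None
```

With bridging on, SpokeA reaches SpokeB through HQ at cost 200 rather than over its own 250-cost link; with bridging off and no explicit bridge, Remote is unreachable from SpokeA because the only route needs two links.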
Summary
• Service administrators manage the Active Directory infrastructure
• Data administrators manage data contained within Active Directory and member computers
• If service or data isolation is required, create a separate forest
• If disparate schemas or Configuration partition data is required, create a separate forest
Summary (continued)
• Consider geographic domains to better manage replication
• Consider functional domains for service autonomy
• OU design influences:
– Administrative models
– Group policy
– Protection of sensitive objects
• Be conversant with replication concepts