active directory concepts ii: namespace planning for the active directory stuart kwan program...

Active Directory Active Directory Concepts II: Concepts II: Namespace Planning Namespace Planning For The Active DirectoryFor The Active Directory

Stuart KwanStuart KwanProgram Manager Program Manager Windows NT Distributed SystemsWindows NT Distributed SystemsMicrosoft CorporationMicrosoft Corporation

AgendaAgenda

ObjectivesObjectives Overview of example companyOverview of example company Active Directory namespace designActive Directory namespace design SummarySummary Call to actionCall to action

ObjectivesObjectives

Ensure your software is a good citizenEnsure your software is a good citizen Practical examples of Active Practical examples of Active

Directory conceptsDirectory concepts Understand how namespace design Understand how namespace design

impacts performance, managementimpacts performance, management

Understand customer scenariosUnderstand customer scenarios Identify opportunities…Identify opportunities…

HeadquartersHeadquarters

Remote offices and hubRemote offices and hub

SubsidiarySubsidiary

PartnerPartnerTest Test sitesite

Arcadia BayArcadia BayPhysical viewPhysical view

Arcadia BayArcadia BayCompany informationCompany information

Parent company: Arcadia Bay Inc.Parent company: Arcadia Bay Inc. Registered DNS name: arcadiabay.comRegistered DNS name: arcadiabay.com Headquarters:Headquarters:

Three buildings, multiple LANs, MANThree buildings, multiple LANs, MAN Per-building IT administrationPer-building IT administration Thousands of usersThousands of users

Arcadia BayArcadia BayCompany InformationCompany Information

Arcadia Bay Inc.Arcadia Bay Inc. Three remote offices:Three remote offices:

Tens of users, central administrationTens of users, central administration Reliable WAN link to hub, HQReliable WAN link to hub, HQ

Test siteTest site Visited by HQ personnelVisited by HQ personnel Sensitive resources and dataSensitive resources and data Reliable WAN link to HQReliable WAN link to HQ

Arcadia BayArcadia BayCompany informationCompany information

Subsidiary: Ellipsis Software Ltd.Subsidiary: Ellipsis Software Ltd. Acquired companyAcquired company Registered DNS name: ellipsis.dotRegistered DNS name: ellipsis.dot Independent IT administrationIndependent IT administration Hundreds of usersHundreds of users

Partner: Three Dots Inc.Partner: Three Dots Inc. Close partner, separate managementClose partner, separate management Registered DNS name: 3dots.dotRegistered DNS name: 3dots.dot

The NetworkThe Network

ResourcesResources

Mobile usersMobile users

UsersUsers

GroupsGroups

Arcadia BayArcadia BayLogical viewLogical view

Active Directory Active Directory Namespace DesignNamespace Design Active Directory namespace:Active Directory namespace:

Domain namespaceDomain namespace DNS namespaceDNS namespace Organizational Unit namespaceOrganizational Unit namespace Site topologySite topology

Each namespace has Each namespace has unique characteristicsunique characteristics

Domain NamespaceDomain NamespaceConsiderationsConsiderations

How many forests?How many forests? How many domains in each forest?How many domains in each forest? How will domains be arranged How will domains be arranged

into structures?into structures? What will the domains be named?What will the domains be named?

Forest =Forest =

Number Of ForestsNumber Of ForestsDefinition of forestDefinition of forest

What is a forest?What is a forest? Unit of schemaUnit of schema Unit of site configurationUnit of site configuration Administrative scopeAdministrative scope Default scope for security principalsDefault scope for security principals Scope of global catalogScope of global catalog

Number Of ForestsNumber Of ForestsSchema and global catalogSchema and global catalog

SchemaSchema Attribute definitionsAttribute definitions Object definitionsObject definitions ExtensibleExtensible

Global catalog (GC)Global catalog (GC) Partial copy of all objects in forestPartial copy of all objects in forest Used for fast, forest-wide searchUsed for fast, forest-wide search

HQ’s HQ’s objectsobjects

Partner’s Partner’s objectsobjects

Number Of ForestsNumber Of ForestsMethodologyMethodology

Usually determined by number Usually determined by number of schemasof schemas Partner running directory-enabled Partner running directory-enabled

software not certified by Headquarterssoftware not certified by Headquarters Two distinct schemas requiredTwo distinct schemas required

HQ HQ forestforest

Partner Partner forestforest

Number Of ForestsNumber Of ForestsArcadia Bay exampleArcadia Bay example

Two forests for Arcadia BayTwo forests for Arcadia Bay Headquarters and PartnerHeadquarters and Partner

Domain =Domain =

Number Of DomainsNumber Of DomainsDefinition of DomainDefinition of Domain

What is a Domain?What is a Domain? Unit of partitioningUnit of partitioning Unit of authenticationUnit of authentication Administrative scopeAdministrative scope Unit of domain account policyUnit of domain account policy

Manifested by domain controllers (DCs)Manifested by domain controllers (DCs) ReplicatedReplicated

Number Of DomainsNumber Of DomainsMethodologyMethodology

Put all objects in one domainPut all objects in one domain Justify additional domainsJustify additional domains

Partition to scope replication of objectsPartition to scope replication of objects Business unit demands admin ownershipBusiness unit demands admin ownership Unique domain account policy requiredUnique domain account policy required

Password/acct lockout/Kerberos policyPassword/acct lockout/Kerberos policy

Emphasize stabilityEmphasize stability Do not to create domains that will lose Do not to create domains that will lose

meaning after reorganizationmeaning after reorganization

Number Of DomainsNumber Of DomainsPartitioning methodologyPartitioning methodology

Consider a remote officeConsider a remote office User must communicate with DC to loginUser must communicate with DC to login Trust WAN for login?Trust WAN for login?

Yes: DCs in central locationYes: DCs in central location No: place DC in remote siteNo: place DC in remote site

If DC in remote office, for what domain?If DC in remote office, for what domain? Can WAN handle replication traffic?Can WAN handle replication traffic?

Yes: put first domain DC in officeYes: put first domain DC in office No: new domain for remote officeNo: new domain for remote office

HQHQ

HQHQ HubHub Remote siteRemote site

HQHubHub

Number Of DomainsNumber Of DomainsArcadia Bay exampleArcadia Bay example

First domain: headquartersFirst domain: headquarters Remote officesRemote offices

Trust WAN to hub for loginTrust WAN to hub for login Don’t want to replicate HQ domain to hubDon’t want to replicate HQ domain to hub Create new domain for hub and remotesCreate new domain for hub and remotes

HQHQ

HQHQ Test site

HQHQ


Test siteTest site Do not trust WAN for loginDo not trust WAN for login Predominantly mobile users from HQPredominantly mobile users from HQ Replicate HQ domain to test siteReplicate HQ domain to test site

HQHQ

HQHQ SubsidiarySubsidiary

SubSub


SubsidiarySubsidiary Refuse to have HQ administrators Refuse to have HQ administrators

as domain administratorsas domain administrators Create new domain for subsidiaryCreate new domain for subsidiary

HQHQ

HubHub

SubSub


The Arcadia Bay forestThe Arcadia Bay forest

Arranging And NamingArranging And NamingConceptsConcepts

What is the Domain Name System?What is the Domain Name System? Hierarchical distributed databaseHierarchical distributed database Fast, lightweightFast, lightweight Replicated: highly available, fault tolerantReplicated: highly available, fault tolerant

DNS is the Active Directory locatorDNS is the Active Directory locator Domains have DNS namesDomains have DNS names Clients find DCs via DNS queriesClients find DCs via DNS queries

Arranging And NamingArranging And NamingMethodologyMethodology

Assign first domain a DNS nameAssign first domain a DNS name Incorporate registered Internet nameIncorporate registered Internet name Ensures global uniquenessEnsures global uniqueness

Assign each additional domain Assign each additional domain a DNS namea DNS name Child domain: name is immediately Child domain: name is immediately

subordinate to an existing domainsubordinate to an existing domain New tree: name is a peer New tree: name is a peer

of existing domainsof existing domains

Arranging And NamingArranging And NamingA word on choosing namesA word on choosing names

Prefer Internet standard charactersPrefer Internet standard characters ‘‘A’-’Z’, ‘a’-’z’, ‘0’-’9’, and ‘-’ (RFC 1123, A’-’Z’, ‘a’-’z’, ‘0’-’9’, and ‘-’ (RFC 1123,

which references RFC 952)which references RFC 952) If you intend to use Microsoft DNSIf you intend to use Microsoft DNS

All NetBIOS chars allowed (i.e. ‘_’)All NetBIOS chars allowed (i.e. ‘_’) Includes Unicode (via UTF-8)Includes Unicode (via UTF-8)

DNS names can be up to 253 bytes longDNS names can be up to 253 bytes long Up to 63 bytes per label (dot-separated)Up to 63 bytes per label (dot-separated)

arcadiabay.comarcadiabay.com

HubHub

SubSub

Arranging And NamingArranging And NamingArcadia Bay exampleArcadia Bay example

First domain (and tree): headquartersFirst domain (and tree): headquarters Arcadiabay.comArcadiabay.com


office.arcadiabay.comoffice.arcadiabay.com

SubSub


Child domain: hubChild domain: hub Office.arcadiabay.comOffice.arcadiabay.com


arcadiabay.comarcadiabay.com ellipsis.dotellipsis.dot


Sibling tree: subsidiarySibling tree: subsidiary Insist on using ellipsis.dotInsist on using ellipsis.dot


arcadiabay.comarcadiabay.com ellipsis.dotellipsis.dot

Arranging And NamingArranging And NamingTrustsTrusts

All domains in forest connected All domains in forest connected by transitive trustby transitive trust Security principals valid anywhere Security principals valid anywhere

in forestin forest

Forests AgainForests AgainLoose endsLoose ends

What is the name of a forest?What is the name of a forest? Name of the first installed domainName of the first installed domain First domain is called the “forest root”First domain is called the “forest root” The forest root cannot be removedThe forest root cannot be removed

How do multiple forests interact?How do multiple forests interact? Explicit trusts between domainsExplicit trusts between domains Dirsync so that objects from other forests Dirsync so that objects from other forests

show up in your global catalogshow up in your global catalog

DNS NamespaceDNS NamespaceConceptsConcepts

Why DNS?Why DNS? Globally recognized namespaceGlobally recognized namespace Standard, well-understood protocolStandard, well-understood protocol Proven scalability on the InternetProven scalability on the Internet Scalable locator + scalable domains = Scalable locator + scalable domains =

highly scalable directory highly scalable directory

DNS data consists of recordsDNS data consists of records (name, type, data) tuple(name, type, data) tuple dns1.microsoft.com. A 131.107.1.7dns1.microsoft.com. A 131.107.1.7

DNS NamespaceDNS NamespaceThe LocatorThe Locator

Domain controllers dynamically register Domain controllers dynamically register Service Location recordsService Location records SRV resource record (RFC 2052)SRV resource record (RFC 2052) Maps (service) --> (hosts offering service)Maps (service) --> (hosts offering service) General rendezvous mechanismGeneral rendezvous mechanism Analogous to SMTP and the MX recordAnalogous to SMTP and the MX record

NETLOGON service sends updatesNETLOGON service sends updates Dynamic update protocol (RFC 2136)Dynamic update protocol (RFC 2136)

DNS NamespaceDNS NamespaceLocator recordsLocator records

SRV records are named likeSRV records are named like ldap.tcp.<domain name>.ldap.tcp.<domain name>. i.e. ldap.tcp.arcadiabay.com.i.e. ldap.tcp.arcadiabay.com. Plenty more like that, all ending Plenty more like that, all ending

in <domain name>in <domain name>

DNS server that owns <domain name>DNS server that owns <domain name> MUST support the SRV recordMUST support the SRV record SHOULD support dynamic updateSHOULD support dynamic update

DNS NamespaceDNS NamespaceDNS Server requirementsDNS Server requirements

No pre-existing DNS infrastructureNo pre-existing DNS infrastructure Easy! Deploy Microsoft DNS ServerEasy! Deploy Microsoft DNS Server

Pre-existing DNS infrastructurePre-existing DNS infrastructure Does server that owns <domain name> Does server that owns <domain name>

support SRV RR, dynamic update?support SRV RR, dynamic update? Ownership = name falls within zone Ownership = name falls within zone

loaded by serverloaded by server Zone = a partition of the DNS databaseZone = a partition of the DNS database

DNS NamespaceDNS NamespaceDNS Server requirementsDNS Server requirements

Yes, it meets requirementsYes, it meets requirements Dynamic updates will affect DNS Dynamic updates will affect DNS

replication trafficreplication traffic

No, it does not meet requirementsNo, it does not meet requirements Choice one: Upgrade serverChoice one: Upgrade server Choice two: Migrate to MicrosoftChoice two: Migrate to Microsoft®® DNS DNS Choice three:Choice three:

Select a new nameSelect a new name Delegate name to Microsoft DNSDelegate name to Microsoft DNS

DNS NamespaceDNS NamespaceArcadia Bay exampleArcadia Bay example

Arcadiabay.com: Windows NTArcadiabay.com: Windows NT®® 4.0 4.0 Microsoft DNSMicrosoft DNS Straight upgrade to Windows NT 5.0 Straight upgrade to Windows NT 5.0

Microsoft DNSMicrosoft DNS Ellipsis.dot: BIND 4.9.7Ellipsis.dot: BIND 4.9.7

Supports SRV RR, but not dynamic updateSupports SRV RR, but not dynamic update Unwilling touch existing serversUnwilling touch existing servers Select new name, “polka.ellipsis.dot”Select new name, “polka.ellipsis.dot” Delegate name to Windows NT 5.0 Delegate name to Windows NT 5.0

Microsoft DNSMicrosoft DNS

‘‘.’ (root).’ (root)

ellipsis.dotellipsis.dot

polka.ellipsis.dotpolka.ellipsis.dot



3dots.dot3dots.dot


DNS partitioning (zones)DNS partitioning (zones)

DNS NamespaceDNS NamespaceRecommended deploymentRecommended deployment

Run Microsoft DNS Run Microsoft DNS on domain controllerson domain controllers

Use Active Directory integrated DNSUse Active Directory integrated DNS Zone files stored and replicated in the DSZone files stored and replicated in the DS Setup/maintain single replication topologySetup/maintain single replication topology Multi-master dynamic updateMulti-master dynamic update

Standard DNS is single-masterStandard DNS is single-master Enables secure dynamic updatesEnables secure dynamic updates


arcadiabay.comarcadiabay.com polka.ellipsis.dotpolka.ellipsis.dot

ellipsis.dotellipsis.dot 3dots.dot3dots.dot

‘‘.’ (root).’ (root)


Zones stored in Active DirectoryZones stored in Active Directory

DNS NamespaceDNS NamespaceNo dynamic updateNo dynamic update

If no dynamic update supportIf no dynamic update support Hand enter records from DC into DNSHand enter records from DC into DNS

%systemroot%\system32\config\netlogon.dns%systemroot%\system32\config\netlogon.dns Re-enter/remove records if any of the Re-enter/remove records if any of the

following change:following change: Domain controller nameDomain controller name Role (GC, PDC)Role (GC, PDC) Site configuration (moved to new site)Site configuration (moved to new site) IP addressIP address DC is demotedDC is demoted

DNS NamespaceDNS NamespaceComputer namesComputer names

Primary DNS namePrimary DNS name <comp_name>.<pri_DNS_domain><comp_name>.<pri_DNS_domain> By default, <pri_DNS_domain> = By default, <pri_DNS_domain> =

<member_domain><member_domain> GetComputerNameEx()GetComputerNameEx()

Per-adapter DNS namePer-adapter DNS name <comp_name>.<adapter_DNS_domain><comp_name>.<adapter_DNS_domain> <adapter_DNS_domain> from IP config<adapter_DNS_domain> from IP config gethostbyname(NULL)gethostbyname(NULL)

DNS NamespaceDNS NamespaceA word about WINSA word about WINS

WINS and NetBIOS are not required WINS and NetBIOS are not required in a pure Windows NT 5.0 environmentin a pure Windows NT 5.0 environment

WINS *is* required for 4.0 <--> 5.0 WINS *is* required for 4.0 <--> 5.0 interoperabilityinteroperability ADS domains also have NetBIOS namesADS domains also have NetBIOS names W9x and Windows NT 4.0 clients/servers W9x and Windows NT 4.0 clients/servers

find 5.0 servers using WINSfind 5.0 servers using WINS Windows NT 5.0 clients/servers find 4.0 Windows NT 5.0 clients/servers find 4.0

servers using WINSservers using WINS

OU NamespaceOU NamespaceConceptsConcepts

Hierarchy within a domainHierarchy within a domain Easy to create, move, rename, and deleteEasy to create, move, rename, and delete

Create meaningful structure for adminsCreate meaningful structure for admins Delegate administration or accessDelegate administration or access Scope the application of policyScope the application of policy

Specific justification for each OUSpecific justification for each OU Meaningless OUs create work, add Meaningless OUs create work, add

no valueno value

OU NamespaceOU NamespaceMethodologyMethodology

Delegation of admin/access, examplesDelegation of admin/access, examples Group X can reset user passwordsGroup X can reset user passwords Group Y has full controlGroup Y has full control Group Z can read home tele# attributeGroup Z can read home tele# attribute

Scoping policy, examplesScoping policy, examples Users get applications published/deployedUsers get applications published/deployed Machines use specified IPSEC policyMachines use specified IPSEC policy

DC=arcadiabay,DC=arcadiabay,DC=comDC=com

OU=OU=St. PaulinSt. Paulin

OU=OU=MizithraMizithra

OU=OU=MeckelsMeckels

OU=OU=GroupsGroups

OU=OU=PrintersPrinters

OU=OU=UsersUsers

OU NamespaceOU NamespaceArcadia Bay exampleArcadia Bay example

HQ: admin per building, per resourceHQ: admin per building, per resource OU per building, per resourceOU per building, per resource

OU NamespaceOU NamespaceConflicting needsConflicting needs

Delegation and policy can clashDelegation and policy can clash Want all engineers to get CAD applicationWant all engineers to get CAD application Engineers work in every buildingEngineers work in every building How apply policy to engineers only?How apply policy to engineers only?

Use policy filteringUse policy filtering Apply permissions to policyApply permissions to policy Only members of Engineering security Only members of Engineering security

group can read policygroup can read policy Apply policy at domain levelApply policy at domain level

Site TopologySite TopologyConceptsConcepts

What is a Site?What is a Site? Set of well-connected IP subnetsSet of well-connected IP subnets Clients prefer DCs in their siteClients prefer DCs in their site Inter-site replication is schedulableInter-site replication is schedulable

Sites are connected with Site LinksSites are connected with Site Links Connects to or more sitesConnects to or more sites Cost parameterCost parameter

Site Link Bridges connect site linksSite Link Bridges connect site links

Site TopologySite TopologyMethodologyMethodology

Group subnets into sitesGroup subnets into sites Place DCs into sitesPlace DCs into sites Rules of thumbRules of thumb

At least one GC in every siteAt least one GC in every site At least two DNS servers in every siteAt least two DNS servers in every site If no DC in a site, then remove the siteIf no DC in a site, then remove the site

Connect sites with site links according Connect sites with site links according to network characteristicsto network characteristics

HubHub

22 33

Test siteTest site

HubHub

SubsidiarySubsidiary

RemoteRemoteRemoteRemote

RemoteRemote

HQHQ

HQHQ

11

HQHQ

HQHQHubHub

HubHub

SubSub

HQHQ

BridgeBridge

Site TopologySite TopologyArcadia Bay exampleArcadia Bay example

Users And The NamespaceUsers And The NamespaceUsers are obliviousUsers are oblivious

Users not exposed to namespacesUsers not exposed to namespaces Never have to type a domain name, LDAP Never have to type a domain name, LDAP

DN, or site nameDN, or site name E-mail style login names can be unrelated E-mail style login names can be unrelated

to actual domain namesto actual domain names Main interaction is to query global catalogMain interaction is to query global catalog

Admins see the namespaceAdmins see the namespace

SummarySummaryRemember these key pointsRemember these key points

Domains are for partitioningDomains are for partitioning OUs are forOUs are for

Delegation of administrationDelegation of administration Application of policyApplication of policy

Sites are forSites are for DC selection by clientsDC selection by clients Scheduling of replicationScheduling of replication

DNS is the domain and DNS is the domain and computer locatorcomputer locator

Call To ActionCall To ActionMarketing made me add this slideMarketing made me add this slide

Validate your software Validate your software in customer scenariosin customer scenarios

Other talks: “Developing Directory Other talks: “Developing Directory Enabled Applications”Enabled Applications” Part I: How to Write a Directory-Part I: How to Write a Directory-

Enabled ApplicationEnabled Application Part II: Designing Distributed Applications Part II: Designing Distributed Applications

for Active Directoryfor Active Directory http://msdn.microsoft.com/developer/http://msdn.microsoft.com/developer/

windowsnt5/adsi/default.htmwindowsnt5/adsi/default.htm

active directory concepts ii: namespace planning for the active directory stuart kwan program...

Documents

domain dc

new domain

remote siteif dc

active directory concepts

directoryenabled software

remote officeuser

logintrust wan

datareliable wan link