chap4 implementing active directory

Upload: engkuathirah1

Post on 07-Apr-2018


8/4/2019 Chap4 Implementing Active Directory 1/32

Implementing Active Directory

Chapter 4

Outline

  • Planning Stage
  • Design Stage
  • Install AD Stage

Plan: Domain structure, Domain namespace, OU structure, Site structure

Plan a Domain Structure

As the core unit of logical structure in AD, the domain needs to be planned carefully.

The plan must consider the company's:

  • Logical and physical environment
  • Administrative requirements
  • Domain requirements
  • Domain organization needs

Logical Structure

Understand how your company conducts daily operations to determine the logical structure of your organization. Consider how the company operates functionally and geographically.

Physical Structure

Determine the technical requirements for implementing Active Directory.

You must consider your company's user and network requirements so you can determine the logical requirements for implementing Active Directory.

To assess user requirements, for each functional and geographical division determine:

  • The number of employees
  • The growth rate
  • Plans for expansion

To assess network requirements, for each geographical division determine:

  • How network connections are organized
  • Network connection speed
  • How network connections are utilized
  • TCP/IP subnets

Administrative Requirements

Identify the method of network administration used by your company:

  • Centralized administration. A single administrative team provides network services. Smaller companies with fewer locations or business functions often use this method.
  • Decentralized administration. A number of administrators or administrative teams provide network services. Teams may be divided by location or business function.
  • Customized administration. The administration of some resources is centralized and it is decentralized for others, depending on business needs.

Domain Requirements

The easiest domain structure to administer is a single domain.

Start with a single domain and only add domains when the single domain model no longer meets your needs.

One domain can span multiple sites and contain millions of objects.

A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.

Within each domain, you can model your organization's management hierarchy for delegation or administration using OUs, which act as logical containers for other objects. You can then assign group policy and place users, groups, and computers into the OUs.

There are some reasons to create more than one domain:

  • Decentralized network administration
  • Replication control
  • Different password requirements between organizations
  • Massive numbers of objects
  • Different Internet domain names
  • International requirements
  • Internal political requirements

Domain Organization Needs

If the organization needs more than one domain, the domains must be organized into a hierarchy that fits the needs of the organization.

Arrange domains into a tree or a forest depending on the company's business needs.

As domains are placed in a tree or forest hierarchy, the two-way transitive trust relationship allows the domains to share resources.

Planning Domain Namespace

You must first choose and register a unique parent DNS name that can be used for hosting your organization on the Internet.

Perform a search to see if the name is already registered to another entity.

Once you have chosen your parent DNS name, you can combine this name with a location or organizational name used within your organization to form other subdomain names.

Example: microsoft.com and denver.microsoft.com

Same internal and external namespace.

Example: microsoft.com can be used both inside and outside the company.

Separate internal and external namespace.

Example: Inside firewall: msn.com; Outside firewall: microsoft.com

Domain Naming Requirements and Guidelines

  • Select a root domain name that will remain static.
  • Use simple and unique names.
  • Use standard DNS characters and Unicode characters.
  • Limit the number of domain levels: no more than five levels down the hierarchy.
  • Avoid lengthy domain names.
  • Domain names can be up to 63 characters, including the periods.

Plan an OU Structure

OUs allow you to model your organization in a meaningful and manageable way and to assign an appropriate local authority as administrator at any hierarchical level.

Consider creating an OU if you want to do the following:

Reflect your company's structure and organization within a domain. Without OUs, all users are maintained and displayed in a single list, regardless of a user's department, location, or role.

Delegate administrative control over network resources, but maintain the ability to manage them. You can grant administrative permissions to users or groups of users at the OU level.

Accommodate potential changes in your company's organizational structure. You can reorganize users between OUs easily, whereas reorganizing users between domains generally requires more time and effort.

Group objects to allow administrators to locate similar network resources easily, to simplify security, and to perform administrative tasks. For example, you could group all user accounts for temporary employees into an OU called TempEmployees.

Restrict visibility of network resources in Active Directory. Users can view only the objects for which they have access.

Planning an OU hierarchy:

There are many ways to structure OUs for your company. It is important to determine what model will be used as a base for the OU hierarchy.

Consider the following models for classifying OUs in the OU hierarchy:

  • Business function-based OU
  • Geographical-based OU
  • Business function and geographical-based OU

Plan a Site Structure

A single domain can include multiple sites, and a single site can include multiple domains or parts of multiple domains.

The way in which you set up your sites affects Windows 2000 in two ways:

Workstation logon and authentication. When a user logs on, Windows 2000 will try to find a DC in the same site as the user's computer to service the user's logon request and subsequent requests for network information.

Directory replication. You can configure the schedule and path for replication of a domain's directory differently for inter-site replication, as opposed to replication within a site. Generally, you should set replication between sites to be less frequent than replication within a site.

Optimizing Workstation Logon Traffic

When planning sites, consider which domain controller(s) the workstations on a given subnet should use.

To have a particular workstation only log on to a specific set of domain controllers, define the sites so that only those domain controllers are in the same subnet as that workstation.
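The subnet-to-site lookup described above, as an added example that is not part of the original slides: a workstation address is matched to the most specific AD subnet, that subnet's site decides which DCs serve the logon, and a planning check lists subnets whose site has no DC (so their logons will always cross a site boundary). The subnets, site names and DC names are constructed sample data.

```python
import ipaddress

# Constructed sample site design (not from the slides): subnet -> site,
# and the domain controllers that live in each site.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Lab",      # more specific prefix inside HQ's range
    "10.2.0.0/16": "Denver",
    "10.3.0.0/16": "Branch-NoDC",  # a site with no DC of its own
}
DCS_BY_SITE = {
    "HQ": ["DC1", "DC2"],
    "HQ-Lab": ["DC-LAB"],
    "Denver": ["DC-DEN"],
}

def site_for_address(ip, subnet_map=SUBNET_TO_SITE):
    """Map a workstation address to its site by longest-prefix match,
    the rule the DC locator applies to the subnet objects in AD.
    Returns None when no subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_map.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def preferred_dcs(ip, subnet_map=SUBNET_TO_SITE, dcs=DCS_BY_SITE):
    """Return (site, [DCs]) the workstation should log on to. If the site
    has no DC, or the address matches no subnet, the logon falls back to
    any DC in the domain: the cross-site traffic the slides want to avoid."""
    site = site_for_address(ip, subnet_map)
    local = dcs.get(site, [])
    if local:
        return site, local
    fallback = sorted(dc for group in dcs.values() for dc in group)
    return site, fallback

def unsited_subnets(subnet_map=SUBNET_TO_SITE, dcs=DCS_BY_SITE):
    """Planning check: subnets whose site holds no DC, so every logon
    from them will cross a site boundary."""
    return sorted(c for c, s in subnet_map.items() if not dcs.get(s))

if __name__ == "__main__":
    for ip in ("10.1.50.7", "10.1.3.9", "10.3.0.5", "192.168.1.1"):
        print(ip, preferred_dcs(ip))
    print("subnets without a local DC:", unsited_subnets())
```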

Optimizing Directory Replication

When planning sites, consider where the domain controllers and the network connections between the domain controllers will be located.

Because each domain controller must participate in directory replication with the other domain controllers in its domain, configure sites so that replication occurs at times and intervals that will not interfere with network performance.

Designing a Site Structure

Follow these steps to design a site structure for an organization with multiple physical locations:

Assess the physical environment. Review the information you gathered when determining domain structure, including site locations, network speed, how network connections are organized, network connection speed, how network connections are utilized, and TCP/IP subnets.

Determine the physical locations that form domains. Determine which physical locations are involved in each domain.

Determine which areas of the network should be sites. If the network area requires workstation logon controls or directory replication, the area should be set up as a site.

Identify the physical links connecting sites. Identify the link types, speeds, and utilization that exist so the links can be defined as site link objects. A site link object contains the schedule that determines when replication can occur between the sites that it connects.

For each site link object, determine the cost and schedule. The lowest-cost site link performs replication; determine the priority of each link by setting the cost (default cost is 100; lower cost provides a higher priority). Replication occurs every 3 hours by default; set the schedule according to your needs.

Provide redundancy by configuring a site link bridge. A site link bridge provides fault tolerance for replication.
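The cost and redundancy steps above, as an added example that is not from the slides: site links are modelled as weighted edges (default cost 100), the lowest-cost replication path is found with Dijkstra, bridged links are treated as transitive (the simplification assumed here for a site link bridge), and a check lists links whose failure would cut replication between two sites. The site names, link names and costs are constructed sample data; schedules are not modelled.

```python
import heapq

DEFAULT_COST = 100  # slide: default site link cost

# Constructed sample site links (not from the slides): name -> (sites, cost).
SITE_LINKS = {
    "HQ-Denver": ({"HQ", "Denver"}, 50),
    "HQ-Seattle": ({"HQ", "Seattle"}, DEFAULT_COST),
    "Denver-Seattle": ({"Denver", "Seattle"}, 300),
}

def cheapest_path(src, dst, links, bridged=True, failed=()):
    """Lowest-cost replication path from src to dst as (cost, [sites]).
    bridged=True: links are transitive (site link bridge), so replication
    may relay through intermediate sites; bridged=False: only a direct link
    counts. Links named in `failed` are ignored, which drives the redundancy
    check below. Returns (None, []) when dst is unreachable."""
    adj = {}  # site -> [(neighbour, cost, link name)]
    for name, (sites, cost) in links.items():
        if name in failed:
            continue
        a, b = sorted(sites)
        adj.setdefault(a, []).append((b, cost, name))
        adj.setdefault(b, []).append((a, cost, name))
    if not bridged:
        direct = [c for n, c, _ in adj.get(src, []) if n == dst]
        return (min(direct), [src, dst]) if direct else (None, [])
    best = {src: (0, [src])}          # site -> (cost so far, path)
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            return cost, best[site][1]
        if cost > best[site][0]:      # stale heap entry
            continue
        for nxt, c, _ in adj.get(site, []):
            new = cost + c
            if nxt not in best or new < best[nxt][0]:
                best[nxt] = (new, best[site][1] + [nxt])
                heapq.heappush(heap, (new, nxt))
    return None, []

def single_points_of_failure(src, dst, links):
    """Links whose loss leaves dst unreachable from src; a non-empty list
    means the topology gives that pair no replication redundancy."""
    return sorted(n for n in links
                  if cheapest_path(src, dst, links, failed=(n,))[0] is None)
```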

Installing AD

Domain mode can be divided into:

  • Mixed mode
  • Native mode

Mixed mode

When you first install or upgrade a domain controller to Windows 2000 Server, the domain controller is set to run in mixed mode. Mixed mode allows the domain controller to interact with any domain controllers in the domain that are running previous versions of Windows NT.

Native Mode

When all the domain controllers in the domain run Windows 2000 Server, and you do not plan to add any more pre-Windows 2000 domain controllers to the domain, you can switch the domain from mixed mode to native mode.

During the conversion from mixed mode to native mode:

  • Support for pre-Windows 2000 replication ceases. Because pre-Windows 2000 replication is gone, you can no longer have any domain controllers in your domain that are not running Windows 2000 Server.
  • You can no longer add new pre-Windows 2000 domain controllers to the domain.
  • The server that served as the primary domain controller during migration is no longer the domain master; all domain controllers begin acting as peers.

Operations Masters

An operations master is a domain controller that is responsible for a particular role.

Multimaster replication happens when some changes are replicated across all of the domains in the forest. To avoid replication conflicts, assign a single domain controller as the single master for such changes.

In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest.

Five roles:

  • Schema master
  • Domain naming master
  • Primary domain controller emulator (PDC)
  • Relative identifier master
  • Infrastructure master

Forest-wide roles

Schema master: Controls all updates to the schema, which contains the master list of object classes and attributes.

Domain naming master: Controls the addition or removal of domains in the forest.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide roles

Primary domain controller emulator (PDC): Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running MS Windows NT within a mixed-mode domain. This type of domain has DCs that run Windows NT 4.0. The PDC emulator is the first DC that you create in a new domain.

Relative identifier master (RID master): Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (which is the same for all security IDs created in the domain), and a relative ID that is unique for each security ID created in the domain.
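The SID composition described above, as an added example that is not from the slides: a SID is split into its shared domain part and its RID, and a small model shows why one RID master per domain keeps RIDs unique when several DCs create objects (it is a fact not stated on the slide that the RID master hands each DC a block of RIDs to draw from). The domain SID, DC names and pool size are constructed sample values.

```python
import re

# Constructed sample domain SID (not from the slides).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def split_sid(sid):
    """Split an account SID into (domain SID, RID): the domain part is
    shared by every account in the domain, the RID is the per-object suffix."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return sid.rsplit("-", 1)[0], int(m.group(1))

class RidMaster:
    """Models the RID master role: one allocator per domain hands out
    disjoint RID blocks, so DCs creating objects at the same time can
    never mint the same SID. RIDs below 1000 are reserved for well-known
    accounts, so the sample pool starts at 1000."""
    def __init__(self, first_rid=1000, pool_size=500):
        self.next_rid = first_rid
        self.pool_size = pool_size
    def allocate_pool(self):
        lo, hi = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = hi + 1
        return lo, hi

class DomainController:
    def __init__(self, name, master, domain_sid=DOMAIN_SID):
        self.name, self.master, self.domain_sid = name, master, domain_sid
        self.pool = None  # [next free RID, last RID in block]
    def create_object(self):
        """Issue a SID for a new user/group/computer from this DC's block,
        refilling from the RID master when the block is exhausted."""
        if self.pool is None or self.pool[0] > self.pool[1]:
            self.pool = list(self.master.allocate_pool())
        rid = self.pool[0]
        self.pool[0] += 1
        return f"{self.domain_sid}-{rid}"

def sids_are_unique(sids):
    """Planning check: all SIDs share one domain SID and no RID repeats."""
    parts = [split_sid(s) for s in sids]
    return len({d for d, _ in parts}) == 1 and len({r for _, r in parts}) == len(parts)
```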

Infrastructure master: When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain.

The object reference contains the object's globally unique identifier (GUID), distinguished name and SID.

AD periodically updates the distinguished name and SID whenever an object moves within or between domains or is deleted.

Each domain in a forest has its own PDC emulator, RID master and infrastructure master.