planning an active directory server deployment

8/4/2019 Planning an Active Directory Server Deployment

http://slidepdf.com/reader/full/planning-an-active-directory-server-deployment 1/64



Directory ServiceDirectory Service

• A directory service is a repository of information about the resources —hardware, software, and human —

that are connected to a network.• Users, computers, and applicationsthroughout the network can accessthe repository for a variety of purposes, including userauthentication, storage of configuration data, and even simplewhite pages–style informationlookups.



Active DirectoryActive Directory

• Active Directory is the directory servicethat Microsoft first introduced in Windows2000 Server, and which they haveupgraded in each successive serveroperating system release, includingWindows Server 2008.– Active Directory makes services and

resources available.– Provide authentication and authorization

• Authentication is the process of verifyinga user’s identity.

• Authorization is the process of grantingthe user access only to the resources he orshe is permitted to use.



DomainDomain

• A domain is a logical container of each network component over whichyou have control and organize in one

respective entity.• Each domain was hosted by at least

one server designated as a domain

controller .



Active Directory ObjectsActive Directory Objects

• An Active Directory domain is ahierarchical structure that takes the formof a tree, much like a file system.

• The domain consists of objects, each of which represents a logical or physicalresource.

• There are two basic classes of objects:container objects and leaf objects.– A container object , including domains, is

one that can have other objectssubordinate to it.

– A leaf object can represent users,computers, groups, applications, and other



Active Directory AttributesActive Directory Attributes



Directory SchemaDirectory Schema

• Different object types have different setsof attributes, depending on their functions.

• The attributes each type of object canpossess, both required and optional, thetype of data that can be stored in eachattribute, and the object’s place in thedirectory tree are all defined in thedirectory schema.

• In Active Directory, unlike Windows NTdomains, the directory schema elementsare extensible, enabling applications toadd their own object types to thedirectory, or add attributes to existing



Additional User Attributes for MicrosoftAdditional User Attributes for MicrosoftExchangeExchange



Organizational Unit (OU)Organizational Unit (OU)

• A container object that functions in asubordinate capacity to a domain,something like a subdomain, but withoutthe complete separation of securitypolicies.

• As a container object, OUs can containother OUs, as well as leaf objects.

• You can apply separate Group Policy to anOU, and delegate the administration of anOU as needed.

• However, an OU is still part of the domainand still inherits policies and permissionsfrom its parent objects.



GroupsGroups

• Active Directory supports groups withvarying capabilities, as defined by thegroup type and the group scope.

• There are two group types in ActiveDirectory:– Security groups — Administrators use

security groups to assign permissions anduser rights to a collection of objects. In thevast majority of cases, the term “group”refers to a security group.

– Distribution groups — Applications usedistribution groups for non-security–related

functions, such as sending email messagesto a collection of users.



Group NestingGroup Nesting



Domain TreeDomain Tree

• When designing an Active Directoryinfrastructure, you might, in somecases, want to create multiple

domains.• Active Directory scales upward from

the domain just as easily as it scales

downward.



Internal Active Directory Domain TreeInternal Active Directory Domain Tree



Active Directory Domain Tree using anActive Directory Domain Tree using anInternet Domain NameInternet Domain Name



ForestForest

• An Active Directory forest consistsof one or more separate domaintrees, which have the same two-way

trust relationships between them astwo domains in the same tree.

• When you create the first domain on

an Active Directory network, you arein fact creating a new forest, andthat first domain becomes the forest

root domain .



Global CatalogGlobal Catalog

• Domains function as the hierarchicalboundaries for the Active Database aswell.

• A domain controller maintains only thepart of the Active Directory database thatdefines that domain and its objects.

• Active Directory clients still need a way tolocate and access the resources of otherdomains in the same forest.

• To make this possible, each forest has aglobal catalog, which is a list of all of theobjects in the forest, along with a subsetof each object’s attributes.



Functional LevelsFunctional Levels

• Every Active Directory forest has afunctional level, as does everydomain.

• Functional levels are designed toprovide backwards compatibility inActive Directory installations running

domain controllers with variousversions of the Windows Serveroperating system.



Domain ControllersDomain Controllers

• Each domain on an Active Directorynetwork should have at least two domaincontrollers, to ensure that the ActiveDirectory database is available to clients

at all times, and to provide clients withready access to a nearby domaincontroller.

• How many domain controllers you installfor each of your domains, and where youlocate them, is an important part of designing an Active Directoryinfrastructure.

• Also important is an understanding of how



Lightweight Directory Access ProtocolLightweight Directory Access Protocol(LDAP)(LDAP)

• The standard communicationsprotocol for directory serviceproducts, including Active Directory.

• LDAP defines the format of thequeries that Active Directory clientssend to domain controllers, as well

as providing a naming structure foruniquely identifying objects in thedirectory.



Active Directory ReplicationActive Directory Replication

• Active Directory uses multiple-master replication.

• When a change is made to a domainobject on any domain controller, thatchange is replicated to all of theother domain controllers.



Read-Only Domain ControllersRead-Only Domain Controllers

• One of the new Active Directoryfeatures in Windows Server 2008 isthe ability to create a Read-Only

Domain Controller (RODC) , whichis a domain controller that supportsonly incoming replication traffic.

• As a result, it is not possible tocreate, modify, or delete ActiveDirectory objects using the RODC.



SitesSites

• To facilitate the replication process, ActiveDirectory includes another administrativedivision called the site.

• A site is defined as a collection of subnets

that have good connectivity betweenthem.• Good connectivity is understood to be at

least T-1 speed (1.544 megabits persecond).

• Generally speaking, this means that a siteconsists of all the local area networks(LANs) at a specific location.

• A different site would be a network at aremote location, connected to the other-



SitesSites

• A site topology consists of threeActive Directory object types:– Sites — A site object represents the

group of subnets at a single location,with good connectivity.

– Subnets — A subnet object represents

an IP network at a particular site.– Site links — A site link object

represents a WAN connection betweentwo sites.



Designing an Active DirectoryDesigning an Active DirectoryInfrastructureInfrastructure

• The process of designing an ActiveDirectory infrastructure consists of the following basic phases:

– Designing the domain name space.– Designing the internal domain

structure.

– Designing a site topology.– Designing a Group Policy strategy.



Additional Active Directory DomainsAdditional Active Directory Domains

• Reasons to Create:– Isolated

replication–

Unique domainpolicy– Domain upgrades

• Reasons Not toCreate:– Size

– Administration



Designing a Tree StructureDesigning a Tree Structure

• Includes how you are going toarrange the domains to form a treeand deciding how you are going toname your domains and whichdomain will be the forest root.



Designing a Tree StructureDesigning a Tree Structure

• If you plan to create domainscorresponding to remote sites ororganizational divisions, the most commonpractice is to make them all subdomains in

the same tree, with a single root domainat the top.• The first domain you create in an Active

Directory forest — the forest root domain

— is critical, because it has specialcapabilities.– The Schema Administrators group exists only

in the forest root domain, and the members

of that group have the ability to modify theActive Director schema, which affects all of



Internal Domain StructureInternal Domain Structure

• Once you create a design for yourActive Directory domains and thetrees and forests superior to them, it

is time to zoom in on each domainand consider the hierarchy you wantto create inside it.



Organizational UnitsOrganizational Units

• Creating OUs should be based on:– Duplicating organization divisions.– Assigning Group Policy Settings.– Delegating administration.



Group PoliciesGroup Policies

• Group Policy is one of the most powerfulfeatures of Active Directory.

• Using Group Policy, you can deploy

hundreds of configuration settings to largecollections of users at once.• To deploy Group Policy settings, you must

create group policy objects (GPOs) and

link them to Active Directory domains,organizational units, or sites.

• Every object in the container to which theGPO is linked receives the settings youconfi ure in it.



Deploying Active Directory DomainDeploying Active Directory DomainServicesServices

• Although it does not actually convertthe computer into a domaincontroller, installing the Active

Directory Domain Services roleprepares the computer for theconversion process.



Active Directory Domain Services RoleActive Directory Domain Services Role



Active Directory Domain ServicesActive Directory Domain ServicesInstallation WizardInstallation Wizard



The Choose a Deployment The Choose a DeploymentConfiguration PageConfiguration Page



The Name the Forest Root Domain The Name the Forest Root DomainPagePage



The Domain NetBIOS Name Page The Domain NetBIOS Name Page



The Set Forest Functional Level Page The Set Forest Functional Level Page



The Location for Database, Log Files The Location for Database, Log Filesand SYSVOL Pageand SYSVOL Page



The Directory Services Restore The Directory Services RestoreMode Administrator Password PageMode Administrator Password Page



The Summary Page The Summary Page



The Choose a Deployment The Choose a DeploymentConfiguration PageConfiguration Page



The Network Credentials Page The Network Credentials Page



The Name the New Domain Page The Name the New Domain Page



The Select a Site Page The Select a Site Page



The Select a Domain Page The Select a Domain Page



SummarySummary

• A directory service is a repository of information about the resources —hardware, software, and human —

that are connected to a network.• Active Directory is the directory

service that Microsoft first introduced

in Windows 2000 Server and thatthey have upgraded in eachsuccessive server operating systemrelease, including Windows Server



SummarySummary

• Users that are joined to an ActiveDirectory domain log on to thedomain, not to an individual

computer or application, and are ableto access any resources in thatdomain for which administratorshave granted them the properpermissions.



SummarySummary

• In Active Directory, you can subdivide adomain into organizational units andpopulate it with objects.– You can also create multiple domains and

group them into sites, trees, and forests.• An organizational unit (OU) is a container

object that functions in a subordinate

capacity to a domain.– OUs can contain other OUs, as well as leaf

objects. You can apply separate GroupPolicy to an OU and delegate the

administration of an OU as needed.



SummarySummary

• Like organizational units, group objectsare containers, but groups are not full-fledged security divisions as OUs are.– You cannot apply Group Policy settings to a

group object.• When you create your first domain on an

Active Directory network, you are, in

essence, creating the root of a domaintree.– You can populate the tree with additional

domains as long as they are part of the

same contiguous namespace.



SummarySummary

• An Active Directory forest consists of two or more separate domain trees,which have the same two-way trust

relationships between them as twodomains in the same tree.• To facilitate the replication process,

Active Directory includes anotheradministrative division called thesite.

• A site is defined as a collection of



SummarySummary

• A critical difference between a domaintree hierarchy and the OU hierarchy withina domain is inheritance.

• When you assign Group Policy settings toa domain, the settings apply to all leaf objects in that domain, but not to thesubdomains that are subordinate to it.

• When you assign Group Policy settings toan OU, those settings apply to all leaf objects in the OU, and the settings areinherited by any subordinate OUs itcontains.



SummarySummary

• Part of the internal domain designprocess consists of deciding whereyou are going to deploy GPOs and

creating a hierarchy that does notapply too many GPOs to individualleaf objects.

planning an active directory server deployment

Documents