Vikram Thakur: Introduction to Active Directory Structure

Upload: nickolas-dennis

Post on 24-Dec-2015

TRANSCRIPT

Page 1: Vikram Thakur: Introduction to Active Directory Structure

Vikram Thakur

Introduction to Active Directory Structure

Page 2

Agenda
Introduction to Active Directory
FSMO Roles
Replication
Active Directory deployment planning
  Guiding principles
  Structure planning
More information

Page 3

Introduction to Active Directory
What is it?
How does it help?
How is it stored?
Where is it stored?
Can its scope be extended?

Page 4

Domain Controller
These are 'Logon' or 'Authenticating' servers with the NTDS directory
Under any circumstances there should be at least 2 of these DCs
They check for DB consistency
They maintain the domain information

Page 5

AD Properties
It doesn't require the PDC/BDC structure anymore; that went away with NT4
'Delegation' is possible (more later)
It provides an LDAP interface to other applications
Multiple domains can be part of a single AD with inter-site trust (forests)

Page 6

Storage Structure of AD
Comprises two parts:
  Transaction logs
  Database
SYSVOL (old NETLOGON)

Page 7

FSMO
FSMO – Flexible Single Master of Operations
  Schema
  PDC
  RID
  Domain Naming
  Infrastructure

Page 8

Global Catalogs (GCs)
Hold a limited form of AD
Can be modified by using SCHMGMT.DLL
Used for location of resources

Page 9

Replication
AD works in multi-master mode by default
Happens every 5 minutes
Default – every DC replicates with 2 other DCs
KCC is part of LSASS (monitoring that will tell you when you need another DC)
USN (Update Sequence Number)
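The following is an added example, not part of the deck, that checks what slides 4, 7, 8 and 9 assert against a live forest: DC count per domain, the five FSMO role holders, which DCs are Global Catalogs, and per-partner replication state including the last USN received. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the directory.

```powershell
# Added example, not part of the deck: verify what slides 4, 7, 8 and 9 assert about the
# current forest. Assumes the ActiveDirectory RSAT module and a domain-joined session
# with read access to the directory.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

# Slide 4: every domain should have at least two DCs.
$dcs | Group-Object Domain | ForEach-Object {
    $status = if ($_.Count -ge 2) { 'OK' } else { 'WARN: single DC, no redundancy' }
    '{0}: {1} DC(s) - {2}' -f $_.Name, $_.Count, $status
}

# Slide 7: the five FSMO roles. Schema and Domain Naming are forest-wide;
# PDC, RID and Infrastructure exist once per domain.
$forest = Get-ADForest
$domain = Get-ADDomain
$fsmo = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    # An unreachable role holder is the condition FSMO transfer/seizure procedures exist for.
    $reachable = Test-Connection -ComputerName $fsmo[$role] -Count 1 -Quiet
    '{0,-22} {1} (reachable: {2})' -f $role, $fsmo[$role], $reachable
}

# Slide 8: DCs that also hold the Global Catalog partial replica.
$dcs | Where-Object IsGlobalCatalog | ForEach-Object { "GC: $($_.HostName)" }

# Slide 9: one row per inbound replication link. LastChangeUsn is the highest USN
# already received from that partner; a non-zero failure count or a stale
# LastReplicationSuccess means the multi-master copies are diverging.
$dcs | ForEach-Object {
    $dc = $_.HostName
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'DC'; e = { $dc } },
                      @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
                      Partition, LastChangeUsn, LastReplicationSuccess, ConsecutiveReplicationFailures
} | Format-Table -AutoSize
```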

Page 10

Planning and Deployment

Page 11

Deployment Planning
Three steps:
1. Assess: assess your environment
2. Plan: create Active Directory structure plan
3. Migrate: create migration plan

Page 12

Guiding Principles
Keep it simple
Aim for the ideal design
Evaluate several alternatives
Anticipate change

Page 13

Structure Planning
Deliverable: planning documents
  Forest plan
  Domain plan
  OU plan

Page 14

Forest Planning
Start with a forest plan
  Forest plan
  Domain plan
  OU plan
  Site topology

Page 15

Forest Planning: Concepts
Forest
  Configuration
    Site topology
    Domain hierarchy
  Schema
    Class definitions
    Attribute definitions
  Global catalog
  User Principal Name: "[email protected]"

Page 16

Forest Planning: Methodology
Start with a single forest
  Create change control policy
  Schema Admins and Enterprise Admins group membership
Multiple forests may be required
  Cannot agree on change control
  Division requires own schema or config
  Complete trust undesirable

Page 17

Forest Planning: Inter-forest Considerations
Users must be aware of structure
  Explicit query to domain outside forest
  Import objects from other forests
Config, schema managed separately
One-way, non-transitive trust only

Page 18

Domain Planning
Create a domain plan for each forest
  Forest plan
  Domain plan
  OU plan

Page 19

Domain Planning: Concepts
A domain is a partition of a forest
  Unit of partitioning for replication
  Administrative and policy boundary
    Scope of authority of Domain Admins
    Policy and access control do not flow between domains

Page 20

Domain Planning: Methodology
  Forest plan
  Domain plan
  OU plan
Select forest root
Create hierarchy
DNS support
Partition

Page 21

Domain Planning: Partitioning
Start with a single domain
Justify each additional domain
Example justification
  Administrative partitioning (admin/policy)
  Physical partitioning (replication)
  Upgrade existing domain in-place

Page 22

Domain Planning: Obsolete Reasons to Partition
WinNT 4.0: 40,000 object limit
  Active Directory tests: 1,500,000+
Primary Domain Controller (PDC) availability requirements
  Active Directory is multi-master
Delegation of administration
  Resource domains no longer needed
  Delegate within a domain using OUs

Page 23

OU Planning
Create an OU plan for each domain
  Forest plan
  Domain plan
  OU plan

Page 24

OU Planning: Concepts
An Organizational Unit (OU) is a container inside a domain
  Nested to create hierarchical structure
  Not a security principal
Easily changed
Typically not exposed to users
Depth does not impact performance

Page 25

OU Planning: Methodology
  Forest plan
  Domain plan
  OU plan
Delegate administration
Apply Group Policy

Page 26

OU Planning: Delegate Administration
Objects can be permissioned on a per-attribute basis
Very flexible delegation possible
Minimize number of Domain Admins
Example procedure:
1. Delegate full control
2. Delegate full control per object class
3. Delegate control of specific attribute
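As an added example that is not part of the deck, the three-step procedure above written as access control entries on one OU, moving from full control, to full control over one object class, to write access on one attribute. It assumes the ActiveDirectory module; the OU path, the group name and the attribute (telephoneNumber) are placeholders.

```powershell
# Added example, not part of the deck: the slide's three-step delegation procedure
# written as ACEs on one OU. Assumes the ActiveDirectory module; the OU, the group
# and the attribute are placeholders to replace with your own.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDN  = 'OU=Helpdesk-Managed,DC=example,DC=com'   # placeholder OU
$group = Get-ADGroup 'Helpdesk-Operators'          # placeholder group: delegate to groups, not users
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve a class or attribute name to its schemaIDGUID, the value an ACE uses
# to say "this object class" or "this attribute".
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$ldapDisplayName'" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$onKids    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$userClass = Get-SchemaGuid 'user'

# Step 1 (broadest): full control of the OU and everything beneath it.
$step1 = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Step 2 (narrower): full control, but only over objects of class user.
$step2 = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
    $onKids, $userClass)

# Step 3 (narrowest): write a single attribute on user objects and nothing else.
$step3 = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
    (Get-SchemaGuid 'telephoneNumber'), $onKids, $userClass)

# Apply only the narrowest rule that satisfies the requirement; steps 1 and 2 are
# built to make the narrowing visible, not to be stacked on top of step 3.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($step3)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: explicit (non-inherited) ACEs for the group now present on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The ObjectType and InheritedObjectType columns in the verification output are schemaIDGUIDs, which is how the per-attribute permissioning the slide mentions is encoded in the ACL.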

Page 27

OU Planning: Apply Group Policy
Group policy is used to control desktop configurations
  Applied to users and computers
  Associated with sites, domains, or organizational units
Create OUs to apply unique policy
Filter application of policy using access control

Page 28

Summary
Deployment planning
  Assess current environment
  Structure planning
  Migration planning
Start with structure planning
  Forest, domain, OU
Guiding principles
  Keep it simple
  Anticipate change

Page 29

For More Information
Read the Windows 2003 Deployment Guide (on the Windows 2003 CD)
Read the Distributed Systems book in the Windows 2003 Resource Kit
Watch for whitepapers on the Windows 2003 Server home page: http://www.microsoft.com/windows/server/

Page 30

Scenario Discussion – time permitting