Active Directory design recommended practices Mark Cribben Consultant
Agenda
• Forest design principles
• Domain design principles
• Name space design recommendations
• Site / Physical design
• OU design
• Base security considerations
• Branch scenarios
• Management
Forest design principles
• Identify security boundaries
  • The forest is the security boundary (a domain is a replication and administrative boundary, not a security boundary)
• Start with a single forest. Considerations:
  • Acquisition and divesting pattern of the organisation
  • Schema ownership
  • Security
  • Legal considerations (typical in banking scenarios but by no means exclusive to them)
Domain design principles
• Start with a single domain. Considerations are:
  • Replication boundaries
  • Account policy requirements
  • Political
• So what about a placeholder / empty forest root domain?
  • Design recommendations changed within 18 months of Windows 2000 launching, but the message seems to be taking a long time to get out.
  • There is no additional security to be gained through an empty forest root domain. Because the forest, not the domain, is the security boundary, an empty root does not isolate the child domains from each other or from the root; it only adds domain controllers, replication traffic and another set of privileged accounts to secure.
Name space design
• How to name an AD
  • So what's in a name? How important is it after all?
• Where to put name servers
  • Understand the importance of the _msdcs.<forest root domain> zone: it holds the forest-wide locator records (global catalog and DC-by-GUID records) that every DC and client in every domain of the forest depends on to find a GC or a replication partner
• How to replicate DNS information
  • Where possible use AD-integrated zones: secure dynamic update is only available for AD-integrated zones, and the zone data replicates with AD instead of through separately managed zone transfers
  • Allows for multi-master DNS
• How to configure the DCs and clients
  • Advice differs for Windows 2000 and Windows Server 2003 DCs: a Windows 2000 DC hosting the AD-integrated _msdcs zone should not list itself as its preferred DNS server (the DNS "island" problem); Windows Server 2003 corrected this, so a 2003 DC can list itself, with another DC as alternate
  • Clients should be configured to use their local DNS server as preferred, and the nearest hub / data centre as alternate
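The checks and settings above, as an added PowerShell example (not code from the original deck; the ActiveDirectory, DnsServer and DnsClient cmdlets it uses postdate the Windows 2000/2003 era this talk covers). It assumes a forest root of corp.example, that the script runs on a DC or on a machine with RSAT, and that 10.20.0.10 and 10.0.0.10 are placeholder addresses for the local-site and hub DNS servers:

```powershell
# Added example, not from the original deck. Assumptions: forest root corp.example,
# ActiveDirectory/DnsServer/DnsClient modules present, placeholder DNS addresses below.
Import-Module ActiveDirectory, DnsServer, DnsClient

$forestRoot = (Get-ADForest).RootDomain          # e.g. corp.example (assumed)
$msdcsZone  = "_msdcs.$forestRoot"

# 1. _msdcs.<forest root> should be its own AD-integrated zone, replicated forest-wide,
#    so DCs in every domain of the forest can resolve GC and DC-by-GUID records.
$zone = Get-DnsServerZone -Name $msdcsZone -ErrorAction Stop
if (-not $zone.IsDsIntegrated) {
    Write-Warning "$msdcsZone is file-backed; converting to AD-integrated, forest scope"
    ConvertTo-DnsServerPrimaryZone -Name $msdcsZone -ReplicationScope Forest -Force
} elseif ($zone.ReplicationScope -ne 'Forest') {
    Write-Warning "$msdcsZone is AD-integrated but scoped '$($zone.ReplicationScope)'; widening to Forest"
    Set-DnsServerPrimaryZone -Name $msdcsZone -ReplicationScope Forest
}

# 2. Every global catalog must have its forest-wide GC SRV record under _msdcs.
#    A GC missing here is a classic cause of "no global catalog available" logon failures.
$gcRecords = Resolve-DnsName -Name "_ldap._tcp.gc.$msdcsZone" -Type SRV -ErrorAction SilentlyContinue
$gcHosts   = @($gcRecords | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | ForEach-Object {
    if ($gcHosts -notcontains $_.HostName) {
        Write-Warning "GC $($_.HostName) has no SRV record in _ldap._tcp.gc.$msdcsZone"
    }
}

# 3. Client resolver order: local-site DNS server first, nearest hub / data centre second.
$localDns = '10.20.0.10'   # DC/DNS in the client's own site (placeholder)
$hubDns   = '10.0.0.10'    # nearest hub DC/DNS (placeholder)
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses @($localDns, $hubDns)
}
```

Step 3 is the client-side half of the advice; on a Windows Server 2003 or later DC the same cmdlet can list the DC itself with another DC as alternate, which is exactly what should not be done on a Windows 2000 DC hosting the _msdcs zone.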
Site / Physical design (1)
• Identify your deployment model:
  • Centralised
  • Distributed
  • Branch
  • Combination
• Define sites and subnets. Consider:
  • Data centre failure
  • Redundancy
  • Client and application needs
Site / Physical design (2)
• Domain controllers:
  • Location
  • Security
  • Function
  • Administration
• Designing for discovery and failover
  • SRV registration strategy
  • AutoSiteCoverage decisions
Site / Physical design (3)
• Replication:
  • Load balancing on bridgehead (BH) servers
  • Schedule and interval
  • Compression value
  • TombstoneLifetime
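Sites, subnets, a site link with an explicit interval, and a TombstoneLifetime check, as an added PowerShell example (not code from the original deck). Site names, subnets, the link cost and the 15-minute interval are assumptions chosen for illustration:

```powershell
# Added example, not from the original deck. Site names, subnets, cost and interval are assumed.
Import-Module ActiveDirectory

# Site -> client subnets. Every subnet clients use must map to a site; an unmapped client
# can be sent to any DC in the forest, which defeats the whole site design.
$sites = @{
    'Hub-London'   = @('10.0.0.0/16')
    'Branch-Leeds' = @('10.20.0.0/22', '10.20.4.0/24')
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# One site link between hub and branch with an explicit interval. The default of
# 180 minutes is usually too slow for password changes and lockouts to converge.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'London-Leeds'")) {
    New-ADReplicationSiteLink -Name 'London-Leeds' -SitesIncluded 'Hub-London', 'Branch-Leeds' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# TombstoneLifetime is the forest-wide tombstoneLifetime attribute on the Directory Service
# object in the Configuration NC. A DC (or backup) older than this must never be brought
# back into replication: it reintroduces deleted objects as lingering objects.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$dsObj  = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
# When the attribute is absent (forests first built on Windows 2000 / early 2003) the
# effective value is 60 days; later forests set 180 explicitly.
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
Write-Output "Forest tombstoneLifetime: $tsl days"

# Flag any DC whose last successful inbound replication of a partition is older than
# half the TSL: it still has time to be fixed before it becomes unsafe to reconnect.
Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-($tsl / 2)) } |
    ForEach-Object {
        Write-Warning "$($_.Server) last replicated $($_.Partition) from $($_.Partner) on $($_.LastReplicationSuccess)"
    }
```

The half-TSL threshold is a choice for the example; the non-negotiable part is that the limit is read from the forest rather than assumed, because the default differs with the forest's age.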
OU design
• OUs have two primary roles:
  • Delegation of administration
  • Application of Group Policy
• Most common (sensible!) OU design approach:
  • Device / object type
• Try to avoid:
  • Too many OUs / levels of nesting
  • Following your org chart (it changes far more often than your administrative model and Group Policy requirements do)
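An object-type OU layout, one delegation scoped to a single OU, a GPO linked at that OU, and a nesting-depth check, as an added PowerShell example (not code from the original deck). The domain, the CORP\Desktop-Admins group, the GPO name and the depth limit of 3 are assumptions:

```powershell
# Added example, not from the original deck. Group name, GPO name and depth limit are assumed.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# Top-level OUs by object type: each one is a natural delegation and GPO scope.
$ous = @('Workstations', 'Servers', 'Users', 'Groups', 'ServiceAccounts')
foreach ($ou in $ous) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Delegation: the desktop team may create and delete computer objects under Workstations
# only. dsacls.exe is the built-in tool; CC/DC = create child / delete child, restricted to
# the computer object class; /I:T applies to this OU and everything below it.
$wsOU = "OU=Workstations,$domainDN"
& dsacls.exe $wsOU /I:T /G 'CORP\Desktop-Admins:CCDC;computer'

# Group Policy linked at the OU, not at the domain, so it follows the object type.
$gpoName = 'Workstation Baseline'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
New-GPLink -Name $gpoName -Target $wsOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# Nesting check: count OU= components in each DN (splitting on unescaped commas only)
# and warn about anything deeper than the chosen limit.
$maxDepth = 3
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $depth = @($_.DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'OU=*' }).Count
    if ($depth -gt $maxDepth) {
        Write-Warning "$($_.DistinguishedName) is $depth levels deep (limit $maxDepth)"
    }
}
```

The dsacls grant is deliberately narrow: it names the object class, so the desktop team cannot create users or groups in that OU, and it is granted on the OU rather than at the domain, so nothing outside Workstations is affected.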
Branch Scenarios
• Bear in mind that Branch Office does not automatically mean retail banking!
• Primarily a scenario where you have lots of remote locations that have users, but not necessarily a large number of them or good quality, high-bandwidth connections.
• Key issues:
  • Administration
  • Placement of domain controllers / GCs
  • Applications at the remote site
  • Available bandwidth
  • Replication, including bridgehead server load balancing, replication scheduling and convergence
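The SRV registration and AutoSiteCoverage decisions from the physical design slides applied to a branch DC, as an added PowerShell example (not code from the original deck). It is meant to run on the branch DC itself; the list of record mnemonics is an illustrative subset of the documented DnsAvoidRegisterRecords values and should be trimmed to what the branch must still serve (for instance keep the Kdc records if it is the only KDC reachable from that site):

```powershell
# Added example, not from the original deck. Run on the branch DC; mnemonic list is illustrative.
Import-Module ActiveDirectory, DnsClient

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. AutoSiteCoverage: by default a DC also advertises itself for any site that has no DC
#    of its own, so clients in a neighbouring empty site may be dragged across the WAN
#    to this branch. Turn it off on branch DCs; leave hub DCs to cover empty sites.
Set-ItemProperty -Path $netlogon -Name AutoSiteCoverage -Value 0 -Type DWord

# 2. DnsAvoidRegisterRecords: suppress the generic (non-site) locator records so that only
#    hub DCs are found by clients and DCs outside the branch. The *AtSite records are not
#    listed, so clients inside the branch site still discover this DC normally.
$avoid = @('Ldap', 'LdapIpAddress', 'Gc', 'GcIpAddress', 'GenericGc', 'Kdc', 'Dc',
           'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd')
Set-ItemProperty -Path $netlogon -Name DnsAvoidRegisterRecords -Value $avoid -Type MultiString

# 3. Re-register and verify. Netlogon deregisters its records on stop and registers the
#    remaining set on start; clear the local cache before querying.
Restart-Service Netlogon
Clear-DnsClientCache

$me     = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain = (Get-ADDomain).DNSRoot
$generic = @(Resolve-DnsName "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
$atSite  = @(Resolve-DnsName "_ldap._tcp.$($me.Site)._sites.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)

if ($generic -contains $me.HostName) {
    Write-Warning "$($me.HostName) is still in the generic DC record set; records may not have aged out yet"
}
if ($atSite -notcontains $me.HostName) {
    Write-Warning "$($me.HostName) is missing from the $($me.Site) site-specific DC records"
}
```

Because this is a registry-driven per-DC setting, it belongs in the branch build document and in the monitoring baseline: a rebuilt branch DC that silently drops the setting will start attracting cross-WAN traffic again.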
Management
• Do not even think about deploying Active Directory without providing management support.
• We have seen too many situations where customers have problems that could so easily have been avoided with even a basic monitoring solution / process!
• Managing the Directory Service:
  • MOM (Microsoft Operations Manager) is an option
  • If MOM cannot be deployed then provide processes, scripts and tools to allow ongoing management
• Group Policy
  • At the very least install GPMC (the Group Policy Management Console)!
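A minimal scheduled health check of the kind the slide calls for when no monitoring product is deployed, as an added PowerShell example (not code from the original deck). The 24-hour staleness threshold, the event source name and the event ID are assumptions:

```powershell
# Added example, not from the original deck. Threshold, event source and event ID are assumed.
Import-Module ActiveDirectory

$forest          = Get-ADForest
$staleAfterHours = 24
$problems        = @()

# 1. Replication failures as reported by every DC in the forest.
Get-ADReplicationFailure -Target $forest.Name -Scope Forest | ForEach-Object {
    $problems += "Replication failure on $($_.Server) from $($_.Partner): " +
                 "$($_.FailureType), $($_.FailureCount) consecutive, last error $($_.LastError)"
}

# 2. Partners whose last successful inbound replication is older than the threshold.
Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$staleAfterHours) } |
    ForEach-Object {
        $problems += "$($_.Server) has not replicated $($_.Partition) from $($_.Partner) since $($_.LastReplicationSuccess)"
    }

# 3. Every DC in every domain must be advertising; dcdiag remains the reference tool.
#    /q prints only errors, so any output (or a non-zero exit code) is a failure.
foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $out = & dcdiag.exe "/s:$($dc.HostName)" /test:Advertising /q
        if ($LASTEXITCODE -ne 0 -or $out) {
            $problems += "dcdiag Advertising failed on $($dc.HostName): $(($out -join ' ').Trim())"
        }
    }
}

# 4. GPMC present on the management host (the deck's bare minimum for Group Policy).
if (-not (Get-Module -ListAvailable -Name GroupPolicy)) {
    $problems += 'GroupPolicy (GPMC) module is not installed on this host'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    # Also write to the Application log so an existing collector (or a person) sees it.
    if (-not [System.Diagnostics.EventLog]::SourceExists('ADHealthCheck')) {
        New-EventLog -LogName Application -Source 'ADHealthCheck'
    }
    Write-EventLog -LogName Application -Source 'ADHealthCheck' -EntryType Error -EventId 1001 `
        -Message ($problems -join "`n")
} else {
    Write-Output 'AD health check passed'
}
```

Run it from a scheduled task on a management host rather than on a DC, so that a DC that has stopped replicating cannot also be the machine that stops reporting it.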
©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Welcome to this TechNet Event
We would like to bring your attention to the key elements of the TechNet programme, the central information and community resource for IT professionals in the UK:
• FREE bi-weekly technical newsletter
• FREE regular technical events hosted across the UK
• FREE weekly UK & US led technical webcasts
• FREE comprehensive technical web site
• Monthly CD / DVD subscription with the latest technical tools & resources
• FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break.