
Active Directory design recommended practices



Presentation Transcript


  1. Active Directory design recommended practices
     Mark Cribben, Consultant

  2. Agenda
     • Forest design principles
     • Domain design principles
     • Name space design recommendations
     • Site / Physical design
     • OU design
     • Base security considerations
     • Branch scenarios
     • Management

  3. Forest design principles
     • Identify security boundaries
     • The forest is the security boundary
     • Start with a single forest. Considerations:
       • Acquisition and divesting pattern of the organisation
       • Schema ownership
       • Security
       • Legal considerations (typical in banking scenarios, but by no means exclusive to them)

  4. Domain design principles
     • Start with a single domain. Considerations are:
       • Replication boundaries
       • Account policy requirements
       • Political
     • So what about a placeholder / empty forest root domain?
       • Design recommendations changed within 18 months of Windows 2000 launching, but the message seems to be taking a long time to get out.
       • There is no additional security to be gained through an empty forest root domain.

  5. Name space design
     • How to name an AD
       • So what’s in a name? How important is it after all?
     • Where to put name servers
       • Understand the importance of the _msdcs.<forest root domain> zone
     • How to replicate DNS information
       • Where possible, use AD-integrated zones: this increases security and reduces the management overhead of replicating the information
       • Allows for multi-master DNS
     • How to configure the DCs and clients
       • Advice is different for Windows 2000 and Windows Server 2003 DCs
       • Clients should be configured to use their local DNS server as the primary, with the nearest hub / data centre as the alternate

  6. Site / Physical design (1)
     • Identify your deployment model:
       • Centralised
       • Distributed
       • Branch
       • Combination
     • Define sites and subnets. Consider:
       • Data centre failure
       • Redundancy
       • Client and application needs
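Defining sites and subnets is where most locator problems are born, so here is a small design check, added as an example and not part of the presentation: it loads a constructed site-to-subnet table, rejects a prefix assigned to two sites, maps a client address to a site by longest-prefix match (the rule the DC locator applies, which is why a branch /24 nested inside a regional /16 is legitimate), and lists client addresses that no subnet object covers. All site names, subnets and client addresses are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample design (not the presenter's data): site -> subnet objects.
SITE_SUBNETS: Dict[str, List[str]] = {
    "London-Hub":   ["10.1.0.0/16", "10.2.0.0/16"],
    "Manchester":   ["10.3.0.0/16"],
    "Leeds-Branch": ["10.3.200.0/24"],   # deliberately nested inside Manchester's /16
}

Row = Tuple[ipaddress.IPv4Network, str]


def load_subnets(site_subnets: Dict[str, List[str]]) -> List[Row]:
    """Turn the design table into (network, site) rows. strict=True rejects a
    subnet object whose host bits are set, e.g. 10.3.0.1/16, which is a typo
    in the design rather than a usable subnet."""
    rows: List[Row] = []
    for site, nets in site_subnets.items():
        for n in nets:
            rows.append((ipaddress.ip_network(n, strict=True), site))
    return rows


def duplicate_subnets(rows: List[Row]) -> List[str]:
    """The same prefix assigned to two sites is a design error: the locator
    cannot decide which site that range belongs to. Nesting (a /24 inside a
    /16 that belongs to another site) is fine and resolved by prefix length."""
    owner: Dict[str, str] = {}
    dups: List[str] = []
    for net, site in rows:
        key = str(net)
        if key in owner and owner[key] != site:
            dups.append(key)
        owner.setdefault(key, site)
    return dups


def site_for_ip(ip: str, rows: List[Row]) -> Optional[str]:
    """Longest-prefix match, as the DC locator does when it maps a client
    address to a site. None means no subnet object covers the client."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Row] = None
    for net, site in rows:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def uncovered_clients(ips: List[str], rows: List[Row]) -> List[str]:
    """Clients outside every subnet object are not assigned to any site and
    will pick a DC without regard to network location."""
    return [ip for ip in ips if site_for_ip(ip, rows) is None]


if __name__ == "__main__":
    rows = load_subnets(SITE_SUBNETS)
    print("duplicate subnets:", duplicate_subnets(rows))
    for client in ("10.3.200.17", "10.3.1.5", "192.168.1.1"):   # constructed clients
        print(client, "->", site_for_ip(client, rows))
    print("uncovered:", uncovered_clients(["10.1.5.5", "192.168.1.1"], rows))
```

Running it against a real export (for example the subnet objects under CN=Subnets in the configuration partition) turns the "define sites and subnets" bullet into something you can test before and after every network change.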

  7. Site / Physical design (2)
     • Domain controllers:
       • Location
       • Security
       • Function
       • Administration
     • Designing for discovery and failover
       • SRV registration strategy
       • Autositecoverage decisions
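Slide 5 stresses the _msdcs zone and slide 7 asks for an SRV registration strategy and deliberate autositecoverage decisions; the two meet in the SRV owner names themselves. The following added example (not from the presentation) parses the three layouts that zone uses, role-wide (`_ldap._tcp.dc._msdcs.<domain>`), per-site (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) and the `<GUID>.domains` entries, and then, given which site each DC actually sits in, separates sites served by their own DC from sites whose records were registered by a DC elsewhere through automatic site coverage. The record list, host names and site names are constructed sample data.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: (SRV owner name, target host) pairs in the shape the
# _msdcs zone of a forest root domain takes. Not the presenter's data.
SRV_RECORDS: List[Tuple[str, str]] = [
    ("_ldap._tcp.dc._msdcs.corp.example.com", "dc1.corp.example.com"),
    ("_ldap._tcp.dc._msdcs.corp.example.com", "dc2.corp.example.com"),
    ("_ldap._tcp.pdc._msdcs.corp.example.com", "dc1.corp.example.com"),
    ("_ldap._tcp.gc._msdcs.corp.example.com", "dc1.corp.example.com"),
    ("_ldap._tcp.London-Hub._sites.dc._msdcs.corp.example.com", "dc1.corp.example.com"),
    ("_kerberos._tcp.London-Hub._sites.dc._msdcs.corp.example.com", "dc1.corp.example.com"),
    ("_ldap._tcp.Manchester._sites.dc._msdcs.corp.example.com", "dc2.corp.example.com"),
    # Leeds-Branch has no DC of its own: dc1 registered here via autositecoverage.
    ("_ldap._tcp.Leeds-Branch._sites.dc._msdcs.corp.example.com", "dc1.corp.example.com"),
]
# Which site each DC physically sits in (constructed).
DC_SITE: Dict[str, str] = {
    "dc1.corp.example.com": "London-Hub",
    "dc2.corp.example.com": "Manchester",
}


def parse_msdcs_srv(name: str) -> Optional[dict]:
    """Split an _msdcs SRV owner name into service, protocol, site, role,
    GUID and domain. DNS names are case-insensitive, so everything is
    lower-cased. Returns None for names outside the three _msdcs layouts."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 4 or "_msdcs" not in labels:
        return None
    i = labels.index("_msdcs")
    service, proto, middle = labels[0], labels[1], labels[2:i]
    rec = {"service": service, "proto": proto, "site": None, "role": None,
           "guid": None, "domain": ".".join(labels[i + 1:])}
    if len(middle) == 1:                               # _ldap._tcp.dc._msdcs.<domain>
        rec["role"] = middle[0]
    elif len(middle) == 3 and middle[1] == "_sites":   # _ldap._tcp.<site>._sites.dc._msdcs.<domain>
        rec["site"], rec["role"] = middle[0], middle[2]
    elif len(middle) == 2 and middle[1] == "domains":  # _ldap._tcp.<GUID>.domains._msdcs.<forest root>
        rec["guid"], rec["role"] = middle[0], "domains"
    else:
        return None
    return rec


def site_coverage(srv_records, dc_site) -> Dict[str, Dict[str, Set[str]]]:
    """For every site with site-specific DC records, split the registering
    hosts into DCs located in that site and DCs from elsewhere (automatic
    site coverage). Only _ldap records are counted so each DC appears once."""
    dc_site = {h.lower(): s.lower() for h, s in dc_site.items()}
    cov: Dict[str, Dict[str, Set[str]]] = {}
    for name, target in srv_records:
        rec = parse_msdcs_srv(name)
        if not rec or rec["service"] != "_ldap" or rec["role"] != "dc" or rec["site"] is None:
            continue
        entry = cov.setdefault(rec["site"], {"local": set(), "covering": set()})
        host = target.lower()
        entry["local" if dc_site.get(host) == rec["site"] else "covering"].add(host)
    return cov


def covered_only_sites(cov) -> List[str]:
    """Sites served purely by automatic site coverage: each is a decision to
    confirm (accept the WAN hop, or place a DC) rather than an accident."""
    return sorted(site for site, e in cov.items() if not e["local"])


if __name__ == "__main__":
    for site, e in site_coverage(SRV_RECORDS, DC_SITE).items():
        print(site, "local:", sorted(e["local"]), "covering:", sorted(e["covering"]))
    print("covered only:", covered_only_sites(site_coverage(SRV_RECORDS, DC_SITE)))
```

In practice the record list comes from a zone export or from querying the per-site names directly; the parser is what lets a script tell "this site has its own DC" from "a hub DC is covering this site", which is exactly the decision the slide asks you to make on purpose.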

  8. Site / Physical design (3)
     • Replication:
       • Load balancing on BH (bridgehead) servers
       • Schedule and interval
       • Compression value
       • TombstoneLifetime

  9. OU design
     • OUs have two primary roles:
       • Delegation of admin
       • Application of Group Policy
     • Most common (sensible!) OU design approaches:
       • Device / object type
     • Try to avoid:
       • Too many OUs / levels of nesting
       • Following your org chart

  10. Branch Scenarios
     • Bear in mind that Branch Office does not automatically mean retail banking!
     • Primarily a scenario where you have lots of remote locations that have users, but not necessarily a large number of them or good-quality, high-bandwidth connections.
     • Key issues:
       • Administration
       • Placement of Domain Controllers / GCs
       • Applications at the remote site
       • Available bandwidth
       • Replication, including BH server load balancing, replication scheduling and convergence

  11. Management
     • Do not even think about deploying Active Directory without providing management support.
     • We have seen too many situations where customers have problems that could so easily have been avoided with even a basic monitoring solution / process!
     • Managing the Directory Service:
       • MOM is an option
       • If MOM cannot be deployed then provide processes, scripts and tools to allow ongoing management
     • Group Policy
       • At the very least install GPMC!
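The "basic monitoring solution / process" the slide asks for can be very small. The added example below, not from the presentation, is the core of such a script: given the last successful inbound replication time and failure count per partner and naming context (collected on each DC by whatever means you have), it classifies each partnership as ok, warning, critical, or, once the age passes the forest's tombstone lifetime (slide 8), a lingering-object risk, because a DC that has not replicated for longer than that can hold objects whose tombstones have already been garbage-collected elsewhere. The status rows, the "now" timestamp and the 60-day tombstone lifetime are constructed; use the tombstoneLifetime value of your own forest.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample of what a collection script would gather from each DC:
# one row per inbound replication partner and naming context. Not real data.
PARTNER_STATUS: List[dict] = [
    {"dc": "dc1", "partner": "dc2", "nc": "DC=corp,DC=example,DC=com",
     "last_success": "2004-03-10T08:15:00Z", "failures": 0},
    {"dc": "dc1", "partner": "dc3", "nc": "DC=corp,DC=example,DC=com",
     "last_success": "2004-03-08T02:00:00Z", "failures": 12},
    {"dc": "dc2", "partner": "dc4", "nc": "CN=Configuration,DC=corp,DC=example,DC=com",
     "last_success": "2003-12-20T23:30:00Z", "failures": 390},
]
NOW = datetime(2004, 3, 10, 9, 0, tzinfo=timezone.utc)   # constructed "now"
TOMBSTONE_LIFETIME_DAYS = 60   # constructed; read your forest's tombstoneLifetime

LEVELS = ("ok", "warning", "critical", "lingering-object-risk")


def parse_ts(s: str) -> datetime:
    """Timestamps are stored as UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(row: dict, now: datetime = NOW, warn_hours: int = 24,
             critical_days: int = 7, tsl_days: int = TOMBSTONE_LIFETIME_DAYS) -> str:
    """Severity grows with the age of the last successful replication; any
    recorded failure is at least a warning even when the age is still small."""
    age = now - parse_ts(row["last_success"])
    if age > timedelta(days=tsl_days):
        return "lingering-object-risk"
    if age > timedelta(days=critical_days):
        return "critical"
    if age > timedelta(hours=warn_hours) or row["failures"] > 0:
        return "warning"
    return "ok"


def report(rows: List[dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Group partnerships by severity, each labelled 'dc <- partner (nc)'."""
    out: Dict[str, List[str]] = {level: [] for level in LEVELS}
    for r in rows:
        out[classify(r, now)].append(f'{r["dc"]} <- {r["partner"]} ({r["nc"]})')
    return out


if __name__ == "__main__":
    for level, items in report(PARTNER_STATUS).items():
        for item in items:
            print(f"{level:22} {item}")
```

Scheduled daily and pointed at an alerting channel, this is the "process, scripts and tools" fallback the slide describes for environments where MOM cannot be deployed; the thresholds are design decisions and should track the convergence targets you set for the site topology.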

  12. ©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

  13. Welcome to this TechNet Event
     We would like to bring your attention to the key elements of the TechNet programme, the central information and community resource for IT professionals in the UK:
     • FREE bi-weekly technical newsletter
     • FREE regular technical events hosted across the UK
     • FREE weekly UK & US led technical webcasts
     • FREE comprehensive technical web site
     • Monthly CD / DVD subscription with the latest technical tools & resources
     • FREE quarterly technical magazine
     To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break.

  14. http://www.microsoft.com/uk/technet
