Chapter 5: Active Directory Logical Design
Objectives
• Choose the best DNS name for a domain
• Make Active Directory forest design decisions
• Make Active Directory domain design decisions
• Understand the roles and describe the characteristics of trusts
• Describe the role and characteristics of organizational units
• Understand the different functionality levels of Active Directory and how to upgrade Windows NT and 2000 domains

1. CHOOSING A DNS NAME FOR ACTIVE DIRECTORY
• DNS defines the namespace used by Active Directory
• Choosing the DNS name of a domain
  • Not a decision to take lightly
  • Don't put it off until the last minute
• DNS name
  • Used extensively throughout the domain
  • Affects every member of the domain

What Makes a Good DNS Name?
• Meaningful
• Scalable
• Should represent the entire business
• Support current and future plans

Making the Name Meaningful and Scalable
• DNS name chosen for the first domain created in the tree
  • Part of the DNS names for all child domains
• Represent the whole of the enterprise
• Allow for future growth

Two Common Uses for DNS: Internet Presence and Active Directory
• Namespace used by Active Directory
• Internet presence:
  • Web site
  • Email
  • E-commerce

Choosing How DNS Names for Internet and Active Directory Are Related
• Choices:
  • Use the same DNS name for both
  • Use completely different names altogether
  • Delegate a subdomain from the Internet name for Active Directory

Using the Same DNS Name for Active Directory and Internet Presence
• CHOICE A
• Requires complicated steps to prevent confidential data from being made available publicly
• Not recommended
• Can use a technique called split DNS

Using Completely Different Names for Active Directory and Internet Presence
• CHOICE B
• No possibility of conflict
• Management of names and hosts for the Internet is completely separate from Active Directory
• Designers must ensure that internal clients can resolve both:
  • Internal names to support Active Directory
  • External names to access Internet resources

Using Completely Different Names for Active Directory and Internet Presence (continued)

Delegating a Subdomain from the Internet Presence Subdomain for Active Directory
• CHOICE C
• Uses separate zones to keep Active Directory and Internet presence apart
• Subdomain is delegated from the existing Internet presence name
• Simple to set up
• No client configuration required

Delegating a Subdomain from the Internet Presence Subdomain for Active Directory (continued)

Best Practices for Choosing a DNS Name
• Delegated subdomain recommended
• Windows 2000 Server:
  • Microsoft recommended that all domain controllers act as DNS servers
  • Mostly true with Windows Server 2003 as well
• DomainDnsZones Active Directory application partition in Windows Server 2003
  • Can affect DNS server placement
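The three naming choices above (A: same name, B: different name, C: delegated subdomain), as an added example that is not part of the original slides: a toy internal resolver that shows why Choice A leaves internal clients unable to reach the public Web and mail hosts until the records are duplicated (split DNS), while Choices B and C never shadow the public zone. All zone names, hostnames and addresses are constructed samples.

```python
# Added example (not from the slides): simulate what an internal client's DNS
# server answers under each naming choice. Names and addresses are constructed.

# What public DNS answers for the organisation's Internet presence.
PUBLIC_RECORDS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
}

# Choice A: internal AD zone is "example.com" and holds only AD hosts.
CHOICE_A = {"example.com": {"dc1.example.com": "10.0.0.5"}}
# Choice A with split DNS: the public records are copied into the internal zone.
CHOICE_A_SPLIT = {"example.com": {"dc1.example.com": "10.0.0.5", **PUBLIC_RECORDS}}
# Choice B: an internal name unrelated to the Internet presence.
CHOICE_B = {"corp.local": {"dc1.corp.local": "10.0.0.5"}}
# Choice C: a subdomain delegated from the Internet name.
CHOICE_C = {"ad.example.com": {"dc1.ad.example.com": "10.0.0.5"}}


def authoritative_zone(name, internal_zones):
    """Longest internal zone containing `name` (e.g. example.com for dc1.example.com), or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in internal_zones:
            return candidate
    return None


def resolve_internally(name, internal_zones):
    """Answer as an internal DNS server would: if an internal zone covers the
    name, only that zone's records count (an authoritative server never falls
    through to the Internet); otherwise the query is forwarded to public DNS."""
    zone = authoritative_zone(name, internal_zones)
    if zone is not None:
        return internal_zones[zone].get(name.lower())
    return PUBLIC_RECORDS.get(name.lower())


def shadowed_public_names(internal_zones):
    """Public names internal clients can no longer resolve because an internal
    AD zone is authoritative for them: the Choice A problem split DNS works around."""
    return sorted(n for n in PUBLIC_RECORDS if resolve_internally(n, internal_zones) is None)
```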
2. DESIGNING FORESTS
• Start with forests
• Work down to domains
• Tackle the most important issues first

Activity 5-1: Demoting a Domain Controller
• Objective: Learn how a domain controller can be demoted back to a standalone server
• Demote the domain controller
  • Required for other chapter activities

Characteristics of a Forest
• Implementation of Active Directory
• Represents one single Active Directory installation
• Viewed as a collection of domains
• Security and administrative boundary

Characteristics of a Forest (continued)
• All domains in a forest share:
  • Centrally controlled schema
  • Common configuration
  • Single global catalog
  • Complete trust relationships

How Many Forests?
• Not usually necessary to create more than one forest for an organization
• Create multiple forests:
  • Only when one of the items shared within a forest cannot be shared without violating a business objective

3. DESIGNING DOMAINS
• Important part of planning an Active Directory deployment:
  • Determining the number of domains that are needed
• Reasons for creating more than one domain:
  • Organizational
  • Administrative
  • Technical

Functions of a Domain
• Most important characteristic of a domain:
  • Replication boundary
• Main functions of a domain include:
  • Authentication
  • Policy-based administration
    • Setting account policies for user accounts
  • Directory for publishing shared resources
  • Administrative boundary

Is It a Security Boundary?
• A user is authenticated only by his or her own domain
• A domain is only part of a forest
  • Shares information about security principals
• Do not depend on a domain as a security boundary

Which Works Better: Single or Multiple Domains?
• Advantages of a single domain:
  • Easier to manage
  • Easier to delegate authority and apply group policies on organizational units
  • Requires fewer hardware resources
    • Such as domain controllers
  • Requires fewer domain administrators
    • Less work for current staff

Which Works Better: Single or Multiple Domains? (continued)
• Advantages of multiple domains:
  • Each can have a distinct set of:
    • Administrators
    • Policies
    • Data owners
  • Provide tighter administrative control
  • Support a decentralized administrative structure
• Organizational reasons
• Technical reasons

Using a Dedicated Forest Root
• Microsoft recommends:
  • Forest root domain completely dedicated to managing the infrastructure of the forest
  • No regular users should be created in the forest root domain
  • Single child domain created under the forest root
    • Handles all user and resource objects

Using a Dedicated Forest Root (continued)
• Microsoft recommends that an organization use one domain
  • Unless business needs dictate otherwise
  • Create domains based on geography
• Microsoft views Active Directory from the point of view of large corporations
  • Best practices are not always best for small organizations

Activity 5-3: Promoting an Additional Domain Controller in an Existing Domain
• Objective: Learn how to promote an additional domain controller in an existing Active Directory domain
• Promote another domain controller to provide redundancy and improve performance

4. UNDERSTANDING AND IMPLEMENTING TRUST RELATIONSHIPS
• Trust relationship
  • Gives a user in one domain the ability to access a resource in another
  • No need for separate credentials for each domain
• Terminology
  • The trusting domain trusts the trusted domain to authenticate a user

Transitive Trusts
• Transitivity determines whether a trust extends beyond the two domains in which it is formed
• A trusts B, B trusts C, therefore A trusts C

Transitive Trusts (continued)
• Two-way, transitive trust
  • Domain A trusts domain B, and domain B trusts domain A
  • Created automatically between domains in a forest
  • Cannot be removed
• Trusts are established on a domain-to-domain level

Transitive Trusts (continued)
• Shortcut trusts
  • Allow quicker authentication of security credentials
  • Point one domain directly to another
• Forest trusts
  • Allow a trust relationship to be established between two forests
  • Can be one-way or two-way
  • Transitive

Transitive Trusts (continued)
• Realm trusts
  • Used to create a trust relationship between:
    • Non-Windows Kerberos realm
    • Windows domain
  • Transitive or nontransitive
  • One-way or two-way

Nontransitive Trusts
• Trust between two domains
  • Does not extend outside the two domains the trust is directly between
• External trusts
  • Used between a Windows Server 2003 domain and a Windows NT domain
  • One-way by default
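The trust rules in the slides above (trusting versus trusted domain, one-way versus two-way, and "A trusts B, B trusts C, therefore A trusts C" only when the hops are transitive), as an added example that is not part of the original slides: a small resolver over a constructed topology of two forest parent/child trusts and one external trust to a Windows NT domain. It treats every transitive hop alike and does not model the separate limit on chaining forest trusts across a third forest; all domain names are constructed.

```python
from collections import deque

# Added example (not from the slides). Each trust is written the way the
# slides define it: (trusting_domain, trusted_domain, two_way, transitive),
# where the trusting domain holds the resource and trusts the trusted domain
# to authenticate the user. Domain names are constructed samples.
TRUSTS = [
    # Parent/child trusts inside one forest: automatic, two-way, transitive.
    ("corp.example.local", "sales.corp.example.local", True, True),
    ("corp.example.local", "eng.corp.example.local", True, True),
    # External trust to a Windows NT domain: one-way, nontransitive.
    ("eng.corp.example.local", "LEGACYNT", False, False),
]


def build_graph(trusts):
    """Directed map trusting -> [(trusted, transitive)]; two-way trusts add both directions."""
    graph = {}
    for trusting, trusted, two_way, transitive in trusts:
        graph.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            graph.setdefault(trusted, []).append((trusting, transitive))
    return graph


def trust_path(graph, resource_domain, user_domain):
    """Domains the resource domain follows to end up trusting the user's domain,
    or None. A direct trust of any kind suffices; a chain through other domains
    is valid only when every hop is transitive (A trusts B, B trusts C => A trusts C)."""
    if resource_domain == user_domain:
        return [resource_domain]
    for trusted, _ in graph.get(resource_domain, []):
        if trusted == user_domain:
            return [resource_domain, user_domain]
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for trusted, transitive in graph.get(path[-1], []):
            if not transitive or trusted in seen:
                continue  # a nontransitive hop never extends a chain
            seen.add(trusted)
            if trusted == user_domain:
                return path + [trusted]
            queue.append(path + [trusted])
    return None


def can_access(resource_domain, user_domain, trusts=TRUSTS):
    """True when a user from user_domain can be authenticated for a resource in resource_domain."""
    return trust_path(build_graph(trusts), resource_domain, user_domain) is not None
```

With this topology a Sales user reaches an Engineering resource through the forest root, an NT user reaches Engineering directly over the external trust, but that same NT user cannot reach Sales because the nontransitive external trust cannot be chained.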
5. DESIGNING ORGANIZATIONAL UNITS
• Organizational unit (OU)
  • Used to group objects within a domain into a hierarchical structure
  • Not an administrative or replication boundary
  • Division within the directory structure
  • Allows for delegation of administration
  • Controls the scope of policy application

Best Practices for Designing Organizational Units
• OUs are comparatively easy to restructure
• Use organizational units to organize objects
  • Can be nested within one another
  • Microsoft recommends that nesting not be more than 10 levels deep

Activity 5-4: Creating Organizational Units
• Objective: Learn how to create new organizational units and nested organizational units
• Use the Active Directory Users and Computers console to create a new OU

Best Practices for Designing Organizational Units
• Organizing organizational units by location
  • Works best when administrative authority is different between locations
• Organizing organizational units by function
  • Works best when each department or division of the company has its own administrative control

Best Practices for Designing Organizational Units (continued)
• Organizing organizational units by location and function
  • Allows for the benefits of both location-based and function-based hierarchies
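The OU points in section 5 (nesting, the 10-level guidance, and the OU as the scope of policy application), as an added example that is not part of the original slides: walk an object's distinguished name to recover its OU chain, check it against the nesting guidance, and list which linked policies reach it, applied domain first and deepest OU last. The DNs and policy names are constructed samples; MAX_NESTING is the figure from the slide.

```python
# Added example (not from the slides): derive an object's OU chain from its DN,
# apply the "no more than 10 levels" guidance, and show which linked policies
# reach it. DNs and policy names are constructed; MAX_NESTING is from the slide.
MAX_NESTING = 10

# Constructed policy links: container DN -> policies linked at that container.
POLICY_LINKS = {
    "DC=corp,DC=example,DC=local": ["Default Domain Policy"],
    "OU=Chicago,DC=corp,DC=example,DC=local": ["Chicago-Baseline"],
    "OU=Sales,OU=Chicago,DC=corp,DC=example,DC=local": ["Sales-Drive-Maps"],
}

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (a backslash escapes a literal comma)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts

def container_chain(dn):
    """Containers holding the object, from the domain root down to its parent OU."""
    rdns = split_dn(dn)[1:]  # drop the object's own RDN (CN=...)
    first_dc = next(i for i, rdn in enumerate(rdns) if rdn.upper().startswith("DC="))
    return [",".join(rdns[i:]) for i in range(first_dc, -1, -1)]

def ou_depth(dn):
    """Number of nested OUs between the domain and the object."""
    return len(container_chain(dn)) - 1

def exceeds_nesting_guidance(dn):
    """True when the object sits deeper than the recommended 10 OU levels."""
    return ou_depth(dn) > MAX_NESTING

def applicable_policies(dn, links=POLICY_LINKS):
    """Policies reaching the object in processing order: domain first, then each
    OU down to the object's parent, so links on deeper OUs are applied last."""
    return [p for container in container_chain(dn) for p in links.get(container, [])]
```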
6. UPGRADING WINDOWS NT OR WINDOWS 2000 DOMAINS
• A number of different methods exist for integrating Windows Server 2003 into an existing network
• Should understand each in order to choose the best method for a given situation

Active Directory Functional Levels
• Active Directory functionality varies
  • Depending on the version of Windows used on domain controllers
• Domain functional levels:
  • Windows 2000 mixed
  • Windows 2000 native
  • Windows Server 2003 interim
  • Windows Server 2003

Active Directory Functional Levels (continued)
• Forest functional levels:
  • Windows 2000
  • Windows Server 2003 interim
  • Windows Server 2003

Upgrading Windows NT Domains
• Windows NT domains
  • Not organized in a tree structure like Active Directory domains
  • Independent of one another
  • Trust relationships are one-way, nontransitive trusts
  • No replication is performed between domains
  • Replication within a domain is automatic

Upgrading Windows NT Domains (continued)
• Migrating to Active Directory
  • Must decide whether the existing domain structure is adequate for needs
  • If not, create a new design
    • Migrate existing information
• First domain upgraded becomes the forest root domain
  • Must be the PDC

Upgrading Windows 2000 Domains
• Easy
  • Because Active Directory has already been designed and implemented
• May also decide to restructure existing domains
  • Use ADMT to migrate:
    • Users
    • Groups
    • Computer accounts

Summary
• DNS name should be meaningful and represent the entire operation
• Forest is an "instance" of Active Directory
• Domain is a replication and administrative boundary
• Forest root domain is the central point for trust relationships

Summary (continued)
• Trusts automatically established between domains in a forest are only created between a child domain and its parent
  • They are two-way and transitive
  • They can be followed up and down the tree structures in the forest
• Active Directory is capable of different functionality levels at the domain and forest levels