510 likes | 728 Views
Chapter 5: Active Directory Logical Design. Objectives. Choose the best DNS name for a domain Make Active Directory forest design decisions Make Active Directory domain design decisions Understand the roles and describe the characteristics of trusts
E N D
Objectives • Choose the best DNS name for a domain • Make Active Directory forest design decisions • Make Active Directory domain design decisions • Understand the roles and describe the characteristics of trusts • Describe the role and characteristics of organizational units • Understand the different functionality levels of Active Directory and how to upgrade Windows NT and 2000 domains
1. CHOOSING A DNS NAME FOR ACTIVE DIRECTORY • DNS defines namespace used by Active Directory • Choosing DNS name of domain • Not a decision to take lightly • Don’t put off until last minute • DNS name • Used extensively throughout domain • Affects every member of domain
What Makes a Good DNS Name? • Meaningful • Scalable • Should represent entire business • Support current and future plans
Making the Name Meaningful and Scalable • DNS name chosen for first domain created in tree • Part of DNS names for all child domains • Represent whole of enterprise • Allow for future growth
Two Common Uses for DNS: Internet Presence and Active Directory • Namespace used by Active Directory • Internet presence: • Web site • email • e-commerce
Choosing How DNS Names for Internet and Active Directory Are Related • Choices: • Use the same DNS name for both • Use completely different names altogether • Delegate subdomain from Internet name for Active Directory
Using the Same DNS Name for Active Directory and Internet Presence • CHOICE A • Requires complicated steps to prevent confidential data from being made available publicly • Not recommended • Can use technique called split DNS
Using Completely Different Names for Active Directory and Internet Presence • CHOICE B • No possibility of conflict • Management of names and hosts for Internet is completely separate from Active Directory • Designers must ensure that internal clients can resolve both: • Internal names to support Active Directory • External names to access Internet resources
Using Completely Different Names for Active Directory and Internet Presence (continued)
Delegating a Subdomain from the Internet Presence Subdomain for ActiveDirectory • CHOICE C • Uses separate zones to keep Active Directory and Internet presence apart • Subdomain is delegated from existing Internet presence name • Simple to set up • No client configuration required
Delegating a Subdomain from the Internet Presence Subdomain for Active Directory (continued)
Best Practices for Choosing a DNS Name • Delegated subdomain recommended • Windows 2000 Server: • Microsoft recommended that all domain controllers act as DNS servers • Mostly true with Windows Server 2003 as well • DomainDnsZones Active Directory application partition in Windows Server 2003 • Can affect DNS server placement
2. DESIGNING FORESTS • Start with forests • Work down to domains • Tackle most important issues first
Activity 5-1: Demoting a domain controller • Objective: Learn how a domain controller can be demoted back to a standalone server • Demote the domain controller • Required for other chapter Activities
Characteristics of a Forest • Implementation of Active Directory • Represents one single Active Directory installation • Viewed as collection of domains • Security and administrative boundary
Characteristics of a Forest (continued) • All domains in a forest share: • Centrally controlled schema • Common configuration • Single global catalog • Complete trust relationships
How Many Forests? • Not usually need to create more than one forest for an organization • Create multiple forests: • Only when one of items shared within a forest cannot be shared without violating a business objective
3. DESIGNING DOMAINS • Important part of planning Active Directory deployment: • Determining number of domains that are needed • Reasons for creating more than one domain: • Organizational • Administrative • Technical
Functions of a Domain • Most important characteristic of a domain: • Replication boundary • Main functions of a domain include: • Authentication • Policy-based administration • Setting account policies for user accounts • Directory for publishing shared resources • Administrative boundary
Is It a Security Boundary? • User is authenticated only by his or her own domain • Domain is only part of a forest • Shares information about security principals • Do not depend on domain as security boundary
Which Works Better: Single or Multiple Domains? • Advantages of a single domain: • Easier to manage • Easier to delegate authority and apply group policies on organizational units • Requires fewer hardware resources • Such as domain controllers • Requires fewer domain administrators • Less work for current staff
Which Works Better: Single or Multiple Domains? (continued) • Advantages of multiple domains: • Each can have distinct set of • Administrators • Policies • Data owners • Provide tighter administrative control • Support a decentralized administrative structure • Organizational reasons • Technical reasons
Using a Dedicated Forest Root • Microsoft recommends: • Forest root domain completely dedicated to managing the infrastructure of forest • No regular users should be created in the forest root domain • Single child domain created under forest root • Handles all user and resource objects
Using a Dedicated Forest Root (continued) • Microsoft recommends that an organization use one domain • Unless business needs dictate otherwise • Create domains based on geography • Microsoft views Active Directory from point of view of large corporations • Best practices not always best for small organizations
Activity 5-3: Promoting an Additional Domain Controller in an Existing Domain • Objective: Learn how to promote an additional domain controller in an existing Active Directory domain • Promote another domain controller to promote redundancy and performance
4. UNDERSTANDING AND IMPLEMENTING TRUST RELATIONSHIPS • Trust relationship • Gives user in one domain the ability to access resource in another • No need for separate credentials for each domain • Terminology • Trusting domain trusts the trusted domain to authenticate a user
Transitive Trusts • Used to determine if trust extends outside two domains in which trust is formed • A trusts B, B trusts C, therefore A trusts C
Transitive Trusts (continued) • Two-way, transitive trust • Domain A trusts domain B, and domain B trusts domain A • Created automatically between domains in forest • Cannot be removed • Trusts are established on a domain-to-domain level
Transitive Trusts (continued) • Shortcut Trusts • Allow quicker authentication of security credentials • Points one domain directly to another • Forest trusts • Allow trust relationship to be established between two forests • Can be one-way or two-way • Transitive
Transitive Trusts (continued) • Realm Trusts • Used to create trust relationship between: • Non-Windows Kerberos realm • Windows domain • Transitive or nontransitive • One-way or two-way
Nontransitive Trusts • Trust between two domains • Does not extend outside two domains trust is directly between • External Trusts • Used between Windows Server 2003 domain and Windows NT domain • One-way by default
5. DESIGNING ORGANIZATIONAL UNITS • Organizational unit (OU) • Used to group objects within domain into hierarchical structure • Not administrative or replication boundary • Division within directory structure • Allows for delegation of administration • Controls scope of policy application
Best Practices for Designing Organizational Units • OUs comparatively easy to restructure • Use organizational units to organize objects • Can be nested within one another • Microsoft recommends that nesting not be more than 10 levels deep
Activity 5-4: Creating Organizational Units • Objective: Learn how to create new organizational units and nested organizational units • Use the Active Directory Users and Computers console to create a new OU
Best Practices for Designing Organizational Units • Organizing Organizational Units by location • Works best when administrative authority is different between locations • Organizing Organizational Units by function • Works best when each department or division of company has its own administrative control
Best Practices for Designing Organizational Units (continued) • Organizing Organizational Units by location and function • Allows for benefits of location-based and function-based hierarchies
6. UPGRADING WINDOWS NT OR WINDOWS 2000 DOMAINS • Number of different methods for integrating Windows Server 2003 into existing network • Should understand each in order to choose best method for a given situation
Active Directory Functional Levels • Active Directory functionality varies • Depending on version of Windows used on domain controllers • Domain functional levels: • Windows 2000 mixed • Windows 2000 native • Windows Server 2003 interim • Windows Server 2003
Active Directory Functional Levels (continued) • Forest functional levels: • Windows 2000 • Windows Server 2003 interim • Windows Server 2003
Upgrading Windows NT Domains • Windows NT domains • Not organized in tree structure like Active Directory domains • Independent of one another • Trust relationships are one-way, nontransitive trusts • Does not perform replication between domains • Replication within domain is automatic
Upgrading Windows NT Domains (continued) • Migrating to Active Directory • Must decide whether existing domain structure is adequate for needs • If not, create new design • Migrate existing information • First domain upgraded becomes forest root domain • Must be PDC
Upgrading Windows 2000 Domains • Easy • Because Active Directory has already been designed and implemented • May also decide to restructure existing domains • Use ADMT to migrate: • Users • Groups • Computer accounts
Summary • DNS name should be meaningful and represent entire operation • Forest is an “instance” of Active Directory • Domain is replication and administrative boundary • Forest root domain is central point for trust relationships
Summary (continued) • Trusts automatically established between domains in a forest are only created between a child domain and its parent • They are two-way and transitive • They can be followed up and down tree structures in forest • Active Directory is capable of different functionality levels at domain and forest levels