1 / 19

Active Directory Domain Structure and Concepts

Active Directory Domain Structure and Concepts. Concepts. Active Directory Domain Services (AD DS) Logical structure Physical structure Organizational units Delegation of control Groups. Active Directory Domain Services. Logical Structure

glen
Download Presentation

Active Directory Domain Structure and Concepts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Active Directory Domain Structure and Concepts

  2. Concepts • Active Directory Domain Services (AD DS) • Logical structure • Physical structure • Organizational units • Delegation of control • Groups

  3. Active Directory Domain Services • Logical Structure • Forest; Tree; Domain; Organizational Unit; Groups • Physical Structure • Physical layout of your domain which can determine replication • Multiple sites (remote offices) • Multiple domain controllers (DCs) • How Replication occurs • Replication of updates to Active Directory objects are transmitted between multiple domain controllers to keep replicas of directory partitions synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site. • HUH? • Replication makes sure that all DCs have an “up to date” copy of the Active Directory database

  4. Active Directory Domain Services • Replication can be managed through Active Directory Sites and Services

  5. Active Directory Domain Services • By default, replication occurs every 180 minutes. • Replication can be forced between DC’s • Replication schedule can be modified • Large domains should have regular replication • Many changes within the domain • Small (static) domains do not require a high frequency of replications • Very little change on the domain

  6. Active Directory Domain Services

  7. Active Directory Domain Services • Active Directory replication topology has the following dependencies: • Routable IP infrastructure. The replication topology is dependent upon a routable IP infrastructure from which you can map IP subnet address ranges to site objects. This mapping generates the information that is used by client workstations to communicate with domain controllers that are close by, when there is a choice, rather than those that are located across WAN links. • DNS. The Domain Name System (DNS) resolves DNS names to IP addresses. Active Directory replication topology requires that DNS is properly designed and deployed so that domain controllers can correctly resolve the DNS names of replication partners. • DNS also stores service (SRV) resource records that provide site affinity information to clients searching for domain controllers, including domain controllers that are searching for replication partners. Every domain controller registers these records so that they can be located according to site.

  8. Active Directory Domain Services • Active Directory replication topology has the following dependencies(cont): • Net Logon service. Net Logon is required for DNS registrations. • Remote Procedure Call (RPC). Active Directory replication requires IP connectivity and RPC to transfer updates between replication partners within sites • Inter-site Messaging. Inter-site Messaging is required for SMTP intersite replication and for site coverage calculations

  9. Active Directory Domain Services • Domains • Domains are units of replication. All of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the domain. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers. • One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain. • A single domain can span multiple physical locations or sites and can contain millions of objects. Site structure and domain structure are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.

  10. Active Directory Domain Services • A domain provides several benefits: • Organizing ObjectsUsing organizational units helps you manage the accounts and resources in the domain. You can then assign Group Policy settings and place users, groups, and computers into the organizational units. Using a single domain greatly simplifies administrative overhead. • Publishing resources and information about domain objectsA domain stores only the information about objects located in that domain, so by creating multiple domains, you are partitioning or segmenting the directory to better serve a disparate user base. When using multiple domains, you can scale the Active Directory service to accommodate your administrative and directory publishing requirementsApplying a Group Policy object to the domain consolidates resource and security management A domain defines a scope or unit of policy. A Group Policy object (GPO) establishes how domain resources can be accessed, configured, and used. These policies are applied only within the domain and not across domains

  11. Active Directory Domain Services • A domain provides several benefits: • Delegating authority eliminates the need for a number of administrators with broad administrative authority. Using delegated authority in conjunction with Group Policy objects and group memberships enables you to assign an administrator rights and permissions to manage objects in an entire domain or in one or more organizational units within the domain. • Security policies and settings (such as user rights and password policies) do not cross from one domain to another. Each domain has its own security policies and trust relationships with other domains. However, the forest is the final security boundary. • Each domain stores only the information about the objects located in that domain. By partitioning the directory this way, Active Directory can scale to very large numbers of objects.

  12. How many domains? • Simple is best – use one if you can • Plus • Single “Security Boundary” • Central Administration • Minus • All roles (schema master, RID master, etc) in “exposed” domain • Need physical structure (sites, site-links, subnets) if have WAN links

  13. Multiple Domains • Some reasons to create more than one domain are: • Different password requirements between departments or divisions • Massive numbers of objects • Decentralized network administration • More control of replication • Although using a single domain for an entire network has several advantages, to meet additional scalability, security, or replication requirements you may consider creating one or more domains for your organization.

  14. Organizational Units • Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains. • An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. Using organizational units, you can create containers within a domain that represent the hierarchical, logical structures within your organization. You can then manage the configuration and use of accounts and resources based on your organizational model.

  15. Organizational Units • You can use organizational units to create an administrative model that can be scaled to any size. A user can have administrative authority for all organizational units in a domain or for a single organizational unit. An administrator of an organizational unit does not need to have administrative authority for any other organizational units in the domain.

  16. Groups • Domain Local • Used to assign rights/permissions to resources in that domain • Can contain users/DL/Global groups from any domain in forest • Global • Groups users in that domain together logically • Added to member list of Domain Local to get rights • Universal • Groups users from any domain in forest together • Assign rights to resources in any domain in forest

  17. Groups

  18. Terms to research • Function Levels • Operations roles • Flexible Single Master of Operations (FIZZMO) or Operations Masters/Roles • Site links

  19. Additional Resources • http://technet.microsoft.com/en-us/library/cc780856(WS.10).aspx • http://technet.microsoft.com

More Related