Advanced Active Directory Deployments

Advanced Active Directory Deployments. Rick Claus, IT Pro Advisor, Microsoft Canada, rclaus@microsoft.com, http://blogs.technet.com/rclaus. What Will We Cover? Multiple Forest Design, Multiple Domain Design, Site Design. Helpful Experience: Experience with Active Directory concepts


Presentation Transcript


  1. Advanced Active Directory Deployments Rick Claus IT Pro Advisor Microsoft Canada rclaus@microsoft.com http://blogs.technet.com/rclaus

  2. What Will We Cover? • Multiple Forest Design • Multiple Domain Design • Site Design

  3. Helpful Experience • Experience with Active Directory concepts • Experience administering Active Directory • Experience supporting TCP/IP networks Level 200

  4. Agenda • Designing Multiple Forests • Implementing Multiple Forests • Designing Multiple Domains • Designing a Site Topology

  5. Designing Forests Forests: • Shared directory • Security boundary Forest Design: • Identify business requirements • Determine number of forests

  6. Service Administrator Authority • Service administrators have full access • You should ensure they can be trusted

  7. Reasons for Multiple Forests Generic reasons: • Legal • Asset isolation • Autonomy Organizational reasons: • Operational structure

  8. Autonomy vs. Isolation Autonomy: • Service autonomy • Data autonomy Isolation: • Service isolation • Data isolation

  9. Forest Design Considerations • Isolation requirements limit choices • Allow enough negotiation time • Consider the cost benefit • Avoid co-ownership by two IT orgs • Avoid outsourcing to multiple partners

  10. Organizational Forest Model (diagram: two organizational forests joined by a forest trust; key: forest trust, user accounts, resource servers)

  11. Resource Forest Model (diagram: an organizational forest joined by forest trusts to two resource forests; key: user accounts, forest trust, resource servers, service accounts, alternate user accounts)

  12. Restricted-Access Forest Model (diagram: an organizational forest and a restricted-access forest containing servers with classified data; key: forest trust, user accounts, resource servers)

  13. Scenario: Same Corporation (diagram: Contoso.com, hr.contoso.com and Plant.contoso.com joined by a dedicated connection; labels: physically unsecured domain controllers, application that requires a different schema)

  14. Scenario: Different Corporations (diagram: Contoso.com and Fabrikam.com, each behind its own firewall, connected across the Internet)

  15. Scenario: Perimeter Network (diagram: Internet, firewall, DMZ.Contoso.com perimeter network hosting Passport and a web app, second firewall, internal Contoso.com)

  16. Mapping Requirements to Models Requirements: Solution: Join an existing forest for data autonomy

  17. Mapping Requirements to Models Requirements: Solution: Use an organizational or resource forest for service isolation

  18. Mapping Requirements to Models Requirements: Solution: Use an organizational forest or domain and reconfigure the firewall for service autonomy with limited connectivity

  19. Agenda • Designing Multiple Forests • Implementing Multiple Forests • Designing Multiple Domains • Designing a Site Topology

  20. Forest Trusts (diagram: forest trust between Corp.Contoso.com and Corp.Fabrikam.com) Requirements: • Domain controllers running Windows Server 2003 • DNS infrastructure • Windows Server 2003 Forest Functional Level • Enterprise Admin privileges

  21. Authentication across Forests (diagram: Corp.Contoso.com and Corp.Fabrikam.com; labels: DC1, DC2, DC3, DC4, GC)

  22. Authorization across Forests • Windows XP SP2 and Windows Server 2003: can browse and search principals • Windows 2000: use UPN or NT 4.0 name • Windows NT 4.0 and earlier: use NT 4.0 name • Exchange Server 5.5 and SQL Server 2000: use NT 4.0 name

  23. Restricting Forest Scope: Scenario 1 (diagram: Fabrikam.com and Contoso.com; disable the DomainInfo or TopLevelName name suffix routing record so the suffix shows as Not Trusted)

  24. Restricting Forest Scope: Scenario 2 (diagram: forest trust between Contoso.com and Fabrikam.com; label: Allowed to authenticate, the permission used for selective authentication)

  25. Other Forest Considerations (diagram) Recommended: forest trust between Contoso.com and Fabrikam.com. Not recommended: Plant.contoso.com and Contoso.com

  26. Smart Cards and Forest Trusts (diagram: Contoso.com and Fabrikam.com joined by a forest trust and a PKI trust)

  27. Agenda • Designing Multiple Forests • Implementing Multiple Forests • Designing Multiple Domains • Designing a Site Topology

  28. Active Directory Domains A domain is an Active Directory partition with these administrative functions: • User identity • Authentication • Trust relationships • Replication

  29. Factors that Impact Domain Model • Network capacity (128K ISDN, T1) • Number of users

  30. Reasons for Multiple Domains • Administrative considerations (politics) • Unique policies • Network traffic • Network connectivity • Capacity • International differences • In-place upgrade of existing domains

  31. Design Recommendations If deploying more than one domain, remember:

  32. Domain Cost Implications • Management • Consistency • User moves

  33. Domain Models: Single Domain

  34. Domain Models: Regional (diagram: a forest root domain with three regional domains beneath it)

  35. Domain Models: Organizational (diagram: a Central IT Team holding Enterprise Admins, Domain Admins and Schema Admins for the Corp domain; Div 1, Div 2 and Div 3 IT Teams each holding Domain Admins for Division 1, Division 2 and Division 3)

  36. Determining the Number of Domains

  37. Agenda • Designing Multiple Forests • Implementing Multiple Forests • Designing Multiple Domains • Designing a Site Topology

  38. Site Functions (diagram: one domain spanning Site 1, Site 2 and Site 3)

  39. Typical Network Topologies (diagram: ring topology, hub and spoke topology, and a complex topology with multiple hubs)

  40. Active Directory Replication (diagram: London site and Tilbury site with DC-1 to DC-5; intrasite replication connections over the LAN, intersite replication connection over the WAN)

  41. DC Placement: Forest Root (diagram: hub and spoke site topology; root DCs placed in the hub site, datacenter and network hub; spoke sites) http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/4af3271a-4407-4ca5-9cd5-e05b79046d08.mspx

  42. DC Placement: Regional (decision flowchart; questions: WAN link stable? Logon good? Are DCs physically secure? Admin for DCs? 24x7 required?; outcomes: Place DC / Do not place DC)

  43. Global Catalog Placement (decision flowchart; questions: Roaming users? App that requires a GC? > 100 users? WAN link to GC?; outcomes: Place GC / Do not place GC / Place DC and enable UGMC (universal group membership caching))

  44. Operations Masters Review Domain roles: • PDC Emulator • RID Master • Infrastructure Master Forest roles: • Schema Master • Domain Naming Master

  45. Operations Masters Guidelines http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/edeba401-7f51-4717-91bd-ddb1dca8a327.mspx

  46. Operations Masters Placement • Single-domain forest: make all DCs into GCs; leave roles on first DC • Forest root domain (multiple domains): move roles to second DC; don’t make the second DC a GC • Regional child domain: leave roles on first DC; don’t make the second DC a GC

  47. Creating Sites (decision flowchart: Is DC at location? Site required by apps? If yes to either, create site for location; if no to both, include subnet of location in the closest site)

  48. Site Links (diagram: Site 1, Site 2 and Site 3 connected by site links Site1-Site2, Site1-Site3 and Site2-Site3; Default-First-Site-Link) Connection transports: • RPC over IP • SMTP

  49. Site Link Cost • Site1-Site2: 256 KBps, cost 425 • Site1-Site3: 9.6 KBps, cost 1024 • Site2-Site3: 256 KBps, cost 425

  50. Site Link Schedule • Site1-Site2: cost 425, not available from 8:00 A.M. to 6:00 P.M. • Site1-Site3: cost 1024 • Site2-Site3: cost 425
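Added example (not from the deck) showing how slides 49 and 50 combine: the Deployment Kit cost rule of thumb (1024 divided by log10 of the bandwidth in Kbps, an assumption about where the slide's 425 comes from; for 9.6 Kbps that rule gives 1042 where the slide prints 1024, and the route table below keeps the slide's value) and a least-cost route search over the links open at a given hour, which is what decides whether a change replicates from Site 1 to Site 3 via Site 2 or over the slow direct link while the Site1-Site2 schedule is closed. Site names, costs and the blackout window are taken from the slides; the rest is constructed.

```python
import heapq
import math


def site_link_cost(kbps: float) -> int:
    """Deployment Kit rule of thumb: cost = 1024 / log10(bandwidth in Kbps).
    Assumption: this is the rule behind the slide's 425 for 256 Kbps;
    for 9.6 Kbps it yields 1042 where the slide prints 1024."""
    return round(1024 / math.log10(kbps))


# Constructed from slides 49 and 50: (site A, site B, cost, blackout).
# blackout is (start_hour, end_hour) on a 24-hour clock, or None if always open.
SITE_LINKS = [
    ("Site1", "Site2", 425, (8, 18)),  # not available 8:00 A.M. to 6:00 P.M.
    ("Site1", "Site3", 1024, None),
    ("Site2", "Site3", 425, None),
]


def link_available(blackout, hour: int) -> bool:
    """True if the link may replicate at `hour`; blackout is half-open [start, end)."""
    if blackout is None:
        return True
    start, end = blackout
    return not (start <= hour < end)


def cheapest_route(src: str, dst: str, hour: int):
    """Least-cost path over the links open at `hour`, as the ISTG chooses when
    site links are bridged. Returns (total cost, [sites]) or (None, []) if closed."""
    graph: dict = {}
    for a, b, cost, blackout in SITE_LINKS:
        if link_available(blackout, hour):
            graph.setdefault(a, []).append((b, cost))
            graph.setdefault(b, []).append((a, cost))
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:  # Dijkstra over the open links
        cost, site = heapq.heappop(heap)
        if site == dst:  # walk the predecessor chain back to the source
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[site]:
            continue
        for nxt, w in graph.get(site, []):
            if cost + w < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = cost + w, site
                heapq.heappush(heap, (cost + w, nxt))
    return None, []
```

At 22:00 `cheapest_route("Site1", "Site3", 22)` returns (850, via Site2), at 10:00 it returns (1024, direct); the closed window therefore also delays replication of account disables and group changes between Site 1 and Site 2 until 6:00 P.M., which is worth knowing when planning a response.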
