(Skill 1) Examining a Windows NT Infrastructure (2)
• Number and configuration of domains and trusts
  • Defines the domain model in use
  • Of utmost concern when upgrading rather than restructuring
• Types of domain models used in Windows NT
  • Single master
  • Multi-master
  • Mesh (full trust)

(Skill 1) Examining a Windows NT Infrastructure (3)
• Single master domain model
  • Consists of one account domain trusted by one or more resource domains
  • User accounts are contained in the account domain (also called the master domain)
  • Resources are administered from the resource domain
  • Advantage: centralized model with a well-defined administrative boundary
  • Disadvantages: reduced user limits and potential for excessive WAN traffic

(Skill 1) Examining a Windows NT Infrastructure (4)
• Multi-master domain model
  • Consists of multiple account and resource domains, with master domains all trusting each other and resource domains trusting all master domains
  • Accounts are contained in all master domains
  • Resources are administered in the resource domain
  • Advantages: fairly well centralized, strong administrative boundaries, and higher account limits than single master
  • Disadvantages: increased complexity and still some potential for excessive WAN traffic

(Skill 1) Examining a Windows NT Infrastructure (5)
• Mesh (full trust) domain model
  • Contains multiple domains that all trust all other domains
  • Accounts and resources are administered in each domain
  • Advantages: unlimited account limits and few traffic problems
  • Disadvantages: very complex administrative structure, difficult to administer with more than four domains, requires defining and administering an excessive number of trust relationships

(Skill 1) Examining a Windows NT Infrastructure (6)
• Administrative model
  • Normally follows the domain structure
  • Important to understand because the model helps define administrative boundaries in the new network
  • Most accurate way to determine it is to examine the daily functions of each member of the administrative team
  • Other methods
    • Interviewing administrative or IT management
    • Examining permissions, rights, and group memberships
  • Helpful to create a diagram once the examination is complete

(Skill 1) Examining a Windows NT Infrastructure (7)
• Replication
  • Almost entirely dependent on the domain model chosen and the domain controller layout
  • Windows NT uses the replicator service to replicate file and folder structures to specific servers
  • In Windows Server 2003 and Windows 2000 Server, this function has been taken over by the File Replication Service (FRS)
  • During the design process, you must know which folders will need to be replicated by FRS, which almost always includes a subset of the files currently replicated by the replicator service

(Skill 1) Examining a Windows NT Infrastructure (8)
• System policies
  • Currently configured system policies provide a good starting point on which to base Group Policies
  • System policies also define rights assignments, which are important when designing the security and administrative structure of the new network

(Skill 1) Examining a Windows NT Infrastructure (9)
• Group structure
  • Must take into account global and local group memberships
  • In many Windows NT networks, global groups are used almost exclusively, which leads to a large number of global groups
  • Rearrange the group structure to utilize both global and local groups and follow the Microsoft rule
  • Microsoft rule (A-G-DL-P): put user accounts (A) into global groups (G), put global groups into domain local groups (DL), and then grant permissions (P)
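One way to audit an existing group structure against the A-G-DL-P rule, as an added PowerShell example that is not part of the original slides. It assumes the ActiveDirectory module (RSAT), which postdates the Windows NT/2000 systems discussed here, and read access to group membership; the function names are mine.

```powershell
# Added example: audit group scope usage against A-G-DL-P. Assumes the
# ActiveDirectory module (RSAT) and rights to read group membership.
Import-Module ActiveDirectory

# A domain with almost no domain local groups is the "global groups used
# almost exclusively" pattern the slide describes.
function Get-GroupScopeSummary {
    Get-ADGroup -Filter * | Group-Object GroupScope | Select-Object Name, Count
}

# Flags memberships that skip a layer of the rule:
#   A -> DL : a user placed directly in a domain local group (no global group)
#   G -> G  : a global group nested in another global group; legal, but worth
#             reviewing because permissions are then usually granted to G, not DL
function Get-AgdlpDeviation {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties Members
    foreach ($g in $groups) {
        foreach ($memberDn in $g.Members) {
            $m = Get-ADObject -Identity $memberDn
            $issue = $null
            if ($g.GroupScope -eq 'DomainLocal' -and $m.ObjectClass -eq 'user') {
                $issue = 'User directly in domain local group (A -> DL, no G)'
            }
            elseif ($g.GroupScope -eq 'Global' -and $m.ObjectClass -eq 'group') {
                $issue = 'Group nested in global group (G -> G); check where permissions are granted'
            }
            if ($issue) {
                [pscustomobject]@{
                    Group = $g.Name; Scope = $g.GroupScope; Member = $m.Name; Issue = $issue
                }
            }
        }
    }
}

Get-GroupScopeSummary | Format-Table -AutoSize
Get-AgdlpDeviation    | Format-Table -AutoSize
```

The scope summary alone shows whether domain local groups are in use at all; the deviation list gives the concrete memberships to restructure.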
(Skill 1) Examining a Windows NT Infrastructure (10)
• Domain controller configuration
  • If reusing existing domain controllers, hardware specifications become critical
  • Check compatibility and ability to scale
  • Perform a pilot upgrade if possible
  • If a pilot is not possible, use Performance Monitor or third-party tools to determine the peak number of interactive logins that must be supported by each domain controller (primary metric)
  • RAM, disk, and network requirements are fairly static
  • Processor requirements depend on the number of users interactively logging in during the peak period
  • Take other services into account

(Skill 1) Examining a Windows NT Infrastructure (11)
• Domain controller placement
  • Analysis of current placement helps determine the areas of the network that may be prone to performance or reliability constraints
(Skill 1) Figure 3-1 Single master domain model
(Skill 1) Figure 3-2 Multi-master domain model
(Skill 1) Figure 3-3 Mesh domain model
(Skill 1) Figure 3-4 A diagram of a simple administrative model
(Skill 1) Figure 3-5 The Microsoft Rule
(Skill 2) Examining a Windows 2000 Infrastructure
• Redesigning a Windows 2000 Active Directory-based infrastructure typically requires a more thorough examination of the existing infrastructure than redesigning a Windows NT infrastructure
• Active Directory adds significant complexity to the environment

(Skill 2) Examining a Windows 2000 Infrastructure (2)
• Factors to consider when designing an Active Directory-based network
  • Forest and tree design
  • Existing manual trust relationships
  • DNS configuration
  • Site configuration
  • Schema modifications
  • Organizational unit (OU) design

(Skill 2) Examining a Windows 2000 Infrastructure (3)
• Factors to consider when designing an Active Directory-based network
  • Active Directory security settings
  • Group Policy
  • Sysvol requirements
  • Global catalog server requirements
  • Security and distribution group configuration
  • Flexible Single Master of Operations (FSMO) role configuration

(Skill 2) Examining a Windows 2000 Infrastructure (4)
• Forest and tree design
  • Forest design affects the number of schemas, the administrative model, the number of global catalogs, and the trust design
  • If a network contains more than one forest, you should know the reasoning behind that decision
  • Importance of tree design
    • It describes the network’s domain naming model
    • It defines the configuration of default trust relationships within the forest(s)

(Skill 2) Examining a Windows 2000 Infrastructure (5)
• Existing manual trust relationships
  • Types of manual trusts
    • Shortcut trusts (manual two-way transitive trusts, also known as explicit trusts)
    • One-way trusts (typically established between Windows NT and Active Directory domains or between different Active Directory forests)
  • Must understand the reasoning behind why they exist, because it may influence the new design
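An added PowerShell example, not from the original slides, that inventories the forest's trees, domains and trust relationships so each shortcut or one-way trust can be traced to a documented reason. It assumes the ActiveDirectory module (RSAT); the "Kind" column is my own heuristic classification built from the trust attributes the cmdlet exposes.

```powershell
# Added example: inventory forest trees, domains and trusts. Assumes the
# ActiveDirectory module (RSAT); the Kind column is a heuristic of mine.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}, root domain {1}" -f $forest.Name, $forest.RootDomain
"Domains: {0}" -f ($forest.Domains -join ', ')

# A domain with no parent inside the forest is the root of its own tree, so the
# number of such domains is the number of trees (the domain naming model).
$forest.Domains |
    ForEach-Object { Get-ADDomain -Identity $_ } |
    Where-Object { -not $_.ParentDomain } |
    ForEach-Object { "Tree root: {0}" -f $_.DNSRoot }

# Trust objects are stored per domain; query each domain so trusts recorded
# only on one side (typical for one-way trusts) are not missed.
$trusts = foreach ($d in $forest.Domains) { Get-ADTrust -Filter * -Server $d }

$trusts | Select-Object Source, Target, Direction, TrustType, ForestTransitive,
    IntraForest, SelectiveAuthentication, SIDFilteringQuarantined,
    @{ n = 'Kind'; e = {
        if ($_.IntraForest -and -not ($_.IsTreeParent -or $_.IsTreeRoot)) { 'Shortcut (manual, intra-forest)' }
        elseif ($_.IntraForest)               { 'Default parent-child or tree-root trust' }
        elseif ($_.ForestTransitive)          { 'Forest trust' }
        elseif ($_.TrustType -eq 'Downlevel') { 'External trust to a Windows NT domain' }
        else                                  { 'External trust (non-transitive)' }
    } } |
    Sort-Object Kind, Source |
    Format-Table -AutoSize

# One-way trusts are the ones whose reasoning the slide says to capture.
$trusts | Where-Object { $_.Direction -ne 'Bidirectional' } |
    Select-Object Source, Target, Direction, TrustType
```

SelectiveAuthentication and SIDFilteringQuarantined are included because a trust that exists for a good reason may still be configured more permissively than the new design intends.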
(Skill 2) Examining a Windows 2000 Infrastructure (7)
• Site configuration
  • Sites are commonly misconfigured
  • Pay special attention to site links and the relationship between physical topology and site topology
  • Mistakes can lead to significantly higher WAN link usage

(Skill 2) Examining a Windows 2000 Infrastructure (8)
• Schema modifications
  • Of concern because schema modifications can make drastic changes to the functionality of Active Directory
  • Examine the number and type of schema modifications, the organization’s schema modification guidelines, and the reasoning behind them
  • Failure to take schema modifications into account can lead to last-minute schema modifications, which can cause massive Active Directory replication and other problems

(Skill 2) Examining a Windows 2000 Infrastructure (9)
• Organizational unit (OU) design
  • One of the most significant factors in Active Directory design
  • Affects administrative delegation, object organization, and Group Policy application within each domain
(Skill 2) Examining a Windows 2000 Infrastructure (10)
• Organizational unit (OU) design
  • Need to analyze certain facets
    • Structure of the OU design
    • Number of levels present in the OU design
    • Organization (or lack thereof) in the design
    • Delegation of permissions
    • Group Policies applied to OUs
    • Use of Block Inheritance and No Override permissions
    • Contents of each OU

(Skill 2) Examining a Windows 2000 Infrastructure (11)
• Active Directory security settings
  • Related to OU design
  • Typically applied to one or more groups within the structure in the form of delegated permissions applied to the OU
  • Sometimes applied to individual objects
  • All should be examined thoroughly
(Skill 2) Examining a Windows 2000 Infrastructure (12)
• Group Policy
  • Settings have a significant impact on the operation of systems within the network
  • Note which Group Policy Objects (GPOs) are applied at the site, domain, and OU levels
  • Examine each GPO to determine its configured settings
  • Examine the use of No Override and Block Inheritance
  • Examine the permissions configured on each Group Policy
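The Group Policy examination steps above (links per container, Block Inheritance, No Override, and GPO permissions) as one added PowerShell report that is not part of the original slides. It assumes the ActiveDirectory and GroupPolicy modules (RSAT), where No Override appears as the Enforced flag on a link; the function name is mine, and site-linked GPOs are not covered by this query.

```powershell
# Added example: report blocked inheritance, enforced ("No Override") links and
# GPO permissions for the domain and every OU. Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT); site-level links are not enumerated here.
Import-Module ActiveDirectory, GroupPolicy

function Get-GpoLinkReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $targets = @((Get-ADDomain -Identity $Domain).DistinguishedName) +
        @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
            Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoLinks.Count -eq 0) {
            # Still worth reporting: a container that blocks inheritance yet links
            # nothing receives only enforced GPOs from above.
            [pscustomobject]@{ Container = $dn; InheritanceBlocked = $inh.GpoInheritanceBlocked
                               GPO = '(none linked)'; Enabled = $null; Enforced = $null; Order = $null }
            continue
        }
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                Container          = $dn
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                GPO                = $link.DisplayName
                Enabled            = $link.Enabled
                Enforced           = $link.Enforced
                Order              = $link.Order
            }
        }
    }
}

$domain = (Get-ADDomain).DNSRoot
$report = Get-GpoLinkReport -Domain $domain
# The two settings the slide singles out, isolated for review.
$report | Where-Object { $_.InheritanceBlocked } | Format-Table -AutoSize
$report | Where-Object { $_.Enforced }           | Format-Table -AutoSize

# Who may apply versus edit each GPO (the "permissions configured on each
# Group Policy" step).
Get-GPO -All -Domain $domain | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All -Domain $domain |
        Select-Object @{ n = 'GPO'; e = { $gpo.DisplayName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
} | Format-Table -AutoSize
```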
(Skill 2) Examining a Windows 2000 Infrastructure (14)
• Global catalog server requirements
  • Examine locations, paying special attention to locations that do not contain any global catalog servers
  • Examine the configuration of each existing global catalog server
  • Examine reliability and performance statistics
  • Examine network traffic related to global catalog replication and queries

(Skill 2) Examining a Windows 2000 Infrastructure (16)
• Flexible Single Master of Operations (FSMO) role configuration
  • Examine the placement of these roles closely, because they are so important
  • Make sure in the new design that you transfer roles as necessary to achieve the maximum level of reliability and redundancy

(Skill 2) Examining a Windows 2000 Infrastructure (17)
• FSMO role configuration
  • Obtain the following information on servers currently hosting FSMO roles
    • Server hardware configuration
    • Server performance and reliability statistics
    • Backup records or logs
    • Other services configured
    • Security settings
    • Whether the server is a global catalog server
    • Whether the server hosts more than one FSMO role
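An added PowerShell example, not from the original slides, that locates every FSMO role holder in the forest and answers the last two questions on the list (global catalog status and multiple roles per server) in one pass. It assumes the ActiveDirectory module (RSAT); the warning about the infrastructure master on a global catalog reflects the documented constraint that, in a multi-domain forest, the role only functions on a GC if every domain controller in that domain is also a GC.

```powershell
# Added example: list FSMO role holders and flag servers that hold several
# roles or combine the infrastructure master with a global catalog.
# Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles = @(
    [pscustomobject]@{ Role = 'SchemaMaster';       Holder = $forest.SchemaMaster;       Domain = $forest.RootDomain }
    [pscustomobject]@{ Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster; Domain = $forest.RootDomain }
)
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    $roles += [pscustomobject]@{ Role = 'PDCEmulator';          Holder = $d.PDCEmulator;          Domain = $d.DNSRoot }
    $roles += [pscustomobject]@{ Role = 'RIDMaster';            Holder = $d.RIDMaster;            Domain = $d.DNSRoot }
    $roles += [pscustomobject]@{ Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster; Domain = $d.DNSRoot }
}

foreach ($grp in ($roles | Group-Object Holder)) {
    $dc = Get-ADDomainController -Identity $grp.Name -Server $grp.Group[0].Domain
    $warnings = @()
    if ($grp.Count -gt 1) { $warnings += "holds $($grp.Count) roles (single point of failure)" }
    # In a multi-domain forest the infrastructure master does not update
    # cross-domain references while it runs on a GC, unless every DC in that
    # domain is also a GC.
    if ($dc.IsGlobalCatalog -and ($grp.Group.Role -contains 'InfrastructureMaster') -and $forest.Domains.Count -gt 1) {
        $roleDomain = ($grp.Group | Where-Object Role -eq 'InfrastructureMaster').Domain
        $nonGc = Get-ADDomainController -Filter * -Server $roleDomain | Where-Object { -not $_.IsGlobalCatalog }
        if ($nonGc) { $warnings += 'infrastructure master on a GC while other DCs in the domain are not GCs' }
    }
    [pscustomobject]@{
        Server          = $dc.HostName
        Site            = $dc.Site
        OS              = $dc.OperatingSystem
        IsGlobalCatalog = $dc.IsGlobalCatalog
        Roles           = ($grp.Group.Role -join ', ')
        Warnings        = ($warnings -join '; ')
    }
}
```

Hardware, backup and performance records still have to be gathered per server; this output tells you which servers those records are needed for.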
(Skill 2) Figure 3-9 Analyzing Group Policy application