1. © Wiley Inc. 2006. All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition (70-294) Chapter 3: Installing and Managing Trees and Forests

2. Reasons for Using Multiple Domains 2 © Wiley Inc. 2006. All Rights Reserved. Scalability Reducing replication traffic Political and organizational reasons Many levels of hierarchy Varying security policies Decentralized administration Multiple DNS or domain names

3. Drawbacks of Multiple Domains 3 © Wiley Inc. 2006. All Rights Reserved. Administrative inconsistency Difficult management of resources Decreased flexibility

4. Basing Multiple Domains on Business Requirements 4 © Wiley Inc. 2006. All Rights Reserved. Use a Single Tree Use a Forest – all domains share: –Schema –Global Catalog –Configuration information

5. Promotion Process 5 © Wiley Inc. 2006. All Rights Reserved. Active Directory Installation Wizard (DCPROMO) used to create new domains New domains created by promoting a Windows Server 2003 stand-alone or member server to a domain controller

6. Information Needed to Create Child Domain 6 © Wiley Inc. 2006. All Rights Reserved. Name of the parent domain Name of the child domain File system locations for Active Directory database, logs, and shared system volume DNS configuration information Domain administrator username and password

7. Joining New Domain Tree to a Forest 7 © Wiley Inc. 2006. All Rights Reserved. Forest is formed by joining two or more domains or trees that do not share a contiguous namespace Any two independent domains can be joined to create a forest Process requires simply promoting a server to a domain controller for a new domain that does not share a namespace with an existing AD domain

8. Two Reasons for Adding Additional Domain Controllers 8 © Wiley Inc. 2006. All Rights Reserved. Fault tolerance and reliability Performance

9. Demoting a Domain Controller 9 © Wiley Inc. 2006. All Rights Reserved. Done with Active Directory Installation Wizard Can be done to change the server’s role or to move machine between domains

10. Before Removing Last Domain Controller 10 © Wiley Inc. 2006. All Rights Reserved. Ensure that computers no longer log on to this domain Make certain no user accounts are needed Ensure all encrypted data is decrypted Back up all cryptographic keys

11. Single Master Operations Roles for Entire Forest 11 © Wiley Inc. 2006. All Rights Reserved. Schema Master Domain Naming Master

12. Single Master Operations Roles for Each Domain 12 © Wiley Inc. 2006. All Rights Reserved. Relative ID (RID) Master Primary Domain Controller (PDC) Emulator Infrastructure Master

13. Two Main Characteristics of Trusts 13 © Wiley Inc. 2006. All Rights Reserved. Transitive – by default, Active Directory trusts are transitive One-way versus two-way – can be configured either way

14. Special Trusts 14 © Wiley Inc. 2006. All Rights Reserved. External trusts Realm trusts Cross-forest trusts Shortcut trusts

15. UPN Suffixes 15 © Wiley Inc. 2006. All Rights Reserved. User principal name (UPN) suffixes appear after @ in the user’s name By default, UPN suffix is determined by the name of the domain in which the user is created Can be useful to provide an alternative UPN suffix to consolidate UPNs forestwide

16. Global Catalog Servers 16 © Wiley Inc. 2006. All Rights Reserved. You can configure any number of domain controllers to host a copy of the Global Catalog. GC contains all of the schema information and a subset of all the attributes for all domains within the AD environment.