Planning an Active Directory Deployment Lesson 1.

Presentation transcript:

Planning an Active Directory Deployment Lesson 1

Directory Service A directory service is a repository of information about the resources — hardware, software, and human — that are connected to a network. Users, computers, and applications throughout the network can access the repository for a variety of purposes, including user authentication, storage of configuration data, and even simple white pages–style information lookups.

Active Directory Active Directory is the directory service that Microsoft first introduced in Windows 2000 Server, and which they have upgraded in each successive server operating system release, including Windows Server 2008.
– Active Directory makes services and resources available.
– It provides authentication and authorization. Authentication is the process of verifying a user's identity; authorization is the process of granting the user access only to the resources he or she is permitted to use.

Active Directory Components (ITMT 2302 – Windows Server 2008 Active Directory Configuration)

Domain A domain is a logical container for the network components that you control and organize as a single entity. Each domain is hosted by at least one server designated as a domain controller.

Active Directory Objects An Active Directory domain is a hierarchical structure that takes the form of a tree, much like a file system. The domain consists of objects, each of which represents a logical or physical resource. There are two basic classes of objects: container objects and leaf objects.
– A container object, including domains, is one that can have other objects subordinate to it.
– A leaf object can represent users, computers, groups, applications, and other resources on the network.

Active Directory Attributes Every object consists of attributes, which store information about the object. A container object has, as one of its attributes, a list of all the other objects it contains. Leaf objects have attributes that contain specific information about the specific resource the object represents. Some attributes are created automatically, such as the globally unique identifier (GUID) that the domain controller assigns to each object when it creates it, while administrators must supply information for other attributes manually.

Active Directory Attributes

Directory Schema Different object types have different sets of attributes, depending on their functions. The attributes each type of object can possess, both required and optional, the type of data that can be stored in each attribute, and the object’s place in the directory tree are all defined in the directory schema. In Active Directory, unlike Windows NT domains, the directory schema elements are extensible, enabling applications to add their own object types to the directory, or add attributes to existing object types.

Additional User Attributes for Microsoft Exchange

Organizational Unit (OU) A container object that functions in a subordinate capacity to a domain, something like a subdomain, but without the complete separation of security policies. As a container object, OUs can contain other OUs, as well as leaf objects. You can apply separate Group Policy to an OU, and delegate the administration of an OU as needed. However, an OU is still part of the domain and still inherits policies and permissions from its parent objects.

Organizational Units

Groups Active Directory supports groups with varying capabilities, as defined by the group type and the group scope. There are two group types in Active Directory:
– Security groups — Administrators use security groups to assign permissions and user rights to a collection of objects. In the vast majority of cases, the term "group" refers to a security group.
– Distribution groups — Applications use distribution groups for non-security-related functions, such as sending messages to a collection of users.

Security Groups The security group is the type you use most often when designing an Active Directory infrastructure. Within the security group type, there are three group scopes:
– Domain local groups — Most often used to assign permissions to resources in the same domain.
– Global groups — Most often used to organize users who share similar network access requirements.
– Universal groups — Most often used to assign permissions to related resources in multiple domains.

Group Nesting

AGULP A traditional mnemonic for remembering the nesting capabilities of Active Directory groups. AGULP stands for:
– Accounts
– Global groups
– Universal groups
– domain Local groups
– Permissions
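The AGULP pattern expressed with the ActiveDirectory PowerShell module, as an added example that is not part of the original lesson. The domain name contoso.example, the OU `OU=Groups,DC=contoso,DC=example`, the folder `D:\Shares\Finance` and the account names are assumed; accounts go into a global group, the global group is nested in a domain local group, and only the domain local group appears in the folder's ACL.

```powershell
# Added example: AGULP (Accounts -> Global -> [Universal] -> domain Local -> Permissions).
# Requires the ActiveDirectory module (RSAT) and rights to create groups and change the ACL.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=contoso,DC=example'   # assumed OU that will hold the groups
$sharePath = 'D:\Shares\Finance'                  # assumed folder whose permissions we manage
$domainNb  = 'CONTOSO'                            # assumed NetBIOS name of the domain

# G: a global group organizes the accounts that share one access requirement.
New-ADGroup -Name 'Finance-Users' -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Description 'Finance department staff (assumed)'

# DL: a domain local group is the object that actually carries the permission.
New-ADGroup -Name 'Finance-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description 'Modify rights on the Finance share (assumed)'

# A -> G: put the accounts (assumed sAMAccountNames) into the global group.
Add-ADGroupMember -Identity 'Finance-Users' -Members 'jdoe', 'asmith'

# G -> DL: nest the global group inside the domain local group.
Add-ADGroupMember -Identity 'Finance-Share-Modify' -Members 'Finance-Users'

# DL -> P: grant Modify on the folder to the domain local group, inherited by subfolders and files.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domainNb\Finance-Share-Modify", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check 1: the DACL should name only the domain local group, never individual accounts.
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -like "$domainNb\*" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# Check 2: the effective members of the domain local group arrive through the global group.
Get-ADGroupMember -Identity 'Finance-Share-Modify' -Recursive |
    Select-Object SamAccountName, objectClass
```

Adding a user later means one Add-ADGroupMember call on the global group; the ACL on the resource is never touched again.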

Domain Tree When designing an Active Directory infrastructure, you might, in some cases, want to create multiple domains. Active Directory scales upward from the domain just as easily as it scales downward.

Internal Active Directory Domain Tree

Active Directory Domain Tree using an Internet Domain Name

Forest An Active Directory forest consists of one or more separate domain trees, which have the same two-way trust relationships between them as two domains in the same tree. When you create the first domain on an Active Directory network, you are in fact creating a new forest, and that first domain becomes the forest root domain.

Global Catalog Domains function as the hierarchical boundaries for the Active Directory database as well. A domain controller maintains only the part of the Active Directory database that defines its own domain and that domain's objects. Active Directory clients still need a way to locate and access the resources of other domains in the same forest. To make this possible, each forest has a global catalog, which is a list of all of the objects in the forest, along with a subset of each object's attributes.

Functional Levels Every Active Directory forest has a functional level, as does every domain. Functional levels are designed to provide backwards compatibility in Active Directory installations running domain controllers with various versions of the Windows Server operating system.

Domain Controllers Each domain on an Active Directory network should have at least two domain controllers, to ensure that the Active Directory database is available to clients at all times, and to provide clients with ready access to a nearby domain controller. How many domain controllers you install for each of your domains, and where you locate them, is an important part of designing an Active Directory infrastructure. Also important is an understanding of how and why the domain controllers communicate — with each other and with clients.

Lightweight Directory Access Protocol (LDAP) The standard communications protocol for directory service products, including Active Directory. LDAP defines the format of the queries that Active Directory clients send to domain controllers, as well as providing a naming structure for uniquely identifying objects in the directory.

Active Directory Replication Active Directory uses multiple-master replication. When a change is made to a domain object on any domain controller, that change is replicated to all of the other domain controllers.

Active Directory Replication

Read-Only Domain Controllers One of the new Active Directory features in Windows Server 2008 is the ability to create a Read-Only Domain Controller (RODC), which is a domain controller that supports only incoming replication traffic. As a result, it is not possible to create, modify, or delete Active Directory objects using the RODC.

Sites To facilitate the replication process, Active Directory includes another administrative division called the site. A site is defined as a collection of subnets that have good connectivity between them. Good connectivity is understood to be at least T-1 speed (1.544 megabits per second). Generally speaking, this means that a site consists of all the local area networks (LANs) at a specific location. A different site would be a network at a remote location, connected to the other site using a T-1 or slower WAN technology.

Sites A site topology consists of three Active Directory object types:
– Sites — A site object represents the group of subnets at a single location, with good connectivity.
– Subnets — A subnet object represents an IP network at a particular site.
– Site links — A site link object represents a WAN connection between two sites.

Designing an Active Directory Infrastructure The process of designing an Active Directory infrastructure consists of the following basic phases:
– Designing the domain name space.
– Designing the internal domain structure.
– Designing a site topology.
– Designing a Group Policy strategy.

Additional Active Directory Domains Reasons to create:
– Isolated replication
– Unique domain policy
– Domain upgrades
Reasons not to create:
– Size
– Administration

Designing a Tree Structure Designing a tree structure includes deciding how you are going to arrange the domains to form a tree, how you are going to name your domains, and which domain will be the forest root.

Designing a Tree Structure If you plan to create domains corresponding to remote sites or organizational divisions, the most common practice is to make them all subdomains in the same tree, with a single root domain at the top. The first domain you create in an Active Directory forest — the forest root domain — is critical, because it has special capabilities.
– The Schema Administrators group exists only in the forest root domain, and the members of that group have the ability to modify the Active Directory schema, which affects all of the domains in the forest.

Internal Domain Structure Once you create a design for your Active Directory domains and the trees and forests superior to them, it is time to zoom in on each domain and consider the hierarchy you want to create inside it.

Organizational Units Creating OUs should be based on:
– Duplicating organizational divisions.
– Assigning Group Policy settings.
– Delegating administration.

Group Policies Group Policy is one of the most powerful features of Active Directory. Using Group Policy, you can deploy hundreds of configuration settings to large collections of users at once. To deploy Group Policy settings, you must create group policy objects (GPOs) and link them to Active Directory domains, organizational units, or sites. Every object in the container to which the GPO is linked receives the settings you configure in it.

Deploying Active Directory Domain Services Although it does not actually convert the computer into a domain controller, installing the Active Directory Domain Services role prepares the computer for the conversion process.

Summary A directory service is a repository of information about the resources — hardware, software, and human — that are connected to a network. Active Directory is the directory service that Microsoft first introduced in Windows 2000 Server and that they have upgraded in each successive server operating system release, including Windows Server 2008.

Summary Users that are joined to an Active Directory domain log on to the domain, not to an individual computer or application, and are able to access any resources in that domain for which administrators have granted them the proper permissions.

Summary In Active Directory, you can subdivide a domain into organizational units and populate it with objects.
– You can also create multiple domains and group them into sites, trees, and forests.
An organizational unit (OU) is a container object that functions in a subordinate capacity to a domain.
– OUs can contain other OUs, as well as leaf objects. You can apply separate Group Policy to an OU and delegate the administration of an OU as needed.

Summary Like organizational units, group objects are containers, but groups are not full-fledged security divisions as OUs are.
– You cannot apply Group Policy settings to a group object.
When you create your first domain on an Active Directory network, you are, in essence, creating the root of a domain tree.
– You can populate the tree with additional domains as long as they are part of the same contiguous namespace.

Summary An Active Directory forest consists of two or more separate domain trees, which have the same two-way trust relationships between them as two domains in the same tree. To facilitate the replication process, Active Directory includes another administrative division called the site. A site is defined as a collection of subnets that have good connectivity between them.

Summary The overall objective in your Active Directory design process should be to create as few domains as possible.

Summary The design of a domain namespace should be based on the structure of your organization. The most common structural paradigms used in Active Directory designs are the geographic, in which the domain structure is representative of the organization’s physical locations, and the political, in which the structure conforms to the divisions or departments within your organization.

Summary A critical difference between a domain tree hierarchy and the OU hierarchy within a domain is inheritance. When you assign Group Policy settings to a domain, the settings apply to all leaf objects in that domain, but not to the subdomains that are subordinate to it. When you assign Group Policy settings to an OU, those settings apply to all leaf objects in the OU, and the settings are inherited by any subordinate OUs it contains.

Summary GPOs can contain Computer settings, which are applied as the client computer boots, and User settings, which are applied as the user logs on to the domain. The application of Group Policy settings at too many levels can slow down the boot and/or logon processes substantially.

Summary Part of the internal domain design process consists of deciding where you are going to deploy GPOs and creating a hierarchy that does not apply too many GPOs to individual leaf objects.
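The OU inheritance rule and the "how many GPOs reach a leaf object" question from the last three slides, as an added example using the GroupPolicy and ActiveDirectory modules (not code from the lesson). The domain `DC=contoso,DC=example`, the OU names and the GPO names are assumed.

```powershell
# Added example: link one GPO per level and count what a leaf object in the deepest OU
# actually receives. Requires the GroupPolicy module (GPMC) and the ActiveDirectory module.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=example'          # assumed domain
$parentOu = "OU=Workstations,$domainDn"      # assumed parent OU
$childOu  = "OU=Finance,$parentOu"           # assumed child OU (inherits from the parent OU)

# Build the OU hierarchy used by the example.
New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn
New-ADOrganizationalUnit -Name 'Finance'      -Path $parentOu

# One GPO linked at each level: domain, parent OU, child OU (all names assumed).
New-GPO -Name 'Domain Baseline'      | New-GPLink -Target $domainDn -LinkEnabled Yes
New-GPO -Name 'Workstation Baseline' | New-GPLink -Target $parentOu -LinkEnabled Yes
New-GPO -Name 'Finance Workstations' | New-GPLink -Target $childOu  -LinkEnabled Yes

# Report, for an OU, the GPOs it links directly and everything it inherits from
# the domain and the OUs above it. InheritedGpoLinks is already in precedence order.
function Get-EffectiveGpoLinks {
    param([string]$Target)
    $som = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target          = $Target
        DirectLinks     = @($som.GpoLinks).Count
        EffectiveLinks  = @($som.InheritedGpoLinks).Count
        InheritanceOff  = $som.GpoInheritanceBlocked
        Order           = ($som.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ' > '
    }
}

# Expected shape: the child OU links 1 GPO directly but 3 apply to its leaf objects,
# because OU-linked GPOs are inherited downward. A GPO linked at the domain is NOT
# inherited by a child domain; checking that needs Get-GPInheritance -Domain <child>.
Get-EffectiveGpoLinks -Target $parentOu
Get-EffectiveGpoLinks -Target $childOu

# Design check: flag OUs where too many GPOs reach the leaf objects (threshold assumed).
$maxLinks = 5
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    ForEach-Object { Get-EffectiveGpoLinks -Target $_.DistinguishedName } |
    Where-Object { $_.EffectiveLinks -gt $maxLinks } |
    Select-Object Target, EffectiveLinks, Order
```

EffectiveLinks counts links, not settings; a single GPO with many Computer and User settings still costs boot and logon time, so the threshold is a planning aid rather than a hard limit.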