Vikram Thakur Introduction to Active Directory Structure.


Agenda
- Introduction to Active Directory
- FSMO Roles
- Replication
- Active Directory deployment planning
- Guiding principles
- Structure planning
- More information

Introduction to Active Directory
- What is it?
- How does it help?
- How is it stored?
- Where is it stored?
- Can its scope be extended?

Domain Controller
- These are 'Logon' or 'Authenticating' servers with the NTDS Directory
- Under any circumstances there should be at least 2 of these DCs
- They check for DB Consistency
- They maintain the domain information

AD Properties
- It doesn't require the PDC/BDC structure anymore... that went away with NT4
- 'Delegation' is possible... more later
- It provides an LDAP interface to other applications
- Multiple Domains can be a part of a single AD with Inter Site Trust (Forests)

Storage Structure of AD
- Comprises 2 parts
- Transaction Logs
- Database
- SYSVOL (old NETLOGON)

FSMO
FSMO – Flexible Single Master of Operations
- Schema
- PDC
- RID
- Domain Naming
- Infrastructure

Global Catalogs (GCs)
- Hold limited form of AD
- Can be modified by using the SCHMGMT.DLL
- Used for location of resources

Replication
- AD works in Multi-Master mode by default
- Happens every 5 minutes
- Default – Every DC replicates with 2 other DCs
- KCC is part of LSASS (Monitoring that will tell you when you need another DC)
- USN (Update Sequence Number)
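To check the items on the Domain Controller, FSMO, Global Catalog and Replication slides against a live domain, the following PowerShell inventory can be used. It is an added example, not part of the original presentation, and assumes a management host with the RSAT ActiveDirectory module from Windows Server 2012 or later and read access to the directory.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and directory read access.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)

# Domain Controller slide: there should be at least 2 DCs.
if ($dcs.Count -lt 2) {
    Write-Warning "$($domain.DNSRoot) has only $($dcs.Count) domain controller(s)."
}

# FSMO slide: the five roles and their current holders.
# Schema and Domain Naming are per forest; PDC, RID and Infrastructure are per domain.
@(
    [pscustomobject]@{ Role = 'Schema';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'Domain Naming';  Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'PDC';            Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'RID';            Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'Infrastructure'; Holder = $domain.InfrastructureMaster }
) | Format-Table -AutoSize | Out-Host

# Global Catalog slide: which DCs are GCs, and which roles each DC holds.
$dcs | Sort-Object HostName |
    Select-Object HostName, Site, IsGlobalCatalog,
        @{ Name = 'Roles'; Expression = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize | Out-Host

# Replication slide: inbound partners of every DC, with last success and failure count.
$dcs | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -Scope Server
} | Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize | Out-Host
```

A DC that holds every FSMO role, or a link with a non-zero failure count, is the first thing to review before changing the structure.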

Planning and Deployment

Deployment Planning
- Three steps
  1. Assess your environment
  2. Create Active Directory structure plan
  3. Create migration plan
(Diagram: 1. Assess, 2. Plan, 3. Migrate)

Guiding Principles
- Keep it simple
- Aim for the ideal design
- Evaluate several alternatives
- Anticipate change

Structure Planning
- Deliverable: planning documents
(Diagram: Forest plan, Domain plan, OU plan)

Forest Planning
- Start with a forest plan
(Diagram: Forest plan, Domain plan, OU plan, Site topology)

Forest Planning Concepts
- Forest
- Configuration: Site topology, Domain hierarchy
- Schema: Class definitions, Attribute definitions
- User Principal Name
- Global catalog

Forest Planning Methodology
- Start with a single forest
- Create change control policy
- Schema Admins and Enterprise Admins group membership
- Multiple forests may be required
- Cannot agree on change control
- Division requires own schema or config
- Complete trust undesirable

Forest Planning Inter-forest Considerations
- Users must be aware of structure
- Explicit query to domain outside forest
- Import objects from other forests
- Config, schema managed separately
- One-way, non-transitive trust only

Forest Planning Examples
- Central authority
- Single forest
- Conglomerate, autonomous division
- May require multiple forests
- ISP or hosting scenario
- Multiple forests
- No reason to share schema, config or to have complete trust

Domain Planning
- Create a domain plan for each forest
(Diagram: Forest plan, Domain plan, OU plan)

Domain Planning Concepts
- A domain is a partition of a forest
- Unit of partitioning for replication
- Administrative and policy boundary
- Scope of authority of Domain Admins
- Policy and access control do not flow between domains

Domain Planning Methodology
(Diagram: Forest plan, Domain plan, OU plan)
- Select Forest Root
- Create Hierarchy
- DNS Support
- Partition

Domain Planning Partitioning
- Start with a single domain
- Justify each additional domain
- Example justification
- Administrative partitioning (admin/policy)
- Physical partitioning (replication)
- Upgrade existing domain in-place

Domain Planning Obsolete Reasons to Partition
- WinNT 4.0: 40,000 object limit
- Active Directory tests: 1,500,000+
- Primary Domain Controller (PDC) availability requirements
- Active Directory is multi-master
- Delegation of administration
- Resource domains no longer needed
- Delegate within a domain using OUs

OU Planning
- Create an OU plan for each domain
(Diagram: Forest plan, Domain plan, OU plan)

OU Planning Concepts
- An Organizational Unit (OU) is a container inside a domain
- Nested to create hierarchical structure
- Not a security principal
- Easily changed
- Typically not exposed to users
- Depth does not impact performance

OU Planning Methodology
(Diagram: Forest plan, Domain plan, OU plan)
- Delegate Administration
- Apply Group Policy

OU Planning Delegate Administration
- Objects can be permissioned on a per-attribute basis
- Very flexible delegation possible
- Minimize number of Domain Admins
- Example procedure
  1. Delegate full control
  2. Delegate full control per-object class
  3. Delegate control of specific attribute
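The three delegation levels in the example procedure can be read back from an OU's access control list. The script below is an added example, not part of the original presentation; it assumes the RSAT ActiveDirectory module, and the OU distinguished name is a hypothetical placeholder.

```powershell
# Added example. Requires the ActiveDirectory module, which also provides the AD: drive.
Import-Module ActiveDirectory

$ouDn   = 'OU=Workstations,DC=example,DC=test'   # hypothetical OU; use your own DN
$empty  = [Guid]::Empty
$fullGA = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$writeP = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Keep only ACEs set directly on this OU (not inherited) that grant access.
$report = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        # Map each ACE to the step of the slide's procedure it corresponds to.
        $level = if (($rights -band $fullGA) -eq $fullGA) {
            if ($_.InheritedObjectType -eq $empty) { '1: full control, all object classes' }
            else                                   { '2: full control, one object class' }
        } elseif (($rights -band $writeP) -ne 0 -and $_.ObjectType -ne $empty) {
            '3: write to one attribute or property set'
        } else {
            'other'
        }
        [pscustomobject]@{
            Level               = $level
            Trustee             = $_.IdentityReference
            Rights              = $_.ActiveDirectoryRights
            ObjectType          = $_.ObjectType            # schema GUID; all zeros means "any"
            InheritedObjectType = $_.InheritedObjectType   # class GUID; all zeros means "any"
        }
    }

$report | Sort-Object Level | Format-List | Out-Host

# "Minimize number of Domain Admins": count effective members, nested groups included.
$admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
"Domain Admins effective members: $($admins.Count)"
```

Level 1 and level 2 entries granted to large groups are the ones to narrow toward level 3.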

OU Planning Apply Group Policy
- Group policy is used to control desktop configurations
- Applied to Users and Computers
- Associated with Sites, Domains, or Organizational Units
- Create OUs to apply unique policy
- Filter application of policy using access control

Summary
- Deployment planning
- Assess current environment
- Structure planning
- Migration planning
- Start with structure planning
- Forest, domain, OU
- Guiding principles
- Keep it simple
- Anticipate change

For More Information
- Read the Windows 2003 Deployment Guide (on the Windows 2003 CD)
- Read the Distributed Systems book in the Windows 2003 Resource Kit
- Watch for whitepapers on the Windows 2003 Server home page

Scenario Discussion – time permitting