Active Directory Implementation Class 4 CSIS 165 – Week 2B Exams 70-217 & 70-294 Copyright Scott Wallihan, 2005
Active Directory – Class 4 Ch 5 – AD Logical Design Ch 6 – AD Physical Design
Ch 5 – AD Logical Design
Ch 5 – AD Logical Design Choosing DNS Names Justifying Additional Forests Justifying Additional Domains Identifying Trust Requirements Designing Organizational Units Domain Functional Levels Upgrading from Windows NT
Choosing DNS Names Two primary role of domain names External Internet presence AD & Internal resource identification Three DNS namespace design options Use one DNS namespace for Internet & AD Use discontinuous DNS Namespace for AD Use a subdomain of Internet Namespace for AD
Using a single DNS namespace Advantages: Requires only one domain Naming for email addresses is seamless Disadvantages: Manually maintained DNS server for Internet Solution: Ideal for companies desiring simplicity Use a subset DNS server in a DMZ to service Internet name resolutions
Discontinuous DNS Namespace Advantages Totally obfuscates internal namespace Disadvantages: Typically requires DNS forwarder – But this solution is typically used in closed environments Remark: An uncommon solution Used in high security environments
Subdomain DNS Namespace Advantages: Ideal support for forest root domain Supports AD-aware dynamic DNS for the Internet presence – an uncommon requirement Easily replicates existing DNS topology Disadvantages: More domains = more domain controllers = $$$ Solution: The only choice for larger companies Don’t use a Windows Domain on the Internet unless AD-aware DNS is required – Use zone files
Justifying Additional Forests Forests contain: A single AD schema A single physical configuration A single global catalog A single Enterprise Admins group Trusts between all domains Factors justifying an additional forest: The need to support incompatible schemas The need to totally separate Enterprise Admins The need for trust isolation – maximum security
Justifying Additional Domains Domains define: Security principals Account policies Domain Administrators Factors justifying additional domains: The need for differing account policies The need to separate domain administrators
Trusts Default two-way, transitive trusts Shortcut trusts Forest trusts Realm trusts External trusts (Windows NT)
Organizational Units Organizational units permit: Application of group policy Delegation of sub administration
Designing Organizational Units Common uses of organizational units: Geographical location Department
Domain & Forest Functional Levels Windows 2000 mixed mode Windows 2000 native Windows Server 2003 interim Windows Server 2003
Upgrading Windows NT Domains In-place upgrade Domain consolidation
Ch 6 – AD Physical Design
Ch 6 – AD Physical Design Understanding & Managing Replication Sites & Subnets Site Links Locating Domain Controllers Site Link Bridges Locating Global Catalog Servers
Managing Replication By default, all domain controllers: Problems: Are members of the same site Replicate with all other DC’s in a ring Problems: DC’s determine replication randomly DC’s replicate frequently By default, replication traffic is not compressed. Solution: Create sites to define replication boundaries
Sites & Subnets Sites defined: A collection of one or more well-connected subnets Sites direct clients’ access to resources: Global catalog servers DFS servers Domain Controllers Default-First-Site-Name site Domain controllers are placed in here by default
Site Links Site links define replication paths between subnets Site links define a replication schedule and method
Site Link Bridges By default, all site links are bridged. This permits replication to occur between all sites In non-fully routed environments, site link bridges define which sites can communicate with each other
Locating Domain Controllers Every domain should have at least two domain controllers Large sites should have two or more DC’s Small sites should have one DC
Locating Global Catalog Servers Every domain MUST have one global catalog server Global catalog and Infrastructure master role should be on separate domain controllers Every site that processes logons must have one global catalog server To circumvent this requirement: Run domain in “Windows Server 2003” mode Enable Universal group caching – site object In organizations with one domain, place a global catalog on every domain controller
Review Ch 5 – AD Logical Design Ch 6 – AD Physical Design