Active Directory Implementation Class 4 CSIS 165 – Week 2B Exams 70-217 & 70-294 Copyright Scott Wallihan, 2005

Dec 24, 2015

Page 1:
Active Directory Implementation
Class 4
CSIS 165 – Week 2B
Exams 70-217 & 70-294
Copyright Scott Wallihan, 2005

Page 2: Active Directory – Class 4
- Ch 5 – AD Logical Design
- Ch 6 – AD Physical Design

Page 3: Ch 5 – AD Logical Design

Page 4: Ch 5 – AD Logical Design
- Choosing DNS Names
- Justifying Additional Forests
- Justifying Additional Domains
- Identifying Trust Requirements
- Designing Organizational Units
- Domain Functional Levels
- Upgrading from Windows NT

Page 5: Choosing DNS Names
Two primary roles of domain names:
- External Internet presence
- AD and internal resource identification
Three DNS namespace design options:
- Use one DNS namespace for the Internet and AD
- Use a discontinuous DNS namespace for AD
- Use a subdomain of the Internet namespace for AD

Page 6: Using a single DNS namespace
Advantages:
- Requires only one domain
- Naming for email addresses is seamless
Disadvantages:
- Manually maintained DNS server for the Internet
Solution:
- Ideal for companies desiring simplicity
- Use a subset DNS server in a DMZ to service Internet name resolutions

Page 7: Discontinuous DNS Namespace
Advantages:
- Totally obfuscates the internal namespace
Disadvantages:
- Typically requires a DNS forwarder, but this solution is typically used in closed environments
Remark:
- An uncommon solution
- Used in high-security environments

Page 8: Subdomain DNS Namespace
Advantages:
- Ideal support for the forest root domain
- Supports AD-aware dynamic DNS for the Internet presence (an uncommon requirement)
- Easily replicates the existing DNS topology
Disadvantages:
- More domains = more domain controllers = $$$
Solution:
- The only choice for larger companies
- Don't use a Windows domain on the Internet unless AD-aware DNS is required; use zone files
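The subdomain design on pages 5 through 8 is the one most shops end up with, so the following PowerShell sets it up on an internal Windows DNS server. This is an added example, not code from the slides or from the course author: the zone names (example.test as the public zone served externally from zone files, ad.example.test as the AD forest root zone), the forwarder addresses and the use of the DnsServer module are all assumptions for illustration. The closing check looks for AD-integrated zones that still accept nonsecure dynamic updates, which is the setting a reviewer checks first on an AD-aware DNS server.

```powershell
# Added example (not from the slides): implementing the "subdomain" namespace design
# on an internal Windows DNS server. Names below are placeholders, not from the deck:
#   example.test               - the public Internet zone, served externally from zone files
#   ad.example.test            - the AD forest root zone, hosted only on internal DCs
#   192.0.2.53 / 198.51.100.53 - external resolvers the internal servers forward to
# Requires the DnsServer module (DNS Server role or RSAT) and an elevated session.

$adZone     = 'ad.example.test'
$forwarders = @('192.0.2.53', '198.51.100.53')

# 1. The AD zone is AD-integrated, replicated to every DNS server in the forest, and
#    accepts only SECURE dynamic updates, so only authenticated computer and DC accounts
#    can register or overwrite records for hosts and services.
if (-not (Get-DnsServerZone -Name $adZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $adZone -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
}

# 2. Everything outside ad.example.test (including the parent example.test) is resolved
#    by forwarding to resolvers in the DMZ or at the ISP. The internal server never hosts
#    the public zone, so no Windows domain is exposed on the Internet.
Add-DnsServerForwarder -IPAddress $forwarders -PassThru

# 3. Design check: report any AD-integrated zone that still allows nonsecure updates.
#    Such a zone lets any host on the network overwrite records, including those of DCs.
function Get-InsecureDynamicUpdateZone {
    Get-DnsServerZone |
        Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
        Select-Object ZoneName, DynamicUpdate, ReplicationScope
}

Get-InsecureDynamicUpdateZone
```

Run it on one domain controller that holds the DNS role; the zone replicates to the others through AD. An empty result from Get-InsecureDynamicUpdateZone is the expected state; any row it prints is a zone whose DynamicUpdate setting should be changed to Secure with Set-DnsServerPrimaryZone.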

Page 9: Justifying Additional Forests
Forests contain:
- A single AD schema
- A single physical configuration
- A single global catalog
- A single Enterprise Admins group
- Trusts between all domains
Factors justifying an additional forest:
- The need to support incompatible schemas
- The need to totally separate Enterprise Admins
- The need for trust isolation (maximum security)

Page 10: Justifying Additional Domains
Domains define:
- Security principals
- Account policies
- Domain Administrators
Factors justifying additional domains:
- The need for differing account policies
- The need to separate domain administrators

Page 11: Trusts
- Default two-way, transitive trusts
- Shortcut trusts
- Forest trusts
- Realm trusts
- External trusts (Windows NT)
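Pages 9 through 11 present the forest as the security boundary and list the trust types that cross it. The script below is an added example, not from the slides or the course author: it inventories the trusts of the current domain with Get-ADTrust from the ActiveDirectory module, classifies each one using the categories on the slide, and reports the settings (SID filtering, selective authentication, direction) that decide whether a trust actually isolates the forests as the design intends. The classification rules and the choice of which flags to report are this example's own.

```powershell
# Added example (not from the slides): review every trust of the current domain and
# flag the settings that weaken trust isolation. Requires the ActiveDirectory module;
# run from a domain-joined administrative host. Read-only.

function Get-TrustReview {
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        $t = $_
        # Classify the trust the way the slide does.
        $kind = if ($t.IntraForest)             { 'Intra-forest (default two-way transitive or shortcut)' }
                elseif ($t.ForestTransitive)    { 'Forest trust' }
                elseif ($t.TrustType -eq 'MIT') { 'Realm trust (Kerberos)' }
                else                            { 'External trust (non-transitive)' }

        $findings = @()
        # SID filtering: forest trusts use SIDFilteringForestAware, external trusts use
        # SIDFilteringQuarantined. When it is off, SIDs presented by the trusted side are
        # accepted, so group memberships from the other forest are honoured here.
        if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
            $findings += 'SID filtering off'
        }
        if (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) off'
        }
        # Selective authentication limits which resources trusted users may authenticate to.
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $findings += 'Selective authentication off'
        }
        # A two-way cross-forest trust grants access in both directions; confirm it is needed.
        if ($t.Direction -eq 'BiDirectional' -and -not $t.IntraForest) {
            $findings += 'Two-way'
        }

        [pscustomobject]@{
            Target    = $t.Target
            Kind      = $kind
            Direction = $t.Direction
            Findings  = ($findings -join '; ')
        }
    }
}

Get-TrustReview | Format-Table -AutoSize
```

Intra-forest trusts produce no findings by design: inside one forest the slide's own point applies, a single schema, a single Enterprise Admins group and transitive trust between every domain, so there is nothing to isolate. The findings column is only meaningful for trusts that cross the forest boundary.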

Page 12: Organizational Units
Organizational units permit:
- Application of group policy
- Delegation of sub-administration

Page 13: Designing Organizational Units
Common uses of organizational units:
- Geographical location
- Department
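Pages 12 and 13 give the two reasons for OUs (group policy and delegation) and the two common layouts (location and department). The script below is an added example, not from the slides or the course author, that builds a location-then-department hierarchy, links a GPO at the level where it applies, and lists the explicitly delegated principals on each top-level OU. The site and department names, the GPO name and the assumption that the ActiveDirectory and GroupPolicy modules are available are all this example's own.

```powershell
# Added example (not from the slides): build an OU hierarchy by geography and then by
# department, link a GPO at the level where it applies, and review delegation.
# Site names, department names and the GPO name are placeholders, not from the deck.
# Requires the ActiveDirectory and GroupPolicy modules and an account allowed to create OUs.

$domainDN = (Get-ADDomain).DistinguishedName
$layout = @{
    'Seattle' = @('Sales', 'Engineering', 'Workstations')
    'Denver'  = @('Sales', 'Finance', 'Workstations')
}

function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'" -SearchBase $Path)) {
        # Protection from accidental deletion stops a mis-click from removing a whole site's objects.
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# 1. Location OUs at the top, department OUs beneath each location.
foreach ($site in $layout.Keys) {
    $siteDN = New-OUIfMissing -Name $site -Path $domainDN
    foreach ($dept in $layout[$site]) {
        $null = New-OUIfMissing -Name $dept -Path $siteDN
    }
}

# 2. Group policy: one workstation baseline GPO, linked to each location's Workstations OU,
#    so the policy follows the machines' location without touching user OUs.
$gpo = Get-GPO -Name 'Workstation Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Workstation Baseline' }
foreach ($site in $layout.Keys) {
    New-GPLink -Name $gpo.DisplayName -Target "OU=Workstations,OU=$site,$domainDN" `
        -LinkEnabled Yes -ErrorAction SilentlyContinue
}

# 3. Delegation review: the explicit (non-inherited) ACEs on each location OU show which
#    principals have been granted sub-administration there.
function Get-OUDelegation {
    Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -SearchScope OneLevel | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            OU       = $_.Name
            Trustees = ($acl.Access | Where-Object { -not $_.IsInherited } |
                        Select-Object -ExpandProperty IdentityReference -Unique) -join ', '
        }
    }
}

Get-OUDelegation | Format-Table -AutoSize
```

The delegation listing is deliberately coarse: it shows who holds explicit rights on a location OU, which is the question a reviewer asks when checking that a regional helpdesk group was delegated only its own location. Refining it to the individual rights (reset password, create computer objects) is a matter of expanding the ActiveDirectoryRights column of the same ACEs.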

Page 14: Domain & Forest Functional Levels
- Windows 2000 mixed mode
- Windows 2000 native
- Windows Server 2003 interim
- Windows Server 2003

Page 15: Upgrading Windows NT Domains
- In-place upgrade
- Domain consolidation

Page 16: Ch 6 – AD Physical Design

Page 17: Ch 6 – AD Physical Design
- Understanding & Managing Replication
- Sites & Subnets
- Site Links
- Site Link Bridges
- Locating Domain Controllers
- Locating Global Catalog Servers

Page 18: Managing Replication
By default, all domain controllers:
- Are members of the same site
- Replicate with all other DCs in a ring
Problems:
- DCs determine replication randomly
- DCs replicate frequently
- By default, replication traffic is not compressed
Solution:
- Create sites to define replication boundaries

Page 19: Sites & Subnets
Sites defined:
- A collection of one or more well-connected subnets
Sites direct clients' access to resources:
- Global catalog servers
- DFS servers
- Domain controllers
Default-First-Site-Name site:
- Domain controllers are placed here by default

Page 20: Site Links
- Site links define replication paths between subnets
- Site links define a replication schedule and method

Page 21: Site Link Bridges
- By default, all site links are bridged. This permits replication to occur between all sites
- In non-fully routed environments, site link bridges define which sites can communicate with each other
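Pages 18 through 21 describe the physical design steps as one procedure: sites as replication boundaries, subnets that map hosts onto them, site links with a cost, interval and schedule, and site link bridges for networks that are not fully routed. The script below carries that procedure through end to end as an added example, not code from the slides or the course author. The site names, subnets, costs, the nightly schedule and the routing assumption (HQ, Branch and Remote can all reach one another; DR is reachable only from HQ) are placeholders invented for the example; it uses the ActiveDirectory module's AD replication cmdlets and sets the "bridge all site links" option directly on the IP transport container.

```powershell
# Added example (not from the slides): sites, subnets, site links and an explicit site
# link bridge for a network that is not fully routed. All names, subnets, costs and the
# schedule are placeholders, not values from the deck. Requires the ActiveDirectory module
# and an account with rights on the Configuration partition (Enterprise Admins).

# Assumed topology: HQ <-> Branch <-> Remote are mutually routable; DR is reachable only from HQ.
$sites = @{
    'HQ'     = @('10.1.0.0/16')
    'Branch' = @('10.2.0.0/24', '10.2.1.0/24')
    'Remote' = @('10.2.9.0/24')
    'DR'     = @('10.3.0.0/24')
}

# 1. Sites, and the subnets that place clients and DCs into them (page 19).
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) { New-ADReplicationSite -Name $name }
    foreach ($cidr in $sites[$name]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $name
        }
    }
}

# 2. Site links: the path, its cost (lower is preferred), the interval and, for the slow
#    DR link, a replication window of 00:00-05:00 daily (page 20).
New-ADReplicationSiteLink -Name 'HQ-Branch'     -SitesIncluded 'HQ','Branch'     -Cost 100 `
    -ReplicationFrequencyInMinutes 60  -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Branch-Remote' -SitesIncluded 'Branch','Remote' -Cost 200 `
    -ReplicationFrequencyInMinutes 120 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'HQ-DR'         -SitesIncluded 'HQ','DR'         -Cost 300 `
    -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

$window = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$window.SetDailySchedule('Zero', 'Zero', 'Five', 'Zero')   # 00:00 to 05:00 every day
Set-ADReplicationSiteLink -Identity 'HQ-DR' -ReplicationSchedule $window

# 3. Bridges (page 21). "Bridge all site links" is on by default, which would let the KCC
#    pair DR directly with Remote even though no route exists. Turning it off is bit 0x2
#    of the options attribute on the IP inter-site transport container; after that, only
#    links placed in an explicit bridge are transitive.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$current = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($current -bor 0x2) }

# HQ, Branch and Remote share routable links, so bridging those two links lets HQ and
# Remote become partners; HQ-DR stays outside every bridge because DR cannot reach the rest.
New-ADReplicationSiteLinkBridge -Name 'HQ-Region-Bridge' -SiteLinksIncluded 'HQ-Branch','Branch-Remote'
```

Leave the bridge step out entirely on a fully routed network: the default bridging already gives the result the slide describes, and an explicit bridge then only adds objects to maintain.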

Page 22: Locating Domain Controllers
- Every domain should have at least two domain controllers
- Large sites should have two or more DCs
- Small sites should have one DC

Page 23: Locating Global Catalog Servers
- Every domain MUST have one global catalog server
- Global catalog and Infrastructure master role should be on separate domain controllers
- Every site that processes logons must have one global catalog server
- To circumvent this requirement:
  - Run the domain in "Windows Server 2003" mode
  - Enable universal group caching (site object)
- In organizations with one domain, place a global catalog on every domain controller
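Pages 22 and 23 are placement rules, and they are easy to check against a live forest. The function below is an added example, not from the slides or the course author: using the ActiveDirectory module it verifies that each domain has at least two DCs, that every site holding a DC (and therefore processing logons) has a global catalog or universal group caching enabled, and that the infrastructure master does not sit on a global catalog unless every DC in the domain is one, the single-domain case the slide describes. The check names and pass criteria are this example's own reading of the slides.

```powershell
# Added example (not from the slides): check the placement rules from pages 22 and 23
# against a live forest. Requires the ActiveDirectory module; read-only.

function Test-DcPlacement {
    $forest  = Get-ADForest
    $dcs     = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    $sites   = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled
    $results = @()

    # Rule 1 (page 22): every domain should have at least two DCs.
    foreach ($d in $forest.Domains) {
        $n = @($dcs | Where-Object Domain -eq $d).Count
        $results += [pscustomobject]@{
            Check  = "Domain $d has >= 2 DCs"
            Pass   = ($n -ge 2)
            Detail = "$n DC(s)"
        }
    }

    # Rule 2 (page 23): every site that processes logons needs a GC, or universal group
    # membership caching (UGMC) on the site object as the slide's workaround.
    foreach ($s in $sites) {
        $inSite = @($dcs | Where-Object Site -eq $s.Name)
        if ($inSite.Count -eq 0) { continue }      # no DC here, so no logons are processed here
        $hasGC = [bool]($inSite | Where-Object IsGlobalCatalog)
        $results += [pscustomobject]@{
            Check  = "Site $($s.Name) has GC or UGMC"
            Pass   = ($hasGC -or [bool]$s.UniversalGroupCachingEnabled)
            Detail = "GC=$hasGC UGMC=$([bool]$s.UniversalGroupCachingEnabled)"
        }
    }

    # Rule 3 (page 23): infrastructure master and GC on separate DCs, unless every DC in
    # the domain is a GC (the single-domain layout), in which case the role has nothing to do.
    foreach ($d in $forest.Domains) {
        $im     = (Get-ADDomain -Identity $d).InfrastructureMaster
        $imDC   = $dcs | Where-Object HostName -eq $im
        $domDCs = @($dcs | Where-Object Domain -eq $d)
        $allGC  = @($domDCs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $results += [pscustomobject]@{
            Check  = "Domain $d infrastructure master not on a GC"
            Pass   = ((-not $imDC.IsGlobalCatalog) -or $allGC)
            Detail = "IM=$im GC=$($imDC.IsGlobalCatalog) allDCsAreGC=$allGC"
        }
    }
    return $results
}

Test-DcPlacement | Format-Table -AutoSize
```

A failing rule 2 for a small site is fixed the way the slide says: either promote one of its DCs to a global catalog, or enable caching on the site object with Set-ADReplicationSite -UniversalGroupCachingEnabled $true and point UniversalGroupCachingRefreshSite at a site that does hold a GC.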

Page 24: Review
- Ch 5 – AD Logical Design
- Ch 6 – AD Physical Design