Active Directory Implementation
Class 4
CSIS 165 – Week 2B
Exams 70-217 & 70-294
Copyright Scott Wallihan, 2005
Ch 5 – AD Logical Design
- Choosing DNS Names
- Justifying Additional Forests
- Justifying Additional Domains
- Identifying Trust Requirements
- Designing Organizational Units
- Domain Functional Levels
- Upgrading from Windows NT
Choosing DNS Names
Two primary roles of domain names:
- External Internet presence
- AD & internal resource identification
Three DNS namespace design options:
- Use one DNS namespace for Internet & AD
- Use a discontinuous DNS namespace for AD
- Use a subdomain of the Internet namespace for AD
Using a single DNS namespace
Advantages:
- Requires only one domain
- Naming for email addresses is seamless
Disadvantages:
- Manually maintained DNS server for Internet
Solution:
- Ideal for companies desiring simplicity
- Use a subset DNS server in a DMZ to service Internet name resolutions
Discontinuous DNS Namespace
Advantages:
- Totally obfuscates internal namespace
Disadvantages:
- Typically requires DNS forwarder – but this solution is typically used in closed environments
Remark:
- An uncommon solution
- Used in high security environments
Subdomain DNS Namespace
Advantages:
- Ideal support for forest root domain
- Supports AD-aware dynamic DNS for the Internet presence – an uncommon requirement
- Easily replicates existing DNS topology
Disadvantages:
- More domains = more domain controllers = $$$
Solution:
- The only choice for larger companies
- Don’t use a Windows Domain on the Internet unless AD-aware DNS is required – use zone files
Justifying Additional Forests
Forests contain:
- A single AD schema
- A single physical configuration
- A single global catalog
- A single Enterprise Admins group
- Trusts between all domains
Factors justifying an additional forest:
- The need to support incompatible schemas
- The need to totally separate Enterprise Admins
- The need for trust isolation – maximum security
Justifying Additional Domains
Domains define:
- Security principals
- Account policies
- Domain Administrators
Factors justifying additional domains:
- The need for differing account policies
- The need to separate domain administrators
Trusts
- Default two-way, transitive trusts
- Shortcut trusts
- Forest trusts
- Realm trusts
- External trusts (Windows NT)
Organizational Units
Organizational units permit:
- Application of group policy
- Delegation of sub-administration
Designing Organizational Units
Common uses of organizational units:
- Geographical location
- Department
Domain & Forest Functional Levels
- Windows 2000 mixed mode
- Windows 2000 native
- Windows Server 2003 interim
- Windows Server 2003
Ch 6 – AD Physical Design
- Understanding & Managing Replication
- Sites & Subnets
- Site Links
- Site Link Bridges
- Locating Domain Controllers
- Locating Global Catalog Servers
Managing Replication
By default, all domain controllers:
- Are members of the same site
- Replicate with all other DCs in a ring
Problems:
- DCs determine replication partners randomly
- DCs replicate frequently
- By default, replication traffic is not compressed
Solution:
- Create sites to define replication boundaries
Sites & Subnets
Sites defined:
- A collection of one or more well-connected subnets
Sites direct clients’ access to resources:
- Global catalog servers
- DFS servers
- Domain controllers
Default-First-Site-Name site:
- Domain controllers are placed here by default
Site Links
- Site links define replication paths between subnets
- Site links define a replication schedule and method
Site Link Bridges
- By default, all site links are bridged; this permits replication to occur between all sites
- In non-fully routed environments, site link bridges define which sites can communicate with each other
Locating Domain Controllers
- Every domain should have at least two domain controllers
- Large sites should have two or more DCs
- Small sites should have one DC
Locating Global Catalog Servers
- Every domain MUST have one global catalog server
- Global catalog and Infrastructure master role should be on separate domain controllers
- Every site that processes logons must have one global catalog server
  To circumvent this requirement:
  - Run domain in “Windows Server 2003” mode
  - Enable Universal group caching – site object
- In organizations with one domain, place a global catalog on every domain controller
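The placement rules from this slide (one GC per domain, Infrastructure master separate from the GC, and a GC or universal group caching in every site holding DCs) as a read-only PowerShell audit. This is an added example, not part of the lecture slides; it assumes the RSAT ActiveDirectory module cmdlets Get-ADDomain, Get-ADDomainController and Get-ADReplicationSite, and the function name Test-GcPlacement is my own. The exception that the Infrastructure master may be a GC when every DC in the domain is a GC is my addition, following the slide's single-domain advice.

```powershell
# Added audit example (not from the slides). Read-only: it only queries the
# directory and reports findings. Assumes RSAT ActiveDirectory module and a
# domain-joined host with read access.
Import-Module ActiveDirectory

function Test-GcPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $findings = @()
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $infraMaster = (Get-ADDomain -Identity $Domain).InfrastructureMaster

    # Rule 1: every domain must have at least one global catalog server.
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
    if ($gcs.Count -eq 0) { $findings += "No global catalog server in $Domain" }

    # Rule 2: Infrastructure master and GC on separate DCs. Assumed exception:
    # when every DC is a GC (the slide's single-domain advice) there is nothing
    # for the Infrastructure master to reconcile, so the split is unnecessary.
    $im = $dcs | Where-Object { $_.HostName -eq $infraMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($im -and $im.IsGlobalCatalog -and -not $allGc) {
        $findings += "Infrastructure master $infraMaster is also a GC while other DCs are not"
    }

    # Rule 3: every site that processes logons (here: any site holding a DC)
    # needs a GC, or Universal group membership caching enabled on the site.
    $sites = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled
    foreach ($site in $sites) {
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        if ($siteDcs.Count -eq 0) { continue }
        $hasGc = @($siteDcs | Where-Object { $_.IsGlobalCatalog }).Count -gt 0
        if (-not $hasGc -and -not $site.UniversalGroupCachingEnabled) {
            $findings += "Site $($site.Name) has DCs but no GC and no universal group caching"
        }
    }
    return $findings
}

# Run for the current domain and print each finding (empty output = all rules met).
Test-GcPlacement
```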