Session 2: Core Infrastructure Design
Andrew Hill – Consultant
Rob Lowe – Consultant
MCS Talks Infrastructure Architecture

Posted 25-Feb-2016 (upload: afya); 36 slides; PowerPoint presentation

DESCRIPTION

Session 2: Core Infrastructure Design. Andrew Hill – Consultant, Rob Lowe – Consultant. MCS Talks Infrastructure Architecture. Live Meeting information, feedback panel, questions and answers. Blog - http://blogs.technet.com/MCSTalks

TRANSCRIPT

Page 1: Session 2: Core Infrastructure Design

Session 2: Core Infrastructure Design
Andrew Hill – Consultant
Rob Lowe – Consultant

MCS Talks Infrastructure Architecture

Page 2: Session 2: Core Infrastructure Design

Live Meeting Information...

Feedback Panel

Questions & Answers

Blog - http://blogs.technet.com/MCSTalks

Page 3: Session 2: Core Infrastructure Design

Session 2: Core Infrastructure Design
Andrew Hill – Consultant
Rob Lowe – Consultant

MCS Talks Infrastructure Architecture

Page 4: Session 2: Core Infrastructure Design

Purpose

Purpose: to provide design guidance for Microsoft Windows Server 2008 Active Directory

Agenda:
- Determine a process for Active Directory design
- Assist designers in the decision-making process
- Provide design assistance based on best practice and real-world experience

Page 5: Session 2: Core Infrastructure Design

Active Directory Design Overview

- Forest and domain design
- Organizational Units (OUs)
- Group Policy Objects (GPOs)
- Security groups
- Domain controller placement (including RODC)
- Site topology
- Domain controller configuration
- DNS

Page 6: Session 2: Core Infrastructure Design

Active Directory in Microsoft Infrastructure Optimization

Infrastructure Optimization maturity levels: Basic, Standardized, Rationalized, Dynamic

Capability areas:
- Identity and Access Management
- Desktop, Device, and Server Management
- Security and Networking
- Data Protection and Recovery

Windows Server 2008 Active Directory Domain Services

Page 7: Session 2: Core Infrastructure Design

Tips for the Planning Process

Considerations at each design phase:
- Complexity
- Cost
- Fault tolerance
- Performance
- Scalability
- Security

Page 8: Session 2: Core Infrastructure Design

Contoso Network Infrastructure

Figure (network diagram): Contoso sites with user counts and roles. The link speeds recovered from the diagram are listed after the sites; the diagram does not preserve which speed belongs to which link.

Site          Users    Role
Manchester    25,000   Call centre; Manchester data centre (Manchester LAN)
Glasgow       25,000   Manufacturing (Glasgow LAN)
London        6,000    Head office (London LAN)
Bristol       -        Failover data centre
India         1,500    Development
Ireland       1,000    Development
Birmingham    750
Exeter        500
Edinburgh     400
Newcastle     350
Reading       350
Oxford        250
York          100
New York      30
Paris         20
Tokyo         10
Remote VPN    3,000    ADSL, 1MB to 8MB

WAN link speeds shown on the diagram: 512KB, 1MB, 2MB, 10MB, 100MB, 1GB.

Page 9: Session 2: Core Infrastructure Design

How Many Forests?

Option 1: Single Forest

Option 2: Multiple Forests

Multiple Forest Drivers

Multiple Schemas

Resource Forests

Forest Administrator Distrust

Legal Regulations for Application or Data Access

Requirements to be disconnected for long periods (e.g. Military)

Determine the Number of Forests

Page 10: Session 2: Core Infrastructure Design

Single Organizational Forest Model

Figure: a single forest holding Exchange, users, workstations, applications and SharePoint.

Page 11: Session 2: Core Infrastructure Design

Multiple Organizational Forest Model

Figure: two organizational forests, each with its own Exchange, users, workstations, applications and SharePoint, connected by a forest trust.

Page 12: Session 2: Core Infrastructure Design

Shared Resource Forest Model

Figure: a shared resource forest hosting Exchange and SharePoint; two separate forests hold users, workstations and applications, each connected to the resource forest by a forest trust.

Page 13: Session 2: Core Infrastructure Design

Shared Account Forest Model

Figure: a shared account forest holding Exchange, users, workstations, applications and SharePoint, with forest trusts to two separate forests that hold restricted data and applications.

Page 14: Session 2: Core Infrastructure Design

Determine the Number of Domains

How many domains?
- Option 1: Single domain
- Option 2: Multiple domains

Multiple domain drivers:
- A large number of frequently changing attributes
- Reduced replication traffic
- Control of replication traffic over slow links
- Preserving a legacy Active Directory structure

Page 15: Session 2: Core Infrastructure Design

Forest and Domain Functional Levels

Windows Server 2003 interim FFL:
- Linked value replication
- Different replication compression ratios
- Improved KCC

Windows Server 2003 FFL:
- Forest trusts (with selective authentication)
- Deactivation of attributes within the schema
- Domain rename
- RODC (Windows Server 2008 domain controllers only, after the schema updates)

Windows Server 2008 DFL:
- Fine-grained password policies
- DFS-R for Sysvol
- Last interactive logon information

Page 16: Session 2: Core Infrastructure Design

Fine-Grained Password Policies

Objects involved:
- The Password Settings Container (under CN=System) holds the Password Settings Objects (PSOs)
- A PSO is linked to users or global security groups through msDS-PSOAppliesTo; the back-link msDS-PSOApplied on the user or group lists the PSOs that target it
- An exceptional PSO can be linked directly to a single user

PSO attributes:
msDS-PasswordSettingsPrecedence, msDS-PasswordReversibleEncryptionEnabled, msDS-PasswordHistoryLength, msDS-PasswordComplexityEnabled, msDS-MinimumPasswordLength, msDS-MinimumPasswordAge, msDS-MaximumPasswordAge, msDS-LockoutThreshold, msDS-LockoutObservationWindow, msDS-LockoutDuration

PSO application (RSoP calculation):
- A PSO linked directly to the user always wins over PSOs linked through groups
- Otherwise the PSO with the lowest msDS-PasswordSettingsPrecedence value wins; if two PSOs tie on precedence, the one with the lowest objectGUID wins
- Only user links and global security group links are included in the calculation
- msDS-ResultantPso on the user identifies which PSO is in effect
- Best practice: link each PSO to one global group and put each user in only one such group, so the result is predictable
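The following is an added example, not code from the slides, showing the precedence rules above in practice: a group-linked PSO, an exceptional user-linked PSO, the resultant policy for one account, and an audit for principals that are subjects of more than one PSO. It uses the ActiveDirectory module (Windows Server 2008 R2 RSAT or later; on 2008 RTM the same objects are created with ADSI Edit or ldifde using the msDS-* attributes listed above). The group, user and policy names are assumptions.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module and a
# domain at the Windows Server 2008 domain functional level. Group, user and
# policy names are assumptions for illustration.
Import-Module ActiveDirectory

# PSOs are silently ignored below DFL 2008, so check that first.
$dfl = (Get-ADDomain).DomainMode
if ($dfl -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Fine-grained password policies need DFL Windows2008Domain or later; current: $dfl"
}

# Group-linked PSO for service accounts. Precedence 20: loses to anything lower.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -MinPasswordLength 24 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 0 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'GG-ServiceAccounts'

# Exceptional PSO linked straight to one account. Precedence 5 beats 20, and a
# user link beats a group link even if its precedence value were higher.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Exception-BreakGlass' -Precedence 5 `
    -MinPasswordLength 30 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '0.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 0 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Exception-BreakGlass' -Subjects 'svc-breakglass'

# What does a given user end up with? Both views should name the same PSO.
Get-ADUserResultantPasswordPolicy -Identity 'svc-breakglass' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
(Get-ADUser -Identity 'svc-breakglass' -Properties 'msDS-ResultantPSO').'msDS-ResultantPSO'

# Audit for the 'one PSO group per user' rule: a principal that is the direct
# subject of several PSOs gets whichever wins on precedence (or on the
# objectGUID tie-break), which nobody will remember six months later.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    ForEach-Object {
        $pso = $_
        $_.AppliesTo | ForEach-Object {
            [pscustomobject]@{ Subject = $_; PSO = $pso.Name; Precedence = $pso.Precedence }
        }
    } |
    Group-Object Subject | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "$($_.Name) is a subject of $($_.Count) PSOs: $($_.Group.PSO -join ', ')" }

# Reversible encryption stores passwords in a recoverable form; no PSO should
# ever enable it. Flag any that do.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object ReversibleEncryptionEnabled |
    ForEach-Object { Write-Warning "PSO $($_.Name) enables reversible encryption" }
```

The multi-PSO audit is the check worth running after any migration of password policy into PSOs: it lists exactly the cases where the precedence and tie-break rules, rather than a single explicit link, decide a user's policy.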

Page 17: Session 2: Core Infrastructure Design

Assign Domain Names

Assign the NetBIOS name:
- Maximum effective length of 15 characters
- Use a NetBIOS name that is unique across the organisation

Assign the DNS name:
- Ensure uniqueness by not duplicating existing registered Internet domain names
- Register all domain names with Internic (the registrar)
- The name should not represent a business unit or division
- Avoid using single-label names

Page 18: Session 2: Core Infrastructure Design

Organisational Units

Choose an OU design:
- Task 1: design the OU configuration for delegation of administration
- Task 2: design the OU configuration for Group Policy application

Other OU (and container) related recommended practices:
- Do not move domain controllers out of the Domain Controllers OU
- Do not move built-in users and groups out of the Users container
- OUs and their child objects are protected from accidental deletion by default in Windows Server 2008

Page 19: Session 2: Core Infrastructure Design

Contoso Organisational Unit Design

Page 20: Session 2: Core Infrastructure Design

Group Policy Objects

Very powerful, but consider the management of Group Policy in the design. Best practices:
- Specify user and computer settings in separate GPOs
- Use many small GPOs with few settings each rather than fewer large GPOs with many settings
- Make each GPO's name descriptive of its purpose
- Do not unlink the Default Domain and Default Domain Controllers policies

Advanced Group Policy Management: change control workflow; v3.0 (2008) adds more granular permissions
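As an added example (not from the slides), the following script turns the OU and GPO practices from the previous two slides into checks a designer can run against an existing domain before changing anything: DCs outside the Domain Controllers OU, built-in principals moved out of their containers, OUs without deletion protection (fixed in place), the two default policies still linked, and GPOs that mix user and computer settings or carry no description. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) and treats RIDs 500-599 as the set of built-in principals, which is a heuristic.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory and
# GroupPolicy modules. The RID range used for built-in principals is a heuristic.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$dcOU     = "OU=Domain Controllers,$domainDN"

# 1. Domain controllers moved out of the Domain Controllers OU lose the Default
#    Domain Controllers Policy, including its user-rights assignments.
Get-ADDomainController -Filter * |
    Where-Object { $_.ComputerObjectDN -notlike "*,$dcOU" } |
    ForEach-Object { Write-Warning "DC $($_.HostName) is outside the Domain Controllers OU: $($_.ComputerObjectDN)" }

# 2. Built-in users and groups (well-known RIDs 500-599) moved out of CN=Users
#    or CN=Builtin. objectSid cannot be wildcard-searched, so filter client-side.
Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group))' -Properties objectSid |
    Where-Object {
        $_.objectSid.Value -match '-5\d\d$' -and
        $_.DistinguishedName -notlike "*,CN=Users,$domainDN" -and
        $_.DistinguishedName -notlike "*,CN=Builtin,$domainDN"
    } |
    ForEach-Object { Write-Warning "Built-in principal moved: $($_.DistinguishedName)" }

# 3. OUs created before 2008, or by scripts, may lack accidental-deletion
#    protection; switch it on where it is missing.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true -PassThru |
    ForEach-Object { "Protected from deletion: $($_.DistinguishedName)" }

# 4. The two default policies must stay linked where they were created.
$domainLinks = (Get-GPInheritance -Target $domainDN).GpoLinks | Select-Object -ExpandProperty DisplayName
$dcLinks     = (Get-GPInheritance -Target $dcOU).GpoLinks     | Select-Object -ExpandProperty DisplayName
if ($domainLinks -notcontains 'Default Domain Policy') {
    Write-Warning 'Default Domain Policy is not linked at the domain root'
}
if ($dcLinks -notcontains 'Default Domain Controllers Policy') {
    Write-Warning 'Default Domain Controllers Policy is not linked at the Domain Controllers OU'
}

# 5. GPOs carrying both user and computer settings (the slide wants them split)
#    and GPOs with no description. A section whose DSVersion is 0 was never edited.
$all = Get-GPO -All
$all | Where-Object {
        $_.User.DSVersion -gt 0 -and $_.Computer.DSVersion -gt 0 -and $_.GpoStatus -eq 'AllSettingsEnabled'
    } |
    Select-Object DisplayName,
        @{ n = 'UserVersion';     e = { $_.User.DSVersion } },
        @{ n = 'ComputerVersion'; e = { $_.Computer.DSVersion } }
$all | Where-Object { [string]::IsNullOrWhiteSpace($_.Description) } |
    ForEach-Object { Write-Warning "GPO '$($_.DisplayName)' has no description" }
```

Check 5 is advisory: a GPO whose unused half has simply never been opened still shows DSVersion 0 for that half, so it is not reported, while one that has settings on both sides and both sides enabled is the case the slide's advice targets.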

Page 21: Session 2: Core Infrastructure Design

Advanced Group Policy Management

Current version: 2.5. Next version: 3.0, RTM September 2008.

What it does:
- Enables Group Policy change management
- Provides granular administrative control
- Reduces the risk of widespread failure

Benefits:
- Versioning, history and rollback of Group Policy changes
- Role-based administration and templates
- Workflow
- Offline editing

Page 22: Session 2: Core Infrastructure Design

Advanced Group Policy Management - Reporting

Difference reports and settings reports

Page 23: Session 2: Core Infrastructure Design

Group Policy Preferences

Page 24: Session 2: Core Infrastructure Design

Security Groups

Group scope:
- Account groups, for grouping users and computers: Global, Universal
- Resource groups, for controlling rights and permissions: Domain Local, Built-in Local

Complex group nesting makes audit and reconciliation more difficult
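The following added example (not from the slides) sets up the account-group / resource-group pattern the slide describes and then walks nested membership to surface the two things that make reconciliation hard: nesting deeper than the pattern needs and circular membership. It assumes the ActiveDirectory module; the group names and OU path are illustrative.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module.
# Group names and the OU path are assumptions for illustration.
Import-Module ActiveDirectory
$groupOU = 'OU=Groups,DC=contoso,DC=com'

# Account group (Global) says who; resource group (Domain Local) says what.
# The ACL on the share or folder then names only the domain local group.
New-ADGroup -Name 'GG-Finance-Users'       -GroupScope Global      -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance-Users'

function Get-GroupNestingReport {
    # Walks nested group membership from $Group, recording the path to each
    # nested group, and reports loops and chains deeper than $MaxDepth.
    # The account/resource pattern above needs a depth of exactly 1 (DL -> GG).
    param(
        [Parameter(Mandatory)][string]$Group,
        [int]$MaxDepth = 1
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $stack    = New-Object System.Collections.Generic.Stack[object]
    $stack.Push(@{ Name = $Group; Path = @() })
    while ($stack.Count -gt 0) {
        $item = $stack.Pop()
        $name = $item.Name
        $path = @($item.Path)
        if ($path -contains $name) {
            $findings.Add([pscustomobject]@{ Issue = 'Circular'; Path = (($path + $name) -join ' > ') })
            continue
        }
        $newPath = $path + $name
        $depth   = $newPath.Count - 1
        if ($depth -gt $MaxDepth) {
            $findings.Add([pscustomobject]@{ Issue = "Depth $depth > $MaxDepth"; Path = ($newPath -join ' > ') })
        }
        # Get-ADGroupMember returns direct members only; recursing by hand keeps
        # the path visible, which is what makes a loop detectable at all. It fails
        # on groups over 5000 members unless MaxGroupOrMemberEntries is raised on ADWS.
        Get-ADGroupMember -Identity $name |
            Where-Object objectClass -eq 'group' |
            ForEach-Object { $stack.Push(@{ Name = $_.SamAccountName; Path = $newPath }) }
    }
    return $findings
}

# Report on one resource group, then on every domain local group in the domain.
Get-GroupNestingReport -Group 'DL-FinanceShare-Modify' -MaxDepth 1 | Format-Table -AutoSize
Get-ADGroup -Filter { GroupScope -eq 'DomainLocal' -and GroupCategory -eq 'Security' } |
    ForEach-Object { Get-GroupNestingReport -Group $_.SamAccountName -MaxDepth 1 } |
    Format-Table -AutoSize
```

Depth is counted from the resource group, so a clean account-group / resource-group chain never appears in the report; every line it does print is a place where the effective membership of a permission cannot be read off a single group.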

Page 25: Session 2: Core Infrastructure Design

Domain Controller Placement

Placement of the domain controllers:
- Hub locations
- Satellite (branch) locations
- Heavily dictated by network and application requirements

Global Catalog (GC): very few reasons now not to make all DCs a GC

Read-Only Domain Controllers: new in Windows Server 2008 (a read-only copy of AD that holds no passwords by default); primarily a security feature to mitigate the risk at high-risk sites

Page 26: Session 2: Core Infrastructure Design

RODC Deployment

Consider the following:
- Application needs: Exchange?
- Do applications make write / read-back calls? (An RODC refers writes to a writable DC, so an immediate read-back from the RODC may not yet see the change)
- Site topology: is Bridge All Site Links (BASL) turned off?
- Password Replication Policy: which model suits you?

Remember: no cached accounts means more WAN / hub DC impact. Cache computer and user accounts.

Deployment:
- Start with a minimum of two Windows Server 2008 read-write hub DCs
- Add the 2008 RWDC(s) to the DNS zone's NS records (needed for RSO, replicate single object, after a client's dynamic DNS update has been referred to a writable DC)
- Delegate deployment: do not use Domain Admins
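The following added example (not from the slides) covers the deployment points above for one branch RODC: staging the account with a delegated administrator, setting the Password Replication Policy, pre-populating the branch accounts so first logons do not cross the WAN, and auditing which credentials the RODC actually holds. Add-ADDSReadOnlyDomainControllerAccount is from the ADDSDeployment module (Windows Server 2012 and later); on 2008 the same staging is done from Active Directory Users and Computers. The host, group and site names are assumptions.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module and,
# for the staging step, the ADDSDeployment module (Windows Server 2012+).
# Host, group and site names are assumptions for illustration.
Import-Module ActiveDirectory

$rodc     = 'RODC-YORK'
$branchGG = 'GG-York-Accounts'     # global group holding York users and computers
$hub      = [string](Get-ADDomainController -Discover -Writable).HostName

# Staging the account lets a branch admin finish the promotion without being a
# Domain Admin (the slide's 'delegate deployment'). The PRP lists go on here too.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $rodc `
    -DomainName 'contoso.com' -SiteName 'York' `
    -DelegatedAdministratorAccountName 'CONTOSO\GG-York-RODCAdmins' `
    -AllowPasswordReplicationAccountName $branchGG `
    -DenyPasswordReplicationAccountName 'CONTOSO\GG-Tier0-Admins'

# The PRP can also be adjusted later on the existing account. The default
# 'Denied RODC Password Replication Group' already covers the built-in admin
# groups; add your own privileged groups explicitly.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchGG
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'GG-Tier0-Admins'

# An account that is not cached authenticates across the WAN to the hub every
# time. Once the RODC is online, pre-populate so first logons are local.
Get-ADGroupMember -Identity $branchGG -Recursive | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $hub -Destination $rodc -PasswordOnly
}

# Audit: passwords actually stored on the RODC, and accounts that authenticated
# through it without being cacheable (allow-list candidates, or WAN pain).
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$authed   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)
"Cached on ${rodc}: $($revealed.Count); authenticated through it: $($authed.Count)"
$authed | Where-Object { $revealed.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, ObjectClass

# Any privileged credential on an RODC is a finding: whoever walks off with the
# box at the 'high risk site' walks off with that account too.
$tier0 = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$revealed | Where-Object { $tier0 -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged credential cached on ${rodc}: $($_.SamAccountName)" }
```

Sync-ADObject -PasswordOnly only succeeds for accounts the PRP allows, so running the pre-population loop is also a quick way to discover branch accounts that the allow list missed.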

Page 27: Session 2: Core Infrastructure Design

Create the Site Design

Option 1: create a logical site for each physical location
- Assign the subnets of each physical location to its corresponding site
- Site coverage: a site without a domain controller is automatically covered by the DCs of the nearest site (lowest site-link cost), which register SRV records for it

Option 2: create a logical site only for physical locations with domain controllers
- Assign the subnets of each physical location to the most appropriate site depending on the underlying network

Page 28: Session 2: Core Infrastructure Design

Create a Site Link Design

Site links map to the underlying network; set cost and schedule

Bridge all site links (on by default):
- Appropriate if the network is fully routable (every domain controller can communicate with every other domain controller)
- Generally not recommended for branch-office designs because of KCC overhead
- Use repadmin /siteoptions to disable it

Custom site link bridges: use when the network is not fully routed, e.g. when network firewalls restrict communication between domain controllers
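As an added example (not from the slides), the following script builds the site, subnet and site-link design for a hub-and-spoke network, turns off Bridge All Site Links as the slide advises, and declares only the bridge the routed network supports. It assumes the ActiveDirectory module; the site names, subnets, costs and replication intervals are illustrative.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module.
# Site names, subnets, costs and intervals are assumptions for illustration.
Import-Module ActiveDirectory

# Option 2 from the site design slide: a site per location that hosts a DC.
# York has no DC, so its subnet is attached to the site it is best connected to.
'Manchester', 'Glasgow', 'Newcastle' | ForEach-Object { New-ADReplicationSite -Name $_ }
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Manchester'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Glasgow'
New-ADReplicationSubnet -Name '10.30.0.0/24' -Site 'Newcastle'
New-ADReplicationSubnet -Name '10.31.0.0/24' -Site 'Manchester'   # York clients, no local DC

# Site links follow the WAN. Cost: lower is preferred when the KCC picks a
# path. Frequency: how often replication is attempted across the link.
New-ADReplicationSiteLink -Name 'Manchester-Glasgow' -SitesIncluded 'Manchester', 'Glasgow' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Manchester-Newcastle' -SitesIncluded 'Manchester', 'Newcastle' `
    -Cost 300 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# 'Bridge all site links' is the BRIDGES_REQUIRED bit (0x2) of the options
# attribute on the IP inter-site transport container: set means bridging off.
# repadmin /siteoptions <DC> +W2K3_BRIDGES_REQUIRED sets the same bit.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
if (-not ($opts -band 0x2)) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 0x2) }
}

# With bridging off, only explicitly bridged links are transitive. Declare the
# bridge the real routing permits; a link that crosses a firewall which blocks
# DC-to-DC traffic simply stays out of every bridge.
New-ADReplicationSiteLinkBridge -Name 'North-Bridge' `
    -SiteLinksIncluded 'Manchester-Glasgow', 'Manchester-Newcastle' -InterSiteTransportProtocol IP

# Review the result. repadmin /kcc on a DC recomputes the topology immediately
# instead of waiting for the next KCC run.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } }
```

Reading the options bit back (the `$opts` line) before setting it matters because the attribute also carries the IGNORE_SCHEDULES bit (0x1); a blind assignment of 2 would silently clear that.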

Page 29: Session 2: Core Infrastructure Design

Contoso Network Infrastructure Revisited

Figure: the same Contoso site and WAN diagram as on Page 8 (site names, user counts and link speeds as listed there), shown again as the input to the site and site-link design.

Page 30: Session 2: Core Infrastructure Design

Active Directory Replication Topology

KCC automatically manages based on site link design

Applies to Active Directory and Sysvol replication

Sysvol uses DFS-R for replicating its contents in new Windows Server 2008 native forests

Sysvol can be migrated to DFS-R once the DFL is at Windows Server 2008:
- FRS version-vector joins (VVJoins) are inherently inefficient; DFS-R Sysvol eliminates that inefficiency
- Migration is a simple four-step process for upgraded forests
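The following added example (not from the slides) performs the DFL check and drives the Sysvol migration through the dfsrmig global states, which are the four steps the slide refers to: 0 Start, 1 Prepared, 2 Redirected, 3 Eliminated. It assumes the ActiveDirectory module and is meant to run on the PDC emulator as a Domain Admin; the poll interval and timeout are assumptions.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module; run
# on the PDC emulator as a Domain Admin. Timeout and poll interval are assumptions.
Import-Module ActiveDirectory

$dom = Get-ADDomain
if ($dom.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Sysvol DFS-R migration needs DFL Windows2008Domain or later; current: $($dom.DomainMode)"
}
if ($env:COMPUTERNAME -ne ($dom.PDCEmulator -split '\.')[0]) {
    Write-Warning "Run this on the PDC emulator ($($dom.PDCEmulator)), which owns the migration state"
}

function Wait-DfsrMigrationState {
    # Polls dfsrmig until every DC reports the current global state, or gives up.
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = (dfsrmig /getmigrationstate) -join "`n"
        if ($status -match 'migrated successfully') { return $true }
        Start-Sleep -Seconds 60
    } until ((Get-Date) -gt $deadline)
    Write-Warning $status
    return $false
}

# Where are we now? A fresh migration starts from global state 0 (Start).
dfsrmig /getglobalstate

# States 1 and 2 can be rolled back with dfsrmig /setglobalstate 0; state 3
# removes the FRS copy of Sysvol and cannot be undone. So never advance until
# every DC has confirmed the previous state.
foreach ($state in 1, 2, 3) {
    dfsrmig /setglobalstate $state
    # The state change reaches the other DCs by AD replication; repadmin /syncall
    # on the PDC emulator hurries that along, otherwise just wait.
    if (-not (Wait-DfsrMigrationState)) {
        throw "Not all DCs reached global state $state; fix replication before continuing"
    }
}

# Afterwards the SYSVOL share should point at SYSVOL_DFSR on every DC.
Get-ADDomainController -Filter * | ForEach-Object {
    $share = Get-WmiObject -Class Win32_Share -ComputerName $_.HostName -Filter "Name='SYSVOL'"
    [pscustomobject]@{ DC = $_.HostName; SysvolPath = $share.Path }
}
```

The throw inside the loop is the important part: a DC that has not reached Prepared or Redirected (typically because FRS or AD replication to it is broken) must be fixed or demoted before state 3, since after Eliminated there is no FRS replica set left to fall back to.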

Page 31: Session 2: Core Infrastructure Design

Domain Controller Configuration

64-bit supports a much larger addressable memory space: allow enough memory for the entire Active Directory database to be cached. Think about 64-bit now; 32-bit will be unavailable in several years' time.

CPU and query performance; disk configuration: keep the database and logs on separate physical drives for better performance

Running RODCs on Hyper-V: never snapshot a DC, even an RODC (restoring a snapshot rolls the DC's USNs back while its replication partners keep the higher values, so it silently diverges from them)

Page 32: Session 2: Core Infrastructure Design

DNS

Critical for Active Directory; AD-integrated DNS recommended

Consider the forwarding model: root hints can introduce additional management overhead; forwarding is the recommended approach for AD

New in Windows Server 2008: storage of conditional forwarding settings in Active Directory
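As an added example (not from the slides), the following script applies the DNS recommendations above: it confirms the domain zone is AD-integrated and only accepts secure dynamic updates, replaces root hints with forwarders, stores a conditional forwarder in AD so every DNS-hosting DC receives it, and then compares the per-server forwarder settings across DCs. It uses the DnsServer module (Windows Server 2012 and later; on 2008 the same settings are made with dnscmd or the DNS console). The addresses and the partner zone name are assumptions.

```powershell
# Added example, not from the slides. Requires the DnsServer module (Windows
# Server 2012+) and the ActiveDirectory module. Addresses and the partner zone
# are assumptions for illustration.
Import-Module DnsServer
Import-Module ActiveDirectory

$zone = (Get-ADDomain).DNSRoot

# Weak setting: an AD-integrated zone that accepts nonsecure dynamic updates
# lets any host on the network overwrite a DC's A or SRV record. Corrected:
# secure updates only, which an AD-integrated zone supports.
$z = Get-DnsServerZone -Name $zone
if (-not $z.IsDsIntegrated) { Write-Warning "$zone is not AD-integrated" }
if ($z.DynamicUpdate -ne 'Secure') {
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}

# Forwarding instead of root hints: every DC sends unresolved queries to the
# edge resolvers, which become the only hosts needing outbound DNS to the Internet.
Set-DnsServerForwarder -IPAddress '10.1.0.53', '10.1.0.54' -UseRootHint $false -Timeout 3

# Conditional forwarder for a partner forest, replicated through AD to all DNS
# servers in the forest rather than configured on each server by hand.
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.com' `
    -MasterServers '192.0.2.10', '192.0.2.11' -ReplicationScope 'Forest'

# Drift check. The forwarder list is per server (not replicated), so compare it
# on every DC; the AD-stored conditional forwarders should be identical everywhere.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc   = $_.HostName
    $fwd  = Get-DnsServerForwarder -ComputerName $dc
    $cond = Get-DnsServerZone -ComputerName $dc |
            Where-Object ZoneType -eq 'Forwarder' |
            Select-Object -ExpandProperty ZoneName
    [pscustomobject]@{
        DC                    = $dc
        Forwarders            = ($fwd.IPAddress -join ', ')
        UsesRootHints         = $fwd.UseRootHint
        ConditionalForwarders = ($cond -join ', ')
    }
} | Format-Table -AutoSize
```

The drift check is where the slide's 'management overhead' shows up concretely: forwarders are server-local, so a DC built later with root hints still enabled appears in the table with UsesRootHints true and an empty forwarder list.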

Page 33: Session 2: Core Infrastructure Design

What's Next? Discuss, Rinse, Repeat

Implement your design; test and refine the design along the way

Page 34: Session 2: Core Infrastructure Design

Summary and Conclusion

Organizations should base the design of their Active Directory infrastructure on business and technical requirements. Considerations should include:
- The scope of the network and environment
- Technical requirements and considerations
- Additional business requirements
- Designing an Active Directory infrastructure to meet these requirements
- Validating the overall approach

Page 35: Session 2: Core Infrastructure Design

Questions and Answers

Please enter your questions using the Q&A panel for the presenters!

Page 36: Session 2: Core Infrastructure Design

Thank you for attending this TechNet Event

Find these slides at: http://www.microsoft.com/uk/technetslides

Visit our blog at: http://blogs.technet.com/mcstalks

Register for the next session, Messaging, at: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032386416&Culture=en-GB

Please fill out your evaluations!