Advanced Active Directory Deployments Rick Claus IT Pro Advisor Microsoft Canada...

Post on 24-Dec-2015


Advanced Active Directory Deployments

Rick Claus, IT Pro Advisor

Microsoft Canada

rclaus@microsoft.com
http://blogs.technet.com/rclaus

What Will We Cover?

• Multiple Forest Design

• Multiple Domain Design

• Site Design

Helpful Experience

Level 200

• Experience with Active Directory concepts

• Experience administering Active Directory

• Experience supporting TCP/IP networks

Agenda

• Designing Multiple Forests

• Implementing Multiple Forests

• Designing Multiple Domains

• Designing a Site Topology

Designing Forests

• Shared directory

• Security boundary

• Identify business requirements

• Determine number of forests

Forests

Forest Design

Service Administrator Authority

Service administrators have full access

You should ensure they can be trusted

Generic Reasons

Reasons for Multiple Forests

Operational

Legal

Autonomy

Asset isolation

Structure

Organizational Reasons

Autonomy vs. Isolation

Autonomy

Isolation

Service Autonomy

Service isolation

Data Autonomy

Data isolation

Forest Design Considerations

• Isolation requirements limit choices

• Allow enough negotiation time

• Consider the cost benefit

• Avoid co-ownership by two IT orgs

• Avoid outsourcing to multiple partners

User accounts

Resource servers

Key

Organizational Forest Model

Forest trust

Organizational Forest Organizational Forest

Resource Forest

Resource Forest

Resource Forest Model

Organizational Forest

User accounts

Resource servers

Key

Service accounts

Alternate user accounts

Forest Trust

Forest Trust

User accounts

Resource servers

Key

Servers with classified data

Restricted-Access Forest

Organizational Forest

Restricted-Access Forest Model

Forest Trust

Scenario: Same Corporation

Dedicated Connection

Application that requires a different schema

hr.contoso.com

Contoso.com

Plant.contoso.com

Physically unsecured domain controllers

Scenario: Different Corporations

Fabrikam.com

Contoso.com

Firewall Firewall

Internet

Contoso.com

Firewall

Internal

DMZ.Contoso.com

Firewall

Perimeter

Scenario: Perimeter Network

Internet

Passport

Web App

Mapping Requirements to Models

Requirements:
  Limited Connectivity: No
  Data Isolation: No
  Data Autonomy: Yes
  Service Isolation: No
  Service Autonomy: No

Solution: Join an existing forest for data autonomy

Mapping Requirements to Models

Requirements:
  Limited Connectivity: No
  Data Isolation: No
  Data Autonomy: N/A
  Service Isolation: Yes
  Service Autonomy: N/A

Solution: Use an organizational or resource forest for service isolation

Mapping Requirements to Models

Requirements:
  Limited Connectivity: Yes
  Data Isolation: No
  Data Autonomy: N/A
  Service Isolation: No
  Service Autonomy: Yes

Solution: Use an organizational forest or domain and reconfigure the firewall for service autonomy with limited connectivity

Agenda

• Designing Multiple Forests

• Implementing Multiple Forests

• Designing Multiple Domains

• Designing a Site Topology

Forest Trusts

Corp.Contoso.com

Corp.Fabrikam.com

Requirements

• Domain controllers running Windows Server 2003

• Windows Server 2003 Forest Functional Level

• DNS infrastructure

• Enterprise Admin privileges

Authentication across Forests

Corp.Contoso.com

Corp.Fabrikam.com

DC1

DC2

GC

DC3

DC4

Authorization across Forests

Client / Application                      How principals in the trusted forest are referenced
Windows XP SP2 and Windows Server 2003    Can browse and search principals
Windows 2000                              Use UPN or NT 4.0 name
Windows NT 4.0 and earlier                Use NT 4.0 name
Exchange Server 5.5 and SQL Server 2000   Use NT 4.0 name

Restricting Forest Scope: Scenario 1

Contoso.com

Fabrikam.com

Not Trusted

Disable DomainInfo or TopLevelName

Restricting Forest Scope: Scenario 2

Forest Trust

Contoso.com Fabrikam.com

Allowed to authenticate

Other Forest Considerations

Forest Trust

Contoso.com Fabrikam.com

Recommended

Not Recommended

Contoso.com Plant.contoso.com

Smart Cards and Forest Trusts

Contoso.com Fabrikam.com

Forest Trust

PKI Trust

Agenda

• Designing Multiple Forests

• Implementing Multiple Forests

• Designing Multiple Domains

• Designing a Site Topology

Active Directory Domains

Domain

Active Directory Partition

Administrative Functions

• User identity

• Authentication

• Trust relationships

• Replication

Factors that Impact Domain Model

Network Capacity (T1, 128K ISDN)

Number of Users

Reasons for Multiple Domains

• Administrative considerations (politics)

• Unique policies

• Network traffic

• Network connectivity

• Capacity

• International differences

• In-place upgrade of existing domains

Design Recommendations

If deploying more than one domain, remember:

• Minimize the number of domains

• Minimize the depth of the domain hierarchy

• Choose a reorganization-proof design

• Deploy at least two DCs per domain

• Deploy transient domains during migration

Domain Cost Implications

• Management

• Consistency

• User moves

Domain Models: Single Domain

Domain Models: Regional

Forest Root

Regional Domain

Regional Domain

Regional Domain

Domain Models: Organizational

Corp

Division 1, Division 2, Division 3

Central IT Team

Enterprise Admins

Domain Admins

Schema Admins

Div 1 IT Team

Domain Admins

Div 2 IT Team

Domain Admins

Div 3 IT Team

Domain Admins

Determining the Number of Domains

Slowest link connecting     Max users by % bandwidth available
a DC (KBps)                 1%          5%          10%
28.8K                       10,000      25,000      40,000
56K                         10,000      50,000      100,000
256                         50,000      100,000     100,000
1500 (T1)                   100,000     100,000     100,000

Agenda

• Designing Multiple Forests

• Implementing Multiple Forests

• Designing Multiple Domains

• Designing a Site Topology

Site Functions

Domain

Site 1

Site 2

Site 3

Typical Network Topologies

[Diagram: Ring Topology (sites linked in a ring); Hub and Spoke Topology (one Hub Site with spoke Sites); Complex Topology (two Hub Sites, each with spoke Sites)]

Active Directory Replication

London Site: DC-1, DC-2, DC-3

Tilbury Site: DC-4, DC-5

Intersite replication connection over WAN

Intrasite replication connection over LAN

DC Placement: Forest Root

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/4af3271a-4407-4ca5-9cd5-e05b79046d08.mspx

Root DC

Hub and Spoke Site Topology

Hub Site

Network Hub Datacenter

Spoke Site, Spoke Site

Root DC

DC Placement: Regional

[Decision flow from the slide; decision points:]

• Logon good?

• Are DCs physically secure?

• Admin for DCs?

• WAN link stable?

• 24x7 required?

Outcomes: Place DC / Do not place DC

Global Catalog Placement

[Decision flow from the slide; decision points:]

• App that requires a GC?

• > 100 Users?

• WAN link to GC?

• Roaming users?

Outcomes: Place GC / Place DC and enable UGMC / Do not place GC

Operations Masters Review

Domain Roles:

• PDC Emulator

• RID Master

• Infrastructure Master

Forest Roles:

• Schema Master

• Domain Naming Master

Operations Masters Guidelines

Server/Role             Rule
All                     Place on highly reliable networks
First Server            Place near largest number of users
Standby                 Designate one immediately
Infrastructure Master   Do not place it on a GC*
PDC Emulator            Place near largest number of users

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/edeba401-7f51-4717-91bd-ddb1dca8a327.mspx

Operations Masters Placement

• Single-domain forest: Make all DCs into GCs; leave roles on first DC

• Forest root domain (multiple domains): Move roles to second DC; don't make the second DC a GC

• Regional child domain: Leave roles on first DC; don't make the second DC a GC

Creating Sites

[Decision flow from the slide:]

• Is DC at location? Yes: Create site for location

• No: Site required by apps? Yes: Create site for location

• No: Include subnet of location in the closest site

Default-First-Site-Link

Site Links

Site 1

Site 2

Site 3

Site1-Site2

Site1-Site3 Site2-Site3

Connection Transports

• RPC over IP

• SMTP

Site Link Cost

Site1-Site2 (sample link)

Available KBps   Cost
9.6              1042
19.2             798
38.4             644
56               586
64               567
128              486
256              425
512              378
1024             340
2048             309
4096             283

Links in the three-site example:

Site1-Site2: KBps 256, Cost 425

Site1-Site3: KBps 9.6, Cost 1024

Site2-Site3: KBps 256, Cost 425

Site Link Schedule

Site 1

Site 2

Site 3

Site1-Site2: Cost 425

Site1-Site3: Cost 1024

Site2-Site3: Cost 425, not available from 8:00 A.M. to 6:00 P.M.

Site Link Interval

Site 1 Site 2

Schedule: 8:00AM-10:00AM

Interval: 30 minutes

Replication occurs: 4 times
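The slides give the cost table, the three-site link costs and the 8:00-10:00 A.M. schedule with a 30-minute interval without showing the arithmetic or how the ISTG chooses a route. The following Python is an added example, not code from the deck: it derives link costs with the 1024/log10(Kbps) rule the deck's table follows, counts replications in a schedule window, and finds the least-cost intersite route while treating a link whose schedule is closed as unavailable. The link names and costs are constructed to match the slides (the 9.6 Kbps link is taken at the diagram's 1024).

```python
import heapq
import math

def site_link_cost(kbps: float) -> int:
    """Site link cost from available bandwidth in Kbps, using the
    1024 / log10(bandwidth) rule that the deck's cost table follows
    (the table rounds the 38.4 row to 644 where this gives 646)."""
    return round(1024 / math.log10(kbps))

def replications_in_window(window_minutes: int, interval_minutes: int) -> int:
    """Replication cycles that fit in a schedule window; the deck's
    8-10 A.M. window with a 30-minute interval gives 4."""
    return window_minutes // interval_minutes

# Constructed to match the deck's three-site example: link -> (site, site, cost).
LINKS = {
    "Site1-Site2": ("Site1", "Site2", 425),
    "Site1-Site3": ("Site1", "Site3", 1024),
    "Site2-Site3": ("Site2", "Site3", 425),
}

def cheapest_path(src, dst, links, closed=frozenset()):
    """Least-cost route between two sites over transitive site links
    (Dijkstra). Links named in `closed` are outside their schedule and
    skipped. Returns (total_cost, [sites]) or (None, []) if unreachable."""
    adj = {}
    for name, (a, b, cost) in links.items():
        if name in closed:
            continue
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best.get(site, math.inf):
            continue  # stale heap entry, a cheaper route was already found
        for nxt, step in adj.get(site, []):
            if cost + step < best.get(nxt, math.inf):
                best[nxt] = cost + step
                heapq.heappush(heap, (cost + step, nxt, path + [nxt]))
    return None, []

if __name__ == "__main__":
    print(cheapest_path("Site1", "Site3", LINKS))  # via Site2: 850 beats the direct 1024
    print(cheapest_path("Site1", "Site3", LINKS, {"Site2-Site3"}))  # Site2-Site3 closed 8 A.M. to 6 P.M.: direct link, 1024
```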

Site Links Transitivity

Disable if:

• IP network is not fully routed

• You wish to control replication traffic

[Diagram: West Coast: Hub Site A with spoke Sites C, D, E (site links A-C, A-D, A-E); East Coast: Hub Site B with spoke Sites F, G, H (site links B-F, B-G, B-H); site link A-B joins the two hubs]

Site Link Bridge Design

[Diagram: West Site Link Bridge: Hub Site A with spoke Sites C, D, E (site links A-C, A-D, A-E); East Site Link Bridge: Hub Site B with spoke Sites F, G, H (site links B-F, B-G, B-H); site link A-B joins the West Coast and East Coast hubs]

Session Summary

• Keep designs as simple as possible.

• Weigh benefits versus costs.

• Plan carefully.

For More Information

Visit the following URL for additional information: www.microsoft.com/technet/ADD-03

Visit TechNet at www.microsoft.ca/technet

Questions?

Rick Claus, IT Pro Advisor

Microsoft Canada

rclaus@microsoft.com
http://blogs.technet.com/rclaus