Post on 24-Dec-2015
Vikram Thakur

Introduction to Active Directory Structure

Agenda
- Introduction to Active Directory
- FSMO Roles
- Replication
- Active Directory deployment planning
- Guiding principles
- Structure planning
- More information

Introduction to Active Directory
- What is it?
- How does it help?
- How is it stored?
- Where is it stored?
- Can its scope be extended?

Domain Controller
- These are 'Logon' or 'Authenticating' servers with the NTDS Directory
- Under any circumstances there should be at least 2 of these DCs
- They check for DB consistency
- They maintain the domain information

AD Properties
- It doesn't require the PDC/BDC structure anymore... that went away with NT4
- 'Delegation' is possible... more later
- It provides an LDAP interface to other applications
- Multiple domains can be a part of a single AD with inter-site trust (forests)

Storage Structure of AD
- Comprises 2 parts
  - Transaction logs
  - Database
- SYSVOL (old NETLOGON)

FSMO
- FSMO: Flexible Single Master of Operations
- Roles: Schema, PDC, RID, Domain Naming, Infrastructure

Global Catalogs (GCs)
- Hold a limited form of AD
- Can be modified by using SCHMGMT.DLL
- Used for location of resources

Replication
- AD works in multi-master mode by default
- Happens every 5 minutes
- Default: every DC replicates with 2 other DCs
- KCC is part of LSASS (monitoring that will tell you when you need another DC)
- USN (Update Sequence Number)

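The facts on the last few slides (at least two DCs, one holder per FSMO role, every DC replicating with partners, USNs tracking how far each DC has caught up) can be verified from a management host. This is an added example, not part of the original slides; it assumes the RSAT ActiveDirectory PowerShell module and a reachable domain.

```powershell
# Added example (not from the slides): check DC count, FSMO holders, replication partners
# and USN vectors. Assumes the RSAT ActiveDirectory module and a reachable domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on one DC for the whole forest; domain-wide roles on one DC per domain.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    GlobalCatalogs       = ($forest.GlobalCatalogs -join ', ')
} | Format-List

# "At least 2 of these DCs": a single-DC domain has no logon or FSMO failover.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    Write-Warning "Domain $($domain.DNSRoot) has only $($dcs.Count) DC(s); no failover."
}

# Multi-master replication: every DC should have inbound partners, none in a failed state.
foreach ($dc in $dcs) {
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound
    if (-not $partners) {
        Write-Warning "$($dc.HostName) has no inbound replication partners (check the KCC)."
        continue
    }
    foreach ($p in $partners) {
        $status = if ($p.LastReplicationResult -eq 0) { 'OK' } else { "error $($p.LastReplicationResult)" }
        '{0} <- {1} [{2}] last success {3} ({4})' -f $dc.HostName, $p.Partner, $p.Partition,
            $p.LastReplicationSuccess, $status
    }
}

# USNs: each DC's view of the highest USN it has received from every other DC.
# A DC whose UsnFilter for a partner stays far behind the others is lagging on that partner.
Get-ADReplicationUpToDatenessVectorTable -Target $domain.DNSRoot -Scope Domain |
    Sort-Object Server, Partner |
    Format-Table Server, Partner, UsnFilter, LastReplicationSuccess -AutoSize
```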
Planning and Deployment

Deployment Planning
- Three steps
  1. Assess: assess your environment
  2. Plan: create Active Directory structure plan
  3. Migrate: create migration plan

Guiding Principles
- Keep it simple
- Aim for the ideal design
- Evaluate several alternatives
- Anticipate change

Structure Planning
- Deliverable: planning documents
  - Forest plan
  - Domain plan
  - OU plan

Forest Planning
- Start with a forest plan (forest plan, then domain plan, then OU plan)
- Site topology
- Configuration
  - Site topology
  - Domain hierarchy
- Schema
  - Class definitions
  - Attribute definitions

Forest Planning: Concepts
- Forest
- User Principal Name, e.g. "bob@domain.com"
- Global catalog

Forest Planning: Methodology
- Start with a single forest
- Create change control policy
  - Schema Admins and Enterprise Admins group membership
- Multiple forests may be required when
  - Cannot agree on change control
  - Division requires own schema or config
  - Complete trust undesirable

Forest Planning: Inter-forest Considerations
- Users must be aware of structure
  - Explicit query to domain outside forest
  - Import objects from other forests
- Config, schema managed separately
- One-way, non-transitive trust only

Domain Planning
- Create a domain plan for each forest (forest plan, then domain plan, then OU plan)

Domain Planning: Concepts
- A domain is a partition of a forest
  - Unit of partitioning for replication
  - Administrative and policy boundary
- Scope of authority of Domain Admins
- Policy and access control do not flow between domains

Domain Planning: Methodology
- Forest plan, then domain plan, then OU plan
- Steps within the domain plan
  1. Select forest root
  2. Create hierarchy
  3. DNS support
  4. Partition

Domain Planning: Partitioning
- Start with a single domain
- Justify each additional domain
- Example justifications
  - Administrative partitioning (admin/policy)
  - Physical partitioning (replication)
  - Upgrade existing domain in-place

Domain Planning: Obsolete Reasons to Partition
- WinNT 4.0: 40,000 object limit
  - Active Directory tests: 1,500,000+
- Primary Domain Controller (PDC) availability requirements
  - Active Directory is multi-master
- Delegation of administration
  - Resource domains no longer needed
  - Delegate within a domain using OUs

OU Planning
- Create an OU plan for each domain (forest plan, then domain plan, then OU plan)

OU Planning: Concepts
- An Organizational Unit (OU) is a container inside a domain
  - Nested to create hierarchical structure
  - Not a security principal
- Easily changed
- Typically not exposed to users
- Depth does not impact performance

OU Planning: Methodology
- Forest plan, then domain plan, then OU plan
- Steps within the OU plan
  1. Delegate administration
  2. Apply Group Policy

OU Planning: Delegate Administration
- Objects can be permissioned on a per-attribute basis
- Very flexible delegation possible
- Minimize number of Domain Admins
- Example procedure
  1. Delegate full control
  2. Delegate full control per object class
  3. Delegate control of a specific attribute

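The three delegation levels of the example procedure, written out against an OU's ACL. This is an added example, not from the original slides; the OU "OU=Sales,DC=corp,DC=example" and the three groups are assumed names, and the RSAT ActiveDirectory module (which provides the AD: drive) is required.

```powershell
# Added example (not from the slides): delegate at OU, object-class and attribute level.
# OU path and group names are assumed. Least privilege: start at step 3, widen only with
# a justification, and keep Domain Admins out of day-to-day delegation entirely.
Import-Module ActiveDirectory

$ouPath    = 'AD:\OU=Sales,DC=corp,DC=example'                    # assumed OU
$schema    = (Get-ADRootDSE).schemaNamingContext
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$fullCtl   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Resolve schemaIDGUIDs from the live schema rather than hard-coding them.
function Get-SchemaGuid([string]$name) {
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClass = Get-SchemaGuid 'user'
$phoneAttr = Get-SchemaGuid 'telephoneNumber'

# Build an ActiveDirectoryAccessRule for the group's SID and append it to the OU's ACL.
function Grant-OuRule([string]$group, [object[]]$ruleArgs) {
    $sid  = (Get-ADGroup $group).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList (@($sid) + $ruleArgs)
    $acl  = Get-Acl -Path $ouPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ouPath -AclObject $acl
}

# 1. Full control of the OU and everything in it: broad, effectively an OU-scoped admin.
Grant-OuRule 'Sales-OU-Admins'   @($fullCtl, $allow, $inhAll)
# 2. Full control, but only over objects of class "user" below the OU.
Grant-OuRule 'Sales-User-Admins' @($fullCtl, $allow, $inhDesc, $userClass)
# 3. Write access to a single attribute (telephoneNumber) on user objects only.
Grant-OuRule 'Sales-Helpdesk'    @($writeProp, $allow, $phoneAttr, $inhDesc, $userClass)

# Review the explicit (non-inherited) ACEs now on the OU: the check to run on any delegated OU.
(Get-Acl -Path $ouPath).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

In the review output, ObjectType and InheritedObjectType show the attribute and class GUIDs the rule is scoped to; an all-zeros GUID means the ACE is not scoped, which is what step 1 produces.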
OU Planning: Apply Group Policy
- Group Policy is used to control desktop configurations
  - Applied to users and computers
  - Associated with sites, domains, or organizational units
- Create OUs to apply unique policy
- Filter application of policy using access control

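The last two bullets as a script: an OU created only to scope a policy, the GPO linked to it, and security filtering so the policy applies to one group rather than to everything under the OU. This is an added example, not from the original slides; the OU, GPO and group names are assumed, and it requires the RSAT ActiveDirectory and GroupPolicy modules.

```powershell
# Added example (not from the slides): OU-scoped GPO with security filtering.
# OU, GPO and group names are assumed. Needs the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Kiosks'                      # assumed OU name
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Kiosk Lockdown'              # assumed GPO name
$group    = 'Kiosk-Computers'             # assumed group holding the kiosk computer accounts

# "Create OUs to apply unique policy": the OU exists only to scope this GPO.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Create (or reuse) the GPO and link it to the OU; Enforced stops a child OU from blocking it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# "Filter application of policy using access control": Authenticated Users keep Read
# (every computer must still be able to read the GPO when it processes policy) but lose
# Apply, and only the group gets Apply. GpoApply includes Read.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check: which trustees can actually apply the policy now?
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission -AutoSize
```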
Summary
- Deployment planning
  - Assess current environment
  - Structure planning
  - Migration planning
- Start with structure planning
  - Forest, domain, OU
- Guiding principles
  - Keep it simple
  - Anticipate change

For More Information
- Read the Windows 2003 Deployment Guide (on the Windows 2003 CD)
- Read the Distributed Systems book in the Windows 2003 Resource Kit
- Watch for whitepapers on the Windows 2003 Server home page: http://www.microsoft.com/windows/server/

Scenario Discussion (time permitting)