AD Child Domains By: Joan Carter 05/29/2003. Who can bring up a child domain in AD.ASU.EDU? ...
-
Upload
alanna-stuckey -
Category
Documents
-
view
214 -
download
0
Transcript of AD Child Domains By: Joan Carter 05/29/2003. Who can bring up a child domain in AD.ASU.EDU? ...
Who can bring up a child domain in AD.ASU.EDU? Campus/college/VP level units Considerations:
Is there a business purpose that requires the creation of another domain in the forest?
Would there be a better use of resources?
Do we want a child domain? We:
Need to manage our own accounts Have particular needs for password or security settings
that are different from ASURITE domain’s settings Are geographically or network challenged Want our users to use/access resources anywhere in
AD.ASU.EDU without an additional logon. Want the ability to utilize the university structure and
processes in place (e.g., ASURITE accounts, Student accounts, administrative processes used in the ASU AD forest, etc.).
What would my responsibilities be? Maintain 2 domain controllers with current hardware service
agreements, in a secure location Provide 7/24 support (on-call for non-business hours) Provide a list of DC administrators with contact info to IT-
Main Demonstrate ability to backup/restore AD components. Coordinate scheduled maintenance on DC’s.
Bring one DC down during any maintenance in the event a problem occurs.
Run DCDIAG prior to and immediately after any maintenance to verify that communication with the rest of the domain is intact
What would my responsibilities be? Provide immediate notification to IT-Main of
unscheduled DC outages Provide appropriate support during AD.ASU.EDU
Active Directory schema updates as follows: Be on-call. Bring one DC down during update
Keep DC’s and Servers up-to-date (security and anti-virus)
Use secure account management practices
What would my responsibilities be? Comply with restriction on Generic (lab or multiple-
users-per-account) domain accounts. Generic accounts can be created on member servers or
locally on individual workstations Test, Administrator, and Guest accounts can be handled
through Computer Accounts "Exception" process. Service accounts can be created locally or domain-wide.NOTE: If a unit has a need for generic accounts that cannot be handled via the above methods, they may want to create their own forest to accommodate this need.
What would my responsibilities be? Perform all local domain administration and
maintenance Perform authoritative Active Directory restore
for objects in their domain.
What are IT’s responsibilities? Information Technology is responsible for
maintaining the stability and integrity of the AD.ASU.EDU, ASURITE.AD.ASU.EDU and STUDENT.AD.ASU.EDU domains for the University.
What are IT’s responsibilities? Hardware/software maintenance and support Troubleshooting problems Backup/restore of AD objects Schema changes Performance and event monitoring DNS support Account administration Delegation of authority 7/24 on-call support
Which functions are controlled by Enterprise Admins only? DCPROMO DC DNS authority (ad.asu.edu zone) Schema updates Enterprise-wide service accounts DFS root? Site Creation IAS/RAS Authorization RIS Authorization DHCP authorization
What about the other child-domain administrator’s – can they be trusted? Domain administrators don’t inherently have
rights to other domains. There are a few security holes that can be
exploited only by domain administrators, but…All are university employees that have been given
this authority by their college/campus/VP unit.
Decision Points Do I have the resources available for a child-
domain (i.e., the extra hardware and manpower for managing it)?
Do I have the resources available for a child-domain in the development environment (i.e., the extra hardware and manpower for managing it)?
Decision Points What level to join the domain? (i.e., child to AD,
child to another domain, peer to AD). What will I name the domain? (i.e.,
xxx.ad.asu.edu) Which DC’s will have which FSMO roles? Which DC’s will be Global Catalog servers Will we need to change the DNS suffix on any of
our servers/workstations? How will we accomplish this?
Decision Points Upgrade DC’s in-place or rebuild and
migrate? Migrate groups from resource domains, or
re-create? Create a separate Site or join the Main Site? What will the OU Structure look like?
Decision Points Delegation issues:
User account delegation – who has permissions to manage user account attributes, what can and can’t they do?
Computer object delegation – who has permissions to manage computer objects?
Decision Points OU delegation – what should OU admins be able to
do in their own OU? Create/delete computer objects? Create/delete contact objects? Create/delete Group objects (Local Domain, Global,
Universal -- all as a Distribution or Security group)? Create/delete sub OU’s ?
Note: OU’s are created with the ability to create user accounts. A script can be written to create sub-OU’s with proper delegated permissions
Decision Points Create/delete printer objects (publishes print shares)? Create/delete user objects? Create/delete shared folder objects (publishes existing
shares in their OU)? Create/delete Group Policy objects? Assign others the rights/privileges to manage objects in
their OU (i.e., add others to their OUAdmin group)? Have different levels of permissions for different
OUAdmins?
Decision Points What default settings will we need on user accounts
and computer objects? What will our naming convention be for user
accounts, OU’s, groups, computer objects, etc.? Will I need to use GPO’s for anything? If so, will I
use loopback GPO’s or will all my domain users reside in the same OU’s as the computers they use?
Do I use NetID for DHCP or Microsoft DHCP? If I use Microsoft DHCP, will I want integrated dynamic DNS?
Decision Points What scripts are needed? Now? Later?
User account management Computer object management User ACL’s User attribute changes (i.e., UPN, W2K login name,
others?) OU creation (with correct security for OUAdmins,
others) Sub-OU creation.
Use monitoring tools or manual processes?
Upgrade or build new? Upgrade benefits -
keep existing accounts/group memberships no effect on users (i.e., they keep their
accounts/passwords) Upgrade problems –
SID history information is everywhere (some associated latency)
Some systems may have misc unexplainable problems?
Upgrade or build new? Build new benefits –
No SID histories, unless ADMT is used. No unexplained system problems due to upgrade
Build new problems – User impact (i.e., accounts/passwords) Re-creation of groups & memberships unless
ADMT is used.
What’s the plan? A general overview Scenario 1 – Authentication and Resource
domain migration Upgrade Authentication domain BDC DCPROMO – make new child domain Build new DC for second DC (replaces old PDC) Move FSMO roles to re-built DC, and now
rebuild original DC Select DC’s for FSMO roles and GC placement Re-create trusts to resource domains
What’s the plan? A general overview Use ADMT to migrate groups and/or local
resource domain users to new child domain Upgrade/rebuild member servers and join to new
child domain If upgrade of resource domain DC’s is necessary
rather than rebuild (in order to keep data, permissions, attributes, etc), upgrade and place in a FAKE W2K forest. Then DCPROMO out of the forest and make the system a member server.
What’s the plan? A general overview Scenario 2 – Single NT domain (authentication
and resources) Upgrade BDC to W2K DCPROMO – make new child domain Build new DC for second DC Upgrade/rebuild member servers Move FSMO roles to re-built DC, and now rebuild
original DC Select DC’s for FSMO roles and GC
placement
Test, test, test Set up a copy of your domain(s) in the
development environment to test your migration.
(xxx.tad.asu.edu) Test all facets of the upgrade/migration before
you work on your production environment!
Prepare, Coordinate, and DCPROMO Create a task list to make sure you don’t
forget anything! Be sure to coordinate all functions with IT-
Main!
Verify and Monitor - Tools ClonePrincipal - A command-line tool used
for user, group, and computer object migration.
Active Directory Migration Tool (ADMT) – A GUI based Active Directory Migration tool (ADMT) to migrate users, groups, and computers from one domain to another, and to analyze the migration impact both before and after the actual migration process.
Verify and Monitor - Tools NETDIAG - Tests the state and functionality of
various network connectivity and components on a network client.
DCDIAG – Tests the state of various Domain Controller functions and communication.
NETDOM - Enables administrators to remotely add, delete, and reset computer objects in a domain.
REPLMON - Displays replication topology, status and performance of Active Directory domain controllers.
Verify and Monitor - Tools GPResult - This command-line tool displays
information about the result Group Policy has had on the current computer and logged-on user.
GPOTool - This command-line tool allows you to check the health of the Group Policy objects on domain controllers.
Management and Maintenance Replication monitoring Object maintenance Delegation of authority - http://
www.west.asu.edu/it/faculty_staff/windows_ou/
Why would I want my own forest? High security
No other domains have access to your resources Total control
Enterprise Admin functions (e.g., schema updates) Little coordination needed with IT
DNS Kerberos LDAP
What’s the down side? No trust with ad.asu.edu
Exchange users would need to have separate credentials No cross-forest authentication, i.e., resources in
ad.asu.edu forest may not be available to your users. No automated user/group management provided by
IT Additional management/resources are needed to
maintain