Advanced Active Directory Deployments Rick Claus IT Pro Advisor Microsoft Canada...
Slide 1
Advanced Active Directory Deployments
Rick Claus, IT Pro Advisor
Microsoft Canada
rclaus@microsoft.com
http://blogs.technet.com/rclaus
Slide 2
What Will We Cover?
• Multiple Forest Design
• Multiple Domain Design
• Site Design
Slide 3
Helpful Experience
Level 200
• Experience with Active Directory concepts
• Experience administering Active Directory
• Experience supporting TCP/IP networks
Slide 4
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Slide 5
Designing Forests
• Shared directory
• Security boundary (the forest, not the domain, is the security boundary)
• Identify business requirements
• Determine number of forests
(Diagram: Forests / Forest Design)
Slide 6
Service Administrator Authority
Service administrators (the accounts that manage domain controllers and the directory service itself) have full access to the entire forest, not just to their own domain.
You must be able to trust every service administrator in the forest; if you cannot, that is an isolation requirement and therefore a reason for a separate forest.
Slide 7
Reasons for Multiple Forests
Generic reasons:
• Operational
• Legal
• Autonomy
• Asset isolation
• Structure
Organizational reasons
Slide 8
Autonomy vs. Isolation
• Service autonomy vs. service isolation
• Data autonomy vs. data isolation
Autonomy means independent control of the service or the data while other administrators in the forest could still obtain that control; isolation means no administrator outside the group can take control of, or access, the service or the data. Only an isolation requirement forces a separate forest.
Slide 9
Forest Design Considerations
• Isolation requirements limit choices
• Allow enough negotiation time
• Consider the cost benefit
• Avoid co-ownership by two IT orgs
• Avoid outsourcing to multiple partners
Slide 10
Organizational Forest Model
(Diagram: two organizational forests, each containing its own user accounts and resource servers, joined by a forest trust. Key: user accounts, resource servers.)
Slide 11
Resource Forest Model
(Diagram: an organizational forest holding the user accounts, with a forest trust to each of two resource forests; the resource forests hold resource servers, service accounts and alternate user accounts. Key: user accounts, resource servers, service accounts, alternate user accounts.)
Slide 12
Restricted-Access Forest Model
(Diagram: an organizational forest holding user accounts and resource servers; a separate restricted-access forest holding the servers with classified data; the diagram labels a forest trust between them. Key: user accounts, resource servers.)
Users who need the classified data get separate accounts in the restricted-access forest, so access to that data never depends on the organizational forest's service administrators.
Slide 13
Scenario: Same Corporation
(Diagram: Contoso.com with two separate forests, hr.contoso.com and Plant.contoso.com, each joined to it over a dedicated connection.)
• hr.contoso.com: an application that requires a different schema
• Plant.contoso.com: physically unsecured domain controllers (whoever has physical control of a DC controls that domain and, through it, the forest the DC belongs to, so such DCs belong in a forest of their own)
Slide 14
Scenario: Different Corporations
(Diagram: Contoso.com and Fabrikam.com, each behind its own firewall, connected across the Internet.)
Slide 15
Scenario: Perimeter Network
(Diagram: Contoso.com on the internal network; a firewall; DMZ.Contoso.com as a separate forest on the perimeter network, hosting a web app that uses Passport; a second firewall; the Internet.)
Slide 16
Mapping Requirements to Models
Requirements:
  Limited connectivity: No
  Data isolation: No
  Data autonomy: Yes
  Service isolation: No
  Service autonomy: No
Solution: Join an existing forest for data autonomy
Slide 17
Mapping Requirements to Models
Requirements:
  Limited connectivity: No
  Data isolation: No
  Data autonomy: N/A
  Service isolation: Yes
  Service autonomy: N/A
Solution: Use an organizational or resource forest for service isolation
Slide 18
Mapping Requirements to Models
Requirements:
  Limited connectivity: Yes
  Data isolation: No
  Data autonomy: N/A
  Service isolation: No
  Service autonomy: Yes
Solution: Use an organizational forest or domain and reconfigure the firewall for service autonomy with limited connectivity
Slide 19
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Slide 20
Forest Trusts
(Diagram: forest trust between Corp.Contoso.com and Corp.Fabrikam.com.)
Requirements
• All domain controllers in both forests running Windows Server 2003
• Both forests at the Windows Server 2003 forest functional level
• DNS infrastructure that resolves names in both directions (for example conditional forwarders or stub zones)
• Enterprise Admin privileges in both forests (to create both sides of a two-way trust in one operation)
Slide 21
Authentication across Forests
(Diagram: Corp.Contoso.com with DC1, DC2 and a GC; Corp.Fabrikam.com with DC3 and DC4; the authentication path crosses the forest trust between the two forests.)
Slide 22
Authorization across Forests
Client or application                        How to reference principals from the trusted forest
Windows XP SP2 and Windows Server 2003       Can browse and search principals
Windows 2000                                 Use UPN or NT 4.0 name
Windows NT 4.0 and earlier                   Use NT 4.0 name
Exchange Server 5.5 and SQL Server 2000      Use NT 4.0 name
Slide 23
Restricting Forest Scope: Scenario 1
(Diagram: forest trust between Contoso.com and Fabrikam.com; one name suffix is marked "Not Trusted".)
Disable name suffix routing for a DomainInfo entry (a single domain) or a TopLevelName entry (a whole domain tree) in the trust's routing table; principals from that namespace can then no longer authenticate across the trust.
Slide 24
Restricting Forest Scope: Scenario 2
(Diagram: forest trust between Contoso.com and Fabrikam.com with selective authentication.)
Allowed to authenticate: with selective authentication enabled on the trust, users from the trusted forest can reach only those computers on which they have been granted the "Allowed to Authenticate" permission; everything else in the trusting forest is closed to them.
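The procedure on slides 20, 23 and 24 (create the forest trust, then restrict what it lets through), as an added PowerShell example that is not part of the original deck. It assumes it runs on an administrative host in corp.contoso.com with the ActiveDirectory module, that the two forests already meet the prerequisites on slide 20, and that the server APP01 and the group FABRIKAM\App Users are hypothetical names chosen for the illustration.

```powershell
# Added example (not the deck's own code): create a two-way forest trust
# between corp.contoso.com and corp.fabrikam.com, harden it, and grant one
# trusted group "Allowed to Authenticate" on one server.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$localName    = 'corp.contoso.com'
$remoteName   = 'corp.fabrikam.com'
$contosoCred  = Get-Credential -Message 'Enterprise Admin in corp.contoso.com'
$fabrikamCred = Get-Credential -Message 'Enterprise Admin in corp.fabrikam.com'

function Get-ForestWithCredential {
    param([string]$Name, [pscredential]$Cred)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $Name, $Cred.UserName, $Cred.GetNetworkCredential().Password)
    [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
}

$local  = Get-ForestWithCredential $localName  $contosoCred
$remote = Get-ForestWithCredential $remoteName $fabrikamCred

# 1. Both sides of a two-way forest trust in one operation; this is why the
#    slide lists Enterprise Admin privileges (needed in both forests).
$local.CreateTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 2. Harden it. SID filtering drops SIDs in the other forest's tickets that
#    do not belong to that forest (no SID-history injection); selective
#    authentication turns the trust into an allow-list per computer.
$local.SetSidFilteringStatus($remoteName, $true)
$local.SetSelectiveAuthenticationStatus($remoteName, $true)

# 3. Scenario 2: grant the trusted group the "Allowed to Authenticate"
#    extended right (rightsGuid 68b1d179-0d15-4d4f-ab71-46152e79a7bc)
#    on the one computer object it may use. APP01 / App Users are hypothetical.
$allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$server = Get-ADComputer -Identity 'APP01'
$group  = Get-ADGroup -Identity 'App Users' -Server $remoteName -Credential $fabrikamCred
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$acl = Get-Acl -Path "AD:\$($server.DistinguishedName)"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$($server.DistinguishedName)" -AclObject $acl

# 4. Check what the directory actually holds, not what was intended.
#    On a forest trust, SIDFilteringForestAware = True means the trust was
#    relaxed to external-trust filtering (SID history from the other forest
#    is honoured); it should be False. SelectiveAuthentication should be True.
function Test-ForestTrustHardening {
    Get-ADTrust -Filter * | Where-Object { $_.ForestTransitive } | ForEach-Object {
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            SelectiveAuthentication = $_.SelectiveAuthentication
            SidHistoryHonoured      = $_.SIDFilteringForestAware
            Finding                 = if (-not $_.SelectiveAuthentication -or $_.SIDFilteringForestAware) {
                                          'forest trust is wider than scenario 2 requires'
                                      } else { '' }
        }
    }
}
Test-ForestTrustHardening | Format-Table -AutoSize
```

Run the check on its own periodically: a trust that was created hardened can be relaxed later with one netdom command, and the check is the only thing that notices.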
Slide 25
Other Forest Considerations
Recommended: a forest trust between forests with separate DNS namespaces (Contoso.com and Fabrikam.com).
Not recommended: a separate forest whose DNS name sits inside another forest's namespace (Contoso.com and Plant.contoso.com); the name suffix routing entry for Contoso.com covers *.contoso.com, so the Plant forest's name conflicts with it and has to be handled with routing exclusions.
Slide 26
Smart Cards and Forest Trusts
(Diagram: Contoso.com and Fabrikam.com joined by both a forest trust and a PKI trust.)
A forest trust alone is not enough for smart-card logon across forests: the certificate on the card is issued by a CA in the user's own forest, and the other forest must trust that issuing CA as well (the PKI trust), otherwise the logon fails at certificate validation.
Slide 27
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Slide 28
Active Directory Domains
A domain is an Active Directory partition and the unit of administration for:
• User identity
• Authentication
• Trust relationships
• Replication
Slide 29
Factors that Impact Domain Model
• Network capacity (the slowest link between DCs, from 128K ISDN up to T1)
• Number of users
Slide 30
Reasons for Multiple Domains
• Administrative considerations (politics)
• Unique policies
• Network traffic
• Network connectivity
• Capacity
• International differences
• In-place upgrade of existing domains
None of these is a security boundary: a domain gives autonomy, not isolation. If isolation is the requirement, the answer is a separate forest, not a separate domain.
Slide 31
Design Recommendations
If deploying more than one domain, remember:
• Minimize the number of domains
• Minimize the depth of the domain hierarchy
• Choose a reorganization-proof design
• Deploy at least two DCs per domain
• Deploy transient domains during migration
Slide 32
Domain Cost Implications
• Management
• Consistency
• User moves
Slide 33
Domain Models: Single Domain
Slide 34
Domain Models: Regional
(Diagram: a forest root domain with three regional child domains.)
Slide 35
Domain Models: Organizational
(Diagram: a Corp forest root domain with Division 1, Division 2 and Division 3 child domains.)
Central IT team: Enterprise Admins, Domain Admins, Schema Admins
Div 1 IT team: Domain Admins
Div 2 IT team: Domain Admins
Div 3 IT team: Domain Admins
Each division's Domain Admins group is a service administrator group: it controls domain controllers that belong to the forest, so this model gives the divisions autonomy, not isolation.
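The question slide 6 asks ("can every service administrator be trusted?") is easier to answer from a list than from an org chart. The following is an added PowerShell example, not code from the deck; it assumes the ActiveDirectory module and read access to every domain in the forest, and it flattens the service administrator groups of the organizational model above into one report.

```powershell
# Added example (not the deck's own code): enumerate the service
# administrator groups of every domain in the forest and flag members that
# hold administrative rights in more than one domain, or that are not users.
Import-Module ActiveDirectory

function Get-ForestServiceAdmins {
    param([string]$Forest = (Get-ADForest).Name)
    $f    = Get-ADForest -Identity $Forest
    $rows = New-Object System.Collections.Generic.List[object]

    # Flatten one (domain, group) pair. -Recursive expands nested groups; it can
    # fail on members that live in another domain, so the failure is recorded
    # as a row rather than aborting the whole report.
    function Add-Members([string]$Domain, [string]$Group) {
        try {
            Get-ADGroupMember -Identity $Group -Server $Domain -Recursive -ErrorAction Stop |
                ForEach-Object {
                    $rows.Add([pscustomobject]@{ Domain = $Domain; Group = $Group
                        Member = $_.SamAccountName; Class = $_.objectClass; Error = '' })
                }
        } catch {
            $rows.Add([pscustomobject]@{ Domain = $Domain; Group = $Group
                Member = ''; Class = ''; Error = $_.Exception.Message })
        }
    }

    # Forest-wide service administrator groups exist only in the forest root.
    foreach ($g in 'Enterprise Admins', 'Schema Admins') { Add-Members $f.RootDomain $g }
    # Every domain, root and children alike, has its own Domain Admins and Administrators.
    foreach ($d in $f.Domains) {
        foreach ($g in 'Domain Admins', 'Administrators') { Add-Members $d $g }
    }
    $rows
}

$admins = Get-ForestServiceAdmins
$admins | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Two things a reviewer of the organizational domain model wants to see:
# accounts that are service administrators in more than one domain, and
# members that are not plain user accounts (computers, nested groups, gMSAs).
$admins | Where-Object Member | Group-Object Member |
    Where-Object { @($_.Group.Domain | Select-Object -Unique).Count -gt 1 } |
    Select-Object @{ n = 'Member'; e = { $_.Name } },
                  @{ n = 'Domains'; e = { ($_.Group.Domain | Select-Object -Unique) -join ', ' } }
$admins | Where-Object { $_.Member -and $_.Class -ne 'user' }
```

A row with a non-empty Error column is itself a finding: it usually means a group in one division's domain contains a principal from another domain, which is exactly the cross-division reach the model is supposed to avoid.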
Slide 36
Determining the Number of Domains
Maximum users per domain, by the slowest link connecting a DC and the share of that link's bandwidth available to replication (bandwidth is in Kbps; the slide prints KBps):
Slowest link (Kbps)    1%         5%         10%
28.8                   10,000     25,000     40,000
56                     10,000     50,000     100,000
256                    50,000     100,000    100,000
1500 (T1)              100,000    100,000    100,000
Slide 37
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Slide 38
Site Functions
(Diagram: one domain spanning Site 1, Site 2 and Site 3.)
A site is a set of well-connected subnets. Sites drive DC location (clients log on to a DC in their own site) and the replication topology (intrasite replication is immediate, intersite replication is scheduled and compressed).
Slide 39
Typical Network Topologies
(Diagram: a ring topology of sites; a hub and spoke topology with one hub site and several spoke sites; a complex topology with two hubs, each with its own spoke sites.)
Slide 40
Active Directory Replication
(Diagram: London site with DC-1, DC-2 and DC-3; Tilbury site with DC-4 and DC-5; intrasite replication connections over the LAN within each site; an intersite replication connection over the WAN between the two sites.)
Slide 41
DC Placement: Forest Root
(Diagram: hub and spoke site topology; the forest root DCs are placed in the hub site at the network hub / datacenter, with the spoke sites connected to the hub.)
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/4af3271a-4407-4ca5-9cd5-e05b79046d08.mspx
Slide 42
DC Placement: Regional
Decision flow (reconstructed from the chart's labels):
• Is logon performance over the WAN good? If yes, do not place a DC at the location.
• If no: can the DCs be physically secured at that location? If no, do not place a DC (anyone with physical access to a DC can read every password hash in the domain and take the domain over).
• If yes: is there an administrator for the DCs at that location? If no, do not place a DC.
• If yes: is the WAN link stable, and is 24x7 logon required? Place a DC when the link is unstable or when 24x7 availability is required; otherwise do not place one.
Slide 43
Global Catalog Placement
Decision flow (reconstructed from the chart's labels):
• Does an application at the location require a GC? If yes, place a GC.
• Are there more than 100 users at the location? If yes, place a GC.
• Is the WAN link to the nearest GC unreliable? If yes, place a GC.
• Are there roaming users at the location? If yes, place a GC.
• Otherwise do not place a GC: place a DC and enable universal group membership caching (UGMC) for the site.
Slide 44
Operations Masters Review
Domain roles: PDC Emulator, RID Master, Infrastructure Master
Forest roles: Schema Master, Domain Naming Master
Slide 45
Operations Masters Guidelines
Server/Role              Rule
All                      Place on highly reliable networks
First server             Place near the largest number of users
Standby                  Designate one immediately
Infrastructure Master    Do not place it on a GC* (*unless every DC in the domain is a GC, or the forest has a single domain; in those cases the role has nothing to update and the placement does not matter)
PDC Emulator             Place near the largest number of users
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/edeba401-7f51-4717-91bd-ddb1dca8a327.mspx
Slide 46
Operations Masters Placement
• Single-domain forest: make all DCs into GCs; leave the roles on the first DC
• Forest root domain (multiple domains): move the roles to the second DC; don’t make the second DC a GC
• Regional child domain: leave the roles on the first DC; don’t make the second DC a GC
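The placement rules on slides 45 and 46 are easy to get right on day one and easy to break later when someone promotes a DC to GC. Below is an added PowerShell check, not code from the deck, that lists every operations master in the forest and applies the Infrastructure Master rule; it assumes the ActiveDirectory module and that the account running it can query every domain.

```powershell
# Added example (not the deck's own code): report the operations master
# holders for the forest and every domain, and flag an Infrastructure Master
# that sits on a GC while other DCs in the same multi-domain forest are not GCs.
Import-Module ActiveDirectory

function Test-OperationsMasterPlacement {
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = 'Forest'; Role = 'Schema Master';        Holder = $forest.SchemaMaster;       Finding = '' }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'Domain Naming Master'; Holder = $forest.DomainNamingMaster; Finding = '' }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

        # The exception on slide 45: with one domain, or with every DC a GC,
        # the Infrastructure Master has nothing to update, so a GC is fine.
        $finding = ''
        if ($im.IsGlobalCatalog -and -not $allGc -and $forest.Domains.Count -gt 1) {
            $finding = 'Infrastructure Master is a GC while other DCs in the domain are not; cross-domain group member references will go stale'
        }

        [pscustomobject]@{ Scope = $domainName; Role = 'PDC Emulator';          Holder = $domain.PDCEmulator;          Finding = '' }
        [pscustomobject]@{ Scope = $domainName; Role = 'RID Master';            Holder = $domain.RIDMaster;            Finding = '' }
        [pscustomobject]@{ Scope = $domainName; Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster; Finding = $finding }
    }
}

Test-OperationsMasterPlacement | Format-Table -AutoSize

# Remediation for a finding, with a hypothetical DC name: move the role to a
# DC in that domain that is not a GC (the "second DC" on slide 46).
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole InfrastructureMaster
```

Keep the designated standby from slide 45 in the same report: if the holder and the standby are the same machine, or the standby is a GC in a multi-domain forest, the failover plan breaks the same rule.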
Slide 47
Creating Sites
Decision flow (reconstructed from the chart's labels):
• Is there a DC at the location? If yes, create a site for the location.
• If no: does an application require a site at the location? If yes, create a site for the location.
• Otherwise include the location's subnet in the closest existing site.
Slide 48
Site Links
(Diagram: Site 1, Site 2 and Site 3, initially all in Default-First-Site-Link, with the site links Site1-Site2, Site1-Site3 and Site2-Site3.)
Connection transports
• RPC over IP
• SMTP (asynchronous; it can replicate only the schema, configuration and application directory partitions, not the domain partition, so it cannot link two DCs of the same domain)
Slide 49
Site Link Cost
Available bandwidth (Kbps; the slide prints KBps) and the corresponding site link cost:
Available Kbps    Cost
9.6               1042
19.2              798
38.4              644
56                586
64                567
128               486
256               425
512               378
1024              340
2048              309
4096              283
The costs follow cost = 1024 / log10(available bandwidth in Kbps), rounded to the nearest integer.
Site1-Site2: 256 Kbps, cost 425
Site1-Site3: 9.6 Kbps, cost 1042 (the slide prints 1024; the table value for 9.6 Kbps is 1042)
Site2-Site3: 256 Kbps, cost 425
Slide 50
Site Link Schedule
(Diagram: Site 1, Site 2 and Site 3 with the three site links.)
Site1-Site2: cost 425
Site1-Site3: cost 1042 (printed as 1024 on the slide; see the table on slide 49)
Site2-Site3: cost 425, not available from 8:00 A.M. to 6:00 P.M.
Slide 51
Site Link Interval
Site 1 to Site 2
Schedule: 8:00 A.M. to 10:00 A.M.
Interval: 30 minutes
Replication occurs 4 times (8:00, 8:30, 9:00, 9:30)
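Slides 49 to 51 describe three settings of a site link: cost, schedule and interval. The following added PowerShell example (not code from the deck) derives the costs from the formula behind the slide 49 table and creates the three links with the slide 50 blackout window. It assumes the ActiveDirectory module, that sites Site1, Site2 and Site3 already exist, and that the IP transport is used.

```powershell
# Added example (not the deck's own code): compute site link costs from
# available bandwidth, build a replication schedule with a blackout window,
# and create the three site links from slides 49 and 50.
Import-Module ActiveDirectory

# The slide 49 table is cost = 1024 / log10(bandwidth in Kbps), rounded:
# 9.6 Kbps -> 1042, 256 Kbps -> 425, 4096 Kbps -> 283.
function Get-SiteLinkCost {
    param([Parameter(Mandatory)][double]$Kbps)
    if ($Kbps -le 1) { throw 'Bandwidth must exceed 1 Kbps for the formula to be defined' }
    [int][math]::Round(1024 / [math]::Log10($Kbps))
}

# Weekly schedule as a 7 x 24 x 4 array (day, hour, quarter hour); $true means
# replication may start. Hours in [BlackoutStartHour, BlackoutEndHour) are closed.
function New-ReplicationSchedule {
    param([int]$BlackoutStartHour = -1, [int]$BlackoutEndHour = -1)
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $raw = $schedule.RawSchedule
    for ($d = 0; $d -lt 7; $d++) {
        for ($h = 0; $h -lt 24; $h++) {
            $open = -not ($h -ge $BlackoutStartHour -and $h -lt $BlackoutEndHour)
            for ($q = 0; $q -lt 4; $q++) { $raw[$d, $h, $q] = $open }
        }
    }
    $schedule.RawSchedule = $raw
    $schedule
}

# Slide 51: how many replication cycles fit in a window at a given interval
# (8:00 to 10:00 at 30 minutes -> 4).
function Get-ReplicationCount {
    param([int]$WindowMinutes, [int]$IntervalMinutes)
    [math]::Floor($WindowMinutes / $IntervalMinutes)
}

$links = @(
    @{ Name = 'Site1-Site2'; Sites = 'Site1', 'Site2'; Kbps = 256; Blackout = $null },
    @{ Name = 'Site1-Site3'; Sites = 'Site1', 'Site3'; Kbps = 9.6; Blackout = $null },
    @{ Name = 'Site2-Site3'; Sites = 'Site2', 'Site3'; Kbps = 256; Blackout = @(8, 18) }
)
foreach ($l in $links) {
    $cost = Get-SiteLinkCost -Kbps $l.Kbps
    New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $cost `
        -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
    if ($l.Blackout) {
        $sched = New-ReplicationSchedule -BlackoutStartHour $l.Blackout[0] -BlackoutEndHour $l.Blackout[1]
        Set-ADReplicationSiteLink -Identity $l.Name -ReplicationSchedule $sched
    }
}

Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes
"Cycles in the slide 51 window: $(Get-ReplicationCount -WindowMinutes 120 -IntervalMinutes 30)"
```

Get-SiteLinkCost returns 1042 for 9.6 Kbps, which is why the 1024 printed on slides 49 and 50 is treated as a typo above: the rest of the table matches the formula exactly.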
Slide 52
Site Link Transitivity
Disable automatic bridging of all site links if:
• The IP network is not fully routed
• You wish to control replication traffic
(Diagram: West Coast hub Site A with site links A-C, A-D and A-E to Sites C, D and E; East Coast hub Site B with site links B-F, B-G and B-H to Sites F, G and H; site link A-B between the two hubs.)
Slide 53
Site Link Bridge Design
(Diagram: the same West Coast and East Coast topology; a West Site Link Bridge groups A-C, A-D and A-E, an East Site Link Bridge groups B-F, B-G and B-H, and site link A-B joins the two hubs.)
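The design on slides 52 and 53 (turn off "bridge all site links", then add explicit bridges) in PowerShell, as an added example that is not part of the deck. It assumes the ActiveDirectory module and site links named A-C, A-D, A-E, A-B, B-F, B-G and B-H. Putting the hub link A-B into both bridges, so that the two coasts still replicate with each other, is an assumption; the slide does not say where A-B belongs.

```powershell
# Added example (not the deck's own code): disable automatic site link
# transitivity on the IP transport and create the two bridges from slide 53.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Bit 0x2 of the 'options' attribute on the IP transport object means
# "bridges required": the "Bridge all site links" checkbox is cleared and
# only explicitly created bridges make site links transitive.
$bridgesRequired = 0x2

function Test-SiteLinkBridgingDisabled {
    $ip = Get-ADObject -Identity $ipTransport -Properties options
    $options = if ($null -ne $ip.options) { [int]$ip.options } else { 0 }
    [bool]($options -band $bridgesRequired)
}

if (-not (Test-SiteLinkBridgingDisabled)) {
    $ip = Get-ADObject -Identity $ipTransport -Properties options
    $options = if ($null -ne $ip.options) { [int]$ip.options } else { 0 }
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($options -bor $bridgesRequired) }
}

# Two bridges, one per coast; A-B in both is the assumption stated above.
New-ADReplicationSiteLinkBridge -Name 'West Site Link Bridge' -SiteLinksIncluded 'A-C', 'A-D', 'A-E', 'A-B'
New-ADReplicationSiteLinkBridge -Name 'East Site Link Bridge' -SiteLinksIncluded 'B-F', 'B-G', 'B-H', 'A-B'

# Verify the result: bridging disabled, and which links each bridge covers.
"Bridge all site links disabled: $(Test-SiteLinkBridgingDisabled)"
Get-ADReplicationSiteLinkBridge -Filter * | Select-Object Name, SiteLinksIncluded
```

After this change the KCC only builds connections between sites whose links share a bridge, so a spoke site that is left out of every bridge stops receiving replication; check the bridge membership whenever a site link is added.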
Slide 54
Session Summary
• Keep designs as simple as possible.
• Weigh benefits versus costs.
• Plan carefully.
Slide 55
For More Information
Visit the following URL for additional information: www.microsoft.com/technet/ADD-03
Visit TechNet at www.microsoft.ca/technet