Slide 1: Session 2: Core Infrastructure Design
Andrew Hill – Consultant
Rob Lowe – Consultant
MCS Talks Infrastructure Architecture
(Transcript of the slide deck, posted 21-Dec-2015)

Slide 2: Live Meeting Information
- Feedback Panel
- Questions & Answers
- Blog: http://blogs.technet.com/MCSTalks

Slide 3: title slide (repeat of slide 1)

Slide 4: Purpose
Purpose: To provide design guidance for Microsoft Windows Server 2008 Active Directory
Agenda:
- Determine the process for Active Directory design
- Assist designers in the decision-making process
- Provide design assistance based on best practice and real-world experience

Slide 5: Active Directory Design Overview
- Forest and domain design
- Organizational Units (OUs)
- Group Policy Objects (GPOs)
- Security Groups
- Domain Controller Placement (inc. RODC)
- Sites Topology
- Domain Controller Configuration
- DNS

Slide 6: Active Directory in Microsoft Infrastructure Optimization
Maturity levels: Basic, Standardized, Rationalized, Dynamic
Capability areas:
- Data Protection and Recovery
- Identity and Access Management
- Security and Networking
- Desktop, Device, and Server Management
Windows Server 2008 Active Directory Domain Services

Slide 7: Tips for the Planning Process
Considerations at each design phase:
- Complexity
- Cost
- Fault Tolerance
- Performance
- Scalability
- Security

Slide 8: Contoso Network Infrastructure (diagram)
Sites and user counts:
- London: 6,000 users, Head Office (London LAN)
- Manchester: 25,000 users, Call Centre and Data Centre (Manchester LAN)
- Glasgow: 25,000 users, Manufacturing (Glasgow LAN)
- Bristol: Fail Over Data Centre
- Ireland: 1,000 users, Development
- India: 1,500 users, Development
- Remote VPN users: 3,000 (1MB to 8MB ADSL)
- Birmingham: 750 users
- Exeter: 500 users
- Edinburgh: 400 users
- Newcastle: 350 users
- Reading: 350 users
- Oxford: 250 users
- York: 100 users
- New York: 30 users
- Paris: 20 users
- Tokyo: 10 users
WAN link speeds labelled on the diagram (the extracted text does not show which link each belongs to): 1GB, 100MB, 10MB, 2MB, 1MB and 512KB

Slide 9: How Many Forests?
Determine the Number of Forests
- Option 1: Single Forest
- Option 2: Multiple Forests
Multiple Forest Drivers:
- Multiple Schemas
- Resource Forests
- Forest Administrator Distrust
- Legal Regulations for Application or Data Access
- Requirements to be disconnected for long periods (e.g. Military)

Slide 10: Single Organizational Forest Model (diagram)
One forest holding Exchange, Users, Workstations, Applications and SharePoint

Slide 11: Multiple Organizational Forest Model (diagram)
Two forests, each holding its own Exchange, Users, Workstations, Applications and SharePoint, joined by a Forest Trust

Slide 12: Shared Resource Forest Model (diagram)
A resource forest hosting Exchange and SharePoint; two organizational forests, each holding Users, Workstations and Applications, each with a Forest Trust to the resource forest

Slide 13: Shared Account Forest Model (diagram)
An account forest holding Exchange, Users, Workstations, Applications and SharePoint; two separate forests holding Restricted Data and Applications, each joined to the account forest by a Forest Trust

Slide 14: Determine the Number of Domains
How many Domains?
- Option 1: Single Domain
- Option 2: Multiple Domains
Multiple Domain drivers:
- Large number of frequently changing attributes
- Reduced replication traffic
- Control replication traffic over slow links
- Preserve legacy Active Directory

Slide 15: Forest and Domain Functional Levels
2003 interim FFL:
- Linked Value Replication
- Different replication compression ratios
- Improved KCC
2003 FFL:
- Forest Trusts (+ with Selective Authentication)
- Deactivation of attributes within the Schema
- Domain Rename
- RODC (2008 OS only, with schema updates)
2008 DFL:
- Fine-Grained Password Policies
- DFS-R for Sysvol
- Last Interactive logon information

Slide 16: Fine-Grained Password Policies (diagram)
Structure: System container > Password Settings Container > Password Settings Object (PSO). A PSO is linked to Users and Groups through msDS-PSOAppliesTo, with msDS-PSOApplied as the back-link on the user or group; an "Exceptional PSO" can be linked directly to a user.
Attributes:
- msDS-PasswordSettingsPrecedence
- msDS-PasswordReversibleEncryptionEnabled
- msDS-PasswordHistoryLength
- msDS-PasswordComplexityEnabled
- msDS-MinimumPasswordLength
- msDS-MinimumPasswordAge
- msDS-MaximumPasswordAge
- msDS-LockoutThreshold
- msDS-LockoutObservationWindow
- msDS-LockoutDuration
PSO Application:
- Lowest Precedence Value wins; equal precedence is settled by the lowest PSO GUID
- msDS-ResultantPso identifies which PSO applies
- RSOP Calculation: User and Global Group links included
- A PSO linked to the user overrides one linked to a group
- Best to only assign users to 1 PSO Global Group

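As an added example (not from the deck and not Microsoft's implementation), here is a small Python model of the PSO resolution rules on this slide, run against a constructed directory. The DNs, group names and GUIDs are made up, and counting nested global-group membership in the RSOP calculation is an assumption of this model.

```python
from dataclasses import dataclass
from uuid import UUID

@dataclass(frozen=True)
class PSO:
    """Password Settings Object, using the attribute names on the slide."""
    name: str
    object_guid: UUID       # objectGUID: tie-breaker when precedence values are equal
    precedence: int         # msDS-PasswordSettingsPrecedence: lower value wins
    applies_to: frozenset   # msDS-PSOAppliesTo: DNs of users and global groups

def member_of_transitive(dn, group_members):
    """All groups containing dn, following nesting (assumption: nested global
    group membership counts in the RSOP calculation)."""
    found, todo = set(), [dn]
    while todo:
        cur = todo.pop()
        for grp, members in group_members.items():
            if cur in members and grp not in found:
                found.add(grp)
                todo.append(grp)
    return found

def resultant_pso(user_dn, psos, group_members):
    """Model of msDS-ResultantPso: a PSO linked to the user overrides any linked
    through groups; within a tier the lowest precedence value wins and equal
    precedence falls back to the lowest objectGUID. None = Default Domain Policy."""
    def winner(candidates):
        return min(candidates, key=lambda p: (p.precedence, p.object_guid.int))
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        return winner(direct)
    via_group = [p for p in psos if p.applies_to & member_of_transitive(user_dn, group_members)]
    return winner(via_group) if via_group else None

def users_with_multiple_psos(users, psos, group_members):
    """Audit for the slide's advice: users with more than one applicable PSO."""
    result = {}
    for user in users:
        scope = member_of_transitive(user, group_members) | {user}
        names = sorted(p.name for p in psos if p.applies_to & scope)
        if len(names) > 1:
            result[user] = names
    return result

# Constructed sample directory: DNs, groups and GUIDs are made up, not from the deck.
ADMINS = "CN=Domain Admins,CN=Users,DC=contoso,DC=com"
TIER0 = "CN=Tier0,OU=Groups,DC=contoso,DC=com"     # Tier0 nests Domain Admins
SVC = "CN=Service Accounts,OU=Groups,DC=contoso,DC=com"
ALICE = "CN=alice,OU=Users,DC=contoso,DC=com"
BOB = "CN=bob,OU=Users,DC=contoso,DC=com"
DAVE = "CN=dave,OU=Users,DC=contoso,DC=com"
GROUPS = {ADMINS: {ALICE, BOB}, SVC: {BOB}, TIER0: {ADMINS}}
PSOS = [
    PSO("PSO-Admins", UUID(int=2), 10, frozenset({ADMINS})),
    PSO("PSO-Tier0", UUID(int=1), 10, frozenset({TIER0})),          # equal precedence, lower GUID
    PSO("PSO-ServiceAccounts", UUID(int=3), 20, frozenset({SVC})),
    PSO("PSO-AliceException", UUID(int=4), 50, frozenset({ALICE})),  # linked directly to a user
]
```

Calling resultant_pso for alice returns PSO-AliceException despite its higher precedence value (the direct user link wins), bob resolves to PSO-Tier0 by the GUID tie-break, and dave falls back to the Default Domain Policy.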
Slide 17: Assign Domain Names
Assign the NetBIOS Name:
- Maximum effective length of 15 characters
- Use a NetBIOS name that is unique across the organisation
Assign the DNS Name:
- Ensure uniqueness by not duplicating existing registered Internet domain names
- Register all domain names with Internic
- The name should not represent a business unit or division
- Avoid using single-label names

Slide 18: Organisational Units
Choose an OU Design:
- Task 1: Design OU Configuration for Delegation of Administration
- Task 2: Design OU Configuration for Group Policy Application
Other OU (and container) related recommended practices:
- Do not move DCs out of the Domain Controllers OU
- Do not move built-in users and groups from the Users container
- OUs and child objects are now protected from accidental deletion by default in 2008

Slide 19: Contoso Organisational Unit Design (diagram only)

Slide 20: Group Policy Objects
Very powerful, but consider the management of group policies in the design
Best practices:
- Specify user and computer settings in separate GPOs
- Use many small GPOs with few settings each rather than fewer large GPOs with many settings
- Make the GPO name descriptive of its purpose
- Do not unlink the Default Domain and Default Domain Controllers (DDC) policies
Advanced Group Policy Management:
- Change Control Workflow
- V3.0 (2008) increases granular permissions

Slide 21: Advanced Group Policy Management
Versions: 2.5 is the current version; 3.0 RTM (September 2008) is the next version
What it Does:
- Versioning, history & rollback of group policy changes
- Role-based administration & templates
- Workflow
- Offline editing
Benefits:
- Enable group policy change management
- Provides granular administrative control
- Reduce risk of widespread failure

Slide 22: Advanced Group Policy Management - Reporting
- Difference Reports
- Settings reports

Slide 23: Group Policy Preferences (diagram only)

Slide 24: Security Groups
Group Scope:
- Account groups (for grouping users and computers): Global, Universal
- Resource groups (for controlling rights and permissions): Domain Local, Built-in Local
Complex group nesting makes audit and reconciliation more difficult

Slide 25: Domain Controller Placement
Placement of the Domain Controllers:
- Hub Locations
- Satellite (Branch) Locations
- Heavily dictated by network and application requirements
Global Catalog (GC):
- Very few reasons now not to make all DCs a GC
Read-Only Domain Controllers:
- New in Windows Server 2008 (Read-Only AD and no passwords)
- Primarily a security feature to mitigate risk at high-risk sites

Slide 26: RODC Deployment
Consider the following:
- Application needs – Exchange?
- Do applications make write / read-back calls?
- Site topology – BASL (Bridge All Site Links) turned off?
- Password Replication Policy – which model for you?
- Remember: no cached accounts means more WAN / hub DC impact; cache computer and user accounts
Deployment:
- Start with a minimum of 2 x 2008 RW Hub DCs
- Add the 2008 RWDC to NS records (for RSO)
- Delegate deployment – don’t use Domain Admins

Slide 27: Create the Site Design
Option 1: create a logical site for each physical location
- Assign subnets for each physical location to the corresponding site
- Site coverage
Option 2: create a logical site only for physical locations with domain controllers
- Assign subnets for each physical location to the most appropriate site depending on the underlying network

Slide 28: Create a Site Link Design
Site links map to the underlying network: set cost and schedule
Bridge all site links (on by default):
- Appropriate if the network is fully routable (all domain controllers can communicate with all other domain controllers)
- Generally not recommended for Branch Office – KCC overheads
- Use Repadmin /siteoptions to disable!
Custom Site Link Bridges:
- Use when the network is not fully routed, e.g. when network firewalls restrict communications between domain controllers

Slide 29: Contoso Network Infrastructure Revisited (same diagram as slide 8)

Slide 30: Active Directory Replication Topology
- The KCC automatically manages the topology based on the site link design
- Applies to Active Directory and Sysvol replication
- Sysvol uses DFS-R for replicating its contents in new Windows Server 2008 native forests
- Sysvol can be migrated to DFS-R once the DFL is at 2008
- FRS VVJoins are inherently inefficient; DFS-R Sysvol eliminates the inefficiency of FRS VVJoins
- Migration is a simple 4-step process for upgraded forests

Slide 31: Domain Controller Configuration
- 64-bit supports a much larger addressable memory space
- Allow enough memory for the entire Active Directory database to be cached
- Think about 64-bit now; 32-bit will be unavailable in several years’ time
- CPU and query performance
- Disk configuration: keep database and logs on separate physical drives for better performance
- Running RODCs on Hyper-V: never snapshot a DC – even an RODC

Slide 32: DNS
- Critical for Active Directory; AD-integrated DNS recommended
- Consider the Forwarding model: root hints can introduce additional management overhead; forwarding is the recommended approach for AD
- New in Windows Server 2008: storage of Conditional Forwarding settings in Active Directory

Slide 33: What’s Next? Discuss, Rinse, Repeat
- Implement your design
- Test and refine the design along the way

Slide 34: Summary and Conclusion
Organizations should base the design of their Active Directory infrastructure on business and technical requirements. Considerations should include:
- The scope of the network and environment
- Technical requirements and considerations
- Additional business requirements
- Designing an Active Directory infrastructure to meet these requirements
- Validating the overall approach

Slide 35: Questions and Answers
Please enter your questions using the Q&A panel for the presenters!

Slide 36: Thank you for attending this TechNet Event
- Find these slides at: http://www.microsoft.com/uk/technetslides
- Visit our blog at: http://blogs.technet.com/mcstalks
- Register for the next session, Messaging, at: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032386416&Culture=en-GB
Please fill out your evaluations!