WEBCAST SCHEDULE

1
WEBCAST SCHEDULE

• Todays event will run one-hour long. Here are
  the expected times for each segment of the
  webcast
• 00 05 Moderator introduces the speaker and
  discusses the details of the Webcast.
• 05- 25 Speaker delivers a PowerPoint
  presentation on the webcast topic.
• 25- 35 Moderator and speaker engage in a brief
  QA on the topic.
• 35- 60 The speaker responds to questions
  submitted by the audience.
• You can submit questions to the speaker at any
  time during the event. Just click on the Ask a
  Question button in the lower left corner of your
  screen.

2
TECHNICAL FAQs

• Here are answers to the most common technical
  problems users encounter during a webcast 
• Q Why cant I hear the audio part of the
  webcast?
• A Try increasing the volume on your computer.
• Q I just entered the webcast and do not see the
  slide that the speaker is referring to. What
  should I do?
• A The slides are constantly being pushed to
  your screen. You should refresh (hit F5) to view
  the latest slide.
•  
• Q What time zone do the webcasts take place?
• A The TechTarget webcasts all occur on Eastern
  Daylight Saving Time (UTC/GMT - 4 hours). After
  Oct. 27, 2002, the webcasts will occur on Eastern
  Standard Time (UTC/GMT 5 hours).
• If your question is still not answered, please
  click the Ask a Question button in the lower
  left corner of your screen and submit your
  problem. A technical support person will respond
  immediately. You can also visit the Broadcast
  Help page for more information or to test your
  browser compatibility. Click here
  http//help.yahoo.com/help/bcst/
•  

3
Building and managingmultiple-forest Active
Directory implementations

• Howard Marks Chief Scientist
• Networks Are Our Lives, Inc.

4
Whats a forest?
Transitive Trust Relationships
Root
Root
clarabell.com
bozo.com
Child
Child
Child
Props..bozo.com
Child
Seltzer.Props.bozo.com
BigShoes.clarabell.com
RedNose.clarabell.com
Tree 2
Tree 1

• A non-contiguous namespace with a common schema
  and global catalog

5
Microsofts initial AD design rules

• Even the largest organization only needs a single
  Active Directory forest.
• If you need multiple forests, see rule 1.

6
Why multiple forests?

• Mergers and acquisitions
• AD has no forest merge
• Expected divestitures
• AD has no forest split
• Outward-looking domains
• Lack of trust between business units
• someone needs to be
• schema admin
• enterprise admin

7
Multiple forest headaches

• Multiple forest implementations do NOT
• share a common global catalog
• no exchange GAL
• trust each other
• fixed if all your DCs are running .NET Server
  2003
• you can set up old style trusts between domains
  in different forests
• Rule of thumb one forest per CIO

8
The forest owner role

• Service owner
• ultimately responsible for the delivery of
  directory services in the forest
• set policy, process for changes to shared
  configuration, schema
• Gatekeeper for new domains
• domain owners are service owners
• must be carefully managed
• The Enterprise Admin

9
Forest model 1 Strong central control
Division 1
Division 3
Division 2

• All business units share centralized
• DS infrastructure

10
Forest model 2 Hybrid/Subscription
Division 2
Division 3
Division 1

• Business units opt-in/opt-out of
• centralized infrastructure

11
Forest model 3Distributed infrastructure
Division 3
Division 2
Division 1

• Each business unit maintains
• separate DS infrastructure

12
Assign forests
Multiple forests
Multiple forests with MMS
Subscription forest
Long term trend
Single forest
13
Identify candidateforest owners

• What IT groups are chartered to deliver NOS
  directory services?
• Common to find multiple groups
• owners of Master User Domains (MUDs)
• previously deployed forests
• The Anti-Social
• Legal reasons
• Create list of candidate forest owners

14
Forest participation criteria

• Satisfied with terms of service
• schema, config. change control policies
• disaster recovery
• Security considerations
• trust forest owner and all domain owners
• DCs placed in secure locations
• Have clear forest ownership
• attempting to share forest management may present
  organizational challenges
• do not extend forest management across multiple
  outsourcers

15
Inter-forest implications

• No automatic trust
• explicit trust is one-way, non-transitive
• Kerberos not available between forests
• no mutual authentication
• Global catalog has forest scope
• aggregate view across forests requires
  synchronization technology
• Microsoft Metadirectory Services (MMS)
• 3rd parties

16
Forest best practice recommendation

• Single forest deployment
• may require changing business practices
• may encounter resistance in organization
• may be difficult to reach consensus
• Set a deadline for your decision
• no consensus deploy multiple forests

17
Living with multiple forests

• Determine your collaboration needs
• just a common e-mail directory
• use a sync/metadirectory tool
• some access by users from division A to resources
  in division B
• add trusts
• Cant we all just get along?
• either get Sr. Management to force cooperation or
  wait for .NET Server 2003

18
Microsofts tool

• Microsoft Metadirectory Service
• acquired with Zoomit in 1999
• builds metadirectory from many sources not just
  AD
• version 3.0 (real soon now) to use AD as store)
• available from Microsoft Consulting services or
  certified consulting firm
• minimum implementation cost about 30,000

19
SimpleSync

• From CPS-Systems (www.cps-systems.com)
• Less complex, expensive than MMS
• Perfect for building global address list
• Syncs with many e-mail systems, NDS
• Implementation cost 10-30 of MMS

20
Conclusion

• One forest does not fit all.
• Progress to a real directory often more important
  than dogma.
• Planning and tools can make it work.
• Working with someone thats done it before may
  help.

21
Audience QA

• Time for YOU to ask questions!
• Howard is now taking questions from the audience
  on Building and managing multiple forest Active
  Directory implementations. Click the Ask a
  question button in the lower left section of
  your screen to submit a question.

22
Feedback

• Thank you for your participation.
• Did you like this webcast topic? Would you like
  us to host other events similar to this one? Send
  us your feedback on this event and ideas for
  other topics at editor_at_searchWin2000.com.