Implementing Active Directory - PowerPoint PPT Presentation

Slides: 64
Provided by: higheredM

1
Implementing Active Directory
  • Planning Active Directory Implementation
  • Installing Active Directory
  • Operations Master Roles
  • Implementing an Organizational Unit Structure

2
Planning Active Directory Implementation
  • Planning a Domain Structure
  • Planning a Domain Namespace
  • Planning an OU Structure
  • Planning a Site Structure

3
Planning a Domain Structure
  • Logical and physical environment structure
  • Administrative requirements
  • Domain requirements
  • Domain organization needs

4
Functional and Geographical Divisions
5
Assessing the Logical Environment
  • Consider how the company conducts daily
    operations to determine the logical structure of
    the organization.
  • Consider how the company operates functionally
    and geographically.

6
Physical Environment
7
Assessing the Physical Environment: Users
  • Number of employees
  • Growth rate
  • Plans for expansion

8
Assessing the Physical Environment: Network
  • Organization of network connections
  • Network connection speed
  • Utilization of network connections
  • TCP/IP subnets

9
Administrative Requirements
  • Centralized administration
    • A single administrative team manages the network,
      users, and security.
    • This method is often used by smaller companies
      with fewer locations or business functions.
  • Decentralized administration
    • A number of administrators or administrative
      teams manage the network, users, and security.
    • Teams are divided by location or business
      function.
  • Customized administration
    • Administration is centralized for some resources
      and decentralized for others.
    • The method of administration is dependent upon
      business needs.

10
Domain Requirements
  • Start with a single domain, which is the easiest
    domain structure to administer.
  • Add domains only when the single domain model no
    longer meets the needs of the company.
  • One domain can span multiple sites and contain
    millions of objects.
  • Site and domain structures are separate and
    flexible: a single domain can span multiple
    geographical sites, and a single site can include
    users and computers belonging to multiple domains.
  • There is no need to create separate domains merely
    to reflect the company's organization of
    divisions and departments.
  • Use OUs to model the organization's management
    hierarchy for delegation of administration.

11
Reasons to Create More Than One Domain
  • Decentralized network administration
  • Replication control
  • Different password or account-lockout policies
    between organizations (in Windows 2000 these
    policies are set once per domain)
  • Massive number of objects
  • Different Internet domain names
  • International requirements
  • Internal political requirements

12
Assessing Domain Organization Needs
  • Organize the domains into a tree or a forest
    hierarchy that fits the organization's needs.
  • All domains in a forest share the same
    configuration, schema, and global catalog.
  • Two-way transitive trust relationships between the
    domains allow them to share resources.
  • Because schema, configuration, and trusts are
    shared forest-wide, the forest, not the domain, is
    the security boundary: organizations that must not
    trust each other's administrators need separate
    forests.
  • DNS name structure is the primary difference
    between domain trees and forests.
  • Set up multiple domains as a single domain tree
    unless the organization operates as a group of
    several entities.
  • Create a forest with multiple trees to combine
    organizations that have unique domain names and
    separate DNS zones.
  • Each tree in the forest has its own unique
    namespace.

13
Planning a Domain Namespace
  • Domains are named with DNS names.
  • Plan the DNS namespace before using DNS on the
    network.
  • Decisions must be made about how DNS is to be
    used and what goals will be accomplished using
    DNS.
  • Has a DNS domain name been previously chosen and
    registered for the Internet?
  • Will the company's internal Active Directory
    namespace be the same as or different from its
    external Internet namespace?
  • What naming requirements and guidelines must be
    followed when choosing DNS domain names?

14
Choosing a DNS Domain Name
  • First choose and register a unique parent DNS
    name that can be used for hosting the
    organization on the Internet.
  • Before deciding on a parent DNS name for the
    organization, perform a search to see if the name
    is already registered to another entity.
  • Internet domain names are registered through
    accredited domain name registrars (when this deck
    was written, Network Solutions, Inc. was the
    principal registrar).
  • Combine the parent DNS name with a location or
    organizational name used within your organization
    to form other subdomain names.

15
Same Internal and External Namespaces
16
Advantages to Using the Same Internal and
External Namespaces
  • Tree name is consistent on both the internal
    private network and the external public Internet.
  • The idea of a single logon name is extended to
    the public Internet, allowing users to use the
    same logon name both internally and externally.

17
Disadvantages to Using the Same Internal and
External Namespaces
  • The result is a more complex proxy configuration.
  • Proxy clients must be configured to know the
    difference between internal and external
    resources.
  • Internal resources must not be published on the
    external public Internet: the internal zone holds
    the domain controllers' SRV and host records, so
    keep separate internal and external zones for the
    same name (split DNS) and never allow zone
    transfers from the internal zone to the
    Internet-facing server.
  • Duplication of effort in managing resources can
    occur.
  • Users will get a different view of internal and
    external resources even though the namespace is
    the same.

18
Separate Internal and External Namespaces
19
Advantages to Using Separate Internal and
External Namespaces
  • Because they are based on different domain names,
    the difference between internal and external
    resources is clear.
  • The environment is more easily managed because no
    overlap or duplication of effort occurs.
  • Configuration of proxy clients is simpler because
    exclusion lists need to contain only a tree name
    when identifying external resources.

20
Disadvantages to Using Separate Internal and
External Namespaces
  • Logon names are different from e-mail names
    (adding the external name as an alternative UPN
    suffix lets users log on with their e-mail name).
  • Both names must be registered with an Internet
    DNS registrar so that nobody else can claim the
    internal one.

21
Microsoft Domain Name Structure
22
Domain Naming Requirements and Guidelines
  • Select a root domain name that will remain
    static; a Windows 2000 domain cannot be renamed.
  • Use simple and precise domain names that are easy
    for users to remember and enable users to search
    intuitively for resources.
  • Use standard DNS characters. Windows 2000 DNS also
    accepts Unicode (UTF-8) characters, but names that
    use them cannot be resolved by DNS servers that
    follow RFC 1035, so avoid them in domain names.
  • Windows 2000 supports the following standard DNS
    characters: A-Z, a-z, 0-9, and the hyphen (-), as
    defined in RFC 1035.
  • Limit the number of domain levels.
  • Use unique names.
  • Avoid lengthy domain names: each label can be up
    to 63 characters, and the total length of the
    fully qualified name, including the periods,
    cannot exceed 255 characters.
  • Domain names are not case-sensitive.
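
The naming rules above, turned into a check that can be run over a list of candidate domain names. This is an added example and not part of the deck; the sample names at the bottom are made up, and the four-level limit is an assumption chosen for illustration, not a Windows limit.

```powershell
# Added example: validate a proposed AD/DNS domain name against the slide's
# guidelines (RFC 1035 characters, 63-character labels, 255-character total,
# no single-label names, keep the hierarchy shallow).
function Test-AdDomainName {
    param([Parameter(Mandatory)][string]$Name)

    $problems = @()
    if ($Name.Length -gt 255) { $problems += "total length $($Name.Length) exceeds 255" }

    $labels = $Name.TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { $problems += "single-label name; Microsoft recommends at least two labels" }

    foreach ($label in $labels) {
        if ($label.Length -eq 0)  { $problems += "empty label (consecutive dots)"; continue }
        if ($label.Length -gt 63) { $problems += "label '$label' exceeds 63 characters" }
        # RFC 1035 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
        # Underscores and Unicode (e.g. umlauts) fail here even though Windows DNS accepts them.
        if ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') {
            $problems += "label '$label' uses characters outside A-Z, a-z, 0-9, '-' or starts/ends with '-'"
        }
    }

    # Assumed house rule, not a Windows limit: more than four levels is "too deep".
    if ($labels.Count -gt 4) { $problems += "$($labels.Count) levels; keep the hierarchy shallow" }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample names for illustration.
@('corp.example.com',
  'sales.corp.example.com',
  'münchen.example.com',          # Unicode label: Windows 2000 DNS accepts it, other DNS servers will not
  'ad_internal.example.com',      # underscore is not an RFC 1035 character
  'eu.sales.corp.example.com',    # five levels
  'example') |                    # single-label name
    ForEach-Object { Test-AdDomainName $_ } | Format-Table -AutoSize
```

Run it from any PowerShell prompt; it needs no domain access. Only the first two sample names come back as Valid.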

23
OU Structure
24
Business FunctionBased OU Structure
25
Geographical-Based OU Structure
26
Business Function and Geographical-Based OU
Structure
27
Planning a Site Structure
  • A site is part of the Active Directory physical
    structure: a combination of one or more IP
    subnets connected by a highly reliable and fast
    network connection.
  • Site structure is concerned with the physical
    environment and is maintained separately from the
    logical environment, the domain structure.
  • A single domain can include multiple sites; a
    single site can include multiple domains or parts
    of multiple domains.
  • The main role of a site is to provide good network
    connectivity.

28
The Manner in which Sites Are Set Up Affects
Windows 2000 in Two Ways
  • Workstation logon and authentication: when a user
    logs on, Windows 2000 will try to find a domain
    controller in the same site as the user's
    computer to service the user's logon request and
    subsequent requests for network information.
  • Directory replication: you can configure the
    schedule and path for replication of a domain's
    directory differently for inter-site replication,
    as opposed to replication within a site.

29
Optimizing Workstation Logon Traffic
  • Consider which domain controller(s) the
    workstations on a given subnet should use.
  • To have the workstations on a subnet log on only
    to a specific set of domain controllers, associate
    that subnet with a site that contains only those
    domain controllers; a client whose subnet is not
    associated with any site is sent to an arbitrary
    domain controller in the domain.
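
How the subnet-to-site association above decides which domain controllers a client prefers, worked through offline. This is an added example, not from the deck: the subnet table, site names and DC names are constructed, and the longest-prefix match is the same rule the domain controller locator applies to a client's IP address.

```powershell
# Added example: map a client IP to a site using the subnet objects an
# administrator defines in AD Sites and Services, then list the DCs the
# client should prefer. Subnets, sites and DC names below are made up.
function ConvertTo-IPv4Integer {
    param([Parameter(Mandatory)][string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()   # network byte order
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-SiteForIP {
    param(
        [Parameter(Mandatory)][string]$ClientIP,
        [Parameter(Mandatory)][hashtable[]]$Subnets   # each: @{ Prefix = 'a.b.c.d/n'; Site = '...' }
    )
    $ip  = ConvertTo-IPv4Integer $ClientIP
    $all = [long][uint32]::MaxValue
    $best = $null
    foreach ($s in $Subnets) {
        $net, $bits = $s.Prefix.Split('/')
        $bits = [int]$bits
        $mask = if ($bits -eq 0) { [long]0 } else { ($all -shl (32 - $bits)) -band $all }
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Integer $net) -band $mask)) {
            # Longest prefix wins, exactly as the DC locator treats overlapping subnets.
            if ($null -eq $best -or $bits -gt $best.Bits) {
                $best = [pscustomobject]@{ Site = $s.Site; Prefix = $s.Prefix; Bits = $bits }
            }
        }
    }
    $best
}

# Constructed site/subnet table: a broad summary subnet plus two more specific ones.
$subnets = @(
    @{ Prefix = '10.0.0.0/8';    Site = 'Default-First-Site' },
    @{ Prefix = '10.20.0.0/16';  Site = 'Boston' },
    @{ Prefix = '10.20.50.0/24'; Site = 'Boston-Lab' }
)
# Constructed DC placement per site.
$dcsBySite = @{
    'Default-First-Site' = @('DC01')
    'Boston'             = @('DC02', 'DC03')
    'Boston-Lab'         = @('DC04')
}

foreach ($client in '10.20.50.17', '10.20.7.9', '10.99.1.1', '192.168.1.5') {
    $site = Get-SiteForIP -ClientIP $client -Subnets $subnets
    if ($site) {
        '{0,-14} -> site {1,-18} (matched {2}); preferred DCs: {3}' -f `
            $client, $site.Site, $site.Prefix, ($dcsBySite[$site.Site] -join ', ')
    } else {
        '{0,-14} -> no subnet object; the locator hands the client any DC in the domain' -f $client
    }
}
```

The last client (192.168.1.5) illustrates the failure mode: a subnet that no site claims sends logons to whichever DC answers first, and the DCs record such clients in the NETLOGON 5807 event so the missing subnet object can be added.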

30
Optimizing Directory Replication
  • Consider where the domain controllers and the
    network connections between the domain
    controllers will be located.
  • Each domain controller must participate in
    directory replication with the other domain
    controllers in its domain.
  • Configure sites so that replication occurs at
    times and intervals that will not interfere with
    network performance.
  • Consider designating a preferred bridgehead server
    in each site, which selects the domain controller
    that sends and receives inter-site replication for
    that site.

31
Designing a Site Structure
  • A simple LAN can be a single site, because
    connections typically are fast.
  • Establish a separate site with its own domain
    controllers when domain controllers are not
    responding fast enough to meet the needs of the
    users.
  • Determining what is fast enough depends on the
    criteria for network performance.
  • Inadequate performance is more common when
    deployments span a wide geographic range.
  • Other inadequacies may be attributed to poor
    network design and implementation.

32
Installing Active Directory
  • The Active Directory Installation Wizard
  • Configuring DNS for Active Directory
  • The Database and Shared System Volume
  • Domain Modes
  • Removing Active Directory Services from a DC
  • Practice Installing Active Directory

33
Active Directory Installation Wizard
  • Run DCPROMO from the command prompt or run
    Configure Your Server on the Administrative Tools
    menu of the Start menu to launch the wizard.
  • The wizard runs on a stand-alone or member server
    and aids in the process of installing Active
    Directory and creating a new domain controller.
  • During the installation process, the choice must
    be made to add the new domain controller to an
    existing domain or create the first domain
    controller for a new domain.

34
Wizard Can Perform the Following Tasks
  • Add a domain controller to an existing domain
  • Create the first domain controller of a new
    domain
  • Create a new child domain
  • Create a new domain tree
  • Install a DNS server
  • Create the database and database log files
  • Create the shared system volume
  • Remove Active Directory services from a domain
    controller

35
Configuring DNS for Active Directory
  • Active Directory uses DNS to find domain
    controllers.
  • A client queries DNS for SRV resource records
    (under _msdcs.<domain name>) that provide the names
    and IP addresses of the LDAP servers, that is, the
    domain controllers, for the domain.
  • LDAP is the protocol used to query and update
    Active Directory.
  • Active Directory cannot operate without DNS: the
    DNS server must support SRV records and dynamic
    updates (otherwise the records that Netlogon
    writes to netlogon.dns must be added by hand).
  • DNS can be installed without Active Directory.
  • The Active Directory Installation Wizard can
    install and configure a Windows 2000 DNS server
    automatically if no suitable DNS server is found.
  • Manual configuration of DNS to support Active
    Directory is not needed unless using a DNS server
    other than Windows 2000 or using a special
    configuration.
  • Manually configure DNS using the DNS console.
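
The SRV lookups a client performs to find domain controllers, reproduced by hand so that DNS registration can be verified after installing a DC. This is an added example and not part of the deck; it assumes a made-up domain corp.example.com and site Boston, the Resolve-DnsName cmdlet (DnsClient module, Windows 8/Server 2012 and later) and network access to the domain's DNS server.

```powershell
# Added example: query the SRV records the DC locator uses. Each query that
# comes back empty is a role no client can find through DNS.
# Domain and site names are assumptions for illustration.
function Get-DcSrvRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Site                      # optional: also check the site-specific record
    )
    $queries = [ordered]@{
        'Any DC (LDAP)'  = "_ldap._tcp.dc._msdcs.$Domain"
        'Kerberos KDC'   = "_kerberos._tcp.dc._msdcs.$Domain"
        'Global catalog' = "_ldap._tcp.gc._msdcs.$Domain"
        'PDC emulator'   = "_ldap._tcp.pdc._msdcs.$Domain"
    }
    if ($Site) {
        $queries["DCs covering site $Site"] = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    }

    foreach ($entry in $queries.GetEnumerator()) {
        try {
            $records = Resolve-DnsName -Name $entry.Value -Type SRV -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            foreach ($r in $records) {
                [pscustomobject]@{
                    Role     = $entry.Key
                    Query    = $entry.Value
                    Target   = $r.NameTarget   # DC host name; clients then resolve its A record
                    Port     = $r.Port
                    Priority = $r.Priority     # lower is preferred
                    Weight   = $r.Weight       # load-balancing among equal priority
                }
            }
        } catch {
            [pscustomobject]@{
                Role = $entry.Key; Query = $entry.Value
                Target = "NOT FOUND: $($_.Exception.Message)"
                Port = $null; Priority = $null; Weight = $null
            }
        }
    }
}

Get-DcSrvRecords -Domain 'corp.example.com' -Site 'Boston' | Format-Table -AutoSize

# Cross-check against the locator itself (Netlogon), which also reports the
# site the client was placed in:
#   nltest /dsgetdc:corp.example.com /site:Boston
```

If the site-specific query returns nothing while the domain-wide one succeeds, the DCs in that site have not registered their site records and clients there will authenticate against DCs elsewhere, which is the logon-traffic problem the site-planning slides describe.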

36
Database and Shared System Volume
  • Installing Active Directory creates the database
    and database log files, as well as the shared
    system volume.
  • Replication of the shared system volume occurs on
    the same schedule as replication of the Active
    Directory.
  • File replication to or from the newly created
    system volume may not be noticed until two
    replication periods have elapsed, typically 10
    minutes.
  • The first file replication period updates the
    configuration of other system volumes so that
    they are aware of the newly created system volume.

37
Database and Database Log Files
  • The database (NTDS.DIT) is the directory for the
    new domain.
  • Default location is systemroot\NTDS.
  • Place the database and log files on separate hard
    disks for performance and recoverability.
  • The database holds the password hashes of every
    account in the domain, so access to the disk, to
    backups, and to any copy of the file must be
    controlled as tightly as the domain controller
    itself.

38
Shared System Volume
  • A folder structure that exists on all Windows
    2000 domain controllers.
  • Stores scripts and some of the group policy
    objects for both the current domain and the
    enterprise.
  • Default location is systemroot\SYSVOL.
  • Must be located on a partition or volume
    formatted with NTFS 5.0.

39
Domain Modes
  • Mixed mode
    • A domain is set to mixed mode when its first
      domain controller is installed or upgraded.
    • Allows the domain controllers to interact with
      any domain controllers in the domain that are
      running previous versions of Windows NT (BDCs).
  • Switch to native mode
    • When all domain controllers in the domain run
      Windows 2000 Server.
    • When no more pre-Windows 2000 domain controllers
      are planned to be added to the domain.
    • The switch is one-way: once a domain is in native
      mode it cannot be returned to mixed mode, and
      Windows NT BDCs can no longer be added.

40
Removing Active Directory Services from a Domain
Controller
  • Remove Active Directory by running DCPROMO from
    the Run dialog box.
  • If the domain controller is the last domain
    controller in the domain, it will become a
    stand-alone server.
  • Removing Active Directory from all domain
    controllers in the domain also deletes the
    directory database for the domain; the domain no
    longer exists.
  • Computers joined to this domain can no longer log
    on to the domain or use domain services.

41
Operations Master Roles
  • Purpose of Operations Master Roles
  • Forest-Wide Operations Master Roles
  • Domain-Wide Operations Master Roles
  • Planning Operations Master Locations
  • Identifying Operations Master Role Assignments
  • Transferring Operations Master Role Assignments
  • Responding to Operations Master Failures

42
Purpose of Operations Master Roles
  • Active Directory supports multimaster replication
    of the Active Directory database between all
    domain controllers in the domain.
  • Some changes are impractical to perform in
    multimaster fashion, so one or more domain
    controllers are assigned to perform operations
    that are single-master operations.
  • Single-master operations are not permitted to
    occur at different places in a network at the
    same time.

43
Forest-Wide Operations Master Roles
  • Schema master
    • Controls all updates and modifications to the
      schema
    • Must be accessed to update the schema of the
      forest
    • Can be only one in the entire forest
  • Domain naming master
    • Controls the addition or removal of domains in
      the forest
    • Can be only one in the entire forest

44
Domain-Wide Operations Master Roles
  • Relative ID master
  • PDC emulator
  • Infrastructure master

45
Relative ID Master Role
  • Allocates sequences of relative IDs to each of
    the various domain controllers in its domain.
  • Only one domain controller acts as the relative
    ID master in each domain in the forest.
  • Whenever a domain controller creates a user,
    group, or computer object, it assigns the object
    a unique security ID (SID).
  • SID consists of a domain SID, plus a relative ID
    that is unique for each SID created within the
    domain.
  • To move an object between domains you must
    initiate the move on the domain controller acting
    as the relative ID master of the domain that
    currently contains the object.
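
The SID structure the slide describes (domain SID plus relative ID) and the RID pool a domain controller receives from the RID master, decoded. This is an added example, not from the deck; it uses the .NET SecurityIdentifier class, and the domain SID, principals and pool value below are constructed for illustration rather than taken from any real domain.

```powershell
# Added example: split SIDs into domain SID + RID, and decode the 64-bit
# rIDAllocationPool value a DC holds (low 32 bits = first RID, high 32 bits
# = last RID). All SIDs and the pool value are constructed.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s   = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    $rid = [int64]($Sid.Split('-')[-1])          # last sub-authority is the RID
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { '(none: not a domain SID)' }
        Rid       = $rid
        # RIDs below 1000 are reserved for built-in principals (500 Administrator,
        # 512 Domain Admins, ...); the RID master allocates pools starting at 1000.
        WellKnown = ($rid -lt 1000)
    }
}

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][int64]$PoolValue)
    $all = [long][uint32]::MaxValue
    [pscustomobject]@{
        Start = $PoolValue -band $all
        End   = ($PoolValue -shr 32) -band $all
    }
}

# Could this DC have minted an object with the given RID? Useful when tracing
# which DC created an account (RID master hands out blocks of 500 by default).
function Test-RidInPool {
    param([Parameter(Mandatory)][int64]$Rid, [Parameter(Mandatory)][int64]$PoolValue)
    $p = ConvertFrom-RidPool $PoolValue
    ($Rid -ge $p.Start) -and ($Rid -le $p.End)
}

# Constructed domain SID and principals.
$domainSid = 'S-1-5-21-1004336348-1177238915-682003330'
"$domainSid-500", "$domainSid-512", "$domainSid-1104", 'S-1-5-18' |
    ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize

# Constructed pool: this DC was handed RIDs 1100..1599 by the RID master.
$pool = ([int64]1599 -shl 32) -bor 1100
ConvertFrom-RidPool $pool
Test-RidInPool -Rid 1104 -PoolValue $pool    # True: within this DC's block
Test-RidInPool -Rid 2500 -PoolValue $pool    # False: came from another DC's block
```

On a live DC the pool value comes from the rIDAllocationPool attribute of the DC's RID Set object (dcdiag /test:ridmanager prints the same numbers); the decoding above is what turns that integer into a range.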

46
Primary Domain Controller (PDC) Emulator Role
  • Acts as a Windows NT PDC, if the domain contains
    computers operating without Windows 2000 client
    software or if it contains BDCs.
  • Processes password changes from clients and
    replicates updates to the BDCs.
  • Receives preferential replication of password
    changes performed by other domain controllers in
    the domain once all systems are upgraded to
    Windows 2000 and the Windows 2000 domain is
    operating in native mode.
  • If a logon authentication fails at another domain
    controller due to a bad password, that domain
    controller will forward the authentication
    request to the PDC emulator before rejecting the
    logon attempt.
  • Only one domain controller acts as the PDC
    emulator in each domain in the forest.

47
Infrastructure Master Role
  • Responsible for updating the group-to-user
    references whenever the members of groups are
    renamed or changed.
  • When renaming or moving a member of a group and
    that member resides in a different domain from
    the group, the group may temporarily appear not
    to contain that member.
  • Responsible for updating the group so that it
    knows the new name or location of the member.
  • Distributes the update via multimaster
    replication.
  • There is no compromise to security during the time
    between the member rename and the group update:
    access checks use the member's SID rather than its
    name, so a stale name in the group neither grants
    nor removes any access.
  • Only one domain controller acts as the
    infrastructure master in each domain.

48
Operations Master Role Default Distribution in a
Forest
49
Relative Identifier Master and PDC Emulator
  • In typical domains, assign both the relative
    identifier master and PDC emulator roles to the
    operations master domain controller.
  • In very large domains, reduce the peak load on
    the PDC emulator by placing these roles on
    separate domain controllers, both of which are
    direct replication partners of the standby
    operations master domain controller.
  • Keep the two roles together unless the load on
    the operations master domain controller justifies
    separating the roles.

50
Infrastructure Master and Global Catalog
  • The infrastructure master role should not be
    assigned to the domain controller that is hosting
    the global catalog unless only one domain
    controller exists in the domain.
  • Assign the infrastructure master role to any
    domain controller that is well connected to a
    global catalog in the same site.
  • If the infrastructure master and global catalog
    are on the same domain controller, the
    infrastructure master will not function.
  • The infrastructure master will never find data
    that is out of date, so it will never replicate
    any changes to the other domain controllers in
    the domain.
  • If all the domain controllers in a domain are
    also hosting the global catalog, they all will
    have the current data, and which domain
    controller holds the infrastructure master role
    does not matter.
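
A check of the placement rule above against a live domain. This is an added example and not part of the deck; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 and later) and an account allowed to read domain controller objects.

```powershell
# Added example: verify that the infrastructure master is not a global catalog,
# unless every DC in the domain is a GC (in which case its location is irrelevant).
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $d   = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $im  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }

    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    $verdict = if ($allGc) {
        'OK: every DC is a GC, so the infrastructure master location does not matter'
    } elseif ($null -eq $im) {
        'CHECK: infrastructure master host name did not match any DC object; role holder may be offline or metadata stale'
    } elseif ($im.IsGlobalCatalog) {
        'PROBLEM: infrastructure master is a GC while other DCs are not; cross-domain group member references will not be updated'
    } else {
        'OK: infrastructure master is not a GC'
    }

    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $d.InfrastructureMaster
        IM_IsGlobalCatalog   = [bool]$im.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        NonGcCandidates      = (($dcs | Where-Object { -not $_.IsGlobalCatalog }).HostName -join ', ')
        Verdict              = $verdict
    }
}

Test-InfrastructureMasterPlacement | Format-List
```

NonGcCandidates lists the DCs the role could be transferred to if the verdict is PROBLEM; pick one in the same site as a GC, as the slide recommends.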

51
Planning the Operations Master Roles for the
Forest
  • After all the domain roles have been planned for
    each domain, consider the forest roles.
  • Schema master and domain naming master roles
    should always be assigned to the same domain
    controller; in Windows 2000, the domain naming
    master must also be a global catalog server.
  • For best performance, assign them to a domain
    controller that is well connected to the
    computers used by the administrator or group
    responsible for schema updates and creation of
    new domains.
  • The load of these operations master roles is very
    light.
  • Place these roles on the operations master domain
    controller of one of the domains in the forest.

52
Planning for Growth
  • Normally, it is not necessary to change the
    locations of the various operations master roles
    as the forest grows.
  • Review the plan and revise the operations master
    role assignments when planning to decommission a
    domain controller, change the global catalog
    status of a domain controller, or reduce the
    connectivity of parts of your network.

53
Responding to Operations Master Failures
  • Schema Master Failure
  • Domain Naming Master Failure
  • Relative ID Master Failure
  • PDC Emulator Failure
  • Infrastructure Master Failure

54
Operations Master Failure Overview
  • Some of the operations master roles are crucial
    to the operation of the network.
  • Others can be unavailable for some time before
    their absence becomes a problem.
  • If an operations master is not available due to
    computer failure or network problems, seize the
    operations master role, also known as forcing a
    transfer.
  • Before forcing the transfer, first determine the
    cause and expected duration of the computer or
    network failure.
  • If the cause is a networking problem or a server
    failure that will be resolved soon, wait for the
    role holder to become available again.
  • Seizing an operations master role is a drastic
    step that should be considered only if the
    current operations master will never be available
    again; after the schema, domain naming, or relative
    ID role has been seized, the original holder must
    not be reconnected to the network unless it is
    reinstalled, because it would still believe it
    owns the role.

55
Schema Master Failure
  • Temporary loss of the schema operations master is
    not visible to network users.
  • If unavailable for an unacceptable length of
    time, seize the role to the standby operations
    master.
  • Seizing this role is a step that should be taken
    only when the failure is permanent.

56
Domain Naming Master Failure
  • Temporary loss of the domain naming master is not
    visible to network users.
  • If unavailable for an unacceptable length of
    time, seize the role to the standby operations
    master.
  • Seizing this role is a step that should be taken
    only when the failure is permanent.

57
Relative ID Master Failure
  • Temporary loss of the relative identifier
    operations master is not visible to network
    users.
  • If unavailable for an unacceptable length of
    time, seize the role to the standby operations
    master.
  • Seizing this role is a step that should be taken
    only when the failure is permanent.

58
PDC Emulator Failure
  • This loss affects network users.
  • You may need to immediately seize the role.
  • Seize the PDC emulator master role to the standby
    operations master if it is unavailable for an
    unacceptable length of time and its domain has
    clients without Windows 2000 client software, or
    if it contains Windows NT BDCs.
  • When the original PDC emulator master is returned
    to service, return the role to the original
    domain controller.

59
Infrastructure Master Failure
  • Temporary loss of the infrastructure operations
    master is not visible to network users.
  • If unavailable for an unacceptable length of
    time, seize the role to a domain controller that
    is not a global catalog but is well connected to
    a global catalog, ideally in the same site as the
    current global catalog.
  • When the original infrastructure master is
    returned to service, transfer the role back to
    the original domain controller.
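
Identifying, transferring and, as a last resort, seizing the operations master roles discussed in the slides above. This is an added example and not part of the deck; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 and later), Enterprise Admins rights for the forest-wide roles, and the made-up names DC01, DC02 and corp.example.com.

```powershell
# Added example: locate the five operations masters, transfer a role gracefully,
# and seize one only after confirming the old holder is gone.
# DC and domain names are assumptions for illustration.
function Get-OperationsMasters {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide
        RIDMaster            = $d.RIDMaster             # domain-wide
        PDCEmulator          = $d.PDCEmulator           # domain-wide
        InfrastructureMaster = $d.InfrastructureMaster  # domain-wide
    }
}

# Graceful transfer: current holder and target must both be online and replicating.
function Move-OperationsMaster {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string[]]$Role
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
}

# Seize: the same cmdlet with -Force rewrites the role owner without the old
# holder's cooperation. Refuse if the old holder still answers, because then a
# transfer is possible and a seizure would leave two DCs claiming the role.
function Invoke-OperationsMasterSeizure {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string[]]$Role,
        [Parameter(Mandatory)][string]$FailedHolder
    )
    if (Test-Connection -ComputerName $FailedHolder -Count 1 -Quiet) {
        throw "$FailedHolder still responds; transfer the role instead of seizing it"
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    # After seizing SchemaMaster, DomainNamingMaster or RIDMaster, the old holder
    # must never rejoin the network without being reinstalled; remove its DC
    # metadata from the directory once the seizure replicates.
}

Get-OperationsMasters -Domain 'corp.example.com' | Format-List

# Planned maintenance on DC01: move the PDC emulator to DC02, later move it back.
#   Move-OperationsMaster -Target 'DC02' -Role PDCEmulator
# DC01 has failed permanently: seize what it held and rebuild it from scratch.
#   Invoke-OperationsMasterSeizure -Target 'DC02' -Role RIDMaster,PDCEmulator -FailedHolder 'DC01'
# Windows 2000-era equivalents:  netdom query fsmo   and   ntdsutil "roles" ...
```

The PDC emulator and infrastructure master may be transferred back to the original DC when it returns, as the slides say; the ping check in the seizure function is a sanity guard, not proof the holder is gone, so confirm the outage by other means before forcing the transfer.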

60
Implementing an OU Structure
  • Creating OUs
  • Setting OU Properties
  • Practice Creating an OU

61
OU Structure Overview
  • Create OUs that mirror the organization's
    functional or business structure.
  • Each domain can implement its own OU hierarchy.
  • If the enterprise contains several domains,
    create OU structures within each domain
    independent of the structures in the other
    domains.
  • Use Active Directory Users and Computers console
    to create OUs.
  • An OU is always created on the first available
    domain controller that is contacted by MMC, and
    then the OU is replicated to all domain
    controllers.

62
OU Properties Dialog Box
63
Setting OU Properties
  • A set of default properties is associated with
    each OU that is created.
  • These properties equate to the object attributes.
  • Use the properties that are defined for an OU to
    search for OUs in the directory.
  • Provide detailed property definitions for each OU
    that is created.
  • The tabs in the OU Properties dialog box contain
    information about each OU.