Practical Active Directory Design Decisions - PowerPoint PPT Presentation
Provided by: zz992

1
Chapter 4
  • Practical Active Directory Design Decisions

2
Objectives
  • Choose the best domain name system (DNS) name for
    a domain
  • Make Active Directory forest design decisions
  • Understand the roles and describe the
    characteristics of trusts
  • Describe the characteristics of domains
  • Describe the role and characteristics of
    organizational units (OUs)

3
Choosing a DNS Name
  • A DNS name is used extensively throughout the
    domain
  • Changing the domain name can be complicated, time
    consuming, and expensive

4
What Makes a Good DNS Name?
  • Making the name meaningful and scalable
  • Will be used for all child domains in the tree
  • Will be used in the present and the future
  • Two common uses:
      – Define how resources are located within the
        network
      – Define its Internet presence

5
Choosing How DNS Names for Internet and Active
Directory Will Be Related
  • Use the same DNS name for both
  • Use completely different names altogether
  • Delegate a subdomain from your Internet name for
    Active Directory

6
Using the Same DNS Name for Active Directory and
Internet Presence
  • Complicated steps are required to prevent
    confidential data from being available publicly
  • Split DNS gives internal DNS servers complete
    zone data and external servers public records
    only
  • Internal users can access the network from the
    outside using a virtual private network (VPN)
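The internal/external split is easy to get wrong. As an added check that is not part of the slide deck, the following PowerShell script queries an internal and an external resolver for the SRV records Active Directory publishes and flags any that are visible from the Internet. The domain name and resolver addresses are placeholders.

```powershell
# Added example (not from the slide deck): compare what an external resolver
# and an internal resolver return for the Active Directory SRV records of a
# domain that shares its DNS name with the Internet presence.
# 'example.com' and the resolver addresses are placeholders; replace them.
param(
    [string]$Domain         = 'example.com',
    [string]$InternalServer = '10.0.0.10',   # internal DNS server (placeholder)
    [string]$ExternalServer = '1.1.1.1'      # public resolver (placeholder)
)

# SRV records that Active Directory registers and that should exist only in
# the internal view of a split-DNS zone.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)

function Test-SrvVisible {
    param([string]$Name, [string]$Server)
    try {
        $r = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        return [bool]($r | Where-Object { $_.Type -eq 'SRV' })
    } catch {
        return $false   # NXDOMAIN or no answer: the record is not visible there
    }
}

foreach ($name in $srvNames) {
    $inside  = Test-SrvVisible -Name $name -Server $InternalServer
    $outside = Test-SrvVisible -Name $name -Server $ExternalServer
    $status = if ($outside)    { 'LEAKED TO INTERNET' }
              elseif ($inside) { 'internal only (expected)' }
              else             { 'missing internally (check DC registration)' }
    [pscustomobject]@{ Record = $name; Internal = $inside; External = $outside; Status = $status }
}
```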

7
Split DNS
8
Using Completely Different Names for Active
Directory and Internet Presence
  • Management of the Internet names and hosts is
    separate from Active Directory
  • Internal names can be private or registered
    separately
  • Clients can query internal servers using a
    forwarder or recursion to resolve external names

9
Separate DNS Structure
10
Delegating a Subdomain from the Internet Presence for
Active Directory
  • A subdomain is delegated from the existing
    Internet presence name
  • Delegation records point all queries related to
    Active Directory to the correct servers

11
Delegated DNS Subdomain
12
Best Practices for Choosing a DNS Name
  • A delegated subdomain is recommended
  • All domain controllers (DCs) run the DNS Server
    software with the Active Directory zones
    configured as integrated zones
  • Replicate _msdcs zone to all domains as a
    standard secondary zone in non-Windows 2003
    Servers
  • Replicate the forest root zone to all DCs running
    DNS by using an application partition in Windows
    2003 Server
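As an added example that is not part of the slide deck, the PowerShell below creates the forest root and _msdcs zones as AD-integrated zones replicated through the forest-wide application partition (the Windows 2003-and-later approach the slide describes) and then audits every primary zone's scope. It uses the DnsServer module from Windows Server 2012 and later, so the tooling is newer than the slide's; 'ad.example.com' is a placeholder.

```powershell
# Added example (not from the slide deck). Assumes the DnsServer module
# (Windows Server 2012+) and a placeholder forest name.
Import-Module DnsServer

$forestRoot = 'ad.example.com'   # delegated subdomain used for AD (placeholder)

# Forest root zone: AD-integrated, replicated to every DNS-running DC in the
# forest via the ForestDnsZones application partition, secure updates only.
if (-not (Get-DnsServerZone -Name $forestRoot -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $forestRoot -ReplicationScope Forest -DynamicUpdate Secure
}

# _msdcs zone: holds the forest-wide locator (SRV/CNAME) records, so it is
# replicated forest-wide rather than only to the root domain's DCs.
$msdcs = "_msdcs.$forestRoot"
if (-not (Get-DnsServerZone -Name $msdcs -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $msdcs -ReplicationScope Forest -DynamicUpdate Secure
}

# Audit: flag any forward primary zone that is file-backed, has its _msdcs
# data replicated only domain-wide, or still allows nonsecure dynamic updates.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' } |
    ForEach-Object {
        $issues = @()
        if (-not $_.IsDsIntegrated) { $issues += 'not AD-integrated' }
        if ($_.ZoneName -like '_msdcs.*' -and $_.ReplicationScope -ne 'Forest') {
            $issues += "_msdcs replication scope is $($_.ReplicationScope), expected Forest"
        }
        if ($_.DynamicUpdate -ne 'Secure') { $issues += "dynamic update = $($_.DynamicUpdate)" }
        [pscustomobject]@{
            Zone   = $_.ZoneName
            Scope  = $_.ReplicationScope
            Status = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
```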

13
Designing a Forest
  • Design from the top down, from the forest to the
    domains
  • Tackle the most important issues first

14
Characteristics of a Forest
  • Centrally controlled schema
  • Common configuration including infrastructure and
    topology elements
  • Single Global Catalog (GC) to allow for quick
    searches
  • Complete trust relationships

15
How Many Forests?
  • A single forest is often sufficient for one
    organization
  • Multiple forests justified when a high degree of
    separation between entities is necessary:
      – Different schema for different parts of an
        organization
      – Complete separation of administration
      – One part cannot participate in a complete trust
        model
  • New forests require new implementations of Active
    Directory

16
Understanding and Implementing Trust Relationships
  • A security principal in one domain can access a
    resource in another domain without needing
    separate credentials
  • The security principal exists in the trusted
    domain
  • The resource is in the trusting domain

17
Typical Trust Diagram
18
Two-Way, Transitive Trusts
  • Domain A trusts B
  • Domain B trusts A
  • Domain B trusts C
  • A automatically trusts C
  • Trusts established on a domain-to-domain level

19
Two-way, Transitive Trusts Within a Forest
20
Shortcut Trusts
  • Authentications must follow a trust path
  • Shortcut trusts point one domain directly to
    another
  • Increase efficiency
  • Reduce number of possible points of failure
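To make the trust-path idea from the two slides above concrete, here is an added example (not from the slide deck) that models a forest's two-way transitive trusts as a graph, finds the referral path between two domains, and shows how a shortcut trust shortens it. The domain names are placeholders.

```powershell
# Added example (not from the slide deck): trust path before and after a
# shortcut trust. Domain names are placeholders for a two-tree forest.
$trusts = @{
    'corp.example.com'            = @('emea.corp.example.com', 'apac.corp.example.com')
    'emea.corp.example.com'       = @('corp.example.com', 'sales.emea.corp.example.com')
    'sales.emea.corp.example.com' = @('emea.corp.example.com')
    'apac.corp.example.com'       = @('corp.example.com', 'dev.apac.corp.example.com')
    'dev.apac.corp.example.com'   = @('apac.corp.example.com')
}

function Get-TrustPath {
    param([hashtable]$Graph, [string]$From, [string]$To)
    # Breadth-first search: every hop is a domain whose DC must issue a referral
    $queue  = New-Object System.Collections.Queue
    $parent = @{ $From = $null }
    $queue.Enqueue($From)
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        if ($cur -eq $To) { break }
        foreach ($n in $Graph[$cur]) {
            if (-not $parent.ContainsKey($n)) { $parent[$n] = $cur; $queue.Enqueue($n) }
        }
    }
    if (-not $parent.ContainsKey($To)) { return $null }   # no trust path at all
    $path = @(); $cur = $To
    while ($null -ne $cur) { $path = ,$cur + $path; $cur = $parent[$cur] }
    return $path
}

function Add-ShortcutTrust {
    param([hashtable]$Graph, [string]$A, [string]$B)
    # A shortcut trust is two-way, so record both directions
    $Graph[$A] = @($Graph[$A]) + $B
    $Graph[$B] = @($Graph[$B]) + $A
}

$src = 'sales.emea.corp.example.com'; $dst = 'dev.apac.corp.example.com'
$before = Get-TrustPath $trusts $src $dst
"Before: {0} hops via {1}" -f ($before.Count - 1), ($before -join ' -> ')   # 4 hops
Add-ShortcutTrust $trusts $src $dst
$after = Get-TrustPath $trusts $src $dst
"After:  {0} hops via {1}" -f ($after.Count - 1), ($after -join ' -> ')     # 1 hop
```

Each hop on the path is a point where a referral can fail or add latency, which is the efficiency and fault-tolerance argument the shortcut trust slide makes.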

21
Adding Shortcut Trusts
22
Adding Explicit Inter-Forest Trusts
23
Designing Domains
  • Determining the number of needed domains is an
    important part of deployment
  • There are administrative and technical reasons
    for creating more than one domain

24
Functions of a Domain
  • Partition of the forest
  • Replication boundary
  • Authentication
  • Policy-based administration
  • Setting of account policies for user accounts in
    the domain
  • A directory for publishing shared resources
  • An administrative boundary

25
The Forest Root Domain
  • First domain created in the forest
  • Holds the security principals that can manage the
    forest
  • Central point for trust relationships
  • Difficult to rename and delete

26
Is It a Security Boundary?
  • Users authenticated only by their domain
  • Group policy applied at domain level
  • Account policies set at domain level
  • Shares several partitions in the forest
  • Sends information about security principals
    outside of the domain

27
Which Works Better: Single or Multiple Domains?
  • Single domain
      – Easier to delegate authority
      – Requires fewer hardware resources
      – Requires fewer domain administrators
  • Multiple domains
      – Tighter administrative control
      – Decentralized administrative structure
      – Organizational considerations
      – Less replication over slow links

28
Using a Dedicated Forest Root
  • Dedicate forest root domain to infrastructure
    management
  • Allows greatest flexibility for the future
  • Fewer administrators are allowed to make
    forest-wide changes
  • One domain or multiple domains by geography
  • These are best practices recommended by Microsoft

29
Designing OUs
  • Hierarchical structure of objects in a domain
  • Allows for delegation of administration
  • Controls the scope of policy specification

30
Sample OU Configuration
31
Best Practices for Designing OUs
  • Use OUs to organize data, rather than create new
    domains
  • Every OU should serve a purpose
  • Nesting should be no more than 10 levels deep

32
Chapter Summary
  • Carefully choose the best DNS name for Active
    Directory domains and forests
  • Most companies have two different uses for a DNS
    name:
      – Defining a public Internet presence
      – Defining a namespace for Active Directory
  • Most organizations would treat SRV resource
    records as confidential information

33
Chapter Summary (continued)
  • Common choices for DNS names for an Internet
    presence and the Active Directory domain:
      – The same DNS name for both
      – Completely different names
      – A subdomain delegated from your Internet domain

34
Chapter Summary (continued)
  • Using the same DNS name for both Internet
    presence and Active Directory is not recommended
  • Microsoft recommends running DNS services on all
    DCs
  • A forest is an instance of Active Directory

35
Chapter Summary (continued)
  • Trust relationships are automatically created in
    a forest
  • Trusts are transitive and established on a
    one-to-one basis
  • A shortcut trust allows a direct route for
    authentication between domains
  • Explicit trusts can be manually created

36
Chapter Summary (continued)
  • A domain is a partition of a forest
  • A domain is a replication and administrative
    boundary
  • Domains provide authentication and a directory in
    which to publish shared resources
  • The first domain created in a forest is the root
  • Managing a multiple-domain forest is more complex
    and requires more resources than a single-domain
    forest

37
Chapter Summary (continued)
  • Microsoft recommends:
      – Creating a forest root domain dedicated to
        infrastructure functions
      – Using only one domain for all directory objects
      – Using geography, rather than organization
        boundaries, for additional domains
  • OUs are used to group objects within a domain
    into a hierarchical structure
  • OUs can be nested without any practical limit
  • OUs are comparatively easy to restructure
  • A forest cannot be renamed or significantly
    restructured without extensive disruption to the
    network