Designing the Active Directory Structure

1
Designing the Active Directory Structure
Vikram Thakur
2
Agenda

• Introduction to Active Directory
• FSMO Roles
• Replication
• Active Directory deployment planning
• Guiding principles
• Structure planning
• More information

3
Introduction to Active Directory

• What is it?
• How does it help?
• How is it stored?
• Where is it stored?
• Can its scope be extended?

4
Domain Controller

• These are Logon or Authenticating servers
  with the NTDS Directory
• Under any circumstances there should be at least
  2 of these DCs
• They check for DB Consistency
• They maintain the domain information

5
AD Properties

• It doesnt require the PDC/BDC structure
  anymore.that went away with NT4
• Delegation is possiblemore later
• It provides an LDAP interface to other
  applications
• Multiple Domains can be a part of a single AD
  with Inter Site Trust (Forests)

6
Storage Structure of AD

• Comprises of 2 parts
• Transaction Logs
• Database
• SYSVOL (old NETLOGON)

7
FSMO

• FSMO Flexible Single Master of Operations
• Schema
• PDC
• RID
• Domain Naming
• Infrastructure

8
Global Catalogs (GCs)

• Hold limited form of AD
• Can be modified by using the SCHMGMT.DLL
• Used for location of resources

9
Replication

• AD works in Multi-Master mode by default
• Happens every 5 minutes
• Default Every DC replicates with 2 other DCs
• KCC is part of LSASS (Monitoring that will tell
  you when you need another DC)
• USN (Update Sequence Number)

10
Planning and Deployment
11
Deployment Planning

• Three steps
• Assess your environment
• Create Active Directory structure plan
• Create migration plan

12
Guiding Principles

• Keep it simple
• Aim for the ideal design
• Evaluate several alternatives
• Anticipate change

13
Structure Planning
Forest plan
Domain plan

• Deliverable planning documents

OU plan
14
Forest Planning

• Start with a forest plan

Forest plan
Domain plan
OU plan
Site topology
15
Forest PlanningConcepts
User Principal Name bob_at_domain.com
16
Forest PlanningMethodology

• Start with a single forest
• Create change control policy
• Schema Admins and Enterprise Admins group
  membership
• Multiple forests may be required
• Cannot agree on change control
• Division requires own schema or config
• Complete trust undesirable

17
Forest PlanningInter-forest Considerations

• Users must be aware of structure
• Explicit query to domain outside forest
• Import objects from other forests
• Config, schema managed separately
• One-way, non-transitive trust only

18
Forest PlanningExamples

• Central authority
• Single forest
• Conglomerate, autonomous division
• May require multiple forests
• ISP or hosting scenario
• Multiple forests
• No reason to share schema, config or to have
  complete trust

19
Domain Planning
Forest plan

• Create a domain plan for each forest

Domain plan
OU plan
20
Domain PlanningConcepts

• A domain is a partition of a forest
• Unit of partitioning for replication
• Administrative and policy boundary
• Scope of authority of Domain Admins
• Policy and access control do not flow between
  domains

21
Domain PlanningMethodology
Forest plan
Partition
Domain plan
Select Forest Root
OU plan
Create Hierarchy
DNS Support
22
Domain PlanningPartitioning

• Start with a single domain
• Justify each additional domain
• Example justification
• Administrative partitioning (admin/policy)
• Physical partitioning (replication)
• Upgrade existing domain in-place

23
Domain PlanningObsolete Reasons to Partition

• WinNT 4.0 40,000 object limit
• Active Directory tests 1,500,000
• Primary Domain Controller (PDC) availability
  requirements
• Active Directory is multi-master
• Delegation of administration
• Resource domains no longer needed
• Delegate within a domain using OUs

24
Domain PlanningCreating a Domain Hierarchy
corp.domain.com (forest root)
25
Domain PlanningActual Trust Hierarchy
corp.domain.com (forest root)
hq
na
europe
example.net (tree root)
26
OU Planning
Forest plan
Domain plan

• Create an OU plan for each domain

OU plan
27
OU PlanningConcepts

• An Organizational Unit (OUs) is a container
  inside a domain
• Nested to create hierarchical structure
• Not a security principal
• Easily changed
• Typically not exposed to users
• Depth does not impact performance

28
OU PlanningMethodology
Forest plan
Domain plan
Delegate Administration
OU plan
Apply Group Policy
29
OU PlanningDelegate Administration

• Objects can be permission on a per-attribute
  basis
• Very flexible delegation possible
• Minimize number of Domain Admins
• Example procedure
• Delegate full control
• Delegate full control per-object class
• Delegate control of specific attribute

30
OU PlanningApply Group Policy

• Group policy is used to control desktop
  configurations
• Applied to Users and Computers
• Associated with Sites, Domains, or Organizational
  Units
• Create OUs to apply unique policy
• Filter application of policy using access control

31
Summary

• Deployment planning
• Assess current environment
• Structure planning
• Migration planning
• Start with structure planning
• Forest, domain, OU
• Guiding principles
• Keep it simple
• Anticipate change

32
For More Information

• Read the Windows 2003 Deployment Guide (on the
  Windows 2003 CD)
• Read the Distributed Systems book in the Windows
  2003 Resource Kit
• Watch for whitepapers on the Windows 2003 Server
  home page
• http//www.microsoft.com/windows/server/

33
Scenario Discussion time permitting