Planning an Active Directory Deployment by gc5nt4

Planning an Active Directory Deployment
                     Lesson 1
Skills Matrix
Technology Skill                              Objective Domain                            Objective #
Designing an Active Directory Infrastructure  Plan infrastructure services server roles   1.3
Designing a Group Policy Strategy             Plan and implement group policy strategy    2.3
Directory Service
• A directory service is a repository of
  information about the resources —
  hardware, software, and human — that are
  connected to a network.
• Users, computers, and applications
  throughout the network can access the
  repository for a variety of purposes, including
  user authentication, storage of configuration
  data, and even simple white pages–style
  information lookups.
Active Directory
• Active Directory is the directory service that
  Microsoft first introduced in Windows 2000 Server,
  and which they have upgraded in each successive
  server operating system release, including
  Windows Server 2008.
  – Active Directory makes services and resources
    available to users and computers on the network.
  – It provides authentication and authorization.
     •Authentication is the process of verifying a user’s
       identity.
     •Authorization is the process of granting the user
       access only to the resources he or she is permitted
       to use.
     •The two are distinct steps: authentication establishes
       who the user is, and authorization decides what that
       identity may do. A successfully authenticated user
       still receives only the access administrators have
       granted.
Domain
• A domain is a logical container for the network
  components (users, computers, and other resources)
  that you control and administer as a single entity.
• Each domain is hosted by at least one server
  designated as a domain controller.
Active Directory Objects
• An Active Directory domain is a hierarchical
  structure that takes the form of a tree, much like a
  file system.
• The domain consists of objects, each of which
  represents a logical or physical resource.
• There are two basic classes of objects: container
  objects and leaf objects.
   – A container object, including domains, is one that
     can have other objects subordinate to it.
   – A leaf object can represent users, computers,
     groups, applications, and other resources on the
     network.
Active Directory Attributes
• Every object consists of attributes, which store
  information about the object.
• A container object has, as one of its attributes, a
  list of all the other objects it contains.
• Leaf objects have attributes that contain specific
  information about the specific resource the object
  represents.
• Some attributes are created automatically, such as
  the globally unique identifier (GUID) that the
  domain controller assigns to each object when it
  creates it, while administrators must supply
  information for other attributes manually.
Active Directory Attributes
Directory Schema
• Different object types have different sets of
  attributes, depending on their functions.
• The attributes each type of object can possess,
  both required and optional, the type of data that
  can be stored in each attribute, and the object’s
  place in the directory tree are all defined in the
  directory schema.
• In Active Directory, unlike Windows NT domains,
  the directory schema elements are extensible,
  enabling applications to add their own object types
  to the directory, or add attributes to existing object
  types.
• Schema changes apply to the whole forest and are
  effectively permanent: a class or attribute can be
  deactivated but not deleted, so test any schema
  extension in a lab forest before applying it in
  production.
Additional User Attributes for Microsoft Exchange
Organizational Unit (OU)
• A container object that functions in a subordinate
  capacity to a domain, something like a subdomain,
  but without the complete separation of security
  policies.
• As a container object, OUs can contain other OUs,
  as well as leaf objects.
• You can apply separate Group Policy to an OU, and
  delegate the administration of an OU as needed.
• However, an OU is still part of the domain and still
  inherits policies and permissions from its parent
  objects.
Organizational Units
Groups
• Active Directory supports groups with varying
  capabilities, as defined by the group type and the
  group scope.
• There are two group types in Active Directory:
   – Security groups — Administrators use security
     groups to assign permissions and user rights to a
     collection of objects. In the vast majority of cases,
     the term "group" refers to a security group.
   – Distribution groups — Applications use distribution
     groups for non-security–related functions, such as
     sending email messages to a collection of users.
Security Groups
• The security group is the type you use most often
  when designing an Active Directory infrastructure.
• Within the security group type, there are three
  group scopes:
   – Domain local groups — Most often used to assign
     permissions to resources in the same domain.
   – Global groups — Most often used to organize users
     who share similar network access requirements.
   – Universal groups — Most often used to assign
     permissions to related resources in multiple
     domains.
Group Nesting
AGULP
• A traditional mnemonic for remembering the
  nesting capabilities of Active Directory
  groups.
• AGULP stands for:
  –Accounts
  –Global groups
  –Universal groups
  – domain Local groups
  –Permissions
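The AGULP pattern in practice, as an added example that is not part of the original slides. It uses the ActiveDirectory module (Windows Server 2008 R2 and later) and the NTFS ACL cmdlets; the domain (contoso.com), the OU path, the group and user names, and the share folder are assumptions chosen for illustration.

```powershell
# Added example (not from the slides): implementing AGULP with the
# ActiveDirectory module. Domain, OU path, group names, user names and the
# share path are assumptions for illustration.
Import-Module ActiveDirectory

$ouPath    = 'OU=Groups,DC=contoso,DC=com'   # assumed OU for group objects
$sharePath = 'D:\Shares\Finance'             # assumed folder on a member server

# A - Accounts: the users who need the access (assumed sAMAccountNames)
$accounts = 'jdoe', 'asmith'

# G - Global group: organises users by role; membership stays within one domain
New-ADGroup -Name 'Finance Users' -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity 'Finance Users' -Members $accounts

# U - Universal group: only when a role spans several domains of the forest.
#     Membership is stored in the global catalog, so changes replicate forest-wide.
# New-ADGroup -Name 'All Finance Users' -GroupScope Universal -GroupCategory Security -Path $ouPath
# Add-ADGroupMember -Identity 'All Finance Users' -Members 'Finance Users'

# L - Domain local group: represents one permission on one resource, and may
#     contain global and universal groups from any trusted domain
New-ADGroup -Name 'Finance Share - Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity 'Finance Share - Modify' -Members 'Finance Users'

# P - Permissions: the ACL on the resource references only the domain local group,
#     never individual accounts or the global group directly
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'CONTOSO\Finance Share - Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: which accounts actually end up with Modify, resolved through the nesting
Get-ADGroupMember -Identity 'Finance Share - Modify' -Recursive | Select-Object SamAccountName
```

The final check is the one to repeat during access reviews: a permission granted to a domain local group is only as tight as every group nested inside it, and nested membership is where unintended access usually hides.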
Domain Tree
• When designing an Active Directory
  infrastructure, you might, in some cases,
  want to create multiple domains.
• Active Directory scales upward from the
  domain just as easily as it scales downward.
Internal Active Directory Domain Tree
Active Directory Domain Tree using an Internet
Domain Name
Forest
• An Active Directory forest consists of one or
  more separate domain trees, which have the
  same two-way trust relationships between
  them as two domains in the same tree.
• When you create the first domain on an
  Active Directory network, you are in fact
  creating a new forest, and that first domain
  becomes the forest root domain.
• Because every domain in a forest trusts every
  other domain, and the schema and configuration
  data are shared by all of them, the forest, not
  the domain, is the security boundary: an
  administrator of any domain in the forest can
  gain control of the others. Use separate forests
  where genuine isolation is required.
Global Catalog
• Domains function as the hierarchical boundaries
  for the Active Directory database as well.
• A domain controller holds a full copy only of the
  domain partition that defines its own domain and
  that domain's objects (plus the forest-wide schema
  and configuration partitions, which every domain
  controller replicates).
• Active Directory clients still need a way to locate
  and access the resources of other domains in the
  same forest.
• To make this possible, each forest has a global
  catalog, which is a list of all of the objects in the
  forest, along with a subset of each object’s
  attributes (the partial attribute set). Domain
  controllers designated as global catalog servers
  answer global catalog queries on TCP port 3268
  (3269 over SSL), separately from the domain
  partition on port 389.
Functional Levels
• Every Active Directory forest has a functional
  level, as does every domain.
• Functional levels are designed to provide
  backwards compatibility in Active Directory
  installations running domain controllers with
  various versions of the Windows Server
  operating system.
• Raising a functional level unlocks features but
  requires every domain controller in that domain
  (or forest) to run at least that version of Windows
  Server; treat it as a one-way change and plan
  upgrades accordingly.
Domain Controllers
• Each domain on an Active Directory network should
  have at least two domain controllers, to ensure
  that the Active Directory database is available to
  clients at all times, and to provide clients with
  ready access to a nearby domain controller.
• How many domain controllers you install for each
  of your domains, and where you locate them, is an
  important part of designing an Active Directory
  infrastructure.
• Also important is an understanding of how and why
  the domain controllers communicate — with each
  other and with clients.
Lightweight Directory Access Protocol (LDAP)
• The standard communications protocol for
  directory service products, including Active
  Directory.
• LDAP defines the format of the queries that
  Active Directory clients send to domain
  controllers, as well as providing a naming
  structure for uniquely identifying objects in
  the directory.
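The distinction between a domain-partition search and a global catalog search, described above, as an added example that is not part of the original slides. It uses the .NET System.DirectoryServices classes (available on any domain-joined Windows host); the forest name contoso.com, the child domain eu.contoso.com and the user jdoe are assumptions.

```powershell
# Added example (not from the slides): the same LDAP search run against a
# domain partition (port 389) and against the global catalog (port 3268).
# Forest/domain names and the sample account are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function Search-Directory {
    param(
        [Parameter(Mandatory)][string]$Root,      # 'LDAP://<DN>' or 'GC://<DN>'
        [Parameter(Mandatory)][string]$Filter,    # RFC 4515 LDAP filter string
        [string[]]$Attributes = @('distinguishedName')
    )
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $Filter, $Attributes)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000      # paged results, so the server-side size limit is not hit
    $searcher.FindAll() | ForEach-Object {
        $row = [ordered]@{}
        foreach ($a in $Attributes) {
            # A multi-valued attribute is joined; an attribute absent from the
            # global catalog's partial attribute set simply comes back empty.
            $row[$a] = ($_.Properties[$a] | ForEach-Object { $_ }) -join ';'
        }
        [pscustomobject]$row
    }
}

# LDAP naming in the filter: object class and the attribute being matched
$filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))'
$attrs  = 'distinguishedName', 'sAMAccountName', 'userAccountControl'

# 1. Domain partition: every attribute, but only objects of this one domain
Search-Directory -Root 'LDAP://DC=eu,DC=contoso,DC=com' -Filter $filter -Attributes $attrs

# 2. Global catalog rooted at the forest root DN: objects from every domain in
#    the forest, but only the attributes replicated to the global catalog
Search-Directory -Root 'GC://DC=contoso,DC=com' -Filter $filter -Attributes $attrs

# Which domain controllers answer global catalog queries in this forest
Import-Module ActiveDirectory
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | Select-Object HostName, Site
```

The same forest-wide visibility that makes the global catalog useful to clients makes it the first stop for an attacker enumerating the forest from any joined machine; plain LDAP on 389/3268 is also unencrypted, so prefer LDAPS (636/3269) or LDAP signing and sealing for anything beyond a lab.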
Active Directory Replication
• Active Directory uses multiple-master
  replication.
• When a change is made to a domain object
  on any domain controller, that change is
  replicated to all of the other domain
  controllers, and conflicting changes are
  resolved by version and timestamp.
• The exceptions are the five operations master
  (FSMO) roles, such as the schema master and
  the PDC emulator: each is held by a single
  domain controller so that changes which cannot
  tolerate conflicts are made in one place only.
Active Directory Replication
Read-Only Domain Controllers
• One of the new Active Directory features in
  Windows Server 2008 is the ability to create
  a Read-Only Domain Controller (RODC),
  which is a domain controller that supports
  only incoming replication traffic.
• As a result, it is not possible to create,
  modify, or delete Active Directory objects
  using the RODC; write requests it receives are
  referred to a writable domain controller.
• By default an RODC stores no account
  passwords. Its Password Replication Policy
  lists the accounts whose secrets it may cache
  (privileged groups are denied by default), so a
  stolen or compromised branch-office RODC
  exposes only those credentials, and they can be
  reset selectively.
Sites
• To facilitate the replication process, Active
  Directory includes another administrative division
  called the site.
• A site is defined as a collection of subnets that
  have good connectivity between them.
• Good connectivity is understood to be at least T-1
  speed (1.544 megabits per second).
• Generally speaking, this means that a site consists
  of all the local area networks (LANs) at a specific
  location.
• A different site would be a network at a remote
  location, connected to the other site using a T-1 or
  slower WAN technology.
Sites
• A site topology consists of three Active
  Directory object types:
  – Sites — A site object represents the group of
    subnets at a single location, with good
    connectivity.
  – Subnets — A subnet object represents an IP
    network at a particular site.
  – Site links — A site link object represents a
    WAN connection between two sites.
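The three site topology objects just listed, created with the ActiveDirectory module replication cmdlets (Windows Server 2012 and later), as an added example that is not part of the original slides. The site names, subnets, link cost and replication interval are assumptions.

```powershell
# Added example (not from the slides): a two-site topology built from the
# three object types in the text. Site names, subnets and link settings are
# assumptions for illustration.
Import-Module ActiveDirectory

# Sites: one per location whose subnets have good (LAN-speed) connectivity
New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch-Leeds'

# Subnets: each IP network is mapped to the site it belongs to; this mapping is
# what lets a client find a domain controller in its own site
New-ADReplicationSubnet -Name '10.1.0.0/16'  -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch-Leeds'

# Site link: the WAN connection between the two sites. Cost ranks alternative
# paths; the interval is how often changes cross the link (minimum 15 minutes).
New-ADReplicationSiteLink -Name 'HQ-Leeds' -SitesIncluded 'HQ', 'Branch-Leeds' `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Check 1: subnets that are not mapped to any site. Clients on such networks
# cannot be matched to a site, so they may be sent to a distant DC (slow logon)
# and bypass an RODC deliberately placed at the branch.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name, Location

# Check 2: the resulting topology, site by site
Get-ADReplicationSite -Filter * | Select-Object Name, Description
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Keep the subnet table current as networks are added: an unmapped subnet is the most common reason a remote site "has a domain controller" on paper but authenticates against one across the WAN.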
Designing an Active Directory Infrastructure
• The process of designing an Active Directory
  infrastructure consists of the following basic
  phases:
  – Designing the domain name space.
  – Designing the internal domain structure.
  – Designing a site topology.
  – Designing a Group Policy strategy.
Additional Active Directory Domains
• Reasons to create:
  – Isolated replication
  – Unique domain policy
  – Domain upgrades
• Reasons not to create:
  – Size
  – Administration
Designing a Tree Structure
• Includes how you are going to arrange the
  domains to form a tree and deciding how
  you are going to name your domains and
  which domain will be the forest root.
Designing a Tree Structure
• If you plan to create domains corresponding to
  remote sites or organizational divisions, the most
  common practice is to make them all subdomains
  in the same tree, with a single root domain at the
  top.
• The first domain you create in an Active Directory
  forest — the forest root domain — is critical,
  because it has special capabilities.
   – The Schema Admins and Enterprise Admins groups
     exist only in the forest root domain. Members of
     Schema Admins can modify the Active Directory
     schema, and members of Enterprise Admins have
     administrative rights in every domain, so both affect
     all of the domains in the forest. Keep their
     membership empty except when a change is being
     made, and monitor it.
Internal Domain Structure
• Once you create a design for your Active
  Directory domains and the trees and forests
  superior to them, it is time to zoom in on
  each domain and consider the hierarchy you
  want to create inside it.
Organizational Units
• Creating OUs should be based on:
  – Duplicating organization divisions.
  – Assigning Group Policy Settings.
  – Delegating administration.
Group Policies
• Group Policy is one of the most powerful features
  of Active Directory.
• Using Group Policy, you can deploy hundreds of
  configuration settings to large collections of users
  at once.
• To deploy Group Policy settings, you must create
  group policy objects (GPOs) and link them to Active
  Directory domains, organizational units, or sites.
• Every object in the container to which the GPO is
  linked receives the settings you configure in it.
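An OU hierarchy with a GPO linked to it and administration delegated on it, covering both the "Organizational Units" and "Group Policies" passages above, as an added example that is not part of the original slides. It uses the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 and later); the domain, OU names, GPO name, helpdesk group and the delegated right are assumptions.

```powershell
# Added example (not from the slides): OU hierarchy, GPO link with inheritance,
# and delegation of one right on the OU. Domain, OU, GPO and group names are
# assumptions for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=contoso,DC=com'
$salesOU  = "OU=Sales,$domainDN"

# OU hierarchy: a division OU with a subordinate OU for its workstations
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN
New-ADOrganizationalUnit -Name 'Workstations' -Path $salesOU

# One GPO linked at the division OU; the child OU inherits it
$gpo = New-GPO -Name 'Sales Baseline' -Comment 'Baseline settings for the Sales division'
New-GPLink -Name $gpo.DisplayName -Target $salesOU -LinkEnabled Yes

# Delegation: Sales helpdesk staff may reset passwords of users under the Sales
# OU, without being placed in Domain Admins or Account Operators
New-ADGroup -Name 'Sales Helpdesk' -GroupScope Global -GroupCategory Security -Path $salesOU
$sid = (Get-ADGroup -Identity 'Sales Helpdesk').SID

# Well-known schema GUIDs: the "Reset Password" extended right and the user class
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ExtendedRight', 'Allow', $resetPasswordRight, 'Descendents', $userClass)

$acl = Get-Acl -Path "AD:\$salesOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$salesOU" -AclObject $acl

# Check 1: what the child OU receives (inherited links, in application order)
Get-GPInheritance -Target "OU=Workstations,$salesOU" | Select-Object -ExpandProperty InheritedGpoLinks

# Check 2: every non-inherited ACE on the OU, i.e. what has been delegated here
(Get-Acl -Path "AD:\$salesOU").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Delegation is done with ordinary ACEs on directory objects, so the second check is the one to run periodically: a GenericAll or WriteDacl ACE granted to a broad group on a high-level OU is a privilege-escalation path that no Group Policy setting will reveal.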
Deploying Active Directory Domain Services
• Although it does not actually convert the
  computer into a domain controller, installing
  the Active Directory Domain Services role
  prepares the computer for the conversion
  process.
Active Directory Domain Services Role
Active Directory Domain Services Installation Wizard
The Choose a Deployment Configuration Page
The Name the Forest Root Domain Page
The Domain NetBIOS Name Page
The Set Forest Functional Level Page
The Set Domain Functional Level Page
The Additional Domain
Controller Options Page
The Location for Database, Log Files
and SYSVOL Page
The Directory Services Restore
Mode Administrator Password Page
The Summary Page
The Choose a Deployment Configuration Page
The Network Credentials Page
The Name the New Domain Page
The Select a Site Page
The Choose a Deployment Configuration Page
The Select a Domain Page
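The three deployment configurations the wizard pages above walk through (new forest, new child domain, additional or read-only domain controller), as an added example that is not part of the original slides. The slides show the Windows Server 2008 wizard (dcpromo); the example uses the ADDSDeployment cmdlets that replaced it in Windows Server 2012 and later, whose parameters map onto the wizard pages. The domain names, NetBIOS names, paths, site names and account names are assumptions; run only the case that applies to the server being promoted.

```powershell
# Added example (not from the slides): unattended equivalents of the wizard
# pages using the ADDSDeployment module (Server 2012+). Names, paths, sites and
# accounts are assumptions. Run the one case that applies, as an administrator.

# Step 1 (every case): install the role binaries. The server is not a DC yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Directory Services Restore Mode password page: this is a local administrator
# credential on the DC itself, so treat it like any other privileged secret
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Case A: create a new forest. Pages: forest root domain name, NetBIOS name,
# forest and domain functional levels, additional DC options (DNS), locations
# for database, log files and SYSVOL, DSRM password, summary.
Install-ADDSForest `
    -DomainName 'contoso.com' `
    -DomainNetbiosName 'CONTOSO' `
    -ForestMode 'Win2008R2' -DomainMode 'Win2008R2' `
    -InstallDns:$true -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false -Force:$true

# Case B: create a new child domain in an existing forest. Pages: network
# credentials, name of the new domain, site selection.
Install-ADDSDomain `
    -Credential (Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Enterprise Admins credentials') `
    -NewDomainName 'eu' -ParentDomainName 'contoso.com' -DomainType ChildDomain `
    -NewDomainNetbiosName 'EU' -SiteName 'HQ' `
    -InstallDns:$true -SafeModeAdministratorPassword $dsrmPassword -Force:$true

# Case C: add a domain controller to an existing domain, here a read-only one
# for a branch site. Pages: credentials, domain selection, site selection.
# Only the accounts named in the allow list may have passwords cached on it,
# and the delegated group can administer the server without domain rights.
Install-ADDSDomainController `
    -Credential (Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Domain Admins credentials') `
    -DomainName 'contoso.com' -SiteName 'Branch-Leeds' `
    -ReadOnlyReplica:$true `
    -AllowPasswordReplicationAccountName 'CONTOSO\Leeds-Users' `
    -DelegatedAdministratorAccountName 'CONTOSO\Leeds-Server-Admins' `
    -InstallDns:$true -SafeModeAdministratorPassword $dsrmPassword -Force:$true

# Checks after the reboot: functional levels, operations masters, and which
# domain controllers are read-only or global catalog servers
Get-ADForest | Select-Object Name, RootDomain, ForestMode, SchemaMaster
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator, RIDMaster
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog
```

The database, log and SYSVOL locations default to the system drive as shown; on a production DC put the database and logs on a separate volume with restricted NTFS permissions, since ntds.dit holds every password hash in the domain.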
Summary
• A directory service is a repository of
  information about the resources —
  hardware, software, and human — that are
  connected to a network.
• Active Directory is the directory service that
  Microsoft first introduced in Windows 2000
  Server and that they have upgraded in each
  successive server operating system release,
  including Windows Server 2008.
Summary
• Users with accounts in an Active Directory
  domain log on to the domain, not to an
  individual computer or application, and are
  able to access any resources in that domain
  for which administrators have granted them
  the proper permissions.
Summary
• In Active Directory, you can subdivide a domain into
  organizational units and populate it with objects.
   – You can also create multiple domains and group
     them into trees and forests, and map their physical
     network layout with sites.
• An organizational unit (OU) is a container object
  that functions in a subordinate capacity to a
  domain.
   – OUs can contain other OUs, as well as leaf objects.
     You can apply separate Group Policy to an OU and
     delegate the administration of an OU as needed.
Summary
• Like organizational units, groups collect objects,
  but a group holds a list of members rather than
  containing objects in the directory tree, and groups
  are not full-fledged administrative divisions as OUs
  are.
   – You cannot link a GPO to a group object, although
     security filtering on a GPO can restrict which group
     members it applies to.
• When you create your first domain on an Active
  Directory network, you are, in essence, creating the
  root of a domain tree.
   – You can populate the tree with additional domains
     as long as they are part of the same contiguous
     namespace.
Summary
• An Active Directory forest consists of one or
  more separate domain trees, which have the
  same two-way trust relationships between
  them as two domains in the same tree.
• To facilitate the replication process, Active
  Directory includes another administrative
  division called the site.
• A site is defined as a collection of subnets
  that have good connectivity between them.
Summary
• The overall objective in your Active Directory
  design process should be to create as few
  domains as possible.
Summary
• The design of a domain namespace should
  be based on the structure of your
  organization.
• The most common structural paradigms
  used in Active Directory designs are the
  geographic, in which the domain structure is
  representative of the organization’s physical
  locations, and the political, in which the
  structure conforms to the divisions or
  departments within your organization.
Summary
• A critical difference between a domain tree
  hierarchy and the OU hierarchy within a domain is
  inheritance.
• When you assign Group Policy settings to a
  domain, the settings apply to all leaf objects in that
  domain, but not to the subdomains that are
  subordinate to it.
• When you assign Group Policy settings to an OU,
  those settings apply to all leaf objects in the OU,
  and the settings are inherited by any subordinate
  OUs it contains.
Summary
• GPOs can contain Computer settings, which
  are applied as the client computer boots,
  and User settings, which are applied as the
  user logs on to the domain.
• The application of Group Policy settings at
  too many levels can slow down the boot
  and/or logon processes substantially.
Summary
• Part of the internal domain design process
  consists of deciding where you are going to
  deploy GPOs and creating a hierarchy that
  does not apply too many GPOs to individual
  leaf objects.

								
To top