Hands-On Microsoft® Windows® Server 2003 Active Directory

Chapter 4
Practical Active Directory Design Decisions
• Choose the best domain name system (DNS) name for a domain
• Make Active Directory forest design decisions
• Understand the roles and describe the characteristics of trusts
• Describe the characteristics of domains
• Describe the role and characteristics of organizational units (OUs)
Choosing a DNS Name
• A DNS name is used extensively throughout the domain
• Changing the domain name can be complicated, time consuming, and

What Makes a Good DNS
• Making the name meaningful and scalable
  – Will be used for all child domains in the tree
  – Will be used in the present and the future
• Two common uses
  – Define how resources are located within the
  – Define its Internet presence

Choosing How DNS Names for Internet and Active Directory Will Be Related
• Use the same DNS name for both
• Use completely different names altogether
• Delegate a subdomain from your Internet name for Active Directory

Using the Same DNS Name for Active Directory and Internet
• Complicated steps are required to prevent confidential data from being available publicly
• Split DNS gives internal DNS servers complete zone data and external servers public records
• Internal users can access the network from the outside using a virtual private network (VPN)
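An added example, not from the textbook slides: an audit that reads an externally published zone and flags the Active Directory records a split-DNS design keeps on the internal servers only. The zone text, domain name and addresses are constructed for illustration.

```python
"""Audit an externally published DNS zone for Active Directory records that
a split-DNS design keeps on the internal servers only. Added example with
constructed sample data; the names and addresses are not from the slides."""
import ipaddress

# Constructed external zone in simplified zone-file form: owner  type  data.
# The fictional company uses example.com for both its Internet presence
# and its forest root, so AD records can slip into the public zone.
EXTERNAL_ZONE = """\
www.example.com.                   A    203.0.113.10
example.com.                       MX   10 mail.example.com.
mail.example.com.                  A    203.0.113.25
dc1.example.com.                   A    10.0.0.5
_ldap._tcp.dc._msdcs.example.com.  SRV  0 100 389 dc1.example.com.
_kerberos._tcp.example.com.        SRV  0 100 88 dc1.example.com.
"""

# Service labels that domain controllers register; an Internet-facing
# resolver should never be able to answer for them.
AD_SERVICE_LABELS = ("_ldap", "_kerberos", "_kpasswd", "_gc")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Return (owner, type, data) tuples; blank, short and ';' lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        records.append((parts[0].rstrip("."), parts[1].upper(), " ".join(parts[2:])))
    return records

def is_ad_locator_name(owner):
    labels = owner.lower().split(".")
    return labels[0] in AD_SERVICE_LABELS or "_msdcs" in labels

def is_rfc1918(data):
    try:
        addr = ipaddress.ip_address(data)
    except ValueError:          # SRV/MX data is not an address
        return False
    return any(addr in net for net in RFC1918)

def find_leaks(zone_text):
    """Records that belong in the internal view only: AD locator SRV records
    and A records pointing at private (RFC 1918) addresses."""
    leaks = []
    for owner, rtype, data in parse_zone(zone_text):
        if rtype == "SRV" and is_ad_locator_name(owner):
            leaks.append((owner, rtype, "AD locator SRV record"))
        elif rtype == "A" and is_rfc1918(data):
            leaks.append((owner, rtype, "private address exposed"))
    return leaks
```

Run `find_leaks(EXTERNAL_ZONE)` against an export of the public zone; an empty result is what a correctly split zone looks like.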

Split DNS

Using Completely Different Names for Active Directory and Internet
• Management of the Internet names and hosts is separate from Active Directory
• Internal names can be private or registered separately
• Clients can query internal servers using a forwarder or recursion to resolve external
Separate DNS Structure

Delegating a Subdomain from the Internet Presence
Subdomain for Active Directory
• A subdomain is delegated from the existing Internet presence name
• Delegation records point all queries related to Active Directory to the correct

Delegated DNS Subdomain

Best Practices for Choosing a DNS Name
• A delegated subdomain is recommended
• All domain controllers (DCs) run the DNS Server software with the Active Directory zones configured as integrated zones
• Replicate _msdcs zone to all domains as a standard secondary zone in non-Windows 2003
• Replicate the forest root zone to all DCs running DNS by using an application partition in Windows 2003 Server
Designing a Forest
• Design from the top down, from the forest to the domains
• Tackle the most important issues first

Characteristics of a Forest
• Centrally controlled schema
• Common configuration including infrastructure and topology elements
• Single Global Catalog (GC) to allow for quick searches
• Complete trust relationships

How Many Forests?
• A single forest is often sufficient for one
• Multiple forests justified when a high degree of separation between entities is necessary
  – Different schema for different parts of an organization
  – Complete separation of administration
  – One part cannot participate in a complete trust model
• New forests require new implementations of Active Directory

Understanding and Implementing Trust Relationships
• A security principal in one domain can access a resource in another domain without needing separate credentials
  – The security principal exists in the trusted
  – The resource is in the trusting domain

Typical Trust Diagram

Two-Way, Transitive Trusts
• Domain A trusts B
• Domain B trusts A
• Domain B trusts C
• A automatically trusts C
• Trusts established on a domain-to-domain

Two-way, Transitive Trusts Within a Forest

Shortcut Trusts
• Authentications must follow a trust path
• Shortcut trusts point one domain directly to
  – Increase efficiency
  – Reduce number of possible points of failure
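As an added example (not from the slides), the trust path an authentication referral follows in a constructed five-domain forest of two-way transitive parent-child trusts, and how a single shortcut trust shortens it; the domain names are made up.

```python
"""Trust-path length in a forest of two-way transitive parent-child trusts,
before and after adding a shortcut trust. Added example with constructed
domain names; not from the slides."""
from collections import deque

# Constructed forest: root, two regional child domains, one grandchild each.
FOREST = ["corp.example.com",
          "na.corp.example.com", "eu.corp.example.com",
          "sales.na.corp.example.com", "dev.eu.corp.example.com"]

def forest_trusts(domains):
    """Implicit trusts: each child domain and its parent trust each other
    (two-way, transitive), as Active Directory creates automatically."""
    trusts = {d: set() for d in domains}
    for d in domains:
        parent = d.partition(".")[2]       # strip the leftmost label
        if parent in trusts:
            trusts[d].add(parent)
            trusts[parent].add(d)
    return trusts

def add_shortcut(trusts, a, b):
    """Explicit shortcut trust: a direct two-way link between two domains."""
    trusts[a].add(b)
    trusts[b].add(a)

def trust_path(trusts, user_domain, resource_domain):
    """Shortest chain of domains a referral walks from the trusted domain
    (where the user exists) to the trusting domain (where the resource is)."""
    prev = {user_domain: None}
    queue = deque([user_domain])
    while queue:
        cur = queue.popleft()
        if cur == resource_domain:
            break
        for nxt in sorted(trusts[cur]):    # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if resource_domain not in prev:
        return None                         # no trust path at all
    path, d = [], resource_domain
    while d is not None:
        path.append(d)
        d = prev[d]
    return path[::-1]

def intermediate_domains(path):
    """Domains that must be reachable for the referral to succeed; each is a
    possible point of failure that a shortcut trust removes."""
    return path[1:-1]
```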

Adding Shortcut Trusts

Adding Explicit Inter-Forest Trusts

Designing Domains
• Determining the number of needed domains is an important part of
• There are administrative and technical reasons for creating more than one

Functions of a Domain
• Partition of the forest
  – Replication boundary
• Authentication
• Policy-based administration
• Setting of account policies for user accounts in the domain
• A directory for publishing shared resources
• An administrative boundary

The Forest Root Domain
• First domain created in the forest
• Holds the security principals that can manage the forest
• Central point for trust relationships
• Difficult to rename and delete

Is It a Security Boundary?
• Users authenticated only by their domain
• Group policy applied at domain level
• Account policies set at domain level
• Shares several partitions in the forest
• Sends information about security principals outside of the domain

Which Works Better: Single or Multiple Domains?
• Single domain
  – Easier to delegate authority
  – Requires fewer hardware resources
  – Requires fewer domain administrators
• Multiple domains
  – Tighter administrative control
  – Decentralized administrative structure
  – Organizational considerations
  – Less replication over slow links
Using a Dedicated Forest Root
• Dedicate forest root domain to infrastructure management
  – Allows greatest flexibility for the future
  – Fewer administrators are allowed to make forest-wide changes
• One domain or multiple domains by
• These are best practices recommended by
Designing OUs
• Hierarchical structure of objects in a
• Allows for delegation of administration
• Controls the scope of policy specification

Sample OU Configuration

Best Practices for Designing
• Use OUs to organize data, rather than create new domains
• Every OU should serve a purpose
• Nesting should be no more than 10 levels

Chapter Summary
• Carefully choose the best DNS name for Active Directory domains and forests
• Most companies have two different uses for a DNS name
  – Defining a public Internet presence
  – Defining a namespace for Active Directory
• Most organizations would treat SRV resource records as confidential
Chapter Summary (continued)
• Common choices for choosing DNS names for an Internet presence and the Active Directory domain:
  – The same DNS name for both
  – Completely different names
  – A subdomain delegated from your Internet

Chapter Summary (continued)
• Using the same DNS name for both Internet presence and Active Directory is not recommended
• Microsoft recommends running DNS services on all DCs
• A forest is an “instance” of Active Directory

Chapter Summary (continued)
• Trust relationships are automatically created in a forest
• Trusts are transitive and established on a one-to-one basis
• A shortcut trust allows a direct route for authentication between domains
• Explicit trusts can be manually created

Chapter Summary (continued)
• A domain is a partition of a forest
• A domain is a replication and administrative
• Domains provide authentication and a directory in which to publish shared resources
• The first domain created in a forest is the root
• Managing a multiple-domain forest is more complex and requires more resources than a single-domain forest
Chapter Summary (continued)
• Microsoft recommends:
  – Creating a forest root domain dedicated to infrastructure
  – Using only one domain for all directory objects
  – Using geography, rather than organization boundaries, for additional domains
• OUs are used to group objects within a domain into a hierarchical structure
• OUs can be nested without any practical limit
• OUs are comparatively easy to restructure
• A forest cannot be renamed or significantly restructured without extensive disruption to the network
