MCSE-07-Designing_of_an_Active_Directory_Service-02-Theory

ADVANTAGE PRO – Chennai’s Premier Networking Training Centre

Designing an Active Directory Domain

Identifying Business Needs

Before Designing a Domain, You Should:
• Identify Administrative Strategy
• Identify Security Needs
• Plan for Growth and Flexibility

Designing the Initial Active Directory Domain

[Diagram: the first domain created in Active Directory, nwtraders.msft, with two OUs beneath it and four further OUs beneath those]

Planning for Security Groups

• Deciding Which Security Group to Use
• Planning for Nested Groups
• Design Guidelines

Deciding Which Security Group to Use

Universal Group
• Members from any domain in the forest
• Use for access to resources in any domain

Global Group
• Members from own domain only
• Use for access to resources in any domain

Domain Local Group
• Members from any domain in the forest
• Use for access to resources in one domain

Planning for Nested Groups

When Nesting, You Should:
• Minimize Levels of Nesting
• Document Group Membership

[Diagram: a Worldwide Managers group whose members are the Northeast Managers, Southwest Managers and Mid-Atlantic Managers groups]

Planning for OUs

• Planning Upper-Level OU Strategies
• Planning Lower-Level OU Strategies
• Design Guidelines

Planning Upper-Level OU Strategies

[Diagram: OU hierarchy of the root domain nwtraders.msft]
Root Domain: nwtraders.msft
First Level: North America, Asia
Second Level: Mexico, Canada (under North America); Japan, China (under Asia)
Third Level: Sales, HR, Mfg, HR, Sales, HR, IT, HR (two OUs under each second-level OU)

Planning Lower-Level OU Strategies

[Diagram: the same OU hierarchy as on the previous slide (nwtraders.msft; North America and Asia; Mexico, Canada, Japan and China; Sales, HR, Mfg and IT OUs at the third level), here illustrating the lower levels]

Design Guidelines

When Designing the OU Structure:
• Choose Stable Upper-Level OU Names That Are Meaningful to Administrators
• Create Lower-Level OUs to Support Group Policy
• Test the OU Structure and Make Changes Based On Evaluation

Designing a Multiple-Domain Structure

How Kerberos V5 Works

[Diagram: Kerberos authentication across a forest. A client in sales.nwtraders.msft requests access to a server in marketing.contoso.msft; the request is referred along the trust path through the KDCs of sales.nwtraders.msft, nwtraders.msft, the forest root domain contoso.msft and marketing.contoso.msft (steps 1 to 4), and the client presents the resulting session ticket to the server (step 5)]

Shortcut Trusts in Windows 2000

[Diagram: a forest of two trees. Tree One contains the forest root domain, Domain 1 and Domain 2; Tree Two contains its tree root domain, Domain A, Domain B and Domain C. A shortcut trust is drawn from the trusted domain (Domain B) to the trusting domains (Domain 2 and Domain C)]

The Global Catalog

• The Global Catalog and the Logon Process
• Creating a Global Catalog Server

Problem: Logon and GC Dependency

During the logon process the security access token is constructed:
• Security Access Token: User SID, Group SIDs
• Membership details in the logon domain: Builtin, Domain Local, Global
• Membership details in the GC: Universal

A user’s universal group membership changes by:
• Adding the user to a universal group
• Adding a global group of which the user is a member
• Nesting appropriate global and universal groups

Strategies for Using Groups in Trees and Forests

• Universal Groups and Replication
• Nesting Strategy Using Universal Groups

Universal Groups and Replication

All Membership Changes in the Universal Group Are Updated in the Global Catalog . . . And Replicated to All Global Catalog Servers in the Forest

[Diagram: a universal group whose membership changes flow to a global catalog server and on to every other global catalog server in the forest]

Reduce Replication Traffic by Minimizing:
• The use of universal groups, to limit replication to a domain
• The membership in universal groups to other groups rather than user accounts
• Changes to the membership, to reduce the frequency of replication

Nesting Strategy Using Universal Groups

• Add User Accounts into Global Groups (Users → Global Group)
• Nest Global Groups (optional) (Global Group → Global Group)
• Add Global Groups from Each Domain into Universal Groups (Global Group → Universal Group)
• Add Universal Groups into Domain Local Groups in Each Domain (Universal Group → Domain Local Group)
• Assign Permissions to the Domain Local Group in Each Domain (Domain Local Group → Permissions)

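The nesting strategy above (accounts into global groups, global groups into a universal group, the universal group into a domain local group in each domain, permissions on the domain local group), scripted with the ActiveDirectory PowerShell module as an added example; this is not code from the original slides. The domain names are the deck's sample names; the OU paths, group names, user accounts, share path and NetBIOS domain name are assumed placeholders.

```powershell
# Added example (not from the original slides): AGUDLP nesting across the deck's
# sample domains. OU paths, group names, user names, the share path and the
# NetBIOS domain name are placeholders; adjust them for a real forest.
Import-Module ActiveDirectory

$forestRoot   = 'nwtraders.msft'                                  # deck's root domain
$childDomains = @('sales.nwtraders.msft', 'us.nwtraders.msft')    # deck's sample child domains
$users        = @{ 'sales.nwtraders.msft' = 'alice'; 'us.nwtraders.msft' = 'bob' }  # placeholder accounts

# Builds an "OU=Groups,DC=sales,DC=nwtraders,DC=msft" style path (the OU is assumed to exist).
function Get-GroupsOu([string]$Domain) {
    'OU=Groups,' + (($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ',')
}

# 1. Accounts (A) go into a Global group (G) in their own domain.
foreach ($d in $childDomains) {
    New-ADGroup -Name 'Managers' -GroupScope Global -GroupCategory Security -Path (Get-GroupsOu $d) -Server $d
    Add-ADGroupMember -Identity 'Managers' -Members $users[$d] -Server $d
}

# 2. (optional) Nest another global group from the same domain instead of adding more users.
# Add-ADGroupMember -Identity 'Managers' -Members 'Northeast Managers' -Server 'sales.nwtraders.msft'

# 3. The global group from each domain goes into one Universal group (U).
#    Its member list replicates to every global catalog server in the forest,
#    so it holds groups rather than user accounts and should change rarely.
New-ADGroup -Name 'All Managers' -GroupScope Universal -GroupCategory Security -Path (Get-GroupsOu $forestRoot) -Server $forestRoot
foreach ($d in $childDomains) {
    $g = Get-ADGroup -Identity 'Managers' -Server $d          # pass the object, not the name, across domains
    Add-ADGroupMember -Identity 'All Managers' -Members $g -Server $forestRoot
}
$universal = Get-ADGroup -Identity 'All Managers' -Server $forestRoot

# 4. The universal group goes into a Domain Local group (DL) in each domain that
#    hosts resources; a domain local group is usable only in its own domain.
foreach ($d in $childDomains) {
    New-ADGroup -Name 'Reports Readers' -GroupScope DomainLocal -GroupCategory Security -Path (Get-GroupsOu $d) -Server $d
    Add-ADGroupMember -Identity 'Reports Readers' -Members $universal -Server $d
}

# 5. Permissions (P) are granted to the domain local group, never to users directly.
$share = '\\fs01.sales.nwtraders.msft\Reports'                    # placeholder resource in the sales domain
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'SALES\Reports Readers', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl
```

Because the universal group's members are global groups, day-to-day changes (adding a user to Managers) touch only that user's domain and never trigger global catalog replication.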
Identifying Business Needs

• Reasons to Maintain a Single Domain
• Reasons to Create Multiple Domains
• Reasons for a Multiple-Tree Forest
• Reasons for Multiple Forests

Reasons to Maintain a Single Domain

• Ease of Management
• Easier Delegation
• Fewer Members in Domain Admins Group
• Object Capacity Same as Multiple Domain Structure

[Diagram: a single domain subdivided into OUs]

Reasons to Create Multiple Domains

Reasons for Using a Multiple-Domain Tree:
• Distinct domain-level policies
• Tighter administrative control
• Decentralized administration
• Separation and control of affiliate relationships
• Reduced replication traffic

[Diagram: two domains, each subdivided into its own OU hierarchy]

Accessing Resources Between Domains

• Authentication Across a Forest
• Types of Trusts

Planning for Multiple-Domain Trees

• Characteristics of Multiple-Domain Trees
• Creating an Empty Root Domain
• Design Guidelines

Characteristics of Multiple-Domain Trees

[Diagram: a domain tree. Root: nwtraders.msft. Child domains: us.nwtraders.msft and europe.nwtraders.msft. Child of us.nwtraders.msft: sales.us.nwtraders.msft. Transitive trusts exist between all domains]

Creating an Empty Root Domain

[Diagram: root domain nwtraders.msft, in which the Enterprise Admin is the sole user, with child domains usa.nwtraders.msft and europe.nwtraders.msft]

Design Guidelines

Design Needs that May Require a Multiple-Domain Tree:
• Distinct Security Boundaries
• Bandwidth Constraints on WAN Links
• Legal Reasons for Separate Domains
• Distinct Domain-Level Group Policy Settings

Planning for Multiple-Tree Forests

• Characteristics of Multiple-Tree Forests
• Design Guidelines

Characteristics of a Multiple-Tree Forest

[Diagram: one forest holding two trees with a transitive trust relationship created between their roots. Tree 1: root contoso.msft with child domains domain2.contoso.msft and domain3.contoso.msft. Tree 2: root nwtraders.msft with child domain domainA.nwtraders.msft and, beneath it, domainB.domainA.nwtraders.msft]

Design Guidelines

Consider Using a Multiple-Tree Forest When You Need:
• Distinct DNS Names for Public Identities
• Centralized Control Among All Active Directory Trees and Domains

Planning for Multiple Forests

• Characteristics of Multiple Forests
• Design Guidelines

Characteristics of Multiple Forests

[Diagram: two separate forests, one rooted at contoso.msft (child domains domain2.contoso.msft and domain3.contoso.msft) and one rooted at nwtraders.msft (child domain domainA.nwtraders.msft and, beneath it, domainB.domainA.nwtraders.msft). One-way external trusts are established among specified domains only]

Design Guidelines

Design Multiple Forests When:
• You Do Not Want a Common Schema
• You Do Not Want a Global Directory
• You Need Limited Partner or Affiliate Relationships

ALL THE BEST