8/4/2019 Chap4 Implementing Active Directory
1/32
Chapter 4: Implementing Active Directory
Outline
Planning stage
Design stage
Install AD stage
Plan:
Domain structure
Domain namespace
OU structure
Site structure
Plan a Domain Structure
As the core unit of logical structure in AD, the domain needs to be planned carefully.
The plan must consider the company's:
Logical and physical environment
Administrative requirements
Domain requirements
Domain organization needs
Logical Structure
Understand how your company conducts daily operations to determine the logical structure of your organization.
Consider how the company operates functionally and geographically.
Physical Structure
Determine the technical requirements for implementing Active Directory.
You must consider your company's user and network requirements so you can determine the logical requirements for implementing Active Directory.
To assess user requirements, for each functional and geographical division determine:
The number of employees
The growth rate
Plans for expansion
To assess network requirements, for each geographical division determine:
How network connections are organized
Network connection speed
How network connections are utilized
TCP/IP subnets
Administrative Requirements
Identify the method of network administration used by your company:
Centralized administration. A single administrative team provides network services. Smaller companies with fewer locations or business functions often use this method.
Decentralized administration. A number of administrators or administrative teams provide network services. Teams may be divided by location or business function.
Customized administration. The administration of some resources is centralized and decentralized for others, depending on business needs.
Domain Requirements
The easiest domain structure to administer is a single domain.
Start with a single domain and only add domains when the single domain model no longer meets your needs.
One domain can span multiple sites and contain millions of objects.
A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.
Within each domain, you can model your organization's management hierarchy for delegation of administration using OUs, which act as logical containers for other objects.
You can then assign Group Policy and place users, groups, and computers into the OUs.
There are some reasons to create more than one domain:
Decentralized network administration
Replication control
Different password requirements between organizations
Massive numbers of objects
Different Internet domain names
International requirements
Internal political requirements
Domain Organization Needs
If the organization needs more than one domain, you must organize the domains into a hierarchy that fits the needs of the organization.
Arrange domains into a tree or a forest depending on the company's business needs.
As domains are placed in a tree or forest hierarchy, the two-way transitive trust relationship allows the domains to share resources.
Planning Domain Namespace
You must first choose and register a unique parent DNS name that can be used for hosting your organization on the Internet.
Perform a search to see if the name is already registered to another entity.
Once you have chosen your parent DNS name, you can combine this name with a location or organizational name used within your organization to form other subdomain names.
Example: microsoft.com and denver.microsoft.com
Same internal and external namespace.
Example: microsoft.com can be used both inside and outside the company.
Separate internal and external namespace.
Example: inside the firewall, msn.com; outside the firewall, microsoft.com
Domain Naming Requirements and Guidelines
Select a root domain name that will remain static.
Use simple and unique names.
Use standard DNS characters and Unicode characters.
Limit the number of domain levels: no more than five levels down the hierarchy.
Avoid lengthy domain names.
Domain names can be up to 63 characters, including the periods.
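The naming guidelines above turned into a pre-flight check for a proposed domain name; this is an added example, not code from the slides. It takes the five-level and 63-character limits from the slides, and assumes that every dotted label counts as one level and that only ASCII DNS characters (letters, digits, hyphen) are checked, so Unicode names are outside its scope.

```python
import re
from typing import List

# Figures from the guidelines: at most five levels, at most 63 characters
# including periods. Treating each label as a level and allowing only ASCII
# DNS characters are assumptions of this check.
MAX_LEVELS = 5
MAX_TOTAL_LENGTH = 63
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def check_domain_name(name: str) -> List[str]:
    """Return the guideline violations for a proposed AD domain name.
    An empty list means the name passes every check."""
    problems = []
    if len(name) > MAX_TOTAL_LENGTH:
        problems.append(
            f"too long: {len(name)} chars, max {MAX_TOTAL_LENGTH} including periods"
        )
    labels = name.split(".")
    if len(labels) > MAX_LEVELS:
        problems.append(f"too many levels: {len(labels)}, max {MAX_LEVELS}")
    for label in labels:
        if not label:
            problems.append("empty label: leading, trailing or doubled period")
        elif not LABEL_RE.match(label):
            # hyphen at either end or any other character is not standard DNS
            problems.append(f"non-standard DNS characters in label {label!r}")
    return problems


def is_acceptable(name: str) -> bool:
    """Convenience wrapper: True only when no guideline is violated."""
    return not check_domain_name(name)
```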
Plan an OU Structure
OUs allow you to model your organization in a meaningful and manageable way and to assign an appropriate local authority as administrator at any hierarchical level.
Consider creating an OU if you want to do the following:
Reflect your company's structure and organization within a domain. Without OUs, all users are maintained and displayed in a single list, regardless of a user's department, location, or role.
Delegate administrative control over network resources, but maintain the ability to manage them. You can grant administrative permissions to users or groups of users at the OU level.
Accommodate potential changes in your company's organizational structure. You can reorganize users between OUs easily, whereas reorganizing users between domains generally requires more time and effort.
Group objects to allow administrators to locate similar network resources easily, to simplify security, and to perform administrative tasks. For example, you could group all user accounts for temporary employees into an OU called TempEmployees.
Restrict visibility of network resources in Active Directory. Users can view only the objects for which they have access.
Planning an OU hierarchy:
There are many ways to structure OUs for your company.
It is important to determine what model will be used as a base for the OU hierarchy.
Consider the following models for classifying OUs in the OU hierarchy:
Business function-based OU
Geographical-based OU
Business function and geographical-based OU
Plan a Site Structure
A single domain can include multiple sites, and a single site can include multiple domains or parts of multiple domains.
The way in which you set up your sites affects Windows 2000 in two ways:
Workstation logon and authentication. When a user logs on, Windows 2000 will try to find a DC in the same site as the user's computer to service the user's logon request and subsequent requests for network information.
Directory replication. You can configure the schedule and path for replication of a domain's directory differently for inter-site replication, as opposed to replication within a site. Generally, you should set replication between sites to be less frequent than replication within a site.
Optimizing Workstation Logon Traffic
When planning sites, consider which domain controller(s) the workstations on a given subnet should use.
To have a particular workstation log on only to a specific set of domain controllers, define the sites so that only those domain controllers are in the same subnet as that workstation.
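The site lookup that the two slides above describe, as an added example rather than code from the slides: a constructed table maps subnets to sites and sites to their domain controllers, a workstation address is matched to its site by longest prefix, and the DCs of that site are the ones it should try first. The fallback to every DC when an address matches no defined subnet is an assumption of this model.

```python
import ipaddress
from typing import List, Optional

# Constructed sample site model (not from the slides): the subnets that make
# up each site, and the domain controllers located in each site.
SITE_SUBNETS = {
    "Denver": ["10.1.0.0/16", "10.2.0.0/24"],
    "Seattle": ["10.3.0.0/16"],
}
SITE_DCS = {
    "Denver": ["DEN-DC01", "DEN-DC02"],
    "Seattle": ["SEA-DC01"],
}


def site_for_address(ip: str) -> Optional[str]:
    """Return the site whose subnet contains ip, preferring the most specific
    (longest-prefix) subnet, or None if no defined subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None  # (site, prefix length) of the most specific match so far
    for site, subnets in SITE_SUBNETS.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else None


def candidate_dcs(ip: str) -> List[str]:
    """DCs a workstation at ip should try first: those in its own site.
    An address outside every defined subnet gets the full DC list (assumed
    fallback), which is exactly the cross-site logon traffic site planning
    is meant to avoid."""
    site = site_for_address(ip)
    if site is None:
        return [dc for dcs in SITE_DCS.values() for dc in dcs]
    return list(SITE_DCS[site])
```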
Optimizing Directory Replication
When planning sites, consider where the domain controllers and the network connections between the domain controllers will be located.
Because each domain controller must participate in directory replication with the other domain controllers in its domain, configure sites so that replication occurs at times and intervals that will not interfere with network performance.
Designing a Site Structure
Follow these steps to design a site structure for an organization with multiple physical locations:
Assess the physical environment. Review the information you gathered when determining domain structure, including site locations, network speed, how network connections are organized, network connection speed, how network connections are utilized, and TCP/IP subnets.
Determine the physical locations that form domains. Determine which physical locations are involved in each domain.
Determine which areas of the network should be sites. If the network area requires workstation logon controls or directory replication, the area should be set up as a site.
Identify the physical links connecting sites. Identify the link types, speeds, and utilization that exist so the links can be defined as site link objects. A site link object contains the schedule that determines when replication can occur between the sites that it connects.
For each site link object, determine the cost and schedule. The lowest-cost site link performs replication; determine the priority of each link by setting the cost (default cost is 100; a lower cost gives a higher priority). Replication occurs every 3 hours by default; set the schedule according to your needs.
Provide redundancy by configuring a site link bridge. A site link bridge provides fault tolerance for replication.
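How the cost step above plays out across several site links, as an added example that is not from the slides: a constructed set of site links with costs (100 is the default) is searched for the cheapest chain between two sites, which is the path replication prefers when a direct link is more expensive than a two-hop route. Modelling each site link as a set of member sites that can all reach one another is an assumption of this example.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed sample site links (not from the slides). Each link joins the
# listed sites at the cost the administrator assigned; the default is 100.
SITE_LINKS: Dict[str, dict] = {
    "DEN-SEA": {"sites": ["Denver", "Seattle"], "cost": 100},
    "DEN-CHI": {"sites": ["Denver", "Chicago"], "cost": 300},  # slow WAN link
    "SEA-CHI": {"sites": ["Seattle", "Chicago"], "cost": 100},
    "CHI-NYC": {"sites": ["Chicago", "NewYork"], "cost": 50},
}


def lowest_cost_path(src: str, dst: str, links=SITE_LINKS) -> Tuple[Optional[int], List[str]]:
    """Return (total cost, [site, ...]) for the cheapest chain of site links
    between two sites, or (None, []) when no chain of links connects them.
    Dijkstra's algorithm over the sites, with link cost as edge weight."""
    # adjacency list: every pair of sites on the same link is one edge
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for link in links.values():
        for a in link["sites"]:
            for b in link["sites"]:
                if a != b:
                    adj.setdefault(a, []).append((b, link["cost"]))
    best = {src: (0, [src])}  # site -> (cheapest cost so far, path)
    heap = [(0, src, [src])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best[site][0]:
            continue  # stale heap entry, a cheaper route was found later
        for nxt, c in adj.get(site, []):
            if nxt not in best or cost + c < best[nxt][0]:
                best[nxt] = (cost + c, path + [nxt])
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    return None, []
```

Setting the direct Denver-Chicago link to 300 makes the Seattle route (100 + 100) win, which is the lever the slide describes: cost decides priority, not physical adjacency.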
Installing AD
Domain mode is one of:
Mixed mode
Native mode
Mixed mode
When you first install or upgrade a domain controller to Windows 2000 Server, the domain controller is set to run in mixed mode. Mixed mode allows the domain controller to interact with any domain controllers in the domain that are running previous versions of Windows NT.
Native Mode
When all the domain controllers in the domain run Windows 2000 Server, and you do not plan to add any more pre-Windows 2000 domain controllers to the domain, you can switch the domain from mixed mode to native mode.
During the conversion from mixed mode to native mode:
Support for pre-Windows 2000 replication ceases. Because pre-Windows 2000 replication is gone, you can no longer have any domain controllers in your domain that are not running Windows 2000 Server.
You can no longer add new pre-Windows 2000 domain controllers to the domain.
The server that served as the primary domain controller during migration is no longer the domain master; all domain controllers begin acting as peers.
Operations Masters
An operations master is a domain controller that is responsible for a particular role.
Multimaster replication happens when some changes are replicated across all of the domains in the forest. To avoid replication conflicts, assign a single domain controller as the single master for such changes.
In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest.
Five roles:
Schema master
Domain naming master
Primary domain controller emulator (PDC)
Relative identifier master
Infrastructure master
Forest-wide roles
Schema master: controls all updates to the schema, which contains the master list of object classes and attributes.
Domain naming master: controls the addition or removal of domains in the forest.
There is only one schema master and one domain naming master in the entire forest.
Domain-wide roles
Primary domain controller emulator (PDC)
Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running MS Windows NT within a mixed-mode domain. This type of domain has DCs that run Windows NT 4.0.
The PDC emulator is the first DC that you create in a new domain.
Relative identifier master (RID master)
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (which is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain.
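The domain SID plus RID structure described above, as an added example that is not from the slides: a parser that splits an account SID string into its domain part and relative identifier, a check that two SIDs come from the same domain, and a small model of a per-DC RID pool that runs dry and must ask for a fresh block. The sample SID values are constructed, and the pool model (each DC hands out RIDs from its own allocated block) is an assumption of the example rather than the slides' description.

```python
from typing import Tuple


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID string such as S-1-5-21-1-2-3-1105 (constructed
    value) into (domain SID, RID). Everything up to the last sub-authority
    identifies the issuing domain; the final one is the relative identifier."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not an account SID string: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two security IDs carry the same domain SID, i.e. were
    issued by the same domain (the RID alone says nothing about that)."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


class RidPool:
    """A contiguous block of RIDs one domain controller may hand out.
    Assumed model: the RID master gives each DC its own block so that RIDs
    stay unique across the domain even though DCs create objects on their
    own; when the block is used up the DC has to obtain a new one."""

    def __init__(self, domain_sid: str, start: int, end: int):
        self.domain_sid = domain_sid
        self.next_rid = start
        self.end = end  # inclusive upper bound of this block

    def remaining(self) -> int:
        return max(0, self.end - self.next_rid + 1)

    def new_object_sid(self) -> str:
        """Build the SID for a newly created object from domain SID + next RID."""
        if self.next_rid > self.end:
            raise RuntimeError("RID pool exhausted: request a new block from the RID master")
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        return sid
```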
Infrastructure master
When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain.
The object reference contains the object's globally unique identifier (GUID), distinguished name and SID.
AD periodically updates the distinguished name and SID whenever an object moves within or between domains, and updates the reference when the object is deleted.
Each domain in a forest has its own PDC emulator, RID master and infrastructure master.