Designing Active Directory Child Domain
Sainath K.E.V, Directory Services MVP
5/Aug/2015
Overview
The scope of the Active Directory work is confined to installing and configuring a Child domain for an existing AD forest. The Child domain will be used for testing internal applications before go-live.
The solution will be built on a supported operating system that is compatible with the implemented Active Directory forest, which is Windows Server 2012 R2.
Contoso Corp does not currently use a test domain for validating and testing its home-grown applications.
There are three major options:
1. Create a child domain within the existing Active Directory forest
2. Create a separate Active Directory forest
3. Create a separate Active Directory forest in Microsoft Cloud – Azure (Recommended)
The design recommends Option 2 or Option 3, as either provides an isolated environment for testing applications, which allows directory-aware applications to create custom attributes or schema extensions without touching production. Option 3 is a cloud solution managed by Microsoft and allows the solution to be hosted on Azure.
Design Scope
In Scope
1. Create on premise dedicated Active Directory Forest
   a) Domain Controller planning
   b) Client affinity
   c) Sites and Services, Replication configuration
   d) Group Policy, Delegation and Account administration
   e) Application integration, Schema extensions
   f) Backup and Restore, Name resolution configuration.
2. Create on premise Active Directory Child domain
   g) Domain Controller planning
   h) Client affinity
   i) Sites and Services, Replication configuration
   j) Group Policy, Delegation and Account administration
   k) Application integration, Schema extensions
   l) Backup and Restore, Name resolution configuration.
3. Create Active Directory Child domain on Azure
   • Setting up Azure Subscriptions
   • Design and implementation of Azure Network
   • Design and implementation of Azure Storage
   • Design and implementation of Azure Security
   • Configuring Azure Management
   • Server Management
   • High availability and Disaster recovery
   • Domain Controller planning
   • Client affinity
   • Sites and Services, Replication configuration
   • Group Policy, Delegation and Account administration
   • Application integration, Schema extensions
   • Backup and Restore, Name resolution configuration.
Out of Scope
• Storage configuration
• Network configuration
• Backups and AV configuration
• Server build and SOE
• Security and Firewall configuration
Background and Current State
Current State
[Current-state diagram: Contoso Corp datacentre behind an edge firewall and edge router to the Internet, with DMZ and core network segments, firewall/router/switch pairs, appliances, application servers and database servers.]
Current Active Directory infrastructure supports 4,000 users in the Hub / Datacentre site:
• Four Domain Controllers running with Windows Server 2012 R2.
• Domain Functional Level and Forest Functional Level are set to Windows Server 2008 R2.
• There are 3 spoke sites connecting to Hub / Datacentre site with single Read Write domain controller at each site.
• Development, Test and Production directory aware applications use Production Active Directory for testing activities.
• All the Domain Controllers are configured as Virtual machines, staged on Hyper-V environment.
• FSMO roles are spread across the 4 Domain Controllers.
Limitations:
• No dedicated test environment for Development and Testing (UAT) environments.
• Active Directory schema extensions required for testing are performed on production AD.
• Current configuration is not scaled to support different workloads and customizations.
Item | Service                            | Server Roles                                      | Operating System       | No of Servers | Location | Memory | Total Memory
1    | Active Directory Domain Controller | RW DC, client authentication and FSMO role holder | Windows Server 2012 R2 | 4             | Hub Site | 8 GB   | 32 GB
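The current-state figures above are the inputs to the infrastructure assessment each option calls for. The following PowerShell script is an added example, not part of the original design document; it assumes the RSAT ActiveDirectory module and a read-only account in the production forest, and reports the functional levels, FSMO role holders, domain controllers per site, and schema objects created in the last year (the production schema extensions the Limitations section notes).

```powershell
# Added current-state assessment script (not part of the original design document).
# Assumes: RSAT ActiveDirectory module installed, run as an account with read
# access to the production forest. Read-only: nothing is changed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels: the document states both are Windows Server 2008 R2,
# which is what a 2012 R2 child domain or new forest must stay compatible with
[pscustomobject]@{
    Forest     = $forest.Name
    ForestMode = $forest.ForestMode
    DomainMode = $domain.DomainMode
    Domains    = ($forest.Domains -join ', ')
}

# FSMO role holders: the document states they are spread across 4 DCs.
# The Schema Master is the only DC where schema extensions are written.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Domain controllers per site with OS and RODC flag: expect four writable
# 2012 R2 DCs in the hub and one writable DC per spoke site
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, IsReadOnly, IsGlobalCatalog |
    Sort-Object Site, HostName |
    Format-Table -AutoSize

# Schema changes made on production AD: current schema version plus any
# attribute or class objects created in the last 365 days. These are the
# customisations a dedicated test forest would absorb instead.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
$cutoff        = (Get-Date).AddDays(-365)
$recent = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
    -Properties whenCreated |
    Where-Object { $_.whenCreated -gt $cutoff } |
    Select-Object Name, whenCreated

"Schema objectVersion: $schemaVersion; schema objects created since $($cutoff.ToShortDateString()): $($recent.Count)"
$recent | Sort-Object whenCreated | Format-Table -AutoSize
```

Run it against a DC in the hub site before sizing the new domain or forest; the schema-object list is the starting point for the "Application integration, Schema extensions" item in each option.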
Child Domain Creation Solution
Child Domain Creation Solution 1
[Solution 1 diagram: Contoso Corp datacentre hosting the root Active Directory on the Production subnet, with the Child Domain placed on the UAT subnet; DMZ and core network behind the edge firewall and edge router, with firewall/router/switch pairs and appliances; spoke sites 1, 2 and 3 each with a domain controller, file server and application servers 1 and 2, connected through a firewall/router/switch.]
The following AD solution is based on extending the existing AD forest by creating an additional Child Domain for application testing. This solution involves:
• Infrastructure assessment and planning for placing Child Domain
• Domain Controller capacity planning
• Requires new virtual servers running Windows Server 2012 R2 for creating RW DC
• Active Directory OU structure and delegation
• Site and Subnets, AD Replication design
• Group Policy design and implementation
• Backup and Antivirus
• Application integration with Child Domain which involves changing hardcoded AD names in the applications
• Active Directory Trusts configuration
Dependencies and Risks
• This solution operates within a single security boundary (the existing forest), which introduces additional complexity whenever schema changes are needed.
• Schema changes made during testing are forest-wide and add further complexity.
• Clean-up of testing changes will not be seamless.
• The SLA for managing the AD solution must be aligned to existing production standards, which adds risk when performing testing.
• Dedicated hardware is required to stage the solution.
Child Domain Creation Solution 2
The following AD solution is based on creating a separate AD forest for application testing. This solution involves:
• Infrastructure assessment and planning for placing new AD forest
• Forest and Domain Planning
• Domain Controller capacity planning
• Requires new virtual servers running Windows Server 2012 R2 for creating RW DC
• Active Directory OU structure and delegation
• Site and Subnets, AD Replication design
• Group Policy design and implementation
• Backup and Antivirus
• Application integration with new AD Forest which involves changing hardcoded AD names in the applications
• Active Directory Trusts configuration
• High level integration testing of Domain Controllers and Application
Advantages:
• Dedicated AD Forest for testing Applications
• Make changes to AD forest without production impact
Dependencies and Risks
• Will increase Operational cost as it involves separate AD to be managed
• Dedicated hardware required to stage the solution
[Solution 2 diagram: as Solution 1, but a Second AD Forest is placed on the UAT subnet of the Contoso Corp datacentre alongside AD Forest 1 on the Production subnet; spoke sites 1, 2 and 3 (domain controller, file server, application servers 1 and 2 behind a firewall/router/switch) are unchanged.]
Child Domain Creation Solution 3 (Recommended)
The following AD solution is based on creating a separate AD forest in Microsoft Azure for application testing. This solution involves:
• Configuring Azure Subscriptions
• Azure Network security, which involves Vnets/Network zones, Subnets, IP Address Allocation, NSGs, Firewall Rules, EndPoint configuration, VPN and Routing configurations.
• Azure Storage, Portal and Runbook configuration
• Infrastructure assessment and planning for placing new AD forest
• Forest and Domain Planning
• Domain Controller capacity planning
• Requires new virtual servers running Windows Server 2012 R2 for creating RW DC
• Active Directory OU structure and delegation
• Site and Subnets, AD Replication design
• Group Policy design and implementation
• Backup and Antivirus
• Application integration with new AD Forest which involves changing hardcoded AD names in the applications
• Active Directory Trusts configuration
• High level integration testing of Domain Controllers and Application
Advantages:
• Dedicated AD Forest for testing Applications
• Make changes to AD forest without production impact
• Solution is managed by Microsoft which might reduce Operational and Maintenance cost.
[Solution 3 diagram: Contoso Corp datacentre with AD Forest 1 on the Production subnet and spoke sites 1, 2 and 3 as before; the test forest is hosted in Microsoft Azure under Subscription 1, in a VNET with Subnet 1 and Subnet 2 each protected by an NSG and running the virtual machines (labelled Caltex.net.au in the diagram), connected to the datacentre through a firewall.]