Module 2: Designing a Directory Services Infrastructure
Agenda
Introduction to Designing a Directory Services Infrastructure
DNS and Active Directory
Designing a DNS Naming Strategy for Active Directory
Designing an Active Directory Domain
  Designing the Initial Active Directory Domain
  Planning for Security Groups
  Planning for OUs
Designing a Multiple-Domain Structure
  Planning for Multiple-Domain Trees
  Planning for Multiple-Tree Forests
  Planning for Multiple Forests
Managing Operations Master Roles
Conducting an Organizational Analysis
Identifying Organizational Needs
Making Design Choices
Planning Guidelines
Identifying Organizational Needs
Determine the Goals of the Organization
Analyze the Administrative Model
Anticipate Growth and Reorganization
Document the Gathered Information
Making Design Choices
Decision Points
Implications
Risks and Costs
Tradeoffs
Planning Guidelines
Remember Business Needs
Maintain a Clear Vision
Make Solid Tradeoff Decisions
Create a Simple Design
Test the Design
Architectural Elements of Active Directory
Designing a Naming Strategy
Designing an Active Directory Domain
Designing Multiple Domains
Designing a Site Topology
Designing for Delegation of Administrative Authority
Designing for Group Policy
Designing Schema Modifications
Designing a Naming Strategy
Active Directory Uses DNS as Its Naming Service
Internet Presence Is a Determining Factor in Selecting Domain Names
Figure: the Domain Name System (DNS) namespace containing the Active Directory domain nwtraders.msft
Designing an Active Directory Domain
Create OUs to Support Delegation and Group Policy
Create an OU Structure That Reflects the Administrative Model
Carefully Name the First Domain
Figure: the first domain, nwtraders.msft, containing a two-level tree of OUs
Designing Multiple Domains
Domains Are Administered Separately but May Share Resources
Multiple Domains Are More Complex to Manage
Figure: root domain nwtraders.msft with child domains us.nwtraders.msft and europe.nwtraders.msft
Designing a Site Topology
Sites Define the Physical Structure of Active Directory
Use Sites to Control Network Traffic Flow
Figure: the domain nwtraders.msft spanning a Redmond site and a Charlotte site
Designing for Delegation of Administrative Authority
Relieves the Burden of Centralized Management
Separates Administrative Authority from the Rest of the Network
Figure: domains nwtraders.msft, na.nwtraders.msft and asia.nwtraders.msft, with OUs Mfg, research, HR, recruiting and training as delegation points
Designing for Group Policy
Group Policy Objects Apply Configurations to Sites, Domains, and OUs
Group Policy Is Inherited in the Active Directory Hierarchy
Figure: a GPO linked at the site, domain and OU levels, with settings inherited down the hierarchy
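The inheritance the slide describes, as an added example that is not part of the course module: Group Policy is processed site, then domain, then each OU from the top of the hierarchy down, and a setting applied later replaces the same setting applied earlier, so the OU nearest the object normally wins. The example also models the Windows 2000 "No Override" link option (not mentioned on the slide) that pins a higher-level GPO's settings. All GPO names and settings are constructed.

```python
# Added example, not part of the course module: how settings from Group Policy
# objects linked at site, domain and OU level combine for one object (the
# "LSDOU" order). GPOs, names and settings are constructed.
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value
    no_override: bool = False  # "No Override" on the link: lower levels cannot replace its settings


def effective_settings(site, domain, ou_path):
    """Return setting -> (value, name of the GPO that supplied it).

    site and domain are lists of GPOs linked at those levels; ou_path lists the
    GPOs linked at each OU from the top-level OU down to the object's own OU.
    Later levels override earlier ones unless the earlier link is No Override.
    """
    levels = [site, domain, *ou_path]   # processed in this order
    result, locked = {}, set()
    for level in levels:
        for gpo in level:
            for key, value in gpo.settings.items():
                if key in locked:
                    continue               # pinned by a higher-level No Override link
                result[key] = (value, gpo.name)
                if gpo.no_override:
                    locked.add(key)
    return result


def example(no_override=True):
    """Constructed layout: one site GPO, one domain GPO, two nested OUs (North America > Sales)."""
    site = [GPO("Redmond Site Policy", {"proxy": "proxy.redmond.nwtraders.msft"})]
    domain = [GPO("Default Domain Policy",
                  {"screen_lock_minutes": 15, "audit_logon": True},
                  no_override=no_override)]
    ou_path = [
        [GPO("North America Policy", {"screen_lock_minutes": 10, "wallpaper": "corp.bmp"})],
        [GPO("Sales Policy", {"wallpaper": "sales.bmp", "audit_logon": False})],
    ]
    return effective_settings(site, domain, ou_path)


if __name__ == "__main__":
    for key, (value, source) in example().items():
        print(f"{key:20} = {value!s:35} from {source}")
```

With the domain link marked No Override, the Sales OU cannot switch logon auditing off or lengthen the screen-lock timer; without it, the nearest OU's values win for both settings, which is the behaviour to look for when a lower-level OU administrator has been delegated GPO rights.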
Designing Schema Modifications
The Schema Defines Objects and Attributes in Active Directory
Changing the Schema Can Affect the Entire Network
Create a Schema Modification Policy to Manage Changes
Figure: the schema
Introduction to the Role of DNS in Active Directory
Name Resolution
  DNS translates computer names to IP addresses
  Computers use DNS to locate each other on the network
Naming Convention for Windows 2000 Domains
  Windows 2000 uses DNS naming standards for domain names
  DNS domains and Active Directory domains share a common hierarchical naming structure
Locating the Physical Components of Active Directory
  DNS identifies domain controllers by the services they provide
  Computers use DNS to locate domain controllers and global catalog servers
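How "DNS identifies domain controllers by the services they provide" works in practice, as an added example that is not part of the course module: domain controllers register SRV records under the _msdcs subtree of the domain's zone, and clients query those names to find a DC, a global catalog server or a Kerberos KDC. The SRV owner names below are the real ones Active Directory registers; the zone contents (host names, the Redmond site, priorities, weights) are constructed for the example.

```python
# Added example, not part of the course module: a toy domain controller locator
# that resolves the SRV records Active Directory registers in DNS, over a
# constructed in-memory zone for the module's training domain nwtraders.msft.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # relative share among records of the same priority
    port: int
    target: str     # host offering the service


# Constructed zone data; keys are lowercase because DNS names are case-insensitive.
ZONE = {
    # any domain controller in the domain (LDAP, port 389)
    "_ldap._tcp.dc._msdcs.nwtraders.msft": [
        SrvRecord(0, 100, 389, "dc1.nwtraders.msft"),
        SrvRecord(0, 100, 389, "dc2.nwtraders.msft"),
        SrvRecord(10, 100, 389, "dc3.nwtraders.msft"),
    ],
    # domain controllers covering the constructed site "Redmond"
    "_ldap._tcp.redmond._sites.dc._msdcs.nwtraders.msft": [
        SrvRecord(0, 100, 389, "dc1.nwtraders.msft"),
    ],
    # global catalog servers, registered under the forest root name (port 3268)
    "_gc._tcp.nwtraders.msft": [
        SrvRecord(0, 100, 3268, "dc1.nwtraders.msft"),
    ],
    # Kerberos KDCs (port 88)
    "_kerberos._tcp.dc._msdcs.nwtraders.msft": [
        SrvRecord(0, 100, 88, "dc1.nwtraders.msft"),
        SrvRecord(0, 100, 88, "dc2.nwtraders.msft"),
    ],
}


def lookup_srv(name: str) -> list:
    """Return (target, port) pairs for an SRV name, best priority first.

    Real clients choose randomly among equal-priority records in proportion
    to weight; this toy simply orders by priority, then by weight.
    """
    records = ZONE.get(name.lower().rstrip("."), [])
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
    return [(r.target, r.port) for r in ordered]


def locate_dc(domain: str, site: Optional[str] = None) -> list:
    """Find domain controllers, preferring the client's own site when it is known."""
    if site:
        local = lookup_srv(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        if local:
            return local
    # no site-specific record: fall back to any DC in the domain
    return lookup_srv(f"_ldap._tcp.dc._msdcs.{domain}")


def locate_gc(forest_root: str) -> list:
    return lookup_srv(f"_gc._tcp.{forest_root}")


def locate_kdc(domain: str) -> list:
    return lookup_srv(f"_kerberos._tcp.dc._msdcs.{domain}")


def foreign_targets(domain: str) -> list:
    """Defender's check: SRV records whose target lies outside the domain's own
    namespace. Clients send logons to whatever host such a record names, so a
    stray entry is a misconfiguration worth investigating."""
    suffix = "." + domain.lower()
    return [(name, r.target)
            for name, records in ZONE.items() if name.endswith(suffix)
            for r in records if not r.target.lower().endswith(suffix)]


if __name__ == "__main__":
    print("DCs for a Redmond client:", locate_dc("nwtraders.msft", site="Redmond"))
    print("DCs for a client with no site record:", locate_dc("nwtraders.msft", site="Charlotte"))
    print("Global catalog servers:", locate_gc("nwtraders.msft"))
    print("SRV targets outside the domain:", foreign_targets("nwtraders.msft"))
```

The site-specific lookup is what keeps logon traffic local, which is also why the site topology slide earlier in the module matters for DNS; and because every client trusts these records, the integrity of the zone that holds them is part of the domain's security boundary.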
DNS and Active Directory Namespaces
Figure: the DNS namespace from the Internet root "." down through com, microsoft, sales, training and the host computer1, alongside the Active Directory namespace microsoft.com, sales.microsoft.com and training.microsoft.com
Legend: DNS node (domain or computer); Active Directory domain
DNS Host Names and Windows 2000 Computer Names
The DNS host record and the Active Directory object represent the same physical computer
DNS allows computers to locate domain controllers within Active Directory
Figure: the Active Directory domain training.microsoft.com with its Builtin and Computers containers (Computer1, Computer2), next to the DNS tree "." > com > microsoft > sales, training > computer1
FQDN = computer1.training.microsoft.com
Windows 2000 Computer Name = Computer1
Identifying Business Needs
Main Business Needs That Impact a Naming Strategy:
  Intended Scope of Active Directory
  Internet Presence
Distinguishing Between DNS and Active Directory
Figure: the DNS domain contoso.msft and the Active Directory domain of the same name
DNS Servers Store Resource Records
Active Directory Servers Store Domain Objects
Planning Active Directory Domain Names
Determining the Scope of Active Directory
Designing the Naming Hierarchy
Choosing Active Directory Domain Names
Determining the Scope of Active Directory
The DNS Name Should Represent the Entire Organization
  Headquarters
  Branch Locations
  Business Partners
The Active Directory Name Can Be the Internet Name
  Register the Name with ICANN
Designing the Naming Hierarchy
Figure: root domain with DNS name contoso.msft and child domains with DNS names namerica.contoso.msft and europe.contoso.msft
Choosing Active Directory Domain Names
Choose a Root Domain Name Unique to the Internet
Conform to DNS Naming Regulations
Register Your DNS Domain Name
Choose Meaningful, Stable, Scalable Names
Use an Existing DNS Domain Name
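A pre-flight check for a proposed domain name against the rules on this slide, as an added example that is not part of the course module. It enforces DNS label syntax (RFC 1123 host names), total length, the need for a hierarchical rather than single-label name, and, as an offline stand-in for "unique to the Internet", that the name sits under a DNS name the organization has actually registered. The NetBIOS warning is a known Windows limit that the slide does not mention; the names used are constructed, with the module's .msft training suffix.

```python
# Added example, not part of the course module: checks a proposed Active Directory
# DNS domain name against the naming rules on the slide. Inputs are constructed.
import re
from typing import Optional

# RFC 1123 host-name label: letters, digits and hyphens, 1 to 63 characters,
# not beginning or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
NETBIOS_MAX = 15  # known Windows limit for the NetBIOS domain name; not on the slide


def check_domain_name(name: str, registered_roots: Optional[set] = None) -> list:
    """Return the problems found with a proposed domain name (empty list = acceptable).

    registered_roots: DNS names the organization has registered (assumed input).
    When given, the proposed name must be, or sit under, one of them.
    """
    problems = []
    n = name.strip().rstrip(".").lower()      # DNS names are case-insensitive
    if not n:
        return ["empty name"]
    if len(n) > 253:
        problems.append("total length exceeds 253 characters")
    labels = n.split(".")
    if len(labels) < 2:
        problems.append("single-label name; use a hierarchical DNS name such as contoso.msft")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} breaks DNS host-name rules (RFC 1123)")
    if len(labels[0]) > NETBIOS_MAX:
        problems.append(f"first label is longer than {NETBIOS_MAX} characters; "
                        "the default NetBIOS domain name will be truncated")
    if registered_roots is not None:
        roots = {r.lower().rstrip(".") for r in registered_roots}
        if not any(n == r or n.endswith("." + r) for r in roots):
            problems.append("name is not under a DNS name the organization has registered")
    return problems


if __name__ == "__main__":
    owned = {"contoso.msft"}   # constructed: the registered Internet name
    for candidate in ("contoso.msft", "ad.contoso.msft", "contoso", "-sales.contoso.msft", "contoso.local"):
        print(f"{candidate:22} -> {check_domain_name(candidate, owned) or 'OK'}")
```

Running the check against an unregistered internal name makes the slide's point concrete: a name nobody has registered is not guaranteed to stay unique, and the later DNS naming strategy slides exist precisely to reconcile the internal name with the public one.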
Designing a DNS Naming Strategy for Active Directory
Making Initial Naming Decisions
Using a Delegated Subdomain Name for the Internal Network
Using a Single DNS Name for Public and Private Networks
Using a Different DNS Name for Public and Private Networks
Design Guidelines
Making Initial Naming Decisions
Registering the DNS Root Name
Designing with an Existing DNS Implementation
Determining Internal and External Naming Strategies
Meeting the Requirements of the DNS Design
Assuring Client Name Resolution
Using a Delegated Subdomain Name for the Internal Network
Figure: Zone 1 (contoso.msft) outside the firewall and Zone 2 (ad.contoso.msft) inside it
Create a New DNS Zone in the New Domain
Configure the Authoritative DNS Server in the Existing DNS Domain to Delegate to the New Domain
Create the Active Directory Forest Root in the New Domain
Using a Single DNS Domain Name for Public and Private Networks
Figure: on the private internal network, a zone for contoso.msft with internal servers; across the firewall on the public Internet, a zone for contoso.msft without internal servers
Using a Different DNS Name for Public and Private Networks
Figure: on the public Internet, a zone for contoso.msft without internal servers; across the firewall on the private internal network, a zone for contosoltd.msft
Design Guidelines
Naming Strategies Include:
  Delegated Subdomain for the Internal Network
  Single DNS Name for Public and Private Networks
  Different DNS Name for Public and Private Networks
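The three strategies from the preceding slides modelled side by side, as an added example that is not part of the course module. Each strategy is expressed as two DNS "views": what an internal client can resolve and what the public Internet can resolve. The check at the end asks the question a defender cares about for all three: does any internal-only record (domain controllers, the _msdcs service records) leak into the public view? The zone contents, host names and addresses are constructed; contoso.msft, ad.contoso.msft and contosoltd.msft are the names the slides use.

```python
# Added example, not part of the course module: the delegated-subdomain,
# single-name (split) and different-name strategies as internal/public DNS
# views. Records, hosts and addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Zone:
    origin: str
    records: dict                                    # owner name -> (type, value)
    delegations: dict = field(default_factory=dict)  # child zone -> its name server


def resolve(view: list, name: str) -> Optional[tuple]:
    """Answer a query from the zones in a view (longest matching zone wins).
    A name under a delegated child zone gets a referral (NS), not an answer."""
    q = name.lower().rstrip(".")
    for zone in sorted(view, key=lambda z: -len(z.origin)):
        if q == zone.origin or q.endswith("." + zone.origin):
            for child, ns in zone.delegations.items():
                if q == child or q.endswith("." + child):
                    return ("NS", ns)
            return zone.records.get(q)
    return None


# Constructed public records that must be reachable from the Internet.
PUBLIC = {"www.contoso.msft": ("A", "203.0.113.10"),
          "mail.contoso.msft": ("A", "203.0.113.20")}


def internal_records(ad_name: str) -> dict:
    """Constructed records that exist only for the internal network, under the AD domain name."""
    return {f"dc1.{ad_name}": ("A", "10.0.0.5"),
            f"_ldap._tcp.dc._msdcs.{ad_name}": ("SRV", f"dc1.{ad_name}")}


def single_name():
    """Same name inside and outside: two copies of contoso.msft, the internal one
    carrying the extra records. Public names must be maintained in both copies."""
    internal = [Zone("contoso.msft", {**PUBLIC, **internal_records("contoso.msft")})]
    public = [Zone("contoso.msft", dict(PUBLIC))]
    return internal, public


def delegated_subdomain():
    """Public contoso.msft delegates ad.contoso.msft to an internal server."""
    public = [Zone("contoso.msft", dict(PUBLIC),
                   delegations={"ad.contoso.msft": "dc1.ad.contoso.msft"})]
    internal = [Zone("ad.contoso.msft", internal_records("ad.contoso.msft"))] + public
    return internal, public


def different_name():
    """Unrelated internal name contosoltd.msft; the public zone is untouched."""
    public = [Zone("contoso.msft", dict(PUBLIC))]
    internal = [Zone("contosoltd.msft", internal_records("contosoltd.msft"))] + public
    return internal, public


def exposed_internal_names(internal: list, public: list) -> list:
    """Defender's check: internal-only owner names that the public view answers
    with real data. A referral to an internal name server does not count, since
    the firewall in the slide's figure decides whether that server is reachable."""
    leaked = []
    for zone in internal:
        for owner in zone.records:
            if owner in PUBLIC:
                continue
            answer = resolve(public, owner)
            if answer is not None and answer[0] != "NS":
                leaked.append(owner)
    return leaked


if __name__ == "__main__":
    for strategy in (single_name, delegated_subdomain, different_name):
        internal, public = strategy()
        print(f"{strategy.__name__:20} exposed: {exposed_internal_names(internal, public)}")
```

The single-name strategy passes the leak check only as long as the two copies of contoso.msft are kept apart; the delegated and different-name strategies pass by construction, which is the operational reason the later two need no duplicate maintenance of the public records.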
Identifying Business Needs
Before Designing a Domain, You Should:
  Identify the Administrative Strategy
  Identify Security Needs
  Plan for Growth and Flexibility
Designing the Initial Active Directory Domain
Figure: the first domain, nwtraders.msft, in Active Directory with a two-level tree of OUs
Planning for Security Groups
Deciding Which Security Group to Use
Planning for Nested Groups
Design Guidelines
Deciding Which Security Group to Use
Domain Local Group: members from any domain in the forest; use for access to resources in one domain
Global Group: members from own domain only; use for access to resources in any domain
Universal Group: members from any domain in the forest; use for access to resources in any domain
Planning for Nested Groups
When Nesting, You Should:
  Minimize Levels of Nesting
  Document Group Membership
Figure: a Worldwide Managers group containing the Northeast Managers, Mid-Atlantic Managers and Southwest Managers groups
Design Guidelines
Add Users to Global Groups
Add Global Groups to Domain Local Groups
Assign Permissions to Domain Local Groups
Figure: global groups (Payroll Clerks, HR Clerks, HR Managers, HR Admins) nested into domain local groups (Human Resources, Benefits), which are assigned the Change and Full Control permissions
Planning for OUs
Planning Upper-Level OU Strategies
Planning Lower-Level OU Strategies
Design Guidelines
Planning Upper-Level OU Strategies
Figure: OU hierarchy under the root domain nwtraders.msft. First level: North America, Asia. Second level: Canada and Mexico under North America, Japan and China under Asia. Third level: Sales, Mfg and IT OUs with an HR OU in each country
Planning Lower-Level OU Strategies
Figure: the same OU hierarchy as on the previous slide (nwtraders.msft; North America, Asia; Canada, Mexico, Japan, China; Sales, Mfg, IT and HR), focusing on the second- and third-level OUs
Design Guidelines
When Designing the OU Structure:
  Choose Stable Upper-Level OU Names That Are Meaningful to Administrators
  Create Lower-Level OUs to Support Group Policy
  Test the OU Structure and Make Changes Based on Evaluation
Characteristics of Multiple Domains
Reduce Replication Traffic
Maintain Separate and Distinct Security Policies Between Domains
Preserve the Domain Structure of Earlier Versions of Windows NT
Separate Administrative Control
Transitive Trusts in Windows 2000
Parent-Child Trust
Tree-Root Trust
Domain Trusts: Created by Default, Transitive, Two-Way
Figure: a forest with Tree One (forest root Domain A with child domains B and C) and Tree Two (Domain 1), joined by parent-child and tree-root trusts
How Trusts Work
Figure: a forest with Tree One (forest root Domain A with child domains B and C) and Tree Two (tree root Domain 1 with child Domain 2); a user in a trusted domain accesses a resource in a trusting domain through the chain of trusts
How Kerberos V5 Works
Figure: a client in one domain and a server in another (forest root contoso.msft with child marketing.contoso.msft; tree root nwtraders.msft with child sales.nwtraders.msft), each domain with its own KDC; numbered steps 1 to 5 trace the Kerberos authentication referrals that end with a session ticket for the server
Shortcut Trusts in Windows 2000
Figure: the same forest as in "How Trusts Work" (Tree One: forest root Domain A, children B and C; Tree Two: tree root Domain 1, child Domain 2) with a shortcut trust added directly between a trusted domain and a trusting domain
Nontransitive Trusts in Windows 2000
Nontransitive Trusts: Manually Created, One-Way
A Nontransitive Trust Exists Between:
  A Windows 2000 domain and a Windows NT domain
  Two Windows 2000 domains in two forests
  A Windows 2000 domain and a Kerberos V5 realm
Figure: a nontransitive trust from a domain outside the forest to the forest contoso.msft with child domains sales.contoso.msft and marketing.contoso.msft
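The trust-path logic behind the "How Trusts Work", "How Kerberos V5 Works", shortcut trust and nontransitive trust slides, as an added example that is not part of the course module. The forest's parent-child and tree-root trusts are two-way and transitive, so a Kerberos client is referred up its tree, across the tree-root trust and down the other tree, one KDC per domain; a shortcut trust removes the intermediate hops; an external trust is one-way and never extended to the rest of either forest. Domain names are the ones on the slides; fabrikam.msft, a second forest, is constructed.

```python
# Added example, not part of the course module: referral path through transitive
# trusts, the effect of a shortcut trust, and the limits of a nontransitive
# external trust. Domain names follow the slides; fabrikam.msft is constructed.
from collections import defaultdict, deque
from typing import Optional


class TrustGraph:
    def __init__(self):
        self.transitive = defaultdict(set)   # two-way, transitive edges (within the forest)
        self.external = set()                # (trusting_domain, trusted_domain), one-way

    def add_parent_child(self, parent, child):
        self.transitive[parent].add(child)
        self.transitive[child].add(parent)

    def add_tree_root(self, forest_root, tree_root):
        self.add_parent_child(forest_root, tree_root)   # same properties as parent-child

    def add_shortcut(self, a, b):
        self.transitive[a].add(b)
        self.transitive[b].add(a)

    def add_external(self, trusting, trusted):
        self.external.add((trusting, trusted))

    def referral_path(self, client_domain, server_domain) -> Optional[list]:
        """Shortest chain of domains whose KDCs the client is referred through
        (breadth-first search over the transitive trusts)."""
        prev = {client_domain: None}
        queue = deque([client_domain])
        while queue:
            d = queue.popleft()
            if d == server_domain:
                path = []
                while d is not None:
                    path.append(d)
                    d = prev[d]
                return path[::-1]
            for n in self.transitive[d]:
                if n not in prev:
                    prev[n] = d
                    queue.append(n)
        return None

    def can_authenticate(self, client_domain, resource_domain) -> bool:
        """True if a transitive path exists inside the forest, or if the resource
        domain directly trusts the client's domain through an external trust.
        External trusts are not followed any further."""
        if self.referral_path(client_domain, resource_domain) is not None:
            return True
        return (resource_domain, client_domain) in self.external


def build_forest() -> TrustGraph:
    """The forest drawn on the Kerberos slide."""
    g = TrustGraph()
    g.add_parent_child("contoso.msft", "marketing.contoso.msft")
    g.add_tree_root("contoso.msft", "nwtraders.msft")
    g.add_parent_child("nwtraders.msft", "sales.nwtraders.msft")
    return g


if __name__ == "__main__":
    g = build_forest()
    print("referrals:", g.referral_path("marketing.contoso.msft", "sales.nwtraders.msft"))
    g.add_shortcut("marketing.contoso.msft", "sales.nwtraders.msft")
    print("with shortcut trust:", g.referral_path("marketing.contoso.msft", "sales.nwtraders.msft"))
    g.add_external("fabrikam.msft", "marketing.contoso.msft")   # fabrikam.msft trusts marketing
    print("marketing user -> fabrikam resource:", g.can_authenticate("marketing.contoso.msft", "fabrikam.msft"))
    print("sales user -> fabrikam resource:", g.can_authenticate("sales.nwtraders.msft", "fabrikam.msft"))
```

The path length is the design argument for shortcut trusts between domains that exchange a lot of authentication traffic, and the last two lines show why an external trust to one domain does not quietly open the whole forest to the partner.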
The Global Catalog
The Global Catalog and the Logon Process
Creating a Global Catalog Server
The Global Catalog and the Logon Process
The Global Catalog Provides:
  Universal group membership information for the account
  Domain information when user principal names are used during logon
Figure: a user logon in one domain contacting a global catalog server that covers all domains in the forest
Problem: Logon and GC Dependency
During the logon process the security access token is constructed
Security Access Token: User SID + Group SIDs
  Membership details in the logon domain: Builtin, Domain Local, Global
  Membership details in the GC: Universal
A user's universal group membership changes by:
  Adding the user to a universal group
  Adding a global group of which the user is a member
  Nesting appropriate global and universal groups
Strategies for Using Groups in Trees and Forests
Universal Groups and Replication
Nesting Strategy Using Universal Groups
Universal Groups and Replication
All membership changes in a universal group are updated in the global catalog server ... and replicated to all global catalog servers in the forest
Reduce Replication Traffic by Minimizing:
  The use of universal groups, to limit replication to a domain
  Membership of universal groups: nest other groups rather than user accounts
  Changes to the membership, to reduce the frequency of replication
Nesting Strategy Using Universal Groups
Add User Accounts into Global Groups (Users > Global Group)
Nest Global Groups (optional) (Global Group > Global Group)
Add Global Groups from Each Domain into Universal Groups (Global Group > Universal Group)
Add Universal Groups into Domain Local Groups in Each Domain (Universal Group > Domain Local Group)
Assign Permissions to the Domain Local Group in Each Domain (Domain Local Group > Permissions)
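A working model of the group design rules from the earlier "Deciding Which Security Group to Use" and "Design Guidelines" slides and of the universal-group nesting strategy on this slide, as an added example that is not part of the course module. It enforces the scope rules (global groups take members from their own domain only; domain local groups secure resources in their own domain only), walks the A > G > U > DL > P chain to compute a user's effective permissions, reports whether the token needs a global catalog (the "Logon and GC Dependency" slide), and counts the GC replication events that universal group membership changes cause. The forest (two domains, three GC servers), users, groups and resource are constructed; native-mode nesting is assumed.

```python
# Added example, not part of the course module: Windows 2000 group scopes, the
# AGDLP / AGUDLP nesting chain, GC dependency at logon and the replication cost
# of universal group changes. Domains, users, groups, resources are constructed.
from collections import defaultdict

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


class Forest:
    def __init__(self, gc_servers: int):
        self.gc_servers = gc_servers         # number of global catalog servers in the forest
        self.principals = {}                 # name -> (kind, domain, scope or None)
        self.members = defaultdict(set)      # group -> direct members
        self.grants = defaultdict(set)       # (group, resource) -> permissions
        self.resources = {}                  # resource -> domain that owns it
        self.gc_updates = 0                  # replication events sent to GC servers

    def add_user(self, name, domain):
        self.principals[name] = ("user", domain, None)

    def add_group(self, name, domain, scope):
        self.principals[name] = ("group", domain, scope)

    def add_resource(self, name, domain):
        self.resources[name] = domain

    def add_member(self, group, member):
        """Membership rules from the 'Deciding Which Security Group to Use' slide."""
        _, gdom, scope = self.principals[group]
        _, mdom, mscope = self.principals[member]
        if scope == GLOBAL and mdom != gdom:
            raise ValueError(f"{group}: global groups take members from their own domain only")
        if scope == GLOBAL and mscope in (DOMAIN_LOCAL, UNIVERSAL):
            raise ValueError(f"{group}: a global group cannot contain {mscope} groups")
        if scope == UNIVERSAL and mscope == DOMAIN_LOCAL:
            raise ValueError(f"{group}: a universal group cannot contain domain local groups")
        if scope == DOMAIN_LOCAL and mscope == DOMAIN_LOCAL and mdom != gdom:
            raise ValueError(f"{group}: domain local groups nest only within their own domain")
        self.members[group].add(member)
        if scope == UNIVERSAL:
            # every membership change of a universal group reaches every GC server
            self.gc_updates += self.gc_servers

    def grant(self, group, resource, permission):
        _, gdom, scope = self.principals[group]
        if scope == DOMAIN_LOCAL and self.resources[resource] != gdom:
            raise ValueError(f"{group}: domain local groups secure resources in their own domain only")
        self.grants[(group, resource)].add(permission)

    def groups_of(self, principal) -> set:
        """Transitive group membership: the group SIDs that end up in the access token."""
        found, todo = set(), [principal]
        while todo:
            p = todo.pop()
            for g, ms in self.members.items():
                if p in ms and g not in found:
                    found.add(g)
                    todo.append(g)
        return found

    def needs_gc_at_logon(self, user) -> bool:
        """Universal group membership is only known to the GC, so the token cannot
        be completed without one when any universal group is involved."""
        return any(self.principals[g][2] == UNIVERSAL for g in self.groups_of(user))

    def permissions(self, user, resource) -> set:
        perms = set()
        for g in self.groups_of(user):
            perms |= self.grants.get((g, resource), set())
        return perms


def build_example() -> Forest:
    """Constructed two-domain forest following the slide: A > G > U > DL > P."""
    f = Forest(gc_servers=3)
    f.add_resource("reports-share", "us.nwtraders.msft")
    f.add_user("alice", "us.nwtraders.msft")
    f.add_user("bob", "europe.nwtraders.msft")
    f.add_group("US Managers", "us.nwtraders.msft", GLOBAL)
    f.add_group("EU Managers", "europe.nwtraders.msft", GLOBAL)
    f.add_group("Worldwide Managers", "us.nwtraders.msft", UNIVERSAL)
    f.add_group("Reports Readers", "us.nwtraders.msft", DOMAIN_LOCAL)
    f.add_member("US Managers", "alice")                  # A > G
    f.add_member("EU Managers", "bob")
    f.add_member("Worldwide Managers", "US Managers")     # G > U (one GC update each)
    f.add_member("Worldwide Managers", "EU Managers")
    f.add_member("Reports Readers", "Worldwide Managers")  # U > DL
    f.grant("Reports Readers", "reports-share", "read")   # DL > P
    return f


if __name__ == "__main__":
    f = build_example()
    print("bob on reports-share:", f.permissions("bob", "reports-share"))
    print("bob needs a GC at logon:", f.needs_gc_at_logon("bob"))
    print("GC replication events so far:", f.gc_updates)
```

Adding further users to the global groups costs no GC replication at all, while putting the same users straight into the universal group would cost one event per GC server for every change, which is the quantitative form of the "nest other groups rather than user accounts" guideline.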
Identifying Business Needs
Reasons to Maintain a Single Domain
Reasons to Create Multiple Domains
Reasons for a Multiple-Tree Forest
Reasons for Multiple Forests
Reasons to Maintain a Single Domain
Ease of Management
Easier Delegation
Fewer Members in the Domain Admins Group
Object Capacity Same as a Multiple-Domain Structure
Figure: a single domain with a tree of OUs
Reasons to Create Multiple Domains
Reasons for Using a Multiple-Domain Tree:
  Distinct domain-level policies
  Tighter administrative control
  Decentralized administration
  Separation and control of affiliate relationships
  Reduced replication traffic
Figure: four domains, each with its own tree of OUs
Planning for Multiple-Domain Trees
Characteristics of Multiple-Domain Trees
Creating an Empty Root Domain
Design Guidelines
Characteristics of Multiple-Domain Trees
Figure: root domain nwtraders.msft with child domains us.nwtraders.msft and europe.nwtraders.msft, and grandchild domain sales.us.nwtraders.msft
Transitive Trusts Exist Between All Domains
Creating an Empty Root Domain
Figure: root domain nwtraders.msft with child domains usa.nwtraders.msft and europe.nwtraders.msft
The Enterprise Admin Is the Sole User in the Root Domain
Design Guidelines
Design Needs That May Require a Multiple-Domain Tree:
  Distinct Security Boundaries
  Bandwidth Constraints on WAN Links
  Legal Reasons for Separate Domains
  Distinct Domain-Level Group Policy Settings
Planning for Multiple-Tree Forests
Characteristics of Multiple-Tree Forests
Design Guidelines
Characteristics of a Multiple-Tree Forest
Figure: Tree 1 with root contoso.msft and child domains domain2.contoso.msft and domain3.contoso.msft; Tree 2 with root nwtraders.msft, child domainA.nwtraders.msft and grandchild domainB.domainA.nwtraders.msft
A Transitive Trust Relationship Is Created Between the Roots
Design Guidelines
Consider Using a Multiple-Tree Forest When You Need:
  Distinct DNS Names for Public Identities
  Centralized Control Among All Active Directory Trees and Domains
Planning for Multiple Forests
Characteristics of Multiple Forests
Design Guidelines
Characteristics of Multiple Forests
Figure: two separate forests, one containing Tree 1 (root contoso.msft with child domains domain2.contoso.msft and domain3.contoso.msft) and the other containing Tree 2 (root nwtraders.msft, child domainA.nwtraders.msft, grandchild domainB.domainA.nwtraders.msft)
One-Way External Trusts Are Established Among Specified Domains Only
Design Guidelines
Design Multiple Forests When:
  You Do Not Want a Common Schema
  You Do Not Want a Global Directory
  You Need Limited Partner or Affiliate Relationships
Introduction to Operations Masters
Only a Domain Controller That Holds a Specific Operations Master Role Can Perform the Associated Active Directory Changes
Changes Made by an Operations Master Are Replicated to Other Domain Controllers
Any Domain Controller Can Hold an Operations Master Role
Operations Master Roles Can Be Moved to Other Domain Controllers
Figure: single-master operations performed on the operations master and then replicated to the other domain controllers
Operations Master Roles
Operations Master Default Locations
Schema Master
Domain Naming Master
PDC Emulator
RID Master
Infrastructure Master
Operations Master Default Locations
First Domain Controller in the Forest Root Domain:
  Forest-wide roles: schema master, domain naming master
  Domain-wide roles: RID master, PDC emulator, infrastructure master
First Domain Controller in Each Additional Domain:
  Domain-wide roles: RID master, PDC emulator, infrastructure master
Schema Master
Controls All Updates to the Schema
Replicates Updates to All Domain Controllers in the Forest
Allows Only Members of the Schema Admins Group to Modify the Schema
Figure: schema updates made on the schema master and replicated to the forest
Domain Naming Master
Controls the Addition or Removal of Domains in the Forest
Figure: a new domain being added through the domain naming master, which is also a global catalog server
PDC Emulator
Acts as a PDC to Support Windows NT BDCs and Pre-Windows 2000 Client Computers
Receives Password Changes from Pre-Windows 2000 Client Computers
Minimizes Replication Latency for Password Changes from Windows 2000 Client Computers
Manages Time Synchronization
Prevents GPOs from Being Overwritten by Concurrent Edits
Figure: a client computer running a pre-Windows 2000 version of Windows and a Windows NT BDC, both served by the PDC emulator
RID Master
Allocates Blocks of RIDs to Each Domain Controller in Its Domain
Prevents Object Duplication if Objects Move from One Domain Controller to Another
Object SID = Domain SID + RID
Figure: the RID master handing a block of RIDs to each domain controller (RID allocation), and an object keeping its SID when moved between domain controllers
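The RID allocation mechanism on this slide as an added example that is not part of the course module: the RID master hands each domain controller its own block of relative identifiers, so DCs can create security principals independently and the resulting SIDs (domain SID plus RID) never collide, even when objects later move between DCs. The domain SID, DC names and small block size are constructed; Windows itself allocates 500 RIDs per request by default.

```python
# Added example, not part of the course module: RID master block allocation and
# SID construction (Object SID = Domain SID + RID). The domain SID, DC names and
# block size are constructed.
class RidMaster:
    def __init__(self, domain_sid: str, block_size: int = 500, first_rid: int = 1000):
        self.domain_sid = domain_sid
        self.block_size = block_size
        self.next_rid = first_rid
        self.allocations = []               # (dc name, first RID, last RID) for audit

    def allocate(self, dc_name: str) -> range:
        """Hand out the next unused block; blocks never overlap."""
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        self.allocations.append((dc_name, block.start, block.stop - 1))
        return block


class DomainController:
    def __init__(self, name: str, rid_master: RidMaster):
        self.name = name
        self.rid_master = rid_master
        self.pool = iter(())                # empty until the first block arrives
        self.blocks_requested = 0
        self.objects = {}                   # SAM name -> SID

    def create_object(self, sam_name: str) -> str:
        """Object SID = domain SID + next RID from this DC's local pool."""
        try:
            rid = next(self.pool)
        except StopIteration:
            # pool exhausted (or never filled): ask the RID master for a new block.
            # With the RID master offline this is where object creation would stall.
            self.pool = iter(self.rid_master.allocate(self.name))
            self.blocks_requested += 1
            rid = next(self.pool)
        sid = f"{self.rid_master.domain_sid}-{rid}"
        self.objects[sam_name] = sid
        return sid

    def move_object_to(self, sam_name: str, other: "DomainController") -> str:
        """Moving an object to another DC keeps its SID; no RID is consumed."""
        other.objects[sam_name] = self.objects.pop(sam_name)
        return other.objects[sam_name]


def simulate(block_size: int = 5, per_dc: int = 12):
    """Two DCs creating objects concurrently from the same RID master."""
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333", block_size)
    dc1 = DomainController("dc1", master)
    dc2 = DomainController("dc2", master)
    for i in range(per_dc):
        dc1.create_object(f"user{i}")
        dc2.create_object(f"svc{i}")
    return master, dc1, dc2


def all_sids_unique(*dcs) -> bool:
    sids = [sid for dc in dcs for sid in dc.objects.values()]
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    master, dc1, dc2 = simulate()
    print("blocks handed out:", master.allocations)
    print("all SIDs unique:", all_sids_unique(dc1, dc2))
```

The audit list on the RID master is the kind of record worth keeping in practice: an unexplained burst of block requests from one DC is a signal that something is creating security principals at an unusual rate.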
Infrastructure Master
Updates References to Objects and Group Memberships from Other Domains
Figure: a global group nested into a domain local group in another domain; when a referenced object moves, the infrastructure master updates its entry in the group membership list (GUID and SID unchanged, new DN)
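What the infrastructure master actually does, as an added example that is not part of the course module: a group in one domain that contains a member from another domain stores only a reference (GUID, SID, DN) to that member, and when the member is renamed or moved in its home domain the stored DN goes stale until the infrastructure master finds the object by GUID in the global catalog and rewrites the DN. The domain names follow the slides; the object, GUID, SID and DNs are constructed.

```python
# Added example, not part of the course module: cross-domain group member
# references and the infrastructure master's refresh of stale DNs. Object
# names, GUIDs, SIDs and DNs are constructed.
from dataclasses import dataclass


@dataclass
class ForeignRef:
    guid: str      # never changes
    sid: str       # never changes
    dn: str        # the part that goes stale after a rename or move


class GlobalCatalog:
    """Partial replica of every object in the forest, keyed by GUID."""
    def __init__(self):
        self.by_guid = {}

    def publish(self, guid, sid, dn):
        self.by_guid[guid] = (sid, dn)


class Domain:
    def __init__(self, name, gc: GlobalCatalog):
        self.name, self.gc = name, gc
        self.groups = {}          # group DN -> list of member references

    def add_cross_domain_member(self, group_dn, guid, sid, dn):
        self.groups.setdefault(group_dn, []).append(ForeignRef(guid, sid, dn))

    def stale_references(self) -> list:
        """References whose DN no longer matches what the GC holds for that GUID."""
        return [ref for refs in self.groups.values() for ref in refs
                if self.gc.by_guid[ref.guid][1] != ref.dn]

    def infrastructure_master_pass(self) -> int:
        """Rewrite the DN of every stale cross-domain reference; returns the count fixed."""
        fixed = 0
        for ref in self.stale_references():
            ref.dn = self.gc.by_guid[ref.guid][1]
            fixed += 1
        return fixed


def scenario():
    """A domain local group in the US domain contains a user from the Europe domain,
    who is then moved to another OU in Europe."""
    gc = GlobalCatalog()
    us = Domain("us.nwtraders.msft", gc)
    guid = "c0ffee00-0000-4000-8000-000000000001"            # constructed
    sid = "S-1-5-21-200-200-200-1105"                         # constructed
    old_dn = "CN=Bob,OU=Sales,DC=europe,DC=nwtraders,DC=msft"
    gc.publish(guid, sid, old_dn)
    us.add_cross_domain_member("CN=Reports Readers,DC=us,DC=nwtraders,DC=msft", guid, sid, old_dn)
    new_dn = "CN=Bob,OU=Marketing,DC=europe,DC=nwtraders,DC=msft"
    gc.publish(guid, sid, new_dn)      # Europe's change reaches the GC through replication
    return us, new_dn


if __name__ == "__main__":
    us, new_dn = scenario()
    print("stale before:", len(us.stale_references()))
    print("fixed:", us.infrastructure_master_pass())
    print("stale after:", len(us.stale_references()))
```

Because the SID is what access checks use, Bob keeps his access throughout; only the displayed membership is wrong in between. This is also the reason behind the "must not be a GC" rule on the dependencies slide: a DC that is itself a GC already holds every object and never sees a stale reference to fix, so an infrastructure master on a GC silently does nothing for the other DCs in its domain.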
Operations Masters Dependencies
Forest-wide operations master roles
  Schema master: low performance impact
  Domain naming master: low performance impact, must be a GC
Domain-wide operations master roles
  PDC operations master: low performance impact (root domain only)
  RID pool operations master: low performance impact
  Infrastructure master: low performance impact, must not be a GC
Best practice
  The first DC in the forest root domain is a GC and holds all operations master roles by default
  Leave the GC service and the forest-wide operations master roles on the first DC
  Do not add the GC service to the second DC in the forest root domain, and move all domain-wide operations master roles to that second DC
  Monitor these two DCs very closely
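The dependencies and best practice on this slide as a placement check, as an added example that is not part of the course module. Given a description of the forest's domain controllers it verifies that every role is held exactly once in the right scope, that the domain naming master is a GC, that the infrastructure master is not a GC (the exception when every DC in the domain is a GC is a known caveat not stated on the slide), and that forest-wide and domain-wide roles in the root domain have been split across two DCs as the slide recommends. DC names and the two layouts are constructed.

```python
# Added example, not part of the course module: lint for operations master
# placement against the dependencies and best practice on the slide.
# DC names and layouts are constructed.
from collections import Counter

FOREST_ROLES = {"schema", "domain naming"}
DOMAIN_ROLES = {"rid", "pdc", "infrastructure"}


def check_placement(forest_root: str, dcs: list) -> list:
    """dcs: dicts with keys name, domain, gc (bool) and roles (set of role names).
    Returns findings; an empty list means the layout passes."""
    findings = []
    domains = {dc["domain"] for dc in dcs}

    # each forest-wide role exactly once, and only in the forest root domain
    forest_holders = Counter(r for dc in dcs for r in dc["roles"] if r in FOREST_ROLES)
    for role in sorted(FOREST_ROLES):
        if forest_holders[role] != 1:
            findings.append(f"{role} master must be held by exactly one DC (found {forest_holders[role]})")
    for dc in dcs:
        if dc["roles"] & FOREST_ROLES and dc["domain"] != forest_root:
            findings.append(f"{dc['name']}: forest-wide role outside the forest root domain")

    # each domain-wide role exactly once per domain
    for domain in sorted(domains):
        holders = Counter(r for dc in dcs if dc["domain"] == domain
                          for r in dc["roles"] if r in DOMAIN_ROLES)
        for role in sorted(DOMAIN_ROLES):
            if holders[role] != 1:
                findings.append(f"{domain}: {role} master must be held by exactly one DC (found {holders[role]})")

    for dc in dcs:
        same_domain = [d for d in dcs if d["domain"] == dc["domain"]]
        if "domain naming" in dc["roles"] and not dc["gc"]:
            findings.append(f"{dc['name']}: domain naming master must be a global catalog server")
        if "infrastructure" in dc["roles"] and dc["gc"] and not all(d["gc"] for d in same_domain):
            # harmless only when every DC in the domain is a GC (known caveat, not on the slide)
            findings.append(f"{dc['name']}: infrastructure master must not be a global catalog server")
        if (dc["domain"] == forest_root and dc["roles"] & FOREST_ROLES
                and dc["roles"] & DOMAIN_ROLES and len(same_domain) > 1):
            findings.append(f"{dc['name']}: best practice is to move the domain-wide roles to a second, non-GC DC")
    return findings


def recommended_layout():
    """The slide's best practice: first root DC keeps GC and forest-wide roles,
    a second non-GC root DC holds the domain-wide roles; a child domain alongside."""
    return "nwtraders.msft", [
        {"name": "dc1", "domain": "nwtraders.msft", "gc": True, "roles": {"schema", "domain naming"}},
        {"name": "dc2", "domain": "nwtraders.msft", "gc": False, "roles": {"rid", "pdc", "infrastructure"}},
        {"name": "dc3", "domain": "us.nwtraders.msft", "gc": False, "roles": {"rid", "pdc", "infrastructure"}},
        {"name": "dc4", "domain": "us.nwtraders.msft", "gc": True, "roles": set()},
    ]


def default_layout():
    """A fresh forest: the first DC is a GC and still holds every role; a second DC exists."""
    return "nwtraders.msft", [
        {"name": "dc1", "domain": "nwtraders.msft", "gc": True, "roles": FOREST_ROLES | DOMAIN_ROLES},
        {"name": "dc2", "domain": "nwtraders.msft", "gc": False, "roles": set()},
    ]


if __name__ == "__main__":
    for layout in (default_layout, recommended_layout):
        print(layout.__name__, "->", check_placement(*layout()) or "OK")
```

Run against the out-of-the-box layout the check reports the two things the slide tells you to change; run against the recommended layout it reports nothing, and it can be re-run after every role transfer or seizure described on the next slide to confirm the forest is back in a supported state.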
Operations Master Offline Scenarios
If you don't need the operations master online, do nothing
  Having the schema master, domain naming master and infrastructure master offline for a short time does not affect the directory service
  The RID pool owner should be brought back within hours, but bulk operations (migrations) might need it earlier
  The PDC emulator must be online
If operations master downtime is planned and is either very long, or the master is needed, transfer the operations master role
Only seize operations master roles if the original operations master can never be brought back, or the role is needed urgently
  The OS installation of the original operations master must never come back online
  The server has to be re-installed, but the same name can be reused