Module 1: Introduction to Designing a Directory Services Infrastructure

Upload: griffin-kelley

Post on 23-Dec-2015



Overview

Role of Active Directory in an Enterprise

Conducting an Organizational Analysis

Architectural Elements of Active Directory


This module provides the basic context and terminology for the course. It starts by describing how Microsoft® Windows® 2000 Active Directory™ directory service works in an enterprise network environment. Prior to designing the Active Directory structure, the architect must first identify the administrative and business goals of an organization. General guidelines for identifying business needs are provided, and a framework for making good design choices is discussed. Finally, an overview of the architectural elements of Active Directory is presented.


At the end of this module, you will be able to:

Describe Active Directory in Windows 2000.

Explain the importance of determining business needs prior to designing an Active Directory infrastructure.

Describe the architectural elements used in the design of the Active Directory infrastructure.


Role of Active Directory in an Enterprise

Domains and OUs Form Hierarchical Structures

Multiple Domains Can Form

Trees

Forests

[Figure: objects grouped into OUs, OUs within domains, domains forming trees, and trees forming a forest]


Active Directory in Windows 2000 is a network directory service. Administrators use Active Directory to define, arrange, and manage objects, such as user data, printers, and servers, so that they are available to users and applications throughout the organization. Objects in Active Directory are logically organized into a hierarchical structure.


The objects that create the overall structural hierarchy in Active Directory are:

Domains. This is the core unit of Active Directory. A domain is a container of objects that share security requirements, replication processes, and administration. Active Directory uses a multi-master replication model in which all domain controllers are equal.

Organizational units (OUs). An OU is a container object that is used to organize objects within a domain into logical administrative groups. Within a domain, OUs form a hierarchical structure based on the organization's administrative model.


Multiple domains within a single Active Directory can create additional structure in the form of:

Trees. A tree is a hierarchical arrangement of one or more domains with a single root name. Domains within a tree share a common root domain name and share information through automatic trust relationships.

Forests. A forest is a collection of one or more trees. Multiple trees within a forest do not share a common root domain name, but share information through automatic trust relationships. Multiple forests can share information only through explicit trusts.


Conducting an Organizational Analysis

Identifying Organizational Needs

Making Design Choices

Planning Guidelines


Enterprise architects must design the Active Directory directory service to meet the business needs of the customer. The first step in meeting this goal is performing an organizational analysis to determine the business as well as the information technology (IT) needs of the customer.


In this lesson you will learn about the following topics:

Identifying organizational needs

Making design choices

Planning guidelines


Identifying Organizational Needs

Determine the Goals of the Organization

Analyze the Administrative Model

Anticipate Growth and Reorganization

Document the Gathered Information


Identifying organizational needs consists of the following steps:


Determine Goals of the Organization. As an architect, you must identify and then prioritize the business needs of an organization. Once you have identified the goals, you must translate them into a design for the Active Directory structure that meets those goals. In the design, you must ensure that Active Directory meets the business needs of the organization, instead of basing the goals of the organization on the Active Directory structure.


Analyze the Administrative Model. The Active Directory directory service is designed to support the storage and easy retrieval of information. The design must support the administrative model. The administrators of an organization support the enterprise. Therefore, you need to design Active Directory to support administrator needs. These needs may be different from the business practices of the organization. Identify and analyze the current administrative model, and determine if any improvements can be made.


Anticipate Growth and Reorganization. An Active Directory structure has an anticipated life span of three to five years. When designing the Active Directory structure, you must anticipate future growth and reorganization, and then design Active Directory so it can easily accommodate growth.


Document the Gathered Information. After your initial organizational analysis, document your findings. Documentation will guide you through the design process and clarify any conflicts that may occur as you design Active Directory.


Making Design Choices

Decision Points

Implications

Risks and Costs

Tradeoffs


When making design choices, identify the following factors that will influence design:


Decision Points. You should filter the information you receive from your organizational analysis. Organizations can often provide too little or too much information about their business needs. Careful examination of the information will help you incorporate only the most pertinent points into the design of the Active Directory structure.


Implications. Be aware of the implications of making a particular design decision, and possible alternatives to the decision. There are often several ways to achieve an intended outcome in the design of the Active Directory structure. Knowing the implications of each possible option will help guide your design choices.


Risks and Costs. Identifying risks before beginning the design process gives you an opportunity to mitigate or decrease possible problems. For example, if there are limited resources for testing, then implementation of a design can be scheduled for off-peak hours to mitigate any unforeseen results of the implementation.


Tradeoffs. Every organization will have individuals or departments with different goals for the project. Not all goals may be achievable due to schedule and resource constraints. By prioritizing goals and identifying the positive and negative characteristics of each goal, you can make effective tradeoff decisions.


Planning Guidelines

Remember Business Needs

Maintain a Clear Vision

Make Solid Tradeoff Decisions

Create a Simple Design

Test the Design


Remember Business Needs

When designing an Active Directory structure, ensure that the business needs, rather than the technology, determine the design. Only allow technology to influence your design if the technology can provide a more efficient means of doing business.


Maintain a Clear Vision

As your design progresses, maintain a clear vision of your overall structure.


Make Solid Tradeoff Decisions

Carefully consider tradeoff decisions when faced with design options.


Create a Simple Design

The best strategy is to create the simplest design possible.


Test the Design

Finally, ensure that the design is adequately tested before releasing the design to the team responsible for implementing Active Directory.


Architectural Elements of Active Directory

Designing a Naming Strategy

Designing for Delegation of Administrative Authority

Designing Schema Modifications

Designing for Group Policy

Designing an Active Directory Domain

Designing Multiple Domains

Designing a Site Topology


An enterprise architect combines the various architectural components of Active Directory to design a directory services infrastructure that meets the business needs of the organization. To use these components effectively, you must understand the capabilities of each component and the design elements within Active Directory that each component influences.


In this lesson you will learn about the following topics:

Designing a naming strategy

Designing for delegation of administrative authority

Designing schema modifications

Designing for Group Policy

Designing an Active Directory domain

Designing multiple domains

Designing a site topology


Designing a Naming Strategy

Active Directory Uses DNS as Naming Service

Internet Presence a Determining Factor in Selecting Domain Names

[Figure: Domain Name System (DNS) namespace containing the domain nwtraders.msft]


Active Directory follows the Domain Name System (DNS) standard as a basis for naming domains. Active Directory also uses DNS as the domain locator service. You can use DNS for name resolution of the organization's internal resources, such as its intranet, and external resources, such as the Internet.

An organization's current and planned presence on the Internet will help determine Active Directory naming strategies. Carefully selecting an inclusive DNS name for the root domain is crucial: a well-chosen name may make it easier for users to access the network over the Internet, and the root domain name is also included in the name of every child domain created under the root domain.


Designing for Delegation of Administrative Authority

Relieves Burden of Centralized Management

Separates Administrative Authority from Rest of Network

[Figure: domain tree with root nwtraders.msft and child domains na.nwtraders.msft and asia.nwtraders.msft; OUs named Mfg, research, HR, recruiting and training within the domains]


Delegating administrative authority in Active Directory allows network administrators to grant administrative control of objects in Active Directory to trusted users. Delegating authority reduces the workload of a centralized administrator, and also separates the delegated authority from other areas of the network.


You can create a hierarchical structure of domains and OUs that reflects the administrative model of an organization. You can also delegate authority to individual users and computers. By structuring the Active Directory hierarchy and then managing the permissions on the objects and properties in Active Directory, you can precisely specify the accounts that can access information in Active Directory and the level of permissions that they can have. This precise specification allows network administrators to delegate specific authority over portions of Active Directory to groups of users, without making its information vulnerable to unauthorized access.
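As an added example (not part of the course material), the following Python model shows how an inheritable permission set on one OU confines the delegated group to that part of the hierarchy and nothing else. The OU names follow the slide above; the groups, rights and access-control entries (ACEs) are constructed for illustration.

```python
"""Delegated authority over an OU subtree (added example, not from the course).

OU names follow the slide; groups, rights and ACEs are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    group: str      # security group the entry grants to
    right: str      # "ResetPassword", "CreateUser" or "FullControl"
    on_class: str   # object class the right covers, "*" for any
    inherit: bool   # whether the entry flows down to child containers


# Container DN -> ACEs set on it. Each right sits on the narrowest container
# that needs it, so HR Admins hold nothing outside OU=HR.
ACLS = {
    "DC=nwtraders,DC=msft": [Ace("Domain Admins", "FullControl", "*", True)],
    "OU=HR,DC=nwtraders,DC=msft": [Ace("HR Admins", "ResetPassword", "user", True)],
    "OU=Mfg,DC=nwtraders,DC=msft": [Ace("Mfg Admins", "CreateUser", "user", True)],
}


def ancestors(dn):
    """Return dn followed by every container above it, up to the domain."""
    parts = dn.split(",")
    chain = []
    for i, part in enumerate(parts):
        chain.append(",".join(parts[i:]))
        if part.startswith("DC="):
            break
    return chain


def is_allowed(groups, right, target_dn, target_class):
    """True if a group the principal belongs to holds `right` on the target,
    directly or through an inheritable ACE on an ancestor container."""
    for depth, container in enumerate(ancestors(target_dn)):
        for ace in ACLS.get(container, []):
            if ace.group not in groups:
                continue
            if ace.right not in (right, "FullControl"):
                continue
            if ace.on_class not in (target_class, "*"):
                continue
            if depth == 0 or ace.inherit:
                return True
    return False


def audit(groups, right, target_class, dns):
    """Which of `dns` the group set can act on: useful when reviewing delegation."""
    return [dn for dn in dns if is_allowed(groups, right, dn, target_class)]
```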


Designing Schema Modifications

Schema Defines Objects and Attributes in Active Directory

Changing the Schema Can Affect the Entire Network

Create a Schema Modification Policy to Manage Changes


The Active Directory schema contains the definitions of all objects, such as computers, users, and printers, that are stored in Active Directory. The definitions contained within the schema define the classes of objects Active Directory may contain, and the types of attributes each object may or must have.

Schema modification includes adding or changing object class or attribute definitions. Changing the schema has implications that can affect the entire network. Schema modifications are rare, but an organization may have business needs that can only be met by schema modification. You will need to create a schema modification policy to manage the modification process.


Designing for Group Policy

Group Policy Objects Apply Configurations to Sites, Domains, and OUs

Group Policy Is Inherited In Active Directory Hierarchy

[Figure: a GPO linked at the site, domain, and OU levels of the hierarchy]


Group Policy is used to manage software configurations and regulate security on computers and users in Active Directory. A Group Policy object (GPO) is used to apply Group Policy to users and computers in Active Directory at the site, domain, and OU level.

You can design Active Directory to support the application of Group Policy through delegation and by the creation of lower-level OUs to contain users and computers subject to particular GPOs. Group Policy is also inherited through the site, domain, and OU structure. By carefully designing the Active Directory infrastructure, you can apply GPOs to intended users and computers in upper-level domains or OUs so that the GPOs will be inherited to lower-level domains and OUs.
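The inheritance described above, as an added Python example that is not part of the course material: GPOs are processed for the site, then the domain, then each OU from the top of the hierarchy down, and a setting written by a later GPO overrides the same setting written earlier, so the GPO linked nearest the object wins on conflict. The GPO names and settings are constructed; blocked and enforced inheritance are not modelled.

```python
"""Effective Group Policy for a computer (added example, not from the course).

GPO names and settings are constructed sample data. Processing order follows
the module: site, domain, then OUs from the top of the hierarchy down. A value
set by a later GPO overrides the same value set earlier. Blocked and enforced
inheritance are not modelled.
"""

# Level -> GPOs linked there, in processing order. Keys are a site name,
# the domain DN or an OU DN (constructed sample data).
GPO_LINKS = {
    "Redmond": ["Site-Proxy"],
    "DC=nwtraders,DC=msft": ["Default Domain Policy"],
    "OU=HR,DC=nwtraders,DC=msft": ["HR-Lockdown"],
    "OU=training,OU=HR,DC=nwtraders,DC=msft": ["Training-Lab"],
}

GPO_SETTINGS = {
    "Site-Proxy": {"proxy": "proxy.redmond.nwtraders.msft"},
    "Default Domain Policy": {"min_password_len": 8, "screensaver_lock": True},
    "HR-Lockdown": {"removable_media": "deny"},
    "Training-Lab": {"removable_media": "allow"},  # lab machines need USB media
}


def containers_top_down(dn):
    """Domain first, then each OU on the way down to the object's parent."""
    parts = dn.split(",")
    chain = []
    for i, part in enumerate(parts):
        if part.startswith("DC="):
            chain.append(",".join(parts[i:]))
            break
        if part.startswith("OU="):
            chain.append(",".join(parts[i:]))
    return list(reversed(chain))


def effective_policy(site, computer_dn):
    """Return (GPOs in the order applied, resulting merged settings)."""
    applied, effective = [], {}
    for level in [site] + containers_top_down(computer_dn):
        for gpo in GPO_LINKS.get(level, []):
            applied.append(gpo)
            effective.update(GPO_SETTINGS[gpo])   # later GPO wins on conflict
    return applied, effective


def setting_source(site, computer_dn, key):
    """Name of the GPO that finally decided `key`, or None if no GPO set it."""
    source = None
    for level in [site] + containers_top_down(computer_dn):
        for gpo in GPO_LINKS.get(level, []):
            if key in GPO_SETTINGS[gpo]:
                source = gpo
    return source
```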


Designing an Active Directory Domain

Create OUs to Support Delegation and Group Policy

Create OU Structure to Reflect Administrative Model

Carefully Name the First Domain

[Figure: the first domain, nwtraders.msft, containing a hierarchy of upper- and lower-level OUs]


The ongoing administrative tasks of an organization can be simplified by initially planning how to organize objects in a domain. A well-designed OU structure comprised of upper- and lower-level OUs will allow administrators to delegate authority and apply Group Policy.

The first domain created in Active Directory is the root domain of the entire forest. The first domain is also referred to as the forest root. The forest root contains the configuration and schema information for the forest. Naming the first domain is an important design step, since the first domain cannot be renamed.


Designing Multiple Domains

Administered Separately But May Share Resources

More Complex To Manage

[Figure: root domain nwtraders.msft with child domains us.nwtraders.msft and europe.nwtraders.msft]


Domains, trees, and forests are bordered units within Microsoft Windows 2000 Active Directory directory service. These units can share resources but can also be administered separately. Most business needs can be met by a single domain structure. A single domain is simpler to manage, and it is simple to delegate administrative authority. However, a business may want to use multiple domains within Active Directory. You will need to evaluate the need for a multiple-domain structure and the implications of increasing the complexity of the Active Directory structure before making this decision.

Domains can be arranged into multiple-domain trees, multiple-tree forests, and multiple forests. The business drivers that require a multiple-domain design will also affect the type of design you create.


Designing a Site Topology

Sites Define Physical Structure of Active Directory

Use Sites to Control Network Traffic Flow

[Figure: domain nwtraders.msft spanning a Redmond site and a Charlotte site]


Active Directory uses sites to define the physical structure of the network. A site is a collection of well-connected machines, based on Internet Protocol (IP) subnets. A site definition is stored as a site object in Active Directory. Collectively, all sites form a site topology. Because sites represent the physical structure of your network, they do not need to map to the logical structure of the Active Directory.


You can use sites to control workstation logon traffic, replication traffic, Distributed file system (Dfs) topology, and File Replication service (FRS) traffic.

Excessive network traffic can occur between remote locations due to frequent exchange of large amounts of data and directory information. Designing an appropriate site topology helps you better organize the Windows 2000 network in your organization and optimize the exchange of data and directory information.
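An added Python example (not from the course) of how a machine is assigned to a site from its IP subnet: the most specific subnet object containing the address decides the site, and an address covered by no subnet object gets no site affinity, which is exactly the case a topology review should surface. The site names follow the slide above; the subnets and addresses are constructed.

```python
"""Site lookup by IP subnet (added example, not from the course).

Site names follow the slide; subnets and addresses are constructed sample data.
"""
import ipaddress

# Site -> subnet objects associated with it (constructed sample values).
# 10.20.0.0/16 lies inside 10.0.0.0/8, so the longer prefix must win.
SITE_SUBNETS = {
    "Redmond": ["10.0.0.0/8", "192.168.10.0/24"],
    "Charlotte": ["10.20.0.0/16"],
}


def build_subnet_table(site_subnets):
    """Flatten the site definitions into (network, site) pairs, most specific first."""
    table = []
    for site, cidrs in site_subnets.items():
        for cidr in cidrs:
            # strict=True rejects a subnet whose host bits are set (a typo such as 10.20.1.0/16)
            table.append((ipaddress.ip_network(cidr, strict=True), site))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(address, table):
    """Site of the most specific subnet containing `address`, or None."""
    ip = ipaddress.ip_address(address)
    for network, site in table:
        if ip.version == network.version and ip in network:
            return site
    return None


def uncovered_addresses(addresses, table):
    """Addresses no subnet object covers: their logon and replication traffic
    has no site to keep it local and may cross slow links."""
    return [a for a in addresses if site_for_address(a, table) is None]
```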


Review

Role of Active Directory in an Enterprise

Conducting an Organizational Analysis

Architectural Elements of Active Directory