Module 3 Planning for Active Directory®

Upload: tiffany-page

Post on 06-Jan-2018


DESCRIPTION

Module Overview
• Selecting a Forest and Domain Topology
• Selecting a Domain and Forest Functional Level
• Planning Identity and Access Services in Active Directory
• Implementing Active Directory in the Physical Network

Start planting the seed in the students’ minds that they are now going to incorporate the tools from Module 2 (name resolution, perimeter network definition, security, and others) into their Active Directory configuration. As each topic is addressed, map it back to DNS, to the boundary between internal and external access, and to the implications for maintaining or strengthening security.

Seek student involvement by asking about aspects of their own networks. Be prepared for students not to know much detail about how their Active Directory networks are set up (remember, these students have most likely worked on the support side of networking, not the design side). As an overall goal for the class, students should leave with a better understanding of their own Active Directory design, or at least be able to work out how their Active Directory networks have been set up.

Throughout this module, emphasize that the physical and logical aspects of Active Directory should complement each other. Although there is no technical dependency between them, the logical and physical characteristics of Active Directory do affect each other. This sets the stage for the inevitable question about the “best” Active Directory design. There is no single best design; the “best” design is the one that comes closest to meeting the organization’s needs within the constraints the implementation is bound by.

TRANSCRIPT

Page 1: Module 3 Planning for Active Directory®

Module 3: Planning for Active Directory®

Page 2

Module Overview
• Selecting a Forest and Domain Topology
• Selecting a Domain and Forest Functional Level
• Planning Identity and Access Services in Active Directory
• Implementing Active Directory in the Physical Network

Page 3

Lesson 1: Selecting a Forest and Domain Topology
• Overview of Active Directory
• Considerations for Designing a Forest Infrastructure
• Guidelines for Designing an Active Directory Domain Infrastructure
• Determining Whether to Implement Multiple Trees in Your Forest
• What Is a Trust Relationship?
• Discussion: Selecting an Active Directory Topology

Page 4

Overview of Active Directory
• Forest
• Schema
• Global catalog
• Tree
• Domain
• Site
• Organizational unit

Page 5

Considerations for Designing a Forest Infrastructure
• Isolation requirements limit design choices
• Design negotiation can be a lengthy process
• Balance costs against benefits
• Document the proposed forest design

Page 6

Guidelines for Designing an Active Directory Domain Infrastructure
• Review domain models
• Determine the number of domains required
• Consider upgrade implications from the existing domain infrastructure

Page 7

Determining Whether to Implement Multiple Trees in Your Forest

Use a single tree unless your namespace requires noncontiguous names within your organization.

A second tree adds a DNS namespace, not isolation: all trees in a forest share the same schema, configuration partition and global catalog and are joined by two-way transitive tree-root trusts, so the forest remains the security boundary.

Page 8

What Is a Trust Relationship?

(Figure, labels only: Forest 1 and Forest 2, each with a forest root domain; domains labelled A, B, C, D, E, F, P and Q; a separate Kerberos Realm. Trust types shown: Parent/Child Trust, Tree/Root Trust, Shortcut Trust, Forest Trust, External Trust, Realm Trust.)

• Parent/Child and Tree/Root trusts are created automatically inside a forest; they are two-way and transitive.
• Shortcut trust: created manually between two domains in the same forest to shorten the Kerberos referral path.
• Forest trust: created between the root domains of two forests; transitive between the domains of those two forests only.
• External trust: created between a domain and a domain in another forest (or a Windows NT 4.0 domain); non-transitive.
• Realm trust: created between a domain and a non-Windows Kerberos realm.
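The trust types in the figure differ in transitivity and in how far the trusting side accepts SIDs presented by the other side, and those settings are what a reviewer checks after a trust is planned. The PowerShell below is an added example, not course material: it decodes the trustAttributes bits of each trust object (bit values as documented in MS-ADTS) and flags the settings that weaken a forest boundary. The sample trust objects and domain names are constructed; the commented last line runs the same review against a live domain with Get-ADTrust.

```powershell
# Added example, not part of the course. Decodes the trustAttributes bits on each
# trust and flags settings that weaken the boundary between forests.
# Bit values are from MS-ADTS (trustAttributes); the sample trust objects are constructed.
$TrustAttr = @{
    NON_TRANSITIVE                           = 0x1
    UPLEVEL_ONLY                             = 0x2
    QUARANTINED_DOMAIN                       = 0x4    # SID filtering on an external trust
    FOREST_TRANSITIVE                        = 0x8    # forest trust
    CROSS_ORGANIZATION                       = 0x10   # selective authentication
    WITHIN_FOREST                            = 0x20   # parent/child or tree-root trust
    TREAT_AS_EXTERNAL                        = 0x40   # forest trust filtered only as an external trust
    USES_RC4_ENCRYPTION                      = 0x80   # realm trust using RC4 for the inter-realm key
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800  # unconstrained delegation allowed across the trust
}

function Test-TrustAttribute {
    param([int]$Attributes, [string]$Flag)
    return (($Attributes -band $TrustAttr[$Flag]) -ne 0)
}

function Get-TrustReview {
    param([Parameter(Mandatory = $true)][object[]]$Trusts)
    foreach ($t in $Trusts) {
        $a        = [int]$t.trustAttributes
        $inForest = Test-TrustAttribute $a 'WITHIN_FOREST'
        $isForest = Test-TrustAttribute $a 'FOREST_TRANSITIVE'
        $findings = @()
        if (-not $inForest) {
            # Outside the forest the other side controls its own SIDs and sIDHistory,
            # so these flags decide how far a compromise over there reaches into here.
            if (-not $isForest -and -not (Test-TrustAttribute $a 'QUARANTINED_DOMAIN')) {
                $findings += 'external trust without SID filtering (quarantine off)'
            }
            if ($isForest -and (Test-TrustAttribute $a 'TREAT_AS_EXTERNAL')) {
                $findings += 'forest trust with SID filtering relaxed to external-trust level'
            }
            if (-not (Test-TrustAttribute $a 'CROSS_ORGANIZATION')) {
                $findings += 'no selective authentication: any trusted user can authenticate to any server here'
            }
            if (Test-TrustAttribute $a 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION') {
                $findings += 'TGT delegation enabled across the trust'
            }
        }
        if (Test-TrustAttribute $a 'USES_RC4_ENCRYPTION') {
            $findings += 'inter-realm key uses RC4'
        }
        if ($inForest)     { $scope = 'intra-forest' }
        elseif ($isForest) { $scope = 'forest' }
        else               { $scope = 'external/realm' }
        [pscustomobject]@{
            Trust     = $t.Name
            Direction = $t.Direction
            Scope     = $scope
            Findings  = $findings
        }
    }
}

# Constructed sample: a forest trust left at its defaults (forest-wide authentication),
# an external trust whose SID filtering was switched off, and a child-domain trust.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'contoso.com';      Direction = 'BiDirectional'; trustAttributes = 0x8 }
    [pscustomobject]@{ Name = 'fabrikam.com';     Direction = 'Outbound';      trustAttributes = 0x1 }
    [pscustomobject]@{ Name = 'child.adatum.com'; Direction = 'BiDirectional'; trustAttributes = 0x20 }
)
Get-TrustReview -Trusts $sampleTrusts | Format-List

# Against a live domain (ActiveDirectory module):
# Get-TrustReview -Trusts (Get-ADTrust -Filter * -Properties trustAttributes) | Format-List
```

Intra-forest trusts are not reviewed for SID filtering because it does not apply inside a forest; that is exactly why the forest, not the domain, is the isolation unit in the design discussion above.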

Page 9

Discussion: Selecting an Active Directory Topology

Given the following scenario, which Active Directory topology would you recommend?

15 min

Page 10

Lesson 2: Selecting a Domain and Forest Functional Level
• What Are the Domain Functional Levels?
• What Are the Forest Functional Levels?
• Demonstration: Modifying the Functional Level

Page 11

What Are the Domain Functional Levels?
• Windows 2000 native
• Windows Server 2003
• Windows Server 2008

Page 12

What Are the Forest Functional Levels?
• Windows 2000 native
• Windows Server 2003
• Windows Server 2008

Page 13

Demonstration: Modifying the Functional Level
In this demonstration, you will see how to:
• Raise the domain functional level
• Raise the forest functional level
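The demonstration uses the Active Directory Domains and Trusts console. The same two steps as PowerShell, with the pre-flight check the console only hints at, follow as an added example that is not part of the course. It assumes the domain adatum.com and a management host with the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later); on Windows Server 2008 the raise is one-way, so the check runs before anything is changed.

```powershell
# Added example, not part of the course. Checks that every domain controller can
# support the target level before raising it, then raises the domain level and,
# once every domain qualifies, the forest level. Domain name adatum.com is assumed.
Import-Module ActiveDirectory

function Get-DomainControllerBelow2008 {
    param([string]$Domain = 'adatum.com')
    # Any DC on an older OS blocks the raise: it could not replicate the new features.
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2008|201[0-9]|202[0-9])' } |
        Select-Object HostName, Site, OperatingSystem, IsReadOnly
}

function Get-FunctionalLevels {
    param([string]$Domain = 'adatum.com')
    [pscustomobject]@{
        DomainMode = (Get-ADDomain -Identity $Domain).DomainMode
        ForestMode = (Get-ADForest -Identity $Domain).ForestMode
    }
}

Get-FunctionalLevels
$blocking = Get-DomainControllerBelow2008
if ($blocking) {
    Write-Warning 'Upgrade or demote these domain controllers first:'
    $blocking | Format-Table -AutoSize
}
else {
    # One-way on Windows Server 2008: there is no supported rollback once raised.
    Set-ADDomainMode -Identity adatum.com -DomainMode Windows2008Domain -Confirm:$false

    # The forest level can only be raised once every domain in the forest is at or
    # above the target domain level.
    $target  = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $lagging = (Get-ADForest -Identity adatum.com).Domains |
        Where-Object { [int](Get-ADDomain -Identity $_).DomainMode -lt [int]$target }
    if (-not $lagging) {
        Set-ADForestMode -Identity adatum.com -ForestMode Windows2008Forest -Confirm:$false
    }
    else {
        Write-Warning "Domains still below the target level: $($lagging -join ', ')"
    }
    Get-FunctionalLevels
}
```

Run it from a member of Domain Admins for the domain level and Enterprise Admins for the forest level; both cmdlets target the PDC emulator and domain naming master respectively, so those operations masters must be reachable.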

Page 14

Lesson 3: Planning Identity and Access Services in Active Directory
• What Is AD CS?
• What Is AD LDS?
• What Is AD FS?
• What Is AD RMS?

Page 15

What Is AD CS?
• Extends the concept of trust
  A certificate from a trusted certification authority (CA) proves identity. Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA that issued the certificates you present.
• Creates a public key infrastructure (PKI)
  Confidentiality, integrity, authenticity, non-repudiation
• Many uses
  Internal-only or external; secure Web sites (SSL); VPN; wireless authentication and encryption; smart card authentication
• Integration with AD DS is powerful, but not required

Page 16

What Is AD LDS?

Active Directory Lightweight Directory Services

(Figure: an AD LDS instance shown alongside AD DS.)

Page 17

What Is AD FS?

(Figure, labels only: Corporate Network, Client, Account Federation Server, Active Directory, Resource Federation Server, AD FS Enabled Web Server, Active Directory, Internal Client, Corporate Network, Perimeter Network.)

Page 18

What Is AD RMS?

(Figure: AD RMS workflow with numbered steps 1 and 2; step labels not recoverable.)

Page 19

Lesson 4: Implementing Active Directory in the Physical Network
• What Is a Domain Controller?
• Determining the Placement of Domain Controllers
• Demonstration: Creating a Site
• What Is a Read-Only Domain Controller?
• Demonstration: Deploying an RODC

Page 20

What Is a Domain Controller?

Domain controllers:
• Provide authentication
• Host operations master roles
• Host the global catalog
• Support group policies and SYSVOL
• Provide for replication

Page 21

Determining the Placement of Domain Controllers

(Figure: map of the Seattle, Bellevue and Redmond locations.)

Page 22

Demonstration: Creating a Site
In this demonstration, you will see how to:
• Create a site
• Configure the replication interval and schedule
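The demonstration performs these steps in Active Directory Sites and Services. As an added example that is not part of the course, the same steps in PowerShell for a Redmond branch site: the subnet, the site-link name, the replication window and an existing Seattle site are assumed, and the *-ADReplication* cmdlets require the ActiveDirectory module from Windows Server 2012 or later.

```powershell
# Added example, not part of the course. Creates the Redmond site, binds its subnet
# and places it on a site link with an explicit interval and schedule.
# Assumed: site 'Seattle' already exists; subnet 10.20.0.0/16; 00:00-06:00 window.
Import-Module ActiveDirectory

New-ADReplicationSite -Name 'Redmond'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Redmond'   # assumed branch subnet

# Without a subnet object the site exists only on paper: branch clients would not
# be able to locate their local DC and would authenticate against any DC in the domain.
Get-ADReplicationSubnet -Identity '10.20.0.0/16' | Select-Object Name, Site

# Replication schedule: inter-site replication allowed only between 00:00 and 06:00,
# every 30 minutes inside that window (default is every 180 minutes, all day).
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Six,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)

New-ADReplicationSiteLink -Name 'Seattle-Redmond' -SitesIncluded 'Seattle', 'Redmond' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 30 `
    -ReplicationSchedule $schedule

# Verify what was written before moving a domain controller into the site
Get-ADReplicationSiteLink -Identity 'Seattle-Redmond' -Properties *
```

A narrow schedule delays security-relevant changes (account disables, password resets, group membership removals) until the next window; the urgent-replication path between DCs in the same site does not cross a site link, so a tight window is a trade-off the branch design has to state explicitly.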

Page 23

What Is a Read-Only Domain Controller?

RODCs host read-only partitions of the AD DS database and only accept replicated changes to Active Directory: replication is inbound only, and no change ever originates at an RODC.

RODCs:
• Cannot hold operations master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security

RODCs provide:
• Additional security for branch offices with limited physical security
• Additional security if applications must run on a domain controller

(Figure: RODC)

Page 24

Demonstration: Deploying an RODC
In this demonstration, you will see how to:
• Prepare the forest
• Deploy an RODC
• Configure the password replication policy for the RODC
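The part of this demonstration that decides how much a stolen branch server is worth to an attacker is the password replication policy. The following is an added example, not course material: it deploys an RODC into the Redmond site, sets its policy so that only branch accounts are cached, and then audits what the RODC has actually cached. The host and group names (SEA-RODC1, Redmond Users) and the site are assumed; Install-ADDSDomainController comes with Windows Server 2012 or later and runs on the future RODC itself, whereas the course prepares the forest with adprep /rodcprep and uses dcpromo on Windows Server 2008.

```powershell
# Added example, not part of the course. Names SEA-RODC1, 'Redmond Users' and the
# Redmond site are assumed. Run step 1 on the server being promoted; the rest from
# any host with the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Deploy the RODC (prompts for the DSRM password; the server reboots when done).
#    On Windows Server 2008 this is adprep /rodcprep followed by dcpromo.
Install-ADDSDomainController -DomainName 'adatum.com' -SiteName 'Redmond' `
    -ReadOnlyReplica -InstallDns -Credential (Get-Credential 'ADATUM\Administrator') -Force

# 2. Password replication policy. Allowed and denied lists are separate parameter
#    sets, so they are set in separate calls. Privileged groups are already in the
#    default Denied RODC Password Replication Group; the audit below is what proves it.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'SEA-RODC1' -AllowedList 'Redmond Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'SEA-RODC1' -DeniedList 'Account Operators', 'Server Operators'

# 3. Audit: which secrets are physically on the RODC, and do any belong to a member
#    of a denied group? Changing the policy does not purge a secret that was cached
#    before the change; only a password reset does.
function Get-RodcCachedDeniedAccounts {
    param([string]$Rodc = 'SEA-RODC1')
    $denied        = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $deniedMembers = @()
    foreach ($p in $denied) {
        if ($p.ObjectClass -eq 'group') {
            $deniedMembers += Get-ADGroupMember -Identity $p.DistinguishedName -Recursive |
                Select-Object -ExpandProperty SamAccountName
        }
        else {
            $deniedMembers += $p.SamAccountName
        }
    }
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $deniedMembers -contains $_.SamAccountName }
}

# Empty output is the expected state; anything listed is a secret to reset now.
Get-RodcCachedDeniedAccounts

# The full revealed list is the set of passwords to reset if the RODC is ever lost or stolen.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'SEA-RODC1' -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

Keep the revealed list in the branch runbook: when an RODC goes missing, deleting its computer object from Active Directory Users and Computers offers to reset exactly those accounts, and the list above is how you confirm the scope in advance.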

Page 25

Lab: Planning for Active Directory
• Exercise 1: Selecting a Forest Topology
• Exercise 2: Planning Active Directory for a Branch Network
• Exercise 3: Deploying a Branch Domain Controller

Estimated time: 60 minutes

Logon information
Virtual machines: 6430B-SEA-DC1, 6430B-SEA-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd

Page 26

Lab Scenario
• Adatum Corporation has recently acquired Contoso, a company with a range of compatible products. Allison Brown, the IT Manager, has asked you to create a document with recommendations about how best to incorporate the Contoso network infrastructure into that of Adatum.

• Adatum has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals.

• You have been tasked with performing the deployment of the new domain controller at the Redmond sales branch office.

Page 27

Module Review and Takeaways
• Review Questions