3.1 © 2004 Pearson Education, Inc.
Exam 70-297 Designing a Microsoft® Windows® Server 2003 Active Directory and Network Infrastructure
Lesson 3: Examining the Current Directory Services Infrastructure
Examining a Windows NT Infrastructure (2)
(Skill 1)
Number and configuration of domains and trusts
  Defines the domain model in use
  Of utmost concern when upgrading rather than restructuring
  Types of domain models used in Windows NT
    Single master
    Multi-master
    Mesh (full trust)

Examining a Windows NT Infrastructure (3)
(Skill 1)
Single master domain model
  Consists of one account domain trusted by one or more resource domains
  User accounts are contained in the account domain (also called the master domain)
  Resources are administered from the resource domain
  Advantage: centralized model with a well-defined administrative boundary
  Disadvantages: reduced user limits and potential for excessive WAN traffic

Examining a Windows NT Infrastructure (4)
(Skill 1)
Multi-master domain model
  Consists of multiple account and resource domains, with the master domains all trusting each other and the resource domains trusting all master domains
  Accounts are contained in all master domains
  Resources are administered in the resource domain
  Advantages: fairly well centralized, strong administrative boundaries, and higher account limits than the single master model
  Disadvantages: increased complexity and still some potential for excessive WAN traffic

Examining a Windows NT Infrastructure (5)
(Skill 1)
Mesh (full trust) domain model
  Contains multiple domains that all trust all other domains
  Accounts and resources are administered in each domain
  Advantages: unlimited account limits and few traffic problems
  Disadvantages: very complex administrative structure, difficult to administer with more than four domains, and requires defining and administering an excessive number of trust relationships

Examining a Windows NT Infrastructure (6)
(Skill 1)
Administrative model
  Normally follows the domain structure
  Important to understand because the model helps define administrative boundaries in the new network
  The most accurate way to determine it is to examine the daily functions of each member of the administrative team
  Other methods
    Interviewing administrative or IT management
    Examining permissions, rights, and group memberships
  Helpful to create a diagram once the examination is complete

Examining a Windows NT Infrastructure (7)
(Skill 1)
Replication
  Almost entirely dependent on the domain model chosen and the domain controller layout
  Windows NT uses the replicator service to replicate file and folder structures to specific servers
  In Windows Server 2003 and Windows 2000 Server, this function has been taken over by the File Replication Service (FRS)
  During the design process, you must know which folders will need to be replicated by FRS, which almost always includes a subset of the files currently replicated by the replicator service

Examining a Windows NT Infrastructure (8)
(Skill 1)
System policies
  Currently configured system policies provide a good starting point on which to base Group Policies
  System policies also define rights assignments, which are important when designing the security and administrative structure of the new network

Examining a Windows NT Infrastructure (9)
(Skill 1)
Group structure
  Must take into account global and local group memberships
  In many Windows NT networks, global groups are used almost exclusively, which leads to a large number of global groups
  Rearrange the group structure to utilize both global and local groups and follow the Microsoft rule
  Microsoft rule (A-G-DL-P): put user accounts (A) into global groups (G), put global groups into domain local groups (DL), and then grant permissions (P)

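The A-G-DL-P rule in working form, as an added PowerShell example that is not part of the Pearson course material: it summarizes the existing security groups by scope (to see whether global groups dominate, as the slide describes), applies the rule for one shared folder, and reports explicit ACL entries that bypass it. It assumes the ActiveDirectory module from RSAT; the share path, group names and OU distinguished name are constructed placeholders.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory
# module (RSAT) and rights to create groups and change the share's ACL.
Import-Module ActiveDirectory

# Count security groups by scope. A structure that is almost all Global
# groups is the Windows NT habit the slide says to rearrange.
function Get-GroupScopeSummary {
    Get-ADGroup -Filter 'GroupCategory -eq "Security"' |
        Group-Object -Property GroupScope |
        Select-Object @{ n = 'Scope'; e = { $_.Name } }, Count
}

# A-G-DL-P: accounts -> global group -> domain local group -> permission.
function Grant-ResourceAccess {
    param(
        [Parameter(Mandatory)] [string]   $ResourcePath,      # folder being shared
        [Parameter(Mandatory)] [string]   $GlobalGroup,       # G: who (a role)
        [Parameter(Mandatory)] [string]   $DomainLocalGroup,  # DL: what (resource + right)
        [Parameter(Mandatory)] [string]   $GroupOU,           # DN of the OU that holds groups
        [Parameter(Mandatory)] [string[]] $Users,             # A: sAMAccountNames
        [ValidateSet('Read', 'Modify')] [string] $Right = 'Modify'
    )
    # A -> G
    if (-not (Get-ADGroup -Filter "Name -eq '$GlobalGroup'")) {
        New-ADGroup -Name $GlobalGroup -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    Add-ADGroupMember -Identity $GlobalGroup -Members $Users
    # G -> DL
    if (-not (Get-ADGroup -Filter "Name -eq '$DomainLocalGroup'")) {
        New-ADGroup -Name $DomainLocalGroup -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
    Add-ADGroupMember -Identity $DomainLocalGroup -Members $GlobalGroup
    # DL -> P: only the domain local group is named in the resource ACL
    $netbios = (Get-ADDomain).NetBIOSName
    $rights  = if ($Right -eq 'Read') { 'ReadAndExecute' } else { 'Modify' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$DomainLocalGroup", $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $ResourcePath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ResourcePath -AclObject $acl
}

# Report explicit ACL entries granted to users or global groups instead of
# domain local groups; these are the entries a rearrangement has to fix.
function Find-RuleViolations {
    param([Parameter(Mandatory)] [string] $ResourcePath)
    $acl = Get-Acl -Path $ResourcePath
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties groupType
        if (-not $obj) { continue }   # local account or well-known SID, not a domain principal
        $kind = switch ($obj.ObjectClass) {
            'user'  { 'user account' }
            'group' {
                if     ($obj.groupType -band 0x2) { 'global group' }        # GROUP_TYPE_ACCOUNT_GROUP
                elseif ($obj.groupType -band 0x4) { 'domain local group' }  # GROUP_TYPE_RESOURCE_GROUP
                else                              { 'universal group' }
            }
            default { $obj.ObjectClass }
        }
        if ($kind -ne 'domain local group') {
            [pscustomobject]@{
                Path = $ResourcePath; Identity = $ace.IdentityReference.Value
                Kind = $kind; Rights = $ace.FileSystemRights
            }
        }
    }
}

# Usage with constructed names:
# Get-GroupScopeSummary
# Grant-ResourceAccess -ResourcePath 'D:\Shares\Finance' -GlobalGroup 'GG-Finance-Staff' `
#     -DomainLocalGroup 'DL-Finance-Share-Modify' -GroupOU 'OU=Groups,DC=example,DC=local' `
#     -Users 'alice', 'bob'
# Find-RuleViolations -ResourcePath 'D:\Shares\Finance'
```

The group-scope check decodes the groupType bits rather than trusting a naming convention, so it reports the same violation whether the offending global group is called GG-Finance or Finance Users.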
Examining a Windows NT Infrastructure (10)
(Skill 1)
Domain controller configuration
  If reusing existing domain controllers, hardware specifications become critical
    Check compatibility and ability to scale
    Perform a pilot upgrade if possible
    If a pilot is not possible, use Performance Monitor or third-party tools to determine the peak number of interactive logins that must be supported by each domain controller (the primary metric)
    RAM, disk, and network requirements are fairly static
    Processor requirements depend on the number of users interactively logging in during the peak period
    Take other services into account

Examining a Windows NT Infrastructure (11)
(Skill 1)
Domain controller placement
  Analysis of current placement helps determine the areas of the network that may be prone to performance or reliability constraints

Figure 3-1 Single master domain model
(Skill 1)
Figure 3-2 Multi-master domain model
(Skill 1)
Figure 3-3 Mesh domain model
(Skill 1)
Figure 3-4 A diagram of a simple administrative model
(Skill 1)
Figure 3-5 The Microsoft Rule
(Skill 1)
Examining a Windows 2000 Infrastructure
(Skill 2)
Redesigning a Windows 2000 Active Directory-based infrastructure typically requires a more thorough examination of the existing infrastructure than redesigning a Windows NT infrastructure does
  Active Directory adds significant complexity to the environment

Examining a Windows 2000 Infrastructure (2)
(Skill 2)
Factors to consider when designing an Active Directory-based network
  Forest and tree design
  Existing manual trust relationships
  DNS configuration
  Site configuration
  Schema modifications
  Organizational unit (OU) design

Examining a Windows 2000 Infrastructure (3)
(Skill 2)
Factors to consider when designing an Active Directory-based network
  Active Directory security settings
  Group Policy
  Sysvol requirements
  Global catalog server requirements
  Security and distribution group configuration
  Flexible Single Master of Operations (FSMO) role configuration

Examining a Windows 2000 Infrastructure (4)
(Skill 2)
Forest and tree design
  Forest design affects the number of schemas, the administrative model, the number of global catalogs, and the trust design
  If a network contains more than one forest, you should know the reasoning behind that decision
  Importance of tree design
    It describes the network’s domain naming model
    It defines the configuration of the default trust relationships within the forest(s)

Examining a Windows 2000 Infrastructure (5)
(Skill 2)
Existing manual trust relationships
  Types of manual trusts
    Shortcut trusts (manual two-way transitive trusts, also known as explicit trusts)
    One-way trusts (typically established between Windows NT and Active Directory domains or between different Active Directory forests)
  Must understand the reasoning behind why they exist, because it may influence the new design

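An inventory that covers the two slides above (forest and tree layout, and the manual trusts that have accumulated on top of the default ones), as an added PowerShell example that is not part of the Pearson course material. It assumes the ActiveDirectory module on a domain-joined host and reads only the forest, domain and trust objects; the classification of a trust as "default" versus "manual" is derived here from the partner's DNS name relative to the local domain, which is an assumption to confirm against the tree roots the forest summary prints.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory
# module and a domain-joined host; run once per domain to see that domain's
# trust objects.
Import-Module ActiveDirectory

# Forest layout: domains, tree roots (domains that are not a child of another
# forest domain), global catalogs and forest-wide role holders.
function Get-ForestSummary {
    $f = Get-ADForest
    $treeRoots = $f.Domains | Where-Object {
        $d = $_
        -not ($f.Domains | Where-Object { $_ -ne $d -and $d.EndsWith(".$_") })
    }
    [pscustomobject]@{
        Forest             = $f.Name
        ForestMode         = $f.ForestMode
        DomainCount        = @($f.Domains).Count
        TreeRoots          = (@($treeRoots) -join ', ')
        GlobalCatalogCount = @($f.GlobalCatalogs).Count
        SchemaMaster       = $f.SchemaMaster
        DomainNamingMaster = $f.DomainNamingMaster
    }
}

# Classify each trust the local domain holds and surface the attributes that
# decide what a redesign inherits: direction, transitivity, SID filtering and
# selective authentication.
function Get-TrustInventory {
    $local = (Get-ADDomain).DNSRoot
    foreach ($t in Get-ADTrust -Filter *) {
        $parentChild = $t.Target.EndsWith(".$local") -or $local.EndsWith(".$($t.Target)")
        $kind = if (-not $t.IntraForest) {
            if     ($t.ForestTransitive)          { 'Forest trust (other AD forest)' }
            elseif ($t.TrustType -eq 'Downlevel') { 'External trust (Windows NT domain)' }
            elseif ($t.TrustType -eq 'Uplevel')   { 'External trust (AD domain, non-transitive)' }
            else                                  { "Other ($($t.TrustType))" }
        } elseif ($parentChild) {
            'Default parent-child trust'
        } else {
            # Tree-root trusts also land here when run in the forest root domain;
            # confirm against TreeRoots from Get-ForestSummary before treating
            # one of these as a manual shortcut trust.
            'Shortcut or tree-root trust'
        }
        [pscustomobject]@{
            Partner                 = $t.Target
            Kind                    = $kind
            Direction               = $t.Direction        # Inbound, Outbound or BiDirectional
            Transitive              = -not $t.DisallowTransivity
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            SelectiveAuthentication = $t.SelectiveAuthentication
            Manual                  = ($kind -notlike 'Default*')
        }
    }
}

# Usage:
# Get-ForestSummary
# Get-TrustInventory | Where-Object Manual | Format-Table -AutoSize
```

Every row flagged Manual is one the slide says needs a documented reason; the SID filtering and selective authentication columns tell you how much of the partner domain's authority the trust currently lets through, which is the part of the reasoning that most often goes unrecorded.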
Examining a Windows 2000 Infrastructure (7)
(Skill 2)
Site configuration
  Sites are commonly misconfigured
  Pay special attention to site links and to the relationship between the physical topology and the site topology
  Mistakes can lead to significantly higher WAN link usage

Examining a Windows 2000 Infrastructure (8)
(Skill 2)
Schema modifications
  Of concern because schema modifications can make drastic changes to the functionality of Active Directory
  Examine the number and type of schema modifications, the organization’s schema modification guidelines, and the reasoning behind the modifications
  Failure to take schema modifications into account can lead to last-minute schema modifications, which can cause massive Active Directory replication and other problems

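One way to get the "number and type of schema modifications" the slide asks for without relying on the organization's own records, as an added PowerShell example that is not part of the Pearson course material. It assumes the ActiveDirectory module and read access to the schema partition, and it rests on one observation about how the directory behaves: every base schema object is stamped with the forest creation time, so anything created later was added by an extension.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory
# module; read access to the schema partition is enough.
Import-Module ActiveDirectory

function Get-SchemaModificationReport {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # objectVersion on the schema container records the base schema level
    # (13 = Windows 2000, 30 = Windows Server 2003, higher for later releases).
    $version  = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
    $objects  = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
        -Properties lDAPDisplayName, whenCreated, whenChanged)

    # Every base schema object is created when the forest is built, so the
    # earliest whenCreated is the baseline; anything created after it came
    # from an extension (adprep for a newer OS, Exchange, third-party or
    # in-house changes). Base objects whose whenChanged is later were altered
    # in place; that set is a superset to review, since whenChanged is local.
    $baseline = ($objects | Sort-Object whenCreated | Select-Object -First 1).whenCreated
    $cutoff   = $baseline.AddDays(1)
    $added    = @($objects | Where-Object { $_.whenCreated -gt $cutoff })
    $altered  = @($objects | Where-Object { $_.whenCreated -le $cutoff -and $_.whenChanged -gt $cutoff })

    # Group additions by day: each batch is one extension event whose
    # approval and reasoning the slide says to track down.
    $batches = $added | Group-Object { $_.whenCreated.ToString('yyyy-MM-dd') } | Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Date     = $_.Name
                Objects  = $_.Count
                Examples = (@($_.Group | Select-Object -First 5 | ForEach-Object lDAPDisplayName) -join ', ')
            }
        }
    [pscustomobject]@{
        SchemaVersion  = $version
        TotalObjects   = $objects.Count
        Baseline       = $baseline
        AddedObjects   = $added.Count
        AlteredObjects = $altered.Count
        Batches        = $batches
    }
}

# Usage:
# $s = Get-SchemaModificationReport
# $s | Select-Object SchemaVersion, TotalObjects, AddedObjects, AlteredObjects
# $s.Batches | Format-Table -AutoSize
```

The Examples column usually identifies the product behind a batch from the attribute prefixes alone, which is what you compare against the organization's schema modification guidelines to find the changes nobody approved.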
Examining a Windows 2000 Infrastructure (9)
(Skill 2)
Organizational unit (OU) design
  One of the most significant factors in Active Directory design
  Affects administrative delegation, object organization, and Group Policy application within each domain

Examining a Windows 2000 Infrastructure (10)
(Skill 2)
Organizational unit (OU) design
  Need to analyze certain facets
    Structure of the OU design
    Number of levels present in the OU design
    Organization (or lack thereof) in the design
    Delegation of permissions
    Group Policies applied to OUs
    Use of Block Inheritance and No Override settings
    Contents of each OU

Examining a Windows 2000 Infrastructure (11)
(Skill 2)
Active Directory security settings
  Related to OU design
  Typically applied to one or more groups within the structure, in the form of delegated permissions applied to the OU
  Sometimes applied to individual objects
  All should be examined thoroughly

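A per-OU report covering the facets listed two slides up (structure, levels, contents, linked policies, Block Inheritance) together with the delegated permissions this slide describes, as an added PowerShell example that is not part of the Pearson course material. It assumes the ActiveDirectory module and its AD: drive; the list of trustees treated as "present by default" is an assumption that varies with forest version and should be trimmed or extended for the forest being examined.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory
# module; Get-Acl on the AD: drive needs the module loaded in this session.
Import-Module ActiveDirectory

function Get-OuDesignReport {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)

    # Trustees present on every OU by default (assumed list; adjust for the
    # forest being examined). Anything else that appears in a non-inherited
    # ACE was delegated by an administrator.
    $domain  = Get-ADDomain
    $rootNb  = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName
    $default = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone', 'CREATOR OWNER',
                 'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
                 'BUILTIN\Pre-Windows 2000 Compatible Access', 'BUILTIN\Incoming Forest Trust Builders',
                 "$($domain.NetBIOSName)\Domain Admins", "$rootNb\Enterprise Admins")

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties gPLink, gPOptions) {
        $dn = $ou.DistinguishedName
        # Structure: nesting depth and what the OU actually holds
        $depth    = ([regex]::Matches($dn, '(?i)(^|,)OU=')).Count
        $children = @(Get-ADObject -Filter * -SearchBase $dn -SearchScope OneLevel)
        $contents = (@($children | Group-Object ObjectClass | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' ')
        # Delegation: explicit Allow ACEs held by non-default trustees
        $acl       = Get-Acl -Path "AD:\$dn"
        $delegated = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
            $default -notcontains $_.IdentityReference.Value
        })
        [pscustomobject]@{
            OU                = $dn
            Depth             = $depth
            Children          = $children.Count
            Contents          = $contents
            LinkedGpos        = if ($ou.gPLink) { ([regex]::Matches($ou.gPLink, '\[LDAP://', 'IgnoreCase')).Count } else { 0 }
            BlocksInheritance = [bool]($ou.gPOptions -band 1)   # gPOptions bit 1 = Block Inheritance
            DelegatedAces     = $delegated.Count
            DelegatedTo       = (@($delegated | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join '; ')
        }
    }
}

# Usage: deepest OUs first, then the ones carrying delegation
# Get-OuDesignReport | Sort-Object Depth -Descending |
#     Format-Table OU, Depth, Children, LinkedGpos, BlocksInheritance -AutoSize
# Get-OuDesignReport | Where-Object DelegatedAces -gt 0 | Format-List OU, DelegatedTo
```

Empty OUs with policies linked, deep chains that exist only to hang one GPO, and delegation granted to individual user accounts rather than groups all show up directly in this table; the slide's "sometimes applied to individual objects" case needs the same ACL query run against the objects inside an OU, which this function does not do.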
Examining a Windows 2000 Infrastructure (12)
(Skill 2)
Group Policy
  Settings have a significant impact on the operation of systems within the network
  Note which Group Policy Objects (GPOs) are applied at the site, domain, and OU levels
  Examine each GPO to determine its configured settings
  Examine the use of No Override and Block Inheritance
  Examine the permissions configured on each Group Policy

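The link, inheritance and permission checks the slide lists, as an added PowerShell example that is not part of the Pearson course material. It assumes the ActiveDirectory and GroupPolicy modules (RSAT). Domain and OU links come from Get-GPInheritance; site links are read from the site object's gPLink attribute, whose per-link flag value encodes disabled (1) and enforced (2), the latter being what the Windows 2000 tools called No Override. The set of trustee names treated as administrative is an assumption.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT); run from a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Where each GPO is linked: domain root and every OU via Get-GPInheritance,
# sites via their gPLink attribute.
function Get-GpoLinkReport {
    $domain  = Get-ADDomain
    $gpoById = @{}
    foreach ($g in Get-GPO -All) { $gpoById["{$($g.Id)}".ToUpper()] = $g.DisplayName }

    $targets = @($domain.DistinguishedName) + @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        foreach ($l in $inh.GpoLinks) {
            [pscustomobject]@{
                Level = if ($dn -eq $domain.DistinguishedName) { 'Domain' } else { 'OU' }
                Target = $dn; Gpo = $l.DisplayName; Order = $l.Order
                Enabled = $l.Enabled; Enforced = $l.Enforced
                TargetBlocksInheritance = $inh.GpoInheritanceBlocked
            }
        }
    }
    # Sites: parse "[LDAP://cn={guid},...;flags]" entries. Order here is the
    # position in gPLink; read precedence from GPMC if it matters.
    foreach ($site in Get-ADReplicationSite -Filter * -Properties gPLink) {
        if (-not $site.gPLink) { continue }
        $pos = 0
        foreach ($m in [regex]::Matches($site.gPLink, '\[LDAP://cn=(\{[0-9A-Fa-f-]+\})[^;]*;(\d+)\]', 'IgnoreCase')) {
            $pos++
            $flags = [int]$m.Groups[2].Value
            [pscustomobject]@{
                Level = 'Site'; Target = $site.Name
                Gpo = $gpoById[$m.Groups[1].Value.ToUpper()]; Order = $pos
                Enabled = -not ($flags -band 1); Enforced = [bool]($flags -band 2)
                TargetBlocksInheritance = $false
            }
        }
    }
}

# Who can apply and, more importantly, who can edit each GPO.
function Get-GpoPermissionReport {
    # Trustee names (no domain prefix) considered administrative; assumed list.
    $adminLike = '^(Administrators|Domain Admins|Enterprise Admins|SYSTEM|ENTERPRISE DOMAIN CONTROLLERS)$'
    foreach ($g in Get-GPO -All) {
        $perms    = @(Get-GPPermission -Guid $g.Id -All)
        $editors  = @($perms | Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
                      ForEach-Object { $_.Trustee.Name })
        $nonAdmin = @($editors | Where-Object { $_ -notmatch $adminLike })
        [pscustomobject]@{
            Gpo             = $g.DisplayName
            Status          = $g.GpoStatus
            AppliesTo       = (@($perms | Where-Object Permission -eq 'GpoApply' | ForEach-Object { $_.Trustee.Name }) -join '; ')
            Editors         = ($editors -join '; ')
            NonAdminEditors = ($nonAdmin -join '; ')
            SecurityFiltered = -not ($perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' })
        }
    }
}

# Usage:
# Get-GpoLinkReport | Where-Object { $_.Enforced -or $_.TargetBlocksInheritance } | Format-Table -AutoSize
# Get-GpoPermissionReport | Where-Object NonAdminEditors | Format-Table Gpo, NonAdminEditors -AutoSize
```

The two usage lines pull out exactly what the slide says to examine: every place No Override or Block Inheritance is in play, and every GPO that someone outside the administrative groups can edit, since edit rights on a GPO linked high in the tree are equivalent to control of every computer below it.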
Examining a Windows 2000 Infrastructure (14)
(Skill 2)
Global catalog server requirements
  Examine locations, paying special attention to locations that do not contain any global catalog servers
  Examine the configuration of each existing global catalog server
  Examine reliability and performance statistics
  Examine network traffic related to global catalog replication and queries

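A site topology report that serves both the site configuration slide and this one (locations without a global catalog), as an added PowerShell example that is not part of the Pearson course material. It assumes the ActiveDirectory module in a version that includes the Get-ADReplication* cmdlets, and it reports the mismatches between physical and site topology that push logon, replication and global catalog traffic onto WAN links.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory
# module (the Get-ADReplication* cmdlets need the Windows Server 2012 or
# later version of the module).
Import-Module ActiveDirectory

function Get-SiteTopologyReport {
    $sites   = @(Get-ADReplicationSite -Filter *)
    $subnets = @(Get-ADReplicationSubnet -Filter *)
    $links   = @(Get-ADReplicationSiteLink -Filter *)
    $dcs     = @(Get-ADDomainController -Filter *)

    $siteRows = foreach ($s in $sites) {
        $here = @($dcs | Where-Object { $_.Site -eq $s.Name })
        [pscustomobject]@{
            Site              = $s.Name
            Subnets           = @($subnets | Where-Object { $_.Site -eq $s.DistinguishedName }).Count
            DomainControllers = $here.Count
            GlobalCatalogs    = @($here | Where-Object { $_.IsGlobalCatalog }).Count
            SiteLinks         = @($links | Where-Object { $_.SitesIncluded -contains $s.DistinguishedName }).Count
        }
    }
    $linkRows = foreach ($l in $links) {
        [pscustomobject]@{
            Link      = $l.Name
            Cost      = $l.Cost
            Frequency = $l.ReplicationFrequencyInMinutes
            Sites     = (@($l.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ')
        }
    }

    # Mismatches between physical topology and site topology.
    $findings = @()
    foreach ($n in $subnets | Where-Object { -not $_.Site }) {
        $findings += "Subnet $($n.Name) is not assigned to a site: clients there are not steered to a local DC"
    }
    foreach ($r in $siteRows) {
        if ($r.Subnets -eq 0) { $findings += "Site $($r.Site) has no subnets: no client can be mapped to it" }
        if ($r.SiteLinks -eq 0 -and $sites.Count -gt 1) {
            $findings += "Site $($r.Site) is in no site link: replication to it is undefined"
        }
        if ($r.DomainControllers -gt 0 -and $r.GlobalCatalogs -eq 0) {
            $findings += "Site $($r.Site) has DCs but no global catalog: universal group lookups at logon cross the WAN"
        }
        if ($r.Subnets -gt 0 -and $r.DomainControllers -eq 0) {
            $findings += "Site $($r.Site) has clients but no DC: every logon crosses the WAN"
        }
    }
    [pscustomobject]@{ Sites = $siteRows; SiteLinks = $linkRows; Findings = $findings }
}

# Usage:
# $r = Get-SiteTopologyReport
# $r.Sites | Format-Table -AutoSize
# $r.SiteLinks | Format-Table -AutoSize
# $r.Findings
```

Compare the SiteLinks table against the WAN diagram: a link whose Cost or Frequency does not reflect the circuit it rides is the kind of mistake the site configuration slide says produces significantly higher WAN usage.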
Examining a Windows 2000 Infrastructure (16)
(Skill 2)
Flexible Single Master of Operations (FSMO) role configuration
  Examine the placement of these roles closely, because they are so important
  Make sure in the new design that you transfer roles as necessary to achieve the maximum level of reliability and redundancy

Examining a Windows 2000 Infrastructure (17)
(Skill 2)
FSMO role configuration
  Obtain the following information on servers currently hosting FSMO roles
    Server hardware configuration
    Server performance and reliability statistics
    Backup records or logs
    Other services configured
    Security settings
    Whether the server is a global catalog server
    Whether the server hosts more than one FSMO role

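Collecting the last two items on the slide (global catalog status and multiple roles per server) for every role holder in the forest, as an added PowerShell example that is not part of the Pearson course material. It assumes the ActiveDirectory module on a host that can read every domain in the forest. The one finding it raises beyond the slide's list, an Infrastructure Master placed on a global catalog in a multi-domain forest, is a general Active Directory placement rule rather than something the course states.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory
# module and a domain-joined host with read access to every domain.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $roles  = @(
        [pscustomobject]@{ Role = 'SchemaMaster';       Scope = $forest.Name; Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Role = 'DomainNamingMaster'; Scope = $forest.Name; Holder = $forest.DomainNamingMaster }
    )
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $roles += [pscustomobject]@{ Role = 'PDCEmulator';          Scope = $name; Holder = $d.PDCEmulator }
        $roles += [pscustomobject]@{ Role = 'RIDMaster';            Scope = $name; Holder = $d.RIDMaster }
        $roles += [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = $name; Holder = $d.InfrastructureMaster }
    }

    # One row per server that holds at least one role, with the facts the
    # slide lists: OS, site, whether it is a GC, how many roles it carries.
    $servers = foreach ($g in ($roles | Group-Object Holder)) {
        $dc = Get-ADDomainController -Identity $g.Name
        [pscustomobject]@{
            Server          = $g.Name
            Site            = $dc.Site
            OperatingSystem = $dc.OperatingSystem
            IsGlobalCatalog = $dc.IsGlobalCatalog
            RoleCount       = $g.Count
            Roles           = (@($g.Group | ForEach-Object { "$($_.Role)@$($_.Scope)" }) -join ', ')
        }
    }

    $findings = foreach ($s in $servers) {
        if ($s.RoleCount -gt 1) {
            "$($s.Server) holds $($s.RoleCount) roles ($($s.Roles)): one outage removes all of them"
        }
        # General AD placement rule, not from the slide: the Infrastructure
        # Master must not be a GC unless every DC in its domain is a GC.
        if ($s.Roles -match 'InfrastructureMaster' -and $s.IsGlobalCatalog -and @($forest.Domains).Count -gt 1) {
            "$($s.Server) is Infrastructure Master and a global catalog in a multi-domain forest: cross-domain reference updates stall unless every DC in that domain is a GC"
        }
    }
    [pscustomobject]@{ Roles = $roles; Servers = $servers; Findings = @($findings) }
}

# Usage:
# $r = Get-FsmoReport
# $r.Servers | Format-Table -AutoSize
# $r.Findings
```

The Roles column is the input to the transfer plan the previous slide calls for: a server carrying several roles is the first candidate for splitting them across domain controllers in different sites.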
Figure 3-9 Analyzing Group Policy application
(Skill 2)