
70-297: MCSE Guide to Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure

Chapter 2: Developing the Active Directory Infrastructure Design

Exam Objectives
1.5 Design the Active Directory infrastructure to meet business and technical requirements
1.5.1 Design the envisioned administration model
1.5.2 Create the conceptual design of the Active Directory forest structure
1.5.3 Create the conceptual design of the Active Directory domain structure
1.5.5 Create the conceptual design of the organizational unit (OU) structure
1.5.4 Design the Active Directory replication strategy

Introduction
Active Directory designs are developed after the environment has been assessed and fully documented
During the initial stages of the Active Directory services infrastructure design, identify the administrative model that will be implemented


Assessing and Designing the Administrative Model


Service administrators are responsible for:
Maintaining the Active Directory infrastructure
Ensuring that the infrastructure provides the necessary functions and services to end users
Service administrators are not the same people who perform the data administrator role


The Role of the Service Administrator


The service administrator is responsible for:
Management and maintenance of domain controllers (DCs)
Management and maintenance of the Domain Name System (DNS)
Management and maintenance of forestwide components
Management and maintenance of Active Directory replication within the forest
Deployment of the Active Directory infrastructure throughout the organization
Management and maintenance of trusts within the forest
Management and maintenance of trusts with external domains, forests, and Kerberos realms

The Role of the Data Administrator


The data administrator is responsible for:
Management of user objects
Management of group objects
Management of machine objects
Management of printer objects
Management of NTFS file and share access control lists (ACLs)
Management of member servers and workstations


Understanding Isolation and Autonomy


Autonomy:
Implies a degree of independence
Can be achieved at the service administrator level
Can be achieved at the data administrator level

Isolation:
Only administrators of the resource have access


Autonomy and Isolation Flow Chart


Assessing and Defining the Forest Design


Forest design factors:
Organizational
Operational
Legal
Naming considerations
Timescales
Management overhead
Test environments
External-facing environments


Forest Models
Multiple forest scenarios:
The Service Provider model
The Restricted Access model
The Resource model
The Organizational model
The Single-Forest model


The Service Provider Model


The Restricted Access Model


The Resource Model


The Organizational Forest Model


The Single Forest Model


Simplest to design, engineer, and deploy
Cheapest option to deploy and the cheapest to own
Isolation requires a separate forest to be established
Autonomy needs a separate domain to be established


Ownership, Accountability, and Change Management


Sponsors are responsible for ensuring that:
Each business's requirements are voiced during the design phase
Designs are appropriate and relevant to each participating business

Owners are responsible for assigning the appropriate people to the appropriate roles


Assessing and Creating the Domain Design


Decision to deploy additional domains is influenced by:
Geographic separation
Network limitations
Service autonomy


Maximum Number of Users Supported in a Single Domain


Names and Hierarchies


When designing Active Directory forests and domains:
Each domain has two names: a NetBIOS name and a DNS name

Dedicated root domain


When deploying the first domain in a forest, the DNS name chosen is used as the suffix for all other domains


Using a Dedicated Root Domain


Deployed simply to exist as the root domain
Advantages:
Forest service admins are separated from domain service admins
Simpler to reconfigure the forest
Politically neutral


The Dedicated Root Domain Model


The Nondedicated Domain


Regional Domains
The regional model implies that a separate domain is created for each distinct region within the organization
Disadvantages associated with introducing additional regional domains:
Multiple service admin groups
Additional overhead in duplicating settings
Interdomain object moves

The Regional Domain Model


Functional Domains
Established per functional group or business group within the organization
Within the functional domain model:
The forest might be home to multiple, disparate, autonomous businesses
A degree of collaboration is required


The Functional Domain Model


Comparing Trees with Domains

Advantages of the single tree approach:
Only one namespace needs to be created and managed
No interoperability issues exist between disparate namespaces

Disadvantages of the single tree approach:
Disparate, autonomous businesses are constrained to using the first namespace
Businesses do not have autonomy within their own namespace


A Single Tree


Multiple Trees
Advantages:
Disparate businesses can use their own different namespaces
Autonomy within the business namespace

Disadvantages:
Multiple DNS names
Increased DNS maintenance


A Forest with Multiple Trees


Single Domain Forest


Houses all objects, including:
Forest service admins
Domain service admins
Users
Groups
Computers
DCs


Advantages and Disadvantages of a Single Domain Forest


Developing the OU Model


OU design factors are dictated by:
The way in which the business is administered
The way in which group policy needs to be
The need to hide sensitive objects from users


OU Design Models
Geographic models
Start by creating geography-based OUs at the root of the domain

Functional models
Start by creating functional-based OUs at the root of the domain

Object type models


Start by creating object type-based OUs at the root of the domain

The Geographic OU Model


The Functional OU Model


The Object Type OU Model


Developing the Replication Design


Principles and concepts surrounding replication:
Sites
Subnets
Site links
Site link bridges
Connection objects
Multimaster replication


Developing the Replication Design (continued)


Principles and concepts surrounding replication:
Knowledge Consistency Checker (KCC)
Intersite Topology Generator (ISTG) and bridgehead servers
SYSVOL and the File Replication Service (FRS)
Topology options
Ownership


Sites and Costs


Site Link Bridging
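The Sites and Costs and Site Link Bridging slides are figures in the original deck. The Python below is an added example, not part of the deck, that models what those figures show: site links carrying a cost, and the effect of "bridge all site links" (the Active Directory default, under which site links are transitive and the KCC/ISTG picks the least-cost multi-hop route) versus bridging turned off, where replication crosses only a single site link or the links grouped into an explicitly defined site link bridge. The sites (HQ, EU, APAC, Tokyo), link names and costs are constructed for the example; the route selection is a plain least-cost search over the link costs.

```python
"""Site-link cost and site-link-bridging model for an intersite replication
design (added example; the site names, links and costs are constructed)."""
import heapq
from typing import Dict, Iterable, List, Optional, Sequence, Set, Tuple

# A site link: (name, the sites it joins, cost). Lower cost is preferred.
SiteLink = Tuple[str, Set[str], int]
Route = Tuple[int, List[str]]

# Constructed sample topology: a hub (HQ) with two regional sites and a
# branch (Tokyo) hanging off APAC. The direct EU-APAC link is deliberately
# expensive so that the hub route wins when links are transitive.
SAMPLE_LINKS: List[SiteLink] = [
    ("HQ-EU", {"HQ", "EU"}, 100),
    ("HQ-APAC", {"HQ", "APAC"}, 200),
    ("EU-APAC", {"EU", "APAC"}, 500),
    ("APAC-Tokyo", {"APAC", "Tokyo"}, 50),
]


def adjacency(links: Iterable[SiteLink]) -> Dict[str, Dict[str, int]]:
    """Build a site-to-site cost map from site links, keeping the cheapest
    cost where two sites are joined by more than one link."""
    graph: Dict[str, Dict[str, int]] = {}
    for _name, sites, cost in links:
        for a in sites:
            for b in sites:
                if a != b and cost < graph.setdefault(a, {}).get(b, float("inf")):
                    graph[a][b] = cost
    return graph


def dijkstra(graph: Dict[str, Dict[str, int]], src: str, dst: str) -> Optional[Route]:
    """Least-cost path over the cost map (the selection the ISTG makes when
    site links are transitive). Returns (total cost, [sites]) or None."""
    best: Dict[str, int] = {src: 0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, src)]
    done: Set[str] = set()
    while heap:
        cost, site = heapq.heappop(heap)
        if site in done:
            continue
        done.add(site)
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        for nxt, link_cost in graph.get(site, {}).items():
            total = cost + link_cost
            if total < best.get(nxt, float("inf")):
                best[nxt] = total
                prev[nxt] = site
                heapq.heappush(heap, (total, nxt))
    return None


def least_cost_route(links: Sequence[SiteLink], src: str, dst: str,
                     bridge_all_site_links: bool = True,
                     bridges: Sequence[Set[str]] = ()) -> Optional[Route]:
    """Route replication can take from src to dst.

    With bridge_all_site_links on (the AD default) every site link is
    transitive, so the cheapest multi-hop route across all links is used.
    With it off, a route exists only across one site link, or across the
    links of one explicit site link bridge (each bridge is a set of link
    names); the cheapest such route is returned, or None if there is none."""
    if bridge_all_site_links:
        link_sets: List[Sequence[SiteLink]] = [links]
    else:
        by_name = {link[0]: link for link in links}
        link_sets = [[link] for link in links] + [
            [by_name[name] for name in bridge] for bridge in bridges
        ]
    best: Optional[Route] = None
    for subset in link_sets:
        route = dijkstra(adjacency(subset), src, dst)
        if route is not None and (best is None or route[0] < best[0]):
            best = route
    return best


if __name__ == "__main__":
    # Transitive links: EU reaches Tokyo via the hub, cheaper than EU-APAC.
    print(least_cost_route(SAMPLE_LINKS, "EU", "Tokyo"))
    # Bridging off and no bridge defined: HQ cannot reach Tokyo at all.
    print(least_cost_route(SAMPLE_LINKS, "HQ", "Tokyo", bridge_all_site_links=False))
    # An explicit site link bridge restores the HQ-APAC-Tokyo route only.
    print(least_cost_route(SAMPLE_LINKS, "HQ", "Tokyo", bridge_all_site_links=False,
                           bridges=[{"HQ-APAC", "APAC-Tokyo"}]))
```

The design point the model makes visible is that turning off automatic bridging is a reachability decision, not just a cost tweak: a site that shares no site link (and no site link bridge) with another site gets no intersite replication route to it, so every such pair in the design needs either a direct link or a bridge.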


The Bridgehead and ISTG Roles


Summary
Service administrators manage the Active Directory infrastructure
Data administrators manage data contained within Active Directory and member computers
If service or data isolation is required, create a separate forest
If disparate schemas or Configuration partition data is required, create a separate forest

Summary (continued)
Consider geographic domains to better manage replication
Consider functional domains for service autonomy
OU design influences:
Administrative models
Group policy
Protection of sensitive objects

Be conversant with replication concepts


