70-297: MCSE Guide to Designing a Microsoft Windows Server

70-297: MCSE Guide to Designing a

Microsoft Windows Server 2003 Active

Directory and Network Infrastructure

Chapter 2:

Developing the Active

Directory Infrastructure Design

Exam Objectives

• 1.5 Design the Active Directory infrastructure to meet business and technical requirements

– 1.5.1 Design the envisioned administration model

–

1.5.2 Create the conceptual design of the Active

Directory forest structure

–

1.5.3 Create the conceptual design of the Active

Directory domain structure

– 1.5.5 Create the conceptual design of the organizational unit (OU) structure

– 1.5.4 Design the Active Directory replication strategy

70-297: MCSE Guide to Designing a Microsoft Windows Server

2003 Active Directory and Network Infrastructure

2

Introduction

• Active Directory designs are developed after the environment has been assessed and fully documented

•

During the initial stages of the Active Directory services infrastructure design, identify the administrative model that will be implemented



3

Assessing and Designing the

Administrative Model

• Service administrators are responsible for:

–

Maintaining the Active Directory infrastructure

– Ensuring that the infrastructure provides the necessary functions and services to end users

–

Not the same people performing the data administrator role



4

The Role of the Service

Administrator

•

The service administrator is responsible for:

– Management and maintenance of domain controllers (DCs)

–

Management and maintenance of a Domain Name System (DNS)

– Management and maintenance of forestwide components

– Management and maintenance of Active Directory replication within the forest

– Deployment of Active Directory infrastructure throughout the organization

– Management and maintenance of trusts within the forest

–

Management and maintenance of trusts with external domains, forests, and Kerberos realms



5

The Role of the Data

Administrator

• The data administrator is responsible for:

–

Management of user objects

– Management of group objects

– Management of machine objects

– Management of printer objects

– Management of NTFS file and share access control lists

(ACLs)

– Management of member servers and workstations



6

Understanding Isolation and

Autonomy

• Autonomy:

–

Implies a degree of independence

– Can be achieved at the service admin level

– Can be achieved at the data administrator level

• Isolation:

–

Only administrators of the resource have access



7

Autonomy and Isolation Flow

Chart



8

Assessing and Defining the

Forest Design

• Forest design factors:

– Organizational

–

Operational

– Legal

–

Naming considerations

– Timescales

–

Management overhead

–

Test environments

– External facing environments



9

Forest Models

• Multiple forest scenarios:

–

The Service Provider model

– The Restricted Access model

– The Resource model

– The Organizational model

– The Single-Forest model



10

The Service Provider Model



11

The Restricted Access Model



12

The Resource Model



13

The Organizational Forest

Model



14

The Single Forest Model

• Simplest to design, engineer, and deploy

•

Cheapest option to deploy and the cheapest to own

• Isolation requires a separate forest to be established

•

Autonomy needs a separate domain to be established



15

Ownership, Accountability, and

Change Management

• Sponsors are responsible for ensuring that:

– Each business’s requirements are voiced during the design phase

–

Designs are appropriate and relevant to each participating business

•

Owners are responsible for assigning the appropriate people to the appropriate roles



16

Assessing and Creating the

Domain Design

• Decision to deploy additional domains is influenced by:

– Geographic separation

–

Network limitations

–

Service autonomy



17

Maximum Number of Users

Supported in a Single Domain



18

Names and Hierarchies

• When designing Active Directory forests and domains

– Each domain has two names: a NetBIOS name and a

DNS name

• Dedicated root domain

–

When deploying the first domain in a forest, the DNS name chosen is used as the suffix for all other domains



19

Using a Dedicated Root

Domain

• Deployed simply to exist as the root domain

•

Advantages:

– Forest service admins are separated from domain service admins

– Simpler to reconfigure the forest

– Politically neutral



20

The Dedicated Root Domain

Model



21

The Nondedicated Domain



22

Regional Domains

• Regional model implies that a separate domain is created for each distinct region within the organization

•

Disadvantages associated with introducing additional regional domains:

– Multiple service admin groups

– Additional overhead in duplicating settings

– Interdomain object moves



23

The Regional Domain Model



24

Functional Domains

• Established per functional group or business group within the organization

•

Within the functional domain model:

–

Forest might be home to multiple, disparate, autonomous businesses

–

Degree of collaboration is required



25

The Functional Domain Model



26

Comparing Trees with

Domains

• Advantages of the single tree approach:

– Only one namespace needs to be created and managed

–

No interoperability issues exist between disparate namespaces

•

Disadvantages of the single tree approach:

–

Disparate, autonomous businesses are constrained to using the first namespace

– Businesses do not have autonomy within their own namespace



27

A Single Tree



28

Multiple Trees

• Advantages:

–

Disparate businesses can use their own different namespaces

–

Autonomy within the business namespace

•

Disadvantages:

– Multiple DNS names

–

Increased DNS maintenance



29

A Forest with Multiple Trees



30

Single Domain Forest

• Houses all objects, including:

–

Forest service admins

– Domain service admins

– Users

– Groups

– Computers

–

DCs



31

Advantages and Disadvantages of a Single Domain Forest



32

Developing the OU Model

• OU design factors are dictated by:

–

The way in which the business is administered

– The way in which group policy needs to be

– The need to hide sensitive objects from users



33

OU Design Models

• Geographic models

– Start by creating geography-based OUs at the root of the domain

•

Functional models

– Start by creating functional-based OUs at the root of the domain

•

Object type models

– Start by creating object type-based OUs at the root of the domain



34

The Geographic OU Model



35

The Functional OU Model



36

The Object Type OU Model



37

Developing the Replication

Design

• Principles and concepts surrounding replication:

–

Sites

– Subnets

– Site links

– Site link bridges

– Connection objects

–

Multimaster replication



38

Developing the Replication

Design (continued)

• Principles and concepts surrounding replication:

–

Knowledge Consistency Checker (KCC)

– Inter Site Topology Generator and bridgehead servers

– SYSVOL

– File Replication System (FRS)

– Topology options

–

Ownership



39

Sites and Costs



40

Site Link Bridging



41

The Bridgehead and ISTG

Roles



42

Summary

• Service administrators manage the Active

Directory infrastructure

•

Data administrators manage data contained within

Active Directory and member computers

•

If service or data isolation is required, create a separate forest

•

If disparate schemas or Configuration partition data is required, create a separate forest



43

Summary (continued)

• Consider geographic domains to better manage replication

•

Consider functional domains for service autonomy

•

OU design influences:

– Administrative models

–

Group policy

–

Protection of sensitive objects

•

Be conversant with replication concepts



44

70-297: MCSE Guide to Designing a Microsoft Windows Server

Chapter 2:

Developing the Active

Directory Infrastructure Design

Related documents

Products

Support

70-297: MCSE Guide to Designing a Microsoft Windows Server

Chapter 2:

Developing the Active

Directory Infrastructure Design

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib