70-297: MCSE Guide to Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure
Exam Objectives
• 1.5 Design the Active Directory infrastructure to meet business and technical requirements
– 1.5.1 Design the envisioned administration model
– 1.5.2 Create the conceptual design of the Active Directory forest structure
– 1.5.3 Create the conceptual design of the Active Directory domain structure
– 1.5.5 Create the conceptual design of the organizational unit (OU) structure
– 1.5.4 Design the Active Directory replication strategy
Introduction
• Active Directory designs are developed after the environment has been assessed and fully documented
• During the initial stages of the Active Directory services infrastructure design, identify the administrative model that will be implemented
Assessing and Designing the Administrative Model
• Service administrators are responsible for:
– Maintaining the Active Directory infrastructure
– Ensuring that the infrastructure provides the necessary functions and services to end users
– They are not the same people as those performing the data administrator role
The Role of the Service Administrator
• The service administrator is responsible for:
– Management and maintenance of domain controllers (DCs)
– Management and maintenance of a Domain Name System (DNS)
– Management and maintenance of forestwide components
– Management and maintenance of Active Directory replication within the forest
– Deployment of Active Directory infrastructure throughout the organization
– Management and maintenance of trusts within the forest
– Management and maintenance of trusts with external domains, forests, and Kerberos realms
The Role of the Data Administrator
• The data administrator is responsible for:
– Management of user objects
– Management of group objects
– Management of machine objects
– Management of printer objects
– Management of NTFS file and share access control lists (ACLs)
– Management of member servers and workstations
Understanding Isolation and Autonomy
• Autonomy:
– Implies a degree of independence
– Can be achieved at the service admin level
– Can be achieved at the data administrator level
• Isolation:
– Only administrators of the resource have access
Autonomy and Isolation Flow Chart
Assessing and Defining the Forest Design
• Forest design factors:
– Organizational
– Operational
– Legal
– Naming considerations
– Timescales
– Management overhead
– Test environments
– External facing environments
Forest Models
• Multiple forest scenarios:
– The Service Provider model
– The Restricted Access model
– The Resource model
– The Organizational model
– The Single-Forest model
The Service Provider Model
The Restricted Access Model
The Resource Model
The Organizational Forest Model
The Single Forest Model
• Simplest to design, engineer, and deploy
• Cheapest option to deploy and the cheapest to own
• Isolation requires a separate forest to be established
• Autonomy needs a separate domain to be established
Ownership, Accountability, and Change Management
• Sponsors are responsible for ensuring that:
– Each business’s requirements are voiced during the design phase
– Designs are appropriate and relevant to each participating business
• Owners are responsible for assigning the appropriate people to the appropriate roles
Assessing and Creating the Domain Design
• Decision to deploy additional domains is influenced by:
– Geographic separation
– Network limitations
– Service autonomy
Maximum Number of Users Supported in a Single Domain
Names and Hierarchies
• When designing Active Directory forests and domains:
– Each domain has two names: a NetBIOS name and a DNS name
• Dedicated root domain:
– When deploying the first domain in a forest, the DNS name chosen is used as the suffix for all other domains
Using a Dedicated Root Domain
• Deployed simply to exist as the root domain
• Advantages:
– Forest service admins are separated from domain service admins
– Simpler to reconfigure the forest
– Politically neutral
The Dedicated Root Domain Model
The Nondedicated Domain
Regional Domains
• Regional model implies that a separate domain is created for each distinct region within the organization
• Disadvantages associated with introducing additional regional domains:
– Multiple service admin groups
– Additional overhead in duplicating settings
– Interdomain object moves
The Regional Domain Model
Functional Domains
• Established per functional group or business group within the organization
• Within the functional domain model:
– The forest might be home to multiple, disparate, autonomous businesses
– A degree of collaboration is required
The Functional Domain Model
Comparing Trees with Domains
• Advantages of the single tree approach:
– Only one namespace needs to be created and managed
– No interoperability issues exist between disparate namespaces
• Disadvantages of the single tree approach:
– Disparate, autonomous businesses are constrained to using the first namespace
– Businesses do not have autonomy within their own namespace
A Single Tree
Multiple Trees
• Advantages:
– Disparate businesses can use their own different namespaces
– Autonomy within the business namespace
• Disadvantages:
– Multiple DNS names
– Increased DNS maintenance
A Forest with Multiple Trees
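The naming rules on the preceding slides (a NetBIOS and a DNS name per domain, child domains taking the parent's DNS name as suffix, one or more trees per forest) can be checked mechanically. The Python below is an added example, not part of the course material; the forest it inspects is a constructed sample, and the tree-grouping and NetBIOS checks are this example's own helpers.

```python
# Added example (not from the slides): classify a forest's domains into DNS trees
# and check the NetBIOS names. The forest below is constructed for illustration.
import re

FOREST = [  # constructed sample: one forest, two trees
    {"dns": "corp.example.com",           "netbios": "CORP"},
    {"dns": "emea.corp.example.com",      "netbios": "EMEA"},
    {"dns": "apac.corp.example.com",      "netbios": "APAC"},
    {"dns": "fabrikam.example.net",       "netbios": "FABRIKAM"},
    {"dns": "sales.fabrikam.example.net", "netbios": "SALES"},
]

def parent_dns(dns, names):
    """A child domain's DNS name is its parent's name with one label prepended,
    so the parent is dns minus its leftmost label; None means dns is a tree root."""
    _, _, rest = dns.lower().partition(".")
    return rest if rest in names else None

def tree_root(dns, names):
    """Follow parent links up to the domain that starts the namespace (tree)."""
    parent = parent_dns(dns, names)
    return dns.lower() if parent is None else tree_root(parent, names)

def build_trees(forest):
    """Map each tree root to the sorted domains sharing its contiguous namespace.
    One key is a single-tree forest; several keys is a multiple-tree forest."""
    names = {d["dns"].lower() for d in forest}
    trees = {}
    for name in names:
        trees.setdefault(tree_root(name, names), []).append(name)
    return {root: sorted(members) for root, members in trees.items()}

NETBIOS_ILLEGAL = re.compile(r'[\\/:*?"<>|]')

def netbios_problems(forest):
    """NetBIOS names must be unique in the forest, at most 15 characters long and
    free of punctuation that Windows rejects in NetBIOS names."""
    problems, seen = [], {}
    for d in forest:
        nb = d["netbios"].upper()
        if len(nb) > 15:
            problems.append(f"{nb}: longer than 15 characters")
        if NETBIOS_ILLEGAL.search(nb):
            problems.append(f"{nb}: contains an illegal character")
        if nb in seen:
            problems.append(f"{nb}: duplicates {seen[nb]}")
        seen.setdefault(nb, d["dns"])
    return problems
```

Running `build_trees(FOREST)` on the sample yields two trees, rooted at corp.example.com and fabrikam.example.net, which is the multiple-tree forest of this slide; a proposal with a second SALES domain or a 19-character NetBIOS name shows up in `netbios_problems`.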
Single Domain Forest
• Houses all objects, including:
– Forest service admins
– Domain service admins
– Users
– Groups
– Computers
– DCs
Advantages and Disadvantages of a Single Domain Forest
Developing the OU Model
• OU design factors are dictated by:
– The way in which the business is administered
– The way in which group policy needs to be
– The need to hide sensitive objects from users
OU Design Models
• Geographic models
– Start by creating geography-based OUs at the root of the domain
• Functional models
– Start by creating functional-based OUs at the root of the domain
• Object type models
– Start by creating object type-based OUs at the root of the domain
The Geographic OU Model
The Functional OU Model
The Object Type OU Model
Developing the Replication Design
• Principles and concepts surrounding replication:
– Sites
– Subnets
– Site links
– Site link bridges
– Connection objects
– Multimaster replication
Developing the Replication Design (continued)
• Principles and concepts surrounding replication:
– Knowledge Consistency Checker (KCC)
– Inter-Site Topology Generator (ISTG) and bridgehead servers
– SYSVOL
– File Replication System (FRS)
– Topology options
– Ownership
Sites and Costs
Site Link Bridging
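The two preceding slides, site link costs and site link bridging, decide which route intersite replication takes: with bridging, site links are transitive and the KCC sums link costs along a relayed path; without it, a DC may only replicate over a site link it shares directly with the other site. The Python below is an added example, not course material; the site names, links and costs are a constructed sample, and the model deliberately leaves out the schedules and transports the real KCC/ISTG also weigh.

```python
# Added example (not from the slides): a cost model of how the KCC picks intersite
# replication routes. Sites, links and costs are constructed; schedules and
# transports, which the real KCC/ISTG also weigh, are left out.
import heapq

SITE_LINKS = [  # constructed sample: (link name, member sites, cost)
    ("HQ-Branch1",      {"HQ", "Branch1"},      100),
    ("HQ-Branch2",      {"HQ", "Branch2"},      200),
    ("Branch1-Branch2", {"Branch1", "Branch2"}, 400),
    ("Branch2-Branch3", {"Branch2", "Branch3"},  50),
]

def neighbours(links, site):
    """Yield (other_site, cost) for every site reachable over one site link."""
    for _, members, cost in links:
        if site in members:
            for other in members - {site}:
                yield other, cost

def direct_cost(links, src, dst):
    """Cheapest single site link joining src and dst, or None if they share none:
    all that is usable when bridging is off and no site link bridge covers them."""
    costs = [cost for other, cost in neighbours(links, src) if other == dst]
    return min(costs) if costs else None

def cheapest_route(links, src, dst, bridged=True):
    """Return (total_cost, [sites...]) for the least-cost replication route.
    With 'Bridge all site links' on (the default) links are transitive, so the
    route may relay through intermediate sites and link costs are summed."""
    if not bridged:
        cost = direct_cost(links, src, dst)
        return (cost, [src, dst]) if cost is not None else (None, [])
    queue, done = [(0, src, [src])], set()
    while queue:                       # Dijkstra over the site graph
        cost, site, path = heapq.heappop(queue)
        if site in done:
            continue
        done.add(site)
        if site == dst:
            return cost, path
        for other, link_cost in neighbours(links, site):
            if other not in done:
                heapq.heappush(queue, (cost + link_cost, other, path + [other]))
    return None, []

if __name__ == "__main__":
    for src, dst in (("Branch1", "Branch2"), ("Branch1", "Branch3")):
        print(src, "->", dst, "bridged:", cheapest_route(SITE_LINKS, src, dst),
              "unbridged:", cheapest_route(SITE_LINKS, src, dst, bridged=False))
```

On the sample, Branch1 to Branch2 costs 300 via HQ when bridged but falls back to the 400-cost direct link when not, and Branch1 to Branch3 has no route at all without bridging, which is the case a site link bridge exists to fix.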
The Bridgehead and ISTG Roles
Summary
• Service administrators manage the Active Directory infrastructure
• Data administrators manage data contained within Active Directory and member computers
• If service or data isolation is required, create a separate forest
• If disparate schemas or Configuration partition data is required, create a separate forest
Summary (continued)
• Consider geographic domains to better manage replication
• Consider functional domains for service autonomy
• OU design influences:
– Administrative models
– Group policy
– Protection of sensitive objects
• Be conversant with replication concepts