Concepts
• Active Directory Domain Services (AD DS)
• Logical structure
• Physical structure
• Organizational units
• Delegation of control
• Groups

Active Directory Domain Services
Logical Structure
• Forest; Tree; Domain; Organizational Unit; Groups
Physical Structure
• The physical layout of your domain, which determines how replication flows
• Multiple sites (remote offices)
• Multiple domain controllers (DCs)
• How replication occurs
• Updates to Active Directory objects are transmitted between domain controllers to keep the replicas of each directory partition synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site.
• In plain terms: replication makes sure that every DC holds an up-to-date copy of the Active Directory database.

Active Directory Domain Services
• Replication can be managed through Active Directory Sites and Services.
• Within a site, DCs notify their partners of changes and replicate within seconds. Between sites, replication follows the site-link schedule; by default a site link replicates every 180 minutes.
• Replication can be forced between DCs (Replicate Now in Sites and Services, or repadmin /syncall).
• The intersite replication schedule and interval are set on the site link and can be modified.
• Large domains with many changes should replicate frequently.
• Small (static) domains with very little change do not need a high replication frequency.

Active Directory Domain Services
Active Directory replication topology has the following dependencies:
• Routable IP infrastructure. The replication topology depends on a routable IP infrastructure from which you can map IP subnet address ranges to site objects. This mapping generates the information that client workstations use to find a nearby domain controller, when there is a choice, rather than one across a WAN link. A subnet that is not mapped to any site sends its clients to an arbitrary DC, often across the WAN.
• DNS. The Domain Name System (DNS) resolves DNS names to IP addresses.
Active Directory replication topology requires that DNS is properly designed and deployed so that domain controllers can correctly resolve the DNS names of their replication partners.
• DNS also stores service (SRV) resource records that provide site affinity information to clients searching for domain controllers, including domain controllers that are searching for replication partners. Every domain controller registers these records so that it can be located by site (for example _ldap._tcp.<site>._sites.dc._msdcs.<domain>).

Active Directory Domain Services
Active Directory replication topology has the following dependencies (cont.):
• Net Logon service. Net Logon is the service that registers a domain controller's DNS records; if it is stopped or cannot update DNS, the DC disappears from the SRV records.
• Remote Procedure Call (RPC). Active Directory replication requires IP connectivity and RPC to transfer updates between replication partners within a site (and between sites unless SMTP is used).
• Inter-site Messaging. Inter-site Messaging is required for SMTP intersite replication and for site coverage calculations. SMTP can replicate only the schema, configuration and application partitions, never the domain partition.

Active Directory Domain Services
Domains
• Domains are units of replication. All of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the domain.
• Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers.
• One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain.
• A single domain can span multiple physical locations or sites and can contain millions of objects.
• Site structure and domain structure are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.

Active Directory Domain Services
A domain provides several benefits:
• Organizing objects. Using organizational units helps you manage the accounts and resources in the domain.
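The slides above describe the replication schedule, forcing replication, and the DNS and site-link dependencies of the topology, but not how to check them. The following PowerShell is an added example, not code from the slides: it assumes a domain-joined admin workstation with RSAT, a hypothetical domain corp.example with sites HQ and Branch, a site link named HQ-Branch and a DC named DC1. Change those names for your own environment.

```powershell
# Added example (not from the slides): inspect and exercise AD replication
# topology. Assumed names: domain corp.example, site Branch, link HQ-Branch,
# DC1. All are hypothetical.
Import-Module ActiveDirectory

$domain = 'corp.example'
$site   = 'Branch'

# 1. DNS dependency: the SRV records that Net Logon registers are how clients
#    and DCs find site-local domain controllers. Resolve the site-specific
#    record first, then the domain-wide one.
$siteSrv   = Resolve-DnsName -Type SRV "_ldap._tcp.$site._sites.dc._msdcs.$domain" -ErrorAction Stop
$domainSrv = Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$domain" -ErrorAction Stop
"DCs advertised for site ${site}: " + (($siteSrv   | Where-Object Type -eq 'SRV').NameTarget -join ', ')
"DCs advertised domain-wide:      " + (($domainSrv | Where-Object Type -eq 'SRV').NameTarget -join ', ')

# 2. Sites, subnet-to-site mapping and site links. A subnet with no Site
#    value sends its clients across the WAN. 180 is the default interval.
Get-ADReplicationSite -Filter *   | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{n = 'Sites'; e = { $_.SitesIncluded -join ',' }}

# 3. Modify the schedule: tighten the hypothetical HQ-Branch link from the
#    180-minute default to 30 minutes (only where WAN capacity allows).
Set-ADReplicationSiteLink -Identity 'HQ-Branch' -ReplicationFrequencyInMinutes 30

# 4. Replication partners and failures for every DC in the domain.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartitionFilter All |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# 5. Force replication now: all partitions (/A), identify partners by DN (/d),
#    across sites (/e), push (/P). Then show the inbound status.
repadmin /syncall "DC1.$domain" /AdeP
repadmin /showrepl "DC1.$domain"

# 6. Operations master roles and functional levels live on specific DCs;
#    know where they are before changing the topology.
Get-ADForest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
```

A DC missing from the site-specific SRV record while present domain-wide usually means the DC's subnet is not mapped to the site or Net Logon has not re-registered; a partner with a non-zero ConsecutiveReplicationFailures and a LastReplicationResult of 1722 or 8524 points at the RPC or DNS dependencies listed above rather than at AD itself.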
You can then assign Group Policy settings and place users, groups, and computers into the organizational units. Using a single domain greatly simplifies administrative overhead.
• Publishing resources and information about domain objects. A domain stores only the information about objects located in that domain, so by creating multiple domains you partition or segment the directory to better serve a disparate user base. When using multiple domains, you can scale the Active Directory service to accommodate your administrative and directory publishing requirements.
• Applying a Group Policy object to the domain consolidates resource and security management. A domain defines a scope or unit of policy. A Group Policy object (GPO) establishes how domain resources can be accessed, configured, and used. These policies are applied only within the domain and not across domains.

Active Directory Domain Services
A domain provides several benefits (cont.):
• Delegating authority eliminates the need for a number of administrators with broad administrative authority. Using delegated authority in conjunction with Group Policy objects and group memberships lets you give an administrator rights and permissions to manage objects in an entire domain or in one or more organizational units within the domain.
• Security policies and settings (such as user rights and password policies) do not cross from one domain to another. Each domain has its own security policies and trust relationships with other domains. However, the forest is the real security boundary, not the domain: an administrator of any domain in the forest can gain control of every other domain in it, so a domain isolates administration, not attackers.
• Each domain stores only the information about the objects located in that domain. By partitioning the directory this way, Active Directory can scale to very large numbers of objects.

How many domains?
Simple is best: use one domain if you can.
Plus
• A single domain is also the whole forest, so there is one security boundary
• Central administration
Minus
• All operations master roles (schema master, domain naming master, RID master, etc.) sit in the same "exposed" domain that holds every user and workstation, rather than in a separate, tightly controlled forest root domain
• You still need a physical structure (sites, site links, subnets) if you have WAN links

Multiple Domains
Some reasons to create more than one domain are:
• Different password requirements between departments or divisions (since Windows Server 2008, fine-grained password policies can apply different policies to groups within a single domain, so this alone is rarely a reason today)
• Massive numbers of objects
• Decentralized network administration
• More control of replication
Although using a single domain for an entire network has several advantages, you may consider creating additional domains to meet scalability, administrative, or replication requirements. Remember that a separate domain does not keep a compromised administrator of one domain out of the others; only a separate forest does that.

Organizational Units
• Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.
• An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. Using organizational units, you can create containers within a domain that represent the hierarchical, logical structure of your organization. You can then manage the configuration and use of accounts and resources based on your organizational model.

Organizational Units
• You can use organizational units to create an administrative model that scales to any size. A user can have administrative authority for all organizational units in a domain or for a single organizational unit. An administrator of an organizational unit does not need administrative authority for any other organizational unit in the domain, and should not be a member of Domain Admins to do the job.
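The OU and delegation slides explain that the OU is the smallest scope for Group Policy and for delegated authority. The following PowerShell is an added example, not code from the slides: it creates an OU, links a GPO to it, delegates only the Reset Password right over user objects in that OU to a help-desk group, and then verifies the result. The domain corp.example, the OU "Helpdesk Users", the group HelpdeskOps and the GPO name are hypothetical; the two GUIDs are the well-known schema identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the slides): OU, GPO link and least-privilege
# delegation. Names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example
$ouDN     = "OU=Helpdesk Users,$domainDN"

# 1. The OU is the unit of policy and delegation. Protect it from
#    accidental deletion and link a (hypothetical) baseline GPO to it.
New-ADOrganizationalUnit -Name 'Helpdesk Users' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-GPO -Name 'Helpdesk Users - Baseline' | New-GPLink -Target $ouDN -LinkEnabled Yes

# 2. Delegation of control: one extended right (Reset Password), on user
#    objects only, inherited only by descendants of this OU. Nothing else.
New-ADGroup -Name 'HelpdeskOps' -GroupScope Global -GroupCategory Security
$groupSid          = [System.Security.Principal.SecurityIdentifier](Get-ADGroup 'HelpdeskOps').SID
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password control access right
$userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"

$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Verify the ACE landed with the intended scope (one right, user class,
#    descendants only) and nothing broader.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\HelpdeskOps' } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritanceType, InheritedObjectType

# 4. Delegation is pointless if the group is also nested, directly or
#    transitively, in a privileged group. LDAP_MATCHING_RULE_IN_CHAIN
#    returns every group HelpdeskOps is a member of at any depth.
$groupDN    = (Get-ADGroup 'HelpdeskOps').DistinguishedName
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$groupDN)" |
    Where-Object { $privileged -contains $_.Name } |
    ForEach-Object { Write-Warning "HelpdeskOps is nested in $($_.Name); remove it" }
```

The same ACE written through the Delegation of Control wizard looks identical in step 3; writing it in code makes the delegation reviewable and repeatable, and step 4 is the check most environments skip: a delegated group that is also in Account Operators or Domain Admins already has far more than the one right you meant to grant.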
Groups
Domain Local
• Used to assign rights/permissions to resources in that domain
• Can contain users, global groups and universal groups from any domain in the forest (or a trusted domain), and domain local groups from the same domain
Global
• Groups users in that domain together logically
• Can contain users and other global groups from the same domain only
• Added to the member list of a Domain Local group to get rights (the AGDLP pattern: Accounts go in Global groups, Global groups go in Domain Local groups, Permissions go to the Domain Local group)
Universal
• Groups users from any domain in the forest together
• Can contain users, global groups and universal groups from any domain in the forest
• Can be assigned rights to resources in any domain in the forest
• Membership is stored in the global catalog and replicated forest-wide, so keep universal groups small and their membership stable

Groups
Terms to research
• Functional levels
• Operations master roles: Flexible Single Master Operations (FSMO, pronounced "fizz-mo") or Operations Masters/Roles
• Site links

Additional Resources
• http://technet.microsoft.com/en-us/library/cc780856(WS.10).aspx
• http://technet.microsoft.com
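The group-scope slide lists what each scope can contain and how Global and Domain Local groups fit together. The following PowerShell is an added example, not code from the slides: it builds the Global-in-Domain-Local pattern for one file share, shows the directory rejecting a scope violation, and audits the two mistakes that most often undermine the model. The group names, the OU=Groups container, the user accounts alice and bob, the CORP NetBIOS name and the share path are all hypothetical.

```powershell
# Added example (not from the slides): the AGDLP pattern and its checks.
# Names below are hypothetical.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$groupsOU = "OU=Groups,$domainDN"

# G: a role group for people, scoped to this domain.
New-ADGroup -Name 'HR-Staff' -GroupScope Global -GroupCategory Security -Path $groupsOU
# DL: a resource group named after the resource and the access level.
New-ADGroup -Name 'ACL-HRShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU

# A -> G -> DL: accounts go in the Global group, the Global group goes in
# the Domain Local group.
Add-ADGroupMember -Identity 'HR-Staff' -Members 'alice', 'bob'
Add-ADGroupMember -Identity 'ACL-HRShare-Modify' -Members 'HR-Staff'

# P: the permission on the resource is granted to the Domain Local group only.
$sharePath = 'D:\Shares\HR'
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\ACL-HRShare-Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Scope rules are enforced by the directory: a Global group cannot contain
# a Domain Local group, so this add is rejected rather than silently kept.
try {
    Add-ADGroupMember -Identity 'HR-Staff' -Members 'ACL-HRShare-Modify' -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# Audit 1: resource (DL) groups should contain groups, never individual
# users; a direct user member bypasses the role layer and is easy to miss
# when that person changes job.
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and Name -like "ACL-*"' |
    ForEach-Object {
        $users = Get-ADGroupMember $_ | Where-Object objectClass -eq 'user'
        if ($users) {
            Write-Warning "$($_.Name) has direct user members: $($users.SamAccountName -join ', ')"
        }
    }

# Audit 2: Universal group membership replicates to every global catalog
# in the forest, so list them by size and question the large ones.
Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties member |
    Select-Object Name, @{n = 'Members'; e = { @($_.member).Count }} |
    Sort-Object Members -Descending
```

The split between a role group (HR-Staff) and a resource group (ACL-HRShare-Modify) is what makes both the join/leave workflow and the "who can modify this share" question answerable from the directory alone; the NTFS ACL never needs to change when a person moves.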